{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [
                "linux-headers-6.17.0-14-generic",
                "linux-image-6.17.0-14-generic",
                "linux-modules-6.17.0-14-generic",
                "linux-riscv-headers-6.17.0-14",
                "linux-riscv-tools-6.17.0-14",
                "linux-tools-6.17.0-14-generic"
            ],
            "removed": [
                "linux-headers-6.17.0-12-generic",
                "linux-image-6.17.0-12-generic",
                "linux-modules-6.17.0-12-generic",
                "linux-riscv-headers-6.17.0-12",
                "linux-riscv-tools-6.17.0-12",
                "linux-tools-6.17.0-12-generic"
            ],
            "diff": [
                "libexpat1:riscv64",
                "libpng16-16t64:riscv64",
                "linux-headers-generic",
                "linux-headers-virtual",
                "linux-image-virtual",
                "linux-virtual"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "libexpat1:riscv64",
                "from_version": {
                    "source_package_name": "expat",
                    "source_package_version": "2.7.1-2",
                    "version": "2.7.1-2"
                },
                "to_version": {
                    "source_package_name": "expat",
                    "source_package_version": "2.7.1-2ubuntu0.2",
                    "version": "2.7.1-2ubuntu0.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-59375",
                        "url": "https://ubuntu.com/security/CVE-2025-59375",
                        "cve_description": "libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-09-15 03:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-24515",
                        "url": "https://ubuntu.com/security/CVE-2026-24515",
                        "cve_description": "In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-23 08:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-25210",
                        "url": "https://ubuntu.com/security/CVE-2026-25210",
                        "cve_description": "In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-30 07:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-59375",
                                "url": "https://ubuntu.com/security/CVE-2025-59375",
                                "cve_description": "libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-09-15 03:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-24515",
                                "url": "https://ubuntu.com/security/CVE-2026-24515",
                                "cve_description": "In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-23 08:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-25210",
                                "url": "https://ubuntu.com/security/CVE-2026-25210",
                                "cve_description": "In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-30 07:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Large memory allocation.",
                            "    - debian/patches/CVE-2025-59375-*: Fix large memory allocation in",
                            "      expat/lib/xmlparse.c, expat/lib/expat.h, expat/tests/basic_tests.c,",
                            "      expat/tests/nsalloc_tests.c, expat/xmlwf/xmlwf.c,",
                            "      expat/xmlwf/xmlwf_helpgen.py, expat/lib/internal.h,",
                            "      expat/tests/alloc_tests.c, expat/fuzz/xml_lpm_fuzzer.cpp,",
                            "      expat/fuzz/xml_parse_fuzzer.c, expat/tests/misc_tests.c.",
                            "    - debian/libexpat1.symbols: Add new symbols.",
                            "    - CVE-2025-59375",
                            "  * SECURITY UPDATE: Null pointer dereference.",
                            "    - debian/patches/CVE-2026-24515-*: Add oldUnknownEncodingHandlerData and",
                            "      assignments in expat/lib/xmlparse.c. Add tests in",
                            "      expat/tests/basic_tests.c.",
                            "    - CVE-2026-24515",
                            "  * SECURITY UPDATE: Integer overflow.",
                            "    - debian/patches/CVE-2026-25210-*: Change bufSize operation and assignment",
                            "      and add error check in expat/lib/xmlparse.c.",
                            "    - CVE-2026-25210",
                            ""
                        ],
                        "package": "expat",
                        "version": "2.7.1-2ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Fri, 06 Feb 2026 11:45:02 -0330"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpng16-16t64:riscv64",
                "from_version": {
                    "source_package_name": "libpng1.6",
                    "source_package_version": "1.6.50-1ubuntu0.3",
                    "version": "1.6.50-1ubuntu0.3"
                },
                "to_version": {
                    "source_package_name": "libpng1.6",
                    "source_package_version": "1.6.50-1ubuntu0.4",
                    "version": "1.6.50-1ubuntu0.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-25646",
                        "url": "https://ubuntu.com/security/CVE-2026-25646",
                        "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-10 18:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-25646",
                                "url": "https://ubuntu.com/security/CVE-2026-25646",
                                "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-10 18:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: OOB read in png_set_quantize()",
                            "    - debian/patches/CVE-2026-25646.patch: fix a heap buffer overflow in",
                            "      pngrtran.c.",
                            "    - CVE-2026-25646",
                            ""
                        ],
                        "package": "libpng1.6",
                        "version": "1.6.50-1ubuntu0.4",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 11 Feb 2026 09:23:07 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-headers-generic",
                "from_version": {
                    "source_package_name": "linux-meta-riscv",
                    "source_package_version": "6.17.0-12.12.1",
                    "version": "6.17.0-12.12.1"
                },
                "to_version": {
                    "source_package_name": "linux-meta-riscv",
                    "source_package_version": "6.17.0-14.14.1",
                    "version": "6.17.0-14.14.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.17.0-14.14.1",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta-riscv",
                        "version": "6.17.0-14.14.1",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Sarah Emery <sarah.emery@canonical.com>",
                        "date": "Fri, 23 Jan 2026 09:49:19 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-headers-virtual",
                "from_version": {
                    "source_package_name": "linux-meta-riscv",
                    "source_package_version": "6.17.0-12.12.1",
                    "version": "6.17.0-12.12.1"
                },
                "to_version": {
                    "source_package_name": "linux-meta-riscv",
                    "source_package_version": "6.17.0-14.14.1",
                    "version": "6.17.0-14.14.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.17.0-14.14.1",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta-riscv",
                        "version": "6.17.0-14.14.1",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Sarah Emery <sarah.emery@canonical.com>",
                        "date": "Fri, 23 Jan 2026 09:49:19 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-virtual",
                "from_version": {
                    "source_package_name": "linux-meta-riscv",
                    "source_package_version": "6.17.0-12.12.1",
                    "version": "6.17.0-12.12.1"
                },
                "to_version": {
                    "source_package_name": "linux-meta-riscv",
                    "source_package_version": "6.17.0-14.14.1",
                    "version": "6.17.0-14.14.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.17.0-14.14.1",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta-riscv",
                        "version": "6.17.0-14.14.1",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Sarah Emery <sarah.emery@canonical.com>",
                        "date": "Fri, 23 Jan 2026 09:49:19 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-virtual",
                "from_version": {
                    "source_package_name": "linux-meta-riscv",
                    "source_package_version": "6.17.0-12.12.1",
                    "version": "6.17.0-12.12.1"
                },
                "to_version": {
                    "source_package_name": "linux-meta-riscv",
                    "source_package_version": "6.17.0-14.14.1",
                    "version": "6.17.0-14.14.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.17.0-14.14.1",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta-riscv",
                        "version": "6.17.0-14.14.1",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Sarah Emery <sarah.emery@canonical.com>",
                        "date": "Fri, 23 Jan 2026 09:49:19 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [
            {
                "name": "linux-headers-6.17.0-14-generic",
                "from_version": {
                    "source_package_name": "linux-riscv",
                    "source_package_version": "6.17.0-12.12.1",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-riscv",
                    "source_package_version": "6.17.0-14.14.1",
                    "version": "6.17.0-14.14.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-40256",
                        "url": "https://ubuntu.com/security/CVE-2025-40256",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added  In commit b441cf3f8c4b (\"xfrm: delete x->tunnel as we delete x\"), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists.  In this situation, ->init_state has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn't go through __xfrm_state_delete, so we don't call xfrm_state_delete_tunnel for those states, and we end up leaking the FB tunnel.  There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrm_migrate, xfrm_state_migrate). A \"proper\" rollback of the init_state work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved.  At some point, the new (not-inserted) state will be destroyed, so call xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states will have their fallback tunnel cleaned up during __xfrm_state_delete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68204",
                        "url": "https://ubuntu.com/security/CVE-2025-68204",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pmdomain: arm: scmi: Fix genpd leak on provider registration failure  If of_genpd_add_provider_onecell() fails during probe, the previously created generic power domains are not removed, leading to a memory leak and potential kernel crash later in genpd_debug_add().  Add proper error handling to unwind the initialized domains before returning from probe to ensure all resources are correctly released on failure.  Example crash trace observed without this fix:    | Unable to handle kernel paging request at virtual address fffffffffffffc70   | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT   | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform   | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)   | pc : genpd_debug_add+0x2c/0x160   | lr : genpd_debug_init+0x74/0x98   | Call trace:   |  genpd_debug_add+0x2c/0x160 (P)   |  genpd_debug_init+0x74/0x98   |  do_one_initcall+0xd0/0x2d8   |  do_initcall_level+0xa0/0x140   |  do_initcalls+0x60/0xa8   |  do_basic_setup+0x28/0x40   |  kernel_init_freeable+0xe8/0x170   |  kernel_init+0x2c/0x140   |  ret_from_fork+0x10/0x20",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68203",
                        "url": "https://ubuntu.com/security/CVE-2025-68203",
                        "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40267",
                        "url": "https://ubuntu.com/security/CVE-2025-40267",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/rw: ensure allocated iovec gets cleared for early failure  A previous commit reused the recyling infrastructure for early cleanup, but this is not enough for the case where our internal caches have overflowed. If this happens, then the allocated iovec can get leaked if the request is also aborted early.  Reinstate the previous forced free of the iovec for that situation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68198",
                        "url": "https://ubuntu.com/security/CVE-2025-68198",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crash: fix crashkernel resource shrink  When crashkernel is configured with a high reservation, shrinking its value below the low crashkernel reservation causes two issues:  1. Invalid crashkernel resource objects 2. Kernel crash if crashkernel shrinking is done twice  For example, with crashkernel=200M,high, the kernel reserves 200MB of high memory and some default low memory (say 256MB).  The reservation appears as:  cat /proc/iomem | grep -i crash af000000-beffffff : Crash kernel 433000000-43f7fffff : Crash kernel  If crashkernel is then shrunk to 50MB (echo 52428800 > /sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved: af000000-beffffff : Crash kernel  Instead, it should show 50MB: af000000-b21fffff : Crash kernel  Further shrinking crashkernel to 40MB causes a kernel crash with the following trace (x86):  BUG: kernel NULL pointer dereference, address: 0000000000000038 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI <snip...> Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2f0 ? search_module_extables+0x19/0x60 ? search_bpf_extables+0x5f/0x80 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? __release_resource+0xd/0xb0 release_resource+0x26/0x40 __crash_shrink_memory+0xe5/0x110 crash_shrink_memory+0x12a/0x190 kexec_crash_size_store+0x41/0x80 kernfs_fop_write_iter+0x141/0x1f0 vfs_write+0x294/0x460 ksys_write+0x6d/0xf0 <snip...>  This happens because __crash_shrink_memory()/kernel/crash_core.c incorrectly updates the crashk_res resource object even when crashk_low_res should be updated.  Fix this by ensuring the correct crashkernel resource object is updated when shrinking crashkernel memory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68199",
                        "url": "https://ubuntu.com/security/CVE-2025-68199",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext  When alloc_slab_obj_exts() fails and then later succeeds in allocating a slab extension vector, it calls handle_failed_objexts_alloc() to mark all objects in the vector as empty.  As a result all objects in this slab (slabA) will have their extensions set to CODETAG_EMPTY.  Later on if this slabA is used to allocate a slabobj_ext vector for another slab (slabB), we end up with the slabB->obj_exts pointing to a slabobj_ext vector that itself has a non-NULL slabobj_ext equal to CODETAG_EMPTY.  When slabB gets freed, free_slab_obj_exts() is called to free slabB->obj_exts vector.   free_slab_obj_exts() calls mark_objexts_empty(slabB->obj_exts) which will generate a warning because it expects slabobj_ext vectors to have a NULL obj_ext, not CODETAG_EMPTY.  Modify mark_objexts_empty() to skip the warning and setting the obj_ext value if it's already set to CODETAG_EMPTY.   To quickly detect this WARN, I modified the code from WARN_ON(slab_exts[offs].ref.ct) to BUG_ON(slab_exts[offs].ref.ct == 1);  We then obtained this message:  [21630.898561] ------------[ cut here ]------------ [21630.898596] kernel BUG at mm/slub.c:2050! 
[21630.898611] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [21630.900372] Modules linked in: squashfs isofs vfio_iommu_type1 vhost_vsock vfio vhost_net vmw_vsock_virtio_transport_common vhost tap vhost_iotlb iommufd vsock binfmt_misc nfsv3 nfs_acl nfs lockd grace netfs tls rds dns_resolver tun brd overlay ntfs3 exfat btrfs blake2b_generic xor xor_neon raid6_pq loop sctp ip6_udp_tunnel udp_tunnel nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables rfkill ip_set sunrpc vfat fat joydev sg sch_fq_codel nfnetlink virtio_gpu sr_mod cdrom drm_client_lib virtio_dma_buf drm_shmem_helper drm_kms_helper drm ghash_ce backlight virtio_net virtio_blk virtio_scsi net_failover virtio_console failover virtio_mmio dm_mirror dm_region_hash dm_log dm_multipath dm_mod fuse i2c_dev virtio_pci virtio_pci_legacy_dev virtio_pci_modern_dev virtio virtio_ring autofs4 aes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject] [21630.909177] CPU: 3 UID: 0 PID: 3787 Comm: kylin-process-m Kdump: loaded Tainted: G        W           6.18.0-rc1+ #74 PREEMPT(voluntary) [21630.910495] Tainted: [W]=WARN [21630.910867] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 [21630.911625] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [21630.912392] pc : __free_slab+0x228/0x250 [21630.912868] lr : __free_slab+0x18c/0x250[21630.913334] sp : ffff8000a02f73e0 [21630.913830] x29: ffff8000a02f73e0 x28: fffffdffc43fc800 x27: ffff0000c0011c40 [21630.914677] x26: ffff0000c000cac0 x25: ffff00010fe5e5f0 x24: ffff000102199b40 [21630.915469] x23: 0000000000000003 x22: 0000000000000003 x21: ffff0000c0011c40 [21630.916259] x20: fffffdffc4086600 x19: fffffdffc43fc800 x18: 0000000000000000 [21630.917048] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [21630.917837] x14: 0000000000000000 x13: 0000000000000000 x12: ffff70001405ee66 
[21630.918640] x11: 1ffff0001405ee65 x10: ffff70001405ee65 x9 : ffff800080a295dc [21630.919442] x8 : ffff8000a02f7330 x7 : 0000000000000000 x6 : 0000000000003000 [21630.920232] x5 : 0000000024924925 x4 : 0000000000000001 x3 : 0000000000000007 [21630.921021] x2 : 0000000000001b40 x1 : 000000000000001f x0 : 0000000000000001 [21630.921810] Call trace: [21630.922130]  __free_slab+0x228/0x250 (P) [21630.922669]  free_slab+0x38/0x118 [21630.923079]  free_to_partial_list+0x1d4/0x340 [21630.923591]  __slab_free+0x24c/0x348 [21630.924024]  ___cache_free+0xf0/0x110 [21630.924468]  qlist_free_all+0x78/0x130 [21630.924922]  kasan_quarantine_reduce+0x11 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40268",
                        "url": "https://ubuntu.com/security/CVE-2025-40268",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cifs: client: fix memory leak in smb3_fs_context_parse_param  The user calls fsconfig twice, but when the program exits, free() only frees ctx->source for the second fsconfig, not the first. Regarding fc->source, there is no code in the fs context related to its memory reclamation.  To fix this memory leak, release the source memory corresponding to ctx or fc before each parsing.  syzbot reported: BUG: memory leak unreferenced object 0xffff888128afa360 (size 96):   backtrace (crc 79c9c7ba):     kstrdup+0x3c/0x80 mm/util.c:84     smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444  BUG: memory leak unreferenced object 0xffff888112c7d900 (size 96):   backtrace (crc 79c9c7ba):     smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629     smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40269",
                        "url": "https://ubuntu.com/security/CVE-2025-40269",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix potential overflow of PCM transfer buffer  The PCM stream data in USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically.  The packet sizes are limited by some factors such as wMaxPacketSize USB descriptor.  OTOH, in the current code, the actually used packet sizes are determined only by the rate and the PPS, which may be bigger than the size limit above.  This results in a buffer overflow, as reported by syzbot.  Basically when the limit is smaller than the calculated packet size, it implies that something is wrong, most likely a weird USB descriptor.  So the best option would be just to return an error at the parameter setup time before doing any further operations.  This patch introduces such a sanity check, and returns -EINVAL when the packet size is greater than maxpacksize.  The comparison with ep->packsize[1] alone should suffice since it's always equal or greater than ep->packsize[0].",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68205",
                        "url": "https://ubuntu.com/security/CVE-2025-68205",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver  After restructuring and splitting the HDMI codec driver code, each HDMI codec driver contains the own build_controls and build_pcms ops. A copy-n-paste error put the wrong entries for nvhdmi-mcp driver; both build_controls and build_pcms are swapped.  Unfortunately both callbacks have the very same form, and the compiler didn't complain it, either.  This resulted in a NULL dereference because the PCM instance hasn't been initialized at calling the build_controls callback.  Fix it by passing the proper entries.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40270",
                        "url": "https://ubuntu.com/security/CVE-2025-40270",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm, swap: fix potential UAF issue for VMA readahead  Since commit 78524b05f1a3 (\"mm, swap: avoid redundant swap device pinning\"), the common helper for allocating and preparing a folio in the swap cache layer no longer tries to get a swap device reference internally, because all callers of __read_swap_cache_async are already holding a swap entry reference.  The repeated swap device pinning isn't needed on the same swap device.  Caller of VMA readahead is also holding a reference to the target entry's swap device, but VMA readahead walks the page table, so it might encounter swap entries from other devices, and call __read_swap_cache_async on another device without holding a reference to it.  So it is possible to cause a UAF when swapoff of device A raced with swapin on device B, and VMA readahead tries to read swap entries from device A.  It's not easy to trigger, but in theory, it could cause real issues.  Make VMA readahead try to get the device reference first if the swap device is a different one from the target entry.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40271",
                        "url": "https://ubuntu.com/security/CVE-2025-40271",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/proc: fix uaf in proc_readdir_de()  Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which may result in uaf access.  We should use RB_CLEAR_NODE() set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access.  We found an uaf issue while using stress-ng testing, need to run testcase getdent and tun in the same time.  The steps of the issue is as follows:  1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current    pde is tun3;  2) in the [time windows] unregister netdevice tun3 and tun2, and erase    them from rbtree.  erase tun3 first, and then erase tun2.  the    pde(tun2) will be released to slab;  3) continue to getdent process, then pde_subdir_next() will return    pde(tun2) which is released, it will case uaf access.  CPU 0                                      |    CPU 1 ------------------------------------------------------------------------- traverse dir /proc/pid/net/dev_snmp6/      |  unregister_netdevice(tun->dev)   //tun3 tun2 sys_getdents64()                           |   iterate_dir()                            |     proc_readdir()                         |       proc_readdir_de()                    |     snmp6_unregister_dev()         pde_get(de);                       |       proc_remove()         read_unlock(&proc_subdir_lock);    |         remove_proc_subtree()                                            |          write_lock(&proc_subdir_lock);         [time window]                      |          rb_erase(&root->subdir_node, &parent->subdir);                                            |          write_unlock(&proc_subdir_lock);         read_lock(&proc_subdir_lock);      |         next = pde_subdir_next(de);        |         pde_put(de);                       |         de = next;    //UAF                |  rbtree of dev_snmp6                         |        
             pde(tun3)                      /    \\                   NULL  pde(tun2)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40272",
                        "url": "https://ubuntu.com/security/CVE-2025-40272",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/secretmem: fix use-after-free race in fault handler  When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping.  If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in adding the folio to the file mapping.  The task that failed undoes the effects of its attempt by (a) freeing the folio again and (b) putting the page back into the direct map.  However, by doing these two operations in this order, the page becomes available to the allocator again before it is placed back in the direct mapping.  If another task attempts to allocate the page between (a) and (b), and the kernel tries to access it via the direct map, it would result in a supervisor not-present page fault.  Fix the ordering to restore the direct map before the folio is freed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68245",
                        "url": "https://ubuntu.com/security/CVE-2025-68245",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: netpoll: fix incorrect refcount handling causing incorrect cleanup  commit efa95b01da18 (\"netpoll: fix use after free\") incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks.  Scenario causing lack of proper cleanup:  1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is    allocated, and refcnt = 1    - Keep in mind that npinfo is shared among all netpoll instances. In      this case, there is just one.  2) Another netpoll is also associated with the same NIC and    npinfo->refcnt += 1.    - Now dev->npinfo->refcnt = 2;    - There is just one npinfo associated to the netdev.  3) When the first netpolls goes to clean up:    - The first cleanup succeeds and clears np->dev->npinfo, ignoring      refcnt.      - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);`    - Set dev->npinfo = NULL, without proper cleanup    - No ->ndo_netpoll_cleanup() is either called  4) Now the second target tries to clean up    - The second cleanup fails because np->dev->npinfo is already NULL.      * In this case, ops->ndo_netpoll_cleanup() was never called, and        the skb pool is not cleaned as well (for the second netpoll        instance)   - This leaks npinfo and skbpool skbs, which is clearly reported by     kmemleak.  Revert commit efa95b01da18 (\"netpoll: fix use after free\") and adds clarifying comments emphasizing that npinfo cleanup should only happen once the refcount reaches zero, ensuring stable and correct netpoll behavior.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68240",
                        "url": "https://ubuntu.com/security/CVE-2025-68240",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: avoid having an active sc_timer before freeing sci  Because kthread_stop did not stop sc_task properly and returned -EINTR, the sc_timer was not properly closed, ultimately causing the problem [1] reported by syzbot when freeing sci due to the sc_timer not being closed.  Because the thread sc_task main function nilfs_segctor_thread() returns 0 when it succeeds, when the return value of kthread_stop() is not 0 in nilfs_segctor_destroy(), we believe that it has not properly closed sc_timer.  We use timer_shutdown_sync() to sync wait for sc_timer to shutdown, and set the value of sc_task to NULL under the protection of lock sc_state_lock, so as to avoid the issue caused by sc_timer not being properly shutdowned.  [1] ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: nilfs_construction_timeout Call trace:  nilfs_segctor_destroy fs/nilfs2/segment.c:2811 [inline]  nilfs_detach_log_writer+0x668/0x8cc fs/nilfs2/segment.c:2877  nilfs_put_super+0x4c/0x12c fs/nilfs2/super.c:509",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68241",
                        "url": "https://ubuntu.com/security/CVE-2025-68241",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe  The sit driver's packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random.  The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exception() can fetch the soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a new dst using a dst_hold(). When the original fnheX is freed via RCU, the dst reference remains permanently leaked.  CPU 0                             CPU 1 __mkroute_output()   find_exception() [fnheX]                                   update_or_create_fnhe()                                     fnhe_remove_oldest() [fnheX]   rt_bind_exception() [bind dst]                                   RCU callback [fnheX freed, dst leak]  This issue manifests as a device reference count leak and a warning in dmesg when unregistering the net device:    unregister_netdevice: waiting for sitX to become free. Usage count = N  Ido Schimmel provided the simple test validation method [1].  The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes(). Since rt_bind_exception() checks this field, setting it to zero prevents the stale fnhe from being reused and bound to a new dst just before it is freed.  
[1] ip netns add ns1 ip -n ns1 link set dev lo up ip -n ns1 address add 192.0.2.1/32 dev lo ip -n ns1 link add name dummy1 up type dummy ip -n ns1 route add 192.0.2.2/32 dev dummy1 ip -n ns1 link add name gretap1 up arp off type gretap \\     local 192.0.2.1 remote 192.0.2.2 ip -n ns1 route add 198.51.0.0/16 dev gretap1 taskset -c 0 ip netns exec ns1 mausezahn gretap1 \\     -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & taskset -c 2 ip netns exec ns1 mausezahn gretap1 \\     -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & sleep 10 ip netns pids ns1 | xargs kill ip netns del ns1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68211",
                        "url": "https://ubuntu.com/security/CVE-2025-68211",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksm: use range-walk function to jump over holes in scan_get_next_rmap_item  Currently, scan_get_next_rmap_item() walks every page address in a VMA to locate mergeable pages.  This becomes highly inefficient when scanning large virtual memory areas that contain mostly unmapped regions, causing ksmd to use large amount of cpu without deduplicating much pages.  This patch replaces the per-address lookup with a range walk using walk_page_range().  The range walker allows KSM to skip over entire unmapped holes in a VMA, avoiding unnecessary lookups.  This problem was previously discussed in [1].  Consider the following test program which creates a 32 TiB mapping in the virtual address space but only populates a single page:  #include <unistd.h> #include <stdio.h> #include <sys/mman.h>  /* 32 TiB */ const size_t size = 32ul * 1024 * 1024 * 1024 * 1024;  int main() {         char *area = mmap(NULL, size, PROT_READ | PROT_WRITE,                           MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1, 0);          if (area == MAP_FAILED) {                 perror(\"mmap() failed\\n\");                 return -1;         }          /* Populate a single page such that we get an anon_vma. */         *area = 0;          /* Enable KSM. */         madvise(area, size, MADV_MERGEABLE);         pause();         return 0; }  $ ./ksm-sparse  & $ echo 1 > /sys/kernel/mm/ksm/run  Without this patch ksmd uses 100% of the cpu for a long time (more then 1 hour in my test machine) scanning all the 32 TiB virtual address space that contain only one mapped page.  This makes ksmd essentially deadlocked not able to deduplicate anything of value.  With this patch ksmd walks only the one mapped page and skips the rest of the 32 TiB virtual address space, making the scan fast using little cpu.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68246",
                        "url": "https://ubuntu.com/security/CVE-2025-68246",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: close accepted socket when per-IP limit rejects connection  When the per-IP connection limit is exceeded in ksmbd_kthread_fn(), the code sets ret = -EAGAIN and continues the accept loop without closing the just-accepted socket. That leaks one socket per rejected attempt from a single IP and enables a trivial remote DoS.  Release client_sk before continuing.  This bug was found with ZeroPath.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40273",
                        "url": "https://ubuntu.com/security/CVE-2025-40273",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: free copynotify stateid in nfs4_free_ol_stateid()  Typically copynotify stateid is freed either when parent's stateid is being close/freed or in nfsd4_laundromat if the stateid hasn't been used in a lease period.  However, in case when the server got an OPEN (which created a parent stateid), followed by a COPY_NOTIFY using that stateid, followed by a client reboot. New client instance while doing CREATE_SESSION would force expire previous state of this client. It leads to the open state being freed thru release_openowner-> nfs4_free_ol_stateid() and it finds that it still has copynotify stateid associated with it. We currently print a warning and is triggerred  WARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd]  This patch, instead, frees the associated copynotify stateid here.  If the parent stateid is freed (without freeing the copynotify stateids associated with it), it leads to the list corruption when laundromat ends up freeing the copynotify state later.  
[ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP [ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink [ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G    B   W           6.17.0-rc7+ #22 PREEMPT(voluntary) [ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN [ 1626.857573] Hardware name: VMware, Inc. 
VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024 [ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd] [ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.861182] sp : ffff8000881d7a40 [ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200 [ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20 [ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8 [ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000 [ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065 [ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3 [ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000 [ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001 [ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000 [ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d [ 1626.868167] Call trace: [ 1626.868382]  __list_del_entry_valid_or_report+0x148/0x200 (P) [ 1626.868876]  _free_cpntf_state_locked+0xd0/0x268 [nfsd] [ 1626.869368]  nfs4_laundromat+0x6f8/0x1058 [nfsd] [ 1626.869813]  laundromat_main+0x24/0x60 [nfsd] [ 1626.870231]  process_one_work+0x584/0x1050 [ 1626.870595]  worker_thread+0x4c4/0xc60 [ 1626.870893]  kthread+0x2f8/0x398 [ 1626.871146]  ret_from_fork+0x10/0x20 [ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000) [ 1626.871892] SMP: stopping secondary CPUs",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40212",
                        "url": "https://ubuntu.com/security/CVE-2025-40212",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfsd: fix refcount leak in nfsd_set_fh_dentry()  nfsd exports a \"pseudo root filesystem\" which is used by NFSv4 to find the various exported filesystems using LOOKUP requests from a known root filehandle.  NFSv3 uses the MOUNT protocol to find those exported filesystems and so is not given access to the pseudo root filesystem.  If a v3 (or v2) client uses a filehandle from that filesystem, nfsd_set_fh_dentry() will report an error, but still stores the export in \"struct svc_fh\" even though it also drops the reference (exp_put()). This means that when fh_put() is called an extra reference will be dropped which can lead to use-after-free and possible denial of service.  Normal NFS usage will not provide a pseudo-root filehandle to a v3 client.  This bug can only be triggered by the client synthesising an incorrect filehandle.  To fix this we move the assignments to the svc_fh later, after all possible error cases have been detected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-24 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40274",
                        "url": "https://ubuntu.com/security/CVE-2025-40274",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying  When unbinding a memslot from a guest_memfd instance, remove the bindings even if the guest_memfd file is dying, i.e. even if its file refcount has gone to zero.  If the memslot is freed before the file is fully released, nullifying the memslot side of the binding in kvm_gmem_release() will write to freed memory, as detected by syzbot+KASAN:    ==================================================================   BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353   Write of size 8 at addr ffff88807befa508 by task syz.0.17/6022    CPU: 0 UID: 0 PID: 6022 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025   Call Trace:    <TASK>    dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120    print_address_description mm/kasan/report.c:378 [inline]    print_report+0xca/0x240 mm/kasan/report.c:482    kasan_report+0x118/0x150 mm/kasan/report.c:595    kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353    __fput+0x44c/0xa70 fs/file_table.c:468    task_work_run+0x1d4/0x260 kernel/task_work.c:227    resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]    exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43    exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]    syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]    syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]    do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100    entry_SYSCALL_64_after_hwframe+0x77/0x7f   RIP: 0033:0x7fbeeff8efc9    </TASK>    Allocated by task 6023:    kasan_save_stack mm/kasan/common.c:56 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:77    poison_kmalloc_redzone mm/kasan/common.c:397 
[inline]    __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414    kasan_kmalloc include/linux/kasan.h:262 [inline]    __kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5758    kmalloc_noprof include/linux/slab.h:957 [inline]    kzalloc_noprof include/linux/slab.h:1094 [inline]    kvm_set_memory_region+0x747/0xb90 virt/kvm/kvm_main.c:2104    kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154    kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:597 [inline]    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    Freed by task 6023:    kasan_save_stack mm/kasan/common.c:56 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:77    kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584    poison_slab_object mm/kasan/common.c:252 [inline]    __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284    kasan_slab_free include/linux/kasan.h:234 [inline]    slab_free_hook mm/slub.c:2533 [inline]    slab_free mm/slub.c:6622 [inline]    kfree+0x19a/0x6d0 mm/slub.c:6829    kvm_set_memory_region+0x9c4/0xb90 virt/kvm/kvm_main.c:2130    kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154    kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:597 [inline]    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f  Deliberately don't acquire filemap invalid lock when the file is dying as the lifecycle of f_mapping is outside the purview of KVM.  
Dereferencing the mapping is *probably* fine, but there's no need to invalidate anything as memslot deletion is responsible for zapping SPTEs, and the only code that can access the dying file is kvm_gmem_release(), whose core code is mutual ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68202",
                        "url": "https://ubuntu.com/security/CVE-2025-68202",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Fix unsafe locking in the scx_dump_state()  For built with CONFIG_PREEMPT_RT=y kernels, the dump_lock will be converted sleepable spinlock and not disable-irq, so the following scenarios occur:  inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. irq_work/0/27 [HC0[0]:SC0[0]:HE1:SE1] takes: (&rq->__lock){?...}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x40 {IN-HARDIRQ-W} state was registered at:    lock_acquire+0x1e1/0x510    _raw_spin_lock_nested+0x42/0x80    raw_spin_rq_lock_nested+0x2b/0x40    sched_tick+0xae/0x7b0    update_process_times+0x14c/0x1b0    tick_periodic+0x62/0x1f0    tick_handle_periodic+0x48/0xf0    timer_interrupt+0x55/0x80    __handle_irq_event_percpu+0x20a/0x5c0    handle_irq_event_percpu+0x18/0xc0    handle_irq_event+0xb5/0x150    handle_level_irq+0x220/0x460    __common_interrupt+0xa2/0x1e0    common_interrupt+0xb0/0xd0    asm_common_interrupt+0x2b/0x40    _raw_spin_unlock_irqrestore+0x45/0x80    __setup_irq+0xc34/0x1a30    request_threaded_irq+0x214/0x2f0    hpet_time_init+0x3e/0x60    x86_late_time_init+0x5b/0xb0    start_kernel+0x308/0x410    x86_64_start_reservations+0x1c/0x30    x86_64_start_kernel+0x96/0xa0    common_startup_64+0x13e/0x148   other info that might help us debug this:  Possible unsafe locking scenario:          CPU0         ----    lock(&rq->__lock);    <Interrupt>      lock(&rq->__lock);    *** DEADLOCK ***   stack backtrace:  CPU: 0 UID: 0 PID: 27 Comm: irq_work/0  Call Trace:   <TASK>   dump_stack_lvl+0x8c/0xd0   dump_stack+0x14/0x20   print_usage_bug+0x42e/0x690   mark_lock.part.44+0x867/0xa70   ? __pfx_mark_lock.part.44+0x10/0x10   ? string_nocheck+0x19c/0x310   ? number+0x739/0x9f0   ? __pfx_string_nocheck+0x10/0x10   ? __pfx_check_pointer+0x10/0x10   ? kvm_sched_clock_read+0x15/0x30   ? sched_clock_noinstr+0xd/0x20   ? local_clock_noinstr+0x1c/0xe0   __lock_acquire+0xc4b/0x62b0   ? 
__pfx_format_decode+0x10/0x10   ? __pfx_string+0x10/0x10   ? __pfx___lock_acquire+0x10/0x10   ? __pfx_vsnprintf+0x10/0x10   lock_acquire+0x1e1/0x510   ? raw_spin_rq_lock_nested+0x2b/0x40   ? __pfx_lock_acquire+0x10/0x10   ? dump_line+0x12e/0x270   ? raw_spin_rq_lock_nested+0x20/0x40   _raw_spin_lock_nested+0x42/0x80   ? raw_spin_rq_lock_nested+0x2b/0x40   raw_spin_rq_lock_nested+0x2b/0x40   scx_dump_state+0x3b3/0x1270   ? finish_task_switch+0x27e/0x840   scx_ops_error_irq_workfn+0x67/0x80   irq_work_single+0x113/0x260   irq_work_run_list.part.3+0x44/0x70   run_irq_workd+0x6b/0x90   ? __pfx_run_irq_workd+0x10/0x10   smpboot_thread_fn+0x529/0x870   ? __pfx_smpboot_thread_fn+0x10/0x10   kthread+0x305/0x3f0   ? __pfx_kthread+0x10/0x10   ret_from_fork+0x40/0x70   ? __pfx_kthread+0x10/0x10   ret_from_fork_asm+0x1a/0x30   </TASK>  This commit therefore use rq_lock_irqsave/irqrestore() to replace rq_lock/unlock() in the scx_dump_state().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68239",
                        "url": "https://ubuntu.com/security/CVE-2025-68239",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  binfmt_misc: restore write access before closing files opened by open_exec()  bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed.  However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write operations on the same file to fail.  Fix this by calling exe_file_allow_write_access() before filp_close() to restore the write permission properly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68247",
                        "url": "https://ubuntu.com/security/CVE-2025-68247",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  posix-timers: Plug potential memory leak in do_timer_create()  When posix timer creation is set to allocate a given timer ID and the access to the user space value faults, the function terminates without freeing the already allocated posix timer structure.  Move the allocation after the user space access to cure that.  [ tglx: Massaged change log ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68208",
                        "url": "https://ubuntu.com/security/CVE-2025-68208",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: account for current allocated stack depth in widen_imprecise_scalars()  The usage pattern for widen_imprecise_scalars() looks as follows:      prev_st = find_prev_entry(env, ...);     queued_st = push_stack(...);     widen_imprecise_scalars(env, prev_st, queued_st);  Where prev_st is an ancestor of the queued_st in the explored states tree. This ancestor is not guaranteed to have the same allocated stack depth as queued_st. E.g. in the following case:      def main():       for i in 1..2:         foo(i)        // same callsite, different param      def foo(i):       if i == 1:         use 128 bytes of stack       iterator based loop  Here, for a second 'foo' call prev_st->allocated_stack is 128, while queued_st->allocated_stack is much smaller. widen_imprecise_scalars() needs to take this into account and avoid accessing bpf_verifier_state->frame[*]->stack out of bounds.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68200",
                        "url": "https://ubuntu.com/security/CVE-2025-68200",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Add bpf_prog_run_data_pointers()  syzbot found that cls_bpf_classify() is able to change tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().  WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline] WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214  struct tc_skb_cb has been added in commit ec624fe740b4 (\"net/sched: Extend qdisc control block with tc control block\"), which added a wrong interaction with db58ba459202 (\"bpf: wire in data and data_end for cls_act_bpf\").  drop_reason was added later.  Add bpf_prog_run_data_pointers() helper to save/restore the net_sched storage colliding with BPF data_meta/data_end.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40275",
                        "url": "https://ubuntu.com/security/CVE-2025-40275",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd  In snd_usb_create_streams(), for UAC version 3 devices, the Interface Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this call fails, a fallback routine attempts to obtain the IAD from the next interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, without performing a NULL check. This can lead to a NULL pointer dereference when usb_ifnum_to_if() fails to find the interface descriptor.  This patch adds a NULL pointer check after calling usb_ifnum_to_if() in snd_usb_mixer_controls_badd() to prevent the dereference.  This issue was discovered by syzkaller, which triggered the bug by sending a crafted USB device descriptor.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68242",
                        "url": "https://ubuntu.com/security/CVE-2025-68242",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS: Fix LTP test failures when timestamps are delegated  The utimes01 and utime06 tests fail when delegated timestamps are enabled, specifically in subtests that modify the atime and mtime fields using the 'nobody' user ID.  The problem can be reproduced as follows:  # echo \"/media *(rw,no_root_squash,sync)\" >> /etc/exports # export -ra # mount -o rw,nfsvers=4.2 127.0.0.1:/media /tmpdir # cd /opt/ltp # ./runltp -d /tmpdir -s utimes01 # ./runltp -d /tmpdir -s utime06  This issue occurs because nfs_setattr does not verify the inode's UID against the caller's fsuid when delegated timestamps are permitted for the inode.  This patch adds the UID check; if the UID does not match, the request is sent to the server for permission checking.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68243",
                        "url": "https://ubuntu.com/security/CVE-2025-68243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS: Check the TLS certificate fields in nfs_match_client()  If the TLS security policy is of type RPC_XPRTSEC_TLS_X509, then the cert_serial and privkey_serial fields need to match as well since they define the client's identity, as presented to the server.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40276",
                        "url": "https://ubuntu.com/security/CVE-2025-40276",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/panthor: Flush shmem writes before mapping buffers CPU-uncached  The shmem layer zeroes out the new pages using cached mappings, and if we don't CPU-flush we might leave dirty cachelines behind, leading to potential data leaks and/or asynchronous buffer corruption when dirty cachelines are evicted.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40277",
                        "url": "https://ubuntu.com/security/CVE-2025-40277",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE  This data originates from userspace and is used in buffer offset calculations which could potentially overflow causing an out-of-bounds access.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68206",
                        "url": "https://ubuntu.com/security/CVE-2025-68206",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_ct: add seqadj extension for natted connections  Sequence adjustment may be required for FTP traffic with PASV/EPSV modes. due to need to re-write packet payload (IP, port) on the ftp control connection. This can require changes to the TCP length and expected seq / ack_seq.  The easiest way to reproduce this issue is with PASV mode. Example ruleset: table inet ftp_nat {         ct helper ftp_helper {                 type \"ftp\" protocol tcp                 l3proto inet         }          chain prerouting {                 type filter hook prerouting priority 0; policy accept;                 tcp dport 21 ct state new ct helper set \"ftp_helper\"         } } table ip nat {         chain prerouting {                 type nat hook prerouting priority -100; policy accept;                 tcp dport 21 dnat ip prefix to ip daddr map { \t\t\t192.168.100.1 : 192.168.13.2/32 }         }          chain postrouting {                 type nat hook postrouting priority 100 ; policy accept;                 tcp sport 21 snat ip prefix to ip saddr map { \t\t\t192.168.13.2 : 192.168.100.1/32 }         } }  Note that the ftp helper gets assigned *after* the dnat setup.  The inverse (nat after helper assign) is handled by an existing check in nf_nat_setup_info() and will not show the problem.  Topoloy:   +-------------------+     +----------------------------------+  | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |  +-------------------+     +----------------------------------+                                       |                          +-----------------------+                          | Client: 192.168.100.2 |                          +-----------------------+  ftp nat changes do not work as expected in this case: Connected to 192.168.100.1. [..] ftp> epsv EPSV/EPRT on IPv4 off. ftp> ls 227 Entering passive mode (192,168,100,1,209,129). 
421 Service not available, remote server has closed connection.  Kernel logs: Missing nfct_seqadj_ext_add() setup call WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41 [..]  __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]  nf_nat_ftp+0x142/0x280 [nf_nat_ftp]  help+0x4d1/0x880 [nf_conntrack_ftp]  nf_confirm+0x122/0x2e0 [nf_conntrack]  nf_hook_slow+0x3c/0xb0  ..  Fix this by adding the required extension when a conntrack helper is assigned to a connection that has a nat binding.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68209",
                        "url": "https://ubuntu.com/security/CVE-2025-68209",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mlx5: Fix default values in create CQ  Currently, CQs without a completion function are assigned the mlx5_add_cq_to_tasklet function by default. This is problematic since only user CQs created through the mlx5_ib driver are intended to use this function.  Additionally, all CQs that will use doorbells instead of polling for completions must call mlx5_cq_arm. However, the default CQ creation flow leaves a valid value in the CQ's arm_db field, allowing FW to send interrupts to polling-only CQs in certain corner cases.  These two factors would allow a polling-only kernel CQ to be triggered by an EQ interrupt and call a completion function intended only for user CQs, causing a null pointer exception.  Some areas in the driver have prevented this issue with one-off fixes but did not address the root cause.  This patch fixes the described issue by adding defaults to the create CQ flow. It adds a default dummy completion function to protect against null pointer exceptions, and it sets an invalid command sequence number by default in kernel CQs to prevent the FW from sending an interrupt to the CQ until it is armed. User CQs are responsible for their own initialization values.  Callers of mlx5_core_create_cq are responsible for changing the completion function and arming the CQ per their needs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40278",
                        "url": "https://ubuntu.com/security/CVE-2025-40278",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak  Fix a KMSAN kernel-infoleak detected by syzbot.  [net?] KMSAN: kernel-infoleak in __skb_datagram_iter  In tcf_ife_dump(), the variable 'opt' was partially initialized using a designated initializer, while the padding bytes remained uninitialized. Because nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace.  Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to being copied.  This change silences the KMSAN report and prevents potential information leaks from the kernel memory.  This fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures no infoleak.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40279",
                        "url": "https://ubuntu.com/security/CVE-2025-40279",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: act_connmark: initialize struct tc_ife to fix kernel leak  In tcf_connmark_dump(), the variable 'opt' was partially initialized using a designated initializer, while the padding bytes remained uninitialized. Because nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace.  Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to being copied.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40280",
                        "url": "https://ubuntu.com/security/CVE-2025-40280",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tipc: Fix use-after-free in tipc_mon_reinit_self().  syzbot reported use-after-free of tipc_net(net)->monitors[] in tipc_mon_reinit_self(). [0]  The array is protected by RTNL, but tipc_mon_reinit_self() iterates over it without RTNL.  tipc_mon_reinit_self() is called from tipc_net_finalize(), which is always under RTNL except for tipc_net_finalize_work().  Let's hold RTNL in tipc_net_finalize_work().  [0]: BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162 Read of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989  CPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Workqueue: events tipc_net_finalize_work Call Trace:  <TASK>  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0xca/0x240 mm/kasan/report.c:482  kasan_report+0x118/0x150 mm/kasan/report.c:595  __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568  kasan_check_byte include/linux/kasan.h:399 [inline]  lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842  __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]  _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162  rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline]  rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline]  rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244  rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243  write_lock_bh include/linux/rwlock_rt.h:99 [inline]  tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718  tipc_net_finalize+0x115/0x190 net/tipc/net.c:140  process_one_work kernel/workqueue.c:3236 [inline]  
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400  kthread+0x70e/0x8a0 kernel/kthread.c:463  ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 6089:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:388 [inline]  __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405  kasan_kmalloc include/linux/kasan.h:260 [inline]  __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407  kmalloc_noprof include/linux/slab.h:905 [inline]  kzalloc_noprof include/linux/slab.h:1039 [inline]  tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657  tipc_enable_bearer net/tipc/bearer.c:357 [inline]  __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047  __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline]  tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393  tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline]  tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321  genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115  genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]  genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210  netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552  genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219  netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]  netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346  netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896  sock_sendmsg_nosec net/socket.c:714 [inline]  __sock_sendmsg+0x21c/0x270 net/socket.c:729  ____sys_sendmsg+0x508/0x820 net/socket.c:2614  ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668  __sys_sendmsg net/socket.c:2700 [inline]  __do_sys_sendmsg net/socket.c:2705 [inline]  __se_sys_sendmsg net/socket.c:2703 [inline]  __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703  do_syscall_x64 
arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/ ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40281",
                        "url": "https://ubuntu.com/security/CVE-2025-40281",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto  syzbot reported a possible shift-out-of-bounds [1]  Blamed commit added rto_alpha_max and rto_beta_max set to 1000.  It is unclear if some sctp users are setting very large rto_alpha and/or rto_beta.  In order to prevent user regression, perform the test at run time.  Also add READ_ONCE() annotations as sysctl values can change under us.  [1]  UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41 shift exponent 64 is too large for 32-bit type 'unsigned int' CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace:  <TASK>   __dump_stack lib/dump_stack.c:94 [inline]   dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120   ubsan_epilogue lib/ubsan.c:233 [inline]   __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494   sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509   sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502   sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338   sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]   sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40282",
                        "url": "https://ubuntu.com/security/CVE-2025-40282",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: 6lowpan: reset link-local header on ipv6 recv path  Bluetooth 6lowpan.c netdev has header_ops, so it must set link-local header for RX skb, otherwise things crash, eg. with AF_PACKET SOCK_RAW  Add missing skb_reset_mac_header() for uncompressed ipv6 RX path.  For the compressed one, it is done in lowpan_header_decompress().  Log: (BlueZ 6lowpan-tester Client Recv Raw - Success) ------ kernel BUG at net/core/skbuff.c:212! Call Trace: <IRQ> ... packet_rcv (net/packet/af_packet.c:2152) ... <TASK> __local_bh_enable_ip (kernel/softirq.c:407) netif_rx (net/core/dev.c:5648) chan_recv_cb (net/bluetooth/6lowpan.c:294 net/bluetooth/6lowpan.c:359) ------",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40283",
                        "url": "https://ubuntu.com/security/CVE-2025-40283",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF  There is a KASAN: slab-use-after-free read in btusb_disconnect(). Calling \"usb_driver_release_interface(&btusb_driver, data->intf)\" will free the btusb data associated with the interface. The same data is then used later in the function, hence the UAF.  Fix by moving the accesses to btusb data to before the data is free'd.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40284",
                        "url": "https://ubuntu.com/security/CVE-2025-40284",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: cancel mesh send timer when hdev removed  mesh_send_done timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone.  Cancel the timer when MGMT removes the hdev, like other MGMT timers.  Should fix the BUG: sporadically seen by BlueZ test bot (in \"Mesh - Send cancel - 1\" test).  Log: ------ BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0 ... Freed by task 36:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  __kasan_save_free_info+0x3a/0x60  __kasan_slab_free+0x43/0x70  kfree+0x103/0x500  device_release+0x9a/0x210  kobject_put+0x100/0x1e0  vhci_release+0x18b/0x240 ------",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68210",
                        "url": "https://ubuntu.com/security/CVE-2025-68210",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: avoid infinite loop due to incomplete zstd-compressed data  Currently, the decompression logic incorrectly spins if compressed data is truncated in crafted (deliberately corrupted) images.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40285",
                        "url": "https://ubuntu.com/security/CVE-2025-40285",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/server: fix possible refcount leak in smb2_sess_setup()  The reference count of ksmbd_session leaks when the session needs to reconnect. Fix this by adding the missing ksmbd_user_session_put().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40286",
                        "url": "https://ubuntu.com/security/CVE-2025-40286",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/server: fix possible memory leak in smb2_read()  Memory leak occurs when ksmbd_vfs_read() fails. Fix this by adding the missing kvfree().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40287",
                        "url": "https://ubuntu.com/security/CVE-2025-40287",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exfat: fix improper check of dentry.stream.valid_size  We found an infinite loop bug in the exFAT file system that can lead to a Denial-of-Service (DoS) condition. When a dentry in an exFAT filesystem is malformed, the following system calls — SYS_openat, SYS_ftruncate, and SYS_pwrite64 — can cause the kernel to hang.  Root cause analysis shows that the size validation code in exfat_find() does not check whether dentry.stream.valid_size is negative. As a result, the system calls mentioned above can succeed and eventually trigger the DoS issue.  This patch adds a check for negative dentry.stream.valid_size to prevent this vulnerability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40288",
                        "url": "https://ubuntu.com/security/CVE-2025-40288",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices  Previously, APU platforms (and other scenarios with uninitialized VRAM managers) triggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root cause is not that the `struct ttm_resource_manager *man` pointer itself is NULL, but that `man->bdev` (the backing device pointer within the manager) remains uninitialized (NULL) on APUs—since APUs lack dedicated VRAM and do not fully set up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to acquire `man->bdev->lru_lock`, it dereferences the NULL `man->bdev`, leading to a kernel OOPS.  1. **amdgpu_cs.c**: Extend the existing bandwidth control check in    `amdgpu_cs_get_threshold_for_moves()` to include a check for    `ttm_resource_manager_used()`. If the manager is not used (uninitialized    `bdev`), return 0 for migration thresholds immediately—skipping VRAM-specific    logic that would trigger the NULL dereference.  2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info    reporting to use a conditional: if the manager is used, return the real VRAM    usage; otherwise, return 0. This avoids accessing `man->bdev` when it is    NULL.  3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function)    data write path. Use `ttm_resource_manager_used()` to check validity: if the    manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set    `fb_usage` to 0 (APUs have no discrete framebuffer to report).  This approach is more robust than APU-specific checks because it: - Works for all scenarios where the VRAM manager is uninitialized (not just APUs), - Aligns with TTM's design by using its native helper function, - Preserves correct behavior for discrete GPUs (which have fully initialized   `man->bdev` and pass the `ttm_resource_manager_used()` check).  
v4: use ttm_resource_manager_used(&adev->mman.vram_mgr.manager) instead of checking the adev->gmc.is_app_apu flag (Christian)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40289",
                        "url": "https://ubuntu.com/security/CVE-2025-40289",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM  Otherwise accessing them can cause a crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68201",
                        "url": "https://ubuntu.com/security/CVE-2025-68201",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: remove two invalid BUG_ON()s  Those can be triggered trivially by userspace.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68207",
                        "url": "https://ubuntu.com/security/CVE-2025-68207",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Synchronize Dead CT worker with unbind  Cancel and wait for any Dead CT worker to complete before continuing with device unbinding. Otherwise the worker will end up using resources freed by the unbind operation.  (cherry picked from commit 492671339114e376aaa38626d637a2751cdef263)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68244",
                        "url": "https://ubuntu.com/security/CVE-2025-68244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD  On completion of i915_vma_pin_ww(), a synchronous variant of dma_fence_work_commit() is called.  When pinning a VMA to GGTT address space on a Cherry View family processor, or on a Broxton generation SoC with VTD enabled, i.e., when stop_machine() is then called from intel_ggtt_bind_vma(), that can potentially lead to lock inversion among reservation_ww and cpu_hotplug locks.  [86.861179] ====================================================== [86.861193] WARNING: possible circular locking dependency detected [86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G     U [86.861226] ------------------------------------------------------ [86.861238] i915_module_loa/1432 is trying to acquire lock: [86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50 [86.861290] but task is already holding lock: [86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915] [86.862233] which lock already depends on the new lock. 
[86.862251] the existing dependency chain (in reverse order) is: [86.862265] -> #5 (reservation_ww_class_mutex){+.+.}-{3:3}: [86.862292]        dma_resv_lockdep+0x19a/0x390 [86.862315]        do_one_initcall+0x60/0x3f0 [86.862334]        kernel_init_freeable+0x3cd/0x680 [86.862353]        kernel_init+0x1b/0x200 [86.862369]        ret_from_fork+0x47/0x70 [86.862383]        ret_from_fork_asm+0x1a/0x30 [86.862399] -> #4 (reservation_ww_class_acquire){+.+.}-{0:0}: [86.862425]        dma_resv_lockdep+0x178/0x390 [86.862440]        do_one_initcall+0x60/0x3f0 [86.862454]        kernel_init_freeable+0x3cd/0x680 [86.862470]        kernel_init+0x1b/0x200 [86.862482]        ret_from_fork+0x47/0x70 [86.862495]        ret_from_fork_asm+0x1a/0x30 [86.862509] -> #3 (&mm->mmap_lock){++++}-{3:3}: [86.862531]        down_read_killable+0x46/0x1e0 [86.862546]        lock_mm_and_find_vma+0xa2/0x280 [86.862561]        do_user_addr_fault+0x266/0x8e0 [86.862578]        exc_page_fault+0x8a/0x2f0 [86.862593]        asm_exc_page_fault+0x27/0x30 [86.862607]        filldir64+0xeb/0x180 [86.862620]        kernfs_fop_readdir+0x118/0x480 [86.862635]        iterate_dir+0xcf/0x2b0 [86.862648]        __x64_sys_getdents64+0x84/0x140 [86.862661]        x64_sys_call+0x1058/0x2660 [86.862675]        do_syscall_64+0x91/0xe90 [86.862689]        entry_SYSCALL_64_after_hwframe+0x76/0x7e [86.862703] -> #2 (&root->kernfs_rwsem){++++}-{3:3}: [86.862725]        down_write+0x3e/0xf0 [86.862738]        kernfs_add_one+0x30/0x3c0 [86.862751]        kernfs_create_dir_ns+0x53/0xb0 [86.862765]        internal_create_group+0x134/0x4c0 [86.862779]        sysfs_create_group+0x13/0x20 [86.862792]        topology_add_dev+0x1d/0x30 [86.862806]        cpuhp_invoke_callback+0x4b5/0x850 [86.862822]        cpuhp_issue_call+0xbf/0x1f0 [86.862836]        __cpuhp_setup_state_cpuslocked+0x111/0x320 [86.862852]        __cpuhp_setup_state+0xb0/0x220 [86.862866]        topology_sysfs_init+0x30/0x50 [86.862879]        
do_one_initcall+0x60/0x3f0 [86.862893]        kernel_init_freeable+0x3cd/0x680 [86.862908]        kernel_init+0x1b/0x200 [86.862921]        ret_from_fork+0x47/0x70 [86.862934]        ret_from_fork_asm+0x1a/0x30 [86.862947] -> #1 (cpuhp_state_mutex){+.+.}-{3:3}: [86.862969]        __mutex_lock+0xaa/0xed0 [86.862982]        mutex_lock_nested+0x1b/0x30 [86.862995]        __cpuhp_setup_state_cpuslocked+0x67/0x320 [86.863012]        __cpuhp_setup_state+0xb0/0x220 [86.863026]        page_alloc_init_cpuhp+0x2d/0x60 [86.863041]        mm_core_init+0x22/0x2d0 [86.863054]        start_kernel+0x576/0xbd0 [86.863068]        x86_64_start_reservations+0x18/0x30 [86.863084]        x86_64_start_kernel+0xbf/0x110 [86.863098]        common_startup_64+0x13e/0x141 [86.863114] -> #0 (cpu_hotplug_lock){++++}-{0:0}: [86.863135]        __lock_acquire+0x16 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68316",
                        "url": "https://ubuntu.com/security/CVE-2025-68316",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: ufs: core: Fix invalid probe error return value  After DME Link Startup, the error return value is set to the MIPI UniPro GenericErrorCode which can be 0 (SUCCESS) or 1 (FAILURE).  Upon failure during driver probe, the error code 1 is propagated back to the driver probe function which must return a negative value to indicate an error, but 1 is not negative, so the probe is considered to be successful even though it failed.  Subsequently, removing the driver results in an oops because it is not in a valid state.  This happens because none of the callers of ufshcd_init() expect a non-negative error code.  Fix the return value and documentation to match actual usage.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40292",
                        "url": "https://ubuntu.com/security/CVE-2025-40292",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: fix received length check in big packets  Since commit 4959aebba8c0 (\"virtio-net: use mtu size as buffer length for big packets\"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi->big_packets_num_skbfrags.  Because the host announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce incorrect length), we need a check in virtio_net receive path. Currently, the check is not adapted to the new change which can lead to NULL page pointer dereference in the below while loop when receiving length that is larger than the allocated one.  This commit fixes the received length check corresponding to the new change.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68180",
                        "url": "https://ubuntu.com/security/CVE-2025-68180",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Fix NULL deref in debugfs odm_combine_segments  When a connector is connected but inactive (e.g., disabled by desktop environments), pipe_ctx->stream_res.tg will be destroyed. Then, reading odm_combine_segments causes kernel NULL pointer dereference.   BUG: kernel NULL pointer dereference, address: 0000000000000000  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  PGD 0 P4D 0  Oops: Oops: 0000 [#1] SMP NOPTI  CPU: 16 UID: 0 PID: 26474 Comm: cat Not tainted 6.17.0+ #2 PREEMPT(lazy) e6a17af9ee6db7c63e9d90dbe5b28ccab67520c6  Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN25WW 03/27/2025  RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]  Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>  RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286  RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8  RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000  RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0  R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08  R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001  FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0  PKRU: 55555554  Call Trace:   <TASK>   seq_read_iter+0x125/0x490   ? __alloc_frozen_pages_noprof+0x18f/0x350   seq_read+0x12c/0x170   full_proxy_read+0x51/0x80   vfs_read+0xbc/0x390   ? __handle_mm_fault+0xa46/0xef0   ? do_syscall_64+0x71/0x900   ksys_read+0x73/0xf0   do_syscall_64+0x71/0x900   ? count_memcg_events+0xc2/0x190   ? handle_mm_fault+0x1d7/0x2d0   ? do_user_addr_fault+0x21a/0x690   ? 
exc_page_fault+0x7e/0x1a0   entry_SYSCALL_64_after_hwframe+0x6c/0x74  RIP: 0033:0x7f44d4031687  Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00>  RSP: 002b:00007ffdb4b5f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000  RAX: ffffffffffffffda RBX: 00007f44d3f9f740 RCX: 00007f44d4031687  RDX: 0000000000040000 RSI: 00007f44d3f5e000 RDI: 0000000000000003  RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000  R10: 0000000000000000 R11: 0000000000000202 R12: 00007f44d3f5e000  R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000040000   </TASK>  Modules linked in: tls tcp_diag inet_diag xt_mark ccm snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device x>   snd_hda_codec_atihdmi snd_hda_codec_realtek_lib lenovo_wmi_helpers think_lmi snd_hda_codec_generic snd_hda_codec_hdmi snd_soc_core kvm snd_compress uvcvideo sn>   platform_profile joydev amd_pmc mousedev mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics loop nfnetlink ip_tables x_tables dm_cryp>  CR2: 0000000000000000  ---[ end trace 0000000000000000 ]---  RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]  Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>  RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286  RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8  RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000  RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0  R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08  R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001  FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000000 CR3: 00000006485c2000 
CR4: 0000000000f50ef0  PKRU: 55555554  Fix this by checking pipe_ctx-> ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40327",
                        "url": "https://ubuntu.com/security/CVE-2025-40327",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/core: Fix system hang caused by cpu-clock usage  cpu-clock usage by the async-profiler tool can trigger a system hang, which got bisected back to the following commit by Octavia Togami:    18dbcbfabfff (\"perf: Fix the POLL_HUP delivery breakage\") causes this issue  The root cause of the hang is that cpu-clock is a special type of SW event which relies on hrtimers. The __perf_event_overflow() callback is invoked from the hrtimer handler for cpu-clock events, and __perf_event_overflow() tries to call cpu_clock_event_stop() to stop the event, which calls htimer_cancel() to cancel the hrtimer.  But that's a recursion into the hrtimer code from a hrtimer handler, which (unsurprisingly) deadlocks.  To fix this bug, use hrtimer_try_to_cancel() instead, and set the PERF_HES_STOPPED flag, which causes perf_swevent_hrtimer() to stop the event once it sees the PERF_HES_STOPPED flag.  [ mingo: Fixed the comments and improved the changelog. ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40328",
                        "url": "https://ubuntu.com/security/CVE-2025-40328",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix potential UAF in smb2_close_cached_fid()  find_or_create_cached_dir() could grab a new reference after kref_put() had seen the refcount drop to zero but before cfid_list_lock is acquired in smb2_close_cached_fid(), leading to use-after-free.  Switch to kref_put_lock() so cfid_release() is called with cfid_list_lock held, closing that gap.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40291",
                        "url": "https://ubuntu.com/security/CVE-2025-40291",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring: fix regbuf vector size truncation  There is a report of io_estimate_bvec_size() truncating the calculated number of segments that leads to corruption issues. Check it doesn't overflow \"int\"s used later. Rough but simple, can be improved on top.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68322",
                        "url": "https://ubuntu.com/security/CVE-2025-68322",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  parisc: Avoid crash due to unaligned access in unwinder  Guenter Roeck reported this kernel crash on his emulated B160L machine:  Starting network: udhcpc: started, v1.36.1  Backtrace:   [<104320d4>] unwind_once+0x1c/0x5c   [<10434a00>] walk_stackframe.isra.0+0x74/0xb8   [<10434a6c>] arch_stack_walk+0x28/0x38   [<104e5efc>] stack_trace_save+0x48/0x5c   [<105d1bdc>] set_track_prepare+0x44/0x6c   [<105d9c80>] ___slab_alloc+0xfc4/0x1024   [<105d9d38>] __slab_alloc.isra.0+0x58/0x90   [<105dc80c>] kmem_cache_alloc_noprof+0x2ac/0x4a0   [<105b8e54>] __anon_vma_prepare+0x60/0x280   [<105a823c>] __vmf_anon_prepare+0x68/0x94   [<105a8b34>] do_wp_page+0x8cc/0xf10   [<105aad88>] handle_mm_fault+0x6c0/0xf08   [<10425568>] do_page_fault+0x110/0x440   [<10427938>] handle_interruption+0x184/0x748   [<11178398>] schedule+0x4c/0x190   BUG: spinlock recursion on CPU#0, ifconfig/2420   lock: terminate_lock.2+0x0/0x1c, .magic: dead4ead, .owner: ifconfig/2420, .owner_cpu: 0  While creating the stack trace, the unwinder uses the stack pointer to guess the previous frame to read the previous stack pointer from memory.  The crash happens, because the unwinder tries to read from unaligned memory and as such triggers the unalignment trap handler which then leads to the spinlock recursion and finally to a deadlock.  Fix it by checking the alignment before accessing the memory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40293",
                        "url": "https://ubuntu.com/security/CVE-2025-40293",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iommufd: Don't overflow during division for dirty tracking  If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow to 0 and this triggers divide by 0.  In this case the index should just be 0, so reorganize things to divide by shift and avoid hitting any overflows.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40294",
                        "url": "https://ubuntu.com/security/CVE-2025-40294",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()  In the parse_adv_monitor_pattern() function, the value of the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251). The size of the 'value' array in the mgmt_adv_pattern structure is 31. If the value of 'pattern[i].length' is set in the user space and exceeds 31, the 'patterns[i].value' array can be accessed out of bound when copied.  Increasing the size of the 'value' array in the 'mgmt_adv_pattern' structure will break the userspace. Considering this, and to avoid OOB access revert the limits for 'offset' and 'length' back to the value of HCI_MAX_AD_LENGTH.  Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40329",
                        "url": "https://ubuntu.com/security/CVE-2025-40329",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb  The Mesa issue referenced below pointed out a possible deadlock:  [ 1231.611031]  Possible interrupt unsafe locking scenario:  [ 1231.611033]        CPU0                    CPU1 [ 1231.611034]        ----                    ---- [ 1231.611035]   lock(&xa->xa_lock#17); [ 1231.611038]                                local_irq_disable(); [ 1231.611039]                                lock(&fence->lock); [ 1231.611041]                                lock(&xa->xa_lock#17); [ 1231.611044]   <Interrupt> [ 1231.611045]     lock(&fence->lock); [ 1231.611047]                 *** DEADLOCK ***  In this example, CPU0 would be any function accessing job->dependencies through the xa_* functions that don't disable interrupts (eg: drm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()).  CPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling callback so in an interrupt context. It will deadlock when trying to grab the xa_lock which is already held by CPU0.  Replacing all xa_* usage by their xa_*_irq counterparts would fix this issue, but Christian pointed out another issue: dma_fence_signal takes fence.lock and so does dma_fence_add_callback.    dma_fence_signal() // locks f1.lock   -> drm_sched_entity_kill_jobs_cb()   -> foreach dependencies      -> dma_fence_add_callback() // locks f2.lock  This will deadlock if f1 and f2 share the same spinlock.  To fix both issues, the code iterating on dependencies and re-arming them is moved out to drm_sched_entity_kill_jobs_work().  [phasta: commit message nits]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40295",
                        "url": "https://ubuntu.com/security/CVE-2025-40295",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT  When simulating an nvme device on qemu with both logical_block_size and physical_block_size set to 8 KiB, an error trace appears during partition table reading at boot time. The issue is caused by inode->i_blkbits being larger than PAGE_SHIFT, which leads to a left shift of -1 and triggering a UBSAN warning.  [    2.697306] ------------[ cut here ]------------ [    2.697309] UBSAN: shift-out-of-bounds in fs/crypto/inline_crypt.c:336:37 [    2.697311] shift exponent -1 is negative [    2.697315] CPU: 3 UID: 0 PID: 274 Comm: (udev-worker) Not tainted 6.18.0-rc2+ #34 PREEMPT(voluntary) [    2.697317] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [    2.697320] Call Trace: [    2.697324]  <TASK> [    2.697325]  dump_stack_lvl+0x76/0xa0 [    2.697340]  dump_stack+0x10/0x20 [    2.697342]  __ubsan_handle_shift_out_of_bounds+0x1e3/0x390 [    2.697351]  bh_get_inode_and_lblk_num.cold+0x12/0x94 [    2.697359]  fscrypt_set_bio_crypt_ctx_bh+0x44/0x90 [    2.697365]  submit_bh_wbc+0xb6/0x190 [    2.697370]  block_read_full_folio+0x194/0x270 [    2.697371]  ? __pfx_blkdev_get_block+0x10/0x10 [    2.697375]  ? __pfx_blkdev_read_folio+0x10/0x10 [    2.697377]  blkdev_read_folio+0x18/0x30 [    2.697379]  filemap_read_folio+0x40/0xe0 [    2.697382]  filemap_get_pages+0x5ef/0x7a0 [    2.697385]  ? mmap_region+0x63/0xd0 [    2.697389]  filemap_read+0x11d/0x520 [    2.697392]  blkdev_read_iter+0x7c/0x180 [    2.697393]  vfs_read+0x261/0x390 [    2.697397]  ksys_read+0x71/0xf0 [    2.697398]  __x64_sys_read+0x19/0x30 [    2.697399]  x64_sys_call+0x1e88/0x26a0 [    2.697405]  do_syscall_64+0x80/0x670 [    2.697410]  ? __x64_sys_newfstat+0x15/0x20 [    2.697414]  ? x64_sys_call+0x204a/0x26a0 [    2.697415]  ? 
do_syscall_64+0xb8/0x670 [    2.697417]  ? irqentry_exit_to_user_mode+0x2e/0x2a0 [    2.697420]  ? irqentry_exit+0x43/0x50 [    2.697421]  ? exc_page_fault+0x90/0x1b0 [    2.697422]  entry_SYSCALL_64_after_hwframe+0x76/0x7e [    2.697425] RIP: 0033:0x75054cba4a06 [    2.697426] Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 [    2.697427] RSP: 002b:00007fff973723a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000 [    2.697430] RAX: ffffffffffffffda RBX: 00005ea9a2c02760 RCX: 000075054cba4a06 [    2.697432] RDX: 0000000000002000 RSI: 000075054c190000 RDI: 000000000000001b [    2.697433] RBP: 00007fff973723c0 R08: 0000000000000000 R09: 0000000000000000 [    2.697434] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 [    2.697434] R13: 00005ea9a2c027c0 R14: 00005ea9a2be5608 R15: 00005ea9a2be55f0 [    2.697436]  </TASK> [    2.697436] ---[ end trace ]---  This situation can happen for block devices because when CONFIG_TRANSPARENT_HUGEPAGE is enabled, the maximum logical_block_size is 64 KiB. set_init_blocksize() then sets the block device inode->i_blkbits to 13, which is within this limit.  File I/O does not trigger this problem because for filesystems that do not support the FS_LBS feature, sb_set_blocksize() prevents sb->s_blocksize_bits from being larger than PAGE_SHIFT. During inode allocation, alloc_inode()->inode_init_always() assigns inode->i_blkbits from sb->s_blocksize_bits. Currently, only xfs_fs_type has the FS_LBS flag, and since xfs I/O paths do not reach submit_bh_wbc(), it does not hit the left-shift underflow issue.  [EB: use folio_pos() and consolidate the two shifts by i_blkbits]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40296",
                        "url": "https://ubuntu.com/security/CVE-2025-40296",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/x86: int3472: Fix double free of GPIO device during unregister  regulator_unregister() already frees the associated GPIO device. On ThinkPad X9 (Lunar Lake), this causes a double free issue that leads to random failures when other drivers (typically Intel THC) attempt to allocate interrupts. The root cause is that the reference count of the pinctrl_intel_platform module unexpectedly drops to zero when this driver defers its probe.  This behavior can also be reproduced by unloading the module directly.  Fix the issue by removing the redundant release of the GPIO device during regulator unregistration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40297",
                        "url": "https://ubuntu.com/security/CVE-2025-40297",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: bridge: fix use-after-free due to MST port state bypass  syzbot reported[1] a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its fdbs have been flushed. The port's state has been toggled to disabled so no learning should happen at that time, but if we have MST enabled, it will bypass the port's state, that together with VLAN filtering disabled can lead to fdb learning at a time when it shouldn't happen while the port is being deleted. VLAN filtering must be disabled because we flush the port VLANs when it's being deleted which will stop learning. This fix adds a check for the port's vlan group which is initialized to NULL when the port is getting deleted, that avoids the port state bypass. When MST is enabled there would be a minimal new overhead in the fast-path because the port's vlan group pointer is cache-hot.  [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68320",
                        "url": "https://ubuntu.com/security/CVE-2025-68320",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lan966x: Fix sleeping in atomic context  The following warning was seen when we try to connect using ssh to the device.  BUG: sleeping function called from invalid context at kernel/locking/mutex.c:575 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbear preempt_count: 1, expected: 0 INFO: lockdep is turned off. CPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G        W          6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONE Tainted: [W]=WARN Hardware name: Generic DT based system Call trace:  unwind_backtrace from show_stack+0x10/0x14  show_stack from dump_stack_lvl+0x7c/0xac  dump_stack_lvl from __might_resched+0x16c/0x2b0  __might_resched from __mutex_lock+0x64/0xd34  __mutex_lock from mutex_lock_nested+0x1c/0x24  mutex_lock_nested from lan966x_stats_get+0x5c/0x558  lan966x_stats_get from dev_get_stats+0x40/0x43c  dev_get_stats from dev_seq_printf_stats+0x3c/0x184  dev_seq_printf_stats from dev_seq_show+0x10/0x30  dev_seq_show from seq_read_iter+0x350/0x4ec  seq_read_iter from seq_read+0xfc/0x194  seq_read from proc_reg_read+0xac/0x100  proc_reg_read from vfs_read+0xb0/0x2b0  vfs_read from ksys_read+0x6c/0xec  ksys_read from ret_fast_syscall+0x0/0x1c Exception stack(0xf0b11fa8 to 0xf0b11ff0) 1fa0:                   00000001 00001000 00000008 be9048d8 00001000 00000001 1fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 00000001 1fe0: 0005404c be9048c0 00018684 b6ec2cd8  It seems that we are using a mutex in a atomic context which is wrong. Change the mutex with a spinlock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68169",
                        "url": "https://ubuntu.com/security/CVE-2025-68169",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netpoll: Fix deadlock in memory allocation under spinlock  Fix a AA deadlock in refill_skbs() where memory allocation while holding skb_pool->lock can trigger a recursive lock acquisition attempt.  The deadlock scenario occurs when the system is under severe memory pressure:  1. refill_skbs() acquires skb_pool->lock (spinlock) 2. alloc_skb() is called while holding the lock 3. Memory allocator fails and calls slab_out_of_memory() 4. This triggers printk() for the OOM warning 5. The console output path calls netpoll_send_udp() 6. netpoll_send_udp() attempts to acquire the same skb_pool->lock 7. Deadlock: the lock is already held by the same CPU  Call stack:   refill_skbs()     spin_lock_irqsave(&skb_pool->lock)    <- lock acquired     __alloc_skb()       kmem_cache_alloc_node_noprof()         slab_out_of_memory()           printk()             console_flush_all()               netpoll_send_udp()                 skb_dequeue()                   spin_lock_irqsave(&skb_pool->lock)     <- deadlock attempt  This bug was exposed by commit 248f6571fd4c51 (\"netpoll: Optimize skb refilling on critical path\") which removed refill_skbs() from the critical path (where nested printk was being deferred), letting nested printk being called from inside refill_skbs()  Refactor refill_skbs() to never allocate memory while holding the spinlock.  Another possible solution to fix this problem is protecting the refill_skbs() from nested printks, basically calling printk_deferred_{enter,exit}() in refill_skbs(), then, any nested pr_warn() would be deferred.  I prefer this approach, given I _think_ it might be a good idea to move the alloc_skb() from GFP_ATOMIC to GFP_KERNEL in the future, so, having the alloc_skb() outside of the lock will be necessary step.  
There is a possible TOCTOU window between checking the pool length and queueing the newly allocated skb, but this is not a problem: an extra SKB in the pool is harmless and will eventually be used.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68197",
                        "url": "https://ubuntu.com/security/CVE-2025-68197",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()  With older FW, we may get the ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER for FW trace data type that has not been initialized.  This will result in a crash in bnxt_bs_trace_type_wrap().  Add a guard to check for a valid magic_byte pointer before proceeding.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40330",
                        "url": "https://ubuntu.com/security/CVE-2025-40330",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Shutdown FW DMA in bnxt_shutdown()  The netif_close() call in bnxt_shutdown() only stops packet DMA.  There may be FW DMA for trace logging (recently added) that will continue.  If we kexec to a new kernel, the DMA will corrupt memory in the new kernel.  Add bnxt_hwrm_func_drv_unrgtr() to unregister the driver from the FW. This will stop the FW DMA.  In case the call fails, call pcie_flr() to reset the function and stop the DMA.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68192",
                        "url": "https://ubuntu.com/security/CVE-2025-68192",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup  Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. This can trigger kernel panics on ARM64 when xfrm or other subsystems access the offset due to strict alignment checks.  Initialize the MAC header to prevent such crashes.  This can trigger kernel panics on ARM when running IPsec over the qmimux0 interface.  Example trace:      Internal error: Oops: 000000009600004f [#1] SMP     CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1     Hardware name: LS1028A RDB Board (DT)     pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)     pc : xfrm_input+0xde8/0x1318     lr : xfrm_input+0x61c/0x1318     sp : ffff800080003b20     Call trace:      xfrm_input+0xde8/0x1318      xfrm6_rcv+0x38/0x44      xfrm6_esp_rcv+0x48/0xa8      ip6_protocol_deliver_rcu+0x94/0x4b0      ip6_input_finish+0x44/0x70      ip6_input+0x44/0xc0      ipv6_rcv+0x6c/0x114      __netif_receive_skb_one_core+0x5c/0x8c      __netif_receive_skb+0x18/0x60      process_backlog+0x78/0x17c      __napi_poll+0x38/0x180      net_rx_action+0x168/0x2f0",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40331",
                        "url": "https://ubuntu.com/security/CVE-2025-40331",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: Prevent TOCTOU out-of-bounds write  For the following path not holding the sock lock,    sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()  make sure not to exceed bounds in case the address list has grown between buffer allocation (time-of-check) and write (time-of-use).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68187",
                        "url": "https://ubuntu.com/security/CVE-2025-68187",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: mdio: Check regmap pointer returned by device_node_to_regmap()  The call to device_node_to_regmap() in airoha_mdio_probe() can return an ERR_PTR() if regmap initialization fails. Currently, the driver stores the pointer without validation, which could lead to a crash if it is later dereferenced.  Add an IS_ERR() check and return the corresponding error code to make the probe path more robust.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68167",
                        "url": "https://ubuntu.com/security/CVE-2025-68167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gpiolib: fix invalid pointer access in debugfs  If the memory allocation in gpiolib_seq_start() fails, the s->private field remains uninitialized and is later dereferenced without checking in gpiolib_seq_stop(). Initialize s->private to NULL before calling kzalloc() and check it before dereferencing it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68319",
                        "url": "https://ubuntu.com/security/CVE-2025-68319",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netconsole: Acquire su_mutex before navigating configs hierarchy  There is a race between operations that iterate over the userdata cg_children list and concurrent add/remove of userdata items through configfs. The update_userdata() function iterates over the nt->userdata_group.cg_children list, and count_extradata_entries() also iterates over this same list to count nodes.  Quoting from Documentation/filesystems/configfs.rst: > A subsystem can navigate the cg_children list and the ci_parent pointer > to see the tree created by the subsystem.  This can race with configfs' > management of the hierarchy, so configfs uses the subsystem mutex to > protect modifications.  Whenever a subsystem wants to navigate the > hierarchy, it must do so under the protection of the subsystem > mutex.  Without proper locking, if a userdata item is added or removed concurrently while these functions are iterating, the list can be accessed in an inconsistent state. For example, the list_for_each() loop can reach a node that is being removed from the list by list_del_init() which sets the nodes' .next pointer to point to itself, so the loop will never end (or reach the WARN_ON_ONCE in update_userdata() ).  Fix this by holding the configfs subsystem mutex (su_mutex) during all operations that iterate over cg_children. This includes: - userdatum_value_store() which calls update_userdata() to iterate over   cg_children - All sysdata_*_enabled_store() functions which call   count_extradata_entries() to iterate over cg_children  The su_mutex must be acquired before dynamic_netconsole_mutex to avoid potential lock ordering issues, as configfs operations may already hold su_mutex when calling into our code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40298",
                        "url": "https://ubuntu.com/security/CVE-2025-40298",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: Implement settime64 with -EOPNOTSUPP  ptp_clock_settime() assumes every ptp_clock has implemented settime64(). Stub it with -EOPNOTSUPP to prevent a NULL dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40299",
                        "url": "https://ubuntu.com/security/CVE-2025-40299",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: Implement gettimex64 with -EOPNOTSUPP  gve implemented a ptp_clock for sole use of do_aux_work at this time. ptp_clock_gettime() and ptp_sys_offset() assume every ptp_clock has implemented either gettimex64 or gettime64. Stub gettimex64 and return -EOPNOTSUPP to prevent NULL dereferencing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40301",
                        "url": "https://ubuntu.com/security/CVE-2025-40301",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: validate skb length for unknown CC opcode  In hci_cmd_complete_evt(), if the command complete event has an unknown opcode, we assume the first byte of the remaining skb->data contains the return status. However, parameter data has previously been pulled in hci_event_func(), which may leave the skb empty. If so, using skb->data[0] for the return status uses un-init memory.  The fix is to check skb->len before using skb->data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40358",
                        "url": "https://ubuntu.com/security/CVE-2025-40358",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: stacktrace: Disable KASAN checks for non-current tasks  When unwinding the stack of a task other than current, KASAN would report \"BUG: KASAN: out-of-bounds in walk_stackframe+0x41c/0x460\"  The same issue existed on x86 and was resolved by commit 84936118bdf3 (\"x86/unwind: Disable KASAN checks for non-current tasks\"). The solution could be applied to RISC-V too.  This patch can also solve the issue: https://seclists.org/oss-sec/2025/q4/23  [pjw@kernel.org: clean up checkpatch issues]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68186",
                        "url": "https://ubuntu.com/security/CVE-2025-68186",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up  The function ring_buffer_map_get_reader() is a bit more strict than the other get reader functions, and except for certain situations the rb_get_reader_page() should not return NULL. If it does, it triggers a warning.  This warning was triggering but after looking at why, it was because another acceptable situation was happening and it wasn't checked for.  If the reader catches up to the writer and there's still data to be read on the reader page, then the rb_get_reader_page() will return NULL as there's no new page to get.  In this situation, the reader page should not be updated and no warning should trigger.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68184",
                        "url": "https://ubuntu.com/security/CVE-2025-68184",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/mediatek: Disable AFBC support on Mediatek DRM driver  Commit c410fa9b07c3 (\"drm/mediatek: Add AFBC support to Mediatek DRM driver\") added AFBC support to Mediatek DRM and enabled the 32x8/split/sparse modifier.  However, this is currently broken on Mediatek MT8188 (Genio 700 EVK platform); tested using upstream Kernel and Mesa (v25.2.1), AFBC is used by default since Mesa v25.0.  Kernel trace reports vblank timeouts constantly, and the render is garbled:  ``` [CRTC:62:crtc-0] vblank wait timed out WARNING: CPU: 7 PID: 70 at drivers/gpu/drm/drm_atomic_helper.c:1835 drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c [...] Hardware name: MediaTek Genio-700 EVK (DT) Workqueue: events_unbound commit_work pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c lr : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c sp : ffff80008337bca0 x29: ffff80008337bcd0 x28: 0000000000000061 x27: 0000000000000000 x26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c9dcc000 x23: 0000000000000001 x22: 0000000000000000 x21: ffff0000c66f2f80 x20: ffff0000c0d7d880 x19: 0000000000000000 x18: 000000000000000a x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000000 x14: 0000000000000000 x13: 74756f2064656d69 x12: 742074696177206b x11: 0000000000000058 x10: 0000000000000018 x9 : ffff800082396a70 x8 : 0000000000057fa8 x7 : 0000000000000cce x6 : ffff8000823eea70 x5 : ffff0001fef5f408 x4 : ffff80017ccee000 x3 : ffff0000c12cb480 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c12cb480 Call trace:  drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c (P)  drm_atomic_helper_commit_tail_rpm+0x64/0x80  commit_tail+0xa4/0x1a4  commit_work+0x14/0x20  process_one_work+0x150/0x290  worker_thread+0x2d0/0x3ec  kthread+0x12c/0x210  ret_from_fork+0x10/0x20 ---[ end trace 0000000000000000 ]--- 
```  Until this gets fixed upstream, disable AFBC support on this platform, as it's currently broken with upstream Mesa.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40302",
                        "url": "https://ubuntu.com/security/CVE-2025-40302",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: videobuf2: forbid remove_bufs when legacy fileio is active  vb2_ioctl_remove_bufs() call manipulates queue internal buffer list, potentially overwriting some pointers used by the legacy fileio access mode. Forbid that ioctl when fileio is active to protect internal queue state between subsequent read/write calls.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40303",
                        "url": "https://ubuntu.com/security/CVE-2025-40303",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: ensure no dirty metadata is written back for an fs with errors  [BUG] During development of a minor feature (make sure all btrfs_bio::end_io() is called in task context), I noticed a crash in generic/388, where metadata writes triggered new works after btrfs_stop_all_workers().  It turns out that it can even happen without any code modification, just using RAID5 for metadata and the same workload from generic/388 is going to trigger the use-after-free.  [CAUSE] If btrfs hits an error, the fs is marked as error, no new transaction is allowed thus metadata is in a frozen state.  But there are some metadata modifications before that error, and they are still in the btree inode page cache.  Since there will be no real transaction commit, all those dirty folios are just kept as is in the page cache, and they can not be invalidated by invalidate_inode_pages2() call inside close_ctree(), because they are dirty.  And finally after btrfs_stop_all_workers(), we call iput() on btree inode, which triggers writeback of those dirty metadata.  And if the fs is using RAID56 metadata, this will trigger RMW and queue new works into rmw_workers, which is already stopped, causing warning from queue_work() and use-after-free.  [FIX] Add a special handling for write_one_eb(), that if the fs is already in an error state, immediately mark the bbio as failure, instead of really submitting them.  Then during close_ctree(), iput() will just discard all those dirty tree blocks without really writing them back, thus no more new jobs for already stopped-and-freed workqueues.  The extra discard in write_one_eb() also acts as an extra safenet. E.g. the transaction abort is triggered by some extent/free space tree corruptions, and since extent/free space tree is already corrupted some tree blocks may be allocated where they shouldn't be (overwriting existing tree blocks). 
In that case writing them back will further corrupting the fs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40362",
                        "url": "https://ubuntu.com/security/CVE-2025-40362",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ceph: fix multifs mds auth caps issue  The mds auth caps check should also validate the fsname along with the associated caps. Not doing so would result in applying the mds auth caps of one fs on to the other fs in a multifs ceph cluster. The bug causes multiple issues w.r.t user authentication, following is one such example.  Steps to Reproduce (on vstart cluster): 1. Create two file systems in a cluster, say 'fsname1' and 'fsname2' 2. Authorize read only permission to the user 'client.usr' on fs 'fsname1'     $ceph fs authorize fsname1 client.usr / r 3. Authorize read and write permission to the same user 'client.usr' on fs 'fsname2'     $ceph fs authorize fsname2 client.usr / rw 4. Update the keyring     $ceph auth get client.usr >> ./keyring  With above permssions for the user 'client.usr', following is the expectation.   a. The 'client.usr' should be able to only read the contents      and not allowed to create or delete files on file system 'fsname1'.   b. The 'client.usr' should be able to read/write on file system 'fsname2'.  But, with this bug, the 'client.usr' is allowed to read/write on file system 'fsname1'. See below.  5. Mount the file system 'fsname1' with the user 'client.usr'      $sudo bin/mount.ceph usr@.fsname1=/ /kmnt_fsname1_usr/ 6. Try creating a file on file system 'fsname1' with user 'client.usr'. This    should fail but passes with this bug.      $touch /kmnt_fsname1_usr/file1 7. Mount the file system 'fsname1' with the user 'client.admin' and create a    file.      $sudo bin/mount.ceph admin@.fsname1=/ /kmnt_fsname1_admin      $echo \"data\" > /kmnt_fsname1_admin/admin_file1 8. Try removing an existing file on file system 'fsname1' with the user    'client.usr'. This shoudn't succeed but succeeds with the bug.      
$rm -f /kmnt_fsname1_usr/admin_file1  For more information, please take a look at the corresponding mds/fuse patch and tests added by looking into the tracker mentioned below.  v2: Fix a possible null dereference in doutc v3: Don't store fsname from mdsmap, validate against     ceph_mount_options's fsname and use it v4: Code refactor, better warning message and     fix possible compiler warning  [ Slava.Dubeyko: \"fsname check failed\" -> \"fsname mismatch\" ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40332",
                        "url": "https://ubuntu.com/security/CVE-2025-40332",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Fix mmap write lock not release  If the mmap write lock is taken while draining retry faults, the mmap write lock is not released, because svm_range_restore_pages calls mmap_read_unlock and then returns. This causes a deadlock and later system hangs, because the mmap read or write lock can no longer be taken.  Downgrading the mmap write lock to a read lock when draining retry faults fixes this bug.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40304",
                        "url": "https://ubuntu.com/security/CVE-2025-40304",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds  Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen edges. Return early if the Y position is off-screen and clip image height to screen boundary. Break from the rendering loop if the X position is off-screen. When clipping image width to fit the screen, update the character count to match the clipped width to prevent buffer size mismatches.  Without the character count update, bit_putcs_aligned and bit_putcs_unaligned receive mismatched parameters where the buffer is allocated for the clipped width but cnt reflects the original larger count, causing out-of-bounds writes.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40305",
                        "url": "https://ubuntu.com/security/CVE-2025-40305",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN  p9_read_work() doesn't set Rworksched and doesn't do schedule_work(m->rq) if list_empty(&m->req_list).  However, if the pipe is full, we need to read more data and this used to work prior to commit aaec5a95d59615 (\"pipe_read: don't wake up the writer if the pipe is still full\").  p9_read_work() does p9_fd_read() -> ... -> anon_pipe_read() which (before the commit above) triggered the unnecessary wakeup. This wakeup calls p9_pollwake() which kicks p9_poll_workfn() -> p9_poll_mux(), p9_poll_mux() will notice EPOLLIN and schedule_work(&m->rq).  This no longer happens after the optimization above, change p9_fd_request() to use p9_poll_mux() instead of only checking for EPOLLOUT.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68318",
                        "url": "https://ubuntu.com/security/CVE-2025-68318",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL  The AXI crossbar of TH1520 has no proper timeout handling, which means gating AXI clocks can easily lead to bus timeout and thus system hang.  Set all AXI clock gates to CLK_IS_CRITICAL. All these clock gates are ungated by default on system reset.  In addition, convert all current CLK_IGNORE_UNUSED usage to CLK_IS_CRITICAL to prevent unwanted clock gating.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40209",
                        "url": "https://ubuntu.com/security/CVE-2025-40209",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation  When btrfs_add_qgroup_relation() is called with invalid qgroup levels (src >= dst), the function returns -EINVAL directly without freeing the preallocated qgroup_list structure passed by the caller. This causes a memory leak because the caller unconditionally sets the pointer to NULL after the call, preventing any cleanup.  The issue occurs because the level validation check happens before the mutex is acquired and before any error handling path that would free the prealloc pointer. On this early return, the cleanup code at the 'out' label (which includes kfree(prealloc)) is never reached.  In btrfs_ioctl_qgroup_assign(), the code pattern is:      prealloc = kzalloc(sizeof(*prealloc), GFP_KERNEL);     ret = btrfs_add_qgroup_relation(trans, sa->src, sa->dst, prealloc);     prealloc = NULL;  // Always set to NULL regardless of return value     ...     kfree(prealloc);  // This becomes kfree(NULL), does nothing  When the level check fails, 'prealloc' is never freed by either the callee or the caller, resulting in a 64-byte memory leak per failed operation. This can be triggered repeatedly by an unprivileged user with access to a writable btrfs mount, potentially exhausting kernel memory.  Fix this by freeing prealloc before the early return, ensuring prealloc is always freed on all error paths.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-21 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68183",
                        "url": "https://ubuntu.com/security/CVE-2025-68183",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr  Currently when both IMA and EVM are in fix mode, the IMA signature will be reset to IMA hash if a program first stores IMA signature in security.ima and then writes/removes some other security xattr for the file.  For example, on Fedora, after booting the kernel with \"ima_appraise=fix evm=fix ima_policy=appraise_tcb\" and installing rpm-plugin-ima, installing/reinstalling a package will not make good reference IMA signature generated. Instead IMA hash is generated,      # getfattr -m - -d -e hex /usr/bin/bash     # file: usr/bin/bash     security.ima=0x0404...  This happens because when setting security.selinux, the IMA_DIGSIG flag that had been set early was cleared. As a result, IMA hash is generated when the file is closed.  Similarly, IMA signature can be cleared on file close after removing security xattr like security.evm or setting/removing ACL.  Prevent replacing the IMA file signature with a file hash, by preventing the IMA_DIGSIG flag from being reset.  
Here's a minimal C reproducer which sets security.selinux as the last step which can also replaced by removing security.evm or setting ACL,      #include <stdio.h>     #include <sys/xattr.h>     #include <fcntl.h>     #include <unistd.h>     #include <string.h>     #include <stdlib.h>      int main() {         const char* file_path = \"/usr/sbin/test_binary\";         const char* hex_string = \"030204d33204490066306402304\";         int length = strlen(hex_string);         char* ima_attr_value;         int fd;          fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);         if (fd == -1) {             perror(\"Error opening file\");             return 1;         }          ima_attr_value = (char*)malloc(length / 2 );         for (int i = 0, j = 0; i < length; i += 2, j++) {             sscanf(hex_string + i, \"%2hhx\", &ima_attr_value[j]);         }          if (fsetxattr(fd, \"security.ima\", ima_attr_value, length/2, 0) == -1) {             perror(\"Error setting extended attribute\");             close(fd);             return 1;         }          const char* selinux_value= \"system_u:object_r:bin_t:s0\";         if (fsetxattr(fd, \"security.selinux\", selinux_value, strlen(selinux_value), 0) == -1) {             perror(\"Error setting extended attribute\");             close(fd);             return 1;         }          close(fd);          return 0;     }",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68173",
                        "url": "https://ubuntu.com/security/CVE-2025-68173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ftrace: Fix softlockup in ftrace_module_enable  A soft lockup was observed when loading amdgpu module. If a module has a lot of traceable functions, multiple calls to kallsyms_lookup can spend too much time in an RCU critical section with preemption disabled, causing a kernel panic. This is the same issue that was fixed in commit d0b24b4e91fc (\"ftrace: Prevent RCU stall on PREEMPT_VOLUNTARY kernels\") and commit 42ea22e754ba (\"ftrace: Add cond_resched() to ftrace_graph_set_hash()\").  Fix it the same way by adding cond_resched() in ftrace_module_enable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40306",
                        "url": "https://ubuntu.com/security/CVE-2025-40306",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  orangefs: fix xattr related buffer overflow...  Willy Tarreau <w@1wt.eu> forwarded me a message from Disclosure <disclosure@aisle.com> with the following warning:  > The helper `xattr_key()` uses the pointer variable in the loop condition > rather than dereferencing it. As `key` is incremented, it remains non-NULL > (until it runs into unmapped memory), so the loop does not terminate on > valid C strings and will walk memory indefinitely, consuming CPU or hanging > the thread.  I easily reproduced this with setfattr and getfattr, causing a kernel oops, hung user processes and corrupted orangefs files. Disclosure sent along a diff (not a patch) with a suggested fix, which I based this patch on.  After xattr_key started working right, xfstest generic/069 exposed an xattr related memory leak that lead to OOM. xattr_key returns a hashed key.  When adding xattrs to the orangefs xattr cache, orangefs used hash_add, a kernel hashing macro. hash_add also hashes the key using hash_log which resulted in additions to the xattr cache going to the wrong hash bucket. generic/069 tortures a single file and orangefs does a getattr for the xattr \"security.capability\" every time. Orangefs negative caches on xattrs which includes a kmalloc. Since adds to the xattr cache were going to the wrong bucket, every getattr for \"security.capability\" resulted in another kmalloc, none of which were ever freed.  I changed the two uses of hash_add to hlist_add_head instead and the memory leak ceased and generic/069 quit throwing furniture.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40307",
                        "url": "https://ubuntu.com/security/CVE-2025-40307",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exfat: validate cluster allocation bits of the allocation bitmap  syzbot created an exfat image with cluster bits not set for the allocation bitmap. exfat-fs reads and uses the allocation bitmap without checking this. The problem is that if the start cluster of the allocation bitmap is 6, cluster 6 can be allocated when creating a directory with mkdir. exfat zeros out this cluster in exfat_mkdir, which can delete existing entries. This can reallocate the allocated entries. In addition, the allocation bitmap is also zeroed out, so cluster 6 can be reallocated. This patch adds exfat_test_bitmap_range to validate that clusters used for the allocation bitmap are correctly marked as in-use.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40308",
                        "url": "https://ubuntu.com/security/CVE-2025-40308",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: bcsp: receive data only if registered  Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace:      KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]     RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590     Call Trace:      <TASK>      hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627      tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290      tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706      vfs_ioctl fs/ioctl.c:51 [inline]      __do_sys_ioctl fs/ioctl.c:907 [inline]      __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893      do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]      do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94      entry_SYSCALL_64_after_hwframe+0x77/0x7f  To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40309",
                        "url": "https://ubuntu.com/security/CVE-2025-40309",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: SCO: Fix UAF on sco_conn_free  BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline] BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline] BUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 Write of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352  CPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted 6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci13 hci_cmd_sync_work Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0x191/0x550 mm/kasan/report.c:482  kasan_report+0xc4/0x100 mm/kasan/report.c:595  sco_conn_free net/bluetooth/sco.c:87 [inline]  kref_put include/linux/kref.h:65 [inline]  sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107  sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441  hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]  hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313  hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121  hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147  hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689  hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332  process_one_work kernel/workqueue.c:3236 [inline]  process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319  worker_thread+0xbee/0x1200 kernel/workqueue.c:3400  kthread+0x3c7/0x870 kernel/kthread.c:463  ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 31370:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x70 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:388 
[inline]  __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405  kasan_kmalloc include/linux/kasan.h:260 [inline]  __do_kmalloc_node mm/slub.c:4382 [inline]  __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394  kmalloc_noprof include/linux/slab.h:909 [inline]  sk_prot_alloc+0xae/0x220 net/core/sock.c:2239  sk_alloc+0x34/0x5a0 net/core/sock.c:2295  bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151  sco_sock_alloc net/bluetooth/sco.c:562 [inline]  sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593  bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135  __sock_create+0x3ad/0x780 net/socket.c:1589  sock_create net/socket.c:1647 [inline]  __sys_socket_create net/socket.c:1684 [inline]  __sys_socket+0xd5/0x330 net/socket.c:1731  __do_sys_socket net/socket.c:1745 [inline]  __se_sys_socket net/socket.c:1743 [inline]  __x64_sys_socket+0x7a/0x90 net/socket.c:1743  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 31374:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x70 mm/kasan/common.c:68  kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576  poison_slab_object mm/kasan/common.c:243 [inline]  __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275  kasan_slab_free include/linux/kasan.h:233 [inline]  slab_free_hook mm/slub.c:2428 [inline]  slab_free mm/slub.c:4701 [inline]  kfree+0x199/0x3b0 mm/slub.c:4900  sk_prot_free net/core/sock.c:2278 [inline]  __sk_destruct+0x4aa/0x630 net/core/sock.c:2373  sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333  __sock_release net/socket.c:649 [inline]  sock_close+0xb8/0x230 net/socket.c:1439  __fput+0x3d1/0x9e0 fs/file_table.c:468  task_work_run+0x206/0x2a0 kernel/task_work.c:227  get_signal+0x1201/0x1410 kernel/signal.c:2807  arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337  exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40  exit_to_user_mode_prepare 
include/linux/irq-entry-common.h:225 [inline]  s ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68174",
                        "url": "https://ubuntu.com/security/CVE-2025-68174",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  amd/amdkfd: enhance kfd process check in switch partition  current switch partition only check if kfd_processes_table is empty. kfd_prcesses_table entry is deleted in kfd_process_notifier_release, but kfd_process tear down is in kfd_process_wq_release.  consider two processes:  Process A (workqueue) -> kfd_process_wq_release -> Access kfd_node member Process B switch partition -> amdgpu_xcp_pre_partition_switch -> amdgpu_amdkfd_device_fini_sw -> kfd_node tear down.  Process A and B may trigger a race as shown in dmesg log.  This patch is to resolve the race by adding an atomic kfd_process counter kfd_processes_count, it increment as create kfd process, decrement as finish kfd_process_wq_release.  v2: Put kfd_processes_count per kfd_dev, move decrement to kfd_process_destroy_pdds and bug fix. (Philip Yang)  [3966658.307702] divide error: 0000 [#1] SMP NOPTI [3966658.350818]  i10nm_edac [3966658.356318] CPU: 124 PID: 38435 Comm: kworker/124:0 Kdump: loaded Tainted [3966658.356890] Workqueue: kfd_process_wq kfd_process_wq_release [amdgpu] [3966658.362839]  nfit [3966658.366457] RIP: 0010:kfd_get_num_sdma_engines+0x17/0x40 [amdgpu] [3966658.366460] Code: 00 00 e9 ac 81 02 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 0f 1f 44 00 00 48 8b 4f 08 48 8b b7 00 01 00 00 8b 81 58 26 03 00 99 <f7> be b8 01 00 00 80 b9 70 2e 00 00 00 74 0b 83 f8 02 ba 02 00 00 [3966658.380967]  x86_pkg_temp_thermal [3966658.391529] RSP: 0018:ffffc900a0edfdd8 EFLAGS: 00010246 [3966658.391531] RAX: 0000000000000008 RBX: ffff8974e593b800 RCX: ffff888645900000 [3966658.391531] RDX: 0000000000000000 RSI: ffff888129154400 RDI: ffff888129151c00 [3966658.391532] RBP: ffff8883ad79d400 R08: 0000000000000000 R09: ffff8890d2750af4 [3966658.391532] R10: 0000000000000018 R11: 0000000000000018 R12: 0000000000000000 [3966658.391533] R13: ffff8883ad79d400 R14: ffffe87ff662ba00 R15: ffff8974e593b800 
[3966658.391533] FS:  0000000000000000(0000) GS:ffff88fe7f600000(0000) knlGS:0000000000000000 [3966658.391534] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [3966658.391534] CR2: 0000000000d71000 CR3: 000000dd0e970004 CR4: 0000000002770ee0 [3966658.391535] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [3966658.391535] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [3966658.391536] PKRU: 55555554 [3966658.391536] Call Trace: [3966658.391674]  deallocate_sdma_queue+0x38/0xa0 [amdgpu] [3966658.391762]  process_termination_cpsch+0x1ed/0x480 [amdgpu] [3966658.399754]  intel_powerclamp [3966658.402831]  kfd_process_dequeue_from_all_devices+0x5b/0xc0 [amdgpu] [3966658.402908]  kfd_process_wq_release+0x1a/0x1a0 [amdgpu] [3966658.410516]  coretemp [3966658.434016]  process_one_work+0x1ad/0x380 [3966658.434021]  worker_thread+0x49/0x310 [3966658.438963]  kvm_intel [3966658.446041]  ? process_one_work+0x380/0x380 [3966658.446045]  kthread+0x118/0x140 [3966658.446047]  ? 
__kthread_bind_mask+0x60/0x60 [3966658.446050]  ret_from_fork+0x1f/0x30 [3966658.446053] Modules linked in: kpatch_20765354(OEK) [3966658.455310]  kvm [3966658.464534]  mptcp_diag xsk_diag raw_diag unix_diag af_packet_diag netlink_diag udp_diag act_pedit act_mirred act_vlan cls_flower kpatch_21951273(OEK) kpatch_18424469(OEK) kpatch_19749756(OEK) [3966658.473462]  idxd_mdev [3966658.482306]  kpatch_17971294(OEK) sch_ingress xt_conntrack amdgpu(OE) amdxcp(OE) amddrm_buddy(OE) amd_sched(OE) amdttm(OE) amdkcl(OE) intel_ifs iptable_mangle tcm_loop target_core_pscsi tcp_diag target_core_file inet_diag target_core_iblock target_core_user target_core_mod coldpgs kpatch_18383292(OEK) ip6table_nat ip6table_filter ip6_tables ip_set_hash_ipportip ip_set_hash_ipportnet ip_set_hash_ipport ip_set_bitmap_port xt_comment iptable_nat nf_nat iptable_filter ip_tables ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 sn_core_odd(OE) i40e overlay binfmt_misc tun bonding(OE) aisqos(OE) aisqo ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40310",
                        "url": "https://ubuntu.com/security/CVE-2025-40310",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw  There is race in amdgpu_amdkfd_device_fini_sw and interrupt. if amdgpu_amdkfd_device_fini_sw run in b/w kfd_cleanup_nodes and   kfree(kfd), and KGD interrupt generated.  kernel panic log:  BUG: kernel NULL pointer dereference, address: 0000000000000098 amdgpu 0000:c8:00.0: amdgpu: Requesting 4 partitions through PSP  PGD d78c68067 P4D d78c68067  kfd kfd: amdgpu: Allocated 3969056 bytes on gart  PUD 1465b8067 PMD @  Oops: @002 [#1] SMP NOPTI  kfd kfd: amdgpu: Total number of KFD nodes to be created: 4 CPU: 115 PID: @ Comm: swapper/115 Kdump: loaded Tainted: G S W OE K  RIP: 0010:_raw_spin_lock_irqsave+0x12/0x40  Code: 89 e@ 41 5c c3 cc cc cc cc 66 66 2e Of 1f 84 00 00 00 00 00 OF 1f 40 00 Of 1f 44% 00 00 41 54 9c 41 5c fa 31 cO ba 01 00 00 00 <fO> OF b1 17 75 Ba 4c 89 e@ 41 Sc  89 c6 e8 07 38 5d  RSP: 0018: ffffc90@1a6b0e28 EFLAGS: 00010046  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000018 0000000000000001 RSI: ffff8883bb623e00 RDI: 0000000000000098 ffff8883bb000000 RO8: ffff888100055020 ROO: ffff888100055020 0000000000000000 R11: 0000000000000000 R12: 0900000000000002 ffff888F2b97da0@ R14: @000000000000098 R15: ffff8883babdfo00  CS: 010 DS: 0000 ES: 0000 CRO: 0000000080050033  CR2: 0000000000000098 CR3: 0000000e7cae2006 CR4: 0000000002770ce0 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 0000000000000000 DR6: 00000000fffeO7FO DR7: 0000000000000400  PKRU: 55555554  Call Trace:  <IRQ>  kgd2kfd_interrupt+@x6b/0x1f@ [amdgpu]  ? 
amdgpu_fence_process+0xa4/0x150 [amdgpu]  kfd kfd: amdgpu: Node: 0, interrupt_bitmap: 3 YcpxFl Rant tErace  amdgpu_irq_dispatch+0x165/0x210 [amdgpu]  amdgpu_ih_process+0x80/0x100 [amdgpu]  amdgpu: Virtual CRAT table created for GPU  amdgpu_irq_handler+0x1f/@x60 [amdgpu]  __handle_irq_event_percpu+0x3d/0x170  amdgpu: Topology: Add dGPU node [0x74a2:0x1002]  handle_irq_event+0x5a/@xcO  handle_edge_irq+0x93/0x240  kfd kfd: amdgpu: KFD node 1 partition @ size 49148M  asm_call_irq_on_stack+0xf/@x20  </IRQ>  common_interrupt+0xb3/0x130  asm_common_interrupt+0x1le/0x40  5.10.134-010.a1i5000.a18.x86_64 #1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40361",
                        "url": "https://ubuntu.com/security/CVE-2025-40361",
                        "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40311",
                        "url": "https://ubuntu.com/security/CVE-2025-40311",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/habanalabs: support mapping cb with vmalloc-backed coherent memory  When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return addresses from the vmalloc range. If such an address is mapped without VM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the VM_PFNMAP restriction.  Fix this by checking for vmalloc addresses and setting VM_MIXEDMAP in the VMA before mapping. This ensures safe mapping and avoids kernel crashes. The memory is still driver-allocated and cannot be accessed directly by userspace.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68185",
                        "url": "https://ubuntu.com/security/CVE-2025-68185",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing  Theoretically it's an oopsable race, but I don't believe one can manage to hit it on real hardware; might become doable on a KVM, but it still won't be easy to attack.  Anyway, it's easy to deal with - since xdr_encode_hyper() is just a call of put_unaligned_be64(), we can put that under ->d_lock and be done with that.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68176",
                        "url": "https://ubuntu.com/security/CVE-2025-68176",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: cadence: Check for the existence of cdns_pcie::ops before using it  cdns_pcie::ops might not be populated by all the Cadence glue drivers. This is going to be true for the upcoming Sophgo platform which doesn't set the ops.  Hence, add a check to prevent NULL pointer dereference.  [mani: reworded subject and description]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68190",
                        "url": "https://ubuntu.com/security/CVE-2025-68190",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()  kcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws remains NULL while ectx.ws_size is set, leading to a potential NULL pointer dereference in atom_get_src_int() when accessing WS entries.  Return -ENOMEM on allocation failure to avoid the NULL dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68168",
                        "url": "https://ubuntu.com/security/CVE-2025-68168",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  jfs: fix uninitialized waitqueue in transaction manager  The transaction manager initialization in txInit() was not properly initializing TxBlock[0].waitor waitqueue, causing a crash when txEnd(0) is called on read-only filesystems.  When a filesystem is mounted read-only, txBegin() returns tid=0 to indicate no transaction. However, txEnd(0) still gets called and tries to access TxBlock[0].waitor via tid_to_tblock(0), but this waitqueue was never initialized because the initialization loop started at index 1 instead of 0.  This causes a 'non-static key' lockdep warning and system crash:   INFO: trying to register non-static key in txEnd  Fix by ensuring all transaction blocks including TxBlock[0] have their waitqueues properly initialized during txInit().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40312",
                        "url": "https://ubuntu.com/security/CVE-2025-40312",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  jfs: Verify inode mode when loading from disk  The inode mode loaded from corrupted disk can be invalid. Do like what commit 0a9e74051313 (\"isofs: Verify inode mode when loading from disk\") does.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40333",
                        "url": "https://ubuntu.com/security/CVE-2025-40333",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix infinite loop in __insert_extent_tree()  When we get wrong extent info data and look up extent_node in the rb tree, it will cause an infinite loop (CONFIG_F2FS_CHECK_FS=n). Avoid this by returning NULL and printing some kernel messages in that case.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68321",
                        "url": "https://ubuntu.com/security/CVE-2025-68321",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  page_pool: always add GFP_NOWARN for ATOMIC allocations  Driver authors often forget to add GFP_NOWARN for page allocation from the datapath. This is annoying to users as OOMs are a fact of life, and we pretty much expect network Rx to hit page allocation failures during OOM. Make page pool add GFP_NOWARN for ATOMIC allocations by default.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40334",
                        "url": "https://ubuntu.com/security/CVE-2025-40334",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: validate userq buffer virtual address and size  The userq object virtual address needs to be validated to determine whether it resides in a valid vm mapping.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68191",
                        "url": "https://ubuntu.com/security/CVE-2025-68191",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  udp_tunnel: use netdev_warn() instead of netdev_WARN()  netdev_WARN() uses WARN/WARN_ON to print a backtrace along with file and line information. In this case, udp_tunnel_nic_register() returning an error is just a failed operation, not a kernel bug.  udp_tunnel_nic_register() can fail due to a memory allocation failure (kzalloc() or udp_tunnel_nic_alloc()). This is a normal runtime error and not a kernel bug.  Replace netdev_WARN() with netdev_warn() accordingly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68309",
                        "url": "https://ubuntu.com/security/CVE-2025-68309",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI/AER: Fix NULL pointer access by aer_info  The kzalloc(GFP_KERNEL) may return NULL, so all accesses to aer_info->xxx will result in kernel panic. Fix it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40313",
                        "url": "https://ubuntu.com/security/CVE-2025-40313",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ntfs3: pretend $Extend records as regular files  Since commit af153bb63a33 (\"vfs: catch invalid modes in may_open()\") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/ S_IFIFO/S_IFSOCK type, use S_IFREG for $Extend records.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40335",
                        "url": "https://ubuntu.com/security/CVE-2025-40335",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: validate userq input args  This helps validate the userq input args and reject invalid userq requests at the IOCTL in the first place.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40314",
                        "url": "https://ubuntu.com/security/CVE-2025-40314",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget  In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget structure (pdev->gadget) was freed before its endpoints. The endpoints are linked via the ep_list in the gadget structure. Freeing the gadget first leaves dangling pointers in the endpoint list. When the endpoints are subsequently freed, this results in a use-after-free.  Fix: By separating the usb_del_gadget_udc() operation into distinct \"del\" and \"put\" steps, cdnsp_gadget_free_endpoints() can be executed prior to the final release of the gadget structure with usb_put_gadget().  A patch similar to bb9c74a5bd14(\"usb: dwc3: gadget: Free gadget structure  only after freeing endpoints\").",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40336",
                        "url": "https://ubuntu.com/security/CVE-2025-40336",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gpusvm: fix hmm_pfn_to_map_order() usage  Handle the case where the hmm range partially covers a huge page (like 2M), otherwise we can potentially end up doing something nasty like mapping memory which is outside the range, and maybe not even mapped by the mm. Fix is based on the xe userptr code, which in a future patch will directly use gpusvm, so needs alignment here.  v2:   - Add kernel-doc (Matt B)   - s/fls/ilog2/ (Thomas)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68193",
                        "url": "https://ubuntu.com/security/CVE-2025-68193",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Add devm release action to safely tear down CT  When a buffer object (BO) is allocated with the XE_BO_FLAG_GGTT_INVALIDATE flag, the driver initiates TLB invalidation requests via the CTB mechanism while releasing the BO. However a premature release of the CTB BO can lead to system crashes, as observed in:  Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:h2g_write+0x2f3/0x7c0 [xe] Call Trace:  guc_ct_send_locked+0x8b/0x670 [xe]  xe_guc_ct_send_locked+0x19/0x60 [xe]  send_tlb_invalidation+0xb4/0x460 [xe]  xe_gt_tlb_invalidation_ggtt+0x15e/0x2e0 [xe]  ggtt_invalidate_gt_tlb.part.0+0x16/0x90 [xe]  ggtt_node_remove+0x110/0x140 [xe]  xe_ggtt_node_remove+0x40/0xa0 [xe]  xe_ggtt_remove_bo+0x87/0x250 [xe]  Introduce a devm-managed release action during xe_guc_ct_init() and xe_guc_ct_init_post_hwconfig() to ensure proper CTB disablement before resource deallocation, preventing the use-after-free scenario.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68175",
                        "url": "https://ubuntu.com/security/CVE-2025-68175",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: nxp: imx8-isi: Fix streaming cleanup on release  The current implementation unconditionally calls mxc_isi_video_cleanup_streaming() in mxc_isi_video_release(). This can lead to situations where any release call (like from a simple \"v4l2-ctl -l\") may release a currently streaming queue when called on such a device.  This is reproducible on an i.MX8MP board by streaming from an ISI capture device using gstreamer:  \tgst-launch-1.0 -v v4l2src device=/dev/videoX ! \\ \t    video/x-raw,format=GRAY8,width=1280,height=800,framerate=1/120 ! \\ \t    fakesink  While this stream is running, querying the caps of the same device provokes the error state:  \tv4l2-ctl -l -d /dev/videoX  This results in the following trace:  [  155.452152] ------------[ cut here ]------------ [  155.452163] WARNING: CPU: 0 PID: 1708 at drivers/media/platform/nxp/imx8-isi/imx8-isi-pipe.c:713 mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [  157.004248] Modules linked in: cfg80211 rpmsg_ctrl rpmsg_char rpmsg_tty virtio_rpmsg_bus rpmsg_ns rpmsg_core rfkill nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables mcp251x6 [  157.053499] CPU: 0 UID: 0 PID: 1708 Comm: python3 Not tainted 6.15.4-00114-g1f61ca5cad76 #1 PREEMPT [  157.064369] Hardware name: imx8mp_board_01 (DT) [  157.068205] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [  157.075169] pc : mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [  157.081195] lr : mxc_isi_pipe_irq_handler+0x38/0x1b0 [imx8_isi] [  157.087126] sp : ffff800080003ee0 [  157.090438] x29: ffff800080003ee0 x28: ffff0000c3688000 x27: 0000000000000000 [  157.097580] x26: 0000000000000000 x25: ffff0000c1e7ac00 x24: ffff800081b5ad50 [  157.104723] x23: 00000000000000d1 x22: 0000000000000000 x21: ffff0000c25e4000 [  157.111866] x20: 0000000060000200 x19: ffff80007a0608d0 x18: 0000000000000000 [  157.119008] x17: ffff80006a4e3000 
x16: ffff800080000000 x15: 0000000000000000 [  157.126146] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [  157.133287] x11: 0000000000000040 x10: ffff0000c01445f0 x9 : ffff80007a053a38 [  157.140425] x8 : ffff0000c04004b8 x7 : 0000000000000000 x6 : 0000000000000000 [  157.147567] x5 : ffff0000c0400490 x4 : ffff80006a4e3000 x3 : ffff0000c25e4000 [  157.154706] x2 : 0000000000000000 x1 : ffff8000825c0014 x0 : 0000000060000200 [  157.161850] Call trace: [  157.164296]  mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] (P) [  157.170319]  __handle_irq_event_percpu+0x58/0x218 [  157.175029]  handle_irq_event+0x54/0xb8 [  157.178867]  handle_fasteoi_irq+0xac/0x248 [  157.182968]  handle_irq_desc+0x48/0x68 [  157.186723]  generic_handle_domain_irq+0x24/0x38 [  157.191346]  gic_handle_irq+0x54/0x120 [  157.195098]  call_on_irq_stack+0x24/0x30 [  157.199027]  do_interrupt_handler+0x88/0x98 [  157.203212]  el0_interrupt+0x44/0xc0 [  157.206792]  __el0_irq_handler_common+0x18/0x28 [  157.211328]  el0t_64_irq_handler+0x10/0x20 [  157.215429]  el0t_64_irq+0x198/0x1a0 [  157.219009] ---[ end trace 0000000000000000 ]---  Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the vb2_ioctl_streamon() and vb2_ioctl_streamoff() helpers, and removal of the manual cleanup from mxc_isi_video_release().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68188",
                        "url": "https://ubuntu.com/security/CVE-2025-68188",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()  Use RCU to avoid a pair of atomic operations and a potential UAF on dst_dev()->flags.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68315",
                        "url": "https://ubuntu.com/security/CVE-2025-68315",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix to detect potential corrupted nid in free_nid_list  As reported, on-disk footer.ino and footer.nid is the same and out-of-range, let's add sanity check on f2fs_alloc_nid() to detect any potential corruption in free_nid_list.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40337",
                        "url": "https://ubuntu.com/security/CVE-2025-40337",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Correctly handle Rx checksum offload errors  The stmmac_rx function would previously set skb->ip_summed to CHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabled and the packet was of a known IP ethertype.  However, this logic failed to check if the hardware had actually reported a checksum error. The hardware status, indicating a header or payload checksum failure, was being ignored at this stage. This could cause corrupt packets to be passed up the network stack as valid.  This patch corrects the logic by checking the `csum_none` status flag, which is set when the hardware reports a checksum error. If this flag is set, skb->ip_summed is now correctly set to CHECKSUM_NONE, ensuring the kernel's network stack will perform its own validation and properly handle the corrupt packet.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40338",
                        "url": "https://ubuntu.com/security/CVE-2025-40338",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Do not share the name pointer between components  By sharing 'name' directly, tearing down components may lead to use-after-free errors. Duplicate the name to avoid that.  At the same time, update the order of operations - since commit cee28113db17 (\"ASoC: dmaengine_pcm: Allow passing component name via config\") the framework does not override component->name if set before invoking the initializer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40339",
                        "url": "https://ubuntu.com/security/CVE-2025-40339",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: fix nullptr err of vm_handle_moved  If an amdgpu_bo_va is fpriv->prt_va, its bo is always NULL. So this kind of amdgpu_bo_va should be updated separately before amdgpu_vm_handle_moved.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68194",
                        "url": "https://ubuntu.com/security/CVE-2025-68194",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: imon: make send_packet() more robust  syzbot is reporting that imon has three problems which result in hung tasks due to forever holding device lock [1].  First problem is that when usb_rx_callback_intf0() once got -EPROTO error after ictx->dev_present_intf0 became true, usb_rx_callback_intf0() resubmits urb after printk(), and resubmitted urb causes usb_rx_callback_intf0() to again get -EPROTO error. This results in printk() flooding (RCU stalls).  Alan Stern commented [2] that    In theory it's okay to resubmit _if_ the driver has a robust   error-recovery scheme (such as giving up after some fixed limit on the   number of errors or after some fixed time has elapsed, perhaps with a   time delay to prevent a flood of errors).  Most drivers don't bother to   do this; they simply give up right away.  This makes them more   vulnerable to short-term noise interference during USB transfers, but in   reality such interference is quite rare.  There's nothing really wrong   with giving up right away.  but imon has a poor error-recovery scheme which just retries forever; this behavior should be fixed.  Since I'm not sure whether it is safe for imon users to give up upon any error code, this patch takes care of only union of error codes chosen from modules in drivers/media/rc/ directory which handle -EPROTO error (i.e. ir_toy, mceusb and igorplugusb).  Second problem is that when usb_rx_callback_intf0() once got -EPROTO error before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0() always resubmits urb due to commit 8791d63af0cf (\"[media] imon: don't wedge hardware after early callbacks\"). 
Move the ictx->dev_present_intf0 test introduced by commit 6f6b90c9231a (\"[media] imon: don't parse scancodes until intf configured\") to immediately before imon_incoming_packet(), or the first problem explained above happens without printk() flooding (i.e. hung task).  Third problem is that when usb_rx_callback_intf0() is not called for some reason (e.g. flaky hardware; the reproducer for this problem sometimes prevents usb_rx_callback_intf0() from being called), wait_for_completion_interruptible() in send_packet() never returns (i.e. hung task). As a workaround for such situation, change send_packet() to wait for completion with timeout of 10 seconds.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40363",
                        "url": "https://ubuntu.com/security/CVE-2025-40363",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: ipv6: fix field-spanning memcpy warning in AH output  Fix field-spanning memcpy warnings in ah6_output() and ah6_output_done() where extension headers are copied to/from IPv6 address fields, triggering fortify-string warnings about writes beyond the 16-byte address fields.    memcpy: detected field-spanning write (size 40) of single field \"&top_iph->saddr\" at net/ipv6/ah6.c:439 (size 16)   WARNING: CPU: 0 PID: 8838 at net/ipv6/ah6.c:439 ah6_output+0xe7e/0x14e0 net/ipv6/ah6.c:439  The warnings are false positives as the extension headers are intentionally placed after the IPv6 header in memory. Fix by properly copying addresses and extension headers separately, and introduce helper functions to avoid code duplication.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68311",
                        "url": "https://ubuntu.com/security/CVE-2025-68311",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: serial: ip22zilog: Use platform device for probing  After commit 84a9582fd203 (\"serial: core: Start managing serial controllers to enable runtime PM\") serial drivers need to provide a device in struct uart_port.dev otherwise an oops happens. To fix this issue for ip22zilog driver switch driver to a platform driver and setup the serial device in sgi-ip22 code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40340",
                        "url": "https://ubuntu.com/security/CVE-2025-40340",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.  I saw an oops in xe_gem_fault when running the xe-fast-feedback testlist against the realtime kernel without debug options enabled.  The panic happens after core_hotunplug unbind-rebind finishes. Presumably what happens is that a process mmaps, unlocks because of the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left, causing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since there was nothing left to populate, and then oopses in \"mem_type_is_vram(tbo->resource->mem_type)\" because tbo->resource is NULL.  It's convoluted, but fits the data and explains the oops after the test exits.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68196",
                        "url": "https://ubuntu.com/security/CVE-2025-68196",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Cache streams targeting link when performing LT automation  [WHY] Last LT automation update can cause crash by referencing current_state and calling into dc_update_planes_and_stream which may clobber current_state.  [HOW] Cache relevant stream pointers and iterate through them instead of relying on the current_state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68178",
                        "url": "https://ubuntu.com/security/CVE-2025-68178",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  blk-cgroup: fix possible deadlock while configuring policy  Following deadlock can be triggered easily by lockdep:  WARNING: possible circular locking dependency detected 6.17.0-rc3-00124-ga12c2658ced0 #1665 Not tainted ------------------------------------------------------ check/1334 is trying to acquire lock: ff1100011d9d0678 (&q->sysfs_lock){+.+.}-{4:4}, at: blk_unregister_queue+0x53/0x180  but task is already holding lock: ff1100011d9d00e0 (&q->q_usage_counter(queue)#3){++++}-{0:0}, at: del_gendisk+0xba/0x110  which lock already depends on the new lock.  the existing dependency chain (in reverse order) is:  -> #2 (&q->q_usage_counter(queue)#3){++++}-{0:0}:        blk_queue_enter+0x40b/0x470        blkg_conf_prep+0x7b/0x3c0        tg_set_limit+0x10a/0x3e0        cgroup_file_write+0xc6/0x420        kernfs_fop_write_iter+0x189/0x280        vfs_write+0x256/0x490        ksys_write+0x83/0x190        __x64_sys_write+0x21/0x30        x64_sys_call+0x4608/0x4630        do_syscall_64+0xdb/0x6b0        entry_SYSCALL_64_after_hwframe+0x76/0x7e  -> #1 (&q->rq_qos_mutex){+.+.}-{4:4}:        __mutex_lock+0xd8/0xf50        mutex_lock_nested+0x2b/0x40        wbt_init+0x17e/0x280        wbt_enable_default+0xe9/0x140        blk_register_queue+0x1da/0x2e0        __add_disk+0x38c/0x5d0        add_disk_fwnode+0x89/0x250        device_add_disk+0x18/0x30        virtblk_probe+0x13a3/0x1800        virtio_dev_probe+0x389/0x610        really_probe+0x136/0x620        __driver_probe_device+0xb3/0x230        driver_probe_device+0x2f/0xe0        __driver_attach+0x158/0x250        bus_for_each_dev+0xa9/0x130        driver_attach+0x26/0x40        bus_add_driver+0x178/0x3d0        driver_register+0x7d/0x1c0        __register_virtio_driver+0x2c/0x60        virtio_blk_init+0x6f/0xe0        do_one_initcall+0x94/0x540        kernel_init_freeable+0x56a/0x7b0        kernel_init+0x2b/0x270    
    ret_from_fork+0x268/0x4c0        ret_from_fork_asm+0x1a/0x30  -> #0 (&q->sysfs_lock){+.+.}-{4:4}:        __lock_acquire+0x1835/0x2940        lock_acquire+0xf9/0x450        __mutex_lock+0xd8/0xf50        mutex_lock_nested+0x2b/0x40        blk_unregister_queue+0x53/0x180        __del_gendisk+0x226/0x690        del_gendisk+0xba/0x110        sd_remove+0x49/0xb0 [sd_mod]        device_remove+0x87/0xb0        device_release_driver_internal+0x11e/0x230        device_release_driver+0x1a/0x30        bus_remove_device+0x14d/0x220        device_del+0x1e1/0x5a0        __scsi_remove_device+0x1ff/0x2f0        scsi_remove_device+0x37/0x60        sdev_store_delete+0x77/0x100        dev_attr_store+0x1f/0x40        sysfs_kf_write+0x65/0x90        kernfs_fop_write_iter+0x189/0x280        vfs_write+0x256/0x490        ksys_write+0x83/0x190        __x64_sys_write+0x21/0x30        x64_sys_call+0x4608/0x4630        do_syscall_64+0xdb/0x6b0        entry_SYSCALL_64_after_hwframe+0x76/0x7e  other info that might help us debug this:  Chain exists of:   &q->sysfs_lock --> &q->rq_qos_mutex --> &q->q_usage_counter(queue)#3   Possible unsafe locking scenario:         CPU0                    CPU1        ----                    ----   lock(&q->q_usage_counter(queue)#3);                                lock(&q->rq_qos_mutex);                                lock(&q->q_usage_counter(queue)#3);   lock(&q->sysfs_lock);  Root cause is that queue_usage_counter is grabbed with rq_qos_mutex held in blkg_conf_prep(), while queue should be freezed before rq_qos_mutex from other context.  The blk_queue_enter() from blkg_conf_prep() is used to protect against policy deactivation, which is already protected with blkcg_mutex, hence convert blk_queue_enter() to blkcg_mutex to fix this problem. Meanwhile, consider that blkcg_mutex is held after queue is freezed from policy deactivation, also convert blkg_alloc() to use GFP_NOIO.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40341",
                        "url": "https://ubuntu.com/security/CVE-2025-40341",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  futex: Don't leak robust_list pointer on exec race  sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access() to check if the calling task is allowed to access another task's robust_list pointer. This check is racy against a concurrent exec() in the target process.  During exec(), a task may transition from a non-privileged binary to a privileged one (e.g., setuid binary) and its credentials/memory mappings may change. If get_robust_list() performs ptrace_may_access() before this transition, it may erroneously allow access to sensitive information after the target becomes privileged.  A racy access allows an attacker to exploit a window during which ptrace_may_access() passes before a target process transitions to a privileged state via exec().  For example, consider a non-privileged task T that is about to execute a setuid-root binary. An attacker task A calls get_robust_list(T) while T is still unprivileged. Since ptrace_may_access() checks permissions based on current credentials, it succeeds. However, if T begins exec immediately afterwards, it becomes privileged and may change its memory mappings. Because get_robust_list() proceeds to access T->robust_list without synchronizing with exec() it may read user-space pointers from a now-privileged process.  This violates the intended post-exec access restrictions and could expose sensitive memory addresses or be used as a primitive in a larger exploit chain. Consequently, the race can lead to unauthorized disclosure of information across privilege boundaries and poses a potential security risk.  Take a read lock on signal->exec_update_lock prior to invoking ptrace_may_access() and accessing the robust_list/compat_robust_list. This ensures that the target task's exec state remains stable during the check, allowing for consistent and synchronized validation of credentials.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40342",
                        "url": "https://ubuntu.com/security/CVE-2025-40342",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvme-fc: use lock accessing port_state and rport state  nvme_fc_unregister_remote removes the remote port on a lport object at any point in time when there is no active association. This races with with the reconnect logic, because nvme_fc_create_association is not taking a lock to check the port_state and atomically increase the active count on the rport.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40343",
                        "url": "https://ubuntu.com/security/CVE-2025-40343",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-fc: avoid scheduling association deletion twice  When forcefully shutting down a port via the configfs interface, nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and then nvmet_disable_port(). Both functions will eventually schedule all remaining associations for deletion.  The current implementation checks whether an association is about to be removed, but only after the work item has already been scheduled. As a result, it is possible for the first scheduled work item to free all resources, and then for the same work item to be scheduled again for deletion.  Because the association list is an RCU list, it is not possible to take a lock and remove the list entry directly, so it cannot be looked up again. Instead, a flag (terminating) must be used to determine whether the association is already in the process of being deleted.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68177",
                        "url": "https://ubuntu.com/security/CVE-2025-68177",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq/longhaul: handle NULL policy in longhaul_exit  longhaul_exit() was calling cpufreq_cpu_get(0) without checking for a NULL policy pointer. On some systems, this could lead to a NULL dereference and a kernel warning or panic.  This patch adds a check using unlikely() and returns early if the policy is NULL.  Bugzilla: #219962",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68317",
                        "url": "https://ubuntu.com/security/CVE-2025-68317",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/zctx: check chained notif contexts  Send zc only links ubuf_info for requests coming from the same context. There are some ambiguous syz reports, so let's check the assumption on notification completion.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40315",
                        "url": "https://ubuntu.com/security/CVE-2025-40315",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_fs: Fix epfile null pointer access after ep enable.  A race condition occurs when ffs_func_eps_enable() runs concurrently with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading to a NULL pointer dereference when accessing epfile->ep in ffs_func_eps_enable() after successful usb_ep_enable().  The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and ffs_data_close() functions, and its modification is protected by the spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function is also protected by ffs->eps_lock.  Thus, add NULL pointer handling for ffs->epfiles in the ffs_func_eps_enable() function to fix issues",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40316",
                        "url": "https://ubuntu.com/security/CVE-2025-40316",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/mediatek: Fix device use-after-free on unbind  A recent change fixed device reference leaks when looking up drm platform device driver data during bind() but failed to remove a partial fix which had been added by commit 80805b62ea5b (\"drm/mediatek: Fix kobject put for component sub-drivers\").  This results in a reference imbalance on component bind() failures and on unbind() which could lead to a user-after-free.  Make sure to only drop the references after retrieving the driver data by effectively reverting the previous partial fix.  Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40360",
                        "url": "https://ubuntu.com/security/CVE-2025-40360",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sysfb: Do not dereference NULL pointer in plane reset  The plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not deref that pointer, but forward NULL to the other plane-reset helpers. Clears plane->state to NULL.  v2: - fix typo in commit description (Javier)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68179",
                        "url": "https://ubuntu.com/security/CVE-2025-68179",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP  As reported by Luiz Capitulino enabling HVO on s390 leads to reproducible crashes. The problem is that kernel page tables are modified without flushing corresponding TLB entries.  Even if it looks like the empty flush_tlb_all() implementation on s390 is the problem, it is actually a different problem: on s390 it is not allowed to replace an active/valid page table entry with another valid page table entry without the detour over an invalid entry. A direct replacement may lead to random crashes and/or data corruption.  In order to invalidate an entry special instructions have to be used (e.g. ipte or idte). Alternatively there are also special instructions available which allow to replace a valid entry with a different valid entry (e.g. crdte or cspg).  Given that the HVO code currently does not provide the hooks to allow for an implementation which is compliant with the s390 architecture requirements, disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP again, which is basically a revert of the original patch which enabled it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68310",
                        "url": "https://ubuntu.com/security/CVE-2025-68310",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump  Do not block PCI config accesses through pci_cfg_access_lock() when executing the s390 variant of PCI error recovery: Acquire just device_lock() instead of pci_dev_lock() as powerpc's EEH and generig PCI AER processing do.  During error recovery testing a pair of tasks was reported to be hung:  mlx5_core 0000:00:00.1: mlx5_health_try_recover:338:(pid 5553): health recovery flow aborted, PCI reads still not working INFO: task kmcheck:72 blocked for more than 122 seconds.       Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. task:kmcheck         state:D stack:0     pid:72    tgid:72    ppid:2     flags:0x00000000 Call Trace:  [<000000065256f030>] __schedule+0x2a0/0x590  [<000000065256f356>] schedule+0x36/0xe0  [<000000065256f572>] schedule_preempt_disabled+0x22/0x30  [<0000000652570a94>] __mutex_lock.constprop.0+0x484/0x8a8  [<000003ff800673a4>] mlx5_unload_one+0x34/0x58 [mlx5_core]  [<000003ff8006745c>] mlx5_pci_err_detected+0x94/0x140 [mlx5_core]  [<0000000652556c5a>] zpci_event_attempt_error_recovery+0xf2/0x398  [<0000000651b9184a>] __zpci_event_error+0x23a/0x2c0 INFO: task kworker/u1664:6:1514 blocked for more than 122 seconds.       Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. 
task:kworker/u1664:6 state:D stack:0     pid:1514  tgid:1514  ppid:2     flags:0x00000000 Workqueue: mlx5_health0000:00:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core] Call Trace:  [<000000065256f030>] __schedule+0x2a0/0x590  [<000000065256f356>] schedule+0x36/0xe0  [<0000000652172e28>] pci_wait_cfg+0x80/0xe8  [<0000000652172f94>] pci_cfg_access_lock+0x74/0x88  [<000003ff800916b6>] mlx5_vsc_gw_lock+0x36/0x178 [mlx5_core]  [<000003ff80098824>] mlx5_crdump_collect+0x34/0x1c8 [mlx5_core]  [<000003ff80074b62>] mlx5_fw_fatal_reporter_dump+0x6a/0xe8 [mlx5_core]  [<0000000652512242>] devlink_health_do_dump.part.0+0x82/0x168  [<0000000652513212>] devlink_health_report+0x19a/0x230  [<000003ff80075a12>] mlx5_fw_fatal_reporter_err_work+0xba/0x1b0 [mlx5_core]  No kernel log of the exact same error with an upstream kernel is available - but the very same deadlock situation can be constructed there, too:  - task: kmcheck   mlx5_unload_one() tries to acquire devlink lock while the PCI error   recovery code has set pdev->block_cfg_access by way of   pci_cfg_access_lock() - task: kworker   mlx5_crdump_collect() tries to set block_cfg_access through   pci_cfg_access_lock() while devlink_health_report() had acquired   the devlink lock.  A similar deadlock situation can be reproduced by requesting a crdump with   > devlink health dump show pci/<BDF> reporter fw_fatal  while PCI error recovery is executed on the same <BDF> physical function by mlx5_core's pci_error_handlers. On s390 this can be injected with   > zpcictl --reset-fw <BDF>  Tests with this patch failed to reproduce that second deadlock situation, the devlink command is rejected with \"kernel answers: Permission denied\" - and we get a kernel log message of:  mlx5_core 1ed0:00:00.1: mlx5_crdump_collect:50:(pid 254382): crdump: failed to lock vsc gw err -5  because the config read of VSC_SEMAPHORE is rejected by the underlying hardware.  
Two prior attempts to address this issue have been discussed and ultimately rejected [see link], with the primary argument that s390's implementation of PCI error recovery is imposing restrictions that neither powerpc's EEH nor PCI AER handling need. Tests show that PCI error recovery on s390 is running to completion even without blocking access to PCI config space.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40317",
                        "url": "https://ubuntu.com/security/CVE-2025-40317",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  regmap: slimbus: fix bus_context pointer in regmap init calls  Commit 4e65bda8273c (\"ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()\") revealed the problem in the slimbus regmap. That commit breaks audio playback, for instance, on sdm845 Thundercomm Dragonboard 845c board:   Unable to handle kernel paging request at virtual address ffff8000847cbad4  ...  CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT  Hardware name: Thundercomm Dragonboard 845c (DT)  ...  Call trace:   slim_xfer_msg+0x24/0x1ac [slimbus] (P)   slim_read+0x48/0x74 [slimbus]   regmap_slimbus_read+0x18/0x24 [regmap_slimbus]   _regmap_raw_read+0xe8/0x174   _regmap_bus_read+0x44/0x80   _regmap_read+0x60/0xd8   _regmap_update_bits+0xf4/0x140   _regmap_select_page+0xa8/0x124   _regmap_raw_write_impl+0x3b8/0x65c   _regmap_bus_raw_write+0x60/0x80   _regmap_write+0x58/0xc0   regmap_write+0x4c/0x80   wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x]   snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core]   __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core]   dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core]   dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core]   snd_pcm_hw_params+0x124/0x464 [snd_pcm]   snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm]   snd_pcm_ioctl+0x34/0x4c [snd_pcm]   __arm64_sys_ioctl+0xac/0x104   invoke_syscall+0x48/0x104   el0_svc_common.constprop.0+0x40/0xe0   do_el0_svc+0x1c/0x28   el0_svc+0x34/0xec   el0t_64_sync_handler+0xa0/0xf0   el0t_64_sync+0x198/0x19c  The __devm_regmap_init_slimbus() started to be used instead of __regmap_init_slimbus() after the commit mentioned above and turns out the incorrect bus_context pointer (3rd argument) was used in __devm_regmap_init_slimbus(). It should be just \"slimbus\" (which is equal to &slimbus->dev). Correct it. 
The wcd934x codec seems to be the only or the first user of devm_regmap_init_slimbus() but we should fix it till the point where __devm_regmap_init_slimbus() was introduced therefore two \"Fixes\" tags.  While at this, also correct the same argument in __regmap_init_slimbus().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40359",
                        "url": "https://ubuntu.com/security/CVE-2025-40359",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/x86/intel: Fix KASAN global-out-of-bounds warning  When running \"perf mem record\" command on CWF, the below KASAN global-out-of-bounds warning is seen.    ==================================================================   BUG: KASAN: global-out-of-bounds in cmt_latency_data+0x176/0x1b0   Read of size 4 at addr ffffffffb721d000 by task dtlb/9850    Call Trace:     kasan_report+0xb8/0xf0    cmt_latency_data+0x176/0x1b0    setup_arch_pebs_sample_data+0xf49/0x2560    intel_pmu_drain_arch_pebs+0x577/0xb00    handle_pmi_common+0x6c4/0xc80  The issue is caused by below code in __grt_latency_data(). The code tries to access x86_hybrid_pmu structure which doesn't exist on non-hybrid platform like CWF.          WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big)  So add is_hybrid() check before calling this WARN_ON_ONCE to fix the global-out-of-bounds access issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68181",
                        "url": "https://ubuntu.com/security/CVE-2025-68181",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Remove calls to drm_put_dev()  Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() drm_put_dev()'ing to trigger it to be free'd should be done by devres.  However, drm_put_dev() is still in the probe error and device remove paths. When the driver fails to probe warnings like the following are shown because devres is trying to drm_put_dev() after the driver already did it.  [    5.642230] radeon 0000:01:05.0: probe with driver radeon failed with error -22 [    5.649605] ------------[ cut here ]------------ [    5.649607] refcount_t: underflow; use-after-free. [    5.649620] WARNING: CPU: 0 PID: 357 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110  (cherry picked from commit 3eb8c0b4c091da0a623ade0d3ee7aa4a93df1ea4)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68170",
                        "url": "https://ubuntu.com/security/CVE-2025-68170",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Do not kfree() devres managed rdev  Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() rdev is managed by devres and we shouldn't be calling kfree() on it.  This fixes things exploding if the driver probe fails and devres cleans up the rdev after we already free'd it.  (cherry picked from commit 16c0681617b8a045773d4d87b6140002fa75b03b)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40213",
                        "url": "https://ubuntu.com/security/CVE-2025-40213",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete  There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array.  Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove.  Use DEFINE_FLEX to declare the flexible array right, and don't memcpy outside bounds.  As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free, and also report status on error.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-24 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40318",
                        "url": "https://ubuntu.com/security/CVE-2025-40318",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once  hci_cmd_sync_dequeue_once() does lookup and then cancel the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the same entry, leading to double list_del() and \"UAF\".  Fix this by holding cmd_sync_work_lock across both lookup and cancel, so that the entry cannot be removed concurrently.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68312",
                        "url": "https://ubuntu.com/security/CVE-2025-68312",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: Prevents free active kevent  The root cause of this issue are: 1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0); put the kevent work in global workqueue. However, the kevent has not yet been scheduled when the usbnet device is unregistered. Therefore, executing free_netdev() results in the \"free active object (kevent)\" error reported here.  2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(), if the usbnet device is up, ndo_stop() is executed to cancel the kevent. However, because the device is not up, ndo_stop() is not executed.  The solution to this problem is to cancel the kevent before executing free_netdev().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40344",
                        "url": "https://ubuntu.com/security/CVE-2025-40344",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Disable periods-elapsed work when closing PCM  avs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio stream while period-elapsed work services its IRQs. As the former frees the DAI's private context, these two operations shall be synchronized to avoid slab-use-after-free or worse errors.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68172",
                        "url": "https://ubuntu.com/security/CVE-2025-68172",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: aspeed - fix double free caused by devm  The clock obtained via devm_clk_get_enabled() is automatically managed by devres and will be disabled and freed on driver detach. Manually calling clk_disable_unprepare() in error path and remove function causes double free.  Remove the manual clock cleanup in both aspeed_acry_probe()'s error path and aspeed_acry_remove().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40319",
                        "url": "https://ubuntu.com/security/CVE-2025-40319",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Sync pending IRQ work before freeing ring buffer  Fix a race where irq_work can be queued in bpf_ringbuf_commit() but the ring buffer is freed before the work executes. In the syzbot reproducer, a BPF program attached to sched_switch triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer is freed before this work executes, the irq_work thread may accesses freed memory. Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work complete before freeing the buffer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68182",
                        "url": "https://ubuntu.com/security/CVE-2025-68182",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: iwlwifi: fix potential use after free in iwl_mld_remove_link()  This code frees \"link\" by calling kfree_rcu(link, rcu_head) and then it dereferences \"link\" to get the \"link->fw_id\".  Save the \"link->fw_id\" first to avoid a potential use after free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68314",
                        "url": "https://ubuntu.com/security/CVE-2025-68314",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm: make sure last_fence is always updated  Update last_fence in the vm-bind path instead of kernel managed path.  last_fence is used to wait for work to finish in vm_bind contexts but not used for kernel managed contexts.  This fixes a bug where last_fence is not waited on context close leading to faults as resources are freed while in use.  Patchwork: https://patchwork.freedesktop.org/patch/680080/",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68189",
                        "url": "https://ubuntu.com/security/CVE-2025-68189",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm: Fix GEM free for imported dma-bufs  Imported dma-bufs also have obj->resv != &obj->_resv.  So we should check both this condition in addition to flags for handling the _NO_SHARE case.  Fixes this splat that was reported with IRIS video playback:      ------------[ cut here ]------------     WARNING: CPU: 3 PID: 2040 at drivers/gpu/drm/msm/msm_gem.c:1127 msm_gem_free_object+0x1f8/0x264 [msm]     CPU: 3 UID: 1000 PID: 2040 Comm: .gnome-shell-wr Not tainted 6.17.0-rc7 #1 PREEMPT     pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)     pc : msm_gem_free_object+0x1f8/0x264 [msm]     lr : msm_gem_free_object+0x138/0x264 [msm]     sp : ffff800092a1bb30     x29: ffff800092a1bb80 x28: ffff800092a1bce8 x27: ffffbc702dbdbe08     x26: 0000000000000008 x25: 0000000000000009 x24: 00000000000000a6     x23: ffff00083c72f850 x22: ffff00083c72f868 x21: ffff00087e69f200     x20: ffff00087e69f330 x19: ffff00084d157ae0 x18: 0000000000000000     x17: 0000000000000000 x16: ffffbc704bd46b80 x15: 0000ffffd0959540     x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000     x11: ffffbc702e6cdb48 x10: 0000000000000000 x9 : 000000000000003f     x8 : ffff800092a1ba90 x7 : 0000000000000000 x6 : 0000000000000020     x5 : ffffbc704bd46c40 x4 : fffffdffe102cf60 x3 : 0000000000400032     x2 : 0000000000020000 x1 : ffff00087e6978e8 x0 : ffff00087e6977e8     Call trace:      msm_gem_free_object+0x1f8/0x264 [msm] (P)      drm_gem_object_free+0x1c/0x30 [drm]      drm_gem_object_handle_put_unlocked+0x138/0x150 [drm]      drm_gem_object_release_handle+0x5c/0xcc [drm]      drm_gem_handle_delete+0x68/0xbc [drm]      drm_gem_close_ioctl+0x34/0x40 [drm]      drm_ioctl_kernel+0xc0/0x130 [drm]      drm_ioctl+0x360/0x4e0 [drm]      __arm64_sys_ioctl+0xac/0x104      invoke_syscall+0x48/0x104      el0_svc_common.constprop.0+0x40/0xe0      do_el0_svc+0x1c/0x28      
el0_svc+0x34/0xec      el0t_64_sync_handler+0xa0/0xe4      el0t_64_sync+0x198/0x19c     ---[ end trace 0000000000000000 ]---     ------------[ cut here ]------------  Patchwork: https://patchwork.freedesktop.org/patch/676273/",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68171",
                        "url": "https://ubuntu.com/security/CVE-2025-68171",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/fpu: Ensure XFD state on signal delivery  Sean reported [1] the following splat when running KVM tests:     WARNING: CPU: 232 PID: 15391 at xfd_validate_state+0x65/0x70    Call Trace:     <TASK>     fpu__clear_user_states+0x9c/0x100     arch_do_signal_or_restart+0x142/0x210     exit_to_user_mode_loop+0x55/0x100     do_syscall_64+0x205/0x2c0     entry_SYSCALL_64_after_hwframe+0x4b/0x53  Chao further identified [2] a reproducible scenario involving signal delivery: a non-AMX task is preempted by an AMX-enabled task which modifies the XFD MSR.  When the non-AMX task resumes and reloads XSTATE with init values, a warning is triggered due to a mismatch between fpstate::xfd and the CPU's current XFD state. fpu__clear_user_states() does not currently re-synchronize the XFD state after such preemption.  Invoke xfd_update_state() which detects and corrects the mismatch if there is a dynamic feature.  This also benefits the sigreturn path, as fpu__restore_sig() may call fpu__clear_user_states() when the sigframe is inaccessible.  [ dhansen: minor changelog munging ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68313",
                        "url": "https://ubuntu.com/security/CVE-2025-68313",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Add RDSEED fix for Zen5  There's an issue with RDSEED's 16-bit and 32-bit register output variants on Zen5 which return a random value of 0 \"at a rate inconsistent with randomness while incorrectly signaling success (CF=1)\". Search the web for AMD-SB-7055 for more detail.  Add a fix glue which checks microcode revisions.    [ bp: Add microcode revisions checking, rewrite. ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40320",
                        "url": "https://ubuntu.com/security/CVE-2025-40320",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix potential cfid UAF in smb2_query_info_compound  When smb2_query_info_compound() retries, a previously allocated cfid may have been freed in the first attempt. Because cfid wasn't reset on replay, later cleanup could act on a stale pointer, leading to a potential use-after-free.  Reinitialize cfid to NULL under the replay label.  Example trace (trimmed):  refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110 [...] RIP: 0010:refcount_warn_saturate+0x9c/0x110 [...] Call Trace:  <TASK>  smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  ? step_into+0x10d/0x690  ? __legitimize_path+0x28/0x60  smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  ? kmem_cache_alloc+0x18a/0x340  ? getname_flags+0x46/0x1e0  cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  statfs_by_dentry+0x67/0x90  vfs_statfs+0x16/0xd0  user_statfs+0x54/0xa0  __do_sys_statfs+0x20/0x50  do_syscall_64+0x58/0x80",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40321",
                        "url": "https://ubuntu.com/security/CVE-2025-40321",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode  Currently, whenever there is a need to transmit an Action frame, the brcmfmac driver always uses the P2P vif to send the \"actframe\" IOVAR to firmware. The P2P interfaces were available when wpa_supplicant is managing the wlan interface.  However, the P2P interfaces are not created/initialized when only hostapd is managing the wlan interface. And if hostapd receives an ANQP Query REQ Action frame even from an un-associated STA, the brcmfmac driver tries to use an uninitialized P2P vif pointer for sending the IOVAR to firmware. This NULL pointer dereferencing triggers a driver crash.   [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual  address 0000000000000000  [...]  [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)  [...]  [ 1417.075653] Call trace:  [ 1417.075662]  brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]  [ 1417.075738]  brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]  [ 1417.075810]  cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211]  [ 1417.076067]  nl80211_tx_mgmt+0x238/0x388 [cfg80211]  [ 1417.076281]  genl_family_rcv_msg_doit+0xe0/0x158  [ 1417.076302]  genl_rcv_msg+0x220/0x2a0  [ 1417.076317]  netlink_rcv_skb+0x68/0x140  [ 1417.076330]  genl_rcv+0x40/0x60  [ 1417.076343]  netlink_unicast+0x330/0x3b8  [ 1417.076357]  netlink_sendmsg+0x19c/0x3f8  [ 1417.076370]  __sock_sendmsg+0x64/0xc0  [ 1417.076391]  ____sys_sendmsg+0x268/0x2a0  [ 1417.076408]  ___sys_sendmsg+0xb8/0x118  [ 1417.076427]  __sys_sendmsg+0x90/0xf8  [ 1417.076445]  __arm64_sys_sendmsg+0x2c/0x40  [ 1417.076465]  invoke_syscall+0x50/0x120  [ 1417.076486]  el0_svc_common.constprop.0+0x48/0xf0  [ 1417.076506]  do_el0_svc+0x24/0x38  [ 1417.076525]  el0_svc+0x30/0x100  [ 1417.076548]  el0t_64_sync_handler+0x100/0x130  [ 1417.076569]  el0t_64_sync+0x190/0x198  [ 
1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)  Fix this, by always using the vif corresponding to the wdev on which the Action frame Transmission request was initiated by the userspace. This way, even if P2P vif is not available, the IOVAR is sent to firmware on AP vif and the ANQP Query RESP Action frame is transmitted without crashing the driver.  Move init_completion() for \"send_af_done\" from brcmf_p2p_create_p2pdev() to brcmf_p2p_attach(). Because the former function would not get executed when only hostapd is managing wlan interface, and it is not safe to do reinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior init_completion().  And in the brcmf_p2p_tx_action_frame() function, the condition check for P2P Presence response frame is not needed, since the wpa_supplicant is properly sending the P2P Presense Response frame on the P2P-GO vif instead of the P2P-Device vif.  [Cc stable]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40322",
                        "url": "https://ubuntu.com/security/CVE-2025-40322",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: bitblit: bound-check glyph index in bit_putcs*  bit_putcs_aligned()/unaligned() derived the glyph pointer from the character value masked by 0xff/0x1ff, which may exceed the actual font's glyph count and read past the end of the built-in font array. Clamp the index to the actual glyph count before computing the address.  This fixes a global out-of-bounds read reported by syzbot.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40211",
                        "url": "https://ubuntu.com/security/CVE-2025-40211",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ACPI: video: Fix use-after-free in acpi_video_switch_brightness()  The switch_brightness_work delayed work accesses device->brightness and device->backlight, freed by acpi_video_dev_unregister_backlight() during device removal.  If the work executes after acpi_video_bus_unregister_backlight() frees these resources, it causes a use-after-free when acpi_video_switch_brightness() dereferences device->brightness or device->backlight.  Fix this by calling cancel_delayed_work_sync() for each device's switch_brightness_work in acpi_video_bus_remove_notify_handler() after removing the notify handler that queues the work. This ensures the work completes before the memory is freed.  [ rjw: Changelog edit ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-21 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40323",
                        "url": "https://ubuntu.com/security/CVE-2025-40323",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Set fb_display[i]->mode to NULL when the mode is released  Recently, we discovered the following issue through syzkaller:  BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0 Read of size 4 at addr ff11000001b3c69c by task syz.xxx ... Call Trace:  <TASK>  dump_stack_lvl+0xab/0xe0  print_address_description.constprop.0+0x2c/0x390  print_report+0xb9/0x280  kasan_report+0xb8/0xf0  fb_mode_is_equal+0x285/0x2f0  fbcon_mode_deleted+0x129/0x180  fb_set_var+0xe7f/0x11d0  do_fb_ioctl+0x6a0/0x750  fb_ioctl+0xe0/0x140  __x64_sys_ioctl+0x193/0x210  do_syscall_64+0x5f/0x9c0  entry_SYSCALL_64_after_hwframe+0x76/0x7e  Based on experimentation and analysis, during framebuffer unregistration, only the memory of fb_info->modelist is freed, without setting the corresponding fb_display[i]->mode to NULL for the freed modes. This leads to UAF issues during subsequent accesses. Here's an example of reproduction steps: 1. With /dev/fb0 already registered in the system, load a kernel module    to register a new device /dev/fb1; 2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP); 3. Switch console from fb to VGA (to allow normal rmmod of the ko); 4. Unload the kernel module, at this point fb1's modelist is freed, leaving    a wild pointer in fb_display[]; 5. Trigger the bug via system calls through fb0 attempting to delete a mode    from fb0.  Add a check in do_unregister_framebuffer(): if the mode to be freed exists in fb_display[], set the corresponding mode pointer to NULL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40210",
                        "url": "https://ubuntu.com/security/CVE-2025-40210",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\"  I've found that pynfs COMP6 now leaves the connection or lease in a strange state, which causes CLOSE9 to hang indefinitely. I've dug into it a little, but I haven't been able to root-cause it yet. However, I bisected to commit 48aab1606fa8 (\"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\").  Tianshuo Han also reports a potential vulnerability when decoding an NFSv4 COMPOUND. An attacker can place an arbitrarily large op count in the COMPOUND header, which results in:  [   51.410584] nfsd: vmalloc error: size 1209533382144, exceeds total pages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO), nodemask=(null),cpuset=/,mems_allowed=0  when NFSD attempts to allocate the COMPOUND op array.  Let's restore the operation-per-COMPOUND limit, but increased to 200 for now.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-21 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40324",
                        "url": "https://ubuntu.com/security/CVE-2025-40324",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Fix crash in nfsd4_read_release()  When tracing is enabled, the trace_nfsd_read_done trace point crashes during the pynfs read.testNoFh test.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40326",
                        "url": "https://ubuntu.com/security/CVE-2025-40326",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define actions for the new time_deleg FATTR4 attributes  NFSv4 clients won't send legitimate GETATTR requests for these new attributes because they are intended to be used only with CB_GETATTR and SETATTR. But NFSD has to do something besides crashing if it ever sees a GETATTR request that queries these attributes.  RFC 8881 Section 18.7.3 states:  > The server MUST return a value for each attribute that the client > requests if the attribute is supported by the server for the > target file system. If the server does not support a particular > attribute on the target file system, then it MUST NOT return the > attribute value and MUST NOT set the attribute bit in the result > bitmap. The server MUST return an error if it supports an > attribute on the target but cannot obtain its value. In that case, > no attribute values will be returned.  Further, RFC 9754 Section 5 states:  > These new attributes are invalid to be used with GETATTR, VERIFY, > and NVERIFY, and they can only be used with CB_GETATTR and SETATTR > by a client holding an appropriate delegation.  Thus there does not appear to be a specific server response mandated by specification. Taking the guidance that querying these attributes via GETATTR is \"invalid\", NFSD will return nfserr_inval, failing the request entirely.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40084",
                        "url": "https://ubuntu.com/security/CVE-2025-40084",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: transport_ipc: validate payload size before reading handle  handle_response() dereferences the payload as a 4-byte handle without verifying that the declared payload size is at least 4 bytes. A malformed or truncated message from ksmbd.mountd can lead to a 4-byte read past the declared payload size. Validate the size before dereferencing.  This is a minimal fix to guard the initial handle read.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40222",
                        "url": "https://ubuntu.com/security/CVE-2025-40222",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: serial: sh-sci: fix RSCI FIFO overrun handling  The receive error handling code is shared between RSCI and all other SCIF port types, but the RSCI overrun_reg is specified as a memory offset, while for other SCIF types it is an enum value used to index into the sci_port_params->regs array, as mentioned above the sci_serial_in() function.  For RSCI, the overrun_reg is CSR (0x48), causing the sci_getreg() call inside the sci_handle_fifo_overrun() function to index outside the bounds of the regs array, which currently has a size of 20, as specified by SCI_NR_REGS.  Because of this, we end up accessing memory outside of RSCI's rsci_port_params structure, which, when interpreted as a plat_sci_reg, happens to have a non-zero size, causing the following WARN when sci_serial_in() is called, as the accidental size does not match the supported register sizes.  The existence of the overrun_reg needs to be checked because SCIx_SH3_SCIF_REGTYPE has overrun_reg set to SCLSR, but SCLSR is not present in the regs array.  Avoid calling sci_getreg() for port types which don't use standard register handling.  Use the ops->read_reg() and ops->write_reg() functions to properly read and write registers for RSCI, and change the type of the status variable to accommodate the 32-bit CSR register.  sci_getreg() and sci_serial_in() are also called with overrun_reg in the sci_mpxed_interrupt() interrupt handler, but that code path is not used for RSCI, as it does not have a muxed interrupt.  
------------[ cut here ]------------ Invalid register access WARNING: CPU: 0 PID: 0 at drivers/tty/serial/sh-sci.c:522 sci_serial_in+0x38/0xac Modules linked in: renesas_usbhs at24 rzt2h_adc industrialio_adc sha256 cfg80211 bluetooth ecdh_generic ecc rfkill fuse drm backlight ipv6 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.17.0-rc1+ #30 PREEMPT Hardware name: Renesas RZ/T2H EVK Board based on r9a09g077m44 (DT) pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : sci_serial_in+0x38/0xac lr : sci_serial_in+0x38/0xac sp : ffff800080003e80 x29: ffff800080003e80 x28: ffff800082195b80 x27: 000000000000000d x26: ffff8000821956d0 x25: 0000000000000000 x24: ffff800082195b80 x23: ffff000180e0d800 x22: 0000000000000010 x21: 0000000000000000 x20: 0000000000000010 x19: ffff000180e72000 x18: 000000000000000a x17: ffff8002bcee7000 x16: ffff800080000000 x15: 0720072007200720 x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720 x11: 0000000000000058 x10: 0000000000000018 x9 : ffff8000821a6a48 x8 : 0000000000057fa8 x7 : 0000000000000406 x6 : ffff8000821fea48 x5 : ffff00033ef88408 x4 : ffff8002bcee7000 x3 : ffff800082195b80 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff800082195b80 Call trace:  sci_serial_in+0x38/0xac (P)  sci_handle_fifo_overrun.isra.0+0x70/0x134  sci_er_interrupt+0x50/0x39c  __handle_irq_event_percpu+0x48/0x140  handle_irq_event+0x44/0xb0  handle_fasteoi_irq+0xf4/0x1a0  handle_irq_desc+0x34/0x58  generic_handle_domain_irq+0x1c/0x28  gic_handle_irq+0x4c/0x140  call_on_irq_stack+0x30/0x48  do_interrupt_handler+0x80/0x84  el1_interrupt+0x34/0x68  el1h_64_irq_handler+0x18/0x24  el1h_64_irq+0x6c/0x70  default_idle_call+0x28/0x58 (P)  do_idle+0x1f8/0x250  cpu_startup_entry+0x34/0x3c  rest_init+0xd8/0xe0  console_on_rootfs+0x0/0x6c  __primary_switched+0x88/0x90 ---[ end trace 0000000000000000 ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40223",
                        "url": "https://ubuntu.com/security/CVE-2025-40223",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  most: usb: Fix use-after-free in hdm_disconnect  hdm_disconnect() calls most_deregister_interface(), which eventually unregisters the MOST interface device with device_unregister(iface->dev). If that drops the last reference, the device core may call release_mdev() immediately while hdm_disconnect() is still executing.  The old code also freed several mdev-owned allocations in hdm_disconnect() and then performed additional put_device() calls. Depending on refcount order, this could lead to use-after-free or double-free when release_mdev() ran (or when unregister paths also performed puts).  Fix by moving the frees of mdev-owned allocations into release_mdev(), so they happen exactly once when the device is truly released, and by dropping the extra put_device() calls in hdm_disconnect() that are redundant after device_unregister() and most_deregister_interface().  This addresses the KASAN slab-use-after-free reported by syzbot in hdm_disconnect(). See report and stack traces in the bug link below.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40106",
                        "url": "https://ubuntu.com/security/CVE-2025-40106",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  comedi: fix divide-by-zero in comedi_buf_munge()  The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path.  Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging.  This prevents potential kernel panics from malformed user commands.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-31 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40224",
                        "url": "https://ubuntu.com/security/CVE-2025-40224",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hwmon: (cgbc-hwmon) Add missing NULL check after devm_kzalloc()  The driver allocates memory for sensor data using devm_kzalloc(), but did not check if the allocation succeeded. In case of memory allocation failure, dereferencing the NULL pointer would lead to a kernel crash.  Add a NULL pointer check and return -ENOMEM to handle allocation failure properly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40225",
                        "url": "https://ubuntu.com/security/CVE-2025-40225",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/panthor: Fix kernel panic on partial unmap of a GPU VA region  This commit address a kernel panic issue that can happen if Userspace tries to partially unmap a GPU virtual region (aka drm_gpuva). The VM_BIND interface allows partial unmapping of a BO.  Panthor driver pre-allocates memory for the new drm_gpuva structures that would be needed for the map/unmap operation, done using drm_gpuvm layer. It expected that only one new drm_gpuva would be needed on umap but a partial unmap can require 2 new drm_gpuva and that's why it ended up doing a NULL pointer dereference causing a kernel panic.  Following dump was seen when partial unmap was exercised.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078  Mem abort info:    ESR = 0x0000000096000046    EC = 0x25: DABT (current EL), IL = 32 bits    SET = 0, FnV = 0    EA = 0, S1PTW = 0    FSC = 0x06: level 2 translation fault  Data abort info:    ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000    CM = 0, WnR = 1, TnD = 0, TagAccess = 0    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0  user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000  [000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000  Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP  <snip>  pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)  pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]  lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor]  sp : ffff800085d43970  x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000  x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000  x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180  x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010  x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c  x14: 312d3d7361203a70 x13: 303030323d6e656c x12: 
ffff80008324bf58  x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c  x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7  x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001  x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078  Call trace:   panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]   op_remap_cb.isra.22+0x50/0x80   __drm_gpuvm_sm_unmap+0x10c/0x1c8   drm_gpuvm_sm_unmap+0x40/0x60   panthor_vm_exec_op+0xb4/0x3d0 [panthor]   panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor]   panthor_ioctl_vm_bind+0x160/0x4a0 [panthor]   drm_ioctl_kernel+0xbc/0x138   drm_ioctl+0x240/0x500   __arm64_sys_ioctl+0xb0/0xf8   invoke_syscall+0x4c/0x110   el0_svc_common.constprop.1+0x98/0xf8   do_el0_svc+0x24/0x38   el0_svc+0x40/0xf8   el0t_64_sync_handler+0xa0/0xc8   el0t_64_sync+0x174/0x178",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40226",
                        "url": "https://ubuntu.com/security/CVE-2025-40226",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  firmware: arm_scmi: Account for failed debug initialization  When the SCMI debug subsystem fails to initialize, the related debug root will be missing, and the underlying descriptor will be NULL.  Handle this fault condition in the SCMI debug helpers that maintain metrics counters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40227",
                        "url": "https://ubuntu.com/security/CVE-2025-40227",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs: dealloc commit test ctx always  The damon_ctx for testing online DAMON parameters commit inputs is deallocated only when the test fails.  This means memory is leaked for every successful online DAMON parameters commit.  Fix the leak by always deallocating it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40228",
                        "url": "https://ubuntu.com/security/CVE-2025-40228",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs: catch commit test ctx alloc failure  Patch series \"mm/damon/sysfs: fix commit test damon_ctx [de]allocation\".  DAMON sysfs interface dynamically allocates and uses a damon_ctx object for testing if given inputs for online DAMON parameters update is valid. The object is being used without an allocation failure check, and leaked when the test succeeds.  Fix the two bugs.   This patch (of 2):  The damon_ctx for testing online DAMON parameters commit inputs is used without its allocation failure check.  This could result in an invalid memory access.  Fix it by directly returning an error when the allocation failed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40229",
                        "url": "https://ubuntu.com/security/CVE-2025-40229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/core: fix potential memory leak by cleaning ops_filter in damon_destroy_scheme  Currently, damon_destroy_scheme() only cleans up the filter list but leaves ops_filter untouched, which could lead to memory leaks when a scheme is destroyed.  This patch ensures both filter and ops_filter are properly freed in damon_destroy_scheme(), preventing potential memory leaks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40230",
                        "url": "https://ubuntu.com/security/CVE-2025-40230",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm: prevent poison consumption when splitting THP  When performing memory error injection on a THP (Transparent Huge Page) mapped to userspace on an x86 server, the kernel panics with the following trace.  The expected behavior is to terminate the affected process instead of panicking the kernel, as the x86 Machine Check code can recover from an in-userspace #MC.    mce: [Hardware Error]: CPU 0: Machine Check Exception: f Bank 3: bd80000000070134   mce: [Hardware Error]: RIP 10:<ffffffff8372f8bc> {memchr_inv+0x4c/0xf0}   mce: [Hardware Error]: TSC afff7bbff88a ADDR 1d301b000 MISC 80 PPIN 1e741e77539027db   mce: [Hardware Error]: PROCESSOR 0:d06d0 TIME 1758093249 SOCKET 0 APIC 0 microcode 80000320   mce: [Hardware Error]: Run the above through 'mcelog --ascii'   mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel   Kernel panic - not syncing: Fatal local machine check  The root cause of this panic is that handling a memory failure triggered by an in-userspace #MC necessitates splitting the THP.  The splitting process employs a mechanism, implemented in try_to_map_unused_to_zeropage(), which reads the pages in the THP to identify zero-filled pages.  However, reading the pages in the THP results in a second in-kernel #MC, occurring before the initial memory_failure() completes, ultimately leading to a kernel panic.  See the kernel panic call trace on the two #MCs.    
First Machine Check occurs // [1]     memory_failure()         // [2]       try_to_split_thp_page()         split_huge_page()           split_huge_page_to_list_to_order()             __folio_split()  // [3]               remap_page()                 remove_migration_ptes()                   remove_migration_pte()                     try_to_map_unused_to_zeropage()  // [4]                       memchr_inv()                   // [5]                         Second Machine Check occurs  // [6]                           Kernel panic  [1] Triggered by accessing a hardware-poisoned THP in userspace, which is     typically recoverable by terminating the affected process.  [2] Call folio_set_has_hwpoisoned() before try_to_split_thp_page().  [3] Pass the RMP_USE_SHARED_ZEROPAGE remap flag to remap_page().  [4] Try to map the unused THP to zeropage.  [5] Re-access pages in the hw-poisoned THP in the kernel.  [6] Triggered in-kernel, leading to a panic kernel.  In Step[2], memory_failure() sets the poisoned flag on the page in the THP by TestSetPageHWPoison() before calling try_to_split_thp_page().  As suggested by David Hildenbrand, fix this panic by not accessing to the poisoned page in the THP during zeropage identification, while continuing to scan unaffected pages in the THP for possible zeropage mapping.  This prevents a second in-kernel #MC that would cause kernel panic in Step[4].  Thanks to Andrew Zaborowski for his initial work on fixing this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40231",
                        "url": "https://ubuntu.com/security/CVE-2025-40231",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix lock inversion in vsock_assign_transport()  Syzbot reported a potential lock inversion deadlock between vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.  The issue was introduced by commit 687aa0c5581b (\"vsock: Fix transport_* TOCTOU\") which added vsock_register_mutex locking in vsock_assign_transport() around the transport->release() call, that can call vsock_linger(). vsock_assign_transport() can be called with sk_lock held. vsock_linger() calls sk_wait_event() that temporarily releases and re-acquires sk_lock. During this window, if another thread hold vsock_register_mutex while trying to acquire sk_lock, a circular dependency is created.  Fix this by releasing vsock_register_mutex before calling transport->release() and vsock_deassign_transport(). This is safe because we don't need to hold vsock_register_mutex while releasing the old transport, and we ensure the new transport won't disappear by obtaining a module reference first via try_module_get().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40233",
                        "url": "https://ubuntu.com/security/CVE-2025-40233",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ocfs2: clear extent cache after moving/defragmenting extents  The extent map cache can become stale when extents are moved or defragmented, causing subsequent operations to see outdated extent flags. This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().  The problem occurs when: 1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED 2. ioctl(FITRIM) triggers ocfs2_move_extents() 3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2) 4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent()    which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0) 5. The extent map cache is not invalidated after the move 6. Later write() operations read stale cached flags (0x2) but disk has    updated flags (0x0), causing a mismatch 7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers  Fix by clearing the extent map cache after each extent move/defrag operation in __ocfs2_move_extents_range().  This ensures subsequent operations read fresh extent data from disk.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40235",
                        "url": "https://ubuntu.com/security/CVE-2025-40235",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots()  If fs_info->super_copy or fs_info->super_for_commit allocated failed in btrfs_get_tree_subvol(), then no need to call btrfs_free_fs_info(). Otherwise btrfs_check_leaked_roots() would access NULL pointer because fs_info->allocated_roots had not been initialised.  syzkaller reported the following information:   ------------[ cut here ]------------   BUG: unable to handle page fault for address: fffffffffffffbb0   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   PGD 64c9067 P4D 64c9067 PUD 64cb067 PMD 0   Oops: Oops: 0000 [#1] SMP KASAN PTI   CPU: 0 UID: 0 PID: 1402 Comm: syz.1.35 Not tainted 6.15.8 #4 PREEMPT(lazy)   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...)   RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]   RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]   RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]   RIP: 0010:refcount_read include/linux/refcount.h:170 [inline]   RIP: 0010:btrfs_check_leaked_roots+0x18f/0x2c0 fs/btrfs/disk-io.c:1230   [...]   
Call Trace:    <TASK>    btrfs_free_fs_info+0x310/0x410 fs/btrfs/disk-io.c:1280    btrfs_get_tree_subvol+0x592/0x6b0 fs/btrfs/super.c:2029    btrfs_get_tree+0x63/0x80 fs/btrfs/super.c:2097    vfs_get_tree+0x98/0x320 fs/super.c:1759    do_new_mount+0x357/0x660 fs/namespace.c:3899    path_mount+0x716/0x19c0 fs/namespace.c:4226    do_mount fs/namespace.c:4239 [inline]    __do_sys_mount fs/namespace.c:4450 [inline]    __se_sys_mount fs/namespace.c:4427 [inline]    __x64_sys_mount+0x28c/0x310 fs/namespace.c:4427    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0x92/0x180 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x76/0x7e   RIP: 0033:0x7f032eaffa8d   [...]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40236",
                        "url": "https://ubuntu.com/security/CVE-2025-40236",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: zero unused hash fields  When GSO tunnel is negotiated virtio_net_hdr_tnl_from_skb() tries to initialize the tunnel metadata but forgets to zero unused rxhash fields. This may leak information to the other side. Fix this by zeroing the unused hash fields.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40237",
                        "url": "https://ubuntu.com/security/CVE-2025-40237",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/notify: call exportfs_encode_fid with s_umount  Calling intotify_show_fdinfo() on fd watching an overlayfs inode, while the overlayfs is being unmounted, can lead to dereferencing NULL ptr.  This issue was found by syzkaller.  Race Condition Diagram:  Thread 1                           Thread 2 --------                           --------  generic_shutdown_super()  shrink_dcache_for_umount   sb->s_root = NULL                      |                     |             vfs_read()                     |              inotify_fdinfo()                     |               * inode get from mark *                     |               show_mark_fhandle(m, inode)                     |                exportfs_encode_fid(inode, ..)                     |                 ovl_encode_fh(inode, ..)                     |                  ovl_check_encode_origin(inode)                     |                   * deref i_sb->s_root *                     |                     |                     v  fsnotify_sb_delete(sb)  Which then leads to:  [   32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [   32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [   32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none)  <snip registers, unreliable trace>  [   32.143353] Call Trace: [   32.143732]  ovl_encode_fh+0xd5/0x170 [   32.144031]  exportfs_encode_inode_fh+0x12f/0x300 [   32.144425]  show_mark_fhandle+0xbe/0x1f0 [   32.145805]  inotify_fdinfo+0x226/0x2d0 [   32.146442]  inotify_show_fdinfo+0x1c5/0x350 [   32.147168]  seq_show+0x530/0x6f0 [   32.147449]  seq_read_iter+0x503/0x12a0 [   32.148419]  seq_read+0x31f/0x410 [   32.150714]  vfs_read+0x1f0/0x9e0 [   32.152297]  ksys_read+0x125/0x240  IOW ovl_check_encode_origin 
derefs inode->i_sb->s_root, after it was set to NULL in the unmount path.  Fix it by protecting calling exportfs_encode_fid() from show_mark_fhandle() with s_umount lock.  This form of fix was suggested by Amir in [1].  [1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40238",
                        "url": "https://ubuntu.com/security/CVE-2025-40238",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5: Fix IPsec cleanup over MPV device  When we do mlx5e_detach_netdev() we eventually disable blocking events notifier, among those events are IPsec MPV events from IB to core.  So before disabling those blocking events, make sure to also unregister the devcom device and mark all this device operations as complete, in order to prevent the other device from using invalid netdev during future devcom events which could cause the trace below.  BUG: kernel NULL pointer dereference, address: 0000000000000010 PGD 146427067 P4D 146427067 PUD 146488067 PMD 0 Oops: Oops: 0000 [#1] SMP CPU: 1 UID: 0 PID: 7735 Comm: devlink Tainted: GW 6.12.0-rc6_for_upstream_min_debug_2024_11_08_00_46 #1 Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core] Code: 00 01 48 83 05 23 32 1e 00 01 41 b8 ed ff ff ff e9 60 ff ff ff 48 83 05 00 32 1e 00 01 eb e3 66 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 47 10 48 83 05 5f 32 1e 00 01 48 8b 50 40 48 85 d2 74 05 40 RSP: 0018:ffff88811a5c35f8 EFLAGS: 00010206 RAX: ffff888106e8ab80 RBX: ffff888107d7e200 RCX: ffff88810d6f0a00 RDX: ffff88810d6f0a00 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff88811a17e620 R08: 0000000000000040 R09: 0000000000000000 R10: ffff88811a5c3618 R11: 0000000de85d51bd R12: ffff88811a17e600 R13: ffff88810d6f0a00 R14: 0000000000000000 R15: ffff8881034bda80 FS:  00007f27bdf89180(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000010f159005 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  <TASK>  ? __die+0x20/0x60  ? page_fault_oops+0x150/0x3e0  ? exc_page_fault+0x74/0x130  ? 
asm_exc_page_fault+0x22/0x30  ? mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core]  mlx5e_devcom_event_mpv+0x42/0x60 [mlx5_core]  mlx5_devcom_send_event+0x8c/0x170 [mlx5_core]  blocking_event+0x17b/0x230 [mlx5_core]  notifier_call_chain+0x35/0xa0  blocking_notifier_call_chain+0x3d/0x60  mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]  mlx5_core_mp_event_replay+0x12/0x20 [mlx5_core]  mlx5_ib_bind_slave_port+0x228/0x2c0 [mlx5_ib]  mlx5_ib_stage_init_init+0x664/0x9d0 [mlx5_ib]  ? idr_alloc_cyclic+0x50/0xb0  ? __kmalloc_cache_noprof+0x167/0x340  ? __kmalloc_noprof+0x1a7/0x430  __mlx5_ib_add+0x34/0xd0 [mlx5_ib]  mlx5r_probe+0xe9/0x310 [mlx5_ib]  ? kernfs_add_one+0x107/0x150  ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib]  auxiliary_bus_probe+0x3e/0x90  really_probe+0xc5/0x3a0  ? driver_probe_device+0x90/0x90  __driver_probe_device+0x80/0x160  driver_probe_device+0x1e/0x90  __device_attach_driver+0x7d/0x100  bus_for_each_drv+0x80/0xd0  __device_attach+0xbc/0x1f0  bus_probe_device+0x86/0xa0  device_add+0x62d/0x830  __auxiliary_device_add+0x3b/0xa0  ? auxiliary_device_init+0x41/0x90  add_adev+0xd1/0x150 [mlx5_core]  mlx5_rescan_drivers_locked+0x21c/0x300 [mlx5_core]  esw_mode_change+0x6c/0xc0 [mlx5_core]  mlx5_devlink_eswitch_mode_set+0x21e/0x640 [mlx5_core]  devlink_nl_eswitch_set_doit+0x60/0xe0  genl_family_rcv_msg_doit+0xd0/0x120  genl_rcv_msg+0x180/0x2b0  ? devlink_get_from_attrs_lock+0x170/0x170  ? devlink_nl_eswitch_get_doit+0x290/0x290  ? devlink_nl_pre_doit_port_optional+0x50/0x50  ? genl_family_rcv_msg_dumpit+0xf0/0xf0  netlink_rcv_skb+0x54/0x100  genl_rcv+0x24/0x40  netlink_unicast+0x1fc/0x2d0  netlink_sendmsg+0x1e4/0x410  __sock_sendmsg+0x38/0x60  ? sockfd_lookup_light+0x12/0x60  __sys_sendto+0x105/0x160  ? 
__sys_recvmsg+0x4e/0x90  __x64_sys_sendto+0x20/0x30  do_syscall_64+0x4c/0x100  entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f27bc91b13a Code: bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 fa 96 2c 00 45 89 c9 4c 63 d1 48 63 ff 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40239",
                        "url": "https://ubuntu.com/security/CVE-2025-40239",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: phy: micrel: always set shared->phydev for LAN8814  Currently, during the LAN8814 PTP probe shared->phydev is only set if PTP clock gets actually set, otherwise the function will return before setting it.  This is an issue as shared->phydev is unconditionally being used when IRQ is being handled, especially in lan8814_gpio_process_cap and since it was not set it will cause a NULL pointer exception and crash the kernel.  So, simply always set shared->phydev to avoid the NULL pointer exception.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40240",
                        "url": "https://ubuntu.com/security/CVE-2025-40240",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: avoid NULL dereference when chunk data buffer is missing  chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only.  chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40241",
                        "url": "https://ubuntu.com/security/CVE-2025-40241",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: fix crafted invalid cases for encoded extents  Robert recently reported two corrupted images that can cause system crashes, which are related to the new encoded extents introduced in Linux 6.15:    - The first one [1] has plen != 0 (e.g. plen == 0x2000000) but     (plen & Z_EROFS_EXTENT_PLEN_MASK) == 0. It is used to represent     special extents such as sparse extents (!EROFS_MAP_MAPPED), but     previously only plen == 0 was handled;    - The second one [2] has pa 0xffffffffffdcffed and plen 0xb4000,     then \"cur [0xfffffffffffff000] += bvec.bv_len [0x1000]\" in     \"} while ((cur += bvec.bv_len) < end);\" wraps around, causing an     out-of-bound access of pcl->compressed_bvecs[] in     z_erofs_submit_queue().  EROFS only supports 48-bit physical block     addresses (up to 1EiB for 4k blocks), so add a sanity check to     enforce this.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40242",
                        "url": "https://ubuntu.com/security/CVE-2025-40242",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gfs2: Fix unlikely race in gdlm_put_lock  In gdlm_put_lock(), there is a small window of time in which the DFL_UNMOUNT flag has been set but the lockspace hasn't been released, yet.  In that window, dlm may still call gdlm_ast() and gdlm_bast(). To prevent it from dereferencing freed glock objects, only free the glock if the lockspace has actually been released.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40243",
                        "url": "https://ubuntu.com/security/CVE-2025-40243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()  The syzbot reported issue in hfs_find_set_zero_bits():  ===================================================== BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45  hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45  hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151  hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408  hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353  __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151  block_write_begin fs/buffer.c:2262 [inline]  cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601  hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52  cont_expand_zero fs/buffer.c:2528 [inline]  cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591  hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52  hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494  hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654  notify_change+0x1993/0x1aa0 fs/attr.c:552  do_truncate+0x28f/0x310 fs/open.c:68  do_ftruncate+0x698/0x730 fs/open.c:195  do_sys_ftruncate fs/open.c:210 [inline]  __do_sys_ftruncate fs/open.c:215 [inline]  __se_sys_ftruncate fs/open.c:213 [inline]  __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213  x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Uninit was created at:  slab_post_alloc_hook mm/slub.c:4154 [inline]  slab_alloc_node mm/slub.c:4197 [inline]  __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354  kmalloc_noprof include/linux/slab.h:905 [inline]  hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175  hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337  get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681  get_tree_bdev+0x38/0x50 fs/super.c:1704  hfs_get_tree+0x35/0x40 fs/hfs/super.c:388  vfs_get_tree+0xb0/0x5c0 
fs/super.c:1804  do_new_mount+0x738/0x1610 fs/namespace.c:3902  path_mount+0x6db/0x1e90 fs/namespace.c:4226  do_mount fs/namespace.c:4239 [inline]  __do_sys_mount fs/namespace.c:4450 [inline]  __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427  __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427  x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 =====================================================  The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get():  HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);  Finally, it can trigger the reported issue because kmalloc() doesn't clear the allocated memory. If allocated memory contains only zeros, then everything will work pretty fine. But if the allocated memory contains the \"garbage\", then it can affect the bitmap operations and it triggers the reported issue.  This patch simply exchanges the kmalloc() on kzalloc() with the goal to guarantee the correctness of bitmap operations. Because, newly created allocation bitmap should have all available blocks free. Potentially, initialization bitmap's read operation could not fill the whole allocated memory and \"garbage\" in the not initialized memory will be the reason of volume coruptions and file system driver bugs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40244",
                        "url": "https://ubuntu.com/security/CVE-2025-40244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()  The syzbot reported issue in __hfsplus_ext_cache_extent():  [   70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.195022][ T9350]  __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.195530][ T9350]  hfsplus_file_extend+0x74f/0x1cf0 [   70.195998][ T9350]  hfsplus_get_block+0xe16/0x17b0 [   70.196458][ T9350]  __block_write_begin_int+0x962/0x2ce0 [   70.196959][ T9350]  cont_write_begin+0x1000/0x1950 [   70.197416][ T9350]  hfsplus_write_begin+0x85/0x130 [   70.197873][ T9350]  generic_perform_write+0x3e8/0x1060 [   70.198374][ T9350]  __generic_file_write_iter+0x215/0x460 [   70.198892][ T9350]  generic_file_write_iter+0x109/0x5e0 [   70.199393][ T9350]  vfs_write+0xb0f/0x14e0 [   70.199771][ T9350]  ksys_write+0x23e/0x490 [   70.200149][ T9350]  __x64_sys_write+0x97/0xf0 [   70.200570][ T9350]  x64_sys_call+0x3015/0x3cf0 [   70.201065][ T9350]  do_syscall_64+0xd9/0x1d0 [   70.201506][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [   70.202054][ T9350] [   70.202279][ T9350] Uninit was created at: [   70.202693][ T9350]  __kmalloc_noprof+0x621/0xf80 [   70.203149][ T9350]  hfsplus_find_init+0x8d/0x1d0 [   70.203602][ T9350]  hfsplus_file_extend+0x6ca/0x1cf0 [   70.204087][ T9350]  hfsplus_get_block+0xe16/0x17b0 [   70.204561][ T9350]  __block_write_begin_int+0x962/0x2ce0 [   70.205074][ T9350]  cont_write_begin+0x1000/0x1950 [   70.205547][ T9350]  hfsplus_write_begin+0x85/0x130 [   70.206017][ T9350]  generic_perform_write+0x3e8/0x1060 [   70.206519][ T9350]  __generic_file_write_iter+0x215/0x460 [   70.207042][ T9350]  generic_file_write_iter+0x109/0x5e0 [   70.207552][ T9350]  vfs_write+0xb0f/0x14e0 [   70.207961][ T9350]  ksys_write+0x23e/0x490 [   70.208375][ T9350]  __x64_sys_write+0x97/0xf0 [   70.208810][ T9350]  
x64_sys_call+0x3015/0x3cf0 [   70.209255][ T9350]  do_syscall_64+0xd9/0x1d0 [   70.209680][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [   70.210230][ T9350] [   70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5 [   70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [   70.212115][ T9350] ===================================================== [   70.212734][ T9350] Disabling lock debugging due to kernel taint [   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ... [   70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G    B             6.12.0-rc5 #5 [   70.214679][ T9350] Tainted: [B]=BAD_PAGE [   70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [   70.215999][ T9350] Call Trace: [   70.216309][ T9350]  <TASK> [   70.216585][ T9350]  dump_stack_lvl+0x1fd/0x2b0 [   70.217025][ T9350]  dump_stack+0x1e/0x30 [   70.217421][ T9350]  panic+0x502/0xca0 [   70.217803][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0  [   70.218294][ Message fromT sy9350]  kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...  kernel :[   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [  70.220179][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0 set ... [   70.221254][ T9350]  ? __msan_warning+0x96/0x120 [   70.222066][ T9350]  ? __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.223023][ T9350]  ? hfsplus_file_extend+0x74f/0x1cf0 [   70.224120][ T9350]  ? hfsplus_get_block+0xe16/0x17b0 [   70.224946][ T9350]  ? __block_write_begin_int+0x962/0x2ce0 [   70.225756][ T9350]  ? cont_write_begin+0x1000/0x1950 [   70.226337][ T9350]  ? hfsplus_write_begin+0x85/0x130 [   70.226852][ T9350]  ? generic_perform_write+0x3e8/0x1060 [   70.227405][ T9350]  ? __generic_file_write_iter+0x215/0x460 [   70.227979][ T9350]  ? generic_file_write_iter+0x109/0x5e0 [   70.228540][ T9350]  ? 
vfs_write+0xb0f/0x14e0 [   70.228997][ T9350]  ? ksys_write+0x23e/0x490 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40245",
                        "url": "https://ubuntu.com/security/CVE-2025-40245",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nios2: ensure that memblock.current_limit is set when setting pfn limits  On nios2, with CONFIG_FLATMEM set, the kernel relies on memblock_get_current_limit() to determine the limits of mem_map, in particular for max_low_pfn. Unfortunately, memblock.current_limit is only default initialized to MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading to situations where max_low_pfn can erroneously exceed the value of max_pfn and, thus, the valid range of available DRAM.  This can in turn cause kernel-level paging failures, e.g.:  [   76.900000] Unable to handle kernel paging request at virtual address 20303000 [   76.900000] ea = c0080890, ra = c000462c, cause = 14 [   76.900000] Kernel panic - not syncing: Oops [   76.900000] ---[ end Kernel panic - not syncing: Oops ]---  This patch fixes this by pre-calculating memblock.current_limit based on the upper limits of the available memory ranges via adjust_lowmem_bounds, a simplified version of the equivalent implementation within the arm architecture.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40086",
                        "url": "https://ubuntu.com/security/CVE-2025-40086",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Don't allow evicting of BOs in same VM in array of VM binds  An array of VM binds can potentially evict other buffer objects (BOs) within the same VM under certain conditions, which may lead to NULL pointer dereferences later in the bind pipeline. To prevent this, clear the allow_res_evict flag in the xe_bo_validate call.  v2:  - Invert polarity of no_res_evict (Thomas)  - Add comment in code explaining issue (Thomas)  (cherry picked from commit 8b9ba8d6d95fe75fed6b0480bb03da4b321bea08)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40087",
                        "url": "https://ubuntu.com/security/CVE-2025-40087",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define a proc_layoutcommit for the FlexFiles layout type  Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40088",
                        "url": "https://ubuntu.com/security/CVE-2025-40088",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()  The hfsplus_strcasecmp() logic can trigger the issue:  [  117.317703][ T9855] ================================================================== [  117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490 [  117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855 [  117.319577][ T9855] [  117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full) [  117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [  117.319783][ T9855] Call Trace: [  117.319785][ T9855]  <TASK> [  117.319788][ T9855]  dump_stack_lvl+0x1c1/0x2a0 [  117.319795][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319803][ T9855]  ? __pfx_dump_stack_lvl+0x10/0x10 [  117.319808][ T9855]  ? rcu_is_watching+0x15/0xb0 [  117.319816][ T9855]  ? lock_release+0x4b/0x3e0 [  117.319821][ T9855]  ? __kasan_check_byte+0x12/0x40 [  117.319828][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319835][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319842][ T9855]  print_report+0x17e/0x7e0 [  117.319848][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319855][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319862][ T9855]  ? __phys_addr+0xd3/0x180 [  117.319869][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319876][ T9855]  kasan_report+0x147/0x180 [  117.319882][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319891][ T9855]  hfsplus_strcasecmp+0x1bc/0x490 [  117.319900][ T9855]  ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10 [  117.319906][ T9855]  hfs_find_rec_by_key+0xa9/0x1e0 [  117.319913][ T9855]  __hfsplus_brec_find+0x18e/0x470 [  117.319920][ T9855]  ? __pfx_hfsplus_bnode_find+0x10/0x10 [  117.319926][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319933][ T9855]  ? 
__pfx___hfsplus_brec_find+0x10/0x10 [  117.319942][ T9855]  hfsplus_brec_find+0x28f/0x510 [  117.319949][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319956][ T9855]  ? __pfx_hfsplus_brec_find+0x10/0x10 [  117.319963][ T9855]  ? __kmalloc_noprof+0x2a9/0x510 [  117.319969][ T9855]  ? hfsplus_find_init+0x8c/0x1d0 [  117.319976][ T9855]  hfsplus_brec_read+0x2b/0x120 [  117.319983][ T9855]  hfsplus_lookup+0x2aa/0x890 [  117.319990][ T9855]  ? __pfx_hfsplus_lookup+0x10/0x10 [  117.320003][ T9855]  ? d_alloc_parallel+0x2f0/0x15e0 [  117.320008][ T9855]  ? __lock_acquire+0xaec/0xd80 [  117.320013][ T9855]  ? __pfx_d_alloc_parallel+0x10/0x10 [  117.320019][ T9855]  ? __raw_spin_lock_init+0x45/0x100 [  117.320026][ T9855]  ? __init_waitqueue_head+0xa9/0x150 [  117.320034][ T9855]  __lookup_slow+0x297/0x3d0 [  117.320039][ T9855]  ? __pfx___lookup_slow+0x10/0x10 [  117.320045][ T9855]  ? down_read+0x1ad/0x2e0 [  117.320055][ T9855]  lookup_slow+0x53/0x70 [  117.320065][ T9855]  walk_component+0x2f0/0x430 [  117.320073][ T9855]  path_lookupat+0x169/0x440 [  117.320081][ T9855]  filename_lookup+0x212/0x590 [  117.320089][ T9855]  ? __pfx_filename_lookup+0x10/0x10 [  117.320098][ T9855]  ? strncpy_from_user+0x150/0x290 [  117.320105][ T9855]  ? getname_flags+0x1e5/0x540 [  117.320112][ T9855]  user_path_at+0x3a/0x60 [  117.320117][ T9855]  __x64_sys_umount+0xee/0x160 [  117.320123][ T9855]  ? __pfx___x64_sys_umount+0x10/0x10 [  117.320129][ T9855]  ? do_syscall_64+0xb7/0x3a0 [  117.320135][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320141][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320145][ T9855]  do_syscall_64+0xf3/0x3a0 [  117.320150][ T9855]  ? 
exc_page_fault+0x9f/0xf0 [  117.320154][ T9855]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320158][ T9855] RIP: 0033:0x7f7dd7908b07 [  117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08 [  117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40162",
                        "url": "https://ubuntu.com/security/CVE-2025-40162",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails  devm_kasprintf() may return NULL on memory allocation failure, but the debug message prints cpus->dai_name before checking it. Move the dev_dbg() call after the NULL check to prevent potential NULL pointer dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40085",
                        "url": "https://ubuntu.com/security/CVE-2025-40085",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card  In try_to_register_card(), the return value of usb_ifnum_to_if() is passed directly to usb_interface_claimed() without a NULL check, which will lead to a NULL pointer dereference when creating an invalid USB audio device. Fix this by adding a check to ensure the interface pointer is valid before passing it to usb_interface_claimed().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40172",
                        "url": "https://ubuntu.com/security/CVE-2025-40172",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()  Currently, if find_and_map_user_pages() takes a DMA xfer request from the user with a length field set to 0, or in a rare case, the host receives QAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size is equal to the requested transaction size, the function will return 0 before allocating an sgt or setting the fields of the dma_xfer struct. In that case, encode_addr_size_pairs() will try to access the sgt which will lead to a general protection fault.  Return an EINVAL in case the user provides a zero-sized ALP, or the device requests continuation after all of the bytes have been transferred.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40177",
                        "url": "https://ubuntu.com/security/CVE-2025-40177",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/qaic: Fix bootlog initialization ordering  As soon as we queue MHI buffers to receive the bootlog from the device, we could be receiving data. Therefore all the resources needed to process that data need to be setup prior to queuing the buffers.  We currently initialize some of the resources after queuing the buffers which creates a race between the probe() and any data that comes back from the device. If the uninitialized resources are accessed, we could see page faults.  Fix the init ordering to close the race.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40163",
                        "url": "https://ubuntu.com/security/CVE-2025-40163",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched/deadline: Stop dl_server before CPU goes offline  IBM CI tool reported kernel warning[1] when running a CPU removal operation through drmgr[2]. i.e \"drmgr -c cpu -r -q 1\"  WARNING: CPU: 0 PID: 0 at kernel/sched/cpudeadline.c:219 cpudl_set+0x58/0x170 NIP [c0000000002b6ed8] cpudl_set+0x58/0x170 LR [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 Call Trace: [c000000002c2f8c0] init_stack+0x78c0/0x8000 (unreliable) [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 [c00000000034df84] __hrtimer_run_queues+0x1a4/0x390 [c00000000034f624] hrtimer_interrupt+0x124/0x300 [c00000000002a230] timer_interrupt+0x140/0x320  Git bisects to: commit 4ae8d9aa9f9d (\"sched/deadline: Fix dl_server getting stuck\")  This happens since: - dl_server hrtimer gets enqueued close to cpu offline, when   kthread_park enqueues a fair task. - CPU goes offline and drmgr removes it from cpu_present_mask. - hrtimer fires and warning is hit.  Fix it by stopping the dl_server before CPU is marked dead.  [1]: https://lore.kernel.org/all/8218e149-7718-4432-9312-f97297c352b9@linux.ibm.com/ [2]: https://github.com/ibm-power-utilities/powerpc-utils/tree/next/src/drmgr  [sshegde: wrote the changelog and tested it]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40174",
                        "url": "https://ubuntu.com/security/CVE-2025-40174",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/mm: Fix SMP ordering in switch_mm_irqs_off()  Stephen noted that it is possible to not have an smp_mb() between the loaded_mm store and the tlb_gen load in switch_mm(), meaning the ordering against flush_tlb_mm_range() goes out the window, and it becomes possible for switch_mm() to not observe a recent tlb_gen update and fail to flush the TLBs.  [ dhansen: merge conflict fixed by Ingo ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40089",
                        "url": "https://ubuntu.com/security/CVE-2025-40089",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cxl/features: Add check for no entries in cxl_feature_info  cxl EDAC calls cxl_feature_info() to get the feature information and if the hardware has no Features support, cxlfs may be passed in as NULL.  [   51.957498] BUG: kernel NULL pointer dereference, address: 0000000000000008 [   51.965571] #PF: supervisor read access in kernel mode [   51.971559] #PF: error_code(0x0000) - not-present page [   51.977542] PGD 17e4f6067 P4D 0 [   51.981384] Oops: Oops: 0000 [#1] SMP NOPTI [   51.986300] CPU: 49 UID: 0 PID: 3782 Comm: systemd-udevd Not tainted 6.17.0dj test+ #64 PREEMPT(voluntary) [   51.997355] Hardware name: <removed> [   52.009790] RIP: 0010:cxl_feature_info+0xa/0x80 [cxl_core]  Add a check for cxlfs before dereferencing it and return -EOPNOTSUPP if there is no cxlfs created due to no hardware support.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40176",
                        "url": "https://ubuntu.com/security/CVE-2025-40176",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tls: wait for pending async decryptions if tls_strp_msg_hold fails  Async decryption calls tls_strp_msg_hold to create a clone of the input skb to hold references to the memory it uses. If we fail to allocate that clone, proceeding with async decryption can lead to various issues (UAF on the skb, writing into userspace memory after the recv() call has returned).  In this case, wait for all pending decryption requests.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40164",
                        "url": "https://ubuntu.com/security/CVE-2025-40164",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: Fix using smp_processor_id() in preemptible code warnings  Syzbot reported the following warning:  BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879 caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary) Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120  check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49  usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331  usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708  usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417  __dev_set_mtu net/core/dev.c:9443 [inline]  netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496  netif_set_mtu+0xb0/0x160 net/core/dev.c:9520  dev_set_mtu+0xae/0x170 net/core/dev_api.c:247  dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572  dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821  sock_do_ioctl+0x19d/0x280 net/socket.c:1204  sock_ioctl+0x42f/0x6a0 net/socket.c:1311  vfs_ioctl fs/ioctl.c:51 [inline]  __do_sys_ioctl fs/ioctl.c:906 [inline]  __se_sys_ioctl fs/ioctl.c:892 [inline]  __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  For historical and portability reasons, the netif_rx() is usually run in the softirq or interrupt context, this commit therefore add local_bh_disable/enable() protection in the usbnet_resume_rx().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40091",
                        "url": "https://ubuntu.com/security/CVE-2025-40091",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ixgbe: fix too early devlink_free() in ixgbe_remove()  Since ixgbe_adapter is embedded in devlink, calling devlink_free() prematurely in the ixgbe_remove() path can lead to UAF. Move devlink_free() to the end.  KASAN report:   BUG: KASAN: use-after-free in ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]  Read of size 8 at addr ffff0000adf813e0 by task bash/2095  CPU: 1 UID: 0 PID: 2095 Comm: bash Tainted: G S 6.17.0-rc2-tnguy.net-queue+ #1 PREEMPT(full)  [...]  Call trace:   show_stack+0x30/0x90 (C)   dump_stack_lvl+0x9c/0xd0   print_address_description.constprop.0+0x90/0x310   print_report+0x104/0x1f0   kasan_report+0x88/0x180   __asan_report_load8_noabort+0x20/0x30   ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]   ixgbe_clear_interrupt_scheme+0xf8/0x130 [ixgbe]   ixgbe_remove+0x2d0/0x8c0 [ixgbe]   pci_device_remove+0xa0/0x220   device_remove+0xb8/0x170   device_release_driver_internal+0x318/0x490   device_driver_detach+0x40/0x68   unbind_store+0xec/0x118   drv_attr_store+0x64/0xb8   sysfs_kf_write+0xcc/0x138   kernfs_fop_write_iter+0x294/0x440   new_sync_write+0x1fc/0x588   vfs_write+0x480/0x6a0   ksys_write+0xf0/0x1e0   __arm64_sys_write+0x70/0xc0   invoke_syscall.constprop.0+0xcc/0x280   el0_svc_common.constprop.0+0xa8/0x248   do_el0_svc+0x44/0x68   el0_svc+0x54/0x160   el0t_64_sync_handler+0xa0/0xe8   el0t_64_sync+0x1b0/0x1b8",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40175",
                        "url": "https://ubuntu.com/security/CVE-2025-40175",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  idpf: cleanup remaining SKBs in PTP flows  When the driver requests Tx timestamp value, one of the first steps is to clone SKB using skb_get. It increases the reference counter for that SKB to prevent unexpected freeing by another component. However, there may be a case where the index is requested, SKB is assigned and never consumed by PTP flows - for example due to reset during running PTP apps.  Add a check in release timestamping function to verify if the SKB assigned to Tx timestamp latch was freed, and release remaining SKBs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40173",
                        "url": "https://ubuntu.com/security/CVE-2025-40173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ip6_tunnel: Prevent perpetual tunnel growth  Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd (\"net: ip_tunnel: prevent perpetual headroom growth\"), ipv6 tunnel yet increases the headroom without any ceiling.  Reflect ipv4 tunnel headroom adjustment limit on ipv6 version.  Credits to Francesco Ruggeri, who was originally debugging this issue and wrote local Arista-specific patch and a reproducer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40092",
                        "url": "https://ubuntu.com/security/CVE-2025-40092",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ncm: Refactor bind path to use __free()  After an bind/unbind cycle, the ncm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  ncm_bind+0x39c/0x3dc  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40093",
                        "url": "https://ubuntu.com/security/CVE-2025-40093",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ecm: Refactor bind path to use __free()  After a bind/unbind cycle, the ecm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40094",
                        "url": "https://ubuntu.com/security/CVE-2025-40094",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_acm: Refactor bind path to use __free()  After an bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  gs_free_req+0x30/0x44  acm_bind+0x1b8/0x1f4  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40095",
                        "url": "https://ubuntu.com/security/CVE-2025-40095",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_rndis: Refactor bind path to use __free()  After a bind/unbind cycle, the rndis->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40165",
                        "url": "https://ubuntu.com/security/CVE-2025-40165",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: nxp: imx8-isi: m2m: Fix streaming cleanup on release  If streamon/streamoff calls are imbalanced, such as when exiting an application with Ctrl+C when streaming, the m2m usage_count will never reach zero and the ISI channel won't be freed. Besides from that, if the input line width is more than 2K, it will trigger a WARN_ON():  [ 59.222120] ------------[ cut here ]------------ [ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654 [ 59.238569] Modules linked in: ap1302 [ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT [ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT) [ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120 [ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120 [ 59.275047] sp : ffff8000848c3b40 [ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00 [ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001 [ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780 [ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000 [ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c [ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 [ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30 [ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420 [ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000 [ 59.349590] Call trace: [ 59.352025]  mxc_isi_channel_chain+0xa4/0x120 (P) [ 59.356722]  mxc_isi_m2m_streamon+0x160/0x20c [ 59.361072]  
v4l_streamon+0x24/0x30 [ 59.364556]  __video_do_ioctl+0x40c/0x4a0 [ 59.368560]  video_usercopy+0x2bc/0x690 [ 59.372382]  video_ioctl2+0x18/0x24 [ 59.375857]  v4l2_ioctl+0x40/0x60 [ 59.379168]  __arm64_sys_ioctl+0xac/0x104 [ 59.383172]  invoke_syscall+0x48/0x104 [ 59.386916]  el0_svc_common.constprop.0+0xc0/0xe0 [ 59.391613]  do_el0_svc+0x1c/0x28 [ 59.394915]  el0_svc+0x34/0xf4 [ 59.397966]  el0t_64_sync_handler+0xa0/0xe4 [ 59.402143]  el0t_64_sync+0x198/0x19c [ 59.405801] ---[ end trace 0000000000000000 ]---  Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the v4l2_m2m_ioctl_streamon() and v4l2_m2m_ioctl_streamoff() helpers.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40096",
                        "url": "https://ubuntu.com/security/CVE-2025-40096",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies  When adding dependencies with drm_sched_job_add_dependency(), that function consumes the fence reference both on success and failure, so in the latter case the dma_fence_put() on the error path (xarray failed to expand) is a double free.  Interestingly this bug appears to have been present ever since commit ebd5f74255b9 (\"drm/sched: Add dependency tracking\"), since the code back then looked like this:  drm_sched_job_add_implicit_dependencies(): ...        for (i = 0; i < fence_count; i++) {                ret = drm_sched_job_add_dependency(job, fences[i]);                if (ret)                        break;        }         for (; i < fence_count; i++)                dma_fence_put(fences[i]);  Which means for the failing 'i' the dma_fence_put was already a double free. Possibly there were no users at that time, or the test cases were insufficient to hit it.  The bug was then only noticed and fixed after commit 9c2ba265352a (\"drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2\") landed, with its fixup of commit 4eaf02d6076c (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies\").  At that point it was a slightly different flavour of a double free, which commit 963d0b356935 (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder\") noticed and attempted to fix.  But it only moved the double free from happening inside the drm_sched_job_add_dependency(), when releasing the reference not yet obtained, to the caller, when releasing the reference already released by the former in the failure case.  As such it is not easy to identify the right target for the fixes tag so lets keep it simple and just continue the chain.  While fixing we also improve the comment and explain the reason for taking the reference and not dropping it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40097",
                        "url": "https://ubuntu.com/security/CVE-2025-40097",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda: Fix missing pointer check in hda_component_manager_init function  The __component_match_add function may assign the 'matchptr' pointer the value ERR_PTR(-ENOMEM), which will subsequently be dereferenced.  The call stack leading to the error looks like this:  hda_component_manager_init |-> component_match_add     |-> component_match_add_release         |-> __component_match_add ( ... ,**matchptr, ... )             |-> *matchptr = ERR_PTR(-ENOMEM);       // assign |-> component_master_add_with_match( ...  match)     |-> component_match_realloc(match, match->num); // dereference  Add IS_ERR() check to prevent the crash.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40098",
                        "url": "https://ubuntu.com/security/CVE-2025-40098",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state()  Return value of a function acpi_evaluate_dsm() is dereferenced  without checking for NULL, but it is usually checked for this function.  acpi_evaluate_dsm() may return NULL, when acpi_evaluate_object() returns acpi_status other than ACPI_SUCCESS, so add a check to prevent the crash.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40099",
                        "url": "https://ubuntu.com/security/CVE-2025-40099",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cifs: parse_dfs_referrals: prevent oob on malformed input  Malicious SMB server can send invalid reply to FSCTL_DFS_GET_REFERRALS  - reply smaller than sizeof(struct get_dfs_referral_rsp) - reply with number of referrals smaller than NumberOfReferrals in the header  Processing of such replies will cause oob.  Return -EINVAL error on such replies to prevent oob-s.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40100",
                        "url": "https://ubuntu.com/security/CVE-2025-40100",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: do not assert we found block group item when creating free space tree  Currently, when building a free space tree at populate_free_space_tree(), if we are not using the block group tree feature, we always expect to find block group items (either extent items or a block group item with key type BTRFS_BLOCK_GROUP_ITEM_KEY) when we search the extent tree with btrfs_search_slot_for_read(), so we assert that we found an item. However this expectation is wrong since we can have a new block group created in the current transaction which is still empty and for which we still have not added the block group's item to the extent tree, in which case we do not have any items in the extent tree associated to the block group.  The insertion of a new block group's block group item in the extent tree happens at btrfs_create_pending_block_groups() when it calls the helper insert_block_group_item(). This typically is done when a transaction handle is released, committed or when running delayed refs (either as part of a transaction commit or when serving tickets for space reservation if we are low on free space).  So remove the assertion at populate_free_space_tree() even when the block group tree feature is not enabled and update the comment to mention this case.  Syzbot reported this with the following stack trace:    BTRFS info (device loop3 state M): rebuilding free space tree   assertion failed: ret == 0 :: 0, in fs/btrfs/free-space-tree.c:1115   ------------[ cut here ]------------   kernel BUG at fs/btrfs/free-space-tree.c:1115!   Oops: invalid opcode: 0000 [#1] SMP KASAN PTI   CPU: 1 UID: 0 PID: 6352 Comm: syz.3.25 Not tainted syzkaller #0 PREEMPT(full)   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025   RIP: 0010:populate_free_space_tree+0x700/0x710 fs/btrfs/free-space-tree.c:1115   Code: ff ff e8 d3 (...)   
RSP: 0018:ffffc9000430f780 EFLAGS: 00010246   RAX: 0000000000000043 RBX: ffff88805b709630 RCX: fea61d0e2e79d000   RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000   RBP: ffffc9000430f8b0 R08: ffffc9000430f4a7 R09: 1ffff92000861e94   R10: dffffc0000000000 R11: fffff52000861e95 R12: 0000000000000001   R13: 1ffff92000861f00 R14: dffffc0000000000 R15: 0000000000000000   FS:  00007f424d9fe6c0(0000) GS:ffff888125afc000(0000) knlGS:0000000000000000   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   CR2: 00007fd78ad212c0 CR3: 0000000076d68000 CR4: 00000000003526f0   Call Trace:    <TASK>    btrfs_rebuild_free_space_tree+0x1ba/0x6d0 fs/btrfs/free-space-tree.c:1364    btrfs_start_pre_rw_mount+0x128f/0x1bf0 fs/btrfs/disk-io.c:3062    btrfs_remount_rw fs/btrfs/super.c:1334 [inline]    btrfs_reconfigure+0xaed/0x2160 fs/btrfs/super.c:1559    reconfigure_super+0x227/0x890 fs/super.c:1076    do_remount fs/namespace.c:3279 [inline]    path_mount+0xd1a/0xfe0 fs/namespace.c:4027    do_mount fs/namespace.c:4048 [inline]    __do_sys_mount fs/namespace.c:4236 [inline]    __se_sys_mount+0x313/0x410 fs/namespace.c:4213    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    RIP: 0033:0x7f424e39066a   Code: d8 64 89 02 (...)   RSP: 002b:00007f424d9fde68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5   RAX: ffffffffffffffda RBX: 00007f424d9fdef0 RCX: 00007f424e39066a   RDX: 0000200000000180 RSI: 0000200000000380 RDI: 0000000000000000   RBP: 0000200000000180 R08: 00007f424d9fdef0 R09: 0000000000000020   R10: 0000000000000020 R11: 0000000000000246 R12: 0000200000000380   R13: 00007f424d9fdeb0 R14: 0000000000000000 R15: 00002000000002c0    </TASK>   Modules linked in:   ---[ end trace 0000000000000000 ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40101",
                        "url": "https://ubuntu.com/security/CVE-2025-40101",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST  At the end of btrfs_load_block_group_zone_info() the first thing we do is to ensure that if the mapping type is not a SINGLE one and there is no RAID stripe tree, then we return early with an error.  Doing that, though, prevents the code from running the last calls from this function which are about freeing memory allocated during its run. Hence, in this case, instead of returning early, we set the ret value and fall through the rest of the cleanup code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40167",
                        "url": "https://ubuntu.com/security/CVE-2025-40167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: detect invalid INLINE_DATA + EXTENTS flag combination  syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal.  The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set:      EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:     comm syz.0.17: corrupted extent tree: lblk 0 < prev 66  Investigation revealed that the inode has both flags set:     DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1  This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks  Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes.  Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40102",
                        "url": "https://ubuntu.com/security/CVE-2025-40102",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Prevent access to vCPU events before init  Another day, another syzkaller bug. KVM erroneously allows userspace to pend vCPU events for a vCPU that hasn't been initialized yet, leading to KVM interpreting a bunch of uninitialized garbage for routing / injecting the exception.  In one case the injection code and the hyp disagree on whether the vCPU has a 32bit EL1 and put the vCPU into an illegal mode for AArch64, tripping the BUG() in exception_target_el() during the next injection:    kernel BUG at arch/arm64/kvm/inject_fault.c:40!   Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP   CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT   Hardware name: linux,dummy-virt (DT)   pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)   pc : exception_target_el+0x88/0x8c   lr : pend_serror_exception+0x18/0x13c   sp : ffff800082f03a10   x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000   x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000   x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004   x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000   x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0   x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000   x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000   x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000   x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000   x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20   Call trace:    exception_target_el+0x88/0x8c (P)    kvm_inject_serror_esr+0x40/0x3b4    __kvm_arm_vcpu_set_events+0xf0/0x100    kvm_arch_vcpu_ioctl+0x180/0x9d4    kvm_vcpu_ioctl+0x60c/0x9f4    __arm64_sys_ioctl+0xac/0x104    invoke_syscall+0x48/0x110    el0_svc_common.constprop.0+0x40/0xe0    
do_el0_svc+0x1c/0x28    el0_svc+0x34/0xf0    el0t_64_sync_handler+0xa0/0xe4    el0t_64_sync+0x198/0x19c   Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000)  Reject the ioctls outright as no sane VMM would call these before KVM_ARM_VCPU_INIT anyway. Even if it did the exception would've been thrown away by the eventual reset of the vCPU's state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40103",
                        "url": "https://ubuntu.com/security/CVE-2025-40103",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: Fix refcount leak for cifs_sb_tlink  Fix three refcount inconsistency issues related to `cifs_sb_tlink`.  Comments for `cifs_sb_tlink` state that `cifs_put_tlink()` needs to be called after successful calls to `cifs_sb_tlink()`. Three calls fail to update refcount accordingly, leading to possible resource leaks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40104",
                        "url": "https://ubuntu.com/security/CVE-2025-40104",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ixgbevf: fix mailbox API compatibility by negotiating supported features  There was backward compatibility in the terms of mailbox API. Various drivers from various OSes supporting 10G adapters from Intel portfolio could easily negotiate mailbox API.  This convention has been broken since introducing API 1.4. Commit 0062e7cc955e (\"ixgbevf: add VF IPsec offload code\") added support for IPSec which is specific only for the kernel ixgbe driver. None of the rest of the Intel 10G PF/VF drivers supports it. And actually lack of support was not included in the IPSec implementation - there were no such code paths. No possibility to negotiate support for the feature was introduced along with introduction of the feature itself.  Commit 339f28964147 (\"ixgbevf: Add support for new mailbox communication between PF and VF\") increasing API version to 1.5 did the same - it introduced code supported specifically by the PF ESX driver. It altered API version for the VF driver in the same time not touching the version defined for the PF ixgbe driver. It led to additional discrepancies, as the code provided within API 1.6 cannot be supported for Linux ixgbe driver as it causes crashes.  The issue was noticed some time ago and mitigated by Jake within the commit d0725312adf5 (\"ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5\"). As a result we have regression for IPsec support and after increasing API to version 1.6 ixgbevf driver stopped to support ESX MBX.  To fix this mess add new mailbox op asking PF driver about supported features. Basing on a response determine whether to set support for IPSec and ESX-specific enhanced mailbox.  New mailbox op, for compatibility purposes, must be added within new API revision, as API version of OOT PF & VF drivers is already increased to 1.6 and doesn't incorporate features negotiate op.  
Features negotiation mechanism gives possibility to be extended with new features when needed in the future.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40166",
                        "url": "https://ubuntu.com/security/CVE-2025-40166",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Check GuC running state before deregistering exec queue  In normal operation, a registered exec queue is disabled and deregistered through the GuC, and freed only after the GuC confirms completion. However, if the driver is forced to unbind while the exec queue is still running, the user may call exec_destroy() after the GuC has already been stopped and CT communication disabled.  In this case, the driver cannot receive a response from the GuC, preventing proper cleanup of exec queue resources. Fix this by directly releasing the resources when GuC is not running.  Here is the failure dmesg log: \" [  468.089581] ---[ end trace 0000000000000000 ]--- [  468.089608] pci 0000:03:00.0: [drm] *ERROR* GT0: GUC ID manager unclean (1/65535) [  468.090558] pci 0000:03:00.0: [drm] GT0:     total 65535 [  468.090562] pci 0000:03:00.0: [drm] GT0:     used 1 [  468.090564] pci 0000:03:00.0: [drm] GT0:     range 1..1 (1) [  468.092716] ------------[ cut here ]------------ [  468.092719] WARNING: CPU: 14 PID: 4775 at drivers/gpu/drm/xe/xe_ttm_vram_mgr.c:298 ttm_vram_mgr_fini+0xf8/0x130 [xe] \"  v2: use xe_uc_fw_is_running() instead of xe_guc_ct_enabled().     As CT may go down and come back during VF migration.  (cherry picked from commit 9b42321a02c50a12b2beb6ae9469606257fbecea)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40105",
                        "url": "https://ubuntu.com/security/CVE-2025-40105",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vfs: Don't leak disconnected dentries on umount  When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb (\"VFS: don't keep disconnected dentries on d_anon\") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitely relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are \"leaked\". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous \"Busy inodes after unmount\" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40019",
                        "url": "https://ubuntu.com/security/CVE-2025-40019",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: essiv - Check ssize for decryption and in-place encryption  Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-24 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40214",
                        "url": "https://ubuntu.com/security/CVE-2025-40214",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  af_unix: Initialise scc_index in unix_add_edge().  Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro.  The repro consists of three stages.    1)     1-a. Create a single cyclic reference with many sockets     1-b. close() all sockets     1-c. Trigger GC    2)     2-a. Pass sk-A to an embryo sk-B     2-b. Pass sk-X to sk-X     2-c. Trigger GC    3)     3-a. accept() the embryo sk-B     3-b. Pass sk-B to sk-C     3-c. close() the in-flight sk-A     3-d. Trigger GC  As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs:    unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START)   unix_sk(sk-X)->vertex->scc_index = 3  Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC.  At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices.  unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight.  3-c decrements sk-A's file refcnt to 1.  Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X:    sk-A -> sk-B (-> sk-C)   sk-X -> sk-X  This is totally fine.  All of them are not yet close()d and should be grouped into different SCCs.  However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead.    unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong!   &&   sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree                                        ^-- 1 in-flight count for sk-B   -> sk-A is dead !?  
The problem is that unix_add_edge() does not initialise scc_index.  Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c.  Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index.  This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.",
                        "cve_priority": "high",
                        "cve_public_date": "2025-12-04 13:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2137845,
                    1786013,
                    2137849,
                    1786013,
                    2136820,
                    2137698,
                    2129812,
                    2125022,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136813,
                    2132317,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2132095,
                    2131046,
                    2115860,
                    2128792,
                    2121852,
                    2131259,
                    2131259,
                    2131702,
                    2129610
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-40256",
                                "url": "https://ubuntu.com/security/CVE-2025-40256",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added  In commit b441cf3f8c4b (\"xfrm: delete x->tunnel as we delete x\"), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists.  In this situation, ->init_state has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn't go through __xfrm_state_delete, so we don't call xfrm_state_delete_tunnel for those states, and we end up leaking the FB tunnel.  There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrm_migrate, xfrm_state_migrate). A \"proper\" rollback of the init_state work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved.  At some point, the new (not-inserted) state will be destroyed, so call xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states will have their fallback tunnel cleaned up during __xfrm_state_delete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68204",
                                "url": "https://ubuntu.com/security/CVE-2025-68204",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pmdomain: arm: scmi: Fix genpd leak on provider registration failure  If of_genpd_add_provider_onecell() fails during probe, the previously created generic power domains are not removed, leading to a memory leak and potential kernel crash later in genpd_debug_add().  Add proper error handling to unwind the initialized domains before returning from probe to ensure all resources are correctly released on failure.  Example crash trace observed without this fix:    | Unable to handle kernel paging request at virtual address fffffffffffffc70   | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT   | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform   | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)   | pc : genpd_debug_add+0x2c/0x160   | lr : genpd_debug_init+0x74/0x98   | Call trace:   |  genpd_debug_add+0x2c/0x160 (P)   |  genpd_debug_init+0x74/0x98   |  do_one_initcall+0xd0/0x2d8   |  do_initcall_level+0xa0/0x140   |  do_initcalls+0x60/0xa8   |  do_basic_setup+0x28/0x40   |  kernel_init_freeable+0xe8/0x170   |  kernel_init+0x2c/0x140   |  ret_from_fork+0x10/0x20",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68203",
                                "url": "https://ubuntu.com/security/CVE-2025-68203",
                                "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40267",
                                "url": "https://ubuntu.com/security/CVE-2025-40267",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/rw: ensure allocated iovec gets cleared for early failure  A previous commit reused the recyling infrastructure for early cleanup, but this is not enough for the case where our internal caches have overflowed. If this happens, then the allocated iovec can get leaked if the request is also aborted early.  Reinstate the previous forced free of the iovec for that situation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68198",
                                "url": "https://ubuntu.com/security/CVE-2025-68198",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crash: fix crashkernel resource shrink  When crashkernel is configured with a high reservation, shrinking its value below the low crashkernel reservation causes two issues:  1. Invalid crashkernel resource objects 2. Kernel crash if crashkernel shrinking is done twice  For example, with crashkernel=200M,high, the kernel reserves 200MB of high memory and some default low memory (say 256MB).  The reservation appears as:  cat /proc/iomem | grep -i crash af000000-beffffff : Crash kernel 433000000-43f7fffff : Crash kernel  If crashkernel is then shrunk to 50MB (echo 52428800 > /sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved: af000000-beffffff : Crash kernel  Instead, it should show 50MB: af000000-b21fffff : Crash kernel  Further shrinking crashkernel to 40MB causes a kernel crash with the following trace (x86):  BUG: kernel NULL pointer dereference, address: 0000000000000038 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI <snip...> Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2f0 ? search_module_extables+0x19/0x60 ? search_bpf_extables+0x5f/0x80 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? __release_resource+0xd/0xb0 release_resource+0x26/0x40 __crash_shrink_memory+0xe5/0x110 crash_shrink_memory+0x12a/0x190 kexec_crash_size_store+0x41/0x80 kernfs_fop_write_iter+0x141/0x1f0 vfs_write+0x294/0x460 ksys_write+0x6d/0xf0 <snip...>  This happens because __crash_shrink_memory()/kernel/crash_core.c incorrectly updates the crashk_res resource object even when crashk_low_res should be updated.  Fix this by ensuring the correct crashkernel resource object is updated when shrinking crashkernel memory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68199",
                                "url": "https://ubuntu.com/security/CVE-2025-68199",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext  When alloc_slab_obj_exts() fails and then later succeeds in allocating a slab extension vector, it calls handle_failed_objexts_alloc() to mark all objects in the vector as empty.  As a result all objects in this slab (slabA) will have their extensions set to CODETAG_EMPTY.  Later on if this slabA is used to allocate a slabobj_ext vector for another slab (slabB), we end up with the slabB->obj_exts pointing to a slabobj_ext vector that itself has a non-NULL slabobj_ext equal to CODETAG_EMPTY.  When slabB gets freed, free_slab_obj_exts() is called to free slabB->obj_exts vector.   free_slab_obj_exts() calls mark_objexts_empty(slabB->obj_exts) which will generate a warning because it expects slabobj_ext vectors to have a NULL obj_ext, not CODETAG_EMPTY.  Modify mark_objexts_empty() to skip the warning and setting the obj_ext value if it's already set to CODETAG_EMPTY.   To quickly detect this WARN, I modified the code from WARN_ON(slab_exts[offs].ref.ct) to BUG_ON(slab_exts[offs].ref.ct == 1);  We then obtained this message:  [21630.898561] ------------[ cut here ]------------ [21630.898596] kernel BUG at mm/slub.c:2050! 
[21630.898611] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [21630.900372] Modules linked in: squashfs isofs vfio_iommu_type1 vhost_vsock vfio vhost_net vmw_vsock_virtio_transport_common vhost tap vhost_iotlb iommufd vsock binfmt_misc nfsv3 nfs_acl nfs lockd grace netfs tls rds dns_resolver tun brd overlay ntfs3 exfat btrfs blake2b_generic xor xor_neon raid6_pq loop sctp ip6_udp_tunnel udp_tunnel nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables rfkill ip_set sunrpc vfat fat joydev sg sch_fq_codel nfnetlink virtio_gpu sr_mod cdrom drm_client_lib virtio_dma_buf drm_shmem_helper drm_kms_helper drm ghash_ce backlight virtio_net virtio_blk virtio_scsi net_failover virtio_console failover virtio_mmio dm_mirror dm_region_hash dm_log dm_multipath dm_mod fuse i2c_dev virtio_pci virtio_pci_legacy_dev virtio_pci_modern_dev virtio virtio_ring autofs4 aes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject] [21630.909177] CPU: 3 UID: 0 PID: 3787 Comm: kylin-process-m Kdump: loaded Tainted: G        W           6.18.0-rc1+ #74 PREEMPT(voluntary) [21630.910495] Tainted: [W]=WARN [21630.910867] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 [21630.911625] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [21630.912392] pc : __free_slab+0x228/0x250 [21630.912868] lr : __free_slab+0x18c/0x250[21630.913334] sp : ffff8000a02f73e0 [21630.913830] x29: ffff8000a02f73e0 x28: fffffdffc43fc800 x27: ffff0000c0011c40 [21630.914677] x26: ffff0000c000cac0 x25: ffff00010fe5e5f0 x24: ffff000102199b40 [21630.915469] x23: 0000000000000003 x22: 0000000000000003 x21: ffff0000c0011c40 [21630.916259] x20: fffffdffc4086600 x19: fffffdffc43fc800 x18: 0000000000000000 [21630.917048] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [21630.917837] x14: 0000000000000000 x13: 0000000000000000 x12: ffff70001405ee66 
[21630.918640] x11: 1ffff0001405ee65 x10: ffff70001405ee65 x9 : ffff800080a295dc [21630.919442] x8 : ffff8000a02f7330 x7 : 0000000000000000 x6 : 0000000000003000 [21630.920232] x5 : 0000000024924925 x4 : 0000000000000001 x3 : 0000000000000007 [21630.921021] x2 : 0000000000001b40 x1 : 000000000000001f x0 : 0000000000000001 [21630.921810] Call trace: [21630.922130]  __free_slab+0x228/0x250 (P) [21630.922669]  free_slab+0x38/0x118 [21630.923079]  free_to_partial_list+0x1d4/0x340 [21630.923591]  __slab_free+0x24c/0x348 [21630.924024]  ___cache_free+0xf0/0x110 [21630.924468]  qlist_free_all+0x78/0x130 [21630.924922]  kasan_quarantine_reduce+0x11 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40268",
                                "url": "https://ubuntu.com/security/CVE-2025-40268",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cifs: client: fix memory leak in smb3_fs_context_parse_param  The user calls fsconfig twice, but when the program exits, free() only frees ctx->source for the second fsconfig, not the first. Regarding fc->source, there is no code in the fs context related to its memory reclamation.  To fix this memory leak, release the source memory corresponding to ctx or fc before each parsing.  syzbot reported: BUG: memory leak unreferenced object 0xffff888128afa360 (size 96):   backtrace (crc 79c9c7ba):     kstrdup+0x3c/0x80 mm/util.c:84     smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444  BUG: memory leak unreferenced object 0xffff888112c7d900 (size 96):   backtrace (crc 79c9c7ba):     smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629     smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40269",
                                "url": "https://ubuntu.com/security/CVE-2025-40269",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix potential overflow of PCM transfer buffer  The PCM stream data in USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically.  The packet sizes are limited by some factors such as wMaxPacketSize USB descriptor.  OTOH, in the current code, the actually used packet sizes are determined only by the rate and the PPS, which may be bigger than the size limit above.  This results in a buffer overflow, as reported by syzbot.  Basically when the limit is smaller than the calculated packet size, it implies that something is wrong, most likely a weird USB descriptor.  So the best option would be just to return an error at the parameter setup time before doing any further operations.  This patch introduces such a sanity check, and returns -EINVAL when the packet size is greater than maxpacksize.  The comparison with ep->packsize[1] alone should suffice since it's always equal or greater than ep->packsize[0].",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68205",
                                "url": "https://ubuntu.com/security/CVE-2025-68205",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver  After restructuring and splitting the HDMI codec driver code, each HDMI codec driver contains the own build_controls and build_pcms ops. A copy-n-paste error put the wrong entries for nvhdmi-mcp driver; both build_controls and build_pcms are swapped.  Unfortunately both callbacks have the very same form, and the compiler didn't complain it, either.  This resulted in a NULL dereference because the PCM instance hasn't been initialized at calling the build_controls callback.  Fix it by passing the proper entries.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40270",
                                "url": "https://ubuntu.com/security/CVE-2025-40270",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm, swap: fix potential UAF issue for VMA readahead  Since commit 78524b05f1a3 (\"mm, swap: avoid redundant swap device pinning\"), the common helper for allocating and preparing a folio in the swap cache layer no longer tries to get a swap device reference internally, because all callers of __read_swap_cache_async are already holding a swap entry reference.  The repeated swap device pinning isn't needed on the same swap device.  Caller of VMA readahead is also holding a reference to the target entry's swap device, but VMA readahead walks the page table, so it might encounter swap entries from other devices, and call __read_swap_cache_async on another device without holding a reference to it.  So it is possible to cause a UAF when swapoff of device A raced with swapin on device B, and VMA readahead tries to read swap entries from device A.  It's not easy to trigger, but in theory, it could cause real issues.  Make VMA readahead try to get the device reference first if the swap device is a different one from the target entry.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40271",
                                "url": "https://ubuntu.com/security/CVE-2025-40271",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/proc: fix uaf in proc_readdir_de()  Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which may result in uaf access.  We should use RB_CLEAR_NODE() set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access.  We found an uaf issue while using stress-ng testing, need to run testcase getdent and tun in the same time.  The steps of the issue is as follows:  1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current    pde is tun3;  2) in the [time windows] unregister netdevice tun3 and tun2, and erase    them from rbtree.  erase tun3 first, and then erase tun2.  the    pde(tun2) will be released to slab;  3) continue to getdent process, then pde_subdir_next() will return    pde(tun2) which is released, it will case uaf access.  CPU 0                                      |    CPU 1 ------------------------------------------------------------------------- traverse dir /proc/pid/net/dev_snmp6/      |  unregister_netdevice(tun->dev)   //tun3 tun2 sys_getdents64()                           |   iterate_dir()                            |     proc_readdir()                         |       proc_readdir_de()                    |     snmp6_unregister_dev()         pde_get(de);                       |       proc_remove()         read_unlock(&proc_subdir_lock);    |         remove_proc_subtree()                                            |          write_lock(&proc_subdir_lock);         [time window]                      |          rb_erase(&root->subdir_node, &parent->subdir);                                            |          write_unlock(&proc_subdir_lock);         read_lock(&proc_subdir_lock);      |         next = pde_subdir_next(de);        |         pde_put(de);                       |         de = next;    //UAF                |  rbtree of dev_snmp6                         
|                     pde(tun3)                      /    \\                   NULL  pde(tun2)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40272",
                                "url": "https://ubuntu.com/security/CVE-2025-40272",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/secretmem: fix use-after-free race in fault handler  When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping.  If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in adding the folio to the file mapping.  The task that failed undoes the effects of its attempt by (a) freeing the folio again and (b) putting the page back into the direct map.  However, by doing these two operations in this order, the page becomes available to the allocator again before it is placed back in the direct mapping.  If another task attempts to allocate the page between (a) and (b), and the kernel tries to access it via the direct map, it would result in a supervisor not-present page fault.  Fix the ordering to restore the direct map before the folio is freed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68245",
                                "url": "https://ubuntu.com/security/CVE-2025-68245",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: netpoll: fix incorrect refcount handling causing incorrect cleanup  commit efa95b01da18 (\"netpoll: fix use after free\") incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks.  Scenario causing lack of proper cleanup:  1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is    allocated, and refcnt = 1    - Keep in mind that npinfo is shared among all netpoll instances. In      this case, there is just one.  2) Another netpoll is also associated with the same NIC and    npinfo->refcnt += 1.    - Now dev->npinfo->refcnt = 2;    - There is just one npinfo associated to the netdev.  3) When the first netpolls goes to clean up:    - The first cleanup succeeds and clears np->dev->npinfo, ignoring      refcnt.      - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);`    - Set dev->npinfo = NULL, without proper cleanup    - No ->ndo_netpoll_cleanup() is either called  4) Now the second target tries to clean up    - The second cleanup fails because np->dev->npinfo is already NULL.      * In this case, ops->ndo_netpoll_cleanup() was never called, and        the skb pool is not cleaned as well (for the second netpoll        instance)   - This leaks npinfo and skbpool skbs, which is clearly reported by     kmemleak.  Revert commit efa95b01da18 (\"netpoll: fix use after free\") and adds clarifying comments emphasizing that npinfo cleanup should only happen once the refcount reaches zero, ensuring stable and correct netpoll behavior.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68240",
                                "url": "https://ubuntu.com/security/CVE-2025-68240",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: avoid having an active sc_timer before freeing sci  Because kthread_stop did not stop sc_task properly and returned -EINTR, the sc_timer was not properly closed, ultimately causing the problem [1] reported by syzbot when freeing sci due to the sc_timer not being closed.  Because the thread sc_task main function nilfs_segctor_thread() returns 0 when it succeeds, when the return value of kthread_stop() is not 0 in nilfs_segctor_destroy(), we believe that it has not properly closed sc_timer.  We use timer_shutdown_sync() to sync wait for sc_timer to shutdown, and set the value of sc_task to NULL under the protection of lock sc_state_lock, so as to avoid the issue caused by sc_timer not being properly shutdowned.  [1] ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: nilfs_construction_timeout Call trace:  nilfs_segctor_destroy fs/nilfs2/segment.c:2811 [inline]  nilfs_detach_log_writer+0x668/0x8cc fs/nilfs2/segment.c:2877  nilfs_put_super+0x4c/0x12c fs/nilfs2/super.c:509",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68241",
                                "url": "https://ubuntu.com/security/CVE-2025-68241",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe  The sit driver's packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random.  The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exception() can fetch the soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a new dst using a dst_hold(). When the original fnheX is freed via RCU, the dst reference remains permanently leaked.  CPU 0                             CPU 1 __mkroute_output()   find_exception() [fnheX]                                   update_or_create_fnhe()                                     fnhe_remove_oldest() [fnheX]   rt_bind_exception() [bind dst]                                   RCU callback [fnheX freed, dst leak]  This issue manifests as a device reference count leak and a warning in dmesg when unregistering the net device:    unregister_netdevice: waiting for sitX to become free. Usage count = N  Ido Schimmel provided the simple test validation method [1].  The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes(). Since rt_bind_exception() checks this field, setting it to zero prevents the stale fnhe from being reused and bound to a new dst just before it is freed.  
[1] ip netns add ns1 ip -n ns1 link set dev lo up ip -n ns1 address add 192.0.2.1/32 dev lo ip -n ns1 link add name dummy1 up type dummy ip -n ns1 route add 192.0.2.2/32 dev dummy1 ip -n ns1 link add name gretap1 up arp off type gretap \\     local 192.0.2.1 remote 192.0.2.2 ip -n ns1 route add 198.51.0.0/16 dev gretap1 taskset -c 0 ip netns exec ns1 mausezahn gretap1 \\     -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & taskset -c 2 ip netns exec ns1 mausezahn gretap1 \\     -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & sleep 10 ip netns pids ns1 | xargs kill ip netns del ns1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68211",
                                "url": "https://ubuntu.com/security/CVE-2025-68211",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksm: use range-walk function to jump over holes in scan_get_next_rmap_item  Currently, scan_get_next_rmap_item() walks every page address in a VMA to locate mergeable pages.  This becomes highly inefficient when scanning large virtual memory areas that contain mostly unmapped regions, causing ksmd to use large amount of cpu without deduplicating much pages.  This patch replaces the per-address lookup with a range walk using walk_page_range().  The range walker allows KSM to skip over entire unmapped holes in a VMA, avoiding unnecessary lookups.  This problem was previously discussed in [1].  Consider the following test program which creates a 32 TiB mapping in the virtual address space but only populates a single page:  #include <unistd.h> #include <stdio.h> #include <sys/mman.h>  /* 32 TiB */ const size_t size = 32ul * 1024 * 1024 * 1024 * 1024;  int main() {         char *area = mmap(NULL, size, PROT_READ | PROT_WRITE,                           MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1, 0);          if (area == MAP_FAILED) {                 perror(\"mmap() failed\\n\");                 return -1;         }          /* Populate a single page such that we get an anon_vma. */         *area = 0;          /* Enable KSM. */         madvise(area, size, MADV_MERGEABLE);         pause();         return 0; }  $ ./ksm-sparse  & $ echo 1 > /sys/kernel/mm/ksm/run  Without this patch ksmd uses 100% of the cpu for a long time (more then 1 hour in my test machine) scanning all the 32 TiB virtual address space that contain only one mapped page.  This makes ksmd essentially deadlocked not able to deduplicate anything of value.  With this patch ksmd walks only the one mapped page and skips the rest of the 32 TiB virtual address space, making the scan fast using little cpu.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68246",
                                "url": "https://ubuntu.com/security/CVE-2025-68246",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: close accepted socket when per-IP limit rejects connection  When the per-IP connection limit is exceeded in ksmbd_kthread_fn(), the code sets ret = -EAGAIN and continues the accept loop without closing the just-accepted socket. That leaks one socket per rejected attempt from a single IP and enables a trivial remote DoS.  Release client_sk before continuing.  This bug was found with ZeroPath.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40273",
                                "url": "https://ubuntu.com/security/CVE-2025-40273",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: free copynotify stateid in nfs4_free_ol_stateid()  Typically copynotify stateid is freed either when parent's stateid is being close/freed or in nfsd4_laundromat if the stateid hasn't been used in a lease period.  However, in case when the server got an OPEN (which created a parent stateid), followed by a COPY_NOTIFY using that stateid, followed by a client reboot. New client instance while doing CREATE_SESSION would force expire previous state of this client. It leads to the open state being freed thru release_openowner-> nfs4_free_ol_stateid() and it finds that it still has copynotify stateid associated with it. We currently print a warning and is triggerred  WARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd]  This patch, instead, frees the associated copynotify stateid here.  If the parent stateid is freed (without freeing the copynotify stateids associated with it), it leads to the list corruption when laundromat ends up freeing the copynotify state later.  
[ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP [ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink [ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G    B   W           6.17.0-rc7+ #22 PREEMPT(voluntary) [ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN [ 1626.857573] Hardware name: VMware, Inc. 
VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024 [ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd] [ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.861182] sp : ffff8000881d7a40 [ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200 [ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20 [ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8 [ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000 [ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065 [ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3 [ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000 [ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001 [ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000 [ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d [ 1626.868167] Call trace: [ 1626.868382]  __list_del_entry_valid_or_report+0x148/0x200 (P) [ 1626.868876]  _free_cpntf_state_locked+0xd0/0x268 [nfsd] [ 1626.869368]  nfs4_laundromat+0x6f8/0x1058 [nfsd] [ 1626.869813]  laundromat_main+0x24/0x60 [nfsd] [ 1626.870231]  process_one_work+0x584/0x1050 [ 1626.870595]  worker_thread+0x4c4/0xc60 [ 1626.870893]  kthread+0x2f8/0x398 [ 1626.871146]  ret_from_fork+0x10/0x20 [ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000) [ 1626.871892] SMP: stopping secondary CPUs",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40212",
                                "url": "https://ubuntu.com/security/CVE-2025-40212",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfsd: fix refcount leak in nfsd_set_fh_dentry()  nfsd exports a \"pseudo root filesystem\" which is used by NFSv4 to find the various exported filesystems using LOOKUP requests from a known root filehandle.  NFSv3 uses the MOUNT protocol to find those exported filesystems and so is not given access to the pseudo root filesystem.  If a v3 (or v2) client uses a filehandle from that filesystem, nfsd_set_fh_dentry() will report an error, but still stores the export in \"struct svc_fh\" even though it also drops the reference (exp_put()). This means that when fh_put() is called an extra reference will be dropped which can lead to use-after-free and possible denial of service.  Normal NFS usage will not provide a pseudo-root filehandle to a v3 client.  This bug can only be triggered by the client synthesising an incorrect filehandle.  To fix this we move the assignments to the svc_fh later, after all possible error cases have been detected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-24 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40274",
                                "url": "https://ubuntu.com/security/CVE-2025-40274",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying  When unbinding a memslot from a guest_memfd instance, remove the bindings even if the guest_memfd file is dying, i.e. even if its file refcount has gone to zero.  If the memslot is freed before the file is fully released, nullifying the memslot side of the binding in kvm_gmem_release() will write to freed memory, as detected by syzbot+KASAN:    ==================================================================   BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353   Write of size 8 at addr ffff88807befa508 by task syz.0.17/6022    CPU: 0 UID: 0 PID: 6022 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025   Call Trace:    <TASK>    dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120    print_address_description mm/kasan/report.c:378 [inline]    print_report+0xca/0x240 mm/kasan/report.c:482    kasan_report+0x118/0x150 mm/kasan/report.c:595    kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353    __fput+0x44c/0xa70 fs/file_table.c:468    task_work_run+0x1d4/0x260 kernel/task_work.c:227    resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]    exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43    exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]    syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]    syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]    do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100    entry_SYSCALL_64_after_hwframe+0x77/0x7f   RIP: 0033:0x7fbeeff8efc9    </TASK>    Allocated by task 6023:    kasan_save_stack mm/kasan/common.c:56 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:77    poison_kmalloc_redzone mm/kasan/common.c:397 
[inline]    __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414    kasan_kmalloc include/linux/kasan.h:262 [inline]    __kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5758    kmalloc_noprof include/linux/slab.h:957 [inline]    kzalloc_noprof include/linux/slab.h:1094 [inline]    kvm_set_memory_region+0x747/0xb90 virt/kvm/kvm_main.c:2104    kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154    kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:597 [inline]    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    Freed by task 6023:    kasan_save_stack mm/kasan/common.c:56 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:77    kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584    poison_slab_object mm/kasan/common.c:252 [inline]    __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284    kasan_slab_free include/linux/kasan.h:234 [inline]    slab_free_hook mm/slub.c:2533 [inline]    slab_free mm/slub.c:6622 [inline]    kfree+0x19a/0x6d0 mm/slub.c:6829    kvm_set_memory_region+0x9c4/0xb90 virt/kvm/kvm_main.c:2130    kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154    kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:597 [inline]    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f  Deliberately don't acquire filemap invalid lock when the file is dying as the lifecycle of f_mapping is outside the purview of KVM.  
Dereferencing the mapping is *probably* fine, but there's no need to invalidate anything as memslot deletion is responsible for zapping SPTEs, and the only code that can access the dying file is kvm_gmem_release(), whose core code is mutual ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68202",
                                "url": "https://ubuntu.com/security/CVE-2025-68202",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Fix unsafe locking in the scx_dump_state()  For built with CONFIG_PREEMPT_RT=y kernels, the dump_lock will be converted sleepable spinlock and not disable-irq, so the following scenarios occur:  inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. irq_work/0/27 [HC0[0]:SC0[0]:HE1:SE1] takes: (&rq->__lock){?...}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x40 {IN-HARDIRQ-W} state was registered at:    lock_acquire+0x1e1/0x510    _raw_spin_lock_nested+0x42/0x80    raw_spin_rq_lock_nested+0x2b/0x40    sched_tick+0xae/0x7b0    update_process_times+0x14c/0x1b0    tick_periodic+0x62/0x1f0    tick_handle_periodic+0x48/0xf0    timer_interrupt+0x55/0x80    __handle_irq_event_percpu+0x20a/0x5c0    handle_irq_event_percpu+0x18/0xc0    handle_irq_event+0xb5/0x150    handle_level_irq+0x220/0x460    __common_interrupt+0xa2/0x1e0    common_interrupt+0xb0/0xd0    asm_common_interrupt+0x2b/0x40    _raw_spin_unlock_irqrestore+0x45/0x80    __setup_irq+0xc34/0x1a30    request_threaded_irq+0x214/0x2f0    hpet_time_init+0x3e/0x60    x86_late_time_init+0x5b/0xb0    start_kernel+0x308/0x410    x86_64_start_reservations+0x1c/0x30    x86_64_start_kernel+0x96/0xa0    common_startup_64+0x13e/0x148   other info that might help us debug this:  Possible unsafe locking scenario:          CPU0         ----    lock(&rq->__lock);    <Interrupt>      lock(&rq->__lock);    *** DEADLOCK ***   stack backtrace:  CPU: 0 UID: 0 PID: 27 Comm: irq_work/0  Call Trace:   <TASK>   dump_stack_lvl+0x8c/0xd0   dump_stack+0x14/0x20   print_usage_bug+0x42e/0x690   mark_lock.part.44+0x867/0xa70   ? __pfx_mark_lock.part.44+0x10/0x10   ? string_nocheck+0x19c/0x310   ? number+0x739/0x9f0   ? __pfx_string_nocheck+0x10/0x10   ? __pfx_check_pointer+0x10/0x10   ? kvm_sched_clock_read+0x15/0x30   ? sched_clock_noinstr+0xd/0x20   ? local_clock_noinstr+0x1c/0xe0   __lock_acquire+0xc4b/0x62b0   ? 
__pfx_format_decode+0x10/0x10   ? __pfx_string+0x10/0x10   ? __pfx___lock_acquire+0x10/0x10   ? __pfx_vsnprintf+0x10/0x10   lock_acquire+0x1e1/0x510   ? raw_spin_rq_lock_nested+0x2b/0x40   ? __pfx_lock_acquire+0x10/0x10   ? dump_line+0x12e/0x270   ? raw_spin_rq_lock_nested+0x20/0x40   _raw_spin_lock_nested+0x42/0x80   ? raw_spin_rq_lock_nested+0x2b/0x40   raw_spin_rq_lock_nested+0x2b/0x40   scx_dump_state+0x3b3/0x1270   ? finish_task_switch+0x27e/0x840   scx_ops_error_irq_workfn+0x67/0x80   irq_work_single+0x113/0x260   irq_work_run_list.part.3+0x44/0x70   run_irq_workd+0x6b/0x90   ? __pfx_run_irq_workd+0x10/0x10   smpboot_thread_fn+0x529/0x870   ? __pfx_smpboot_thread_fn+0x10/0x10   kthread+0x305/0x3f0   ? __pfx_kthread+0x10/0x10   ret_from_fork+0x40/0x70   ? __pfx_kthread+0x10/0x10   ret_from_fork_asm+0x1a/0x30   </TASK>  This commit therefore use rq_lock_irqsave/irqrestore() to replace rq_lock/unlock() in the scx_dump_state().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68239",
                                "url": "https://ubuntu.com/security/CVE-2025-68239",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  binfmt_misc: restore write access before closing files opened by open_exec()  bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed.  However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write operations on the same file to fail.  Fix this by calling exe_file_allow_write_access() before filp_close() to restore the write permission properly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68247",
                                "url": "https://ubuntu.com/security/CVE-2025-68247",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  posix-timers: Plug potential memory leak in do_timer_create()  When posix timer creation is set to allocate a given timer ID and the access to the user space value faults, the function terminates without freeing the already allocated posix timer structure.  Move the allocation after the user space access to cure that.  [ tglx: Massaged change log ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68208",
                                "url": "https://ubuntu.com/security/CVE-2025-68208",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: account for current allocated stack depth in widen_imprecise_scalars()  The usage pattern for widen_imprecise_scalars() looks as follows:      prev_st = find_prev_entry(env, ...);     queued_st = push_stack(...);     widen_imprecise_scalars(env, prev_st, queued_st);  Where prev_st is an ancestor of the queued_st in the explored states tree. This ancestor is not guaranteed to have the same allocated stack depth as queued_st. E.g. in the following case:      def main():       for i in 1..2:         foo(i)        // same callsite, different param      def foo(i):       if i == 1:         use 128 bytes of stack       iterator based loop  Here, for a second 'foo' call prev_st->allocated_stack is 128, while queued_st->allocated_stack is much smaller. widen_imprecise_scalars() needs to take this into account and avoid accessing bpf_verifier_state->frame[*]->stack out of bounds.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68200",
                                "url": "https://ubuntu.com/security/CVE-2025-68200",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Add bpf_prog_run_data_pointers()  syzbot found that cls_bpf_classify() is able to change tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().  WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline] WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214  struct tc_skb_cb has been added in commit ec624fe740b4 (\"net/sched: Extend qdisc control block with tc control block\"), which added a wrong interaction with db58ba459202 (\"bpf: wire in data and data_end for cls_act_bpf\").  drop_reason was added later.  Add bpf_prog_run_data_pointers() helper to save/restore the net_sched storage colliding with BPF data_meta/data_end.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40275",
                                "url": "https://ubuntu.com/security/CVE-2025-40275",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd  In snd_usb_create_streams(), for UAC version 3 devices, the Interface Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this call fails, a fallback routine attempts to obtain the IAD from the next interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, without performing a NULL check. This can lead to a NULL pointer dereference when usb_ifnum_to_if() fails to find the interface descriptor.  This patch adds a NULL pointer check after calling usb_ifnum_to_if() in snd_usb_mixer_controls_badd() to prevent the dereference.  This issue was discovered by syzkaller, which triggered the bug by sending a crafted USB device descriptor.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68242",
                                "url": "https://ubuntu.com/security/CVE-2025-68242",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS: Fix LTP test failures when timestamps are delegated  The utimes01 and utime06 tests fail when delegated timestamps are enabled, specifically in subtests that modify the atime and mtime fields using the 'nobody' user ID.  The problem can be reproduced as follows:  # echo \"/media *(rw,no_root_squash,sync)\" >> /etc/exports # export -ra # mount -o rw,nfsvers=4.2 127.0.0.1:/media /tmpdir # cd /opt/ltp # ./runltp -d /tmpdir -s utimes01 # ./runltp -d /tmpdir -s utime06  This issue occurs because nfs_setattr does not verify the inode's UID against the caller's fsuid when delegated timestamps are permitted for the inode.  This patch adds the UID check and if it does not match then the request is sent to the server for permission checking.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68243",
                                "url": "https://ubuntu.com/security/CVE-2025-68243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS: Check the TLS certificate fields in nfs_match_client()  If the TLS security policy is of type RPC_XPRTSEC_TLS_X509, then the cert_serial and privkey_serial fields need to match as well since they define the client's identity, as presented to the server.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40276",
                                "url": "https://ubuntu.com/security/CVE-2025-40276",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/panthor: Flush shmem writes before mapping buffers CPU-uncached  The shmem layer zeroes out the new pages using cached mappings, and if we don't CPU-flush we might leave dirty cachelines behind, leading to potential data leaks and/or asynchronous buffer corruption when dirty cachelines are evicted.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40277",
                                "url": "https://ubuntu.com/security/CVE-2025-40277",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE  This data originates from userspace and is used in buffer offset calculations which could potentially overflow causing an out-of-bounds access.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68206",
                                "url": "https://ubuntu.com/security/CVE-2025-68206",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_ct: add seqadj extension for natted connections  Sequence adjustment may be required for FTP traffic with PASV/EPSV modes. due to need to re-write packet payload (IP, port) on the ftp control connection. This can require changes to the TCP length and expected seq / ack_seq.  The easiest way to reproduce this issue is with PASV mode. Example ruleset: table inet ftp_nat {         ct helper ftp_helper {                 type \"ftp\" protocol tcp                 l3proto inet         }          chain prerouting {                 type filter hook prerouting priority 0; policy accept;                 tcp dport 21 ct state new ct helper set \"ftp_helper\"         } } table ip nat {         chain prerouting {                 type nat hook prerouting priority -100; policy accept;                 tcp dport 21 dnat ip prefix to ip daddr map { \t\t\t192.168.100.1 : 192.168.13.2/32 }         }          chain postrouting {                 type nat hook postrouting priority 100 ; policy accept;                 tcp sport 21 snat ip prefix to ip saddr map { \t\t\t192.168.13.2 : 192.168.100.1/32 }         } }  Note that the ftp helper gets assigned *after* the dnat setup.  The inverse (nat after helper assign) is handled by an existing check in nf_nat_setup_info() and will not show the problem.  Topoloy:   +-------------------+     +----------------------------------+  | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |  +-------------------+     +----------------------------------+                                       |                          +-----------------------+                          | Client: 192.168.100.2 |                          +-----------------------+  ftp nat changes do not work as expected in this case: Connected to 192.168.100.1. [..] ftp> epsv EPSV/EPRT on IPv4 off. 
ftp> ls 227 Entering passive mode (192,168,100,1,209,129). 421 Service not available, remote server has closed connection.  Kernel logs: Missing nfct_seqadj_ext_add() setup call WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41 [..]  __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]  nf_nat_ftp+0x142/0x280 [nf_nat_ftp]  help+0x4d1/0x880 [nf_conntrack_ftp]  nf_confirm+0x122/0x2e0 [nf_conntrack]  nf_hook_slow+0x3c/0xb0  ..  Fix this by adding the required extension when a conntrack helper is assigned to a connection that has a nat binding.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68209",
                                "url": "https://ubuntu.com/security/CVE-2025-68209",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mlx5: Fix default values in create CQ  Currently, CQs without a completion function are assigned the mlx5_add_cq_to_tasklet function by default. This is problematic since only user CQs created through the mlx5_ib driver are intended to use this function.  Additionally, all CQs that will use doorbells instead of polling for completions must call mlx5_cq_arm. However, the default CQ creation flow leaves a valid value in the CQ's arm_db field, allowing FW to send interrupts to polling-only CQs in certain corner cases.  These two factors would allow a polling-only kernel CQ to be triggered by an EQ interrupt and call a completion function intended only for user CQs, causing a null pointer exception.  Some areas in the driver have prevented this issue with one-off fixes but did not address the root cause.  This patch fixes the described issue by adding defaults to the create CQ flow. It adds a default dummy completion function to protect against null pointer exceptions, and it sets an invalid command sequence number by default in kernel CQs to prevent the FW from sending an interrupt to the CQ until it is armed. User CQs are responsible for their own initialization values.  Callers of mlx5_core_create_cq are responsible for changing the completion function and arming the CQ per their needs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40278",
                                "url": "https://ubuntu.com/security/CVE-2025-40278",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak  Fix a KMSAN kernel-infoleak detected by the syzbot.  [net?] KMSAN: kernel-infoleak in __skb_datagram_iter  In tcf_ife_dump(), the variable 'opt' was partially initialized using a designated initializer. While the padding bytes remained uninitialized. nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace.  Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to being copied.  This change silences the KMSAN report and prevents potential information leaks from the kernel memory.  This fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures no infoleak.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40279",
                                "url": "https://ubuntu.com/security/CVE-2025-40279",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: act_connmark: initialize struct tc_ife to fix kernel leak  In tcf_connmark_dump(), the variable 'opt' was partially initialized using a designated initializer. While the padding bytes remained uninitialized. nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace.  Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to being copied.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40280",
                                "url": "https://ubuntu.com/security/CVE-2025-40280",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tipc: Fix use-after-free in tipc_mon_reinit_self().  syzbot reported use-after-free of tipc_net(net)->monitors[] in tipc_mon_reinit_self(). [0]  The array is protected by RTNL, but tipc_mon_reinit_self() iterates over it without RTNL.  tipc_mon_reinit_self() is called from tipc_net_finalize(), which is always under RTNL except for tipc_net_finalize_work().  Let's hold RTNL in tipc_net_finalize_work().  [0]: BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162 Read of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989  CPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Workqueue: events tipc_net_finalize_work Call Trace:  <TASK>  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0xca/0x240 mm/kasan/report.c:482  kasan_report+0x118/0x150 mm/kasan/report.c:595  __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568  kasan_check_byte include/linux/kasan.h:399 [inline]  lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842  __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]  _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162  rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline]  rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline]  rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244  rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243  write_lock_bh include/linux/rwlock_rt.h:99 [inline]  tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718  tipc_net_finalize+0x115/0x190 net/tipc/net.c:140  process_one_work kernel/workqueue.c:3236 [inline]  
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400  kthread+0x70e/0x8a0 kernel/kthread.c:463  ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 6089:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:388 [inline]  __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405  kasan_kmalloc include/linux/kasan.h:260 [inline]  __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407  kmalloc_noprof include/linux/slab.h:905 [inline]  kzalloc_noprof include/linux/slab.h:1039 [inline]  tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657  tipc_enable_bearer net/tipc/bearer.c:357 [inline]  __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047  __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline]  tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393  tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline]  tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321  genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115  genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]  genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210  netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552  genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219  netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]  netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346  netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896  sock_sendmsg_nosec net/socket.c:714 [inline]  __sock_sendmsg+0x21c/0x270 net/socket.c:729  ____sys_sendmsg+0x508/0x820 net/socket.c:2614  ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668  __sys_sendmsg net/socket.c:2700 [inline]  __do_sys_sendmsg net/socket.c:2705 [inline]  __se_sys_sendmsg net/socket.c:2703 [inline]  __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703  do_syscall_x64 
arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/ ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40281",
                                "url": "https://ubuntu.com/security/CVE-2025-40281",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto  syzbot reported a possible shift-out-of-bounds [1]  Blamed commit added rto_alpha_max and rto_beta_max set to 1000.  It is unclear if some sctp users are setting very large rto_alpha and/or rto_beta.  In order to prevent user regression, perform the test at run time.  Also add READ_ONCE() annotations as sysctl values can change under us.  [1]  UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41 shift exponent 64 is too large for 32-bit type 'unsigned int' CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace:  <TASK>   __dump_stack lib/dump_stack.c:94 [inline]   dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120   ubsan_epilogue lib/ubsan.c:233 [inline]   __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494   sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509   sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502   sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338   sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]   sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40282",
                                "url": "https://ubuntu.com/security/CVE-2025-40282",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: 6lowpan: reset link-local header on ipv6 recv path  Bluetooth 6lowpan.c netdev has header_ops, so it must set link-local header for RX skb, otherwise things crash, eg. with AF_PACKET SOCK_RAW  Add missing skb_reset_mac_header() for uncompressed ipv6 RX path.  For the compressed one, it is done in lowpan_header_decompress().  Log: (BlueZ 6lowpan-tester Client Recv Raw - Success) ------ kernel BUG at net/core/skbuff.c:212! Call Trace: <IRQ> ... packet_rcv (net/packet/af_packet.c:2152) ... <TASK> __local_bh_enable_ip (kernel/softirq.c:407) netif_rx (net/core/dev.c:5648) chan_recv_cb (net/bluetooth/6lowpan.c:294 net/bluetooth/6lowpan.c:359) ------",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40283",
                                "url": "https://ubuntu.com/security/CVE-2025-40283",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF  There is a KASAN: slab-use-after-free read in btusb_disconnect(). Calling \"usb_driver_release_interface(&btusb_driver, data->intf)\" will free the btusb data associated with the interface. The same data is then used later in the function, hence the UAF.  Fix by moving the accesses to btusb data to before the data is free'd.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40284",
                                "url": "https://ubuntu.com/security/CVE-2025-40284",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: cancel mesh send timer when hdev removed  mesh_send_done timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone.  Cancel the timer when MGMT removes the hdev, like other MGMT timers.  Should fix the BUG: sporadically seen by BlueZ test bot (in \"Mesh - Send cancel - 1\" test).  Log: ------ BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0 ... Freed by task 36:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  __kasan_save_free_info+0x3a/0x60  __kasan_slab_free+0x43/0x70  kfree+0x103/0x500  device_release+0x9a/0x210  kobject_put+0x100/0x1e0  vhci_release+0x18b/0x240 ------",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68210",
                                "url": "https://ubuntu.com/security/CVE-2025-68210",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: avoid infinite loop due to incomplete zstd-compressed data  Currently, the decompression logic incorrectly spins if compressed data is truncated in crafted (deliberately corrupted) images.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40285",
                                "url": "https://ubuntu.com/security/CVE-2025-40285",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/server: fix possible refcount leak in smb2_sess_setup()  Reference count of ksmbd_session will leak when session need reconnect. Fix this by adding the missing ksmbd_user_session_put().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40286",
                                "url": "https://ubuntu.com/security/CVE-2025-40286",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/server: fix possible memory leak in smb2_read()  Memory leak occurs when ksmbd_vfs_read() fails. Fix this by adding the missing kvfree().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40287",
                                "url": "https://ubuntu.com/security/CVE-2025-40287",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exfat: fix improper check of dentry.stream.valid_size  We found an infinite loop bug in the exFAT file system that can lead to a Denial-of-Service (DoS) condition. When a dentry in an exFAT filesystem is malformed, the following system calls — SYS_openat, SYS_ftruncate, and SYS_pwrite64 — can cause the kernel to hang.  Root cause analysis shows that the size validation code in exfat_find() does not check whether dentry.stream.valid_size is negative. As a result, the system calls mentioned above can succeed and eventually trigger the DoS issue.  This patch adds a check for negative dentry.stream.valid_size to prevent this vulnerability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40288",
                                "url": "https://ubuntu.com/security/CVE-2025-40288",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices  Previously, APU platforms (and other scenarios with uninitialized VRAM managers) triggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root cause is not that the `struct ttm_resource_manager *man` pointer itself is NULL, but that `man->bdev` (the backing device pointer within the manager) remains uninitialized (NULL) on APUs—since APUs lack dedicated VRAM and do not fully set up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to acquire `man->bdev->lru_lock`, it dereferences the NULL `man->bdev`, leading to a kernel OOPS.  1. **amdgpu_cs.c**: Extend the existing bandwidth control check in    `amdgpu_cs_get_threshold_for_moves()` to include a check for    `ttm_resource_manager_used()`. If the manager is not used (uninitialized    `bdev`), return 0 for migration thresholds immediately—skipping VRAM-specific    logic that would trigger the NULL dereference.  2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info    reporting to use a conditional: if the manager is used, return the real VRAM    usage; otherwise, return 0. This avoids accessing `man->bdev` when it is    NULL.  3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function)    data write path. Use `ttm_resource_manager_used()` to check validity: if the    manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set    `fb_usage` to 0 (APUs have no discrete framebuffer to report).  
This approach is more robust than APU-specific checks because it: - Works for all scenarios where the VRAM manager is uninitialized (not just APUs), - Aligns with TTM's design by using its native helper function, - Preserves correct behavior for discrete GPUs (which have fully initialized   `man->bdev` and pass the `ttm_resource_manager_used()` check).  v4: use ttm_resource_manager_used(&adev->mman.vram_mgr.manager) instead of checking the adev->gmc.is_app_apu flag (Christian)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40289",
                                "url": "https://ubuntu.com/security/CVE-2025-40289",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM  Otherwise accessing them can cause a crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68201",
                                "url": "https://ubuntu.com/security/CVE-2025-68201",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: remove two invalid BUG_ON()s  Those can be triggered trivially by userspace.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68207",
                                "url": "https://ubuntu.com/security/CVE-2025-68207",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Synchronize Dead CT worker with unbind  Cancel and wait for any Dead CT worker to complete before continuing with device unbinding. Else the worker will end up using resources freed by the unbind operation.  (cherry picked from commit 492671339114e376aaa38626d637a2751cdef263)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68244",
                                "url": "https://ubuntu.com/security/CVE-2025-68244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD  On completion of i915_vma_pin_ww(), a synchronous variant of dma_fence_work_commit() is called.  When pinning a VMA to GGTT address space on a Cherry View family processor, or on a Broxton generation SoC with VTD enabled, i.e., when stop_machine() is then called from intel_ggtt_bind_vma(), that can potentially lead to lock inversion among reservation_ww and cpu_hotplug locks.  [86.861179] ====================================================== [86.861193] WARNING: possible circular locking dependency detected [86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G     U [86.861226] ------------------------------------------------------ [86.861238] i915_module_loa/1432 is trying to acquire lock: [86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50 [86.861290] but task is already holding lock: [86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915] [86.862233] which lock already depends on the new lock. 
[86.862251] the existing dependency chain (in reverse order) is: [86.862265] -> #5 (reservation_ww_class_mutex){+.+.}-{3:3}: [86.862292]        dma_resv_lockdep+0x19a/0x390 [86.862315]        do_one_initcall+0x60/0x3f0 [86.862334]        kernel_init_freeable+0x3cd/0x680 [86.862353]        kernel_init+0x1b/0x200 [86.862369]        ret_from_fork+0x47/0x70 [86.862383]        ret_from_fork_asm+0x1a/0x30 [86.862399] -> #4 (reservation_ww_class_acquire){+.+.}-{0:0}: [86.862425]        dma_resv_lockdep+0x178/0x390 [86.862440]        do_one_initcall+0x60/0x3f0 [86.862454]        kernel_init_freeable+0x3cd/0x680 [86.862470]        kernel_init+0x1b/0x200 [86.862482]        ret_from_fork+0x47/0x70 [86.862495]        ret_from_fork_asm+0x1a/0x30 [86.862509] -> #3 (&mm->mmap_lock){++++}-{3:3}: [86.862531]        down_read_killable+0x46/0x1e0 [86.862546]        lock_mm_and_find_vma+0xa2/0x280 [86.862561]        do_user_addr_fault+0x266/0x8e0 [86.862578]        exc_page_fault+0x8a/0x2f0 [86.862593]        asm_exc_page_fault+0x27/0x30 [86.862607]        filldir64+0xeb/0x180 [86.862620]        kernfs_fop_readdir+0x118/0x480 [86.862635]        iterate_dir+0xcf/0x2b0 [86.862648]        __x64_sys_getdents64+0x84/0x140 [86.862661]        x64_sys_call+0x1058/0x2660 [86.862675]        do_syscall_64+0x91/0xe90 [86.862689]        entry_SYSCALL_64_after_hwframe+0x76/0x7e [86.862703] -> #2 (&root->kernfs_rwsem){++++}-{3:3}: [86.862725]        down_write+0x3e/0xf0 [86.862738]        kernfs_add_one+0x30/0x3c0 [86.862751]        kernfs_create_dir_ns+0x53/0xb0 [86.862765]        internal_create_group+0x134/0x4c0 [86.862779]        sysfs_create_group+0x13/0x20 [86.862792]        topology_add_dev+0x1d/0x30 [86.862806]        cpuhp_invoke_callback+0x4b5/0x850 [86.862822]        cpuhp_issue_call+0xbf/0x1f0 [86.862836]        __cpuhp_setup_state_cpuslocked+0x111/0x320 [86.862852]        __cpuhp_setup_state+0xb0/0x220 [86.862866]        topology_sysfs_init+0x30/0x50 [86.862879]        
do_one_initcall+0x60/0x3f0 [86.862893]        kernel_init_freeable+0x3cd/0x680 [86.862908]        kernel_init+0x1b/0x200 [86.862921]        ret_from_fork+0x47/0x70 [86.862934]        ret_from_fork_asm+0x1a/0x30 [86.862947] -> #1 (cpuhp_state_mutex){+.+.}-{3:3}: [86.862969]        __mutex_lock+0xaa/0xed0 [86.862982]        mutex_lock_nested+0x1b/0x30 [86.862995]        __cpuhp_setup_state_cpuslocked+0x67/0x320 [86.863012]        __cpuhp_setup_state+0xb0/0x220 [86.863026]        page_alloc_init_cpuhp+0x2d/0x60 [86.863041]        mm_core_init+0x22/0x2d0 [86.863054]        start_kernel+0x576/0xbd0 [86.863068]        x86_64_start_reservations+0x18/0x30 [86.863084]        x86_64_start_kernel+0xbf/0x110 [86.863098]        common_startup_64+0x13e/0x141 [86.863114] -> #0 (cpu_hotplug_lock){++++}-{0:0}: [86.863135]        __lock_acquire+0x16 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68316",
                                "url": "https://ubuntu.com/security/CVE-2025-68316",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: ufs: core: Fix invalid probe error return value  After DME Link Startup, the error return value is set to the MIPI UniPro GenericErrorCode which can be 0 (SUCCESS) or 1 (FAILURE).  Upon failure during driver probe, the error code 1 is propagated back to the driver probe function which must return a negative value to indicate an error, but 1 is not negative, so the probe is considered to be successful even though it failed.  Subsequently, removing the driver results in an oops because it is not in a valid state.  This happens because none of the callers of ufshcd_init() expect a non-negative error code.  Fix the return value and documentation to match actual usage.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40292",
                                "url": "https://ubuntu.com/security/CVE-2025-40292",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: fix received length check in big packets  Since commit 4959aebba8c0 (\"virtio-net: use mtu size as buffer length for big packets\"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi->big_packets_num_skbfrags.  Because the host announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce incorrect length), we need a check in virtio_net receive path. Currently, the check is not adapted to the new change which can lead to NULL page pointer dereference in the below while loop when receiving length that is larger than the allocated one.  This commit fixes the received length check corresponding to the new change.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68180",
                                "url": "https://ubuntu.com/security/CVE-2025-68180",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Fix NULL deref in debugfs odm_combine_segments  When a connector is connected but inactive (e.g., disabled by desktop environments), pipe_ctx->stream_res.tg will be destroyed. Then, reading odm_combine_segments causes kernel NULL pointer dereference.   BUG: kernel NULL pointer dereference, address: 0000000000000000  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  PGD 0 P4D 0  Oops: Oops: 0000 [#1] SMP NOPTI  CPU: 16 UID: 0 PID: 26474 Comm: cat Not tainted 6.17.0+ #2 PREEMPT(lazy) e6a17af9ee6db7c63e9d90dbe5b28ccab67520c6  Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN25WW 03/27/2025  RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]  Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>  RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286  RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8  RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000  RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0  R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08  R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001  FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0  PKRU: 55555554  Call Trace:   <TASK>   seq_read_iter+0x125/0x490   ? __alloc_frozen_pages_noprof+0x18f/0x350   seq_read+0x12c/0x170   full_proxy_read+0x51/0x80   vfs_read+0xbc/0x390   ? __handle_mm_fault+0xa46/0xef0   ? do_syscall_64+0x71/0x900   ksys_read+0x73/0xf0   do_syscall_64+0x71/0x900   ? count_memcg_events+0xc2/0x190   ? handle_mm_fault+0x1d7/0x2d0   ? do_user_addr_fault+0x21a/0x690   ? 
exc_page_fault+0x7e/0x1a0   entry_SYSCALL_64_after_hwframe+0x6c/0x74  RIP: 0033:0x7f44d4031687  Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00>  RSP: 002b:00007ffdb4b5f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000  RAX: ffffffffffffffda RBX: 00007f44d3f9f740 RCX: 00007f44d4031687  RDX: 0000000000040000 RSI: 00007f44d3f5e000 RDI: 0000000000000003  RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000  R10: 0000000000000000 R11: 0000000000000202 R12: 00007f44d3f5e000  R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000040000   </TASK>  Modules linked in: tls tcp_diag inet_diag xt_mark ccm snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device x>   snd_hda_codec_atihdmi snd_hda_codec_realtek_lib lenovo_wmi_helpers think_lmi snd_hda_codec_generic snd_hda_codec_hdmi snd_soc_core kvm snd_compress uvcvideo sn>   platform_profile joydev amd_pmc mousedev mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics loop nfnetlink ip_tables x_tables dm_cryp>  CR2: 0000000000000000  ---[ end trace 0000000000000000 ]---  RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]  Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>  RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286  RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8  RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000  RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0  R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08  R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001  FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000000 CR3: 00000006485c2000 
CR4: 0000000000f50ef0  PKRU: 55555554  Fix this by checking pipe_ctx-> ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40327",
                                "url": "https://ubuntu.com/security/CVE-2025-40327",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/core: Fix system hang caused by cpu-clock usage  cpu-clock usage by the async-profiler tool can trigger a system hang, which got bisected back to the following commit by Octavia Togami:    18dbcbfabfff (\"perf: Fix the POLL_HUP delivery breakage\") causes this issue  The root cause of the hang is that cpu-clock is a special type of SW event which relies on hrtimers. The __perf_event_overflow() callback is invoked from the hrtimer handler for cpu-clock events, and __perf_event_overflow() tries to call cpu_clock_event_stop() to stop the event, which calls hrtimer_cancel() to cancel the hrtimer.  But that's a recursion into the hrtimer code from a hrtimer handler, which (unsurprisingly) deadlocks.  To fix this bug, use hrtimer_try_to_cancel() instead, and set the PERF_HES_STOPPED flag, which causes perf_swevent_hrtimer() to stop the event once it sees the PERF_HES_STOPPED flag.  [ mingo: Fixed the comments and improved the changelog. ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40328",
                                "url": "https://ubuntu.com/security/CVE-2025-40328",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix potential UAF in smb2_close_cached_fid()  find_or_create_cached_dir() could grab a new reference after kref_put() had seen the refcount drop to zero but before cfid_list_lock is acquired in smb2_close_cached_fid(), leading to use-after-free.  Switch to kref_put_lock() so cfid_release() is called with cfid_list_lock held, closing that gap.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40291",
                                "url": "https://ubuntu.com/security/CVE-2025-40291",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring: fix regbuf vector size truncation  There is a report of io_estimate_bvec_size() truncating the calculated number of segments that leads to corruption issues. Check it doesn't overflow \"int\"s used later. Rough but simple, can be improved on top.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68322",
                                "url": "https://ubuntu.com/security/CVE-2025-68322",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  parisc: Avoid crash due to unaligned access in unwinder  Guenter Roeck reported this kernel crash on his emulated B160L machine:  Starting network: udhcpc: started, v1.36.1  Backtrace:   [<104320d4>] unwind_once+0x1c/0x5c   [<10434a00>] walk_stackframe.isra.0+0x74/0xb8   [<10434a6c>] arch_stack_walk+0x28/0x38   [<104e5efc>] stack_trace_save+0x48/0x5c   [<105d1bdc>] set_track_prepare+0x44/0x6c   [<105d9c80>] ___slab_alloc+0xfc4/0x1024   [<105d9d38>] __slab_alloc.isra.0+0x58/0x90   [<105dc80c>] kmem_cache_alloc_noprof+0x2ac/0x4a0   [<105b8e54>] __anon_vma_prepare+0x60/0x280   [<105a823c>] __vmf_anon_prepare+0x68/0x94   [<105a8b34>] do_wp_page+0x8cc/0xf10   [<105aad88>] handle_mm_fault+0x6c0/0xf08   [<10425568>] do_page_fault+0x110/0x440   [<10427938>] handle_interruption+0x184/0x748   [<11178398>] schedule+0x4c/0x190   BUG: spinlock recursion on CPU#0, ifconfig/2420   lock: terminate_lock.2+0x0/0x1c, .magic: dead4ead, .owner: ifconfig/2420, .owner_cpu: 0  While creating the stack trace, the unwinder uses the stack pointer to guess the previous frame to read the previous stack pointer from memory.  The crash happens, because the unwinder tries to read from unaligned memory and as such triggers the unalignment trap handler which then leads to the spinlock recursion and finally to a deadlock.  Fix it by checking the alignment before accessing the memory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40293",
                                "url": "https://ubuntu.com/security/CVE-2025-40293",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iommufd: Don't overflow during division for dirty tracking  If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow to 0 and this triggers divide by 0.  In this case the index should just be 0, so reorganize things to divide by shift and avoid hitting any overflows.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40294",
                                "url": "https://ubuntu.com/security/CVE-2025-40294",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()  In the parse_adv_monitor_pattern() function, the value of the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251). The size of the 'value' array in the mgmt_adv_pattern structure is 31. If the value of 'pattern[i].length' is set in the user space and exceeds 31, the 'patterns[i].value' array can be accessed out of bound when copied.  Increasing the size of the 'value' array in the 'mgmt_adv_pattern' structure will break the userspace. Considering this, and to avoid OOB access revert the limits for 'offset' and 'length' back to the value of HCI_MAX_AD_LENGTH.  Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40329",
                                "url": "https://ubuntu.com/security/CVE-2025-40329",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb  The Mesa issue referenced below pointed out a possible deadlock:  [ 1231.611031]  Possible interrupt unsafe locking scenario:  [ 1231.611033]        CPU0                    CPU1 [ 1231.611034]        ----                    ---- [ 1231.611035]   lock(&xa->xa_lock#17); [ 1231.611038]                                local_irq_disable(); [ 1231.611039]                                lock(&fence->lock); [ 1231.611041]                                lock(&xa->xa_lock#17); [ 1231.611044]   <Interrupt> [ 1231.611045]     lock(&fence->lock); [ 1231.611047]                 *** DEADLOCK ***  In this example, CPU0 would be any function accessing job->dependencies through the xa_* functions that don't disable interrupts (eg: drm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()).  CPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling callback so in an interrupt context. It will deadlock when trying to grab the xa_lock which is already held by CPU0.  Replacing all xa_* usage by their xa_*_irq counterparts would fix this issue, but Christian pointed out another issue: dma_fence_signal takes fence.lock and so does dma_fence_add_callback.    dma_fence_signal() // locks f1.lock   -> drm_sched_entity_kill_jobs_cb()   -> foreach dependencies      -> dma_fence_add_callback() // locks f2.lock  This will deadlock if f1 and f2 share the same spinlock.  To fix both issues, the code iterating on dependencies and re-arming them is moved out to drm_sched_entity_kill_jobs_work().  [phasta: commit message nits]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40295",
                                "url": "https://ubuntu.com/security/CVE-2025-40295",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT  When simulating an nvme device on qemu with both logical_block_size and physical_block_size set to 8 KiB, an error trace appears during partition table reading at boot time. The issue is caused by inode->i_blkbits being larger than PAGE_SHIFT, which leads to a left shift of -1 and triggering a UBSAN warning.  [    2.697306] ------------[ cut here ]------------ [    2.697309] UBSAN: shift-out-of-bounds in fs/crypto/inline_crypt.c:336:37 [    2.697311] shift exponent -1 is negative [    2.697315] CPU: 3 UID: 0 PID: 274 Comm: (udev-worker) Not tainted 6.18.0-rc2+ #34 PREEMPT(voluntary) [    2.697317] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [    2.697320] Call Trace: [    2.697324]  <TASK> [    2.697325]  dump_stack_lvl+0x76/0xa0 [    2.697340]  dump_stack+0x10/0x20 [    2.697342]  __ubsan_handle_shift_out_of_bounds+0x1e3/0x390 [    2.697351]  bh_get_inode_and_lblk_num.cold+0x12/0x94 [    2.697359]  fscrypt_set_bio_crypt_ctx_bh+0x44/0x90 [    2.697365]  submit_bh_wbc+0xb6/0x190 [    2.697370]  block_read_full_folio+0x194/0x270 [    2.697371]  ? __pfx_blkdev_get_block+0x10/0x10 [    2.697375]  ? __pfx_blkdev_read_folio+0x10/0x10 [    2.697377]  blkdev_read_folio+0x18/0x30 [    2.697379]  filemap_read_folio+0x40/0xe0 [    2.697382]  filemap_get_pages+0x5ef/0x7a0 [    2.697385]  ? mmap_region+0x63/0xd0 [    2.697389]  filemap_read+0x11d/0x520 [    2.697392]  blkdev_read_iter+0x7c/0x180 [    2.697393]  vfs_read+0x261/0x390 [    2.697397]  ksys_read+0x71/0xf0 [    2.697398]  __x64_sys_read+0x19/0x30 [    2.697399]  x64_sys_call+0x1e88/0x26a0 [    2.697405]  do_syscall_64+0x80/0x670 [    2.697410]  ? __x64_sys_newfstat+0x15/0x20 [    2.697414]  ? x64_sys_call+0x204a/0x26a0 [    2.697415]  ? 
do_syscall_64+0xb8/0x670 [    2.697417]  ? irqentry_exit_to_user_mode+0x2e/0x2a0 [    2.697420]  ? irqentry_exit+0x43/0x50 [    2.697421]  ? exc_page_fault+0x90/0x1b0 [    2.697422]  entry_SYSCALL_64_after_hwframe+0x76/0x7e [    2.697425] RIP: 0033:0x75054cba4a06 [    2.697426] Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 [    2.697427] RSP: 002b:00007fff973723a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000 [    2.697430] RAX: ffffffffffffffda RBX: 00005ea9a2c02760 RCX: 000075054cba4a06 [    2.697432] RDX: 0000000000002000 RSI: 000075054c190000 RDI: 000000000000001b [    2.697433] RBP: 00007fff973723c0 R08: 0000000000000000 R09: 0000000000000000 [    2.697434] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 [    2.697434] R13: 00005ea9a2c027c0 R14: 00005ea9a2be5608 R15: 00005ea9a2be55f0 [    2.697436]  </TASK> [    2.697436] ---[ end trace ]---  This situation can happen for block devices because when CONFIG_TRANSPARENT_HUGEPAGE is enabled, the maximum logical_block_size is 64 KiB. set_init_blocksize() then sets the block device inode->i_blkbits to 13, which is within this limit.  File I/O does not trigger this problem because for filesystems that do not support the FS_LBS feature, sb_set_blocksize() prevents sb->s_blocksize_bits from being larger than PAGE_SHIFT. During inode allocation, alloc_inode()->inode_init_always() assigns inode->i_blkbits from sb->s_blocksize_bits. Currently, only xfs_fs_type has the FS_LBS flag, and since xfs I/O paths do not reach submit_bh_wbc(), it does not hit the left-shift underflow issue.  [EB: use folio_pos() and consolidate the two shifts by i_blkbits]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40296",
                                "url": "https://ubuntu.com/security/CVE-2025-40296",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/x86: int3472: Fix double free of GPIO device during unregister  regulator_unregister() already frees the associated GPIO device. On ThinkPad X9 (Lunar Lake), this causes a double free issue that leads to random failures when other drivers (typically Intel THC) attempt to allocate interrupts. The root cause is that the reference count of the pinctrl_intel_platform module unexpectedly drops to zero when this driver defers its probe.  This behavior can also be reproduced by unloading the module directly.  Fix the issue by removing the redundant release of the GPIO device during regulator unregistration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40297",
                                "url": "https://ubuntu.com/security/CVE-2025-40297",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: bridge: fix use-after-free due to MST port state bypass  syzbot reported[1] a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its fdbs have been flushed. The port's state has been toggled to disabled so no learning should happen at that time, but if we have MST enabled, it will bypass the port's state, that together with VLAN filtering disabled can lead to fdb learning at a time when it shouldn't happen while the port is being deleted. VLAN filtering must be disabled because we flush the port VLANs when it's being deleted which will stop learning. This fix adds a check for the port's vlan group which is initialized to NULL when the port is getting deleted, that avoids the port state bypass. When MST is enabled there would be a minimal new overhead in the fast-path because the port's vlan group pointer is cache-hot.  [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68320",
                                "url": "https://ubuntu.com/security/CVE-2025-68320",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lan966x: Fix sleeping in atomic context  The following warning was seen when we try to connect using ssh to the device.  BUG: sleeping function called from invalid context at kernel/locking/mutex.c:575 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbear preempt_count: 1, expected: 0 INFO: lockdep is turned off. CPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G        W          6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONE Tainted: [W]=WARN Hardware name: Generic DT based system Call trace:  unwind_backtrace from show_stack+0x10/0x14  show_stack from dump_stack_lvl+0x7c/0xac  dump_stack_lvl from __might_resched+0x16c/0x2b0  __might_resched from __mutex_lock+0x64/0xd34  __mutex_lock from mutex_lock_nested+0x1c/0x24  mutex_lock_nested from lan966x_stats_get+0x5c/0x558  lan966x_stats_get from dev_get_stats+0x40/0x43c  dev_get_stats from dev_seq_printf_stats+0x3c/0x184  dev_seq_printf_stats from dev_seq_show+0x10/0x30  dev_seq_show from seq_read_iter+0x350/0x4ec  seq_read_iter from seq_read+0xfc/0x194  seq_read from proc_reg_read+0xac/0x100  proc_reg_read from vfs_read+0xb0/0x2b0  vfs_read from ksys_read+0x6c/0xec  ksys_read from ret_fast_syscall+0x0/0x1c Exception stack(0xf0b11fa8 to 0xf0b11ff0) 1fa0:                   00000001 00001000 00000008 be9048d8 00001000 00000001 1fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 00000001 1fe0: 0005404c be9048c0 00018684 b6ec2cd8  It seems that we are using a mutex in a atomic context which is wrong. Change the mutex with a spinlock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68169",
                                "url": "https://ubuntu.com/security/CVE-2025-68169",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netpoll: Fix deadlock in memory allocation under spinlock  Fix a AA deadlock in refill_skbs() where memory allocation while holding skb_pool->lock can trigger a recursive lock acquisition attempt.  The deadlock scenario occurs when the system is under severe memory pressure:  1. refill_skbs() acquires skb_pool->lock (spinlock) 2. alloc_skb() is called while holding the lock 3. Memory allocator fails and calls slab_out_of_memory() 4. This triggers printk() for the OOM warning 5. The console output path calls netpoll_send_udp() 6. netpoll_send_udp() attempts to acquire the same skb_pool->lock 7. Deadlock: the lock is already held by the same CPU  Call stack:   refill_skbs()     spin_lock_irqsave(&skb_pool->lock)    <- lock acquired     __alloc_skb()       kmem_cache_alloc_node_noprof()         slab_out_of_memory()           printk()             console_flush_all()               netpoll_send_udp()                 skb_dequeue()                   spin_lock_irqsave(&skb_pool->lock)     <- deadlock attempt  This bug was exposed by commit 248f6571fd4c51 (\"netpoll: Optimize skb refilling on critical path\") which removed refill_skbs() from the critical path (where nested printk was being deferred), letting nested printk being called from inside refill_skbs()  Refactor refill_skbs() to never allocate memory while holding the spinlock.  Another possible solution to fix this problem is protecting the refill_skbs() from nested printks, basically calling printk_deferred_{enter,exit}() in refill_skbs(), then, any nested pr_warn() would be deferred.  I prefer this approach, given I _think_ it might be a good idea to move the alloc_skb() from GFP_ATOMIC to GFP_KERNEL in the future, so, having the alloc_skb() outside of the lock will be necessary step.  
There is a possible TOCTOU issue when checking for the pool length, and queueing the new allocated skb, but, this is not an issue, given that an extra SKB in the pool is harmless and it will be eventually used.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68197",
                                "url": "https://ubuntu.com/security/CVE-2025-68197",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()  With older FW, we may get the ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER for FW trace data type that has not been initialized.  This will result in a crash in bnxt_bs_trace_type_wrap().  Add a guard to check for a valid magic_byte pointer before proceeding.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40330",
                                "url": "https://ubuntu.com/security/CVE-2025-40330",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Shutdown FW DMA in bnxt_shutdown()  The netif_close() call in bnxt_shutdown() only stops packet DMA.  There may be FW DMA for trace logging (recently added) that will continue.  If we kexec to a new kernel, the DMA will corrupt memory in the new kernel.  Add bnxt_hwrm_func_drv_unrgtr() to unregister the driver from the FW. This will stop the FW DMA.  In case the call fails, call pcie_flr() to reset the function and stop the DMA.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68192",
                                "url": "https://ubuntu.com/security/CVE-2025-68192",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup  Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. This can trigger kernel panics on ARM64 when xfrm or other subsystems access the offset due to strict alignment checks.  Initialize the MAC header to prevent such crashes.  This can trigger kernel panics on ARM when running IPsec over the qmimux0 interface.  Example trace:      Internal error: Oops: 000000009600004f [#1] SMP     CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1     Hardware name: LS1028A RDB Board (DT)     pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)     pc : xfrm_input+0xde8/0x1318     lr : xfrm_input+0x61c/0x1318     sp : ffff800080003b20     Call trace:      xfrm_input+0xde8/0x1318      xfrm6_rcv+0x38/0x44      xfrm6_esp_rcv+0x48/0xa8      ip6_protocol_deliver_rcu+0x94/0x4b0      ip6_input_finish+0x44/0x70      ip6_input+0x44/0xc0      ipv6_rcv+0x6c/0x114      __netif_receive_skb_one_core+0x5c/0x8c      __netif_receive_skb+0x18/0x60      process_backlog+0x78/0x17c      __napi_poll+0x38/0x180      net_rx_action+0x168/0x2f0",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40331",
                                "url": "https://ubuntu.com/security/CVE-2025-40331",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: Prevent TOCTOU out-of-bounds write  For the following path not holding the sock lock,    sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()  make sure not to exceed bounds in case the address list has grown between buffer allocation (time-of-check) and write (time-of-use).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68187",
                                "url": "https://ubuntu.com/security/CVE-2025-68187",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: mdio: Check regmap pointer returned by device_node_to_regmap()  The call to device_node_to_regmap() in airoha_mdio_probe() can return an ERR_PTR() if regmap initialization fails. Currently, the driver stores the pointer without validation, which could lead to a crash if it is later dereferenced.  Add an IS_ERR() check and return the corresponding error code to make the probe path more robust.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68167",
                                "url": "https://ubuntu.com/security/CVE-2025-68167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gpiolib: fix invalid pointer access in debugfs  If the memory allocation in gpiolib_seq_start() fails, the s->private field remains uninitialized and is later dereferenced without checking in gpiolib_seq_stop(). Initialize s->private to NULL before calling kzalloc() and check it before dereferencing it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68319",
                                "url": "https://ubuntu.com/security/CVE-2025-68319",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netconsole: Acquire su_mutex before navigating configs hierarchy  There is a race between operations that iterate over the userdata cg_children list and concurrent add/remove of userdata items through configfs. The update_userdata() function iterates over the nt->userdata_group.cg_children list, and count_extradata_entries() also iterates over this same list to count nodes.  Quoting from Documentation/filesystems/configfs.rst: > A subsystem can navigate the cg_children list and the ci_parent pointer > to see the tree created by the subsystem.  This can race with configfs' > management of the hierarchy, so configfs uses the subsystem mutex to > protect modifications.  Whenever a subsystem wants to navigate the > hierarchy, it must do so under the protection of the subsystem > mutex.  Without proper locking, if a userdata item is added or removed concurrently while these functions are iterating, the list can be accessed in an inconsistent state. For example, the list_for_each() loop can reach a node that is being removed from the list by list_del_init() which sets the nodes' .next pointer to point to itself, so the loop will never end (or reach the WARN_ON_ONCE in update_userdata() ).  Fix this by holding the configfs subsystem mutex (su_mutex) during all operations that iterate over cg_children. This includes: - userdatum_value_store() which calls update_userdata() to iterate over   cg_children - All sysdata_*_enabled_store() functions which call   count_extradata_entries() to iterate over cg_children  The su_mutex must be acquired before dynamic_netconsole_mutex to avoid potential lock ordering issues, as configfs operations may already hold su_mutex when calling into our code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40298",
                                "url": "https://ubuntu.com/security/CVE-2025-40298",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: Implement settime64 with -EOPNOTSUPP  ptp_clock_settime() assumes every ptp_clock has implemented settime64(). Stub it with -EOPNOTSUPP to prevent a NULL dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40299",
                                "url": "https://ubuntu.com/security/CVE-2025-40299",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: Implement gettimex64 with -EOPNOTSUPP  gve implemented a ptp_clock for sole use of do_aux_work at this time. ptp_clock_gettime() and ptp_sys_offset() assume every ptp_clock has implemented either gettimex64 or gettime64. Stub gettimex64 and return -EOPNOTSUPP to prevent NULL dereferencing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40301",
                                "url": "https://ubuntu.com/security/CVE-2025-40301",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: validate skb length for unknown CC opcode  In hci_cmd_complete_evt(), if the command complete event has an unknown opcode, we assume the first byte of the remaining skb->data contains the return status. However, parameter data has previously been pulled in hci_event_func(), which may leave the skb empty. If so, using skb->data[0] for the return status uses un-init memory.  The fix is to check skb->len before using skb->data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40358",
                                "url": "https://ubuntu.com/security/CVE-2025-40358",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: stacktrace: Disable KASAN checks for non-current tasks  Unwinding the stack of a task other than current, KASAN would report \"BUG: KASAN: out-of-bounds in walk_stackframe+0x41c/0x460\"  There is a same issue on x86 and has been resolved by the commit 84936118bdf3 (\"x86/unwind: Disable KASAN checks for non-current tasks\") The solution could be applied to RISC-V too.  This patch also can solve the issue: https://seclists.org/oss-sec/2025/q4/23  [pjw@kernel.org: clean up checkpatch issues]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68186",
                                "url": "https://ubuntu.com/security/CVE-2025-68186",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up  The function ring_buffer_map_get_reader() is a bit more strict than the other get reader functions, and except for certain situations the rb_get_reader_page() should not return NULL. If it does, it triggers a warning.  This warning was triggering but after looking at why, it was because another acceptable situation was happening and it wasn't checked for.  If the reader catches up to the writer and there's still data to be read on the reader page, then the rb_get_reader_page() will return NULL as there's no new page to get.  In this situation, the reader page should not be updated and no warning should trigger.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68184",
                                "url": "https://ubuntu.com/security/CVE-2025-68184",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/mediatek: Disable AFBC support on Mediatek DRM driver  Commit c410fa9b07c3 (\"drm/mediatek: Add AFBC support to Mediatek DRM driver\") added AFBC support to Mediatek DRM and enabled the 32x8/split/sparse modifier.  However, this is currently broken on Mediatek MT8188 (Genio 700 EVK platform); tested using upstream Kernel and Mesa (v25.2.1), AFBC is used by default since Mesa v25.0.  Kernel trace reports vblank timeouts constantly, and the render is garbled:  ``` [CRTC:62:crtc-0] vblank wait timed out WARNING: CPU: 7 PID: 70 at drivers/gpu/drm/drm_atomic_helper.c:1835 drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c [...] Hardware name: MediaTek Genio-700 EVK (DT) Workqueue: events_unbound commit_work pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c lr : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c sp : ffff80008337bca0 x29: ffff80008337bcd0 x28: 0000000000000061 x27: 0000000000000000 x26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c9dcc000 x23: 0000000000000001 x22: 0000000000000000 x21: ffff0000c66f2f80 x20: ffff0000c0d7d880 x19: 0000000000000000 x18: 000000000000000a x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000000 x14: 0000000000000000 x13: 74756f2064656d69 x12: 742074696177206b x11: 0000000000000058 x10: 0000000000000018 x9 : ffff800082396a70 x8 : 0000000000057fa8 x7 : 0000000000000cce x6 : ffff8000823eea70 x5 : ffff0001fef5f408 x4 : ffff80017ccee000 x3 : ffff0000c12cb480 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c12cb480 Call trace:  drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c (P)  drm_atomic_helper_commit_tail_rpm+0x64/0x80  commit_tail+0xa4/0x1a4  commit_work+0x14/0x20  process_one_work+0x150/0x290  worker_thread+0x2d0/0x3ec  kthread+0x12c/0x210  ret_from_fork+0x10/0x20 ---[ end trace 
0000000000000000 ]--- ```  Until this gets fixed upstream, disable AFBC support on this platform, as it's currently broken with upstream Mesa.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40302",
                                "url": "https://ubuntu.com/security/CVE-2025-40302",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: videobuf2: forbid remove_bufs when legacy fileio is active  vb2_ioctl_remove_bufs() call manipulates queue internal buffer list, potentially overwriting some pointers used by the legacy fileio access mode. Forbid that ioctl when fileio is active to protect internal queue state between subsequent read/write calls.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40303",
                                "url": "https://ubuntu.com/security/CVE-2025-40303",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: ensure no dirty metadata is written back for an fs with errors  [BUG] During development of a minor feature (make sure all btrfs_bio::end_io() is called in task context), I noticed a crash in generic/388, where metadata writes triggered new works after btrfs_stop_all_workers().  It turns out that it can even happen without any code modification, just using RAID5 for metadata and the same workload from generic/388 is going to trigger the use-after-free.  [CAUSE] If btrfs hits an error, the fs is marked as error, no new transaction is allowed thus metadata is in a frozen state.  But there are some metadata modifications before that error, and they are still in the btree inode page cache.  Since there will be no real transaction commit, all those dirty folios are just kept as is in the page cache, and they can not be invalidated by invalidate_inode_pages2() call inside close_ctree(), because they are dirty.  And finally after btrfs_stop_all_workers(), we call iput() on btree inode, which triggers writeback of those dirty metadata.  And if the fs is using RAID56 metadata, this will trigger RMW and queue new works into rmw_workers, which is already stopped, causing warning from queue_work() and use-after-free.  [FIX] Add a special handling for write_one_eb(), that if the fs is already in an error state, immediately mark the bbio as failure, instead of really submitting them.  Then during close_ctree(), iput() will just discard all those dirty tree blocks without really writing them back, thus no more new jobs for already stopped-and-freed workqueues.  The extra discard in write_one_eb() also acts as an extra safenet. E.g. the transaction abort is triggered by some extent/free space tree corruptions, and since extent/free space tree is already corrupted some tree blocks may be allocated where they shouldn't be (overwriting existing tree blocks). 
In that case writing them back will further corrupt the fs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40362",
                                "url": "https://ubuntu.com/security/CVE-2025-40362",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ceph: fix multifs mds auth caps issue  The mds auth caps check should also validate the fsname along with the associated caps. Not doing so would result in applying the mds auth caps of one fs on to the other fs in a multifs ceph cluster. The bug causes multiple issues w.r.t user authentication, following is one such example.  Steps to Reproduce (on vstart cluster): 1. Create two file systems in a cluster, say 'fsname1' and 'fsname2' 2. Authorize read only permission to the user 'client.usr' on fs 'fsname1'     $ceph fs authorize fsname1 client.usr / r 3. Authorize read and write permission to the same user 'client.usr' on fs 'fsname2'     $ceph fs authorize fsname2 client.usr / rw 4. Update the keyring     $ceph auth get client.usr >> ./keyring  With above permssions for the user 'client.usr', following is the expectation.   a. The 'client.usr' should be able to only read the contents      and not allowed to create or delete files on file system 'fsname1'.   b. The 'client.usr' should be able to read/write on file system 'fsname2'.  But, with this bug, the 'client.usr' is allowed to read/write on file system 'fsname1'. See below.  5. Mount the file system 'fsname1' with the user 'client.usr'      $sudo bin/mount.ceph usr@.fsname1=/ /kmnt_fsname1_usr/ 6. Try creating a file on file system 'fsname1' with user 'client.usr'. This    should fail but passes with this bug.      $touch /kmnt_fsname1_usr/file1 7. Mount the file system 'fsname1' with the user 'client.admin' and create a    file.      $sudo bin/mount.ceph admin@.fsname1=/ /kmnt_fsname1_admin      $echo \"data\" > /kmnt_fsname1_admin/admin_file1 8. Try removing an existing file on file system 'fsname1' with the user    'client.usr'. This shoudn't succeed but succeeds with the bug.      
$rm -f /kmnt_fsname1_usr/admin_file1  For more information, please take a look at the corresponding mds/fuse patch and tests added by looking into the tracker mentioned below.  v2: Fix a possible null dereference in doutc v3: Don't store fsname from mdsmap, validate against     ceph_mount_options's fsname and use it v4: Code refactor, better warning message and     fix possible compiler warning  [ Slava.Dubeyko: \"fsname check failed\" -> \"fsname mismatch\" ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40332",
                                "url": "https://ubuntu.com/security/CVE-2025-40332",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Fix mmap write lock not release  If mmap write lock is taken while draining retry fault, mmap write lock is not released because svm_range_restore_pages calls mmap_read_unlock then returns. This causes deadlock and system hangs later because mmap read or write lock cannot be taken.  Downgrade mmap write lock to read lock if draining retry fault fix this bug.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40304",
                                "url": "https://ubuntu.com/security/CVE-2025-40304",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds  Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen edges. Return early if the Y position is off-screen and clip image height to screen boundary. Break from the rendering loop if the X position is off-screen. When clipping image width to fit the screen, update the character count to match the clipped width to prevent buffer size mismatches.  Without the character count update, bit_putcs_aligned and bit_putcs_unaligned receive mismatched parameters where the buffer is allocated for the clipped width but cnt reflects the original larger count, causing out-of-bounds writes.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40305",
                                "url": "https://ubuntu.com/security/CVE-2025-40305",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN  p9_read_work() doesn't set Rworksched and doesn't do schedule_work(m->rq) if list_empty(&m->req_list).  However, if the pipe is full, we need to read more data and this used to work prior to commit aaec5a95d59615 (\"pipe_read: don't wake up the writer if the pipe is still full\").  p9_read_work() does p9_fd_read() -> ... -> anon_pipe_read() which (before the commit above) triggered the unnecessary wakeup. This wakeup calls p9_pollwake() which kicks p9_poll_workfn() -> p9_poll_mux(), p9_poll_mux() will notice EPOLLIN and schedule_work(&m->rq).  This no longer happens after the optimization above, change p9_fd_request() to use p9_poll_mux() instead of only checking for EPOLLOUT.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68318",
                                "url": "https://ubuntu.com/security/CVE-2025-68318",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL  The AXI crossbar of TH1520 has no proper timeout handling, which means gating AXI clocks can easily lead to bus timeout and thus system hang.  Set all AXI clock gates to CLK_IS_CRITICAL. All these clock gates are ungated by default on system reset.  In addition, convert all current CLK_IGNORE_UNUSED usage to CLK_IS_CRITICAL to prevent unwanted clock gating.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40209",
                                "url": "https://ubuntu.com/security/CVE-2025-40209",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation  When btrfs_add_qgroup_relation() is called with invalid qgroup levels (src >= dst), the function returns -EINVAL directly without freeing the preallocated qgroup_list structure passed by the caller. This causes a memory leak because the caller unconditionally sets the pointer to NULL after the call, preventing any cleanup.  The issue occurs because the level validation check happens before the mutex is acquired and before any error handling path that would free the prealloc pointer. On this early return, the cleanup code at the 'out' label (which includes kfree(prealloc)) is never reached.  In btrfs_ioctl_qgroup_assign(), the code pattern is:      prealloc = kzalloc(sizeof(*prealloc), GFP_KERNEL);     ret = btrfs_add_qgroup_relation(trans, sa->src, sa->dst, prealloc);     prealloc = NULL;  // Always set to NULL regardless of return value     ...     kfree(prealloc);  // This becomes kfree(NULL), does nothing  When the level check fails, 'prealloc' is never freed by either the callee or the caller, resulting in a 64-byte memory leak per failed operation. This can be triggered repeatedly by an unprivileged user with access to a writable btrfs mount, potentially exhausting kernel memory.  Fix this by freeing prealloc before the early return, ensuring prealloc is always freed on all error paths.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-21 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68183",
                                "url": "https://ubuntu.com/security/CVE-2025-68183",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr  Currently when both IMA and EVM are in fix mode, the IMA signature will be reset to IMA hash if a program first stores IMA signature in security.ima and then writes/removes some other security xattr for the file.  For example, on Fedora, after booting the kernel with \"ima_appraise=fix evm=fix ima_policy=appraise_tcb\" and installing rpm-plugin-ima, installing/reinstalling a package will not make good reference IMA signature generated. Instead IMA hash is generated,      # getfattr -m - -d -e hex /usr/bin/bash     # file: usr/bin/bash     security.ima=0x0404...  This happens because when setting security.selinux, the IMA_DIGSIG flag that had been set early was cleared. As a result, IMA hash is generated when the file is closed.  Similarly, IMA signature can be cleared on file close after removing security xattr like security.evm or setting/removing ACL.  Prevent replacing the IMA file signature with a file hash, by preventing the IMA_DIGSIG flag from being reset.  
Here's a minimal C reproducer which sets security.selinux as the last step which can also replaced by removing security.evm or setting ACL,      #include <stdio.h>     #include <sys/xattr.h>     #include <fcntl.h>     #include <unistd.h>     #include <string.h>     #include <stdlib.h>      int main() {         const char* file_path = \"/usr/sbin/test_binary\";         const char* hex_string = \"030204d33204490066306402304\";         int length = strlen(hex_string);         char* ima_attr_value;         int fd;          fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);         if (fd == -1) {             perror(\"Error opening file\");             return 1;         }          ima_attr_value = (char*)malloc(length / 2 );         for (int i = 0, j = 0; i < length; i += 2, j++) {             sscanf(hex_string + i, \"%2hhx\", &ima_attr_value[j]);         }          if (fsetxattr(fd, \"security.ima\", ima_attr_value, length/2, 0) == -1) {             perror(\"Error setting extended attribute\");             close(fd);             return 1;         }          const char* selinux_value= \"system_u:object_r:bin_t:s0\";         if (fsetxattr(fd, \"security.selinux\", selinux_value, strlen(selinux_value), 0) == -1) {             perror(\"Error setting extended attribute\");             close(fd);             return 1;         }          close(fd);          return 0;     }",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68173",
                                "url": "https://ubuntu.com/security/CVE-2025-68173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ftrace: Fix softlockup in ftrace_module_enable  A soft lockup was observed when loading amdgpu module. If a module has a lot of tracable functions, multiple calls to kallsyms_lookup can spend too much time in RCU critical section and with disabled preemption, causing kernel panic. This is the same issue that was fixed in commit d0b24b4e91fc (\"ftrace: Prevent RCU stall on PREEMPT_VOLUNTARY kernels\") and commit 42ea22e754ba (\"ftrace: Add cond_resched() to ftrace_graph_set_hash()\").  Fix it the same way by adding cond_resched() in ftrace_module_enable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40306",
                                "url": "https://ubuntu.com/security/CVE-2025-40306",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  orangefs: fix xattr related buffer overflow...  Willy Tarreau <w@1wt.eu> forwarded me a message from Disclosure <disclosure@aisle.com> with the following warning:  > The helper `xattr_key()` uses the pointer variable in the loop condition > rather than dereferencing it. As `key` is incremented, it remains non-NULL > (until it runs into unmapped memory), so the loop does not terminate on > valid C strings and will walk memory indefinitely, consuming CPU or hanging > the thread.  I easily reproduced this with setfattr and getfattr, causing a kernel oops, hung user processes and corrupted orangefs files. Disclosure sent along a diff (not a patch) with a suggested fix, which I based this patch on.  After xattr_key started working right, xfstest generic/069 exposed an xattr related memory leak that lead to OOM. xattr_key returns a hashed key.  When adding xattrs to the orangefs xattr cache, orangefs used hash_add, a kernel hashing macro. hash_add also hashes the key using hash_log which resulted in additions to the xattr cache going to the wrong hash bucket. generic/069 tortures a single file and orangefs does a getattr for the xattr \"security.capability\" every time. Orangefs negative caches on xattrs which includes a kmalloc. Since adds to the xattr cache were going to the wrong bucket, every getattr for \"security.capability\" resulted in another kmalloc, none of which were ever freed.  I changed the two uses of hash_add to hlist_add_head instead and the memory leak ceased and generic/069 quit throwing furniture.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40307",
                                "url": "https://ubuntu.com/security/CVE-2025-40307",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exfat: validate cluster allocation bits of the allocation bitmap  syzbot created an exfat image with cluster bits not set for the allocation bitmap. exfat-fs reads and uses the allocation bitmap without checking this. The problem is that if the start cluster of the allocation bitmap is 6, cluster 6 can be allocated when creating a directory with mkdir. exfat zeros out this cluster in exfat_mkdir, which can delete existing entries. This can reallocate the allocated entries. In addition, the allocation bitmap is also zeroed out, so cluster 6 can be reallocated. This patch adds exfat_test_bitmap_range to validate that clusters used for the allocation bitmap are correctly marked as in-use.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40308",
                                "url": "https://ubuntu.com/security/CVE-2025-40308",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: bcsp: receive data only if registered  Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace:      KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]     RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590     Call Trace:      <TASK>      hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627      tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290      tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706      vfs_ioctl fs/ioctl.c:51 [inline]      __do_sys_ioctl fs/ioctl.c:907 [inline]      __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893      do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]      do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94      entry_SYSCALL_64_after_hwframe+0x77/0x7f  To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40309",
                                "url": "https://ubuntu.com/security/CVE-2025-40309",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: SCO: Fix UAF on sco_conn_free  BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline] BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline] BUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 Write of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352  CPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted 6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci13 hci_cmd_sync_work Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0x191/0x550 mm/kasan/report.c:482  kasan_report+0xc4/0x100 mm/kasan/report.c:595  sco_conn_free net/bluetooth/sco.c:87 [inline]  kref_put include/linux/kref.h:65 [inline]  sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107  sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441  hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]  hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313  hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121  hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147  hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689  hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332  process_one_work kernel/workqueue.c:3236 [inline]  process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319  worker_thread+0xbee/0x1200 kernel/workqueue.c:3400  kthread+0x3c7/0x870 kernel/kthread.c:463  ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 31370:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x70 mm/kasan/common.c:68  poison_kmalloc_redzone 
mm/kasan/common.c:388 [inline]  __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405  kasan_kmalloc include/linux/kasan.h:260 [inline]  __do_kmalloc_node mm/slub.c:4382 [inline]  __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394  kmalloc_noprof include/linux/slab.h:909 [inline]  sk_prot_alloc+0xae/0x220 net/core/sock.c:2239  sk_alloc+0x34/0x5a0 net/core/sock.c:2295  bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151  sco_sock_alloc net/bluetooth/sco.c:562 [inline]  sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593  bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135  __sock_create+0x3ad/0x780 net/socket.c:1589  sock_create net/socket.c:1647 [inline]  __sys_socket_create net/socket.c:1684 [inline]  __sys_socket+0xd5/0x330 net/socket.c:1731  __do_sys_socket net/socket.c:1745 [inline]  __se_sys_socket net/socket.c:1743 [inline]  __x64_sys_socket+0x7a/0x90 net/socket.c:1743  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 31374:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x70 mm/kasan/common.c:68  kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576  poison_slab_object mm/kasan/common.c:243 [inline]  __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275  kasan_slab_free include/linux/kasan.h:233 [inline]  slab_free_hook mm/slub.c:2428 [inline]  slab_free mm/slub.c:4701 [inline]  kfree+0x199/0x3b0 mm/slub.c:4900  sk_prot_free net/core/sock.c:2278 [inline]  __sk_destruct+0x4aa/0x630 net/core/sock.c:2373  sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333  __sock_release net/socket.c:649 [inline]  sock_close+0xb8/0x230 net/socket.c:1439  __fput+0x3d1/0x9e0 fs/file_table.c:468  task_work_run+0x206/0x2a0 kernel/task_work.c:227  get_signal+0x1201/0x1410 kernel/signal.c:2807  arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337  exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40  exit_to_user_mode_prepare 
include/linux/irq-entry-common.h:225 [inline]  s ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68174",
                                "url": "https://ubuntu.com/security/CVE-2025-68174",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  amd/amdkfd: enhance kfd process check in switch partition  current switch partition only check if kfd_processes_table is empty. kfd_prcesses_table entry is deleted in kfd_process_notifier_release, but kfd_process tear down is in kfd_process_wq_release.  consider two processes:  Process A (workqueue) -> kfd_process_wq_release -> Access kfd_node member Process B switch partition -> amdgpu_xcp_pre_partition_switch -> amdgpu_amdkfd_device_fini_sw -> kfd_node tear down.  Process A and B may trigger a race as shown in dmesg log.  This patch is to resolve the race by adding an atomic kfd_process counter kfd_processes_count, it increment as create kfd process, decrement as finish kfd_process_wq_release.  v2: Put kfd_processes_count per kfd_dev, move decrement to kfd_process_destroy_pdds and bug fix. (Philip Yang)  [3966658.307702] divide error: 0000 [#1] SMP NOPTI [3966658.350818]  i10nm_edac [3966658.356318] CPU: 124 PID: 38435 Comm: kworker/124:0 Kdump: loaded Tainted [3966658.356890] Workqueue: kfd_process_wq kfd_process_wq_release [amdgpu] [3966658.362839]  nfit [3966658.366457] RIP: 0010:kfd_get_num_sdma_engines+0x17/0x40 [amdgpu] [3966658.366460] Code: 00 00 e9 ac 81 02 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 0f 1f 44 00 00 48 8b 4f 08 48 8b b7 00 01 00 00 8b 81 58 26 03 00 99 <f7> be b8 01 00 00 80 b9 70 2e 00 00 00 74 0b 83 f8 02 ba 02 00 00 [3966658.380967]  x86_pkg_temp_thermal [3966658.391529] RSP: 0018:ffffc900a0edfdd8 EFLAGS: 00010246 [3966658.391531] RAX: 0000000000000008 RBX: ffff8974e593b800 RCX: ffff888645900000 [3966658.391531] RDX: 0000000000000000 RSI: ffff888129154400 RDI: ffff888129151c00 [3966658.391532] RBP: ffff8883ad79d400 R08: 0000000000000000 R09: ffff8890d2750af4 [3966658.391532] R10: 0000000000000018 R11: 0000000000000018 R12: 0000000000000000 [3966658.391533] R13: ffff8883ad79d400 R14: ffffe87ff662ba00 R15: ffff8974e593b800 
[3966658.391533] FS:  0000000000000000(0000) GS:ffff88fe7f600000(0000) knlGS:0000000000000000 [3966658.391534] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [3966658.391534] CR2: 0000000000d71000 CR3: 000000dd0e970004 CR4: 0000000002770ee0 [3966658.391535] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [3966658.391535] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [3966658.391536] PKRU: 55555554 [3966658.391536] Call Trace: [3966658.391674]  deallocate_sdma_queue+0x38/0xa0 [amdgpu] [3966658.391762]  process_termination_cpsch+0x1ed/0x480 [amdgpu] [3966658.399754]  intel_powerclamp [3966658.402831]  kfd_process_dequeue_from_all_devices+0x5b/0xc0 [amdgpu] [3966658.402908]  kfd_process_wq_release+0x1a/0x1a0 [amdgpu] [3966658.410516]  coretemp [3966658.434016]  process_one_work+0x1ad/0x380 [3966658.434021]  worker_thread+0x49/0x310 [3966658.438963]  kvm_intel [3966658.446041]  ? process_one_work+0x380/0x380 [3966658.446045]  kthread+0x118/0x140 [3966658.446047]  ? 
__kthread_bind_mask+0x60/0x60 [3966658.446050]  ret_from_fork+0x1f/0x30 [3966658.446053] Modules linked in: kpatch_20765354(OEK) [3966658.455310]  kvm [3966658.464534]  mptcp_diag xsk_diag raw_diag unix_diag af_packet_diag netlink_diag udp_diag act_pedit act_mirred act_vlan cls_flower kpatch_21951273(OEK) kpatch_18424469(OEK) kpatch_19749756(OEK) [3966658.473462]  idxd_mdev [3966658.482306]  kpatch_17971294(OEK) sch_ingress xt_conntrack amdgpu(OE) amdxcp(OE) amddrm_buddy(OE) amd_sched(OE) amdttm(OE) amdkcl(OE) intel_ifs iptable_mangle tcm_loop target_core_pscsi tcp_diag target_core_file inet_diag target_core_iblock target_core_user target_core_mod coldpgs kpatch_18383292(OEK) ip6table_nat ip6table_filter ip6_tables ip_set_hash_ipportip ip_set_hash_ipportnet ip_set_hash_ipport ip_set_bitmap_port xt_comment iptable_nat nf_nat iptable_filter ip_tables ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 sn_core_odd(OE) i40e overlay binfmt_misc tun bonding(OE) aisqos(OE) aisqo ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40310",
                                "url": "https://ubuntu.com/security/CVE-2025-40310",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw  There is race in amdgpu_amdkfd_device_fini_sw and interrupt. if amdgpu_amdkfd_device_fini_sw run in b/w kfd_cleanup_nodes and   kfree(kfd), and KGD interrupt generated.  kernel panic log:  BUG: kernel NULL pointer dereference, address: 0000000000000098 amdgpu 0000:c8:00.0: amdgpu: Requesting 4 partitions through PSP  PGD d78c68067 P4D d78c68067  kfd kfd: amdgpu: Allocated 3969056 bytes on gart  PUD 1465b8067 PMD @  Oops: @002 [#1] SMP NOPTI  kfd kfd: amdgpu: Total number of KFD nodes to be created: 4 CPU: 115 PID: @ Comm: swapper/115 Kdump: loaded Tainted: G S W OE K  RIP: 0010:_raw_spin_lock_irqsave+0x12/0x40  Code: 89 e@ 41 5c c3 cc cc cc cc 66 66 2e Of 1f 84 00 00 00 00 00 OF 1f 40 00 Of 1f 44% 00 00 41 54 9c 41 5c fa 31 cO ba 01 00 00 00 <fO> OF b1 17 75 Ba 4c 89 e@ 41 Sc  89 c6 e8 07 38 5d  RSP: 0018: ffffc90@1a6b0e28 EFLAGS: 00010046  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000018 0000000000000001 RSI: ffff8883bb623e00 RDI: 0000000000000098 ffff8883bb000000 RO8: ffff888100055020 ROO: ffff888100055020 0000000000000000 R11: 0000000000000000 R12: 0900000000000002 ffff888F2b97da0@ R14: @000000000000098 R15: ffff8883babdfo00  CS: 010 DS: 0000 ES: 0000 CRO: 0000000080050033  CR2: 0000000000000098 CR3: 0000000e7cae2006 CR4: 0000000002770ce0 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 0000000000000000 DR6: 00000000fffeO7FO DR7: 0000000000000400  PKRU: 55555554  Call Trace:  <IRQ>  kgd2kfd_interrupt+@x6b/0x1f@ [amdgpu]  ? 
amdgpu_fence_process+0xa4/0x150 [amdgpu]  kfd kfd: amdgpu: Node: 0, interrupt_bitmap: 3 YcpxFl Rant tErace  amdgpu_irq_dispatch+0x165/0x210 [amdgpu]  amdgpu_ih_process+0x80/0x100 [amdgpu]  amdgpu: Virtual CRAT table created for GPU  amdgpu_irq_handler+0x1f/@x60 [amdgpu]  __handle_irq_event_percpu+0x3d/0x170  amdgpu: Topology: Add dGPU node [0x74a2:0x1002]  handle_irq_event+0x5a/@xcO  handle_edge_irq+0x93/0x240  kfd kfd: amdgpu: KFD node 1 partition @ size 49148M  asm_call_irq_on_stack+0xf/@x20  </IRQ>  common_interrupt+0xb3/0x130  asm_common_interrupt+0x1le/0x40  5.10.134-010.a1i5000.a18.x86_64 #1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40361",
                                "url": "https://ubuntu.com/security/CVE-2025-40361",
                                "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40311",
                                "url": "https://ubuntu.com/security/CVE-2025-40311",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/habanalabs: support mapping cb with vmalloc-backed coherent memory  When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return addresses from the vmalloc range. If such an address is mapped without VM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the VM_PFNMAP restriction.  Fix this by checking for vmalloc addresses and setting VM_MIXEDMAP in the VMA before mapping. This ensures safe mapping and avoids kernel crashes. The memory is still driver-allocated and cannot be accessed directly by userspace.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68185",
                                "url": "https://ubuntu.com/security/CVE-2025-68185",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing  Theoretically it's an oopsable race, but I don't believe one can manage to hit it on real hardware; might become doable on a KVM, but it still won't be easy to attack.  Anyway, it's easy to deal with - since xdr_encode_hyper() is just a call of put_unaligned_be64(), we can put that under ->d_lock and be done with that.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68176",
                                "url": "https://ubuntu.com/security/CVE-2025-68176",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: cadence: Check for the existence of cdns_pcie::ops before using it  cdns_pcie::ops might not be populated by all the Cadence glue drivers. This is going to be true for the upcoming Sophgo platform which doesn't set the ops.  Hence, add a check to prevent NULL pointer dereference.  [mani: reworded subject and description]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68190",
                                "url": "https://ubuntu.com/security/CVE-2025-68190",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()  kcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws remains NULL while ectx.ws_size is set, leading to a potential NULL pointer dereference in atom_get_src_int() when accessing WS entries.  Return -ENOMEM on allocation failure to avoid the NULL dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68168",
                                "url": "https://ubuntu.com/security/CVE-2025-68168",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  jfs: fix uninitialized waitqueue in transaction manager  The transaction manager initialization in txInit() was not properly initializing TxBlock[0].waitor waitqueue, causing a crash when txEnd(0) is called on read-only filesystems.  When a filesystem is mounted read-only, txBegin() returns tid=0 to indicate no transaction. However, txEnd(0) still gets called and tries to access TxBlock[0].waitor via tid_to_tblock(0), but this waitqueue was never initialized because the initialization loop started at index 1 instead of 0.  This causes a 'non-static key' lockdep warning and system crash:   INFO: trying to register non-static key in txEnd  Fix by ensuring all transaction blocks including TxBlock[0] have their waitqueues properly initialized during txInit().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40312",
                                "url": "https://ubuntu.com/security/CVE-2025-40312",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  jfs: Verify inode mode when loading from disk  The inode mode loaded from corrupted disk can be invalid. Do like what commit 0a9e74051313 (\"isofs: Verify inode mode when loading from disk\") does.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40333",
                                "url": "https://ubuntu.com/security/CVE-2025-40333",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix infinite loop in __insert_extent_tree()  When we get wrong extent info data, and look up extent_node in rb tree, it will cause infinite loop (CONFIG_F2FS_CHECK_FS=n). Avoiding this by return NULL and print some kernel messages in that case.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68321",
                                "url": "https://ubuntu.com/security/CVE-2025-68321",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  page_pool: always add GFP_NOWARN for ATOMIC allocations  Driver authors often forget to add GFP_NOWARN for page allocation from the datapath. This is annoying to users as OOMs are a fact of life, and we pretty much expect network Rx to hit page allocation failures during OOM. Make page pool add GFP_NOWARN for ATOMIC allocations by default.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40334",
                                "url": "https://ubuntu.com/security/CVE-2025-40334",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: validate userq buffer virtual address and size  It needs to validate the userq object virtual address to determine whether it is residented in a valid vm mapping.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68191",
                                "url": "https://ubuntu.com/security/CVE-2025-68191",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  udp_tunnel: use netdev_warn() instead of netdev_WARN()  netdev_WARN() uses WARN/WARN_ON to print a backtrace along with file and line information. In this case, udp_tunnel_nic_register() returning an error is just a failed operation, not a kernel bug.  udp_tunnel_nic_register() can fail due to a memory allocation failure (kzalloc() or udp_tunnel_nic_alloc()). This is a normal runtime error and not a kernel bug.  Replace netdev_WARN() with netdev_warn() accordingly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68309",
                                "url": "https://ubuntu.com/security/CVE-2025-68309",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI/AER: Fix NULL pointer access by aer_info  The kzalloc(GFP_KERNEL) may return NULL, so all accesses to aer_info->xxx will result in kernel panic. Fix it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40313",
                                "url": "https://ubuntu.com/security/CVE-2025-40313",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ntfs3: pretend $Extend records as regular files  Since commit af153bb63a33 (\"vfs: catch invalid modes in may_open()\") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/ S_IFIFO/S_IFSOCK type, use S_IFREG for $Extend records.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40335",
                                "url": "https://ubuntu.com/security/CVE-2025-40335",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: validate userq input args  This will help on validating the userq input args, and rejecting for the invalid userq request at the IOCTLs first place.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40314",
                                "url": "https://ubuntu.com/security/CVE-2025-40314",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget  In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget structure (pdev->gadget) was freed before its endpoints. The endpoints are linked via the ep_list in the gadget structure. Freeing the gadget first leaves dangling pointers in the endpoint list. When the endpoints are subsequently freed, this results in a use-after-free.  Fix: By separating the usb_del_gadget_udc() operation into distinct \"del\" and \"put\" steps, cdnsp_gadget_free_endpoints() can be executed prior to the final release of the gadget structure with usb_put_gadget().  A patch similar to bb9c74a5bd14(\"usb: dwc3: gadget: Free gadget structure  only after freeing endpoints\").",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40336",
                                "url": "https://ubuntu.com/security/CVE-2025-40336",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gpusvm: fix hmm_pfn_to_map_order() usage  Handle the case where the hmm range partially covers a huge page (like 2M), otherwise we can potentially end up doing something nasty like mapping memory which is outside the range, and maybe not even mapped by the mm. Fix is based on the xe userptr code, which in a future patch will directly use gpusvm, so needs alignment here.  v2:   - Add kernel-doc (Matt B)   - s/fls/ilog2/ (Thomas)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68193",
                                "url": "https://ubuntu.com/security/CVE-2025-68193",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Add devm release action to safely tear down CT  When a buffer object (BO) is allocated with the XE_BO_FLAG_GGTT_INVALIDATE flag, the driver initiates TLB invalidation requests via the CTB mechanism while releasing the BO. However a premature release of the CTB BO can lead to system crashes, as observed in:  Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:h2g_write+0x2f3/0x7c0 [xe] Call Trace:  guc_ct_send_locked+0x8b/0x670 [xe]  xe_guc_ct_send_locked+0x19/0x60 [xe]  send_tlb_invalidation+0xb4/0x460 [xe]  xe_gt_tlb_invalidation_ggtt+0x15e/0x2e0 [xe]  ggtt_invalidate_gt_tlb.part.0+0x16/0x90 [xe]  ggtt_node_remove+0x110/0x140 [xe]  xe_ggtt_node_remove+0x40/0xa0 [xe]  xe_ggtt_remove_bo+0x87/0x250 [xe]  Introduce a devm-managed release action during xe_guc_ct_init() and xe_guc_ct_init_post_hwconfig() to ensure proper CTB disablement before resource deallocation, preventing the use-after-free scenario.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68175",
                                "url": "https://ubuntu.com/security/CVE-2025-68175",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: nxp: imx8-isi: Fix streaming cleanup on release  The current implementation unconditionally calls mxc_isi_video_cleanup_streaming() in mxc_isi_video_release(). This can lead to situations where any release call (like from a simple \"v4l2-ctl -l\") may release a currently streaming queue when called on such a device.  This is reproducible on an i.MX8MP board by streaming from an ISI capture device using gstreamer:  \tgst-launch-1.0 -v v4l2src device=/dev/videoX ! \\ \t    video/x-raw,format=GRAY8,width=1280,height=800,framerate=1/120 ! \\ \t    fakesink  While this stream is running, querying the caps of the same device provokes the error state:  \tv4l2-ctl -l -d /dev/videoX  This results in the following trace:  [  155.452152] ------------[ cut here ]------------ [  155.452163] WARNING: CPU: 0 PID: 1708 at drivers/media/platform/nxp/imx8-isi/imx8-isi-pipe.c:713 mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [  157.004248] Modules linked in: cfg80211 rpmsg_ctrl rpmsg_char rpmsg_tty virtio_rpmsg_bus rpmsg_ns rpmsg_core rfkill nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables mcp251x6 [  157.053499] CPU: 0 UID: 0 PID: 1708 Comm: python3 Not tainted 6.15.4-00114-g1f61ca5cad76 #1 PREEMPT [  157.064369] Hardware name: imx8mp_board_01 (DT) [  157.068205] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [  157.075169] pc : mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [  157.081195] lr : mxc_isi_pipe_irq_handler+0x38/0x1b0 [imx8_isi] [  157.087126] sp : ffff800080003ee0 [  157.090438] x29: ffff800080003ee0 x28: ffff0000c3688000 x27: 0000000000000000 [  157.097580] x26: 0000000000000000 x25: ffff0000c1e7ac00 x24: ffff800081b5ad50 [  157.104723] x23: 00000000000000d1 x22: 0000000000000000 x21: ffff0000c25e4000 [  157.111866] x20: 0000000060000200 x19: ffff80007a0608d0 x18: 0000000000000000 [  157.119008] x17: 
ffff80006a4e3000 x16: ffff800080000000 x15: 0000000000000000 [  157.126146] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [  157.133287] x11: 0000000000000040 x10: ffff0000c01445f0 x9 : ffff80007a053a38 [  157.140425] x8 : ffff0000c04004b8 x7 : 0000000000000000 x6 : 0000000000000000 [  157.147567] x5 : ffff0000c0400490 x4 : ffff80006a4e3000 x3 : ffff0000c25e4000 [  157.154706] x2 : 0000000000000000 x1 : ffff8000825c0014 x0 : 0000000060000200 [  157.161850] Call trace: [  157.164296]  mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] (P) [  157.170319]  __handle_irq_event_percpu+0x58/0x218 [  157.175029]  handle_irq_event+0x54/0xb8 [  157.178867]  handle_fasteoi_irq+0xac/0x248 [  157.182968]  handle_irq_desc+0x48/0x68 [  157.186723]  generic_handle_domain_irq+0x24/0x38 [  157.191346]  gic_handle_irq+0x54/0x120 [  157.195098]  call_on_irq_stack+0x24/0x30 [  157.199027]  do_interrupt_handler+0x88/0x98 [  157.203212]  el0_interrupt+0x44/0xc0 [  157.206792]  __el0_irq_handler_common+0x18/0x28 [  157.211328]  el0t_64_irq_handler+0x10/0x20 [  157.215429]  el0t_64_irq+0x198/0x1a0 [  157.219009] ---[ end trace 0000000000000000 ]---  Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the vb2_ioctl_streamon() and vb2_ioctl_streamoff() helpers, and removal of the manual cleanup from mxc_isi_video_release().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68188",
                                "url": "https://ubuntu.com/security/CVE-2025-68188",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()  Use RCU to avoid a pair of atomic operations and a potential UAF on dst_dev()->flags.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68315",
                                "url": "https://ubuntu.com/security/CVE-2025-68315",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix to detect potential corrupted nid in free_nid_list  As reported, on-disk footer.ino and footer.nid is the same and out-of-range, let's add sanity check on f2fs_alloc_nid() to detect any potential corruption in free_nid_list.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40337",
                                "url": "https://ubuntu.com/security/CVE-2025-40337",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Correctly handle Rx checksum offload errors  The stmmac_rx function would previously set skb->ip_summed to CHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabled and the packet was of a known IP ethertype.  However, this logic failed to check if the hardware had actually reported a checksum error. The hardware status, indicating a header or payload checksum failure, was being ignored at this stage. This could cause corrupt packets to be passed up the network stack as valid.  This patch corrects the logic by checking the `csum_none` status flag, which is set when the hardware reports a checksum error. If this flag is set, skb->ip_summed is now correctly set to CHECKSUM_NONE, ensuring the kernel's network stack will perform its own validation and properly handle the corrupt packet.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40338",
                                "url": "https://ubuntu.com/security/CVE-2025-40338",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Do not share the name pointer between components  By sharing 'name' directly, tearing down components may lead to use-after-free errors. Duplicate the name to avoid that.  At the same time, update the order of operations - since commit cee28113db17 (\"ASoC: dmaengine_pcm: Allow passing component name via config\") the framework does not override component->name if set before invoking the initializer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40339",
                                "url": "https://ubuntu.com/security/CVE-2025-40339",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: fix nullptr err of vm_handle_moved  If a amdgpu_bo_va is fpriv->prt_va, the bo of this one is always NULL. So, such kind of amdgpu_bo_va should be updated separately before amdgpu_vm_handle_moved.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68194",
                                "url": "https://ubuntu.com/security/CVE-2025-68194",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: imon: make send_packet() more robust  syzbot is reporting that imon has three problems which result in hung tasks due to forever holding device lock [1].  First problem is that when usb_rx_callback_intf0() once got -EPROTO error after ictx->dev_present_intf0 became true, usb_rx_callback_intf0() resubmits urb after printk(), and resubmitted urb causes usb_rx_callback_intf0() to again get -EPROTO error. This results in printk() flooding (RCU stalls).  Alan Stern commented [2] that    In theory it's okay to resubmit _if_ the driver has a robust   error-recovery scheme (such as giving up after some fixed limit on the   number of errors or after some fixed time has elapsed, perhaps with a   time delay to prevent a flood of errors).  Most drivers don't bother to   do this; they simply give up right away.  This makes them more   vulnerable to short-term noise interference during USB transfers, but in   reality such interference is quite rare.  There's nothing really wrong   with giving up right away.  but imon has a poor error-recovery scheme which just retries forever; this behavior should be fixed.  Since I'm not sure whether it is safe for imon users to give up upon any error code, this patch takes care of only union of error codes chosen from modules in drivers/media/rc/ directory which handle -EPROTO error (i.e. ir_toy, mceusb and igorplugusb).  Second problem is that when usb_rx_callback_intf0() once got -EPROTO error before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0() always resubmits urb due to commit 8791d63af0cf (\"[media] imon: don't wedge hardware after early callbacks\"). 
Move the ictx->dev_present_intf0 test introduced by commit 6f6b90c9231a (\"[media] imon: don't parse scancodes until intf configured\") to immediately before imon_incoming_packet(), or the first problem explained above happens without printk() flooding (i.e. hung task).  Third problem is that when usb_rx_callback_intf0() is not called for some reason (e.g. flaky hardware; the reproducer for this problem sometimes prevents usb_rx_callback_intf0() from being called), wait_for_completion_interruptible() in send_packet() never returns (i.e. hung task). As a workaround for such situation, change send_packet() to wait for completion with timeout of 10 seconds.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40363",
                                "url": "https://ubuntu.com/security/CVE-2025-40363",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: ipv6: fix field-spanning memcpy warning in AH output  Fix field-spanning memcpy warnings in ah6_output() and ah6_output_done() where extension headers are copied to/from IPv6 address fields, triggering fortify-string warnings about writes beyond the 16-byte address fields.    memcpy: detected field-spanning write (size 40) of single field \"&top_iph->saddr\" at net/ipv6/ah6.c:439 (size 16)   WARNING: CPU: 0 PID: 8838 at net/ipv6/ah6.c:439 ah6_output+0xe7e/0x14e0 net/ipv6/ah6.c:439  The warnings are false positives as the extension headers are intentionally placed after the IPv6 header in memory. Fix by properly copying addresses and extension headers separately, and introduce helper functions to avoid code duplication.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68311",
                                "url": "https://ubuntu.com/security/CVE-2025-68311",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: serial: ip22zilog: Use platform device for probing  After commit 84a9582fd203 (\"serial: core: Start managing serial controllers to enable runtime PM\") serial drivers need to provide a device in struct uart_port.dev otherwise an oops happens. To fix this issue for ip22zilog driver switch driver to a platform driver and setup the serial device in sgi-ip22 code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40340",
                                "url": "https://ubuntu.com/security/CVE-2025-40340",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.  I saw an oops in xe_gem_fault when running the xe-fast-feedback testlist against the realtime kernel without debug options enabled.  The panic happens after core_hotunplug unbind-rebind finishes. Presumably what happens is that a process mmaps, unlocks because of the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left, causing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since there was nothing left to populate, and then oopses in \"mem_type_is_vram(tbo->resource->mem_type)\" because tbo->resource is NULL.  It's convoluted, but fits the data and explains the oops after the test exits.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68196",
                                "url": "https://ubuntu.com/security/CVE-2025-68196",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Cache streams targeting link when performing LT automation  [WHY] Last LT automation update can cause crash by referencing current_state and calling into dc_update_planes_and_stream which may clobber current_state.  [HOW] Cache relevant stream pointers and iterate through them instead of relying on the current_state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68178",
                                "url": "https://ubuntu.com/security/CVE-2025-68178",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  blk-cgroup: fix possible deadlock while configuring policy  Following deadlock can be triggered easily by lockdep:  WARNING: possible circular locking dependency detected 6.17.0-rc3-00124-ga12c2658ced0 #1665 Not tainted ------------------------------------------------------ check/1334 is trying to acquire lock: ff1100011d9d0678 (&q->sysfs_lock){+.+.}-{4:4}, at: blk_unregister_queue+0x53/0x180  but task is already holding lock: ff1100011d9d00e0 (&q->q_usage_counter(queue)#3){++++}-{0:0}, at: del_gendisk+0xba/0x110  which lock already depends on the new lock.  the existing dependency chain (in reverse order) is:  -> #2 (&q->q_usage_counter(queue)#3){++++}-{0:0}:        blk_queue_enter+0x40b/0x470        blkg_conf_prep+0x7b/0x3c0        tg_set_limit+0x10a/0x3e0        cgroup_file_write+0xc6/0x420        kernfs_fop_write_iter+0x189/0x280        vfs_write+0x256/0x490        ksys_write+0x83/0x190        __x64_sys_write+0x21/0x30        x64_sys_call+0x4608/0x4630        do_syscall_64+0xdb/0x6b0        entry_SYSCALL_64_after_hwframe+0x76/0x7e  -> #1 (&q->rq_qos_mutex){+.+.}-{4:4}:        __mutex_lock+0xd8/0xf50        mutex_lock_nested+0x2b/0x40        wbt_init+0x17e/0x280        wbt_enable_default+0xe9/0x140        blk_register_queue+0x1da/0x2e0        __add_disk+0x38c/0x5d0        add_disk_fwnode+0x89/0x250        device_add_disk+0x18/0x30        virtblk_probe+0x13a3/0x1800        virtio_dev_probe+0x389/0x610        really_probe+0x136/0x620        __driver_probe_device+0xb3/0x230        driver_probe_device+0x2f/0xe0        __driver_attach+0x158/0x250        bus_for_each_dev+0xa9/0x130        driver_attach+0x26/0x40        bus_add_driver+0x178/0x3d0        driver_register+0x7d/0x1c0        __register_virtio_driver+0x2c/0x60        virtio_blk_init+0x6f/0xe0        do_one_initcall+0x94/0x540        kernel_init_freeable+0x56a/0x7b0        
kernel_init+0x2b/0x270        ret_from_fork+0x268/0x4c0        ret_from_fork_asm+0x1a/0x30  -> #0 (&q->sysfs_lock){+.+.}-{4:4}:        __lock_acquire+0x1835/0x2940        lock_acquire+0xf9/0x450        __mutex_lock+0xd8/0xf50        mutex_lock_nested+0x2b/0x40        blk_unregister_queue+0x53/0x180        __del_gendisk+0x226/0x690        del_gendisk+0xba/0x110        sd_remove+0x49/0xb0 [sd_mod]        device_remove+0x87/0xb0        device_release_driver_internal+0x11e/0x230        device_release_driver+0x1a/0x30        bus_remove_device+0x14d/0x220        device_del+0x1e1/0x5a0        __scsi_remove_device+0x1ff/0x2f0        scsi_remove_device+0x37/0x60        sdev_store_delete+0x77/0x100        dev_attr_store+0x1f/0x40        sysfs_kf_write+0x65/0x90        kernfs_fop_write_iter+0x189/0x280        vfs_write+0x256/0x490        ksys_write+0x83/0x190        __x64_sys_write+0x21/0x30        x64_sys_call+0x4608/0x4630        do_syscall_64+0xdb/0x6b0        entry_SYSCALL_64_after_hwframe+0x76/0x7e  other info that might help us debug this:  Chain exists of:   &q->sysfs_lock --> &q->rq_qos_mutex --> &q->q_usage_counter(queue)#3   Possible unsafe locking scenario:         CPU0                    CPU1        ----                    ----   lock(&q->q_usage_counter(queue)#3);                                lock(&q->rq_qos_mutex);                                lock(&q->q_usage_counter(queue)#3);   lock(&q->sysfs_lock);  Root cause is that queue_usage_counter is grabbed with rq_qos_mutex held in blkg_conf_prep(), while queue should be freezed before rq_qos_mutex from other context.  The blk_queue_enter() from blkg_conf_prep() is used to protect against policy deactivation, which is already protected with blkcg_mutex, hence convert blk_queue_enter() to blkcg_mutex to fix this problem. Meanwhile, consider that blkcg_mutex is held after queue is freezed from policy deactivation, also convert blkg_alloc() to use GFP_NOIO.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40341",
                                "url": "https://ubuntu.com/security/CVE-2025-40341",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  futex: Don't leak robust_list pointer on exec race  sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access() to check if the calling task is allowed to access another task's robust_list pointer. This check is racy against a concurrent exec() in the target process.  During exec(), a task may transition from a non-privileged binary to a privileged one (e.g., setuid binary) and its credentials/memory mappings may change. If get_robust_list() performs ptrace_may_access() before this transition, it may erroneously allow access to sensitive information after the target becomes privileged.  A racy access allows an attacker to exploit a window during which ptrace_may_access() passes before a target process transitions to a privileged state via exec().  For example, consider a non-privileged task T that is about to execute a setuid-root binary. An attacker task A calls get_robust_list(T) while T is still unprivileged. Since ptrace_may_access() checks permissions based on current credentials, it succeeds. However, if T begins exec immediately afterwards, it becomes privileged and may change its memory mappings. Because get_robust_list() proceeds to access T->robust_list without synchronizing with exec() it may read user-space pointers from a now-privileged process.  This violates the intended post-exec access restrictions and could expose sensitive memory addresses or be used as a primitive in a larger exploit chain. Consequently, the race can lead to unauthorized disclosure of information across privilege boundaries and poses a potential security risk.  Take a read lock on signal->exec_update_lock prior to invoking ptrace_may_access() and accessing the robust_list/compat_robust_list. This ensures that the target task's exec state remains stable during the check, allowing for consistent and synchronized validation of credentials.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40342",
                                "url": "https://ubuntu.com/security/CVE-2025-40342",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvme-fc: use lock accessing port_state and rport state  nvme_fc_unregister_remote removes the remote port on a lport object at any point in time when there is no active association. This races with the reconnect logic, because nvme_fc_create_association is not taking a lock to check the port_state and atomically increase the active count on the rport.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40343",
                                "url": "https://ubuntu.com/security/CVE-2025-40343",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-fc: avoid scheduling association deletion twice  When forcefully shutting down a port via the configfs interface, nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and then nvmet_disable_port(). Both functions will eventually schedule all remaining associations for deletion.  The current implementation checks whether an association is about to be removed, but only after the work item has already been scheduled. As a result, it is possible for the first scheduled work item to free all resources, and then for the same work item to be scheduled again for deletion.  Because the association list is an RCU list, it is not possible to take a lock and remove the list entry directly, so it cannot be looked up again. Instead, a flag (terminating) must be used to determine whether the association is already in the process of being deleted.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68177",
                                "url": "https://ubuntu.com/security/CVE-2025-68177",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq/longhaul: handle NULL policy in longhaul_exit  longhaul_exit() was calling cpufreq_cpu_get(0) without checking for a NULL policy pointer. On some systems, this could lead to a NULL dereference and a kernel warning or panic.  This patch adds a check using unlikely() and returns early if the policy is NULL.  Bugzilla: #219962",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68317",
                                "url": "https://ubuntu.com/security/CVE-2025-68317",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/zctx: check chained notif contexts  Send zc only links ubuf_info for requests coming from the same context. There are some ambiguous syz reports, so let's check the assumption on notification completion.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40315",
                                "url": "https://ubuntu.com/security/CVE-2025-40315",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_fs: Fix epfile null pointer access after ep enable.  A race condition occurs when ffs_func_eps_enable() runs concurrently with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading to a NULL pointer dereference when accessing epfile->ep in ffs_func_eps_enable() after successful usb_ep_enable().  The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and ffs_data_close() functions, and its modification is protected by the spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function is also protected by ffs->eps_lock.  Thus, add NULL pointer handling for ffs->epfiles in the ffs_func_eps_enable() function to fix issues",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40316",
                                "url": "https://ubuntu.com/security/CVE-2025-40316",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/mediatek: Fix device use-after-free on unbind  A recent change fixed device reference leaks when looking up drm platform device driver data during bind() but failed to remove a partial fix which had been added by commit 80805b62ea5b (\"drm/mediatek: Fix kobject put for component sub-drivers\").  This results in a reference imbalance on component bind() failures and on unbind() which could lead to a use-after-free.  Make sure to only drop the references after retrieving the driver data by effectively reverting the previous partial fix.  Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40360",
                                "url": "https://ubuntu.com/security/CVE-2025-40360",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sysfb: Do not dereference NULL pointer in plane reset  The plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not deref that pointer, but forward NULL to the other plane-reset helpers. Clears plane->state to NULL.  v2: - fix typo in commit description (Javier)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68179",
                                "url": "https://ubuntu.com/security/CVE-2025-68179",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP  As reported by Luiz Capitulino enabling HVO on s390 leads to reproducible crashes. The problem is that kernel page tables are modified without flushing corresponding TLB entries.  Even if it looks like the empty flush_tlb_all() implementation on s390 is the problem, it is actually a different problem: on s390 it is not allowed to replace an active/valid page table entry with another valid page table entry without the detour over an invalid entry. A direct replacement may lead to random crashes and/or data corruption.  In order to invalidate an entry special instructions have to be used (e.g. ipte or idte). Alternatively there are also special instructions available which allow to replace a valid entry with a different valid entry (e.g. crdte or cspg).  Given that the HVO code currently does not provide the hooks to allow for an implementation which is compliant with the s390 architecture requirements, disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP again, which is basically a revert of the original patch which enabled it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68310",
                                "url": "https://ubuntu.com/security/CVE-2025-68310",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump  Do not block PCI config accesses through pci_cfg_access_lock() when executing the s390 variant of PCI error recovery: Acquire just device_lock() instead of pci_dev_lock() as powerpc's EEH and generig PCI AER processing do.  During error recovery testing a pair of tasks was reported to be hung:  mlx5_core 0000:00:00.1: mlx5_health_try_recover:338:(pid 5553): health recovery flow aborted, PCI reads still not working INFO: task kmcheck:72 blocked for more than 122 seconds.       Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. task:kmcheck         state:D stack:0     pid:72    tgid:72    ppid:2     flags:0x00000000 Call Trace:  [<000000065256f030>] __schedule+0x2a0/0x590  [<000000065256f356>] schedule+0x36/0xe0  [<000000065256f572>] schedule_preempt_disabled+0x22/0x30  [<0000000652570a94>] __mutex_lock.constprop.0+0x484/0x8a8  [<000003ff800673a4>] mlx5_unload_one+0x34/0x58 [mlx5_core]  [<000003ff8006745c>] mlx5_pci_err_detected+0x94/0x140 [mlx5_core]  [<0000000652556c5a>] zpci_event_attempt_error_recovery+0xf2/0x398  [<0000000651b9184a>] __zpci_event_error+0x23a/0x2c0 INFO: task kworker/u1664:6:1514 blocked for more than 122 seconds.       Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. 
task:kworker/u1664:6 state:D stack:0     pid:1514  tgid:1514  ppid:2     flags:0x00000000 Workqueue: mlx5_health0000:00:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core] Call Trace:  [<000000065256f030>] __schedule+0x2a0/0x590  [<000000065256f356>] schedule+0x36/0xe0  [<0000000652172e28>] pci_wait_cfg+0x80/0xe8  [<0000000652172f94>] pci_cfg_access_lock+0x74/0x88  [<000003ff800916b6>] mlx5_vsc_gw_lock+0x36/0x178 [mlx5_core]  [<000003ff80098824>] mlx5_crdump_collect+0x34/0x1c8 [mlx5_core]  [<000003ff80074b62>] mlx5_fw_fatal_reporter_dump+0x6a/0xe8 [mlx5_core]  [<0000000652512242>] devlink_health_do_dump.part.0+0x82/0x168  [<0000000652513212>] devlink_health_report+0x19a/0x230  [<000003ff80075a12>] mlx5_fw_fatal_reporter_err_work+0xba/0x1b0 [mlx5_core]  No kernel log of the exact same error with an upstream kernel is available - but the very same deadlock situation can be constructed there, too:  - task: kmcheck   mlx5_unload_one() tries to acquire devlink lock while the PCI error   recovery code has set pdev->block_cfg_access by way of   pci_cfg_access_lock() - task: kworker   mlx5_crdump_collect() tries to set block_cfg_access through   pci_cfg_access_lock() while devlink_health_report() had acquired   the devlink lock.  A similar deadlock situation can be reproduced by requesting a crdump with   > devlink health dump show pci/<BDF> reporter fw_fatal  while PCI error recovery is executed on the same <BDF> physical function by mlx5_core's pci_error_handlers. On s390 this can be injected with   > zpcictl --reset-fw <BDF>  Tests with this patch failed to reproduce that second deadlock situation, the devlink command is rejected with \"kernel answers: Permission denied\" - and we get a kernel log message of:  mlx5_core 1ed0:00:00.1: mlx5_crdump_collect:50:(pid 254382): crdump: failed to lock vsc gw err -5  because the config read of VSC_SEMAPHORE is rejected by the underlying hardware.  
Two prior attempts to address this issue have been discussed and ultimately rejected [see link], with the primary argument that s390's implementation of PCI error recovery is imposing restrictions that neither powerpc's EEH nor PCI AER handling need. Tests show that PCI error recovery on s390 is running to completion even without blocking access to PCI config space.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40317",
                                "url": "https://ubuntu.com/security/CVE-2025-40317",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  regmap: slimbus: fix bus_context pointer in regmap init calls  Commit 4e65bda8273c (\"ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()\") revealed the problem in the slimbus regmap. That commit breaks audio playback, for instance, on sdm845 Thundercomm Dragonboard 845c board:   Unable to handle kernel paging request at virtual address ffff8000847cbad4  ...  CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT  Hardware name: Thundercomm Dragonboard 845c (DT)  ...  Call trace:   slim_xfer_msg+0x24/0x1ac [slimbus] (P)   slim_read+0x48/0x74 [slimbus]   regmap_slimbus_read+0x18/0x24 [regmap_slimbus]   _regmap_raw_read+0xe8/0x174   _regmap_bus_read+0x44/0x80   _regmap_read+0x60/0xd8   _regmap_update_bits+0xf4/0x140   _regmap_select_page+0xa8/0x124   _regmap_raw_write_impl+0x3b8/0x65c   _regmap_bus_raw_write+0x60/0x80   _regmap_write+0x58/0xc0   regmap_write+0x4c/0x80   wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x]   snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core]   __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core]   dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core]   dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core]   snd_pcm_hw_params+0x124/0x464 [snd_pcm]   snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm]   snd_pcm_ioctl+0x34/0x4c [snd_pcm]   __arm64_sys_ioctl+0xac/0x104   invoke_syscall+0x48/0x104   el0_svc_common.constprop.0+0x40/0xe0   do_el0_svc+0x1c/0x28   el0_svc+0x34/0xec   el0t_64_sync_handler+0xa0/0xf0   el0t_64_sync+0x198/0x19c  The __devm_regmap_init_slimbus() started to be used instead of __regmap_init_slimbus() after the commit mentioned above and turns out the incorrect bus_context pointer (3rd argument) was used in __devm_regmap_init_slimbus(). It should be just \"slimbus\" (which is equal to &slimbus->dev). Correct it. 
The wcd934x codec seems to be the only or the first user of devm_regmap_init_slimbus() but we should fix it till the point where __devm_regmap_init_slimbus() was introduced therefore two \"Fixes\" tags.  While at this, also correct the same argument in __regmap_init_slimbus().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40359",
                                "url": "https://ubuntu.com/security/CVE-2025-40359",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/x86/intel: Fix KASAN global-out-of-bounds warning  When running \"perf mem record\" command on CWF, the below KASAN global-out-of-bounds warning is seen.    ==================================================================   BUG: KASAN: global-out-of-bounds in cmt_latency_data+0x176/0x1b0   Read of size 4 at addr ffffffffb721d000 by task dtlb/9850    Call Trace:     kasan_report+0xb8/0xf0    cmt_latency_data+0x176/0x1b0    setup_arch_pebs_sample_data+0xf49/0x2560    intel_pmu_drain_arch_pebs+0x577/0xb00    handle_pmi_common+0x6c4/0xc80  The issue is caused by below code in __grt_latency_data(). The code tries to access x86_hybrid_pmu structure which doesn't exist on non-hybrid platform like CWF.          WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big)  So add is_hybrid() check before calling this WARN_ON_ONCE to fix the global-out-of-bounds access issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68181",
                                "url": "https://ubuntu.com/security/CVE-2025-68181",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Remove calls to drm_put_dev()  Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() drm_put_dev()'ing to trigger it to be free'd should be done by devres.  However, drm_put_dev() is still in the probe error and device remove paths. When the driver fails to probe warnings like the following are shown because devres is trying to drm_put_dev() after the driver already did it.  [    5.642230] radeon 0000:01:05.0: probe with driver radeon failed with error -22 [    5.649605] ------------[ cut here ]------------ [    5.649607] refcount_t: underflow; use-after-free. [    5.649620] WARNING: CPU: 0 PID: 357 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110  (cherry picked from commit 3eb8c0b4c091da0a623ade0d3ee7aa4a93df1ea4)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68170",
                                "url": "https://ubuntu.com/security/CVE-2025-68170",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Do not kfree() devres managed rdev  Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() rdev is managed by devres and we shouldn't be calling kfree() on it.  This fixes things exploding if the driver probe fails and devres cleans up the rdev after we already free'd it.  (cherry picked from commit 16c0681617b8a045773d4d87b6140002fa75b03b)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40213",
                                "url": "https://ubuntu.com/security/CVE-2025-40213",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete  There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array.  Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove.  Use DEFINE_FLEX to declare the flexible array right, and don't memcpy outside bounds.  As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free, and also report status on error.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-24 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40318",
                                "url": "https://ubuntu.com/security/CVE-2025-40318",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once  hci_cmd_sync_dequeue_once() does lookup and then cancel the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the same entry, leading to double list_del() and \"UAF\".  Fix this by holding cmd_sync_work_lock across both lookup and cancel, so that the entry cannot be removed concurrently.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68312",
                                "url": "https://ubuntu.com/security/CVE-2025-68312",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: Prevents free active kevent  The root cause of this issue are: 1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0); put the kevent work in global workqueue. However, the kevent has not yet been scheduled when the usbnet device is unregistered. Therefore, executing free_netdev() results in the \"free active object (kevent)\" error reported here.  2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(), if the usbnet device is up, ndo_stop() is executed to cancel the kevent. However, because the device is not up, ndo_stop() is not executed.  The solution to this problem is to cancel the kevent before executing free_netdev().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40344",
                                "url": "https://ubuntu.com/security/CVE-2025-40344",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Disable periods-elapsed work when closing PCM  avs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio stream while period-elapsed work services its IRQs. As the former frees the DAI's private context, these two operations shall be synchronized to avoid slab-use-after-free or worse errors.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68172",
                                "url": "https://ubuntu.com/security/CVE-2025-68172",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: aspeed - fix double free caused by devm  The clock obtained via devm_clk_get_enabled() is automatically managed by devres and will be disabled and freed on driver detach. Manually calling clk_disable_unprepare() in error path and remove function causes double free.  Remove the manual clock cleanup in both aspeed_acry_probe()'s error path and aspeed_acry_remove().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40319",
                                "url": "https://ubuntu.com/security/CVE-2025-40319",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Sync pending IRQ work before freeing ring buffer  Fix a race where irq_work can be queued in bpf_ringbuf_commit() but the ring buffer is freed before the work executes. In the syzbot reproducer, a BPF program attached to sched_switch triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer is freed before this work executes, the irq_work thread may access freed memory. Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work complete before freeing the buffer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68182",
                                "url": "https://ubuntu.com/security/CVE-2025-68182",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: iwlwifi: fix potential use after free in iwl_mld_remove_link()  This code frees \"link\" by calling kfree_rcu(link, rcu_head) and then it dereferences \"link\" to get the \"link->fw_id\".  Save the \"link->fw_id\" first to avoid a potential use after free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68314",
                                "url": "https://ubuntu.com/security/CVE-2025-68314",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm: make sure last_fence is always updated  Update last_fence in the vm-bind path instead of kernel managed path.  last_fence is used to wait for work to finish in vm_bind contexts but not used for kernel managed contexts.  This fixes a bug where last_fence is not waited on context close leading to faults as resources are freed while in use.  Patchwork: https://patchwork.freedesktop.org/patch/680080/",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68189",
                                "url": "https://ubuntu.com/security/CVE-2025-68189",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm: Fix GEM free for imported dma-bufs  Imported dma-bufs also have obj->resv != &obj->_resv.  So we should check both this condition in addition to flags for handling the _NO_SHARE case.  Fixes this splat that was reported with IRIS video playback:      ------------[ cut here ]------------     WARNING: CPU: 3 PID: 2040 at drivers/gpu/drm/msm/msm_gem.c:1127 msm_gem_free_object+0x1f8/0x264 [msm]     CPU: 3 UID: 1000 PID: 2040 Comm: .gnome-shell-wr Not tainted 6.17.0-rc7 #1 PREEMPT     pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)     pc : msm_gem_free_object+0x1f8/0x264 [msm]     lr : msm_gem_free_object+0x138/0x264 [msm]     sp : ffff800092a1bb30     x29: ffff800092a1bb80 x28: ffff800092a1bce8 x27: ffffbc702dbdbe08     x26: 0000000000000008 x25: 0000000000000009 x24: 00000000000000a6     x23: ffff00083c72f850 x22: ffff00083c72f868 x21: ffff00087e69f200     x20: ffff00087e69f330 x19: ffff00084d157ae0 x18: 0000000000000000     x17: 0000000000000000 x16: ffffbc704bd46b80 x15: 0000ffffd0959540     x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000     x11: ffffbc702e6cdb48 x10: 0000000000000000 x9 : 000000000000003f     x8 : ffff800092a1ba90 x7 : 0000000000000000 x6 : 0000000000000020     x5 : ffffbc704bd46c40 x4 : fffffdffe102cf60 x3 : 0000000000400032     x2 : 0000000000020000 x1 : ffff00087e6978e8 x0 : ffff00087e6977e8     Call trace:      msm_gem_free_object+0x1f8/0x264 [msm] (P)      drm_gem_object_free+0x1c/0x30 [drm]      drm_gem_object_handle_put_unlocked+0x138/0x150 [drm]      drm_gem_object_release_handle+0x5c/0xcc [drm]      drm_gem_handle_delete+0x68/0xbc [drm]      drm_gem_close_ioctl+0x34/0x40 [drm]      drm_ioctl_kernel+0xc0/0x130 [drm]      drm_ioctl+0x360/0x4e0 [drm]      __arm64_sys_ioctl+0xac/0x104      invoke_syscall+0x48/0x104      el0_svc_common.constprop.0+0x40/0xe0      
do_el0_svc+0x1c/0x28      el0_svc+0x34/0xec      el0t_64_sync_handler+0xa0/0xe4      el0t_64_sync+0x198/0x19c     ---[ end trace 0000000000000000 ]---     ------------[ cut here ]------------  Patchwork: https://patchwork.freedesktop.org/patch/676273/",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68171",
                                "url": "https://ubuntu.com/security/CVE-2025-68171",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/fpu: Ensure XFD state on signal delivery  Sean reported [1] the following splat when running KVM tests:     WARNING: CPU: 232 PID: 15391 at xfd_validate_state+0x65/0x70    Call Trace:     <TASK>     fpu__clear_user_states+0x9c/0x100     arch_do_signal_or_restart+0x142/0x210     exit_to_user_mode_loop+0x55/0x100     do_syscall_64+0x205/0x2c0     entry_SYSCALL_64_after_hwframe+0x4b/0x53  Chao further identified [2] a reproducible scenario involving signal delivery: a non-AMX task is preempted by an AMX-enabled task which modifies the XFD MSR.  When the non-AMX task resumes and reloads XSTATE with init values, a warning is triggered due to a mismatch between fpstate::xfd and the CPU's current XFD state. fpu__clear_user_states() does not currently re-synchronize the XFD state after such preemption.  Invoke xfd_update_state() which detects and corrects the mismatch if there is a dynamic feature.  This also benefits the sigreturn path, as fpu__restore_sig() may call fpu__clear_user_states() when the sigframe is inaccessible.  [ dhansen: minor changelog munging ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68313",
                                "url": "https://ubuntu.com/security/CVE-2025-68313",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Add RDSEED fix for Zen5  There's an issue with RDSEED's 16-bit and 32-bit register output variants on Zen5 which return a random value of 0 \"at a rate inconsistent with randomness while incorrectly signaling success (CF=1)\". Search the web for AMD-SB-7055 for more detail.  Add a fix glue which checks microcode revisions.    [ bp: Add microcode revisions checking, rewrite. ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40320",
                                "url": "https://ubuntu.com/security/CVE-2025-40320",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix potential cfid UAF in smb2_query_info_compound  When smb2_query_info_compound() retries, a previously allocated cfid may have been freed in the first attempt. Because cfid wasn't reset on replay, later cleanup could act on a stale pointer, leading to a potential use-after-free.  Reinitialize cfid to NULL under the replay label.  Example trace (trimmed):  refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110 [...] RIP: 0010:refcount_warn_saturate+0x9c/0x110 [...] Call Trace:  <TASK>  smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  ? step_into+0x10d/0x690  ? __legitimize_path+0x28/0x60  smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  ? kmem_cache_alloc+0x18a/0x340  ? getname_flags+0x46/0x1e0  cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  statfs_by_dentry+0x67/0x90  vfs_statfs+0x16/0xd0  user_statfs+0x54/0xa0  __do_sys_statfs+0x20/0x50  do_syscall_64+0x58/0x80",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40321",
                                "url": "https://ubuntu.com/security/CVE-2025-40321",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode  Currently, whenever there is a need to transmit an Action frame, the brcmfmac driver always uses the P2P vif to send the \"actframe\" IOVAR to firmware. The P2P interfaces were available when wpa_supplicant is managing the wlan interface.  However, the P2P interfaces are not created/initialized when only hostapd is managing the wlan interface. And if hostapd receives an ANQP Query REQ Action frame even from an un-associated STA, the brcmfmac driver tries to use an uninitialized P2P vif pointer for sending the IOVAR to firmware. This NULL pointer dereferencing triggers a driver crash.   [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual  address 0000000000000000  [...]  [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)  [...]  [ 1417.075653] Call trace:  [ 1417.075662]  brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]  [ 1417.075738]  brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]  [ 1417.075810]  cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211]  [ 1417.076067]  nl80211_tx_mgmt+0x238/0x388 [cfg80211]  [ 1417.076281]  genl_family_rcv_msg_doit+0xe0/0x158  [ 1417.076302]  genl_rcv_msg+0x220/0x2a0  [ 1417.076317]  netlink_rcv_skb+0x68/0x140  [ 1417.076330]  genl_rcv+0x40/0x60  [ 1417.076343]  netlink_unicast+0x330/0x3b8  [ 1417.076357]  netlink_sendmsg+0x19c/0x3f8  [ 1417.076370]  __sock_sendmsg+0x64/0xc0  [ 1417.076391]  ____sys_sendmsg+0x268/0x2a0  [ 1417.076408]  ___sys_sendmsg+0xb8/0x118  [ 1417.076427]  __sys_sendmsg+0x90/0xf8  [ 1417.076445]  __arm64_sys_sendmsg+0x2c/0x40  [ 1417.076465]  invoke_syscall+0x50/0x120  [ 1417.076486]  el0_svc_common.constprop.0+0x48/0xf0  [ 1417.076506]  do_el0_svc+0x24/0x38  [ 1417.076525]  el0_svc+0x30/0x100  [ 1417.076548]  el0t_64_sync_handler+0x100/0x130  [ 1417.076569]  el0t_64_sync+0x190/0x198  [ 
1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)  Fix this, by always using the vif corresponding to the wdev on which the Action frame Transmission request was initiated by the userspace. This way, even if P2P vif is not available, the IOVAR is sent to firmware on AP vif and the ANQP Query RESP Action frame is transmitted without crashing the driver.  Move init_completion() for \"send_af_done\" from brcmf_p2p_create_p2pdev() to brcmf_p2p_attach(). Because the former function would not get executed when only hostapd is managing wlan interface, and it is not safe to do reinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior init_completion().  And in the brcmf_p2p_tx_action_frame() function, the condition check for P2P Presence response frame is not needed, since the wpa_supplicant is properly sending the P2P Presence Response frame on the P2P-GO vif instead of the P2P-Device vif.  [Cc stable]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40322",
                                "url": "https://ubuntu.com/security/CVE-2025-40322",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: bitblit: bound-check glyph index in bit_putcs*  bit_putcs_aligned()/unaligned() derived the glyph pointer from the character value masked by 0xff/0x1ff, which may exceed the actual font's glyph count and read past the end of the built-in font array. Clamp the index to the actual glyph count before computing the address.  This fixes a global out-of-bounds read reported by syzbot.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40211",
                                "url": "https://ubuntu.com/security/CVE-2025-40211",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ACPI: video: Fix use-after-free in acpi_video_switch_brightness()  The switch_brightness_work delayed work accesses device->brightness and device->backlight, freed by acpi_video_dev_unregister_backlight() during device removal.  If the work executes after acpi_video_bus_unregister_backlight() frees these resources, it causes a use-after-free when acpi_video_switch_brightness() dereferences device->brightness or device->backlight.  Fix this by calling cancel_delayed_work_sync() for each device's switch_brightness_work in acpi_video_bus_remove_notify_handler() after removing the notify handler that queues the work. This ensures the work completes before the memory is freed.  [ rjw: Changelog edit ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-21 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40323",
                                "url": "https://ubuntu.com/security/CVE-2025-40323",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Set fb_display[i]->mode to NULL when the mode is released  Recently, we discovered the following issue through syzkaller:  BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0 Read of size 4 at addr ff11000001b3c69c by task syz.xxx ... Call Trace:  <TASK>  dump_stack_lvl+0xab/0xe0  print_address_description.constprop.0+0x2c/0x390  print_report+0xb9/0x280  kasan_report+0xb8/0xf0  fb_mode_is_equal+0x285/0x2f0  fbcon_mode_deleted+0x129/0x180  fb_set_var+0xe7f/0x11d0  do_fb_ioctl+0x6a0/0x750  fb_ioctl+0xe0/0x140  __x64_sys_ioctl+0x193/0x210  do_syscall_64+0x5f/0x9c0  entry_SYSCALL_64_after_hwframe+0x76/0x7e  Based on experimentation and analysis, during framebuffer unregistration, only the memory of fb_info->modelist is freed, without setting the corresponding fb_display[i]->mode to NULL for the freed modes. This leads to UAF issues during subsequent accesses. Here's an example of reproduction steps: 1. With /dev/fb0 already registered in the system, load a kernel module    to register a new device /dev/fb1; 2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP); 3. Switch console from fb to VGA (to allow normal rmmod of the ko); 4. Unload the kernel module, at this point fb1's modelist is freed, leaving    a wild pointer in fb_display[]; 5. Trigger the bug via system calls through fb0 attempting to delete a mode    from fb0.  Add a check in do_unregister_framebuffer(): if the mode to be freed exists in fb_display[], set the corresponding mode pointer to NULL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40210",
                                "url": "https://ubuntu.com/security/CVE-2025-40210",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\"  I've found that pynfs COMP6 now leaves the connection or lease in a strange state, which causes CLOSE9 to hang indefinitely. I've dug into it a little, but I haven't been able to root-cause it yet. However, I bisected to commit 48aab1606fa8 (\"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\").  Tianshuo Han also reports a potential vulnerability when decoding an NFSv4 COMPOUND. An attacker can place an arbitrarily large op count in the COMPOUND header, which results in:  [   51.410584] nfsd: vmalloc error: size 1209533382144, exceeds total pages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO), nodemask=(null),cpuset=/,mems_allowed=0  when NFSD attempts to allocate the COMPOUND op array.  Let's restore the operation-per-COMPOUND limit, but increased to 200 for now.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-21 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40324",
                                "url": "https://ubuntu.com/security/CVE-2025-40324",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Fix crash in nfsd4_read_release()  When tracing is enabled, the trace_nfsd_read_done trace point crashes during the pynfs read.testNoFh test.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40326",
                                "url": "https://ubuntu.com/security/CVE-2025-40326",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define actions for the new time_deleg FATTR4 attributes  NFSv4 clients won't send legitimate GETATTR requests for these new attributes because they are intended to be used only with CB_GETATTR and SETATTR. But NFSD has to do something besides crashing if it ever sees a GETATTR request that queries these attributes.  RFC 8881 Section 18.7.3 states:  > The server MUST return a value for each attribute that the client > requests if the attribute is supported by the server for the > target file system. If the server does not support a particular > attribute on the target file system, then it MUST NOT return the > attribute value and MUST NOT set the attribute bit in the result > bitmap. The server MUST return an error if it supports an > attribute on the target but cannot obtain its value. In that case, > no attribute values will be returned.  Further, RFC 9754 Section 5 states:  > These new attributes are invalid to be used with GETATTR, VERIFY, > and NVERIFY, and they can only be used with CB_GETATTR and SETATTR > by a client holding an appropriate delegation.  Thus there does not appear to be a specific server response mandated by specification. Taking the guidance that querying these attributes via GETATTR is \"invalid\", NFSD will return nfserr_inval, failing the request entirely.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40084",
                                "url": "https://ubuntu.com/security/CVE-2025-40084",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: transport_ipc: validate payload size before reading handle  handle_response() dereferences the payload as a 4-byte handle without verifying that the declared payload size is at least 4 bytes. A malformed or truncated message from ksmbd.mountd can lead to a 4-byte read past the declared payload size. Validate the size before dereferencing.  This is a minimal fix to guard the initial handle read.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40222",
                                "url": "https://ubuntu.com/security/CVE-2025-40222",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: serial: sh-sci: fix RSCI FIFO overrun handling  The receive error handling code is shared between RSCI and all other SCIF port types, but the RSCI overrun_reg is specified as a memory offset, while for other SCIF types it is an enum value used to index into the sci_port_params->regs array, as mentioned above the sci_serial_in() function.  For RSCI, the overrun_reg is CSR (0x48), causing the sci_getreg() call inside the sci_handle_fifo_overrun() function to index outside the bounds of the regs array, which currently has a size of 20, as specified by SCI_NR_REGS.  Because of this, we end up accessing memory outside of RSCI's rsci_port_params structure, which, when interpreted as a plat_sci_reg, happens to have a non-zero size, causing the following WARN when sci_serial_in() is called, as the accidental size does not match the supported register sizes.  The existence of the overrun_reg needs to be checked because SCIx_SH3_SCIF_REGTYPE has overrun_reg set to SCLSR, but SCLSR is not present in the regs array.  Avoid calling sci_getreg() for port types which don't use standard register handling.  Use the ops->read_reg() and ops->write_reg() functions to properly read and write registers for RSCI, and change the type of the status variable to accommodate the 32-bit CSR register.  sci_getreg() and sci_serial_in() are also called with overrun_reg in the sci_mpxed_interrupt() interrupt handler, but that code path is not used for RSCI, as it does not have a muxed interrupt.  
------------[ cut here ]------------ Invalid register access WARNING: CPU: 0 PID: 0 at drivers/tty/serial/sh-sci.c:522 sci_serial_in+0x38/0xac Modules linked in: renesas_usbhs at24 rzt2h_adc industrialio_adc sha256 cfg80211 bluetooth ecdh_generic ecc rfkill fuse drm backlight ipv6 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.17.0-rc1+ #30 PREEMPT Hardware name: Renesas RZ/T2H EVK Board based on r9a09g077m44 (DT) pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : sci_serial_in+0x38/0xac lr : sci_serial_in+0x38/0xac sp : ffff800080003e80 x29: ffff800080003e80 x28: ffff800082195b80 x27: 000000000000000d x26: ffff8000821956d0 x25: 0000000000000000 x24: ffff800082195b80 x23: ffff000180e0d800 x22: 0000000000000010 x21: 0000000000000000 x20: 0000000000000010 x19: ffff000180e72000 x18: 000000000000000a x17: ffff8002bcee7000 x16: ffff800080000000 x15: 0720072007200720 x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720 x11: 0000000000000058 x10: 0000000000000018 x9 : ffff8000821a6a48 x8 : 0000000000057fa8 x7 : 0000000000000406 x6 : ffff8000821fea48 x5 : ffff00033ef88408 x4 : ffff8002bcee7000 x3 : ffff800082195b80 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff800082195b80 Call trace:  sci_serial_in+0x38/0xac (P)  sci_handle_fifo_overrun.isra.0+0x70/0x134  sci_er_interrupt+0x50/0x39c  __handle_irq_event_percpu+0x48/0x140  handle_irq_event+0x44/0xb0  handle_fasteoi_irq+0xf4/0x1a0  handle_irq_desc+0x34/0x58  generic_handle_domain_irq+0x1c/0x28  gic_handle_irq+0x4c/0x140  call_on_irq_stack+0x30/0x48  do_interrupt_handler+0x80/0x84  el1_interrupt+0x34/0x68  el1h_64_irq_handler+0x18/0x24  el1h_64_irq+0x6c/0x70  default_idle_call+0x28/0x58 (P)  do_idle+0x1f8/0x250  cpu_startup_entry+0x34/0x3c  rest_init+0xd8/0xe0  console_on_rootfs+0x0/0x6c  __primary_switched+0x88/0x90 ---[ end trace 0000000000000000 ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40223",
                                "url": "https://ubuntu.com/security/CVE-2025-40223",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  most: usb: Fix use-after-free in hdm_disconnect  hdm_disconnect() calls most_deregister_interface(), which eventually unregisters the MOST interface device with device_unregister(iface->dev). If that drops the last reference, the device core may call release_mdev() immediately while hdm_disconnect() is still executing.  The old code also freed several mdev-owned allocations in hdm_disconnect() and then performed additional put_device() calls. Depending on refcount order, this could lead to use-after-free or double-free when release_mdev() ran (or when unregister paths also performed puts).  Fix by moving the frees of mdev-owned allocations into release_mdev(), so they happen exactly once when the device is truly released, and by dropping the extra put_device() calls in hdm_disconnect() that are redundant after device_unregister() and most_deregister_interface().  This addresses the KASAN slab-use-after-free reported by syzbot in hdm_disconnect(). See report and stack traces in the bug link below.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40106",
                                "url": "https://ubuntu.com/security/CVE-2025-40106",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  comedi: fix divide-by-zero in comedi_buf_munge()  The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path.  Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging.  This prevents potential kernel panics from malformed user commands.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-31 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40224",
                                "url": "https://ubuntu.com/security/CVE-2025-40224",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hwmon: (cgbc-hwmon) Add missing NULL check after devm_kzalloc()  The driver allocates memory for sensor data using devm_kzalloc(), but did not check if the allocation succeeded. In case of memory allocation failure, dereferencing the NULL pointer would lead to a kernel crash.  Add a NULL pointer check and return -ENOMEM to handle allocation failure properly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40225",
                                "url": "https://ubuntu.com/security/CVE-2025-40225",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/panthor: Fix kernel panic on partial unmap of a GPU VA region  This commit address a kernel panic issue that can happen if Userspace tries to partially unmap a GPU virtual region (aka drm_gpuva). The VM_BIND interface allows partial unmapping of a BO.  Panthor driver pre-allocates memory for the new drm_gpuva structures that would be needed for the map/unmap operation, done using drm_gpuvm layer. It expected that only one new drm_gpuva would be needed on umap but a partial unmap can require 2 new drm_gpuva and that's why it ended up doing a NULL pointer dereference causing a kernel panic.  Following dump was seen when partial unmap was exercised.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078  Mem abort info:    ESR = 0x0000000096000046    EC = 0x25: DABT (current EL), IL = 32 bits    SET = 0, FnV = 0    EA = 0, S1PTW = 0    FSC = 0x06: level 2 translation fault  Data abort info:    ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000    CM = 0, WnR = 1, TnD = 0, TagAccess = 0    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0  user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000  [000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000  Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP  <snip>  pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)  pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]  lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor]  sp : ffff800085d43970  x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000  x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000  x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180  x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010  x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c  x14: 312d3d7361203a70 x13: 
303030323d6e656c x12: ffff80008324bf58  x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c  x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7  x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001  x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078  Call trace:   panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]   op_remap_cb.isra.22+0x50/0x80   __drm_gpuvm_sm_unmap+0x10c/0x1c8   drm_gpuvm_sm_unmap+0x40/0x60   panthor_vm_exec_op+0xb4/0x3d0 [panthor]   panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor]   panthor_ioctl_vm_bind+0x160/0x4a0 [panthor]   drm_ioctl_kernel+0xbc/0x138   drm_ioctl+0x240/0x500   __arm64_sys_ioctl+0xb0/0xf8   invoke_syscall+0x4c/0x110   el0_svc_common.constprop.1+0x98/0xf8   do_el0_svc+0x24/0x38   el0_svc+0x40/0xf8   el0t_64_sync_handler+0xa0/0xc8   el0t_64_sync+0x174/0x178",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40226",
                                "url": "https://ubuntu.com/security/CVE-2025-40226",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  firmware: arm_scmi: Account for failed debug initialization  When the SCMI debug subsystem fails to initialize, the related debug root will be missing, and the underlying descriptor will be NULL.  Handle this fault condition in the SCMI debug helpers that maintain metrics counters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40227",
                                "url": "https://ubuntu.com/security/CVE-2025-40227",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs: dealloc commit test ctx always  The damon_ctx for testing online DAMON parameters commit inputs is deallocated only when the test fails.  This means memory is leaked for every successful online DAMON parameters commit.  Fix the leak by always deallocating it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40228",
                                "url": "https://ubuntu.com/security/CVE-2025-40228",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs: catch commit test ctx alloc failure  Patch series \"mm/damon/sysfs: fix commit test damon_ctx [de]allocation\".  The DAMON sysfs interface dynamically allocates and uses a damon_ctx object for testing whether the given inputs for an online DAMON parameters update are valid. The object is being used without an allocation failure check, and leaked when the test succeeds.  Fix the two bugs.   This patch (of 2):  The damon_ctx for testing online DAMON parameters commit inputs is used without its allocation failure check.  This could result in an invalid memory access.  Fix it by directly returning an error when the allocation fails.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40229",
                                "url": "https://ubuntu.com/security/CVE-2025-40229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/core: fix potential memory leak by cleaning ops_filter in damon_destroy_scheme  Currently, damon_destroy_scheme() only cleans up the filter list but leaves ops_filter untouched, which could lead to memory leaks when a scheme is destroyed.  This patch ensures both filter and ops_filter are properly freed in damon_destroy_scheme(), preventing potential memory leaks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40230",
                                "url": "https://ubuntu.com/security/CVE-2025-40230",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm: prevent poison consumption when splitting THP  When performing memory error injection on a THP (Transparent Huge Page) mapped to userspace on an x86 server, the kernel panics with the following trace.  The expected behavior is to terminate the affected process instead of panicking the kernel, as the x86 Machine Check code can recover from an in-userspace #MC.    mce: [Hardware Error]: CPU 0: Machine Check Exception: f Bank 3: bd80000000070134   mce: [Hardware Error]: RIP 10:<ffffffff8372f8bc> {memchr_inv+0x4c/0xf0}   mce: [Hardware Error]: TSC afff7bbff88a ADDR 1d301b000 MISC 80 PPIN 1e741e77539027db   mce: [Hardware Error]: PROCESSOR 0:d06d0 TIME 1758093249 SOCKET 0 APIC 0 microcode 80000320   mce: [Hardware Error]: Run the above through 'mcelog --ascii'   mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel   Kernel panic - not syncing: Fatal local machine check  The root cause of this panic is that handling a memory failure triggered by an in-userspace #MC necessitates splitting the THP.  The splitting process employs a mechanism, implemented in try_to_map_unused_to_zeropage(), which reads the pages in the THP to identify zero-filled pages.  However, reading the pages in the THP results in a second in-kernel #MC, occurring before the initial memory_failure() completes, ultimately leading to a kernel panic.  See the kernel panic call trace on the two #MCs.    
First Machine Check occurs // [1]     memory_failure()         // [2]       try_to_split_thp_page()         split_huge_page()           split_huge_page_to_list_to_order()             __folio_split()  // [3]               remap_page()                 remove_migration_ptes()                   remove_migration_pte()                     try_to_map_unused_to_zeropage()  // [4]                       memchr_inv()                   // [5]                         Second Machine Check occurs  // [6]                           Kernel panic  [1] Triggered by accessing a hardware-poisoned THP in userspace, which is     typically recoverable by terminating the affected process.  [2] Call folio_set_has_hwpoisoned() before try_to_split_thp_page().  [3] Pass the RMP_USE_SHARED_ZEROPAGE remap flag to remap_page().  [4] Try to map the unused THP to zeropage.  [5] Re-access pages in the hw-poisoned THP in the kernel.  [6] Triggered in-kernel, leading to a panic kernel.  In Step[2], memory_failure() sets the poisoned flag on the page in the THP by TestSetPageHWPoison() before calling try_to_split_thp_page().  As suggested by David Hildenbrand, fix this panic by not accessing to the poisoned page in the THP during zeropage identification, while continuing to scan unaffected pages in the THP for possible zeropage mapping.  This prevents a second in-kernel #MC that would cause kernel panic in Step[4].  Thanks to Andrew Zaborowski for his initial work on fixing this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40231",
                                "url": "https://ubuntu.com/security/CVE-2025-40231",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix lock inversion in vsock_assign_transport()  Syzbot reported a potential lock inversion deadlock between vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.  The issue was introduced by commit 687aa0c5581b (\"vsock: Fix transport_* TOCTOU\") which added vsock_register_mutex locking in vsock_assign_transport() around the transport->release() call, that can call vsock_linger(). vsock_assign_transport() can be called with sk_lock held. vsock_linger() calls sk_wait_event() that temporarily releases and re-acquires sk_lock. During this window, if another thread holds vsock_register_mutex while trying to acquire sk_lock, a circular dependency is created.  Fix this by releasing vsock_register_mutex before calling transport->release() and vsock_deassign_transport(). This is safe because we don't need to hold vsock_register_mutex while releasing the old transport, and we ensure the new transport won't disappear by obtaining a module reference first via try_module_get().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40233",
                                "url": "https://ubuntu.com/security/CVE-2025-40233",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ocfs2: clear extent cache after moving/defragmenting extents  The extent map cache can become stale when extents are moved or defragmented, causing subsequent operations to see outdated extent flags. This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().  The problem occurs when: 1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED 2. ioctl(FITRIM) triggers ocfs2_move_extents() 3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2) 4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent()    which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0) 5. The extent map cache is not invalidated after the move 6. Later write() operations read stale cached flags (0x2) but disk has    updated flags (0x0), causing a mismatch 7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers  Fix by clearing the extent map cache after each extent move/defrag operation in __ocfs2_move_extents_range().  This ensures subsequent operations read fresh extent data from disk.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40235",
                                "url": "https://ubuntu.com/security/CVE-2025-40235",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots()  If fs_info->super_copy or fs_info->super_for_commit allocated failed in btrfs_get_tree_subvol(), then no need to call btrfs_free_fs_info(). Otherwise btrfs_check_leaked_roots() would access NULL pointer because fs_info->allocated_roots had not been initialised.  syzkaller reported the following information:   ------------[ cut here ]------------   BUG: unable to handle page fault for address: fffffffffffffbb0   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   PGD 64c9067 P4D 64c9067 PUD 64cb067 PMD 0   Oops: Oops: 0000 [#1] SMP KASAN PTI   CPU: 0 UID: 0 PID: 1402 Comm: syz.1.35 Not tainted 6.15.8 #4 PREEMPT(lazy)   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...)   RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]   RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]   RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]   RIP: 0010:refcount_read include/linux/refcount.h:170 [inline]   RIP: 0010:btrfs_check_leaked_roots+0x18f/0x2c0 fs/btrfs/disk-io.c:1230   [...]   
Call Trace:    <TASK>    btrfs_free_fs_info+0x310/0x410 fs/btrfs/disk-io.c:1280    btrfs_get_tree_subvol+0x592/0x6b0 fs/btrfs/super.c:2029    btrfs_get_tree+0x63/0x80 fs/btrfs/super.c:2097    vfs_get_tree+0x98/0x320 fs/super.c:1759    do_new_mount+0x357/0x660 fs/namespace.c:3899    path_mount+0x716/0x19c0 fs/namespace.c:4226    do_mount fs/namespace.c:4239 [inline]    __do_sys_mount fs/namespace.c:4450 [inline]    __se_sys_mount fs/namespace.c:4427 [inline]    __x64_sys_mount+0x28c/0x310 fs/namespace.c:4427    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0x92/0x180 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x76/0x7e   RIP: 0033:0x7f032eaffa8d   [...]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40236",
                                "url": "https://ubuntu.com/security/CVE-2025-40236",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: zero unused hash fields  When a GSO tunnel is negotiated, virtio_net_hdr_tnl_from_skb() tries to initialize the tunnel metadata but forgets to zero the unused rxhash fields. This may leak information to the other side. Fix this by zeroing the unused hash fields.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40237",
                                "url": "https://ubuntu.com/security/CVE-2025-40237",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/notify: call exportfs_encode_fid with s_umount  Calling intotify_show_fdinfo() on fd watching an overlayfs inode, while the overlayfs is being unmounted, can lead to dereferencing NULL ptr.  This issue was found by syzkaller.  Race Condition Diagram:  Thread 1                           Thread 2 --------                           --------  generic_shutdown_super()  shrink_dcache_for_umount   sb->s_root = NULL                      |                     |             vfs_read()                     |              inotify_fdinfo()                     |               * inode get from mark *                     |               show_mark_fhandle(m, inode)                     |                exportfs_encode_fid(inode, ..)                     |                 ovl_encode_fh(inode, ..)                     |                  ovl_check_encode_origin(inode)                     |                   * deref i_sb->s_root *                     |                     |                     v  fsnotify_sb_delete(sb)  Which then leads to:  [   32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [   32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [   32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none)  <snip registers, unreliable trace>  [   32.143353] Call Trace: [   32.143732]  ovl_encode_fh+0xd5/0x170 [   32.144031]  exportfs_encode_inode_fh+0x12f/0x300 [   32.144425]  show_mark_fhandle+0xbe/0x1f0 [   32.145805]  inotify_fdinfo+0x226/0x2d0 [   32.146442]  inotify_show_fdinfo+0x1c5/0x350 [   32.147168]  seq_show+0x530/0x6f0 [   32.147449]  seq_read_iter+0x503/0x12a0 [   32.148419]  seq_read+0x31f/0x410 [   32.150714]  vfs_read+0x1f0/0x9e0 [   32.152297]  ksys_read+0x125/0x240  IOW 
ovl_check_encode_origin derefs inode->i_sb->s_root, after it was set to NULL in the unmount path.  Fix it by protecting calling exportfs_encode_fid() from show_mark_fhandle() with s_umount lock.  This form of fix was suggested by Amir in [1].  [1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40238",
                                "url": "https://ubuntu.com/security/CVE-2025-40238",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5: Fix IPsec cleanup over MPV device  When we do mlx5e_detach_netdev() we eventually disable blocking events notifier, among those events are IPsec MPV events from IB to core.  So before disabling those blocking events, make sure to also unregister the devcom device and mark all this device operations as complete, in order to prevent the other device from using invalid netdev during future devcom events which could cause the trace below.  BUG: kernel NULL pointer dereference, address: 0000000000000010 PGD 146427067 P4D 146427067 PUD 146488067 PMD 0 Oops: Oops: 0000 [#1] SMP CPU: 1 UID: 0 PID: 7735 Comm: devlink Tainted: GW 6.12.0-rc6_for_upstream_min_debug_2024_11_08_00_46 #1 Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core] Code: 00 01 48 83 05 23 32 1e 00 01 41 b8 ed ff ff ff e9 60 ff ff ff 48 83 05 00 32 1e 00 01 eb e3 66 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 47 10 48 83 05 5f 32 1e 00 01 48 8b 50 40 48 85 d2 74 05 40 RSP: 0018:ffff88811a5c35f8 EFLAGS: 00010206 RAX: ffff888106e8ab80 RBX: ffff888107d7e200 RCX: ffff88810d6f0a00 RDX: ffff88810d6f0a00 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff88811a17e620 R08: 0000000000000040 R09: 0000000000000000 R10: ffff88811a5c3618 R11: 0000000de85d51bd R12: ffff88811a17e600 R13: ffff88810d6f0a00 R14: 0000000000000000 R15: ffff8881034bda80 FS:  00007f27bdf89180(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000010f159005 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  <TASK>  ? __die+0x20/0x60  ? page_fault_oops+0x150/0x3e0  ? 
exc_page_fault+0x74/0x130  ? asm_exc_page_fault+0x22/0x30  ? mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core]  mlx5e_devcom_event_mpv+0x42/0x60 [mlx5_core]  mlx5_devcom_send_event+0x8c/0x170 [mlx5_core]  blocking_event+0x17b/0x230 [mlx5_core]  notifier_call_chain+0x35/0xa0  blocking_notifier_call_chain+0x3d/0x60  mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]  mlx5_core_mp_event_replay+0x12/0x20 [mlx5_core]  mlx5_ib_bind_slave_port+0x228/0x2c0 [mlx5_ib]  mlx5_ib_stage_init_init+0x664/0x9d0 [mlx5_ib]  ? idr_alloc_cyclic+0x50/0xb0  ? __kmalloc_cache_noprof+0x167/0x340  ? __kmalloc_noprof+0x1a7/0x430  __mlx5_ib_add+0x34/0xd0 [mlx5_ib]  mlx5r_probe+0xe9/0x310 [mlx5_ib]  ? kernfs_add_one+0x107/0x150  ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib]  auxiliary_bus_probe+0x3e/0x90  really_probe+0xc5/0x3a0  ? driver_probe_device+0x90/0x90  __driver_probe_device+0x80/0x160  driver_probe_device+0x1e/0x90  __device_attach_driver+0x7d/0x100  bus_for_each_drv+0x80/0xd0  __device_attach+0xbc/0x1f0  bus_probe_device+0x86/0xa0  device_add+0x62d/0x830  __auxiliary_device_add+0x3b/0xa0  ? auxiliary_device_init+0x41/0x90  add_adev+0xd1/0x150 [mlx5_core]  mlx5_rescan_drivers_locked+0x21c/0x300 [mlx5_core]  esw_mode_change+0x6c/0xc0 [mlx5_core]  mlx5_devlink_eswitch_mode_set+0x21e/0x640 [mlx5_core]  devlink_nl_eswitch_set_doit+0x60/0xe0  genl_family_rcv_msg_doit+0xd0/0x120  genl_rcv_msg+0x180/0x2b0  ? devlink_get_from_attrs_lock+0x170/0x170  ? devlink_nl_eswitch_get_doit+0x290/0x290  ? devlink_nl_pre_doit_port_optional+0x50/0x50  ? genl_family_rcv_msg_dumpit+0xf0/0xf0  netlink_rcv_skb+0x54/0x100  genl_rcv+0x24/0x40  netlink_unicast+0x1fc/0x2d0  netlink_sendmsg+0x1e4/0x410  __sock_sendmsg+0x38/0x60  ? sockfd_lookup_light+0x12/0x60  __sys_sendto+0x105/0x160  ? 
__sys_recvmsg+0x4e/0x90  __x64_sys_sendto+0x20/0x30  do_syscall_64+0x4c/0x100  entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f27bc91b13a Code: bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 fa 96 2c 00 45 89 c9 4c 63 d1 48 63 ff 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40239",
                                "url": "https://ubuntu.com/security/CVE-2025-40239",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: phy: micrel: always set shared->phydev for LAN8814  Currently, during the LAN8814 PTP probe shared->phydev is only set if PTP clock gets actually set, otherwise the function will return before setting it.  This is an issue as shared->phydev is unconditionally being used when IRQ is being handled, especially in lan8814_gpio_process_cap and since it was not set it will cause a NULL pointer exception and crash the kernel.  So, simply always set shared->phydev to avoid the NULL pointer exception.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40240",
                                "url": "https://ubuntu.com/security/CVE-2025-40240",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: avoid NULL dereference when chunk data buffer is missing  chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only.  chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40241",
                                "url": "https://ubuntu.com/security/CVE-2025-40241",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: fix crafted invalid cases for encoded extents  Robert recently reported two corrupted images that can cause system crashes, which are related to the new encoded extents introduced in Linux 6.15:    - The first one [1] has plen != 0 (e.g. plen == 0x2000000) but     (plen & Z_EROFS_EXTENT_PLEN_MASK) == 0. It is used to represent     special extents such as sparse extents (!EROFS_MAP_MAPPED), but     previously only plen == 0 was handled;    - The second one [2] has pa 0xffffffffffdcffed and plen 0xb4000,     then \"cur [0xfffffffffffff000] += bvec.bv_len [0x1000]\" in     \"} while ((cur += bvec.bv_len) < end);\" wraps around, causing an     out-of-bound access of pcl->compressed_bvecs[] in     z_erofs_submit_queue().  EROFS only supports 48-bit physical block     addresses (up to 1EiB for 4k blocks), so add a sanity check to     enforce this.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40242",
                                "url": "https://ubuntu.com/security/CVE-2025-40242",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gfs2: Fix unlikely race in gdlm_put_lock  In gdlm_put_lock(), there is a small window of time in which the DFL_UNMOUNT flag has been set but the lockspace hasn't been released, yet.  In that window, dlm may still call gdlm_ast() and gdlm_bast(). To prevent it from dereferencing freed glock objects, only free the glock if the lockspace has actually been released.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40243",
                                "url": "https://ubuntu.com/security/CVE-2025-40243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()  The syzbot reported issue in hfs_find_set_zero_bits():  ===================================================== BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45  hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45  hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151  hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408  hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353  __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151  block_write_begin fs/buffer.c:2262 [inline]  cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601  hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52  cont_expand_zero fs/buffer.c:2528 [inline]  cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591  hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52  hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494  hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654  notify_change+0x1993/0x1aa0 fs/attr.c:552  do_truncate+0x28f/0x310 fs/open.c:68  do_ftruncate+0x698/0x730 fs/open.c:195  do_sys_ftruncate fs/open.c:210 [inline]  __do_sys_ftruncate fs/open.c:215 [inline]  __se_sys_ftruncate fs/open.c:213 [inline]  __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213  x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Uninit was created at:  slab_post_alloc_hook mm/slub.c:4154 [inline]  slab_alloc_node mm/slub.c:4197 [inline]  __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354  kmalloc_noprof include/linux/slab.h:905 [inline]  hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175  hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337  get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681  get_tree_bdev+0x38/0x50 fs/super.c:1704  hfs_get_tree+0x35/0x40 fs/hfs/super.c:388  
vfs_get_tree+0xb0/0x5c0 fs/super.c:1804  do_new_mount+0x738/0x1610 fs/namespace.c:3902  path_mount+0x6db/0x1e90 fs/namespace.c:4226  do_mount fs/namespace.c:4239 [inline]  __do_sys_mount fs/namespace.c:4450 [inline]  __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427  __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427  x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 =====================================================  The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get():  HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);  Finally, it can trigger the reported issue because kmalloc() doesn't clear the allocated memory. If allocated memory contains only zeros, then everything will work pretty fine. But if the allocated memory contains the \"garbage\", then it can affect the bitmap operations and it triggers the reported issue.  This patch simply exchanges the kmalloc() on kzalloc() with the goal to guarantee the correctness of bitmap operations. Because, newly created allocation bitmap should have all available blocks free. Potentially, initialization bitmap's read operation could not fill the whole allocated memory and \"garbage\" in the not initialized memory will be the reason of volume coruptions and file system driver bugs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40244",
                                "url": "https://ubuntu.com/security/CVE-2025-40244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()  The syzbot reported issue in __hfsplus_ext_cache_extent():  [   70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.195022][ T9350]  __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.195530][ T9350]  hfsplus_file_extend+0x74f/0x1cf0 [   70.195998][ T9350]  hfsplus_get_block+0xe16/0x17b0 [   70.196458][ T9350]  __block_write_begin_int+0x962/0x2ce0 [   70.196959][ T9350]  cont_write_begin+0x1000/0x1950 [   70.197416][ T9350]  hfsplus_write_begin+0x85/0x130 [   70.197873][ T9350]  generic_perform_write+0x3e8/0x1060 [   70.198374][ T9350]  __generic_file_write_iter+0x215/0x460 [   70.198892][ T9350]  generic_file_write_iter+0x109/0x5e0 [   70.199393][ T9350]  vfs_write+0xb0f/0x14e0 [   70.199771][ T9350]  ksys_write+0x23e/0x490 [   70.200149][ T9350]  __x64_sys_write+0x97/0xf0 [   70.200570][ T9350]  x64_sys_call+0x3015/0x3cf0 [   70.201065][ T9350]  do_syscall_64+0xd9/0x1d0 [   70.201506][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [   70.202054][ T9350] [   70.202279][ T9350] Uninit was created at: [   70.202693][ T9350]  __kmalloc_noprof+0x621/0xf80 [   70.203149][ T9350]  hfsplus_find_init+0x8d/0x1d0 [   70.203602][ T9350]  hfsplus_file_extend+0x6ca/0x1cf0 [   70.204087][ T9350]  hfsplus_get_block+0xe16/0x17b0 [   70.204561][ T9350]  __block_write_begin_int+0x962/0x2ce0 [   70.205074][ T9350]  cont_write_begin+0x1000/0x1950 [   70.205547][ T9350]  hfsplus_write_begin+0x85/0x130 [   70.206017][ T9350]  generic_perform_write+0x3e8/0x1060 [   70.206519][ T9350]  __generic_file_write_iter+0x215/0x460 [   70.207042][ T9350]  generic_file_write_iter+0x109/0x5e0 [   70.207552][ T9350]  vfs_write+0xb0f/0x14e0 [   70.207961][ T9350]  ksys_write+0x23e/0x490 [   70.208375][ T9350]  __x64_sys_write+0x97/0xf0 [   70.208810][ T9350]  
x64_sys_call+0x3015/0x3cf0 [   70.209255][ T9350]  do_syscall_64+0xd9/0x1d0 [   70.209680][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [   70.210230][ T9350] [   70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5 [   70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [   70.212115][ T9350] ===================================================== [   70.212734][ T9350] Disabling lock debugging due to kernel taint [   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ... [   70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G    B             6.12.0-rc5 #5 [   70.214679][ T9350] Tainted: [B]=BAD_PAGE [   70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [   70.215999][ T9350] Call Trace: [   70.216309][ T9350]  <TASK> [   70.216585][ T9350]  dump_stack_lvl+0x1fd/0x2b0 [   70.217025][ T9350]  dump_stack+0x1e/0x30 [   70.217421][ T9350]  panic+0x502/0xca0 [   70.217803][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0  [   70.218294][ Message fromT sy9350]  kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...  kernel :[   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [  70.220179][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0 set ... [   70.221254][ T9350]  ? __msan_warning+0x96/0x120 [   70.222066][ T9350]  ? __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.223023][ T9350]  ? hfsplus_file_extend+0x74f/0x1cf0 [   70.224120][ T9350]  ? hfsplus_get_block+0xe16/0x17b0 [   70.224946][ T9350]  ? __block_write_begin_int+0x962/0x2ce0 [   70.225756][ T9350]  ? cont_write_begin+0x1000/0x1950 [   70.226337][ T9350]  ? hfsplus_write_begin+0x85/0x130 [   70.226852][ T9350]  ? generic_perform_write+0x3e8/0x1060 [   70.227405][ T9350]  ? __generic_file_write_iter+0x215/0x460 [   70.227979][ T9350]  ? generic_file_write_iter+0x109/0x5e0 [   70.228540][ T9350]  ? 
vfs_write+0xb0f/0x14e0 [   70.228997][ T9350]  ? ksys_write+0x23e/0x490 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40245",
                                "url": "https://ubuntu.com/security/CVE-2025-40245",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nios2: ensure that memblock.current_limit is set when setting pfn limits  On nios2, with CONFIG_FLATMEM set, the kernel relies on memblock_get_current_limit() to determine the limits of mem_map, in particular for max_low_pfn. Unfortunately, memblock.current_limit is only default initialized to MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading to situations where max_low_pfn can erroneously exceed the value of max_pfn and, thus, the valid range of available DRAM.  This can in turn cause kernel-level paging failures, e.g.:  [   76.900000] Unable to handle kernel paging request at virtual address 20303000 [   76.900000] ea = c0080890, ra = c000462c, cause = 14 [   76.900000] Kernel panic - not syncing: Oops [   76.900000] ---[ end Kernel panic - not syncing: Oops ]---  This patch fixes this by pre-calculating memblock.current_limit based on the upper limits of the available memory ranges via adjust_lowmem_bounds, a simplified version of the equivalent implementation within the arm architecture.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40086",
                                "url": "https://ubuntu.com/security/CVE-2025-40086",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Don't allow evicting of BOs in same VM in array of VM binds  An array of VM binds can potentially evict other buffer objects (BOs) within the same VM under certain conditions, which may lead to NULL pointer dereferences later in the bind pipeline. To prevent this, clear the allow_res_evict flag in the xe_bo_validate call.  v2:  - Invert polarity of no_res_evict (Thomas)  - Add comment in code explaining issue (Thomas)  (cherry picked from commit 8b9ba8d6d95fe75fed6b0480bb03da4b321bea08)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40087",
                                "url": "https://ubuntu.com/security/CVE-2025-40087",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define a proc_layoutcommit for the FlexFiles layout type  Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40088",
                                "url": "https://ubuntu.com/security/CVE-2025-40088",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()  The hfsplus_strcasecmp() logic can trigger the issue:  [  117.317703][ T9855] ================================================================== [  117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490 [  117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855 [  117.319577][ T9855] [  117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full) [  117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [  117.319783][ T9855] Call Trace: [  117.319785][ T9855]  <TASK> [  117.319788][ T9855]  dump_stack_lvl+0x1c1/0x2a0 [  117.319795][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319803][ T9855]  ? __pfx_dump_stack_lvl+0x10/0x10 [  117.319808][ T9855]  ? rcu_is_watching+0x15/0xb0 [  117.319816][ T9855]  ? lock_release+0x4b/0x3e0 [  117.319821][ T9855]  ? __kasan_check_byte+0x12/0x40 [  117.319828][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319835][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319842][ T9855]  print_report+0x17e/0x7e0 [  117.319848][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319855][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319862][ T9855]  ? __phys_addr+0xd3/0x180 [  117.319869][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319876][ T9855]  kasan_report+0x147/0x180 [  117.319882][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319891][ T9855]  hfsplus_strcasecmp+0x1bc/0x490 [  117.319900][ T9855]  ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10 [  117.319906][ T9855]  hfs_find_rec_by_key+0xa9/0x1e0 [  117.319913][ T9855]  __hfsplus_brec_find+0x18e/0x470 [  117.319920][ T9855]  ? __pfx_hfsplus_bnode_find+0x10/0x10 [  117.319926][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319933][ T9855]  ? 
__pfx___hfsplus_brec_find+0x10/0x10 [  117.319942][ T9855]  hfsplus_brec_find+0x28f/0x510 [  117.319949][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319956][ T9855]  ? __pfx_hfsplus_brec_find+0x10/0x10 [  117.319963][ T9855]  ? __kmalloc_noprof+0x2a9/0x510 [  117.319969][ T9855]  ? hfsplus_find_init+0x8c/0x1d0 [  117.319976][ T9855]  hfsplus_brec_read+0x2b/0x120 [  117.319983][ T9855]  hfsplus_lookup+0x2aa/0x890 [  117.319990][ T9855]  ? __pfx_hfsplus_lookup+0x10/0x10 [  117.320003][ T9855]  ? d_alloc_parallel+0x2f0/0x15e0 [  117.320008][ T9855]  ? __lock_acquire+0xaec/0xd80 [  117.320013][ T9855]  ? __pfx_d_alloc_parallel+0x10/0x10 [  117.320019][ T9855]  ? __raw_spin_lock_init+0x45/0x100 [  117.320026][ T9855]  ? __init_waitqueue_head+0xa9/0x150 [  117.320034][ T9855]  __lookup_slow+0x297/0x3d0 [  117.320039][ T9855]  ? __pfx___lookup_slow+0x10/0x10 [  117.320045][ T9855]  ? down_read+0x1ad/0x2e0 [  117.320055][ T9855]  lookup_slow+0x53/0x70 [  117.320065][ T9855]  walk_component+0x2f0/0x430 [  117.320073][ T9855]  path_lookupat+0x169/0x440 [  117.320081][ T9855]  filename_lookup+0x212/0x590 [  117.320089][ T9855]  ? __pfx_filename_lookup+0x10/0x10 [  117.320098][ T9855]  ? strncpy_from_user+0x150/0x290 [  117.320105][ T9855]  ? getname_flags+0x1e5/0x540 [  117.320112][ T9855]  user_path_at+0x3a/0x60 [  117.320117][ T9855]  __x64_sys_umount+0xee/0x160 [  117.320123][ T9855]  ? __pfx___x64_sys_umount+0x10/0x10 [  117.320129][ T9855]  ? do_syscall_64+0xb7/0x3a0 [  117.320135][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320141][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320145][ T9855]  do_syscall_64+0xf3/0x3a0 [  117.320150][ T9855]  ? 
exc_page_fault+0x9f/0xf0 [  117.320154][ T9855]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320158][ T9855] RIP: 0033:0x7f7dd7908b07 [  117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08 [  117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40162",
                                "url": "https://ubuntu.com/security/CVE-2025-40162",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails  devm_kasprintf() may return NULL on memory allocation failure, but the debug message prints cpus->dai_name before checking it. Move the dev_dbg() call after the NULL check to prevent potential NULL pointer dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40085",
                                "url": "https://ubuntu.com/security/CVE-2025-40085",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card  In try_to_register_card(), the return value of usb_ifnum_to_if() is passed directly to usb_interface_claimed() without a NULL check, which will lead to a NULL pointer dereference when creating an invalid USB audio device. Fix this by adding a check to ensure the interface pointer is valid before passing it to usb_interface_claimed().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40172",
                                "url": "https://ubuntu.com/security/CVE-2025-40172",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()  Currently, if find_and_map_user_pages() takes a DMA xfer request from the user with a length field set to 0, or in a rare case, the host receives QAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size is equal to the requested transaction size, the function will return 0 before allocating an sgt or setting the fields of the dma_xfer struct. In that case, encode_addr_size_pairs() will try to access the sgt which will lead to a general protection fault.  Return an EINVAL in case the user provides a zero-sized ALP, or the device requests continuation after all of the bytes have been transferred.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40177",
                                "url": "https://ubuntu.com/security/CVE-2025-40177",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/qaic: Fix bootlog initialization ordering  As soon as we queue MHI buffers to receive the bootlog from the device, we could be receiving data. Therefore all the resources needed to process that data need to be setup prior to queuing the buffers.  We currently initialize some of the resources after queuing the buffers which creates a race between the probe() and any data that comes back from the device. If the uninitialized resources are accessed, we could see page faults.  Fix the init ordering to close the race.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40163",
                                "url": "https://ubuntu.com/security/CVE-2025-40163",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched/deadline: Stop dl_server before CPU goes offline  IBM CI tool reported kernel warning[1] when running a CPU removal operation through drmgr[2]. i.e \"drmgr -c cpu -r -q 1\"  WARNING: CPU: 0 PID: 0 at kernel/sched/cpudeadline.c:219 cpudl_set+0x58/0x170 NIP [c0000000002b6ed8] cpudl_set+0x58/0x170 LR [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 Call Trace: [c000000002c2f8c0] init_stack+0x78c0/0x8000 (unreliable) [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 [c00000000034df84] __hrtimer_run_queues+0x1a4/0x390 [c00000000034f624] hrtimer_interrupt+0x124/0x300 [c00000000002a230] timer_interrupt+0x140/0x320  Git bisects to: commit 4ae8d9aa9f9d (\"sched/deadline: Fix dl_server getting stuck\")  This happens since: - dl_server hrtimer gets enqueued close to cpu offline, when   kthread_park enqueues a fair task. - CPU goes offline and drmgr removes it from cpu_present_mask. - hrtimer fires and warning is hit.  Fix it by stopping the dl_server before CPU is marked dead.  [1]: https://lore.kernel.org/all/8218e149-7718-4432-9312-f97297c352b9@linux.ibm.com/ [2]: https://github.com/ibm-power-utilities/powerpc-utils/tree/next/src/drmgr  [sshegde: wrote the changelog and tested it]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40174",
                                "url": "https://ubuntu.com/security/CVE-2025-40174",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/mm: Fix SMP ordering in switch_mm_irqs_off()  Stephen noted that it is possible to not have an smp_mb() between the loaded_mm store and the tlb_gen load in switch_mm(), meaning the ordering against flush_tlb_mm_range() goes out the window, and it becomes possible for switch_mm() to not observe a recent tlb_gen update and fail to flush the TLBs.  [ dhansen: merge conflict fixed by Ingo ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40089",
                                "url": "https://ubuntu.com/security/CVE-2025-40089",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cxl/features: Add check for no entries in cxl_feature_info  cxl EDAC calls cxl_feature_info() to get the feature information and if the hardware has no Features support, cxlfs may be passed in as NULL.  [   51.957498] BUG: kernel NULL pointer dereference, address: 0000000000000008 [   51.965571] #PF: supervisor read access in kernel mode [   51.971559] #PF: error_code(0x0000) - not-present page [   51.977542] PGD 17e4f6067 P4D 0 [   51.981384] Oops: Oops: 0000 [#1] SMP NOPTI [   51.986300] CPU: 49 UID: 0 PID: 3782 Comm: systemd-udevd Not tainted 6.17.0dj test+ #64 PREEMPT(voluntary) [   51.997355] Hardware name: <removed> [   52.009790] RIP: 0010:cxl_feature_info+0xa/0x80 [cxl_core]  Add a check for cxlfs before dereferencing it and return -EOPNOTSUPP if there is no cxlfs created due to no hardware support.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40176",
                                "url": "https://ubuntu.com/security/CVE-2025-40176",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tls: wait for pending async decryptions if tls_strp_msg_hold fails  Async decryption calls tls_strp_msg_hold to create a clone of the input skb to hold references to the memory it uses. If we fail to allocate that clone, proceeding with async decryption can lead to various issues (UAF on the skb, writing into userspace memory after the recv() call has returned).  In this case, wait for all pending decryption requests.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40164",
                                "url": "https://ubuntu.com/security/CVE-2025-40164",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: Fix using smp_processor_id() in preemptible code warnings  Syzbot reported the following warning:  BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879 caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary) Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120  check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49  usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331  usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708  usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417  __dev_set_mtu net/core/dev.c:9443 [inline]  netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496  netif_set_mtu+0xb0/0x160 net/core/dev.c:9520  dev_set_mtu+0xae/0x170 net/core/dev_api.c:247  dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572  dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821  sock_do_ioctl+0x19d/0x280 net/socket.c:1204  sock_ioctl+0x42f/0x6a0 net/socket.c:1311  vfs_ioctl fs/ioctl.c:51 [inline]  __do_sys_ioctl fs/ioctl.c:906 [inline]  __se_sys_ioctl fs/ioctl.c:892 [inline]  __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  For historical and portability reasons, the netif_rx() is usually run in the softirq or interrupt context, this commit therefore add local_bh_disable/enable() protection in the usbnet_resume_rx().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40091",
                                "url": "https://ubuntu.com/security/CVE-2025-40091",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ixgbe: fix too early devlink_free() in ixgbe_remove()  Since ixgbe_adapter is embedded in devlink, calling devlink_free() prematurely in the ixgbe_remove() path can lead to UAF. Move devlink_free() to the end.  KASAN report:   BUG: KASAN: use-after-free in ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]  Read of size 8 at addr ffff0000adf813e0 by task bash/2095  CPU: 1 UID: 0 PID: 2095 Comm: bash Tainted: G S 6.17.0-rc2-tnguy.net-queue+ #1 PREEMPT(full)  [...]  Call trace:   show_stack+0x30/0x90 (C)   dump_stack_lvl+0x9c/0xd0   print_address_description.constprop.0+0x90/0x310   print_report+0x104/0x1f0   kasan_report+0x88/0x180   __asan_report_load8_noabort+0x20/0x30   ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]   ixgbe_clear_interrupt_scheme+0xf8/0x130 [ixgbe]   ixgbe_remove+0x2d0/0x8c0 [ixgbe]   pci_device_remove+0xa0/0x220   device_remove+0xb8/0x170   device_release_driver_internal+0x318/0x490   device_driver_detach+0x40/0x68   unbind_store+0xec/0x118   drv_attr_store+0x64/0xb8   sysfs_kf_write+0xcc/0x138   kernfs_fop_write_iter+0x294/0x440   new_sync_write+0x1fc/0x588   vfs_write+0x480/0x6a0   ksys_write+0xf0/0x1e0   __arm64_sys_write+0x70/0xc0   invoke_syscall.constprop.0+0xcc/0x280   el0_svc_common.constprop.0+0xa8/0x248   do_el0_svc+0x44/0x68   el0_svc+0x54/0x160   el0t_64_sync_handler+0xa0/0xe8   el0t_64_sync+0x1b0/0x1b8",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40175",
                                "url": "https://ubuntu.com/security/CVE-2025-40175",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  idpf: cleanup remaining SKBs in PTP flows  When the driver requests Tx timestamp value, one of the first steps is to clone SKB using skb_get. It increases the reference counter for that SKB to prevent unexpected freeing by another component. However, there may be a case where the index is requested, SKB is assigned and never consumed by PTP flows - for example due to reset during running PTP apps.  Add a check in release timestamping function to verify if the SKB assigned to Tx timestamp latch was freed, and release remaining SKBs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40173",
                                "url": "https://ubuntu.com/security/CVE-2025-40173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ip6_tunnel: Prevent perpetual tunnel growth  Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd (\"net: ip_tunnel: prevent perpetual headroom growth\"), ipv6 tunnel yet increases the headroom without any ceiling.  Reflect ipv4 tunnel headroom adjustment limit on ipv6 version.  Credits to Francesco Ruggeri, who was originally debugging this issue and wrote local Arista-specific patch and a reproducer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40092",
                                "url": "https://ubuntu.com/security/CVE-2025-40092",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ncm: Refactor bind path to use __free()  After a bind/unbind cycle, the ncm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  ncm_bind+0x39c/0x3dc  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40093",
                                "url": "https://ubuntu.com/security/CVE-2025-40093",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ecm: Refactor bind path to use __free()  After a bind/unbind cycle, the ecm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40094",
                                "url": "https://ubuntu.com/security/CVE-2025-40094",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_acm: Refactor bind path to use __free()  After a bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  gs_free_req+0x30/0x44  acm_bind+0x1b8/0x1f4  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40095",
                                "url": "https://ubuntu.com/security/CVE-2025-40095",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_rndis: Refactor bind path to use __free()  After a bind/unbind cycle, the rndis->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40165",
                                "url": "https://ubuntu.com/security/CVE-2025-40165",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: nxp: imx8-isi: m2m: Fix streaming cleanup on release  If streamon/streamoff calls are imbalanced, such as when exiting an application with Ctrl+C when streaming, the m2m usage_count will never reach zero and the ISI channel won't be freed. Besides from that, if the input line width is more than 2K, it will trigger a WARN_ON():  [ 59.222120] ------------[ cut here ]------------ [ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654 [ 59.238569] Modules linked in: ap1302 [ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT [ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT) [ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120 [ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120 [ 59.275047] sp : ffff8000848c3b40 [ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00 [ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001 [ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780 [ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000 [ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c [ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 [ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30 [ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420 [ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000 [ 59.349590] Call trace: [ 59.352025]  mxc_isi_channel_chain+0xa4/0x120 (P) [ 59.356722]  mxc_isi_m2m_streamon+0x160/0x20c [ 
59.361072]  v4l_streamon+0x24/0x30 [ 59.364556]  __video_do_ioctl+0x40c/0x4a0 [ 59.368560]  video_usercopy+0x2bc/0x690 [ 59.372382]  video_ioctl2+0x18/0x24 [ 59.375857]  v4l2_ioctl+0x40/0x60 [ 59.379168]  __arm64_sys_ioctl+0xac/0x104 [ 59.383172]  invoke_syscall+0x48/0x104 [ 59.386916]  el0_svc_common.constprop.0+0xc0/0xe0 [ 59.391613]  do_el0_svc+0x1c/0x28 [ 59.394915]  el0_svc+0x34/0xf4 [ 59.397966]  el0t_64_sync_handler+0xa0/0xe4 [ 59.402143]  el0t_64_sync+0x198/0x19c [ 59.405801] ---[ end trace 0000000000000000 ]---  Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the v4l2_m2m_ioctl_streamon() and v4l2_m2m_ioctl_streamoff() helpers.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40096",
                                "url": "https://ubuntu.com/security/CVE-2025-40096",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies  When adding dependencies with drm_sched_job_add_dependency(), that function consumes the fence reference both on success and failure, so in the latter case the dma_fence_put() on the error path (xarray failed to expand) is a double free.  Interestingly this bug appears to have been present ever since commit ebd5f74255b9 (\"drm/sched: Add dependency tracking\"), since the code back then looked like this:  drm_sched_job_add_implicit_dependencies(): ...        for (i = 0; i < fence_count; i++) {                ret = drm_sched_job_add_dependency(job, fences[i]);                if (ret)                        break;        }         for (; i < fence_count; i++)                dma_fence_put(fences[i]);  Which means for the failing 'i' the dma_fence_put was already a double free. Possibly there were no users at that time, or the test cases were insufficient to hit it.  The bug was then only noticed and fixed after commit 9c2ba265352a (\"drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2\") landed, with its fixup of commit 4eaf02d6076c (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies\").  At that point it was a slightly different flavour of a double free, which commit 963d0b356935 (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder\") noticed and attempted to fix.  But it only moved the double free from happening inside the drm_sched_job_add_dependency(), when releasing the reference not yet obtained, to the caller, when releasing the reference already released by the former in the failure case.  As such it is not easy to identify the right target for the fixes tag so lets keep it simple and just continue the chain.  
While fixing we also improve the comment and explain the reason for taking the reference and not dropping it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40097",
                                "url": "https://ubuntu.com/security/CVE-2025-40097",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda: Fix missing pointer check in hda_component_manager_init function  The __component_match_add function may assign the 'matchptr' pointer the value ERR_PTR(-ENOMEM), which will subsequently be dereferenced.  The call stack leading to the error looks like this:  hda_component_manager_init |-> component_match_add     |-> component_match_add_release         |-> __component_match_add ( ... ,**matchptr, ... )             |-> *matchptr = ERR_PTR(-ENOMEM);       // assign |-> component_master_add_with_match( ...  match)     |-> component_match_realloc(match, match->num); // dereference  Add IS_ERR() check to prevent the crash.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40098",
                                "url": "https://ubuntu.com/security/CVE-2025-40098",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state()  Return value of a function acpi_evaluate_dsm() is dereferenced  without checking for NULL, but it is usually checked for this function.  acpi_evaluate_dsm() may return NULL, when acpi_evaluate_object() returns acpi_status other than ACPI_SUCCESS, so add a check to prevent the crash.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40099",
                                "url": "https://ubuntu.com/security/CVE-2025-40099",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cifs: parse_dfs_referrals: prevent oob on malformed input  Malicious SMB server can send invalid reply to FSCTL_DFS_GET_REFERRALS  - reply smaller than sizeof(struct get_dfs_referral_rsp) - reply with number of referrals smaller than NumberOfReferrals in the header  Processing of such replies will cause oob.  Return -EINVAL error on such replies to prevent oob-s.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40100",
                                "url": "https://ubuntu.com/security/CVE-2025-40100",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: do not assert we found block group item when creating free space tree  Currently, when building a free space tree at populate_free_space_tree(), if we are not using the block group tree feature, we always expect to find block group items (either extent items or a block group item with key type BTRFS_BLOCK_GROUP_ITEM_KEY) when we search the extent tree with btrfs_search_slot_for_read(), so we assert that we found an item. However this expectation is wrong since we can have a new block group created in the current transaction which is still empty and for which we still have not added the block group's item to the extent tree, in which case we do not have any items in the extent tree associated to the block group.  The insertion of a new block group's block group item in the extent tree happens at btrfs_create_pending_block_groups() when it calls the helper insert_block_group_item(). This typically is done when a transaction handle is released, committed or when running delayed refs (either as part of a transaction commit or when serving tickets for space reservation if we are low on free space).  So remove the assertion at populate_free_space_tree() even when the block group tree feature is not enabled and update the comment to mention this case.  Syzbot reported this with the following stack trace:    BTRFS info (device loop3 state M): rebuilding free space tree   assertion failed: ret == 0 :: 0, in fs/btrfs/free-space-tree.c:1115   ------------[ cut here ]------------   kernel BUG at fs/btrfs/free-space-tree.c:1115!   Oops: invalid opcode: 0000 [#1] SMP KASAN PTI   CPU: 1 UID: 0 PID: 6352 Comm: syz.3.25 Not tainted syzkaller #0 PREEMPT(full)   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025   RIP: 0010:populate_free_space_tree+0x700/0x710 fs/btrfs/free-space-tree.c:1115   Code: ff ff e8 d3 (...)   
RSP: 0018:ffffc9000430f780 EFLAGS: 00010246   RAX: 0000000000000043 RBX: ffff88805b709630 RCX: fea61d0e2e79d000   RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000   RBP: ffffc9000430f8b0 R08: ffffc9000430f4a7 R09: 1ffff92000861e94   R10: dffffc0000000000 R11: fffff52000861e95 R12: 0000000000000001   R13: 1ffff92000861f00 R14: dffffc0000000000 R15: 0000000000000000   FS:  00007f424d9fe6c0(0000) GS:ffff888125afc000(0000) knlGS:0000000000000000   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   CR2: 00007fd78ad212c0 CR3: 0000000076d68000 CR4: 00000000003526f0   Call Trace:    <TASK>    btrfs_rebuild_free_space_tree+0x1ba/0x6d0 fs/btrfs/free-space-tree.c:1364    btrfs_start_pre_rw_mount+0x128f/0x1bf0 fs/btrfs/disk-io.c:3062    btrfs_remount_rw fs/btrfs/super.c:1334 [inline]    btrfs_reconfigure+0xaed/0x2160 fs/btrfs/super.c:1559    reconfigure_super+0x227/0x890 fs/super.c:1076    do_remount fs/namespace.c:3279 [inline]    path_mount+0xd1a/0xfe0 fs/namespace.c:4027    do_mount fs/namespace.c:4048 [inline]    __do_sys_mount fs/namespace.c:4236 [inline]    __se_sys_mount+0x313/0x410 fs/namespace.c:4213    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    RIP: 0033:0x7f424e39066a   Code: d8 64 89 02 (...)   RSP: 002b:00007f424d9fde68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5   RAX: ffffffffffffffda RBX: 00007f424d9fdef0 RCX: 00007f424e39066a   RDX: 0000200000000180 RSI: 0000200000000380 RDI: 0000000000000000   RBP: 0000200000000180 R08: 00007f424d9fdef0 R09: 0000000000000020   R10: 0000000000000020 R11: 0000000000000246 R12: 0000200000000380   R13: 00007f424d9fdeb0 R14: 0000000000000000 R15: 00002000000002c0    </TASK>   Modules linked in:   ---[ end trace 0000000000000000 ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40101",
                                "url": "https://ubuntu.com/security/CVE-2025-40101",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST  At the end of btrfs_load_block_group_zone_info() the first thing we do is to ensure that if the mapping type is not a SINGLE one and there is no RAID stripe tree, then we return early with an error.  Doing that, though, prevents the code from running the last calls from this function which are about freeing memory allocated during its run. Hence, in this case, instead of returning early, we set the ret value and fall through the rest of the cleanup code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40167",
                                "url": "https://ubuntu.com/security/CVE-2025-40167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: detect invalid INLINE_DATA + EXTENTS flag combination  syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal.  The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set:      EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:     comm syz.0.17: corrupted extent tree: lblk 0 < prev 66  Investigation revealed that the inode has both flags set:     DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1  This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks  Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes.  Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40102",
                                "url": "https://ubuntu.com/security/CVE-2025-40102",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Prevent access to vCPU events before init  Another day, another syzkaller bug. KVM erroneously allows userspace to pend vCPU events for a vCPU that hasn't been initialized yet, leading to KVM interpreting a bunch of uninitialized garbage for routing / injecting the exception.  In one case the injection code and the hyp disagree on whether the vCPU has a 32bit EL1 and put the vCPU into an illegal mode for AArch64, tripping the BUG() in exception_target_el() during the next injection:    kernel BUG at arch/arm64/kvm/inject_fault.c:40!   Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP   CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT   Hardware name: linux,dummy-virt (DT)   pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)   pc : exception_target_el+0x88/0x8c   lr : pend_serror_exception+0x18/0x13c   sp : ffff800082f03a10   x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000   x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000   x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004   x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000   x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0   x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000   x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000   x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000   x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000   x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20   Call trace:    exception_target_el+0x88/0x8c (P)    kvm_inject_serror_esr+0x40/0x3b4    __kvm_arm_vcpu_set_events+0xf0/0x100    kvm_arch_vcpu_ioctl+0x180/0x9d4    kvm_vcpu_ioctl+0x60c/0x9f4    __arm64_sys_ioctl+0xac/0x104    invoke_syscall+0x48/0x110    el0_svc_common.constprop.0+0x40/0xe0  
  do_el0_svc+0x1c/0x28    el0_svc+0x34/0xf0    el0t_64_sync_handler+0xa0/0xe4    el0t_64_sync+0x198/0x19c   Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000)  Reject the ioctls outright as no sane VMM would call these before KVM_ARM_VCPU_INIT anyway. Even if it did the exception would've been thrown away by the eventual reset of the vCPU's state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40103",
                                "url": "https://ubuntu.com/security/CVE-2025-40103",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: Fix refcount leak for cifs_sb_tlink  Fix three refcount inconsistency issues related to `cifs_sb_tlink`.  Comments for `cifs_sb_tlink` state that `cifs_put_tlink()` needs to be called after successful calls to `cifs_sb_tlink()`. Three calls fail to update refcount accordingly, leading to possible resource leaks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40104",
                                "url": "https://ubuntu.com/security/CVE-2025-40104",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ixgbevf: fix mailbox API compatibility by negotiating supported features  There was backward compatibility in the terms of mailbox API. Various drivers from various OSes supporting 10G adapters from Intel portfolio could easily negotiate mailbox API.  This convention has been broken since introducing API 1.4. Commit 0062e7cc955e (\"ixgbevf: add VF IPsec offload code\") added support for IPSec which is specific only for the kernel ixgbe driver. None of the rest of the Intel 10G PF/VF drivers supports it. And actually lack of support was not included in the IPSec implementation - there were no such code paths. No possibility to negotiate support for the feature was introduced along with introduction of the feature itself.  Commit 339f28964147 (\"ixgbevf: Add support for new mailbox communication between PF and VF\") increasing API version to 1.5 did the same - it introduced code supported specifically by the PF ESX driver. It altered API version for the VF driver in the same time not touching the version defined for the PF ixgbe driver. It led to additional discrepancies, as the code provided within API 1.6 cannot be supported for Linux ixgbe driver as it causes crashes.  The issue was noticed some time ago and mitigated by Jake within the commit d0725312adf5 (\"ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5\"). As a result we have regression for IPsec support and after increasing API to version 1.6 ixgbevf driver stopped to support ESX MBX.  To fix this mess add new mailbox op asking PF driver about supported features. Basing on a response determine whether to set support for IPSec and ESX-specific enhanced mailbox.  New mailbox op, for compatibility purposes, must be added within new API revision, as API version of OOT PF & VF drivers is already increased to 1.6 and doesn't incorporate features negotiate op.  
Features negotiation mechanism gives possibility to be extended with new features when needed in the future.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40166",
                                "url": "https://ubuntu.com/security/CVE-2025-40166",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Check GuC running state before deregistering exec queue  In normal operation, a registered exec queue is disabled and deregistered through the GuC, and freed only after the GuC confirms completion. However, if the driver is forced to unbind while the exec queue is still running, the user may call exec_destroy() after the GuC has already been stopped and CT communication disabled.  In this case, the driver cannot receive a response from the GuC, preventing proper cleanup of exec queue resources. Fix this by directly releasing the resources when GuC is not running.  Here is the failure dmesg log: \" [  468.089581] ---[ end trace 0000000000000000 ]--- [  468.089608] pci 0000:03:00.0: [drm] *ERROR* GT0: GUC ID manager unclean (1/65535) [  468.090558] pci 0000:03:00.0: [drm] GT0:     total 65535 [  468.090562] pci 0000:03:00.0: [drm] GT0:     used 1 [  468.090564] pci 0000:03:00.0: [drm] GT0:     range 1..1 (1) [  468.092716] ------------[ cut here ]------------ [  468.092719] WARNING: CPU: 14 PID: 4775 at drivers/gpu/drm/xe/xe_ttm_vram_mgr.c:298 ttm_vram_mgr_fini+0xf8/0x130 [xe] \"  v2: use xe_uc_fw_is_running() instead of xe_guc_ct_enabled().     As CT may go down and come back during VF migration.  (cherry picked from commit 9b42321a02c50a12b2beb6ae9469606257fbecea)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40105",
                                "url": "https://ubuntu.com/security/CVE-2025-40105",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vfs: Don't leak disconnected dentries on umount  When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb (\"VFS: don't keep disconnected dentries on d_anon\") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitly relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are \"leaked\". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous \"Busy inodes after unmount\" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40019",
                                "url": "https://ubuntu.com/security/CVE-2025-40019",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: essiv - Check ssize for decryption and in-place encryption  Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-24 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40214",
                                "url": "https://ubuntu.com/security/CVE-2025-40214",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  af_unix: Initialise scc_index in unix_add_edge().  Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro.  The repro consists of three stages.    1)     1-a. Create a single cyclic reference with many sockets     1-b. close() all sockets     1-c. Trigger GC    2)     2-a. Pass sk-A to an embryo sk-B     2-b. Pass sk-X to sk-X     2-c. Trigger GC    3)     3-a. accept() the embryo sk-B     3-b. Pass sk-B to sk-C     3-c. close() the in-flight sk-A     3-d. Trigger GC  As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs:    unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START)   unix_sk(sk-X)->vertex->scc_index = 3  Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC.  At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices.  unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight.  3-c decrements sk-A's file refcnt to 1.  Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X:    sk-A -> sk-B (-> sk-C)   sk-X -> sk-X  This is totally fine.  All of them are not yet close()d and should be grouped into different SCCs.  However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead.    unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong!   &&   sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree                                        ^-- 1 in-flight count for sk-B   -> sk-A is dead !?  
The problem is that unix_add_edge() does not initialise scc_index.  Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c.  Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index.  This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.",
                                "cve_priority": "high",
                                "cve_public_date": "2025-12-04 13:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * questing/linux-riscv: 6.17.0-14.14.1 -proposed tracker (LP: #2137845)",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian.riscv/dkms-versions -- update from kernel-versions",
                            "      (main/2026.01.12)",
                            "",
                            "  [ Ubuntu: 6.17.0-14.14 ]",
                            "",
                            "  * questing/linux: 6.17.0-14.14 -proposed tracker (LP: #2137849)",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian.master/dkms-versions -- update from kernel-versions",
                            "      (main/2026.01.12)",
                            "  * ubuntu_kselftests:_net/net:gre_gso.sh failing (LP: #2136820)",
                            "    - SAUCE increase socat timeout in gre_gso.sh",
                            "  * ubuntu_blktrace_smoke_test fails on questing with rust coreutils",
                            "    (LP: #2137698)",
                            "    - SAUCE: Revert \"ext4: fail unaligned direct IO write with EINVAL\"",
                            "  * bareudp.sh in ubuntu_kselftests_net fails because of dash default shell",
                            "    (LP: #2129812)",
                            "    - selftests: net: use BASH for bareudp testing",
                            "  * CVE-2025-40256",
                            "    - xfrm: also call xfrm_state_delete_tunnel at destroy time for states that",
                            "      were never added",
                            "  * Enable PMF on AMD HPT/STX/KRK (LP: #2125022)",
                            "    - platform/x86/amd/pmf: Add support for adjusting PMF PPT and PPT APU",
                            "      thresholds",
                            "    - platform/x86/amd/pmf: Extend custom BIOS inputs for more policies",
                            "    - platform/x86/amd/pmf: Update ta_pmf_action structure member",
                            "    - platform/x86/amd/pmf: Add helper to verify BIOS input notifications are",
                            "      enable/disable",
                            "    - platform/x86/amd/pmf: Add custom BIOS input support for AMD_CPU_ID_PS",
                            "    - platform/x86/amd/pmf: Preserve custom BIOS inputs for evaluating the",
                            "      policies",
                            "    - platform/x86/amd/pmf: Call enact function sooner to process early",
                            "      pending requests",
                            "    - platform/x86/amd/pmf: Add debug logs for pending requests and custom",
                            "      BIOS inputs",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850)",
                            "    - iommufd/selftest: Fix ioctl return value in _test_cmd_trigger_vevents()",
                            "    - drm/mediatek: Add pm_runtime support for GCE power control",
                            "    - drm/i915: Fix conversion between clock ticks and nanoseconds",
                            "    - drm/amdgpu: set default gfx reset masks for gfx6-8",
                            "    - drm/amd/display: Don't stretch non-native images by default in eDP",
                            "    - smb: client: fix refcount leak in smb2_set_path_attr",
                            "    - iommufd: Make vfio_compat's unmap succeed if the range is already empty",
                            "    - futex: Optimize per-cpu reference counting",
                            "    - drm/amd: Fix suspend failure with secure display TA",
                            "    - drm/xe: Move declarations under conditional branch",
                            "    - drm/xe: Do clean shutdown also when using flr",
                            "    - drm/amd/display: Add pixel_clock to amd_pp_display_configuration",
                            "    - drm/amd/pm: Use pm_display_cfg in legacy DPM (v2)",
                            "    - drm/amd/display: Disable fastboot on DCE 6 too",
                            "    - drm/amd/pm: Disable MCLK switching on SI at high pixel clocks",
                            "    - drm/amd: Disable ASPM on SI",
                            "    - arm64: kprobes: check the return value of set_memory_rox()",
                            "    - compiler_types: Move unused static inline functions warning to W=2",
                            "    - riscv: Build loader.bin exclusively for Canaan K210",
                            "    - RISC-V: clear hot-unplugged cores from all task mm_cpumasks to avoid",
                            "      rfence errors",
                            "    - riscv: acpi: avoid errors caused by probing DT devices when ACPI is used",
                            "    - fs: return EOPNOTSUPP from file_setattr/file_getattr syscalls",
                            "    - ASoC: nau8821: Avoid unnecessary blocking in IRQ handler",
                            "    - NFS4: Fix state renewals missing after boot",
                            "    - drm/amdkfd: fix suspend/resume all calls in mes based eviction path",
                            "    - NFS4: Apply delay_retrans to async operations",
                            "    - HID: intel-thc-hid: intel-quickspi: Add ARL PCI Device Id's",
                            "    - HID: quirks: avoid Cooler Master MM712 dongle wakeup bug",
                            "    - ixgbe: handle IXGBE_VF_GET_PF_LINK_STATE mailbox operation",
                            "    - HID: nintendo: Wait longer for initial probe",
                            "    - NFS: check if suid/sgid was cleared after a write as needed",
                            "    - HID: quirks: Add ALWAYS_POLL quirk for VRS R295 steering wheel",
                            "    - io_uring: fix unexpected placement on same size resizing",
                            "    - HID: logitech-hidpp: Add HIDPP_QUIRK_RESET_HI_RES_SCROLL",
                            "    - ASoC: max98090/91: fixed max98091 ALSA widget powering up/down",
                            "    - ALSA: hda/realtek: Fix mute led for HP Omen 17-cb0xxx",
                            "    - ixgbe: handle IXGBE_VF_FEATURES_NEGOTIATE mbox cmd",
                            "    - wifi: ath11k: zero init info->status in wmi_process_mgmt_tx_comp()",
                            "    - selftests: net: local_termination: Wait for interfaces to come up",
                            "    - net: fec: correct rx_bytes statistic for the case SHIFT16 is set",
                            "    - net: phy: micrel: Introduce lanphy_modify_page_reg",
                            "    - net: phy: micrel: Replace hardcoded pages with defines",
                            "    - net: phy: micrel: lan8814 fix reset of the QSGMII interface",
                            "    - rust: Add -fno-isolate-erroneous-paths-dereference to",
                            "      bindgen_skip_c_flags",
                            "    - NFSD: Skip close replay processing if XDR encoding fails",
                            "    - Bluetooth: 6lowpan: fix BDADDR_LE vs ADDR_LE_DEV address type confusion",
                            "    - Bluetooth: 6lowpan: Don't hold spin lock over sleeping functions",
                            "    - Bluetooth: hci_conn: Fix not cleaning up PA_LINK connections",
                            "    - net: dsa: tag_brcm: do not mark link local traffic as offloaded",
                            "    - net/smc: fix mismatch between CLC header and proposal",
                            "    - net/handshake: Fix memory leak in tls_handshake_accept()",
                            "    - net: ethernet: ti: am65-cpsw-qos: fix IET verify/response timeout",
                            "    - net: ethernet: ti: am65-cpsw-qos: fix IET verify retry mechanism",
                            "    - net: mdio: fix resource leak in mdiobus_register_device()",
                            "    - wifi: mac80211: skip rate verification for not captured PSDUs",
                            "    - Bluetooth: hci_event: Fix not handling PA Sync Lost event",
                            "    - net/mlx5e: Fix missing error assignment in mlx5e_xfrm_add_state()",
                            "    - net/mlx5e: Fix maxrate wraparound in threshold between units",
                            "    - net/mlx5e: Fix wraparound in rate limiting for values above 255 Gbps",
                            "    - net/mlx5e: Fix potentially misleading debug message",
                            "    - net/mlx5: Fix typo of MLX5_EQ_DOORBEL_OFFSET",
                            "    - net/mlx5: Store the global doorbell in mlx5_priv",
                            "    - net/mlx5e: Prepare for using different CQ doorbells",
                            "    - net_sched: limit try_bulk_dequeue_skb() batches",
                            "    - wifi: iwlwifi: mvm: fix beacon template/fixed rate",
                            "    - wifi: iwlwifi: mld: always take beacon ies in link grading",
                            "    - virtio-net: fix incorrect flags recording in big mode",
                            "    - hsr: Fix supervision frame sending on HSRv0",
                            "    - hsr: Follow standard for HSRv0 supervision frames",
                            "    - ACPI: CPPC: Detect preferred core availability on online CPUs",
                            "    - ACPI: CPPC: Check _CPC validity for only the online CPUs",
                            "    - ACPI: CPPC: Perform fast check switch only for online CPUs",
                            "    - ACPI: CPPC: Limit perf ctrs in PCC check only to online CPUs",
                            "    - cpufreq: intel_pstate: Check IDA only before MSR_IA32_PERF_CTL writes",
                            "    - Bluetooth: L2CAP: export l2cap_chan_hold for modules",
                            "    - io_uring/rsrc: don't use blk_rq_nr_phys_segments() as number of bvecs",
                            "    - acpi,srat: Fix incorrect device handle check for Generic Initiator",
                            "    - regulator: fixed: fix GPIO descriptor leak on register failure",
                            "    - ASoC: cs4271: Fix regulator leak on probe failure",
                            "    - ASoC: codecs: va-macro: fix resource leak in probe error path",
                            "    - drm/vmwgfx: Restore Guest-Backed only cursor plane support",
                            "    - ASoC: tas2781: fix getting the wrong device number",
                            "    - pnfs: Fix TLS logic in _nfs4_pnfs_v3_ds_connect()",
                            "    - pnfs: Fix TLS logic in _nfs4_pnfs_v4_ds_connect()",
                            "    - pnfs: Set transport security policy to RPC_XPRTSEC_NONE unless using TLS",
                            "    - simplify nfs_atomic_open_v23()",
                            "    - NFSv2/v3: Fix error handling in nfs_atomic_open_v23()",
                            "    - NFS: sysfs: fix leak when nfs_client kobject add fails",
                            "    - NFSv4: Fix an incorrect parameter when calling nfs4_call_sync()",
                            "    - drm/amd/amdgpu: Ensure isp_kernel_buffer_alloc() creates a new BO",
                            "    - acpi/hmat: Fix lockdep warning for hmem_register_resource()",
                            "    - ASoC: rsnd: fix OF node reference leak in rsnd_ssiu_probe()",
                            "    - drm/client: fix MODULE_PARM_DESC string for \"active\"",
                            "    - irqchip/riscv-intc: Add missing free() callback in riscv_intc_domain_ops",
                            "    - lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN",
                            "    - hostfs: Fix only passing host root in boot stage with new mount",
                            "    - afs: Fix dynamic lookup to fail on cell lookup failure",
                            "    - mtd: onenand: Pass correct pointer to IRQ handler",
                            "    - virtio-fs: fix incorrect check for fsvq->kobj",
                            "    - fs/namespace: correctly handle errors returned by grab_requested_mnt_ns",
                            "    - perf header: Write bpf_prog (infos|btfs)_cnt to data file",
                            "    - perf build: Don't fail fast path feature detection when binutils-devel",
                            "      is not available",
                            "    - perf lock: Fix segfault due to missing kernel map",
                            "    - perf test shell lock_contention: Extra debug diagnostics",
                            "    - perf test: Fix lock contention test",
                            "    - arm64: dts: rockchip: Set correct pinctrl for I2S1 8ch TX on odroid-m1",
                            "    - arm64: dts: rockchip: Fix PCIe power enable pin for BigTreeTech CB2 and",
                            "      Pi2",
                            "    - arm64: dts: rockchip: Make RK3588 GPU OPP table naming less generic",
                            "    - ARM: dts: imx6ull-engicam-microgea-rmm: fix report-rate-hz value",
                            "    - ARM: dts: imx51-zii-rdu1: Fix audmux node names",
                            "    - arm64: dts: imx8-ss-img: Avoid gpio0_mipi_csi GPIOs being deferred",
                            "    - arm64: dts: imx8mp-kontron: Fix USB OTG role switching",
                            "    - HID: hid-ntrig: Prevent memory leak in ntrig_report_version()",
                            "    - ARM: dts: BCM53573: Fix address of Luxul XAP-1440's Ethernet PHY",
                            "    - arm64: dts: rockchip: Fix USB power enable pin for BTT CB2 and Pi2",
                            "    - arm64: dts: rockchip: drop reset from rk3576 i2c9 node",
                            "    - pwm: adp5585: Correct mismatched pwm chip info",
                            "    - HID: playstation: Fix memory leak in dualshock4_get_calibration_data()",
                            "    - HID: uclogic: Fix potential memory leak in error path",
                            "    - LoongArch: KVM: Restore guest PMU if it is enabled",
                            "    - LoongArch: KVM: Add delay until timer interrupt injected",
                            "    - LoongArch: KVM: Fix max supported vCPUs set with EIOINTC",
                            "    - KVM: arm64: Make all 32bit ID registers fully writable",
                            "    - KVM: SVM: Mark VMCB_LBR dirty when MSR_IA32_DEBUGCTLMSR is updated",
                            "    - KVM: nSVM: Always recalculate LBR MSR intercepts in svm_update_lbrv()",
                            "    - KVM: nSVM: Fix and simplify LBR virtualization handling with nested",
                            "    - KVM: VMX: Fix check for valid GVA on an EPT violation",
                            "    - nfsd: add missing FATTR4_WORD2_CLONE_BLKSIZE from supported attributes",
                            "    - gcov: add support for GCC 15",
                            "    - kho: warn and exit when unpreserved page wasn't preserved",
                            "    - strparser: Fix signed/unsigned mismatch bug",
                            "    - dma-mapping: benchmark: Restore padding to ensure uABI remained",
                            "      consistent",
                            "    - maple_tree: fix tracepoint string pointers",
                            "    - LoongArch: Consolidate early_ioremap()/ioremap_prot()",
                            "    - LoongArch: Use correct accessor to read FWPC/MWPC",
                            "    - LoongArch: Let {pte,pmd}_modify() record the status of _PAGE_DIRTY",
                            "    - mm/damon/sysfs: change next_update_jiffies to a global variable",
                            "    - selftests/tracing: Run sample events to clear page cache events",
                            "    - wifi: mac80211: reject address change while connecting",
                            "    - mm/huge_memory: preserve PG_has_hwpoisoned if a folio is split to >0",
                            "      order",
                            "    - mm/mm_init: fix hash table order logging in alloc_large_system_hash()",
                            "    - mm/damon/stat: change last_refresh_jiffies to a global variable",
                            "    - mm/kmsan: fix kmsan kmalloc hook when no stack depots are allocated yet",
                            "    - mm/shmem: fix THP allocation and fallback loop",
                            "    - mm/mremap: honour writable bit in mremap pte batching",
                            "    - mm/huge_memory: fix folio split check for anon folios in swapcache",
                            "    - mmc: sdhci-of-dwcmshc: Change DLL_STRBIN_TAPNUM_DEFAULT to 0x4",
                            "    - mmc: pxamci: Simplify pxamci_probe() error handling using devm APIs",
                            "    - mmc: dw_mmc-rockchip: Fix wrong internal phase calculate",
                            "    - ASoC: sdw_utils: fix device reference leak in is_sdca_endpoint_present()",
                            "    - crypto: hisilicon/qm - Fix device reference leak in qm_get_qos_value",
                            "    - smb: client: fix cifs_pick_channel when channel needs reconnect",
                            "    - spi: Try to get ACPI GPIO IRQ earlier",
                            "    - x86/microcode/AMD: Add Zen5 model 0x44, stepping 0x1 minrev",
                            "    - x86/CPU/AMD: Add additional fixed RDSEED microcode revisions",
                            "    - selftests/user_events: fix type cast for write_index packed member in",
                            "      perf_test",
                            "    - gendwarfksyms: Skip files with no exports",
                            "    - ftrace: Fix BPF fexit with livepatch",
                            "    - LoongArch: Consolidate max_pfn & max_low_pfn calculation",
                            "    - LoongArch: Use physical addresses for CSR_MERRENTRY/CSR_TLBRENTRY",
                            "    - EDAC/altera: Handle OCRAM ECC enable after warm reset",
                            "    - EDAC/altera: Use INTTEST register for Ethernet and USB SBE injection",
                            "    - PM: hibernate: Emit an error when image writing fails",
                            "    - PM: hibernate: Use atomic64_t for compressed_size variable",
                            "    - btrfs: zoned: fix conventional zone capacity calculation",
                            "    - btrfs: zoned: fix stripe width calculation",
                            "    - btrfs: scrub: put bio after errors in scrub_raid56_parity_stripe()",
                            "    - btrfs: do not update last_log_commit when logging inode due to a new",
                            "      name",
                            "    - btrfs: release root after error in data_reloc_print_warning_inode()",
                            "    - drm/amdkfd: relax checks for over allocation of save area",
                            "    - drm/amdgpu: disable peer-to-peer access for DCC-enabled GC12 VRAM",
                            "      surfaces",
                            "    - drm/i915/psr: fix pipe to vblank conversion",
                            "    - drm/xe/xe3lpg: Extend Wa_15016589081 for xe3lpg",
                            "    - drm/xe/xe3: Extend wa_14023061436",
                            "    - drm/xe/xe3: Add WA_14024681466 for Xe3_LPG",
                            "    - pmdomain: imx: Fix reference count leak in imx_gpc_remove",
                            "    - pmdomain: samsung: plug potential memleak during probe",
                            "    - pmdomain: samsung: Rework legacy splash-screen handover workaround",
                            "    - selftests: mptcp: connect: fix fallback note due to OoO",
                            "    - selftests: mptcp: join: rm: set backup flag",
                            "    - selftests: mptcp: join: endpoints: longer transfer",
                            "    - selftests: mptcp: connect: trunc: read all recv data",
                            "    - selftests: mptcp: join: userspace: longer transfer",
                            "    - selftests: mptcp: join: properly kill background tasks",
                            "    - mm/huge_memory: do not change split_huge_page*() target order silently",
                            "    - mm/memory: do not populate page table entries beyond i_size",
                            "    - scripts/decode_stacktrace.sh: symbol: avoid trailing whitespaces",
                            "    - scripts/decode_stacktrace.sh: symbol: preserve alignment",
                            "    - scripts/decode_stacktrace.sh: fix build ID and PC source parsing",
                            "    - ASoC: da7213: Convert to DEFINE_RUNTIME_DEV_PM_OPS()",
                            "    - ASoC: da7213: Use component driver suspend/resume",
                            "    - KVM: x86: Rename local \"ecx\" variables to \"msr\" and \"pmc\" as appropriate",
                            "    - KVM: x86: Add support for RDMSR/WRMSRNS w/ immediate on Intel",
                            "    - KVM: VMX: Inject #UD if guest tries to execute SEAMCALL or TDCALL",
                            "    - isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()",
                            "    - net: phy: micrel: Fix lan8814_config_init",
                            "    - Linux 6.17.9",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68204",
                            "    - pmdomain: arm: scmi: Fix genpd leak on provider registration failure",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68203",
                            "    - drm/amdgpu: fix lock warning in amdgpu_userq_fence_driver_process",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40267",
                            "    - io_uring/rw: ensure allocated iovec gets cleared for early failure",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68198",
                            "    - crash: fix crashkernel resource shrink",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68199",
                            "    - codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for",
                            "      slabobj_ext",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40268",
                            "    - cifs: client: fix memory leak in smb3_fs_context_parse_param",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40269",
                            "    - ALSA: usb-audio: Fix potential overflow of PCM transfer buffer",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68205",
                            "    - ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40270",
                            "    - mm, swap: fix potential UAF issue for VMA readahead",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40271",
                            "    - fs/proc: fix uaf in proc_readdir_de()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40272",
                            "    - mm/secretmem: fix use-after-free race in fault handler",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68245",
                            "    - net: netpoll: fix incorrect refcount handling causing incorrect cleanup",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68240",
                            "    - nilfs2: avoid having an active sc_timer before freeing sci",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68241",
                            "    - ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68211",
                            "    - ksm: use range-walk function to jump over holes in",
                            "      scan_get_next_rmap_item",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68246",
                            "    - ksmbd: close accepted socket when per-IP limit rejects connection",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40273",
                            "    - NFSD: free copynotify stateid in nfs4_free_ol_stateid()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40212",
                            "    - nfsd: fix refcount leak in nfsd_set_fh_dentry()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40274",
                            "    - KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68202",
                            "    - sched_ext: Fix unsafe locking in the scx_dump_state()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68239",
                            "    - binfmt_misc: restore write access before closing files opened by",
                            "      open_exec()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68247",
                            "    - posix-timers: Plug potential memory leak in do_timer_create()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68208",
                            "    - bpf: account for current allocated stack depth in",
                            "      widen_imprecise_scalars()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68200",
                            "    - bpf: Add bpf_prog_run_data_pointers()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40275",
                            "    - ALSA: usb-audio: Fix NULL pointer dereference in",
                            "      snd_usb_mixer_controls_badd",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68242",
                            "    - NFS: Fix LTP test failures when timestamps are delegated",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68243",
                            "    - NFS: Check the TLS certificate fields in nfs_match_client()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40276",
                            "    - drm/panthor: Flush shmem writes before mapping buffers CPU-uncached",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40277",
                            "    - drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68206",
                            "    - netfilter: nft_ct: add seqadj extension for natted connections",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68209",
                            "    - mlx5: Fix default values in create CQ",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40278",
                            "    - net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-",
                            "      infoleak",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40279",
                            "    - net: sched: act_connmark: initialize struct tc_ife to fix kernel leak",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40280",
                            "    - tipc: Fix use-after-free in tipc_mon_reinit_self().",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40281",
                            "    - sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40282",
                            "    - Bluetooth: 6lowpan: reset link-local header on ipv6 recv path",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40283",
                            "    - Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40284",
                            "    - Bluetooth: MGMT: cancel mesh send timer when hdev removed",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68210",
                            "    - erofs: avoid infinite loop due to incomplete zstd-compressed data",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40285",
                            "    - smb/server: fix possible refcount leak in smb2_sess_setup()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40286",
                            "    - smb/server: fix possible memory leak in smb2_read()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40287",
                            "    - exfat: fix improper check of dentry.stream.valid_size",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40288",
                            "    - drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40289",
                            "    - drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68201",
                            "    - drm/amdgpu: remove two invalid BUG_ON()s",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68207",
                            "    - drm/xe/guc: Synchronize Dead CT worker with unbind",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68244",
                            "    - drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833)",
                            "    - Revert \"Bluetooth: L2CAP: convert timeouts to secs_to_jiffies()\"",
                            "    - sched_ext: Mark scx_bpf_dsq_move_set_[slice|vtime]() with KF_RCU",
                            "    - net: usb: asix_devices: Check return value of usbnet_get_endpoints",
                            "    - fbdev: atyfb: Check if pll_ops->init_pll failed",
                            "    - ACPI: button: Call input_free_device() on failing input device",
                            "      registration",
                            "    - ACPI: fan: Use platform device for devres-related actions",
                            "    - virtio-net: drop the multi-buffer XDP packet in zerocopy",
                            "    - batman-adv: Release references to inactive interfaces",
                            "    - Bluetooth: rfcomm: fix modem control handling",
                            "    - net: phy: dp83867: Disable EEE support as not implemented",
                            "    - fbdev: pvr2fb: Fix leftover reference to ONCHIP_NR_DMA_CHANNELS",
                            "    - fbdev: valkyriefb: Fix reference count leak in valkyriefb_init",
                            "    - mptcp: drop bogus optimization in __mptcp_check_push()",
                            "    - mptcp: restore window probe",
                            "    - ASoC: qdsp6: q6asm: do not sleep while atomic",
                            "    - ASoC: renesas: rz-ssi: Use proper dma_buffer_pos after resume",
                            "    - s390/pci: Restore IRQ unconditionally for the zPCI device",
                            "    - x86/build: Disable SSE4a",
                            "    - wifi: ath10k: Fix memory leak on unsupported WMI command",
                            "    - wifi: ath11k: Add missing platform IDs for quirk table",
                            "    - wifi: ath12k: free skb during idr cleanup callback",
                            "    - wifi: ath11k: avoid bit operation on key flags",
                            "    - drm/msm/a6xx: Fix GMU firmware parser",
                            "    - ALSA: usb-audio: fix control pipe direction",
                            "    - ASoC: cs-amp-lib-test: Fix missing include of kunit/test-bug.h",
                            "    - wifi: mac80211: reset FILS discovery and unsol probe resp intervals",
                            "    - wifi: mac80211: fix key tailroom accounting leak",
                            "    - wifi: nl80211: call kfree without a NULL check",
                            "    - kunit: test_dev_action: Correctly cast 'priv' pointer to long*",
                            "    - scsi: ufs: core: Initialize value of an attribute returned by uic cmd",
                            "    - scsi: core: Fix the unit attention counter implementation",
                            "    - bpf: Do not audit capability check in do_jit()",
                            "    - nvmet-auth: update sc_c in host response",
                            "    - crypto: s390/phmac - Do not modify the req->nbytes value",
                            "    - ASoC: Intel: avs: Unprepare a stream when XRUN occurs",
                            "    - ASoC: fsl_sai: fix bit order for DSD format",
                            "    - ASoC: fsl_micfil: correct the endian format for DSD",
                            "    - libbpf: Fix powerpc's stack register definition in bpf_tracing.h",
                            "    - ASoC: mediatek: Fix double pm_runtime_disable in remove functions",
                            "    - Bluetooth: ISO: Fix BIS connection dst_type handling",
                            "    - Bluetooth: btmtksdio: Add pmctrl handling for BT closed state during",
                            "      reset",
                            "    - Bluetooth: HCI: Fix tracking of advertisement set/instance 0x00",
                            "    - Bluetooth: ISO: Fix another instance of dst_type handling",
                            "    - Bluetooth: btintel_pcie: Fix event packet loss issue",
                            "    - Bluetooth: hci_conn: Fix connection cleanup with BIG with 2 or more BIS",
                            "    - Bluetooth: hci_core: Fix tracking of periodic advertisement",
                            "    - bpf: Conditionally include dynptr copy kfuncs",
                            "    - drm/msm: Ensure vm is created in VM_BIND ioctl",
                            "    - ALSA: usb-audio: add mono main switch to Presonus S1824c",
                            "    - ALSA: usb-audio: don't log messages meant for 1810c when initializing",
                            "      1824c",
                            "    - ACPI: MRRM: Check revision of MRRM table",
                            "    - drm/etnaviv: fix flush sequence logic",
                            "    - tools: ynl: fix string attribute length to include null terminator",
                            "    - net: hns3: return error code when function fails",
                            "    - sfc: fix potential memory leak in efx_mae_process_mport()",
                            "    - tools: ynl: avoid print_field when there is no reply",
                            "    - dpll: spec: add missing module-name and clock-id to pin-get reply",
                            "    - ASoC: fsl_sai: Fix sync error in consumer mode",
                            "    - ASoC: soc_sdw_utils: remove cs42l43 component_name",
                            "    - drm/amd/pm: fix smu table id bound check issue in smu_cmn_update_table()",
                            "    - drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji",
                            "    - drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland",
                            "    - drm/amdgpu: fix SPDX headers on amdgpu_cper.c/h",
                            "    - drm/amdgpu: fix SPDX header on amd_cper.h",
                            "    - drm/amdgpu: fix SPDX header on irqsrcs_vcn_5_0.h",
                            "    - ACPI: fan: Use ACPI handle when retrieving _FST",
                            "    - block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL",
                            "    - block: make REQ_OP_ZONE_OPEN a write operation",
                            "    - dma-fence: Fix safe access wrapper to call timeline name method",
                            "    - kbuild: align modinfo section for Secureboot Authenticode EDK2 compat",
                            "    - regmap: irq: Correct documentation of wake_invert flag",
                            "    - [Config] Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP for s390x",
                            "    - s390/mm: Fix memory leak in add_marker() when kvrealloc() fails",
                            "    - drm/xe: Do not wake device during a GT reset",
                            "    - drm/sched: avoid killing parent entity on child SIGKILL",
                            "    - drm/sched: Fix race in drm_sched_entity_select_rq()",
                            "    - drm/nouveau: Fix race in nouveau_sched_fini()",
                            "    - drm/i915/dmc: Clear HRR EVT_CTL/HTP to zero on ADL-S",
                            "    - drm/ast: Clear preserved bits from register output value",
                            "    - drm/amd: Check that VPE has reached DPM0 in idle handler",
                            "    - drm/amd/display: Fix incorrect return of vblank enable on unconfigured",
                            "      crtc",
                            "    - drm/amd/display: Don't program BLNDGAM_MEM_PWR_FORCE when CM low-power",
                            "      is disabled on DCN30",
                            "    - drm/amd/display: Add HDR workaround for a specific eDP",
                            "    - mptcp: leverage skb deferral free",
                            "    - mptcp: fix MSG_PEEK stream corruption",
                            "    - cpuidle: governors: menu: Rearrange main loop in menu_select()",
                            "    - cpuidle: governors: menu: Select polling state in some more cases",
                            "    - PM: hibernate: Combine return paths in power_down()",
                            "    - PM: sleep: Allow pm_restrict_gfp_mask() stacking",
                            "    - mfd: kempld: Switch back to earlier ->init() behavior",
                            "    - soc: aspeed: socinfo: Add AST27xx silicon IDs",
                            "    - firmware: qcom: scm: preserve assign_mem() error return value",
                            "    - soc: qcom: smem: Fix endian-unaware access of num_entries",
                            "    - spi: loopback-test: Don't use %pK through printk",
                            "    - spi: spi-qpic-snand: handle 'use_ecc' parameter of",
                            "      qcom_spi_config_cw_read()",
                            "    - soc: ti: pruss: don't use %pK through printk",
                            "    - bpf: Don't use %pK through printk",
                            "    - mmc: sdhci: Disable SD card clock before changing parameters",
                            "    - pinctrl: single: fix bias pull up/down handling in pin_config_set",
                            "    - mmc: host: renesas_sdhi: Fix the actual clock",
                            "    - memstick: Add timeout to prevent indefinite waiting",
                            "    - cpufreq: ti: Add support for AM62D2",
                            "    - bpf: Use tnums for JEQ/JNE is_branch_taken logic",
                            "    - firmware: ti_sci: Enable abort handling of entry to LPM",
                            "    - firewire: ohci: move self_id_complete tracepoint after validating",
                            "      register",
                            "    - irqchip/sifive-plic: Respect mask state when setting affinity",
                            "    - irqchip/loongson-eiointc: Route interrupt parsed from bios table",
                            "    - ACPI: sysfs: Use ACPI_FREE() for freeing an ACPI object",
                            "    - ACPI: video: force native for Lenovo 82K8",
                            "    - libbpf: Fix USDT SIB argument handling causing unrecognized register",
                            "      error",
                            "    - selftests/bpf: Fix bpf_prog_detach2 usage in test_lirc_mode2",
                            "    - arm64: versal-net: Update rtc calibration value",
                            "    - Revert \"UBUNTU: SAUCE: firmware: qcom: scm: Allow QSEECOM on Dell",
                            "      Inspiron 7441 / Latitude 7455\"",
                            "    - firmware: qcom: scm: Allow QSEECOM on Dell Inspiron 7441 / Latitude 7455",
                            "    - kselftest/arm64: tpidr2: Switch to waitpid() over wait4()",
                            "    - arc: Fix __fls() const-foldability via __builtin_clzl()",
                            "    - selftests/bpf: Upon failures, exit with code 1 in test_xsk.sh",
                            "    - irqchip/gic-v2m: Handle Multiple MSI base IRQ Alignment",
                            "    - ACPI: PRM: Skip handlers with NULL handler_address or NULL VA",
                            "    - ACPI: resource: Skip IRQ override on ASUS Vivobook Pro N6506CU",
                            "    - ACPI: scan: Add Intel CVS ACPI HIDs to acpi_ignore_dep_ids[]",
                            "    - thermal: gov_step_wise: Allow cooling level to be reduced earlier",
                            "    - thermal: intel: selftests: workload_hint: Mask unsupported types",
                            "    - power: supply: qcom_battmgr: add OOI chemistry",
                            "    - hwmon: (k10temp) Add thermal support for AMD Family 1Ah-based models",
                            "    - hwmon: (k10temp) Add device ID for Strix Halo",
                            "    - hwmon: (lenovo-ec-sensors) Update P8 supprt",
                            "    - hwmon: (sbtsi_temp) AMD CPU extended temperature range support",
                            "    - pinctrl: renesas: rzg2l: Add suspend/resume support for Schmitt control",
                            "      registers",
                            "    - pinctrl: keembay: release allocated memory in detach path",
                            "    - power: supply: sbs-charger: Support multiple devices",
                            "    - io_uring/rsrc: respect submitter_task in io_register_clone_buffers()",
                            "    - hwmon: sy7636a: add alias",
                            "    - selftests/bpf: Fix incorrect array size calculation",
                            "    - block: check for valid bio while splitting",
                            "    - irqchip/loongson-pch-lpc: Use legacy domain for PCH-LPC IRQ controller",
                            "    - cpufreq: ondemand: Update the efficient idle check for Intel extended",
                            "      Families",
                            "    - arm64: zynqmp: Disable coresight by default",
                            "    - arm64: zynqmp: Revert usb node drive strength and slew rate for zcu106",
                            "    - soc/tegra: fuse: Add Tegra114 nvmem cells and fuse lookups",
                            "    - ARM: tegra: p880: set correct touchscreen clipping",
                            "    - ARM: tegra: transformer-20: add missing magnetometer interrupt",
                            "    - ARM: tegra: transformer-20: fix audio-codec interrupt",
                            "    - firmware: qcom: tzmem: disable sc7180 platform",
                            "    - soc: ti: k3-socinfo: Add information for AM62L SR1.1",
                            "    - mmc: sdhci-msm: Enable tuning for SDR50 mode for SD card",
                            "    - pwm: pca9685: Use bulk write to atomicially update registers",
                            "    - ACPICA: dispatcher: Use acpi_ds_clear_operands() in",
                            "      acpi_ds_call_control_method()",
                            "    - tee: allow a driver to allocate a tee_device without a pool",
                            "    - kunit: Enable PCI on UML without triggering WARN()",
                            "    - selftests/bpf: Fix arena_spin_lock selftest failure",
                            "    - bpf: Do not limit bpf_cgroup_from_id to current's namespace",
                            "    - i3c: mipi-i3c-hci-pci: Add support for Intel Wildcat Lake-U I3C",
                            "    - rust: kunit: allow `cfg` on `test`s",
                            "    - video: backlight: lp855x_bl: Set correct EPROM start for LP8556",
                            "    - i3c: dw: Add shutdown support to dw_i3c_master driver",
                            "    - io_uring/zcrx: check all niovs filled with dma addresses",
                            "    - tools/cpupower: fix error return value in cpupower_write_sysfs()",
                            "    - io_uring/zcrx: account niov arrays to cgroup",
                            "    - pmdomain: apple: Add \"apple,t8103-pmgr-pwrstate\"",
                            "    - power: supply: qcom_battmgr: handle charging state change notifications",
                            "    - bpftool: Fix -Wuninitialized-const-pointer warnings with clang >= 21",
                            "    - cpuidle: Fail cpuidle device registration if there is one already",
                            "    - selftests/bpf: Fix selftest verifier_arena_large failure",
                            "    - selftests: ublk: fix behavior when fio is not installed",
                            "    - spi: rpc-if: Add resume support for RZ/G3E",
                            "    - ACPI: SPCR: Support Precise Baud Rate field",
                            "    - clocksource/drivers/vf-pit: Replace raw_readl/writel to readl/writel",
                            "    - clocksource/drivers/timer-rtl-otto: Work around dying timers",
                            "    - clocksource/drivers/timer-rtl-otto: Do not interfere with interrupts",
                            "    - riscv: bpf: Fix uninitialized symbol 'retval_off'",
                            "    - bpf: Clear pfmemalloc flag when freeing all fragments",
                            "    - selftests: drv-net: Pull data before parsing headers",
                            "    - nvme: Use non zero KATO for persistent discovery connections",
                            "    - uprobe: Do not emulate/sstep original instruction when ip is changed",
                            "    - hwmon: (asus-ec-sensors) increase timeout for locking ACPI mutex",
                            "    - hwmon: (dell-smm) Remove Dell Precision 490 custom config data",
                            "    - hwmon: (dell-smm) Add support for Dell OptiPlex 7040",
                            "    - tools/cpupower: Fix incorrect size in cpuidle_state_disable()",
                            "    - selftests/bpf: Fix flaky bpf_cookie selftest",
                            "    - tools/power turbostat: Fix incorrect sorting of PMT telemetry",
                            "    - tools/power x86_energy_perf_policy: Fix incorrect fopen mode usage",
                            "    - tools/power x86_energy_perf_policy: Enhance HWP enable",
                            "    - tools/power x86_energy_perf_policy: Prefer driver HWP limits",
                            "    - mfd: simple-mfd-i2c: Add compatible strings for Layerscape QIXIS FPGA",
                            "    - mfd: stmpe: Remove IRQ domain upon removal",
                            "    - mfd: stmpe-i2c: Add missing MODULE_LICENSE",
                            "    - mfd: qnap-mcu: Handle errors returned from qnap_mcu_write",
                            "    - mfd: qnap-mcu: Include linux/types.h in qnap-mcu.h shared header",
                            "    - mfd: madera: Work around false-positive -Wininitialized warning",
                            "    - mfd: da9063: Split chip variant reading in two bus transactions",
                            "    - mfd: macsmc: Add \"apple,t8103-smc\" compatible",
                            "    - mfd: core: Increment of_node's refcount before linking it to the",
                            "      platform device",
                            "    - mfd: cs42l43: Move IRQ enable/disable to encompass force suspend",
                            "    - mfd: intel-lpss: Add Intel Wildcat Lake LPSS PCI IDs",
                            "    - drm/xe/ptl: Apply Wa_16026007364",
                            "    - drm/xe/configfs: Enforce canonical device names",
                            "    - drm/amd/display: Update tiled to tiled copy command",
                            "    - drm/amd/display: fix condition for setting timing_adjust_pending",
                            "    - drm/amd/display: ensure committing streams is seamless",
                            "    - drm/amdgpu: add range check for RAS bad page address",
                            "    - drm/amdgpu: Check vcn sram load return value",
                            "    - drm/amd/display: Remove check DPIA HPD status for BW Allocation",
                            "    - drm/amd/display: Increase AUX Intra-Hop Done Max Wait Duration",
                            "    - drm/amd/display: Fix dmub_cmd header alignment",
                            "    - drm/xe/guc: Add more GuC load error status codes",
                            "    - drm/xe/pf: Don't resume device from restart worker",
                            "    - drm/amdgpu: Fix build error when CONFIG_SUSPEND is disabled",
                            "    - drm/amdgpu: Update IPID value for bad page threshold CPER",
                            "    - drm/amdgpu: Avoid rma causes GPU duplicate reset",
                            "    - drm/amdgpu: Effective health check before reset",
                            "    - drm/amd/amdgpu: Release xcp drm memory after unplug",
                            "    - drm/amdgpu: Fix vcn v5.0.1 poison irq call trace",
                            "    - drm/xe: Extend wa_13012615864 to additional Xe2 and Xe3 platforms",
                            "    - drm/amdgpu: Skip poison aca bank from UE channel",
                            "    - drm/amd/display: add more cyan skillfish devices",
                            "    - drm/amdgpu: Initialize jpeg v5_0_1 ras function",
                            "    - drm/amdgpu: skip mgpu fan boost for multi-vf",
                            "    - drm/amd/display: fix dmub access race condition",
                            "    - drm/amd/display: update dpp/disp clock from smu clock table",
                            "    - drm/amd/pm: Use cached metrics data on aldebaran",
                            "    - drm/amd/pm: Use cached metrics data on arcturus",
                            "    - accel/amdxdna: Unify pm and rpm suspend and resume callbacks",
                            "    - drm/amdgpu/jpeg: Hold pg_lock before jpeg poweroff",
                            "    - drm/xe/pf: Program LMTT directory pointer on all GTs within a tile",
                            "    - drm/nouveau: replace snprintf() with scnprintf() in nvkm_snprintbf()",
                            "    - ASoC: tas2781: Add keyword \"init\" in profile section",
                            "    - ASoC: mediatek: Use SND_JACK_AVOUT for HDMI/DP jacks",
                            "    - drm/amd/display: Reset apply_eamless_boot_optimization when dpms_off",
                            "    - drm/amdgpu: add to custom amdgpu_drm_release drm_dev_enter/exit",
                            "    - drm/amd/display: Wait until OTG enable state is cleared",
                            "    - drm/xe: rework PDE PAT index selection",
                            "    - docs: kernel-doc: avoid script crash on ancient Python",
                            "    - drm/sharp-memory: Do not access GEM-DMA vaddr directly",
                            "    - PCI: Disable MSI on RDC PCI to PCIe bridges",
                            "    - drm/nouveau: always set RMDevidCheckIgnore for GSP-RM",
                            "    - drm/panel-edp: Add SHP LQ134Z1 panel for Dell XPS 9345",
                            "    - selftests/net: Replace non-standard __WORDSIZE with sizeof(long) * 8",
                            "    - selftests/net: Ensure assert() triggers in psock_tpacket.c",
                            "    - wifi: rtw89: print just once for unknown C2H events",
                            "    - wifi: rtw88: sdio: use indirect IO for device registers before power-on",
                            "    - wifi: rtw89: add dummy C2H handlers for BCN resend and update done",
                            "    - drm/amdkfd: return -ENOTTY for unsupported IOCTLs",
                            "    - selftests: drv-net: devmem: add / correct the IPv6 support",
                            "    - selftests: drv-net: devmem: flip the direction of Tx tests",
                            "    - media: pci: ivtv: Don't create fake v4l2_fh",
                            "    - media: amphion: Delete v4l2_fh synchronously in .release()",
                            "    - drm/tidss: Use the crtc_* timings when programming the HW",
                            "    - drm/bridge: cdns-dsi: Fix REG_WAKEUP_TIME value",
                            "    - drm/bridge: cdns-dsi: Don't fail on MIPI_DSI_MODE_VIDEO_BURST",
                            "    - drm/tidss: Set crtc modesetting parameters with adjusted mode",
                            "    - drm/tidss: Remove early fb",
                            "    - RDMA/mana_ib: Drain send wrs of GSI QP",
                            "    - media: i2c: Kconfig: Ensure a dependency on HAVE_CLK for",
                            "      VIDEO_CAMERA_SENSOR",
                            "    - PCI/ERR: Update device error_state already after reset",
                            "    - x86/vsyscall: Do not require X86_PF_INSTR to emulate vsyscall",
                            "    - net: stmmac: Check stmmac_hw_setup() in stmmac_resume()",
                            "    - ice: Don't use %pK through printk or tracepoints",
                            "    - thunderbolt: Use is_pciehp instead of is_hotplug_bridge",
                            "    - ASoC: es8323: enable DAPM power widgets for playback DAC and output",
                            "    - powerpc/eeh: Use result of error_detected() in uevent",
                            "    - s390/pci: Use pci_uevent_ers() in PCI recovery",
                            "    - bridge: Redirect to backup port when port is administratively down",
                            "    - selftests: drv-net: wait for carrier",
                            "    - net: phy: mscc: report and configure in-band auto-negotiation for",
                            "      SGMII/QSGMII",
                            "    - scsi: ufs: host: mediatek: Fix auto-hibern8 timer configuration",
                            "    - scsi: ufs: host: mediatek: Fix PWM mode switch issue",
                            "    - scsi: ufs: host: mediatek: Assign power mode userdata before FASTAUTO",
                            "      mode change",
                            "    - scsi: ufs: host: mediatek: Change reset sequence for improved stability",
                            "    - scsi: ufs: host: mediatek: Fix invalid access in vccqx handling",
                            "    - gpu: nova-core: register: allow fields named `offset`",
                            "    - drm/panthor: Serialize GPU cache flush operations",
                            "    - HID: pidff: Use direction fix only for conditional effects",
                            "    - HID: pidff: PERMISSIVE_CONTROL quirk autodetection",
                            "    - drm/bridge: display-connector: don't set OP_DETECT for DisplayPorts",
                            "    - drm/amdkfd: Handle lack of READ permissions in SVM mapping",
                            "    - drm/amdgpu: refactor bad_page_work for corner case handling",
                            "    - hwrng: timeriomem - Use us_to_ktime() where appropriate",
                            "    - iio: adc: spear_adc: mask SPEAR_ADC_STATUS channel and avg sample before",
                            "      setting register",
                            "    - iio: adc: imx93_adc: load calibrated values even calibration failed",
                            "    - usb: gadget: f_ncm: Fix MAC assignment NCM ethernet",
                            "    - ASoC: es8323: remove DAC enablement write from es8323_probe",
                            "    - ASoC: es8323: add proper left/right mixer controls via DAPM",
                            "    - ASoC: codecs: wsa883x: Handle shared reset GPIO for WSA883x speakers",
                            "    - drm/xe: Make page size consistent in loop",
                            "    - wifi: rtw89: wow: remove notify during WoWLAN net-detect",
                            "    - wifi: rtw89: fix BSSID comparison for non-transmitted BSSID",
                            "    - wifi: rtw89: 8851b: rfk: update IQK TIA setting",
                            "    - dm error: mark as DM_TARGET_PASSES_INTEGRITY",
                            "    - char: misc: Make misc_register() reentry for miscdevice who wants",
                            "      dynamic minor",
                            "    - char: misc: Does not request module for miscdevice with dynamic minor",
                            "    - net: When removing nexthops, don't call synchronize_net if it is not",
                            "      necessary",
                            "    - net: Call trace_sock_exceed_buf_limit() for memcg failure with",
                            "      SK_MEM_RECV.",
                            "    - dmaengine: idxd: Add a new IAA device ID for Wildcat Lake family",
                            "      platforms",
                            "    - PCI/P2PDMA: Fix incorrect pointer usage in devm_kfree() call",
                            "    - bnxt_en: Add Hyper-V VF ID",
                            "    - tty: serial: Modify the use of dev_err_probe()",
                            "    - ALSA: usb-audio: Add validation of UAC2/UAC3 effect units",
                            "    - Octeontx2-af: Broadcast XON on all channels",
                            "    - idpf: do not linearize big TSO packets",
                            "    - drm/xe/pcode: Initialize data0 for pcode read routine",
                            "    - drm/panel: ilitek-ili9881c: turn off power-supply when init fails",
                            "    - drm/panel: ilitek-ili9881c: move display_on/_off dcs calls to",
                            "      (un-)prepare",
                            "    - rds: Fix endianness annotation for RDS_MPATH_HASH",
                            "    - net: wangxun: limit tx_max_coalesced_frames_irq",
                            "    - iio: imu: bmi270: Match PNP ID found on newer GPD firmware",
                            "    - media: ipu6: isys: Set embedded data type correctly for metadata formats",
                            "    - rpmsg: char: Export alias for RPMSG ID rpmsg-raw from table",
                            "    - net: ipv4: allow directed broadcast routes to use dst hint",
                            "    - scsi: mpi3mr: Fix device loss during enclosure reboot due to zero link",
                            "      speed",
                            "    - wifi: rtw89: coex: Limit Wi-Fi scan slot cost to avoid A2DP glitch",
                            "    - scsi: mpi3mr: Fix I/O failures during controller reset",
                            "    - scsi: mpi3mr: Fix controller init failure on fault during queue creation",
                            "    - scsi: pm80xx: Fix race condition caused by static variables",
                            "    - extcon: adc-jack: Fix wakeup source leaks on device unbind",
                            "    - extcon: fsa9480: Fix wakeup source leaks on device unbind",
                            "    - extcon: axp288: Fix wakeup source leaks on device unbind",
                            "    - drm/xe: Set GT as wedged before sending wedged uevent",
                            "    - remoteproc: wkup_m3: Use devm_pm_runtime_enable() helper",
                            "    - drm/xe/wcl: Extend L3bank mask workaround",
                            "    - net: phy: fixed_phy: let fixed_phy_unregister free the phy_device",
                            "    - selftests: drv-net: hds: restore hds settings",
                            "    - fuse: zero initialize inode private data",
                            "    - virtio_fs: fix the hash table using in virtio_fs_enqueue_req()",
                            "    - selftests: pci_endpoint: Skip IRQ test if IRQ is out of range.",
                            "    - drm/xe: Ensure GT is in C0 during resumes",
                            "    - misc: pci_endpoint_test: Skip IRQ tests if irq is out of range",
                            "    - drm/amdgpu: Correct the loss of aca bank reg info",
                            "    - drm/amdgpu: Correct the counts of nr_banks and nr_errors",
                            "    - drm/amdkfd: fix vram allocation failure for a special case",
                            "    - drm/amd/display: Support HW cursor 180 rot for any number of pipe splits",
                            "    - drm/amdkfd: Tie UNMAP_LATENCY to queue_preemption",
                            "    - drm/amd/display: wait for otg update pending latch before clock",
                            "      optimization",
                            "    - drm/amd/display: Consider sink max slice width limitation for dsc",
                            "    - drm/amdgpu/vpe: cancel delayed work in hw_fini",
                            "    - drm/xe: Cancel pending TLB inval workers on teardown",
                            "    - net: Prevent RPS table overwrite of active flows",
                            "    - eth: fbnic: Reset hw stats upon PCI error",
                            "    - wifi: iwlwifi: mld: trigger mlo scan only when not in EMLSR",
                            "    - platform/x86/intel-uncore-freq: Fix warning in partitioned system",
                            "    - drm/msm/dpu: Filter modes based on adjusted mode clock",
                            "    - drm/msm: Use of_reserved_mem_region_to_resource() for \"memory-region\"",
                            "    - selftests: drv-net: rss_ctx: fix the queue count check",
                            "    - media: fix uninitialized symbol warnings",
                            "    - media: pci: mgb4: Fix timings comparison in VIDIOC_S_DV_TIMINGS",
                            "    - ASoC: SOF: ipc4-pcm: Add fixup for channels",
                            "    - drm/amdgpu: Notify pmfw bad page threshold exceeded",
                            "    - drm/amd/display: Increase minimum clock for TMDS 420 with pipe splitting",
                            "    - drm/amdgpu: Avoid jpeg v5.0.1 poison irq call trace on sriov guest",
                            "    - drm/amd/display: incorrect conditions for failing dto calculations",
                            "    - drm/amdgpu: Avoid vcn v5.0.1 poison irq call trace on sriov guest",
                            "    - drm/amdgpu: Respect max pixel clock for HDMI and DVI-D (v2)",
                            "    - mips: lantiq: danube: add missing properties to cpu node",
                            "    - mips: lantiq: danube: add model to EASY50712 dts",
                            "    - mips: lantiq: danube: add missing device_type in pci node",
                            "    - mips: lantiq: xway: sysctrl: rename stp clock",
                            "    - mips: lantiq: danube: rename stp node on EASY50712 reference board",
                            "    - inet_diag: annotate data-races in inet_diag_bc_sk()",
                            "    - microchip: lan865x: add ndo_eth_ioctl handler to enable PHY ioctl",
                            "      support",
                            "    - crypto: qat - use kcalloc() in qat_uclo_map_objs_from_mof()",
                            "    - scsi: pm8001: Use int instead of u32 to store error codes",
                            "    - iio: adc: ad7124: do not require mclk",
                            "    - scsi: ufs: exynos: fsd: Gate ref_clk and put UFS device in reset on",
                            "      suspend",
                            "    - media: imx-mipi-csis: Only set clock rate when specified in DT",
                            "    - wifi: iwlwifi: pcie: remember when interrupts are disabled",
                            "    - drm/st7571-i2c: add support for inverted pixel format",
                            "    - ptp: Limit time setting of PTP clocks",
                            "    - dmaengine: sh: setup_xref error handling",
                            "    - dmaengine: mv_xor: match alloc_wc and free_wc",
                            "    - dmaengine: dw-edma: Set status for callback_result",
                            "    - netfilter: nf_tables: all transaction allocations can now sleep",
                            "    - drm/msm/dsi/phy: Toggle back buffer resync after preparing PLL",
                            "    - drm/msm/dsi/phy_7nm: Fix missing initial VCO rate",
                            "    - drm/amdgpu: Allow kfd CRIU with no buffer objects",
                            "    - drm/xe/guc: Increase GuC crash dump buffer size",
                            "    - drm/amd/pm: Increase SMC timeout on SI and warn (v3)",
                            "    - move_mount(2): take sanity checks in 'beneath' case into do_lock_mount()",
                            "    - selftests: drv-net: rss_ctx: make the test pass with few queues",
                            "    - ipv6: Add sanity checks on ipv6_devconf.rpl_seg_enabled",
                            "    - drm/xe: Extend Wa_22021007897 to Xe3 platforms",
                            "    - wifi: mac80211: count reg connection element in the size",
                            "    - drm/panthor: check bo offset alignment in vm bind",
                            "    - drm: panel-backlight-quirks: Make EDID match optional",
                            "    - ixgbe: reduce number of reads when getting OROM data",
                            "    - netlink: specs: fou: change local-v6/peer-v6 check",
                            "    - net: nfc: nci: Increase NCI_DATA_TIMEOUT to 3000 ms",
                            "    - media: adv7180: Add missing lock in suspend callback",
                            "    - media: adv7180: Do not write format to device in set_fmt",
                            "    - media: adv7180: Only validate format in querystd",
                            "    - media: verisilicon: Explicitly disable selection api ioctls for decoders",
                            "    - wifi: mac80211: Fix 6 GHz Band capabilities element advertisement in",
                            "      lower bands",
                            "    - platform/x86: think-lmi: Add extra TC BIOS error messages",
                            "    - platform/x86/intel-uncore-freq: Present unique domain ID per package",
                            "    - ALSA: usb-audio: apply quirk for MOONDROP Quark2",
                            "    - PCI: imx6: Enable the Vaux supply if available",
                            "    - drm/xe/guc: Set upper limit of H2G retries over CTB",
                            "    - net: call cond_resched() less often in __release_sock()",
                            "    - smsc911x: add second read of EEPROM mac when possible corruption seen",
                            "    - drm/xe: improve dma-resv handling for backup object",
                            "    - iommu/amd: Add support to remap/unmap IOMMU buffers for kdump",
                            "    - iommu/amd: Skip enabling command/event buffers for kdump",
                            "    - iommu/amd: Reuse device table for kdump",
                            "    - crypto: ccp: Skip SEV and SNP INIT for kdump boot",
                            "    - iommu/apple-dart: Clear stream error indicator bits for T8110 DARTs",
                            "    - bus: mhi: host: pci_generic: Add support for all Foxconn T99W696 SKU",
                            "      variants",
                            "    - drm/amdgpu: Correct info field of bad page threshold exceed CPER",
                            "    - drm/amd: add more cyan skillfish PCI ids",
                            "    - drm/amdgpu: don't enable SMU on cyan skillfish",
                            "    - drm/amdgpu: add support for cyan skillfish gpu_info",
                            "    - drm/amd/display: Fix pbn_div Calculation Error",
                            "    - drm/amd/display: dont wait for pipe update during medupdate/highirq",
                            "    - drm/amd/pm: refine amdgpu pm sysfs node error code",
                            "    - drm/amd/display: Indicate when custom brightness curves are in use",
                            "    - selftests: ncdevmem: don't retry EFAULT",
                            "    - net: dsa: felix: support phy-mode = \"10g-qxgmii\"",
                            "    - usb: gadget: f_hid: Fix zero length packet transfer",
                            "    - serial: qcom-geni: Add DFS clock mode support to GENI UART driver",
                            "    - serdev: Drop dev_pm_domain_detach() call",
                            "    - tty/vt: Add missing return value for VT_RESIZE in vt_ioctl()",
                            "    - eeprom: at25: support Cypress FRAMs without device ID",
                            "    - drm/msm/adreno: Add speedbins for A663 GPU",
                            "    - drm/msm: Fix 32b size truncation",
                            "    - dt-bindings: display/msm/gmu: Update Adreno 623 bindings",
                            "    - drm/msm: make sure to not queue up recovery more than once",
                            "    - char: Use list_del_init() in misc_deregister() to reinitialize list",
                            "      pointer",
                            "    - drm/msm/adreno: Add speedbin data for A623 GPU",
                            "    - drm/msm/adreno: Add fenced regwrite support",
                            "    - drm/msm/a6xx: Switch to GMU AO counter",
                            "    - idpf: link NAPIs to queues",
                            "    - selftests: net: make the dump test less sensitive to mem accounting",
                            "    - PCI: endpoint: pci-epf-test: Limit PCIe BAR size for fixed BARs",
                            "    - wifi: rtw89: Add USB ID 2001:332a for D-Link AX9U rev. A1",
                            "    - wifi: rtw89: Add USB ID 2001:3327 for D-Link AX18U rev. A1",
                            "    - wifi: iwlwifi: fw: Add ASUS to PPAG and TAS list",
                            "    - drm/xe/i2c: Enable bus mastering",
                            "    - media: ov08x40: Fix the horizontal flip control",
                            "    - media: i2c: og01a1b: Specify monochrome media bus format instead of",
                            "      Bayer",
                            "    - media: qcom: camss: csiphy-3ph: Add CSIPHY 2ph DPHY v2.0.1 init sequence",
                            "    - drm/bridge: write full Audio InfoFrame",
                            "    - drm/xe/guc: Always add CT disable action during second init step",
                            "    - f2fs: fix wrong layout information on 16KB page",
                            "    - selftests: mptcp: join: allow more time to send ADD_ADDR",
                            "    - scsi: ufs: host: mediatek: Enhance recovery on resume failure",
                            "    - scsi: ufs: ufs-qcom: Align programming sequence of Shared ICE for UFS",
                            "      controller v5",
                            "    - scsi: ufs: host: mediatek: Fix unbalanced IRQ enable issue",
                            "    - scsi: ufs: host: mediatek: Enhance recovery on hibernation exit failure",
                            "    - net: phy: marvell: Fix 88e1510 downshift counter errata",
                            "    - scsi: ufs: host: mediatek: Correct system PM flow",
                            "    - scsi: ufs: host: mediatek: Disable auto-hibern8 during power mode",
                            "      changes",
                            "    - scsi: ufs: host: mediatek: Fix adapt issue after PA_Init",
                            "    - wifi: cfg80211: update the time stamps in hidden ssid",
                            "    - wifi: mac80211: Fix HE capabilities element check",
                            "    - fbcon: Use screen info to find primary device",
                            "    - phy: cadence: cdns-dphy: Enable lower resolutions in dphy",
                            "    - Fix access to video_is_primary_device() when compiled without",
                            "      CONFIG_VIDEO",
                            "    - phy: renesas: r8a779f0-ether-serdes: add new step added to latest",
                            "      datasheet",
                            "    - phy: rockchip: phy-rockchip-inno-csidphy: allow writes to grf register 0",
                            "    - drm/msm/registers: Generate _HI/LO builders for reg64",
                            "    - net: sh_eth: Disable WoL if system can not suspend",
                            "    - selftests: net: replace sleeps in fcnal-test with waits",
                            "    - media: redrat3: use int type to store negative error codes",
                            "    - platform/x86/amd/pmf: Fix the custom bios input handling mechanism",
                            "    - selftests: traceroute: Use require_command()",
                            "    - selftests: traceroute: Return correct value on failure",
                            "    - openrisc: Add R_OR1K_32_PCREL relocation type module support",
                            "    - netfilter: nf_reject: don't reply to icmp error messages",
                            "    - x86/kvm: Prefer native qspinlock for dedicated vCPUs irrespective of",
                            "      PV_UNHALT",
                            "    - x86/virt/tdx: Use precalculated TDVPR page physical address",
                            "    - selftests: Disable dad for ipv6 in fcnal-test.sh",
                            "    - eth: 8139too: Make 8139TOO_PIO depend on !NO_IOPORT_MAP",
                            "    - [Config] No longer enable `CONFIG_8139TOO_PIO` for armhf",
                            "    - selftests: Replace sleep with slowwait",
                            "    - net: devmem: expose tcp_recvmsg_locked errors",
                            "    - selftests: net: lib.sh: Don't defer failed commands",
                            "    - HID: asus: add Z13 folio to generic group for multitouch to work",
                            "    - watchdog: s3c2410_wdt: Fix max_timeout being calculated larger",
                            "    - crypto: sun8i-ce - remove channel timeout field",
                            "    - PCI: dwc: Verify the single eDMA IRQ in dw_pcie_edma_irq_verify()",
                            "    - crypto: ccp - Fix incorrect payload size calculation in",
                            "      psp_poulate_hsti()",
                            "    - crypto: caam - double the entropy delay interval for retry",
                            "    - can: rcar_canfd: Update bit rate constants for RZ/G3E and R-Car Gen4",
                            "    - net: mana: Reduce waiting time if HWC not responding",
                            "    - ionic: use int type for err in ionic_get_module_eeprom_by_page",
                            "    - net/cls_cgroup: Fix task_get_classid() during qdisc run",
                            "    - wifi: mt76: mt7921: Add 160MHz beamformee capability for mt7922 device",
                            "    - wifi: mt76: mt7925: add pci restore for hibernate",
                            "    - wifi: mt76: mt7996: Fix mt7996_reverse_frag0_hdr_trans for MLO",
                            "    - wifi: mt76: mt7996: Set def_wcid pointer in mt7996_mac_sta_init_link()",
                            "    - wifi: mt76: mt7996: Temporarily disable EPCS",
                            "    - wifi: mt76: mt7996: support writing MAC TXD for AddBA Request",
                            "    - wifi: mt76: mt76_eeprom_override to int",
                            "    - ALSA: serial-generic: remove shared static buffer",
                            "    - wifi: mt76: mt7996: fix memory leak on mt7996_mcu_sta_key_tlv error",
                            "    - wifi: mt76: mt7996: disable promiscuous mode by default",
                            "    - wifi: mt76: use altx queue for offchannel tx on connac+",
                            "    - wifi: mt76: improve phy reset on hw restart",
                            "    - drm/amdgpu: Use memdup_array_user in amdgpu_cs_wait_fences_ioctl",
                            "    - drm/amdgpu: Release hive reference properly",
                            "    - drm/amd/display: Fix DMCUB loading sequence for DCN3.2",
                            "    - drm/amd/display: Set up pixel encoding for YCBCR422",
                            "    - drm/amd/display: fix dml ms order of operations",
                            "    - drm/amd/display: Don't use non-registered VUPDATE on DCE 6",
                            "    - drm/amd/display: Keep PLL0 running on DCE 6.0 and 6.4",
                            "    - drm/amd/display: Fix DVI-D/HDMI adapters",
                            "    - drm/amd/display: Disable VRR on DCE 6",
                            "    - drm/amd/display/dml2: Guard dml21_map_dc_state_into_dml_display_cfg with",
                            "      DC_FP_START",
                            "    - net: phy: clear EEE runtime state in PHY_HALTED/PHY_ERROR",
                            "    - ethernet: Extend device_get_mac_address() to use NVMEM",
                            "    - scsi: ufs: ufs-qcom: Disable lane clocks during phy hibern8",
                            "    - HID: i2c-hid: Resolve touchpad issues on Dell systems during S4",
                            "    - hinic3: Queue pair endianness improvements",
                            "    - hinic3: Fix missing napi->dev in netif_queue_set_napi",
                            "    - tools: ynl-gen: validate nested arrays",
                            "    - drm/xe/guc: Return an error code if the GuC load fails",
                            "    - drm/amdgpu: reject gang submissions under SRIOV",
                            "    - selftests/Makefile: include $(INSTALL_DEP_TARGETS) in clean target to",
                            "      clean net/lib dependency",
                            "    - scsi: ufs: core: Disable timestamp functionality if not supported",
                            "    - scsi: lpfc: Clean up allocated queues when queue setup mbox commands",
                            "      fail",
                            "    - scsi: lpfc: Decrement ndlp kref after FDISC retries exhausted",
                            "    - scsi: lpfc: Check return status of lpfc_reset_flush_io_context during",
                            "      TGT_RESET",
                            "    - scsi: lpfc: Remove ndlp kref decrement clause for F_Port_Ctrl in",
                            "      lpfc_cleanup",
                            "    - scsi: lpfc: Define size of debugfs entry for xri rebalancing",
                            "    - scsi: lpfc: Ensure PLOGI_ACC is sent prior to PRLI in Point to Point",
                            "      topology",
                            "    - allow finish_no_open(file, ERR_PTR(-E...))",
                            "    - usb: mon: Increase BUFF_MAX to 64 MiB to support multi-MB URBs",
                            "    - usb: xhci: plat: Facilitate using autosuspend for xhci plat devices",
                            "    - wifi: rtw89: disable RTW89_PHYSTS_IE09_FTR_0 for ppdu status",
                            "    - wifi: rtw89: obtain RX path from ppdu status IE00",
                            "    - wifi: rtw89: renew a completion for each H2C command waiting C2H event",
                            "    - usb: xhci-pci: add support for hosts with zero USB3 ports",
                            "    - ipv6: np->rxpmtu race annotation",
                            "    - RDMA/irdma: Update Kconfig",
                            "    - IB/ipoib: Ignore L3 master device",
                            "    - bnxt_en: Add fw log trace support for 5731X/5741X chips",
                            "    - mei: make a local copy of client uuid in connect",
                            "    - ASoC: qcom: sc8280xp: explicitly set S16LE format in",
                            "      sc8280xp_be_hw_params_fixup()",
                            "    - net: phy: clear link parameters on admin link down",
                            "    - net: ethernet: microchip: sparx5: make it selectable for ARCH_LAN969X",
                            "    - bus: mhi: core: Improve mhi_sync_power_up handling for SYS_ERR state",
                            "    - iommu/vt-d: Replace snprintf with scnprintf in dmar_latency_snapshot()",
                            "    - wifi: ath10k: Fix connection after GTK rekeying",
                            "    - iommu/vt-d: Remove LPIG from page group response descriptor",
                            "    - wifi: mac80211: Get the correct interface for non-netdev skb status",
                            "    - wifi: mac80211: Track NAN interface start/stop",
                            "    - net: intel: fm10k: Fix parameter idx set but not used",
                            "    - sparc/module: Add R_SPARC_UA64 relocation handling",
                            "    - sparc64: fix prototypes of reads[bwl]()",
                            "    - vfio: return -ENOTTY for unsupported device feature",
                            "    - ptp_ocp: make ptp_ocp driver compatible with PTP_EXTTS_REQUEST2",
                            "    - crypto: hisilicon/qm - invalidate queues in use",
                            "    - crypto: hisilicon/qm - clear all VF configurations in the hardware",
                            "    - ASoC: ops: improve snd_soc_get_volsw",
                            "    - PCI/PM: Skip resuming to D0 if device is disconnected",
                            "    - selftests: forwarding: Reorder (ar)ping arguments to obey POSIX getopt",
                            "    - remoteproc: qcom: q6v5: Avoid handling handover twice",
                            "    - wifi: ath12k: Increase DP_REO_CMD_RING_SIZE to 256",
                            "    - net: dsa: microchip: Set SPI as bus interface during reset for KSZ8463",
                            "    - bng_en: make bnge_alloc_ring() self-unwind on failure",
                            "    - ALSA: usb-audio: don't apply interface quirk to Presonus S1824c",
                            "    - tcp: Update bind bucket state on port release",
                            "    - ovl: make sure that ovl_create_real() returns a hashed dentry",
                            "    - drm/amd/display: Add missing post flip calls",
                            "    - drm/amd/display: Add AVI infoframe copy in copy_stream_update_to_stream",
                            "    - drm/amd/display: Add fast sync field in ultra sleep more for DMUB",
                            "    - drm/amd/display: Init dispclk from bootup clock for DCN314",
                            "    - drm/amd/display: Fix for test crash due to power gating",
                            "    - drm/amd/display: change dc stream color settings only in atomic commit",
                            "    - NFSv4: handle ERR_GRACE on delegation recalls",
                            "    - NFSv4.1: fix mount hang after CREATE_SESSION failure",
                            "    - net: bridge: Install FDB for bridge MAC on VLAN 0",
                            "    - net: phy: dp83640: improve phydev and driver removal handling",
                            "    - scsi: ufs: core: Change MCQ interrupt enable flow",
                            "    - scsi: libfc: Fix potential buffer overflow in fc_ct_ms_fill()",
                            "    - accel/habanalabs/gaudi2: fix BMON disable configuration",
                            "    - scsi: mpt3sas: Add support for 22.5 Gbps SAS link rate",
                            "    - accel/habanalabs: return ENOMEM if less than requested pages were pinned",
                            "    - accel/habanalabs/gaudi2: read preboot status after recovering from dirty",
                            "      state",
                            "    - ASoC: renesas: msiof: add .symmetric_xxx on snd_soc_dai_driver",
                            "    - ASoC: renesas: msiof: use reset controller",
                            "    - ASoC: renesas: msiof: tidyup DMAC stop timing",
                            "    - ASoC: renesas: msiof: set SIFCTR register",
                            "    - ext4: increase IO priority of fastcommit",
                            "    - drm/amdgpu: Add fallback to pipe reset if KCQ ring reset fails",
                            "    - drm/amdgpu: Fix fence signaling race condition in userqueue",
                            "    - ASoC: stm32: sai: manage context in set_sysclk callback",
                            "    - ASoC: tlv320aic3x: Fix class-D initialization for tlv320aic3007",
                            "    - ACPI: scan: Update honor list for RPMI System MSI",
                            "    - platform/x86: x86-android-tablets: Stop using EPROBE_DEFER",
                            "    - vfio/pci: Fix INTx handling on legacy non-PCI 2.3 devices",
                            "    - vfio/nvgrace-gpu: Add GB300 SKU to the devid table",
                            "    - selftest: net: Fix error message if empty variable",
                            "    - net/mlx5e: Don't query FEC statistics when FEC is disabled",
                            "    - Bluetooth: btintel: Add support for BlazarIW core",
                            "    - net: macb: avoid dealing with endianness in macb_set_hwaddr()",
                            "    - Bluetooth: btusb: Add new VID/PID 13d3/3627 for MT7925",
                            "    - Bluetooth: btintel_pcie: Define hdev->wakeup() callback",
                            "    - Bluetooth: ISO: Don't initiate CIS connections if there are no buffers",
                            "    - Bluetooth: btusb: Check for unexpected bytes when defragmenting HCI",
                            "      frames",
                            "    - Bluetooth: ISO: Use sk_sndtimeo as conn_timeout",
                            "    - Bluetooth: btusb: Add new VID/PID 13d3/3633 for MT7922",
                            "    - net: stmmac: est: Drop frames causing HLBS error",
                            "    - exfat: limit log print for IO error",
                            "    - 6pack: drop redundant locking and refcounting",
                            "    - page_pool: Clamp pool size to max 16K pages",
                            "    - net/mlx5e: Prevent entering switchdev mode with inconsistent netns",
                            "    - ksmbd: use sock_create_kern interface to create kernel socket",
                            "    - smb: client: update cfid->last_access_time in",
                            "      open_cached_dir_by_dentry()",
                            "    - smb: client: transport: avoid reconnects triggered by pending task work",
                            "    - usb: xhci-pci: Fix USB2-only root hub registration",
                            "    - drm/amd/display: Add fallback path for YCBCR422",
                            "    - ACPICA: Update dsmethod.c to get rid of unused variable warning",
                            "    - RDMA/bnxt_re: Fix a potential memory leak in destroy_gsi_sqp",
                            "    - RDMA/irdma: Fix SD index calculation",
                            "    - RDMA/irdma: Remove unused struct irdma_cq fields",
                            "    - RDMA/irdma: Set irdma_cq cq_num field during CQ create",
                            "    - RDMA/uverbs: Fix umem release in UVERBS_METHOD_CQ_CREATE",
                            "    - RDMA/hns: Fix recv CQ and QP cache affinity",
                            "    - RDMA/hns: Fix the modification of max_send_sge",
                            "    - RDMA/hns: Fix wrong WQE data when QP wraps around",
                            "    - btrfs: mark dirty extent range for out of bound prealloc extents",
                            "    - clk: qcom: gcc-ipq6018: rework nss_port5 clock to multiple conf",
                            "    - clk: renesas: rzv2h: Re-assert reset on deassert timeout",
                            "    - clk: samsung: exynos990: Add missing USB clock registers to HSI0",
                            "    - fs/hpfs: Fix error code for new_inode() failure in",
                            "      mkdir/create/mknod/symlink",
                            "    - clocksource: hyper-v: Skip unnecessary checks for the root partition",
                            "    - hyperv: Add missing field to hv_output_map_device_interrupt",
                            "    - um: Fix help message for ssl-non-raw",
                            "    - clk: sunxi-ng: sun6i-rtc: Add A523 specifics",
                            "    - rtc: pcf2127: clear minute/second interrupt",
                            "    - ARM: at91: pm: save and restore ACR during PLL disable/enable",
                            "    - clk: at91: add ACR in all PLL settings",
                            "    - clk: at91: sam9x7: Add peripheral clock id for pmecc",
                            "    - clk: at91: clk-master: Add check for divide by 3",
                            "    - clk: at91: clk-sam9x60-pll: force write to PLL_UPDT register",
                            "    - clk: ti: am33xx: keep WKUP_DEBUGSS_CLKCTRL enabled",
                            "    - clk: scmi: Add duty cycle ops only when duty cycle is supported",
                            "    - clk: clocking-wizard: Fix output clock register offset for Versal",
                            "      platforms",
                            "    - NTB: epf: Allow arbitrary BAR mapping",
                            "    - 9p: fix /sys/fs/9p/caches overwriting itself",
                            "    - cpufreq: tegra186: Initialize all cores to max frequencies",
                            "    - 9p: sysfs_init: don't hardcode error to ENOMEM",
                            "    - scsi: ufs: core: Include UTP error in INT_FATAL_ERRORS",
                            "    - fbdev: core: Fix ubsan warning in pixel_to_pat",
                            "    - ACPI: property: Return present device nodes only on fwnode interface",
                            "    - LoongArch: Handle new atomic instructions for probes",
                            "    - tools bitmap: Add missing asm-generic/bitsperlong.h include",
                            "    - tools: lib: thermal: don't preserve owner in install",
                            "    - tools: lib: thermal: use pkg-config to locate libnl3",
                            "    - ALSA: hda/realtek: Add quirk for ASUS ROG Zephyrus Duo",
                            "    - rtc: zynqmp: Restore alarm functionality after kexec transition",
                            "    - rtc: pcf2127: fix watchdog interrupt mask on pcf2131",
                            "    - net: wwan: t7xx: add support for HP DRMR-H01",
                            "    - kbuild: uapi: Strip comments before size type check",
                            "    - ASoC: meson: aiu-encoder-i2s: fix bit clock polarity",
                            "    - ASoC: rt722: add settings for rt722VB",
                            "    - drm/amdgpu: Report individual reset error",
                            "    - ceph: add checking of wait_for_completion_killable() return value",
                            "    - ceph: fix potential race condition in ceph_ioctl_lazyio()",
                            "    - ceph: refactor wake_up_bit() pattern of calling",
                            "    - x86: uaccess: don't use runtime-const rewriting in modules",
                            "    - rust: condvar: fix broken intra-doc link",
                            "    - rust: devres: fix private intra-doc link",
                            "    - rust: kbuild: workaround `rustdoc` doctests modifier bug",
                            "    - rust: kbuild: treat `build_error` and `rustdoc` as kernel objects",
                            "    - media: uvcvideo: Use heuristic to find stream entity",
                            "    - Revert \"wifi: ath10k: avoid unnecessary wait for service ready message\"",
                            "    - tracing: tprobe-events: Fix to register tracepoint correctly",
                            "    - tracing: tprobe-events: Fix to put tracepoint_user when disable the",
                            "      tprobe",
                            "    - net: libwx: fix device bus LAN ID",
                            "    - scsi: ufs: core: Fix a race condition related to the \"hid\" attribute",
                            "      group",
                            "    - riscv: ptdump: use seq_puts() in pt_dump_seq_puts() macro",
                            "    - Revert \"wifi: ath12k: Fix missing station power save configuration\"",
                            "    - scsi: ufs: core: Revert \"Make HID attributes visible\"",
                            "    - Bluetooth: btrtl: Fix memory leak in rtlbt_parse_firmware_v2()",
                            "    - net: dsa: tag_brcm: legacy: fix untagged rx on unbridged ports for",
                            "      bcm63xx",
                            "    - selftests/net: fix out-of-order delivery of FIN in gro:tcp test",
                            "    - selftests/net: use destination options instead of hop-by-hop",
                            "    - selftests: netdevsim: Fix ethtool-coalesce.sh fail by installing",
                            "      ethtool-common.sh",
                            "    - net: vlan: sync VLAN features with lower device",
                            "    - net: dsa: b53: fix resetting speed and pause on forced link",
                            "    - net: dsa: b53: fix bcm63xx RGMII port link adjustment",
                            "    - net: dsa: b53: fix enabling ip multicast",
                            "    - net: dsa: b53: stop reading ARL entries if search is done",
                            "    - net: dsa: b53: properly bound ARL searches for < 4 ARL bin chips",
                            "    - sctp: Hold RCU read lock while iterating over address list",
                            "    - sctp: Hold sock lock while iterating over address list",
                            "    - net: ionic: add dma_wmb() before ringing TX doorbell",
                            "    - net: ionic: map SKB after pseudo-header checksum prep",
                            "    - octeontx2-pf: Fix devm_kcalloc() error checking",
                            "    - bnxt_en: Fix a possible memory leak in bnxt_ptp_init",
                            "    - bnxt_en: Always provide max entry and entry size in coredump segments",
                            "    - bnxt_en: Fix warning in bnxt_dl_reload_down()",
                            "    - wifi: mac80211_hwsim: Limit destroy_on_close radio removal to netgroup",
                            "    - io_uring: fix types for region size calulation",
                            "    - net/mlx5e: Fix return value in case of module EEPROM read error",
                            "    - net: ti: icssg-prueth: Fix fdb hash size configuration",
                            "    - net/mlx5e: SHAMPO, Fix header mapping for 64K pages",
                            "    - net/mlx5e: SHAMPO, Fix skb size check for 64K pages",
                            "    - net/mlx5e: SHAMPO, Fix header formulas for higher MTUs and 64K pages",
                            "    - net: wan: framer: pef2256: Switch to devm_mfd_add_devices()",
                            "    - net: dsa: microchip: Fix reserved multicast address table programming",
                            "    - net: bridge: fix MST static key usage",
                            "    - selftests/vsock: avoid false-positives when checking dmesg",
                            "    - tracing: Fix memory leaks in create_field_var()",
                            "    - drm/amd/display: Enable mst when it's detected but yet to be initialized",
                            "    - wifi: cfg80211: add an hrtimer based delayed work item",
                            "    - wifi: mac80211: use wiphy_hrtimer_work for ml_reconf_work",
                            "    - wifi: mac80211: use wiphy_hrtimer_work for ttlm_work",
                            "    - wifi: mac80211: use wiphy_hrtimer_work for csa.switch_work",
                            "    - riscv: Fix memory leak in module_frob_arch_sections()",
                            "    - rtc: rx8025: fix incorrect register reference",
                            "    - x86/microcode/AMD: Add more known models to entry sign checking",
                            "    - smb: client: validate change notify buffer before copy",
                            "    - x86/amd_node: Fix AMD root device caching",
                            "    - xfs: fix delalloc write failures in software-provided atomic writes",
                            "    - xfs: fix various problems in xfs_atomic_write_cow_iomap_begin",
                            "    - x86/CPU/AMD: Add missing terminator for zen5_rdseed_microcode",
                            "    - drm: define NVIDIA DRM format modifiers for GB20x",
                            "    - drm/nouveau: Advertise correct modifiers on GB20x",
                            "    - drm/amdgpu/smu: Handle S0ix for vangogh",
                            "    - drm/amdkfd: Don't clear PT after process killed",
                            "    - virtio_net: fix alignment for virtio_net_hdr_v1_hash",
                            "    - lib/crypto: curve25519-hacl64: Fix older clang KASAN workaround for GCC",
                            "    - scsi: ufs: ufs-pci: Fix S0ix/S3 for Intel controllers",
                            "    - scsi: ufs: ufs-pci: Set UFSHCD_QUIRK_PERFORM_LINK_STARTUP_ONCE for Intel",
                            "      ADL",
                            "    - scsi: ufs: core: Add a quirk to suppress link_startup_again",
                            "    - drm/amd/display: update color on atomic commit time",
                            "    - extcon: adc-jack: Cleanup wakeup source only if it was enabled",
                            "    - kunit: Extend kconfig help text for KUNIT_UML_PCI",
                            "    - ALSA: hda/tas2781: Enable init_profile_id for device initialization",
                            "    - ACPI: SPCR: Check for table version when using precise baudrate",
                            "    - kbuild: Strip trailing padding bytes from modules.builtin.modinfo",
                            "    - drm/amdgpu: Fix unintended error log in VCN5_0_0",
                            "    - drm/amd/display: Fix vupdate_offload_work doc",
                            "    - drm/amdgpu: Fix function header names in amdgpu_connectors.c",
                            "    - drm/amdgpu/userq: assign an error code for invalid userq va",
                            "    - drm/msm/dpu: Fix adjusted mode clock check for 3d merge",
                            "    - drm/amd/display: Reject modes with too high pixel clock on DCE6-10",
                            "    - drm/amd/display: use GFP_NOWAIT for allocation in interrupt handler",
                            "    - drm/amd/display: Fix black screen with HDMI outputs",
                            "    - selftests: drv-net: Reload pkt pointer after calling filter_udphdr",
                            "    - dt-bindings: eeprom: at25: use \"size\" for FRAMs without device ID",
                            "    - Linux 6.17.8",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68316",
                            "    - scsi: ufs: core: Fix invalid probe error return value",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40292",
                            "    - virtio-net: fix received length check in big packets",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68180",
                            "    - drm/amd/display: Fix NULL deref in debugfs odm_combine_segments",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40327",
                            "    - perf/core: Fix system hang caused by cpu-clock usage",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40328",
                            "    - smb: client: fix potential UAF in smb2_close_cached_fid()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40291",
                            "    - io_uring: fix regbuf vector size truncation",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68322",
                            "    - parisc: Avoid crash due to unaligned access in unwinder",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40293",
                            "    - iommufd: Don't overflow during division for dirty tracking",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40294",
                            "    - Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40329",
                            "    - drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40295",
                            "    - fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40296",
                            "    - platform/x86: int3472: Fix double free of GPIO device during unregister",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40297",
                            "    - net: bridge: fix use-after-free due to MST port state bypass",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68320",
                            "    - lan966x: Fix sleeping in atomic context",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68169",
                            "    - netpoll: Fix deadlock in memory allocation under spinlock",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68197",
                            "    - bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40330",
                            "    - bnxt_en: Shutdown FW DMA in bnxt_shutdown()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68192",
                            "    - net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40331",
                            "    - sctp: Prevent TOCTOU out-of-bounds write",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68187",
                            "    - net: mdio: Check regmap pointer returned by device_node_to_regmap()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68167",
                            "    - gpiolib: fix invalid pointer access in debugfs",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68319",
                            "    - netconsole: Acquire su_mutex before navigating configs hierarchy",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40298",
                            "    - gve: Implement settime64 with -EOPNOTSUPP",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40299",
                            "    - gve: Implement gettimex64 with -EOPNOTSUPP",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40301",
                            "    - Bluetooth: hci_event: validate skb length for unknown CC opcode",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40358",
                            "    - riscv: stacktrace: Disable KASAN checks for non-current tasks",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68186",
                            "    - ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader",
                            "      catches up",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68184",
                            "    - drm/mediatek: Disable AFBC support on Mediatek DRM driver",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40302",
                            "    - media: videobuf2: forbid remove_bufs when legacy fileio is active",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40303",
                            "    - btrfs: ensure no dirty metadata is written back for an fs with errors",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40362",
                            "    - ceph: fix multifs mds auth caps issue",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40332",
                            "    - drm/amdkfd: Fix mmap write lock not release",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40304",
                            "    - fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40305",
                            "    - 9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68318",
                            "    - clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40209",
                            "    - btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68183",
                            "    - ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68173",
                            "    - ftrace: Fix softlockup in ftrace_module_enable",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40306",
                            "    - orangefs: fix xattr related buffer overflow...",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40307",
                            "    - exfat: validate cluster allocation bits of the allocation bitmap",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40308",
                            "    - Bluetooth: bcsp: receive data only if registered",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40309",
                            "    - Bluetooth: SCO: Fix UAF on sco_conn_free",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68174",
                            "    - amd/amdkfd: enhance kfd process check in switch partition",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40310",
                            "    - amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40361",
                            "    - fs: ext4: change GFP_KERNEL to GFP_NOFS to avoid deadlock",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40311",
                            "    - accel/habanalabs: support mapping cb with vmalloc-backed coherent memory",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68185",
                            "    - nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode",
                            "      dereferencing",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68176",
                            "    - PCI: cadence: Check for the existence of cdns_pcie::ops before using it",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68190",
                            "    - drm/amdgpu/atom: Check kcalloc() for WS buffer in",
                            "      amdgpu_atom_execute_table_locked()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68168",
                            "    - jfs: fix uninitialized waitqueue in transaction manager",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40312",
                            "    - jfs: Verify inode mode when loading from disk",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40333",
                            "    - f2fs: fix infinite loop in __insert_extent_tree()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68321",
                            "    - page_pool: always add GFP_NOWARN for ATOMIC allocations",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40334",
                            "    - drm/amdgpu: validate userq buffer virtual address and size",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68191",
                            "    - udp_tunnel: use netdev_warn() instead of netdev_WARN()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68309",
                            "    - PCI/AER: Fix NULL pointer access by aer_info",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40313",
                            "    - ntfs3: pretend $Extend records as regular files",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40335",
                            "    - drm/amdgpu: validate userq input args",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40314",
                            "    - usb: cdns3: gadget: Use-after-free during failed initialization and exit",
                            "      of cdnsp gadget",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40336",
                            "    - drm/gpusvm: fix hmm_pfn_to_map_order() usage",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68193",
                            "    - drm/xe/guc: Add devm release action to safely tear down CT",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68175",
                            "    - media: nxp: imx8-isi: Fix streaming cleanup on release",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68188",
                            "    - tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68315",
                            "    - f2fs: fix to detect potential corrupted nid in free_nid_list",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40337",
                            "    - net: stmmac: Correctly handle Rx checksum offload errors",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40338",
                            "    - ASoC: Intel: avs: Do not share the name pointer between components",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40339",
                            "    - drm/amdgpu: fix nullptr err of vm_handle_moved",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68194",
                            "    - media: imon: make send_packet() more robust",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40363",
                            "    - net: ipv6: fix field-spanning memcpy warning in AH output",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68311",
                            "    - tty: serial: ip22zilog: Use platform device for probing",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40340",
                            "    - drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68196",
                            "    - drm/amd/display: Cache streams targeting link when performing LT",
                            "      automation",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68178",
                            "    - blk-cgroup: fix possible deadlock while configuring policy",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40341",
                            "    - futex: Don't leak robust_list pointer on exec race",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40342",
                            "    - nvme-fc: use lock accessing port_state and rport state",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40343",
                            "    - nvmet-fc: avoid scheduling association deletion twice",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68177",
                            "    - cpufreq/longhaul: handle NULL policy in longhaul_exit",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68317",
                            "    - io_uring/zctx: check chained notif contexts",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40315",
                            "    - usb: gadget: f_fs: Fix epfile null pointer access after ep enable.",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40316",
                            "    - drm/mediatek: Fix device use-after-free on unbind",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40360",
                            "    - drm/sysfb: Do not dereference NULL pointer in plane reset",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68179",
                            "    - s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68310",
                            "    - s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40317",
                            "    - regmap: slimbus: fix bus_context pointer in regmap init calls",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40359",
                            "    - perf/x86/intel: Fix KASAN global-out-of-bounds warning",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68181",
                            "    - drm/radeon: Remove calls to drm_put_dev()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68170",
                            "    - drm/radeon: Do not kfree() devres managed rdev",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40213",
                            "    - Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40318",
                            "    - Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68312",
                            "    - usbnet: Prevents free active kevent",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40344",
                            "    - ASoC: Intel: avs: Disable periods-elapsed work when closing PCM",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68172",
                            "    - crypto: aspeed - fix double free caused by devm",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40319",
                            "    - bpf: Sync pending IRQ work before freeing ring buffer",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68182",
                            "    - wifi: iwlwifi: fix potential use after free in iwl_mld_remove_link()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68314",
                            "    - drm/msm: make sure last_fence is always updated",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68189",
                            "    - drm/msm: Fix GEM free for imported dma-bufs",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68171",
                            "    - x86/fpu: Ensure XFD state on signal delivery",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68313",
                            "    - x86/CPU/AMD: Add RDSEED fix for Zen5",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40320",
                            "    - smb: client: fix potential cfid UAF in smb2_query_info_compound",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40321",
                            "    - wifi: brcmfmac: fix crash while sending Action Frames in standalone AP",
                            "      Mode",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40322",
                            "    - fbdev: bitblit: bound-check glyph index in bit_putcs*",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40211",
                            "    - ACPI: video: Fix use-after-free in acpi_video_switch_brightness()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40323",
                            "    - fbcon: Set fb_display[i]->mode to NULL when the mode is released",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40210",
                            "    - Revert \"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\"",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40324",
                            "    - NFSD: Fix crash in nfsd4_read_release()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40326",
                            "    - NFSD: Define actions for the new time_deleg FATTR4 attributes",
                            "  * Questing update: v6.17.7 upstream stable release (LP: #2136813)",
                            "    - sched_ext: Move internal type and accessor definitions to ext_internal.h",
                            "    - sched_ext: Put event_stats_cpu in struct scx_sched_pcpu",
                            "    - sched_ext: Sync error_irq_work before freeing scx_sched",
                            "    - timekeeping: Fix aux clocks sysfs initialization loop bound",
                            "    - x86/bugs: Report correct retbleed mitigation status",
                            "    - x86/bugs: Qualify RETBLEED_INTEL_MSG",
                            "    - genirq/chip: Add buslock back in to irq_set_handler()",
                            "    - genirq/manage: Add buslock back in to __disable_irq_nosync()",
                            "    - genirq/manage: Add buslock back in to enable_irq()",
                            "    - audit: record fanotify event regardless of presence of rules",
                            "    - EDAC/ie31200: Add two more Intel Alder Lake-S SoCs for EDAC support",
                            "    - perf/x86/intel: Add ICL_FIXED_0_ADAPTIVE bit into INTEL_FIXED_BITS_MASK",
                            "    - perf: Use current->flags & PF_KTHREAD|PF_USER_WORKER instead of",
                            "      current->mm == NULL",
                            "    - perf: Have get_perf_callchain() return NULL if crosstask and user are",
                            "      set",
                            "    - perf: Skip user unwind if the task is a kernel thread",
                            "    - EDAC: Fix wrong executable file modes for C source files",
                            "    - seccomp: passthrough uprobe systemcall without filtering",
                            "    - sched_ext: Keep bypass on between enable failure and",
                            "      scx_disable_workfn()",
                            "    - x86/bugs: Add attack vector controls for VMSCAPE",
                            "    - x86/bugs: Fix reporting of LFENCE retpoline",
                            "    - EDAC/mc_sysfs: Increase legacy channel support to 16",
                            "    - cpuset: Use new excpus for nocpu error check when enabling root",
                            "      partition",
                            "    - btrfs: abort transaction on specific error places when walking log tree",
                            "    - btrfs: abort transaction in the process_one_buffer() log tree walk",
                            "      callback",
                            "    - btrfs: zoned: return error from btrfs_zone_finish_endio()",
                            "    - btrfs: zoned: refine extent allocator hint selection",
                            "    - btrfs: scrub: replace max_t()/min_t() with clamp() in",
                            "      scrub_throttle_dev_io()",
                            "    - btrfs: always drop log root tree reference in btrfs_replay_log()",
                            "    - btrfs: use level argument in log tree walk callback replay_one_buffer()",
                            "    - btrfs: abort transaction if we fail to update inode in log replay dir",
                            "      fixup",
                            "    - btrfs: tree-checker: add inode extref checks",
                            "    - btrfs: use smp_mb__after_atomic() when forcing COW in",
                            "      create_pending_snapshot()",
                            "    - sched_ext: Make qmap dump operation non-destructive",
                            "    - arch: Add the macro COMPILE_OFFSETS to all the asm-offsets.c",
                            "    - btrfs: tree-checker: fix bounds check in check_inode_extref()",
                            "    - Linux 6.17.7",
                            "  * [UBUNTU 24.04] KVM: s390: improve interrupt cpu for wakeup (LP: #2132317)",
                            "    - KVM: s390: improve interrupt cpu for wakeup",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982)",
                            "    - sched/fair: Block delayed tasks on throttled hierarchy during dequeue",
                            "    - vfio/cdx: update driver to build without CONFIG_GENERIC_MSI_IRQ",
                            "    - expfs: Fix exportfs_can_encode_fh() for EXPORT_FH_FID",
                            "    - cgroup/misc: fix misc_res_type kernel-doc warning",
                            "    - dlm: move to rinfo for all middle conversion cases",
                            "    - exec: Fix incorrect type for ret",
                            "    - s390/pkey: Forward keygenflags to ep11_unwrapkey",
                            "    - hfs: clear offset and space out of valid records in b-tree node",
                            "    - hfs: make proper initalization of struct hfs_find_data",
                            "    - hfs: validate record offset in hfsplus_bmap_alloc",
                            "    - hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()",
                            "    - dlm: check for defined force value in dlm_lockspace_release",
                            "    - hfsplus: return EIO when type of hidden directory mismatch in",
                            "      hfsplus_fill_super()",
                            "    - PCI: Test for bit underflow in pcie_set_readrq()",
                            "    - lkdtm: fortify: Fix potential NULL dereference on kmalloc failure",
                            "    - arm64: sysreg: Correct sign definitions for EIESB and DoubleLock",
                            "    - m68k: bitops: Fix find_*_bit() signatures",
                            "    - powerpc/32: Remove PAGE_KERNEL_TEXT to fix startup failure",
                            "    - riscv: mm: Return intended SATP mode for noXlvl options",
                            "    - riscv: mm: Use mmu-type from FDT to limit SATP mode",
                            "    - riscv: cpufeature: add validation for zfa, zfh and zfhmin",
                            "    - drivers/perf: hisi: Relax the event ID check in the framework",
                            "    - s390/mm: Use __GFP_ACCOUNT for user page table allocations",
                            "    - smb: client: queue post_recv_credits_work also if the peer raises the",
                            "      credit target",
                            "    - smb: client: limit the range of info->receive_credit_target",
                            "    - smb: client: make use of ib_wc_status_msg() and skip IB_WC_WR_FLUSH_ERR",
                            "      logging",
                            "    - smb: server: let smb_direct_flush_send_list() invalidate a remote key",
                            "      first",
                            "    - Unbreak 'make tools/*' for user-space targets",
                            "    - platform/mellanox: mlxbf-pmc: add sysfs_attr_init() to count_clock init",
                            "    - cpufreq/amd-pstate: Fix a regression leading to EPP 0 after hibernate",
                            "    - net/mlx5e: Return 1 instead of 0 in invalid case in",
                            "      mlx5e_mpwrq_umr_entry_size()",
                            "    - rtnetlink: Allow deleting FDB entries in user namespace",
                            "    - net: enetc: fix the deadlock of enetc_mdio_lock",
                            "    - net: enetc: correct the value of ENETC_RXB_TRUESIZE",
                            "    - dpaa2-eth: fix the pointer passed to PTR_ALIGN on Tx path",
                            "    - net: phy: realtek: fix rtl8221b-vm-cg name",
                            "    - can: bxcan: bxcan_start_xmit(): use can_dev_dropped_skb() instead of",
                            "      can_dropped_invalid_skb()",
                            "    - can: esd: acc_start_xmit(): use can_dev_dropped_skb() instead of",
                            "      can_dropped_invalid_skb()",
                            "    - can: rockchip-canfd: rkcanfd_start_xmit(): use can_dev_dropped_skb()",
                            "      instead of can_dropped_invalid_skb()",
                            "    - selftests: net: fix server bind failure in sctp_vrf.sh",
                            "    - net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for legacy RQ",
                            "    - net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding",
                            "      RQ",
                            "    - net/smc: fix general protection fault in __smc_diag_dump",
                            "    - net: ethernet: ti: am65-cpts: fix timestamp loss due to race conditions",
                            "    - arm64, mm: avoid always making PTE dirty in pte_mkwrite()",
                            "    - erofs: avoid infinite loops due to corrupted subpage compact indexes",
                            "    - net: hibmcge: select FIXED_PHY",
                            "    - ptp: ocp: Fix typo using index 1 instead of i in SMA initialization loop",
                            "    - net: hsr: prevent creation of HSR device with slaves from another netns",
                            "    - espintcp: use datagram_poll_queue for socket readiness",
                            "    - net: datagram: introduce datagram_poll_queue for custom receive queues",
                            "    - ovpn: use datagram_poll_queue for socket readiness in TCP",
                            "    - net: bonding: fix possible peer notify event loss or dup issue",
                            "    - hung_task: fix warnings caused by unaligned lock pointers",
                            "    - mm: don't spin in add_stack_record when gfp flags don't allow",
                            "    - dma-debug: don't report false positives with",
                            "      DMA_BOUNCE_UNALIGNED_KMALLOC",
                            "    - arch_topology: Fix incorrect error check in",
                            "      topology_parse_cpu_capacity()",
                            "    - riscv: hwprobe: Fix stale vDSO data for late-initialized keys at boot",
                            "    - io_uring/sqpoll: switch away from getrusage() for CPU accounting",
                            "    - io_uring/sqpoll: be smarter on when to update the stime usage",
                            "    - btrfs: send: fix duplicated rmdir operations when using extrefs",
                            "    - btrfs: ref-verify: fix IS_ERR() vs NULL check in btrfs_build_ref_tree()",
                            "    - gpio: pci-idio-16: Define maximum valid register address offset",
                            "    - gpio: 104-idio-16: Define maximum valid register address offset",
                            "    - xfs: fix locking in xchk_nlinks_collect_dir",
                            "    - platform/x86: alienware-wmi-wmax: Add AWCC support to Dell G15 5530",
                            "    - Revert \"cpuidle: menu: Avoid discarding useful information\"",
                            "    - riscv: cpufeature: avoid uninitialized variable in",
                            "      has_thead_homogeneous_vlenb()",
                            "    - rust: device: fix device context of Device::parent()",
                            "    - slab: Avoid race on slab->obj_exts in alloc_slab_obj_exts",
                            "    - slab: Fix obj_ext mistakenly considered NULL due to race condition",
                            "    - smb: client: get rid of d_drop() in cifs_do_rename()",
                            "    - ACPICA: Work around bogus -Wstringop-overread warning since GCC 11",
                            "    - arm64: mte: Do not warn if the page is already tagged in copy_highpage()",
                            "    - can: netlink: can_changelink(): allow disabling of automatic restart",
                            "    - cifs: Fix TCP_Server_Info::credits to be signed",
                            "    - devcoredump: Fix circular locking dependency with devcd->mutex.",
                            "    - hwmon: (pmbus/max34440) Update adpm12160 coeff due to latest FW",
                            "    - MIPS: Malta: Fix keyboard resource preventing i8042 driver from",
                            "      registering",
                            "    - rv: Make rtapp/pagefault monitor depends on CONFIG_MMU",
                            "    - net: bonding: update the slave array for broadcast mode",
                            "    - net: stmmac: dwmac-rk: Fix disabling set_clock_selection",
                            "    - net: usb: rtl8150: Fix frame padding",
                            "    - net: ravb: Enforce descriptor type ordering",
                            "    - net: ravb: Ensure memory write completes before ringing TX doorbell",
                            "    - mptcp: pm: in-kernel: C-flag: handle late ADD_ADDR",
                            "    - selftests: mptcp: join: mark 'flush re-add' as skipped if not supported",
                            "    - selftests: mptcp: join: mark implicit tests as skipped if not supported",
                            "    - selftests: mptcp: join: mark 'delete re-add signal' as skipped if not",
                            "      supported",
                            "    - mm/mremap: correctly account old mapping after MREMAP_DONTUNMAP remap",
                            "    - drm/xe: Check return value of GGTT workqueue allocation",
                            "    - drm/amd/display: increase max link count and fix link->enc NULL pointer",
                            "      access",
                            "    - mm/damon/core: use damos_commit_quota_goal() for new goal commit",
                            "    - mm/damon/core: fix list_add_tail() call on damon_call()",
                            "    - spi: rockchip-sfc: Fix DMA-API usage",
                            "    - firmware: arm_ffa: Add support for IMPDEF value in the memory access",
                            "      descriptor",
                            "    - spi: spi-nxp-fspi: add the support for sample data from DQS pad",
                            "    - spi: spi-nxp-fspi: re-config the clock rate when operation require new",
                            "      clock rate",
                            "    - spi: spi-nxp-fspi: add extra delay after dll locked",
                            "    - spi: spi-nxp-fspi: limit the clock rate for different sample clock",
                            "      source selection",
                            "    - spi: cadence-quadspi: Fix pm_runtime unbalance on dma EPROBE_DEFER",
                            "    - arm64: dts: broadcom: bcm2712: Add default GIC address cells",
                            "    - arm64: dts: broadcom: bcm2712: Define VGIC interrupt",
                            "    - include: trace: Fix inflight count helper on failed initialization",
                            "    - firmware: arm_scmi: Fix premature SCMI_XFER_FLAG_IS_RAW clearing in raw",
                            "      mode",
                            "    - spi: airoha: return an error for continuous mode dirmap creation cases",
                            "    - spi: airoha: add support of dual/quad wires spi modes to exec_op()",
                            "      handler",
                            "    - spi: airoha: switch back to non-dma mode in the case of error",
                            "    - spi: airoha: fix reading/writing of flashes with more than one plane per",
                            "      lun",
                            "    - sysfs: check visibility before changing group attribute ownership",
                            "    - RISC-V: Define pgprot_dmacoherent() for non-coherent devices",
                            "    - RISC-V: Don't print details of CPUs disabled in DT",
                            "    - riscv: hwprobe: avoid uninitialized variable use in hwprobe_arch_id()",
                            "    - hwmon: (pmbus/isl68137) Fix child node reference leak on early return",
                            "    - hwmon: (sht3x) Fix error handling",
                            "    - io_uring: fix incorrect unlikely() usage in io_waitid_prep()",
                            "    - nbd: override creds to kernel when calling sock_{send,recv}msg()",
                            "    - drm/panic: Fix drawing the logo on a small narrow screen",
                            "    - drm/panic: Fix qr_code, ensure vmargin is positive",
                            "    - drm/panic: Fix 24bit pixel crossing page boundaries",
                            "    - of/irq: Convert of_msi_map_id() callers to of_msi_xlate()",
                            "    - of/irq: Add msi-parent check to of_msi_xlate()",
                            "    - block: require LBA dma_alignment when using PI",
                            "    - gpio: ljca: Fix duplicated IRQ mapping",
                            "    - io_uring: correct __must_hold annotation in io_install_fixed_file",
                            "    - sched: Remove never used code in mm_cid_get()",
                            "    - USB: serial: option: add UNISOC UIS7720",
                            "    - USB: serial: option: add Quectel RG255C",
                            "    - USB: serial: option: add Telit FN920C04 ECM compositions",
                            "    - usb/core/quirks: Add Huawei ME906S to wakeup quirk",
                            "    - usb: raw-gadget: do not limit transfer length",
                            "    - xhci: dbc: enable back DbC in resume if it was enabled before suspend",
                            "    - xhci: dbc: fix bogus 1024 byte prefix if ttyDBC read races with stall",
                            "      event",
                            "    - x86/microcode: Fix Entrysign revision check for Zen1/Naples",
                            "    - binder: remove \"invalid inc weak\" check",
                            "    - mei: me: add wildcat lake P DID",
                            "    - objtool/rust: add one more `noreturn` Rust function",
                            "    - nvmem: rcar-efuse: add missing MODULE_DEVICE_TABLE",
                            "    - misc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup",
                            "    - most: usb: hdm_probe: Fix calling put_device() before device",
                            "      initialization",
                            "    - tcpm: switch check for role_sw device with fw_node",
                            "    - dt-bindings: serial: sh-sci: Fix r8a78000 interrupts",
                            "    - dt-bindings: usb: dwc3-imx8mp: dma-range is required only for imx8mp",
                            "    - dt-bindings: usb: qcom,snps-dwc3: Fix bindings for X1E80100",
                            "    - serial: 8250_dw: handle reset control deassert error",
                            "    - serial: 8250_exar: add support for Advantech 2 port card with Device ID",
                            "      0x0018",
                            "    - serial: 8250_mtk: Enable baud clock and manage in runtime PM",
                            "    - serial: sc16is7xx: remove useless enable of enhanced features",
                            "    - staging: gpib: Fix device reference leak in fmh_gpib driver",
                            "    - staging: gpib: Fix no EOI on 1 and 2 byte writes",
                            "    - staging: gpib: Return -EINTR on device clear",
                            "    - staging: gpib: Fix sending clear and trigger events",
                            "    - mm/migrate: remove MIGRATEPAGE_UNMAP",
                            "    - treewide: remove MIGRATEPAGE_SUCCESS",
                            "    - vmw_balloon: indicate success when effectively deflating during",
                            "      migration",
                            "    - xfs: always warn about deprecated mount options",
                            "    - gpio: regmap: Allow to allocate regmap-irq device",
                            "    - gpio: regmap: add the .fixed_direction_output configuration parameter",
                            "    - gpio: idio-16: Define fixed direction of the GPIO lines",
                            "    - Linux 6.17.6",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40084",
                            "    - ksmbd: transport_ipc: validate payload size before reading handle",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40222",
                            "    - tty: serial: sh-sci: fix RSCI FIFO overrun handling",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40223",
                            "    - most: usb: Fix use-after-free in hdm_disconnect",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40106",
                            "    - comedi: fix divide-by-zero in comedi_buf_munge()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40224",
                            "    - hwmon: (cgbc-hwmon) Add missing NULL check after devm_kzalloc()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40225",
                            "    - drm/panthor: Fix kernel panic on partial unmap of a GPU VA region",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40226",
                            "    - firmware: arm_scmi: Account for failed debug initialization",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40227",
                            "    - mm/damon/sysfs: dealloc commit test ctx always",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40228",
                            "    - mm/damon/sysfs: catch commit test ctx alloc failure",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40229",
                            "    - mm/damon/core: fix potential memory leak by cleaning ops_filter in",
                            "      damon_destroy_scheme",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40230",
                            "    - mm: prevent poison consumption when splitting THP",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40231",
                            "    - vsock: fix lock inversion in vsock_assign_transport()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40233",
                            "    - ocfs2: clear extent cache after moving/defragmenting extents",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40235",
                            "    - btrfs: directly free partially initialized fs_info in",
                            "      btrfs_check_leaked_roots()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40236",
                            "    - virtio-net: zero unused hash fields",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40237",
                            "    - fs/notify: call exportfs_encode_fid with s_umount",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40238",
                            "    - net/mlx5: Fix IPsec cleanup over MPV device",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40239",
                            "    - net: phy: micrel: always set shared->phydev for LAN8814",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40240",
                            "    - sctp: avoid NULL dereference when chunk data buffer is missing",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40241",
                            "    - erofs: fix crafted invalid cases for encoded extents",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40242",
                            "    - gfs2: Fix unlikely race in gdlm_put_lock",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40243",
                            "    - hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40244",
                            "    - hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40245",
                            "    - nios2: ensure that memblock.current_limit is set when setting pfn limits",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557)",
                            "    - docs: kdoc: handle the obsolescensce of docutils.ErrorString()",
                            "    - Revert \"fs: make vfs_fileattr_[get|set] return -EOPNOTSUPP\"",
                            "    - PCI: vmd: Override irq_startup()/irq_shutdown() in",
                            "      vmd_init_dev_msi_info()",
                            "    - ata: libata-core: relax checks in ata_read_log_directory()",
                            "    - arm64/sysreg: Fix GIC CDEOI instruction encoding",
                            "    - ixgbevf: fix getting link speed data for E610 devices",
                            "    - rust: cfi: only 64-bit arm and x86 support CFI_CLANG",
                            "    - x86/CPU/AMD: Prevent reset reasons from being retained across reboot",
                            "    - slab: reset slab->obj_ext when freeing and it is OBJEXTS_ALLOC_FAIL",
                            "    - Revert \"io_uring/rw: drop -EOPNOTSUPP check in",
                            "      __io_complete_rw_common()\"",
                            "    - io_uring: protect mem region deregistration",
                            "    - Revert \"drm/amd/display: Only restore backlight after amdgpu_dm_init or",
                            "      dm_resume\"",
                            "    - r8152: add error handling in rtl8152_driver_init",
                            "    - net: usb: lan78xx: Fix lost EEPROM write timeout error(-ETIMEDOUT) in",
                            "      lan78xx_write_raw_eeprom",
                            "    - f2fs: fix wrong block mapping for multi-devices",
                            "    - gve: Check valid ts bit on RX descriptor before hw timestamping",
                            "    - jbd2: ensure that all ongoing I/O complete before freeing blocks",
                            "    - ext4: wait for ongoing I/O to complete before freeing blocks",
                            "    - btrfs: fix clearing of BTRFS_FS_RELOC_RUNNING if relocation already",
                            "      running",
                            "    - btrfs: fix memory leak on duplicated memory in the qgroup assign ioctl",
                            "    - btrfs: only set the device specific options after devices are opened",
                            "    - btrfs: fix incorrect readahead expansion length",
                            "    - can: gs_usb: gs_make_candev(): populate net_device->dev_port",
                            "    - can: gs_usb: increase max interface to U8_MAX",
                            "    - cxl/acpi: Fix setup of memory resource in cxl_acpi_set_cache_size()",
                            "    - ALSA: hda/intel: Add MSI X870E Tomahawk to denylist",
                            "    - ALSA: hda/realtek: Add quirk entry for HP ZBook 17 G6",
                            "    - drm/amdgpu: use atomic functions with memory barriers for vm fault info",
                            "    - drm/amdgpu: fix gfx12 mes packet status return check",
                            "    - drm/xe: Increase global invalidation timeout to 1000us",
                            "    - perf/core: Fix address filter match with backing files",
                            "    - perf/core: Fix MMAP event path names with backing files",
                            "    - perf/core: Fix MMAP2 event device with backing files",
                            "    - drm/amd: Check whether secure display TA loaded successfully",
                            "    - PM: hibernate: Add pm_hibernation_mode_is_suspend()",
                            "    - drm/amd: Fix hybrid sleep",
                            "    - usb: gadget: Store endpoint pointer in usb_request",
                            "    - usb: gadget: Introduce free_usb_request helper",
                            "    - HID: multitouch: fix sticky fingers",
                            "    - dax: skip read lock assertion for read-only filesystems",
                            "    - coredump: fix core_pattern input validation",
                            "    - can: m_can: m_can_plat_remove(): add missing pm_runtime_disable()",
                            "    - can: m_can: m_can_handle_state_errors(): fix CAN state transition to",
                            "      Error Active",
                            "    - can: m_can: m_can_chip_config(): bring up interface in correct state",
                            "    - can: m_can: fix CAN state in system PM",
                            "    - net: mtk: wed: add dma mask limitation and GFP_DMA32 for device with",
                            "      more than 4GB DRAM",
                            "    - net: dlink: handle dma_map_single() failure properly",
                            "    - doc: fix seg6_flowlabel path",
                            "    - can: j1939: add missing calls in NETDEV_UNREGISTER notification handler",
                            "    - dpll: zl3073x: Refactor DPLL initialization",
                            "    - dpll: zl3073x: Handle missing or corrupted flash configuration",
                            "    - r8169: fix packet truncation after S4 resume on RTL8168H/RTL8111H",
                            "    - net: phy: bcm54811: Fix GMII/MII/MII-Lite selection",
                            "    - net: phy: realtek: Avoid PHYCR2 access if PHYCR2 not present",
                            "    - amd-xgbe: Avoid spurious link down messages during interface toggle",
                            "    - Octeontx2-af: Fix missing error code in cgx_probe()",
                            "    - tcp: fix tcp_tso_should_defer() vs large RTT",
                            "    - net: airoha: Take into account out-of-order tx completions in",
                            "      airoha_dev_xmit()",
                            "    - selftests: net: check jq command is supported",
                            "    - net: core: fix lockdep splat on device unregister",
                            "    - ksmbd: fix recursive locking in RPC handle list access",
                            "    - tg3: prevent use of uninitialized remote_adv and local_adv variables",
                            "    - tls: trim encrypted message to match the plaintext on short splice",
                            "    - tls: wait for async encrypt in case of error during latter iterations of",
                            "      sendmsg",
                            "    - tls: always set record_type in tls_process_cmsg",
                            "    - tls: don't rely on tx_work during send()",
                            "    - netdevsim: set the carrier when the device goes up",
                            "    - net: usb: lan78xx: fix use of improperly initialized dev->chipid in",
                            "      lan78xx_reset",
                            "    - drm/panthor: Ensure MCU is disabled on suspend",
                            "    - nvme-multipath: Skip nr_active increments in RETRY disposition",
                            "    - riscv: kprobes: Fix probe address validation",
                            "    - drm/bridge: lt9211: Drop check for last nibble of version register",
                            "    - powerpc/fadump: skip parameter area allocation when fadump is disabled",
                            "    - ASoC: codecs: Fix gain setting ranges for Renesas IDT821034 codec",
                            "    - ASoC: nau8821: Cancel jdet_work before handling jack ejection",
                            "    - ASoC: nau8821: Generalize helper to clear IRQ status",
                            "    - ASoC: nau8821: Consistently clear interrupts before unmasking",
                            "    - ASoC: nau8821: Add DMI quirk to bypass jack debounce circuit",
                            "    - drm/i915/guc: Skip communication warning on reset in progress",
                            "    - drm/i915/frontbuffer: Move bo refcounting",
                            "      intel_frontbuffer_{get,release}()",
                            "    - drm/i915/fb: Fix the set_tiling vs. addfb race, again",
                            "    - drm/amdgpu: add ip offset support for cyan skillfish",
                            "    - drm/amdgpu: add support for cyan skillfish without IP discovery",
                            "    - drm/amdgpu: fix handling of harvesting for ip_discovery firmware",
                            "    - drm/amdgpu: handle wrap around in reemit handling",
                            "    - drm/amdgpu: set an error on all fences from a bad context",
                            "    - drm/amdgpu: drop unused structures in amdgpu_drm.h",
                            "    - drm/amd/powerplay: Fix CIK shutdown temperature",
                            "    - drm/xe: Enable media sampler power gating",
                            "    - drm/draw: fix color truncation in drm_draw_fill24",
                            "    - drm/rockchip: vop2: use correct destination rectangle height check",
                            "    - HID: intel-thc-hid: Intel-quickspi: switch first interrupt from level to",
                            "      edge detection",
                            "    - sched/fair: Fix pelt lost idle time detection",
                            "    - ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings",
                            "    - accel/qaic: Synchronize access to DBC request queue head & tail pointer",
                            "    - nvme-auth: update sc_c in host response",
                            "    - cxl/trace: Subtract to find an hpa_alias0 in cxl_poison events",
                            "    - selftests/bpf: make arg_parsing.c more robust to crashes",
                            "    - blk-mq: fix stale tag depth for shared sched tags in",
                            "      blk_mq_update_nr_requests()",
                            "    - block: Remove elevator_lock usage from blkg_conf frozen operations",
                            "    - HID: hid-input: only ignore 0 battery events for digitizers",
                            "    - HID: multitouch: fix name of Stylus input devices",
                            "    - drm/xe/evict: drop bogus assert",
                            "    - selftests: arg_parsing: Ensure data is flushed to disk before reading.",
                            "    - nvme/tcp: handle tls partially sent records in write_space()",
                            "    - rust: cpufreq: fix formatting",
                            "    - arm64: debug: always unmask interrupts in el0_softstp()",
                            "    - arm64: cputype: Add Neoverse-V3AE definitions",
                            "    - arm64: errata: Apply workarounds for Neoverse-V3AE",
                            "    - xfs: rename the old_crc variable in xlog_recover_process",
                            "    - xfs: fix log CRC mismatches between i386 and other architectures",
                            "    - NFSD: Rework encoding and decoding of nfsd4_deviceid",
                            "    - NFSD: Minor cleanup in layoutcommit processing",
                            "    - NFSD: Implement large extent array support in pNFS",
                            "    - NFSD: Fix last write offset handling in layoutcommit",
                            "    - phy: cdns-dphy: Store hs_clk_rate and return it",
                            "    - phy: cadence: cdns-dphy: Fix PLL lock and O_CMN_READY polling",
                            "    - x86/resctrl: Refactor resctrl_arch_rmid_read()",
                            "    - x86/resctrl: Fix miscount of bandwidth event when reactivating",
                            "      previously unavailable RMID",
                            "    - cxl: Fix match_region_by_range() to use region_res_match_cxl_range()",
                            "    - phy: cadence: cdns-dphy: Update calibration wait time for startup state",
                            "      machine",
                            "    - drm/xe: Use devm_ioremap_wc for VRAM mapping and drop manual unmap",
                            "    - drm/xe: Use dynamic allocation for tile and device VRAM region",
                            "      structures",
                            "    - drm/xe: Move struct xe_vram_region to a dedicated header",
                            "    - drm/xe: Unify the initialization of VRAM regions",
                            "    - drm/xe: Move rebar to be done earlier",
                            "    - PM: hibernate: Fix pm_hibernation_mode_is_suspend() build breakage",
                            "    - drm/xe: Fix an IS_ERR() vs NULL bug in xe_tile_alloc_vram()",
                            "    - Linux 6.17.5",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40086",
                            "    - drm/xe: Don't allow evicting of BOs in same VM in array of VM binds",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40087",
                            "    - NFSD: Define a proc_layoutcommit for the FlexFiles layout type",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40088",
                            "    - hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40162",
                            "    - ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40085",
                            "    - ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40172",
                            "    - accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40177",
                            "    - accel/qaic: Fix bootlog initialization ordering",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40163",
                            "    - sched/deadline: Stop dl_server before CPU goes offline",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40174",
                            "    - x86/mm: Fix SMP ordering in switch_mm_irqs_off()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40089",
                            "    - cxl/features: Add check for no entries in cxl_feature_info",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40176",
                            "    - tls: wait for pending async decryptions if tls_strp_msg_hold fails",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40164",
                            "    - usbnet: Fix using smp_processor_id() in preemptible code warnings",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40091",
                            "    - ixgbe: fix too early devlink_free() in ixgbe_remove()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40175",
                            "    - idpf: cleanup remaining SKBs in PTP flows",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40173",
                            "    - net/ip6_tunnel: Prevent perpetual tunnel growth",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40092",
                            "    - usb: gadget: f_ncm: Refactor bind path to use __free()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40093",
                            "    - usb: gadget: f_ecm: Refactor bind path to use __free()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40094",
                            "    - usb: gadget: f_acm: Refactor bind path to use __free()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40095",
                            "    - usb: gadget: f_rndis: Refactor bind path to use __free()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40165",
                            "    - media: nxp: imx8-isi: m2m: Fix streaming cleanup on release",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40096",
                            "    - drm/sched: Fix potential double free in",
                            "      drm_sched_job_add_resv_dependencies",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40097",
                            "    - ALSA: hda: Fix missing pointer check in hda_component_manager_init",
                            "      function",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40098",
                            "    - ALSA: hda: cs35l41: Fix NULL pointer dereference in",
                            "      cs35l41_get_acpi_mute_state()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40099",
                            "    - cifs: parse_dfs_referrals: prevent oob on malformed input",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40100",
                            "    - btrfs: do not assert we found block group item when creating free space",
                            "      tree",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40101",
                            "    - btrfs: fix memory leaks when rejecting a non SINGLE data profile without",
                            "      an RST",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40167",
                            "    - ext4: detect invalid INLINE_DATA + EXTENTS flag combination",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40102",
                            "    - KVM: arm64: Prevent access to vCPU events before init",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40103",
                            "    - smb: client: Fix refcount leak for cifs_sb_tlink",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40104",
                            "    - ixgbevf: fix mailbox API compatibility by negotiating supported features",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40166",
                            "    - drm/xe/guc: Check GuC running state before deregistering exec queue",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40105",
                            "    - vfs: Don't leak disconnected dentries on umount",
                            "  * The machine didn’t go into suspend and got stuck (LP: #2132095)",
                            "    - platform/x86: alienware-wmi-wmax: Fix NULL pointer dereference in sleep",
                            "      handlers",
                            "  * CAP_PERFMON insufficient to get perf data (LP: #2131046)",
                            "    - SAUCE: perf/core: Allow CAP_PERFMON for paranoid level 4",
                            "  * Poweroff not working consistently after upgrading kernel 6.14.0-17.17 or",
                            "    later (LP: #2115860)",
                            "    - drm/amd: Unify shutdown() callback behavior",
                            "    - drm/amd: Stop exporting amdgpu_device_ip_suspend() outside amdgpu_device",
                            "    - drm/amd: Remove comment about handling errors in",
                            "      amdgpu_device_ip_suspend_phase1()",
                            "    - drm/amd: Don't always set IP block HW status to false",
                            "    - drm/amd: Pass IP suspend errors up to callers",
                            "    - drm/amd: Avoid evicting resources at S5",
                            "  * Re-enable INTEL_SKL_INT3472 for kernels >= 6.16 for Intel IPU camera",
                            "    (LP: #2128792)",
                            "    - Revert \"UBUNTU: [Config] FTBFS: disable INTEL_SKL_INT3472\"",
                            "    - Revert \"UBUNTU: SAUCE: platform/x86: int3472: Add handshake GPIO",
                            "      function\"",
                            "  * Support Samsung S5K3J1 sensor for Intel MIPI camera (LP: #2121852)",
                            "    - SAUCE: media: ipu-bridge: Support s5k3j1 sensor",
                            "  * Questing update: v6.17.4 upstream stable release (LP: #2131259)",
                            "    - fs: always return zero on success from replace_fd()",
                            "    - fscontext: do not consume log entries when returning -EMSGSIZE",
                            "    - btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range()",
                            "    - arm64: map [_text, _stext) virtual address range non-executable+read-",
                            "      only",
                            "    - rseq: Protect event mask against membarrier IPI",
                            "    - statmount: don't call path_put() under namespace semaphore",
                            "    - listmount: don't call path_put() under namespace semaphore",
                            "    - clocksource/drivers/clps711x: Fix resource leaks in error paths",
                            "    - memcg: skip cgroup_file_notify if spinning is not allowed",
                            "    - page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches",
                            "    - PM: runtime: Update kerneldoc return codes",
                            "    - dma-mapping: fix direction in dma_alloc direction traces",
                            "    - cpufreq: Make drivers using CPUFREQ_ETERNAL specify transition latency",
                            "    - nfsd: unregister with rpcbind when deleting a transport",
                            "    - KVM: x86: Add helper to retrieve current value of user return MSR",
                            "    - KVM: SVM: Emulate PERF_CNTR_GLOBAL_STATUS_SET for PerfMonV2",
                            "    - iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE",
                            "    - media: v4l2-subdev: Fix alloc failure check in",
                            "      v4l2_subdev_call_state_try()",
                            "    - asm-generic/io.h: Skip trace helpers if rwmmio events are disabled",
                            "    - clk: npcm: select CONFIG_AUXILIARY_BUS",
                            "    - clk: thead: th1520-ap: describe gate clocks with clk_gate",
                            "    - clk: thead: th1520-ap: fix parent of padctrl0 clock",
                            "    - clk: thead: Correct parent for DPU pixel clocks",
                            "    - clk: renesas: r9a08g045: Add MSTOP for GPIO",
                            "    - perf disasm: Avoid undefined behavior in incrementing NULL",
                            "    - perf test trace_btf_enum: Skip if permissions are insufficient",
                            "    - perf evsel: Avoid container_of on a NULL leader",
                            "    - libperf event: Ensure tracing data is multiple of 8 sized",
                            "    - clk: qcom: common: Fix NULL vs IS_ERR() check in qcom_cc_icc_register()",
                            "    - clk: qcom: Select the intended config in QCS_DISPCC_615",
                            "    - perf parse-events: Handle fake PMUs in CPU terms",
                            "    - clk: at91: peripheral: fix return value",
                            "    - clk: renesas: cpg-mssr: Fix memory leak in cpg_mssr_reserved_init()",
                            "    - perf: Completely remove possibility to override MAX_NR_CPUS",
                            "    - perf drm_pmu: Fix fd_dir leaks in for_each_drm_fdinfo_in_dir()",
                            "    - perf util: Fix compression checks returning -1 as bool",
                            "    - rtc: x1205: Fix Xicor X1205 vendor prefix",
                            "    - rtc: optee: fix memory leak on driver removal",
                            "    - perf arm_spe: Correct setting remote access",
                            "    - perf arm_spe: Correct memory level for remote access",
                            "    - perf vendor events arm64 AmpereOneX: Fix typo - should be",
                            "      l1d_cache_access_prefetches",
                            "    - perf test: AMD IBS swfilt skip kernel tests if paranoia is >1",
                            "    - perf test shell lbr: Avoid failures with perf event paranoia",
                            "    - perf trace: Fix IS_ERR() vs NULL check bug",
                            "    - perf session: Fix handling when buffer exceeds 2 GiB",
                            "    - perf test: Don't leak workload gopipe in PERF_RECORD_*",
                            "    - perf evsel: Fix uniquification when PMU given without suffix",
                            "    - perf test: Avoid uncore_imc/clockticks in uniquification test",
                            "    - perf evsel: Ensure the fallback message is always written to",
                            "    - perf build-id: Ensure snprintf string is empty when size is 0",
                            "    - clk: mediatek: mt8195-infra_ao: Fix parent for infra_ao_hdmi_26m",
                            "    - clk: mediatek: clk-mux: Do not pass flags to",
                            "      clk_mux_determine_rate_flags()",
                            "    - clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate()",
                            "    - clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver",
                            "    - clk: tegra: do not overallocate memory for bpmp clocks",
                            "    - nfsd: fix assignment of ia_ctime.tv_nsec on delegated mtime update",
                            "    - nfsd: ignore ATTR_DELEG when checking ia_valid before notify_change()",
                            "    - vfs: add ATTR_CTIME_SET flag",
                            "    - nfsd: use ATTR_CTIME_SET for delegated ctime updates",
                            "    - nfsd: track original timestamps in nfs4_delegation",
                            "    - nfsd: fix SETATTR updates for delegated timestamps",
                            "    - nfsd: fix timestamp updates in CB_GETATTR",
                            "    - tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64",
                            "    - PM: core: Annotate loops walking device links as _srcu",
                            "    - PM: core: Add two macros for walking device links",
                            "    - PM: sleep: Do not wait on SYNC_STATE_ONLY device links",
                            "    - cpufreq: tegra186: Set target frequency for all cpus in policy",
                            "    - scsi: mvsas: Fix use-after-free bugs in mvs_work_queue",
                            "    - perf bpf-filter: Fix opts declaration on older libbpfs",
                            "    - scsi: ufs: sysfs: Make HID attributes visible",
                            "    - mshv: Handle NEED_RESCHED_LAZY before transferring to guest",
                            "    - perf bpf_counter: Fix handling of cpumap fixing hybrid",
                            "    - ASoC: SOF: ipc4-topology: Correct the minimum host DMA buffer size",
                            "    - ASoC: SOF: ipc4-topology: Account for different ChainDMA host buffer",
                            "      size",
                            "    - ASoC: SOF: Intel: hda-pcm: Place the constraint on period time instead",
                            "      of buffer time",
                            "    - LoongArch: Add cflag -fno-isolate-erroneous-paths-dereference",
                            "    - LoongArch: Fix build error for LTO with LLVM-18",
                            "    - LoongArch: Init acpi_gbl_use_global_lock to false",
                            "    - ASoC: SOF: Intel: Read the LLP via the associated Link DMA channel",
                            "    - net: usb: lan78xx: Fix lost EEPROM read timeout error(-ETIMEDOUT) in",
                            "      lan78xx_read_raw_eeprom",
                            "    - net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter()",
                            "    - drm/xe/hw_engine_group: Fix double write lock release in error path",
                            "    - drm/xe/i2c: Don't rely on d3cold.allowed flag in system PM path",
                            "    - s390/cio: Update purge function to unregister the unused subchannels",
                            "    - drm/vmwgfx: Fix a null-ptr access in the cursor snooper",
                            "    - drm/vmwgfx: Fix Use-after-free in validation",
                            "    - drm/vmwgfx: Fix copy-paste typo in validation",
                            "    - net/sctp: fix a null dereference in sctp_disposition",
                            "      sctp_sf_do_5_1D_ce()",
                            "    - tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().",
                            "    - net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work",
                            "    - selftest: net: ovpn: Fix uninit return values",
                            "    - ice: ice_adapter: release xa entry on adapter allocation failure",
                            "    - net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe",
                            "    - tools build: Align warning options with perf",
                            "    - perf python: split Clang options when invoking Popen",
                            "    - tcp: take care of zero tp->window_clamp in tcp_set_rcvlowat()",
                            "    - mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call",
                            "    - mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes",
                            "    - mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop",
                            "    - mailbox: zynqmp-ipi: Fix SGI cleanup on unbind",
                            "    - bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}",
                            "    - net: mdio: mdio-i2c: Hold the i2c bus lock during smbus transactions",
                            "    - net: sparx5/lan969x: fix flooding configuration on bridge join/leave",
                            "    - net/mlx5: Prevent tunnel mode conflicts between FDB and NIC IPsec tables",
                            "    - net/mlx5e: Prevent tunnel reformat when tunnel mode not allowed",
                            "    - mailbox: mtk-cmdq: Remove pm_runtime APIs from cmdq_mbox_send_data()",
                            "    - drm/amdgpu: Add additional DCE6 SCL registers",
                            "    - drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs",
                            "    - drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6",
                            "    - drm/amd/display: Properly disable scaling on DCE6",
                            "    - drm/amd/display: Disable scaling on DCE6 for now",
                            "    - drm/amdkfd: Fix kfd process ref leaking when userptr unmapping",
                            "    - net: pse-pd: tps23881: Fix current measurement scaling",
                            "    - crypto: skcipher - Fix reqsize handling",
                            "    - netfilter: nft_objref: validate objref and objrefmap expressions",
                            "    - bridge: br_vlan_fill_forward_path_pvid: use br_vlan_group_rcu()",
                            "    - selftests: netfilter: nft_fib.sh: fix spurious test failures",
                            "    - selftests: netfilter: query conntrack state to check for port clash",
                            "      resolution",
                            "    - io_uring/zcrx: increment fallback loop src offset",
                            "    - net: airoha: Fix loopback mode configuration for GDM2 port",
                            "    - cifs: Fix copy_to_iter return value check",
                            "    - smb: client: fix missing timestamp updates after utime(2)",
                            "    - rtc: isl12022: Fix initial enable_irq/disable_irq balance",
                            "    - cifs: Query EA $LXMOD in cifs_query_path_info() for WSL reparse points",
                            "    - tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single",
                            "    - gpio: wcd934x: mark the GPIO controller as sleeping",
                            "    - bpf: Avoid RCU context warning when unpinning htab with internal structs",
                            "    - kbuild: always create intermediate vmlinux.unstripped",
                            "    - kbuild: keep .modinfo section in vmlinux.unstripped",
                            "    - kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux",
                            "    - kbuild: Add '.rel.*' strip pattern for vmlinux",
                            "    - s390: vmlinux.lds.S: Reorder sections",
                            "    - s390/vmlinux.lds.S: Move .vmlinux.info to end of allocatable sections",
                            "    - ACPICA: acpidump: drop ACPI_NONSTRING attribute from file_name",
                            "    - ACPI: property: Fix buffer properties extraction for subnodes",
                            "    - ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT",
                            "    - ACPICA: Debugger: drop ACPI_NONSTRING attribute from name_seg",
                            "    - ACPI: debug: fix signedness issues in read/write helpers",
                            "    - ACPI: battery: Add synchronization between interface updates",
                            "    - arm64: dts: qcom: msm8916: Add missing MDSS reset",
                            "    - arm64: dts: qcom: msm8939: Add missing MDSS reset",
                            "    - arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: qcom: x1e80100-pmics: Disable pm8010",
                            "      by default\"",
                            "    - arm64: dts: qcom: x1e80100-pmics: Disable pm8010 by default",
                            "    - arm64: dts: ti: k3-am62a-main: Fix main padcfg length",
                            "    - arm64: dts: ti: k3-am62p: Fix supported hardware for 1GHz OPP",
                            "    - arm64: kprobes: call set_memory_rox() for kprobe page",
                            "    - arm64: mte: Do not flag the zero page as PG_mte_tagged",
                            "    - ARM: AM33xx: Implement TI advisory 1.0.36 (EMU0/EMU1 pins state on",
                            "      reset)",
                            "    - ARM: OMAP2+: pm33xx-core: ix device node reference leaks in",
                            "      amx3_idle_init",
                            "    - firmware: arm_scmi: quirk: Prevent writes to string constants",
                            "    - perf/arm-cmn: Fix CMN S3 DTM offset",
                            "    - KVM: s390: Fix to clear PTE when discarding a swapped page",
                            "    - KVM: arm64: Fix debug checking for np-guests using huge mappings",
                            "    - KVM: arm64: Fix page leak in user_mem_abort()",
                            "    - x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP",
                            "    - KVM: SVM: Re-load current, not host, TSC_AUX on #VMEXIT from SEV-ES",
                            "      guest",
                            "    - KVM: TDX: Fix uninitialized error code for __tdx_bringup()",
                            "    - dt-bindings: phy: rockchip-inno-csi-dphy: make power-domains non-",
                            "      required",
                            "    - xen: take system_transition_mutex on suspend",
                            "    - xen/events: Cleanup find_virq() return codes",
                            "    - xen/manage: Fix suspend error path",
                            "    - xen/events: Return -EEXIST for bound VIRQs",
                            "    - xen/events: Update virq_to_irq on migration",
                            "    - firmware: exynos-acpm: fix PMIC returned errno",
                            "    - firmware: meson_sm: fix device leak at probe",
                            "    - media: cec: extron-da-hd-4k-plus: drop external-module make commands",
                            "    - media: cx18: Add missing check after DMA map",
                            "    - media: i2c: mt9p031: fix mbus code initialization",
                            "    - media: i2c: mt9v111: fix incorrect type for ret",
                            "    - media: mc: Fix MUST_CONNECT handling for pads with no links",
                            "    - media: pci: ivtv: Add missing check after DMA map",
                            "    - media: pci: mg4b: fix uninitialized iio scan data",
                            "    - media: platform: mtk-mdp3: Add missing MT8188 compatible to comp_dt_ids",
                            "    - media: s5p-mfc: remove an unused/uninitialized variable",
                            "    - media: staging/ipu7: fix isys device runtime PM usage in firmware",
                            "      closing",
                            "    - media: uvcvideo: Avoid variable shadowing in uvc_ctrl_cleanup_fh",
                            "    - media: venus: firmware: Use correct reset sequence for IRIS2",
                            "    - media: venus: pm_helpers: add fallback for the opp-table",
                            "    - media: vivid: fix disappearing <Vendor Command With ID> messages",
                            "    - media: vsp1: Export missing vsp1_isp_free_buffer symbol",
                            "    - media: ti: j721e-csi2rx: Use devm_of_platform_populate",
                            "    - media: ti: j721e-csi2rx: Fix source subdev link creation",
                            "    - media: lirc: Fix error handling in lirc_register()",
                            "    - drm/exynos: exynos7_drm_decon: remove ctx->suspended",
                            "    - drm/panthor: Fix memory leak in panthor_ioctl_group_create()",
                            "    - drm/msm/a6xx: Fix PDC sleep sequence",
                            "    - drm/rcar-du: dsi: Fix 1/2/3 lane support",
                            "    - drm/nouveau: fix bad ret code in nouveau_bo_move_prep",
                            "    - drm/xe/uapi: loosen used tracking restriction",
                            "    - drm/amd/display: Incorrect Mirror Cositing",
                            "    - drm/amd/display: Enable Dynamic DTBCLK Switch",
                            "    - drm/amd/display: Fix unsafe uses of kernel mode FPU",
                            "    - blk-crypto: fix missing blktrace bio split events",
                            "    - btrfs: avoid potential out-of-bounds in btrfs_encode_fh()",
                            "    - bus: mhi: ep: Fix chained transfer handling in read path",
                            "    - bus: mhi: host: Do not use uninitialized 'dev' pointer in",
                            "      mhi_init_irq_setup()",
                            "    - cdx: Fix device node reference leak in cdx_msi_domain_init",
                            "    - clk: qcom: tcsrcc-x1e80100: Set the bi_tcxo as parent to eDP refclk",
                            "    - clk: samsung: exynos990: Use PLL_CON0 for PLL parent muxes",
                            "    - clk: samsung: exynos990: Fix CMU_TOP mux/div bit widths",
                            "    - clk: samsung: exynos990: Replace bogus divs with fixed-factor clocks",
                            "    - copy_sighand: Handle architectures where sizeof(unsigned long) <",
                            "      sizeof(u64)",
                            "    - cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay",
                            "    - cpufreq: intel_pstate: Fix object lifecycle issue in",
                            "      update_qos_request()",
                            "    - crypto: aspeed - Fix dma_unmap_sg() direction",
                            "    - crypto: atmel - Fix dma_unmap_sg() direction",
                            "    - crypto: rockchip - Fix dma_unmap_sg() nents value",
                            "    - eventpoll: Replace rwlock with spinlock",
                            "    - fbdev: Fix logic error in \"offb\" name match",
                            "    - fs/ntfs3: Fix a resource leak bug in wnd_extend()",
                            "    - fs: quota: create dedicated workqueue for quota_release_work",
                            "    - fsnotify: pass correct offset to fsnotify_mmap_perm()",
                            "    - fuse: fix possibly missing fuse_copy_finish() call in fuse_notify()",
                            "    - fuse: fix livelock in synchronous file put from fuseblk workers",
                            "    - gpio: mpfs: fix setting gpio direction to output",
                            "    - i3c: Fix default I2C adapter timeout value",
                            "    - iio/adc/pac1934: fix channel disable configuration",
                            "    - iio: dac: ad5360: use int type to store negative error codes",
                            "    - iio: dac: ad5421: use int type to store negative error codes",
                            "    - iio: frequency: adf4350: Fix prescaler usage.",
                            "    - iio: xilinx-ams: Fix AMS_ALARM_THR_DIRECT_MASK",
                            "    - iio: xilinx-ams: Unmask interrupts after updating alarms",
                            "    - init: handle bootloader identifier in kernel parameters",
                            "    - iio: imu: inv_icm42600: Simplify pm_runtime setup",
                            "    - iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in",
                            "      resume",
                            "    - iio: imu: inv_icm42600: Avoid configuring if already pm_runtime",
                            "      suspended",
                            "    - iommu/vt-d: PRS isn't usable if PDS isn't supported",
                            "    - ipmi: Rework user message limit handling",
                            "    - ipmi:msghandler:Change seq_lock to a mutex",
                            "    - kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in",
                            "      sys_prlimit64() paths",
                            "    - KEYS: trusted_tpm1: Compare HMAC values in constant time",
                            "    - kho: only fill kimage if KHO is finalized",
                            "    - lib/genalloc: fix device leak in of_gen_pool_get()",
                            "    - loop: fix backing file reference leak on validation error",
                            "    - md: fix mssing blktrace bio split events",
                            "    - of: unittest: Fix device reference count leak in",
                            "      of_unittest_pci_node_verify",
                            "    - openat2: don't trigger automounts with RESOLVE_NO_XDEV",
                            "    - padata: Reset next CPU when reorder sequence wraps around",
                            "    - parisc: don't reference obsolete termio struct for TC* constants",
                            "    - parisc: Remove spurious if statement from raw_copy_from_user()",
                            "    - nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk",
                            "    - pinctrl: samsung: Drop unused S3C24xx driver data",
                            "    - PM: EM: Fix late boot with holes in CPU topology",
                            "    - PM: hibernate: Fix hybrid-sleep",
                            "    - PM: hibernate: Restrict GFP mask in power_down()",
                            "    - power: supply: max77976_charger: fix constant current reporting",
                            "    - powerpc/powernv/pci: Fix underflow and leak issue",
                            "    - powerpc/pseries/msi: Fix potential underflow and leak issue",
                            "    - pwm: berlin: Fix wrong register in suspend/resume",
                            "    - pwm: Fix incorrect variable used in error message",
                            "    - Revert \"ipmi: fix msg stack when IPMI is disconnected\"",
                            "    - sched/deadline: Fix race in push_dl_task()",
                            "    - scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()",
                            "    - scsi: sd: Fix build warning in sd_revalidate_disk()",
                            "    - sctp: Fix MAC comparison to be constant-time",
                            "    - smb client: fix bug with newly created file in cached dir",
                            "    - sparc64: fix hugetlb for sun4u",
                            "    - sparc: fix error handling in scan_one_device()",
                            "    - xtensa: simdisk: add input size check in proc_write_simdisk",
                            "    - xsk: Harden userspace-supplied xdp_desc validation",
                            "    - mtd: rawnand: fsmc: Default to autodetect buswidth",
                            "    - mtd: nand: raw: gpmi: fix clocks when CONFIG_PM=N",
                            "    - mmc: core: SPI mode remove cmd7",
                            "    - mmc: mmc_spi: multiple block read remove read crc ack",
                            "    - memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe",
                            "    - memory: stm32_omm: Fix req2ack update test",
                            "    - rtc: interface: Ensure alarm irq is enabled when UIE is enabled",
                            "    - rtc: interface: Fix long-standing race when setting alarm",
                            "    - rseq/selftests: Use weak symbol reference, not definition, to link with",
                            "      glibc",
                            "    - PCI: xilinx-nwl: Fix ECAM programming",
                            "    - PCI: tegra: Convert struct tegra_msi mask_lock into raw spinlock",
                            "    - PCI/sysfs: Ensure devices are powered for config reads",
                            "    - PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV",
                            "    - PCI/ERR: Fix uevent on failure to recover",
                            "    - PCI/AER: Fix missing uevent on recovery when a reset is requested",
                            "    - PCI/AER: Support errors introduced by PCIe r6.0",
                            "    - PCI: Ensure relaxed tail alignment does not increase min_align",
                            "    - PCI: Fix failure detection during resource resize",
                            "    - PCI: j721e: Fix module autoloading",
                            "    - PCI: j721e: Fix programming sequence of \"strap\" settings",
                            "    - PCI: keystone: Use devm_request_irq() to free \"ks-pcie-error-irq\" on",
                            "      exit",
                            "    - PCI: rcar-gen4: Fix PHY initialization",
                            "    - PCI: rcar-host: Drop PMSR spinlock",
                            "    - PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock",
                            "    - PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq()",
                            "    - PCI: tegra194: Handle errors in BPMP response",
                            "    - PCI: tegra194: Reset BARs when running in PCIe endpoint mode",
                            "    - PCI/pwrctrl: Fix device leak at registration",
                            "    - PCI/pwrctrl: Fix device and OF node leak at bus scan",
                            "    - PCI/pwrctrl: Fix device leak at device stop",
                            "    - spi: cadence-quadspi: Flush posted register writes before INDAC access",
                            "    - spi: cadence-quadspi: Flush posted register writes before DAC access",
                            "    - spi: cadence-quadspi: Fix cqspi_setup_flash()",
                            "    - xfs: use deferred intent items for reaping crosslinked blocks",
                            "    - x86/fred: Remove ENDBR64 from FRED entry points",
                            "    - x86/umip: Check that the instruction opcode is at least two bytes",
                            "    - x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT",
                            "      aliases)",
                            "    - mptcp: pm: in-kernel: usable client side with C-flag",
                            "    - mptcp: reset blackhole on success with non-loopback ifaces",
                            "    - selftests: mptcp: join: validate C-flag + def limit",
                            "    - s390/cio/ioasm: Fix __xsch() condition code handling",
                            "    - s390/dasd: enforce dma_alignment to ensure proper buffer validation",
                            "    - s390/dasd: Return BLK_STS_INVAL for EINVAL from do_dasd_request",
                            "    - s390: Add -Wno-pointer-sign to KBUILD_CFLAGS_DECOMPRESSOR",
                            "    - slab: prevent warnings when slab obj_exts vector allocation fails",
                            "    - slab: mark slab->obj_exts allocation failures unconditionally",
                            "    - wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again",
                            "    - wifi: iwlwifi: Fix dentry reference leak in iwl_mld_add_link_debugfs",
                            "    - wifi: rtw89: avoid possible TX wait initialization race",
                            "    - wifi: mt76: mt7925u: Add VID/PID for Netgear A9000",
                            "    - wifi: mt76: mt7921u: Add VID/PID for Netgear A7500",
                            "    - mm/thp: fix MTE tag mismatch when replacing zero-filled subpages",
                            "    - mm/rmap: fix soft-dirty and uffd-wp bit loss when remapping zero-filled",
                            "      mTHP subpage to shared zeropage",
                            "    - mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations",
                            "    - mm/hugetlb: early exit from hugetlb_pages_alloc_boot() when",
                            "      max_huge_pages=0",
                            "    - mm/damon/vaddr: do not repeat pte_offset_map_lock() until success",
                            "    - mm/damon/lru_sort: use param_ctx for damon_attrs staging",
                            "    - nfsd: decouple the xprtsec policy check from check_nfsd_access()",
                            "    - NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul()",
                            "    - nfsd: nfserr_jukebox in nlm_fopen should lead to a retry",
                            "    - media: iris: Call correct power off callback in cleanup path",
                            "    - media: iris: Fix firmware reference leak and unmap memory after load",
                            "    - media: iris: fix module removal if firmware download failed",
                            "    - media: iris: vpu3x: Add MNoC low power handshake during hardware power-",
                            "      off",
                            "    - media: iris: Fix port streaming handling",
                            "    - media: iris: Fix buffer count reporting in internal buffer check",
                            "    - media: iris: Allow substate transition to load resources during output",
                            "      streaming",
                            "    - media: iris: Always destroy internal buffers on firmware release",
                            "      response",
                            "    - media: iris: Simplify session stop logic by relying on vb2 checks",
                            "    - media: iris: Update vbuf flags before v4l2_m2m_buf_done",
                            "    - media: iris: Send dummy buffer address for all codecs during drain",
                            "    - media: iris: Fix missing LAST flag handling during drain",
                            "    - media: iris: Fix format check for CAPTURE plane in try_fmt",
                            "    - media: iris: Allow stop on firmware only if start was issued.",
                            "    - ext4: add ext4_sb_bread_nofail() helper function for",
                            "      ext4_free_branches()",
                            "    - ext4: fail unaligned direct IO write with EINVAL",
                            "    - ext4: verify orphan file size is not too big",
                            "    - ext4: increase i_disksize to offset + len in",
                            "      ext4_update_disksize_before_punch()",
                            "    - ext4: correctly handle queries for metadata mappings",
                            "    - ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()",
                            "    - ext4: fix an off-by-one issue during moving extents",
                            "    - ext4: guard against EA inode refcount underflow in xattr update",
                            "    - ext4: validate ea_ino and size in check_xattrs",
                            "    - ACPICA: Allow to skip Global Lock initialization",
                            "    - ext4: free orphan info with kvfree",
                            "    - ipmi: Fix handling of messages with provided receive message pointer",
                            "    - Squashfs: add additional inode sanity checking",
                            "    - Squashfs: reject negative file sizes in squashfs_read_inode()",
                            "    - mm/ksm: fix incorrect KSM counter handling in mm_struct during fork",
                            "    - media: mc: Clear minor number before put device",
                            "    - arm64: dts: qcom: qcs615: add missing dt property in QUP SEs",
                            "    - ACPI: property: Disregard references in data-only subnode lists",
                            "    - ACPI: property: Add code comments explaining what is going on",
                            "    - ACPI: property: Do not pass NULL handles to acpi_attach_data()",
                            "    - irqchip/sifive-plic: Avoid interrupt ID 0 handling during suspend/resume",
                            "    - copy_file_range: limit size if in compat mode",
                            "    - minixfs: Verify inode mode when loading from disk",
                            "    - pid: Add a judgment for ns null in pid_nr_ns",
                            "    - fs: Add 'initramfs_options' to set initramfs mount options",
                            "    - cramfs: Verify inode mode when loading from disk",
                            "    - nsfs: validate extensible ioctls",
                            "    - mnt_ns_tree_remove(): DTRT if mnt_ns had never been added to mnt_ns_list",
                            "    - writeback: Avoid softlockup when switching many inodes",
                            "    - writeback: Avoid excessively long inode switching times",
                            "    - iomap: error out on file IO when there is no inline_data buffer",
                            "    - pidfs: validate extensible ioctls",
                            "    - mount: handle NULL values in mnt_ns_release()",
                            "    - Linux 6.17.4",
                            "  * Questing update: v6.17.4 upstream stable release (LP: #2131259) // Race",
                            "    condition in perf build causes build failure due to missing unistd_64.h",
                            "    header on arm64 (LP: #2131702)",
                            "    - perf tools: Fix arm64 libjvmti build by generating unistd_64.h",
                            "  * Questing update: v6.17.3 upstream stable release (LP: #2129610)",
                            "    - arch: copy_thread: pass clone_flags as u64",
                            "    - filelock: add FL_RECLAIM to show_fl_flags() macro",
                            "    - init: INITRAMFS_PRESERVE_MTIME should depend on BLK_DEV_INITRD",
                            "    - pid: use ns_capable_noaudit() when determining net sysctl permissions",
                            "    - Fix CC_HAS_ASM_GOTO_OUTPUT on non-x86 architectures",
                            "    - [Config]: Update CC configs for v6.17.3",
                            "    - seccomp: Fix a race with WAIT_KILLABLE_RECV if the tracer replies too",
                            "      fast",
                            "    - kbuild: Add missing $(objtree) prefix to powerpc crtsavres.o artifact",
                            "    - selftests: arm64: Check fread return value in exec_target",
                            "    - selftests: arm64: Fix -Waddress warning in tpidr2 test",
                            "    - kselftest/arm64/gcs: Correctly check return value when disabling GCS",
                            "    - hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()",
                            "    - gfs2: Fix GLF_INVALIDATE_IN_PROGRESS flag clearing in do_xmote",
                            "    - gfs2: Remove space before newline",
                            "    - gfs2: Further sanitize lock_dlm.c",
                            "    - gfs2: Fix LM_FLAG_TRY* logic in add_to_queue",
                            "    - gfs2: Remove duplicate check in do_xmote",
                            "    - gfs2: Get rid of GLF_INVALIDATE_IN_PROGRESS",
                            "    - gfs2: do_xmote cleanup",
                            "    - gfs2: Add proper lockspace locking",
                            "    - powerpc/8xx: Remove left-over instruction and comments in",
                            "      DataStoreTLBMiss handler",
                            "    - powerpc/603: Really copy kernel PGD entries into all PGDIRs",
                            "    - powerpc/ftrace: ensure ftrace record ops are always set for NOPs",
                            "    - powerpc64/modules: correctly iterate over stubs in",
                            "      setup_ftrace_ool_stubs",
                            "    - uprobes: uprobe_warn should use passed task",
                            "    - raid6: riscv: Clean up unused header file inclusion",
                            "    - coresight: trbe: Prevent overflow in PERF_IDX2OFF()",
                            "    - perf: arm_spe: Prevent overflow in PERF_IDX2OFF()",
                            "    - erofs: avoid reading more for fragment maps",
                            "    - smb: client: fix sending the iwrap custom IRD/ORD negotiation messages",
                            "    - smb: server: fix IRD/ORD negotiation with the client",
                            "    - perf/x86/intel: Use early_initcall() to hook bts_init()",
                            "    - perf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error",
                            "    - x86/vdso: Fix output operand size of RDPID",
                            "    - selftests: cgroup: Make test_pids backwards compatible",
                            "    - sched/fair: Get rid of sched_domains_curr_level hack for tl->cpumask()",
                            "    - [Config]: Update CONFIG_SCHED_MC for v6.17.3",
                            "    - lsm: CONFIG_LSM can depend on CONFIG_SECURITY",
                            "    - cpuset: fix failure to enable isolated partition when containing",
                            "      isolcpus",
                            "    - btrfs: return any hit error from extent_writepage_io()",
                            "    - btrfs: fix symbolic link reading when bs > ps",
                            "    - pinctrl: renesas: rzg2l: Fix invalid unsigned return in rzg3s_oen_read()",
                            "    - arm64: dts: renesas: rzg2lc-smarc: Disable CAN-FD channel0",
                            "    - bpf: Tidy verifier bug message",
                            "    - regmap: Remove superfluous check for !config in __regmap_init()",
                            "    - selftests/bpf: Copy test_kmods when installing selftest",
                            "    - rust: cpumask: Mark CpumaskVar as transparent",
                            "    - bpf/selftests: Fix test_tcpnotify_user",
                            "    - bpf: Remove migrate_disable in kprobe_multi_link_prog_run",
                            "    - libbpf: Fix reuse of DEVMAP",
                            "    - tools/nolibc: fix error return value of clock_nanosleep()",
                            "    - ARM: dts: renesas: porter: Fix CAN pin group",
                            "    - leds: max77705: Function return instead of variable assignment",
                            "    - leds: flash: leds-qcom-flash: Update torch current clamp setting",
                            "    - s390/bpf: Do not write tail call counter into helper and kfunc frames",
                            "    - s390/bpf: Write back tail call counter for BPF_PSEUDO_CALL",
                            "    - s390/bpf: Write back tail call counter for BPF_TRAMP_F_CALL_ORIG",
                            "    - cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus()",
                            "    - arm64: dts: renesas: sparrow-hawk: Invert microSD voltage selector on",
                            "      EVTB1",
                            "    - arm64: dts: renesas: sparrow-hawk: Set VDDQ18_25_AVB voltage on EVTB1",
                            "    - libbpf: Export bpf_object__prepare symbol",
                            "    - firmware: arm_scmi: Mark VirtIO ready before registering",
                            "      scmi_virtio_driver",
                            "    - arm64: dts: imx93-kontron: Fix GPIO for panel regulator",
                            "    - arm64: dts: imx93-kontron: Fix USB port assignment",
                            "    - arm64: dts: imx95: Correct the lpuart7 and lpuart8 srcid",
                            "    - bpf: Remove preempt_disable in bpf_try_get_buffers",
                            "    - ACPI: processor: idle: Fix memory leak when register cpuidle device",
                            "      failed",
                            "    - genirq: Add irq_chip_(startup/shutdown)_parent()",
                            "    - PCI/MSI: Add startup/shutdown for per device domains",
                            "    - irqchip/sg2042-msi: Fix broken affinity setting",
                            "    - scripts/misc-check: update export checks for EXPORT_SYMBOL_FOR_MODULES()",
                            "    - soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS",
                            "    - pinctrl: meson-gxl: add missing i2c_d pinmux",
                            "    - blk-mq: check kobject state_in_sysfs before deleting in",
                            "      blk_mq_unregister_hctx",
                            "    - selftests/futex: Remove the -g parameter from futex_priv_hash",
                            "    - ARM: at91: pm: fix MCKx restore routine",
                            "    - arm64: dts: apple: t8103-j457: Fix PCIe ethernet iommu-map",
                            "    - regulator: scmi: Use int type to store negative error codes",
                            "    - selftests/futex: Fix some futex_numa_mpol subtests",
                            "    - tools/nolibc: avoid error in dup2() if old fd equals new fd",
                            "    - selftests/nolibc: fix EXPECT_NZ macro",
                            "    - leds: leds-lp55xx: Use correct address for memory programming",
                            "    - PCI/MSI: Check MSI_FLAG_PCI_MSI_MASK_PARENT in",
                            "      cond_[startup|shutdown]_parent()",
                            "    - block: use int to store blk_stack_limits() return value",
                            "    - ARM: dts: stm32: stm32mp151c-plyaqm: Use correct dai-format property",
                            "    - dt-bindings: vendor-prefixes: Add undocumented vendor prefixes",
                            "    - genirq/test: Fix depth tests on architectures with NOREQUEST by default.",
                            "    - genirq/test: Select IRQ_DOMAIN",
                            "    - genirq/test: Depend on SPARSE_IRQ",
                            "    - genirq/test: Drop CONFIG_GENERIC_IRQ_MIGRATION assumptions",
                            "    - genirq/test: Ensure CPU 1 is online for hotplug test",
                            "    - selftests/bpf: Fix count write in testapp_xdp_metadata_copy()",
                            "    - vdso/datastore: Gate time data behind CONFIG_GENERIC_GETTIMEOFDAY",
                            "    - PM: sleep: core: Clear power.must_resume in noirq suspend error path",
                            "    - blk-mq: fix elevator depth_updated method",
                            "    - vdso: Add struct __kernel_old_timeval forward declaration to gettime.h",
                            "    - ARM: dts: ti: omap: am335x-baltos: Fix ti,en-ck32k-xtal property in DTS",
                            "      to use correct boolean syntax",
                            "    - ARM: dts: ti: omap: omap3-devkit8000-lcd: Fix ti,keep-vref-on property",
                            "      to use correct boolean syntax in DTS",
                            "    - ARM: dts: omap: am335x-cm-t335: Remove unused mcasp num-serializer",
                            "      property",
                            "    - PM / devfreq: mtk-cci: Fix potential error pointer dereference in",
                            "      probe()",
                            "    - power: supply: cw2015: Fix a alignment coding style issue",
                            "    - hwmon: (asus-ec-sensors) Narrow lock for X870E-CREATOR WIFI",
                            "    - pinctrl: renesas: Use int type to store negative error codes",
                            "    - pinctrl: eswin: Fix regulator error check and Kconfig dependency",
                            "    - null_blk: Fix the description of the cache_size module argument",
                            "    - blk-throttle: fix access race during throttle policy activation",
                            "    - selftests: vDSO: Fix -Wunitialized in powerpc VDSO_CALL() wrapper",
                            "    - selftests: vDSO: vdso_test_abi: Correctly skip whole test with missing",
                            "      vDSO",
                            "    - irqchip/gic-v5: Fix loop in gicv5_its_create_itt_two_level() cleanup",
                            "      path",
                            "    - irqchip/gic-v5: Fix error handling in gicv5_its_irq_domain_alloc()",
                            "    - tick: Do not set device to detached state in tick_shutdown()",
                            "    - arm64: dts: mediatek: mt8195: Remove suspend-breaking reset from pcie0",
                            "    - arm64: dts: mediatek: mt8183: Fix out of range pull values",
                            "    - nbd: restrict sockets to TCP and UDP",
                            "    - PM / devfreq: rockchip-dfi: double count on RK3588",
                            "    - firmware: firmware: meson-sm: fix compile-test default",
                            "    - dts: arm: amlogic: fix pwm node for c3",
                            "    - soc: mediatek: mtk-svs: fix device leaks on mt8183 probe failure",
                            "    - soc: mediatek: mtk-svs: fix device leaks on mt8192 probe failure",
                            "    - cpuidle: qcom-spm: fix device and OF node leaks at probe",
                            "    - block: cleanup bio_issue",
                            "    - block: initialize bio issue time in blk_mq_submit_bio()",
                            "    - block: factor out a helper bio_submit_split_bioset()",
                            "    - block: skip unnecessary checks for split bio",
                            "    - block: fix ordering of recursive split IO",
                            "    - blk-mq: remove useless checkings in blk_mq_update_nr_requests()",
                            "    - blk-mq: check invalid nr_requests in queue_requests_store()",
                            "    - blk-mq: convert to serialize updating nr_requests with",
                            "      update_nr_hwq_lock",
                            "    - blk-mq: cleanup shared tags case in blk_mq_update_nr_requests()",
                            "    - blk-mq: split bitmap grow and resize case in blk_mq_update_nr_requests()",
                            "    - blk-mq-sched: add new parameter nr_requests in blk_mq_alloc_sched_tags()",
                            "    - blk-mq: fix potential deadlock while nr_requests grown",
                            "    - arm64: dts: allwinner: a527: cubie-a5e: Add ethernet PHY reset setting",
                            "    - arm64: dts: allwinner: t527: avaota-a1: Add ethernet PHY reset setting",
                            "    - arm64: dts: rockchip: Add RTC on rk3576-evb1-v10",
                            "    - arm64: dts: rockchip: Add WiFi on rk3576-evb1-v10",
                            "    - arm64: dts: rockchip: Fix network on rk3576 evb1 board",
                            "    - arm64: dts: ti: k3-j742s2-mcu-wakeup: Override firmware-name for MCU R5F",
                            "      cores",
                            "    - arm64: dts: ti: k3: Rename rproc reserved-mem nodes to 'memory@addr'",
                            "    - Revert \"arm64: dts: ti: k3-j721e-sk: Fix reversed C6x carveout",
                            "      locations\"",
                            "    - Revert \"arm64: dts: ti: k3-j721e-beagleboneai64: Fix reversed C6x",
                            "      carveout locations\"",
                            "    - arm64: dts: mediatek: mt8188: Change efuse fallback compatible to mt8186",
                            "    - arm64: dts: mediatek: mt8186-tentacruel: Fix touchscreen model",
                            "    - arm64: dts: ti: k3-pinctrl: Fix the bug in existing macros",
                            "    - arm64: dts: renesas: r9a09g047e57-smarc: Fix gpio key's pin control node",
                            "    - arm64: dts: mediatek: mt6331: Fix pmic, regulators, rtc, keys node names",
                            "    - mmc: core: Fix variable shadowing in mmc_route_rpmb_frames()",
                            "    - arm64: dts: mediatek: mt6795-xperia-m5: Fix mmc0 latch-ck value",
                            "    - arm64: dts: mediatek: mt7986a: Fix PCI-Express T-PHY node address",
                            "    - arm64: dts: mediatek: mt8395-kontron-i1200: Fix MT6360 regulator nodes",
                            "    - arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible",
                            "    - arm64: dts: allwinner: a527: cubie-a5e: Add LEDs",
                            "    - arm64: dts: allwinner: a527: cubie-a5e: Drop external 32.768 KHz crystal",
                            "    - arm64: dts: allwinner: t527: avaota-a1: hook up external 32k crystal",
                            "    - arm64: dts: allwinner: t527: orangepi-4a: hook up external 32k crystal",
                            "    - pwm: tiehrpwm: Don't drop runtime PM reference in .free()",
                            "    - pwm: tiehrpwm: Make code comment in .free() more useful",
                            "    - pwm: tiehrpwm: Fix various off-by-one errors in duty-cycle calculation",
                            "    - pwm: tiehrpwm: Fix corner case in clock divisor calculation",
                            "    - ACPICA: Apply ACPI_NONSTRING",
                            "    - ACPICA: Fix largest possible resource descriptor index",
                            "    - riscv, bpf: Sign extend struct ops return values properly",
                            "    - nvme-auth: update bi_directional flag",
                            "    - nvmet-fc: move lsop put work to nvmet_fc_ls_req_op",
                            "    - nvmet-fcloop: call done callback even when remote port is gone",
                            "    - nvme-tcp: send only permitted commands for secure concat",
                            "    - i3c: master: svc: Use manual response for IBI events",
                            "    - i3c: master: svc: Recycle unused IBI slot",
                            "    - block: update validation of atomic writes boundary for stacked devices",
                            "    - block: fix stacking of atomic writes when atomics are not supported",
                            "    - selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported",
                            "    - selftests/kselftest_harness: Add harness-selftest.expected to TEST_FILES",
                            "    - blk-throttle: fix throtl_data leak during disk release",
                            "    - bpf: Explicitly check accesses to bpf_sock_addr",
                            "    - mmc: select REGMAP_MMIO with MMC_LOONGSON2",
                            "    - selftests/futex: Fix futex_wait() for 32bit ARM",
                            "    - selftest/futex: Make the error check more precise for futex_numa_mpol",
                            "    - selftest/futex: Compile also with libnuma < 2.0.16",
                            "    - bpf: dont report verifier bug for missing bpf_scc_visit on speculative",
                            "      path",
                            "    - bpf, arm64: Call bpf_jit_binary_pack_finalize() in bpf_jit_free()",
                            "    - arm64: dts: apple: t600x: Add missing WiFi properties",
                            "    - arm64: dts: apple: t600x: Add bluetooth device nodes",
                            "    - arm64: dts: apple: Add ethernet0 alias for J375 template",
                            "    - selftests: always install UAPI headers to the correct directory",
                            "    - smp: Fix up and expand the smp_call_function_many() kerneldoc",
                            "    - mfd: max77705: max77705_charger: move active discharge setting to mfd",
                            "      parent",
                            "    - power: supply: max77705_charger: refactoring: rename charger to chg",
                            "    - power: supply: max77705_charger: use regfields for config registers",
                            "    - power: supply: max77705_charger: rework interrupts",
                            "    - tools/nolibc: make time_t robust if __kernel_old_time_t is missing in",
                            "      host headers",
                            "    - spi: fix return code when spi device has too many chipselects",
                            "    - clocksource/drivers/timer-tegra186: Avoid 64-bit divide operation",
                            "    - clocksource/drivers/tegra186: Avoid 64-bit division",
                            "    - bpf: Mark kfuncs as __noclone",
                            "    - once: fix race by moving DO_ONCE to separate section",
                            "    - hwmon: (mlxreg-fan) Separate methods of fan setting coming from",
                            "      different subsystems",
                            "    - tools/nolibc: add stdbool.h to nolibc includes",
                            "    - thermal/drivers/qcom: Make LMH select QCOM_SCM",
                            "    - thermal/drivers/qcom/lmh: Add missing IRQ includes",
                            "    - i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD",
                            "    - i2c: spacemit: ensure bus release check runs when wait_bus_idle() fails",
                            "    - i2c: spacemit: remove stop function to avoid bus error",
                            "    - i2c: spacemit: disable SDA glitch fix to avoid restart delay",
                            "    - i2c: spacemit: check SDA instead of SCL after bus reset",
                            "    - i2c: spacemit: ensure SDA is released after bus reset",
                            "    - i2c: designware: Fix clock issue when PM is disabled",
                            "    - i2c: designware: Add disabling clocks when probe fails",
                            "    - libbpf: Fix error when st-prefix_ops and ops from differ btf",
                            "    - bpf: Enforce expected_attach_type for tailcall compatibility",
                            "    - i3c: fix big-endian FIFO transfers",
                            "    - mfd: max77705: Setup the core driver as an interrupt controller",
                            "    - drm/sched: Fix a race in DRM_GPU_SCHED_STAT_NO_HANG test",
                            "    - drm/panel-edp: Add disable to 100ms for MNB601LS1-4",
                            "    - drm/display: bridge-connector: correct CEC bridge pointers in",
                            "      drm_bridge_connector_init",
                            "    - drm/panel-edp: Add 50ms disable delay for four panels",
                            "    - drm/vmwgfx: fix missing assignment to ts",
                            "    - drm/amd/display: Reduce Stack Usage by moving 'audio_output' into",
                            "      'stream_res' v4",
                            "    - drm/panel: novatek-nt35560: Fix invalid return value",
                            "    - drm/amdgpu: fix link error for !PM_SLEEP",
                            "    - drm/amdgpu: Fix jpeg v4.0.3 poison irq call trace on sriov guest",
                            "    - drm/amdgpu: Fix vcn v4.0.3 poison irq call trace on sriov guest",
                            "    - PCI: endpoint: pci-ep-msi: Fix NULL vs IS_ERR() check in",
                            "      pci_epf_write_msi_msg()",
                            "    - PCI: xgene-msi: Return negative -EINVAL in xgene_msi_handler_setup()",
                            "    - drm/radeon/r600_cs: clean up of dead code in r600_cs",
                            "    - f2fs: fix condition in __allow_reserved_blocks()",
                            "    - f2fs: fix to avoid overflow while left shift operation",
                            "    - f2fs: fix to zero data after EOF for compressed file correctly",
                            "    - drm/bridge: it6505: select REGMAP_I2C",
                            "    - wifi: rtw88: Lock rtwdev->mutex before setting the LED",
                            "    - HID: steelseries: refactor probe() and remove()",
                            "    - media: zoran: Remove zoran_fh structure",
                            "    - phy: rockchip: naneng-combphy: Enable U3 OTG port for RK3568",
                            "    - drm/bridge: cdns-dsi: Fix the _atomic_check()",
                            "    - usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup",
                            "    - usb: misc: qcom_eud: Access EUD_MODE_MANAGER2 through secure calls",
                            "    - PCI/pwrctrl: Fix double cleanup on devm_add_action_or_reset() failure",
                            "    - misc: pci_endpoint_test: Fix array underflow in",
                            "      pci_endpoint_test_ioctl()",
                            "    - serial: max310x: Add error checking in probe()",
                            "    - drm/amd/display: Remove redundant semicolons",
                            "    - drm/amd/display: Add NULL pointer checks in dc_stream cursor attribute",
                            "      functions",
                            "    - crypto: keembay - Add missing check after sg_nents_for_len()",
                            "    - hwrng: nomadik - add ARM_AMBA dependency",
                            "    - docs: iio: ad3552r: Fix malformed code-block directive",
                            "    - fwctl/mlx5: Fix memory alloc/free in mlx5ctl_fw_rpc()",
                            "    - scsi: pm80xx: Restore support for expanders",
                            "    - scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod",
                            "    - scsi: libsas: Add dev_parent_is_expander() helper",
                            "    - scsi: pm80xx: Use dev_parent_is_expander() helper",
                            "    - scsi: pm80xx: Add helper function to get the local phy id",
                            "    - scsi: pm80xx: Fix pm8001_abort_task() for chip_8006 when using an",
                            "      expander",
                            "    - mptcp: Fix up subflow's memcg when CONFIG_SOCK_CGROUP_DATA=n.",
                            "    - scsi: myrs: Fix dma_alloc_coherent() error check",
                            "    - f2fs: fix to clear unusable_cap for checkpoint=enable",
                            "    - f2fs: fix to avoid NULL pointer dereference in",
                            "      f2fs_check_quota_consistency()",
                            "    - f2fs: fix to allow removing qf_name",
                            "    - Revert \"UBUNTU: SAUCE: drm/dp: drm_edp_backlight_set_level: do not",
                            "      always send 3-byte commands\"",
                            "    - drm/dp: drm_edp_backlight_set_level: do not always send 3-byte commands",
                            "    - crypto: octeontx2 - Call strscpy() with correct size argument",
                            "    - drm: re-allow no-op changes on non-primary planes in async flips",
                            "    - media: rj54n1cb0c: Fix memleak in rj54n1_probe()",
                            "    - media: staging/ipu7: convert to use pci_alloc_irq_vectors() API",
                            "    - media: staging/ipu7: Don't set name for IPU7 PCI device",
                            "    - media: staging/ipu7: cleanup the MMU correctly in IPU7 driver release",
                            "    - media: i2c: vd55g1: Fix duster register address",
                            "    - drm/panel: Allow powering on panel follower after panel is enabled",
                            "    - HID: i2c-hid: Make elan touch controllers power on after panel is",
                            "      enabled",
                            "    - RDMA/mlx5: Better estimate max_qp_wr to reflect WQE count",
                            "    - RDMA/mlx5: Fix vport loopback forcing for MPV device",
                            "    - wifi: rtw88: Use led->brightness_set_blocking for PCI too",
                            "    - net: phy: introduce phy_id_compare_vendor() PHY ID helper",
                            "    - net: phy: as21xxx: better handle PHY HW reset on soft-reboot",
                            "    - PCI: rcar-host: Pass proper IRQ domain to generic_handle_domain_irq()",
                            "    - fuse: remove unneeded offset assignment when filling write pages",
                            "    - PCI: qcom: Restrict port parsing only to PCIe bridge child nodes",
                            "    - cdx: don't select CONFIG_GENERIC_MSI_IRQ",
                            "    - PCI/ACPI: Fix pci_acpi_preserve_config() memory leak",
                            "    - HID: i2c-hid: Fix test in i2c_hid_core_register_panel_follower()",
                            "    - ALSA: lx_core: use int type to store negative error codes",
                            "    - media: st-delta: avoid excessive stack usage",
                            "    - drm/amdgpu/vcn: Add regdump helper functions",
                            "    - drm/amdgpu/vcn: Hold pg_lock before vcn power off",
                            "    - drm/amdgpu: Check vcn state before profile switch",
                            "    - accel/amdxdna: Use int instead of u32 to store error codes",
                            "    - efi: Explain OVMF acronym in OVMF_DEBUG_LOG help text",
                            "    - net: dst: introduce dst->dev_rcu",
                            "    - ipv6: mcast: Add ip6_mc_find_idev() helper",
                            "    - ipv6: start using dst_dev_rcu()",
                            "    - ipv6: use RCU in ip6_xmit()",
                            "    - ipv6: use RCU in ip6_output()",
                            "    - net: use dst_dev_rcu() in sk_setup_caps()",
                            "    - tcp_metrics: use dst_dev_net_rcu()",
                            "    - ipv4: start using dst_dev_rcu()",
                            "    - crypto: hisilicon/zip - remove unnecessary validation for high-",
                            "      performance mode configurations",
                            "    - crypto: hisilicon - re-enable address prefetch after device resuming",
                            "    - crypto: hisilicon - check the sva module status while enabling or",
                            "      disabling address prefetch",
                            "    - crypto: hisilicon/qm - check whether the input function and PF are on",
                            "      the same device",
                            "    - crypto: hisilicon/qm - request reserved interrupt for virtual function",
                            "    - inet: ping: check sock_net() in ping_get_port() and ping_lookup()",
                            "    - dmaengine: Fix dma_async_tx_descriptor->tx_submit documentation",
                            "    - coresight: trbe: Add ISB after TRBLIMITR write",
                            "    - coresight: Fix missing include for FIELD_GET",
                            "    - coresight: Only register perf symlink for sinks with alloc_buffer",
                            "    - drm/amdgpu: Power up UVD 3 for FW validation (v2)",
                            "    - drm/amd/pm: Disable ULV even if unsupported (v3)",
                            "    - drm/amd/pm: Fix si_upload_smc_data (v3)",
                            "    - drm/amd/pm: Adjust si_upload_smc_data register programming (v3)",
                            "    - drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3)",
                            "    - drm/amd/pm: Disable MCLK switching with non-DC at 120 Hz+ (v2)",
                            "    - drm/amd/pm: Disable SCLK switching on Oland with high pixel clocks (v3)",
                            "    - wifi: mac80211: Make CONNECTION_MONITOR optional for MLO sta",
                            "    - wifi: mwifiex: send world regulatory domain to driver",
                            "    - wifi: brcmfmac: fix 43752 SDIO FWVID incorrectly labelled as Cypress",
                            "      (CYW)",
                            "    - drm/msm: Do not validate SSPP when it is not ready",
                            "    - PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation",
                            "    - wifi: mac80211: consider links for validating SCAN_FLAG_AP in scan",
                            "      request during MLO",
                            "    - PCI: qcom: Add equalization settings for 8.0 GT/s and 32.0 GT/s",
                            "    - tcp: fix __tcp_close() to only send RST when required",
                            "    - fanotify: Validate the return value of mnt_ns_from_dentry() before",
                            "      dereferencing",
                            "    - drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl()",
                            "    - usb: phy: twl6030: Fix incorrect type for ret",
                            "    - usb: gadget: configfs: Correctly set use_os_string at bind",
                            "    - tty: n_gsm: Don't block input queue by waiting MSC",
                            "    - misc: genwqe: Fix incorrect cmd field being reported in error",
                            "    - pps: fix warning in pps_register_cdev when register device fail",
                            "    - drm/msm: Fix obj leak in VM_BIND error path",
                            "    - drm/msm: Fix missing VM_BIND offset/range validation",
                            "    - wifi: iwlwifi: Remove redundant header files",
                            "    - drm/msm/mdp4: stop supporting no-IOMMU configuration",
                            "    - drm/msm: stop supporting no-IOMMU configuration",
                            "    - idpf: fix Rx descriptor ready check barrier in splitq",
                            "    - ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping",
                            "    - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping",
                            "    - ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping",
                            "    - ipv6: snmp: do not use SNMP_MIB_SENTINEL anymore",
                            "    - ipv6: snmp: do not track per idev ICMP6_MIB_RATELIMITHOST",
                            "    - drm/msm: Fix bootup splat with separate_gpu_drm modparam",
                            "    - drm/msm/dpu: fix incorrect type for ret",
                            "    - wifi: mac80211: fix reporting of all valid links in sta_set_sinfo()",
                            "    - fs: ntfs3: Fix integer overflow in run_unpack()",
                            "    - fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist",
                            "    - iio: consumers: Fix handling of negative channel scale in",
                            "      iio_convert_raw_to_processed()",
                            "    - iio: consumers: Fix offset handling in iio_convert_raw_to_processed()",
                            "    - mm/slub: Fix cmp_loc_by_count() to return 0 when counts are equal",
                            "    - tools: ynl: fix undefined variable name",
                            "    - RDMA/mlx5: Fix page size bitmap calculation for KSM mode",
                            "    - netfilter: ipset: Remove unused htable_bits in macro ahash_region",
                            "    - ipvs: Use READ_ONCE/WRITE_ONCE for ipvs->enable",
                            "    - HID: steelseries: Fix STEELSERIES_SRWS1 handling in steelseries_remove()",
                            "    - watchdog: intel_oc_wdt: Do not try to write into const memory",
                            "    - watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the",
                            "      watchdog",
                            "    - PCI: endpoint: pci-epf-test: Fix doorbell test support",
                            "    - drivers/base/node: handle error properly in register_one_node()",
                            "    - RDMA/cm: Rate limit destroy CM ID timeout error message",
                            "    - wifi: mt76: mt7996: Fix mt7996_mcu_sta_ba wcid configuration",
                            "    - wifi: mt76: mt7996: Fix mt7996_mcu_bss_mld_tlv routine",
                            "    - wifi: mt76: fix potential memory leak in mt76_wmac_probe()",
                            "    - wifi: mt76: mt7996: Use proper link_id in link_sta_rc_update callback",
                            "    - wifi: mt76: mt7996: Check phy before init msta_link in",
                            "      mt7996_mac_sta_add_links()",
                            "    - wifi: mt76: mt7996: Fix tx-queues initialization for second phy on",
                            "      mt7996",
                            "    - wifi: mt76: mt7996: Fix RX packets configuration for primary WED device",
                            "    - wifi: mt76: mt7996: Convert mt7996_wed_rro_addr to LE",
                            "    - wifi: mt76: mt7915: fix mt7981 pre-calibration",
                            "    - wifi: mt76: mt7996: remove redundant per-phy mac80211 calls during",
                            "      restart",
                            "    - ASoC: Intel: hda-sdw-bpt: set persistent_buffer false",
                            "    - srcu/tiny: Remove preempt_disable/enable() in srcu_gp_start_if_needed()",
                            "    - drm/amdgpu: Fix allocating extra dwords for rings (v2)",
                            "    - f2fs: fix to update map->m_next_extent correctly in f2fs_map_blocks()",
                            "    - f2fs: fix to truncate first page in error path of f2fs_truncate()",
                            "    - f2fs: fix to avoid migrating empty section",
                            "    - f2fs: fix to mitigate overhead of f2fs_zero_post_eof_page()",
                            "    - RISC-V: KVM: Write hgatp register with valid mode bits",
                            "    - ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on",
                            "      PREEMPT_RT",
                            "    - ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message",
                            "    - scsi: qla2xxx: edif: Fix incorrect sign of error code",
                            "    - scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES()",
                            "    - scsi: qla2xxx: Fix incorrect sign of error code in qla_nvme_xmt_ls_rsp()",
                            "    - HID: hidraw: tighten ioctl command parsing",
                            "    - f2fs: fix zero-sized extent for precache extents",
                            "    - smc: Fix use-after-free in __pnet_find_base_ndev().",
                            "    - smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().",
                            "    - smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().",
                            "    - smc: Use __sk_dst_get() and dst_dev_rcu() in smc_vlan_by_tcpsk().",
                            "    - tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().",
                            "    - mptcp: Call dst_release() in mptcp_active_enable().",
                            "    - mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable().",
                            "    - Revert \"usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems",
                            "      Running\"",
                            "    - RDMA/core: Resolve MAC of next-hop device without ARP support",
                            "    - IB/sa: Fix sa_local_svc_timeout_ms read race",
                            "    - Documentation: trace: historgram-design: Separate sched_waking histogram",
                            "      section heading and the following diagram",
                            "    - ASoC: SOF: ipc4-pcm: Fix incorrect comparison with number of tdm_slots",
                            "    - wifi: ath12k: initialize eirp_power before use",
                            "    - wifi: ath12k: fix overflow warning on num_pwr_levels",
                            "    - wifi: ath12k: fix signal in radiotap for WCN7850",
                            "    - wifi: ath12k: fix HAL_PHYRX_COMMON_USER_INFO handling in monitor mode",
                            "    - wifi: ath12k: fix the fetching of combined rssi",
                            "    - wifi: ath12k: Add fallback for invalid channel number in PHY metadata",
                            "    - wifi: ath12k: fix wrong logging ID used for CE",
                            "    - wifi: ath10k: avoid unnecessary wait for service ready message",
                            "    - iommu/vt-d: debugfs: Fix legacy mode page table dump logic",
                            "    - wifi: mac80211: fix Rx packet handling when pubsta information is not",
                            "      available",
                            "    - ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      UltraSPARC",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      UltraSPARC III",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      Niagara",
                            "    - sparc: fix accurate exception reporting in copy_to_user for Niagara 4",
                            "    - sparc: fix accurate exception reporting in copy_{from,to}_user for M7",
                            "    - vfio/pds: replace bitmap_free with vfree",
                            "    - crypto: comp - Use same definition of context alloc and free ops",
                            "    - crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs",
                            "    - wifi: ath12k: Fix peer lookup in ath12k_dp_mon_rx_deliver_msdu()",
                            "    - rpmsg: qcom_smd: Fix fallback to qcom,ipc parse",
                            "    - remoteproc: qcom_q6v5_mss: support loading MBN file on msm8974",
                            "    - RDMA/rxe: Fix race in do_task() when draining",
                            "    - selftests/mm: fix va_high_addr_switch.sh failure on x86_64",
                            "    - wifi: rtw89: fix leak in rtw89_core_send_nullfunc()",
                            "    - wifi: rtw89: avoid circular locking dependency in ser_state_run()",
                            "    - PCI: tegra194: Fix duplicate PLL disable in",
                            "      pex_ep_event_pex_rst_assert()",
                            "    - remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice",
                            "    - remoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E",
                            "    - wifi: ath12k: Refactor RX TID deletion handling into helper function",
                            "    - wifi: ath12k: Fix flush cache failure during RX queue update",
                            "    - wifi: cfg80211: fix width unit in cfg80211_radio_chandef_valid()",
                            "    - dm vdo: return error on corrupted metadata in start_restoring_volume",
                            "      functions",
                            "    - coresight: fix indentation error in cscfg_remove_owned_csdev_configs()",
                            "    - coresight-etm4x: Conditionally access register TRCEXTINSELR",
                            "    - coresight: tmc: Support atclk",
                            "    - coresight: catu: Support atclk",
                            "    - coresight: etm4x: Support atclk",
                            "    - coresight: Appropriately disable programming clocks",
                            "    - coresight: Appropriately disable trace bus clocks",
                            "    - coresight: Avoid enable programming clock duplicately",
                            "    - coresight: trbe: Return NULL pointer for allocation failures",
                            "    - coresight: tpda: fix the logic to setup the element size",
                            "    - coresight: Fix incorrect handling for return value of devm_kzalloc",
                            "    - NFSv4.1: fix backchannel max_resp_sz verification check",
                            "    - net: ethtool: tsconfig: set command must provide a reply",
                            "    - netfilter: nfnetlink: reset nlh pointer during batch replay",
                            "    - netfilter: nf_conntrack: do not skip entries in /proc/net/nf_conntrack",
                            "    - scsi: ufs: core: Fix data race in CPU latency PM QoS request handling",
                            "    - scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()",
                            "    - usb: vhci-hcd: Prevent suspending virtually attached devices",
                            "    - PCI: rcar-gen4: Add missing 1ms delay after PWR reset assertion",
                            "    - PCI: rcar-gen4: Assure reset occurs before DBI access",
                            "    - PCI: rcar-gen4: Fix inverted break condition in PHY initialization",
                            "    - ASoC: qcom: sc8280xp: use sa8775p/ subdir for QCS9100 / QCS9075",
                            "    - iommu/vt-d: Disallow dirty tracking if incoherent page walk",
                            "    - iommu/selftest: prevent use of uninitialized variable",
                            "    - RDMA/siw: Always report immediate post SQ errors",
                            "    - net: enetc: Fix probing error message typo for the ENETCv4 PF driver",
                            "    - net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast",
                            "    - ptp: Add a upper bound on max_vclocks",
                            "    - vhost: vringh: Fix copy_to_iter return value check",
                            "    - net: macb: remove illusion about TBQPH/RBQPH being per-queue",
                            "    - net: macb: move ring size computation to functions",
                            "    - net: macb: single dma_alloc_coherent() for DMA descriptors",
                            "    - Bluetooth: btintel_pcie: Refactor Device Coredump",
                            "    - Bluetooth: MGMT: Fix not exposing debug UUID on",
                            "      MGMT_OP_READ_EXP_FEATURES_INFO",
                            "    - Bluetooth: ISO: Fix possible UAF on iso_conn_free",
                            "    - Bluetooth: ISO: free rx_skb if not consumed",
                            "    - Bluetooth: ISO: don't leak skb in ISO_CONT RX",
                            "    - Bluetooth: hci_sync: Fix using random address for BIG/PA advertisements",
                            "    - KEYS: X.509: Fix Basic Constraints CA flag parsing",
                            "    - hwrng: ks-sa - fix division by zero in ks_sa_rng_init",
                            "    - cramfs: fix incorrect physical page address calculation",
                            "    - ocfs2: fix double free in user_cluster_connect()",
                            "    - drivers/base/node: fix double free in register_one_node()",
                            "    - f2fs: fix UAF issue in f2fs_merge_page_bio()",
                            "    - mtd: rawnand: atmel: Fix error handling path in",
                            "      atmel_nand_controller_add_nands",
                            "    - PCI: j721e: Fix incorrect error message in probe()",
                            "    - idpf: fix mismatched free function for dma_alloc_coherent",
                            "    - tcp: use skb->len instead of skb->truesize in tcp_can_ingest()",
                            "    - nfp: fix RSS hash key size when RSS is not supported",
                            "    - net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not",
                            "      configurable",
                            "    - net: dlink: handle copy_thresh allocation failure",
                            "    - net/mlx5: Stop polling for command response if interface goes down",
                            "    - net/mlx5: pagealloc: Fix reclaim race during command interface teardown",
                            "    - net/mlx5: fw reset, add reset timeout work",
                            "    - smb: client: fix crypto buffers in non-linear memory",
                            "    - bonding: fix xfrm offload feature setup on active-backup mode",
                            "    - net: enetc: initialize SW PIR and CIR based HW PIR and CIR values",
                            "    - iommufd: Register iommufd mock devices with fwspec",
                            "    - Revert \"net/mlx5e: Update and set Xon/Xoff upon MTU set\"",
                            "    - NFSD: filecache: add STATX_DIOALIGN and STATX_DIO_READ_ALIGN support",
                            "    - nfs/localio: avoid issuing misaligned IO using O_DIRECT",
                            "    - octeontx2-vf: fix bitmap leak",
                            "    - octeontx2-pf: fix bitmap leak",
                            "    - vhost: vringh: Modify the return value check",
                            "    - selftests/bpf: Fix typos and grammar in test sources",
                            "    - selftests/bpf: move get_ksyms and get_addrs to trace_helpers.c",
                            "    - selftests/bpf: Fix realloc size in bpf_get_addrs",
                            "    - bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer",
                            "    - bpf: Reject negative offsets for ALU ops",
                            "    - tpm: Disable TPM2_TCG_HMAC by default",
                            "    - ALSA: hda/hdmi: Add pin fix for HP ProDesk model",
                            "    - ALSA: hda/realtek: Add quirk for HP Spectre 14t-ea100",
                            "    - Squashfs: fix uninit-value in squashfs_get_parent",
                            "    - uio_hv_generic: Let userspace take care of interrupt mask",
                            "    - hisi_acc_vfio_pci: Fix reference leak in hisi_acc_vfio_debug_init",
                            "    - io_uring/waitid: always prune wait queue entry in io_waitid_wait()",
                            "    - io_uring/zcrx: fix overshooting recv limit",
                            "    - ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()",
                            "    - ASoC: SOF: ipc3-topology: Fix multi-core and static pipelines tear down",
                            "    - ASoC: codecs: wcd937x: set the comp soundwire port correctly",
                            "    - ASoC: codecs: wcd937x: make stub functions inline",
                            "    - ASoC: SOF: ipc4-pcm: fix delay calculation when DSP resamples",
                            "    - ASoC: SOF: ipc4-pcm: fix start offset calculation for chain DMA",
                            "    - fs: udf: fix OOB read in lengthAllocDescs handling",
                            "    - net: nfc: nci: Add parameter validation for packet data",
                            "    - mfd: rz-mtu3: Fix MTU5 NFCR register offset",
                            "    - mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag",
                            "    - mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data()",
                            "    - tracing: Fix lock imbalance in s_start() memory allocation failure path",
                            "    - tracing: Fix race condition in kprobe initialization causing NULL",
                            "      pointer dereference",
                            "    - tracing: Fix wakeup tracers on failure of acquiring calltime",
                            "    - tracing: Fix irqoff tracers on failure of acquiring calltime",
                            "    - tracing: Have trace_marker use per-cpu data to read user space",
                            "    - tracing: Fix tracing_mark_raw_write() to use buf and not ubuf",
                            "    - tracing: Stop fortify-string from warning in tracing_mark_raw_write()",
                            "    - dm: fix queue start/stop imbalance under suspend/load/resume races",
                            "    - dm: fix NULL pointer dereference in __dm_suspend()",
                            "    - LoongArch: Automatically disable kaslr if boot from kexec_file",
                            "    - pwm: loongson: Fix LOONGSON_PWM_FREQ_DEFAULT",
                            "    - LoongArch: BPF: Sign-extend struct ops return values properly",
                            "    - LoongArch: BPF: No support of struct argument in trampoline programs",
                            "    - LoongArch: BPF: Don't align trampoline size",
                            "    - LoongArch: BPF: Make trampoline size stable",
                            "    - LoongArch: BPF: Make error handling robust in",
                            "      arch_prepare_bpf_trampoline()",
                            "    - LoongArch: BPF: Remove duplicated bpf_flush_icache()",
                            "    - LoongArch: BPF: No text_poke() for kernel text",
                            "    - LoongArch: BPF: Remove duplicated flags check",
                            "    - LoongArch: BPF: Fix uninitialized symbol 'retval_off'",
                            "    - mm/ksm: fix flag-dropping behavior in ksm_madvise",
                            "    - ksmbd: Fix race condition in RPC handle list access",
                            "    - ksmbd: fix error code overwriting in smb2_get_info_filesystem()",
                            "    - ksmbd: add max ip connections parameter",
                            "    - ext4: fix potential null deref in ext4_mb_init()",
                            "    - ext4: fix checks for orphan inodes",
                            "    - KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid",
                            "    - fbdev: simplefb: Fix use after free in simplefb_detach_genpds()",
                            "    - mm: hugetlb: avoid soft lockup when mprotect to large memory area",
                            "    - selftests/mm: skip soft-dirty tests when CONFIG_MEM_SOFT_DIRTY is",
                            "      disabled",
                            "    - nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()",
                            "    - misc: fastrpc: Save actual DMA size in fastrpc_map structure",
                            "    - misc: fastrpc: Fix fastrpc_map_lookup operation",
                            "    - misc: fastrpc: fix possible map leak in fastrpc_put_args",
                            "    - misc: fastrpc: Skip reference for DMA handles",
                            "    - Input: atmel_mxt_ts - allow reset GPIO to sleep",
                            "    - Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info",
                            "      leak",
                            "    - sunrpc: fix null pointer dereference on zero-length checksum",
                            "    - PCI/AER: Avoid NULL pointer dereference in aer_ratelimit()",
                            "    - remoteproc: pru: Fix potential NULL pointer dereference in",
                            "      pru_rproc_set_ctable()",
                            "    - PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before",
                            "      release",
                            "    - thunderbolt: Fix use-after-free in tb_dp_dprx_work",
                            "    - tee: fix register_shm_helper()",
                            "    - pinctrl: check the return value of pinmux_ops::get_function_name()",
                            "    - bus: fsl-mc: Check return value of platform_get_resource()",
                            "    - net/9p: Fix buffer overflow in USB transport layer",
                            "    - net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock",
                            "    - usb: typec: tipd: Clear interrupts first",
                            "    - arm64: dts: qcom: qcm2290: Disable USB SS bus instances in park mode",
                            "    - usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call",
                            "    - scsi: ufs: core: Fix PM QoS mutex initialization",
                            "    - drm/amdgpu/vcn: Fix double-free of vcn dump buffer",
                            "    - Linux 6.17.3",
                            "  * CVE-2025-40019",
                            "    - crypto: essiv - Check ssize for decryption and in-place encryption",
                            "  * CVE-2025-40214",
                            "    - af_unix: Initialise scc_index in unix_add_edge().",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [SAUCE] Fix selftest/net/rtnetlink.sh for Big Endian",
                            ""
                        ],
                        "package": "linux-riscv",
                        "version": "6.17.0-14.14.1",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2137845,
                            1786013,
                            2137849,
                            1786013,
                            2136820,
                            2137698,
                            2129812,
                            2125022,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136813,
                            2132317,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2132095,
                            2131046,
                            2115860,
                            2128792,
                            2121852,
                            2131259,
                            2131259,
                            2131702,
                            2129610
                        ],
                        "author": "Sarah Emery <sarah.emery@canonical.com>",
                        "date": "Fri, 23 Jan 2026 09:46:46 +0100"
                    }
                ],
                "notes": "linux-headers-6.17.0-14-generic version '6.17.0-14.14.1' (source package linux-riscv version '6.17.0-14.14.1') was added. linux-headers-6.17.0-14-generic version '6.17.0-14.14.1' has the same source package name, linux-riscv, as removed package linux-headers-6.17.0-12-generic. As such we can use the source package version of the removed package, '6.17.0-12.12.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-6.17.0-14-generic",
                "from_version": {
                    "source_package_name": "linux-riscv",
                    "source_package_version": "6.17.0-12.12.1",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-riscv",
                    "source_package_version": "6.17.0-14.14.1",
                    "version": "6.17.0-14.14.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-40256",
                        "url": "https://ubuntu.com/security/CVE-2025-40256",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added  In commit b441cf3f8c4b (\"xfrm: delete x->tunnel as we delete x\"), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists.  In this situation, ->init_state has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn't go through __xfrm_state_delete, so we don't call xfrm_state_delete_tunnel for those states, and we end up leaking the FB tunnel.  There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrm_migrate, xfrm_state_migrate). A \"proper\" rollback of the init_state work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved.  At some point, the new (not-inserted) state will be destroyed, so call xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states will have their fallback tunnel cleaned up during __xfrm_state_delete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68204",
                        "url": "https://ubuntu.com/security/CVE-2025-68204",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pmdomain: arm: scmi: Fix genpd leak on provider registration failure  If of_genpd_add_provider_onecell() fails during probe, the previously created generic power domains are not removed, leading to a memory leak and potential kernel crash later in genpd_debug_add().  Add proper error handling to unwind the initialized domains before returning from probe to ensure all resources are correctly released on failure.  Example crash trace observed without this fix:    | Unable to handle kernel paging request at virtual address fffffffffffffc70   | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT   | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform   | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)   | pc : genpd_debug_add+0x2c/0x160   | lr : genpd_debug_init+0x74/0x98   | Call trace:   |  genpd_debug_add+0x2c/0x160 (P)   |  genpd_debug_init+0x74/0x98   |  do_one_initcall+0xd0/0x2d8   |  do_initcall_level+0xa0/0x140   |  do_initcalls+0x60/0xa8   |  do_basic_setup+0x28/0x40   |  kernel_init_freeable+0xe8/0x170   |  kernel_init+0x2c/0x140   |  ret_from_fork+0x10/0x20",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68203",
                        "url": "https://ubuntu.com/security/CVE-2025-68203",
                        "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40267",
                        "url": "https://ubuntu.com/security/CVE-2025-40267",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/rw: ensure allocated iovec gets cleared for early failure  A previous commit reused the recyling infrastructure for early cleanup, but this is not enough for the case where our internal caches have overflowed. If this happens, then the allocated iovec can get leaked if the request is also aborted early.  Reinstate the previous forced free of the iovec for that situation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68198",
                        "url": "https://ubuntu.com/security/CVE-2025-68198",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crash: fix crashkernel resource shrink  When crashkernel is configured with a high reservation, shrinking its value below the low crashkernel reservation causes two issues:  1. Invalid crashkernel resource objects 2. Kernel crash if crashkernel shrinking is done twice  For example, with crashkernel=200M,high, the kernel reserves 200MB of high memory and some default low memory (say 256MB).  The reservation appears as:  cat /proc/iomem | grep -i crash af000000-beffffff : Crash kernel 433000000-43f7fffff : Crash kernel  If crashkernel is then shrunk to 50MB (echo 52428800 > /sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved: af000000-beffffff : Crash kernel  Instead, it should show 50MB: af000000-b21fffff : Crash kernel  Further shrinking crashkernel to 40MB causes a kernel crash with the following trace (x86):  BUG: kernel NULL pointer dereference, address: 0000000000000038 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI <snip...> Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2f0 ? search_module_extables+0x19/0x60 ? search_bpf_extables+0x5f/0x80 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? __release_resource+0xd/0xb0 release_resource+0x26/0x40 __crash_shrink_memory+0xe5/0x110 crash_shrink_memory+0x12a/0x190 kexec_crash_size_store+0x41/0x80 kernfs_fop_write_iter+0x141/0x1f0 vfs_write+0x294/0x460 ksys_write+0x6d/0xf0 <snip...>  This happens because __crash_shrink_memory()/kernel/crash_core.c incorrectly updates the crashk_res resource object even when crashk_low_res should be updated.  Fix this by ensuring the correct crashkernel resource object is updated when shrinking crashkernel memory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68199",
                        "url": "https://ubuntu.com/security/CVE-2025-68199",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext  When alloc_slab_obj_exts() fails and then later succeeds in allocating a slab extension vector, it calls handle_failed_objexts_alloc() to mark all objects in the vector as empty.  As a result all objects in this slab (slabA) will have their extensions set to CODETAG_EMPTY.  Later on if this slabA is used to allocate a slabobj_ext vector for another slab (slabB), we end up with the slabB->obj_exts pointing to a slabobj_ext vector that itself has a non-NULL slabobj_ext equal to CODETAG_EMPTY.  When slabB gets freed, free_slab_obj_exts() is called to free slabB->obj_exts vector.   free_slab_obj_exts() calls mark_objexts_empty(slabB->obj_exts) which will generate a warning because it expects slabobj_ext vectors to have a NULL obj_ext, not CODETAG_EMPTY.  Modify mark_objexts_empty() to skip the warning and setting the obj_ext value if it's already set to CODETAG_EMPTY.   To quickly detect this WARN, I modified the code from WARN_ON(slab_exts[offs].ref.ct) to BUG_ON(slab_exts[offs].ref.ct == 1);  We then obtained this message:  [21630.898561] ------------[ cut here ]------------ [21630.898596] kernel BUG at mm/slub.c:2050! 
[21630.898611] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [21630.900372] Modules linked in: squashfs isofs vfio_iommu_type1 vhost_vsock vfio vhost_net vmw_vsock_virtio_transport_common vhost tap vhost_iotlb iommufd vsock binfmt_misc nfsv3 nfs_acl nfs lockd grace netfs tls rds dns_resolver tun brd overlay ntfs3 exfat btrfs blake2b_generic xor xor_neon raid6_pq loop sctp ip6_udp_tunnel udp_tunnel nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables rfkill ip_set sunrpc vfat fat joydev sg sch_fq_codel nfnetlink virtio_gpu sr_mod cdrom drm_client_lib virtio_dma_buf drm_shmem_helper drm_kms_helper drm ghash_ce backlight virtio_net virtio_blk virtio_scsi net_failover virtio_console failover virtio_mmio dm_mirror dm_region_hash dm_log dm_multipath dm_mod fuse i2c_dev virtio_pci virtio_pci_legacy_dev virtio_pci_modern_dev virtio virtio_ring autofs4 aes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject] [21630.909177] CPU: 3 UID: 0 PID: 3787 Comm: kylin-process-m Kdump: loaded Tainted: G        W           6.18.0-rc1+ #74 PREEMPT(voluntary) [21630.910495] Tainted: [W]=WARN [21630.910867] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 [21630.911625] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [21630.912392] pc : __free_slab+0x228/0x250 [21630.912868] lr : __free_slab+0x18c/0x250[21630.913334] sp : ffff8000a02f73e0 [21630.913830] x29: ffff8000a02f73e0 x28: fffffdffc43fc800 x27: ffff0000c0011c40 [21630.914677] x26: ffff0000c000cac0 x25: ffff00010fe5e5f0 x24: ffff000102199b40 [21630.915469] x23: 0000000000000003 x22: 0000000000000003 x21: ffff0000c0011c40 [21630.916259] x20: fffffdffc4086600 x19: fffffdffc43fc800 x18: 0000000000000000 [21630.917048] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [21630.917837] x14: 0000000000000000 x13: 0000000000000000 x12: ffff70001405ee66 
[21630.918640] x11: 1ffff0001405ee65 x10: ffff70001405ee65 x9 : ffff800080a295dc [21630.919442] x8 : ffff8000a02f7330 x7 : 0000000000000000 x6 : 0000000000003000 [21630.920232] x5 : 0000000024924925 x4 : 0000000000000001 x3 : 0000000000000007 [21630.921021] x2 : 0000000000001b40 x1 : 000000000000001f x0 : 0000000000000001 [21630.921810] Call trace: [21630.922130]  __free_slab+0x228/0x250 (P) [21630.922669]  free_slab+0x38/0x118 [21630.923079]  free_to_partial_list+0x1d4/0x340 [21630.923591]  __slab_free+0x24c/0x348 [21630.924024]  ___cache_free+0xf0/0x110 [21630.924468]  qlist_free_all+0x78/0x130 [21630.924922]  kasan_quarantine_reduce+0x11 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40268",
                        "url": "https://ubuntu.com/security/CVE-2025-40268",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cifs: client: fix memory leak in smb3_fs_context_parse_param  The user calls fsconfig twice, but when the program exits, free() only frees ctx->source for the second fsconfig, not the first. Regarding fc->source, there is no code in the fs context related to its memory reclamation.  To fix this memory leak, release the source memory corresponding to ctx or fc before each parsing.  syzbot reported: BUG: memory leak unreferenced object 0xffff888128afa360 (size 96):   backtrace (crc 79c9c7ba):     kstrdup+0x3c/0x80 mm/util.c:84     smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444  BUG: memory leak unreferenced object 0xffff888112c7d900 (size 96):   backtrace (crc 79c9c7ba):     smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629     smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40269",
                        "url": "https://ubuntu.com/security/CVE-2025-40269",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix potential overflow of PCM transfer buffer  The PCM stream data in USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically.  The packet sizes are limited by some factors such as wMaxPacketSize USB descriptor.  OTOH, in the current code, the actually used packet sizes are determined only by the rate and the PPS, which may be bigger than the size limit above.  This results in a buffer overflow, as reported by syzbot.  Basically when the limit is smaller than the calculated packet size, it implies that something is wrong, most likely a weird USB descriptor.  So the best option would be just to return an error at the parameter setup time before doing any further operations.  This patch introduces such a sanity check, and returns -EINVAL when the packet size is greater than maxpacksize.  The comparison with ep->packsize[1] alone should suffice since it's always equal or greater than ep->packsize[0].",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68205",
                        "url": "https://ubuntu.com/security/CVE-2025-68205",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver  After restructuring and splitting the HDMI codec driver code, each HDMI codec driver contains its own build_controls and build_pcms ops. A copy-n-paste error put the wrong entries for nvhdmi-mcp driver; both build_controls and build_pcms are swapped.  Unfortunately both callbacks have the very same form, and the compiler didn't complain about it, either.  This resulted in a NULL dereference because the PCM instance hasn't been initialized at calling the build_controls callback.  Fix it by passing the proper entries.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40270",
                        "url": "https://ubuntu.com/security/CVE-2025-40270",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm, swap: fix potential UAF issue for VMA readahead  Since commit 78524b05f1a3 (\"mm, swap: avoid redundant swap device pinning\"), the common helper for allocating and preparing a folio in the swap cache layer no longer tries to get a swap device reference internally, because all callers of __read_swap_cache_async are already holding a swap entry reference.  The repeated swap device pinning isn't needed on the same swap device.  Caller of VMA readahead is also holding a reference to the target entry's swap device, but VMA readahead walks the page table, so it might encounter swap entries from other devices, and call __read_swap_cache_async on another device without holding a reference to it.  So it is possible to cause a UAF when swapoff of device A raced with swapin on device B, and VMA readahead tries to read swap entries from device A.  It's not easy to trigger, but in theory, it could cause real issues.  Make VMA readahead try to get the device reference first if the swap device is a different one from the target entry.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40271",
                        "url": "https://ubuntu.com/security/CVE-2025-40271",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/proc: fix uaf in proc_readdir_de()  Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which may result in uaf access.  We should use RB_CLEAR_NODE() set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access.  We found an uaf issue while using stress-ng testing, need to run testcase getdent and tun in the same time.  The steps of the issue is as follows:  1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current    pde is tun3;  2) in the [time windows] unregister netdevice tun3 and tun2, and erase    them from rbtree.  erase tun3 first, and then erase tun2.  the    pde(tun2) will be released to slab;  3) continue to getdent process, then pde_subdir_next() will return    pde(tun2) which is released, it will case uaf access.  CPU 0                                      |    CPU 1 ------------------------------------------------------------------------- traverse dir /proc/pid/net/dev_snmp6/      |  unregister_netdevice(tun->dev)   //tun3 tun2 sys_getdents64()                           |   iterate_dir()                            |     proc_readdir()                         |       proc_readdir_de()                    |     snmp6_unregister_dev()         pde_get(de);                       |       proc_remove()         read_unlock(&proc_subdir_lock);    |         remove_proc_subtree()                                            |          write_lock(&proc_subdir_lock);         [time window]                      |          rb_erase(&root->subdir_node, &parent->subdir);                                            |          write_unlock(&proc_subdir_lock);         read_lock(&proc_subdir_lock);      |         next = pde_subdir_next(de);        |         pde_put(de);                       |         de = next;    //UAF                |  rbtree of dev_snmp6                         |        
             pde(tun3)                      /    \\                   NULL  pde(tun2)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40272",
                        "url": "https://ubuntu.com/security/CVE-2025-40272",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/secretmem: fix use-after-free race in fault handler  When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping.  If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in adding the folio to the file mapping.  The task that failed undoes the effects of its attempt by (a) freeing the folio again and (b) putting the page back into the direct map.  However, by doing these two operations in this order, the page becomes available to the allocator again before it is placed back in the direct mapping.  If another task attempts to allocate the page between (a) and (b), and the kernel tries to access it via the direct map, it would result in a supervisor not-present page fault.  Fix the ordering to restore the direct map before the folio is freed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68245",
                        "url": "https://ubuntu.com/security/CVE-2025-68245",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: netpoll: fix incorrect refcount handling causing incorrect cleanup  commit efa95b01da18 (\"netpoll: fix use after free\") incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks.  Scenario causing lack of proper cleanup:  1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is    allocated, and refcnt = 1    - Keep in mind that npinfo is shared among all netpoll instances. In      this case, there is just one.  2) Another netpoll is also associated with the same NIC and    npinfo->refcnt += 1.    - Now dev->npinfo->refcnt = 2;    - There is just one npinfo associated to the netdev.  3) When the first netpolls goes to clean up:    - The first cleanup succeeds and clears np->dev->npinfo, ignoring      refcnt.      - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);`    - Set dev->npinfo = NULL, without proper cleanup    - No ->ndo_netpoll_cleanup() is either called  4) Now the second target tries to clean up    - The second cleanup fails because np->dev->npinfo is already NULL.      * In this case, ops->ndo_netpoll_cleanup() was never called, and        the skb pool is not cleaned as well (for the second netpoll        instance)   - This leaks npinfo and skbpool skbs, which is clearly reported by     kmemleak.  Revert commit efa95b01da18 (\"netpoll: fix use after free\") and adds clarifying comments emphasizing that npinfo cleanup should only happen once the refcount reaches zero, ensuring stable and correct netpoll behavior.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68240",
                        "url": "https://ubuntu.com/security/CVE-2025-68240",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: avoid having an active sc_timer before freeing sci  Because kthread_stop did not stop sc_task properly and returned -EINTR, the sc_timer was not properly closed, ultimately causing the problem [1] reported by syzbot when freeing sci due to the sc_timer not being closed.  Because the thread sc_task main function nilfs_segctor_thread() returns 0 when it succeeds, when the return value of kthread_stop() is not 0 in nilfs_segctor_destroy(), we believe that it has not properly closed sc_timer.  We use timer_shutdown_sync() to sync wait for sc_timer to shut down, and set the value of sc_task to NULL under the protection of lock sc_state_lock, so as to avoid the issue caused by sc_timer not being properly shut down.  [1] ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: nilfs_construction_timeout Call trace:  nilfs_segctor_destroy fs/nilfs2/segment.c:2811 [inline]  nilfs_detach_log_writer+0x668/0x8cc fs/nilfs2/segment.c:2877  nilfs_put_super+0x4c/0x12c fs/nilfs2/super.c:509",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68241",
                        "url": "https://ubuntu.com/security/CVE-2025-68241",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe  The sit driver's packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random.  The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exception() can fetch the soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a new dst using a dst_hold(). When the original fnheX is freed via RCU, the dst reference remains permanently leaked.  CPU 0                             CPU 1 __mkroute_output()   find_exception() [fnheX]                                   update_or_create_fnhe()                                     fnhe_remove_oldest() [fnheX]   rt_bind_exception() [bind dst]                                   RCU callback [fnheX freed, dst leak]  This issue manifests as a device reference count leak and a warning in dmesg when unregistering the net device:    unregister_netdevice: waiting for sitX to become free. Usage count = N  Ido Schimmel provided the simple test validation method [1].  The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes(). Since rt_bind_exception() checks this field, setting it to zero prevents the stale fnhe from being reused and bound to a new dst just before it is freed.  
[1] ip netns add ns1 ip -n ns1 link set dev lo up ip -n ns1 address add 192.0.2.1/32 dev lo ip -n ns1 link add name dummy1 up type dummy ip -n ns1 route add 192.0.2.2/32 dev dummy1 ip -n ns1 link add name gretap1 up arp off type gretap \\     local 192.0.2.1 remote 192.0.2.2 ip -n ns1 route add 198.51.0.0/16 dev gretap1 taskset -c 0 ip netns exec ns1 mausezahn gretap1 \\     -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & taskset -c 2 ip netns exec ns1 mausezahn gretap1 \\     -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & sleep 10 ip netns pids ns1 | xargs kill ip netns del ns1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68211",
                        "url": "https://ubuntu.com/security/CVE-2025-68211",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksm: use range-walk function to jump over holes in scan_get_next_rmap_item  Currently, scan_get_next_rmap_item() walks every page address in a VMA to locate mergeable pages.  This becomes highly inefficient when scanning large virtual memory areas that contain mostly unmapped regions, causing ksmd to use large amount of cpu without deduplicating much pages.  This patch replaces the per-address lookup with a range walk using walk_page_range().  The range walker allows KSM to skip over entire unmapped holes in a VMA, avoiding unnecessary lookups.  This problem was previously discussed in [1].  Consider the following test program which creates a 32 TiB mapping in the virtual address space but only populates a single page:  #include <unistd.h> #include <stdio.h> #include <sys/mman.h>  /* 32 TiB */ const size_t size = 32ul * 1024 * 1024 * 1024 * 1024;  int main() {         char *area = mmap(NULL, size, PROT_READ | PROT_WRITE,                           MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1, 0);          if (area == MAP_FAILED) {                 perror(\"mmap() failed\\n\");                 return -1;         }          /* Populate a single page such that we get an anon_vma. */         *area = 0;          /* Enable KSM. */         madvise(area, size, MADV_MERGEABLE);         pause();         return 0; }  $ ./ksm-sparse  & $ echo 1 > /sys/kernel/mm/ksm/run  Without this patch ksmd uses 100% of the cpu for a long time (more than 1 hour in my test machine) scanning all the 32 TiB virtual address space that contain only one mapped page.  This makes ksmd essentially deadlocked not able to deduplicate anything of value.  With this patch ksmd walks only the one mapped page and skips the rest of the 32 TiB virtual address space, making the scan fast using little cpu.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68246",
                        "url": "https://ubuntu.com/security/CVE-2025-68246",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: close accepted socket when per-IP limit rejects connection  When the per-IP connection limit is exceeded in ksmbd_kthread_fn(), the code sets ret = -EAGAIN and continues the accept loop without closing the just-accepted socket. That leaks one socket per rejected attempt from a single IP and enables a trivial remote DoS.  Release client_sk before continuing.  This bug was found with ZeroPath.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40273",
                        "url": "https://ubuntu.com/security/CVE-2025-40273",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: free copynotify stateid in nfs4_free_ol_stateid()  Typically copynotify stateid is freed either when parent's stateid is being close/freed or in nfsd4_laundromat if the stateid hasn't been used in a lease period.  However, in case when the server got an OPEN (which created a parent stateid), followed by a COPY_NOTIFY using that stateid, followed by a client reboot. New client instance while doing CREATE_SESSION would force expire previous state of this client. It leads to the open state being freed thru release_openowner-> nfs4_free_ol_stateid() and it finds that it still has copynotify stateid associated with it. We currently print a warning and is triggerred  WARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd]  This patch, instead, frees the associated copynotify stateid here.  If the parent stateid is freed (without freeing the copynotify stateids associated with it), it leads to the list corruption when laundromat ends up freeing the copynotify state later.  
[ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP [ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink [ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G    B   W           6.17.0-rc7+ #22 PREEMPT(voluntary) [ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN [ 1626.857573] Hardware name: VMware, Inc. 
VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024 [ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd] [ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.861182] sp : ffff8000881d7a40 [ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200 [ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20 [ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8 [ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000 [ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065 [ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3 [ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000 [ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001 [ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000 [ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d [ 1626.868167] Call trace: [ 1626.868382]  __list_del_entry_valid_or_report+0x148/0x200 (P) [ 1626.868876]  _free_cpntf_state_locked+0xd0/0x268 [nfsd] [ 1626.869368]  nfs4_laundromat+0x6f8/0x1058 [nfsd] [ 1626.869813]  laundromat_main+0x24/0x60 [nfsd] [ 1626.870231]  process_one_work+0x584/0x1050 [ 1626.870595]  worker_thread+0x4c4/0xc60 [ 1626.870893]  kthread+0x2f8/0x398 [ 1626.871146]  ret_from_fork+0x10/0x20 [ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000) [ 1626.871892] SMP: stopping secondary CPUs",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40212",
                        "url": "https://ubuntu.com/security/CVE-2025-40212",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfsd: fix refcount leak in nfsd_set_fh_dentry()  nfsd exports a \"pseudo root filesystem\" which is used by NFSv4 to find the various exported filesystems using LOOKUP requests from a known root filehandle.  NFSv3 uses the MOUNT protocol to find those exported filesystems and so is not given access to the pseudo root filesystem.  If a v3 (or v2) client uses a filehandle from that filesystem, nfsd_set_fh_dentry() will report an error, but still stores the export in \"struct svc_fh\" even though it also drops the reference (exp_put()). This means that when fh_put() is called an extra reference will be dropped which can lead to use-after-free and possible denial of service.  Normal NFS usage will not provide a pseudo-root filehandle to a v3 client.  This bug can only be triggered by the client synthesising an incorrect filehandle.  To fix this we move the assignments to the svc_fh later, after all possible error cases have been detected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-24 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40274",
                        "url": "https://ubuntu.com/security/CVE-2025-40274",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying  When unbinding a memslot from a guest_memfd instance, remove the bindings even if the guest_memfd file is dying, i.e. even if its file refcount has gone to zero.  If the memslot is freed before the file is fully released, nullifying the memslot side of the binding in kvm_gmem_release() will write to freed memory, as detected by syzbot+KASAN:    ==================================================================   BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353   Write of size 8 at addr ffff88807befa508 by task syz.0.17/6022    CPU: 0 UID: 0 PID: 6022 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025   Call Trace:    <TASK>    dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120    print_address_description mm/kasan/report.c:378 [inline]    print_report+0xca/0x240 mm/kasan/report.c:482    kasan_report+0x118/0x150 mm/kasan/report.c:595    kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353    __fput+0x44c/0xa70 fs/file_table.c:468    task_work_run+0x1d4/0x260 kernel/task_work.c:227    resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]    exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43    exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]    syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]    syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]    do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100    entry_SYSCALL_64_after_hwframe+0x77/0x7f   RIP: 0033:0x7fbeeff8efc9    </TASK>    Allocated by task 6023:    kasan_save_stack mm/kasan/common.c:56 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:77    poison_kmalloc_redzone mm/kasan/common.c:397 
[inline]    __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414    kasan_kmalloc include/linux/kasan.h:262 [inline]    __kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5758    kmalloc_noprof include/linux/slab.h:957 [inline]    kzalloc_noprof include/linux/slab.h:1094 [inline]    kvm_set_memory_region+0x747/0xb90 virt/kvm/kvm_main.c:2104    kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154    kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:597 [inline]    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    Freed by task 6023:    kasan_save_stack mm/kasan/common.c:56 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:77    kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584    poison_slab_object mm/kasan/common.c:252 [inline]    __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284    kasan_slab_free include/linux/kasan.h:234 [inline]    slab_free_hook mm/slub.c:2533 [inline]    slab_free mm/slub.c:6622 [inline]    kfree+0x19a/0x6d0 mm/slub.c:6829    kvm_set_memory_region+0x9c4/0xb90 virt/kvm/kvm_main.c:2130    kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154    kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:597 [inline]    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f  Deliberately don't acquire filemap invalid lock when the file is dying as the lifecycle of f_mapping is outside the purview of KVM.  
Dereferencing the mapping is *probably* fine, but there's no need to invalidate anything as memslot deletion is responsible for zapping SPTEs, and the only code that can access the dying file is kvm_gmem_release(), whose core code is mutual ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68202",
                        "url": "https://ubuntu.com/security/CVE-2025-68202",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Fix unsafe locking in the scx_dump_state()  For built with CONFIG_PREEMPT_RT=y kernels, the dump_lock will be converted sleepable spinlock and not disable-irq, so the following scenarios occur:  inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. irq_work/0/27 [HC0[0]:SC0[0]:HE1:SE1] takes: (&rq->__lock){?...}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x40 {IN-HARDIRQ-W} state was registered at:    lock_acquire+0x1e1/0x510    _raw_spin_lock_nested+0x42/0x80    raw_spin_rq_lock_nested+0x2b/0x40    sched_tick+0xae/0x7b0    update_process_times+0x14c/0x1b0    tick_periodic+0x62/0x1f0    tick_handle_periodic+0x48/0xf0    timer_interrupt+0x55/0x80    __handle_irq_event_percpu+0x20a/0x5c0    handle_irq_event_percpu+0x18/0xc0    handle_irq_event+0xb5/0x150    handle_level_irq+0x220/0x460    __common_interrupt+0xa2/0x1e0    common_interrupt+0xb0/0xd0    asm_common_interrupt+0x2b/0x40    _raw_spin_unlock_irqrestore+0x45/0x80    __setup_irq+0xc34/0x1a30    request_threaded_irq+0x214/0x2f0    hpet_time_init+0x3e/0x60    x86_late_time_init+0x5b/0xb0    start_kernel+0x308/0x410    x86_64_start_reservations+0x1c/0x30    x86_64_start_kernel+0x96/0xa0    common_startup_64+0x13e/0x148   other info that might help us debug this:  Possible unsafe locking scenario:          CPU0         ----    lock(&rq->__lock);    <Interrupt>      lock(&rq->__lock);    *** DEADLOCK ***   stack backtrace:  CPU: 0 UID: 0 PID: 27 Comm: irq_work/0  Call Trace:   <TASK>   dump_stack_lvl+0x8c/0xd0   dump_stack+0x14/0x20   print_usage_bug+0x42e/0x690   mark_lock.part.44+0x867/0xa70   ? __pfx_mark_lock.part.44+0x10/0x10   ? string_nocheck+0x19c/0x310   ? number+0x739/0x9f0   ? __pfx_string_nocheck+0x10/0x10   ? __pfx_check_pointer+0x10/0x10   ? kvm_sched_clock_read+0x15/0x30   ? sched_clock_noinstr+0xd/0x20   ? local_clock_noinstr+0x1c/0xe0   __lock_acquire+0xc4b/0x62b0   ? 
__pfx_format_decode+0x10/0x10   ? __pfx_string+0x10/0x10   ? __pfx___lock_acquire+0x10/0x10   ? __pfx_vsnprintf+0x10/0x10   lock_acquire+0x1e1/0x510   ? raw_spin_rq_lock_nested+0x2b/0x40   ? __pfx_lock_acquire+0x10/0x10   ? dump_line+0x12e/0x270   ? raw_spin_rq_lock_nested+0x20/0x40   _raw_spin_lock_nested+0x42/0x80   ? raw_spin_rq_lock_nested+0x2b/0x40   raw_spin_rq_lock_nested+0x2b/0x40   scx_dump_state+0x3b3/0x1270   ? finish_task_switch+0x27e/0x840   scx_ops_error_irq_workfn+0x67/0x80   irq_work_single+0x113/0x260   irq_work_run_list.part.3+0x44/0x70   run_irq_workd+0x6b/0x90   ? __pfx_run_irq_workd+0x10/0x10   smpboot_thread_fn+0x529/0x870   ? __pfx_smpboot_thread_fn+0x10/0x10   kthread+0x305/0x3f0   ? __pfx_kthread+0x10/0x10   ret_from_fork+0x40/0x70   ? __pfx_kthread+0x10/0x10   ret_from_fork_asm+0x1a/0x30   </TASK>  This commit therefore use rq_lock_irqsave/irqrestore() to replace rq_lock/unlock() in the scx_dump_state().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68239",
                        "url": "https://ubuntu.com/security/CVE-2025-68239",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  binfmt_misc: restore write access before closing files opened by open_exec()  bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed.  However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write operations on the same file to fail.  Fix this by calling exe_file_allow_write_access() before filp_close() to restore the write permission properly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68247",
                        "url": "https://ubuntu.com/security/CVE-2025-68247",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  posix-timers: Plug potential memory leak in do_timer_create()  When posix timer creation is set to allocate a given timer ID and the access to the user space value faults, the function terminates without freeing the already allocated posix timer structure.  Move the allocation after the user space access to cure that.  [ tglx: Massaged change log ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68208",
                        "url": "https://ubuntu.com/security/CVE-2025-68208",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: account for current allocated stack depth in widen_imprecise_scalars()  The usage pattern for widen_imprecise_scalars() looks as follows:      prev_st = find_prev_entry(env, ...);     queued_st = push_stack(...);     widen_imprecise_scalars(env, prev_st, queued_st);  Where prev_st is an ancestor of the queued_st in the explored states tree. This ancestor is not guaranteed to have same allocated stack depth as queued_st. E.g. in the following case:      def main():       for i in 1..2:         foo(i)        // same callsite, different param      def foo(i):       if i == 1:         use 128 bytes of stack       iterator based loop  Here, for a second 'foo' call prev_st->allocated_stack is 128, while queued_st->allocated_stack is much smaller. widen_imprecise_scalars() needs to take this into account and avoid accessing bpf_verifier_state->frame[*]->stack out of bounds.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68200",
                        "url": "https://ubuntu.com/security/CVE-2025-68200",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Add bpf_prog_run_data_pointers()  syzbot found that cls_bpf_classify() is able to change tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().  WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline] WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214  struct tc_skb_cb has been added in commit ec624fe740b4 (\"net/sched: Extend qdisc control block with tc control block\"), which added a wrong interaction with db58ba459202 (\"bpf: wire in data and data_end for cls_act_bpf\").  drop_reason was added later.  Add bpf_prog_run_data_pointers() helper to save/restore the net_sched storage colliding with BPF data_meta/data_end.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40275",
                        "url": "https://ubuntu.com/security/CVE-2025-40275",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd  In snd_usb_create_streams(), for UAC version 3 devices, the Interface Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this call fails, a fallback routine attempts to obtain the IAD from the next interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, without performing a NULL check. This can lead to a NULL pointer dereference when usb_ifnum_to_if() fails to find the interface descriptor.  This patch adds a NULL pointer check after calling usb_ifnum_to_if() in snd_usb_mixer_controls_badd() to prevent the dereference.  This issue was discovered by syzkaller, which triggered the bug by sending a crafted USB device descriptor.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68242",
                        "url": "https://ubuntu.com/security/CVE-2025-68242",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS: Fix LTP test failures when timestamps are delegated  The utimes01 and utime06 tests fail when delegated timestamps are enabled, specifically in subtests that modify the atime and mtime fields using the 'nobody' user ID.  The problem can be reproduced as follow:  # echo \"/media *(rw,no_root_squash,sync)\" >> /etc/exports # export -ra # mount -o rw,nfsvers=4.2 127.0.0.1:/media /tmpdir # cd /opt/ltp # ./runltp -d /tmpdir -s utimes01 # ./runltp -d /tmpdir -s utime06  This issue occurs because nfs_setattr does not verify the inode's UID against the caller's fsuid when delegated timestamps are permitted for the inode.  This patch adds the UID check and if it does not match then the request is sent to the server for permission checking.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68243",
                        "url": "https://ubuntu.com/security/CVE-2025-68243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS: Check the TLS certificate fields in nfs_match_client()  If the TLS security policy is of type RPC_XPRTSEC_TLS_X509, then the cert_serial and privkey_serial fields need to match as well since they define the client's identity, as presented to the server.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40276",
                        "url": "https://ubuntu.com/security/CVE-2025-40276",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/panthor: Flush shmem writes before mapping buffers CPU-uncached  The shmem layer zeroes out the new pages using cached mappings, and if we don't CPU-flush we might leave dirty cachelines behind, leading to potential data leaks and/or asynchronous buffer corruption when dirty cachelines are evicted.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40277",
                        "url": "https://ubuntu.com/security/CVE-2025-40277",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE  This data originates from userspace and is used in buffer offset calculations which could potentially overflow causing an out-of-bounds access.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68206",
                        "url": "https://ubuntu.com/security/CVE-2025-68206",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_ct: add seqadj extension for natted connections  Sequence adjustment may be required for FTP traffic with PASV/EPSV modes. due to need to re-write packet payload (IP, port) on the ftp control connection. This can require changes to the TCP length and expected seq / ack_seq.  The easiest way to reproduce this issue is with PASV mode. Example ruleset: table inet ftp_nat {         ct helper ftp_helper {                 type \"ftp\" protocol tcp                 l3proto inet         }          chain prerouting {                 type filter hook prerouting priority 0; policy accept;                 tcp dport 21 ct state new ct helper set \"ftp_helper\"         } } table ip nat {         chain prerouting {                 type nat hook prerouting priority -100; policy accept;                 tcp dport 21 dnat ip prefix to ip daddr map { \t\t\t192.168.100.1 : 192.168.13.2/32 }         }          chain postrouting {                 type nat hook postrouting priority 100 ; policy accept;                 tcp sport 21 snat ip prefix to ip saddr map { \t\t\t192.168.13.2 : 192.168.100.1/32 }         } }  Note that the ftp helper gets assigned *after* the dnat setup.  The inverse (nat after helper assign) is handled by an existing check in nf_nat_setup_info() and will not show the problem.  Topoloy:   +-------------------+     +----------------------------------+  | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |  +-------------------+     +----------------------------------+                                       |                          +-----------------------+                          | Client: 192.168.100.2 |                          +-----------------------+  ftp nat changes do not work as expected in this case: Connected to 192.168.100.1. [..] ftp> epsv EPSV/EPRT on IPv4 off. ftp> ls 227 Entering passive mode (192,168,100,1,209,129). 
421 Service not available, remote server has closed connection.  Kernel logs: Missing nfct_seqadj_ext_add() setup call WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41 [..]  __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]  nf_nat_ftp+0x142/0x280 [nf_nat_ftp]  help+0x4d1/0x880 [nf_conntrack_ftp]  nf_confirm+0x122/0x2e0 [nf_conntrack]  nf_hook_slow+0x3c/0xb0  ..  Fix this by adding the required extension when a conntrack helper is assigned to a connection that has a nat binding.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68209",
                        "url": "https://ubuntu.com/security/CVE-2025-68209",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mlx5: Fix default values in create CQ  Currently, CQs without a completion function are assigned the mlx5_add_cq_to_tasklet function by default. This is problematic since only user CQs created through the mlx5_ib driver are intended to use this function.  Additionally, all CQs that will use doorbells instead of polling for completions must call mlx5_cq_arm. However, the default CQ creation flow leaves a valid value in the CQ's arm_db field, allowing FW to send interrupts to polling-only CQs in certain corner cases.  These two factors would allow a polling-only kernel CQ to be triggered by an EQ interrupt and call a completion function intended only for user CQs, causing a null pointer exception.  Some areas in the driver have prevented this issue with one-off fixes but did not address the root cause.  This patch fixes the described issue by adding defaults to the create CQ flow. It adds a default dummy completion function to protect against null pointer exceptions, and it sets an invalid command sequence number by default in kernel CQs to prevent the FW from sending an interrupt to the CQ until it is armed. User CQs are responsible for their own initialization values.  Callers of mlx5_core_create_cq are responsible for changing the completion function and arming the CQ per their needs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40278",
                        "url": "https://ubuntu.com/security/CVE-2025-40278",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak  Fix a KMSAN kernel-infoleak detected  by the syzbot .  [net?] KMSAN: kernel-infoleak in __skb_datagram_iter  In tcf_ife_dump(), the variable 'opt' was partially initialized using a designatied initializer. While the padding bytes are reamined uninitialized. nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace.  Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to beign copied.  This change silences the KMSAN report and prevents potential information leaks from the kernel memory.  This fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures no infoleak.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40279",
                        "url": "https://ubuntu.com/security/CVE-2025-40279",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: act_connmark: initialize struct tc_ife to fix kernel leak  In tcf_connmark_dump(), the variable 'opt' was partially initialized using a designatied initializer. While the padding bytes are reamined uninitialized. nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace.  Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to beign copied.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40280",
                        "url": "https://ubuntu.com/security/CVE-2025-40280",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tipc: Fix use-after-free in tipc_mon_reinit_self().  syzbot reported use-after-free of tipc_net(net)->monitors[] in tipc_mon_reinit_self(). [0]  The array is protected by RTNL, but tipc_mon_reinit_self() iterates over it without RTNL.  tipc_mon_reinit_self() is called from tipc_net_finalize(), which is always under RTNL except for tipc_net_finalize_work().  Let's hold RTNL in tipc_net_finalize_work().  [0]: BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162 Read of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989  CPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Workqueue: events tipc_net_finalize_work Call Trace:  <TASK>  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0xca/0x240 mm/kasan/report.c:482  kasan_report+0x118/0x150 mm/kasan/report.c:595  __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568  kasan_check_byte include/linux/kasan.h:399 [inline]  lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842  __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]  _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162  rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline]  rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline]  rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244  rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243  write_lock_bh include/linux/rwlock_rt.h:99 [inline]  tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718  tipc_net_finalize+0x115/0x190 net/tipc/net.c:140  process_one_work kernel/workqueue.c:3236 [inline]  
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400  kthread+0x70e/0x8a0 kernel/kthread.c:463  ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 6089:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:388 [inline]  __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405  kasan_kmalloc include/linux/kasan.h:260 [inline]  __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407  kmalloc_noprof include/linux/slab.h:905 [inline]  kzalloc_noprof include/linux/slab.h:1039 [inline]  tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657  tipc_enable_bearer net/tipc/bearer.c:357 [inline]  __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047  __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline]  tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393  tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline]  tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321  genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115  genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]  genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210  netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552  genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219  netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]  netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346  netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896  sock_sendmsg_nosec net/socket.c:714 [inline]  __sock_sendmsg+0x21c/0x270 net/socket.c:729  ____sys_sendmsg+0x508/0x820 net/socket.c:2614  ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668  __sys_sendmsg net/socket.c:2700 [inline]  __do_sys_sendmsg net/socket.c:2705 [inline]  __se_sys_sendmsg net/socket.c:2703 [inline]  __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703  do_syscall_x64 
arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/ ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40281",
                        "url": "https://ubuntu.com/security/CVE-2025-40281",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto  syzbot reported a possible shift-out-of-bounds [1]  Blamed commit added rto_alpha_max and rto_beta_max set to 1000.  It is unclear if some sctp users are setting very large rto_alpha and/or rto_beta.  In order to prevent user regression, perform the test at run time.  Also add READ_ONCE() annotations as sysctl values can change under us.  [1]  UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41 shift exponent 64 is too large for 32-bit type 'unsigned int' CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace:  <TASK>   __dump_stack lib/dump_stack.c:94 [inline]   dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120   ubsan_epilogue lib/ubsan.c:233 [inline]   __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494   sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509   sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502   sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338   sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]   sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40282",
                        "url": "https://ubuntu.com/security/CVE-2025-40282",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: 6lowpan: reset link-local header on ipv6 recv path  Bluetooth 6lowpan.c netdev has header_ops, so it must set link-local header for RX skb, otherwise things crash, eg. with AF_PACKET SOCK_RAW  Add missing skb_reset_mac_header() for uncompressed ipv6 RX path.  For the compressed one, it is done in lowpan_header_decompress().  Log: (BlueZ 6lowpan-tester Client Recv Raw - Success) ------ kernel BUG at net/core/skbuff.c:212! Call Trace: <IRQ> ... packet_rcv (net/packet/af_packet.c:2152) ... <TASK> __local_bh_enable_ip (kernel/softirq.c:407) netif_rx (net/core/dev.c:5648) chan_recv_cb (net/bluetooth/6lowpan.c:294 net/bluetooth/6lowpan.c:359) ------",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40283",
                        "url": "https://ubuntu.com/security/CVE-2025-40283",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF  There is a KASAN: slab-use-after-free read in btusb_disconnect(). Calling \"usb_driver_release_interface(&btusb_driver, data->intf)\" will free the btusb data associated with the interface. The same data is then used later in the function, hence the UAF.  Fix by moving the accesses to btusb data to before the data is free'd.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40284",
                        "url": "https://ubuntu.com/security/CVE-2025-40284",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: cancel mesh send timer when hdev removed  mesh_send_done timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone.  Cancel the timer when MGMT removes the hdev, like other MGMT timers.  Should fix the BUG: sporadically seen by BlueZ test bot (in \"Mesh - Send cancel - 1\" test).  Log: ------ BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0 ... Freed by task 36:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  __kasan_save_free_info+0x3a/0x60  __kasan_slab_free+0x43/0x70  kfree+0x103/0x500  device_release+0x9a/0x210  kobject_put+0x100/0x1e0  vhci_release+0x18b/0x240 ------",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68210",
                        "url": "https://ubuntu.com/security/CVE-2025-68210",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: avoid infinite loop due to incomplete zstd-compressed data  Currently, the decompression logic incorrectly spins if compressed data is truncated in crafted (deliberately corrupted) images.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40285",
                        "url": "https://ubuntu.com/security/CVE-2025-40285",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/server: fix possible refcount leak in smb2_sess_setup()  Reference count of ksmbd_session will leak when session need reconnect. Fix this by adding the missing ksmbd_user_session_put().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40286",
                        "url": "https://ubuntu.com/security/CVE-2025-40286",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/server: fix possible memory leak in smb2_read()  Memory leak occurs when ksmbd_vfs_read() fails. Fix this by adding the missing kvfree().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40287",
                        "url": "https://ubuntu.com/security/CVE-2025-40287",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exfat: fix improper check of dentry.stream.valid_size  We found an infinite loop bug in the exFAT file system that can lead to a Denial-of-Service (DoS) condition. When a dentry in an exFAT filesystem is malformed, the following system calls — SYS_openat, SYS_ftruncate, and SYS_pwrite64 — can cause the kernel to hang.  Root cause analysis shows that the size validation code in exfat_find() does not check whether dentry.stream.valid_size is negative. As a result, the system calls mentioned above can succeed and eventually trigger the DoS issue.  This patch adds a check for negative dentry.stream.valid_size to prevent this vulnerability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40288",
                        "url": "https://ubuntu.com/security/CVE-2025-40288",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices  Previously, APU platforms (and other scenarios with uninitialized VRAM managers) triggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root cause is not that the `struct ttm_resource_manager *man` pointer itself is NULL, but that `man->bdev` (the backing device pointer within the manager) remains uninitialized (NULL) on APUs—since APUs lack dedicated VRAM and do not fully set up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to acquire `man->bdev->lru_lock`, it dereferences the NULL `man->bdev`, leading to a kernel OOPS.  1. **amdgpu_cs.c**: Extend the existing bandwidth control check in    `amdgpu_cs_get_threshold_for_moves()` to include a check for    `ttm_resource_manager_used()`. If the manager is not used (uninitialized    `bdev`), return 0 for migration thresholds immediately—skipping VRAM-specific    logic that would trigger the NULL dereference.  2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info    reporting to use a conditional: if the manager is used, return the real VRAM    usage; otherwise, return 0. This avoids accessing `man->bdev` when it is    NULL.  3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function)    data write path. Use `ttm_resource_manager_used()` to check validity: if the    manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set    `fb_usage` to 0 (APUs have no discrete framebuffer to report).  This approach is more robust than APU-specific checks because it: - Works for all scenarios where the VRAM manager is uninitialized (not just APUs), - Aligns with TTM's design by using its native helper function, - Preserves correct behavior for discrete GPUs (which have fully initialized   `man->bdev` and pass the `ttm_resource_manager_used()` check).  
v4: use ttm_resource_manager_used(&adev->mman.vram_mgr.manager) instead of checking the adev->gmc.is_app_apu flag (Christian)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40289",
                        "url": "https://ubuntu.com/security/CVE-2025-40289",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM  Otherwise accessing them can cause a crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68201",
                        "url": "https://ubuntu.com/security/CVE-2025-68201",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: remove two invalid BUG_ON()s  Those can be triggered trivially by userspace.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68207",
                        "url": "https://ubuntu.com/security/CVE-2025-68207",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Synchronize Dead CT worker with unbind  Cancel and wait for any Dead CT worker to complete before continuing with device unbinding. Else the worker will end up using resources freed by the undind operation.  (cherry picked from commit 492671339114e376aaa38626d637a2751cdef263)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68244",
                        "url": "https://ubuntu.com/security/CVE-2025-68244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD  On completion of i915_vma_pin_ww(), a synchronous variant of dma_fence_work_commit() is called.  When pinning a VMA to GGTT address space on a Cherry View family processor, or on a Broxton generation SoC with VTD enabled, i.e., when stop_machine() is then called from intel_ggtt_bind_vma(), that can potentially lead to lock inversion among reservation_ww and cpu_hotplug locks.  [86.861179] ====================================================== [86.861193] WARNING: possible circular locking dependency detected [86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G     U [86.861226] ------------------------------------------------------ [86.861238] i915_module_loa/1432 is trying to acquire lock: [86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50 [86.861290] but task is already holding lock: [86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915] [86.862233] which lock already depends on the new lock. 
[86.862251] the existing dependency chain (in reverse order) is: [86.862265] -> #5 (reservation_ww_class_mutex){+.+.}-{3:3}: [86.862292]        dma_resv_lockdep+0x19a/0x390 [86.862315]        do_one_initcall+0x60/0x3f0 [86.862334]        kernel_init_freeable+0x3cd/0x680 [86.862353]        kernel_init+0x1b/0x200 [86.862369]        ret_from_fork+0x47/0x70 [86.862383]        ret_from_fork_asm+0x1a/0x30 [86.862399] -> #4 (reservation_ww_class_acquire){+.+.}-{0:0}: [86.862425]        dma_resv_lockdep+0x178/0x390 [86.862440]        do_one_initcall+0x60/0x3f0 [86.862454]        kernel_init_freeable+0x3cd/0x680 [86.862470]        kernel_init+0x1b/0x200 [86.862482]        ret_from_fork+0x47/0x70 [86.862495]        ret_from_fork_asm+0x1a/0x30 [86.862509] -> #3 (&mm->mmap_lock){++++}-{3:3}: [86.862531]        down_read_killable+0x46/0x1e0 [86.862546]        lock_mm_and_find_vma+0xa2/0x280 [86.862561]        do_user_addr_fault+0x266/0x8e0 [86.862578]        exc_page_fault+0x8a/0x2f0 [86.862593]        asm_exc_page_fault+0x27/0x30 [86.862607]        filldir64+0xeb/0x180 [86.862620]        kernfs_fop_readdir+0x118/0x480 [86.862635]        iterate_dir+0xcf/0x2b0 [86.862648]        __x64_sys_getdents64+0x84/0x140 [86.862661]        x64_sys_call+0x1058/0x2660 [86.862675]        do_syscall_64+0x91/0xe90 [86.862689]        entry_SYSCALL_64_after_hwframe+0x76/0x7e [86.862703] -> #2 (&root->kernfs_rwsem){++++}-{3:3}: [86.862725]        down_write+0x3e/0xf0 [86.862738]        kernfs_add_one+0x30/0x3c0 [86.862751]        kernfs_create_dir_ns+0x53/0xb0 [86.862765]        internal_create_group+0x134/0x4c0 [86.862779]        sysfs_create_group+0x13/0x20 [86.862792]        topology_add_dev+0x1d/0x30 [86.862806]        cpuhp_invoke_callback+0x4b5/0x850 [86.862822]        cpuhp_issue_call+0xbf/0x1f0 [86.862836]        __cpuhp_setup_state_cpuslocked+0x111/0x320 [86.862852]        __cpuhp_setup_state+0xb0/0x220 [86.862866]        topology_sysfs_init+0x30/0x50 [86.862879]        
do_one_initcall+0x60/0x3f0 [86.862893]        kernel_init_freeable+0x3cd/0x680 [86.862908]        kernel_init+0x1b/0x200 [86.862921]        ret_from_fork+0x47/0x70 [86.862934]        ret_from_fork_asm+0x1a/0x30 [86.862947] -> #1 (cpuhp_state_mutex){+.+.}-{3:3}: [86.862969]        __mutex_lock+0xaa/0xed0 [86.862982]        mutex_lock_nested+0x1b/0x30 [86.862995]        __cpuhp_setup_state_cpuslocked+0x67/0x320 [86.863012]        __cpuhp_setup_state+0xb0/0x220 [86.863026]        page_alloc_init_cpuhp+0x2d/0x60 [86.863041]        mm_core_init+0x22/0x2d0 [86.863054]        start_kernel+0x576/0xbd0 [86.863068]        x86_64_start_reservations+0x18/0x30 [86.863084]        x86_64_start_kernel+0xbf/0x110 [86.863098]        common_startup_64+0x13e/0x141 [86.863114] -> #0 (cpu_hotplug_lock){++++}-{0:0}: [86.863135]        __lock_acquire+0x16 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68316",
                        "url": "https://ubuntu.com/security/CVE-2025-68316",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: ufs: core: Fix invalid probe error return value  After DME Link Startup, the error return value is set to the MIPI UniPro GenericErrorCode which can be 0 (SUCCESS) or 1 (FAILURE).  Upon failure during driver probe, the error code 1 is propagated back to the driver probe function which must return a negative value to indicate an error, but 1 is not negative, so the probe is considered to be successful even though it failed.  Subsequently, removing the driver results in an oops because it is not in a valid state.  This happens because none of the callers of ufshcd_init() expect a non-negative error code.  Fix the return value and documentation to match actual usage.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40292",
                        "url": "https://ubuntu.com/security/CVE-2025-40292",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: fix received length check in big packets  Since commit 4959aebba8c0 (\"virtio-net: use mtu size as buffer length for big packets\"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi->big_packets_num_skbfrags.  Because the host announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce incorrect length), we need a check in virtio_net receive path. Currently, the check is not adapted to the new change which can lead to NULL page pointer dereference in the below while loop when receiving length that is larger than the allocated one.  This commit fixes the received length check corresponding to the new change.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68180",
                        "url": "https://ubuntu.com/security/CVE-2025-68180",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Fix NULL deref in debugfs odm_combine_segments  When a connector is connected but inactive (e.g., disabled by desktop environments), pipe_ctx->stream_res.tg will be destroyed. Then, reading odm_combine_segments causes kernel NULL pointer dereference.   BUG: kernel NULL pointer dereference, address: 0000000000000000  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  PGD 0 P4D 0  Oops: Oops: 0000 [#1] SMP NOPTI  CPU: 16 UID: 0 PID: 26474 Comm: cat Not tainted 6.17.0+ #2 PREEMPT(lazy) e6a17af9ee6db7c63e9d90dbe5b28ccab67520c6  Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN25WW 03/27/2025  RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]  Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>  RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286  RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8  RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000  RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0  R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08  R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001  FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0  PKRU: 55555554  Call Trace:   <TASK>   seq_read_iter+0x125/0x490   ? __alloc_frozen_pages_noprof+0x18f/0x350   seq_read+0x12c/0x170   full_proxy_read+0x51/0x80   vfs_read+0xbc/0x390   ? __handle_mm_fault+0xa46/0xef0   ? do_syscall_64+0x71/0x900   ksys_read+0x73/0xf0   do_syscall_64+0x71/0x900   ? count_memcg_events+0xc2/0x190   ? handle_mm_fault+0x1d7/0x2d0   ? do_user_addr_fault+0x21a/0x690   ? 
exc_page_fault+0x7e/0x1a0   entry_SYSCALL_64_after_hwframe+0x6c/0x74  RIP: 0033:0x7f44d4031687  Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00>  RSP: 002b:00007ffdb4b5f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000  RAX: ffffffffffffffda RBX: 00007f44d3f9f740 RCX: 00007f44d4031687  RDX: 0000000000040000 RSI: 00007f44d3f5e000 RDI: 0000000000000003  RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000  R10: 0000000000000000 R11: 0000000000000202 R12: 00007f44d3f5e000  R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000040000   </TASK>  Modules linked in: tls tcp_diag inet_diag xt_mark ccm snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device x>   snd_hda_codec_atihdmi snd_hda_codec_realtek_lib lenovo_wmi_helpers think_lmi snd_hda_codec_generic snd_hda_codec_hdmi snd_soc_core kvm snd_compress uvcvideo sn>   platform_profile joydev amd_pmc mousedev mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics loop nfnetlink ip_tables x_tables dm_cryp>  CR2: 0000000000000000  ---[ end trace 0000000000000000 ]---  RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]  Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>  RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286  RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8  RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000  RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0  R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08  R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001  FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000000 CR3: 00000006485c2000 
CR4: 0000000000f50ef0  PKRU: 55555554  Fix this by checking pipe_ctx-> ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40327",
                        "url": "https://ubuntu.com/security/CVE-2025-40327",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/core: Fix system hang caused by cpu-clock usage  cpu-clock usage by the async-profiler tool can trigger a system hang, which got bisected back to the following commit by Octavia Togami:    18dbcbfabfff (\"perf: Fix the POLL_HUP delivery breakage\") causes this issue  The root cause of the hang is that cpu-clock is a special type of SW event which relies on hrtimers. The __perf_event_overflow() callback is invoked from the hrtimer handler for cpu-clock events, and __perf_event_overflow() tries to call cpu_clock_event_stop() to stop the event, which calls htimer_cancel() to cancel the hrtimer.  But that's a recursion into the hrtimer code from a hrtimer handler, which (unsurprisingly) deadlocks.  To fix this bug, use hrtimer_try_to_cancel() instead, and set the PERF_HES_STOPPED flag, which causes perf_swevent_hrtimer() to stop the event once it sees the PERF_HES_STOPPED flag.  [ mingo: Fixed the comments and improved the changelog. ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40328",
                        "url": "https://ubuntu.com/security/CVE-2025-40328",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix potential UAF in smb2_close_cached_fid()  find_or_create_cached_dir() could grab a new reference after kref_put() had seen the refcount drop to zero but before cfid_list_lock is acquired in smb2_close_cached_fid(), leading to use-after-free.  Switch to kref_put_lock() so cfid_release() is called with cfid_list_lock held, closing that gap.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40291",
                        "url": "https://ubuntu.com/security/CVE-2025-40291",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring: fix regbuf vector size truncation  There is a report of io_estimate_bvec_size() truncating the calculated number of segments that leads to corruption issues. Check it doesn't overflow \"int\"s used later. Rough but simple, can be improved on top.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68322",
                        "url": "https://ubuntu.com/security/CVE-2025-68322",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  parisc: Avoid crash due to unaligned access in unwinder  Guenter Roeck reported this kernel crash on his emulated B160L machine:  Starting network: udhcpc: started, v1.36.1  Backtrace:   [<104320d4>] unwind_once+0x1c/0x5c   [<10434a00>] walk_stackframe.isra.0+0x74/0xb8   [<10434a6c>] arch_stack_walk+0x28/0x38   [<104e5efc>] stack_trace_save+0x48/0x5c   [<105d1bdc>] set_track_prepare+0x44/0x6c   [<105d9c80>] ___slab_alloc+0xfc4/0x1024   [<105d9d38>] __slab_alloc.isra.0+0x58/0x90   [<105dc80c>] kmem_cache_alloc_noprof+0x2ac/0x4a0   [<105b8e54>] __anon_vma_prepare+0x60/0x280   [<105a823c>] __vmf_anon_prepare+0x68/0x94   [<105a8b34>] do_wp_page+0x8cc/0xf10   [<105aad88>] handle_mm_fault+0x6c0/0xf08   [<10425568>] do_page_fault+0x110/0x440   [<10427938>] handle_interruption+0x184/0x748   [<11178398>] schedule+0x4c/0x190   BUG: spinlock recursion on CPU#0, ifconfig/2420   lock: terminate_lock.2+0x0/0x1c, .magic: dead4ead, .owner: ifconfig/2420, .owner_cpu: 0  While creating the stack trace, the unwinder uses the stack pointer to guess the previous frame to read the previous stack pointer from memory.  The crash happens, because the unwinder tries to read from unaligned memory and as such triggers the unalignment trap handler which then leads to the spinlock recursion and finally to a deadlock.  Fix it by checking the alignment before accessing the memory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40293",
                        "url": "https://ubuntu.com/security/CVE-2025-40293",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iommufd: Don't overflow during division for dirty tracking  If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow to 0 and this triggers divide by 0.  In this case the index should just be 0, so reorganize things to divide by shift and avoid hitting any overflows.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40294",
                        "url": "https://ubuntu.com/security/CVE-2025-40294",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()  In the parse_adv_monitor_pattern() function, the value of the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251). The size of the 'value' array in the mgmt_adv_pattern structure is 31. If the value of 'pattern[i].length' is set in the user space and exceeds 31, the 'patterns[i].value' array can be accessed out of bound when copied.  Increasing the size of the 'value' array in the 'mgmt_adv_pattern' structure will break the userspace. Considering this, and to avoid OOB access revert the limits for 'offset' and 'length' back to the value of HCI_MAX_AD_LENGTH.  Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40329",
                        "url": "https://ubuntu.com/security/CVE-2025-40329",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb  The Mesa issue referenced below pointed out a possible deadlock:  [ 1231.611031]  Possible interrupt unsafe locking scenario:  [ 1231.611033]        CPU0                    CPU1 [ 1231.611034]        ----                    ---- [ 1231.611035]   lock(&xa->xa_lock#17); [ 1231.611038]                                local_irq_disable(); [ 1231.611039]                                lock(&fence->lock); [ 1231.611041]                                lock(&xa->xa_lock#17); [ 1231.611044]   <Interrupt> [ 1231.611045]     lock(&fence->lock); [ 1231.611047]                 *** DEADLOCK ***  In this example, CPU0 would be any function accessing job->dependencies through the xa_* functions that don't disable interrupts (eg: drm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()).  CPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling callback so in an interrupt context. It will deadlock when trying to grab the xa_lock which is already held by CPU0.  Replacing all xa_* usage by their xa_*_irq counterparts would fix this issue, but Christian pointed out another issue: dma_fence_signal takes fence.lock and so does dma_fence_add_callback.    dma_fence_signal() // locks f1.lock   -> drm_sched_entity_kill_jobs_cb()   -> foreach dependencies      -> dma_fence_add_callback() // locks f2.lock  This will deadlock if f1 and f2 share the same spinlock.  To fix both issues, the code iterating on dependencies and re-arming them is moved out to drm_sched_entity_kill_jobs_work().  [phasta: commit message nits]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40295",
                        "url": "https://ubuntu.com/security/CVE-2025-40295",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT  When simulating an nvme device on qemu with both logical_block_size and physical_block_size set to 8 KiB, an error trace appears during partition table reading at boot time. The issue is caused by inode->i_blkbits being larger than PAGE_SHIFT, which leads to a left shift of -1 and triggering a UBSAN warning.  [    2.697306] ------------[ cut here ]------------ [    2.697309] UBSAN: shift-out-of-bounds in fs/crypto/inline_crypt.c:336:37 [    2.697311] shift exponent -1 is negative [    2.697315] CPU: 3 UID: 0 PID: 274 Comm: (udev-worker) Not tainted 6.18.0-rc2+ #34 PREEMPT(voluntary) [    2.697317] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [    2.697320] Call Trace: [    2.697324]  <TASK> [    2.697325]  dump_stack_lvl+0x76/0xa0 [    2.697340]  dump_stack+0x10/0x20 [    2.697342]  __ubsan_handle_shift_out_of_bounds+0x1e3/0x390 [    2.697351]  bh_get_inode_and_lblk_num.cold+0x12/0x94 [    2.697359]  fscrypt_set_bio_crypt_ctx_bh+0x44/0x90 [    2.697365]  submit_bh_wbc+0xb6/0x190 [    2.697370]  block_read_full_folio+0x194/0x270 [    2.697371]  ? __pfx_blkdev_get_block+0x10/0x10 [    2.697375]  ? __pfx_blkdev_read_folio+0x10/0x10 [    2.697377]  blkdev_read_folio+0x18/0x30 [    2.697379]  filemap_read_folio+0x40/0xe0 [    2.697382]  filemap_get_pages+0x5ef/0x7a0 [    2.697385]  ? mmap_region+0x63/0xd0 [    2.697389]  filemap_read+0x11d/0x520 [    2.697392]  blkdev_read_iter+0x7c/0x180 [    2.697393]  vfs_read+0x261/0x390 [    2.697397]  ksys_read+0x71/0xf0 [    2.697398]  __x64_sys_read+0x19/0x30 [    2.697399]  x64_sys_call+0x1e88/0x26a0 [    2.697405]  do_syscall_64+0x80/0x670 [    2.697410]  ? __x64_sys_newfstat+0x15/0x20 [    2.697414]  ? x64_sys_call+0x204a/0x26a0 [    2.697415]  ? 
do_syscall_64+0xb8/0x670 [    2.697417]  ? irqentry_exit_to_user_mode+0x2e/0x2a0 [    2.697420]  ? irqentry_exit+0x43/0x50 [    2.697421]  ? exc_page_fault+0x90/0x1b0 [    2.697422]  entry_SYSCALL_64_after_hwframe+0x76/0x7e [    2.697425] RIP: 0033:0x75054cba4a06 [    2.697426] Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 [    2.697427] RSP: 002b:00007fff973723a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000 [    2.697430] RAX: ffffffffffffffda RBX: 00005ea9a2c02760 RCX: 000075054cba4a06 [    2.697432] RDX: 0000000000002000 RSI: 000075054c190000 RDI: 000000000000001b [    2.697433] RBP: 00007fff973723c0 R08: 0000000000000000 R09: 0000000000000000 [    2.697434] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 [    2.697434] R13: 00005ea9a2c027c0 R14: 00005ea9a2be5608 R15: 00005ea9a2be55f0 [    2.697436]  </TASK> [    2.697436] ---[ end trace ]---  This situation can happen for block devices because when CONFIG_TRANSPARENT_HUGEPAGE is enabled, the maximum logical_block_size is 64 KiB. set_init_blocksize() then sets the block device inode->i_blkbits to 13, which is within this limit.  File I/O does not trigger this problem because for filesystems that do not support the FS_LBS feature, sb_set_blocksize() prevents sb->s_blocksize_bits from being larger than PAGE_SHIFT. During inode allocation, alloc_inode()->inode_init_always() assigns inode->i_blkbits from sb->s_blocksize_bits. Currently, only xfs_fs_type has the FS_LBS flag, and since xfs I/O paths do not reach submit_bh_wbc(), it does not hit the left-shift underflow issue.  [EB: use folio_pos() and consolidate the two shifts by i_blkbits]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40296",
                        "url": "https://ubuntu.com/security/CVE-2025-40296",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/x86: int3472: Fix double free of GPIO device during unregister  regulator_unregister() already frees the associated GPIO device. On ThinkPad X9 (Lunar Lake), this causes a double free issue that leads to random failures when other drivers (typically Intel THC) attempt to allocate interrupts. The root cause is that the reference count of the pinctrl_intel_platform module unexpectedly drops to zero when this driver defers its probe.  This behavior can also be reproduced by unloading the module directly.  Fix the issue by removing the redundant release of the GPIO device during regulator unregistration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40297",
                        "url": "https://ubuntu.com/security/CVE-2025-40297",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: bridge: fix use-after-free due to MST port state bypass  syzbot reported[1] a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its fdbs have been flushed. The port's state has been toggled to disabled so no learning should happen at that time, but if we have MST enabled, it will bypass the port's state, that together with VLAN filtering disabled can lead to fdb learning at a time when it shouldn't happen while the port is being deleted. VLAN filtering must be disabled because we flush the port VLANs when it's being deleted which will stop learning. This fix adds a check for the port's vlan group which is initialized to NULL when the port is getting deleted, that avoids the port state bypass. When MST is enabled there would be a minimal new overhead in the fast-path because the port's vlan group pointer is cache-hot.  [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68320",
                        "url": "https://ubuntu.com/security/CVE-2025-68320",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lan966x: Fix sleeping in atomic context  The following warning was seen when we try to connect using ssh to the device.  BUG: sleeping function called from invalid context at kernel/locking/mutex.c:575 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbear preempt_count: 1, expected: 0 INFO: lockdep is turned off. CPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G        W          6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONE Tainted: [W]=WARN Hardware name: Generic DT based system Call trace:  unwind_backtrace from show_stack+0x10/0x14  show_stack from dump_stack_lvl+0x7c/0xac  dump_stack_lvl from __might_resched+0x16c/0x2b0  __might_resched from __mutex_lock+0x64/0xd34  __mutex_lock from mutex_lock_nested+0x1c/0x24  mutex_lock_nested from lan966x_stats_get+0x5c/0x558  lan966x_stats_get from dev_get_stats+0x40/0x43c  dev_get_stats from dev_seq_printf_stats+0x3c/0x184  dev_seq_printf_stats from dev_seq_show+0x10/0x30  dev_seq_show from seq_read_iter+0x350/0x4ec  seq_read_iter from seq_read+0xfc/0x194  seq_read from proc_reg_read+0xac/0x100  proc_reg_read from vfs_read+0xb0/0x2b0  vfs_read from ksys_read+0x6c/0xec  ksys_read from ret_fast_syscall+0x0/0x1c Exception stack(0xf0b11fa8 to 0xf0b11ff0) 1fa0:                   00000001 00001000 00000008 be9048d8 00001000 00000001 1fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 00000001 1fe0: 0005404c be9048c0 00018684 b6ec2cd8  It seems that we are using a mutex in a atomic context which is wrong. Change the mutex with a spinlock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68169",
                        "url": "https://ubuntu.com/security/CVE-2025-68169",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netpoll: Fix deadlock in memory allocation under spinlock  Fix a AA deadlock in refill_skbs() where memory allocation while holding skb_pool->lock can trigger a recursive lock acquisition attempt.  The deadlock scenario occurs when the system is under severe memory pressure:  1. refill_skbs() acquires skb_pool->lock (spinlock) 2. alloc_skb() is called while holding the lock 3. Memory allocator fails and calls slab_out_of_memory() 4. This triggers printk() for the OOM warning 5. The console output path calls netpoll_send_udp() 6. netpoll_send_udp() attempts to acquire the same skb_pool->lock 7. Deadlock: the lock is already held by the same CPU  Call stack:   refill_skbs()     spin_lock_irqsave(&skb_pool->lock)    <- lock acquired     __alloc_skb()       kmem_cache_alloc_node_noprof()         slab_out_of_memory()           printk()             console_flush_all()               netpoll_send_udp()                 skb_dequeue()                   spin_lock_irqsave(&skb_pool->lock)     <- deadlock attempt  This bug was exposed by commit 248f6571fd4c51 (\"netpoll: Optimize skb refilling on critical path\") which removed refill_skbs() from the critical path (where nested printk was being deferred), letting nested printk being called from inside refill_skbs()  Refactor refill_skbs() to never allocate memory while holding the spinlock.  Another possible solution to fix this problem is protecting the refill_skbs() from nested printks, basically calling printk_deferred_{enter,exit}() in refill_skbs(), then, any nested pr_warn() would be deferred.  I prefer this approach, given I _think_ it might be a good idea to move the alloc_skb() from GFP_ATOMIC to GFP_KERNEL in the future, so, having the alloc_skb() outside of the lock will be necessary step.  
There is a possible TOCTOU issue when checking for the pool length, and queueing the new allocated skb, but, this is not an issue, given that an extra SKB in the pool is harmless and it will be eventually used.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68197",
                        "url": "https://ubuntu.com/security/CVE-2025-68197",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()  With older FW, we may get the ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER for FW trace data type that has not been initialized.  This will result in a crash in bnxt_bs_trace_type_wrap().  Add a guard to check for a valid magic_byte pointer before proceeding.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40330",
                        "url": "https://ubuntu.com/security/CVE-2025-40330",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Shutdown FW DMA in bnxt_shutdown()  The netif_close() call in bnxt_shutdown() only stops packet DMA.  There may be FW DMA for trace logging (recently added) that will continue.  If we kexec to a new kernel, the DMA will corrupt memory in the new kernel.  Add bnxt_hwrm_func_drv_unrgtr() to unregister the driver from the FW. This will stop the FW DMA.  In case the call fails, call pcie_flr() to reset the function and stop the DMA.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68192",
                        "url": "https://ubuntu.com/security/CVE-2025-68192",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup  Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. This can trigger kernel panics on ARM64 when xfrm or other subsystems access the offset due to strict alignment checks.  Initialize the MAC header to prevent such crashes.  This can trigger kernel panics on ARM when running IPsec over the qmimux0 interface.  Example trace:      Internal error: Oops: 000000009600004f [#1] SMP     CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1     Hardware name: LS1028A RDB Board (DT)     pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)     pc : xfrm_input+0xde8/0x1318     lr : xfrm_input+0x61c/0x1318     sp : ffff800080003b20     Call trace:      xfrm_input+0xde8/0x1318      xfrm6_rcv+0x38/0x44      xfrm6_esp_rcv+0x48/0xa8      ip6_protocol_deliver_rcu+0x94/0x4b0      ip6_input_finish+0x44/0x70      ip6_input+0x44/0xc0      ipv6_rcv+0x6c/0x114      __netif_receive_skb_one_core+0x5c/0x8c      __netif_receive_skb+0x18/0x60      process_backlog+0x78/0x17c      __napi_poll+0x38/0x180      net_rx_action+0x168/0x2f0",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40331",
                        "url": "https://ubuntu.com/security/CVE-2025-40331",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: Prevent TOCTOU out-of-bounds write  For the following path not holding the sock lock,    sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()  make sure not to exceed bounds in case the address list has grown between buffer allocation (time-of-check) and write (time-of-use).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68187",
                        "url": "https://ubuntu.com/security/CVE-2025-68187",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: mdio: Check regmap pointer returned by device_node_to_regmap()  The call to device_node_to_regmap() in airoha_mdio_probe() can return an ERR_PTR() if regmap initialization fails. Currently, the driver stores the pointer without validation, which could lead to a crash if it is later dereferenced.  Add an IS_ERR() check and return the corresponding error code to make the probe path more robust.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68167",
                        "url": "https://ubuntu.com/security/CVE-2025-68167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gpiolib: fix invalid pointer access in debugfs  If the memory allocation in gpiolib_seq_start() fails, the s->private field remains uninitialized and is later dereferenced without checking in gpiolib_seq_stop(). Initialize s->private to NULL before calling kzalloc() and check it before dereferencing it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68319",
                        "url": "https://ubuntu.com/security/CVE-2025-68319",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netconsole: Acquire su_mutex before navigating configs hierarchy  There is a race between operations that iterate over the userdata cg_children list and concurrent add/remove of userdata items through configfs. The update_userdata() function iterates over the nt->userdata_group.cg_children list, and count_extradata_entries() also iterates over this same list to count nodes.  Quoting from Documentation/filesystems/configfs.rst: > A subsystem can navigate the cg_children list and the ci_parent pointer > to see the tree created by the subsystem.  This can race with configfs' > management of the hierarchy, so configfs uses the subsystem mutex to > protect modifications.  Whenever a subsystem wants to navigate the > hierarchy, it must do so under the protection of the subsystem > mutex.  Without proper locking, if a userdata item is added or removed concurrently while these functions are iterating, the list can be accessed in an inconsistent state. For example, the list_for_each() loop can reach a node that is being removed from the list by list_del_init() which sets the nodes' .next pointer to point to itself, so the loop will never end (or reach the WARN_ON_ONCE in update_userdata() ).  Fix this by holding the configfs subsystem mutex (su_mutex) during all operations that iterate over cg_children. This includes: - userdatum_value_store() which calls update_userdata() to iterate over   cg_children - All sysdata_*_enabled_store() functions which call   count_extradata_entries() to iterate over cg_children  The su_mutex must be acquired before dynamic_netconsole_mutex to avoid potential lock ordering issues, as configfs operations may already hold su_mutex when calling into our code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40298",
                        "url": "https://ubuntu.com/security/CVE-2025-40298",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: Implement settime64 with -EOPNOTSUPP  ptp_clock_settime() assumes every ptp_clock has implemented settime64(). Stub it with -EOPNOTSUPP to prevent a NULL dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40299",
                        "url": "https://ubuntu.com/security/CVE-2025-40299",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: Implement gettimex64 with -EOPNOTSUPP  gve implemented a ptp_clock for sole use of do_aux_work at this time. ptp_clock_gettime() and ptp_sys_offset() assume every ptp_clock has implemented either gettimex64 or gettime64. Stub gettimex64 and return -EOPNOTSUPP to prevent NULL dereferencing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40301",
                        "url": "https://ubuntu.com/security/CVE-2025-40301",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: validate skb length for unknown CC opcode  In hci_cmd_complete_evt(), if the command complete event has an unknown opcode, we assume the first byte of the remaining skb->data contains the return status. However, parameter data has previously been pulled in hci_event_func(), which may leave the skb empty. If so, using skb->data[0] for the return status uses un-init memory.  The fix is to check skb->len before using skb->data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40358",
                        "url": "https://ubuntu.com/security/CVE-2025-40358",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: stacktrace: Disable KASAN checks for non-current tasks  When unwinding the stack of a task other than current, KASAN would report \"BUG: KASAN: out-of-bounds in walk_stackframe+0x41c/0x460\"  The same issue existed on x86 and was resolved by commit 84936118bdf3 (\"x86/unwind: Disable KASAN checks for non-current tasks\"). The solution could be applied to RISC-V too.  This patch can also solve the issue: https://seclists.org/oss-sec/2025/q4/23  [pjw@kernel.org: clean up checkpatch issues]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68186",
                        "url": "https://ubuntu.com/security/CVE-2025-68186",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up  The function ring_buffer_map_get_reader() is a bit more strict than the other get reader functions, and except for certain situations the rb_get_reader_page() should not return NULL. If it does, it triggers a warning.  This warning was triggering but after looking at why, it was because another acceptable situation was happening and it wasn't checked for.  If the reader catches up to the writer and there's still data to be read on the reader page, then the rb_get_reader_page() will return NULL as there's no new page to get.  In this situation, the reader page should not be updated and no warning should trigger.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68184",
                        "url": "https://ubuntu.com/security/CVE-2025-68184",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/mediatek: Disable AFBC support on Mediatek DRM driver  Commit c410fa9b07c3 (\"drm/mediatek: Add AFBC support to Mediatek DRM driver\") added AFBC support to Mediatek DRM and enabled the 32x8/split/sparse modifier.  However, this is currently broken on Mediatek MT8188 (Genio 700 EVK platform); tested using upstream Kernel and Mesa (v25.2.1), AFBC is used by default since Mesa v25.0.  Kernel trace reports vblank timeouts constantly, and the render is garbled:  ``` [CRTC:62:crtc-0] vblank wait timed out WARNING: CPU: 7 PID: 70 at drivers/gpu/drm/drm_atomic_helper.c:1835 drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c [...] Hardware name: MediaTek Genio-700 EVK (DT) Workqueue: events_unbound commit_work pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c lr : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c sp : ffff80008337bca0 x29: ffff80008337bcd0 x28: 0000000000000061 x27: 0000000000000000 x26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c9dcc000 x23: 0000000000000001 x22: 0000000000000000 x21: ffff0000c66f2f80 x20: ffff0000c0d7d880 x19: 0000000000000000 x18: 000000000000000a x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000000 x14: 0000000000000000 x13: 74756f2064656d69 x12: 742074696177206b x11: 0000000000000058 x10: 0000000000000018 x9 : ffff800082396a70 x8 : 0000000000057fa8 x7 : 0000000000000cce x6 : ffff8000823eea70 x5 : ffff0001fef5f408 x4 : ffff80017ccee000 x3 : ffff0000c12cb480 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c12cb480 Call trace:  drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c (P)  drm_atomic_helper_commit_tail_rpm+0x64/0x80  commit_tail+0xa4/0x1a4  commit_work+0x14/0x20  process_one_work+0x150/0x290  worker_thread+0x2d0/0x3ec  kthread+0x12c/0x210  ret_from_fork+0x10/0x20 ---[ end trace 0000000000000000 ]--- 
```  Until this gets fixed upstream, disable AFBC support on this platform, as it's currently broken with upstream Mesa.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40302",
                        "url": "https://ubuntu.com/security/CVE-2025-40302",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: videobuf2: forbid remove_bufs when legacy fileio is active  vb2_ioctl_remove_bufs() call manipulates queue internal buffer list, potentially overwriting some pointers used by the legacy fileio access mode. Forbid that ioctl when fileio is active to protect internal queue state between subsequent read/write calls.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40303",
                        "url": "https://ubuntu.com/security/CVE-2025-40303",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: ensure no dirty metadata is written back for an fs with errors  [BUG] During development of a minor feature (make sure all btrfs_bio::end_io() is called in task context), I noticed a crash in generic/388, where metadata writes triggered new works after btrfs_stop_all_workers().  It turns out that it can even happen without any code modification, just using RAID5 for metadata and the same workload from generic/388 is going to trigger the use-after-free.  [CAUSE] If btrfs hits an error, the fs is marked as error, no new transaction is allowed thus metadata is in a frozen state.  But there are some metadata modifications before that error, and they are still in the btree inode page cache.  Since there will be no real transaction commit, all those dirty folios are just kept as is in the page cache, and they can not be invalidated by invalidate_inode_pages2() call inside close_ctree(), because they are dirty.  And finally after btrfs_stop_all_workers(), we call iput() on btree inode, which triggers writeback of those dirty metadata.  And if the fs is using RAID56 metadata, this will trigger RMW and queue new works into rmw_workers, which is already stopped, causing warning from queue_work() and use-after-free.  [FIX] Add a special handling for write_one_eb(), that if the fs is already in an error state, immediately mark the bbio as failure, instead of really submitting them.  Then during close_ctree(), iput() will just discard all those dirty tree blocks without really writing them back, thus no more new jobs for already stopped-and-freed workqueues.  The extra discard in write_one_eb() also acts as an extra safenet. E.g. the transaction abort is triggered by some extent/free space tree corruptions, and since extent/free space tree is already corrupted some tree blocks may be allocated where they shouldn't be (overwriting existing tree blocks). 
In that case writing them back will further corrupt the fs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40362",
                        "url": "https://ubuntu.com/security/CVE-2025-40362",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ceph: fix multifs mds auth caps issue  The mds auth caps check should also validate the fsname along with the associated caps. Not doing so would result in applying the mds auth caps of one fs on to the other fs in a multifs ceph cluster. The bug causes multiple issues w.r.t user authentication, following is one such example.  Steps to Reproduce (on vstart cluster): 1. Create two file systems in a cluster, say 'fsname1' and 'fsname2' 2. Authorize read only permission to the user 'client.usr' on fs 'fsname1'     $ceph fs authorize fsname1 client.usr / r 3. Authorize read and write permission to the same user 'client.usr' on fs 'fsname2'     $ceph fs authorize fsname2 client.usr / rw 4. Update the keyring     $ceph auth get client.usr >> ./keyring  With above permssions for the user 'client.usr', following is the expectation.   a. The 'client.usr' should be able to only read the contents      and not allowed to create or delete files on file system 'fsname1'.   b. The 'client.usr' should be able to read/write on file system 'fsname2'.  But, with this bug, the 'client.usr' is allowed to read/write on file system 'fsname1'. See below.  5. Mount the file system 'fsname1' with the user 'client.usr'      $sudo bin/mount.ceph usr@.fsname1=/ /kmnt_fsname1_usr/ 6. Try creating a file on file system 'fsname1' with user 'client.usr'. This    should fail but passes with this bug.      $touch /kmnt_fsname1_usr/file1 7. Mount the file system 'fsname1' with the user 'client.admin' and create a    file.      $sudo bin/mount.ceph admin@.fsname1=/ /kmnt_fsname1_admin      $echo \"data\" > /kmnt_fsname1_admin/admin_file1 8. Try removing an existing file on file system 'fsname1' with the user    'client.usr'. This shoudn't succeed but succeeds with the bug.      
$rm -f /kmnt_fsname1_usr/admin_file1  For more information, please take a look at the corresponding mds/fuse patch and tests added by looking into the tracker mentioned below.  v2: Fix a possible null dereference in doutc v3: Don't store fsname from mdsmap, validate against     ceph_mount_options's fsname and use it v4: Code refactor, better warning message and     fix possible compiler warning  [ Slava.Dubeyko: \"fsname check failed\" -> \"fsname mismatch\" ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40332",
                        "url": "https://ubuntu.com/security/CVE-2025-40332",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Fix mmap write lock not release  If the mmap write lock is taken while draining retry faults, the mmap write lock is not released because svm_range_restore_pages calls mmap_read_unlock and then returns. This causes a deadlock and system hangs later because the mmap read or write lock cannot be taken.  Downgrading the mmap write lock to a read lock when draining retry faults fixes this bug.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40304",
                        "url": "https://ubuntu.com/security/CVE-2025-40304",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds  Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen edges. Return early if the Y position is off-screen and clip image height to screen boundary. Break from the rendering loop if the X position is off-screen. When clipping image width to fit the screen, update the character count to match the clipped width to prevent buffer size mismatches.  Without the character count update, bit_putcs_aligned and bit_putcs_unaligned receive mismatched parameters where the buffer is allocated for the clipped width but cnt reflects the original larger count, causing out-of-bounds writes.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40305",
                        "url": "https://ubuntu.com/security/CVE-2025-40305",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN  p9_read_work() doesn't set Rworksched and doesn't do schedule_work(m->rq) if list_empty(&m->req_list).  However, if the pipe is full, we need to read more data and this used to work prior to commit aaec5a95d59615 (\"pipe_read: don't wake up the writer if the pipe is still full\").  p9_read_work() does p9_fd_read() -> ... -> anon_pipe_read() which (before the commit above) triggered the unnecessary wakeup. This wakeup calls p9_pollwake() which kicks p9_poll_workfn() -> p9_poll_mux(), p9_poll_mux() will notice EPOLLIN and schedule_work(&m->rq).  This no longer happens after the optimization above, change p9_fd_request() to use p9_poll_mux() instead of only checking for EPOLLOUT.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68318",
                        "url": "https://ubuntu.com/security/CVE-2025-68318",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL  The AXI crossbar of TH1520 has no proper timeout handling, which means gating AXI clocks can easily lead to bus timeout and thus system hang.  Set all AXI clock gates to CLK_IS_CRITICAL. All these clock gates are ungated by default on system reset.  In addition, convert all current CLK_IGNORE_UNUSED usage to CLK_IS_CRITICAL to prevent unwanted clock gating.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40209",
                        "url": "https://ubuntu.com/security/CVE-2025-40209",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation  When btrfs_add_qgroup_relation() is called with invalid qgroup levels (src >= dst), the function returns -EINVAL directly without freeing the preallocated qgroup_list structure passed by the caller. This causes a memory leak because the caller unconditionally sets the pointer to NULL after the call, preventing any cleanup.  The issue occurs because the level validation check happens before the mutex is acquired and before any error handling path that would free the prealloc pointer. On this early return, the cleanup code at the 'out' label (which includes kfree(prealloc)) is never reached.  In btrfs_ioctl_qgroup_assign(), the code pattern is:      prealloc = kzalloc(sizeof(*prealloc), GFP_KERNEL);     ret = btrfs_add_qgroup_relation(trans, sa->src, sa->dst, prealloc);     prealloc = NULL;  // Always set to NULL regardless of return value     ...     kfree(prealloc);  // This becomes kfree(NULL), does nothing  When the level check fails, 'prealloc' is never freed by either the callee or the caller, resulting in a 64-byte memory leak per failed operation. This can be triggered repeatedly by an unprivileged user with access to a writable btrfs mount, potentially exhausting kernel memory.  Fix this by freeing prealloc before the early return, ensuring prealloc is always freed on all error paths.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-21 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68183",
                        "url": "https://ubuntu.com/security/CVE-2025-68183",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr  Currently when both IMA and EVM are in fix mode, the IMA signature will be reset to IMA hash if a program first stores IMA signature in security.ima and then writes/removes some other security xattr for the file.  For example, on Fedora, after booting the kernel with \"ima_appraise=fix evm=fix ima_policy=appraise_tcb\" and installing rpm-plugin-ima, installing/reinstalling a package will not make good reference IMA signature generated. Instead IMA hash is generated,      # getfattr -m - -d -e hex /usr/bin/bash     # file: usr/bin/bash     security.ima=0x0404...  This happens because when setting security.selinux, the IMA_DIGSIG flag that had been set early was cleared. As a result, IMA hash is generated when the file is closed.  Similarly, IMA signature can be cleared on file close after removing security xattr like security.evm or setting/removing ACL.  Prevent replacing the IMA file signature with a file hash, by preventing the IMA_DIGSIG flag from being reset.  
Here's a minimal C reproducer which sets security.selinux as the last step, which can also be replaced by removing security.evm or setting ACL,      #include <stdio.h>     #include <sys/xattr.h>     #include <fcntl.h>     #include <unistd.h>     #include <string.h>     #include <stdlib.h>      int main() {         const char* file_path = \"/usr/sbin/test_binary\";         const char* hex_string = \"030204d33204490066306402304\";         int length = strlen(hex_string);         char* ima_attr_value;         int fd;          fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);         if (fd == -1) {             perror(\"Error opening file\");             return 1;         }          ima_attr_value = (char*)malloc(length / 2 );         for (int i = 0, j = 0; i < length; i += 2, j++) {             sscanf(hex_string + i, \"%2hhx\", &ima_attr_value[j]);         }          if (fsetxattr(fd, \"security.ima\", ima_attr_value, length/2, 0) == -1) {             perror(\"Error setting extended attribute\");             close(fd);             return 1;         }          const char* selinux_value= \"system_u:object_r:bin_t:s0\";         if (fsetxattr(fd, \"security.selinux\", selinux_value, strlen(selinux_value), 0) == -1) {             perror(\"Error setting extended attribute\");             close(fd);             return 1;         }          close(fd);          return 0;     }",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68173",
                        "url": "https://ubuntu.com/security/CVE-2025-68173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ftrace: Fix softlockup in ftrace_module_enable  A soft lockup was observed when loading the amdgpu module. If a module has a lot of traceable functions, multiple calls to kallsyms_lookup can spend too much time in an RCU critical section with preemption disabled, causing a kernel panic. This is the same issue that was fixed in commit d0b24b4e91fc (\"ftrace: Prevent RCU stall on PREEMPT_VOLUNTARY kernels\") and commit 42ea22e754ba (\"ftrace: Add cond_resched() to ftrace_graph_set_hash()\").  Fix it the same way by adding cond_resched() in ftrace_module_enable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40306",
                        "url": "https://ubuntu.com/security/CVE-2025-40306",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  orangefs: fix xattr related buffer overflow...  Willy Tarreau <w@1wt.eu> forwarded me a message from Disclosure <disclosure@aisle.com> with the following warning:  > The helper `xattr_key()` uses the pointer variable in the loop condition > rather than dereferencing it. As `key` is incremented, it remains non-NULL > (until it runs into unmapped memory), so the loop does not terminate on > valid C strings and will walk memory indefinitely, consuming CPU or hanging > the thread.  I easily reproduced this with setfattr and getfattr, causing a kernel oops, hung user processes and corrupted orangefs files. Disclosure sent along a diff (not a patch) with a suggested fix, which I based this patch on.  After xattr_key started working right, xfstest generic/069 exposed an xattr related memory leak that lead to OOM. xattr_key returns a hashed key.  When adding xattrs to the orangefs xattr cache, orangefs used hash_add, a kernel hashing macro. hash_add also hashes the key using hash_log which resulted in additions to the xattr cache going to the wrong hash bucket. generic/069 tortures a single file and orangefs does a getattr for the xattr \"security.capability\" every time. Orangefs negative caches on xattrs which includes a kmalloc. Since adds to the xattr cache were going to the wrong bucket, every getattr for \"security.capability\" resulted in another kmalloc, none of which were ever freed.  I changed the two uses of hash_add to hlist_add_head instead and the memory leak ceased and generic/069 quit throwing furniture.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40307",
                        "url": "https://ubuntu.com/security/CVE-2025-40307",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exfat: validate cluster allocation bits of the allocation bitmap  syzbot created an exfat image with cluster bits not set for the allocation bitmap. exfat-fs reads and uses the allocation bitmap without checking this. The problem is that if the start cluster of the allocation bitmap is 6, cluster 6 can be allocated when creating a directory with mkdir. exfat zeros out this cluster in exfat_mkdir, which can delete existing entries. This can reallocate the allocated entries. In addition, the allocation bitmap is also zeroed out, so cluster 6 can be reallocated. This patch adds exfat_test_bitmap_range to validate that clusters used for the allocation bitmap are correctly marked as in-use.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40308",
                        "url": "https://ubuntu.com/security/CVE-2025-40308",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: bcsp: receive data only if registered  Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace:      KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]     RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590     Call Trace:      <TASK>      hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627      tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290      tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706      vfs_ioctl fs/ioctl.c:51 [inline]      __do_sys_ioctl fs/ioctl.c:907 [inline]      __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893      do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]      do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94      entry_SYSCALL_64_after_hwframe+0x77/0x7f  To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40309",
                        "url": "https://ubuntu.com/security/CVE-2025-40309",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: SCO: Fix UAF on sco_conn_free  BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline] BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline] BUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 Write of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352  CPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted 6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci13 hci_cmd_sync_work Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0x191/0x550 mm/kasan/report.c:482  kasan_report+0xc4/0x100 mm/kasan/report.c:595  sco_conn_free net/bluetooth/sco.c:87 [inline]  kref_put include/linux/kref.h:65 [inline]  sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107  sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441  hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]  hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313  hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121  hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147  hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689  hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332  process_one_work kernel/workqueue.c:3236 [inline]  process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319  worker_thread+0xbee/0x1200 kernel/workqueue.c:3400  kthread+0x3c7/0x870 kernel/kthread.c:463  ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 31370:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x70 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:388 
[inline]  __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405  kasan_kmalloc include/linux/kasan.h:260 [inline]  __do_kmalloc_node mm/slub.c:4382 [inline]  __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394  kmalloc_noprof include/linux/slab.h:909 [inline]  sk_prot_alloc+0xae/0x220 net/core/sock.c:2239  sk_alloc+0x34/0x5a0 net/core/sock.c:2295  bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151  sco_sock_alloc net/bluetooth/sco.c:562 [inline]  sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593  bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135  __sock_create+0x3ad/0x780 net/socket.c:1589  sock_create net/socket.c:1647 [inline]  __sys_socket_create net/socket.c:1684 [inline]  __sys_socket+0xd5/0x330 net/socket.c:1731  __do_sys_socket net/socket.c:1745 [inline]  __se_sys_socket net/socket.c:1743 [inline]  __x64_sys_socket+0x7a/0x90 net/socket.c:1743  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 31374:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x70 mm/kasan/common.c:68  kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576  poison_slab_object mm/kasan/common.c:243 [inline]  __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275  kasan_slab_free include/linux/kasan.h:233 [inline]  slab_free_hook mm/slub.c:2428 [inline]  slab_free mm/slub.c:4701 [inline]  kfree+0x199/0x3b0 mm/slub.c:4900  sk_prot_free net/core/sock.c:2278 [inline]  __sk_destruct+0x4aa/0x630 net/core/sock.c:2373  sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333  __sock_release net/socket.c:649 [inline]  sock_close+0xb8/0x230 net/socket.c:1439  __fput+0x3d1/0x9e0 fs/file_table.c:468  task_work_run+0x206/0x2a0 kernel/task_work.c:227  get_signal+0x1201/0x1410 kernel/signal.c:2807  arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337  exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40  exit_to_user_mode_prepare 
include/linux/irq-entry-common.h:225 [inline]  s ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68174",
                        "url": "https://ubuntu.com/security/CVE-2025-68174",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  amd/amdkfd: enhance kfd process check in switch partition  current switch partition only check if kfd_processes_table is empty. kfd_prcesses_table entry is deleted in kfd_process_notifier_release, but kfd_process tear down is in kfd_process_wq_release.  consider two processes:  Process A (workqueue) -> kfd_process_wq_release -> Access kfd_node member Process B switch partition -> amdgpu_xcp_pre_partition_switch -> amdgpu_amdkfd_device_fini_sw -> kfd_node tear down.  Process A and B may trigger a race as shown in dmesg log.  This patch is to resolve the race by adding an atomic kfd_process counter kfd_processes_count, it increment as create kfd process, decrement as finish kfd_process_wq_release.  v2: Put kfd_processes_count per kfd_dev, move decrement to kfd_process_destroy_pdds and bug fix. (Philip Yang)  [3966658.307702] divide error: 0000 [#1] SMP NOPTI [3966658.350818]  i10nm_edac [3966658.356318] CPU: 124 PID: 38435 Comm: kworker/124:0 Kdump: loaded Tainted [3966658.356890] Workqueue: kfd_process_wq kfd_process_wq_release [amdgpu] [3966658.362839]  nfit [3966658.366457] RIP: 0010:kfd_get_num_sdma_engines+0x17/0x40 [amdgpu] [3966658.366460] Code: 00 00 e9 ac 81 02 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 0f 1f 44 00 00 48 8b 4f 08 48 8b b7 00 01 00 00 8b 81 58 26 03 00 99 <f7> be b8 01 00 00 80 b9 70 2e 00 00 00 74 0b 83 f8 02 ba 02 00 00 [3966658.380967]  x86_pkg_temp_thermal [3966658.391529] RSP: 0018:ffffc900a0edfdd8 EFLAGS: 00010246 [3966658.391531] RAX: 0000000000000008 RBX: ffff8974e593b800 RCX: ffff888645900000 [3966658.391531] RDX: 0000000000000000 RSI: ffff888129154400 RDI: ffff888129151c00 [3966658.391532] RBP: ffff8883ad79d400 R08: 0000000000000000 R09: ffff8890d2750af4 [3966658.391532] R10: 0000000000000018 R11: 0000000000000018 R12: 0000000000000000 [3966658.391533] R13: ffff8883ad79d400 R14: ffffe87ff662ba00 R15: ffff8974e593b800 
[3966658.391533] FS:  0000000000000000(0000) GS:ffff88fe7f600000(0000) knlGS:0000000000000000 [3966658.391534] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [3966658.391534] CR2: 0000000000d71000 CR3: 000000dd0e970004 CR4: 0000000002770ee0 [3966658.391535] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [3966658.391535] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [3966658.391536] PKRU: 55555554 [3966658.391536] Call Trace: [3966658.391674]  deallocate_sdma_queue+0x38/0xa0 [amdgpu] [3966658.391762]  process_termination_cpsch+0x1ed/0x480 [amdgpu] [3966658.399754]  intel_powerclamp [3966658.402831]  kfd_process_dequeue_from_all_devices+0x5b/0xc0 [amdgpu] [3966658.402908]  kfd_process_wq_release+0x1a/0x1a0 [amdgpu] [3966658.410516]  coretemp [3966658.434016]  process_one_work+0x1ad/0x380 [3966658.434021]  worker_thread+0x49/0x310 [3966658.438963]  kvm_intel [3966658.446041]  ? process_one_work+0x380/0x380 [3966658.446045]  kthread+0x118/0x140 [3966658.446047]  ? 
__kthread_bind_mask+0x60/0x60 [3966658.446050]  ret_from_fork+0x1f/0x30 [3966658.446053] Modules linked in: kpatch_20765354(OEK) [3966658.455310]  kvm [3966658.464534]  mptcp_diag xsk_diag raw_diag unix_diag af_packet_diag netlink_diag udp_diag act_pedit act_mirred act_vlan cls_flower kpatch_21951273(OEK) kpatch_18424469(OEK) kpatch_19749756(OEK) [3966658.473462]  idxd_mdev [3966658.482306]  kpatch_17971294(OEK) sch_ingress xt_conntrack amdgpu(OE) amdxcp(OE) amddrm_buddy(OE) amd_sched(OE) amdttm(OE) amdkcl(OE) intel_ifs iptable_mangle tcm_loop target_core_pscsi tcp_diag target_core_file inet_diag target_core_iblock target_core_user target_core_mod coldpgs kpatch_18383292(OEK) ip6table_nat ip6table_filter ip6_tables ip_set_hash_ipportip ip_set_hash_ipportnet ip_set_hash_ipport ip_set_bitmap_port xt_comment iptable_nat nf_nat iptable_filter ip_tables ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 sn_core_odd(OE) i40e overlay binfmt_misc tun bonding(OE) aisqos(OE) aisqo ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40310",
                        "url": "https://ubuntu.com/security/CVE-2025-40310",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw  There is race in amdgpu_amdkfd_device_fini_sw and interrupt. if amdgpu_amdkfd_device_fini_sw run in b/w kfd_cleanup_nodes and   kfree(kfd), and KGD interrupt generated.  kernel panic log:  BUG: kernel NULL pointer dereference, address: 0000000000000098 amdgpu 0000:c8:00.0: amdgpu: Requesting 4 partitions through PSP  PGD d78c68067 P4D d78c68067  kfd kfd: amdgpu: Allocated 3969056 bytes on gart  PUD 1465b8067 PMD @  Oops: @002 [#1] SMP NOPTI  kfd kfd: amdgpu: Total number of KFD nodes to be created: 4 CPU: 115 PID: @ Comm: swapper/115 Kdump: loaded Tainted: G S W OE K  RIP: 0010:_raw_spin_lock_irqsave+0x12/0x40  Code: 89 e@ 41 5c c3 cc cc cc cc 66 66 2e Of 1f 84 00 00 00 00 00 OF 1f 40 00 Of 1f 44% 00 00 41 54 9c 41 5c fa 31 cO ba 01 00 00 00 <fO> OF b1 17 75 Ba 4c 89 e@ 41 Sc  89 c6 e8 07 38 5d  RSP: 0018: ffffc90@1a6b0e28 EFLAGS: 00010046  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000018 0000000000000001 RSI: ffff8883bb623e00 RDI: 0000000000000098 ffff8883bb000000 RO8: ffff888100055020 ROO: ffff888100055020 0000000000000000 R11: 0000000000000000 R12: 0900000000000002 ffff888F2b97da0@ R14: @000000000000098 R15: ffff8883babdfo00  CS: 010 DS: 0000 ES: 0000 CRO: 0000000080050033  CR2: 0000000000000098 CR3: 0000000e7cae2006 CR4: 0000000002770ce0 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 0000000000000000 DR6: 00000000fffeO7FO DR7: 0000000000000400  PKRU: 55555554  Call Trace:  <IRQ>  kgd2kfd_interrupt+@x6b/0x1f@ [amdgpu]  ? 
amdgpu_fence_process+0xa4/0x150 [amdgpu]  kfd kfd: amdgpu: Node: 0, interrupt_bitmap: 3 YcpxFl Rant tErace  amdgpu_irq_dispatch+0x165/0x210 [amdgpu]  amdgpu_ih_process+0x80/0x100 [amdgpu]  amdgpu: Virtual CRAT table created for GPU  amdgpu_irq_handler+0x1f/@x60 [amdgpu]  __handle_irq_event_percpu+0x3d/0x170  amdgpu: Topology: Add dGPU node [0x74a2:0x1002]  handle_irq_event+0x5a/@xcO  handle_edge_irq+0x93/0x240  kfd kfd: amdgpu: KFD node 1 partition @ size 49148M  asm_call_irq_on_stack+0xf/@x20  </IRQ>  common_interrupt+0xb3/0x130  asm_common_interrupt+0x1le/0x40  5.10.134-010.a1i5000.a18.x86_64 #1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40361",
                        "url": "https://ubuntu.com/security/CVE-2025-40361",
                        "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40311",
                        "url": "https://ubuntu.com/security/CVE-2025-40311",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/habanalabs: support mapping cb with vmalloc-backed coherent memory  When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return addresses from the vmalloc range. If such an address is mapped without VM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the VM_PFNMAP restriction.  Fix this by checking for vmalloc addresses and setting VM_MIXEDMAP in the VMA before mapping. This ensures safe mapping and avoids kernel crashes. The memory is still driver-allocated and cannot be accessed directly by userspace.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68185",
                        "url": "https://ubuntu.com/security/CVE-2025-68185",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing  Theoretically it's an oopsable race, but I don't believe one can manage to hit it on real hardware; might become doable on a KVM, but it still won't be easy to attack.  Anyway, it's easy to deal with - since xdr_encode_hyper() is just a call of put_unaligned_be64(), we can put that under ->d_lock and be done with that.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68176",
                        "url": "https://ubuntu.com/security/CVE-2025-68176",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: cadence: Check for the existence of cdns_pcie::ops before using it  cdns_pcie::ops might not be populated by all the Cadence glue drivers. This is going to be true for the upcoming Sophgo platform which doesn't set the ops.  Hence, add a check to prevent NULL pointer dereference.  [mani: reworded subject and description]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68190",
                        "url": "https://ubuntu.com/security/CVE-2025-68190",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()  kcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws remains NULL while ectx.ws_size is set, leading to a potential NULL pointer dereference in atom_get_src_int() when accessing WS entries.  Return -ENOMEM on allocation failure to avoid the NULL dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68168",
                        "url": "https://ubuntu.com/security/CVE-2025-68168",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  jfs: fix uninitialized waitqueue in transaction manager  The transaction manager initialization in txInit() was not properly initializing TxBlock[0].waitor waitqueue, causing a crash when txEnd(0) is called on read-only filesystems.  When a filesystem is mounted read-only, txBegin() returns tid=0 to indicate no transaction. However, txEnd(0) still gets called and tries to access TxBlock[0].waitor via tid_to_tblock(0), but this waitqueue was never initialized because the initialization loop started at index 1 instead of 0.  This causes a 'non-static key' lockdep warning and system crash:   INFO: trying to register non-static key in txEnd  Fix by ensuring all transaction blocks including TxBlock[0] have their waitqueues properly initialized during txInit().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40312",
                        "url": "https://ubuntu.com/security/CVE-2025-40312",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  jfs: Verify inode mode when loading from disk  The inode mode loaded from corrupted disk can be invalid. Do like what commit 0a9e74051313 (\"isofs: Verify inode mode when loading from disk\") does.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40333",
                        "url": "https://ubuntu.com/security/CVE-2025-40333",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix infinite loop in __insert_extent_tree()  When we get wrong extent info data and look up extent_node in the rb tree, it will cause an infinite loop (CONFIG_F2FS_CHECK_FS=n). Avoid this by returning NULL and printing some kernel messages in that case.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68321",
                        "url": "https://ubuntu.com/security/CVE-2025-68321",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  page_pool: always add GFP_NOWARN for ATOMIC allocations  Driver authors often forget to add GFP_NOWARN for page allocation from the datapath. This is annoying to users as OOMs are a fact of life, and we pretty much expect network Rx to hit page allocation failures during OOM. Make page pool add GFP_NOWARN for ATOMIC allocations by default.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40334",
                        "url": "https://ubuntu.com/security/CVE-2025-40334",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: validate userq buffer virtual address and size  It needs to validate the userq object virtual address to determine whether it resides in a valid vm mapping.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68191",
                        "url": "https://ubuntu.com/security/CVE-2025-68191",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  udp_tunnel: use netdev_warn() instead of netdev_WARN()  netdev_WARN() uses WARN/WARN_ON to print a backtrace along with file and line information. In this case, udp_tunnel_nic_register() returning an error is just a failed operation, not a kernel bug.  udp_tunnel_nic_register() can fail due to a memory allocation failure (kzalloc() or udp_tunnel_nic_alloc()). This is a normal runtime error and not a kernel bug.  Replace netdev_WARN() with netdev_warn() accordingly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68309",
                        "url": "https://ubuntu.com/security/CVE-2025-68309",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI/AER: Fix NULL pointer access by aer_info  The kzalloc(GFP_KERNEL) may return NULL, so all accesses to aer_info->xxx will result in kernel panic. Fix it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40313",
                        "url": "https://ubuntu.com/security/CVE-2025-40313",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ntfs3: pretend $Extend records as regular files  Since commit af153bb63a33 (\"vfs: catch invalid modes in may_open()\") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/ S_IFIFO/S_IFSOCK type, use S_IFREG for $Extend records.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40335",
                        "url": "https://ubuntu.com/security/CVE-2025-40335",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: validate userq input args  This will help on validating the userq input args, and rejecting for the invalid userq request at the IOCTLs first place.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40314",
                        "url": "https://ubuntu.com/security/CVE-2025-40314",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget  In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget structure (pdev->gadget) was freed before its endpoints. The endpoints are linked via the ep_list in the gadget structure. Freeing the gadget first leaves dangling pointers in the endpoint list. When the endpoints are subsequently freed, this results in a use-after-free.  Fix: By separating the usb_del_gadget_udc() operation into distinct \"del\" and \"put\" steps, cdnsp_gadget_free_endpoints() can be executed prior to the final release of the gadget structure with usb_put_gadget().  A patch similar to bb9c74a5bd14(\"usb: dwc3: gadget: Free gadget structure  only after freeing endpoints\").",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40336",
                        "url": "https://ubuntu.com/security/CVE-2025-40336",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gpusvm: fix hmm_pfn_to_map_order() usage  Handle the case where the hmm range partially covers a huge page (like 2M), otherwise we can potentially end up doing something nasty like mapping memory which is outside the range, and maybe not even mapped by the mm. Fix is based on the xe userptr code, which in a future patch will directly use gpusvm, so needs alignment here.  v2:   - Add kernel-doc (Matt B)   - s/fls/ilog2/ (Thomas)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68193",
                        "url": "https://ubuntu.com/security/CVE-2025-68193",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Add devm release action to safely tear down CT  When a buffer object (BO) is allocated with the XE_BO_FLAG_GGTT_INVALIDATE flag, the driver initiates TLB invalidation requests via the CTB mechanism while releasing the BO. However a premature release of the CTB BO can lead to system crashes, as observed in:  Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:h2g_write+0x2f3/0x7c0 [xe] Call Trace:  guc_ct_send_locked+0x8b/0x670 [xe]  xe_guc_ct_send_locked+0x19/0x60 [xe]  send_tlb_invalidation+0xb4/0x460 [xe]  xe_gt_tlb_invalidation_ggtt+0x15e/0x2e0 [xe]  ggtt_invalidate_gt_tlb.part.0+0x16/0x90 [xe]  ggtt_node_remove+0x110/0x140 [xe]  xe_ggtt_node_remove+0x40/0xa0 [xe]  xe_ggtt_remove_bo+0x87/0x250 [xe]  Introduce a devm-managed release action during xe_guc_ct_init() and xe_guc_ct_init_post_hwconfig() to ensure proper CTB disablement before resource deallocation, preventing the use-after-free scenario.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68175",
                        "url": "https://ubuntu.com/security/CVE-2025-68175",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: nxp: imx8-isi: Fix streaming cleanup on release  The current implementation unconditionally calls mxc_isi_video_cleanup_streaming() in mxc_isi_video_release(). This can lead to situations where any release call (like from a simple \"v4l2-ctl -l\") may release a currently streaming queue when called on such a device.  This is reproducible on an i.MX8MP board by streaming from an ISI capture device using gstreamer:  \tgst-launch-1.0 -v v4l2src device=/dev/videoX ! \\ \t    video/x-raw,format=GRAY8,width=1280,height=800,framerate=1/120 ! \\ \t    fakesink  While this stream is running, querying the caps of the same device provokes the error state:  \tv4l2-ctl -l -d /dev/videoX  This results in the following trace:  [  155.452152] ------------[ cut here ]------------ [  155.452163] WARNING: CPU: 0 PID: 1708 at drivers/media/platform/nxp/imx8-isi/imx8-isi-pipe.c:713 mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [  157.004248] Modules linked in: cfg80211 rpmsg_ctrl rpmsg_char rpmsg_tty virtio_rpmsg_bus rpmsg_ns rpmsg_core rfkill nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables mcp251x6 [  157.053499] CPU: 0 UID: 0 PID: 1708 Comm: python3 Not tainted 6.15.4-00114-g1f61ca5cad76 #1 PREEMPT [  157.064369] Hardware name: imx8mp_board_01 (DT) [  157.068205] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [  157.075169] pc : mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [  157.081195] lr : mxc_isi_pipe_irq_handler+0x38/0x1b0 [imx8_isi] [  157.087126] sp : ffff800080003ee0 [  157.090438] x29: ffff800080003ee0 x28: ffff0000c3688000 x27: 0000000000000000 [  157.097580] x26: 0000000000000000 x25: ffff0000c1e7ac00 x24: ffff800081b5ad50 [  157.104723] x23: 00000000000000d1 x22: 0000000000000000 x21: ffff0000c25e4000 [  157.111866] x20: 0000000060000200 x19: ffff80007a0608d0 x18: 0000000000000000 [  157.119008] x17: ffff80006a4e3000 
x16: ffff800080000000 x15: 0000000000000000 [  157.126146] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [  157.133287] x11: 0000000000000040 x10: ffff0000c01445f0 x9 : ffff80007a053a38 [  157.140425] x8 : ffff0000c04004b8 x7 : 0000000000000000 x6 : 0000000000000000 [  157.147567] x5 : ffff0000c0400490 x4 : ffff80006a4e3000 x3 : ffff0000c25e4000 [  157.154706] x2 : 0000000000000000 x1 : ffff8000825c0014 x0 : 0000000060000200 [  157.161850] Call trace: [  157.164296]  mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] (P) [  157.170319]  __handle_irq_event_percpu+0x58/0x218 [  157.175029]  handle_irq_event+0x54/0xb8 [  157.178867]  handle_fasteoi_irq+0xac/0x248 [  157.182968]  handle_irq_desc+0x48/0x68 [  157.186723]  generic_handle_domain_irq+0x24/0x38 [  157.191346]  gic_handle_irq+0x54/0x120 [  157.195098]  call_on_irq_stack+0x24/0x30 [  157.199027]  do_interrupt_handler+0x88/0x98 [  157.203212]  el0_interrupt+0x44/0xc0 [  157.206792]  __el0_irq_handler_common+0x18/0x28 [  157.211328]  el0t_64_irq_handler+0x10/0x20 [  157.215429]  el0t_64_irq+0x198/0x1a0 [  157.219009] ---[ end trace 0000000000000000 ]---  Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the vb2_ioctl_streamon() and vb2_ioctl_streamoff() helpers, and removal of the manual cleanup from mxc_isi_video_release().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68188",
                        "url": "https://ubuntu.com/security/CVE-2025-68188",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()  Use RCU to avoid a pair of atomic operations and a potential UAF on dst_dev()->flags.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68315",
                        "url": "https://ubuntu.com/security/CVE-2025-68315",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix to detect potential corrupted nid in free_nid_list  As reported, on-disk footer.ino and footer.nid is the same and out-of-range, let's add sanity check on f2fs_alloc_nid() to detect any potential corruption in free_nid_list.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40337",
                        "url": "https://ubuntu.com/security/CVE-2025-40337",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Correctly handle Rx checksum offload errors  The stmmac_rx function would previously set skb->ip_summed to CHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabled and the packet was of a known IP ethertype.  However, this logic failed to check if the hardware had actually reported a checksum error. The hardware status, indicating a header or payload checksum failure, was being ignored at this stage. This could cause corrupt packets to be passed up the network stack as valid.  This patch corrects the logic by checking the `csum_none` status flag, which is set when the hardware reports a checksum error. If this flag is set, skb->ip_summed is now correctly set to CHECKSUM_NONE, ensuring the kernel's network stack will perform its own validation and properly handle the corrupt packet.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40338",
                        "url": "https://ubuntu.com/security/CVE-2025-40338",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Do not share the name pointer between components  By sharing 'name' directly, tearing down components may lead to use-after-free errors. Duplicate the name to avoid that.  At the same time, update the order of operations - since commit cee28113db17 (\"ASoC: dmaengine_pcm: Allow passing component name via config\") the framework does not override component->name if set before invoking the initializer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40339",
                        "url": "https://ubuntu.com/security/CVE-2025-40339",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: fix nullptr err of vm_handle_moved  If an amdgpu_bo_va is fpriv->prt_va, its bo is always NULL, so this kind of amdgpu_bo_va should be updated separately before amdgpu_vm_handle_moved.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68194",
                        "url": "https://ubuntu.com/security/CVE-2025-68194",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: imon: make send_packet() more robust  syzbot is reporting that imon has three problems which result in hung tasks due to forever holding device lock [1].  First problem is that when usb_rx_callback_intf0() once got -EPROTO error after ictx->dev_present_intf0 became true, usb_rx_callback_intf0() resubmits urb after printk(), and resubmitted urb causes usb_rx_callback_intf0() to again get -EPROTO error. This results in printk() flooding (RCU stalls).  Alan Stern commented [2] that    In theory it's okay to resubmit _if_ the driver has a robust   error-recovery scheme (such as giving up after some fixed limit on the   number of errors or after some fixed time has elapsed, perhaps with a   time delay to prevent a flood of errors).  Most drivers don't bother to   do this; they simply give up right away.  This makes them more   vulnerable to short-term noise interference during USB transfers, but in   reality such interference is quite rare.  There's nothing really wrong   with giving up right away.  but imon has a poor error-recovery scheme which just retries forever; this behavior should be fixed.  Since I'm not sure whether it is safe for imon users to give up upon any error code, this patch takes care of only union of error codes chosen from modules in drivers/media/rc/ directory which handle -EPROTO error (i.e. ir_toy, mceusb and igorplugusb).  Second problem is that when usb_rx_callback_intf0() once got -EPROTO error before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0() always resubmits urb due to commit 8791d63af0cf (\"[media] imon: don't wedge hardware after early callbacks\"). 
Move the ictx->dev_present_intf0 test introduced by commit 6f6b90c9231a (\"[media] imon: don't parse scancodes until intf configured\") to immediately before imon_incoming_packet(), or the first problem explained above happens without printk() flooding (i.e. hung task).  Third problem is that when usb_rx_callback_intf0() is not called for some reason (e.g. flaky hardware; the reproducer for this problem sometimes prevents usb_rx_callback_intf0() from being called), wait_for_completion_interruptible() in send_packet() never returns (i.e. hung task). As a workaround for such situation, change send_packet() to wait for completion with timeout of 10 seconds.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40363",
                        "url": "https://ubuntu.com/security/CVE-2025-40363",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: ipv6: fix field-spanning memcpy warning in AH output  Fix field-spanning memcpy warnings in ah6_output() and ah6_output_done() where extension headers are copied to/from IPv6 address fields, triggering fortify-string warnings about writes beyond the 16-byte address fields.    memcpy: detected field-spanning write (size 40) of single field \"&top_iph->saddr\" at net/ipv6/ah6.c:439 (size 16)   WARNING: CPU: 0 PID: 8838 at net/ipv6/ah6.c:439 ah6_output+0xe7e/0x14e0 net/ipv6/ah6.c:439  The warnings are false positives as the extension headers are intentionally placed after the IPv6 header in memory. Fix by properly copying addresses and extension headers separately, and introduce helper functions to avoid code duplication.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68311",
                        "url": "https://ubuntu.com/security/CVE-2025-68311",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: serial: ip22zilog: Use platform device for probing  After commit 84a9582fd203 (\"serial: core: Start managing serial controllers to enable runtime PM\") serial drivers need to provide a device in struct uart_port.dev otherwise an oops happens. To fix this issue for ip22zilog driver switch driver to a platform driver and setup the serial device in sgi-ip22 code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40340",
                        "url": "https://ubuntu.com/security/CVE-2025-40340",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.  I saw an oops in xe_gem_fault when running the xe-fast-feedback testlist against the realtime kernel without debug options enabled.  The panic happens after core_hotunplug unbind-rebind finishes. Presumably what happens is that a process mmaps, unlocks because of the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left, causing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since there was nothing left to populate, and then oopses in \"mem_type_is_vram(tbo->resource->mem_type)\" because tbo->resource is NULL.  It's convoluted, but fits the data and explains the oops after the test exits.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68196",
                        "url": "https://ubuntu.com/security/CVE-2025-68196",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Cache streams targeting link when performing LT automation  [WHY] Last LT automation update can cause crash by referencing current_state and calling into dc_update_planes_and_stream which may clobber current_state.  [HOW] Cache relevant stream pointers and iterate through them instead of relying on the current_state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68178",
                        "url": "https://ubuntu.com/security/CVE-2025-68178",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  blk-cgroup: fix possible deadlock while configuring policy  Following deadlock can be triggered easily by lockdep:  WARNING: possible circular locking dependency detected 6.17.0-rc3-00124-ga12c2658ced0 #1665 Not tainted ------------------------------------------------------ check/1334 is trying to acquire lock: ff1100011d9d0678 (&q->sysfs_lock){+.+.}-{4:4}, at: blk_unregister_queue+0x53/0x180  but task is already holding lock: ff1100011d9d00e0 (&q->q_usage_counter(queue)#3){++++}-{0:0}, at: del_gendisk+0xba/0x110  which lock already depends on the new lock.  the existing dependency chain (in reverse order) is:  -> #2 (&q->q_usage_counter(queue)#3){++++}-{0:0}:        blk_queue_enter+0x40b/0x470        blkg_conf_prep+0x7b/0x3c0        tg_set_limit+0x10a/0x3e0        cgroup_file_write+0xc6/0x420        kernfs_fop_write_iter+0x189/0x280        vfs_write+0x256/0x490        ksys_write+0x83/0x190        __x64_sys_write+0x21/0x30        x64_sys_call+0x4608/0x4630        do_syscall_64+0xdb/0x6b0        entry_SYSCALL_64_after_hwframe+0x76/0x7e  -> #1 (&q->rq_qos_mutex){+.+.}-{4:4}:        __mutex_lock+0xd8/0xf50        mutex_lock_nested+0x2b/0x40        wbt_init+0x17e/0x280        wbt_enable_default+0xe9/0x140        blk_register_queue+0x1da/0x2e0        __add_disk+0x38c/0x5d0        add_disk_fwnode+0x89/0x250        device_add_disk+0x18/0x30        virtblk_probe+0x13a3/0x1800        virtio_dev_probe+0x389/0x610        really_probe+0x136/0x620        __driver_probe_device+0xb3/0x230        driver_probe_device+0x2f/0xe0        __driver_attach+0x158/0x250        bus_for_each_dev+0xa9/0x130        driver_attach+0x26/0x40        bus_add_driver+0x178/0x3d0        driver_register+0x7d/0x1c0        __register_virtio_driver+0x2c/0x60        virtio_blk_init+0x6f/0xe0        do_one_initcall+0x94/0x540        kernel_init_freeable+0x56a/0x7b0        kernel_init+0x2b/0x270    
    ret_from_fork+0x268/0x4c0        ret_from_fork_asm+0x1a/0x30  -> #0 (&q->sysfs_lock){+.+.}-{4:4}:        __lock_acquire+0x1835/0x2940        lock_acquire+0xf9/0x450        __mutex_lock+0xd8/0xf50        mutex_lock_nested+0x2b/0x40        blk_unregister_queue+0x53/0x180        __del_gendisk+0x226/0x690        del_gendisk+0xba/0x110        sd_remove+0x49/0xb0 [sd_mod]        device_remove+0x87/0xb0        device_release_driver_internal+0x11e/0x230        device_release_driver+0x1a/0x30        bus_remove_device+0x14d/0x220        device_del+0x1e1/0x5a0        __scsi_remove_device+0x1ff/0x2f0        scsi_remove_device+0x37/0x60        sdev_store_delete+0x77/0x100        dev_attr_store+0x1f/0x40        sysfs_kf_write+0x65/0x90        kernfs_fop_write_iter+0x189/0x280        vfs_write+0x256/0x490        ksys_write+0x83/0x190        __x64_sys_write+0x21/0x30        x64_sys_call+0x4608/0x4630        do_syscall_64+0xdb/0x6b0        entry_SYSCALL_64_after_hwframe+0x76/0x7e  other info that might help us debug this:  Chain exists of:   &q->sysfs_lock --> &q->rq_qos_mutex --> &q->q_usage_counter(queue)#3   Possible unsafe locking scenario:         CPU0                    CPU1        ----                    ----   lock(&q->q_usage_counter(queue)#3);                                lock(&q->rq_qos_mutex);                                lock(&q->q_usage_counter(queue)#3);   lock(&q->sysfs_lock);  Root cause is that queue_usage_counter is grabbed with rq_qos_mutex held in blkg_conf_prep(), while queue should be freezed before rq_qos_mutex from other context.  The blk_queue_enter() from blkg_conf_prep() is used to protect against policy deactivation, which is already protected with blkcg_mutex, hence convert blk_queue_enter() to blkcg_mutex to fix this problem. Meanwhile, consider that blkcg_mutex is held after queue is freezed from policy deactivation, also convert blkg_alloc() to use GFP_NOIO.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40341",
                        "url": "https://ubuntu.com/security/CVE-2025-40341",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  futex: Don't leak robust_list pointer on exec race  sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access() to check if the calling task is allowed to access another task's robust_list pointer. This check is racy against a concurrent exec() in the target process.  During exec(), a task may transition from a non-privileged binary to a privileged one (e.g., setuid binary) and its credentials/memory mappings may change. If get_robust_list() performs ptrace_may_access() before this transition, it may erroneously allow access to sensitive information after the target becomes privileged.  A racy access allows an attacker to exploit a window during which ptrace_may_access() passes before a target process transitions to a privileged state via exec().  For example, consider a non-privileged task T that is about to execute a setuid-root binary. An attacker task A calls get_robust_list(T) while T is still unprivileged. Since ptrace_may_access() checks permissions based on current credentials, it succeeds. However, if T begins exec immediately afterwards, it becomes privileged and may change its memory mappings. Because get_robust_list() proceeds to access T->robust_list without synchronizing with exec() it may read user-space pointers from a now-privileged process.  This violates the intended post-exec access restrictions and could expose sensitive memory addresses or be used as a primitive in a larger exploit chain. Consequently, the race can lead to unauthorized disclosure of information across privilege boundaries and poses a potential security risk.  Take a read lock on signal->exec_update_lock prior to invoking ptrace_may_access() and accessing the robust_list/compat_robust_list. This ensures that the target task's exec state remains stable during the check, allowing for consistent and synchronized validation of credentials.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40342",
                        "url": "https://ubuntu.com/security/CVE-2025-40342",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvme-fc: use lock accessing port_state and rport state  nvme_fc_unregister_remote removes the remote port on a lport object at any point in time when there is no active association. This races with the reconnect logic, because nvme_fc_create_association is not taking a lock to check the port_state and atomically increase the active count on the rport.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40343",
                        "url": "https://ubuntu.com/security/CVE-2025-40343",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-fc: avoid scheduling association deletion twice  When forcefully shutting down a port via the configfs interface, nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and then nvmet_disable_port(). Both functions will eventually schedule all remaining associations for deletion.  The current implementation checks whether an association is about to be removed, but only after the work item has already been scheduled. As a result, it is possible for the first scheduled work item to free all resources, and then for the same work item to be scheduled again for deletion.  Because the association list is an RCU list, it is not possible to take a lock and remove the list entry directly, so it cannot be looked up again. Instead, a flag (terminating) must be used to determine whether the association is already in the process of being deleted.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68177",
                        "url": "https://ubuntu.com/security/CVE-2025-68177",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq/longhaul: handle NULL policy in longhaul_exit  longhaul_exit() was calling cpufreq_cpu_get(0) without checking for a NULL policy pointer. On some systems, this could lead to a NULL dereference and a kernel warning or panic.  This patch adds a check using unlikely() and returns early if the policy is NULL.  Bugzilla: #219962",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68317",
                        "url": "https://ubuntu.com/security/CVE-2025-68317",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/zctx: check chained notif contexts  Send zc only links ubuf_info for requests coming from the same context. There are some ambiguous syz reports, so let's check the assumption on notification completion.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40315",
                        "url": "https://ubuntu.com/security/CVE-2025-40315",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_fs: Fix epfile null pointer access after ep enable.  A race condition occurs when ffs_func_eps_enable() runs concurrently with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading to a NULL pointer dereference when accessing epfile->ep in ffs_func_eps_enable() after successful usb_ep_enable().  The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and ffs_data_close() functions, and its modification is protected by the spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function is also protected by ffs->eps_lock.  Thus, add NULL pointer handling for ffs->epfiles in the ffs_func_eps_enable() function to fix issues",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40316",
                        "url": "https://ubuntu.com/security/CVE-2025-40316",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/mediatek: Fix device use-after-free on unbind  A recent change fixed device reference leaks when looking up drm platform device driver data during bind() but failed to remove a partial fix which had been added by commit 80805b62ea5b (\"drm/mediatek: Fix kobject put for component sub-drivers\").  This results in a reference imbalance on component bind() failures and on unbind() which could lead to a use-after-free.  Make sure to only drop the references after retrieving the driver data by effectively reverting the previous partial fix.  Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40360",
                        "url": "https://ubuntu.com/security/CVE-2025-40360",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sysfb: Do not dereference NULL pointer in plane reset  The plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not deref that pointer, but forward NULL to the other plane-reset helpers. Clears plane->state to NULL.  v2: - fix typo in commit description (Javier)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68179",
                        "url": "https://ubuntu.com/security/CVE-2025-68179",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP  As reported by Luiz Capitulino enabling HVO on s390 leads to reproducible crashes. The problem is that kernel page tables are modified without flushing corresponding TLB entries.  Even if it looks like the empty flush_tlb_all() implementation on s390 is the problem, it is actually a different problem: on s390 it is not allowed to replace an active/valid page table entry with another valid page table entry without the detour over an invalid entry. A direct replacement may lead to random crashes and/or data corruption.  In order to invalidate an entry special instructions have to be used (e.g. ipte or idte). Alternatively there are also special instructions available which allow to replace a valid entry with a different valid entry (e.g. crdte or cspg).  Given that the HVO code currently does not provide the hooks to allow for an implementation which is compliant with the s390 architecture requirements, disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP again, which is basically a revert of the original patch which enabled it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68310",
                        "url": "https://ubuntu.com/security/CVE-2025-68310",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump  Do not block PCI config accesses through pci_cfg_access_lock() when executing the s390 variant of PCI error recovery: Acquire just device_lock() instead of pci_dev_lock() as powerpc's EEH and generig PCI AER processing do.  During error recovery testing a pair of tasks was reported to be hung:  mlx5_core 0000:00:00.1: mlx5_health_try_recover:338:(pid 5553): health recovery flow aborted, PCI reads still not working INFO: task kmcheck:72 blocked for more than 122 seconds.       Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. task:kmcheck         state:D stack:0     pid:72    tgid:72    ppid:2     flags:0x00000000 Call Trace:  [<000000065256f030>] __schedule+0x2a0/0x590  [<000000065256f356>] schedule+0x36/0xe0  [<000000065256f572>] schedule_preempt_disabled+0x22/0x30  [<0000000652570a94>] __mutex_lock.constprop.0+0x484/0x8a8  [<000003ff800673a4>] mlx5_unload_one+0x34/0x58 [mlx5_core]  [<000003ff8006745c>] mlx5_pci_err_detected+0x94/0x140 [mlx5_core]  [<0000000652556c5a>] zpci_event_attempt_error_recovery+0xf2/0x398  [<0000000651b9184a>] __zpci_event_error+0x23a/0x2c0 INFO: task kworker/u1664:6:1514 blocked for more than 122 seconds.       Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. 
task:kworker/u1664:6 state:D stack:0     pid:1514  tgid:1514  ppid:2     flags:0x00000000 Workqueue: mlx5_health0000:00:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core] Call Trace:  [<000000065256f030>] __schedule+0x2a0/0x590  [<000000065256f356>] schedule+0x36/0xe0  [<0000000652172e28>] pci_wait_cfg+0x80/0xe8  [<0000000652172f94>] pci_cfg_access_lock+0x74/0x88  [<000003ff800916b6>] mlx5_vsc_gw_lock+0x36/0x178 [mlx5_core]  [<000003ff80098824>] mlx5_crdump_collect+0x34/0x1c8 [mlx5_core]  [<000003ff80074b62>] mlx5_fw_fatal_reporter_dump+0x6a/0xe8 [mlx5_core]  [<0000000652512242>] devlink_health_do_dump.part.0+0x82/0x168  [<0000000652513212>] devlink_health_report+0x19a/0x230  [<000003ff80075a12>] mlx5_fw_fatal_reporter_err_work+0xba/0x1b0 [mlx5_core]  No kernel log of the exact same error with an upstream kernel is available - but the very same deadlock situation can be constructed there, too:  - task: kmcheck   mlx5_unload_one() tries to acquire devlink lock while the PCI error   recovery code has set pdev->block_cfg_access by way of   pci_cfg_access_lock() - task: kworker   mlx5_crdump_collect() tries to set block_cfg_access through   pci_cfg_access_lock() while devlink_health_report() had acquired   the devlink lock.  A similar deadlock situation can be reproduced by requesting a crdump with   > devlink health dump show pci/<BDF> reporter fw_fatal  while PCI error recovery is executed on the same <BDF> physical function by mlx5_core's pci_error_handlers. On s390 this can be injected with   > zpcictl --reset-fw <BDF>  Tests with this patch failed to reproduce that second deadlock situation, the devlink command is rejected with \"kernel answers: Permission denied\" - and we get a kernel log message of:  mlx5_core 1ed0:00:00.1: mlx5_crdump_collect:50:(pid 254382): crdump: failed to lock vsc gw err -5  because the config read of VSC_SEMAPHORE is rejected by the underlying hardware.  
Two prior attempts to address this issue have been discussed and ultimately rejected [see link], with the primary argument that s390's implementation of PCI error recovery is imposing restrictions that neither powerpc's EEH nor PCI AER handling need. Tests show that PCI error recovery on s390 is running to completion even without blocking access to PCI config space.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40317",
                        "url": "https://ubuntu.com/security/CVE-2025-40317",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  regmap: slimbus: fix bus_context pointer in regmap init calls  Commit 4e65bda8273c (\"ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()\") revealed the problem in the slimbus regmap. That commit breaks audio playback, for instance, on sdm845 Thundercomm Dragonboard 845c board:   Unable to handle kernel paging request at virtual address ffff8000847cbad4  ...  CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT  Hardware name: Thundercomm Dragonboard 845c (DT)  ...  Call trace:   slim_xfer_msg+0x24/0x1ac [slimbus] (P)   slim_read+0x48/0x74 [slimbus]   regmap_slimbus_read+0x18/0x24 [regmap_slimbus]   _regmap_raw_read+0xe8/0x174   _regmap_bus_read+0x44/0x80   _regmap_read+0x60/0xd8   _regmap_update_bits+0xf4/0x140   _regmap_select_page+0xa8/0x124   _regmap_raw_write_impl+0x3b8/0x65c   _regmap_bus_raw_write+0x60/0x80   _regmap_write+0x58/0xc0   regmap_write+0x4c/0x80   wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x]   snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core]   __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core]   dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core]   dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core]   snd_pcm_hw_params+0x124/0x464 [snd_pcm]   snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm]   snd_pcm_ioctl+0x34/0x4c [snd_pcm]   __arm64_sys_ioctl+0xac/0x104   invoke_syscall+0x48/0x104   el0_svc_common.constprop.0+0x40/0xe0   do_el0_svc+0x1c/0x28   el0_svc+0x34/0xec   el0t_64_sync_handler+0xa0/0xf0   el0t_64_sync+0x198/0x19c  The __devm_regmap_init_slimbus() started to be used instead of __regmap_init_slimbus() after the commit mentioned above and turns out the incorrect bus_context pointer (3rd argument) was used in __devm_regmap_init_slimbus(). It should be just \"slimbus\" (which is equal to &slimbus->dev). Correct it. 
The wcd934x codec seems to be the only or the first user of devm_regmap_init_slimbus() but we should fix it till the point where __devm_regmap_init_slimbus() was introduced therefore two \"Fixes\" tags.  While at this, also correct the same argument in __regmap_init_slimbus().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40359",
                        "url": "https://ubuntu.com/security/CVE-2025-40359",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/x86/intel: Fix KASAN global-out-of-bounds warning  When running \"perf mem record\" command on CWF, the below KASAN global-out-of-bounds warning is seen.    ==================================================================   BUG: KASAN: global-out-of-bounds in cmt_latency_data+0x176/0x1b0   Read of size 4 at addr ffffffffb721d000 by task dtlb/9850    Call Trace:     kasan_report+0xb8/0xf0    cmt_latency_data+0x176/0x1b0    setup_arch_pebs_sample_data+0xf49/0x2560    intel_pmu_drain_arch_pebs+0x577/0xb00    handle_pmi_common+0x6c4/0xc80  The issue is caused by below code in __grt_latency_data(). The code tries to access x86_hybrid_pmu structure which doesn't exist on non-hybrid platform like CWF.          WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big)  So add is_hybrid() check before calling this WARN_ON_ONCE to fix the global-out-of-bounds access issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68181",
                        "url": "https://ubuntu.com/security/CVE-2025-68181",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Remove calls to drm_put_dev()  Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() drm_put_dev()'ing to trigger it to be free'd should be done by devres.  However, drm_put_dev() is still in the probe error and device remove paths. When the driver fails to probe warnings like the following are shown because devres is trying to drm_put_dev() after the driver already did it.  [    5.642230] radeon 0000:01:05.0: probe with driver radeon failed with error -22 [    5.649605] ------------[ cut here ]------------ [    5.649607] refcount_t: underflow; use-after-free. [    5.649620] WARNING: CPU: 0 PID: 357 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110  (cherry picked from commit 3eb8c0b4c091da0a623ade0d3ee7aa4a93df1ea4)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68170",
                        "url": "https://ubuntu.com/security/CVE-2025-68170",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Do not kfree() devres managed rdev  Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() rdev is managed by devres and we shouldn't be calling kfree() on it.  This fixes things exploding if the driver probe fails and devres cleans up the rdev after we already free'd it.  (cherry picked from commit 16c0681617b8a045773d4d87b6140002fa75b03b)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40213",
                        "url": "https://ubuntu.com/security/CVE-2025-40213",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete  There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array.  Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove.  Use DEFINE_FLEX to declare the flexible array right, and don't memcpy outside bounds.  As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free, and also report status on error.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-24 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40318",
                        "url": "https://ubuntu.com/security/CVE-2025-40318",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once  hci_cmd_sync_dequeue_once() does lookup and then cancel the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the same entry, leading to double list_del() and \"UAF\".  Fix this by holding cmd_sync_work_lock across both lookup and cancel, so that the entry cannot be removed concurrently.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68312",
                        "url": "https://ubuntu.com/security/CVE-2025-68312",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: Prevents free active kevent  The root cause of this issue are: 1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0); put the kevent work in global workqueue. However, the kevent has not yet been scheduled when the usbnet device is unregistered. Therefore, executing free_netdev() results in the \"free active object (kevent)\" error reported here.  2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(), if the usbnet device is up, ndo_stop() is executed to cancel the kevent. However, because the device is not up, ndo_stop() is not executed.  The solution to this problem is to cancel the kevent before executing free_netdev().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40344",
                        "url": "https://ubuntu.com/security/CVE-2025-40344",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Disable periods-elapsed work when closing PCM  avs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio stream while period-elapsed work services its IRQs. As the former frees the DAI's private context, these two operations shall be synchronized to avoid slab-use-after-free or worse errors.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68172",
                        "url": "https://ubuntu.com/security/CVE-2025-68172",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: aspeed - fix double free caused by devm  The clock obtained via devm_clk_get_enabled() is automatically managed by devres and will be disabled and freed on driver detach. Manually calling clk_disable_unprepare() in error path and remove function causes double free.  Remove the manual clock cleanup in both aspeed_acry_probe()'s error path and aspeed_acry_remove().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40319",
                        "url": "https://ubuntu.com/security/CVE-2025-40319",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Sync pending IRQ work before freeing ring buffer  Fix a race where irq_work can be queued in bpf_ringbuf_commit() but the ring buffer is freed before the work executes. In the syzbot reproducer, a BPF program attached to sched_switch triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer is freed before this work executes, the irq_work thread may access freed memory. Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work complete before freeing the buffer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68182",
                        "url": "https://ubuntu.com/security/CVE-2025-68182",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: iwlwifi: fix potential use after free in iwl_mld_remove_link()  This code frees \"link\" by calling kfree_rcu(link, rcu_head) and then it dereferences \"link\" to get the \"link->fw_id\".  Save the \"link->fw_id\" first to avoid a potential use after free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68314",
                        "url": "https://ubuntu.com/security/CVE-2025-68314",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm: make sure last_fence is always updated  Update last_fence in the vm-bind path instead of kernel managed path.  last_fence is used to wait for work to finish in vm_bind contexts but not used for kernel managed contexts.  This fixes a bug where last_fence is not waited on context close leading to faults as resources are freed while in use.  Patchwork: https://patchwork.freedesktop.org/patch/680080/",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68189",
                        "url": "https://ubuntu.com/security/CVE-2025-68189",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm: Fix GEM free for imported dma-bufs  Imported dma-bufs also have obj->resv != &obj->_resv.  So we should check both this condition in addition to flags for handling the _NO_SHARE case.  Fixes this splat that was reported with IRIS video playback:      ------------[ cut here ]------------     WARNING: CPU: 3 PID: 2040 at drivers/gpu/drm/msm/msm_gem.c:1127 msm_gem_free_object+0x1f8/0x264 [msm]     CPU: 3 UID: 1000 PID: 2040 Comm: .gnome-shell-wr Not tainted 6.17.0-rc7 #1 PREEMPT     pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)     pc : msm_gem_free_object+0x1f8/0x264 [msm]     lr : msm_gem_free_object+0x138/0x264 [msm]     sp : ffff800092a1bb30     x29: ffff800092a1bb80 x28: ffff800092a1bce8 x27: ffffbc702dbdbe08     x26: 0000000000000008 x25: 0000000000000009 x24: 00000000000000a6     x23: ffff00083c72f850 x22: ffff00083c72f868 x21: ffff00087e69f200     x20: ffff00087e69f330 x19: ffff00084d157ae0 x18: 0000000000000000     x17: 0000000000000000 x16: ffffbc704bd46b80 x15: 0000ffffd0959540     x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000     x11: ffffbc702e6cdb48 x10: 0000000000000000 x9 : 000000000000003f     x8 : ffff800092a1ba90 x7 : 0000000000000000 x6 : 0000000000000020     x5 : ffffbc704bd46c40 x4 : fffffdffe102cf60 x3 : 0000000000400032     x2 : 0000000000020000 x1 : ffff00087e6978e8 x0 : ffff00087e6977e8     Call trace:      msm_gem_free_object+0x1f8/0x264 [msm] (P)      drm_gem_object_free+0x1c/0x30 [drm]      drm_gem_object_handle_put_unlocked+0x138/0x150 [drm]      drm_gem_object_release_handle+0x5c/0xcc [drm]      drm_gem_handle_delete+0x68/0xbc [drm]      drm_gem_close_ioctl+0x34/0x40 [drm]      drm_ioctl_kernel+0xc0/0x130 [drm]      drm_ioctl+0x360/0x4e0 [drm]      __arm64_sys_ioctl+0xac/0x104      invoke_syscall+0x48/0x104      el0_svc_common.constprop.0+0x40/0xe0      do_el0_svc+0x1c/0x28      
el0_svc+0x34/0xec      el0t_64_sync_handler+0xa0/0xe4      el0t_64_sync+0x198/0x19c     ---[ end trace 0000000000000000 ]---     ------------[ cut here ]------------  Patchwork: https://patchwork.freedesktop.org/patch/676273/",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68171",
                        "url": "https://ubuntu.com/security/CVE-2025-68171",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/fpu: Ensure XFD state on signal delivery  Sean reported [1] the following splat when running KVM tests:     WARNING: CPU: 232 PID: 15391 at xfd_validate_state+0x65/0x70    Call Trace:     <TASK>     fpu__clear_user_states+0x9c/0x100     arch_do_signal_or_restart+0x142/0x210     exit_to_user_mode_loop+0x55/0x100     do_syscall_64+0x205/0x2c0     entry_SYSCALL_64_after_hwframe+0x4b/0x53  Chao further identified [2] a reproducible scenario involving signal delivery: a non-AMX task is preempted by an AMX-enabled task which modifies the XFD MSR.  When the non-AMX task resumes and reloads XSTATE with init values, a warning is triggered due to a mismatch between fpstate::xfd and the CPU's current XFD state. fpu__clear_user_states() does not currently re-synchronize the XFD state after such preemption.  Invoke xfd_update_state() which detects and corrects the mismatch if there is a dynamic feature.  This also benefits the sigreturn path, as fpu__restore_sig() may call fpu__clear_user_states() when the sigframe is inaccessible.  [ dhansen: minor changelog munging ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68313",
                        "url": "https://ubuntu.com/security/CVE-2025-68313",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Add RDSEED fix for Zen5  There's an issue with RDSEED's 16-bit and 32-bit register output variants on Zen5 which return a random value of 0 \"at a rate inconsistent with randomness while incorrectly signaling success (CF=1)\". Search the web for AMD-SB-7055 for more detail.  Add a fix glue which checks microcode revisions.    [ bp: Add microcode revisions checking, rewrite. ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40320",
                        "url": "https://ubuntu.com/security/CVE-2025-40320",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix potential cfid UAF in smb2_query_info_compound  When smb2_query_info_compound() retries, a previously allocated cfid may have been freed in the first attempt. Because cfid wasn't reset on replay, later cleanup could act on a stale pointer, leading to a potential use-after-free.  Reinitialize cfid to NULL under the replay label.  Example trace (trimmed):  refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110 [...] RIP: 0010:refcount_warn_saturate+0x9c/0x110 [...] Call Trace:  <TASK>  smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  ? step_into+0x10d/0x690  ? __legitimize_path+0x28/0x60  smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  ? kmem_cache_alloc+0x18a/0x340  ? getname_flags+0x46/0x1e0  cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  statfs_by_dentry+0x67/0x90  vfs_statfs+0x16/0xd0  user_statfs+0x54/0xa0  __do_sys_statfs+0x20/0x50  do_syscall_64+0x58/0x80",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40321",
                        "url": "https://ubuntu.com/security/CVE-2025-40321",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode  Currently, whenever there is a need to transmit an Action frame, the brcmfmac driver always uses the P2P vif to send the \"actframe\" IOVAR to firmware. The P2P interfaces were available when wpa_supplicant is managing the wlan interface.  However, the P2P interfaces are not created/initialized when only hostapd is managing the wlan interface. And if hostapd receives an ANQP Query REQ Action frame even from an un-associated STA, the brcmfmac driver tries to use an uninitialized P2P vif pointer for sending the IOVAR to firmware. This NULL pointer dereferencing triggers a driver crash.   [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual  address 0000000000000000  [...]  [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)  [...]  [ 1417.075653] Call trace:  [ 1417.075662]  brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]  [ 1417.075738]  brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]  [ 1417.075810]  cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211]  [ 1417.076067]  nl80211_tx_mgmt+0x238/0x388 [cfg80211]  [ 1417.076281]  genl_family_rcv_msg_doit+0xe0/0x158  [ 1417.076302]  genl_rcv_msg+0x220/0x2a0  [ 1417.076317]  netlink_rcv_skb+0x68/0x140  [ 1417.076330]  genl_rcv+0x40/0x60  [ 1417.076343]  netlink_unicast+0x330/0x3b8  [ 1417.076357]  netlink_sendmsg+0x19c/0x3f8  [ 1417.076370]  __sock_sendmsg+0x64/0xc0  [ 1417.076391]  ____sys_sendmsg+0x268/0x2a0  [ 1417.076408]  ___sys_sendmsg+0xb8/0x118  [ 1417.076427]  __sys_sendmsg+0x90/0xf8  [ 1417.076445]  __arm64_sys_sendmsg+0x2c/0x40  [ 1417.076465]  invoke_syscall+0x50/0x120  [ 1417.076486]  el0_svc_common.constprop.0+0x48/0xf0  [ 1417.076506]  do_el0_svc+0x24/0x38  [ 1417.076525]  el0_svc+0x30/0x100  [ 1417.076548]  el0t_64_sync_handler+0x100/0x130  [ 1417.076569]  el0t_64_sync+0x190/0x198  [ 
1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)  Fix this, by always using the vif corresponding to the wdev on which the Action frame Transmission request was initiated by the userspace. This way, even if P2P vif is not available, the IOVAR is sent to firmware on AP vif and the ANQP Query RESP Action frame is transmitted without crashing the driver.  Move init_completion() for \"send_af_done\" from brcmf_p2p_create_p2pdev() to brcmf_p2p_attach(). Because the former function would not get executed when only hostapd is managing wlan interface, and it is not safe to do reinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior init_completion().  And in the brcmf_p2p_tx_action_frame() function, the condition check for P2P Presence response frame is not needed, since the wpa_supplicant is properly sending the P2P Presence Response frame on the P2P-GO vif instead of the P2P-Device vif.  [Cc stable]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40322",
                        "url": "https://ubuntu.com/security/CVE-2025-40322",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: bitblit: bound-check glyph index in bit_putcs*  bit_putcs_aligned()/unaligned() derived the glyph pointer from the character value masked by 0xff/0x1ff, which may exceed the actual font's glyph count and read past the end of the built-in font array. Clamp the index to the actual glyph count before computing the address.  This fixes a global out-of-bounds read reported by syzbot.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40211",
                        "url": "https://ubuntu.com/security/CVE-2025-40211",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ACPI: video: Fix use-after-free in acpi_video_switch_brightness()  The switch_brightness_work delayed work accesses device->brightness and device->backlight, freed by acpi_video_dev_unregister_backlight() during device removal.  If the work executes after acpi_video_bus_unregister_backlight() frees these resources, it causes a use-after-free when acpi_video_switch_brightness() dereferences device->brightness or device->backlight.  Fix this by calling cancel_delayed_work_sync() for each device's switch_brightness_work in acpi_video_bus_remove_notify_handler() after removing the notify handler that queues the work. This ensures the work completes before the memory is freed.  [ rjw: Changelog edit ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-21 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40323",
                        "url": "https://ubuntu.com/security/CVE-2025-40323",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Set fb_display[i]->mode to NULL when the mode is released  Recently, we discovered the following issue through syzkaller:  BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0 Read of size 4 at addr ff11000001b3c69c by task syz.xxx ... Call Trace:  <TASK>  dump_stack_lvl+0xab/0xe0  print_address_description.constprop.0+0x2c/0x390  print_report+0xb9/0x280  kasan_report+0xb8/0xf0  fb_mode_is_equal+0x285/0x2f0  fbcon_mode_deleted+0x129/0x180  fb_set_var+0xe7f/0x11d0  do_fb_ioctl+0x6a0/0x750  fb_ioctl+0xe0/0x140  __x64_sys_ioctl+0x193/0x210  do_syscall_64+0x5f/0x9c0  entry_SYSCALL_64_after_hwframe+0x76/0x7e  Based on experimentation and analysis, during framebuffer unregistration, only the memory of fb_info->modelist is freed, without setting the corresponding fb_display[i]->mode to NULL for the freed modes. This leads to UAF issues during subsequent accesses. Here's an example of reproduction steps: 1. With /dev/fb0 already registered in the system, load a kernel module    to register a new device /dev/fb1; 2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP); 3. Switch console from fb to VGA (to allow normal rmmod of the ko); 4. Unload the kernel module, at this point fb1's modelist is freed, leaving    a wild pointer in fb_display[]; 5. Trigger the bug via system calls through fb0 attempting to delete a mode    from fb0.  Add a check in do_unregister_framebuffer(): if the mode to be freed exists in fb_display[], set the corresponding mode pointer to NULL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40210",
                        "url": "https://ubuntu.com/security/CVE-2025-40210",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\"  I've found that pynfs COMP6 now leaves the connection or lease in a strange state, which causes CLOSE9 to hang indefinitely. I've dug into it a little, but I haven't been able to root-cause it yet. However, I bisected to commit 48aab1606fa8 (\"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\").  Tianshuo Han also reports a potential vulnerability when decoding an NFSv4 COMPOUND. An attacker can place an arbitrarily large op count in the COMPOUND header, which results in:  [   51.410584] nfsd: vmalloc error: size 1209533382144, exceeds total pages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO), nodemask=(null),cpuset=/,mems_allowed=0  when NFSD attempts to allocate the COMPOUND op array.  Let's restore the operation-per-COMPOUND limit, but increased to 200 for now.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-21 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40324",
                        "url": "https://ubuntu.com/security/CVE-2025-40324",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Fix crash in nfsd4_read_release()  When tracing is enabled, the trace_nfsd_read_done trace point crashes during the pynfs read.testNoFh test.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40326",
                        "url": "https://ubuntu.com/security/CVE-2025-40326",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define actions for the new time_deleg FATTR4 attributes  NFSv4 clients won't send legitimate GETATTR requests for these new attributes because they are intended to be used only with CB_GETATTR and SETATTR. But NFSD has to do something besides crashing if it ever sees a GETATTR request that queries these attributes.  RFC 8881 Section 18.7.3 states:  > The server MUST return a value for each attribute that the client > requests if the attribute is supported by the server for the > target file system. If the server does not support a particular > attribute on the target file system, then it MUST NOT return the > attribute value and MUST NOT set the attribute bit in the result > bitmap. The server MUST return an error if it supports an > attribute on the target but cannot obtain its value. In that case, > no attribute values will be returned.  Further, RFC 9754 Section 5 states:  > These new attributes are invalid to be used with GETATTR, VERIFY, > and NVERIFY, and they can only be used with CB_GETATTR and SETATTR > by a client holding an appropriate delegation.  Thus there does not appear to be a specific server response mandated by specification. Taking the guidance that querying these attributes via GETATTR is \"invalid\", NFSD will return nfserr_inval, failing the request entirely.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40084",
                        "url": "https://ubuntu.com/security/CVE-2025-40084",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: transport_ipc: validate payload size before reading handle  handle_response() dereferences the payload as a 4-byte handle without verifying that the declared payload size is at least 4 bytes. A malformed or truncated message from ksmbd.mountd can lead to a 4-byte read past the declared payload size. Validate the size before dereferencing.  This is a minimal fix to guard the initial handle read.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40222",
                        "url": "https://ubuntu.com/security/CVE-2025-40222",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: serial: sh-sci: fix RSCI FIFO overrun handling  The receive error handling code is shared between RSCI and all other SCIF port types, but the RSCI overrun_reg is specified as a memory offset, while for other SCIF types it is an enum value used to index into the sci_port_params->regs array, as mentioned above the sci_serial_in() function.  For RSCI, the overrun_reg is CSR (0x48), causing the sci_getreg() call inside the sci_handle_fifo_overrun() function to index outside the bounds of the regs array, which currently has a size of 20, as specified by SCI_NR_REGS.  Because of this, we end up accessing memory outside of RSCI's rsci_port_params structure, which, when interpreted as a plat_sci_reg, happens to have a non-zero size, causing the following WARN when sci_serial_in() is called, as the accidental size does not match the supported register sizes.  The existence of the overrun_reg needs to be checked because SCIx_SH3_SCIF_REGTYPE has overrun_reg set to SCLSR, but SCLSR is not present in the regs array.  Avoid calling sci_getreg() for port types which don't use standard register handling.  Use the ops->read_reg() and ops->write_reg() functions to properly read and write registers for RSCI, and change the type of the status variable to accommodate the 32-bit CSR register.  sci_getreg() and sci_serial_in() are also called with overrun_reg in the sci_mpxed_interrupt() interrupt handler, but that code path is not used for RSCI, as it does not have a muxed interrupt.  
------------[ cut here ]------------ Invalid register access WARNING: CPU: 0 PID: 0 at drivers/tty/serial/sh-sci.c:522 sci_serial_in+0x38/0xac Modules linked in: renesas_usbhs at24 rzt2h_adc industrialio_adc sha256 cfg80211 bluetooth ecdh_generic ecc rfkill fuse drm backlight ipv6 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.17.0-rc1+ #30 PREEMPT Hardware name: Renesas RZ/T2H EVK Board based on r9a09g077m44 (DT) pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : sci_serial_in+0x38/0xac lr : sci_serial_in+0x38/0xac sp : ffff800080003e80 x29: ffff800080003e80 x28: ffff800082195b80 x27: 000000000000000d x26: ffff8000821956d0 x25: 0000000000000000 x24: ffff800082195b80 x23: ffff000180e0d800 x22: 0000000000000010 x21: 0000000000000000 x20: 0000000000000010 x19: ffff000180e72000 x18: 000000000000000a x17: ffff8002bcee7000 x16: ffff800080000000 x15: 0720072007200720 x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720 x11: 0000000000000058 x10: 0000000000000018 x9 : ffff8000821a6a48 x8 : 0000000000057fa8 x7 : 0000000000000406 x6 : ffff8000821fea48 x5 : ffff00033ef88408 x4 : ffff8002bcee7000 x3 : ffff800082195b80 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff800082195b80 Call trace:  sci_serial_in+0x38/0xac (P)  sci_handle_fifo_overrun.isra.0+0x70/0x134  sci_er_interrupt+0x50/0x39c  __handle_irq_event_percpu+0x48/0x140  handle_irq_event+0x44/0xb0  handle_fasteoi_irq+0xf4/0x1a0  handle_irq_desc+0x34/0x58  generic_handle_domain_irq+0x1c/0x28  gic_handle_irq+0x4c/0x140  call_on_irq_stack+0x30/0x48  do_interrupt_handler+0x80/0x84  el1_interrupt+0x34/0x68  el1h_64_irq_handler+0x18/0x24  el1h_64_irq+0x6c/0x70  default_idle_call+0x28/0x58 (P)  do_idle+0x1f8/0x250  cpu_startup_entry+0x34/0x3c  rest_init+0xd8/0xe0  console_on_rootfs+0x0/0x6c  __primary_switched+0x88/0x90 ---[ end trace 0000000000000000 ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40223",
                        "url": "https://ubuntu.com/security/CVE-2025-40223",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  most: usb: Fix use-after-free in hdm_disconnect  hdm_disconnect() calls most_deregister_interface(), which eventually unregisters the MOST interface device with device_unregister(iface->dev). If that drops the last reference, the device core may call release_mdev() immediately while hdm_disconnect() is still executing.  The old code also freed several mdev-owned allocations in hdm_disconnect() and then performed additional put_device() calls. Depending on refcount order, this could lead to use-after-free or double-free when release_mdev() ran (or when unregister paths also performed puts).  Fix by moving the frees of mdev-owned allocations into release_mdev(), so they happen exactly once when the device is truly released, and by dropping the extra put_device() calls in hdm_disconnect() that are redundant after device_unregister() and most_deregister_interface().  This addresses the KASAN slab-use-after-free reported by syzbot in hdm_disconnect(). See report and stack traces in the bug link below.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40106",
                        "url": "https://ubuntu.com/security/CVE-2025-40106",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  comedi: fix divide-by-zero in comedi_buf_munge()  The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path.  Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging.  This prevents potential kernel panics from malformed user commands.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-31 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40224",
                        "url": "https://ubuntu.com/security/CVE-2025-40224",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hwmon: (cgbc-hwmon) Add missing NULL check after devm_kzalloc()  The driver allocates memory for sensor data using devm_kzalloc(), but did not check if the allocation succeeded. In case of memory allocation failure, dereferencing the NULL pointer would lead to a kernel crash.  Add a NULL pointer check and return -ENOMEM to handle allocation failure properly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40225",
                        "url": "https://ubuntu.com/security/CVE-2025-40225",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/panthor: Fix kernel panic on partial unmap of a GPU VA region  This commit address a kernel panic issue that can happen if Userspace tries to partially unmap a GPU virtual region (aka drm_gpuva). The VM_BIND interface allows partial unmapping of a BO.  Panthor driver pre-allocates memory for the new drm_gpuva structures that would be needed for the map/unmap operation, done using drm_gpuvm layer. It expected that only one new drm_gpuva would be needed on umap but a partial unmap can require 2 new drm_gpuva and that's why it ended up doing a NULL pointer dereference causing a kernel panic.  Following dump was seen when partial unmap was exercised.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078  Mem abort info:    ESR = 0x0000000096000046    EC = 0x25: DABT (current EL), IL = 32 bits    SET = 0, FnV = 0    EA = 0, S1PTW = 0    FSC = 0x06: level 2 translation fault  Data abort info:    ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000    CM = 0, WnR = 1, TnD = 0, TagAccess = 0    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0  user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000  [000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000  Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP  <snip>  pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)  pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]  lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor]  sp : ffff800085d43970  x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000  x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000  x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180  x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010  x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c  x14: 312d3d7361203a70 x13: 303030323d6e656c x12: 
ffff80008324bf58  x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c  x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7  x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001  x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078  Call trace:   panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]   op_remap_cb.isra.22+0x50/0x80   __drm_gpuvm_sm_unmap+0x10c/0x1c8   drm_gpuvm_sm_unmap+0x40/0x60   panthor_vm_exec_op+0xb4/0x3d0 [panthor]   panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor]   panthor_ioctl_vm_bind+0x160/0x4a0 [panthor]   drm_ioctl_kernel+0xbc/0x138   drm_ioctl+0x240/0x500   __arm64_sys_ioctl+0xb0/0xf8   invoke_syscall+0x4c/0x110   el0_svc_common.constprop.1+0x98/0xf8   do_el0_svc+0x24/0x38   el0_svc+0x40/0xf8   el0t_64_sync_handler+0xa0/0xc8   el0t_64_sync+0x174/0x178",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40226",
                        "url": "https://ubuntu.com/security/CVE-2025-40226",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  firmware: arm_scmi: Account for failed debug initialization  When the SCMI debug subsystem fails to initialize, the related debug root will be missing, and the underlying descriptor will be NULL.  Handle this fault condition in the SCMI debug helpers that maintain metrics counters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40227",
                        "url": "https://ubuntu.com/security/CVE-2025-40227",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs: dealloc commit test ctx always  The damon_ctx for testing online DAMON parameters commit inputs is deallocated only when the test fails.  This means memory is leaked for every successful online DAMON parameters commit.  Fix the leak by always deallocating it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40228",
                        "url": "https://ubuntu.com/security/CVE-2025-40228",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs: catch commit test ctx alloc failure  Patch series \"mm/damon/sysfs: fix commit test damon_ctx [de]allocation\".  DAMON sysfs interface dynamically allocates and uses a damon_ctx object for testing if given inputs for online DAMON parameters update is valid. The object is being used without an allocation failure check, and leaked when the test succeeds.  Fix the two bugs.   This patch (of 2):  The damon_ctx for testing online DAMON parameters commit inputs is used without its allocation failure check.  This could result in an invalid memory access.  Fix it by directly returning an error when the allocation failed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40229",
                        "url": "https://ubuntu.com/security/CVE-2025-40229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/core: fix potential memory leak by cleaning ops_filter in damon_destroy_scheme  Currently, damon_destroy_scheme() only cleans up the filter list but leaves ops_filter untouched, which could lead to memory leaks when a scheme is destroyed.  This patch ensures both filter and ops_filter are properly freed in damon_destroy_scheme(), preventing potential memory leaks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40230",
                        "url": "https://ubuntu.com/security/CVE-2025-40230",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm: prevent poison consumption when splitting THP  When performing memory error injection on a THP (Transparent Huge Page) mapped to userspace on an x86 server, the kernel panics with the following trace.  The expected behavior is to terminate the affected process instead of panicking the kernel, as the x86 Machine Check code can recover from an in-userspace #MC.    mce: [Hardware Error]: CPU 0: Machine Check Exception: f Bank 3: bd80000000070134   mce: [Hardware Error]: RIP 10:<ffffffff8372f8bc> {memchr_inv+0x4c/0xf0}   mce: [Hardware Error]: TSC afff7bbff88a ADDR 1d301b000 MISC 80 PPIN 1e741e77539027db   mce: [Hardware Error]: PROCESSOR 0:d06d0 TIME 1758093249 SOCKET 0 APIC 0 microcode 80000320   mce: [Hardware Error]: Run the above through 'mcelog --ascii'   mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel   Kernel panic - not syncing: Fatal local machine check  The root cause of this panic is that handling a memory failure triggered by an in-userspace #MC necessitates splitting the THP.  The splitting process employs a mechanism, implemented in try_to_map_unused_to_zeropage(), which reads the pages in the THP to identify zero-filled pages.  However, reading the pages in the THP results in a second in-kernel #MC, occurring before the initial memory_failure() completes, ultimately leading to a kernel panic.  See the kernel panic call trace on the two #MCs.    
First Machine Check occurs // [1]     memory_failure()         // [2]       try_to_split_thp_page()         split_huge_page()           split_huge_page_to_list_to_order()             __folio_split()  // [3]               remap_page()                 remove_migration_ptes()                   remove_migration_pte()                     try_to_map_unused_to_zeropage()  // [4]                       memchr_inv()                   // [5]                         Second Machine Check occurs  // [6]                           Kernel panic  [1] Triggered by accessing a hardware-poisoned THP in userspace, which is     typically recoverable by terminating the affected process.  [2] Call folio_set_has_hwpoisoned() before try_to_split_thp_page().  [3] Pass the RMP_USE_SHARED_ZEROPAGE remap flag to remap_page().  [4] Try to map the unused THP to zeropage.  [5] Re-access pages in the hw-poisoned THP in the kernel.  [6] Triggered in-kernel, leading to a panic kernel.  In Step[2], memory_failure() sets the poisoned flag on the page in the THP by TestSetPageHWPoison() before calling try_to_split_thp_page().  As suggested by David Hildenbrand, fix this panic by not accessing to the poisoned page in the THP during zeropage identification, while continuing to scan unaffected pages in the THP for possible zeropage mapping.  This prevents a second in-kernel #MC that would cause kernel panic in Step[4].  Thanks to Andrew Zaborowski for his initial work on fixing this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40231",
                        "url": "https://ubuntu.com/security/CVE-2025-40231",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix lock inversion in vsock_assign_transport()  Syzbot reported a potential lock inversion deadlock between vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.  The issue was introduced by commit 687aa0c5581b (\"vsock: Fix transport_* TOCTOU\") which added vsock_register_mutex locking in vsock_assign_transport() around the transport->release() call, which can call vsock_linger(). vsock_assign_transport() can be called with sk_lock held. vsock_linger() calls sk_wait_event() that temporarily releases and re-acquires sk_lock. During this window, if another thread holds vsock_register_mutex while trying to acquire sk_lock, a circular dependency is created.  Fix this by releasing vsock_register_mutex before calling transport->release() and vsock_deassign_transport(). This is safe because we don't need to hold vsock_register_mutex while releasing the old transport, and we ensure the new transport won't disappear by obtaining a module reference first via try_module_get().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40233",
                        "url": "https://ubuntu.com/security/CVE-2025-40233",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ocfs2: clear extent cache after moving/defragmenting extents  The extent map cache can become stale when extents are moved or defragmented, causing subsequent operations to see outdated extent flags. This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().  The problem occurs when: 1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED 2. ioctl(FITRIM) triggers ocfs2_move_extents() 3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2) 4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent()    which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0) 5. The extent map cache is not invalidated after the move 6. Later write() operations read stale cached flags (0x2) but disk has    updated flags (0x0), causing a mismatch 7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers  Fix by clearing the extent map cache after each extent move/defrag operation in __ocfs2_move_extents_range().  This ensures subsequent operations read fresh extent data from disk.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40235",
                        "url": "https://ubuntu.com/security/CVE-2025-40235",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots()  If fs_info->super_copy or fs_info->super_for_commit allocated failed in btrfs_get_tree_subvol(), then no need to call btrfs_free_fs_info(). Otherwise btrfs_check_leaked_roots() would access NULL pointer because fs_info->allocated_roots had not been initialised.  syzkaller reported the following information:   ------------[ cut here ]------------   BUG: unable to handle page fault for address: fffffffffffffbb0   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   PGD 64c9067 P4D 64c9067 PUD 64cb067 PMD 0   Oops: Oops: 0000 [#1] SMP KASAN PTI   CPU: 0 UID: 0 PID: 1402 Comm: syz.1.35 Not tainted 6.15.8 #4 PREEMPT(lazy)   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...)   RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]   RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]   RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]   RIP: 0010:refcount_read include/linux/refcount.h:170 [inline]   RIP: 0010:btrfs_check_leaked_roots+0x18f/0x2c0 fs/btrfs/disk-io.c:1230   [...]   
Call Trace:    <TASK>    btrfs_free_fs_info+0x310/0x410 fs/btrfs/disk-io.c:1280    btrfs_get_tree_subvol+0x592/0x6b0 fs/btrfs/super.c:2029    btrfs_get_tree+0x63/0x80 fs/btrfs/super.c:2097    vfs_get_tree+0x98/0x320 fs/super.c:1759    do_new_mount+0x357/0x660 fs/namespace.c:3899    path_mount+0x716/0x19c0 fs/namespace.c:4226    do_mount fs/namespace.c:4239 [inline]    __do_sys_mount fs/namespace.c:4450 [inline]    __se_sys_mount fs/namespace.c:4427 [inline]    __x64_sys_mount+0x28c/0x310 fs/namespace.c:4427    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0x92/0x180 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x76/0x7e   RIP: 0033:0x7f032eaffa8d   [...]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40236",
                        "url": "https://ubuntu.com/security/CVE-2025-40236",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: zero unused hash fields  When GSO tunnel is negotiated virtio_net_hdr_tnl_from_skb() tries to initialize the tunnel metadata but forgets to zero unused rxhash fields. This may leak information to the other side. Fix this by zeroing the unused hash fields.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40237",
                        "url": "https://ubuntu.com/security/CVE-2025-40237",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/notify: call exportfs_encode_fid with s_umount  Calling intotify_show_fdinfo() on fd watching an overlayfs inode, while the overlayfs is being unmounted, can lead to dereferencing NULL ptr.  This issue was found by syzkaller.  Race Condition Diagram:  Thread 1                           Thread 2 --------                           --------  generic_shutdown_super()  shrink_dcache_for_umount   sb->s_root = NULL                      |                     |             vfs_read()                     |              inotify_fdinfo()                     |               * inode get from mark *                     |               show_mark_fhandle(m, inode)                     |                exportfs_encode_fid(inode, ..)                     |                 ovl_encode_fh(inode, ..)                     |                  ovl_check_encode_origin(inode)                     |                   * deref i_sb->s_root *                     |                     |                     v  fsnotify_sb_delete(sb)  Which then leads to:  [   32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [   32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [   32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none)  <snip registers, unreliable trace>  [   32.143353] Call Trace: [   32.143732]  ovl_encode_fh+0xd5/0x170 [   32.144031]  exportfs_encode_inode_fh+0x12f/0x300 [   32.144425]  show_mark_fhandle+0xbe/0x1f0 [   32.145805]  inotify_fdinfo+0x226/0x2d0 [   32.146442]  inotify_show_fdinfo+0x1c5/0x350 [   32.147168]  seq_show+0x530/0x6f0 [   32.147449]  seq_read_iter+0x503/0x12a0 [   32.148419]  seq_read+0x31f/0x410 [   32.150714]  vfs_read+0x1f0/0x9e0 [   32.152297]  ksys_read+0x125/0x240  IOW ovl_check_encode_origin 
derefs inode->i_sb->s_root, after it was set to NULL in the unmount path.  Fix it by protecting calling exportfs_encode_fid() from show_mark_fhandle() with s_umount lock.  This form of fix was suggested by Amir in [1].  [1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40238",
                        "url": "https://ubuntu.com/security/CVE-2025-40238",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5: Fix IPsec cleanup over MPV device  When we do mlx5e_detach_netdev() we eventually disable blocking events notifier, among those events are IPsec MPV events from IB to core.  So before disabling those blocking events, make sure to also unregister the devcom device and mark all this device operations as complete, in order to prevent the other device from using invalid netdev during future devcom events which could cause the trace below.  BUG: kernel NULL pointer dereference, address: 0000000000000010 PGD 146427067 P4D 146427067 PUD 146488067 PMD 0 Oops: Oops: 0000 [#1] SMP CPU: 1 UID: 0 PID: 7735 Comm: devlink Tainted: GW 6.12.0-rc6_for_upstream_min_debug_2024_11_08_00_46 #1 Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core] Code: 00 01 48 83 05 23 32 1e 00 01 41 b8 ed ff ff ff e9 60 ff ff ff 48 83 05 00 32 1e 00 01 eb e3 66 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 47 10 48 83 05 5f 32 1e 00 01 48 8b 50 40 48 85 d2 74 05 40 RSP: 0018:ffff88811a5c35f8 EFLAGS: 00010206 RAX: ffff888106e8ab80 RBX: ffff888107d7e200 RCX: ffff88810d6f0a00 RDX: ffff88810d6f0a00 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff88811a17e620 R08: 0000000000000040 R09: 0000000000000000 R10: ffff88811a5c3618 R11: 0000000de85d51bd R12: ffff88811a17e600 R13: ffff88810d6f0a00 R14: 0000000000000000 R15: ffff8881034bda80 FS:  00007f27bdf89180(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000010f159005 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  <TASK>  ? __die+0x20/0x60  ? page_fault_oops+0x150/0x3e0  ? exc_page_fault+0x74/0x130  ? 
asm_exc_page_fault+0x22/0x30  ? mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core]  mlx5e_devcom_event_mpv+0x42/0x60 [mlx5_core]  mlx5_devcom_send_event+0x8c/0x170 [mlx5_core]  blocking_event+0x17b/0x230 [mlx5_core]  notifier_call_chain+0x35/0xa0  blocking_notifier_call_chain+0x3d/0x60  mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]  mlx5_core_mp_event_replay+0x12/0x20 [mlx5_core]  mlx5_ib_bind_slave_port+0x228/0x2c0 [mlx5_ib]  mlx5_ib_stage_init_init+0x664/0x9d0 [mlx5_ib]  ? idr_alloc_cyclic+0x50/0xb0  ? __kmalloc_cache_noprof+0x167/0x340  ? __kmalloc_noprof+0x1a7/0x430  __mlx5_ib_add+0x34/0xd0 [mlx5_ib]  mlx5r_probe+0xe9/0x310 [mlx5_ib]  ? kernfs_add_one+0x107/0x150  ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib]  auxiliary_bus_probe+0x3e/0x90  really_probe+0xc5/0x3a0  ? driver_probe_device+0x90/0x90  __driver_probe_device+0x80/0x160  driver_probe_device+0x1e/0x90  __device_attach_driver+0x7d/0x100  bus_for_each_drv+0x80/0xd0  __device_attach+0xbc/0x1f0  bus_probe_device+0x86/0xa0  device_add+0x62d/0x830  __auxiliary_device_add+0x3b/0xa0  ? auxiliary_device_init+0x41/0x90  add_adev+0xd1/0x150 [mlx5_core]  mlx5_rescan_drivers_locked+0x21c/0x300 [mlx5_core]  esw_mode_change+0x6c/0xc0 [mlx5_core]  mlx5_devlink_eswitch_mode_set+0x21e/0x640 [mlx5_core]  devlink_nl_eswitch_set_doit+0x60/0xe0  genl_family_rcv_msg_doit+0xd0/0x120  genl_rcv_msg+0x180/0x2b0  ? devlink_get_from_attrs_lock+0x170/0x170  ? devlink_nl_eswitch_get_doit+0x290/0x290  ? devlink_nl_pre_doit_port_optional+0x50/0x50  ? genl_family_rcv_msg_dumpit+0xf0/0xf0  netlink_rcv_skb+0x54/0x100  genl_rcv+0x24/0x40  netlink_unicast+0x1fc/0x2d0  netlink_sendmsg+0x1e4/0x410  __sock_sendmsg+0x38/0x60  ? sockfd_lookup_light+0x12/0x60  __sys_sendto+0x105/0x160  ? 
__sys_recvmsg+0x4e/0x90  __x64_sys_sendto+0x20/0x30  do_syscall_64+0x4c/0x100  entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f27bc91b13a Code: bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 fa 96 2c 00 45 89 c9 4c 63 d1 48 63 ff 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40239",
                        "url": "https://ubuntu.com/security/CVE-2025-40239",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: phy: micrel: always set shared->phydev for LAN8814  Currently, during the LAN8814 PTP probe shared->phydev is only set if PTP clock gets actually set, otherwise the function will return before setting it.  This is an issue as shared->phydev is unconditionally being used when IRQ is being handled, especially in lan8814_gpio_process_cap and since it was not set it will cause a NULL pointer exception and crash the kernel.  So, simply always set shared->phydev to avoid the NULL pointer exception.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40240",
                        "url": "https://ubuntu.com/security/CVE-2025-40240",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: avoid NULL dereference when chunk data buffer is missing  chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only.  chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40241",
                        "url": "https://ubuntu.com/security/CVE-2025-40241",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: fix crafted invalid cases for encoded extents  Robert recently reported two corrupted images that can cause system crashes, which are related to the new encoded extents introduced in Linux 6.15:    - The first one [1] has plen != 0 (e.g. plen == 0x2000000) but     (plen & Z_EROFS_EXTENT_PLEN_MASK) == 0. It is used to represent     special extents such as sparse extents (!EROFS_MAP_MAPPED), but     previously only plen == 0 was handled;    - The second one [2] has pa 0xffffffffffdcffed and plen 0xb4000,     then \"cur [0xfffffffffffff000] += bvec.bv_len [0x1000]\" in     \"} while ((cur += bvec.bv_len) < end);\" wraps around, causing an     out-of-bound access of pcl->compressed_bvecs[] in     z_erofs_submit_queue().  EROFS only supports 48-bit physical block     addresses (up to 1EiB for 4k blocks), so add a sanity check to     enforce this.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40242",
                        "url": "https://ubuntu.com/security/CVE-2025-40242",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gfs2: Fix unlikely race in gdlm_put_lock  In gdlm_put_lock(), there is a small window of time in which the DFL_UNMOUNT flag has been set but the lockspace hasn't been released yet.  In that window, dlm may still call gdlm_ast() and gdlm_bast(). To prevent it from dereferencing freed glock objects, only free the glock if the lockspace has actually been released.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40243",
                        "url": "https://ubuntu.com/security/CVE-2025-40243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()  The syzbot reported issue in hfs_find_set_zero_bits():  ===================================================== BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45  hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45  hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151  hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408  hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353  __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151  block_write_begin fs/buffer.c:2262 [inline]  cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601  hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52  cont_expand_zero fs/buffer.c:2528 [inline]  cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591  hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52  hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494  hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654  notify_change+0x1993/0x1aa0 fs/attr.c:552  do_truncate+0x28f/0x310 fs/open.c:68  do_ftruncate+0x698/0x730 fs/open.c:195  do_sys_ftruncate fs/open.c:210 [inline]  __do_sys_ftruncate fs/open.c:215 [inline]  __se_sys_ftruncate fs/open.c:213 [inline]  __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213  x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Uninit was created at:  slab_post_alloc_hook mm/slub.c:4154 [inline]  slab_alloc_node mm/slub.c:4197 [inline]  __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354  kmalloc_noprof include/linux/slab.h:905 [inline]  hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175  hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337  get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681  get_tree_bdev+0x38/0x50 fs/super.c:1704  hfs_get_tree+0x35/0x40 fs/hfs/super.c:388  vfs_get_tree+0xb0/0x5c0 
fs/super.c:1804  do_new_mount+0x738/0x1610 fs/namespace.c:3902  path_mount+0x6db/0x1e90 fs/namespace.c:4226  do_mount fs/namespace.c:4239 [inline]  __do_sys_mount fs/namespace.c:4450 [inline]  __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427  __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427  x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 =====================================================  The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get():  HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);  Finally, it can trigger the reported issue because kmalloc() doesn't clear the allocated memory. If allocated memory contains only zeros, then everything will work pretty fine. But if the allocated memory contains the \"garbage\", then it can affect the bitmap operations and it triggers the reported issue.  This patch simply exchanges the kmalloc() on kzalloc() with the goal to guarantee the correctness of bitmap operations. Because, newly created allocation bitmap should have all available blocks free. Potentially, initialization bitmap's read operation could not fill the whole allocated memory and \"garbage\" in the not initialized memory will be the reason of volume coruptions and file system driver bugs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40244",
                        "url": "https://ubuntu.com/security/CVE-2025-40244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()  The syzbot reported issue in __hfsplus_ext_cache_extent():  [   70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.195022][ T9350]  __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.195530][ T9350]  hfsplus_file_extend+0x74f/0x1cf0 [   70.195998][ T9350]  hfsplus_get_block+0xe16/0x17b0 [   70.196458][ T9350]  __block_write_begin_int+0x962/0x2ce0 [   70.196959][ T9350]  cont_write_begin+0x1000/0x1950 [   70.197416][ T9350]  hfsplus_write_begin+0x85/0x130 [   70.197873][ T9350]  generic_perform_write+0x3e8/0x1060 [   70.198374][ T9350]  __generic_file_write_iter+0x215/0x460 [   70.198892][ T9350]  generic_file_write_iter+0x109/0x5e0 [   70.199393][ T9350]  vfs_write+0xb0f/0x14e0 [   70.199771][ T9350]  ksys_write+0x23e/0x490 [   70.200149][ T9350]  __x64_sys_write+0x97/0xf0 [   70.200570][ T9350]  x64_sys_call+0x3015/0x3cf0 [   70.201065][ T9350]  do_syscall_64+0xd9/0x1d0 [   70.201506][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [   70.202054][ T9350] [   70.202279][ T9350] Uninit was created at: [   70.202693][ T9350]  __kmalloc_noprof+0x621/0xf80 [   70.203149][ T9350]  hfsplus_find_init+0x8d/0x1d0 [   70.203602][ T9350]  hfsplus_file_extend+0x6ca/0x1cf0 [   70.204087][ T9350]  hfsplus_get_block+0xe16/0x17b0 [   70.204561][ T9350]  __block_write_begin_int+0x962/0x2ce0 [   70.205074][ T9350]  cont_write_begin+0x1000/0x1950 [   70.205547][ T9350]  hfsplus_write_begin+0x85/0x130 [   70.206017][ T9350]  generic_perform_write+0x3e8/0x1060 [   70.206519][ T9350]  __generic_file_write_iter+0x215/0x460 [   70.207042][ T9350]  generic_file_write_iter+0x109/0x5e0 [   70.207552][ T9350]  vfs_write+0xb0f/0x14e0 [   70.207961][ T9350]  ksys_write+0x23e/0x490 [   70.208375][ T9350]  __x64_sys_write+0x97/0xf0 [   70.208810][ T9350]  
x64_sys_call+0x3015/0x3cf0 [   70.209255][ T9350]  do_syscall_64+0xd9/0x1d0 [   70.209680][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [   70.210230][ T9350] [   70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5 [   70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [   70.212115][ T9350] ===================================================== [   70.212734][ T9350] Disabling lock debugging due to kernel taint [   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ... [   70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G    B             6.12.0-rc5 #5 [   70.214679][ T9350] Tainted: [B]=BAD_PAGE [   70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [   70.215999][ T9350] Call Trace: [   70.216309][ T9350]  <TASK> [   70.216585][ T9350]  dump_stack_lvl+0x1fd/0x2b0 [   70.217025][ T9350]  dump_stack+0x1e/0x30 [   70.217421][ T9350]  panic+0x502/0xca0 [   70.217803][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0  [   70.218294][ Message fromT sy9350]  kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...  kernel :[   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [  70.220179][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0 set ... [   70.221254][ T9350]  ? __msan_warning+0x96/0x120 [   70.222066][ T9350]  ? __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.223023][ T9350]  ? hfsplus_file_extend+0x74f/0x1cf0 [   70.224120][ T9350]  ? hfsplus_get_block+0xe16/0x17b0 [   70.224946][ T9350]  ? __block_write_begin_int+0x962/0x2ce0 [   70.225756][ T9350]  ? cont_write_begin+0x1000/0x1950 [   70.226337][ T9350]  ? hfsplus_write_begin+0x85/0x130 [   70.226852][ T9350]  ? generic_perform_write+0x3e8/0x1060 [   70.227405][ T9350]  ? __generic_file_write_iter+0x215/0x460 [   70.227979][ T9350]  ? generic_file_write_iter+0x109/0x5e0 [   70.228540][ T9350]  ? 
vfs_write+0xb0f/0x14e0 [   70.228997][ T9350]  ? ksys_write+0x23e/0x490 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40245",
                        "url": "https://ubuntu.com/security/CVE-2025-40245",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nios2: ensure that memblock.current_limit is set when setting pfn limits  On nios2, with CONFIG_FLATMEM set, the kernel relies on memblock_get_current_limit() to determine the limits of mem_map, in particular for max_low_pfn. Unfortunately, memblock.current_limit is only default initialized to MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading to situations where max_low_pfn can erroneously exceed the value of max_pfn and, thus, the valid range of available DRAM.  This can in turn cause kernel-level paging failures, e.g.:  [   76.900000] Unable to handle kernel paging request at virtual address 20303000 [   76.900000] ea = c0080890, ra = c000462c, cause = 14 [   76.900000] Kernel panic - not syncing: Oops [   76.900000] ---[ end Kernel panic - not syncing: Oops ]---  This patch fixes this by pre-calculating memblock.current_limit based on the upper limits of the available memory ranges via adjust_lowmem_bounds, a simplified version of the equivalent implementation within the arm architecture.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40086",
                        "url": "https://ubuntu.com/security/CVE-2025-40086",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Don't allow evicting of BOs in same VM in array of VM binds  An array of VM binds can potentially evict other buffer objects (BOs) within the same VM under certain conditions, which may lead to NULL pointer dereferences later in the bind pipeline. To prevent this, clear the allow_res_evict flag in the xe_bo_validate call.  v2:  - Invert polarity of no_res_evict (Thomas)  - Add comment in code explaining issue (Thomas)  (cherry picked from commit 8b9ba8d6d95fe75fed6b0480bb03da4b321bea08)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40087",
                        "url": "https://ubuntu.com/security/CVE-2025-40087",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define a proc_layoutcommit for the FlexFiles layout type  Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40088",
                        "url": "https://ubuntu.com/security/CVE-2025-40088",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()  The hfsplus_strcasecmp() logic can trigger the issue:  [  117.317703][ T9855] ================================================================== [  117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490 [  117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855 [  117.319577][ T9855] [  117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full) [  117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [  117.319783][ T9855] Call Trace: [  117.319785][ T9855]  <TASK> [  117.319788][ T9855]  dump_stack_lvl+0x1c1/0x2a0 [  117.319795][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319803][ T9855]  ? __pfx_dump_stack_lvl+0x10/0x10 [  117.319808][ T9855]  ? rcu_is_watching+0x15/0xb0 [  117.319816][ T9855]  ? lock_release+0x4b/0x3e0 [  117.319821][ T9855]  ? __kasan_check_byte+0x12/0x40 [  117.319828][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319835][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319842][ T9855]  print_report+0x17e/0x7e0 [  117.319848][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319855][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319862][ T9855]  ? __phys_addr+0xd3/0x180 [  117.319869][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319876][ T9855]  kasan_report+0x147/0x180 [  117.319882][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319891][ T9855]  hfsplus_strcasecmp+0x1bc/0x490 [  117.319900][ T9855]  ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10 [  117.319906][ T9855]  hfs_find_rec_by_key+0xa9/0x1e0 [  117.319913][ T9855]  __hfsplus_brec_find+0x18e/0x470 [  117.319920][ T9855]  ? __pfx_hfsplus_bnode_find+0x10/0x10 [  117.319926][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319933][ T9855]  ? 
__pfx___hfsplus_brec_find+0x10/0x10 [  117.319942][ T9855]  hfsplus_brec_find+0x28f/0x510 [  117.319949][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319956][ T9855]  ? __pfx_hfsplus_brec_find+0x10/0x10 [  117.319963][ T9855]  ? __kmalloc_noprof+0x2a9/0x510 [  117.319969][ T9855]  ? hfsplus_find_init+0x8c/0x1d0 [  117.319976][ T9855]  hfsplus_brec_read+0x2b/0x120 [  117.319983][ T9855]  hfsplus_lookup+0x2aa/0x890 [  117.319990][ T9855]  ? __pfx_hfsplus_lookup+0x10/0x10 [  117.320003][ T9855]  ? d_alloc_parallel+0x2f0/0x15e0 [  117.320008][ T9855]  ? __lock_acquire+0xaec/0xd80 [  117.320013][ T9855]  ? __pfx_d_alloc_parallel+0x10/0x10 [  117.320019][ T9855]  ? __raw_spin_lock_init+0x45/0x100 [  117.320026][ T9855]  ? __init_waitqueue_head+0xa9/0x150 [  117.320034][ T9855]  __lookup_slow+0x297/0x3d0 [  117.320039][ T9855]  ? __pfx___lookup_slow+0x10/0x10 [  117.320045][ T9855]  ? down_read+0x1ad/0x2e0 [  117.320055][ T9855]  lookup_slow+0x53/0x70 [  117.320065][ T9855]  walk_component+0x2f0/0x430 [  117.320073][ T9855]  path_lookupat+0x169/0x440 [  117.320081][ T9855]  filename_lookup+0x212/0x590 [  117.320089][ T9855]  ? __pfx_filename_lookup+0x10/0x10 [  117.320098][ T9855]  ? strncpy_from_user+0x150/0x290 [  117.320105][ T9855]  ? getname_flags+0x1e5/0x540 [  117.320112][ T9855]  user_path_at+0x3a/0x60 [  117.320117][ T9855]  __x64_sys_umount+0xee/0x160 [  117.320123][ T9855]  ? __pfx___x64_sys_umount+0x10/0x10 [  117.320129][ T9855]  ? do_syscall_64+0xb7/0x3a0 [  117.320135][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320141][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320145][ T9855]  do_syscall_64+0xf3/0x3a0 [  117.320150][ T9855]  ? 
exc_page_fault+0x9f/0xf0 [  117.320154][ T9855]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320158][ T9855] RIP: 0033:0x7f7dd7908b07 [  117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08 [  117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40162",
                        "url": "https://ubuntu.com/security/CVE-2025-40162",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails  devm_kasprintf() may return NULL on memory allocation failure, but the debug message prints cpus->dai_name before checking it. Move the dev_dbg() call after the NULL check to prevent potential NULL pointer dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40085",
                        "url": "https://ubuntu.com/security/CVE-2025-40085",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card  In try_to_register_card(), the return value of usb_ifnum_to_if() is passed directly to usb_interface_claimed() without a NULL check, which will lead to a NULL pointer dereference when creating an invalid USB audio device. Fix this by adding a check to ensure the interface pointer is valid before passing it to usb_interface_claimed().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40172",
                        "url": "https://ubuntu.com/security/CVE-2025-40172",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()  Currently, if find_and_map_user_pages() takes a DMA xfer request from the user with a length field set to 0, or in a rare case, the host receives QAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size is equal to the requested transaction size, the function will return 0 before allocating an sgt or setting the fields of the dma_xfer struct. In that case, encode_addr_size_pairs() will try to access the sgt which will lead to a general protection fault.  Return an EINVAL in case the user provides a zero-sized ALP, or the device requests continuation after all of the bytes have been transferred.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40177",
                        "url": "https://ubuntu.com/security/CVE-2025-40177",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/qaic: Fix bootlog initialization ordering  As soon as we queue MHI buffers to receive the bootlog from the device, we could be receiving data. Therefore all the resources needed to process that data need to be setup prior to queuing the buffers.  We currently initialize some of the resources after queuing the buffers which creates a race between the probe() and any data that comes back from the device. If the uninitialized resources are accessed, we could see page faults.  Fix the init ordering to close the race.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40163",
                        "url": "https://ubuntu.com/security/CVE-2025-40163",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched/deadline: Stop dl_server before CPU goes offline  IBM CI tool reported kernel warning[1] when running a CPU removal operation through drmgr[2]. i.e \"drmgr -c cpu -r -q 1\"  WARNING: CPU: 0 PID: 0 at kernel/sched/cpudeadline.c:219 cpudl_set+0x58/0x170 NIP [c0000000002b6ed8] cpudl_set+0x58/0x170 LR [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 Call Trace: [c000000002c2f8c0] init_stack+0x78c0/0x8000 (unreliable) [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 [c00000000034df84] __hrtimer_run_queues+0x1a4/0x390 [c00000000034f624] hrtimer_interrupt+0x124/0x300 [c00000000002a230] timer_interrupt+0x140/0x320  Git bisects to: commit 4ae8d9aa9f9d (\"sched/deadline: Fix dl_server getting stuck\")  This happens since: - dl_server hrtimer gets enqueued close to cpu offline, when   kthread_park enqueues a fair task. - CPU goes offline and drmgr removes it from cpu_present_mask. - hrtimer fires and warning is hit.  Fix it by stopping the dl_server before CPU is marked dead.  [1]: https://lore.kernel.org/all/8218e149-7718-4432-9312-f97297c352b9@linux.ibm.com/ [2]: https://github.com/ibm-power-utilities/powerpc-utils/tree/next/src/drmgr  [sshegde: wrote the changelog and tested it]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40174",
                        "url": "https://ubuntu.com/security/CVE-2025-40174",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/mm: Fix SMP ordering in switch_mm_irqs_off()  Stephen noted that it is possible to not have an smp_mb() between the loaded_mm store and the tlb_gen load in switch_mm(), meaning the ordering against flush_tlb_mm_range() goes out the window, and it becomes possible for switch_mm() to not observe a recent tlb_gen update and fail to flush the TLBs.  [ dhansen: merge conflict fixed by Ingo ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40089",
                        "url": "https://ubuntu.com/security/CVE-2025-40089",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cxl/features: Add check for no entries in cxl_feature_info  cxl EDAC calls cxl_feature_info() to get the feature information and if the hardware has no Features support, cxlfs may be passed in as NULL.  [   51.957498] BUG: kernel NULL pointer dereference, address: 0000000000000008 [   51.965571] #PF: supervisor read access in kernel mode [   51.971559] #PF: error_code(0x0000) - not-present page [   51.977542] PGD 17e4f6067 P4D 0 [   51.981384] Oops: Oops: 0000 [#1] SMP NOPTI [   51.986300] CPU: 49 UID: 0 PID: 3782 Comm: systemd-udevd Not tainted 6.17.0dj test+ #64 PREEMPT(voluntary) [   51.997355] Hardware name: <removed> [   52.009790] RIP: 0010:cxl_feature_info+0xa/0x80 [cxl_core]  Add a check for cxlfs before dereferencing it and return -EOPNOTSUPP if there is no cxlfs created due to no hardware support.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40176",
                        "url": "https://ubuntu.com/security/CVE-2025-40176",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tls: wait for pending async decryptions if tls_strp_msg_hold fails  Async decryption calls tls_strp_msg_hold to create a clone of the input skb to hold references to the memory it uses. If we fail to allocate that clone, proceeding with async decryption can lead to various issues (UAF on the skb, writing into userspace memory after the recv() call has returned).  In this case, wait for all pending decryption requests.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40164",
                        "url": "https://ubuntu.com/security/CVE-2025-40164",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: Fix using smp_processor_id() in preemptible code warnings  Syzbot reported the following warning:  BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879 caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary) Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120  check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49  usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331  usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708  usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417  __dev_set_mtu net/core/dev.c:9443 [inline]  netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496  netif_set_mtu+0xb0/0x160 net/core/dev.c:9520  dev_set_mtu+0xae/0x170 net/core/dev_api.c:247  dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572  dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821  sock_do_ioctl+0x19d/0x280 net/socket.c:1204  sock_ioctl+0x42f/0x6a0 net/socket.c:1311  vfs_ioctl fs/ioctl.c:51 [inline]  __do_sys_ioctl fs/ioctl.c:906 [inline]  __se_sys_ioctl fs/ioctl.c:892 [inline]  __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  For historical and portability reasons, the netif_rx() is usually run in the softirq or interrupt context, this commit therefore add local_bh_disable/enable() protection in the usbnet_resume_rx().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40091",
                        "url": "https://ubuntu.com/security/CVE-2025-40091",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ixgbe: fix too early devlink_free() in ixgbe_remove()  Since ixgbe_adapter is embedded in devlink, calling devlink_free() prematurely in the ixgbe_remove() path can lead to UAF. Move devlink_free() to the end.  KASAN report:   BUG: KASAN: use-after-free in ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]  Read of size 8 at addr ffff0000adf813e0 by task bash/2095  CPU: 1 UID: 0 PID: 2095 Comm: bash Tainted: G S 6.17.0-rc2-tnguy.net-queue+ #1 PREEMPT(full)  [...]  Call trace:   show_stack+0x30/0x90 (C)   dump_stack_lvl+0x9c/0xd0   print_address_description.constprop.0+0x90/0x310   print_report+0x104/0x1f0   kasan_report+0x88/0x180   __asan_report_load8_noabort+0x20/0x30   ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]   ixgbe_clear_interrupt_scheme+0xf8/0x130 [ixgbe]   ixgbe_remove+0x2d0/0x8c0 [ixgbe]   pci_device_remove+0xa0/0x220   device_remove+0xb8/0x170   device_release_driver_internal+0x318/0x490   device_driver_detach+0x40/0x68   unbind_store+0xec/0x118   drv_attr_store+0x64/0xb8   sysfs_kf_write+0xcc/0x138   kernfs_fop_write_iter+0x294/0x440   new_sync_write+0x1fc/0x588   vfs_write+0x480/0x6a0   ksys_write+0xf0/0x1e0   __arm64_sys_write+0x70/0xc0   invoke_syscall.constprop.0+0xcc/0x280   el0_svc_common.constprop.0+0xa8/0x248   do_el0_svc+0x44/0x68   el0_svc+0x54/0x160   el0t_64_sync_handler+0xa0/0xe8   el0t_64_sync+0x1b0/0x1b8",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40175",
                        "url": "https://ubuntu.com/security/CVE-2025-40175",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  idpf: cleanup remaining SKBs in PTP flows  When the driver requests Tx timestamp value, one of the first steps is to clone SKB using skb_get. It increases the reference counter for that SKB to prevent unexpected freeing by another component. However, there may be a case where the index is requested, SKB is assigned and never consumed by PTP flows - for example due to reset during running PTP apps.  Add a check in release timestamping function to verify if the SKB assigned to Tx timestamp latch was freed, and release remaining SKBs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40173",
                        "url": "https://ubuntu.com/security/CVE-2025-40173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ip6_tunnel: Prevent perpetual tunnel growth  Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd (\"net: ip_tunnel: prevent perpetual headroom growth\"), ipv6 tunnel yet increases the headroom without any ceiling.  Reflect ipv4 tunnel headroom adjustment limit on ipv6 version.  Credits to Francesco Ruggeri, who was originally debugging this issue and wrote local Arista-specific patch and a reproducer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40092",
                        "url": "https://ubuntu.com/security/CVE-2025-40092",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ncm: Refactor bind path to use __free()  After an bind/unbind cycle, the ncm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  ncm_bind+0x39c/0x3dc  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40093",
                        "url": "https://ubuntu.com/security/CVE-2025-40093",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ecm: Refactor bind path to use __free()  After an bind/unbind cycle, the ecm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40094",
                        "url": "https://ubuntu.com/security/CVE-2025-40094",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_acm: Refactor bind path to use __free()  After an bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  gs_free_req+0x30/0x44  acm_bind+0x1b8/0x1f4  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40095",
                        "url": "https://ubuntu.com/security/CVE-2025-40095",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_rndis: Refactor bind path to use __free()  After an bind/unbind cycle, the rndis->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40165",
                        "url": "https://ubuntu.com/security/CVE-2025-40165",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: nxp: imx8-isi: m2m: Fix streaming cleanup on release  If streamon/streamoff calls are imbalanced, such as when exiting an application with Ctrl+C when streaming, the m2m usage_count will never reach zero and the ISI channel won't be freed. Besides from that, if the input line width is more than 2K, it will trigger a WARN_ON():  [ 59.222120] ------------[ cut here ]------------ [ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654 [ 59.238569] Modules linked in: ap1302 [ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT [ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT) [ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120 [ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120 [ 59.275047] sp : ffff8000848c3b40 [ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00 [ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001 [ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780 [ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000 [ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c [ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 [ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30 [ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420 [ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000 [ 59.349590] Call trace: [ 59.352025]  mxc_isi_channel_chain+0xa4/0x120 (P) [ 59.356722]  mxc_isi_m2m_streamon+0x160/0x20c [ 59.361072]  
v4l_streamon+0x24/0x30 [ 59.364556]  __video_do_ioctl+0x40c/0x4a0 [ 59.368560]  video_usercopy+0x2bc/0x690 [ 59.372382]  video_ioctl2+0x18/0x24 [ 59.375857]  v4l2_ioctl+0x40/0x60 [ 59.379168]  __arm64_sys_ioctl+0xac/0x104 [ 59.383172]  invoke_syscall+0x48/0x104 [ 59.386916]  el0_svc_common.constprop.0+0xc0/0xe0 [ 59.391613]  do_el0_svc+0x1c/0x28 [ 59.394915]  el0_svc+0x34/0xf4 [ 59.397966]  el0t_64_sync_handler+0xa0/0xe4 [ 59.402143]  el0t_64_sync+0x198/0x19c [ 59.405801] ---[ end trace 0000000000000000 ]---  Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the v4l2_m2m_ioctl_streamon() and v4l2_m2m_ioctl_streamoff() helpers.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40096",
                        "url": "https://ubuntu.com/security/CVE-2025-40096",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies  When adding dependencies with drm_sched_job_add_dependency(), that function consumes the fence reference both on success and failure, so in the latter case the dma_fence_put() on the error path (xarray failed to expand) is a double free.  Interestingly this bug appears to have been present ever since commit ebd5f74255b9 (\"drm/sched: Add dependency tracking\"), since the code back then looked like this:  drm_sched_job_add_implicit_dependencies(): ...        for (i = 0; i < fence_count; i++) {                ret = drm_sched_job_add_dependency(job, fences[i]);                if (ret)                        break;        }         for (; i < fence_count; i++)                dma_fence_put(fences[i]);  Which means for the failing 'i' the dma_fence_put was already a double free. Possibly there were no users at that time, or the test cases were insufficient to hit it.  The bug was then only noticed and fixed after commit 9c2ba265352a (\"drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2\") landed, with its fixup of commit 4eaf02d6076c (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies\").  At that point it was a slightly different flavour of a double free, which commit 963d0b356935 (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder\") noticed and attempted to fix.  But it only moved the double free from happening inside the drm_sched_job_add_dependency(), when releasing the reference not yet obtained, to the caller, when releasing the reference already released by the former in the failure case.  As such it is not easy to identify the right target for the fixes tag so lets keep it simple and just continue the chain.  While fixing we also improve the comment and explain the reason for taking the reference and not dropping it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40097",
                        "url": "https://ubuntu.com/security/CVE-2025-40097",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda: Fix missing pointer check in hda_component_manager_init function  The __component_match_add function may assign the 'matchptr' pointer the value ERR_PTR(-ENOMEM), which will subsequently be dereferenced.  The call stack leading to the error looks like this:  hda_component_manager_init |-> component_match_add     |-> component_match_add_release         |-> __component_match_add ( ... ,**matchptr, ... )             |-> *matchptr = ERR_PTR(-ENOMEM);       // assign |-> component_master_add_with_match( ...  match)     |-> component_match_realloc(match, match->num); // dereference  Add IS_ERR() check to prevent the crash.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40098",
                        "url": "https://ubuntu.com/security/CVE-2025-40098",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state()  Return value of a function acpi_evaluate_dsm() is dereferenced  without checking for NULL, but it is usually checked for this function.  acpi_evaluate_dsm() may return NULL, when acpi_evaluate_object() returns acpi_status other than ACPI_SUCCESS, so add a check to prevent the crach.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40099",
                        "url": "https://ubuntu.com/security/CVE-2025-40099",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cifs: parse_dfs_referrals: prevent oob on malformed input  Malicious SMB server can send invalid reply to FSCTL_DFS_GET_REFERRALS  - reply smaller than sizeof(struct get_dfs_referral_rsp) - reply with number of referrals smaller than NumberOfReferrals in the header  Processing of such replies will cause oob.  Return -EINVAL error on such replies to prevent oob-s.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40100",
                        "url": "https://ubuntu.com/security/CVE-2025-40100",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: do not assert we found block group item when creating free space tree  Currently, when building a free space tree at populate_free_space_tree(), if we are not using the block group tree feature, we always expect to find block group items (either extent items or a block group item with key type BTRFS_BLOCK_GROUP_ITEM_KEY) when we search the extent tree with btrfs_search_slot_for_read(), so we assert that we found an item. However this expectation is wrong since we can have a new block group created in the current transaction which is still empty and for which we still have not added the block group's item to the extent tree, in which case we do not have any items in the extent tree associated to the block group.  The insertion of a new block group's block group item in the extent tree happens at btrfs_create_pending_block_groups() when it calls the helper insert_block_group_item(). This typically is done when a transaction handle is released, committed or when running delayed refs (either as part of a transaction commit or when serving tickets for space reservation if we are low on free space).  So remove the assertion at populate_free_space_tree() even when the block group tree feature is not enabled and update the comment to mention this case.  Syzbot reported this with the following stack trace:    BTRFS info (device loop3 state M): rebuilding free space tree   assertion failed: ret == 0 :: 0, in fs/btrfs/free-space-tree.c:1115   ------------[ cut here ]------------   kernel BUG at fs/btrfs/free-space-tree.c:1115!   Oops: invalid opcode: 0000 [#1] SMP KASAN PTI   CPU: 1 UID: 0 PID: 6352 Comm: syz.3.25 Not tainted syzkaller #0 PREEMPT(full)   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025   RIP: 0010:populate_free_space_tree+0x700/0x710 fs/btrfs/free-space-tree.c:1115   Code: ff ff e8 d3 (...)   
RSP: 0018:ffffc9000430f780 EFLAGS: 00010246   RAX: 0000000000000043 RBX: ffff88805b709630 RCX: fea61d0e2e79d000   RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000   RBP: ffffc9000430f8b0 R08: ffffc9000430f4a7 R09: 1ffff92000861e94   R10: dffffc0000000000 R11: fffff52000861e95 R12: 0000000000000001   R13: 1ffff92000861f00 R14: dffffc0000000000 R15: 0000000000000000   FS:  00007f424d9fe6c0(0000) GS:ffff888125afc000(0000) knlGS:0000000000000000   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   CR2: 00007fd78ad212c0 CR3: 0000000076d68000 CR4: 00000000003526f0   Call Trace:    <TASK>    btrfs_rebuild_free_space_tree+0x1ba/0x6d0 fs/btrfs/free-space-tree.c:1364    btrfs_start_pre_rw_mount+0x128f/0x1bf0 fs/btrfs/disk-io.c:3062    btrfs_remount_rw fs/btrfs/super.c:1334 [inline]    btrfs_reconfigure+0xaed/0x2160 fs/btrfs/super.c:1559    reconfigure_super+0x227/0x890 fs/super.c:1076    do_remount fs/namespace.c:3279 [inline]    path_mount+0xd1a/0xfe0 fs/namespace.c:4027    do_mount fs/namespace.c:4048 [inline]    __do_sys_mount fs/namespace.c:4236 [inline]    __se_sys_mount+0x313/0x410 fs/namespace.c:4213    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    RIP: 0033:0x7f424e39066a   Code: d8 64 89 02 (...)   RSP: 002b:00007f424d9fde68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5   RAX: ffffffffffffffda RBX: 00007f424d9fdef0 RCX: 00007f424e39066a   RDX: 0000200000000180 RSI: 0000200000000380 RDI: 0000000000000000   RBP: 0000200000000180 R08: 00007f424d9fdef0 R09: 0000000000000020   R10: 0000000000000020 R11: 0000000000000246 R12: 0000200000000380   R13: 00007f424d9fdeb0 R14: 0000000000000000 R15: 00002000000002c0    </TASK>   Modules linked in:   ---[ end trace 0000000000000000 ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40101",
                        "url": "https://ubuntu.com/security/CVE-2025-40101",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST  At the end of btrfs_load_block_group_zone_info() the first thing we do is to ensure that if the mapping type is not a SINGLE one and there is no RAID stripe tree, then we return early with an error.  Doing that, though, prevents the code from running the last calls from this function which are about freeing memory allocated during its run. Hence, in this case, instead of returning early, we set the ret value and fall through the rest of the cleanup code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40167",
                        "url": "https://ubuntu.com/security/CVE-2025-40167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: detect invalid INLINE_DATA + EXTENTS flag combination  syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal.  The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set:      EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:     comm syz.0.17: corrupted extent tree: lblk 0 < prev 66  Investigation revealed that the inode has both flags set:     DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1  This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks  Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes.  Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40102",
                        "url": "https://ubuntu.com/security/CVE-2025-40102",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Prevent access to vCPU events before init  Another day, another syzkaller bug. KVM erroneously allows userspace to pend vCPU events for a vCPU that hasn't been initialized yet, leading to KVM interpreting a bunch of uninitialized garbage for routing / injecting the exception.  In one case the injection code and the hyp disagree on whether the vCPU has a 32bit EL1 and put the vCPU into an illegal mode for AArch64, tripping the BUG() in exception_target_el() during the next injection:    kernel BUG at arch/arm64/kvm/inject_fault.c:40!   Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP   CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT   Hardware name: linux,dummy-virt (DT)   pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)   pc : exception_target_el+0x88/0x8c   lr : pend_serror_exception+0x18/0x13c   sp : ffff800082f03a10   x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000   x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000   x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004   x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000   x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0   x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000   x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000   x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000   x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000   x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20   Call trace:    exception_target_el+0x88/0x8c (P)    kvm_inject_serror_esr+0x40/0x3b4    __kvm_arm_vcpu_set_events+0xf0/0x100    kvm_arch_vcpu_ioctl+0x180/0x9d4    kvm_vcpu_ioctl+0x60c/0x9f4    __arm64_sys_ioctl+0xac/0x104    invoke_syscall+0x48/0x110    el0_svc_common.constprop.0+0x40/0xe0    
do_el0_svc+0x1c/0x28    el0_svc+0x34/0xf0    el0t_64_sync_handler+0xa0/0xe4    el0t_64_sync+0x198/0x19c   Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000)  Reject the ioctls outright as no sane VMM would call these before KVM_ARM_VCPU_INIT anyway. Even if it did the exception would've been thrown away by the eventual reset of the vCPU's state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40103",
                        "url": "https://ubuntu.com/security/CVE-2025-40103",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: Fix refcount leak for cifs_sb_tlink  Fix three refcount inconsistency issues related to `cifs_sb_tlink`.  Comments for `cifs_sb_tlink` state that `cifs_put_tlink()` needs to be called after successful calls to `cifs_sb_tlink()`. Three calls fail to update refcount accordingly, leading to possible resource leaks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40104",
                        "url": "https://ubuntu.com/security/CVE-2025-40104",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ixgbevf: fix mailbox API compatibility by negotiating supported features  There was backward compatibility in the terms of mailbox API. Various drivers from various OSes supporting 10G adapters from Intel portfolio could easily negotiate mailbox API.  This convention has been broken since introducing API 1.4. Commit 0062e7cc955e (\"ixgbevf: add VF IPsec offload code\") added support for IPSec which is specific only for the kernel ixgbe driver. None of the rest of the Intel 10G PF/VF drivers supports it. And actually lack of support was not included in the IPSec implementation - there were no such code paths. No possibility to negotiate support for the feature was introduced along with introduction of the feature itself.  Commit 339f28964147 (\"ixgbevf: Add support for new mailbox communication between PF and VF\") increasing API version to 1.5 did the same - it introduced code supported specifically by the PF ESX driver. It altered API version for the VF driver in the same time not touching the version defined for the PF ixgbe driver. It led to additional discrepancies, as the code provided within API 1.6 cannot be supported for Linux ixgbe driver as it causes crashes.  The issue was noticed some time ago and mitigated by Jake within the commit d0725312adf5 (\"ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5\"). As a result we have regression for IPsec support and after increasing API to version 1.6 ixgbevf driver stopped to support ESX MBX.  To fix this mess add new mailbox op asking PF driver about supported features. Basing on a response determine whether to set support for IPSec and ESX-specific enhanced mailbox.  New mailbox op, for compatibility purposes, must be added within new API revision, as API version of OOT PF & VF drivers is already increased to 1.6 and doesn't incorporate features negotiate op.  
Features negotiation mechanism gives possibility to be extended with new features when needed in the future.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40166",
                        "url": "https://ubuntu.com/security/CVE-2025-40166",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Check GuC running state before deregistering exec queue  In normal operation, a registered exec queue is disabled and deregistered through the GuC, and freed only after the GuC confirms completion. However, if the driver is forced to unbind while the exec queue is still running, the user may call exec_destroy() after the GuC has already been stopped and CT communication disabled.  In this case, the driver cannot receive a response from the GuC, preventing proper cleanup of exec queue resources. Fix this by directly releasing the resources when GuC is not running.  Here is the failure dmesg log: \" [  468.089581] ---[ end trace 0000000000000000 ]--- [  468.089608] pci 0000:03:00.0: [drm] *ERROR* GT0: GUC ID manager unclean (1/65535) [  468.090558] pci 0000:03:00.0: [drm] GT0:     total 65535 [  468.090562] pci 0000:03:00.0: [drm] GT0:     used 1 [  468.090564] pci 0000:03:00.0: [drm] GT0:     range 1..1 (1) [  468.092716] ------------[ cut here ]------------ [  468.092719] WARNING: CPU: 14 PID: 4775 at drivers/gpu/drm/xe/xe_ttm_vram_mgr.c:298 ttm_vram_mgr_fini+0xf8/0x130 [xe] \"  v2: use xe_uc_fw_is_running() instead of xe_guc_ct_enabled().     As CT may go down and come back during VF migration.  (cherry picked from commit 9b42321a02c50a12b2beb6ae9469606257fbecea)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40105",
                        "url": "https://ubuntu.com/security/CVE-2025-40105",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vfs: Don't leak disconnected dentries on umount  When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb (\"VFS: don't keep disconnected dentries on d_anon\") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitly relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are \"leaked\". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous \"Busy inodes after unmount\" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40019",
                        "url": "https://ubuntu.com/security/CVE-2025-40019",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: essiv - Check ssize for decryption and in-place encryption  Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-24 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40214",
                        "url": "https://ubuntu.com/security/CVE-2025-40214",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  af_unix: Initialise scc_index in unix_add_edge().  Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro.  The repro consists of three stages.    1)     1-a. Create a single cyclic reference with many sockets     1-b. close() all sockets     1-c. Trigger GC    2)     2-a. Pass sk-A to an embryo sk-B     2-b. Pass sk-X to sk-X     2-c. Trigger GC    3)     3-a. accept() the embryo sk-B     3-b. Pass sk-B to sk-C     3-c. close() the in-flight sk-A     3-d. Trigger GC  As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs:    unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START)   unix_sk(sk-X)->vertex->scc_index = 3  Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC.  At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices.  unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight.  3-c decrements sk-A's file refcnt to 1.  Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X:    sk-A -> sk-B (-> sk-C)   sk-X -> sk-X  This is totally fine.  All of them are not yet close()d and should be grouped into different SCCs.  However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead.    unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong!   &&   sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree                                        ^-- 1 in-flight count for sk-B   -> sk-A is dead !?  
The problem is that unix_add_edge() does not initialise scc_index.  Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c.  Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index.  This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.",
                        "cve_priority": "high",
                        "cve_public_date": "2025-12-04 13:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2137845,
                    1786013,
                    2137849,
                    1786013,
                    2136820,
                    2137698,
                    2129812,
                    2125022,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136813,
                    2132317,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2132095,
                    2131046,
                    2115860,
                    2128792,
                    2121852,
                    2131259,
                    2131259,
                    2131702,
                    2129610
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-40256",
                                "url": "https://ubuntu.com/security/CVE-2025-40256",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added  In commit b441cf3f8c4b (\"xfrm: delete x->tunnel as we delete x\"), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists.  In this situation, ->init_state has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn't go through __xfrm_state_delete, so we don't call xfrm_state_delete_tunnel for those states, and we end up leaking the FB tunnel.  There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrm_migrate, xfrm_state_migrate). A \"proper\" rollback of the init_state work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved.  At some point, the new (not-inserted) state will be destroyed, so call xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states will have their fallback tunnel cleaned up during __xfrm_state_delete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68204",
                                "url": "https://ubuntu.com/security/CVE-2025-68204",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pmdomain: arm: scmi: Fix genpd leak on provider registration failure  If of_genpd_add_provider_onecell() fails during probe, the previously created generic power domains are not removed, leading to a memory leak and potential kernel crash later in genpd_debug_add().  Add proper error handling to unwind the initialized domains before returning from probe to ensure all resources are correctly released on failure.  Example crash trace observed without this fix:    | Unable to handle kernel paging request at virtual address fffffffffffffc70   | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT   | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform   | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)   | pc : genpd_debug_add+0x2c/0x160   | lr : genpd_debug_init+0x74/0x98   | Call trace:   |  genpd_debug_add+0x2c/0x160 (P)   |  genpd_debug_init+0x74/0x98   |  do_one_initcall+0xd0/0x2d8   |  do_initcall_level+0xa0/0x140   |  do_initcalls+0x60/0xa8   |  do_basic_setup+0x28/0x40   |  kernel_init_freeable+0xe8/0x170   |  kernel_init+0x2c/0x140   |  ret_from_fork+0x10/0x20",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68203",
                                "url": "https://ubuntu.com/security/CVE-2025-68203",
                                "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40267",
                                "url": "https://ubuntu.com/security/CVE-2025-40267",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/rw: ensure allocated iovec gets cleared for early failure  A previous commit reused the recycling infrastructure for early cleanup, but this is not enough for the case where our internal caches have overflowed. If this happens, then the allocated iovec can get leaked if the request is also aborted early.  Reinstate the previous forced free of the iovec for that situation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68198",
                                "url": "https://ubuntu.com/security/CVE-2025-68198",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crash: fix crashkernel resource shrink  When crashkernel is configured with a high reservation, shrinking its value below the low crashkernel reservation causes two issues:  1. Invalid crashkernel resource objects 2. Kernel crash if crashkernel shrinking is done twice  For example, with crashkernel=200M,high, the kernel reserves 200MB of high memory and some default low memory (say 256MB).  The reservation appears as:  cat /proc/iomem | grep -i crash af000000-beffffff : Crash kernel 433000000-43f7fffff : Crash kernel  If crashkernel is then shrunk to 50MB (echo 52428800 > /sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved: af000000-beffffff : Crash kernel  Instead, it should show 50MB: af000000-b21fffff : Crash kernel  Further shrinking crashkernel to 40MB causes a kernel crash with the following trace (x86):  BUG: kernel NULL pointer dereference, address: 0000000000000038 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI <snip...> Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2f0 ? search_module_extables+0x19/0x60 ? search_bpf_extables+0x5f/0x80 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? __release_resource+0xd/0xb0 release_resource+0x26/0x40 __crash_shrink_memory+0xe5/0x110 crash_shrink_memory+0x12a/0x190 kexec_crash_size_store+0x41/0x80 kernfs_fop_write_iter+0x141/0x1f0 vfs_write+0x294/0x460 ksys_write+0x6d/0xf0 <snip...>  This happens because __crash_shrink_memory()/kernel/crash_core.c incorrectly updates the crashk_res resource object even when crashk_low_res should be updated.  Fix this by ensuring the correct crashkernel resource object is updated when shrinking crashkernel memory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68199",
                                "url": "https://ubuntu.com/security/CVE-2025-68199",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext  When alloc_slab_obj_exts() fails and then later succeeds in allocating a slab extension vector, it calls handle_failed_objexts_alloc() to mark all objects in the vector as empty.  As a result all objects in this slab (slabA) will have their extensions set to CODETAG_EMPTY.  Later on if this slabA is used to allocate a slabobj_ext vector for another slab (slabB), we end up with the slabB->obj_exts pointing to a slabobj_ext vector that itself has a non-NULL slabobj_ext equal to CODETAG_EMPTY.  When slabB gets freed, free_slab_obj_exts() is called to free slabB->obj_exts vector.   free_slab_obj_exts() calls mark_objexts_empty(slabB->obj_exts) which will generate a warning because it expects slabobj_ext vectors to have a NULL obj_ext, not CODETAG_EMPTY.  Modify mark_objexts_empty() to skip the warning and setting the obj_ext value if it's already set to CODETAG_EMPTY.   To quickly detect this WARN, I modified the code from WARN_ON(slab_exts[offs].ref.ct) to BUG_ON(slab_exts[offs].ref.ct == 1);  We then obtained this message:  [21630.898561] ------------[ cut here ]------------ [21630.898596] kernel BUG at mm/slub.c:2050! 
[21630.898611] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [21630.900372] Modules linked in: squashfs isofs vfio_iommu_type1 vhost_vsock vfio vhost_net vmw_vsock_virtio_transport_common vhost tap vhost_iotlb iommufd vsock binfmt_misc nfsv3 nfs_acl nfs lockd grace netfs tls rds dns_resolver tun brd overlay ntfs3 exfat btrfs blake2b_generic xor xor_neon raid6_pq loop sctp ip6_udp_tunnel udp_tunnel nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables rfkill ip_set sunrpc vfat fat joydev sg sch_fq_codel nfnetlink virtio_gpu sr_mod cdrom drm_client_lib virtio_dma_buf drm_shmem_helper drm_kms_helper drm ghash_ce backlight virtio_net virtio_blk virtio_scsi net_failover virtio_console failover virtio_mmio dm_mirror dm_region_hash dm_log dm_multipath dm_mod fuse i2c_dev virtio_pci virtio_pci_legacy_dev virtio_pci_modern_dev virtio virtio_ring autofs4 aes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject] [21630.909177] CPU: 3 UID: 0 PID: 3787 Comm: kylin-process-m Kdump: loaded Tainted: G        W           6.18.0-rc1+ #74 PREEMPT(voluntary) [21630.910495] Tainted: [W]=WARN [21630.910867] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 [21630.911625] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [21630.912392] pc : __free_slab+0x228/0x250 [21630.912868] lr : __free_slab+0x18c/0x250[21630.913334] sp : ffff8000a02f73e0 [21630.913830] x29: ffff8000a02f73e0 x28: fffffdffc43fc800 x27: ffff0000c0011c40 [21630.914677] x26: ffff0000c000cac0 x25: ffff00010fe5e5f0 x24: ffff000102199b40 [21630.915469] x23: 0000000000000003 x22: 0000000000000003 x21: ffff0000c0011c40 [21630.916259] x20: fffffdffc4086600 x19: fffffdffc43fc800 x18: 0000000000000000 [21630.917048] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [21630.917837] x14: 0000000000000000 x13: 0000000000000000 x12: ffff70001405ee66 
[21630.918640] x11: 1ffff0001405ee65 x10: ffff70001405ee65 x9 : ffff800080a295dc [21630.919442] x8 : ffff8000a02f7330 x7 : 0000000000000000 x6 : 0000000000003000 [21630.920232] x5 : 0000000024924925 x4 : 0000000000000001 x3 : 0000000000000007 [21630.921021] x2 : 0000000000001b40 x1 : 000000000000001f x0 : 0000000000000001 [21630.921810] Call trace: [21630.922130]  __free_slab+0x228/0x250 (P) [21630.922669]  free_slab+0x38/0x118 [21630.923079]  free_to_partial_list+0x1d4/0x340 [21630.923591]  __slab_free+0x24c/0x348 [21630.924024]  ___cache_free+0xf0/0x110 [21630.924468]  qlist_free_all+0x78/0x130 [21630.924922]  kasan_quarantine_reduce+0x11 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40268",
                                "url": "https://ubuntu.com/security/CVE-2025-40268",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cifs: client: fix memory leak in smb3_fs_context_parse_param  The user calls fsconfig twice, but when the program exits, free() only frees ctx->source for the second fsconfig, not the first. Regarding fc->source, there is no code in the fs context related to its memory reclamation.  To fix this memory leak, release the source memory corresponding to ctx or fc before each parsing.  syzbot reported: BUG: memory leak unreferenced object 0xffff888128afa360 (size 96):   backtrace (crc 79c9c7ba):     kstrdup+0x3c/0x80 mm/util.c:84     smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444  BUG: memory leak unreferenced object 0xffff888112c7d900 (size 96):   backtrace (crc 79c9c7ba):     smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629     smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40269",
                                "url": "https://ubuntu.com/security/CVE-2025-40269",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix potential overflow of PCM transfer buffer  The PCM stream data in USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically.  The packet sizes are limited by some factors such as wMaxPacketSize USB descriptor.  OTOH, in the current code, the actually used packet sizes are determined only by the rate and the PPS, which may be bigger than the size limit above.  This results in a buffer overflow, as reported by syzbot.  Basically when the limit is smaller than the calculated packet size, it implies that something is wrong, most likely a weird USB descriptor.  So the best option would be just to return an error at the parameter setup time before doing any further operations.  This patch introduces such a sanity check, and returns -EINVAL when the packet size is greater than maxpacksize.  The comparison with ep->packsize[1] alone should suffice since it's always equal or greater than ep->packsize[0].",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68205",
                                "url": "https://ubuntu.com/security/CVE-2025-68205",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver  After restructuring and splitting the HDMI codec driver code, each HDMI codec driver contains the own build_controls and build_pcms ops. A copy-n-paste error put the wrong entries for nvhdmi-mcp driver; both build_controls and build_pcms are swapped.  Unfortunately both callbacks have the very same form, and the compiler didn't complain it, either.  This resulted in a NULL dereference because the PCM instance hasn't been initialized at calling the build_controls callback.  Fix it by passing the proper entries.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40270",
                                "url": "https://ubuntu.com/security/CVE-2025-40270",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm, swap: fix potential UAF issue for VMA readahead  Since commit 78524b05f1a3 (\"mm, swap: avoid redundant swap device pinning\"), the common helper for allocating and preparing a folio in the swap cache layer no longer tries to get a swap device reference internally, because all callers of __read_swap_cache_async are already holding a swap entry reference.  The repeated swap device pinning isn't needed on the same swap device.  Caller of VMA readahead is also holding a reference to the target entry's swap device, but VMA readahead walks the page table, so it might encounter swap entries from other devices, and call __read_swap_cache_async on another device without holding a reference to it.  So it is possible to cause a UAF when swapoff of device A raced with swapin on device B, and VMA readahead tries to read swap entries from device A.  It's not easy to trigger, but in theory, it could cause real issues.  Make VMA readahead try to get the device reference first if the swap device is a different one from the target entry.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40271",
                                "url": "https://ubuntu.com/security/CVE-2025-40271",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/proc: fix uaf in proc_readdir_de()  Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which may result in uaf access.  We should use RB_CLEAR_NODE() set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access.  We found an uaf issue while using stress-ng testing, need to run testcase getdent and tun in the same time.  The steps of the issue is as follows:  1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current    pde is tun3;  2) in the [time windows] unregister netdevice tun3 and tun2, and erase    them from rbtree.  erase tun3 first, and then erase tun2.  the    pde(tun2) will be released to slab;  3) continue to getdent process, then pde_subdir_next() will return    pde(tun2) which is released, it will case uaf access.  CPU 0                                      |    CPU 1 ------------------------------------------------------------------------- traverse dir /proc/pid/net/dev_snmp6/      |  unregister_netdevice(tun->dev)   //tun3 tun2 sys_getdents64()                           |   iterate_dir()                            |     proc_readdir()                         |       proc_readdir_de()                    |     snmp6_unregister_dev()         pde_get(de);                       |       proc_remove()         read_unlock(&proc_subdir_lock);    |         remove_proc_subtree()                                            |          write_lock(&proc_subdir_lock);         [time window]                      |          rb_erase(&root->subdir_node, &parent->subdir);                                            |          write_unlock(&proc_subdir_lock);         read_lock(&proc_subdir_lock);      |         next = pde_subdir_next(de);        |         pde_put(de);                       |         de = next;    //UAF                |  rbtree of dev_snmp6                         
|                     pde(tun3)                      /    \\                   NULL  pde(tun2)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40272",
                                "url": "https://ubuntu.com/security/CVE-2025-40272",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/secretmem: fix use-after-free race in fault handler  When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping.  If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in adding the folio to the file mapping.  The task that failed undoes the effects of its attempt by (a) freeing the folio again and (b) putting the page back into the direct map.  However, by doing these two operations in this order, the page becomes available to the allocator again before it is placed back in the direct mapping.  If another task attempts to allocate the page between (a) and (b), and the kernel tries to access it via the direct map, it would result in a supervisor not-present page fault.  Fix the ordering to restore the direct map before the folio is freed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68245",
                                "url": "https://ubuntu.com/security/CVE-2025-68245",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: netpoll: fix incorrect refcount handling causing incorrect cleanup  commit efa95b01da18 (\"netpoll: fix use after free\") incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks.  Scenario causing lack of proper cleanup:  1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is    allocated, and refcnt = 1    - Keep in mind that npinfo is shared among all netpoll instances. In      this case, there is just one.  2) Another netpoll is also associated with the same NIC and    npinfo->refcnt += 1.    - Now dev->npinfo->refcnt = 2;    - There is just one npinfo associated to the netdev.  3) When the first netpolls goes to clean up:    - The first cleanup succeeds and clears np->dev->npinfo, ignoring      refcnt.      - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);`    - Set dev->npinfo = NULL, without proper cleanup    - No ->ndo_netpoll_cleanup() is either called  4) Now the second target tries to clean up    - The second cleanup fails because np->dev->npinfo is already NULL.      * In this case, ops->ndo_netpoll_cleanup() was never called, and        the skb pool is not cleaned as well (for the second netpoll        instance)   - This leaks npinfo and skbpool skbs, which is clearly reported by     kmemleak.  Revert commit efa95b01da18 (\"netpoll: fix use after free\") and adds clarifying comments emphasizing that npinfo cleanup should only happen once the refcount reaches zero, ensuring stable and correct netpoll behavior.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68240",
                                "url": "https://ubuntu.com/security/CVE-2025-68240",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: avoid having an active sc_timer before freeing sci  Because kthread_stop did not stop sc_task properly and returned -EINTR, the sc_timer was not properly closed, ultimately causing the problem [1] reported by syzbot when freeing sci due to the sc_timer not being closed.  Because the thread sc_task main function nilfs_segctor_thread() returns 0 when it succeeds, when the return value of kthread_stop() is not 0 in nilfs_segctor_destroy(), we believe that it has not properly closed sc_timer.  We use timer_shutdown_sync() to sync wait for sc_timer to shutdown, and set the value of sc_task to NULL under the protection of lock sc_state_lock, so as to avoid the issue caused by sc_timer not being properly shutdowned.  [1] ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: nilfs_construction_timeout Call trace:  nilfs_segctor_destroy fs/nilfs2/segment.c:2811 [inline]  nilfs_detach_log_writer+0x668/0x8cc fs/nilfs2/segment.c:2877  nilfs_put_super+0x4c/0x12c fs/nilfs2/super.c:509",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68241",
                                "url": "https://ubuntu.com/security/CVE-2025-68241",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe  The sit driver's packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random.  The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exception() can fetch the soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a new dst using a dst_hold(). When the original fnheX is freed via RCU, the dst reference remains permanently leaked.  CPU 0                             CPU 1 __mkroute_output()   find_exception() [fnheX]                                   update_or_create_fnhe()                                     fnhe_remove_oldest() [fnheX]   rt_bind_exception() [bind dst]                                   RCU callback [fnheX freed, dst leak]  This issue manifests as a device reference count leak and a warning in dmesg when unregistering the net device:    unregister_netdevice: waiting for sitX to become free. Usage count = N  Ido Schimmel provided the simple test validation method [1].  The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes(). Since rt_bind_exception() checks this field, setting it to zero prevents the stale fnhe from being reused and bound to a new dst just before it is freed.  
[1] ip netns add ns1 ip -n ns1 link set dev lo up ip -n ns1 address add 192.0.2.1/32 dev lo ip -n ns1 link add name dummy1 up type dummy ip -n ns1 route add 192.0.2.2/32 dev dummy1 ip -n ns1 link add name gretap1 up arp off type gretap \\     local 192.0.2.1 remote 192.0.2.2 ip -n ns1 route add 198.51.0.0/16 dev gretap1 taskset -c 0 ip netns exec ns1 mausezahn gretap1 \\     -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & taskset -c 2 ip netns exec ns1 mausezahn gretap1 \\     -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & sleep 10 ip netns pids ns1 | xargs kill ip netns del ns1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68211",
                                "url": "https://ubuntu.com/security/CVE-2025-68211",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksm: use range-walk function to jump over holes in scan_get_next_rmap_item  Currently, scan_get_next_rmap_item() walks every page address in a VMA to locate mergeable pages.  This becomes highly inefficient when scanning large virtual memory areas that contain mostly unmapped regions, causing ksmd to use large amount of cpu without deduplicating much pages.  This patch replaces the per-address lookup with a range walk using walk_page_range().  The range walker allows KSM to skip over entire unmapped holes in a VMA, avoiding unnecessary lookups.  This problem was previously discussed in [1].  Consider the following test program which creates a 32 TiB mapping in the virtual address space but only populates a single page:  #include <unistd.h> #include <stdio.h> #include <sys/mman.h>  /* 32 TiB */ const size_t size = 32ul * 1024 * 1024 * 1024 * 1024;  int main() {         char *area = mmap(NULL, size, PROT_READ | PROT_WRITE,                           MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1, 0);          if (area == MAP_FAILED) {                 perror(\"mmap() failed\\n\");                 return -1;         }          /* Populate a single page such that we get an anon_vma. */         *area = 0;          /* Enable KSM. */         madvise(area, size, MADV_MERGEABLE);         pause();         return 0; }  $ ./ksm-sparse  & $ echo 1 > /sys/kernel/mm/ksm/run  Without this patch ksmd uses 100% of the cpu for a long time (more then 1 hour in my test machine) scanning all the 32 TiB virtual address space that contain only one mapped page.  This makes ksmd essentially deadlocked not able to deduplicate anything of value.  With this patch ksmd walks only the one mapped page and skips the rest of the 32 TiB virtual address space, making the scan fast using little cpu.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68246",
                                "url": "https://ubuntu.com/security/CVE-2025-68246",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: close accepted socket when per-IP limit rejects connection  When the per-IP connection limit is exceeded in ksmbd_kthread_fn(), the code sets ret = -EAGAIN and continues the accept loop without closing the just-accepted socket. That leaks one socket per rejected attempt from a single IP and enables a trivial remote DoS.  Release client_sk before continuing.  This bug was found with ZeroPath.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40273",
                                "url": "https://ubuntu.com/security/CVE-2025-40273",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: free copynotify stateid in nfs4_free_ol_stateid()  Typically copynotify stateid is freed either when parent's stateid is being close/freed or in nfsd4_laundromat if the stateid hasn't been used in a lease period.  However, in case when the server got an OPEN (which created a parent stateid), followed by a COPY_NOTIFY using that stateid, followed by a client reboot. New client instance while doing CREATE_SESSION would force expire previous state of this client. It leads to the open state being freed thru release_openowner-> nfs4_free_ol_stateid() and it finds that it still has copynotify stateid associated with it. We currently print a warning and is triggerred  WARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd]  This patch, instead, frees the associated copynotify stateid here.  If the parent stateid is freed (without freeing the copynotify stateids associated with it), it leads to the list corruption when laundromat ends up freeing the copynotify state later.  
[ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP [ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink [ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G    B   W           6.17.0-rc7+ #22 PREEMPT(voluntary) [ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN [ 1626.857573] Hardware name: VMware, Inc. 
VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024 [ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd] [ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.861182] sp : ffff8000881d7a40 [ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200 [ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20 [ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8 [ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000 [ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065 [ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3 [ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000 [ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001 [ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000 [ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d [ 1626.868167] Call trace: [ 1626.868382]  __list_del_entry_valid_or_report+0x148/0x200 (P) [ 1626.868876]  _free_cpntf_state_locked+0xd0/0x268 [nfsd] [ 1626.869368]  nfs4_laundromat+0x6f8/0x1058 [nfsd] [ 1626.869813]  laundromat_main+0x24/0x60 [nfsd] [ 1626.870231]  process_one_work+0x584/0x1050 [ 1626.870595]  worker_thread+0x4c4/0xc60 [ 1626.870893]  kthread+0x2f8/0x398 [ 1626.871146]  ret_from_fork+0x10/0x20 [ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000) [ 1626.871892] SMP: stopping secondary CPUs",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40212",
                                "url": "https://ubuntu.com/security/CVE-2025-40212",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfsd: fix refcount leak in nfsd_set_fh_dentry()  nfsd exports a \"pseudo root filesystem\" which is used by NFSv4 to find the various exported filesystems using LOOKUP requests from a known root filehandle.  NFSv3 uses the MOUNT protocol to find those exported filesystems and so is not given access to the pseudo root filesystem.  If a v3 (or v2) client uses a filehandle from that filesystem, nfsd_set_fh_dentry() will report an error, but still stores the export in \"struct svc_fh\" even though it also drops the reference (exp_put()). This means that when fh_put() is called an extra reference will be dropped which can lead to use-after-free and possible denial of service.  Normal NFS usage will not provide a pseudo-root filehandle to a v3 client.  This bug can only be triggered by the client synthesising an incorrect filehandle.  To fix this we move the assignments to the svc_fh later, after all possible error cases have been detected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-24 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40274",
                                "url": "https://ubuntu.com/security/CVE-2025-40274",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying  When unbinding a memslot from a guest_memfd instance, remove the bindings even if the guest_memfd file is dying, i.e. even if its file refcount has gone to zero.  If the memslot is freed before the file is fully released, nullifying the memslot side of the binding in kvm_gmem_release() will write to freed memory, as detected by syzbot+KASAN:    ==================================================================   BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353   Write of size 8 at addr ffff88807befa508 by task syz.0.17/6022    CPU: 0 UID: 0 PID: 6022 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025   Call Trace:    <TASK>    dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120    print_address_description mm/kasan/report.c:378 [inline]    print_report+0xca/0x240 mm/kasan/report.c:482    kasan_report+0x118/0x150 mm/kasan/report.c:595    kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353    __fput+0x44c/0xa70 fs/file_table.c:468    task_work_run+0x1d4/0x260 kernel/task_work.c:227    resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]    exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43    exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]    syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]    syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]    do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100    entry_SYSCALL_64_after_hwframe+0x77/0x7f   RIP: 0033:0x7fbeeff8efc9    </TASK>    Allocated by task 6023:    kasan_save_stack mm/kasan/common.c:56 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:77    poison_kmalloc_redzone mm/kasan/common.c:397 
[inline]    __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414    kasan_kmalloc include/linux/kasan.h:262 [inline]    __kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5758    kmalloc_noprof include/linux/slab.h:957 [inline]    kzalloc_noprof include/linux/slab.h:1094 [inline]    kvm_set_memory_region+0x747/0xb90 virt/kvm/kvm_main.c:2104    kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154    kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:597 [inline]    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    Freed by task 6023:    kasan_save_stack mm/kasan/common.c:56 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:77    kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584    poison_slab_object mm/kasan/common.c:252 [inline]    __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284    kasan_slab_free include/linux/kasan.h:234 [inline]    slab_free_hook mm/slub.c:2533 [inline]    slab_free mm/slub.c:6622 [inline]    kfree+0x19a/0x6d0 mm/slub.c:6829    kvm_set_memory_region+0x9c4/0xb90 virt/kvm/kvm_main.c:2130    kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154    kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:597 [inline]    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f  Deliberately don't acquire filemap invalid lock when the file is dying as the lifecycle of f_mapping is outside the purview of KVM.  
Dereferencing the mapping is *probably* fine, but there's no need to invalidate anything as memslot deletion is responsible for zapping SPTEs, and the only code that can access the dying file is kvm_gmem_release(), whose core code is mutual ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68202",
                                "url": "https://ubuntu.com/security/CVE-2025-68202",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Fix unsafe locking in the scx_dump_state()  For built with CONFIG_PREEMPT_RT=y kernels, the dump_lock will be converted sleepable spinlock and not disable-irq, so the following scenarios occur:  inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. irq_work/0/27 [HC0[0]:SC0[0]:HE1:SE1] takes: (&rq->__lock){?...}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x40 {IN-HARDIRQ-W} state was registered at:    lock_acquire+0x1e1/0x510    _raw_spin_lock_nested+0x42/0x80    raw_spin_rq_lock_nested+0x2b/0x40    sched_tick+0xae/0x7b0    update_process_times+0x14c/0x1b0    tick_periodic+0x62/0x1f0    tick_handle_periodic+0x48/0xf0    timer_interrupt+0x55/0x80    __handle_irq_event_percpu+0x20a/0x5c0    handle_irq_event_percpu+0x18/0xc0    handle_irq_event+0xb5/0x150    handle_level_irq+0x220/0x460    __common_interrupt+0xa2/0x1e0    common_interrupt+0xb0/0xd0    asm_common_interrupt+0x2b/0x40    _raw_spin_unlock_irqrestore+0x45/0x80    __setup_irq+0xc34/0x1a30    request_threaded_irq+0x214/0x2f0    hpet_time_init+0x3e/0x60    x86_late_time_init+0x5b/0xb0    start_kernel+0x308/0x410    x86_64_start_reservations+0x1c/0x30    x86_64_start_kernel+0x96/0xa0    common_startup_64+0x13e/0x148   other info that might help us debug this:  Possible unsafe locking scenario:          CPU0         ----    lock(&rq->__lock);    <Interrupt>      lock(&rq->__lock);    *** DEADLOCK ***   stack backtrace:  CPU: 0 UID: 0 PID: 27 Comm: irq_work/0  Call Trace:   <TASK>   dump_stack_lvl+0x8c/0xd0   dump_stack+0x14/0x20   print_usage_bug+0x42e/0x690   mark_lock.part.44+0x867/0xa70   ? __pfx_mark_lock.part.44+0x10/0x10   ? string_nocheck+0x19c/0x310   ? number+0x739/0x9f0   ? __pfx_string_nocheck+0x10/0x10   ? __pfx_check_pointer+0x10/0x10   ? kvm_sched_clock_read+0x15/0x30   ? sched_clock_noinstr+0xd/0x20   ? local_clock_noinstr+0x1c/0xe0   __lock_acquire+0xc4b/0x62b0   ? 
__pfx_format_decode+0x10/0x10   ? __pfx_string+0x10/0x10   ? __pfx___lock_acquire+0x10/0x10   ? __pfx_vsnprintf+0x10/0x10   lock_acquire+0x1e1/0x510   ? raw_spin_rq_lock_nested+0x2b/0x40   ? __pfx_lock_acquire+0x10/0x10   ? dump_line+0x12e/0x270   ? raw_spin_rq_lock_nested+0x20/0x40   _raw_spin_lock_nested+0x42/0x80   ? raw_spin_rq_lock_nested+0x2b/0x40   raw_spin_rq_lock_nested+0x2b/0x40   scx_dump_state+0x3b3/0x1270   ? finish_task_switch+0x27e/0x840   scx_ops_error_irq_workfn+0x67/0x80   irq_work_single+0x113/0x260   irq_work_run_list.part.3+0x44/0x70   run_irq_workd+0x6b/0x90   ? __pfx_run_irq_workd+0x10/0x10   smpboot_thread_fn+0x529/0x870   ? __pfx_smpboot_thread_fn+0x10/0x10   kthread+0x305/0x3f0   ? __pfx_kthread+0x10/0x10   ret_from_fork+0x40/0x70   ? __pfx_kthread+0x10/0x10   ret_from_fork_asm+0x1a/0x30   </TASK>  This commit therefore use rq_lock_irqsave/irqrestore() to replace rq_lock/unlock() in the scx_dump_state().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68239",
                                "url": "https://ubuntu.com/security/CVE-2025-68239",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  binfmt_misc: restore write access before closing files opened by open_exec()  bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed.  However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write operations on the same file to fail.  Fix this by calling exe_file_allow_write_access() before filp_close() to restore the write permission properly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68247",
                                "url": "https://ubuntu.com/security/CVE-2025-68247",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  posix-timers: Plug potential memory leak in do_timer_create()  When posix timer creation is set to allocate a given timer ID and the access to the user space value faults, the function terminates without freeing the already allocated posix timer structure.  Move the allocation after the user space access to cure that.  [ tglx: Massaged change log ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68208",
                                "url": "https://ubuntu.com/security/CVE-2025-68208",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: account for current allocated stack depth in widen_imprecise_scalars()  The usage pattern for widen_imprecise_scalars() looks as follows:      prev_st = find_prev_entry(env, ...);     queued_st = push_stack(...);     widen_imprecise_scalars(env, prev_st, queued_st);  Where prev_st is an ancestor of the queued_st in the explored states tree. This ancestor is not guaranteed to have the same allocated stack depth as queued_st. E.g. in the following case:      def main():       for i in 1..2:         foo(i)        // same callsite, different param      def foo(i):       if i == 1:         use 128 bytes of stack       iterator based loop  Here, for a second 'foo' call prev_st->allocated_stack is 128, while queued_st->allocated_stack is much smaller. widen_imprecise_scalars() needs to take this into account and avoid accessing bpf_verifier_state->frame[*]->stack out of bounds.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68200",
                                "url": "https://ubuntu.com/security/CVE-2025-68200",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Add bpf_prog_run_data_pointers()  syzbot found that cls_bpf_classify() is able to change tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().  WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline] WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214  struct tc_skb_cb has been added in commit ec624fe740b4 (\"net/sched: Extend qdisc control block with tc control block\"), which added a wrong interaction with db58ba459202 (\"bpf: wire in data and data_end for cls_act_bpf\").  drop_reason was added later.  Add bpf_prog_run_data_pointers() helper to save/restore the net_sched storage colliding with BPF data_meta/data_end.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40275",
                                "url": "https://ubuntu.com/security/CVE-2025-40275",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd  In snd_usb_create_streams(), for UAC version 3 devices, the Interface Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this call fails, a fallback routine attempts to obtain the IAD from the next interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, without performing a NULL check. This can lead to a NULL pointer dereference when usb_ifnum_to_if() fails to find the interface descriptor.  This patch adds a NULL pointer check after calling usb_ifnum_to_if() in snd_usb_mixer_controls_badd() to prevent the dereference.  This issue was discovered by syzkaller, which triggered the bug by sending a crafted USB device descriptor.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68242",
                                "url": "https://ubuntu.com/security/CVE-2025-68242",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS: Fix LTP test failures when timestamps are delegated  The utimes01 and utime06 tests fail when delegated timestamps are enabled, specifically in subtests that modify the atime and mtime fields using the 'nobody' user ID.  The problem can be reproduced as follows:  # echo \"/media *(rw,no_root_squash,sync)\" >> /etc/exports # export -ra # mount -o rw,nfsvers=4.2 127.0.0.1:/media /tmpdir # cd /opt/ltp # ./runltp -d /tmpdir -s utimes01 # ./runltp -d /tmpdir -s utime06  This issue occurs because nfs_setattr does not verify the inode's UID against the caller's fsuid when delegated timestamps are permitted for the inode.  This patch adds the UID check and if it does not match then the request is sent to the server for permission checking.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68243",
                                "url": "https://ubuntu.com/security/CVE-2025-68243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS: Check the TLS certificate fields in nfs_match_client()  If the TLS security policy is of type RPC_XPRTSEC_TLS_X509, then the cert_serial and privkey_serial fields need to match as well since they define the client's identity, as presented to the server.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40276",
                                "url": "https://ubuntu.com/security/CVE-2025-40276",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/panthor: Flush shmem writes before mapping buffers CPU-uncached  The shmem layer zeroes out the new pages using cached mappings, and if we don't CPU-flush we might leave dirty cachelines behind, leading to potential data leaks and/or asynchronous buffer corruption when dirty cachelines are evicted.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40277",
                                "url": "https://ubuntu.com/security/CVE-2025-40277",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE  This data originates from userspace and is used in buffer offset calculations which could potentially overflow causing an out-of-bounds access.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68206",
                                "url": "https://ubuntu.com/security/CVE-2025-68206",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_ct: add seqadj extension for natted connections  Sequence adjustment may be required for FTP traffic with PASV/EPSV modes. due to need to re-write packet payload (IP, port) on the ftp control connection. This can require changes to the TCP length and expected seq / ack_seq.  The easiest way to reproduce this issue is with PASV mode. Example ruleset: table inet ftp_nat {         ct helper ftp_helper {                 type \"ftp\" protocol tcp                 l3proto inet         }          chain prerouting {                 type filter hook prerouting priority 0; policy accept;                 tcp dport 21 ct state new ct helper set \"ftp_helper\"         } } table ip nat {         chain prerouting {                 type nat hook prerouting priority -100; policy accept;                 tcp dport 21 dnat ip prefix to ip daddr map { \t\t\t192.168.100.1 : 192.168.13.2/32 }         }          chain postrouting {                 type nat hook postrouting priority 100 ; policy accept;                 tcp sport 21 snat ip prefix to ip saddr map { \t\t\t192.168.13.2 : 192.168.100.1/32 }         } }  Note that the ftp helper gets assigned *after* the dnat setup.  The inverse (nat after helper assign) is handled by an existing check in nf_nat_setup_info() and will not show the problem.  Topoloy:   +-------------------+     +----------------------------------+  | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |  +-------------------+     +----------------------------------+                                       |                          +-----------------------+                          | Client: 192.168.100.2 |                          +-----------------------+  ftp nat changes do not work as expected in this case: Connected to 192.168.100.1. [..] ftp> epsv EPSV/EPRT on IPv4 off. 
ftp> ls 227 Entering passive mode (192,168,100,1,209,129). 421 Service not available, remote server has closed connection.  Kernel logs: Missing nfct_seqadj_ext_add() setup call WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41 [..]  __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]  nf_nat_ftp+0x142/0x280 [nf_nat_ftp]  help+0x4d1/0x880 [nf_conntrack_ftp]  nf_confirm+0x122/0x2e0 [nf_conntrack]  nf_hook_slow+0x3c/0xb0  ..  Fix this by adding the required extension when a conntrack helper is assigned to a connection that has a nat binding.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68209",
                                "url": "https://ubuntu.com/security/CVE-2025-68209",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mlx5: Fix default values in create CQ  Currently, CQs without a completion function are assigned the mlx5_add_cq_to_tasklet function by default. This is problematic since only user CQs created through the mlx5_ib driver are intended to use this function.  Additionally, all CQs that will use doorbells instead of polling for completions must call mlx5_cq_arm. However, the default CQ creation flow leaves a valid value in the CQ's arm_db field, allowing FW to send interrupts to polling-only CQs in certain corner cases.  These two factors would allow a polling-only kernel CQ to be triggered by an EQ interrupt and call a completion function intended only for user CQs, causing a null pointer exception.  Some areas in the driver have prevented this issue with one-off fixes but did not address the root cause.  This patch fixes the described issue by adding defaults to the create CQ flow. It adds a default dummy completion function to protect against null pointer exceptions, and it sets an invalid command sequence number by default in kernel CQs to prevent the FW from sending an interrupt to the CQ until it is armed. User CQs are responsible for their own initialization values.  Callers of mlx5_core_create_cq are responsible for changing the completion function and arming the CQ per their needs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40278",
                                "url": "https://ubuntu.com/security/CVE-2025-40278",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak  Fix a KMSAN kernel-infoleak detected by syzbot.  [net?] KMSAN: kernel-infoleak in __skb_datagram_iter  In tcf_ife_dump(), the variable 'opt' was partially initialized using a designated initializer, while the padding bytes remained uninitialized. Because nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace.  Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to being copied.  This change silences the KMSAN report and prevents potential information leaks from the kernel memory.  This fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures no infoleak.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40279",
                                "url": "https://ubuntu.com/security/CVE-2025-40279",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: act_connmark: initialize struct tc_ife to fix kernel leak  In tcf_connmark_dump(), the variable 'opt' was partially initialized using a designated initializer, while the padding bytes remained uninitialized. Because nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace.  Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to being copied.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40280",
                                "url": "https://ubuntu.com/security/CVE-2025-40280",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tipc: Fix use-after-free in tipc_mon_reinit_self().  syzbot reported use-after-free of tipc_net(net)->monitors[] in tipc_mon_reinit_self(). [0]  The array is protected by RTNL, but tipc_mon_reinit_self() iterates over it without RTNL.  tipc_mon_reinit_self() is called from tipc_net_finalize(), which is always under RTNL except for tipc_net_finalize_work().  Let's hold RTNL in tipc_net_finalize_work().  [0]: BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162 Read of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989  CPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Workqueue: events tipc_net_finalize_work Call Trace:  <TASK>  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0xca/0x240 mm/kasan/report.c:482  kasan_report+0x118/0x150 mm/kasan/report.c:595  __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568  kasan_check_byte include/linux/kasan.h:399 [inline]  lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842  __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]  _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162  rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline]  rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline]  rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244  rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243  write_lock_bh include/linux/rwlock_rt.h:99 [inline]  tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718  tipc_net_finalize+0x115/0x190 net/tipc/net.c:140  process_one_work kernel/workqueue.c:3236 [inline]  
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400  kthread+0x70e/0x8a0 kernel/kthread.c:463  ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 6089:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:388 [inline]  __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405  kasan_kmalloc include/linux/kasan.h:260 [inline]  __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407  kmalloc_noprof include/linux/slab.h:905 [inline]  kzalloc_noprof include/linux/slab.h:1039 [inline]  tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657  tipc_enable_bearer net/tipc/bearer.c:357 [inline]  __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047  __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline]  tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393  tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline]  tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321  genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115  genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]  genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210  netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552  genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219  netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]  netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346  netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896  sock_sendmsg_nosec net/socket.c:714 [inline]  __sock_sendmsg+0x21c/0x270 net/socket.c:729  ____sys_sendmsg+0x508/0x820 net/socket.c:2614  ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668  __sys_sendmsg net/socket.c:2700 [inline]  __do_sys_sendmsg net/socket.c:2705 [inline]  __se_sys_sendmsg net/socket.c:2703 [inline]  __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703  do_syscall_x64 
arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/ ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40281",
                                "url": "https://ubuntu.com/security/CVE-2025-40281",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto  syzbot reported a possible shift-out-of-bounds [1]  Blamed commit added rto_alpha_max and rto_beta_max set to 1000.  It is unclear if some sctp users are setting very large rto_alpha and/or rto_beta.  In order to prevent user regression, perform the test at run time.  Also add READ_ONCE() annotations as sysctl values can change under us.  [1]  UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41 shift exponent 64 is too large for 32-bit type 'unsigned int' CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace:  <TASK>   __dump_stack lib/dump_stack.c:94 [inline]   dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120   ubsan_epilogue lib/ubsan.c:233 [inline]   __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494   sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509   sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502   sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338   sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]   sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40282",
                                "url": "https://ubuntu.com/security/CVE-2025-40282",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: 6lowpan: reset link-local header on ipv6 recv path  Bluetooth 6lowpan.c netdev has header_ops, so it must set link-local header for RX skb, otherwise things crash, eg. with AF_PACKET SOCK_RAW  Add missing skb_reset_mac_header() for uncompressed ipv6 RX path.  For the compressed one, it is done in lowpan_header_decompress().  Log: (BlueZ 6lowpan-tester Client Recv Raw - Success) ------ kernel BUG at net/core/skbuff.c:212! Call Trace: <IRQ> ... packet_rcv (net/packet/af_packet.c:2152) ... <TASK> __local_bh_enable_ip (kernel/softirq.c:407) netif_rx (net/core/dev.c:5648) chan_recv_cb (net/bluetooth/6lowpan.c:294 net/bluetooth/6lowpan.c:359) ------",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40283",
                                "url": "https://ubuntu.com/security/CVE-2025-40283",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF  There is a KASAN: slab-use-after-free read in btusb_disconnect(). Calling \"usb_driver_release_interface(&btusb_driver, data->intf)\" will free the btusb data associated with the interface. The same data is then used later in the function, hence the UAF.  Fix by moving the accesses to btusb data to before the data is free'd.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40284",
                                "url": "https://ubuntu.com/security/CVE-2025-40284",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: cancel mesh send timer when hdev removed  mesh_send_done timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone.  Cancel the timer when MGMT removes the hdev, like other MGMT timers.  Should fix the BUG: sporadically seen by BlueZ test bot (in \"Mesh - Send cancel - 1\" test).  Log: ------ BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0 ... Freed by task 36:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  __kasan_save_free_info+0x3a/0x60  __kasan_slab_free+0x43/0x70  kfree+0x103/0x500  device_release+0x9a/0x210  kobject_put+0x100/0x1e0  vhci_release+0x18b/0x240 ------",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68210",
                                "url": "https://ubuntu.com/security/CVE-2025-68210",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: avoid infinite loop due to incomplete zstd-compressed data  Currently, the decompression logic incorrectly spins if compressed data is truncated in crafted (deliberately corrupted) images.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40285",
                                "url": "https://ubuntu.com/security/CVE-2025-40285",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/server: fix possible refcount leak in smb2_sess_setup()  The reference count of ksmbd_session leaks when the session needs to reconnect. Fix this by adding the missing ksmbd_user_session_put().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40286",
                                "url": "https://ubuntu.com/security/CVE-2025-40286",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/server: fix possible memory leak in smb2_read()  Memory leak occurs when ksmbd_vfs_read() fails. Fix this by adding the missing kvfree().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40287",
                                "url": "https://ubuntu.com/security/CVE-2025-40287",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exfat: fix improper check of dentry.stream.valid_size  We found an infinite loop bug in the exFAT file system that can lead to a Denial-of-Service (DoS) condition. When a dentry in an exFAT filesystem is malformed, the following system calls — SYS_openat, SYS_ftruncate, and SYS_pwrite64 — can cause the kernel to hang.  Root cause analysis shows that the size validation code in exfat_find() does not check whether dentry.stream.valid_size is negative. As a result, the system calls mentioned above can succeed and eventually trigger the DoS issue.  This patch adds a check for negative dentry.stream.valid_size to prevent this vulnerability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40288",
                                "url": "https://ubuntu.com/security/CVE-2025-40288",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices  Previously, APU platforms (and other scenarios with uninitialized VRAM managers) triggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root cause is not that the `struct ttm_resource_manager *man` pointer itself is NULL, but that `man->bdev` (the backing device pointer within the manager) remains uninitialized (NULL) on APUs—since APUs lack dedicated VRAM and do not fully set up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to acquire `man->bdev->lru_lock`, it dereferences the NULL `man->bdev`, leading to a kernel OOPS.  1. **amdgpu_cs.c**: Extend the existing bandwidth control check in    `amdgpu_cs_get_threshold_for_moves()` to include a check for    `ttm_resource_manager_used()`. If the manager is not used (uninitialized    `bdev`), return 0 for migration thresholds immediately—skipping VRAM-specific    logic that would trigger the NULL dereference.  2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info    reporting to use a conditional: if the manager is used, return the real VRAM    usage; otherwise, return 0. This avoids accessing `man->bdev` when it is    NULL.  3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function)    data write path. Use `ttm_resource_manager_used()` to check validity: if the    manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set    `fb_usage` to 0 (APUs have no discrete framebuffer to report).  
This approach is more robust than APU-specific checks because it: - Works for all scenarios where the VRAM manager is uninitialized (not just APUs), - Aligns with TTM's design by using its native helper function, - Preserves correct behavior for discrete GPUs (which have fully initialized   `man->bdev` and pass the `ttm_resource_manager_used()` check).  v4: use ttm_resource_manager_used(&adev->mman.vram_mgr.manager) instead of checking the adev->gmc.is_app_apu flag (Christian)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40289",
                                "url": "https://ubuntu.com/security/CVE-2025-40289",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM  Otherwise accessing them can cause a crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68201",
                                "url": "https://ubuntu.com/security/CVE-2025-68201",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: remove two invalid BUG_ON()s  Those can be triggered trivially by userspace.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68207",
                                "url": "https://ubuntu.com/security/CVE-2025-68207",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Synchronize Dead CT worker with unbind  Cancel and wait for any Dead CT worker to complete before continuing with device unbinding. Otherwise the worker will end up using resources freed by the unbind operation.  (cherry picked from commit 492671339114e376aaa38626d637a2751cdef263)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68244",
                                "url": "https://ubuntu.com/security/CVE-2025-68244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD  On completion of i915_vma_pin_ww(), a synchronous variant of dma_fence_work_commit() is called.  When pinning a VMA to GGTT address space on a Cherry View family processor, or on a Broxton generation SoC with VTD enabled, i.e., when stop_machine() is then called from intel_ggtt_bind_vma(), that can potentially lead to lock inversion among reservation_ww and cpu_hotplug locks.  [86.861179] ====================================================== [86.861193] WARNING: possible circular locking dependency detected [86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G     U [86.861226] ------------------------------------------------------ [86.861238] i915_module_loa/1432 is trying to acquire lock: [86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50 [86.861290] but task is already holding lock: [86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915] [86.862233] which lock already depends on the new lock. 
[86.862251] the existing dependency chain (in reverse order) is: [86.862265] -> #5 (reservation_ww_class_mutex){+.+.}-{3:3}: [86.862292]        dma_resv_lockdep+0x19a/0x390 [86.862315]        do_one_initcall+0x60/0x3f0 [86.862334]        kernel_init_freeable+0x3cd/0x680 [86.862353]        kernel_init+0x1b/0x200 [86.862369]        ret_from_fork+0x47/0x70 [86.862383]        ret_from_fork_asm+0x1a/0x30 [86.862399] -> #4 (reservation_ww_class_acquire){+.+.}-{0:0}: [86.862425]        dma_resv_lockdep+0x178/0x390 [86.862440]        do_one_initcall+0x60/0x3f0 [86.862454]        kernel_init_freeable+0x3cd/0x680 [86.862470]        kernel_init+0x1b/0x200 [86.862482]        ret_from_fork+0x47/0x70 [86.862495]        ret_from_fork_asm+0x1a/0x30 [86.862509] -> #3 (&mm->mmap_lock){++++}-{3:3}: [86.862531]        down_read_killable+0x46/0x1e0 [86.862546]        lock_mm_and_find_vma+0xa2/0x280 [86.862561]        do_user_addr_fault+0x266/0x8e0 [86.862578]        exc_page_fault+0x8a/0x2f0 [86.862593]        asm_exc_page_fault+0x27/0x30 [86.862607]        filldir64+0xeb/0x180 [86.862620]        kernfs_fop_readdir+0x118/0x480 [86.862635]        iterate_dir+0xcf/0x2b0 [86.862648]        __x64_sys_getdents64+0x84/0x140 [86.862661]        x64_sys_call+0x1058/0x2660 [86.862675]        do_syscall_64+0x91/0xe90 [86.862689]        entry_SYSCALL_64_after_hwframe+0x76/0x7e [86.862703] -> #2 (&root->kernfs_rwsem){++++}-{3:3}: [86.862725]        down_write+0x3e/0xf0 [86.862738]        kernfs_add_one+0x30/0x3c0 [86.862751]        kernfs_create_dir_ns+0x53/0xb0 [86.862765]        internal_create_group+0x134/0x4c0 [86.862779]        sysfs_create_group+0x13/0x20 [86.862792]        topology_add_dev+0x1d/0x30 [86.862806]        cpuhp_invoke_callback+0x4b5/0x850 [86.862822]        cpuhp_issue_call+0xbf/0x1f0 [86.862836]        __cpuhp_setup_state_cpuslocked+0x111/0x320 [86.862852]        __cpuhp_setup_state+0xb0/0x220 [86.862866]        topology_sysfs_init+0x30/0x50 [86.862879]        
do_one_initcall+0x60/0x3f0 [86.862893]        kernel_init_freeable+0x3cd/0x680 [86.862908]        kernel_init+0x1b/0x200 [86.862921]        ret_from_fork+0x47/0x70 [86.862934]        ret_from_fork_asm+0x1a/0x30 [86.862947] -> #1 (cpuhp_state_mutex){+.+.}-{3:3}: [86.862969]        __mutex_lock+0xaa/0xed0 [86.862982]        mutex_lock_nested+0x1b/0x30 [86.862995]        __cpuhp_setup_state_cpuslocked+0x67/0x320 [86.863012]        __cpuhp_setup_state+0xb0/0x220 [86.863026]        page_alloc_init_cpuhp+0x2d/0x60 [86.863041]        mm_core_init+0x22/0x2d0 [86.863054]        start_kernel+0x576/0xbd0 [86.863068]        x86_64_start_reservations+0x18/0x30 [86.863084]        x86_64_start_kernel+0xbf/0x110 [86.863098]        common_startup_64+0x13e/0x141 [86.863114] -> #0 (cpu_hotplug_lock){++++}-{0:0}: [86.863135]        __lock_acquire+0x16 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68316",
                                "url": "https://ubuntu.com/security/CVE-2025-68316",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: ufs: core: Fix invalid probe error return value  After DME Link Startup, the error return value is set to the MIPI UniPro GenericErrorCode which can be 0 (SUCCESS) or 1 (FAILURE).  Upon failure during driver probe, the error code 1 is propagated back to the driver probe function which must return a negative value to indicate an error, but 1 is not negative, so the probe is considered to be successful even though it failed.  Subsequently, removing the driver results in an oops because it is not in a valid state.  This happens because none of the callers of ufshcd_init() expect a non-negative error code.  Fix the return value and documentation to match actual usage.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40292",
                                "url": "https://ubuntu.com/security/CVE-2025-40292",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: fix received length check in big packets  Since commit 4959aebba8c0 (\"virtio-net: use mtu size as buffer length for big packets\"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi->big_packets_num_skbfrags.  Because the host announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce incorrect length), we need a check in virtio_net receive path. Currently, the check is not adapted to the new change which can lead to NULL page pointer dereference in the below while loop when receiving length that is larger than the allocated one.  This commit fixes the received length check corresponding to the new change.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68180",
                                "url": "https://ubuntu.com/security/CVE-2025-68180",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Fix NULL deref in debugfs odm_combine_segments  When a connector is connected but inactive (e.g., disabled by desktop environments), pipe_ctx->stream_res.tg will be destroyed. Then, reading odm_combine_segments causes kernel NULL pointer dereference.   BUG: kernel NULL pointer dereference, address: 0000000000000000  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  PGD 0 P4D 0  Oops: Oops: 0000 [#1] SMP NOPTI  CPU: 16 UID: 0 PID: 26474 Comm: cat Not tainted 6.17.0+ #2 PREEMPT(lazy) e6a17af9ee6db7c63e9d90dbe5b28ccab67520c6  Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN25WW 03/27/2025  RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]  Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>  RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286  RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8  RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000  RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0  R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08  R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001  FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0  PKRU: 55555554  Call Trace:   <TASK>   seq_read_iter+0x125/0x490   ? __alloc_frozen_pages_noprof+0x18f/0x350   seq_read+0x12c/0x170   full_proxy_read+0x51/0x80   vfs_read+0xbc/0x390   ? __handle_mm_fault+0xa46/0xef0   ? do_syscall_64+0x71/0x900   ksys_read+0x73/0xf0   do_syscall_64+0x71/0x900   ? count_memcg_events+0xc2/0x190   ? handle_mm_fault+0x1d7/0x2d0   ? do_user_addr_fault+0x21a/0x690   ? 
exc_page_fault+0x7e/0x1a0   entry_SYSCALL_64_after_hwframe+0x6c/0x74  RIP: 0033:0x7f44d4031687  Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00>  RSP: 002b:00007ffdb4b5f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000  RAX: ffffffffffffffda RBX: 00007f44d3f9f740 RCX: 00007f44d4031687  RDX: 0000000000040000 RSI: 00007f44d3f5e000 RDI: 0000000000000003  RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000  R10: 0000000000000000 R11: 0000000000000202 R12: 00007f44d3f5e000  R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000040000   </TASK>  Modules linked in: tls tcp_diag inet_diag xt_mark ccm snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device x>   snd_hda_codec_atihdmi snd_hda_codec_realtek_lib lenovo_wmi_helpers think_lmi snd_hda_codec_generic snd_hda_codec_hdmi snd_soc_core kvm snd_compress uvcvideo sn>   platform_profile joydev amd_pmc mousedev mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics loop nfnetlink ip_tables x_tables dm_cryp>  CR2: 0000000000000000  ---[ end trace 0000000000000000 ]---  RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]  Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>  RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286  RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8  RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000  RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0  R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08  R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001  FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000000 CR3: 00000006485c2000 
CR4: 0000000000f50ef0  PKRU: 55555554  Fix this by checking pipe_ctx-> ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40327",
                                "url": "https://ubuntu.com/security/CVE-2025-40327",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/core: Fix system hang caused by cpu-clock usage  cpu-clock usage by the async-profiler tool can trigger a system hang, which got bisected back to the following commit by Octavia Togami:    18dbcbfabfff (\"perf: Fix the POLL_HUP delivery breakage\") causes this issue  The root cause of the hang is that cpu-clock is a special type of SW event which relies on hrtimers. The __perf_event_overflow() callback is invoked from the hrtimer handler for cpu-clock events, and __perf_event_overflow() tries to call cpu_clock_event_stop() to stop the event, which calls htimer_cancel() to cancel the hrtimer.  But that's a recursion into the hrtimer code from a hrtimer handler, which (unsurprisingly) deadlocks.  To fix this bug, use hrtimer_try_to_cancel() instead, and set the PERF_HES_STOPPED flag, which causes perf_swevent_hrtimer() to stop the event once it sees the PERF_HES_STOPPED flag.  [ mingo: Fixed the comments and improved the changelog. ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40328",
                                "url": "https://ubuntu.com/security/CVE-2025-40328",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix potential UAF in smb2_close_cached_fid()  find_or_create_cached_dir() could grab a new reference after kref_put() had seen the refcount drop to zero but before cfid_list_lock is acquired in smb2_close_cached_fid(), leading to use-after-free.  Switch to kref_put_lock() so cfid_release() is called with cfid_list_lock held, closing that gap.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40291",
                                "url": "https://ubuntu.com/security/CVE-2025-40291",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring: fix regbuf vector size truncation  There is a report of io_estimate_bvec_size() truncating the calculated number of segments that leads to corruption issues. Check it doesn't overflow \"int\"s used later. Rough but simple, can be improved on top.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68322",
                                "url": "https://ubuntu.com/security/CVE-2025-68322",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  parisc: Avoid crash due to unaligned access in unwinder  Guenter Roeck reported this kernel crash on his emulated B160L machine:  Starting network: udhcpc: started, v1.36.1  Backtrace:   [<104320d4>] unwind_once+0x1c/0x5c   [<10434a00>] walk_stackframe.isra.0+0x74/0xb8   [<10434a6c>] arch_stack_walk+0x28/0x38   [<104e5efc>] stack_trace_save+0x48/0x5c   [<105d1bdc>] set_track_prepare+0x44/0x6c   [<105d9c80>] ___slab_alloc+0xfc4/0x1024   [<105d9d38>] __slab_alloc.isra.0+0x58/0x90   [<105dc80c>] kmem_cache_alloc_noprof+0x2ac/0x4a0   [<105b8e54>] __anon_vma_prepare+0x60/0x280   [<105a823c>] __vmf_anon_prepare+0x68/0x94   [<105a8b34>] do_wp_page+0x8cc/0xf10   [<105aad88>] handle_mm_fault+0x6c0/0xf08   [<10425568>] do_page_fault+0x110/0x440   [<10427938>] handle_interruption+0x184/0x748   [<11178398>] schedule+0x4c/0x190   BUG: spinlock recursion on CPU#0, ifconfig/2420   lock: terminate_lock.2+0x0/0x1c, .magic: dead4ead, .owner: ifconfig/2420, .owner_cpu: 0  While creating the stack trace, the unwinder uses the stack pointer to guess the previous frame to read the previous stack pointer from memory.  The crash happens, because the unwinder tries to read from unaligned memory and as such triggers the unalignment trap handler which then leads to the spinlock recursion and finally to a deadlock.  Fix it by checking the alignment before accessing the memory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40293",
                                "url": "https://ubuntu.com/security/CVE-2025-40293",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iommufd: Don't overflow during division for dirty tracking  If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow to 0 and this triggers divide by 0.  In this case the index should just be 0, so reorganize things to divide by shift and avoid hitting any overflows.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40294",
                                "url": "https://ubuntu.com/security/CVE-2025-40294",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()  In the parse_adv_monitor_pattern() function, the value of the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251). The size of the 'value' array in the mgmt_adv_pattern structure is 31. If the value of 'pattern[i].length' is set in the user space and exceeds 31, the 'patterns[i].value' array can be accessed out of bound when copied.  Increasing the size of the 'value' array in the 'mgmt_adv_pattern' structure will break the userspace. Considering this, and to avoid OOB access revert the limits for 'offset' and 'length' back to the value of HCI_MAX_AD_LENGTH.  Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40329",
                                "url": "https://ubuntu.com/security/CVE-2025-40329",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb  The Mesa issue referenced below pointed out a possible deadlock:  [ 1231.611031]  Possible interrupt unsafe locking scenario:  [ 1231.611033]        CPU0                    CPU1 [ 1231.611034]        ----                    ---- [ 1231.611035]   lock(&xa->xa_lock#17); [ 1231.611038]                                local_irq_disable(); [ 1231.611039]                                lock(&fence->lock); [ 1231.611041]                                lock(&xa->xa_lock#17); [ 1231.611044]   <Interrupt> [ 1231.611045]     lock(&fence->lock); [ 1231.611047]                 *** DEADLOCK ***  In this example, CPU0 would be any function accessing job->dependencies through the xa_* functions that don't disable interrupts (eg: drm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()).  CPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling callback so in an interrupt context. It will deadlock when trying to grab the xa_lock which is already held by CPU0.  Replacing all xa_* usage by their xa_*_irq counterparts would fix this issue, but Christian pointed out another issue: dma_fence_signal takes fence.lock and so does dma_fence_add_callback.    dma_fence_signal() // locks f1.lock   -> drm_sched_entity_kill_jobs_cb()   -> foreach dependencies      -> dma_fence_add_callback() // locks f2.lock  This will deadlock if f1 and f2 share the same spinlock.  To fix both issues, the code iterating on dependencies and re-arming them is moved out to drm_sched_entity_kill_jobs_work().  [phasta: commit message nits]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40295",
                                "url": "https://ubuntu.com/security/CVE-2025-40295",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT  When simulating an nvme device on qemu with both logical_block_size and physical_block_size set to 8 KiB, an error trace appears during partition table reading at boot time. The issue is caused by inode->i_blkbits being larger than PAGE_SHIFT, which leads to a left shift of -1 and triggering a UBSAN warning.  [    2.697306] ------------[ cut here ]------------ [    2.697309] UBSAN: shift-out-of-bounds in fs/crypto/inline_crypt.c:336:37 [    2.697311] shift exponent -1 is negative [    2.697315] CPU: 3 UID: 0 PID: 274 Comm: (udev-worker) Not tainted 6.18.0-rc2+ #34 PREEMPT(voluntary) [    2.697317] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [    2.697320] Call Trace: [    2.697324]  <TASK> [    2.697325]  dump_stack_lvl+0x76/0xa0 [    2.697340]  dump_stack+0x10/0x20 [    2.697342]  __ubsan_handle_shift_out_of_bounds+0x1e3/0x390 [    2.697351]  bh_get_inode_and_lblk_num.cold+0x12/0x94 [    2.697359]  fscrypt_set_bio_crypt_ctx_bh+0x44/0x90 [    2.697365]  submit_bh_wbc+0xb6/0x190 [    2.697370]  block_read_full_folio+0x194/0x270 [    2.697371]  ? __pfx_blkdev_get_block+0x10/0x10 [    2.697375]  ? __pfx_blkdev_read_folio+0x10/0x10 [    2.697377]  blkdev_read_folio+0x18/0x30 [    2.697379]  filemap_read_folio+0x40/0xe0 [    2.697382]  filemap_get_pages+0x5ef/0x7a0 [    2.697385]  ? mmap_region+0x63/0xd0 [    2.697389]  filemap_read+0x11d/0x520 [    2.697392]  blkdev_read_iter+0x7c/0x180 [    2.697393]  vfs_read+0x261/0x390 [    2.697397]  ksys_read+0x71/0xf0 [    2.697398]  __x64_sys_read+0x19/0x30 [    2.697399]  x64_sys_call+0x1e88/0x26a0 [    2.697405]  do_syscall_64+0x80/0x670 [    2.697410]  ? __x64_sys_newfstat+0x15/0x20 [    2.697414]  ? x64_sys_call+0x204a/0x26a0 [    2.697415]  ? 
do_syscall_64+0xb8/0x670 [    2.697417]  ? irqentry_exit_to_user_mode+0x2e/0x2a0 [    2.697420]  ? irqentry_exit+0x43/0x50 [    2.697421]  ? exc_page_fault+0x90/0x1b0 [    2.697422]  entry_SYSCALL_64_after_hwframe+0x76/0x7e [    2.697425] RIP: 0033:0x75054cba4a06 [    2.697426] Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 [    2.697427] RSP: 002b:00007fff973723a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000 [    2.697430] RAX: ffffffffffffffda RBX: 00005ea9a2c02760 RCX: 000075054cba4a06 [    2.697432] RDX: 0000000000002000 RSI: 000075054c190000 RDI: 000000000000001b [    2.697433] RBP: 00007fff973723c0 R08: 0000000000000000 R09: 0000000000000000 [    2.697434] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 [    2.697434] R13: 00005ea9a2c027c0 R14: 00005ea9a2be5608 R15: 00005ea9a2be55f0 [    2.697436]  </TASK> [    2.697436] ---[ end trace ]---  This situation can happen for block devices because when CONFIG_TRANSPARENT_HUGEPAGE is enabled, the maximum logical_block_size is 64 KiB. set_init_blocksize() then sets the block device inode->i_blkbits to 13, which is within this limit.  File I/O does not trigger this problem because for filesystems that do not support the FS_LBS feature, sb_set_blocksize() prevents sb->s_blocksize_bits from being larger than PAGE_SHIFT. During inode allocation, alloc_inode()->inode_init_always() assigns inode->i_blkbits from sb->s_blocksize_bits. Currently, only xfs_fs_type has the FS_LBS flag, and since xfs I/O paths do not reach submit_bh_wbc(), it does not hit the left-shift underflow issue.  [EB: use folio_pos() and consolidate the two shifts by i_blkbits]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40296",
                                "url": "https://ubuntu.com/security/CVE-2025-40296",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/x86: int3472: Fix double free of GPIO device during unregister  regulator_unregister() already frees the associated GPIO device. On ThinkPad X9 (Lunar Lake), this causes a double free issue that leads to random failures when other drivers (typically Intel THC) attempt to allocate interrupts. The root cause is that the reference count of the pinctrl_intel_platform module unexpectedly drops to zero when this driver defers its probe.  This behavior can also be reproduced by unloading the module directly.  Fix the issue by removing the redundant release of the GPIO device during regulator unregistration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40297",
                                "url": "https://ubuntu.com/security/CVE-2025-40297",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: bridge: fix use-after-free due to MST port state bypass  syzbot reported[1] a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its fdbs have been flushed. The port's state has been toggled to disabled so no learning should happen at that time, but if we have MST enabled, it will bypass the port's state, that together with VLAN filtering disabled can lead to fdb learning at a time when it shouldn't happen while the port is being deleted. VLAN filtering must be disabled because we flush the port VLANs when it's being deleted which will stop learning. This fix adds a check for the port's vlan group which is initialized to NULL when the port is getting deleted, that avoids the port state bypass. When MST is enabled there would be a minimal new overhead in the fast-path because the port's vlan group pointer is cache-hot.  [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68320",
                                "url": "https://ubuntu.com/security/CVE-2025-68320",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lan966x: Fix sleeping in atomic context  The following warning was seen when we try to connect using ssh to the device.  BUG: sleeping function called from invalid context at kernel/locking/mutex.c:575 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbear preempt_count: 1, expected: 0 INFO: lockdep is turned off. CPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G        W          6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONE Tainted: [W]=WARN Hardware name: Generic DT based system Call trace:  unwind_backtrace from show_stack+0x10/0x14  show_stack from dump_stack_lvl+0x7c/0xac  dump_stack_lvl from __might_resched+0x16c/0x2b0  __might_resched from __mutex_lock+0x64/0xd34  __mutex_lock from mutex_lock_nested+0x1c/0x24  mutex_lock_nested from lan966x_stats_get+0x5c/0x558  lan966x_stats_get from dev_get_stats+0x40/0x43c  dev_get_stats from dev_seq_printf_stats+0x3c/0x184  dev_seq_printf_stats from dev_seq_show+0x10/0x30  dev_seq_show from seq_read_iter+0x350/0x4ec  seq_read_iter from seq_read+0xfc/0x194  seq_read from proc_reg_read+0xac/0x100  proc_reg_read from vfs_read+0xb0/0x2b0  vfs_read from ksys_read+0x6c/0xec  ksys_read from ret_fast_syscall+0x0/0x1c Exception stack(0xf0b11fa8 to 0xf0b11ff0) 1fa0:                   00000001 00001000 00000008 be9048d8 00001000 00000001 1fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 00000001 1fe0: 0005404c be9048c0 00018684 b6ec2cd8  It seems that we are using a mutex in a atomic context which is wrong. Change the mutex with a spinlock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68169",
                                "url": "https://ubuntu.com/security/CVE-2025-68169",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netpoll: Fix deadlock in memory allocation under spinlock  Fix a AA deadlock in refill_skbs() where memory allocation while holding skb_pool->lock can trigger a recursive lock acquisition attempt.  The deadlock scenario occurs when the system is under severe memory pressure:  1. refill_skbs() acquires skb_pool->lock (spinlock) 2. alloc_skb() is called while holding the lock 3. Memory allocator fails and calls slab_out_of_memory() 4. This triggers printk() for the OOM warning 5. The console output path calls netpoll_send_udp() 6. netpoll_send_udp() attempts to acquire the same skb_pool->lock 7. Deadlock: the lock is already held by the same CPU  Call stack:   refill_skbs()     spin_lock_irqsave(&skb_pool->lock)    <- lock acquired     __alloc_skb()       kmem_cache_alloc_node_noprof()         slab_out_of_memory()           printk()             console_flush_all()               netpoll_send_udp()                 skb_dequeue()                   spin_lock_irqsave(&skb_pool->lock)     <- deadlock attempt  This bug was exposed by commit 248f6571fd4c51 (\"netpoll: Optimize skb refilling on critical path\") which removed refill_skbs() from the critical path (where nested printk was being deferred), letting nested printk being called from inside refill_skbs()  Refactor refill_skbs() to never allocate memory while holding the spinlock.  Another possible solution to fix this problem is protecting the refill_skbs() from nested printks, basically calling printk_deferred_{enter,exit}() in refill_skbs(), then, any nested pr_warn() would be deferred.  I prefer this approach, given I _think_ it might be a good idea to move the alloc_skb() from GFP_ATOMIC to GFP_KERNEL in the future, so, having the alloc_skb() outside of the lock will be necessary step.  
There is a possible TOCTOU issue when checking for the pool length, and queueing the new allocated skb, but, this is not an issue, given that an extra SKB in the pool is harmless and it will be eventually used.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68197",
                                "url": "https://ubuntu.com/security/CVE-2025-68197",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()  With older FW, we may get the ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER for FW trace data type that has not been initialized.  This will result in a crash in bnxt_bs_trace_type_wrap().  Add a guard to check for a valid magic_byte pointer before proceeding.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40330",
                                "url": "https://ubuntu.com/security/CVE-2025-40330",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Shutdown FW DMA in bnxt_shutdown()  The netif_close() call in bnxt_shutdown() only stops packet DMA.  There may be FW DMA for trace logging (recently added) that will continue.  If we kexec to a new kernel, the DMA will corrupt memory in the new kernel.  Add bnxt_hwrm_func_drv_unrgtr() to unregister the driver from the FW. This will stop the FW DMA.  In case the call fails, call pcie_flr() to reset the function and stop the DMA.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68192",
                                "url": "https://ubuntu.com/security/CVE-2025-68192",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup  Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. This can trigger kernel panics on ARM64 when xfrm or other subsystems access the offset due to strict alignment checks.  Initialize the MAC header to prevent such crashes.  This can trigger kernel panics on ARM when running IPsec over the qmimux0 interface.  Example trace:      Internal error: Oops: 000000009600004f [#1] SMP     CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1     Hardware name: LS1028A RDB Board (DT)     pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)     pc : xfrm_input+0xde8/0x1318     lr : xfrm_input+0x61c/0x1318     sp : ffff800080003b20     Call trace:      xfrm_input+0xde8/0x1318      xfrm6_rcv+0x38/0x44      xfrm6_esp_rcv+0x48/0xa8      ip6_protocol_deliver_rcu+0x94/0x4b0      ip6_input_finish+0x44/0x70      ip6_input+0x44/0xc0      ipv6_rcv+0x6c/0x114      __netif_receive_skb_one_core+0x5c/0x8c      __netif_receive_skb+0x18/0x60      process_backlog+0x78/0x17c      __napi_poll+0x38/0x180      net_rx_action+0x168/0x2f0",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40331",
                                "url": "https://ubuntu.com/security/CVE-2025-40331",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: Prevent TOCTOU out-of-bounds write  For the following path not holding the sock lock,    sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()  make sure not to exceed bounds in case the address list has grown between buffer allocation (time-of-check) and write (time-of-use).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68187",
                                "url": "https://ubuntu.com/security/CVE-2025-68187",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: mdio: Check regmap pointer returned by device_node_to_regmap()  The call to device_node_to_regmap() in airoha_mdio_probe() can return an ERR_PTR() if regmap initialization fails. Currently, the driver stores the pointer without validation, which could lead to a crash if it is later dereferenced.  Add an IS_ERR() check and return the corresponding error code to make the probe path more robust.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68167",
                                "url": "https://ubuntu.com/security/CVE-2025-68167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gpiolib: fix invalid pointer access in debugfs  If the memory allocation in gpiolib_seq_start() fails, the s->private field remains uninitialized and is later dereferenced without checking in gpiolib_seq_stop(). Initialize s->private to NULL before calling kzalloc() and check it before dereferencing it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68319",
                                "url": "https://ubuntu.com/security/CVE-2025-68319",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netconsole: Acquire su_mutex before navigating configs hierarchy  There is a race between operations that iterate over the userdata cg_children list and concurrent add/remove of userdata items through configfs. The update_userdata() function iterates over the nt->userdata_group.cg_children list, and count_extradata_entries() also iterates over this same list to count nodes.  Quoting from Documentation/filesystems/configfs.rst: > A subsystem can navigate the cg_children list and the ci_parent pointer > to see the tree created by the subsystem.  This can race with configfs' > management of the hierarchy, so configfs uses the subsystem mutex to > protect modifications.  Whenever a subsystem wants to navigate the > hierarchy, it must do so under the protection of the subsystem > mutex.  Without proper locking, if a userdata item is added or removed concurrently while these functions are iterating, the list can be accessed in an inconsistent state. For example, the list_for_each() loop can reach a node that is being removed from the list by list_del_init() which sets the nodes' .next pointer to point to itself, so the loop will never end (or reach the WARN_ON_ONCE in update_userdata() ).  Fix this by holding the configfs subsystem mutex (su_mutex) during all operations that iterate over cg_children. This includes: - userdatum_value_store() which calls update_userdata() to iterate over   cg_children - All sysdata_*_enabled_store() functions which call   count_extradata_entries() to iterate over cg_children  The su_mutex must be acquired before dynamic_netconsole_mutex to avoid potential lock ordering issues, as configfs operations may already hold su_mutex when calling into our code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40298",
                                "url": "https://ubuntu.com/security/CVE-2025-40298",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: Implement settime64 with -EOPNOTSUPP  ptp_clock_settime() assumes every ptp_clock has implemented settime64(). Stub it with -EOPNOTSUPP to prevent a NULL dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40299",
                                "url": "https://ubuntu.com/security/CVE-2025-40299",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: Implement gettimex64 with -EOPNOTSUPP  gve implemented a ptp_clock for sole use of do_aux_work at this time. ptp_clock_gettime() and ptp_sys_offset() assume every ptp_clock has implemented either gettimex64 or gettime64. Stub gettimex64 and return -EOPNOTSUPP to prevent NULL dereferencing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40301",
                                "url": "https://ubuntu.com/security/CVE-2025-40301",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: validate skb length for unknown CC opcode  In hci_cmd_complete_evt(), if the command complete event has an unknown opcode, we assume the first byte of the remaining skb->data contains the return status. However, parameter data has previously been pulled in hci_event_func(), which may leave the skb empty. If so, using skb->data[0] for the return status uses un-init memory.  The fix is to check skb->len before using skb->data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40358",
                                "url": "https://ubuntu.com/security/CVE-2025-40358",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: stacktrace: Disable KASAN checks for non-current tasks  Unwinding the stack of a task other than current, KASAN would report \"BUG: KASAN: out-of-bounds in walk_stackframe+0x41c/0x460\"  There is a same issue on x86 and has been resolved by the commit 84936118bdf3 (\"x86/unwind: Disable KASAN checks for non-current tasks\") The solution could be applied to RISC-V too.  This patch also can solve the issue: https://seclists.org/oss-sec/2025/q4/23  [pjw@kernel.org: clean up checkpatch issues]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68186",
                                "url": "https://ubuntu.com/security/CVE-2025-68186",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up  The function ring_buffer_map_get_reader() is a bit more strict than the other get reader functions, and except for certain situations the rb_get_reader_page() should not return NULL. If it does, it triggers a warning.  This warning was triggering but after looking at why, it was because another acceptable situation was happening and it wasn't checked for.  If the reader catches up to the writer and there's still data to be read on the reader page, then the rb_get_reader_page() will return NULL as there's no new page to get.  In this situation, the reader page should not be updated and no warning should trigger.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68184",
                                "url": "https://ubuntu.com/security/CVE-2025-68184",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/mediatek: Disable AFBC support on Mediatek DRM driver  Commit c410fa9b07c3 (\"drm/mediatek: Add AFBC support to Mediatek DRM driver\") added AFBC support to Mediatek DRM and enabled the 32x8/split/sparse modifier.  However, this is currently broken on Mediatek MT8188 (Genio 700 EVK platform); tested using upstream Kernel and Mesa (v25.2.1), AFBC is used by default since Mesa v25.0.  Kernel trace reports vblank timeouts constantly, and the render is garbled:  ``` [CRTC:62:crtc-0] vblank wait timed out WARNING: CPU: 7 PID: 70 at drivers/gpu/drm/drm_atomic_helper.c:1835 drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c [...] Hardware name: MediaTek Genio-700 EVK (DT) Workqueue: events_unbound commit_work pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c lr : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c sp : ffff80008337bca0 x29: ffff80008337bcd0 x28: 0000000000000061 x27: 0000000000000000 x26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c9dcc000 x23: 0000000000000001 x22: 0000000000000000 x21: ffff0000c66f2f80 x20: ffff0000c0d7d880 x19: 0000000000000000 x18: 000000000000000a x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000000 x14: 0000000000000000 x13: 74756f2064656d69 x12: 742074696177206b x11: 0000000000000058 x10: 0000000000000018 x9 : ffff800082396a70 x8 : 0000000000057fa8 x7 : 0000000000000cce x6 : ffff8000823eea70 x5 : ffff0001fef5f408 x4 : ffff80017ccee000 x3 : ffff0000c12cb480 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c12cb480 Call trace:  drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c (P)  drm_atomic_helper_commit_tail_rpm+0x64/0x80  commit_tail+0xa4/0x1a4  commit_work+0x14/0x20  process_one_work+0x150/0x290  worker_thread+0x2d0/0x3ec  kthread+0x12c/0x210  ret_from_fork+0x10/0x20 ---[ end trace 
0000000000000000 ]--- ```  Until this gets fixed upstream, disable AFBC support on this platform, as it's currently broken with upstream Mesa.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40302",
                                "url": "https://ubuntu.com/security/CVE-2025-40302",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: videobuf2: forbid remove_bufs when legacy fileio is active  vb2_ioctl_remove_bufs() call manipulates queue internal buffer list, potentially overwriting some pointers used by the legacy fileio access mode. Forbid that ioctl when fileio is active to protect internal queue state between subsequent read/write calls.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40303",
                                "url": "https://ubuntu.com/security/CVE-2025-40303",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: ensure no dirty metadata is written back for an fs with errors  [BUG] During development of a minor feature (make sure all btrfs_bio::end_io() is called in task context), I noticed a crash in generic/388, where metadata writes triggered new works after btrfs_stop_all_workers().  It turns out that it can even happen without any code modification, just using RAID5 for metadata and the same workload from generic/388 is going to trigger the use-after-free.  [CAUSE] If btrfs hits an error, the fs is marked as error, no new transaction is allowed thus metadata is in a frozen state.  But there are some metadata modifications before that error, and they are still in the btree inode page cache.  Since there will be no real transaction commit, all those dirty folios are just kept as is in the page cache, and they can not be invalidated by invalidate_inode_pages2() call inside close_ctree(), because they are dirty.  And finally after btrfs_stop_all_workers(), we call iput() on btree inode, which triggers writeback of those dirty metadata.  And if the fs is using RAID56 metadata, this will trigger RMW and queue new works into rmw_workers, which is already stopped, causing warning from queue_work() and use-after-free.  [FIX] Add a special handling for write_one_eb(), that if the fs is already in an error state, immediately mark the bbio as failure, instead of really submitting them.  Then during close_ctree(), iput() will just discard all those dirty tree blocks without really writing them back, thus no more new jobs for already stopped-and-freed workqueues.  The extra discard in write_one_eb() also acts as an extra safenet. E.g. the transaction abort is triggered by some extent/free space tree corruptions, and since extent/free space tree is already corrupted some tree blocks may be allocated where they shouldn't be (overwriting existing tree blocks). 
In that case writing them back will further corrupting the fs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40362",
                                "url": "https://ubuntu.com/security/CVE-2025-40362",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ceph: fix multifs mds auth caps issue  The mds auth caps check should also validate the fsname along with the associated caps. Not doing so would result in applying the mds auth caps of one fs on to the other fs in a multifs ceph cluster. The bug causes multiple issues w.r.t user authentication, following is one such example.  Steps to Reproduce (on vstart cluster): 1. Create two file systems in a cluster, say 'fsname1' and 'fsname2' 2. Authorize read only permission to the user 'client.usr' on fs 'fsname1'     $ceph fs authorize fsname1 client.usr / r 3. Authorize read and write permission to the same user 'client.usr' on fs 'fsname2'     $ceph fs authorize fsname2 client.usr / rw 4. Update the keyring     $ceph auth get client.usr >> ./keyring  With above permssions for the user 'client.usr', following is the expectation.   a. The 'client.usr' should be able to only read the contents      and not allowed to create or delete files on file system 'fsname1'.   b. The 'client.usr' should be able to read/write on file system 'fsname2'.  But, with this bug, the 'client.usr' is allowed to read/write on file system 'fsname1'. See below.  5. Mount the file system 'fsname1' with the user 'client.usr'      $sudo bin/mount.ceph usr@.fsname1=/ /kmnt_fsname1_usr/ 6. Try creating a file on file system 'fsname1' with user 'client.usr'. This    should fail but passes with this bug.      $touch /kmnt_fsname1_usr/file1 7. Mount the file system 'fsname1' with the user 'client.admin' and create a    file.      $sudo bin/mount.ceph admin@.fsname1=/ /kmnt_fsname1_admin      $echo \"data\" > /kmnt_fsname1_admin/admin_file1 8. Try removing an existing file on file system 'fsname1' with the user    'client.usr'. This shoudn't succeed but succeeds with the bug.      
$rm -f /kmnt_fsname1_usr/admin_file1  For more information, please take a look at the corresponding mds/fuse patch and tests added by looking into the tracker mentioned below.  v2: Fix a possible null dereference in doutc v3: Don't store fsname from mdsmap, validate against     ceph_mount_options's fsname and use it v4: Code refactor, better warning message and     fix possible compiler warning  [ Slava.Dubeyko: \"fsname check failed\" -> \"fsname mismatch\" ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40332",
                                "url": "https://ubuntu.com/security/CVE-2025-40332",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Fix mmap write lock not release  If mmap write lock is taken while draining retry fault, mmap write lock is not released because svm_range_restore_pages calls mmap_read_unlock then returns. This causes deadlock and system hangs later because mmap read or write lock cannot be taken.  Downgrade mmap write lock to read lock if draining retry fault fix this bug.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40304",
                                "url": "https://ubuntu.com/security/CVE-2025-40304",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds  Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen edges. Return early if the Y position is off-screen and clip image height to screen boundary. Break from the rendering loop if the X position is off-screen. When clipping image width to fit the screen, update the character count to match the clipped width to prevent buffer size mismatches.  Without the character count update, bit_putcs_aligned and bit_putcs_unaligned receive mismatched parameters where the buffer is allocated for the clipped width but cnt reflects the original larger count, causing out-of-bounds writes.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40305",
                                "url": "https://ubuntu.com/security/CVE-2025-40305",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN  p9_read_work() doesn't set Rworksched and doesn't do schedule_work(m->rq) if list_empty(&m->req_list).  However, if the pipe is full, we need to read more data and this used to work prior to commit aaec5a95d59615 (\"pipe_read: don't wake up the writer if the pipe is still full\").  p9_read_work() does p9_fd_read() -> ... -> anon_pipe_read() which (before the commit above) triggered the unnecessary wakeup. This wakeup calls p9_pollwake() which kicks p9_poll_workfn() -> p9_poll_mux(), p9_poll_mux() will notice EPOLLIN and schedule_work(&m->rq).  This no longer happens after the optimization above, change p9_fd_request() to use p9_poll_mux() instead of only checking for EPOLLOUT.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68318",
                                "url": "https://ubuntu.com/security/CVE-2025-68318",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL  The AXI crossbar of TH1520 has no proper timeout handling, which means gating AXI clocks can easily lead to bus timeout and thus system hang.  Set all AXI clock gates to CLK_IS_CRITICAL. All these clock gates are ungated by default on system reset.  In addition, convert all current CLK_IGNORE_UNUSED usage to CLK_IS_CRITICAL to prevent unwanted clock gating.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40209",
                                "url": "https://ubuntu.com/security/CVE-2025-40209",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation  When btrfs_add_qgroup_relation() is called with invalid qgroup levels (src >= dst), the function returns -EINVAL directly without freeing the preallocated qgroup_list structure passed by the caller. This causes a memory leak because the caller unconditionally sets the pointer to NULL after the call, preventing any cleanup.  The issue occurs because the level validation check happens before the mutex is acquired and before any error handling path that would free the prealloc pointer. On this early return, the cleanup code at the 'out' label (which includes kfree(prealloc)) is never reached.  In btrfs_ioctl_qgroup_assign(), the code pattern is:      prealloc = kzalloc(sizeof(*prealloc), GFP_KERNEL);     ret = btrfs_add_qgroup_relation(trans, sa->src, sa->dst, prealloc);     prealloc = NULL;  // Always set to NULL regardless of return value     ...     kfree(prealloc);  // This becomes kfree(NULL), does nothing  When the level check fails, 'prealloc' is never freed by either the callee or the caller, resulting in a 64-byte memory leak per failed operation. This can be triggered repeatedly by an unprivileged user with access to a writable btrfs mount, potentially exhausting kernel memory.  Fix this by freeing prealloc before the early return, ensuring prealloc is always freed on all error paths.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-21 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68183",
                                "url": "https://ubuntu.com/security/CVE-2025-68183",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr  Currently when both IMA and EVM are in fix mode, the IMA signature will be reset to IMA hash if a program first stores IMA signature in security.ima and then writes/removes some other security xattr for the file.  For example, on Fedora, after booting the kernel with \"ima_appraise=fix evm=fix ima_policy=appraise_tcb\" and installing rpm-plugin-ima, installing/reinstalling a package will not make good reference IMA signature generated. Instead IMA hash is generated,      # getfattr -m - -d -e hex /usr/bin/bash     # file: usr/bin/bash     security.ima=0x0404...  This happens because when setting security.selinux, the IMA_DIGSIG flag that had been set early was cleared. As a result, IMA hash is generated when the file is closed.  Similarly, IMA signature can be cleared on file close after removing security xattr like security.evm or setting/removing ACL.  Prevent replacing the IMA file signature with a file hash, by preventing the IMA_DIGSIG flag from being reset.  
Here's a minimal C reproducer which sets security.selinux as the last step which can also replaced by removing security.evm or setting ACL,      #include <stdio.h>     #include <sys/xattr.h>     #include <fcntl.h>     #include <unistd.h>     #include <string.h>     #include <stdlib.h>      int main() {         const char* file_path = \"/usr/sbin/test_binary\";         const char* hex_string = \"030204d33204490066306402304\";         int length = strlen(hex_string);         char* ima_attr_value;         int fd;          fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);         if (fd == -1) {             perror(\"Error opening file\");             return 1;         }          ima_attr_value = (char*)malloc(length / 2 );         for (int i = 0, j = 0; i < length; i += 2, j++) {             sscanf(hex_string + i, \"%2hhx\", &ima_attr_value[j]);         }          if (fsetxattr(fd, \"security.ima\", ima_attr_value, length/2, 0) == -1) {             perror(\"Error setting extended attribute\");             close(fd);             return 1;         }          const char* selinux_value= \"system_u:object_r:bin_t:s0\";         if (fsetxattr(fd, \"security.selinux\", selinux_value, strlen(selinux_value), 0) == -1) {             perror(\"Error setting extended attribute\");             close(fd);             return 1;         }          close(fd);          return 0;     }",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68173",
                                "url": "https://ubuntu.com/security/CVE-2025-68173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ftrace: Fix softlockup in ftrace_module_enable  A soft lockup was observed when loading amdgpu module. If a module has a lot of tracable functions, multiple calls to kallsyms_lookup can spend too much time in RCU critical section and with disabled preemption, causing kernel panic. This is the same issue that was fixed in commit d0b24b4e91fc (\"ftrace: Prevent RCU stall on PREEMPT_VOLUNTARY kernels\") and commit 42ea22e754ba (\"ftrace: Add cond_resched() to ftrace_graph_set_hash()\").  Fix it the same way by adding cond_resched() in ftrace_module_enable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40306",
                                "url": "https://ubuntu.com/security/CVE-2025-40306",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  orangefs: fix xattr related buffer overflow...  Willy Tarreau <w@1wt.eu> forwarded me a message from Disclosure <disclosure@aisle.com> with the following warning:  > The helper `xattr_key()` uses the pointer variable in the loop condition > rather than dereferencing it. As `key` is incremented, it remains non-NULL > (until it runs into unmapped memory), so the loop does not terminate on > valid C strings and will walk memory indefinitely, consuming CPU or hanging > the thread.  I easily reproduced this with setfattr and getfattr, causing a kernel oops, hung user processes and corrupted orangefs files. Disclosure sent along a diff (not a patch) with a suggested fix, which I based this patch on.  After xattr_key started working right, xfstest generic/069 exposed an xattr related memory leak that lead to OOM. xattr_key returns a hashed key.  When adding xattrs to the orangefs xattr cache, orangefs used hash_add, a kernel hashing macro. hash_add also hashes the key using hash_log which resulted in additions to the xattr cache going to the wrong hash bucket. generic/069 tortures a single file and orangefs does a getattr for the xattr \"security.capability\" every time. Orangefs negative caches on xattrs which includes a kmalloc. Since adds to the xattr cache were going to the wrong bucket, every getattr for \"security.capability\" resulted in another kmalloc, none of which were ever freed.  I changed the two uses of hash_add to hlist_add_head instead and the memory leak ceased and generic/069 quit throwing furniture.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40307",
                                "url": "https://ubuntu.com/security/CVE-2025-40307",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exfat: validate cluster allocation bits of the allocation bitmap  syzbot created an exfat image with cluster bits not set for the allocation bitmap. exfat-fs reads and uses the allocation bitmap without checking this. The problem is that if the start cluster of the allocation bitmap is 6, cluster 6 can be allocated when creating a directory with mkdir. exfat zeros out this cluster in exfat_mkdir, which can delete existing entries. This can reallocate the allocated entries. In addition, the allocation bitmap is also zeroed out, so cluster 6 can be reallocated. This patch adds exfat_test_bitmap_range to validate that clusters used for the allocation bitmap are correctly marked as in-use.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40308",
                                "url": "https://ubuntu.com/security/CVE-2025-40308",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: bcsp: receive data only if registered  Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace:      KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]     RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590     Call Trace:      <TASK>      hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627      tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290      tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706      vfs_ioctl fs/ioctl.c:51 [inline]      __do_sys_ioctl fs/ioctl.c:907 [inline]      __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893      do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]      do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94      entry_SYSCALL_64_after_hwframe+0x77/0x7f  To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40309",
                                "url": "https://ubuntu.com/security/CVE-2025-40309",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: SCO: Fix UAF on sco_conn_free  BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline] BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline] BUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 Write of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352  CPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted 6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci13 hci_cmd_sync_work Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0x191/0x550 mm/kasan/report.c:482  kasan_report+0xc4/0x100 mm/kasan/report.c:595  sco_conn_free net/bluetooth/sco.c:87 [inline]  kref_put include/linux/kref.h:65 [inline]  sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107  sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441  hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]  hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313  hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121  hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147  hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689  hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332  process_one_work kernel/workqueue.c:3236 [inline]  process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319  worker_thread+0xbee/0x1200 kernel/workqueue.c:3400  kthread+0x3c7/0x870 kernel/kthread.c:463  ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 31370:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x70 mm/kasan/common.c:68  poison_kmalloc_redzone 
mm/kasan/common.c:388 [inline]  __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405  kasan_kmalloc include/linux/kasan.h:260 [inline]  __do_kmalloc_node mm/slub.c:4382 [inline]  __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394  kmalloc_noprof include/linux/slab.h:909 [inline]  sk_prot_alloc+0xae/0x220 net/core/sock.c:2239  sk_alloc+0x34/0x5a0 net/core/sock.c:2295  bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151  sco_sock_alloc net/bluetooth/sco.c:562 [inline]  sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593  bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135  __sock_create+0x3ad/0x780 net/socket.c:1589  sock_create net/socket.c:1647 [inline]  __sys_socket_create net/socket.c:1684 [inline]  __sys_socket+0xd5/0x330 net/socket.c:1731  __do_sys_socket net/socket.c:1745 [inline]  __se_sys_socket net/socket.c:1743 [inline]  __x64_sys_socket+0x7a/0x90 net/socket.c:1743  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 31374:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x70 mm/kasan/common.c:68  kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576  poison_slab_object mm/kasan/common.c:243 [inline]  __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275  kasan_slab_free include/linux/kasan.h:233 [inline]  slab_free_hook mm/slub.c:2428 [inline]  slab_free mm/slub.c:4701 [inline]  kfree+0x199/0x3b0 mm/slub.c:4900  sk_prot_free net/core/sock.c:2278 [inline]  __sk_destruct+0x4aa/0x630 net/core/sock.c:2373  sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333  __sock_release net/socket.c:649 [inline]  sock_close+0xb8/0x230 net/socket.c:1439  __fput+0x3d1/0x9e0 fs/file_table.c:468  task_work_run+0x206/0x2a0 kernel/task_work.c:227  get_signal+0x1201/0x1410 kernel/signal.c:2807  arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337  exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40  exit_to_user_mode_prepare 
include/linux/irq-entry-common.h:225 [inline]  s ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68174",
                                "url": "https://ubuntu.com/security/CVE-2025-68174",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  amd/amdkfd: enhance kfd process check in switch partition  current switch partition only check if kfd_processes_table is empty. kfd_prcesses_table entry is deleted in kfd_process_notifier_release, but kfd_process tear down is in kfd_process_wq_release.  consider two processes:  Process A (workqueue) -> kfd_process_wq_release -> Access kfd_node member Process B switch partition -> amdgpu_xcp_pre_partition_switch -> amdgpu_amdkfd_device_fini_sw -> kfd_node tear down.  Process A and B may trigger a race as shown in dmesg log.  This patch is to resolve the race by adding an atomic kfd_process counter kfd_processes_count, it increment as create kfd process, decrement as finish kfd_process_wq_release.  v2: Put kfd_processes_count per kfd_dev, move decrement to kfd_process_destroy_pdds and bug fix. (Philip Yang)  [3966658.307702] divide error: 0000 [#1] SMP NOPTI [3966658.350818]  i10nm_edac [3966658.356318] CPU: 124 PID: 38435 Comm: kworker/124:0 Kdump: loaded Tainted [3966658.356890] Workqueue: kfd_process_wq kfd_process_wq_release [amdgpu] [3966658.362839]  nfit [3966658.366457] RIP: 0010:kfd_get_num_sdma_engines+0x17/0x40 [amdgpu] [3966658.366460] Code: 00 00 e9 ac 81 02 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 0f 1f 44 00 00 48 8b 4f 08 48 8b b7 00 01 00 00 8b 81 58 26 03 00 99 <f7> be b8 01 00 00 80 b9 70 2e 00 00 00 74 0b 83 f8 02 ba 02 00 00 [3966658.380967]  x86_pkg_temp_thermal [3966658.391529] RSP: 0018:ffffc900a0edfdd8 EFLAGS: 00010246 [3966658.391531] RAX: 0000000000000008 RBX: ffff8974e593b800 RCX: ffff888645900000 [3966658.391531] RDX: 0000000000000000 RSI: ffff888129154400 RDI: ffff888129151c00 [3966658.391532] RBP: ffff8883ad79d400 R08: 0000000000000000 R09: ffff8890d2750af4 [3966658.391532] R10: 0000000000000018 R11: 0000000000000018 R12: 0000000000000000 [3966658.391533] R13: ffff8883ad79d400 R14: ffffe87ff662ba00 R15: ffff8974e593b800 
[3966658.391533] FS:  0000000000000000(0000) GS:ffff88fe7f600000(0000) knlGS:0000000000000000 [3966658.391534] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [3966658.391534] CR2: 0000000000d71000 CR3: 000000dd0e970004 CR4: 0000000002770ee0 [3966658.391535] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [3966658.391535] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [3966658.391536] PKRU: 55555554 [3966658.391536] Call Trace: [3966658.391674]  deallocate_sdma_queue+0x38/0xa0 [amdgpu] [3966658.391762]  process_termination_cpsch+0x1ed/0x480 [amdgpu] [3966658.399754]  intel_powerclamp [3966658.402831]  kfd_process_dequeue_from_all_devices+0x5b/0xc0 [amdgpu] [3966658.402908]  kfd_process_wq_release+0x1a/0x1a0 [amdgpu] [3966658.410516]  coretemp [3966658.434016]  process_one_work+0x1ad/0x380 [3966658.434021]  worker_thread+0x49/0x310 [3966658.438963]  kvm_intel [3966658.446041]  ? process_one_work+0x380/0x380 [3966658.446045]  kthread+0x118/0x140 [3966658.446047]  ? 
__kthread_bind_mask+0x60/0x60 [3966658.446050]  ret_from_fork+0x1f/0x30 [3966658.446053] Modules linked in: kpatch_20765354(OEK) [3966658.455310]  kvm [3966658.464534]  mptcp_diag xsk_diag raw_diag unix_diag af_packet_diag netlink_diag udp_diag act_pedit act_mirred act_vlan cls_flower kpatch_21951273(OEK) kpatch_18424469(OEK) kpatch_19749756(OEK) [3966658.473462]  idxd_mdev [3966658.482306]  kpatch_17971294(OEK) sch_ingress xt_conntrack amdgpu(OE) amdxcp(OE) amddrm_buddy(OE) amd_sched(OE) amdttm(OE) amdkcl(OE) intel_ifs iptable_mangle tcm_loop target_core_pscsi tcp_diag target_core_file inet_diag target_core_iblock target_core_user target_core_mod coldpgs kpatch_18383292(OEK) ip6table_nat ip6table_filter ip6_tables ip_set_hash_ipportip ip_set_hash_ipportnet ip_set_hash_ipport ip_set_bitmap_port xt_comment iptable_nat nf_nat iptable_filter ip_tables ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 sn_core_odd(OE) i40e overlay binfmt_misc tun bonding(OE) aisqos(OE) aisqo ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40310",
                                "url": "https://ubuntu.com/security/CVE-2025-40310",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw  There is race in amdgpu_amdkfd_device_fini_sw and interrupt. if amdgpu_amdkfd_device_fini_sw run in b/w kfd_cleanup_nodes and   kfree(kfd), and KGD interrupt generated.  kernel panic log:  BUG: kernel NULL pointer dereference, address: 0000000000000098 amdgpu 0000:c8:00.0: amdgpu: Requesting 4 partitions through PSP  PGD d78c68067 P4D d78c68067  kfd kfd: amdgpu: Allocated 3969056 bytes on gart  PUD 1465b8067 PMD @  Oops: @002 [#1] SMP NOPTI  kfd kfd: amdgpu: Total number of KFD nodes to be created: 4 CPU: 115 PID: @ Comm: swapper/115 Kdump: loaded Tainted: G S W OE K  RIP: 0010:_raw_spin_lock_irqsave+0x12/0x40  Code: 89 e@ 41 5c c3 cc cc cc cc 66 66 2e Of 1f 84 00 00 00 00 00 OF 1f 40 00 Of 1f 44% 00 00 41 54 9c 41 5c fa 31 cO ba 01 00 00 00 <fO> OF b1 17 75 Ba 4c 89 e@ 41 Sc  89 c6 e8 07 38 5d  RSP: 0018: ffffc90@1a6b0e28 EFLAGS: 00010046  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000018 0000000000000001 RSI: ffff8883bb623e00 RDI: 0000000000000098 ffff8883bb000000 RO8: ffff888100055020 ROO: ffff888100055020 0000000000000000 R11: 0000000000000000 R12: 0900000000000002 ffff888F2b97da0@ R14: @000000000000098 R15: ffff8883babdfo00  CS: 010 DS: 0000 ES: 0000 CRO: 0000000080050033  CR2: 0000000000000098 CR3: 0000000e7cae2006 CR4: 0000000002770ce0 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 0000000000000000 DR6: 00000000fffeO7FO DR7: 0000000000000400  PKRU: 55555554  Call Trace:  <IRQ>  kgd2kfd_interrupt+@x6b/0x1f@ [amdgpu]  ? 
amdgpu_fence_process+0xa4/0x150 [amdgpu]  kfd kfd: amdgpu: Node: 0, interrupt_bitmap: 3 YcpxFl Rant tErace  amdgpu_irq_dispatch+0x165/0x210 [amdgpu]  amdgpu_ih_process+0x80/0x100 [amdgpu]  amdgpu: Virtual CRAT table created for GPU  amdgpu_irq_handler+0x1f/@x60 [amdgpu]  __handle_irq_event_percpu+0x3d/0x170  amdgpu: Topology: Add dGPU node [0x74a2:0x1002]  handle_irq_event+0x5a/@xcO  handle_edge_irq+0x93/0x240  kfd kfd: amdgpu: KFD node 1 partition @ size 49148M  asm_call_irq_on_stack+0xf/@x20  </IRQ>  common_interrupt+0xb3/0x130  asm_common_interrupt+0x1le/0x40  5.10.134-010.a1i5000.a18.x86_64 #1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40361",
                                "url": "https://ubuntu.com/security/CVE-2025-40361",
                                "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40311",
                                "url": "https://ubuntu.com/security/CVE-2025-40311",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/habanalabs: support mapping cb with vmalloc-backed coherent memory  When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return addresses from the vmalloc range. If such an address is mapped without VM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the VM_PFNMAP restriction.  Fix this by checking for vmalloc addresses and setting VM_MIXEDMAP in the VMA before mapping. This ensures safe mapping and avoids kernel crashes. The memory is still driver-allocated and cannot be accessed directly by userspace.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68185",
                                "url": "https://ubuntu.com/security/CVE-2025-68185",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing  Theoretically it's an oopsable race, but I don't believe one can manage to hit it on real hardware; might become doable on a KVM, but it still won't be easy to attack.  Anyway, it's easy to deal with - since xdr_encode_hyper() is just a call of put_unaligned_be64(), we can put that under ->d_lock and be done with that.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68176",
                                "url": "https://ubuntu.com/security/CVE-2025-68176",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: cadence: Check for the existence of cdns_pcie::ops before using it  cdns_pcie::ops might not be populated by all the Cadence glue drivers. This is going to be true for the upcoming Sophgo platform which doesn't set the ops.  Hence, add a check to prevent NULL pointer dereference.  [mani: reworded subject and description]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68190",
                                "url": "https://ubuntu.com/security/CVE-2025-68190",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()  kcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws remains NULL while ectx.ws_size is set, leading to a potential NULL pointer dereference in atom_get_src_int() when accessing WS entries.  Return -ENOMEM on allocation failure to avoid the NULL dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68168",
                                "url": "https://ubuntu.com/security/CVE-2025-68168",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  jfs: fix uninitialized waitqueue in transaction manager  The transaction manager initialization in txInit() was not properly initializing TxBlock[0].waitor waitqueue, causing a crash when txEnd(0) is called on read-only filesystems.  When a filesystem is mounted read-only, txBegin() returns tid=0 to indicate no transaction. However, txEnd(0) still gets called and tries to access TxBlock[0].waitor via tid_to_tblock(0), but this waitqueue was never initialized because the initialization loop started at index 1 instead of 0.  This causes a 'non-static key' lockdep warning and system crash:   INFO: trying to register non-static key in txEnd  Fix by ensuring all transaction blocks including TxBlock[0] have their waitqueues properly initialized during txInit().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40312",
                                "url": "https://ubuntu.com/security/CVE-2025-40312",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  jfs: Verify inode mode when loading from disk  The inode mode loaded from corrupted disk can be invalid. Do like what commit 0a9e74051313 (\"isofs: Verify inode mode when loading from disk\") does.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40333",
                                "url": "https://ubuntu.com/security/CVE-2025-40333",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix infinite loop in __insert_extent_tree()  When we get wrong extent info data, and look up extent_node in rb tree, it will cause infinite loop (CONFIG_F2FS_CHECK_FS=n). Avoiding this by return NULL and print some kernel messages in that case.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68321",
                                "url": "https://ubuntu.com/security/CVE-2025-68321",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  page_pool: always add GFP_NOWARN for ATOMIC allocations  Driver authors often forget to add GFP_NOWARN for page allocation from the datapath. This is annoying to users as OOMs are a fact of life, and we pretty much expect network Rx to hit page allocation failures during OOM. Make page pool add GFP_NOWARN for ATOMIC allocations by default.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40334",
                                "url": "https://ubuntu.com/security/CVE-2025-40334",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: validate userq buffer virtual address and size  It needs to validate the userq object virtual address to determine whether it is residented in a valid vm mapping.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68191",
                                "url": "https://ubuntu.com/security/CVE-2025-68191",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  udp_tunnel: use netdev_warn() instead of netdev_WARN()  netdev_WARN() uses WARN/WARN_ON to print a backtrace along with file and line information. In this case, udp_tunnel_nic_register() returning an error is just a failed operation, not a kernel bug.  udp_tunnel_nic_register() can fail due to a memory allocation failure (kzalloc() or udp_tunnel_nic_alloc()). This is a normal runtime error and not a kernel bug.  Replace netdev_WARN() with netdev_warn() accordingly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68309",
                                "url": "https://ubuntu.com/security/CVE-2025-68309",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI/AER: Fix NULL pointer access by aer_info  The kzalloc(GFP_KERNEL) may return NULL, so all accesses to aer_info->xxx will result in kernel panic. Fix it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40313",
                                "url": "https://ubuntu.com/security/CVE-2025-40313",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ntfs3: pretend $Extend records as regular files  Since commit af153bb63a33 (\"vfs: catch invalid modes in may_open()\") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/ S_IFIFO/S_IFSOCK type, use S_IFREG for $Extend records.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40335",
                                "url": "https://ubuntu.com/security/CVE-2025-40335",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: validate userq input args  This will help on validating the userq input args, and rejecting for the invalid userq request at the IOCTLs first place.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40314",
                                "url": "https://ubuntu.com/security/CVE-2025-40314",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget  In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget structure (pdev->gadget) was freed before its endpoints. The endpoints are linked via the ep_list in the gadget structure. Freeing the gadget first leaves dangling pointers in the endpoint list. When the endpoints are subsequently freed, this results in a use-after-free.  Fix: By separating the usb_del_gadget_udc() operation into distinct \"del\" and \"put\" steps, cdnsp_gadget_free_endpoints() can be executed prior to the final release of the gadget structure with usb_put_gadget().  A patch similar to bb9c74a5bd14(\"usb: dwc3: gadget: Free gadget structure  only after freeing endpoints\").",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40336",
                                "url": "https://ubuntu.com/security/CVE-2025-40336",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gpusvm: fix hmm_pfn_to_map_order() usage  Handle the case where the hmm range partially covers a huge page (like 2M), otherwise we can potentially end up doing something nasty like mapping memory which is outside the range, and maybe not even mapped by the mm. Fix is based on the xe userptr code, which in a future patch will directly use gpusvm, so needs alignment here.  v2:   - Add kernel-doc (Matt B)   - s/fls/ilog2/ (Thomas)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68193",
                                "url": "https://ubuntu.com/security/CVE-2025-68193",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Add devm release action to safely tear down CT  When a buffer object (BO) is allocated with the XE_BO_FLAG_GGTT_INVALIDATE flag, the driver initiates TLB invalidation requests via the CTB mechanism while releasing the BO. However a premature release of the CTB BO can lead to system crashes, as observed in:  Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:h2g_write+0x2f3/0x7c0 [xe] Call Trace:  guc_ct_send_locked+0x8b/0x670 [xe]  xe_guc_ct_send_locked+0x19/0x60 [xe]  send_tlb_invalidation+0xb4/0x460 [xe]  xe_gt_tlb_invalidation_ggtt+0x15e/0x2e0 [xe]  ggtt_invalidate_gt_tlb.part.0+0x16/0x90 [xe]  ggtt_node_remove+0x110/0x140 [xe]  xe_ggtt_node_remove+0x40/0xa0 [xe]  xe_ggtt_remove_bo+0x87/0x250 [xe]  Introduce a devm-managed release action during xe_guc_ct_init() and xe_guc_ct_init_post_hwconfig() to ensure proper CTB disablement before resource deallocation, preventing the use-after-free scenario.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68175",
                                "url": "https://ubuntu.com/security/CVE-2025-68175",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: nxp: imx8-isi: Fix streaming cleanup on release  The current implementation unconditionally calls mxc_isi_video_cleanup_streaming() in mxc_isi_video_release(). This can lead to situations where any release call (like from a simple \"v4l2-ctl -l\") may release a currently streaming queue when called on such a device.  This is reproducible on an i.MX8MP board by streaming from an ISI capture device using gstreamer:  \tgst-launch-1.0 -v v4l2src device=/dev/videoX ! \\ \t    video/x-raw,format=GRAY8,width=1280,height=800,framerate=1/120 ! \\ \t    fakesink  While this stream is running, querying the caps of the same device provokes the error state:  \tv4l2-ctl -l -d /dev/videoX  This results in the following trace:  [  155.452152] ------------[ cut here ]------------ [  155.452163] WARNING: CPU: 0 PID: 1708 at drivers/media/platform/nxp/imx8-isi/imx8-isi-pipe.c:713 mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [  157.004248] Modules linked in: cfg80211 rpmsg_ctrl rpmsg_char rpmsg_tty virtio_rpmsg_bus rpmsg_ns rpmsg_core rfkill nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables mcp251x6 [  157.053499] CPU: 0 UID: 0 PID: 1708 Comm: python3 Not tainted 6.15.4-00114-g1f61ca5cad76 #1 PREEMPT [  157.064369] Hardware name: imx8mp_board_01 (DT) [  157.068205] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [  157.075169] pc : mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [  157.081195] lr : mxc_isi_pipe_irq_handler+0x38/0x1b0 [imx8_isi] [  157.087126] sp : ffff800080003ee0 [  157.090438] x29: ffff800080003ee0 x28: ffff0000c3688000 x27: 0000000000000000 [  157.097580] x26: 0000000000000000 x25: ffff0000c1e7ac00 x24: ffff800081b5ad50 [  157.104723] x23: 00000000000000d1 x22: 0000000000000000 x21: ffff0000c25e4000 [  157.111866] x20: 0000000060000200 x19: ffff80007a0608d0 x18: 0000000000000000 [  157.119008] x17: 
ffff80006a4e3000 x16: ffff800080000000 x15: 0000000000000000 [  157.126146] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [  157.133287] x11: 0000000000000040 x10: ffff0000c01445f0 x9 : ffff80007a053a38 [  157.140425] x8 : ffff0000c04004b8 x7 : 0000000000000000 x6 : 0000000000000000 [  157.147567] x5 : ffff0000c0400490 x4 : ffff80006a4e3000 x3 : ffff0000c25e4000 [  157.154706] x2 : 0000000000000000 x1 : ffff8000825c0014 x0 : 0000000060000200 [  157.161850] Call trace: [  157.164296]  mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] (P) [  157.170319]  __handle_irq_event_percpu+0x58/0x218 [  157.175029]  handle_irq_event+0x54/0xb8 [  157.178867]  handle_fasteoi_irq+0xac/0x248 [  157.182968]  handle_irq_desc+0x48/0x68 [  157.186723]  generic_handle_domain_irq+0x24/0x38 [  157.191346]  gic_handle_irq+0x54/0x120 [  157.195098]  call_on_irq_stack+0x24/0x30 [  157.199027]  do_interrupt_handler+0x88/0x98 [  157.203212]  el0_interrupt+0x44/0xc0 [  157.206792]  __el0_irq_handler_common+0x18/0x28 [  157.211328]  el0t_64_irq_handler+0x10/0x20 [  157.215429]  el0t_64_irq+0x198/0x1a0 [  157.219009] ---[ end trace 0000000000000000 ]---  Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the vb2_ioctl_streamon() and vb2_ioctl_streamoff() helpers, and removal of the manual cleanup from mxc_isi_video_release().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68188",
                                "url": "https://ubuntu.com/security/CVE-2025-68188",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()  Use RCU to avoid a pair of atomic operations and a potential UAF on dst_dev()->flags.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68315",
                                "url": "https://ubuntu.com/security/CVE-2025-68315",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix to detect potential corrupted nid in free_nid_list  As reported, on-disk footer.ino and footer.nid is the same and out-of-range, let's add sanity check on f2fs_alloc_nid() to detect any potential corruption in free_nid_list.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40337",
                                "url": "https://ubuntu.com/security/CVE-2025-40337",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Correctly handle Rx checksum offload errors  The stmmac_rx function would previously set skb->ip_summed to CHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabled and the packet was of a known IP ethertype.  However, this logic failed to check if the hardware had actually reported a checksum error. The hardware status, indicating a header or payload checksum failure, was being ignored at this stage. This could cause corrupt packets to be passed up the network stack as valid.  This patch corrects the logic by checking the `csum_none` status flag, which is set when the hardware reports a checksum error. If this flag is set, skb->ip_summed is now correctly set to CHECKSUM_NONE, ensuring the kernel's network stack will perform its own validation and properly handle the corrupt packet.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40338",
                                "url": "https://ubuntu.com/security/CVE-2025-40338",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Do not share the name pointer between components  By sharing 'name' directly, tearing down components may lead to use-after-free errors. Duplicate the name to avoid that.  At the same time, update the order of operations - since commit cee28113db17 (\"ASoC: dmaengine_pcm: Allow passing component name via config\") the framework does not override component->name if set before invoking the initializer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40339",
                                "url": "https://ubuntu.com/security/CVE-2025-40339",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: fix nullptr err of vm_handle_moved  If an amdgpu_bo_va is fpriv->prt_va, the bo of this one is always NULL. So, such kind of amdgpu_bo_va should be updated separately before amdgpu_vm_handle_moved.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68194",
                                "url": "https://ubuntu.com/security/CVE-2025-68194",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: imon: make send_packet() more robust  syzbot is reporting that imon has three problems which result in hung tasks due to forever holding device lock [1].  First problem is that when usb_rx_callback_intf0() once got -EPROTO error after ictx->dev_present_intf0 became true, usb_rx_callback_intf0() resubmits urb after printk(), and resubmitted urb causes usb_rx_callback_intf0() to again get -EPROTO error. This results in printk() flooding (RCU stalls).  Alan Stern commented [2] that    In theory it's okay to resubmit _if_ the driver has a robust   error-recovery scheme (such as giving up after some fixed limit on the   number of errors or after some fixed time has elapsed, perhaps with a   time delay to prevent a flood of errors).  Most drivers don't bother to   do this; they simply give up right away.  This makes them more   vulnerable to short-term noise interference during USB transfers, but in   reality such interference is quite rare.  There's nothing really wrong   with giving up right away.  but imon has a poor error-recovery scheme which just retries forever; this behavior should be fixed.  Since I'm not sure whether it is safe for imon users to give up upon any error code, this patch takes care of only union of error codes chosen from modules in drivers/media/rc/ directory which handle -EPROTO error (i.e. ir_toy, mceusb and igorplugusb).  Second problem is that when usb_rx_callback_intf0() once got -EPROTO error before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0() always resubmits urb due to commit 8791d63af0cf (\"[media] imon: don't wedge hardware after early callbacks\"). 
Move the ictx->dev_present_intf0 test introduced by commit 6f6b90c9231a (\"[media] imon: don't parse scancodes until intf configured\") to immediately before imon_incoming_packet(), or the first problem explained above happens without printk() flooding (i.e. hung task).  Third problem is that when usb_rx_callback_intf0() is not called for some reason (e.g. flaky hardware; the reproducer for this problem sometimes prevents usb_rx_callback_intf0() from being called), wait_for_completion_interruptible() in send_packet() never returns (i.e. hung task). As a workaround for such situation, change send_packet() to wait for completion with timeout of 10 seconds.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40363",
                                "url": "https://ubuntu.com/security/CVE-2025-40363",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: ipv6: fix field-spanning memcpy warning in AH output  Fix field-spanning memcpy warnings in ah6_output() and ah6_output_done() where extension headers are copied to/from IPv6 address fields, triggering fortify-string warnings about writes beyond the 16-byte address fields.    memcpy: detected field-spanning write (size 40) of single field \"&top_iph->saddr\" at net/ipv6/ah6.c:439 (size 16)   WARNING: CPU: 0 PID: 8838 at net/ipv6/ah6.c:439 ah6_output+0xe7e/0x14e0 net/ipv6/ah6.c:439  The warnings are false positives as the extension headers are intentionally placed after the IPv6 header in memory. Fix by properly copying addresses and extension headers separately, and introduce helper functions to avoid code duplication.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68311",
                                "url": "https://ubuntu.com/security/CVE-2025-68311",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: serial: ip22zilog: Use platform device for probing  After commit 84a9582fd203 (\"serial: core: Start managing serial controllers to enable runtime PM\") serial drivers need to provide a device in struct uart_port.dev otherwise an oops happens. To fix this issue for ip22zilog driver switch driver to a platform driver and setup the serial device in sgi-ip22 code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40340",
                                "url": "https://ubuntu.com/security/CVE-2025-40340",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.  I saw an oops in xe_gem_fault when running the xe-fast-feedback testlist against the realtime kernel without debug options enabled.  The panic happens after core_hotunplug unbind-rebind finishes. Presumably what happens is that a process mmaps, unlocks because of the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left, causing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since there was nothing left to populate, and then oopses in \"mem_type_is_vram(tbo->resource->mem_type)\" because tbo->resource is NULL.  It's convoluted, but fits the data and explains the oops after the test exits.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68196",
                                "url": "https://ubuntu.com/security/CVE-2025-68196",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Cache streams targeting link when performing LT automation  [WHY] Last LT automation update can cause crash by referencing current_state and calling into dc_update_planes_and_stream which may clobber current_state.  [HOW] Cache relevant stream pointers and iterate through them instead of relying on the current_state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68178",
                                "url": "https://ubuntu.com/security/CVE-2025-68178",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  blk-cgroup: fix possible deadlock while configuring policy  Following deadlock can be triggered easily by lockdep:  WARNING: possible circular locking dependency detected 6.17.0-rc3-00124-ga12c2658ced0 #1665 Not tainted ------------------------------------------------------ check/1334 is trying to acquire lock: ff1100011d9d0678 (&q->sysfs_lock){+.+.}-{4:4}, at: blk_unregister_queue+0x53/0x180  but task is already holding lock: ff1100011d9d00e0 (&q->q_usage_counter(queue)#3){++++}-{0:0}, at: del_gendisk+0xba/0x110  which lock already depends on the new lock.  the existing dependency chain (in reverse order) is:  -> #2 (&q->q_usage_counter(queue)#3){++++}-{0:0}:        blk_queue_enter+0x40b/0x470        blkg_conf_prep+0x7b/0x3c0        tg_set_limit+0x10a/0x3e0        cgroup_file_write+0xc6/0x420        kernfs_fop_write_iter+0x189/0x280        vfs_write+0x256/0x490        ksys_write+0x83/0x190        __x64_sys_write+0x21/0x30        x64_sys_call+0x4608/0x4630        do_syscall_64+0xdb/0x6b0        entry_SYSCALL_64_after_hwframe+0x76/0x7e  -> #1 (&q->rq_qos_mutex){+.+.}-{4:4}:        __mutex_lock+0xd8/0xf50        mutex_lock_nested+0x2b/0x40        wbt_init+0x17e/0x280        wbt_enable_default+0xe9/0x140        blk_register_queue+0x1da/0x2e0        __add_disk+0x38c/0x5d0        add_disk_fwnode+0x89/0x250        device_add_disk+0x18/0x30        virtblk_probe+0x13a3/0x1800        virtio_dev_probe+0x389/0x610        really_probe+0x136/0x620        __driver_probe_device+0xb3/0x230        driver_probe_device+0x2f/0xe0        __driver_attach+0x158/0x250        bus_for_each_dev+0xa9/0x130        driver_attach+0x26/0x40        bus_add_driver+0x178/0x3d0        driver_register+0x7d/0x1c0        __register_virtio_driver+0x2c/0x60        virtio_blk_init+0x6f/0xe0        do_one_initcall+0x94/0x540        kernel_init_freeable+0x56a/0x7b0        
kernel_init+0x2b/0x270        ret_from_fork+0x268/0x4c0        ret_from_fork_asm+0x1a/0x30  -> #0 (&q->sysfs_lock){+.+.}-{4:4}:        __lock_acquire+0x1835/0x2940        lock_acquire+0xf9/0x450        __mutex_lock+0xd8/0xf50        mutex_lock_nested+0x2b/0x40        blk_unregister_queue+0x53/0x180        __del_gendisk+0x226/0x690        del_gendisk+0xba/0x110        sd_remove+0x49/0xb0 [sd_mod]        device_remove+0x87/0xb0        device_release_driver_internal+0x11e/0x230        device_release_driver+0x1a/0x30        bus_remove_device+0x14d/0x220        device_del+0x1e1/0x5a0        __scsi_remove_device+0x1ff/0x2f0        scsi_remove_device+0x37/0x60        sdev_store_delete+0x77/0x100        dev_attr_store+0x1f/0x40        sysfs_kf_write+0x65/0x90        kernfs_fop_write_iter+0x189/0x280        vfs_write+0x256/0x490        ksys_write+0x83/0x190        __x64_sys_write+0x21/0x30        x64_sys_call+0x4608/0x4630        do_syscall_64+0xdb/0x6b0        entry_SYSCALL_64_after_hwframe+0x76/0x7e  other info that might help us debug this:  Chain exists of:   &q->sysfs_lock --> &q->rq_qos_mutex --> &q->q_usage_counter(queue)#3   Possible unsafe locking scenario:         CPU0                    CPU1        ----                    ----   lock(&q->q_usage_counter(queue)#3);                                lock(&q->rq_qos_mutex);                                lock(&q->q_usage_counter(queue)#3);   lock(&q->sysfs_lock);  Root cause is that queue_usage_counter is grabbed with rq_qos_mutex held in blkg_conf_prep(), while queue should be freezed before rq_qos_mutex from other context.  The blk_queue_enter() from blkg_conf_prep() is used to protect against policy deactivation, which is already protected with blkcg_mutex, hence convert blk_queue_enter() to blkcg_mutex to fix this problem. Meanwhile, consider that blkcg_mutex is held after queue is freezed from policy deactivation, also convert blkg_alloc() to use GFP_NOIO.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40341",
                                "url": "https://ubuntu.com/security/CVE-2025-40341",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  futex: Don't leak robust_list pointer on exec race  sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access() to check if the calling task is allowed to access another task's robust_list pointer. This check is racy against a concurrent exec() in the target process.  During exec(), a task may transition from a non-privileged binary to a privileged one (e.g., setuid binary) and its credentials/memory mappings may change. If get_robust_list() performs ptrace_may_access() before this transition, it may erroneously allow access to sensitive information after the target becomes privileged.  A racy access allows an attacker to exploit a window during which ptrace_may_access() passes before a target process transitions to a privileged state via exec().  For example, consider a non-privileged task T that is about to execute a setuid-root binary. An attacker task A calls get_robust_list(T) while T is still unprivileged. Since ptrace_may_access() checks permissions based on current credentials, it succeeds. However, if T begins exec immediately afterwards, it becomes privileged and may change its memory mappings. Because get_robust_list() proceeds to access T->robust_list without synchronizing with exec() it may read user-space pointers from a now-privileged process.  This violates the intended post-exec access restrictions and could expose sensitive memory addresses or be used as a primitive in a larger exploit chain. Consequently, the race can lead to unauthorized disclosure of information across privilege boundaries and poses a potential security risk.  Take a read lock on signal->exec_update_lock prior to invoking ptrace_may_access() and accessing the robust_list/compat_robust_list. This ensures that the target task's exec state remains stable during the check, allowing for consistent and synchronized validation of credentials.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40342",
                                "url": "https://ubuntu.com/security/CVE-2025-40342",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvme-fc: use lock accessing port_state and rport state  nvme_fc_unregister_remote removes the remote port on a lport object at any point in time when there is no active association. This races with the reconnect logic, because nvme_fc_create_association is not taking a lock to check the port_state and atomically increase the active count on the rport.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40343",
                                "url": "https://ubuntu.com/security/CVE-2025-40343",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-fc: avoid scheduling association deletion twice  When forcefully shutting down a port via the configfs interface, nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and then nvmet_disable_port(). Both functions will eventually schedule all remaining associations for deletion.  The current implementation checks whether an association is about to be removed, but only after the work item has already been scheduled. As a result, it is possible for the first scheduled work item to free all resources, and then for the same work item to be scheduled again for deletion.  Because the association list is an RCU list, it is not possible to take a lock and remove the list entry directly, so it cannot be looked up again. Instead, a flag (terminating) must be used to determine whether the association is already in the process of being deleted.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68177",
                                "url": "https://ubuntu.com/security/CVE-2025-68177",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq/longhaul: handle NULL policy in longhaul_exit  longhaul_exit() was calling cpufreq_cpu_get(0) without checking for a NULL policy pointer. On some systems, this could lead to a NULL dereference and a kernel warning or panic.  This patch adds a check using unlikely() and returns early if the policy is NULL.  Bugzilla: #219962",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68317",
                                "url": "https://ubuntu.com/security/CVE-2025-68317",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/zctx: check chained notif contexts  Send zc only links ubuf_info for requests coming from the same context. There are some ambiguous syz reports, so let's check the assumption on notification completion.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40315",
                                "url": "https://ubuntu.com/security/CVE-2025-40315",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_fs: Fix epfile null pointer access after ep enable.  A race condition occurs when ffs_func_eps_enable() runs concurrently with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading to a NULL pointer dereference when accessing epfile->ep in ffs_func_eps_enable() after successful usb_ep_enable().  The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and ffs_data_close() functions, and its modification is protected by the spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function is also protected by ffs->eps_lock.  Thus, add NULL pointer handling for ffs->epfiles in the ffs_func_eps_enable() function to fix issues",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40316",
                                "url": "https://ubuntu.com/security/CVE-2025-40316",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/mediatek: Fix device use-after-free on unbind  A recent change fixed device reference leaks when looking up drm platform device driver data during bind() but failed to remove a partial fix which had been added by commit 80805b62ea5b (\"drm/mediatek: Fix kobject put for component sub-drivers\").  This results in a reference imbalance on component bind() failures and on unbind() which could lead to a use-after-free.  Make sure to only drop the references after retrieving the driver data by effectively reverting the previous partial fix.  Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40360",
                                "url": "https://ubuntu.com/security/CVE-2025-40360",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sysfb: Do not dereference NULL pointer in plane reset  The plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not deref that pointer, but forward NULL to the other plane-reset helpers. Clears plane->state to NULL.  v2: - fix typo in commit description (Javier)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68179",
                                "url": "https://ubuntu.com/security/CVE-2025-68179",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP  As reported by Luiz Capitulino enabling HVO on s390 leads to reproducible crashes. The problem is that kernel page tables are modified without flushing corresponding TLB entries.  Even if it looks like the empty flush_tlb_all() implementation on s390 is the problem, it is actually a different problem: on s390 it is not allowed to replace an active/valid page table entry with another valid page table entry without the detour over an invalid entry. A direct replacement may lead to random crashes and/or data corruption.  In order to invalidate an entry special instructions have to be used (e.g. ipte or idte). Alternatively there are also special instructions available which allow to replace a valid entry with a different valid entry (e.g. crdte or cspg).  Given that the HVO code currently does not provide the hooks to allow for an implementation which is compliant with the s390 architecture requirements, disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP again, which is basically a revert of the original patch which enabled it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68310",
                                "url": "https://ubuntu.com/security/CVE-2025-68310",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump  Do not block PCI config accesses through pci_cfg_access_lock() when executing the s390 variant of PCI error recovery: Acquire just device_lock() instead of pci_dev_lock() as powerpc's EEH and generig PCI AER processing do.  During error recovery testing a pair of tasks was reported to be hung:  mlx5_core 0000:00:00.1: mlx5_health_try_recover:338:(pid 5553): health recovery flow aborted, PCI reads still not working INFO: task kmcheck:72 blocked for more than 122 seconds.       Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. task:kmcheck         state:D stack:0     pid:72    tgid:72    ppid:2     flags:0x00000000 Call Trace:  [<000000065256f030>] __schedule+0x2a0/0x590  [<000000065256f356>] schedule+0x36/0xe0  [<000000065256f572>] schedule_preempt_disabled+0x22/0x30  [<0000000652570a94>] __mutex_lock.constprop.0+0x484/0x8a8  [<000003ff800673a4>] mlx5_unload_one+0x34/0x58 [mlx5_core]  [<000003ff8006745c>] mlx5_pci_err_detected+0x94/0x140 [mlx5_core]  [<0000000652556c5a>] zpci_event_attempt_error_recovery+0xf2/0x398  [<0000000651b9184a>] __zpci_event_error+0x23a/0x2c0 INFO: task kworker/u1664:6:1514 blocked for more than 122 seconds.       Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. 
task:kworker/u1664:6 state:D stack:0     pid:1514  tgid:1514  ppid:2     flags:0x00000000 Workqueue: mlx5_health0000:00:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core] Call Trace:  [<000000065256f030>] __schedule+0x2a0/0x590  [<000000065256f356>] schedule+0x36/0xe0  [<0000000652172e28>] pci_wait_cfg+0x80/0xe8  [<0000000652172f94>] pci_cfg_access_lock+0x74/0x88  [<000003ff800916b6>] mlx5_vsc_gw_lock+0x36/0x178 [mlx5_core]  [<000003ff80098824>] mlx5_crdump_collect+0x34/0x1c8 [mlx5_core]  [<000003ff80074b62>] mlx5_fw_fatal_reporter_dump+0x6a/0xe8 [mlx5_core]  [<0000000652512242>] devlink_health_do_dump.part.0+0x82/0x168  [<0000000652513212>] devlink_health_report+0x19a/0x230  [<000003ff80075a12>] mlx5_fw_fatal_reporter_err_work+0xba/0x1b0 [mlx5_core]  No kernel log of the exact same error with an upstream kernel is available - but the very same deadlock situation can be constructed there, too:  - task: kmcheck   mlx5_unload_one() tries to acquire devlink lock while the PCI error   recovery code has set pdev->block_cfg_access by way of   pci_cfg_access_lock() - task: kworker   mlx5_crdump_collect() tries to set block_cfg_access through   pci_cfg_access_lock() while devlink_health_report() had acquired   the devlink lock.  A similar deadlock situation can be reproduced by requesting a crdump with   > devlink health dump show pci/<BDF> reporter fw_fatal  while PCI error recovery is executed on the same <BDF> physical function by mlx5_core's pci_error_handlers. On s390 this can be injected with   > zpcictl --reset-fw <BDF>  Tests with this patch failed to reproduce that second deadlock situation, the devlink command is rejected with \"kernel answers: Permission denied\" - and we get a kernel log message of:  mlx5_core 1ed0:00:00.1: mlx5_crdump_collect:50:(pid 254382): crdump: failed to lock vsc gw err -5  because the config read of VSC_SEMAPHORE is rejected by the underlying hardware.  
Two prior attempts to address this issue have been discussed and ultimately rejected [see link], with the primary argument that s390's implementation of PCI error recovery is imposing restrictions that neither powerpc's EEH nor PCI AER handling need. Tests show that PCI error recovery on s390 is running to completion even without blocking access to PCI config space.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40317",
                                "url": "https://ubuntu.com/security/CVE-2025-40317",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  regmap: slimbus: fix bus_context pointer in regmap init calls  Commit 4e65bda8273c (\"ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()\") revealed the problem in the slimbus regmap. That commit breaks audio playback, for instance, on sdm845 Thundercomm Dragonboard 845c board:   Unable to handle kernel paging request at virtual address ffff8000847cbad4  ...  CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT  Hardware name: Thundercomm Dragonboard 845c (DT)  ...  Call trace:   slim_xfer_msg+0x24/0x1ac [slimbus] (P)   slim_read+0x48/0x74 [slimbus]   regmap_slimbus_read+0x18/0x24 [regmap_slimbus]   _regmap_raw_read+0xe8/0x174   _regmap_bus_read+0x44/0x80   _regmap_read+0x60/0xd8   _regmap_update_bits+0xf4/0x140   _regmap_select_page+0xa8/0x124   _regmap_raw_write_impl+0x3b8/0x65c   _regmap_bus_raw_write+0x60/0x80   _regmap_write+0x58/0xc0   regmap_write+0x4c/0x80   wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x]   snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core]   __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core]   dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core]   dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core]   snd_pcm_hw_params+0x124/0x464 [snd_pcm]   snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm]   snd_pcm_ioctl+0x34/0x4c [snd_pcm]   __arm64_sys_ioctl+0xac/0x104   invoke_syscall+0x48/0x104   el0_svc_common.constprop.0+0x40/0xe0   do_el0_svc+0x1c/0x28   el0_svc+0x34/0xec   el0t_64_sync_handler+0xa0/0xf0   el0t_64_sync+0x198/0x19c  The __devm_regmap_init_slimbus() started to be used instead of __regmap_init_slimbus() after the commit mentioned above and turns out the incorrect bus_context pointer (3rd argument) was used in __devm_regmap_init_slimbus(). It should be just \"slimbus\" (which is equal to &slimbus->dev). Correct it. 
The wcd934x codec seems to be the only or the first user of devm_regmap_init_slimbus() but we should fix it till the point where __devm_regmap_init_slimbus() was introduced therefore two \"Fixes\" tags.  While at this, also correct the same argument in __regmap_init_slimbus().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40359",
                                "url": "https://ubuntu.com/security/CVE-2025-40359",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/x86/intel: Fix KASAN global-out-of-bounds warning  When running \"perf mem record\" command on CWF, the below KASAN global-out-of-bounds warning is seen.    ==================================================================   BUG: KASAN: global-out-of-bounds in cmt_latency_data+0x176/0x1b0   Read of size 4 at addr ffffffffb721d000 by task dtlb/9850    Call Trace:     kasan_report+0xb8/0xf0    cmt_latency_data+0x176/0x1b0    setup_arch_pebs_sample_data+0xf49/0x2560    intel_pmu_drain_arch_pebs+0x577/0xb00    handle_pmi_common+0x6c4/0xc80  The issue is caused by below code in __grt_latency_data(). The code tries to access x86_hybrid_pmu structure which doesn't exist on non-hybrid platform like CWF.          WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big)  So add is_hybrid() check before calling this WARN_ON_ONCE to fix the global-out-of-bounds access issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68181",
                                "url": "https://ubuntu.com/security/CVE-2025-68181",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Remove calls to drm_put_dev()  Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() drm_put_dev()'ing to trigger it to be free'd should be done by devres.  However, drm_put_dev() is still in the probe error and device remove paths. When the driver fails to probe warnings like the following are shown because devres is trying to drm_put_dev() after the driver already did it.  [    5.642230] radeon 0000:01:05.0: probe with driver radeon failed with error -22 [    5.649605] ------------[ cut here ]------------ [    5.649607] refcount_t: underflow; use-after-free. [    5.649620] WARNING: CPU: 0 PID: 357 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110  (cherry picked from commit 3eb8c0b4c091da0a623ade0d3ee7aa4a93df1ea4)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68170",
                                "url": "https://ubuntu.com/security/CVE-2025-68170",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Do not kfree() devres managed rdev  Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() rdev is managed by devres and we shouldn't be calling kfree() on it.  This fixes things exploding if the driver probe fails and devres cleans up the rdev after we already free'd it.  (cherry picked from commit 16c0681617b8a045773d4d87b6140002fa75b03b)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40213",
                                "url": "https://ubuntu.com/security/CVE-2025-40213",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete  There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array.  Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove.  Use DEFINE_FLEX to declare the flexible array right, and don't memcpy outside bounds.  As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free, and also report status on error.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-24 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40318",
                                "url": "https://ubuntu.com/security/CVE-2025-40318",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once  hci_cmd_sync_dequeue_once() does lookup and then cancel the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the same entry, leading to double list_del() and \"UAF\".  Fix this by holding cmd_sync_work_lock across both lookup and cancel, so that the entry cannot be removed concurrently.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68312",
                                "url": "https://ubuntu.com/security/CVE-2025-68312",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: Prevents free active kevent  The root causes of this issue are: 1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0); puts the kevent work in the global workqueue. However, the kevent has not yet been scheduled when the usbnet device is unregistered. Therefore, executing free_netdev() results in the \"free active object (kevent)\" error reported here.  2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(), if the usbnet device is up, ndo_stop() is executed to cancel the kevent. However, because the device is not up, ndo_stop() is not executed.  The solution to this problem is to cancel the kevent before executing free_netdev().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40344",
                                "url": "https://ubuntu.com/security/CVE-2025-40344",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Disable periods-elapsed work when closing PCM  avs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio stream while period-elapsed work services its IRQs. As the former frees the DAI's private context, these two operations shall be synchronized to avoid slab-use-after-free or worse errors.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68172",
                                "url": "https://ubuntu.com/security/CVE-2025-68172",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: aspeed - fix double free caused by devm  The clock obtained via devm_clk_get_enabled() is automatically managed by devres and will be disabled and freed on driver detach. Manually calling clk_disable_unprepare() in error path and remove function causes double free.  Remove the manual clock cleanup in both aspeed_acry_probe()'s error path and aspeed_acry_remove().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40319",
                                "url": "https://ubuntu.com/security/CVE-2025-40319",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Sync pending IRQ work before freeing ring buffer  Fix a race where irq_work can be queued in bpf_ringbuf_commit() but the ring buffer is freed before the work executes. In the syzbot reproducer, a BPF program attached to sched_switch triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer is freed before this work executes, the irq_work thread may access freed memory. Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work complete before freeing the buffer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68182",
                                "url": "https://ubuntu.com/security/CVE-2025-68182",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: iwlwifi: fix potential use after free in iwl_mld_remove_link()  This code frees \"link\" by calling kfree_rcu(link, rcu_head) and then it dereferences \"link\" to get the \"link->fw_id\".  Save the \"link->fw_id\" first to avoid a potential use after free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68314",
                                "url": "https://ubuntu.com/security/CVE-2025-68314",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm: make sure last_fence is always updated  Update last_fence in the vm-bind path instead of kernel managed path.  last_fence is used to wait for work to finish in vm_bind contexts but not used for kernel managed contexts.  This fixes a bug where last_fence is not waited on context close leading to faults as resources are freed while in use.  Patchwork: https://patchwork.freedesktop.org/patch/680080/",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68189",
                                "url": "https://ubuntu.com/security/CVE-2025-68189",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm: Fix GEM free for imported dma-bufs  Imported dma-bufs also have obj->resv != &obj->_resv.  So we should check both this condition in addition to flags for handling the _NO_SHARE case.  Fixes this splat that was reported with IRIS video playback:      ------------[ cut here ]------------     WARNING: CPU: 3 PID: 2040 at drivers/gpu/drm/msm/msm_gem.c:1127 msm_gem_free_object+0x1f8/0x264 [msm]     CPU: 3 UID: 1000 PID: 2040 Comm: .gnome-shell-wr Not tainted 6.17.0-rc7 #1 PREEMPT     pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)     pc : msm_gem_free_object+0x1f8/0x264 [msm]     lr : msm_gem_free_object+0x138/0x264 [msm]     sp : ffff800092a1bb30     x29: ffff800092a1bb80 x28: ffff800092a1bce8 x27: ffffbc702dbdbe08     x26: 0000000000000008 x25: 0000000000000009 x24: 00000000000000a6     x23: ffff00083c72f850 x22: ffff00083c72f868 x21: ffff00087e69f200     x20: ffff00087e69f330 x19: ffff00084d157ae0 x18: 0000000000000000     x17: 0000000000000000 x16: ffffbc704bd46b80 x15: 0000ffffd0959540     x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000     x11: ffffbc702e6cdb48 x10: 0000000000000000 x9 : 000000000000003f     x8 : ffff800092a1ba90 x7 : 0000000000000000 x6 : 0000000000000020     x5 : ffffbc704bd46c40 x4 : fffffdffe102cf60 x3 : 0000000000400032     x2 : 0000000000020000 x1 : ffff00087e6978e8 x0 : ffff00087e6977e8     Call trace:      msm_gem_free_object+0x1f8/0x264 [msm] (P)      drm_gem_object_free+0x1c/0x30 [drm]      drm_gem_object_handle_put_unlocked+0x138/0x150 [drm]      drm_gem_object_release_handle+0x5c/0xcc [drm]      drm_gem_handle_delete+0x68/0xbc [drm]      drm_gem_close_ioctl+0x34/0x40 [drm]      drm_ioctl_kernel+0xc0/0x130 [drm]      drm_ioctl+0x360/0x4e0 [drm]      __arm64_sys_ioctl+0xac/0x104      invoke_syscall+0x48/0x104      el0_svc_common.constprop.0+0x40/0xe0      
do_el0_svc+0x1c/0x28      el0_svc+0x34/0xec      el0t_64_sync_handler+0xa0/0xe4      el0t_64_sync+0x198/0x19c     ---[ end trace 0000000000000000 ]---     ------------[ cut here ]------------  Patchwork: https://patchwork.freedesktop.org/patch/676273/",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68171",
                                "url": "https://ubuntu.com/security/CVE-2025-68171",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/fpu: Ensure XFD state on signal delivery  Sean reported [1] the following splat when running KVM tests:     WARNING: CPU: 232 PID: 15391 at xfd_validate_state+0x65/0x70    Call Trace:     <TASK>     fpu__clear_user_states+0x9c/0x100     arch_do_signal_or_restart+0x142/0x210     exit_to_user_mode_loop+0x55/0x100     do_syscall_64+0x205/0x2c0     entry_SYSCALL_64_after_hwframe+0x4b/0x53  Chao further identified [2] a reproducible scenario involving signal delivery: a non-AMX task is preempted by an AMX-enabled task which modifies the XFD MSR.  When the non-AMX task resumes and reloads XSTATE with init values, a warning is triggered due to a mismatch between fpstate::xfd and the CPU's current XFD state. fpu__clear_user_states() does not currently re-synchronize the XFD state after such preemption.  Invoke xfd_update_state() which detects and corrects the mismatch if there is a dynamic feature.  This also benefits the sigreturn path, as fpu__restore_sig() may call fpu__clear_user_states() when the sigframe is inaccessible.  [ dhansen: minor changelog munging ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68313",
                                "url": "https://ubuntu.com/security/CVE-2025-68313",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Add RDSEED fix for Zen5  There's an issue with RDSEED's 16-bit and 32-bit register output variants on Zen5 which return a random value of 0 \"at a rate inconsistent with randomness while incorrectly signaling success (CF=1)\". Search the web for AMD-SB-7055 for more detail.  Add a fix glue which checks microcode revisions.    [ bp: Add microcode revisions checking, rewrite. ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40320",
                                "url": "https://ubuntu.com/security/CVE-2025-40320",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix potential cfid UAF in smb2_query_info_compound  When smb2_query_info_compound() retries, a previously allocated cfid may have been freed in the first attempt. Because cfid wasn't reset on replay, later cleanup could act on a stale pointer, leading to a potential use-after-free.  Reinitialize cfid to NULL under the replay label.  Example trace (trimmed):  refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110 [...] RIP: 0010:refcount_warn_saturate+0x9c/0x110 [...] Call Trace:  <TASK>  smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  ? step_into+0x10d/0x690  ? __legitimize_path+0x28/0x60  smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  ? kmem_cache_alloc+0x18a/0x340  ? getname_flags+0x46/0x1e0  cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  statfs_by_dentry+0x67/0x90  vfs_statfs+0x16/0xd0  user_statfs+0x54/0xa0  __do_sys_statfs+0x20/0x50  do_syscall_64+0x58/0x80",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40321",
                                "url": "https://ubuntu.com/security/CVE-2025-40321",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode  Currently, whenever there is a need to transmit an Action frame, the brcmfmac driver always uses the P2P vif to send the \"actframe\" IOVAR to firmware. The P2P interfaces were available when wpa_supplicant is managing the wlan interface.  However, the P2P interfaces are not created/initialized when only hostapd is managing the wlan interface. And if hostapd receives an ANQP Query REQ Action frame even from an un-associated STA, the brcmfmac driver tries to use an uninitialized P2P vif pointer for sending the IOVAR to firmware. This NULL pointer dereferencing triggers a driver crash.   [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual  address 0000000000000000  [...]  [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)  [...]  [ 1417.075653] Call trace:  [ 1417.075662]  brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]  [ 1417.075738]  brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]  [ 1417.075810]  cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211]  [ 1417.076067]  nl80211_tx_mgmt+0x238/0x388 [cfg80211]  [ 1417.076281]  genl_family_rcv_msg_doit+0xe0/0x158  [ 1417.076302]  genl_rcv_msg+0x220/0x2a0  [ 1417.076317]  netlink_rcv_skb+0x68/0x140  [ 1417.076330]  genl_rcv+0x40/0x60  [ 1417.076343]  netlink_unicast+0x330/0x3b8  [ 1417.076357]  netlink_sendmsg+0x19c/0x3f8  [ 1417.076370]  __sock_sendmsg+0x64/0xc0  [ 1417.076391]  ____sys_sendmsg+0x268/0x2a0  [ 1417.076408]  ___sys_sendmsg+0xb8/0x118  [ 1417.076427]  __sys_sendmsg+0x90/0xf8  [ 1417.076445]  __arm64_sys_sendmsg+0x2c/0x40  [ 1417.076465]  invoke_syscall+0x50/0x120  [ 1417.076486]  el0_svc_common.constprop.0+0x48/0xf0  [ 1417.076506]  do_el0_svc+0x24/0x38  [ 1417.076525]  el0_svc+0x30/0x100  [ 1417.076548]  el0t_64_sync_handler+0x100/0x130  [ 1417.076569]  el0t_64_sync+0x190/0x198  [ 
1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)  Fix this, by always using the vif corresponding to the wdev on which the Action frame Transmission request was initiated by the userspace. This way, even if P2P vif is not available, the IOVAR is sent to firmware on AP vif and the ANQP Query RESP Action frame is transmitted without crashing the driver.  Move init_completion() for \"send_af_done\" from brcmf_p2p_create_p2pdev() to brcmf_p2p_attach(). Because the former function would not get executed when only hostapd is managing wlan interface, and it is not safe to do reinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior init_completion().  And in the brcmf_p2p_tx_action_frame() function, the condition check for P2P Presence response frame is not needed, since the wpa_supplicant is properly sending the P2P Presense Response frame on the P2P-GO vif instead of the P2P-Device vif.  [Cc stable]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40322",
                                "url": "https://ubuntu.com/security/CVE-2025-40322",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: bitblit: bound-check glyph index in bit_putcs*  bit_putcs_aligned()/unaligned() derived the glyph pointer from the character value masked by 0xff/0x1ff, which may exceed the actual font's glyph count and read past the end of the built-in font array. Clamp the index to the actual glyph count before computing the address.  This fixes a global out-of-bounds read reported by syzbot.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40211",
                                "url": "https://ubuntu.com/security/CVE-2025-40211",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ACPI: video: Fix use-after-free in acpi_video_switch_brightness()  The switch_brightness_work delayed work accesses device->brightness and device->backlight, freed by acpi_video_dev_unregister_backlight() during device removal.  If the work executes after acpi_video_bus_unregister_backlight() frees these resources, it causes a use-after-free when acpi_video_switch_brightness() dereferences device->brightness or device->backlight.  Fix this by calling cancel_delayed_work_sync() for each device's switch_brightness_work in acpi_video_bus_remove_notify_handler() after removing the notify handler that queues the work. This ensures the work completes before the memory is freed.  [ rjw: Changelog edit ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-21 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40323",
                                "url": "https://ubuntu.com/security/CVE-2025-40323",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Set fb_display[i]->mode to NULL when the mode is released  Recently, we discovered the following issue through syzkaller:  BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0 Read of size 4 at addr ff11000001b3c69c by task syz.xxx ... Call Trace:  <TASK>  dump_stack_lvl+0xab/0xe0  print_address_description.constprop.0+0x2c/0x390  print_report+0xb9/0x280  kasan_report+0xb8/0xf0  fb_mode_is_equal+0x285/0x2f0  fbcon_mode_deleted+0x129/0x180  fb_set_var+0xe7f/0x11d0  do_fb_ioctl+0x6a0/0x750  fb_ioctl+0xe0/0x140  __x64_sys_ioctl+0x193/0x210  do_syscall_64+0x5f/0x9c0  entry_SYSCALL_64_after_hwframe+0x76/0x7e  Based on experimentation and analysis, during framebuffer unregistration, only the memory of fb_info->modelist is freed, without setting the corresponding fb_display[i]->mode to NULL for the freed modes. This leads to UAF issues during subsequent accesses. Here's an example of reproduction steps: 1. With /dev/fb0 already registered in the system, load a kernel module    to register a new device /dev/fb1; 2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP); 3. Switch console from fb to VGA (to allow normal rmmod of the ko); 4. Unload the kernel module, at this point fb1's modelist is freed, leaving    a wild pointer in fb_display[]; 5. Trigger the bug via system calls through fb0 attempting to delete a mode    from fb0.  Add a check in do_unregister_framebuffer(): if the mode to be freed exists in fb_display[], set the corresponding mode pointer to NULL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40210",
                                "url": "https://ubuntu.com/security/CVE-2025-40210",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\"  I've found that pynfs COMP6 now leaves the connection or lease in a strange state, which causes CLOSE9 to hang indefinitely. I've dug into it a little, but I haven't been able to root-cause it yet. However, I bisected to commit 48aab1606fa8 (\"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\").  Tianshuo Han also reports a potential vulnerability when decoding an NFSv4 COMPOUND. An attacker can place an arbitrarily large op count in the COMPOUND header, which results in:  [   51.410584] nfsd: vmalloc error: size 1209533382144, exceeds total pages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO), nodemask=(null),cpuset=/,mems_allowed=0  when NFSD attempts to allocate the COMPOUND op array.  Let's restore the operation-per-COMPOUND limit, but increased to 200 for now.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-21 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40324",
                                "url": "https://ubuntu.com/security/CVE-2025-40324",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Fix crash in nfsd4_read_release()  When tracing is enabled, the trace_nfsd_read_done trace point crashes during the pynfs read.testNoFh test.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40326",
                                "url": "https://ubuntu.com/security/CVE-2025-40326",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define actions for the new time_deleg FATTR4 attributes  NFSv4 clients won't send legitimate GETATTR requests for these new attributes because they are intended to be used only with CB_GETATTR and SETATTR. But NFSD has to do something besides crashing if it ever sees a GETATTR request that queries these attributes.  RFC 8881 Section 18.7.3 states:  > The server MUST return a value for each attribute that the client > requests if the attribute is supported by the server for the > target file system. If the server does not support a particular > attribute on the target file system, then it MUST NOT return the > attribute value and MUST NOT set the attribute bit in the result > bitmap. The server MUST return an error if it supports an > attribute on the target but cannot obtain its value. In that case, > no attribute values will be returned.  Further, RFC 9754 Section 5 states:  > These new attributes are invalid to be used with GETATTR, VERIFY, > and NVERIFY, and they can only be used with CB_GETATTR and SETATTR > by a client holding an appropriate delegation.  Thus there does not appear to be a specific server response mandated by specification. Taking the guidance that querying these attributes via GETATTR is \"invalid\", NFSD will return nfserr_inval, failing the request entirely.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40084",
                                "url": "https://ubuntu.com/security/CVE-2025-40084",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: transport_ipc: validate payload size before reading handle  handle_response() dereferences the payload as a 4-byte handle without verifying that the declared payload size is at least 4 bytes. A malformed or truncated message from ksmbd.mountd can lead to a 4-byte read past the declared payload size. Validate the size before dereferencing.  This is a minimal fix to guard the initial handle read.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40222",
                                "url": "https://ubuntu.com/security/CVE-2025-40222",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: serial: sh-sci: fix RSCI FIFO overrun handling  The receive error handling code is shared between RSCI and all other SCIF port types, but the RSCI overrun_reg is specified as a memory offset, while for other SCIF types it is an enum value used to index into the sci_port_params->regs array, as mentioned above the sci_serial_in() function.  For RSCI, the overrun_reg is CSR (0x48), causing the sci_getreg() call inside the sci_handle_fifo_overrun() function to index outside the bounds of the regs array, which currently has a size of 20, as specified by SCI_NR_REGS.  Because of this, we end up accessing memory outside of RSCI's rsci_port_params structure, which, when interpreted as a plat_sci_reg, happens to have a non-zero size, causing the following WARN when sci_serial_in() is called, as the accidental size does not match the supported register sizes.  The existence of the overrun_reg needs to be checked because SCIx_SH3_SCIF_REGTYPE has overrun_reg set to SCLSR, but SCLSR is not present in the regs array.  Avoid calling sci_getreg() for port types which don't use standard register handling.  Use the ops->read_reg() and ops->write_reg() functions to properly read and write registers for RSCI, and change the type of the status variable to accommodate the 32-bit CSR register.  sci_getreg() and sci_serial_in() are also called with overrun_reg in the sci_mpxed_interrupt() interrupt handler, but that code path is not used for RSCI, as it does not have a muxed interrupt.  
------------[ cut here ]------------ Invalid register access WARNING: CPU: 0 PID: 0 at drivers/tty/serial/sh-sci.c:522 sci_serial_in+0x38/0xac Modules linked in: renesas_usbhs at24 rzt2h_adc industrialio_adc sha256 cfg80211 bluetooth ecdh_generic ecc rfkill fuse drm backlight ipv6 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.17.0-rc1+ #30 PREEMPT Hardware name: Renesas RZ/T2H EVK Board based on r9a09g077m44 (DT) pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : sci_serial_in+0x38/0xac lr : sci_serial_in+0x38/0xac sp : ffff800080003e80 x29: ffff800080003e80 x28: ffff800082195b80 x27: 000000000000000d x26: ffff8000821956d0 x25: 0000000000000000 x24: ffff800082195b80 x23: ffff000180e0d800 x22: 0000000000000010 x21: 0000000000000000 x20: 0000000000000010 x19: ffff000180e72000 x18: 000000000000000a x17: ffff8002bcee7000 x16: ffff800080000000 x15: 0720072007200720 x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720 x11: 0000000000000058 x10: 0000000000000018 x9 : ffff8000821a6a48 x8 : 0000000000057fa8 x7 : 0000000000000406 x6 : ffff8000821fea48 x5 : ffff00033ef88408 x4 : ffff8002bcee7000 x3 : ffff800082195b80 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff800082195b80 Call trace:  sci_serial_in+0x38/0xac (P)  sci_handle_fifo_overrun.isra.0+0x70/0x134  sci_er_interrupt+0x50/0x39c  __handle_irq_event_percpu+0x48/0x140  handle_irq_event+0x44/0xb0  handle_fasteoi_irq+0xf4/0x1a0  handle_irq_desc+0x34/0x58  generic_handle_domain_irq+0x1c/0x28  gic_handle_irq+0x4c/0x140  call_on_irq_stack+0x30/0x48  do_interrupt_handler+0x80/0x84  el1_interrupt+0x34/0x68  el1h_64_irq_handler+0x18/0x24  el1h_64_irq+0x6c/0x70  default_idle_call+0x28/0x58 (P)  do_idle+0x1f8/0x250  cpu_startup_entry+0x34/0x3c  rest_init+0xd8/0xe0  console_on_rootfs+0x0/0x6c  __primary_switched+0x88/0x90 ---[ end trace 0000000000000000 ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40223",
                                "url": "https://ubuntu.com/security/CVE-2025-40223",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  most: usb: Fix use-after-free in hdm_disconnect  hdm_disconnect() calls most_deregister_interface(), which eventually unregisters the MOST interface device with device_unregister(iface->dev). If that drops the last reference, the device core may call release_mdev() immediately while hdm_disconnect() is still executing.  The old code also freed several mdev-owned allocations in hdm_disconnect() and then performed additional put_device() calls. Depending on refcount order, this could lead to use-after-free or double-free when release_mdev() ran (or when unregister paths also performed puts).  Fix by moving the frees of mdev-owned allocations into release_mdev(), so they happen exactly once when the device is truly released, and by dropping the extra put_device() calls in hdm_disconnect() that are redundant after device_unregister() and most_deregister_interface().  This addresses the KASAN slab-use-after-free reported by syzbot in hdm_disconnect(). See report and stack traces in the bug link below.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40106",
                                "url": "https://ubuntu.com/security/CVE-2025-40106",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  comedi: fix divide-by-zero in comedi_buf_munge()  The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path.  Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging.  This prevents potential kernel panics from malformed user commands.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-31 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40224",
                                "url": "https://ubuntu.com/security/CVE-2025-40224",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hwmon: (cgbc-hwmon) Add missing NULL check after devm_kzalloc()  The driver allocates memory for sensor data using devm_kzalloc(), but did not check if the allocation succeeded. In case of memory allocation failure, dereferencing the NULL pointer would lead to a kernel crash.  Add a NULL pointer check and return -ENOMEM to handle allocation failure properly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40225",
                                "url": "https://ubuntu.com/security/CVE-2025-40225",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/panthor: Fix kernel panic on partial unmap of a GPU VA region  This commit address a kernel panic issue that can happen if Userspace tries to partially unmap a GPU virtual region (aka drm_gpuva). The VM_BIND interface allows partial unmapping of a BO.  Panthor driver pre-allocates memory for the new drm_gpuva structures that would be needed for the map/unmap operation, done using drm_gpuvm layer. It expected that only one new drm_gpuva would be needed on umap but a partial unmap can require 2 new drm_gpuva and that's why it ended up doing a NULL pointer dereference causing a kernel panic.  Following dump was seen when partial unmap was exercised.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078  Mem abort info:    ESR = 0x0000000096000046    EC = 0x25: DABT (current EL), IL = 32 bits    SET = 0, FnV = 0    EA = 0, S1PTW = 0    FSC = 0x06: level 2 translation fault  Data abort info:    ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000    CM = 0, WnR = 1, TnD = 0, TagAccess = 0    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0  user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000  [000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000  Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP  <snip>  pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)  pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]  lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor]  sp : ffff800085d43970  x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000  x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000  x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180  x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010  x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c  x14: 312d3d7361203a70 x13: 
303030323d6e656c x12: ffff80008324bf58  x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c  x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7  x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001  x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078  Call trace:   panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]   op_remap_cb.isra.22+0x50/0x80   __drm_gpuvm_sm_unmap+0x10c/0x1c8   drm_gpuvm_sm_unmap+0x40/0x60   panthor_vm_exec_op+0xb4/0x3d0 [panthor]   panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor]   panthor_ioctl_vm_bind+0x160/0x4a0 [panthor]   drm_ioctl_kernel+0xbc/0x138   drm_ioctl+0x240/0x500   __arm64_sys_ioctl+0xb0/0xf8   invoke_syscall+0x4c/0x110   el0_svc_common.constprop.1+0x98/0xf8   do_el0_svc+0x24/0x38   el0_svc+0x40/0xf8   el0t_64_sync_handler+0xa0/0xc8   el0t_64_sync+0x174/0x178",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40226",
                                "url": "https://ubuntu.com/security/CVE-2025-40226",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  firmware: arm_scmi: Account for failed debug initialization  When the SCMI debug subsystem fails to initialize, the related debug root will be missing, and the underlying descriptor will be NULL.  Handle this fault condition in the SCMI debug helpers that maintain metrics counters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40227",
                                "url": "https://ubuntu.com/security/CVE-2025-40227",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs: dealloc commit test ctx always  The damon_ctx for testing online DAMON parameters commit inputs is deallocated only when the test fails.  This means memory is leaked for every successful online DAMON parameters commit.  Fix the leak by always deallocating it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40228",
                                "url": "https://ubuntu.com/security/CVE-2025-40228",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs: catch commit test ctx alloc failure  Patch series \"mm/damon/sysfs: fix commit test damon_ctx [de]allocation\".  DAMON sysfs interface dynamically allocates and uses a damon_ctx object for testing if given inputs for online DAMON parameters update is valid. The object is being used without an allocation failure check, and leaked when the test succeeds.  Fix the two bugs.   This patch (of 2):  The damon_ctx for testing online DAMON parameters commit inputs is used without its allocation failure check.  This could result in an invalid memory access.  Fix it by directly returning an error when the allocation failed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40229",
                                "url": "https://ubuntu.com/security/CVE-2025-40229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/core: fix potential memory leak by cleaning ops_filter in damon_destroy_scheme  Currently, damon_destroy_scheme() only cleans up the filter list but leaves ops_filter untouched, which could lead to memory leaks when a scheme is destroyed.  This patch ensures both filter and ops_filter are properly freed in damon_destroy_scheme(), preventing potential memory leaks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40230",
                                "url": "https://ubuntu.com/security/CVE-2025-40230",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm: prevent poison consumption when splitting THP  When performing memory error injection on a THP (Transparent Huge Page) mapped to userspace on an x86 server, the kernel panics with the following trace.  The expected behavior is to terminate the affected process instead of panicking the kernel, as the x86 Machine Check code can recover from an in-userspace #MC.    mce: [Hardware Error]: CPU 0: Machine Check Exception: f Bank 3: bd80000000070134   mce: [Hardware Error]: RIP 10:<ffffffff8372f8bc> {memchr_inv+0x4c/0xf0}   mce: [Hardware Error]: TSC afff7bbff88a ADDR 1d301b000 MISC 80 PPIN 1e741e77539027db   mce: [Hardware Error]: PROCESSOR 0:d06d0 TIME 1758093249 SOCKET 0 APIC 0 microcode 80000320   mce: [Hardware Error]: Run the above through 'mcelog --ascii'   mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel   Kernel panic - not syncing: Fatal local machine check  The root cause of this panic is that handling a memory failure triggered by an in-userspace #MC necessitates splitting the THP.  The splitting process employs a mechanism, implemented in try_to_map_unused_to_zeropage(), which reads the pages in the THP to identify zero-filled pages.  However, reading the pages in the THP results in a second in-kernel #MC, occurring before the initial memory_failure() completes, ultimately leading to a kernel panic.  See the kernel panic call trace on the two #MCs.    
First Machine Check occurs // [1]     memory_failure()         // [2]       try_to_split_thp_page()         split_huge_page()           split_huge_page_to_list_to_order()             __folio_split()  // [3]               remap_page()                 remove_migration_ptes()                   remove_migration_pte()                     try_to_map_unused_to_zeropage()  // [4]                       memchr_inv()                   // [5]                         Second Machine Check occurs  // [6]                           Kernel panic  [1] Triggered by accessing a hardware-poisoned THP in userspace, which is     typically recoverable by terminating the affected process.  [2] Call folio_set_has_hwpoisoned() before try_to_split_thp_page().  [3] Pass the RMP_USE_SHARED_ZEROPAGE remap flag to remap_page().  [4] Try to map the unused THP to zeropage.  [5] Re-access pages in the hw-poisoned THP in the kernel.  [6] Triggered in-kernel, leading to a panic kernel.  In Step[2], memory_failure() sets the poisoned flag on the page in the THP by TestSetPageHWPoison() before calling try_to_split_thp_page().  As suggested by David Hildenbrand, fix this panic by not accessing to the poisoned page in the THP during zeropage identification, while continuing to scan unaffected pages in the THP for possible zeropage mapping.  This prevents a second in-kernel #MC that would cause kernel panic in Step[4].  Thanks to Andrew Zaborowski for his initial work on fixing this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40231",
                                "url": "https://ubuntu.com/security/CVE-2025-40231",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix lock inversion in vsock_assign_transport()  Syzbot reported a potential lock inversion deadlock between vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.  The issue was introduced by commit 687aa0c5581b (\"vsock: Fix transport_* TOCTOU\") which added vsock_register_mutex locking in vsock_assign_transport() around the transport->release() call, which can call vsock_linger(). vsock_assign_transport() can be called with sk_lock held. vsock_linger() calls sk_wait_event() that temporarily releases and re-acquires sk_lock. During this window, if another thread holds vsock_register_mutex while trying to acquire sk_lock, a circular dependency is created.  Fix this by releasing vsock_register_mutex before calling transport->release() and vsock_deassign_transport(). This is safe because we don't need to hold vsock_register_mutex while releasing the old transport, and we ensure the new transport won't disappear by obtaining a module reference first via try_module_get().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40233",
                                "url": "https://ubuntu.com/security/CVE-2025-40233",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ocfs2: clear extent cache after moving/defragmenting extents  The extent map cache can become stale when extents are moved or defragmented, causing subsequent operations to see outdated extent flags. This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().  The problem occurs when: 1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED 2. ioctl(FITRIM) triggers ocfs2_move_extents() 3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2) 4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent()    which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0) 5. The extent map cache is not invalidated after the move 6. Later write() operations read stale cached flags (0x2) but disk has    updated flags (0x0), causing a mismatch 7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers  Fix by clearing the extent map cache after each extent move/defrag operation in __ocfs2_move_extents_range().  This ensures subsequent operations read fresh extent data from disk.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40235",
                                "url": "https://ubuntu.com/security/CVE-2025-40235",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots()  If fs_info->super_copy or fs_info->super_for_commit allocated failed in btrfs_get_tree_subvol(), then no need to call btrfs_free_fs_info(). Otherwise btrfs_check_leaked_roots() would access NULL pointer because fs_info->allocated_roots had not been initialised.  syzkaller reported the following information:   ------------[ cut here ]------------   BUG: unable to handle page fault for address: fffffffffffffbb0   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   PGD 64c9067 P4D 64c9067 PUD 64cb067 PMD 0   Oops: Oops: 0000 [#1] SMP KASAN PTI   CPU: 0 UID: 0 PID: 1402 Comm: syz.1.35 Not tainted 6.15.8 #4 PREEMPT(lazy)   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...)   RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]   RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]   RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]   RIP: 0010:refcount_read include/linux/refcount.h:170 [inline]   RIP: 0010:btrfs_check_leaked_roots+0x18f/0x2c0 fs/btrfs/disk-io.c:1230   [...]   
Call Trace:    <TASK>    btrfs_free_fs_info+0x310/0x410 fs/btrfs/disk-io.c:1280    btrfs_get_tree_subvol+0x592/0x6b0 fs/btrfs/super.c:2029    btrfs_get_tree+0x63/0x80 fs/btrfs/super.c:2097    vfs_get_tree+0x98/0x320 fs/super.c:1759    do_new_mount+0x357/0x660 fs/namespace.c:3899    path_mount+0x716/0x19c0 fs/namespace.c:4226    do_mount fs/namespace.c:4239 [inline]    __do_sys_mount fs/namespace.c:4450 [inline]    __se_sys_mount fs/namespace.c:4427 [inline]    __x64_sys_mount+0x28c/0x310 fs/namespace.c:4427    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0x92/0x180 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x76/0x7e   RIP: 0033:0x7f032eaffa8d   [...]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40236",
                                "url": "https://ubuntu.com/security/CVE-2025-40236",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: zero unused hash fields  When GSO tunnel is negotiated virtio_net_hdr_tnl_from_skb() tries to initialize the tunnel metadata but forgets to zero unused rxhash fields. This may leak information to the other side. Fix this by zeroing the unused hash fields.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40237",
                                "url": "https://ubuntu.com/security/CVE-2025-40237",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/notify: call exportfs_encode_fid with s_umount  Calling inotify_show_fdinfo() on fd watching an overlayfs inode, while the overlayfs is being unmounted, can lead to dereferencing NULL ptr.  This issue was found by syzkaller.  Race Condition Diagram:  Thread 1                           Thread 2 --------                           --------  generic_shutdown_super()  shrink_dcache_for_umount   sb->s_root = NULL                      |                     |             vfs_read()                     |              inotify_fdinfo()                     |               * inode get from mark *                     |               show_mark_fhandle(m, inode)                     |                exportfs_encode_fid(inode, ..)                     |                 ovl_encode_fh(inode, ..)                     |                  ovl_check_encode_origin(inode)                     |                   * deref i_sb->s_root *                     |                     |                     v  fsnotify_sb_delete(sb)  Which then leads to:  [   32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [   32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [   32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none)  <snip registers, unreliable trace>  [   32.143353] Call Trace: [   32.143732]  ovl_encode_fh+0xd5/0x170 [   32.144031]  exportfs_encode_inode_fh+0x12f/0x300 [   32.144425]  show_mark_fhandle+0xbe/0x1f0 [   32.145805]  inotify_fdinfo+0x226/0x2d0 [   32.146442]  inotify_show_fdinfo+0x1c5/0x350 [   32.147168]  seq_show+0x530/0x6f0 [   32.147449]  seq_read_iter+0x503/0x12a0 [   32.148419]  seq_read+0x31f/0x410 [   32.150714]  vfs_read+0x1f0/0x9e0 [   32.152297]  ksys_read+0x125/0x240  IOW 
ovl_check_encode_origin derefs inode->i_sb->s_root, after it was set to NULL in the unmount path.  Fix it by protecting calling exportfs_encode_fid() from show_mark_fhandle() with s_umount lock.  This form of fix was suggested by Amir in [1].  [1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40238",
                                "url": "https://ubuntu.com/security/CVE-2025-40238",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5: Fix IPsec cleanup over MPV device  When we do mlx5e_detach_netdev() we eventually disable blocking events notifier, among those events are IPsec MPV events from IB to core.  So before disabling those blocking events, make sure to also unregister the devcom device and mark all this device operations as complete, in order to prevent the other device from using invalid netdev during future devcom events which could cause the trace below.  BUG: kernel NULL pointer dereference, address: 0000000000000010 PGD 146427067 P4D 146427067 PUD 146488067 PMD 0 Oops: Oops: 0000 [#1] SMP CPU: 1 UID: 0 PID: 7735 Comm: devlink Tainted: GW 6.12.0-rc6_for_upstream_min_debug_2024_11_08_00_46 #1 Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core] Code: 00 01 48 83 05 23 32 1e 00 01 41 b8 ed ff ff ff e9 60 ff ff ff 48 83 05 00 32 1e 00 01 eb e3 66 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 47 10 48 83 05 5f 32 1e 00 01 48 8b 50 40 48 85 d2 74 05 40 RSP: 0018:ffff88811a5c35f8 EFLAGS: 00010206 RAX: ffff888106e8ab80 RBX: ffff888107d7e200 RCX: ffff88810d6f0a00 RDX: ffff88810d6f0a00 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff88811a17e620 R08: 0000000000000040 R09: 0000000000000000 R10: ffff88811a5c3618 R11: 0000000de85d51bd R12: ffff88811a17e600 R13: ffff88810d6f0a00 R14: 0000000000000000 R15: ffff8881034bda80 FS:  00007f27bdf89180(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000010f159005 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  <TASK>  ? __die+0x20/0x60  ? page_fault_oops+0x150/0x3e0  ? 
exc_page_fault+0x74/0x130  ? asm_exc_page_fault+0x22/0x30  ? mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core]  mlx5e_devcom_event_mpv+0x42/0x60 [mlx5_core]  mlx5_devcom_send_event+0x8c/0x170 [mlx5_core]  blocking_event+0x17b/0x230 [mlx5_core]  notifier_call_chain+0x35/0xa0  blocking_notifier_call_chain+0x3d/0x60  mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]  mlx5_core_mp_event_replay+0x12/0x20 [mlx5_core]  mlx5_ib_bind_slave_port+0x228/0x2c0 [mlx5_ib]  mlx5_ib_stage_init_init+0x664/0x9d0 [mlx5_ib]  ? idr_alloc_cyclic+0x50/0xb0  ? __kmalloc_cache_noprof+0x167/0x340  ? __kmalloc_noprof+0x1a7/0x430  __mlx5_ib_add+0x34/0xd0 [mlx5_ib]  mlx5r_probe+0xe9/0x310 [mlx5_ib]  ? kernfs_add_one+0x107/0x150  ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib]  auxiliary_bus_probe+0x3e/0x90  really_probe+0xc5/0x3a0  ? driver_probe_device+0x90/0x90  __driver_probe_device+0x80/0x160  driver_probe_device+0x1e/0x90  __device_attach_driver+0x7d/0x100  bus_for_each_drv+0x80/0xd0  __device_attach+0xbc/0x1f0  bus_probe_device+0x86/0xa0  device_add+0x62d/0x830  __auxiliary_device_add+0x3b/0xa0  ? auxiliary_device_init+0x41/0x90  add_adev+0xd1/0x150 [mlx5_core]  mlx5_rescan_drivers_locked+0x21c/0x300 [mlx5_core]  esw_mode_change+0x6c/0xc0 [mlx5_core]  mlx5_devlink_eswitch_mode_set+0x21e/0x640 [mlx5_core]  devlink_nl_eswitch_set_doit+0x60/0xe0  genl_family_rcv_msg_doit+0xd0/0x120  genl_rcv_msg+0x180/0x2b0  ? devlink_get_from_attrs_lock+0x170/0x170  ? devlink_nl_eswitch_get_doit+0x290/0x290  ? devlink_nl_pre_doit_port_optional+0x50/0x50  ? genl_family_rcv_msg_dumpit+0xf0/0xf0  netlink_rcv_skb+0x54/0x100  genl_rcv+0x24/0x40  netlink_unicast+0x1fc/0x2d0  netlink_sendmsg+0x1e4/0x410  __sock_sendmsg+0x38/0x60  ? sockfd_lookup_light+0x12/0x60  __sys_sendto+0x105/0x160  ? 
__sys_recvmsg+0x4e/0x90  __x64_sys_sendto+0x20/0x30  do_syscall_64+0x4c/0x100  entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f27bc91b13a Code: bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 fa 96 2c 00 45 89 c9 4c 63 d1 48 63 ff 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40239",
                                "url": "https://ubuntu.com/security/CVE-2025-40239",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: phy: micrel: always set shared->phydev for LAN8814  Currently, during the LAN8814 PTP probe shared->phydev is only set if PTP clock gets actually set, otherwise the function will return before setting it.  This is an issue as shared->phydev is unconditionally being used when IRQ is being handled, especially in lan8814_gpio_process_cap and since it was not set it will cause a NULL pointer exception and crash the kernel.  So, simply always set shared->phydev to avoid the NULL pointer exception.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40240",
                                "url": "https://ubuntu.com/security/CVE-2025-40240",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: avoid NULL dereference when chunk data buffer is missing  chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only.  chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40241",
                                "url": "https://ubuntu.com/security/CVE-2025-40241",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: fix crafted invalid cases for encoded extents  Robert recently reported two corrupted images that can cause system crashes, which are related to the new encoded extents introduced in Linux 6.15:    - The first one [1] has plen != 0 (e.g. plen == 0x2000000) but     (plen & Z_EROFS_EXTENT_PLEN_MASK) == 0. It is used to represent     special extents such as sparse extents (!EROFS_MAP_MAPPED), but     previously only plen == 0 was handled;    - The second one [2] has pa 0xffffffffffdcffed and plen 0xb4000,     then \"cur [0xfffffffffffff000] += bvec.bv_len [0x1000]\" in     \"} while ((cur += bvec.bv_len) < end);\" wraps around, causing an     out-of-bound access of pcl->compressed_bvecs[] in     z_erofs_submit_queue().  EROFS only supports 48-bit physical block     addresses (up to 1EiB for 4k blocks), so add a sanity check to     enforce this.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40242",
                                "url": "https://ubuntu.com/security/CVE-2025-40242",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gfs2: Fix unlikely race in gdlm_put_lock  In gdlm_put_lock(), there is a small window of time in which the DFL_UNMOUNT flag has been set but the lockspace hasn't been released, yet.  In that window, dlm may still call gdlm_ast() and gdlm_bast(). To prevent it from dereferencing freed glock objects, only free the glock if the lockspace has actually been released.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40243",
                                "url": "https://ubuntu.com/security/CVE-2025-40243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()  The syzbot reported issue in hfs_find_set_zero_bits():  ===================================================== BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45  hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45  hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151  hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408  hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353  __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151  block_write_begin fs/buffer.c:2262 [inline]  cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601  hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52  cont_expand_zero fs/buffer.c:2528 [inline]  cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591  hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52  hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494  hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654  notify_change+0x1993/0x1aa0 fs/attr.c:552  do_truncate+0x28f/0x310 fs/open.c:68  do_ftruncate+0x698/0x730 fs/open.c:195  do_sys_ftruncate fs/open.c:210 [inline]  __do_sys_ftruncate fs/open.c:215 [inline]  __se_sys_ftruncate fs/open.c:213 [inline]  __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213  x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Uninit was created at:  slab_post_alloc_hook mm/slub.c:4154 [inline]  slab_alloc_node mm/slub.c:4197 [inline]  __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354  kmalloc_noprof include/linux/slab.h:905 [inline]  hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175  hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337  get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681  get_tree_bdev+0x38/0x50 fs/super.c:1704  hfs_get_tree+0x35/0x40 fs/hfs/super.c:388  
vfs_get_tree+0xb0/0x5c0 fs/super.c:1804  do_new_mount+0x738/0x1610 fs/namespace.c:3902  path_mount+0x6db/0x1e90 fs/namespace.c:4226  do_mount fs/namespace.c:4239 [inline]  __do_sys_mount fs/namespace.c:4450 [inline]  __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427  __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427  x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 =====================================================  The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get():  HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);  Finally, it can trigger the reported issue because kmalloc() doesn't clear the allocated memory. If allocated memory contains only zeros, then everything will work pretty fine. But if the allocated memory contains the \"garbage\", then it can affect the bitmap operations and it triggers the reported issue.  This patch simply exchanges the kmalloc() on kzalloc() with the goal to guarantee the correctness of bitmap operations. Because, newly created allocation bitmap should have all available blocks free. Potentially, initialization bitmap's read operation could not fill the whole allocated memory and \"garbage\" in the not initialized memory will be the reason of volume coruptions and file system driver bugs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40244",
                                "url": "https://ubuntu.com/security/CVE-2025-40244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()  The syzbot reported issue in __hfsplus_ext_cache_extent():  [   70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.195022][ T9350]  __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.195530][ T9350]  hfsplus_file_extend+0x74f/0x1cf0 [   70.195998][ T9350]  hfsplus_get_block+0xe16/0x17b0 [   70.196458][ T9350]  __block_write_begin_int+0x962/0x2ce0 [   70.196959][ T9350]  cont_write_begin+0x1000/0x1950 [   70.197416][ T9350]  hfsplus_write_begin+0x85/0x130 [   70.197873][ T9350]  generic_perform_write+0x3e8/0x1060 [   70.198374][ T9350]  __generic_file_write_iter+0x215/0x460 [   70.198892][ T9350]  generic_file_write_iter+0x109/0x5e0 [   70.199393][ T9350]  vfs_write+0xb0f/0x14e0 [   70.199771][ T9350]  ksys_write+0x23e/0x490 [   70.200149][ T9350]  __x64_sys_write+0x97/0xf0 [   70.200570][ T9350]  x64_sys_call+0x3015/0x3cf0 [   70.201065][ T9350]  do_syscall_64+0xd9/0x1d0 [   70.201506][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [   70.202054][ T9350] [   70.202279][ T9350] Uninit was created at: [   70.202693][ T9350]  __kmalloc_noprof+0x621/0xf80 [   70.203149][ T9350]  hfsplus_find_init+0x8d/0x1d0 [   70.203602][ T9350]  hfsplus_file_extend+0x6ca/0x1cf0 [   70.204087][ T9350]  hfsplus_get_block+0xe16/0x17b0 [   70.204561][ T9350]  __block_write_begin_int+0x962/0x2ce0 [   70.205074][ T9350]  cont_write_begin+0x1000/0x1950 [   70.205547][ T9350]  hfsplus_write_begin+0x85/0x130 [   70.206017][ T9350]  generic_perform_write+0x3e8/0x1060 [   70.206519][ T9350]  __generic_file_write_iter+0x215/0x460 [   70.207042][ T9350]  generic_file_write_iter+0x109/0x5e0 [   70.207552][ T9350]  vfs_write+0xb0f/0x14e0 [   70.207961][ T9350]  ksys_write+0x23e/0x490 [   70.208375][ T9350]  __x64_sys_write+0x97/0xf0 [   70.208810][ T9350]  
x64_sys_call+0x3015/0x3cf0 [   70.209255][ T9350]  do_syscall_64+0xd9/0x1d0 [   70.209680][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [   70.210230][ T9350] [   70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5 [   70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [   70.212115][ T9350] ===================================================== [   70.212734][ T9350] Disabling lock debugging due to kernel taint [   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ... [   70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G    B             6.12.0-rc5 #5 [   70.214679][ T9350] Tainted: [B]=BAD_PAGE [   70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [   70.215999][ T9350] Call Trace: [   70.216309][ T9350]  <TASK> [   70.216585][ T9350]  dump_stack_lvl+0x1fd/0x2b0 [   70.217025][ T9350]  dump_stack+0x1e/0x30 [   70.217421][ T9350]  panic+0x502/0xca0 [   70.217803][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0  [   70.218294][ Message fromT sy9350]  kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...  kernel :[   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [  70.220179][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0 set ... [   70.221254][ T9350]  ? __msan_warning+0x96/0x120 [   70.222066][ T9350]  ? __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.223023][ T9350]  ? hfsplus_file_extend+0x74f/0x1cf0 [   70.224120][ T9350]  ? hfsplus_get_block+0xe16/0x17b0 [   70.224946][ T9350]  ? __block_write_begin_int+0x962/0x2ce0 [   70.225756][ T9350]  ? cont_write_begin+0x1000/0x1950 [   70.226337][ T9350]  ? hfsplus_write_begin+0x85/0x130 [   70.226852][ T9350]  ? generic_perform_write+0x3e8/0x1060 [   70.227405][ T9350]  ? __generic_file_write_iter+0x215/0x460 [   70.227979][ T9350]  ? generic_file_write_iter+0x109/0x5e0 [   70.228540][ T9350]  ? 
vfs_write+0xb0f/0x14e0 [   70.228997][ T9350]  ? ksys_write+0x23e/0x490 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40245",
                                "url": "https://ubuntu.com/security/CVE-2025-40245",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nios2: ensure that memblock.current_limit is set when setting pfn limits  On nios2, with CONFIG_FLATMEM set, the kernel relies on memblock_get_current_limit() to determine the limits of mem_map, in particular for max_low_pfn. Unfortunately, memblock.current_limit is only default initialized to MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading to situations where max_low_pfn can erroneously exceed the value of max_pfn and, thus, the valid range of available DRAM.  This can in turn cause kernel-level paging failures, e.g.:  [   76.900000] Unable to handle kernel paging request at virtual address 20303000 [   76.900000] ea = c0080890, ra = c000462c, cause = 14 [   76.900000] Kernel panic - not syncing: Oops [   76.900000] ---[ end Kernel panic - not syncing: Oops ]---  This patch fixes this by pre-calculating memblock.current_limit based on the upper limits of the available memory ranges via adjust_lowmem_bounds, a simplified version of the equivalent implementation within the arm architecture.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40086",
                                "url": "https://ubuntu.com/security/CVE-2025-40086",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Don't allow evicting of BOs in same VM in array of VM binds  An array of VM binds can potentially evict other buffer objects (BOs) within the same VM under certain conditions, which may lead to NULL pointer dereferences later in the bind pipeline. To prevent this, clear the allow_res_evict flag in the xe_bo_validate call.  v2:  - Invert polarity of no_res_evict (Thomas)  - Add comment in code explaining issue (Thomas)  (cherry picked from commit 8b9ba8d6d95fe75fed6b0480bb03da4b321bea08)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40087",
                                "url": "https://ubuntu.com/security/CVE-2025-40087",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define a proc_layoutcommit for the FlexFiles layout type  Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40088",
                                "url": "https://ubuntu.com/security/CVE-2025-40088",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()  The hfsplus_strcasecmp() logic can trigger the issue:  [  117.317703][ T9855] ================================================================== [  117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490 [  117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855 [  117.319577][ T9855] [  117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full) [  117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [  117.319783][ T9855] Call Trace: [  117.319785][ T9855]  <TASK> [  117.319788][ T9855]  dump_stack_lvl+0x1c1/0x2a0 [  117.319795][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319803][ T9855]  ? __pfx_dump_stack_lvl+0x10/0x10 [  117.319808][ T9855]  ? rcu_is_watching+0x15/0xb0 [  117.319816][ T9855]  ? lock_release+0x4b/0x3e0 [  117.319821][ T9855]  ? __kasan_check_byte+0x12/0x40 [  117.319828][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319835][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319842][ T9855]  print_report+0x17e/0x7e0 [  117.319848][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319855][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319862][ T9855]  ? __phys_addr+0xd3/0x180 [  117.319869][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319876][ T9855]  kasan_report+0x147/0x180 [  117.319882][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319891][ T9855]  hfsplus_strcasecmp+0x1bc/0x490 [  117.319900][ T9855]  ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10 [  117.319906][ T9855]  hfs_find_rec_by_key+0xa9/0x1e0 [  117.319913][ T9855]  __hfsplus_brec_find+0x18e/0x470 [  117.319920][ T9855]  ? __pfx_hfsplus_bnode_find+0x10/0x10 [  117.319926][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319933][ T9855]  ? 
__pfx___hfsplus_brec_find+0x10/0x10 [  117.319942][ T9855]  hfsplus_brec_find+0x28f/0x510 [  117.319949][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319956][ T9855]  ? __pfx_hfsplus_brec_find+0x10/0x10 [  117.319963][ T9855]  ? __kmalloc_noprof+0x2a9/0x510 [  117.319969][ T9855]  ? hfsplus_find_init+0x8c/0x1d0 [  117.319976][ T9855]  hfsplus_brec_read+0x2b/0x120 [  117.319983][ T9855]  hfsplus_lookup+0x2aa/0x890 [  117.319990][ T9855]  ? __pfx_hfsplus_lookup+0x10/0x10 [  117.320003][ T9855]  ? d_alloc_parallel+0x2f0/0x15e0 [  117.320008][ T9855]  ? __lock_acquire+0xaec/0xd80 [  117.320013][ T9855]  ? __pfx_d_alloc_parallel+0x10/0x10 [  117.320019][ T9855]  ? __raw_spin_lock_init+0x45/0x100 [  117.320026][ T9855]  ? __init_waitqueue_head+0xa9/0x150 [  117.320034][ T9855]  __lookup_slow+0x297/0x3d0 [  117.320039][ T9855]  ? __pfx___lookup_slow+0x10/0x10 [  117.320045][ T9855]  ? down_read+0x1ad/0x2e0 [  117.320055][ T9855]  lookup_slow+0x53/0x70 [  117.320065][ T9855]  walk_component+0x2f0/0x430 [  117.320073][ T9855]  path_lookupat+0x169/0x440 [  117.320081][ T9855]  filename_lookup+0x212/0x590 [  117.320089][ T9855]  ? __pfx_filename_lookup+0x10/0x10 [  117.320098][ T9855]  ? strncpy_from_user+0x150/0x290 [  117.320105][ T9855]  ? getname_flags+0x1e5/0x540 [  117.320112][ T9855]  user_path_at+0x3a/0x60 [  117.320117][ T9855]  __x64_sys_umount+0xee/0x160 [  117.320123][ T9855]  ? __pfx___x64_sys_umount+0x10/0x10 [  117.320129][ T9855]  ? do_syscall_64+0xb7/0x3a0 [  117.320135][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320141][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320145][ T9855]  do_syscall_64+0xf3/0x3a0 [  117.320150][ T9855]  ? 
exc_page_fault+0x9f/0xf0 [  117.320154][ T9855]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320158][ T9855] RIP: 0033:0x7f7dd7908b07 [  117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08 [  117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40162",
                                "url": "https://ubuntu.com/security/CVE-2025-40162",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails  devm_kasprintf() may return NULL on memory allocation failure, but the debug message prints cpus->dai_name before checking it. Move the dev_dbg() call after the NULL check to prevent potential NULL pointer dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40085",
                                "url": "https://ubuntu.com/security/CVE-2025-40085",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card  In try_to_register_card(), the return value of usb_ifnum_to_if() is passed directly to usb_interface_claimed() without a NULL check, which will lead to a NULL pointer dereference when creating an invalid USB audio device. Fix this by adding a check to ensure the interface pointer is valid before passing it to usb_interface_claimed().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40172",
                                "url": "https://ubuntu.com/security/CVE-2025-40172",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()  Currently, if find_and_map_user_pages() takes a DMA xfer request from the user with a length field set to 0, or in a rare case, the host receives QAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size is equal to the requested transaction size, the function will return 0 before allocating an sgt or setting the fields of the dma_xfer struct. In that case, encode_addr_size_pairs() will try to access the sgt which will lead to a general protection fault.  Return an EINVAL in case the user provides a zero-sized ALP, or the device requests continuation after all of the bytes have been transferred.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40177",
                                "url": "https://ubuntu.com/security/CVE-2025-40177",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/qaic: Fix bootlog initialization ordering  As soon as we queue MHI buffers to receive the bootlog from the device, we could be receiving data. Therefore all the resources needed to process that data need to be setup prior to queuing the buffers.  We currently initialize some of the resources after queuing the buffers which creates a race between the probe() and any data that comes back from the device. If the uninitialized resources are accessed, we could see page faults.  Fix the init ordering to close the race.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40163",
                                "url": "https://ubuntu.com/security/CVE-2025-40163",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched/deadline: Stop dl_server before CPU goes offline  IBM CI tool reported kernel warning[1] when running a CPU removal operation through drmgr[2]. i.e \"drmgr -c cpu -r -q 1\"  WARNING: CPU: 0 PID: 0 at kernel/sched/cpudeadline.c:219 cpudl_set+0x58/0x170 NIP [c0000000002b6ed8] cpudl_set+0x58/0x170 LR [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 Call Trace: [c000000002c2f8c0] init_stack+0x78c0/0x8000 (unreliable) [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 [c00000000034df84] __hrtimer_run_queues+0x1a4/0x390 [c00000000034f624] hrtimer_interrupt+0x124/0x300 [c00000000002a230] timer_interrupt+0x140/0x320  Git bisects to: commit 4ae8d9aa9f9d (\"sched/deadline: Fix dl_server getting stuck\")  This happens since: - dl_server hrtimer gets enqueued close to cpu offline, when   kthread_park enqueues a fair task. - CPU goes offline and drmgr removes it from cpu_present_mask. - hrtimer fires and warning is hit.  Fix it by stopping the dl_server before CPU is marked dead.  [1]: https://lore.kernel.org/all/8218e149-7718-4432-9312-f97297c352b9@linux.ibm.com/ [2]: https://github.com/ibm-power-utilities/powerpc-utils/tree/next/src/drmgr  [sshegde: wrote the changelog and tested it]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40174",
                                "url": "https://ubuntu.com/security/CVE-2025-40174",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/mm: Fix SMP ordering in switch_mm_irqs_off()  Stephen noted that it is possible to not have an smp_mb() between the loaded_mm store and the tlb_gen load in switch_mm(), meaning the ordering against flush_tlb_mm_range() goes out the window, and it becomes possible for switch_mm() to not observe a recent tlb_gen update and fail to flush the TLBs.  [ dhansen: merge conflict fixed by Ingo ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40089",
                                "url": "https://ubuntu.com/security/CVE-2025-40089",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cxl/features: Add check for no entries in cxl_feature_info  cxl EDAC calls cxl_feature_info() to get the feature information and if the hardware has no Features support, cxlfs may be passed in as NULL.  [   51.957498] BUG: kernel NULL pointer dereference, address: 0000000000000008 [   51.965571] #PF: supervisor read access in kernel mode [   51.971559] #PF: error_code(0x0000) - not-present page [   51.977542] PGD 17e4f6067 P4D 0 [   51.981384] Oops: Oops: 0000 [#1] SMP NOPTI [   51.986300] CPU: 49 UID: 0 PID: 3782 Comm: systemd-udevd Not tainted 6.17.0dj test+ #64 PREEMPT(voluntary) [   51.997355] Hardware name: <removed> [   52.009790] RIP: 0010:cxl_feature_info+0xa/0x80 [cxl_core]  Add a check for cxlfs before dereferencing it and return -EOPNOTSUPP if there is no cxlfs created due to no hardware support.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40176",
                                "url": "https://ubuntu.com/security/CVE-2025-40176",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tls: wait for pending async decryptions if tls_strp_msg_hold fails  Async decryption calls tls_strp_msg_hold to create a clone of the input skb to hold references to the memory it uses. If we fail to allocate that clone, proceeding with async decryption can lead to various issues (UAF on the skb, writing into userspace memory after the recv() call has returned).  In this case, wait for all pending decryption requests.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40164",
                                "url": "https://ubuntu.com/security/CVE-2025-40164",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: Fix using smp_processor_id() in preemptible code warnings  Syzbot reported the following warning:  BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879 caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary) Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120  check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49  usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331  usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708  usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417  __dev_set_mtu net/core/dev.c:9443 [inline]  netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496  netif_set_mtu+0xb0/0x160 net/core/dev.c:9520  dev_set_mtu+0xae/0x170 net/core/dev_api.c:247  dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572  dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821  sock_do_ioctl+0x19d/0x280 net/socket.c:1204  sock_ioctl+0x42f/0x6a0 net/socket.c:1311  vfs_ioctl fs/ioctl.c:51 [inline]  __do_sys_ioctl fs/ioctl.c:906 [inline]  __se_sys_ioctl fs/ioctl.c:892 [inline]  __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  For historical and portability reasons, the netif_rx() is usually run in the softirq or interrupt context, this commit therefore add local_bh_disable/enable() protection in the usbnet_resume_rx().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40091",
                                "url": "https://ubuntu.com/security/CVE-2025-40091",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ixgbe: fix too early devlink_free() in ixgbe_remove()  Since ixgbe_adapter is embedded in devlink, calling devlink_free() prematurely in the ixgbe_remove() path can lead to UAF. Move devlink_free() to the end.  KASAN report:   BUG: KASAN: use-after-free in ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]  Read of size 8 at addr ffff0000adf813e0 by task bash/2095  CPU: 1 UID: 0 PID: 2095 Comm: bash Tainted: G S 6.17.0-rc2-tnguy.net-queue+ #1 PREEMPT(full)  [...]  Call trace:   show_stack+0x30/0x90 (C)   dump_stack_lvl+0x9c/0xd0   print_address_description.constprop.0+0x90/0x310   print_report+0x104/0x1f0   kasan_report+0x88/0x180   __asan_report_load8_noabort+0x20/0x30   ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]   ixgbe_clear_interrupt_scheme+0xf8/0x130 [ixgbe]   ixgbe_remove+0x2d0/0x8c0 [ixgbe]   pci_device_remove+0xa0/0x220   device_remove+0xb8/0x170   device_release_driver_internal+0x318/0x490   device_driver_detach+0x40/0x68   unbind_store+0xec/0x118   drv_attr_store+0x64/0xb8   sysfs_kf_write+0xcc/0x138   kernfs_fop_write_iter+0x294/0x440   new_sync_write+0x1fc/0x588   vfs_write+0x480/0x6a0   ksys_write+0xf0/0x1e0   __arm64_sys_write+0x70/0xc0   invoke_syscall.constprop.0+0xcc/0x280   el0_svc_common.constprop.0+0xa8/0x248   do_el0_svc+0x44/0x68   el0_svc+0x54/0x160   el0t_64_sync_handler+0xa0/0xe8   el0t_64_sync+0x1b0/0x1b8",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40175",
                                "url": "https://ubuntu.com/security/CVE-2025-40175",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  idpf: cleanup remaining SKBs in PTP flows  When the driver requests Tx timestamp value, one of the first steps is to clone SKB using skb_get. It increases the reference counter for that SKB to prevent unexpected freeing by another component. However, there may be a case where the index is requested, SKB is assigned and never consumed by PTP flows - for example due to reset during running PTP apps.  Add a check in release timestamping function to verify if the SKB assigned to Tx timestamp latch was freed, and release remaining SKBs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40173",
                                "url": "https://ubuntu.com/security/CVE-2025-40173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ip6_tunnel: Prevent perpetual tunnel growth  Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd (\"net: ip_tunnel: prevent perpetual headroom growth\"), ipv6 tunnel yet increases the headroom without any ceiling.  Reflect ipv4 tunnel headroom adjustment limit on ipv6 version.  Credits to Francesco Ruggeri, who was originally debugging this issue and wrote local Arista-specific patch and a reproducer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40092",
                                "url": "https://ubuntu.com/security/CVE-2025-40092",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ncm: Refactor bind path to use __free()  After an bind/unbind cycle, the ncm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  ncm_bind+0x39c/0x3dc  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40093",
                                "url": "https://ubuntu.com/security/CVE-2025-40093",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ecm: Refactor bind path to use __free()  After an bind/unbind cycle, the ecm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40094",
                                "url": "https://ubuntu.com/security/CVE-2025-40094",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_acm: Refactor bind path to use __free()  After an bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  gs_free_req+0x30/0x44  acm_bind+0x1b8/0x1f4  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40095",
                                "url": "https://ubuntu.com/security/CVE-2025-40095",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_rndis: Refactor bind path to use __free()  After an bind/unbind cycle, the rndis->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40165",
                                "url": "https://ubuntu.com/security/CVE-2025-40165",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: nxp: imx8-isi: m2m: Fix streaming cleanup on release  If streamon/streamoff calls are imbalanced, such as when exiting an application with Ctrl+C when streaming, the m2m usage_count will never reach zero and the ISI channel won't be freed. Besides from that, if the input line width is more than 2K, it will trigger a WARN_ON():  [ 59.222120] ------------[ cut here ]------------ [ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654 [ 59.238569] Modules linked in: ap1302 [ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT [ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT) [ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120 [ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120 [ 59.275047] sp : ffff8000848c3b40 [ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00 [ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001 [ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780 [ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000 [ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c [ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 [ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30 [ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420 [ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000 [ 59.349590] Call trace: [ 59.352025]  mxc_isi_channel_chain+0xa4/0x120 (P) [ 59.356722]  mxc_isi_m2m_streamon+0x160/0x20c [ 
59.361072]  v4l_streamon+0x24/0x30 [ 59.364556]  __video_do_ioctl+0x40c/0x4a0 [ 59.368560]  video_usercopy+0x2bc/0x690 [ 59.372382]  video_ioctl2+0x18/0x24 [ 59.375857]  v4l2_ioctl+0x40/0x60 [ 59.379168]  __arm64_sys_ioctl+0xac/0x104 [ 59.383172]  invoke_syscall+0x48/0x104 [ 59.386916]  el0_svc_common.constprop.0+0xc0/0xe0 [ 59.391613]  do_el0_svc+0x1c/0x28 [ 59.394915]  el0_svc+0x34/0xf4 [ 59.397966]  el0t_64_sync_handler+0xa0/0xe4 [ 59.402143]  el0t_64_sync+0x198/0x19c [ 59.405801] ---[ end trace 0000000000000000 ]---  Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the v4l2_m2m_ioctl_streamon() and v4l2_m2m_ioctl_streamoff() helpers.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40096",
                                "url": "https://ubuntu.com/security/CVE-2025-40096",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies  When adding dependencies with drm_sched_job_add_dependency(), that function consumes the fence reference both on success and failure, so in the latter case the dma_fence_put() on the error path (xarray failed to expand) is a double free.  Interestingly this bug appears to have been present ever since commit ebd5f74255b9 (\"drm/sched: Add dependency tracking\"), since the code back then looked like this:  drm_sched_job_add_implicit_dependencies(): ...        for (i = 0; i < fence_count; i++) {                ret = drm_sched_job_add_dependency(job, fences[i]);                if (ret)                        break;        }         for (; i < fence_count; i++)                dma_fence_put(fences[i]);  Which means for the failing 'i' the dma_fence_put was already a double free. Possibly there were no users at that time, or the test cases were insufficient to hit it.  The bug was then only noticed and fixed after commit 9c2ba265352a (\"drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2\") landed, with its fixup of commit 4eaf02d6076c (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies\").  At that point it was a slightly different flavour of a double free, which commit 963d0b356935 (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder\") noticed and attempted to fix.  But it only moved the double free from happening inside the drm_sched_job_add_dependency(), when releasing the reference not yet obtained, to the caller, when releasing the reference already released by the former in the failure case.  As such it is not easy to identify the right target for the fixes tag so lets keep it simple and just continue the chain.  
While fixing we also improve the comment and explain the reason for taking the reference and not dropping it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40097",
                                "url": "https://ubuntu.com/security/CVE-2025-40097",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda: Fix missing pointer check in hda_component_manager_init function  The __component_match_add function may assign the 'matchptr' pointer the value ERR_PTR(-ENOMEM), which will subsequently be dereferenced.  The call stack leading to the error looks like this:  hda_component_manager_init |-> component_match_add     |-> component_match_add_release         |-> __component_match_add ( ... ,**matchptr, ... )             |-> *matchptr = ERR_PTR(-ENOMEM);       // assign |-> component_master_add_with_match( ...  match)     |-> component_match_realloc(match, match->num); // dereference  Add IS_ERR() check to prevent the crash.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40098",
                                "url": "https://ubuntu.com/security/CVE-2025-40098",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state()  Return value of a function acpi_evaluate_dsm() is dereferenced  without checking for NULL, but it is usually checked for this function.  acpi_evaluate_dsm() may return NULL, when acpi_evaluate_object() returns acpi_status other than ACPI_SUCCESS, so add a check to prevent the crash.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40099",
                                "url": "https://ubuntu.com/security/CVE-2025-40099",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cifs: parse_dfs_referrals: prevent oob on malformed input  Malicious SMB server can send invalid reply to FSCTL_DFS_GET_REFERRALS  - reply smaller than sizeof(struct get_dfs_referral_rsp) - reply with number of referrals smaller than NumberOfReferrals in the header  Processing of such replies will cause oob.  Return -EINVAL error on such replies to prevent oob-s.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40100",
                                "url": "https://ubuntu.com/security/CVE-2025-40100",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: do not assert we found block group item when creating free space tree  Currently, when building a free space tree at populate_free_space_tree(), if we are not using the block group tree feature, we always expect to find block group items (either extent items or a block group item with key type BTRFS_BLOCK_GROUP_ITEM_KEY) when we search the extent tree with btrfs_search_slot_for_read(), so we assert that we found an item. However this expectation is wrong since we can have a new block group created in the current transaction which is still empty and for which we still have not added the block group's item to the extent tree, in which case we do not have any items in the extent tree associated to the block group.  The insertion of a new block group's block group item in the extent tree happens at btrfs_create_pending_block_groups() when it calls the helper insert_block_group_item(). This typically is done when a transaction handle is released, committed or when running delayed refs (either as part of a transaction commit or when serving tickets for space reservation if we are low on free space).  So remove the assertion at populate_free_space_tree() even when the block group tree feature is not enabled and update the comment to mention this case.  Syzbot reported this with the following stack trace:    BTRFS info (device loop3 state M): rebuilding free space tree   assertion failed: ret == 0 :: 0, in fs/btrfs/free-space-tree.c:1115   ------------[ cut here ]------------   kernel BUG at fs/btrfs/free-space-tree.c:1115!   Oops: invalid opcode: 0000 [#1] SMP KASAN PTI   CPU: 1 UID: 0 PID: 6352 Comm: syz.3.25 Not tainted syzkaller #0 PREEMPT(full)   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025   RIP: 0010:populate_free_space_tree+0x700/0x710 fs/btrfs/free-space-tree.c:1115   Code: ff ff e8 d3 (...)   
RSP: 0018:ffffc9000430f780 EFLAGS: 00010246   RAX: 0000000000000043 RBX: ffff88805b709630 RCX: fea61d0e2e79d000   RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000   RBP: ffffc9000430f8b0 R08: ffffc9000430f4a7 R09: 1ffff92000861e94   R10: dffffc0000000000 R11: fffff52000861e95 R12: 0000000000000001   R13: 1ffff92000861f00 R14: dffffc0000000000 R15: 0000000000000000   FS:  00007f424d9fe6c0(0000) GS:ffff888125afc000(0000) knlGS:0000000000000000   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   CR2: 00007fd78ad212c0 CR3: 0000000076d68000 CR4: 00000000003526f0   Call Trace:    <TASK>    btrfs_rebuild_free_space_tree+0x1ba/0x6d0 fs/btrfs/free-space-tree.c:1364    btrfs_start_pre_rw_mount+0x128f/0x1bf0 fs/btrfs/disk-io.c:3062    btrfs_remount_rw fs/btrfs/super.c:1334 [inline]    btrfs_reconfigure+0xaed/0x2160 fs/btrfs/super.c:1559    reconfigure_super+0x227/0x890 fs/super.c:1076    do_remount fs/namespace.c:3279 [inline]    path_mount+0xd1a/0xfe0 fs/namespace.c:4027    do_mount fs/namespace.c:4048 [inline]    __do_sys_mount fs/namespace.c:4236 [inline]    __se_sys_mount+0x313/0x410 fs/namespace.c:4213    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    RIP: 0033:0x7f424e39066a   Code: d8 64 89 02 (...)   RSP: 002b:00007f424d9fde68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5   RAX: ffffffffffffffda RBX: 00007f424d9fdef0 RCX: 00007f424e39066a   RDX: 0000200000000180 RSI: 0000200000000380 RDI: 0000000000000000   RBP: 0000200000000180 R08: 00007f424d9fdef0 R09: 0000000000000020   R10: 0000000000000020 R11: 0000000000000246 R12: 0000200000000380   R13: 00007f424d9fdeb0 R14: 0000000000000000 R15: 00002000000002c0    </TASK>   Modules linked in:   ---[ end trace 0000000000000000 ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40101",
                                "url": "https://ubuntu.com/security/CVE-2025-40101",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST  At the end of btrfs_load_block_group_zone_info() the first thing we do is to ensure that if the mapping type is not a SINGLE one and there is no RAID stripe tree, then we return early with an error.  Doing that, though, prevents the code from running the last calls from this function which are about freeing memory allocated during its run. Hence, in this case, instead of returning early, we set the ret value and fall through the rest of the cleanup code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40167",
                                "url": "https://ubuntu.com/security/CVE-2025-40167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: detect invalid INLINE_DATA + EXTENTS flag combination  syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal.  The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set:      EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:     comm syz.0.17: corrupted extent tree: lblk 0 < prev 66  Investigation revealed that the inode has both flags set:     DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1  This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks  Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes.  Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40102",
                                "url": "https://ubuntu.com/security/CVE-2025-40102",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Prevent access to vCPU events before init  Another day, another syzkaller bug. KVM erroneously allows userspace to pend vCPU events for a vCPU that hasn't been initialized yet, leading to KVM interpreting a bunch of uninitialized garbage for routing / injecting the exception.  In one case the injection code and the hyp disagree on whether the vCPU has a 32bit EL1 and put the vCPU into an illegal mode for AArch64, tripping the BUG() in exception_target_el() during the next injection:    kernel BUG at arch/arm64/kvm/inject_fault.c:40!   Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP   CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT   Hardware name: linux,dummy-virt (DT)   pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)   pc : exception_target_el+0x88/0x8c   lr : pend_serror_exception+0x18/0x13c   sp : ffff800082f03a10   x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000   x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000   x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004   x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000   x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0   x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000   x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000   x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000   x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000   x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20   Call trace:    exception_target_el+0x88/0x8c (P)    kvm_inject_serror_esr+0x40/0x3b4    __kvm_arm_vcpu_set_events+0xf0/0x100    kvm_arch_vcpu_ioctl+0x180/0x9d4    kvm_vcpu_ioctl+0x60c/0x9f4    __arm64_sys_ioctl+0xac/0x104    invoke_syscall+0x48/0x110    el0_svc_common.constprop.0+0x40/0xe0  
  do_el0_svc+0x1c/0x28    el0_svc+0x34/0xf0    el0t_64_sync_handler+0xa0/0xe4    el0t_64_sync+0x198/0x19c   Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000)  Reject the ioctls outright as no sane VMM would call these before KVM_ARM_VCPU_INIT anyway. Even if it did the exception would've been thrown away by the eventual reset of the vCPU's state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40103",
                                "url": "https://ubuntu.com/security/CVE-2025-40103",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: Fix refcount leak for cifs_sb_tlink  Fix three refcount inconsistency issues related to `cifs_sb_tlink`.  Comments for `cifs_sb_tlink` state that `cifs_put_tlink()` needs to be called after successful calls to `cifs_sb_tlink()`. Three calls fail to update refcount accordingly, leading to possible resource leaks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40104",
                                "url": "https://ubuntu.com/security/CVE-2025-40104",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ixgbevf: fix mailbox API compatibility by negotiating supported features  There was backward compatibility in the terms of mailbox API. Various drivers from various OSes supporting 10G adapters from Intel portfolio could easily negotiate mailbox API.  This convention has been broken since introducing API 1.4. Commit 0062e7cc955e (\"ixgbevf: add VF IPsec offload code\") added support for IPSec which is specific only for the kernel ixgbe driver. None of the rest of the Intel 10G PF/VF drivers supports it. And actually lack of support was not included in the IPSec implementation - there were no such code paths. No possibility to negotiate support for the feature was introduced along with introduction of the feature itself.  Commit 339f28964147 (\"ixgbevf: Add support for new mailbox communication between PF and VF\") increasing API version to 1.5 did the same - it introduced code supported specifically by the PF ESX driver. It altered API version for the VF driver in the same time not touching the version defined for the PF ixgbe driver. It led to additional discrepancies, as the code provided within API 1.6 cannot be supported for Linux ixgbe driver as it causes crashes.  The issue was noticed some time ago and mitigated by Jake within the commit d0725312adf5 (\"ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5\"). As a result we have regression for IPsec support and after increasing API to version 1.6 ixgbevf driver stopped to support ESX MBX.  To fix this mess add new mailbox op asking PF driver about supported features. Basing on a response determine whether to set support for IPSec and ESX-specific enhanced mailbox.  New mailbox op, for compatibility purposes, must be added within new API revision, as API version of OOT PF & VF drivers is already increased to 1.6 and doesn't incorporate features negotiate op.  
Features negotiation mechanism gives possibility to be extended with new features when needed in the future.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40166",
                                "url": "https://ubuntu.com/security/CVE-2025-40166",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Check GuC running state before deregistering exec queue  In normal operation, a registered exec queue is disabled and deregistered through the GuC, and freed only after the GuC confirms completion. However, if the driver is forced to unbind while the exec queue is still running, the user may call exec_destroy() after the GuC has already been stopped and CT communication disabled.  In this case, the driver cannot receive a response from the GuC, preventing proper cleanup of exec queue resources. Fix this by directly releasing the resources when GuC is not running.  Here is the failure dmesg log: \" [  468.089581] ---[ end trace 0000000000000000 ]--- [  468.089608] pci 0000:03:00.0: [drm] *ERROR* GT0: GUC ID manager unclean (1/65535) [  468.090558] pci 0000:03:00.0: [drm] GT0:     total 65535 [  468.090562] pci 0000:03:00.0: [drm] GT0:     used 1 [  468.090564] pci 0000:03:00.0: [drm] GT0:     range 1..1 (1) [  468.092716] ------------[ cut here ]------------ [  468.092719] WARNING: CPU: 14 PID: 4775 at drivers/gpu/drm/xe/xe_ttm_vram_mgr.c:298 ttm_vram_mgr_fini+0xf8/0x130 [xe] \"  v2: use xe_uc_fw_is_running() instead of xe_guc_ct_enabled().     As CT may go down and come back during VF migration.  (cherry picked from commit 9b42321a02c50a12b2beb6ae9469606257fbecea)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40105",
                                "url": "https://ubuntu.com/security/CVE-2025-40105",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vfs: Don't leak disconnected dentries on umount  When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb (\"VFS: don't keep disconnected dentries on d_anon\") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitly relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are \"leaked\". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous \"Busy inodes after unmount\" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40019",
                                "url": "https://ubuntu.com/security/CVE-2025-40019",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: essiv - Check ssize for decryption and in-place encryption  Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-24 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40214",
                                "url": "https://ubuntu.com/security/CVE-2025-40214",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  af_unix: Initialise scc_index in unix_add_edge().  Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro.  The repro consists of three stages.    1)     1-a. Create a single cyclic reference with many sockets     1-b. close() all sockets     1-c. Trigger GC    2)     2-a. Pass sk-A to an embryo sk-B     2-b. Pass sk-X to sk-X     2-c. Trigger GC    3)     3-a. accept() the embryo sk-B     3-b. Pass sk-B to sk-C     3-c. close() the in-flight sk-A     3-d. Trigger GC  As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs:    unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START)   unix_sk(sk-X)->vertex->scc_index = 3  Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC.  At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices.  unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight.  3-c decrements sk-A's file refcnt to 1.  Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X:    sk-A -> sk-B (-> sk-C)   sk-X -> sk-X  This is totally fine.  All of them are not yet close()d and should be grouped into different SCCs.  However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead.    unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong!   &&   sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree                                        ^-- 1 in-flight count for sk-B   -> sk-A is dead !?  
The problem is that unix_add_edge() does not initialise scc_index.  Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c.  Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index.  This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.",
                                "cve_priority": "high",
                                "cve_public_date": "2025-12-04 13:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * questing/linux-riscv: 6.17.0-14.14.1 -proposed tracker (LP: #2137845)",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian.riscv/dkms-versions -- update from kernel-versions",
                            "      (main/2026.01.12)",
                            "",
                            "  [ Ubuntu: 6.17.0-14.14 ]",
                            "",
                            "  * questing/linux: 6.17.0-14.14 -proposed tracker (LP: #2137849)",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian.master/dkms-versions -- update from kernel-versions",
                            "      (main/2026.01.12)",
                            "  * ubuntu_kselftests:_net/net:gre_gso.sh failing (LP: #2136820)",
                            "    - SAUCE increase socat timeout in gre_gso.sh",
                            "  * ubuntu_blktrace_smoke_test fails on questing with rust coreutils",
                            "    (LP: #2137698)",
                            "    - SAUCE: Revert \"ext4: fail unaligned direct IO write with EINVAL\"",
                            "  * bareudp.sh in ubuntu_kselftests_net fails because of dash default shell",
                            "    (LP: #2129812)",
                            "    - selftests: net: use BASH for bareudp testing",
                            "  * CVE-2025-40256",
                            "    - xfrm: also call xfrm_state_delete_tunnel at destroy time for states that",
                            "      were never added",
                            "  * Enable PMF on AMD HPT/STX/KRK (LP: #2125022)",
                            "    - platform/x86/amd/pmf: Add support for adjusting PMF PPT and PPT APU",
                            "      thresholds",
                            "    - platform/x86/amd/pmf: Extend custom BIOS inputs for more policies",
                            "    - platform/x86/amd/pmf: Update ta_pmf_action structure member",
                            "    - platform/x86/amd/pmf: Add helper to verify BIOS input notifications are",
                            "      enable/disable",
                            "    - platform/x86/amd/pmf: Add custom BIOS input support for AMD_CPU_ID_PS",
                            "    - platform/x86/amd/pmf: Preserve custom BIOS inputs for evaluating the",
                            "      policies",
                            "    - platform/x86/amd/pmf: Call enact function sooner to process early",
                            "      pending requests",
                            "    - platform/x86/amd/pmf: Add debug logs for pending requests and custom",
                            "      BIOS inputs",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850)",
                            "    - iommufd/selftest: Fix ioctl return value in _test_cmd_trigger_vevents()",
                            "    - drm/mediatek: Add pm_runtime support for GCE power control",
                            "    - drm/i915: Fix conversion between clock ticks and nanoseconds",
                            "    - drm/amdgpu: set default gfx reset masks for gfx6-8",
                            "    - drm/amd/display: Don't stretch non-native images by default in eDP",
                            "    - smb: client: fix refcount leak in smb2_set_path_attr",
                            "    - iommufd: Make vfio_compat's unmap succeed if the range is already empty",
                            "    - futex: Optimize per-cpu reference counting",
                            "    - drm/amd: Fix suspend failure with secure display TA",
                            "    - drm/xe: Move declarations under conditional branch",
                            "    - drm/xe: Do clean shutdown also when using flr",
                            "    - drm/amd/display: Add pixel_clock to amd_pp_display_configuration",
                            "    - drm/amd/pm: Use pm_display_cfg in legacy DPM (v2)",
                            "    - drm/amd/display: Disable fastboot on DCE 6 too",
                            "    - drm/amd/pm: Disable MCLK switching on SI at high pixel clocks",
                            "    - drm/amd: Disable ASPM on SI",
                            "    - arm64: kprobes: check the return value of set_memory_rox()",
                            "    - compiler_types: Move unused static inline functions warning to W=2",
                            "    - riscv: Build loader.bin exclusively for Canaan K210",
                            "    - RISC-V: clear hot-unplugged cores from all task mm_cpumasks to avoid",
                            "      rfence errors",
                            "    - riscv: acpi: avoid errors caused by probing DT devices when ACPI is used",
                            "    - fs: return EOPNOTSUPP from file_setattr/file_getattr syscalls",
                            "    - ASoC: nau8821: Avoid unnecessary blocking in IRQ handler",
                            "    - NFS4: Fix state renewals missing after boot",
                            "    - drm/amdkfd: fix suspend/resume all calls in mes based eviction path",
                            "    - NFS4: Apply delay_retrans to async operations",
                            "    - HID: intel-thc-hid: intel-quickspi: Add ARL PCI Device Id's",
                            "    - HID: quirks: avoid Cooler Master MM712 dongle wakeup bug",
                            "    - ixgbe: handle IXGBE_VF_GET_PF_LINK_STATE mailbox operation",
                            "    - HID: nintendo: Wait longer for initial probe",
                            "    - NFS: check if suid/sgid was cleared after a write as needed",
                            "    - HID: quirks: Add ALWAYS_POLL quirk for VRS R295 steering wheel",
                            "    - io_uring: fix unexpected placement on same size resizing",
                            "    - HID: logitech-hidpp: Add HIDPP_QUIRK_RESET_HI_RES_SCROLL",
                            "    - ASoC: max98090/91: fixed max98091 ALSA widget powering up/down",
                            "    - ALSA: hda/realtek: Fix mute led for HP Omen 17-cb0xxx",
                            "    - ixgbe: handle IXGBE_VF_FEATURES_NEGOTIATE mbox cmd",
                            "    - wifi: ath11k: zero init info->status in wmi_process_mgmt_tx_comp()",
                            "    - selftests: net: local_termination: Wait for interfaces to come up",
                            "    - net: fec: correct rx_bytes statistic for the case SHIFT16 is set",
                            "    - net: phy: micrel: Introduce lanphy_modify_page_reg",
                            "    - net: phy: micrel: Replace hardcoded pages with defines",
                            "    - net: phy: micrel: lan8814 fix reset of the QSGMII interface",
                            "    - rust: Add -fno-isolate-erroneous-paths-dereference to",
                            "      bindgen_skip_c_flags",
                            "    - NFSD: Skip close replay processing if XDR encoding fails",
                            "    - Bluetooth: 6lowpan: fix BDADDR_LE vs ADDR_LE_DEV address type confusion",
                            "    - Bluetooth: 6lowpan: Don't hold spin lock over sleeping functions",
                            "    - Bluetooth: hci_conn: Fix not cleaning up PA_LINK connections",
                            "    - net: dsa: tag_brcm: do not mark link local traffic as offloaded",
                            "    - net/smc: fix mismatch between CLC header and proposal",
                            "    - net/handshake: Fix memory leak in tls_handshake_accept()",
                            "    - net: ethernet: ti: am65-cpsw-qos: fix IET verify/response timeout",
                            "    - net: ethernet: ti: am65-cpsw-qos: fix IET verify retry mechanism",
                            "    - net: mdio: fix resource leak in mdiobus_register_device()",
                            "    - wifi: mac80211: skip rate verification for not captured PSDUs",
                            "    - Bluetooth: hci_event: Fix not handling PA Sync Lost event",
                            "    - net/mlx5e: Fix missing error assignment in mlx5e_xfrm_add_state()",
                            "    - net/mlx5e: Fix maxrate wraparound in threshold between units",
                            "    - net/mlx5e: Fix wraparound in rate limiting for values above 255 Gbps",
                            "    - net/mlx5e: Fix potentially misleading debug message",
                            "    - net/mlx5: Fix typo of MLX5_EQ_DOORBEL_OFFSET",
                            "    - net/mlx5: Store the global doorbell in mlx5_priv",
                            "    - net/mlx5e: Prepare for using different CQ doorbells",
                            "    - net_sched: limit try_bulk_dequeue_skb() batches",
                            "    - wifi: iwlwifi: mvm: fix beacon template/fixed rate",
                            "    - wifi: iwlwifi: mld: always take beacon ies in link grading",
                            "    - virtio-net: fix incorrect flags recording in big mode",
                            "    - hsr: Fix supervision frame sending on HSRv0",
                            "    - hsr: Follow standard for HSRv0 supervision frames",
                            "    - ACPI: CPPC: Detect preferred core availability on online CPUs",
                            "    - ACPI: CPPC: Check _CPC validity for only the online CPUs",
                            "    - ACPI: CPPC: Perform fast check switch only for online CPUs",
                            "    - ACPI: CPPC: Limit perf ctrs in PCC check only to online CPUs",
                            "    - cpufreq: intel_pstate: Check IDA only before MSR_IA32_PERF_CTL writes",
                            "    - Bluetooth: L2CAP: export l2cap_chan_hold for modules",
                            "    - io_uring/rsrc: don't use blk_rq_nr_phys_segments() as number of bvecs",
                            "    - acpi,srat: Fix incorrect device handle check for Generic Initiator",
                            "    - regulator: fixed: fix GPIO descriptor leak on register failure",
                            "    - ASoC: cs4271: Fix regulator leak on probe failure",
                            "    - ASoC: codecs: va-macro: fix resource leak in probe error path",
                            "    - drm/vmwgfx: Restore Guest-Backed only cursor plane support",
                            "    - ASoC: tas2781: fix getting the wrong device number",
                            "    - pnfs: Fix TLS logic in _nfs4_pnfs_v3_ds_connect()",
                            "    - pnfs: Fix TLS logic in _nfs4_pnfs_v4_ds_connect()",
                            "    - pnfs: Set transport security policy to RPC_XPRTSEC_NONE unless using TLS",
                            "    - simplify nfs_atomic_open_v23()",
                            "    - NFSv2/v3: Fix error handling in nfs_atomic_open_v23()",
                            "    - NFS: sysfs: fix leak when nfs_client kobject add fails",
                            "    - NFSv4: Fix an incorrect parameter when calling nfs4_call_sync()",
                            "    - drm/amd/amdgpu: Ensure isp_kernel_buffer_alloc() creates a new BO",
                            "    - acpi/hmat: Fix lockdep warning for hmem_register_resource()",
                            "    - ASoC: rsnd: fix OF node reference leak in rsnd_ssiu_probe()",
                            "    - drm/client: fix MODULE_PARM_DESC string for \"active\"",
                            "    - irqchip/riscv-intc: Add missing free() callback in riscv_intc_domain_ops",
                            "    - lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN",
                            "    - hostfs: Fix only passing host root in boot stage with new mount",
                            "    - afs: Fix dynamic lookup to fail on cell lookup failure",
                            "    - mtd: onenand: Pass correct pointer to IRQ handler",
                            "    - virtio-fs: fix incorrect check for fsvq->kobj",
                            "    - fs/namespace: correctly handle errors returned by grab_requested_mnt_ns",
                            "    - perf header: Write bpf_prog (infos|btfs)_cnt to data file",
                            "    - perf build: Don't fail fast path feature detection when binutils-devel",
                            "      is not available",
                            "    - perf lock: Fix segfault due to missing kernel map",
                            "    - perf test shell lock_contention: Extra debug diagnostics",
                            "    - perf test: Fix lock contention test",
                            "    - arm64: dts: rockchip: Set correct pinctrl for I2S1 8ch TX on odroid-m1",
                            "    - arm64: dts: rockchip: Fix PCIe power enable pin for BigTreeTech CB2 and",
                            "      Pi2",
                            "    - arm64: dts: rockchip: Make RK3588 GPU OPP table naming less generic",
                            "    - ARM: dts: imx6ull-engicam-microgea-rmm: fix report-rate-hz value",
                            "    - ARM: dts: imx51-zii-rdu1: Fix audmux node names",
                            "    - arm64: dts: imx8-ss-img: Avoid gpio0_mipi_csi GPIOs being deferred",
                            "    - arm64: dts: imx8mp-kontron: Fix USB OTG role switching",
                            "    - HID: hid-ntrig: Prevent memory leak in ntrig_report_version()",
                            "    - ARM: dts: BCM53573: Fix address of Luxul XAP-1440's Ethernet PHY",
                            "    - arm64: dts: rockchip: Fix USB power enable pin for BTT CB2 and Pi2",
                            "    - arm64: dts: rockchip: drop reset from rk3576 i2c9 node",
                            "    - pwm: adp5585: Correct mismatched pwm chip info",
                            "    - HID: playstation: Fix memory leak in dualshock4_get_calibration_data()",
                            "    - HID: uclogic: Fix potential memory leak in error path",
                            "    - LoongArch: KVM: Restore guest PMU if it is enabled",
                            "    - LoongArch: KVM: Add delay until timer interrupt injected",
                            "    - LoongArch: KVM: Fix max supported vCPUs set with EIOINTC",
                            "    - KVM: arm64: Make all 32bit ID registers fully writable",
                            "    - KVM: SVM: Mark VMCB_LBR dirty when MSR_IA32_DEBUGCTLMSR is updated",
                            "    - KVM: nSVM: Always recalculate LBR MSR intercepts in svm_update_lbrv()",
                            "    - KVM: nSVM: Fix and simplify LBR virtualization handling with nested",
                            "    - KVM: VMX: Fix check for valid GVA on an EPT violation",
                            "    - nfsd: add missing FATTR4_WORD2_CLONE_BLKSIZE from supported attributes",
                            "    - gcov: add support for GCC 15",
                            "    - kho: warn and exit when unpreserved page wasn't preserved",
                            "    - strparser: Fix signed/unsigned mismatch bug",
                            "    - dma-mapping: benchmark: Restore padding to ensure uABI remained",
                            "      consistent",
                            "    - maple_tree: fix tracepoint string pointers",
                            "    - LoongArch: Consolidate early_ioremap()/ioremap_prot()",
                            "    - LoongArch: Use correct accessor to read FWPC/MWPC",
                            "    - LoongArch: Let {pte,pmd}_modify() record the status of _PAGE_DIRTY",
                            "    - mm/damon/sysfs: change next_update_jiffies to a global variable",
                            "    - selftests/tracing: Run sample events to clear page cache events",
                            "    - wifi: mac80211: reject address change while connecting",
                            "    - mm/huge_memory: preserve PG_has_hwpoisoned if a folio is split to >0",
                            "      order",
                            "    - mm/mm_init: fix hash table order logging in alloc_large_system_hash()",
                            "    - mm/damon/stat: change last_refresh_jiffies to a global variable",
                            "    - mm/kmsan: fix kmsan kmalloc hook when no stack depots are allocated yet",
                            "    - mm/shmem: fix THP allocation and fallback loop",
                            "    - mm/mremap: honour writable bit in mremap pte batching",
                            "    - mm/huge_memory: fix folio split check for anon folios in swapcache",
                            "    - mmc: sdhci-of-dwcmshc: Change DLL_STRBIN_TAPNUM_DEFAULT to 0x4",
                            "    - mmc: pxamci: Simplify pxamci_probe() error handling using devm APIs",
                            "    - mmc: dw_mmc-rockchip: Fix wrong internal phase calculate",
                            "    - ASoC: sdw_utils: fix device reference leak in is_sdca_endpoint_present()",
                            "    - crypto: hisilicon/qm - Fix device reference leak in qm_get_qos_value",
                            "    - smb: client: fix cifs_pick_channel when channel needs reconnect",
                            "    - spi: Try to get ACPI GPIO IRQ earlier",
                            "    - x86/microcode/AMD: Add Zen5 model 0x44, stepping 0x1 minrev",
                            "    - x86/CPU/AMD: Add additional fixed RDSEED microcode revisions",
                            "    - selftests/user_events: fix type cast for write_index packed member in",
                            "      perf_test",
                            "    - gendwarfksyms: Skip files with no exports",
                            "    - ftrace: Fix BPF fexit with livepatch",
                            "    - LoongArch: Consolidate max_pfn & max_low_pfn calculation",
                            "    - LoongArch: Use physical addresses for CSR_MERRENTRY/CSR_TLBRENTRY",
                            "    - EDAC/altera: Handle OCRAM ECC enable after warm reset",
                            "    - EDAC/altera: Use INTTEST register for Ethernet and USB SBE injection",
                            "    - PM: hibernate: Emit an error when image writing fails",
                            "    - PM: hibernate: Use atomic64_t for compressed_size variable",
                            "    - btrfs: zoned: fix conventional zone capacity calculation",
                            "    - btrfs: zoned: fix stripe width calculation",
                            "    - btrfs: scrub: put bio after errors in scrub_raid56_parity_stripe()",
                            "    - btrfs: do not update last_log_commit when logging inode due to a new",
                            "      name",
                            "    - btrfs: release root after error in data_reloc_print_warning_inode()",
                            "    - drm/amdkfd: relax checks for over allocation of save area",
                            "    - drm/amdgpu: disable peer-to-peer access for DCC-enabled GC12 VRAM",
                            "      surfaces",
                            "    - drm/i915/psr: fix pipe to vblank conversion",
                            "    - drm/xe/xe3lpg: Extend Wa_15016589081 for xe3lpg",
                            "    - drm/xe/xe3: Extend wa_14023061436",
                            "    - drm/xe/xe3: Add WA_14024681466 for Xe3_LPG",
                            "    - pmdomain: imx: Fix reference count leak in imx_gpc_remove",
                            "    - pmdomain: samsung: plug potential memleak during probe",
                            "    - pmdomain: samsung: Rework legacy splash-screen handover workaround",
                            "    - selftests: mptcp: connect: fix fallback note due to OoO",
                            "    - selftests: mptcp: join: rm: set backup flag",
                            "    - selftests: mptcp: join: endpoints: longer transfer",
                            "    - selftests: mptcp: connect: trunc: read all recv data",
                            "    - selftests: mptcp: join: userspace: longer transfer",
                            "    - selftests: mptcp: join: properly kill background tasks",
                            "    - mm/huge_memory: do not change split_huge_page*() target order silently",
                            "    - mm/memory: do not populate page table entries beyond i_size",
                            "    - scripts/decode_stacktrace.sh: symbol: avoid trailing whitespaces",
                            "    - scripts/decode_stacktrace.sh: symbol: preserve alignment",
                            "    - scripts/decode_stacktrace.sh: fix build ID and PC source parsing",
                            "    - ASoC: da7213: Convert to DEFINE_RUNTIME_DEV_PM_OPS()",
                            "    - ASoC: da7213: Use component driver suspend/resume",
                            "    - KVM: x86: Rename local \"ecx\" variables to \"msr\" and \"pmc\" as appropriate",
                            "    - KVM: x86: Add support for RDMSR/WRMSRNS w/ immediate on Intel",
                            "    - KVM: VMX: Inject #UD if guest tries to execute SEAMCALL or TDCALL",
                            "    - isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()",
                            "    - net: phy: micrel: Fix lan8814_config_init",
                            "    - Linux 6.17.9",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68204",
                            "    - pmdomain: arm: scmi: Fix genpd leak on provider registration failure",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68203",
                            "    - drm/amdgpu: fix lock warning in amdgpu_userq_fence_driver_process",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40267",
                            "    - io_uring/rw: ensure allocated iovec gets cleared for early failure",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68198",
                            "    - crash: fix crashkernel resource shrink",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68199",
                            "    - codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for",
                            "      slabobj_ext",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40268",
                            "    - cifs: client: fix memory leak in smb3_fs_context_parse_param",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40269",
                            "    - ALSA: usb-audio: Fix potential overflow of PCM transfer buffer",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68205",
                            "    - ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40270",
                            "    - mm, swap: fix potential UAF issue for VMA readahead",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40271",
                            "    - fs/proc: fix uaf in proc_readdir_de()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40272",
                            "    - mm/secretmem: fix use-after-free race in fault handler",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68245",
                            "    - net: netpoll: fix incorrect refcount handling causing incorrect cleanup",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68240",
                            "    - nilfs2: avoid having an active sc_timer before freeing sci",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68241",
                            "    - ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68211",
                            "    - ksm: use range-walk function to jump over holes in",
                            "      scan_get_next_rmap_item",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68246",
                            "    - ksmbd: close accepted socket when per-IP limit rejects connection",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40273",
                            "    - NFSD: free copynotify stateid in nfs4_free_ol_stateid()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40212",
                            "    - nfsd: fix refcount leak in nfsd_set_fh_dentry()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40274",
                            "    - KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68202",
                            "    - sched_ext: Fix unsafe locking in the scx_dump_state()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68239",
                            "    - binfmt_misc: restore write access before closing files opened by",
                            "      open_exec()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68247",
                            "    - posix-timers: Plug potential memory leak in do_timer_create()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68208",
                            "    - bpf: account for current allocated stack depth in",
                            "      widen_imprecise_scalars()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68200",
                            "    - bpf: Add bpf_prog_run_data_pointers()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40275",
                            "    - ALSA: usb-audio: Fix NULL pointer dereference in",
                            "      snd_usb_mixer_controls_badd",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68242",
                            "    - NFS: Fix LTP test failures when timestamps are delegated",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68243",
                            "    - NFS: Check the TLS certificate fields in nfs_match_client()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40276",
                            "    - drm/panthor: Flush shmem writes before mapping buffers CPU-uncached",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40277",
                            "    - drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68206",
                            "    - netfilter: nft_ct: add seqadj extension for natted connections",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68209",
                            "    - mlx5: Fix default values in create CQ",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40278",
                            "    - net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-",
                            "      infoleak",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40279",
                            "    - net: sched: act_connmark: initialize struct tc_ife to fix kernel leak",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40280",
                            "    - tipc: Fix use-after-free in tipc_mon_reinit_self().",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40281",
                            "    - sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40282",
                            "    - Bluetooth: 6lowpan: reset link-local header on ipv6 recv path",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40283",
                            "    - Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40284",
                            "    - Bluetooth: MGMT: cancel mesh send timer when hdev removed",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68210",
                            "    - erofs: avoid infinite loop due to incomplete zstd-compressed data",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40285",
                            "    - smb/server: fix possible refcount leak in smb2_sess_setup()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40286",
                            "    - smb/server: fix possible memory leak in smb2_read()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40287",
                            "    - exfat: fix improper check of dentry.stream.valid_size",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40288",
                            "    - drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40289",
                            "    - drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68201",
                            "    - drm/amdgpu: remove two invalid BUG_ON()s",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68207",
                            "    - drm/xe/guc: Synchronize Dead CT worker with unbind",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68244",
                            "    - drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833)",
                            "    - Revert \"Bluetooth: L2CAP: convert timeouts to secs_to_jiffies()\"",
                            "    - sched_ext: Mark scx_bpf_dsq_move_set_[slice|vtime]() with KF_RCU",
                            "    - net: usb: asix_devices: Check return value of usbnet_get_endpoints",
                            "    - fbdev: atyfb: Check if pll_ops->init_pll failed",
                            "    - ACPI: button: Call input_free_device() on failing input device",
                            "      registration",
                            "    - ACPI: fan: Use platform device for devres-related actions",
                            "    - virtio-net: drop the multi-buffer XDP packet in zerocopy",
                            "    - batman-adv: Release references to inactive interfaces",
                            "    - Bluetooth: rfcomm: fix modem control handling",
                            "    - net: phy: dp83867: Disable EEE support as not implemented",
                            "    - fbdev: pvr2fb: Fix leftover reference to ONCHIP_NR_DMA_CHANNELS",
                            "    - fbdev: valkyriefb: Fix reference count leak in valkyriefb_init",
                            "    - mptcp: drop bogus optimization in __mptcp_check_push()",
                            "    - mptcp: restore window probe",
                            "    - ASoC: qdsp6: q6asm: do not sleep while atomic",
                            "    - ASoC: renesas: rz-ssi: Use proper dma_buffer_pos after resume",
                            "    - s390/pci: Restore IRQ unconditionally for the zPCI device",
                            "    - x86/build: Disable SSE4a",
                            "    - wifi: ath10k: Fix memory leak on unsupported WMI command",
                            "    - wifi: ath11k: Add missing platform IDs for quirk table",
                            "    - wifi: ath12k: free skb during idr cleanup callback",
                            "    - wifi: ath11k: avoid bit operation on key flags",
                            "    - drm/msm/a6xx: Fix GMU firmware parser",
                            "    - ALSA: usb-audio: fix control pipe direction",
                            "    - ASoC: cs-amp-lib-test: Fix missing include of kunit/test-bug.h",
                            "    - wifi: mac80211: reset FILS discovery and unsol probe resp intervals",
                            "    - wifi: mac80211: fix key tailroom accounting leak",
                            "    - wifi: nl80211: call kfree without a NULL check",
                            "    - kunit: test_dev_action: Correctly cast 'priv' pointer to long*",
                            "    - scsi: ufs: core: Initialize value of an attribute returned by uic cmd",
                            "    - scsi: core: Fix the unit attention counter implementation",
                            "    - bpf: Do not audit capability check in do_jit()",
                            "    - nvmet-auth: update sc_c in host response",
                            "    - crypto: s390/phmac - Do not modify the req->nbytes value",
                            "    - ASoC: Intel: avs: Unprepare a stream when XRUN occurs",
                            "    - ASoC: fsl_sai: fix bit order for DSD format",
                            "    - ASoC: fsl_micfil: correct the endian format for DSD",
                            "    - libbpf: Fix powerpc's stack register definition in bpf_tracing.h",
                            "    - ASoC: mediatek: Fix double pm_runtime_disable in remove functions",
                            "    - Bluetooth: ISO: Fix BIS connection dst_type handling",
                            "    - Bluetooth: btmtksdio: Add pmctrl handling for BT closed state during",
                            "      reset",
                            "    - Bluetooth: HCI: Fix tracking of advertisement set/instance 0x00",
                            "    - Bluetooth: ISO: Fix another instance of dst_type handling",
                            "    - Bluetooth: btintel_pcie: Fix event packet loss issue",
                            "    - Bluetooth: hci_conn: Fix connection cleanup with BIG with 2 or more BIS",
                            "    - Bluetooth: hci_core: Fix tracking of periodic advertisement",
                            "    - bpf: Conditionally include dynptr copy kfuncs",
                            "    - drm/msm: Ensure vm is created in VM_BIND ioctl",
                            "    - ALSA: usb-audio: add mono main switch to Presonus S1824c",
                            "    - ALSA: usb-audio: don't log messages meant for 1810c when initializing",
                            "      1824c",
                            "    - ACPI: MRRM: Check revision of MRRM table",
                            "    - drm/etnaviv: fix flush sequence logic",
                            "    - tools: ynl: fix string attribute length to include null terminator",
                            "    - net: hns3: return error code when function fails",
                            "    - sfc: fix potential memory leak in efx_mae_process_mport()",
                            "    - tools: ynl: avoid print_field when there is no reply",
                            "    - dpll: spec: add missing module-name and clock-id to pin-get reply",
                            "    - ASoC: fsl_sai: Fix sync error in consumer mode",
                            "    - ASoC: soc_sdw_utils: remove cs42l43 component_name",
                            "    - drm/amd/pm: fix smu table id bound check issue in smu_cmn_update_table()",
                            "    - drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji",
                            "    - drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland",
                            "    - drm/amdgpu: fix SPDX headers on amdgpu_cper.c/h",
                            "    - drm/amdgpu: fix SPDX header on amd_cper.h",
                            "    - drm/amdgpu: fix SPDX header on irqsrcs_vcn_5_0.h",
                            "    - ACPI: fan: Use ACPI handle when retrieving _FST",
                            "    - block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL",
                            "    - block: make REQ_OP_ZONE_OPEN a write operation",
                            "    - dma-fence: Fix safe access wrapper to call timeline name method",
                            "    - kbuild: align modinfo section for Secureboot Authenticode EDK2 compat",
                            "    - regmap: irq: Correct documentation of wake_invert flag",
                            "    - [Config] Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP for s390x",
                            "    - s390/mm: Fix memory leak in add_marker() when kvrealloc() fails",
                            "    - drm/xe: Do not wake device during a GT reset",
                            "    - drm/sched: avoid killing parent entity on child SIGKILL",
                            "    - drm/sched: Fix race in drm_sched_entity_select_rq()",
                            "    - drm/nouveau: Fix race in nouveau_sched_fini()",
                            "    - drm/i915/dmc: Clear HRR EVT_CTL/HTP to zero on ADL-S",
                            "    - drm/ast: Clear preserved bits from register output value",
                            "    - drm/amd: Check that VPE has reached DPM0 in idle handler",
                            "    - drm/amd/display: Fix incorrect return of vblank enable on unconfigured",
                            "      crtc",
                            "    - drm/amd/display: Don't program BLNDGAM_MEM_PWR_FORCE when CM low-power",
                            "      is disabled on DCN30",
                            "    - drm/amd/display: Add HDR workaround for a specific eDP",
                            "    - mptcp: leverage skb deferral free",
                            "    - mptcp: fix MSG_PEEK stream corruption",
                            "    - cpuidle: governors: menu: Rearrange main loop in menu_select()",
                            "    - cpuidle: governors: menu: Select polling state in some more cases",
                            "    - PM: hibernate: Combine return paths in power_down()",
                            "    - PM: sleep: Allow pm_restrict_gfp_mask() stacking",
                            "    - mfd: kempld: Switch back to earlier ->init() behavior",
                            "    - soc: aspeed: socinfo: Add AST27xx silicon IDs",
                            "    - firmware: qcom: scm: preserve assign_mem() error return value",
                            "    - soc: qcom: smem: Fix endian-unaware access of num_entries",
                            "    - spi: loopback-test: Don't use %pK through printk",
                            "    - spi: spi-qpic-snand: handle 'use_ecc' parameter of",
                            "      qcom_spi_config_cw_read()",
                            "    - soc: ti: pruss: don't use %pK through printk",
                            "    - bpf: Don't use %pK through printk",
                            "    - mmc: sdhci: Disable SD card clock before changing parameters",
                            "    - pinctrl: single: fix bias pull up/down handling in pin_config_set",
                            "    - mmc: host: renesas_sdhi: Fix the actual clock",
                            "    - memstick: Add timeout to prevent indefinite waiting",
                            "    - cpufreq: ti: Add support for AM62D2",
                            "    - bpf: Use tnums for JEQ/JNE is_branch_taken logic",
                            "    - firmware: ti_sci: Enable abort handling of entry to LPM",
                            "    - firewire: ohci: move self_id_complete tracepoint after validating",
                            "      register",
                            "    - irqchip/sifive-plic: Respect mask state when setting affinity",
                            "    - irqchip/loongson-eiointc: Route interrupt parsed from bios table",
                            "    - ACPI: sysfs: Use ACPI_FREE() for freeing an ACPI object",
                            "    - ACPI: video: force native for Lenovo 82K8",
                            "    - libbpf: Fix USDT SIB argument handling causing unrecognized register",
                            "      error",
                            "    - selftests/bpf: Fix bpf_prog_detach2 usage in test_lirc_mode2",
                            "    - arm64: versal-net: Update rtc calibration value",
                            "    - Revert \"UBUNTU: SAUCE: firmware: qcom: scm: Allow QSEECOM on Dell",
                            "      Inspiron 7441 / Latitude 7455\"",
                            "    - firmware: qcom: scm: Allow QSEECOM on Dell Inspiron 7441 / Latitude 7455",
                            "    - kselftest/arm64: tpidr2: Switch to waitpid() over wait4()",
                            "    - arc: Fix __fls() const-foldability via __builtin_clzl()",
                            "    - selftests/bpf: Upon failures, exit with code 1 in test_xsk.sh",
                            "    - irqchip/gic-v2m: Handle Multiple MSI base IRQ Alignment",
                            "    - ACPI: PRM: Skip handlers with NULL handler_address or NULL VA",
                            "    - ACPI: resource: Skip IRQ override on ASUS Vivobook Pro N6506CU",
                            "    - ACPI: scan: Add Intel CVS ACPI HIDs to acpi_ignore_dep_ids[]",
                            "    - thermal: gov_step_wise: Allow cooling level to be reduced earlier",
                            "    - thermal: intel: selftests: workload_hint: Mask unsupported types",
                            "    - power: supply: qcom_battmgr: add OOI chemistry",
                            "    - hwmon: (k10temp) Add thermal support for AMD Family 1Ah-based models",
                            "    - hwmon: (k10temp) Add device ID for Strix Halo",
                            "    - hwmon: (lenovo-ec-sensors) Update P8 supprt",
                            "    - hwmon: (sbtsi_temp) AMD CPU extended temperature range support",
                            "    - pinctrl: renesas: rzg2l: Add suspend/resume support for Schmitt control",
                            "      registers",
                            "    - pinctrl: keembay: release allocated memory in detach path",
                            "    - power: supply: sbs-charger: Support multiple devices",
                            "    - io_uring/rsrc: respect submitter_task in io_register_clone_buffers()",
                            "    - hwmon: sy7636a: add alias",
                            "    - selftests/bpf: Fix incorrect array size calculation",
                            "    - block: check for valid bio while splitting",
                            "    - irqchip/loongson-pch-lpc: Use legacy domain for PCH-LPC IRQ controller",
                            "    - cpufreq: ondemand: Update the efficient idle check for Intel extended",
                            "      Families",
                            "    - arm64: zynqmp: Disable coresight by default",
                            "    - arm64: zynqmp: Revert usb node drive strength and slew rate for zcu106",
                            "    - soc/tegra: fuse: Add Tegra114 nvmem cells and fuse lookups",
                            "    - ARM: tegra: p880: set correct touchscreen clipping",
                            "    - ARM: tegra: transformer-20: add missing magnetometer interrupt",
                            "    - ARM: tegra: transformer-20: fix audio-codec interrupt",
                            "    - firmware: qcom: tzmem: disable sc7180 platform",
                            "    - soc: ti: k3-socinfo: Add information for AM62L SR1.1",
                            "    - mmc: sdhci-msm: Enable tuning for SDR50 mode for SD card",
                            "    - pwm: pca9685: Use bulk write to atomicially update registers",
                            "    - ACPICA: dispatcher: Use acpi_ds_clear_operands() in",
                            "      acpi_ds_call_control_method()",
                            "    - tee: allow a driver to allocate a tee_device without a pool",
                            "    - kunit: Enable PCI on UML without triggering WARN()",
                            "    - selftests/bpf: Fix arena_spin_lock selftest failure",
                            "    - bpf: Do not limit bpf_cgroup_from_id to current's namespace",
                            "    - i3c: mipi-i3c-hci-pci: Add support for Intel Wildcat Lake-U I3C",
                            "    - rust: kunit: allow `cfg` on `test`s",
                            "    - video: backlight: lp855x_bl: Set correct EPROM start for LP8556",
                            "    - i3c: dw: Add shutdown support to dw_i3c_master driver",
                            "    - io_uring/zcrx: check all niovs filled with dma addresses",
                            "    - tools/cpupower: fix error return value in cpupower_write_sysfs()",
                            "    - io_uring/zcrx: account niov arrays to cgroup",
                            "    - pmdomain: apple: Add \"apple,t8103-pmgr-pwrstate\"",
                            "    - power: supply: qcom_battmgr: handle charging state change notifications",
                            "    - bpftool: Fix -Wuninitialized-const-pointer warnings with clang >= 21",
                            "    - cpuidle: Fail cpuidle device registration if there is one already",
                            "    - selftests/bpf: Fix selftest verifier_arena_large failure",
                            "    - selftests: ublk: fix behavior when fio is not installed",
                            "    - spi: rpc-if: Add resume support for RZ/G3E",
                            "    - ACPI: SPCR: Support Precise Baud Rate field",
                            "    - clocksource/drivers/vf-pit: Replace raw_readl/writel to readl/writel",
                            "    - clocksource/drivers/timer-rtl-otto: Work around dying timers",
                            "    - clocksource/drivers/timer-rtl-otto: Do not interfere with interrupts",
                            "    - riscv: bpf: Fix uninitialized symbol 'retval_off'",
                            "    - bpf: Clear pfmemalloc flag when freeing all fragments",
                            "    - selftests: drv-net: Pull data before parsing headers",
                            "    - nvme: Use non zero KATO for persistent discovery connections",
                            "    - uprobe: Do not emulate/sstep original instruction when ip is changed",
                            "    - hwmon: (asus-ec-sensors) increase timeout for locking ACPI mutex",
                            "    - hwmon: (dell-smm) Remove Dell Precision 490 custom config data",
                            "    - hwmon: (dell-smm) Add support for Dell OptiPlex 7040",
                            "    - tools/cpupower: Fix incorrect size in cpuidle_state_disable()",
                            "    - selftests/bpf: Fix flaky bpf_cookie selftest",
                            "    - tools/power turbostat: Fix incorrect sorting of PMT telemetry",
                            "    - tools/power x86_energy_perf_policy: Fix incorrect fopen mode usage",
                            "    - tools/power x86_energy_perf_policy: Enhance HWP enable",
                            "    - tools/power x86_energy_perf_policy: Prefer driver HWP limits",
                            "    - mfd: simple-mfd-i2c: Add compatible strings for Layerscape QIXIS FPGA",
                            "    - mfd: stmpe: Remove IRQ domain upon removal",
                            "    - mfd: stmpe-i2c: Add missing MODULE_LICENSE",
                            "    - mfd: qnap-mcu: Handle errors returned from qnap_mcu_write",
                            "    - mfd: qnap-mcu: Include linux/types.h in qnap-mcu.h shared header",
                            "    - mfd: madera: Work around false-positive -Wininitialized warning",
                            "    - mfd: da9063: Split chip variant reading in two bus transactions",
                            "    - mfd: macsmc: Add \"apple,t8103-smc\" compatible",
                            "    - mfd: core: Increment of_node's refcount before linking it to the",
                            "      platform device",
                            "    - mfd: cs42l43: Move IRQ enable/disable to encompass force suspend",
                            "    - mfd: intel-lpss: Add Intel Wildcat Lake LPSS PCI IDs",
                            "    - drm/xe/ptl: Apply Wa_16026007364",
                            "    - drm/xe/configfs: Enforce canonical device names",
                            "    - drm/amd/display: Update tiled to tiled copy command",
                            "    - drm/amd/display: fix condition for setting timing_adjust_pending",
                            "    - drm/amd/display: ensure committing streams is seamless",
                            "    - drm/amdgpu: add range check for RAS bad page address",
                            "    - drm/amdgpu: Check vcn sram load return value",
                            "    - drm/amd/display: Remove check DPIA HPD status for BW Allocation",
                            "    - drm/amd/display: Increase AUX Intra-Hop Done Max Wait Duration",
                            "    - drm/amd/display: Fix dmub_cmd header alignment",
                            "    - drm/xe/guc: Add more GuC load error status codes",
                            "    - drm/xe/pf: Don't resume device from restart worker",
                            "    - drm/amdgpu: Fix build error when CONFIG_SUSPEND is disabled",
                            "    - drm/amdgpu: Update IPID value for bad page threshold CPER",
                            "    - drm/amdgpu: Avoid rma causes GPU duplicate reset",
                            "    - drm/amdgpu: Effective health check before reset",
                            "    - drm/amd/amdgpu: Release xcp drm memory after unplug",
                            "    - drm/amdgpu: Fix vcn v5.0.1 poison irq call trace",
                            "    - drm/xe: Extend wa_13012615864 to additional Xe2 and Xe3 platforms",
                            "    - drm/amdgpu: Skip poison aca bank from UE channel",
                            "    - drm/amd/display: add more cyan skillfish devices",
                            "    - drm/amdgpu: Initialize jpeg v5_0_1 ras function",
                            "    - drm/amdgpu: skip mgpu fan boost for multi-vf",
                            "    - drm/amd/display: fix dmub access race condition",
                            "    - drm/amd/display: update dpp/disp clock from smu clock table",
                            "    - drm/amd/pm: Use cached metrics data on aldebaran",
                            "    - drm/amd/pm: Use cached metrics data on arcturus",
                            "    - accel/amdxdna: Unify pm and rpm suspend and resume callbacks",
                            "    - drm/amdgpu/jpeg: Hold pg_lock before jpeg poweroff",
                            "    - drm/xe/pf: Program LMTT directory pointer on all GTs within a tile",
                            "    - drm/nouveau: replace snprintf() with scnprintf() in nvkm_snprintbf()",
                            "    - ASoC: tas2781: Add keyword \"init\" in profile section",
                            "    - ASoC: mediatek: Use SND_JACK_AVOUT for HDMI/DP jacks",
                            "    - drm/amd/display: Reset apply_eamless_boot_optimization when dpms_off",
                            "    - drm/amdgpu: add to custom amdgpu_drm_release drm_dev_enter/exit",
                            "    - drm/amd/display: Wait until OTG enable state is cleared",
                            "    - drm/xe: rework PDE PAT index selection",
                            "    - docs: kernel-doc: avoid script crash on ancient Python",
                            "    - drm/sharp-memory: Do not access GEM-DMA vaddr directly",
                            "    - PCI: Disable MSI on RDC PCI to PCIe bridges",
                            "    - drm/nouveau: always set RMDevidCheckIgnore for GSP-RM",
                            "    - drm/panel-edp: Add SHP LQ134Z1 panel for Dell XPS 9345",
                            "    - selftests/net: Replace non-standard __WORDSIZE with sizeof(long) * 8",
                            "    - selftests/net: Ensure assert() triggers in psock_tpacket.c",
                            "    - wifi: rtw89: print just once for unknown C2H events",
                            "    - wifi: rtw88: sdio: use indirect IO for device registers before power-on",
                            "    - wifi: rtw89: add dummy C2H handlers for BCN resend and update done",
                            "    - drm/amdkfd: return -ENOTTY for unsupported IOCTLs",
                            "    - selftests: drv-net: devmem: add / correct the IPv6 support",
                            "    - selftests: drv-net: devmem: flip the direction of Tx tests",
                            "    - media: pci: ivtv: Don't create fake v4l2_fh",
                            "    - media: amphion: Delete v4l2_fh synchronously in .release()",
                            "    - drm/tidss: Use the crtc_* timings when programming the HW",
                            "    - drm/bridge: cdns-dsi: Fix REG_WAKEUP_TIME value",
                            "    - drm/bridge: cdns-dsi: Don't fail on MIPI_DSI_MODE_VIDEO_BURST",
                            "    - drm/tidss: Set crtc modesetting parameters with adjusted mode",
                            "    - drm/tidss: Remove early fb",
                            "    - RDMA/mana_ib: Drain send wrs of GSI QP",
                            "    - media: i2c: Kconfig: Ensure a dependency on HAVE_CLK for",
                            "      VIDEO_CAMERA_SENSOR",
                            "    - PCI/ERR: Update device error_state already after reset",
                            "    - x86/vsyscall: Do not require X86_PF_INSTR to emulate vsyscall",
                            "    - net: stmmac: Check stmmac_hw_setup() in stmmac_resume()",
                            "    - ice: Don't use %pK through printk or tracepoints",
                            "    - thunderbolt: Use is_pciehp instead of is_hotplug_bridge",
                            "    - ASoC: es8323: enable DAPM power widgets for playback DAC and output",
                            "    - powerpc/eeh: Use result of error_detected() in uevent",
                            "    - s390/pci: Use pci_uevent_ers() in PCI recovery",
                            "    - bridge: Redirect to backup port when port is administratively down",
                            "    - selftests: drv-net: wait for carrier",
                            "    - net: phy: mscc: report and configure in-band auto-negotiation for",
                            "      SGMII/QSGMII",
                            "    - scsi: ufs: host: mediatek: Fix auto-hibern8 timer configuration",
                            "    - scsi: ufs: host: mediatek: Fix PWM mode switch issue",
                            "    - scsi: ufs: host: mediatek: Assign power mode userdata before FASTAUTO",
                            "      mode change",
                            "    - scsi: ufs: host: mediatek: Change reset sequence for improved stability",
                            "    - scsi: ufs: host: mediatek: Fix invalid access in vccqx handling",
                            "    - gpu: nova-core: register: allow fields named `offset`",
                            "    - drm/panthor: Serialize GPU cache flush operations",
                            "    - HID: pidff: Use direction fix only for conditional effects",
                            "    - HID: pidff: PERMISSIVE_CONTROL quirk autodetection",
                            "    - drm/bridge: display-connector: don't set OP_DETECT for DisplayPorts",
                            "    - drm/amdkfd: Handle lack of READ permissions in SVM mapping",
                            "    - drm/amdgpu: refactor bad_page_work for corner case handling",
                            "    - hwrng: timeriomem - Use us_to_ktime() where appropriate",
                            "    - iio: adc: spear_adc: mask SPEAR_ADC_STATUS channel and avg sample before",
                            "      setting register",
                            "    - iio: adc: imx93_adc: load calibrated values even calibration failed",
                            "    - usb: gadget: f_ncm: Fix MAC assignment NCM ethernet",
                            "    - ASoC: es8323: remove DAC enablement write from es8323_probe",
                            "    - ASoC: es8323: add proper left/right mixer controls via DAPM",
                            "    - ASoC: codecs: wsa883x: Handle shared reset GPIO for WSA883x speakers",
                            "    - drm/xe: Make page size consistent in loop",
                            "    - wifi: rtw89: wow: remove notify during WoWLAN net-detect",
                            "    - wifi: rtw89: fix BSSID comparison for non-transmitted BSSID",
                            "    - wifi: rtw89: 8851b: rfk: update IQK TIA setting",
                            "    - dm error: mark as DM_TARGET_PASSES_INTEGRITY",
                            "    - char: misc: Make misc_register() reentry for miscdevice who wants",
                            "      dynamic minor",
                            "    - char: misc: Does not request module for miscdevice with dynamic minor",
                            "    - net: When removing nexthops, don't call synchronize_net if it is not",
                            "      necessary",
                            "    - net: Call trace_sock_exceed_buf_limit() for memcg failure with",
                            "      SK_MEM_RECV.",
                            "    - dmaengine: idxd: Add a new IAA device ID for Wildcat Lake family",
                            "      platforms",
                            "    - PCI/P2PDMA: Fix incorrect pointer usage in devm_kfree() call",
                            "    - bnxt_en: Add Hyper-V VF ID",
                            "    - tty: serial: Modify the use of dev_err_probe()",
                            "    - ALSA: usb-audio: Add validation of UAC2/UAC3 effect units",
                            "    - Octeontx2-af: Broadcast XON on all channels",
                            "    - idpf: do not linearize big TSO packets",
                            "    - drm/xe/pcode: Initialize data0 for pcode read routine",
                            "    - drm/panel: ilitek-ili9881c: turn off power-supply when init fails",
                            "    - drm/panel: ilitek-ili9881c: move display_on/_off dcs calls to",
                            "      (un-)prepare",
                            "    - rds: Fix endianness annotation for RDS_MPATH_HASH",
                            "    - net: wangxun: limit tx_max_coalesced_frames_irq",
                            "    - iio: imu: bmi270: Match PNP ID found on newer GPD firmware",
                            "    - media: ipu6: isys: Set embedded data type correctly for metadata formats",
                            "    - rpmsg: char: Export alias for RPMSG ID rpmsg-raw from table",
                            "    - net: ipv4: allow directed broadcast routes to use dst hint",
                            "    - scsi: mpi3mr: Fix device loss during enclosure reboot due to zero link",
                            "      speed",
                            "    - wifi: rtw89: coex: Limit Wi-Fi scan slot cost to avoid A2DP glitch",
                            "    - scsi: mpi3mr: Fix I/O failures during controller reset",
                            "    - scsi: mpi3mr: Fix controller init failure on fault during queue creation",
                            "    - scsi: pm80xx: Fix race condition caused by static variables",
                            "    - extcon: adc-jack: Fix wakeup source leaks on device unbind",
                            "    - extcon: fsa9480: Fix wakeup source leaks on device unbind",
                            "    - extcon: axp288: Fix wakeup source leaks on device unbind",
                            "    - drm/xe: Set GT as wedged before sending wedged uevent",
                            "    - remoteproc: wkup_m3: Use devm_pm_runtime_enable() helper",
                            "    - drm/xe/wcl: Extend L3bank mask workaround",
                            "    - net: phy: fixed_phy: let fixed_phy_unregister free the phy_device",
                            "    - selftests: drv-net: hds: restore hds settings",
                            "    - fuse: zero initialize inode private data",
                            "    - virtio_fs: fix the hash table using in virtio_fs_enqueue_req()",
                            "    - selftests: pci_endpoint: Skip IRQ test if IRQ is out of range.",
                            "    - drm/xe: Ensure GT is in C0 during resumes",
                            "    - misc: pci_endpoint_test: Skip IRQ tests if irq is out of range",
                            "    - drm/amdgpu: Correct the loss of aca bank reg info",
                            "    - drm/amdgpu: Correct the counts of nr_banks and nr_errors",
                            "    - drm/amdkfd: fix vram allocation failure for a special case",
                            "    - drm/amd/display: Support HW cursor 180 rot for any number of pipe splits",
                            "    - drm/amdkfd: Tie UNMAP_LATENCY to queue_preemption",
                            "    - drm/amd/display: wait for otg update pending latch before clock",
                            "      optimization",
                            "    - drm/amd/display: Consider sink max slice width limitation for dsc",
                            "    - drm/amdgpu/vpe: cancel delayed work in hw_fini",
                            "    - drm/xe: Cancel pending TLB inval workers on teardown",
                            "    - net: Prevent RPS table overwrite of active flows",
                            "    - eth: fbnic: Reset hw stats upon PCI error",
                            "    - wifi: iwlwifi: mld: trigger mlo scan only when not in EMLSR",
                            "    - platform/x86/intel-uncore-freq: Fix warning in partitioned system",
                            "    - drm/msm/dpu: Filter modes based on adjusted mode clock",
                            "    - drm/msm: Use of_reserved_mem_region_to_resource() for \"memory-region\"",
                            "    - selftests: drv-net: rss_ctx: fix the queue count check",
                            "    - media: fix uninitialized symbol warnings",
                            "    - media: pci: mgb4: Fix timings comparison in VIDIOC_S_DV_TIMINGS",
                            "    - ASoC: SOF: ipc4-pcm: Add fixup for channels",
                            "    - drm/amdgpu: Notify pmfw bad page threshold exceeded",
                            "    - drm/amd/display: Increase minimum clock for TMDS 420 with pipe splitting",
                            "    - drm/amdgpu: Avoid jpeg v5.0.1 poison irq call trace on sriov guest",
                            "    - drm/amd/display: incorrect conditions for failing dto calculations",
                            "    - drm/amdgpu: Avoid vcn v5.0.1 poison irq call trace on sriov guest",
                            "    - drm/amdgpu: Respect max pixel clock for HDMI and DVI-D (v2)",
                            "    - mips: lantiq: danube: add missing properties to cpu node",
                            "    - mips: lantiq: danube: add model to EASY50712 dts",
                            "    - mips: lantiq: danube: add missing device_type in pci node",
                            "    - mips: lantiq: xway: sysctrl: rename stp clock",
                            "    - mips: lantiq: danube: rename stp node on EASY50712 reference board",
                            "    - inet_diag: annotate data-races in inet_diag_bc_sk()",
                            "    - microchip: lan865x: add ndo_eth_ioctl handler to enable PHY ioctl",
                            "      support",
                            "    - crypto: qat - use kcalloc() in qat_uclo_map_objs_from_mof()",
                            "    - scsi: pm8001: Use int instead of u32 to store error codes",
                            "    - iio: adc: ad7124: do not require mclk",
                            "    - scsi: ufs: exynos: fsd: Gate ref_clk and put UFS device in reset on",
                            "      suspend",
                            "    - media: imx-mipi-csis: Only set clock rate when specified in DT",
                            "    - wifi: iwlwifi: pcie: remember when interrupts are disabled",
                            "    - drm/st7571-i2c: add support for inverted pixel format",
                            "    - ptp: Limit time setting of PTP clocks",
                            "    - dmaengine: sh: setup_xref error handling",
                            "    - dmaengine: mv_xor: match alloc_wc and free_wc",
                            "    - dmaengine: dw-edma: Set status for callback_result",
                            "    - netfilter: nf_tables: all transaction allocations can now sleep",
                            "    - drm/msm/dsi/phy: Toggle back buffer resync after preparing PLL",
                            "    - drm/msm/dsi/phy_7nm: Fix missing initial VCO rate",
                            "    - drm/amdgpu: Allow kfd CRIU with no buffer objects",
                            "    - drm/xe/guc: Increase GuC crash dump buffer size",
                            "    - drm/amd/pm: Increase SMC timeout on SI and warn (v3)",
                            "    - move_mount(2): take sanity checks in 'beneath' case into do_lock_mount()",
                            "    - selftests: drv-net: rss_ctx: make the test pass with few queues",
                            "    - ipv6: Add sanity checks on ipv6_devconf.rpl_seg_enabled",
                            "    - drm/xe: Extend Wa_22021007897 to Xe3 platforms",
                            "    - wifi: mac80211: count reg connection element in the size",
                            "    - drm/panthor: check bo offset alignment in vm bind",
                            "    - drm: panel-backlight-quirks: Make EDID match optional",
                            "    - ixgbe: reduce number of reads when getting OROM data",
                            "    - netlink: specs: fou: change local-v6/peer-v6 check",
                            "    - net: nfc: nci: Increase NCI_DATA_TIMEOUT to 3000 ms",
                            "    - media: adv7180: Add missing lock in suspend callback",
                            "    - media: adv7180: Do not write format to device in set_fmt",
                            "    - media: adv7180: Only validate format in querystd",
                            "    - media: verisilicon: Explicitly disable selection api ioctls for decoders",
                            "    - wifi: mac80211: Fix 6 GHz Band capabilities element advertisement in",
                            "      lower bands",
                            "    - platform/x86: think-lmi: Add extra TC BIOS error messages",
                            "    - platform/x86/intel-uncore-freq: Present unique domain ID per package",
                            "    - ALSA: usb-audio: apply quirk for MOONDROP Quark2",
                            "    - PCI: imx6: Enable the Vaux supply if available",
                            "    - drm/xe/guc: Set upper limit of H2G retries over CTB",
                            "    - net: call cond_resched() less often in __release_sock()",
                            "    - smsc911x: add second read of EEPROM mac when possible corruption seen",
                            "    - drm/xe: improve dma-resv handling for backup object",
                            "    - iommu/amd: Add support to remap/unmap IOMMU buffers for kdump",
                            "    - iommu/amd: Skip enabling command/event buffers for kdump",
                            "    - iommu/amd: Reuse device table for kdump",
                            "    - crypto: ccp: Skip SEV and SNP INIT for kdump boot",
                            "    - iommu/apple-dart: Clear stream error indicator bits for T8110 DARTs",
                            "    - bus: mhi: host: pci_generic: Add support for all Foxconn T99W696 SKU",
                            "      variants",
                            "    - drm/amdgpu: Correct info field of bad page threshold exceed CPER",
                            "    - drm/amd: add more cyan skillfish PCI ids",
                            "    - drm/amdgpu: don't enable SMU on cyan skillfish",
                            "    - drm/amdgpu: add support for cyan skillfish gpu_info",
                            "    - drm/amd/display: Fix pbn_div Calculation Error",
                            "    - drm/amd/display: dont wait for pipe update during medupdate/highirq",
                            "    - drm/amd/pm: refine amdgpu pm sysfs node error code",
                            "    - drm/amd/display: Indicate when custom brightness curves are in use",
                            "    - selftests: ncdevmem: don't retry EFAULT",
                            "    - net: dsa: felix: support phy-mode = \"10g-qxgmii\"",
                            "    - usb: gadget: f_hid: Fix zero length packet transfer",
                            "    - serial: qcom-geni: Add DFS clock mode support to GENI UART driver",
                            "    - serdev: Drop dev_pm_domain_detach() call",
                            "    - tty/vt: Add missing return value for VT_RESIZE in vt_ioctl()",
                            "    - eeprom: at25: support Cypress FRAMs without device ID",
                            "    - drm/msm/adreno: Add speedbins for A663 GPU",
                            "    - drm/msm: Fix 32b size truncation",
                            "    - dt-bindings: display/msm/gmu: Update Adreno 623 bindings",
                            "    - drm/msm: make sure to not queue up recovery more than once",
                            "    - char: Use list_del_init() in misc_deregister() to reinitialize list",
                            "      pointer",
                            "    - drm/msm/adreno: Add speedbin data for A623 GPU",
                            "    - drm/msm/adreno: Add fenced regwrite support",
                            "    - drm/msm/a6xx: Switch to GMU AO counter",
                            "    - idpf: link NAPIs to queues",
                            "    - selftests: net: make the dump test less sensitive to mem accounting",
                            "    - PCI: endpoint: pci-epf-test: Limit PCIe BAR size for fixed BARs",
                            "    - wifi: rtw89: Add USB ID 2001:332a for D-Link AX9U rev. A1",
                            "    - wifi: rtw89: Add USB ID 2001:3327 for D-Link AX18U rev. A1",
                            "    - wifi: iwlwifi: fw: Add ASUS to PPAG and TAS list",
                            "    - drm/xe/i2c: Enable bus mastering",
                            "    - media: ov08x40: Fix the horizontal flip control",
                            "    - media: i2c: og01a1b: Specify monochrome media bus format instead of",
                            "      Bayer",
                            "    - media: qcom: camss: csiphy-3ph: Add CSIPHY 2ph DPHY v2.0.1 init sequence",
                            "    - drm/bridge: write full Audio InfoFrame",
                            "    - drm/xe/guc: Always add CT disable action during second init step",
                            "    - f2fs: fix wrong layout information on 16KB page",
                            "    - selftests: mptcp: join: allow more time to send ADD_ADDR",
                            "    - scsi: ufs: host: mediatek: Enhance recovery on resume failure",
                            "    - scsi: ufs: ufs-qcom: Align programming sequence of Shared ICE for UFS",
                            "      controller v5",
                            "    - scsi: ufs: host: mediatek: Fix unbalanced IRQ enable issue",
                            "    - scsi: ufs: host: mediatek: Enhance recovery on hibernation exit failure",
                            "    - net: phy: marvell: Fix 88e1510 downshift counter errata",
                            "    - scsi: ufs: host: mediatek: Correct system PM flow",
                            "    - scsi: ufs: host: mediatek: Disable auto-hibern8 during power mode",
                            "      changes",
                            "    - scsi: ufs: host: mediatek: Fix adapt issue after PA_Init",
                            "    - wifi: cfg80211: update the time stamps in hidden ssid",
                            "    - wifi: mac80211: Fix HE capabilities element check",
                            "    - fbcon: Use screen info to find primary device",
                            "    - phy: cadence: cdns-dphy: Enable lower resolutions in dphy",
                            "    - Fix access to video_is_primary_device() when compiled without",
                            "      CONFIG_VIDEO",
                            "    - phy: renesas: r8a779f0-ether-serdes: add new step added to latest",
                            "      datasheet",
                            "    - phy: rockchip: phy-rockchip-inno-csidphy: allow writes to grf register 0",
                            "    - drm/msm/registers: Generate _HI/LO builders for reg64",
                            "    - net: sh_eth: Disable WoL if system can not suspend",
                            "    - selftests: net: replace sleeps in fcnal-test with waits",
                            "    - media: redrat3: use int type to store negative error codes",
                            "    - platform/x86/amd/pmf: Fix the custom bios input handling mechanism",
                            "    - selftests: traceroute: Use require_command()",
                            "    - selftests: traceroute: Return correct value on failure",
                            "    - openrisc: Add R_OR1K_32_PCREL relocation type module support",
                            "    - netfilter: nf_reject: don't reply to icmp error messages",
                            "    - x86/kvm: Prefer native qspinlock for dedicated vCPUs irrespective of",
                            "      PV_UNHALT",
                            "    - x86/virt/tdx: Use precalculated TDVPR page physical address",
                            "    - selftests: Disable dad for ipv6 in fcnal-test.sh",
                            "    - eth: 8139too: Make 8139TOO_PIO depend on !NO_IOPORT_MAP",
                            "    - [Config] No longer enable `CONFIG_8139TOO_PIO` for armhf",
                            "    - selftests: Replace sleep with slowwait",
                            "    - net: devmem: expose tcp_recvmsg_locked errors",
                            "    - selftests: net: lib.sh: Don't defer failed commands",
                            "    - HID: asus: add Z13 folio to generic group for multitouch to work",
                            "    - watchdog: s3c2410_wdt: Fix max_timeout being calculated larger",
                            "    - crypto: sun8i-ce - remove channel timeout field",
                            "    - PCI: dwc: Verify the single eDMA IRQ in dw_pcie_edma_irq_verify()",
                            "    - crypto: ccp - Fix incorrect payload size calculation in",
                            "      psp_poulate_hsti()",
                            "    - crypto: caam - double the entropy delay interval for retry",
                            "    - can: rcar_canfd: Update bit rate constants for RZ/G3E and R-Car Gen4",
                            "    - net: mana: Reduce waiting time if HWC not responding",
                            "    - ionic: use int type for err in ionic_get_module_eeprom_by_page",
                            "    - net/cls_cgroup: Fix task_get_classid() during qdisc run",
                            "    - wifi: mt76: mt7921: Add 160MHz beamformee capability for mt7922 device",
                            "    - wifi: mt76: mt7925: add pci restore for hibernate",
                            "    - wifi: mt76: mt7996: Fix mt7996_reverse_frag0_hdr_trans for MLO",
                            "    - wifi: mt76: mt7996: Set def_wcid pointer in mt7996_mac_sta_init_link()",
                            "    - wifi: mt76: mt7996: Temporarily disable EPCS",
                            "    - wifi: mt76: mt7996: support writing MAC TXD for AddBA Request",
                            "    - wifi: mt76: mt76_eeprom_override to int",
                            "    - ALSA: serial-generic: remove shared static buffer",
                            "    - wifi: mt76: mt7996: fix memory leak on mt7996_mcu_sta_key_tlv error",
                            "    - wifi: mt76: mt7996: disable promiscuous mode by default",
                            "    - wifi: mt76: use altx queue for offchannel tx on connac+",
                            "    - wifi: mt76: improve phy reset on hw restart",
                            "    - drm/amdgpu: Use memdup_array_user in amdgpu_cs_wait_fences_ioctl",
                            "    - drm/amdgpu: Release hive reference properly",
                            "    - drm/amd/display: Fix DMCUB loading sequence for DCN3.2",
                            "    - drm/amd/display: Set up pixel encoding for YCBCR422",
                            "    - drm/amd/display: fix dml ms order of operations",
                            "    - drm/amd/display: Don't use non-registered VUPDATE on DCE 6",
                            "    - drm/amd/display: Keep PLL0 running on DCE 6.0 and 6.4",
                            "    - drm/amd/display: Fix DVI-D/HDMI adapters",
                            "    - drm/amd/display: Disable VRR on DCE 6",
                            "    - drm/amd/display/dml2: Guard dml21_map_dc_state_into_dml_display_cfg with",
                            "      DC_FP_START",
                            "    - net: phy: clear EEE runtime state in PHY_HALTED/PHY_ERROR",
                            "    - ethernet: Extend device_get_mac_address() to use NVMEM",
                            "    - scsi: ufs: ufs-qcom: Disable lane clocks during phy hibern8",
                            "    - HID: i2c-hid: Resolve touchpad issues on Dell systems during S4",
                            "    - hinic3: Queue pair endianness improvements",
                            "    - hinic3: Fix missing napi->dev in netif_queue_set_napi",
                            "    - tools: ynl-gen: validate nested arrays",
                            "    - drm/xe/guc: Return an error code if the GuC load fails",
                            "    - drm/amdgpu: reject gang submissions under SRIOV",
                            "    - selftests/Makefile: include $(INSTALL_DEP_TARGETS) in clean target to",
                            "      clean net/lib dependency",
                            "    - scsi: ufs: core: Disable timestamp functionality if not supported",
                            "    - scsi: lpfc: Clean up allocated queues when queue setup mbox commands",
                            "      fail",
                            "    - scsi: lpfc: Decrement ndlp kref after FDISC retries exhausted",
                            "    - scsi: lpfc: Check return status of lpfc_reset_flush_io_context during",
                            "      TGT_RESET",
                            "    - scsi: lpfc: Remove ndlp kref decrement clause for F_Port_Ctrl in",
                            "      lpfc_cleanup",
                            "    - scsi: lpfc: Define size of debugfs entry for xri rebalancing",
                            "    - scsi: lpfc: Ensure PLOGI_ACC is sent prior to PRLI in Point to Point",
                            "      topology",
                            "    - allow finish_no_open(file, ERR_PTR(-E...))",
                            "    - usb: mon: Increase BUFF_MAX to 64 MiB to support multi-MB URBs",
                            "    - usb: xhci: plat: Facilitate using autosuspend for xhci plat devices",
                            "    - wifi: rtw89: disable RTW89_PHYSTS_IE09_FTR_0 for ppdu status",
                            "    - wifi: rtw89: obtain RX path from ppdu status IE00",
                            "    - wifi: rtw89: renew a completion for each H2C command waiting C2H event",
                            "    - usb: xhci-pci: add support for hosts with zero USB3 ports",
                            "    - ipv6: np->rxpmtu race annotation",
                            "    - RDMA/irdma: Update Kconfig",
                            "    - IB/ipoib: Ignore L3 master device",
                            "    - bnxt_en: Add fw log trace support for 5731X/5741X chips",
                            "    - mei: make a local copy of client uuid in connect",
                            "    - ASoC: qcom: sc8280xp: explicitly set S16LE format in",
                            "      sc8280xp_be_hw_params_fixup()",
                            "    - net: phy: clear link parameters on admin link down",
                            "    - net: ethernet: microchip: sparx5: make it selectable for ARCH_LAN969X",
                            "    - bus: mhi: core: Improve mhi_sync_power_up handling for SYS_ERR state",
                            "    - iommu/vt-d: Replace snprintf with scnprintf in dmar_latency_snapshot()",
                            "    - wifi: ath10k: Fix connection after GTK rekeying",
                            "    - iommu/vt-d: Remove LPIG from page group response descriptor",
                            "    - wifi: mac80211: Get the correct interface for non-netdev skb status",
                            "    - wifi: mac80211: Track NAN interface start/stop",
                            "    - net: intel: fm10k: Fix parameter idx set but not used",
                            "    - sparc/module: Add R_SPARC_UA64 relocation handling",
                            "    - sparc64: fix prototypes of reads[bwl]()",
                            "    - vfio: return -ENOTTY for unsupported device feature",
                            "    - ptp_ocp: make ptp_ocp driver compatible with PTP_EXTTS_REQUEST2",
                            "    - crypto: hisilicon/qm - invalidate queues in use",
                            "    - crypto: hisilicon/qm - clear all VF configurations in the hardware",
                            "    - ASoC: ops: improve snd_soc_get_volsw",
                            "    - PCI/PM: Skip resuming to D0 if device is disconnected",
                            "    - selftests: forwarding: Reorder (ar)ping arguments to obey POSIX getopt",
                            "    - remoteproc: qcom: q6v5: Avoid handling handover twice",
                            "    - wifi: ath12k: Increase DP_REO_CMD_RING_SIZE to 256",
                            "    - net: dsa: microchip: Set SPI as bus interface during reset for KSZ8463",
                            "    - bng_en: make bnge_alloc_ring() self-unwind on failure",
                            "    - ALSA: usb-audio: don't apply interface quirk to Presonus S1824c",
                            "    - tcp: Update bind bucket state on port release",
                            "    - ovl: make sure that ovl_create_real() returns a hashed dentry",
                            "    - drm/amd/display: Add missing post flip calls",
                            "    - drm/amd/display: Add AVI infoframe copy in copy_stream_update_to_stream",
                            "    - drm/amd/display: Add fast sync field in ultra sleep more for DMUB",
                            "    - drm/amd/display: Init dispclk from bootup clock for DCN314",
                            "    - drm/amd/display: Fix for test crash due to power gating",
                            "    - drm/amd/display: change dc stream color settings only in atomic commit",
                            "    - NFSv4: handle ERR_GRACE on delegation recalls",
                            "    - NFSv4.1: fix mount hang after CREATE_SESSION failure",
                            "    - net: bridge: Install FDB for bridge MAC on VLAN 0",
                            "    - net: phy: dp83640: improve phydev and driver removal handling",
                            "    - scsi: ufs: core: Change MCQ interrupt enable flow",
                            "    - scsi: libfc: Fix potential buffer overflow in fc_ct_ms_fill()",
                            "    - accel/habanalabs/gaudi2: fix BMON disable configuration",
                            "    - scsi: mpt3sas: Add support for 22.5 Gbps SAS link rate",
                            "    - accel/habanalabs: return ENOMEM if less than requested pages were pinned",
                            "    - accel/habanalabs/gaudi2: read preboot status after recovering from dirty",
                            "      state",
                            "    - ASoC: renesas: msiof: add .symmetric_xxx on snd_soc_dai_driver",
                            "    - ASoC: renesas: msiof: use reset controller",
                            "    - ASoC: renesas: msiof: tidyup DMAC stop timing",
                            "    - ASoC: renesas: msiof: set SIFCTR register",
                            "    - ext4: increase IO priority of fastcommit",
                            "    - drm/amdgpu: Add fallback to pipe reset if KCQ ring reset fails",
                            "    - drm/amdgpu: Fix fence signaling race condition in userqueue",
                            "    - ASoC: stm32: sai: manage context in set_sysclk callback",
                            "    - ASoC: tlv320aic3x: Fix class-D initialization for tlv320aic3007",
                            "    - ACPI: scan: Update honor list for RPMI System MSI",
                            "    - platform/x86: x86-android-tablets: Stop using EPROBE_DEFER",
                            "    - vfio/pci: Fix INTx handling on legacy non-PCI 2.3 devices",
                            "    - vfio/nvgrace-gpu: Add GB300 SKU to the devid table",
                            "    - selftest: net: Fix error message if empty variable",
                            "    - net/mlx5e: Don't query FEC statistics when FEC is disabled",
                            "    - Bluetooth: btintel: Add support for BlazarIW core",
                            "    - net: macb: avoid dealing with endianness in macb_set_hwaddr()",
                            "    - Bluetooth: btusb: Add new VID/PID 13d3/3627 for MT7925",
                            "    - Bluetooth: btintel_pcie: Define hdev->wakeup() callback",
                            "    - Bluetooth: ISO: Don't initiate CIS connections if there are no buffers",
                            "    - Bluetooth: btusb: Check for unexpected bytes when defragmenting HCI",
                            "      frames",
                            "    - Bluetooth: ISO: Use sk_sndtimeo as conn_timeout",
                            "    - Bluetooth: btusb: Add new VID/PID 13d3/3633 for MT7922",
                            "    - net: stmmac: est: Drop frames causing HLBS error",
                            "    - exfat: limit log print for IO error",
                            "    - 6pack: drop redundant locking and refcounting",
                            "    - page_pool: Clamp pool size to max 16K pages",
                            "    - net/mlx5e: Prevent entering switchdev mode with inconsistent netns",
                            "    - ksmbd: use sock_create_kern interface to create kernel socket",
                            "    - smb: client: update cfid->last_access_time in",
                            "      open_cached_dir_by_dentry()",
                            "    - smb: client: transport: avoid reconnects triggered by pending task work",
                            "    - usb: xhci-pci: Fix USB2-only root hub registration",
                            "    - drm/amd/display: Add fallback path for YCBCR422",
                            "    - ACPICA: Update dsmethod.c to get rid of unused variable warning",
                            "    - RDMA/bnxt_re: Fix a potential memory leak in destroy_gsi_sqp",
                            "    - RDMA/irdma: Fix SD index calculation",
                            "    - RDMA/irdma: Remove unused struct irdma_cq fields",
                            "    - RDMA/irdma: Set irdma_cq cq_num field during CQ create",
                            "    - RDMA/uverbs: Fix umem release in UVERBS_METHOD_CQ_CREATE",
                            "    - RDMA/hns: Fix recv CQ and QP cache affinity",
                            "    - RDMA/hns: Fix the modification of max_send_sge",
                            "    - RDMA/hns: Fix wrong WQE data when QP wraps around",
                            "    - btrfs: mark dirty extent range for out of bound prealloc extents",
                            "    - clk: qcom: gcc-ipq6018: rework nss_port5 clock to multiple conf",
                            "    - clk: renesas: rzv2h: Re-assert reset on deassert timeout",
                            "    - clk: samsung: exynos990: Add missing USB clock registers to HSI0",
                            "    - fs/hpfs: Fix error code for new_inode() failure in",
                            "      mkdir/create/mknod/symlink",
                            "    - clocksource: hyper-v: Skip unnecessary checks for the root partition",
                            "    - hyperv: Add missing field to hv_output_map_device_interrupt",
                            "    - um: Fix help message for ssl-non-raw",
                            "    - clk: sunxi-ng: sun6i-rtc: Add A523 specifics",
                            "    - rtc: pcf2127: clear minute/second interrupt",
                            "    - ARM: at91: pm: save and restore ACR during PLL disable/enable",
                            "    - clk: at91: add ACR in all PLL settings",
                            "    - clk: at91: sam9x7: Add peripheral clock id for pmecc",
                            "    - clk: at91: clk-master: Add check for divide by 3",
                            "    - clk: at91: clk-sam9x60-pll: force write to PLL_UPDT register",
                            "    - clk: ti: am33xx: keep WKUP_DEBUGSS_CLKCTRL enabled",
                            "    - clk: scmi: Add duty cycle ops only when duty cycle is supported",
                            "    - clk: clocking-wizard: Fix output clock register offset for Versal",
                            "      platforms",
                            "    - NTB: epf: Allow arbitrary BAR mapping",
                            "    - 9p: fix /sys/fs/9p/caches overwriting itself",
                            "    - cpufreq: tegra186: Initialize all cores to max frequencies",
                            "    - 9p: sysfs_init: don't hardcode error to ENOMEM",
                            "    - scsi: ufs: core: Include UTP error in INT_FATAL_ERRORS",
                            "    - fbdev: core: Fix ubsan warning in pixel_to_pat",
                            "    - ACPI: property: Return present device nodes only on fwnode interface",
                            "    - LoongArch: Handle new atomic instructions for probes",
                            "    - tools bitmap: Add missing asm-generic/bitsperlong.h include",
                            "    - tools: lib: thermal: don't preserve owner in install",
                            "    - tools: lib: thermal: use pkg-config to locate libnl3",
                            "    - ALSA: hda/realtek: Add quirk for ASUS ROG Zephyrus Duo",
                            "    - rtc: zynqmp: Restore alarm functionality after kexec transition",
                            "    - rtc: pcf2127: fix watchdog interrupt mask on pcf2131",
                            "    - net: wwan: t7xx: add support for HP DRMR-H01",
                            "    - kbuild: uapi: Strip comments before size type check",
                            "    - ASoC: meson: aiu-encoder-i2s: fix bit clock polarity",
                            "    - ASoC: rt722: add settings for rt722VB",
                            "    - drm/amdgpu: Report individual reset error",
                            "    - ceph: add checking of wait_for_completion_killable() return value",
                            "    - ceph: fix potential race condition in ceph_ioctl_lazyio()",
                            "    - ceph: refactor wake_up_bit() pattern of calling",
                            "    - x86: uaccess: don't use runtime-const rewriting in modules",
                            "    - rust: condvar: fix broken intra-doc link",
                            "    - rust: devres: fix private intra-doc link",
                            "    - rust: kbuild: workaround `rustdoc` doctests modifier bug",
                            "    - rust: kbuild: treat `build_error` and `rustdoc` as kernel objects",
                            "    - media: uvcvideo: Use heuristic to find stream entity",
                            "    - Revert \"wifi: ath10k: avoid unnecessary wait for service ready message\"",
                            "    - tracing: tprobe-events: Fix to register tracepoint correctly",
                            "    - tracing: tprobe-events: Fix to put tracepoint_user when disable the",
                            "      tprobe",
                            "    - net: libwx: fix device bus LAN ID",
                            "    - scsi: ufs: core: Fix a race condition related to the \"hid\" attribute",
                            "      group",
                            "    - riscv: ptdump: use seq_puts() in pt_dump_seq_puts() macro",
                            "    - Revert \"wifi: ath12k: Fix missing station power save configuration\"",
                            "    - scsi: ufs: core: Revert \"Make HID attributes visible\"",
                            "    - Bluetooth: btrtl: Fix memory leak in rtlbt_parse_firmware_v2()",
                            "    - net: dsa: tag_brcm: legacy: fix untagged rx on unbridged ports for",
                            "      bcm63xx",
                            "    - selftests/net: fix out-of-order delivery of FIN in gro:tcp test",
                            "    - selftests/net: use destination options instead of hop-by-hop",
                            "    - selftests: netdevsim: Fix ethtool-coalesce.sh fail by installing",
                            "      ethtool-common.sh",
                            "    - net: vlan: sync VLAN features with lower device",
                            "    - net: dsa: b53: fix resetting speed and pause on forced link",
                            "    - net: dsa: b53: fix bcm63xx RGMII port link adjustment",
                            "    - net: dsa: b53: fix enabling ip multicast",
                            "    - net: dsa: b53: stop reading ARL entries if search is done",
                            "    - net: dsa: b53: properly bound ARL searches for < 4 ARL bin chips",
                            "    - sctp: Hold RCU read lock while iterating over address list",
                            "    - sctp: Hold sock lock while iterating over address list",
                            "    - net: ionic: add dma_wmb() before ringing TX doorbell",
                            "    - net: ionic: map SKB after pseudo-header checksum prep",
                            "    - octeontx2-pf: Fix devm_kcalloc() error checking",
                            "    - bnxt_en: Fix a possible memory leak in bnxt_ptp_init",
                            "    - bnxt_en: Always provide max entry and entry size in coredump segments",
                            "    - bnxt_en: Fix warning in bnxt_dl_reload_down()",
                            "    - wifi: mac80211_hwsim: Limit destroy_on_close radio removal to netgroup",
                            "    - io_uring: fix types for region size calulation",
                            "    - net/mlx5e: Fix return value in case of module EEPROM read error",
                            "    - net: ti: icssg-prueth: Fix fdb hash size configuration",
                            "    - net/mlx5e: SHAMPO, Fix header mapping for 64K pages",
                            "    - net/mlx5e: SHAMPO, Fix skb size check for 64K pages",
                            "    - net/mlx5e: SHAMPO, Fix header formulas for higher MTUs and 64K pages",
                            "    - net: wan: framer: pef2256: Switch to devm_mfd_add_devices()",
                            "    - net: dsa: microchip: Fix reserved multicast address table programming",
                            "    - net: bridge: fix MST static key usage",
                            "    - selftests/vsock: avoid false-positives when checking dmesg",
                            "    - tracing: Fix memory leaks in create_field_var()",
                            "    - drm/amd/display: Enable mst when it's detected but yet to be initialized",
                            "    - wifi: cfg80211: add an hrtimer based delayed work item",
                            "    - wifi: mac80211: use wiphy_hrtimer_work for ml_reconf_work",
                            "    - wifi: mac80211: use wiphy_hrtimer_work for ttlm_work",
                            "    - wifi: mac80211: use wiphy_hrtimer_work for csa.switch_work",
                            "    - riscv: Fix memory leak in module_frob_arch_sections()",
                            "    - rtc: rx8025: fix incorrect register reference",
                            "    - x86/microcode/AMD: Add more known models to entry sign checking",
                            "    - smb: client: validate change notify buffer before copy",
                            "    - x86/amd_node: Fix AMD root device caching",
                            "    - xfs: fix delalloc write failures in software-provided atomic writes",
                            "    - xfs: fix various problems in xfs_atomic_write_cow_iomap_begin",
                            "    - x86/CPU/AMD: Add missing terminator for zen5_rdseed_microcode",
                            "    - drm: define NVIDIA DRM format modifiers for GB20x",
                            "    - drm/nouveau: Advertise correct modifiers on GB20x",
                            "    - drm/amdgpu/smu: Handle S0ix for vangogh",
                            "    - drm/amdkfd: Don't clear PT after process killed",
                            "    - virtio_net: fix alignment for virtio_net_hdr_v1_hash",
                            "    - lib/crypto: curve25519-hacl64: Fix older clang KASAN workaround for GCC",
                            "    - scsi: ufs: ufs-pci: Fix S0ix/S3 for Intel controllers",
                            "    - scsi: ufs: ufs-pci: Set UFSHCD_QUIRK_PERFORM_LINK_STARTUP_ONCE for Intel",
                            "      ADL",
                            "    - scsi: ufs: core: Add a quirk to suppress link_startup_again",
                            "    - drm/amd/display: update color on atomic commit time",
                            "    - extcon: adc-jack: Cleanup wakeup source only if it was enabled",
                            "    - kunit: Extend kconfig help text for KUNIT_UML_PCI",
                            "    - ALSA: hda/tas2781: Enable init_profile_id for device initialization",
                            "    - ACPI: SPCR: Check for table version when using precise baudrate",
                            "    - kbuild: Strip trailing padding bytes from modules.builtin.modinfo",
                            "    - drm/amdgpu: Fix unintended error log in VCN5_0_0",
                            "    - drm/amd/display: Fix vupdate_offload_work doc",
                            "    - drm/amdgpu: Fix function header names in amdgpu_connectors.c",
                            "    - drm/amdgpu/userq: assign an error code for invalid userq va",
                            "    - drm/msm/dpu: Fix adjusted mode clock check for 3d merge",
                            "    - drm/amd/display: Reject modes with too high pixel clock on DCE6-10",
                            "    - drm/amd/display: use GFP_NOWAIT for allocation in interrupt handler",
                            "    - drm/amd/display: Fix black screen with HDMI outputs",
                            "    - selftests: drv-net: Reload pkt pointer after calling filter_udphdr",
                            "    - dt-bindings: eeprom: at25: use \"size\" for FRAMs without device ID",
                            "    - Linux 6.17.8",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68316",
                            "    - scsi: ufs: core: Fix invalid probe error return value",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40292",
                            "    - virtio-net: fix received length check in big packets",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68180",
                            "    - drm/amd/display: Fix NULL deref in debugfs odm_combine_segments",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40327",
                            "    - perf/core: Fix system hang caused by cpu-clock usage",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40328",
                            "    - smb: client: fix potential UAF in smb2_close_cached_fid()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40291",
                            "    - io_uring: fix regbuf vector size truncation",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68322",
                            "    - parisc: Avoid crash due to unaligned access in unwinder",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40293",
                            "    - iommufd: Don't overflow during division for dirty tracking",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40294",
                            "    - Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40329",
                            "    - drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40295",
                            "    - fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40296",
                            "    - platform/x86: int3472: Fix double free of GPIO device during unregister",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40297",
                            "    - net: bridge: fix use-after-free due to MST port state bypass",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68320",
                            "    - lan966x: Fix sleeping in atomic context",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68169",
                            "    - netpoll: Fix deadlock in memory allocation under spinlock",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68197",
                            "    - bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40330",
                            "    - bnxt_en: Shutdown FW DMA in bnxt_shutdown()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68192",
                            "    - net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40331",
                            "    - sctp: Prevent TOCTOU out-of-bounds write",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68187",
                            "    - net: mdio: Check regmap pointer returned by device_node_to_regmap()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68167",
                            "    - gpiolib: fix invalid pointer access in debugfs",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68319",
                            "    - netconsole: Acquire su_mutex before navigating configs hierarchy",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40298",
                            "    - gve: Implement settime64 with -EOPNOTSUPP",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40299",
                            "    - gve: Implement gettimex64 with -EOPNOTSUPP",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40301",
                            "    - Bluetooth: hci_event: validate skb length for unknown CC opcode",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40358",
                            "    - riscv: stacktrace: Disable KASAN checks for non-current tasks",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68186",
                            "    - ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader",
                            "      catches up",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68184",
                            "    - drm/mediatek: Disable AFBC support on Mediatek DRM driver",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40302",
                            "    - media: videobuf2: forbid remove_bufs when legacy fileio is active",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40303",
                            "    - btrfs: ensure no dirty metadata is written back for an fs with errors",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40362",
                            "    - ceph: fix multifs mds auth caps issue",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40332",
                            "    - drm/amdkfd: Fix mmap write lock not release",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40304",
                            "    - fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40305",
                            "    - 9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68318",
                            "    - clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40209",
                            "    - btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68183",
                            "    - ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68173",
                            "    - ftrace: Fix softlockup in ftrace_module_enable",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40306",
                            "    - orangefs: fix xattr related buffer overflow...",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40307",
                            "    - exfat: validate cluster allocation bits of the allocation bitmap",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40308",
                            "    - Bluetooth: bcsp: receive data only if registered",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40309",
                            "    - Bluetooth: SCO: Fix UAF on sco_conn_free",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68174",
                            "    - amd/amdkfd: enhance kfd process check in switch partition",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40310",
                            "    - amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40361",
                            "    - fs: ext4: change GFP_KERNEL to GFP_NOFS to avoid deadlock",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40311",
                            "    - accel/habanalabs: support mapping cb with vmalloc-backed coherent memory",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68185",
                            "    - nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode",
                            "      dereferencing",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68176",
                            "    - PCI: cadence: Check for the existence of cdns_pcie::ops before using it",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68190",
                            "    - drm/amdgpu/atom: Check kcalloc() for WS buffer in",
                            "      amdgpu_atom_execute_table_locked()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68168",
                            "    - jfs: fix uninitialized waitqueue in transaction manager",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40312",
                            "    - jfs: Verify inode mode when loading from disk",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40333",
                            "    - f2fs: fix infinite loop in __insert_extent_tree()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68321",
                            "    - page_pool: always add GFP_NOWARN for ATOMIC allocations",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40334",
                            "    - drm/amdgpu: validate userq buffer virtual address and size",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68191",
                            "    - udp_tunnel: use netdev_warn() instead of netdev_WARN()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68309",
                            "    - PCI/AER: Fix NULL pointer access by aer_info",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40313",
                            "    - ntfs3: pretend $Extend records as regular files",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40335",
                            "    - drm/amdgpu: validate userq input args",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40314",
                            "    - usb: cdns3: gadget: Use-after-free during failed initialization and exit",
                            "      of cdnsp gadget",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40336",
                            "    - drm/gpusvm: fix hmm_pfn_to_map_order() usage",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68193",
                            "    - drm/xe/guc: Add devm release action to safely tear down CT",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68175",
                            "    - media: nxp: imx8-isi: Fix streaming cleanup on release",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68188",
                            "    - tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68315",
                            "    - f2fs: fix to detect potential corrupted nid in free_nid_list",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40337",
                            "    - net: stmmac: Correctly handle Rx checksum offload errors",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40338",
                            "    - ASoC: Intel: avs: Do not share the name pointer between components",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40339",
                            "    - drm/amdgpu: fix nullptr err of vm_handle_moved",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68194",
                            "    - media: imon: make send_packet() more robust",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40363",
                            "    - net: ipv6: fix field-spanning memcpy warning in AH output",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68311",
                            "    - tty: serial: ip22zilog: Use platform device for probing",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40340",
                            "    - drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68196",
                            "    - drm/amd/display: Cache streams targeting link when performing LT",
                            "      automation",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68178",
                            "    - blk-cgroup: fix possible deadlock while configuring policy",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40341",
                            "    - futex: Don't leak robust_list pointer on exec race",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40342",
                            "    - nvme-fc: use lock accessing port_state and rport state",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40343",
                            "    - nvmet-fc: avoid scheduling association deletion twice",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68177",
                            "    - cpufreq/longhaul: handle NULL policy in longhaul_exit",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68317",
                            "    - io_uring/zctx: check chained notif contexts",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40315",
                            "    - usb: gadget: f_fs: Fix epfile null pointer access after ep enable.",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40316",
                            "    - drm/mediatek: Fix device use-after-free on unbind",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40360",
                            "    - drm/sysfb: Do not dereference NULL pointer in plane reset",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68179",
                            "    - s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68310",
                            "    - s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40317",
                            "    - regmap: slimbus: fix bus_context pointer in regmap init calls",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40359",
                            "    - perf/x86/intel: Fix KASAN global-out-of-bounds warning",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68181",
                            "    - drm/radeon: Remove calls to drm_put_dev()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68170",
                            "    - drm/radeon: Do not kfree() devres managed rdev",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40213",
                            "    - Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40318",
                            "    - Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68312",
                            "    - usbnet: Prevents free active kevent",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40344",
                            "    - ASoC: Intel: avs: Disable periods-elapsed work when closing PCM",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68172",
                            "    - crypto: aspeed - fix double free caused by devm",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40319",
                            "    - bpf: Sync pending IRQ work before freeing ring buffer",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68182",
                            "    - wifi: iwlwifi: fix potential use after free in iwl_mld_remove_link()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68314",
                            "    - drm/msm: make sure last_fence is always updated",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68189",
                            "    - drm/msm: Fix GEM free for imported dma-bufs",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68171",
                            "    - x86/fpu: Ensure XFD state on signal delivery",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68313",
                            "    - x86/CPU/AMD: Add RDSEED fix for Zen5",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40320",
                            "    - smb: client: fix potential cfid UAF in smb2_query_info_compound",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40321",
                            "    - wifi: brcmfmac: fix crash while sending Action Frames in standalone AP",
                            "      Mode",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40322",
                            "    - fbdev: bitblit: bound-check glyph index in bit_putcs*",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40211",
                            "    - ACPI: video: Fix use-after-free in acpi_video_switch_brightness()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40323",
                            "    - fbcon: Set fb_display[i]->mode to NULL when the mode is released",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40210",
                            "    - Revert \"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\"",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40324",
                            "    - NFSD: Fix crash in nfsd4_read_release()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40326",
                            "    - NFSD: Define actions for the new time_deleg FATTR4 attributes",
                            "  * Questing update: v6.17.7 upstream stable release (LP: #2136813)",
                            "    - sched_ext: Move internal type and accessor definitions to ext_internal.h",
                            "    - sched_ext: Put event_stats_cpu in struct scx_sched_pcpu",
                            "    - sched_ext: Sync error_irq_work before freeing scx_sched",
                            "    - timekeeping: Fix aux clocks sysfs initialization loop bound",
                            "    - x86/bugs: Report correct retbleed mitigation status",
                            "    - x86/bugs: Qualify RETBLEED_INTEL_MSG",
                            "    - genirq/chip: Add buslock back in to irq_set_handler()",
                            "    - genirq/manage: Add buslock back in to __disable_irq_nosync()",
                            "    - genirq/manage: Add buslock back in to enable_irq()",
                            "    - audit: record fanotify event regardless of presence of rules",
                            "    - EDAC/ie31200: Add two more Intel Alder Lake-S SoCs for EDAC support",
                            "    - perf/x86/intel: Add ICL_FIXED_0_ADAPTIVE bit into INTEL_FIXED_BITS_MASK",
                            "    - perf: Use current->flags & PF_KTHREAD|PF_USER_WORKER instead of",
                            "      current->mm == NULL",
                            "    - perf: Have get_perf_callchain() return NULL if crosstask and user are",
                            "      set",
                            "    - perf: Skip user unwind if the task is a kernel thread",
                            "    - EDAC: Fix wrong executable file modes for C source files",
                            "    - seccomp: passthrough uprobe systemcall without filtering",
                            "    - sched_ext: Keep bypass on between enable failure and",
                            "      scx_disable_workfn()",
                            "    - x86/bugs: Add attack vector controls for VMSCAPE",
                            "    - x86/bugs: Fix reporting of LFENCE retpoline",
                            "    - EDAC/mc_sysfs: Increase legacy channel support to 16",
                            "    - cpuset: Use new excpus for nocpu error check when enabling root",
                            "      partition",
                            "    - btrfs: abort transaction on specific error places when walking log tree",
                            "    - btrfs: abort transaction in the process_one_buffer() log tree walk",
                            "      callback",
                            "    - btrfs: zoned: return error from btrfs_zone_finish_endio()",
                            "    - btrfs: zoned: refine extent allocator hint selection",
                            "    - btrfs: scrub: replace max_t()/min_t() with clamp() in",
                            "      scrub_throttle_dev_io()",
                            "    - btrfs: always drop log root tree reference in btrfs_replay_log()",
                            "    - btrfs: use level argument in log tree walk callback replay_one_buffer()",
                            "    - btrfs: abort transaction if we fail to update inode in log replay dir",
                            "      fixup",
                            "    - btrfs: tree-checker: add inode extref checks",
                            "    - btrfs: use smp_mb__after_atomic() when forcing COW in",
                            "      create_pending_snapshot()",
                            "    - sched_ext: Make qmap dump operation non-destructive",
                            "    - arch: Add the macro COMPILE_OFFSETS to all the asm-offsets.c",
                            "    - btrfs: tree-checker: fix bounds check in check_inode_extref()",
                            "    - Linux 6.17.7",
                            "  * [UBUNTU 24.04] KVM: s390: improve interrupt cpu for wakeup (LP: #2132317)",
                            "    - KVM: s390: improve interrupt cpu for wakeup",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982)",
                            "    - sched/fair: Block delayed tasks on throttled hierarchy during dequeue",
                            "    - vfio/cdx: update driver to build without CONFIG_GENERIC_MSI_IRQ",
                            "    - expfs: Fix exportfs_can_encode_fh() for EXPORT_FH_FID",
                            "    - cgroup/misc: fix misc_res_type kernel-doc warning",
                            "    - dlm: move to rinfo for all middle conversion cases",
                            "    - exec: Fix incorrect type for ret",
                            "    - s390/pkey: Forward keygenflags to ep11_unwrapkey",
                            "    - hfs: clear offset and space out of valid records in b-tree node",
                            "    - hfs: make proper initalization of struct hfs_find_data",
                            "    - hfs: validate record offset in hfsplus_bmap_alloc",
                            "    - hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()",
                            "    - dlm: check for defined force value in dlm_lockspace_release",
                            "    - hfsplus: return EIO when type of hidden directory mismatch in",
                            "      hfsplus_fill_super()",
                            "    - PCI: Test for bit underflow in pcie_set_readrq()",
                            "    - lkdtm: fortify: Fix potential NULL dereference on kmalloc failure",
                            "    - arm64: sysreg: Correct sign definitions for EIESB and DoubleLock",
                            "    - m68k: bitops: Fix find_*_bit() signatures",
                            "    - powerpc/32: Remove PAGE_KERNEL_TEXT to fix startup failure",
                            "    - riscv: mm: Return intended SATP mode for noXlvl options",
                            "    - riscv: mm: Use mmu-type from FDT to limit SATP mode",
                            "    - riscv: cpufeature: add validation for zfa, zfh and zfhmin",
                            "    - drivers/perf: hisi: Relax the event ID check in the framework",
                            "    - s390/mm: Use __GFP_ACCOUNT for user page table allocations",
                            "    - smb: client: queue post_recv_credits_work also if the peer raises the",
                            "      credit target",
                            "    - smb: client: limit the range of info->receive_credit_target",
                            "    - smb: client: make use of ib_wc_status_msg() and skip IB_WC_WR_FLUSH_ERR",
                            "      logging",
                            "    - smb: server: let smb_direct_flush_send_list() invalidate a remote key",
                            "      first",
                            "    - Unbreak 'make tools/*' for user-space targets",
                            "    - platform/mellanox: mlxbf-pmc: add sysfs_attr_init() to count_clock init",
                            "    - cpufreq/amd-pstate: Fix a regression leading to EPP 0 after hibernate",
                            "    - net/mlx5e: Return 1 instead of 0 in invalid case in",
                            "      mlx5e_mpwrq_umr_entry_size()",
                            "    - rtnetlink: Allow deleting FDB entries in user namespace",
                            "    - net: enetc: fix the deadlock of enetc_mdio_lock",
                            "    - net: enetc: correct the value of ENETC_RXB_TRUESIZE",
                            "    - dpaa2-eth: fix the pointer passed to PTR_ALIGN on Tx path",
                            "    - net: phy: realtek: fix rtl8221b-vm-cg name",
                            "    - can: bxcan: bxcan_start_xmit(): use can_dev_dropped_skb() instead of",
                            "      can_dropped_invalid_skb()",
                            "    - can: esd: acc_start_xmit(): use can_dev_dropped_skb() instead of",
                            "      can_dropped_invalid_skb()",
                            "    - can: rockchip-canfd: rkcanfd_start_xmit(): use can_dev_dropped_skb()",
                            "      instead of can_dropped_invalid_skb()",
                            "    - selftests: net: fix server bind failure in sctp_vrf.sh",
                            "    - net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for legacy RQ",
                            "    - net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding",
                            "      RQ",
                            "    - net/smc: fix general protection fault in __smc_diag_dump",
                            "    - net: ethernet: ti: am65-cpts: fix timestamp loss due to race conditions",
                            "    - arm64, mm: avoid always making PTE dirty in pte_mkwrite()",
                            "    - erofs: avoid infinite loops due to corrupted subpage compact indexes",
                            "    - net: hibmcge: select FIXED_PHY",
                            "    - ptp: ocp: Fix typo using index 1 instead of i in SMA initialization loop",
                            "    - net: hsr: prevent creation of HSR device with slaves from another netns",
                            "    - espintcp: use datagram_poll_queue for socket readiness",
                            "    - net: datagram: introduce datagram_poll_queue for custom receive queues",
                            "    - ovpn: use datagram_poll_queue for socket readiness in TCP",
                            "    - net: bonding: fix possible peer notify event loss or dup issue",
                            "    - hung_task: fix warnings caused by unaligned lock pointers",
                            "    - mm: don't spin in add_stack_record when gfp flags don't allow",
                            "    - dma-debug: don't report false positives with",
                            "      DMA_BOUNCE_UNALIGNED_KMALLOC",
                            "    - arch_topology: Fix incorrect error check in",
                            "      topology_parse_cpu_capacity()",
                            "    - riscv: hwprobe: Fix stale vDSO data for late-initialized keys at boot",
                            "    - io_uring/sqpoll: switch away from getrusage() for CPU accounting",
                            "    - io_uring/sqpoll: be smarter on when to update the stime usage",
                            "    - btrfs: send: fix duplicated rmdir operations when using extrefs",
                            "    - btrfs: ref-verify: fix IS_ERR() vs NULL check in btrfs_build_ref_tree()",
                            "    - gpio: pci-idio-16: Define maximum valid register address offset",
                            "    - gpio: 104-idio-16: Define maximum valid register address offset",
                            "    - xfs: fix locking in xchk_nlinks_collect_dir",
                            "    - platform/x86: alienware-wmi-wmax: Add AWCC support to Dell G15 5530",
                            "    - Revert \"cpuidle: menu: Avoid discarding useful information\"",
                            "    - riscv: cpufeature: avoid uninitialized variable in",
                            "      has_thead_homogeneous_vlenb()",
                            "    - rust: device: fix device context of Device::parent()",
                            "    - slab: Avoid race on slab->obj_exts in alloc_slab_obj_exts",
                            "    - slab: Fix obj_ext mistakenly considered NULL due to race condition",
                            "    - smb: client: get rid of d_drop() in cifs_do_rename()",
                            "    - ACPICA: Work around bogus -Wstringop-overread warning since GCC 11",
                            "    - arm64: mte: Do not warn if the page is already tagged in copy_highpage()",
                            "    - can: netlink: can_changelink(): allow disabling of automatic restart",
                            "    - cifs: Fix TCP_Server_Info::credits to be signed",
                            "    - devcoredump: Fix circular locking dependency with devcd->mutex.",
                            "    - hwmon: (pmbus/max34440) Update adpm12160 coeff due to latest FW",
                            "    - MIPS: Malta: Fix keyboard resource preventing i8042 driver from",
                            "      registering",
                            "    - rv: Make rtapp/pagefault monitor depends on CONFIG_MMU",
                            "    - net: bonding: update the slave array for broadcast mode",
                            "    - net: stmmac: dwmac-rk: Fix disabling set_clock_selection",
                            "    - net: usb: rtl8150: Fix frame padding",
                            "    - net: ravb: Enforce descriptor type ordering",
                            "    - net: ravb: Ensure memory write completes before ringing TX doorbell",
                            "    - mptcp: pm: in-kernel: C-flag: handle late ADD_ADDR",
                            "    - selftests: mptcp: join: mark 'flush re-add' as skipped if not supported",
                            "    - selftests: mptcp: join: mark implicit tests as skipped if not supported",
                            "    - selftests: mptcp: join: mark 'delete re-add signal' as skipped if not",
                            "      supported",
                            "    - mm/mremap: correctly account old mapping after MREMAP_DONTUNMAP remap",
                            "    - drm/xe: Check return value of GGTT workqueue allocation",
                            "    - drm/amd/display: increase max link count and fix link->enc NULL pointer",
                            "      access",
                            "    - mm/damon/core: use damos_commit_quota_goal() for new goal commit",
                            "    - mm/damon/core: fix list_add_tail() call on damon_call()",
                            "    - spi: rockchip-sfc: Fix DMA-API usage",
                            "    - firmware: arm_ffa: Add support for IMPDEF value in the memory access",
                            "      descriptor",
                            "    - spi: spi-nxp-fspi: add the support for sample data from DQS pad",
                            "    - spi: spi-nxp-fspi: re-config the clock rate when operation require new",
                            "      clock rate",
                            "    - spi: spi-nxp-fspi: add extra delay after dll locked",
                            "    - spi: spi-nxp-fspi: limit the clock rate for different sample clock",
                            "      source selection",
                            "    - spi: cadence-quadspi: Fix pm_runtime unbalance on dma EPROBE_DEFER",
                            "    - arm64: dts: broadcom: bcm2712: Add default GIC address cells",
                            "    - arm64: dts: broadcom: bcm2712: Define VGIC interrupt",
                            "    - include: trace: Fix inflight count helper on failed initialization",
                            "    - firmware: arm_scmi: Fix premature SCMI_XFER_FLAG_IS_RAW clearing in raw",
                            "      mode",
                            "    - spi: airoha: return an error for continuous mode dirmap creation cases",
                            "    - spi: airoha: add support of dual/quad wires spi modes to exec_op()",
                            "      handler",
                            "    - spi: airoha: switch back to non-dma mode in the case of error",
                            "    - spi: airoha: fix reading/writing of flashes with more than one plane per",
                            "      lun",
                            "    - sysfs: check visibility before changing group attribute ownership",
                            "    - RISC-V: Define pgprot_dmacoherent() for non-coherent devices",
                            "    - RISC-V: Don't print details of CPUs disabled in DT",
                            "    - riscv: hwprobe: avoid uninitialized variable use in hwprobe_arch_id()",
                            "    - hwmon: (pmbus/isl68137) Fix child node reference leak on early return",
                            "    - hwmon: (sht3x) Fix error handling",
                            "    - io_uring: fix incorrect unlikely() usage in io_waitid_prep()",
                            "    - nbd: override creds to kernel when calling sock_{send,recv}msg()",
                            "    - drm/panic: Fix drawing the logo on a small narrow screen",
                            "    - drm/panic: Fix qr_code, ensure vmargin is positive",
                            "    - drm/panic: Fix 24bit pixel crossing page boundaries",
                            "    - of/irq: Convert of_msi_map_id() callers to of_msi_xlate()",
                            "    - of/irq: Add msi-parent check to of_msi_xlate()",
                            "    - block: require LBA dma_alignment when using PI",
                            "    - gpio: ljca: Fix duplicated IRQ mapping",
                            "    - io_uring: correct __must_hold annotation in io_install_fixed_file",
                            "    - sched: Remove never used code in mm_cid_get()",
                            "    - USB: serial: option: add UNISOC UIS7720",
                            "    - USB: serial: option: add Quectel RG255C",
                            "    - USB: serial: option: add Telit FN920C04 ECM compositions",
                            "    - usb/core/quirks: Add Huawei ME906S to wakeup quirk",
                            "    - usb: raw-gadget: do not limit transfer length",
                            "    - xhci: dbc: enable back DbC in resume if it was enabled before suspend",
                            "    - xhci: dbc: fix bogus 1024 byte prefix if ttyDBC read races with stall",
                            "      event",
                            "    - x86/microcode: Fix Entrysign revision check for Zen1/Naples",
                            "    - binder: remove \"invalid inc weak\" check",
                            "    - mei: me: add wildcat lake P DID",
                            "    - objtool/rust: add one more `noreturn` Rust function",
                            "    - nvmem: rcar-efuse: add missing MODULE_DEVICE_TABLE",
                            "    - misc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup",
                            "    - most: usb: hdm_probe: Fix calling put_device() before device",
                            "      initialization",
                            "    - tcpm: switch check for role_sw device with fw_node",
                            "    - dt-bindings: serial: sh-sci: Fix r8a78000 interrupts",
                            "    - dt-bindings: usb: dwc3-imx8mp: dma-range is required only for imx8mp",
                            "    - dt-bindings: usb: qcom,snps-dwc3: Fix bindings for X1E80100",
                            "    - serial: 8250_dw: handle reset control deassert error",
                            "    - serial: 8250_exar: add support for Advantech 2 port card with Device ID",
                            "      0x0018",
                            "    - serial: 8250_mtk: Enable baud clock and manage in runtime PM",
                            "    - serial: sc16is7xx: remove useless enable of enhanced features",
                            "    - staging: gpib: Fix device reference leak in fmh_gpib driver",
                            "    - staging: gpib: Fix no EOI on 1 and 2 byte writes",
                            "    - staging: gpib: Return -EINTR on device clear",
                            "    - staging: gpib: Fix sending clear and trigger events",
                            "    - mm/migrate: remove MIGRATEPAGE_UNMAP",
                            "    - treewide: remove MIGRATEPAGE_SUCCESS",
                            "    - vmw_balloon: indicate success when effectively deflating during",
                            "      migration",
                            "    - xfs: always warn about deprecated mount options",
                            "    - gpio: regmap: Allow to allocate regmap-irq device",
                            "    - gpio: regmap: add the .fixed_direction_output configuration parameter",
                            "    - gpio: idio-16: Define fixed direction of the GPIO lines",
                            "    - Linux 6.17.6",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40084",
                            "    - ksmbd: transport_ipc: validate payload size before reading handle",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40222",
                            "    - tty: serial: sh-sci: fix RSCI FIFO overrun handling",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40223",
                            "    - most: usb: Fix use-after-free in hdm_disconnect",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40106",
                            "    - comedi: fix divide-by-zero in comedi_buf_munge()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40224",
                            "    - hwmon: (cgbc-hwmon) Add missing NULL check after devm_kzalloc()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40225",
                            "    - drm/panthor: Fix kernel panic on partial unmap of a GPU VA region",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40226",
                            "    - firmware: arm_scmi: Account for failed debug initialization",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40227",
                            "    - mm/damon/sysfs: dealloc commit test ctx always",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40228",
                            "    - mm/damon/sysfs: catch commit test ctx alloc failure",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40229",
                            "    - mm/damon/core: fix potential memory leak by cleaning ops_filter in",
                            "      damon_destroy_scheme",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40230",
                            "    - mm: prevent poison consumption when splitting THP",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40231",
                            "    - vsock: fix lock inversion in vsock_assign_transport()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40233",
                            "    - ocfs2: clear extent cache after moving/defragmenting extents",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40235",
                            "    - btrfs: directly free partially initialized fs_info in",
                            "      btrfs_check_leaked_roots()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40236",
                            "    - virtio-net: zero unused hash fields",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40237",
                            "    - fs/notify: call exportfs_encode_fid with s_umount",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40238",
                            "    - net/mlx5: Fix IPsec cleanup over MPV device",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40239",
                            "    - net: phy: micrel: always set shared->phydev for LAN8814",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40240",
                            "    - sctp: avoid NULL dereference when chunk data buffer is missing",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40241",
                            "    - erofs: fix crafted invalid cases for encoded extents",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40242",
                            "    - gfs2: Fix unlikely race in gdlm_put_lock",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40243",
                            "    - hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40244",
                            "    - hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40245",
                            "    - nios2: ensure that memblock.current_limit is set when setting pfn limits",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557)",
                            "    - docs: kdoc: handle the obsolescensce of docutils.ErrorString()",
                            "    - Revert \"fs: make vfs_fileattr_[get|set] return -EOPNOTSUPP\"",
                            "    - PCI: vmd: Override irq_startup()/irq_shutdown() in",
                            "      vmd_init_dev_msi_info()",
                            "    - ata: libata-core: relax checks in ata_read_log_directory()",
                            "    - arm64/sysreg: Fix GIC CDEOI instruction encoding",
                            "    - ixgbevf: fix getting link speed data for E610 devices",
                            "    - rust: cfi: only 64-bit arm and x86 support CFI_CLANG",
                            "    - x86/CPU/AMD: Prevent reset reasons from being retained across reboot",
                            "    - slab: reset slab->obj_ext when freeing and it is OBJEXTS_ALLOC_FAIL",
                            "    - Revert \"io_uring/rw: drop -EOPNOTSUPP check in",
                            "      __io_complete_rw_common()\"",
                            "    - io_uring: protect mem region deregistration",
                            "    - Revert \"drm/amd/display: Only restore backlight after amdgpu_dm_init or",
                            "      dm_resume\"",
                            "    - r8152: add error handling in rtl8152_driver_init",
                            "    - net: usb: lan78xx: Fix lost EEPROM write timeout error(-ETIMEDOUT) in",
                            "      lan78xx_write_raw_eeprom",
                            "    - f2fs: fix wrong block mapping for multi-devices",
                            "    - gve: Check valid ts bit on RX descriptor before hw timestamping",
                            "    - jbd2: ensure that all ongoing I/O complete before freeing blocks",
                            "    - ext4: wait for ongoing I/O to complete before freeing blocks",
                            "    - btrfs: fix clearing of BTRFS_FS_RELOC_RUNNING if relocation already",
                            "      running",
                            "    - btrfs: fix memory leak on duplicated memory in the qgroup assign ioctl",
                            "    - btrfs: only set the device specific options after devices are opened",
                            "    - btrfs: fix incorrect readahead expansion length",
                            "    - can: gs_usb: gs_make_candev(): populate net_device->dev_port",
                            "    - can: gs_usb: increase max interface to U8_MAX",
                            "    - cxl/acpi: Fix setup of memory resource in cxl_acpi_set_cache_size()",
                            "    - ALSA: hda/intel: Add MSI X870E Tomahawk to denylist",
                            "    - ALSA: hda/realtek: Add quirk entry for HP ZBook 17 G6",
                            "    - drm/amdgpu: use atomic functions with memory barriers for vm fault info",
                            "    - drm/amdgpu: fix gfx12 mes packet status return check",
                            "    - drm/xe: Increase global invalidation timeout to 1000us",
                            "    - perf/core: Fix address filter match with backing files",
                            "    - perf/core: Fix MMAP event path names with backing files",
                            "    - perf/core: Fix MMAP2 event device with backing files",
                            "    - drm/amd: Check whether secure display TA loaded successfully",
                            "    - PM: hibernate: Add pm_hibernation_mode_is_suspend()",
                            "    - drm/amd: Fix hybrid sleep",
                            "    - usb: gadget: Store endpoint pointer in usb_request",
                            "    - usb: gadget: Introduce free_usb_request helper",
                            "    - HID: multitouch: fix sticky fingers",
                            "    - dax: skip read lock assertion for read-only filesystems",
                            "    - coredump: fix core_pattern input validation",
                            "    - can: m_can: m_can_plat_remove(): add missing pm_runtime_disable()",
                            "    - can: m_can: m_can_handle_state_errors(): fix CAN state transition to",
                            "      Error Active",
                            "    - can: m_can: m_can_chip_config(): bring up interface in correct state",
                            "    - can: m_can: fix CAN state in system PM",
                            "    - net: mtk: wed: add dma mask limitation and GFP_DMA32 for device with",
                            "      more than 4GB DRAM",
                            "    - net: dlink: handle dma_map_single() failure properly",
                            "    - doc: fix seg6_flowlabel path",
                            "    - can: j1939: add missing calls in NETDEV_UNREGISTER notification handler",
                            "    - dpll: zl3073x: Refactor DPLL initialization",
                            "    - dpll: zl3073x: Handle missing or corrupted flash configuration",
                            "    - r8169: fix packet truncation after S4 resume on RTL8168H/RTL8111H",
                            "    - net: phy: bcm54811: Fix GMII/MII/MII-Lite selection",
                            "    - net: phy: realtek: Avoid PHYCR2 access if PHYCR2 not present",
                            "    - amd-xgbe: Avoid spurious link down messages during interface toggle",
                            "    - Octeontx2-af: Fix missing error code in cgx_probe()",
                            "    - tcp: fix tcp_tso_should_defer() vs large RTT",
                            "    - net: airoha: Take into account out-of-order tx completions in",
                            "      airoha_dev_xmit()",
                            "    - selftests: net: check jq command is supported",
                            "    - net: core: fix lockdep splat on device unregister",
                            "    - ksmbd: fix recursive locking in RPC handle list access",
                            "    - tg3: prevent use of uninitialized remote_adv and local_adv variables",
                            "    - tls: trim encrypted message to match the plaintext on short splice",
                            "    - tls: wait for async encrypt in case of error during latter iterations of",
                            "      sendmsg",
                            "    - tls: always set record_type in tls_process_cmsg",
                            "    - tls: don't rely on tx_work during send()",
                            "    - netdevsim: set the carrier when the device goes up",
                            "    - net: usb: lan78xx: fix use of improperly initialized dev->chipid in",
                            "      lan78xx_reset",
                            "    - drm/panthor: Ensure MCU is disabled on suspend",
                            "    - nvme-multipath: Skip nr_active increments in RETRY disposition",
                            "    - riscv: kprobes: Fix probe address validation",
                            "    - drm/bridge: lt9211: Drop check for last nibble of version register",
                            "    - powerpc/fadump: skip parameter area allocation when fadump is disabled",
                            "    - ASoC: codecs: Fix gain setting ranges for Renesas IDT821034 codec",
                            "    - ASoC: nau8821: Cancel jdet_work before handling jack ejection",
                            "    - ASoC: nau8821: Generalize helper to clear IRQ status",
                            "    - ASoC: nau8821: Consistently clear interrupts before unmasking",
                            "    - ASoC: nau8821: Add DMI quirk to bypass jack debounce circuit",
                            "    - drm/i915/guc: Skip communication warning on reset in progress",
                            "    - drm/i915/frontbuffer: Move bo refcounting",
                            "      intel_frontbuffer_{get,release}()",
                            "    - drm/i915/fb: Fix the set_tiling vs. addfb race, again",
                            "    - drm/amdgpu: add ip offset support for cyan skillfish",
                            "    - drm/amdgpu: add support for cyan skillfish without IP discovery",
                            "    - drm/amdgpu: fix handling of harvesting for ip_discovery firmware",
                            "    - drm/amdgpu: handle wrap around in reemit handling",
                            "    - drm/amdgpu: set an error on all fences from a bad context",
                            "    - drm/amdgpu: drop unused structures in amdgpu_drm.h",
                            "    - drm/amd/powerplay: Fix CIK shutdown temperature",
                            "    - drm/xe: Enable media sampler power gating",
                            "    - drm/draw: fix color truncation in drm_draw_fill24",
                            "    - drm/rockchip: vop2: use correct destination rectangle height check",
                            "    - HID: intel-thc-hid: Intel-quickspi: switch first interrupt from level to",
                            "      edge detection",
                            "    - sched/fair: Fix pelt lost idle time detection",
                            "    - ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings",
                            "    - accel/qaic: Synchronize access to DBC request queue head & tail pointer",
                            "    - nvme-auth: update sc_c in host response",
                            "    - cxl/trace: Subtract to find an hpa_alias0 in cxl_poison events",
                            "    - selftests/bpf: make arg_parsing.c more robust to crashes",
                            "    - blk-mq: fix stale tag depth for shared sched tags in",
                            "      blk_mq_update_nr_requests()",
                            "    - block: Remove elevator_lock usage from blkg_conf frozen operations",
                            "    - HID: hid-input: only ignore 0 battery events for digitizers",
                            "    - HID: multitouch: fix name of Stylus input devices",
                            "    - drm/xe/evict: drop bogus assert",
                            "    - selftests: arg_parsing: Ensure data is flushed to disk before reading.",
                            "    - nvme/tcp: handle tls partially sent records in write_space()",
                            "    - rust: cpufreq: fix formatting",
                            "    - arm64: debug: always unmask interrupts in el0_softstp()",
                            "    - arm64: cputype: Add Neoverse-V3AE definitions",
                            "    - arm64: errata: Apply workarounds for Neoverse-V3AE",
                            "    - xfs: rename the old_crc variable in xlog_recover_process",
                            "    - xfs: fix log CRC mismatches between i386 and other architectures",
                            "    - NFSD: Rework encoding and decoding of nfsd4_deviceid",
                            "    - NFSD: Minor cleanup in layoutcommit processing",
                            "    - NFSD: Implement large extent array support in pNFS",
                            "    - NFSD: Fix last write offset handling in layoutcommit",
                            "    - phy: cdns-dphy: Store hs_clk_rate and return it",
                            "    - phy: cadence: cdns-dphy: Fix PLL lock and O_CMN_READY polling",
                            "    - x86/resctrl: Refactor resctrl_arch_rmid_read()",
                            "    - x86/resctrl: Fix miscount of bandwidth event when reactivating",
                            "      previously unavailable RMID",
                            "    - cxl: Fix match_region_by_range() to use region_res_match_cxl_range()",
                            "    - phy: cadence: cdns-dphy: Update calibration wait time for startup state",
                            "      machine",
                            "    - drm/xe: Use devm_ioremap_wc for VRAM mapping and drop manual unmap",
                            "    - drm/xe: Use dynamic allocation for tile and device VRAM region",
                            "      structures",
                            "    - drm/xe: Move struct xe_vram_region to a dedicated header",
                            "    - drm/xe: Unify the initialization of VRAM regions",
                            "    - drm/xe: Move rebar to be done earlier",
                            "    - PM: hibernate: Fix pm_hibernation_mode_is_suspend() build breakage",
                            "    - drm/xe: Fix an IS_ERR() vs NULL bug in xe_tile_alloc_vram()",
                            "    - Linux 6.17.5",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40086",
                            "    - drm/xe: Don't allow evicting of BOs in same VM in array of VM binds",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40087",
                            "    - NFSD: Define a proc_layoutcommit for the FlexFiles layout type",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40088",
                            "    - hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40162",
                            "    - ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40085",
                            "    - ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40172",
                            "    - accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40177",
                            "    - accel/qaic: Fix bootlog initialization ordering",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40163",
                            "    - sched/deadline: Stop dl_server before CPU goes offline",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40174",
                            "    - x86/mm: Fix SMP ordering in switch_mm_irqs_off()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40089",
                            "    - cxl/features: Add check for no entries in cxl_feature_info",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40176",
                            "    - tls: wait for pending async decryptions if tls_strp_msg_hold fails",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40164",
                            "    - usbnet: Fix using smp_processor_id() in preemptible code warnings",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40091",
                            "    - ixgbe: fix too early devlink_free() in ixgbe_remove()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40175",
                            "    - idpf: cleanup remaining SKBs in PTP flows",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40173",
                            "    - net/ip6_tunnel: Prevent perpetual tunnel growth",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40092",
                            "    - usb: gadget: f_ncm: Refactor bind path to use __free()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40093",
                            "    - usb: gadget: f_ecm: Refactor bind path to use __free()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40094",
                            "    - usb: gadget: f_acm: Refactor bind path to use __free()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40095",
                            "    - usb: gadget: f_rndis: Refactor bind path to use __free()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40165",
                            "    - media: nxp: imx8-isi: m2m: Fix streaming cleanup on release",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40096",
                            "    - drm/sched: Fix potential double free in",
                            "      drm_sched_job_add_resv_dependencies",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40097",
                            "    - ALSA: hda: Fix missing pointer check in hda_component_manager_init",
                            "      function",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40098",
                            "    - ALSA: hda: cs35l41: Fix NULL pointer dereference in",
                            "      cs35l41_get_acpi_mute_state()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40099",
                            "    - cifs: parse_dfs_referrals: prevent oob on malformed input",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40100",
                            "    - btrfs: do not assert we found block group item when creating free space",
                            "      tree",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40101",
                            "    - btrfs: fix memory leaks when rejecting a non SINGLE data profile without",
                            "      an RST",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40167",
                            "    - ext4: detect invalid INLINE_DATA + EXTENTS flag combination",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40102",
                            "    - KVM: arm64: Prevent access to vCPU events before init",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40103",
                            "    - smb: client: Fix refcount leak for cifs_sb_tlink",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40104",
                            "    - ixgbevf: fix mailbox API compatibility by negotiating supported features",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40166",
                            "    - drm/xe/guc: Check GuC running state before deregistering exec queue",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40105",
                            "    - vfs: Don't leak disconnected dentries on umount",
                            "  * The machine didn’t go into suspend and got stuck (LP: #2132095)",
                            "    - platform/x86: alienware-wmi-wmax: Fix NULL pointer dereference in sleep",
                            "      handlers",
                            "  * CAP_PERFMON insufficient to get perf data (LP: #2131046)",
                            "    - SAUCE: perf/core: Allow CAP_PERFMON for paranoid level 4",
                            "  * Poweroff not working consistently after upgrading kernel 6.14.0-17.17 or",
                            "    later (LP: #2115860)",
                            "    - drm/amd: Unify shutdown() callback behavior",
                            "    - drm/amd: Stop exporting amdgpu_device_ip_suspend() outside amdgpu_device",
                            "    - drm/amd: Remove comment about handling errors in",
                            "      amdgpu_device_ip_suspend_phase1()",
                            "    - drm/amd: Don't always set IP block HW status to false",
                            "    - drm/amd: Pass IP suspend errors up to callers",
                            "    - drm/amd: Avoid evicting resources at S5",
                            "  * Re-enable INTEL_SKL_INT3472 for kernels >= 6.16 for Intel IPU camera",
                            "    (LP: #2128792)",
                            "    - Revert \"UBUNTU: [Config] FTBFS: disable INTEL_SKL_INT3472\"",
                            "    - Revert \"UBUNTU: SAUCE: platform/x86: int3472: Add handshake GPIO",
                            "      function\"",
                            "  * Support Samsung S5K3J1 sensor for Intel MIPI camera (LP: #2121852)",
                            "    - SAUCE: media: ipu-bridge: Support s5k3j1 sensor",
                            "  * Questing update: v6.17.4 upstream stable release (LP: #2131259)",
                            "    - fs: always return zero on success from replace_fd()",
                            "    - fscontext: do not consume log entries when returning -EMSGSIZE",
                            "    - btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range()",
                            "    - arm64: map [_text, _stext) virtual address range non-executable+read-",
                            "      only",
                            "    - rseq: Protect event mask against membarrier IPI",
                            "    - statmount: don't call path_put() under namespace semaphore",
                            "    - listmount: don't call path_put() under namespace semaphore",
                            "    - clocksource/drivers/clps711x: Fix resource leaks in error paths",
                            "    - memcg: skip cgroup_file_notify if spinning is not allowed",
                            "    - page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches",
                            "    - PM: runtime: Update kerneldoc return codes",
                            "    - dma-mapping: fix direction in dma_alloc direction traces",
                            "    - cpufreq: Make drivers using CPUFREQ_ETERNAL specify transition latency",
                            "    - nfsd: unregister with rpcbind when deleting a transport",
                            "    - KVM: x86: Add helper to retrieve current value of user return MSR",
                            "    - KVM: SVM: Emulate PERF_CNTR_GLOBAL_STATUS_SET for PerfMonV2",
                            "    - iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE",
                            "    - media: v4l2-subdev: Fix alloc failure check in",
                            "      v4l2_subdev_call_state_try()",
                            "    - asm-generic/io.h: Skip trace helpers if rwmmio events are disabled",
                            "    - clk: npcm: select CONFIG_AUXILIARY_BUS",
                            "    - clk: thead: th1520-ap: describe gate clocks with clk_gate",
                            "    - clk: thead: th1520-ap: fix parent of padctrl0 clock",
                            "    - clk: thead: Correct parent for DPU pixel clocks",
                            "    - clk: renesas: r9a08g045: Add MSTOP for GPIO",
                            "    - perf disasm: Avoid undefined behavior in incrementing NULL",
                            "    - perf test trace_btf_enum: Skip if permissions are insufficient",
                            "    - perf evsel: Avoid container_of on a NULL leader",
                            "    - libperf event: Ensure tracing data is multiple of 8 sized",
                            "    - clk: qcom: common: Fix NULL vs IS_ERR() check in qcom_cc_icc_register()",
                            "    - clk: qcom: Select the intended config in QCS_DISPCC_615",
                            "    - perf parse-events: Handle fake PMUs in CPU terms",
                            "    - clk: at91: peripheral: fix return value",
                            "    - clk: renesas: cpg-mssr: Fix memory leak in cpg_mssr_reserved_init()",
                            "    - perf: Completely remove possibility to override MAX_NR_CPUS",
                            "    - perf drm_pmu: Fix fd_dir leaks in for_each_drm_fdinfo_in_dir()",
                            "    - perf util: Fix compression checks returning -1 as bool",
                            "    - rtc: x1205: Fix Xicor X1205 vendor prefix",
                            "    - rtc: optee: fix memory leak on driver removal",
                            "    - perf arm_spe: Correct setting remote access",
                            "    - perf arm_spe: Correct memory level for remote access",
                            "    - perf vendor events arm64 AmpereOneX: Fix typo - should be",
                            "      l1d_cache_access_prefetches",
                            "    - perf test: AMD IBS swfilt skip kernel tests if paranoia is >1",
                            "    - perf test shell lbr: Avoid failures with perf event paranoia",
                            "    - perf trace: Fix IS_ERR() vs NULL check bug",
                            "    - perf session: Fix handling when buffer exceeds 2 GiB",
                            "    - perf test: Don't leak workload gopipe in PERF_RECORD_*",
                            "    - perf evsel: Fix uniquification when PMU given without suffix",
                            "    - perf test: Avoid uncore_imc/clockticks in uniquification test",
                            "    - perf evsel: Ensure the fallback message is always written to",
                            "    - perf build-id: Ensure snprintf string is empty when size is 0",
                            "    - clk: mediatek: mt8195-infra_ao: Fix parent for infra_ao_hdmi_26m",
                            "    - clk: mediatek: clk-mux: Do not pass flags to",
                            "      clk_mux_determine_rate_flags()",
                            "    - clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate()",
                            "    - clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver",
                            "    - clk: tegra: do not overallocate memory for bpmp clocks",
                            "    - nfsd: fix assignment of ia_ctime.tv_nsec on delegated mtime update",
                            "    - nfsd: ignore ATTR_DELEG when checking ia_valid before notify_change()",
                            "    - vfs: add ATTR_CTIME_SET flag",
                            "    - nfsd: use ATTR_CTIME_SET for delegated ctime updates",
                            "    - nfsd: track original timestamps in nfs4_delegation",
                            "    - nfsd: fix SETATTR updates for delegated timestamps",
                            "    - nfsd: fix timestamp updates in CB_GETATTR",
                            "    - tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64",
                            "    - PM: core: Annotate loops walking device links as _srcu",
                            "    - PM: core: Add two macros for walking device links",
                            "    - PM: sleep: Do not wait on SYNC_STATE_ONLY device links",
                            "    - cpufreq: tegra186: Set target frequency for all cpus in policy",
                            "    - scsi: mvsas: Fix use-after-free bugs in mvs_work_queue",
                            "    - perf bpf-filter: Fix opts declaration on older libbpfs",
                            "    - scsi: ufs: sysfs: Make HID attributes visible",
                            "    - mshv: Handle NEED_RESCHED_LAZY before transferring to guest",
                            "    - perf bpf_counter: Fix handling of cpumap fixing hybrid",
                            "    - ASoC: SOF: ipc4-topology: Correct the minimum host DMA buffer size",
                            "    - ASoC: SOF: ipc4-topology: Account for different ChainDMA host buffer",
                            "      size",
                            "    - ASoC: SOF: Intel: hda-pcm: Place the constraint on period time instead",
                            "      of buffer time",
                            "    - LoongArch: Add cflag -fno-isolate-erroneous-paths-dereference",
                            "    - LoongArch: Fix build error for LTO with LLVM-18",
                            "    - LoongArch: Init acpi_gbl_use_global_lock to false",
                            "    - ASoC: SOF: Intel: Read the LLP via the associated Link DMA channel",
                            "    - net: usb: lan78xx: Fix lost EEPROM read timeout error(-ETIMEDOUT) in",
                            "      lan78xx_read_raw_eeprom",
                            "    - net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter()",
                            "    - drm/xe/hw_engine_group: Fix double write lock release in error path",
                            "    - drm/xe/i2c: Don't rely on d3cold.allowed flag in system PM path",
                            "    - s390/cio: Update purge function to unregister the unused subchannels",
                            "    - drm/vmwgfx: Fix a null-ptr access in the cursor snooper",
                            "    - drm/vmwgfx: Fix Use-after-free in validation",
                            "    - drm/vmwgfx: Fix copy-paste typo in validation",
                            "    - net/sctp: fix a null dereference in sctp_disposition",
                            "      sctp_sf_do_5_1D_ce()",
                            "    - tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().",
                            "    - net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work",
                            "    - selftest: net: ovpn: Fix uninit return values",
                            "    - ice: ice_adapter: release xa entry on adapter allocation failure",
                            "    - net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe",
                            "    - tools build: Align warning options with perf",
                            "    - perf python: split Clang options when invoking Popen",
                            "    - tcp: take care of zero tp->window_clamp in tcp_set_rcvlowat()",
                            "    - mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call",
                            "    - mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes",
                            "    - mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop",
                            "    - mailbox: zynqmp-ipi: Fix SGI cleanup on unbind",
                            "    - bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}",
                            "    - net: mdio: mdio-i2c: Hold the i2c bus lock during smbus transactions",
                            "    - net: sparx5/lan969x: fix flooding configuration on bridge join/leave",
                            "    - net/mlx5: Prevent tunnel mode conflicts between FDB and NIC IPsec tables",
                            "    - net/mlx5e: Prevent tunnel reformat when tunnel mode not allowed",
                            "    - mailbox: mtk-cmdq: Remove pm_runtime APIs from cmdq_mbox_send_data()",
                            "    - drm/amdgpu: Add additional DCE6 SCL registers",
                            "    - drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs",
                            "    - drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6",
                            "    - drm/amd/display: Properly disable scaling on DCE6",
                            "    - drm/amd/display: Disable scaling on DCE6 for now",
                            "    - drm/amdkfd: Fix kfd process ref leaking when userptr unmapping",
                            "    - net: pse-pd: tps23881: Fix current measurement scaling",
                            "    - crypto: skcipher - Fix reqsize handling",
                            "    - netfilter: nft_objref: validate objref and objrefmap expressions",
                            "    - bridge: br_vlan_fill_forward_path_pvid: use br_vlan_group_rcu()",
                            "    - selftests: netfilter: nft_fib.sh: fix spurious test failures",
                            "    - selftests: netfilter: query conntrack state to check for port clash",
                            "      resolution",
                            "    - io_uring/zcrx: increment fallback loop src offset",
                            "    - net: airoha: Fix loopback mode configuration for GDM2 port",
                            "    - cifs: Fix copy_to_iter return value check",
                            "    - smb: client: fix missing timestamp updates after utime(2)",
                            "    - rtc: isl12022: Fix initial enable_irq/disable_irq balance",
                            "    - cifs: Query EA $LXMOD in cifs_query_path_info() for WSL reparse points",
                            "    - tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single",
                            "    - gpio: wcd934x: mark the GPIO controller as sleeping",
                            "    - bpf: Avoid RCU context warning when unpinning htab with internal structs",
                            "    - kbuild: always create intermediate vmlinux.unstripped",
                            "    - kbuild: keep .modinfo section in vmlinux.unstripped",
                            "    - kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux",
                            "    - kbuild: Add '.rel.*' strip pattern for vmlinux",
                            "    - s390: vmlinux.lds.S: Reorder sections",
                            "    - s390/vmlinux.lds.S: Move .vmlinux.info to end of allocatable sections",
                            "    - ACPICA: acpidump: drop ACPI_NONSTRING attribute from file_name",
                            "    - ACPI: property: Fix buffer properties extraction for subnodes",
                            "    - ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT",
                            "    - ACPICA: Debugger: drop ACPI_NONSTRING attribute from name_seg",
                            "    - ACPI: debug: fix signedness issues in read/write helpers",
                            "    - ACPI: battery: Add synchronization between interface updates",
                            "    - arm64: dts: qcom: msm8916: Add missing MDSS reset",
                            "    - arm64: dts: qcom: msm8939: Add missing MDSS reset",
                            "    - arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: qcom: x1e80100-pmics: Disable pm8010",
                            "      by default\"",
                            "    - arm64: dts: qcom: x1e80100-pmics: Disable pm8010 by default",
                            "    - arm64: dts: ti: k3-am62a-main: Fix main padcfg length",
                            "    - arm64: dts: ti: k3-am62p: Fix supported hardware for 1GHz OPP",
                            "    - arm64: kprobes: call set_memory_rox() for kprobe page",
                            "    - arm64: mte: Do not flag the zero page as PG_mte_tagged",
                            "    - ARM: AM33xx: Implement TI advisory 1.0.36 (EMU0/EMU1 pins state on",
                            "      reset)",
                            "    - ARM: OMAP2+: pm33xx-core: ix device node reference leaks in",
                            "      amx3_idle_init",
                            "    - firmware: arm_scmi: quirk: Prevent writes to string constants",
                            "    - perf/arm-cmn: Fix CMN S3 DTM offset",
                            "    - KVM: s390: Fix to clear PTE when discarding a swapped page",
                            "    - KVM: arm64: Fix debug checking for np-guests using huge mappings",
                            "    - KVM: arm64: Fix page leak in user_mem_abort()",
                            "    - x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP",
                            "    - KVM: SVM: Re-load current, not host, TSC_AUX on #VMEXIT from SEV-ES",
                            "      guest",
                            "    - KVM: TDX: Fix uninitialized error code for __tdx_bringup()",
                            "    - dt-bindings: phy: rockchip-inno-csi-dphy: make power-domains non-",
                            "      required",
                            "    - xen: take system_transition_mutex on suspend",
                            "    - xen/events: Cleanup find_virq() return codes",
                            "    - xen/manage: Fix suspend error path",
                            "    - xen/events: Return -EEXIST for bound VIRQs",
                            "    - xen/events: Update virq_to_irq on migration",
                            "    - firmware: exynos-acpm: fix PMIC returned errno",
                            "    - firmware: meson_sm: fix device leak at probe",
                            "    - media: cec: extron-da-hd-4k-plus: drop external-module make commands",
                            "    - media: cx18: Add missing check after DMA map",
                            "    - media: i2c: mt9p031: fix mbus code initialization",
                            "    - media: i2c: mt9v111: fix incorrect type for ret",
                            "    - media: mc: Fix MUST_CONNECT handling for pads with no links",
                            "    - media: pci: ivtv: Add missing check after DMA map",
                            "    - media: pci: mg4b: fix uninitialized iio scan data",
                            "    - media: platform: mtk-mdp3: Add missing MT8188 compatible to comp_dt_ids",
                            "    - media: s5p-mfc: remove an unused/uninitialized variable",
                            "    - media: staging/ipu7: fix isys device runtime PM usage in firmware",
                            "      closing",
                            "    - media: uvcvideo: Avoid variable shadowing in uvc_ctrl_cleanup_fh",
                            "    - media: venus: firmware: Use correct reset sequence for IRIS2",
                            "    - media: venus: pm_helpers: add fallback for the opp-table",
                            "    - media: vivid: fix disappearing <Vendor Command With ID> messages",
                            "    - media: vsp1: Export missing vsp1_isp_free_buffer symbol",
                            "    - media: ti: j721e-csi2rx: Use devm_of_platform_populate",
                            "    - media: ti: j721e-csi2rx: Fix source subdev link creation",
                            "    - media: lirc: Fix error handling in lirc_register()",
                            "    - drm/exynos: exynos7_drm_decon: remove ctx->suspended",
                            "    - drm/panthor: Fix memory leak in panthor_ioctl_group_create()",
                            "    - drm/msm/a6xx: Fix PDC sleep sequence",
                            "    - drm/rcar-du: dsi: Fix 1/2/3 lane support",
                            "    - drm/nouveau: fix bad ret code in nouveau_bo_move_prep",
                            "    - drm/xe/uapi: loosen used tracking restriction",
                            "    - drm/amd/display: Incorrect Mirror Cositing",
                            "    - drm/amd/display: Enable Dynamic DTBCLK Switch",
                            "    - drm/amd/display: Fix unsafe uses of kernel mode FPU",
                            "    - blk-crypto: fix missing blktrace bio split events",
                            "    - btrfs: avoid potential out-of-bounds in btrfs_encode_fh()",
                            "    - bus: mhi: ep: Fix chained transfer handling in read path",
                            "    - bus: mhi: host: Do not use uninitialized 'dev' pointer in",
                            "      mhi_init_irq_setup()",
                            "    - cdx: Fix device node reference leak in cdx_msi_domain_init",
                            "    - clk: qcom: tcsrcc-x1e80100: Set the bi_tcxo as parent to eDP refclk",
                            "    - clk: samsung: exynos990: Use PLL_CON0 for PLL parent muxes",
                            "    - clk: samsung: exynos990: Fix CMU_TOP mux/div bit widths",
                            "    - clk: samsung: exynos990: Replace bogus divs with fixed-factor clocks",
                            "    - copy_sighand: Handle architectures where sizeof(unsigned long) <",
                            "      sizeof(u64)",
                            "    - cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay",
                            "    - cpufreq: intel_pstate: Fix object lifecycle issue in",
                            "      update_qos_request()",
                            "    - crypto: aspeed - Fix dma_unmap_sg() direction",
                            "    - crypto: atmel - Fix dma_unmap_sg() direction",
                            "    - crypto: rockchip - Fix dma_unmap_sg() nents value",
                            "    - eventpoll: Replace rwlock with spinlock",
                            "    - fbdev: Fix logic error in \"offb\" name match",
                            "    - fs/ntfs3: Fix a resource leak bug in wnd_extend()",
                            "    - fs: quota: create dedicated workqueue for quota_release_work",
                            "    - fsnotify: pass correct offset to fsnotify_mmap_perm()",
                            "    - fuse: fix possibly missing fuse_copy_finish() call in fuse_notify()",
                            "    - fuse: fix livelock in synchronous file put from fuseblk workers",
                            "    - gpio: mpfs: fix setting gpio direction to output",
                            "    - i3c: Fix default I2C adapter timeout value",
                            "    - iio/adc/pac1934: fix channel disable configuration",
                            "    - iio: dac: ad5360: use int type to store negative error codes",
                            "    - iio: dac: ad5421: use int type to store negative error codes",
                            "    - iio: frequency: adf4350: Fix prescaler usage.",
                            "    - iio: xilinx-ams: Fix AMS_ALARM_THR_DIRECT_MASK",
                            "    - iio: xilinx-ams: Unmask interrupts after updating alarms",
                            "    - init: handle bootloader identifier in kernel parameters",
                            "    - iio: imu: inv_icm42600: Simplify pm_runtime setup",
                            "    - iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in",
                            "      resume",
                            "    - iio: imu: inv_icm42600: Avoid configuring if already pm_runtime",
                            "      suspended",
                            "    - iommu/vt-d: PRS isn't usable if PDS isn't supported",
                            "    - ipmi: Rework user message limit handling",
                            "    - ipmi:msghandler:Change seq_lock to a mutex",
                            "    - kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in",
                            "      sys_prlimit64() paths",
                            "    - KEYS: trusted_tpm1: Compare HMAC values in constant time",
                            "    - kho: only fill kimage if KHO is finalized",
                            "    - lib/genalloc: fix device leak in of_gen_pool_get()",
                            "    - loop: fix backing file reference leak on validation error",
                            "    - md: fix mssing blktrace bio split events",
                            "    - of: unittest: Fix device reference count leak in",
                            "      of_unittest_pci_node_verify",
                            "    - openat2: don't trigger automounts with RESOLVE_NO_XDEV",
                            "    - padata: Reset next CPU when reorder sequence wraps around",
                            "    - parisc: don't reference obsolete termio struct for TC* constants",
                            "    - parisc: Remove spurious if statement from raw_copy_from_user()",
                            "    - nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk",
                            "    - pinctrl: samsung: Drop unused S3C24xx driver data",
                            "    - PM: EM: Fix late boot with holes in CPU topology",
                            "    - PM: hibernate: Fix hybrid-sleep",
                            "    - PM: hibernate: Restrict GFP mask in power_down()",
                            "    - power: supply: max77976_charger: fix constant current reporting",
                            "    - powerpc/powernv/pci: Fix underflow and leak issue",
                            "    - powerpc/pseries/msi: Fix potential underflow and leak issue",
                            "    - pwm: berlin: Fix wrong register in suspend/resume",
                            "    - pwm: Fix incorrect variable used in error message",
                            "    - Revert \"ipmi: fix msg stack when IPMI is disconnected\"",
                            "    - sched/deadline: Fix race in push_dl_task()",
                            "    - scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()",
                            "    - scsi: sd: Fix build warning in sd_revalidate_disk()",
                            "    - sctp: Fix MAC comparison to be constant-time",
                            "    - smb client: fix bug with newly created file in cached dir",
                            "    - sparc64: fix hugetlb for sun4u",
                            "    - sparc: fix error handling in scan_one_device()",
                            "    - xtensa: simdisk: add input size check in proc_write_simdisk",
                            "    - xsk: Harden userspace-supplied xdp_desc validation",
                            "    - mtd: rawnand: fsmc: Default to autodetect buswidth",
                            "    - mtd: nand: raw: gpmi: fix clocks when CONFIG_PM=N",
                            "    - mmc: core: SPI mode remove cmd7",
                            "    - mmc: mmc_spi: multiple block read remove read crc ack",
                            "    - memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe",
                            "    - memory: stm32_omm: Fix req2ack update test",
                            "    - rtc: interface: Ensure alarm irq is enabled when UIE is enabled",
                            "    - rtc: interface: Fix long-standing race when setting alarm",
                            "    - rseq/selftests: Use weak symbol reference, not definition, to link with",
                            "      glibc",
                            "    - PCI: xilinx-nwl: Fix ECAM programming",
                            "    - PCI: tegra: Convert struct tegra_msi mask_lock into raw spinlock",
                            "    - PCI/sysfs: Ensure devices are powered for config reads",
                            "    - PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV",
                            "    - PCI/ERR: Fix uevent on failure to recover",
                            "    - PCI/AER: Fix missing uevent on recovery when a reset is requested",
                            "    - PCI/AER: Support errors introduced by PCIe r6.0",
                            "    - PCI: Ensure relaxed tail alignment does not increase min_align",
                            "    - PCI: Fix failure detection during resource resize",
                            "    - PCI: j721e: Fix module autoloading",
                            "    - PCI: j721e: Fix programming sequence of \"strap\" settings",
                            "    - PCI: keystone: Use devm_request_irq() to free \"ks-pcie-error-irq\" on",
                            "      exit",
                            "    - PCI: rcar-gen4: Fix PHY initialization",
                            "    - PCI: rcar-host: Drop PMSR spinlock",
                            "    - PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock",
                            "    - PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq()",
                            "    - PCI: tegra194: Handle errors in BPMP response",
                            "    - PCI: tegra194: Reset BARs when running in PCIe endpoint mode",
                            "    - PCI/pwrctrl: Fix device leak at registration",
                            "    - PCI/pwrctrl: Fix device and OF node leak at bus scan",
                            "    - PCI/pwrctrl: Fix device leak at device stop",
                            "    - spi: cadence-quadspi: Flush posted register writes before INDAC access",
                            "    - spi: cadence-quadspi: Flush posted register writes before DAC access",
                            "    - spi: cadence-quadspi: Fix cqspi_setup_flash()",
                            "    - xfs: use deferred intent items for reaping crosslinked blocks",
                            "    - x86/fred: Remove ENDBR64 from FRED entry points",
                            "    - x86/umip: Check that the instruction opcode is at least two bytes",
                            "    - x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT",
                            "      aliases)",
                            "    - mptcp: pm: in-kernel: usable client side with C-flag",
                            "    - mptcp: reset blackhole on success with non-loopback ifaces",
                            "    - selftests: mptcp: join: validate C-flag + def limit",
                            "    - s390/cio/ioasm: Fix __xsch() condition code handling",
                            "    - s390/dasd: enforce dma_alignment to ensure proper buffer validation",
                            "    - s390/dasd: Return BLK_STS_INVAL for EINVAL from do_dasd_request",
                            "    - s390: Add -Wno-pointer-sign to KBUILD_CFLAGS_DECOMPRESSOR",
                            "    - slab: prevent warnings when slab obj_exts vector allocation fails",
                            "    - slab: mark slab->obj_exts allocation failures unconditionally",
                            "    - wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again",
                            "    - wifi: iwlwifi: Fix dentry reference leak in iwl_mld_add_link_debugfs",
                            "    - wifi: rtw89: avoid possible TX wait initialization race",
                            "    - wifi: mt76: mt7925u: Add VID/PID for Netgear A9000",
                            "    - wifi: mt76: mt7921u: Add VID/PID for Netgear A7500",
                            "    - mm/thp: fix MTE tag mismatch when replacing zero-filled subpages",
                            "    - mm/rmap: fix soft-dirty and uffd-wp bit loss when remapping zero-filled",
                            "      mTHP subpage to shared zeropage",
                            "    - mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations",
                            "    - mm/hugetlb: early exit from hugetlb_pages_alloc_boot() when",
                            "      max_huge_pages=0",
                            "    - mm/damon/vaddr: do not repeat pte_offset_map_lock() until success",
                            "    - mm/damon/lru_sort: use param_ctx for damon_attrs staging",
                            "    - nfsd: decouple the xprtsec policy check from check_nfsd_access()",
                            "    - NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul()",
                            "    - nfsd: nfserr_jukebox in nlm_fopen should lead to a retry",
                            "    - media: iris: Call correct power off callback in cleanup path",
                            "    - media: iris: Fix firmware reference leak and unmap memory after load",
                            "    - media: iris: fix module removal if firmware download failed",
                            "    - media: iris: vpu3x: Add MNoC low power handshake during hardware power-",
                            "      off",
                            "    - media: iris: Fix port streaming handling",
                            "    - media: iris: Fix buffer count reporting in internal buffer check",
                            "    - media: iris: Allow substate transition to load resources during output",
                            "      streaming",
                            "    - media: iris: Always destroy internal buffers on firmware release",
                            "      response",
                            "    - media: iris: Simplify session stop logic by relying on vb2 checks",
                            "    - media: iris: Update vbuf flags before v4l2_m2m_buf_done",
                            "    - media: iris: Send dummy buffer address for all codecs during drain",
                            "    - media: iris: Fix missing LAST flag handling during drain",
                            "    - media: iris: Fix format check for CAPTURE plane in try_fmt",
                            "    - media: iris: Allow stop on firmware only if start was issued.",
                            "    - ext4: add ext4_sb_bread_nofail() helper function for",
                            "      ext4_free_branches()",
                            "    - ext4: fail unaligned direct IO write with EINVAL",
                            "    - ext4: verify orphan file size is not too big",
                            "    - ext4: increase i_disksize to offset + len in",
                            "      ext4_update_disksize_before_punch()",
                            "    - ext4: correctly handle queries for metadata mappings",
                            "    - ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()",
                            "    - ext4: fix an off-by-one issue during moving extents",
                            "    - ext4: guard against EA inode refcount underflow in xattr update",
                            "    - ext4: validate ea_ino and size in check_xattrs",
                            "    - ACPICA: Allow to skip Global Lock initialization",
                            "    - ext4: free orphan info with kvfree",
                            "    - ipmi: Fix handling of messages with provided receive message pointer",
                            "    - Squashfs: add additional inode sanity checking",
                            "    - Squashfs: reject negative file sizes in squashfs_read_inode()",
                            "    - mm/ksm: fix incorrect KSM counter handling in mm_struct during fork",
                            "    - media: mc: Clear minor number before put device",
                            "    - arm64: dts: qcom: qcs615: add missing dt property in QUP SEs",
                            "    - ACPI: property: Disregard references in data-only subnode lists",
                            "    - ACPI: property: Add code comments explaining what is going on",
                            "    - ACPI: property: Do not pass NULL handles to acpi_attach_data()",
                            "    - irqchip/sifive-plic: Avoid interrupt ID 0 handling during suspend/resume",
                            "    - copy_file_range: limit size if in compat mode",
                            "    - minixfs: Verify inode mode when loading from disk",
                            "    - pid: Add a judgment for ns null in pid_nr_ns",
                            "    - fs: Add 'initramfs_options' to set initramfs mount options",
                            "    - cramfs: Verify inode mode when loading from disk",
                            "    - nsfs: validate extensible ioctls",
                            "    - mnt_ns_tree_remove(): DTRT if mnt_ns had never been added to mnt_ns_list",
                            "    - writeback: Avoid softlockup when switching many inodes",
                            "    - writeback: Avoid excessively long inode switching times",
                            "    - iomap: error out on file IO when there is no inline_data buffer",
                            "    - pidfs: validate extensible ioctls",
                            "    - mount: handle NULL values in mnt_ns_release()",
                            "    - Linux 6.17.4",
                            "  * Questing update: v6.17.4 upstream stable release (LP: #2131259) // Race",
                            "    condition in perf build causes build failure due to missing unistd_64.h",
                            "    header on arm64 (LP: #2131702)",
                            "    - perf tools: Fix arm64 libjvmti build by generating unistd_64.h",
                            "  * Questing update: v6.17.3 upstream stable release (LP: #2129610)",
                            "    - arch: copy_thread: pass clone_flags as u64",
                            "    - filelock: add FL_RECLAIM to show_fl_flags() macro",
                            "    - init: INITRAMFS_PRESERVE_MTIME should depend on BLK_DEV_INITRD",
                            "    - pid: use ns_capable_noaudit() when determining net sysctl permissions",
                            "    - Fix CC_HAS_ASM_GOTO_OUTPUT on non-x86 architectures",
                            "    - [Config]: Update CC configs for v6.17.3",
                            "    - seccomp: Fix a race with WAIT_KILLABLE_RECV if the tracer replies too",
                            "      fast",
                            "    - kbuild: Add missing $(objtree) prefix to powerpc crtsavres.o artifact",
                            "    - selftests: arm64: Check fread return value in exec_target",
                            "    - selftests: arm64: Fix -Waddress warning in tpidr2 test",
                            "    - kselftest/arm64/gcs: Correctly check return value when disabling GCS",
                            "    - hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()",
                            "    - gfs2: Fix GLF_INVALIDATE_IN_PROGRESS flag clearing in do_xmote",
                            "    - gfs2: Remove space before newline",
                            "    - gfs2: Further sanitize lock_dlm.c",
                            "    - gfs2: Fix LM_FLAG_TRY* logic in add_to_queue",
                            "    - gfs2: Remove duplicate check in do_xmote",
                            "    - gfs2: Get rid of GLF_INVALIDATE_IN_PROGRESS",
                            "    - gfs2: do_xmote cleanup",
                            "    - gfs2: Add proper lockspace locking",
                            "    - powerpc/8xx: Remove left-over instruction and comments in",
                            "      DataStoreTLBMiss handler",
                            "    - powerpc/603: Really copy kernel PGD entries into all PGDIRs",
                            "    - powerpc/ftrace: ensure ftrace record ops are always set for NOPs",
                            "    - powerpc64/modules: correctly iterate over stubs in",
                            "      setup_ftrace_ool_stubs",
                            "    - uprobes: uprobe_warn should use passed task",
                            "    - raid6: riscv: Clean up unused header file inclusion",
                            "    - coresight: trbe: Prevent overflow in PERF_IDX2OFF()",
                            "    - perf: arm_spe: Prevent overflow in PERF_IDX2OFF()",
                            "    - erofs: avoid reading more for fragment maps",
                            "    - smb: client: fix sending the iwrap custom IRD/ORD negotiation messages",
                            "    - smb: server: fix IRD/ORD negotiation with the client",
                            "    - perf/x86/intel: Use early_initcall() to hook bts_init()",
                            "    - perf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error",
                            "    - x86/vdso: Fix output operand size of RDPID",
                            "    - selftests: cgroup: Make test_pids backwards compatible",
                            "    - sched/fair: Get rid of sched_domains_curr_level hack for tl->cpumask()",
                            "    - [Config]: Update CONFIG_SCHED_MC for v6.17.3",
                            "    - lsm: CONFIG_LSM can depend on CONFIG_SECURITY",
                            "    - cpuset: fix failure to enable isolated partition when containing",
                            "      isolcpus",
                            "    - btrfs: return any hit error from extent_writepage_io()",
                            "    - btrfs: fix symbolic link reading when bs > ps",
                            "    - pinctrl: renesas: rzg2l: Fix invalid unsigned return in rzg3s_oen_read()",
                            "    - arm64: dts: renesas: rzg2lc-smarc: Disable CAN-FD channel0",
                            "    - bpf: Tidy verifier bug message",
                            "    - regmap: Remove superfluous check for !config in __regmap_init()",
                            "    - selftests/bpf: Copy test_kmods when installing selftest",
                            "    - rust: cpumask: Mark CpumaskVar as transparent",
                            "    - bpf/selftests: Fix test_tcpnotify_user",
                            "    - bpf: Remove migrate_disable in kprobe_multi_link_prog_run",
                            "    - libbpf: Fix reuse of DEVMAP",
                            "    - tools/nolibc: fix error return value of clock_nanosleep()",
                            "    - ARM: dts: renesas: porter: Fix CAN pin group",
                            "    - leds: max77705: Function return instead of variable assignment",
                            "    - leds: flash: leds-qcom-flash: Update torch current clamp setting",
                            "    - s390/bpf: Do not write tail call counter into helper and kfunc frames",
                            "    - s390/bpf: Write back tail call counter for BPF_PSEUDO_CALL",
                            "    - s390/bpf: Write back tail call counter for BPF_TRAMP_F_CALL_ORIG",
                            "    - cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus()",
                            "    - arm64: dts: renesas: sparrow-hawk: Invert microSD voltage selector on",
                            "      EVTB1",
                            "    - arm64: dts: renesas: sparrow-hawk: Set VDDQ18_25_AVB voltage on EVTB1",
                            "    - libbpf: Export bpf_object__prepare symbol",
                            "    - firmware: arm_scmi: Mark VirtIO ready before registering",
                            "      scmi_virtio_driver",
                            "    - arm64: dts: imx93-kontron: Fix GPIO for panel regulator",
                            "    - arm64: dts: imx93-kontron: Fix USB port assignment",
                            "    - arm64: dts: imx95: Correct the lpuart7 and lpuart8 srcid",
                            "    - bpf: Remove preempt_disable in bpf_try_get_buffers",
                            "    - ACPI: processor: idle: Fix memory leak when register cpuidle device",
                            "      failed",
                            "    - genirq: Add irq_chip_(startup/shutdown)_parent()",
                            "    - PCI/MSI: Add startup/shutdown for per device domains",
                            "    - irqchip/sg2042-msi: Fix broken affinity setting",
                            "    - scripts/misc-check: update export checks for EXPORT_SYMBOL_FOR_MODULES()",
                            "    - soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS",
                            "    - pinctrl: meson-gxl: add missing i2c_d pinmux",
                            "    - blk-mq: check kobject state_in_sysfs before deleting in",
                            "      blk_mq_unregister_hctx",
                            "    - selftests/futex: Remove the -g parameter from futex_priv_hash",
                            "    - ARM: at91: pm: fix MCKx restore routine",
                            "    - arm64: dts: apple: t8103-j457: Fix PCIe ethernet iommu-map",
                            "    - regulator: scmi: Use int type to store negative error codes",
                            "    - selftests/futex: Fix some futex_numa_mpol subtests",
                            "    - tools/nolibc: avoid error in dup2() if old fd equals new fd",
                            "    - selftests/nolibc: fix EXPECT_NZ macro",
                            "    - leds: leds-lp55xx: Use correct address for memory programming",
                            "    - PCI/MSI: Check MSI_FLAG_PCI_MSI_MASK_PARENT in",
                            "      cond_[startup|shutdown]_parent()",
                            "    - block: use int to store blk_stack_limits() return value",
                            "    - ARM: dts: stm32: stm32mp151c-plyaqm: Use correct dai-format property",
                            "    - dt-bindings: vendor-prefixes: Add undocumented vendor prefixes",
                            "    - genirq/test: Fix depth tests on architectures with NOREQUEST by default.",
                            "    - genirq/test: Select IRQ_DOMAIN",
                            "    - genirq/test: Depend on SPARSE_IRQ",
                            "    - genirq/test: Drop CONFIG_GENERIC_IRQ_MIGRATION assumptions",
                            "    - genirq/test: Ensure CPU 1 is online for hotplug test",
                            "    - selftests/bpf: Fix count write in testapp_xdp_metadata_copy()",
                            "    - vdso/datastore: Gate time data behind CONFIG_GENERIC_GETTIMEOFDAY",
                            "    - PM: sleep: core: Clear power.must_resume in noirq suspend error path",
                            "    - blk-mq: fix elevator depth_updated method",
                            "    - vdso: Add struct __kernel_old_timeval forward declaration to gettime.h",
                            "    - ARM: dts: ti: omap: am335x-baltos: Fix ti,en-ck32k-xtal property in DTS",
                            "      to use correct boolean syntax",
                            "    - ARM: dts: ti: omap: omap3-devkit8000-lcd: Fix ti,keep-vref-on property",
                            "      to use correct boolean syntax in DTS",
                            "    - ARM: dts: omap: am335x-cm-t335: Remove unused mcasp num-serializer",
                            "      property",
                            "    - PM / devfreq: mtk-cci: Fix potential error pointer dereference in",
                            "      probe()",
                            "    - power: supply: cw2015: Fix a alignment coding style issue",
                            "    - hwmon: (asus-ec-sensors) Narrow lock for X870E-CREATOR WIFI",
                            "    - pinctrl: renesas: Use int type to store negative error codes",
                            "    - pinctrl: eswin: Fix regulator error check and Kconfig dependency",
                            "    - null_blk: Fix the description of the cache_size module argument",
                            "    - blk-throttle: fix access race during throttle policy activation",
                            "    - selftests: vDSO: Fix -Wunitialized in powerpc VDSO_CALL() wrapper",
                            "    - selftests: vDSO: vdso_test_abi: Correctly skip whole test with missing",
                            "      vDSO",
                            "    - irqchip/gic-v5: Fix loop in gicv5_its_create_itt_two_level() cleanup",
                            "      path",
                            "    - irqchip/gic-v5: Fix error handling in gicv5_its_irq_domain_alloc()",
                            "    - tick: Do not set device to detached state in tick_shutdown()",
                            "    - arm64: dts: mediatek: mt8195: Remove suspend-breaking reset from pcie0",
                            "    - arm64: dts: mediatek: mt8183: Fix out of range pull values",
                            "    - nbd: restrict sockets to TCP and UDP",
                            "    - PM / devfreq: rockchip-dfi: double count on RK3588",
                            "    - firmware: firmware: meson-sm: fix compile-test default",
                            "    - dts: arm: amlogic: fix pwm node for c3",
                            "    - soc: mediatek: mtk-svs: fix device leaks on mt8183 probe failure",
                            "    - soc: mediatek: mtk-svs: fix device leaks on mt8192 probe failure",
                            "    - cpuidle: qcom-spm: fix device and OF node leaks at probe",
                            "    - block: cleanup bio_issue",
                            "    - block: initialize bio issue time in blk_mq_submit_bio()",
                            "    - block: factor out a helper bio_submit_split_bioset()",
                            "    - block: skip unnecessary checks for split bio",
                            "    - block: fix ordering of recursive split IO",
                            "    - blk-mq: remove useless checkings in blk_mq_update_nr_requests()",
                            "    - blk-mq: check invalid nr_requests in queue_requests_store()",
                            "    - blk-mq: convert to serialize updating nr_requests with",
                            "      update_nr_hwq_lock",
                            "    - blk-mq: cleanup shared tags case in blk_mq_update_nr_requests()",
                            "    - blk-mq: split bitmap grow and resize case in blk_mq_update_nr_requests()",
                            "    - blk-mq-sched: add new parameter nr_requests in blk_mq_alloc_sched_tags()",
                            "    - blk-mq: fix potential deadlock while nr_requests grown",
                            "    - arm64: dts: allwinner: a527: cubie-a5e: Add ethernet PHY reset setting",
                            "    - arm64: dts: allwinner: t527: avaota-a1: Add ethernet PHY reset setting",
                            "    - arm64: dts: rockchip: Add RTC on rk3576-evb1-v10",
                            "    - arm64: dts: rockchip: Add WiFi on rk3576-evb1-v10",
                            "    - arm64: dts: rockchip: Fix network on rk3576 evb1 board",
                            "    - arm64: dts: ti: k3-j742s2-mcu-wakeup: Override firmware-name for MCU R5F",
                            "      cores",
                            "    - arm64: dts: ti: k3: Rename rproc reserved-mem nodes to 'memory@addr'",
                            "    - Revert \"arm64: dts: ti: k3-j721e-sk: Fix reversed C6x carveout",
                            "      locations\"",
                            "    - Revert \"arm64: dts: ti: k3-j721e-beagleboneai64: Fix reversed C6x",
                            "      carveout locations\"",
                            "    - arm64: dts: mediatek: mt8188: Change efuse fallback compatible to mt8186",
                            "    - arm64: dts: mediatek: mt8186-tentacruel: Fix touchscreen model",
                            "    - arm64: dts: ti: k3-pinctrl: Fix the bug in existing macros",
                            "    - arm64: dts: renesas: r9a09g047e57-smarc: Fix gpio key's pin control node",
                            "    - arm64: dts: mediatek: mt6331: Fix pmic, regulators, rtc, keys node names",
                            "    - mmc: core: Fix variable shadowing in mmc_route_rpmb_frames()",
                            "    - arm64: dts: mediatek: mt6795-xperia-m5: Fix mmc0 latch-ck value",
                            "    - arm64: dts: mediatek: mt7986a: Fix PCI-Express T-PHY node address",
                            "    - arm64: dts: mediatek: mt8395-kontron-i1200: Fix MT6360 regulator nodes",
                            "    - arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible",
                            "    - arm64: dts: allwinner: a527: cubie-a5e: Add LEDs",
                            "    - arm64: dts: allwinner: a527: cubie-a5e: Drop external 32.768 KHz crystal",
                            "    - arm64: dts: allwinner: t527: avaota-a1: hook up external 32k crystal",
                            "    - arm64: dts: allwinner: t527: orangepi-4a: hook up external 32k crystal",
                            "    - pwm: tiehrpwm: Don't drop runtime PM reference in .free()",
                            "    - pwm: tiehrpwm: Make code comment in .free() more useful",
                            "    - pwm: tiehrpwm: Fix various off-by-one errors in duty-cycle calculation",
                            "    - pwm: tiehrpwm: Fix corner case in clock divisor calculation",
                            "    - ACPICA: Apply ACPI_NONSTRING",
                            "    - ACPICA: Fix largest possible resource descriptor index",
                            "    - riscv, bpf: Sign extend struct ops return values properly",
                            "    - nvme-auth: update bi_directional flag",
                            "    - nvmet-fc: move lsop put work to nvmet_fc_ls_req_op",
                            "    - nvmet-fcloop: call done callback even when remote port is gone",
                            "    - nvme-tcp: send only permitted commands for secure concat",
                            "    - i3c: master: svc: Use manual response for IBI events",
                            "    - i3c: master: svc: Recycle unused IBI slot",
                            "    - block: update validation of atomic writes boundary for stacked devices",
                            "    - block: fix stacking of atomic writes when atomics are not supported",
                            "    - selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported",
                            "    - selftests/kselftest_harness: Add harness-selftest.expected to TEST_FILES",
                            "    - blk-throttle: fix throtl_data leak during disk release",
                            "    - bpf: Explicitly check accesses to bpf_sock_addr",
                            "    - mmc: select REGMAP_MMIO with MMC_LOONGSON2",
                            "    - selftests/futex: Fix futex_wait() for 32bit ARM",
                            "    - selftest/futex: Make the error check more precise for futex_numa_mpol",
                            "    - selftest/futex: Compile also with libnuma < 2.0.16",
                            "    - bpf: dont report verifier bug for missing bpf_scc_visit on speculative",
                            "      path",
                            "    - bpf, arm64: Call bpf_jit_binary_pack_finalize() in bpf_jit_free()",
                            "    - arm64: dts: apple: t600x: Add missing WiFi properties",
                            "    - arm64: dts: apple: t600x: Add bluetooth device nodes",
                            "    - arm64: dts: apple: Add ethernet0 alias for J375 template",
                            "    - selftests: always install UAPI headers to the correct directory",
                            "    - smp: Fix up and expand the smp_call_function_many() kerneldoc",
                            "    - mfd: max77705: max77705_charger: move active discharge setting to mfd",
                            "      parent",
                            "    - power: supply: max77705_charger: refactoring: rename charger to chg",
                            "    - power: supply: max77705_charger: use regfields for config registers",
                            "    - power: supply: max77705_charger: rework interrupts",
                            "    - tools/nolibc: make time_t robust if __kernel_old_time_t is missing in",
                            "      host headers",
                            "    - spi: fix return code when spi device has too many chipselects",
                            "    - clocksource/drivers/timer-tegra186: Avoid 64-bit divide operation",
                            "    - clocksource/drivers/tegra186: Avoid 64-bit division",
                            "    - bpf: Mark kfuncs as __noclone",
                            "    - once: fix race by moving DO_ONCE to separate section",
                            "    - hwmon: (mlxreg-fan) Separate methods of fan setting coming from",
                            "      different subsystems",
                            "    - tools/nolibc: add stdbool.h to nolibc includes",
                            "    - thermal/drivers/qcom: Make LMH select QCOM_SCM",
                            "    - thermal/drivers/qcom/lmh: Add missing IRQ includes",
                            "    - i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD",
                            "    - i2c: spacemit: ensure bus release check runs when wait_bus_idle() fails",
                            "    - i2c: spacemit: remove stop function to avoid bus error",
                            "    - i2c: spacemit: disable SDA glitch fix to avoid restart delay",
                            "    - i2c: spacemit: check SDA instead of SCL after bus reset",
                            "    - i2c: spacemit: ensure SDA is released after bus reset",
                            "    - i2c: designware: Fix clock issue when PM is disabled",
                            "    - i2c: designware: Add disabling clocks when probe fails",
                            "    - libbpf: Fix error when st-prefix_ops and ops from differ btf",
                            "    - bpf: Enforce expected_attach_type for tailcall compatibility",
                            "    - i3c: fix big-endian FIFO transfers",
                            "    - mfd: max77705: Setup the core driver as an interrupt controller",
                            "    - drm/sched: Fix a race in DRM_GPU_SCHED_STAT_NO_HANG test",
                            "    - drm/panel-edp: Add disable to 100ms for MNB601LS1-4",
                            "    - drm/display: bridge-connector: correct CEC bridge pointers in",
                            "      drm_bridge_connector_init",
                            "    - drm/panel-edp: Add 50ms disable delay for four panels",
                            "    - drm/vmwgfx: fix missing assignment to ts",
                            "    - drm/amd/display: Reduce Stack Usage by moving 'audio_output' into",
                            "      'stream_res' v4",
                            "    - drm/panel: novatek-nt35560: Fix invalid return value",
                            "    - drm/amdgpu: fix link error for !PM_SLEEP",
                            "    - drm/amdgpu: Fix jpeg v4.0.3 poison irq call trace on sriov guest",
                            "    - drm/amdgpu: Fix vcn v4.0.3 poison irq call trace on sriov guest",
                            "    - PCI: endpoint: pci-ep-msi: Fix NULL vs IS_ERR() check in",
                            "      pci_epf_write_msi_msg()",
                            "    - PCI: xgene-msi: Return negative -EINVAL in xgene_msi_handler_setup()",
                            "    - drm/radeon/r600_cs: clean up of dead code in r600_cs",
                            "    - f2fs: fix condition in __allow_reserved_blocks()",
                            "    - f2fs: fix to avoid overflow while left shift operation",
                            "    - f2fs: fix to zero data after EOF for compressed file correctly",
                            "    - drm/bridge: it6505: select REGMAP_I2C",
                            "    - wifi: rtw88: Lock rtwdev->mutex before setting the LED",
                            "    - HID: steelseries: refactor probe() and remove()",
                            "    - media: zoran: Remove zoran_fh structure",
                            "    - phy: rockchip: naneng-combphy: Enable U3 OTG port for RK3568",
                            "    - drm/bridge: cdns-dsi: Fix the _atomic_check()",
                            "    - usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup",
                            "    - usb: misc: qcom_eud: Access EUD_MODE_MANAGER2 through secure calls",
                            "    - PCI/pwrctrl: Fix double cleanup on devm_add_action_or_reset() failure",
                            "    - misc: pci_endpoint_test: Fix array underflow in",
                            "      pci_endpoint_test_ioctl()",
                            "    - serial: max310x: Add error checking in probe()",
                            "    - drm/amd/display: Remove redundant semicolons",
                            "    - drm/amd/display: Add NULL pointer checks in dc_stream cursor attribute",
                            "      functions",
                            "    - crypto: keembay - Add missing check after sg_nents_for_len()",
                            "    - hwrng: nomadik - add ARM_AMBA dependency",
                            "    - docs: iio: ad3552r: Fix malformed code-block directive",
                            "    - fwctl/mlx5: Fix memory alloc/free in mlx5ctl_fw_rpc()",
                            "    - scsi: pm80xx: Restore support for expanders",
                            "    - scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod",
                            "    - scsi: libsas: Add dev_parent_is_expander() helper",
                            "    - scsi: pm80xx: Use dev_parent_is_expander() helper",
                            "    - scsi: pm80xx: Add helper function to get the local phy id",
                            "    - scsi: pm80xx: Fix pm8001_abort_task() for chip_8006 when using an",
                            "      expander",
                            "    - mptcp: Fix up subflow's memcg when CONFIG_SOCK_CGROUP_DATA=n.",
                            "    - scsi: myrs: Fix dma_alloc_coherent() error check",
                            "    - f2fs: fix to clear unusable_cap for checkpoint=enable",
                            "    - f2fs: fix to avoid NULL pointer dereference in",
                            "      f2fs_check_quota_consistency()",
                            "    - f2fs: fix to allow removing qf_name",
                            "    - Revert \"UBUNTU: SAUCE: drm/dp: drm_edp_backlight_set_level: do not",
                            "      always send 3-byte commands\"",
                            "    - drm/dp: drm_edp_backlight_set_level: do not always send 3-byte commands",
                            "    - crypto: octeontx2 - Call strscpy() with correct size argument",
                            "    - drm: re-allow no-op changes on non-primary planes in async flips",
                            "    - media: rj54n1cb0c: Fix memleak in rj54n1_probe()",
                            "    - media: staging/ipu7: convert to use pci_alloc_irq_vectors() API",
                            "    - media: staging/ipu7: Don't set name for IPU7 PCI device",
                            "    - media: staging/ipu7: cleanup the MMU correctly in IPU7 driver release",
                            "    - media: i2c: vd55g1: Fix duster register address",
                            "    - drm/panel: Allow powering on panel follower after panel is enabled",
                            "    - HID: i2c-hid: Make elan touch controllers power on after panel is",
                            "      enabled",
                            "    - RDMA/mlx5: Better estimate max_qp_wr to reflect WQE count",
                            "    - RDMA/mlx5: Fix vport loopback forcing for MPV device",
                            "    - wifi: rtw88: Use led->brightness_set_blocking for PCI too",
                            "    - net: phy: introduce phy_id_compare_vendor() PHY ID helper",
                            "    - net: phy: as21xxx: better handle PHY HW reset on soft-reboot",
                            "    - PCI: rcar-host: Pass proper IRQ domain to generic_handle_domain_irq()",
                            "    - fuse: remove unneeded offset assignment when filling write pages",
                            "    - PCI: qcom: Restrict port parsing only to PCIe bridge child nodes",
                            "    - cdx: don't select CONFIG_GENERIC_MSI_IRQ",
                            "    - PCI/ACPI: Fix pci_acpi_preserve_config() memory leak",
                            "    - HID: i2c-hid: Fix test in i2c_hid_core_register_panel_follower()",
                            "    - ALSA: lx_core: use int type to store negative error codes",
                            "    - media: st-delta: avoid excessive stack usage",
                            "    - drm/amdgpu/vcn: Add regdump helper functions",
                            "    - drm/amdgpu/vcn: Hold pg_lock before vcn power off",
                            "    - drm/amdgpu: Check vcn state before profile switch",
                            "    - accel/amdxdna: Use int instead of u32 to store error codes",
                            "    - efi: Explain OVMF acronym in OVMF_DEBUG_LOG help text",
                            "    - net: dst: introduce dst->dev_rcu",
                            "    - ipv6: mcast: Add ip6_mc_find_idev() helper",
                            "    - ipv6: start using dst_dev_rcu()",
                            "    - ipv6: use RCU in ip6_xmit()",
                            "    - ipv6: use RCU in ip6_output()",
                            "    - net: use dst_dev_rcu() in sk_setup_caps()",
                            "    - tcp_metrics: use dst_dev_net_rcu()",
                            "    - ipv4: start using dst_dev_rcu()",
                            "    - crypto: hisilicon/zip - remove unnecessary validation for high-",
                            "      performance mode configurations",
                            "    - crypto: hisilicon - re-enable address prefetch after device resuming",
                            "    - crypto: hisilicon - check the sva module status while enabling or",
                            "      disabling address prefetch",
                            "    - crypto: hisilicon/qm - check whether the input function and PF are on",
                            "      the same device",
                            "    - crypto: hisilicon/qm - request reserved interrupt for virtual function",
                            "    - inet: ping: check sock_net() in ping_get_port() and ping_lookup()",
                            "    - dmaengine: Fix dma_async_tx_descriptor->tx_submit documentation",
                            "    - coresight: trbe: Add ISB after TRBLIMITR write",
                            "    - coresight: Fix missing include for FIELD_GET",
                            "    - coresight: Only register perf symlink for sinks with alloc_buffer",
                            "    - drm/amdgpu: Power up UVD 3 for FW validation (v2)",
                            "    - drm/amd/pm: Disable ULV even if unsupported (v3)",
                            "    - drm/amd/pm: Fix si_upload_smc_data (v3)",
                            "    - drm/amd/pm: Adjust si_upload_smc_data register programming (v3)",
                            "    - drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3)",
                            "    - drm/amd/pm: Disable MCLK switching with non-DC at 120 Hz+ (v2)",
                            "    - drm/amd/pm: Disable SCLK switching on Oland with high pixel clocks (v3)",
                            "    - wifi: mac80211: Make CONNECTION_MONITOR optional for MLO sta",
                            "    - wifi: mwifiex: send world regulatory domain to driver",
                            "    - wifi: brcmfmac: fix 43752 SDIO FWVID incorrectly labelled as Cypress",
                            "      (CYW)",
                            "    - drm/msm: Do not validate SSPP when it is not ready",
                            "    - PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation",
                            "    - wifi: mac80211: consider links for validating SCAN_FLAG_AP in scan",
                            "      request during MLO",
                            "    - PCI: qcom: Add equalization settings for 8.0 GT/s and 32.0 GT/s",
                            "    - tcp: fix __tcp_close() to only send RST when required",
                            "    - fanotify: Validate the return value of mnt_ns_from_dentry() before",
                            "      dereferencing",
                            "    - drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl()",
                            "    - usb: phy: twl6030: Fix incorrect type for ret",
                            "    - usb: gadget: configfs: Correctly set use_os_string at bind",
                            "    - tty: n_gsm: Don't block input queue by waiting MSC",
                            "    - misc: genwqe: Fix incorrect cmd field being reported in error",
                            "    - pps: fix warning in pps_register_cdev when register device fail",
                            "    - drm/msm: Fix obj leak in VM_BIND error path",
                            "    - drm/msm: Fix missing VM_BIND offset/range validation",
                            "    - wifi: iwlwifi: Remove redundant header files",
                            "    - drm/msm/mdp4: stop supporting no-IOMMU configuration",
                            "    - drm/msm: stop supporting no-IOMMU configuration",
                            "    - idpf: fix Rx descriptor ready check barrier in splitq",
                            "    - ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping",
                            "    - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping",
                            "    - ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping",
                            "    - ipv6: snmp: do not use SNMP_MIB_SENTINEL anymore",
                            "    - ipv6: snmp: do not track per idev ICMP6_MIB_RATELIMITHOST",
                            "    - drm/msm: Fix bootup splat with separate_gpu_drm modparam",
                            "    - drm/msm/dpu: fix incorrect type for ret",
                            "    - wifi: mac80211: fix reporting of all valid links in sta_set_sinfo()",
                            "    - fs: ntfs3: Fix integer overflow in run_unpack()",
                            "    - fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist",
                            "    - iio: consumers: Fix handling of negative channel scale in",
                            "      iio_convert_raw_to_processed()",
                            "    - iio: consumers: Fix offset handling in iio_convert_raw_to_processed()",
                            "    - mm/slub: Fix cmp_loc_by_count() to return 0 when counts are equal",
                            "    - tools: ynl: fix undefined variable name",
                            "    - RDMA/mlx5: Fix page size bitmap calculation for KSM mode",
                            "    - netfilter: ipset: Remove unused htable_bits in macro ahash_region",
                            "    - ipvs: Use READ_ONCE/WRITE_ONCE for ipvs->enable",
                            "    - HID: steelseries: Fix STEELSERIES_SRWS1 handling in steelseries_remove()",
                            "    - watchdog: intel_oc_wdt: Do not try to write into const memory",
                            "    - watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the",
                            "      watchdog",
                            "    - PCI: endpoint: pci-epf-test: Fix doorbell test support",
                            "    - drivers/base/node: handle error properly in register_one_node()",
                            "    - RDMA/cm: Rate limit destroy CM ID timeout error message",
                            "    - wifi: mt76: mt7996: Fix mt7996_mcu_sta_ba wcid configuration",
                            "    - wifi: mt76: mt7996: Fix mt7996_mcu_bss_mld_tlv routine",
                            "    - wifi: mt76: fix potential memory leak in mt76_wmac_probe()",
                            "    - wifi: mt76: mt7996: Use proper link_id in link_sta_rc_update callback",
                            "    - wifi: mt76: mt7996: Check phy before init msta_link in",
                            "      mt7996_mac_sta_add_links()",
                            "    - wifi: mt76: mt7996: Fix tx-queues initialization for second phy on",
                            "      mt7996",
                            "    - wifi: mt76: mt7996: Fix RX packets configuration for primary WED device",
                            "    - wifi: mt76: mt7996: Convert mt7996_wed_rro_addr to LE",
                            "    - wifi: mt76: mt7915: fix mt7981 pre-calibration",
                            "    - wifi: mt76: mt7996: remove redundant per-phy mac80211 calls during",
                            "      restart",
                            "    - ASoC: Intel: hda-sdw-bpt: set persistent_buffer false",
                            "    - srcu/tiny: Remove preempt_disable/enable() in srcu_gp_start_if_needed()",
                            "    - drm/amdgpu: Fix allocating extra dwords for rings (v2)",
                            "    - f2fs: fix to update map->m_next_extent correctly in f2fs_map_blocks()",
                            "    - f2fs: fix to truncate first page in error path of f2fs_truncate()",
                            "    - f2fs: fix to avoid migrating empty section",
                            "    - f2fs: fix to mitigate overhead of f2fs_zero_post_eof_page()",
                            "    - RISC-V: KVM: Write hgatp register with valid mode bits",
                            "    - ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on",
                            "      PREEMPT_RT",
                            "    - ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message",
                            "    - scsi: qla2xxx: edif: Fix incorrect sign of error code",
                            "    - scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES()",
                            "    - scsi: qla2xxx: Fix incorrect sign of error code in qla_nvme_xmt_ls_rsp()",
                            "    - HID: hidraw: tighten ioctl command parsing",
                            "    - f2fs: fix zero-sized extent for precache extents",
                            "    - smc: Fix use-after-free in __pnet_find_base_ndev().",
                            "    - smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().",
                            "    - smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().",
                            "    - smc: Use __sk_dst_get() and dst_dev_rcu() in smc_vlan_by_tcpsk().",
                            "    - tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().",
                            "    - mptcp: Call dst_release() in mptcp_active_enable().",
                            "    - mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable().",
                            "    - Revert \"usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems",
                            "      Running\"",
                            "    - RDMA/core: Resolve MAC of next-hop device without ARP support",
                            "    - IB/sa: Fix sa_local_svc_timeout_ms read race",
                            "    - Documentation: trace: historgram-design: Separate sched_waking histogram",
                            "      section heading and the following diagram",
                            "    - ASoC: SOF: ipc4-pcm: Fix incorrect comparison with number of tdm_slots",
                            "    - wifi: ath12k: initialize eirp_power before use",
                            "    - wifi: ath12k: fix overflow warning on num_pwr_levels",
                            "    - wifi: ath12k: fix signal in radiotap for WCN7850",
                            "    - wifi: ath12k: fix HAL_PHYRX_COMMON_USER_INFO handling in monitor mode",
                            "    - wifi: ath12k: fix the fetching of combined rssi",
                            "    - wifi: ath12k: Add fallback for invalid channel number in PHY metadata",
                            "    - wifi: ath12k: fix wrong logging ID used for CE",
                            "    - wifi: ath10k: avoid unnecessary wait for service ready message",
                            "    - iommu/vt-d: debugfs: Fix legacy mode page table dump logic",
                            "    - wifi: mac80211: fix Rx packet handling when pubsta information is not",
                            "      available",
                            "    - ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      UltraSPARC",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      UltraSPARC III",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      Niagara",
                            "    - sparc: fix accurate exception reporting in copy_to_user for Niagara 4",
                            "    - sparc: fix accurate exception reporting in copy_{from,to}_user for M7",
                            "    - vfio/pds: replace bitmap_free with vfree",
                            "    - crypto: comp - Use same definition of context alloc and free ops",
                            "    - crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs",
                            "    - wifi: ath12k: Fix peer lookup in ath12k_dp_mon_rx_deliver_msdu()",
                            "    - rpmsg: qcom_smd: Fix fallback to qcom,ipc parse",
                            "    - remoteproc: qcom_q6v5_mss: support loading MBN file on msm8974",
                            "    - RDMA/rxe: Fix race in do_task() when draining",
                            "    - selftests/mm: fix va_high_addr_switch.sh failure on x86_64",
                            "    - wifi: rtw89: fix leak in rtw89_core_send_nullfunc()",
                            "    - wifi: rtw89: avoid circular locking dependency in ser_state_run()",
                            "    - PCI: tegra194: Fix duplicate PLL disable in",
                            "      pex_ep_event_pex_rst_assert()",
                            "    - remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice",
                            "    - remoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E",
                            "    - wifi: ath12k: Refactor RX TID deletion handling into helper function",
                            "    - wifi: ath12k: Fix flush cache failure during RX queue update",
                            "    - wifi: cfg80211: fix width unit in cfg80211_radio_chandef_valid()",
                            "    - dm vdo: return error on corrupted metadata in start_restoring_volume",
                            "      functions",
                            "    - coresight: fix indentation error in cscfg_remove_owned_csdev_configs()",
                            "    - coresight-etm4x: Conditionally access register TRCEXTINSELR",
                            "    - coresight: tmc: Support atclk",
                            "    - coresight: catu: Support atclk",
                            "    - coresight: etm4x: Support atclk",
                            "    - coresight: Appropriately disable programming clocks",
                            "    - coresight: Appropriately disable trace bus clocks",
                            "    - coresight: Avoid enable programming clock duplicately",
                            "    - coresight: trbe: Return NULL pointer for allocation failures",
                            "    - coresight: tpda: fix the logic to setup the element size",
                            "    - coresight: Fix incorrect handling for return value of devm_kzalloc",
                            "    - NFSv4.1: fix backchannel max_resp_sz verification check",
                            "    - net: ethtool: tsconfig: set command must provide a reply",
                            "    - netfilter: nfnetlink: reset nlh pointer during batch replay",
                            "    - netfilter: nf_conntrack: do not skip entries in /proc/net/nf_conntrack",
                            "    - scsi: ufs: core: Fix data race in CPU latency PM QoS request handling",
                            "    - scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()",
                            "    - usb: vhci-hcd: Prevent suspending virtually attached devices",
                            "    - PCI: rcar-gen4: Add missing 1ms delay after PWR reset assertion",
                            "    - PCI: rcar-gen4: Assure reset occurs before DBI access",
                            "    - PCI: rcar-gen4: Fix inverted break condition in PHY initialization",
                            "    - ASoC: qcom: sc8280xp: use sa8775p/ subdir for QCS9100 / QCS9075",
                            "    - iommu/vt-d: Disallow dirty tracking if incoherent page walk",
                            "    - iommu/selftest: prevent use of uninitialized variable",
                            "    - RDMA/siw: Always report immediate post SQ errors",
                            "    - net: enetc: Fix probing error message typo for the ENETCv4 PF driver",
                            "    - net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast",
                            "    - ptp: Add a upper bound on max_vclocks",
                            "    - vhost: vringh: Fix copy_to_iter return value check",
                            "    - net: macb: remove illusion about TBQPH/RBQPH being per-queue",
                            "    - net: macb: move ring size computation to functions",
                            "    - net: macb: single dma_alloc_coherent() for DMA descriptors",
                            "    - Bluetooth: btintel_pcie: Refactor Device Coredump",
                            "    - Bluetooth: MGMT: Fix not exposing debug UUID on",
                            "      MGMT_OP_READ_EXP_FEATURES_INFO",
                            "    - Bluetooth: ISO: Fix possible UAF on iso_conn_free",
                            "    - Bluetooth: ISO: free rx_skb if not consumed",
                            "    - Bluetooth: ISO: don't leak skb in ISO_CONT RX",
                            "    - Bluetooth: hci_sync: Fix using random address for BIG/PA advertisements",
                            "    - KEYS: X.509: Fix Basic Constraints CA flag parsing",
                            "    - hwrng: ks-sa - fix division by zero in ks_sa_rng_init",
                            "    - cramfs: fix incorrect physical page address calculation",
                            "    - ocfs2: fix double free in user_cluster_connect()",
                            "    - drivers/base/node: fix double free in register_one_node()",
                            "    - f2fs: fix UAF issue in f2fs_merge_page_bio()",
                            "    - mtd: rawnand: atmel: Fix error handling path in",
                            "      atmel_nand_controller_add_nands",
                            "    - PCI: j721e: Fix incorrect error message in probe()",
                            "    - idpf: fix mismatched free function for dma_alloc_coherent",
                            "    - tcp: use skb->len instead of skb->truesize in tcp_can_ingest()",
                            "    - nfp: fix RSS hash key size when RSS is not supported",
                            "    - net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not",
                            "      configurable",
                            "    - net: dlink: handle copy_thresh allocation failure",
                            "    - net/mlx5: Stop polling for command response if interface goes down",
                            "    - net/mlx5: pagealloc: Fix reclaim race during command interface teardown",
                            "    - net/mlx5: fw reset, add reset timeout work",
                            "    - smb: client: fix crypto buffers in non-linear memory",
                            "    - bonding: fix xfrm offload feature setup on active-backup mode",
                            "    - net: enetc: initialize SW PIR and CIR based HW PIR and CIR values",
                            "    - iommufd: Register iommufd mock devices with fwspec",
                            "    - Revert \"net/mlx5e: Update and set Xon/Xoff upon MTU set\"",
                            "    - NFSD: filecache: add STATX_DIOALIGN and STATX_DIO_READ_ALIGN support",
                            "    - nfs/localio: avoid issuing misaligned IO using O_DIRECT",
                            "    - octeontx2-vf: fix bitmap leak",
                            "    - octeontx2-pf: fix bitmap leak",
                            "    - vhost: vringh: Modify the return value check",
                            "    - selftests/bpf: Fix typos and grammar in test sources",
                            "    - selftests/bpf: move get_ksyms and get_addrs to trace_helpers.c",
                            "    - selftests/bpf: Fix realloc size in bpf_get_addrs",
                            "    - bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer",
                            "    - bpf: Reject negative offsets for ALU ops",
                            "    - tpm: Disable TPM2_TCG_HMAC by default",
                            "    - ALSA: hda/hdmi: Add pin fix for HP ProDesk model",
                            "    - ALSA: hda/realtek: Add quirk for HP Spectre 14t-ea100",
                            "    - Squashfs: fix uninit-value in squashfs_get_parent",
                            "    - uio_hv_generic: Let userspace take care of interrupt mask",
                            "    - hisi_acc_vfio_pci: Fix reference leak in hisi_acc_vfio_debug_init",
                            "    - io_uring/waitid: always prune wait queue entry in io_waitid_wait()",
                            "    - io_uring/zcrx: fix overshooting recv limit",
                            "    - ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()",
                            "    - ASoC: SOF: ipc3-topology: Fix multi-core and static pipelines tear down",
                            "    - ASoC: codecs: wcd937x: set the comp soundwire port correctly",
                            "    - ASoC: codecs: wcd937x: make stub functions inline",
                            "    - ASoC: SOF: ipc4-pcm: fix delay calculation when DSP resamples",
                            "    - ASoC: SOF: ipc4-pcm: fix start offset calculation for chain DMA",
                            "    - fs: udf: fix OOB read in lengthAllocDescs handling",
                            "    - net: nfc: nci: Add parameter validation for packet data",
                            "    - mfd: rz-mtu3: Fix MTU5 NFCR register offset",
                            "    - mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag",
                            "    - mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data()",
                            "    - tracing: Fix lock imbalance in s_start() memory allocation failure path",
                            "    - tracing: Fix race condition in kprobe initialization causing NULL",
                            "      pointer dereference",
                            "    - tracing: Fix wakeup tracers on failure of acquiring calltime",
                            "    - tracing: Fix irqoff tracers on failure of acquiring calltime",
                            "    - tracing: Have trace_marker use per-cpu data to read user space",
                            "    - tracing: Fix tracing_mark_raw_write() to use buf and not ubuf",
                            "    - tracing: Stop fortify-string from warning in tracing_mark_raw_write()",
                            "    - dm: fix queue start/stop imbalance under suspend/load/resume races",
                            "    - dm: fix NULL pointer dereference in __dm_suspend()",
                            "    - LoongArch: Automatically disable kaslr if boot from kexec_file",
                            "    - pwm: loongson: Fix LOONGSON_PWM_FREQ_DEFAULT",
                            "    - LoongArch: BPF: Sign-extend struct ops return values properly",
                            "    - LoongArch: BPF: No support of struct argument in trampoline programs",
                            "    - LoongArch: BPF: Don't align trampoline size",
                            "    - LoongArch: BPF: Make trampoline size stable",
                            "    - LoongArch: BPF: Make error handling robust in",
                            "      arch_prepare_bpf_trampoline()",
                            "    - LoongArch: BPF: Remove duplicated bpf_flush_icache()",
                            "    - LoongArch: BPF: No text_poke() for kernel text",
                            "    - LoongArch: BPF: Remove duplicated flags check",
                            "    - LoongArch: BPF: Fix uninitialized symbol 'retval_off'",
                            "    - mm/ksm: fix flag-dropping behavior in ksm_madvise",
                            "    - ksmbd: Fix race condition in RPC handle list access",
                            "    - ksmbd: fix error code overwriting in smb2_get_info_filesystem()",
                            "    - ksmbd: add max ip connections parameter",
                            "    - ext4: fix potential null deref in ext4_mb_init()",
                            "    - ext4: fix checks for orphan inodes",
                            "    - KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid",
                            "    - fbdev: simplefb: Fix use after free in simplefb_detach_genpds()",
                            "    - mm: hugetlb: avoid soft lockup when mprotect to large memory area",
                            "    - selftests/mm: skip soft-dirty tests when CONFIG_MEM_SOFT_DIRTY is",
                            "      disabled",
                            "    - nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()",
                            "    - misc: fastrpc: Save actual DMA size in fastrpc_map structure",
                            "    - misc: fastrpc: Fix fastrpc_map_lookup operation",
                            "    - misc: fastrpc: fix possible map leak in fastrpc_put_args",
                            "    - misc: fastrpc: Skip reference for DMA handles",
                            "    - Input: atmel_mxt_ts - allow reset GPIO to sleep",
                            "    - Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info",
                            "      leak",
                            "    - sunrpc: fix null pointer dereference on zero-length checksum",
                            "    - PCI/AER: Avoid NULL pointer dereference in aer_ratelimit()",
                            "    - remoteproc: pru: Fix potential NULL pointer dereference in",
                            "      pru_rproc_set_ctable()",
                            "    - PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before",
                            "      release",
                            "    - thunderbolt: Fix use-after-free in tb_dp_dprx_work",
                            "    - tee: fix register_shm_helper()",
                            "    - pinctrl: check the return value of pinmux_ops::get_function_name()",
                            "    - bus: fsl-mc: Check return value of platform_get_resource()",
                            "    - net/9p: Fix buffer overflow in USB transport layer",
                            "    - net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock",
                            "    - usb: typec: tipd: Clear interrupts first",
                            "    - arm64: dts: qcom: qcm2290: Disable USB SS bus instances in park mode",
                            "    - usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call",
                            "    - scsi: ufs: core: Fix PM QoS mutex initialization",
                            "    - drm/amdgpu/vcn: Fix double-free of vcn dump buffer",
                            "    - Linux 6.17.3",
                            "  * CVE-2025-40019",
                            "    - crypto: essiv - Check ssize for decryption and in-place encryption",
                            "  * CVE-2025-40214",
                            "    - af_unix: Initialise scc_index in unix_add_edge().",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [SAUCE] Fix selftest/net/rtnetlink.sh for Big Endian",
                            ""
                        ],
                        "package": "linux-riscv",
                        "version": "6.17.0-14.14.1",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2137845,
                            1786013,
                            2137849,
                            1786013,
                            2136820,
                            2137698,
                            2129812,
                            2125022,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136813,
                            2132317,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2132095,
                            2131046,
                            2115860,
                            2128792,
                            2121852,
                            2131259,
                            2131259,
                            2131702,
                            2129610
                        ],
                        "author": "Sarah Emery <sarah.emery@canonical.com>",
                        "date": "Fri, 23 Jan 2026 09:46:46 +0100"
                    }
                ],
                "notes": "linux-image-6.17.0-14-generic version '6.17.0-14.14.1' (source package linux-riscv version '6.17.0-14.14.1') was added. linux-image-6.17.0-14-generic version '6.17.0-14.14.1' has the same source package name, linux-riscv, as removed package linux-headers-6.17.0-12-generic. As such we can use the source package version of the removed package, '6.17.0-12.12.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-6.17.0-14-generic",
                "from_version": {
                    "source_package_name": "linux-riscv",
                    "source_package_version": "6.17.0-12.12.1",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-riscv",
                    "source_package_version": "6.17.0-14.14.1",
                    "version": "6.17.0-14.14.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-40256",
                        "url": "https://ubuntu.com/security/CVE-2025-40256",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added  In commit b441cf3f8c4b (\"xfrm: delete x->tunnel as we delete x\"), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists.  In this situation, ->init_state has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn't go through __xfrm_state_delete, so we don't call xfrm_state_delete_tunnel for those states, and we end up leaking the FB tunnel.  There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrm_migrate, xfrm_state_migrate). A \"proper\" rollback of the init_state work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved.  At some point, the new (not-inserted) state will be destroyed, so call xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states will have their fallback tunnel cleaned up during __xfrm_state_delete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68204",
                        "url": "https://ubuntu.com/security/CVE-2025-68204",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pmdomain: arm: scmi: Fix genpd leak on provider registration failure  If of_genpd_add_provider_onecell() fails during probe, the previously created generic power domains are not removed, leading to a memory leak and potential kernel crash later in genpd_debug_add().  Add proper error handling to unwind the initialized domains before returning from probe to ensure all resources are correctly released on failure.  Example crash trace observed without this fix:    | Unable to handle kernel paging request at virtual address fffffffffffffc70   | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT   | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform   | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)   | pc : genpd_debug_add+0x2c/0x160   | lr : genpd_debug_init+0x74/0x98   | Call trace:   |  genpd_debug_add+0x2c/0x160 (P)   |  genpd_debug_init+0x74/0x98   |  do_one_initcall+0xd0/0x2d8   |  do_initcall_level+0xa0/0x140   |  do_initcalls+0x60/0xa8   |  do_basic_setup+0x28/0x40   |  kernel_init_freeable+0xe8/0x170   |  kernel_init+0x2c/0x140   |  ret_from_fork+0x10/0x20",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68203",
                        "url": "https://ubuntu.com/security/CVE-2025-68203",
                        "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40267",
                        "url": "https://ubuntu.com/security/CVE-2025-40267",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/rw: ensure allocated iovec gets cleared for early failure  A previous commit reused the recycling infrastructure for early cleanup, but this is not enough for the case where our internal caches have overflowed. If this happens, then the allocated iovec can get leaked if the request is also aborted early.  Reinstate the previous forced free of the iovec for that situation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68198",
                        "url": "https://ubuntu.com/security/CVE-2025-68198",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crash: fix crashkernel resource shrink  When crashkernel is configured with a high reservation, shrinking its value below the low crashkernel reservation causes two issues:  1. Invalid crashkernel resource objects 2. Kernel crash if crashkernel shrinking is done twice  For example, with crashkernel=200M,high, the kernel reserves 200MB of high memory and some default low memory (say 256MB).  The reservation appears as:  cat /proc/iomem | grep -i crash af000000-beffffff : Crash kernel 433000000-43f7fffff : Crash kernel  If crashkernel is then shrunk to 50MB (echo 52428800 > /sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved: af000000-beffffff : Crash kernel  Instead, it should show 50MB: af000000-b21fffff : Crash kernel  Further shrinking crashkernel to 40MB causes a kernel crash with the following trace (x86):  BUG: kernel NULL pointer dereference, address: 0000000000000038 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI <snip...> Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2f0 ? search_module_extables+0x19/0x60 ? search_bpf_extables+0x5f/0x80 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? __release_resource+0xd/0xb0 release_resource+0x26/0x40 __crash_shrink_memory+0xe5/0x110 crash_shrink_memory+0x12a/0x190 kexec_crash_size_store+0x41/0x80 kernfs_fop_write_iter+0x141/0x1f0 vfs_write+0x294/0x460 ksys_write+0x6d/0xf0 <snip...>  This happens because __crash_shrink_memory()/kernel/crash_core.c incorrectly updates the crashk_res resource object even when crashk_low_res should be updated.  Fix this by ensuring the correct crashkernel resource object is updated when shrinking crashkernel memory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68199",
                        "url": "https://ubuntu.com/security/CVE-2025-68199",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext  When alloc_slab_obj_exts() fails and then later succeeds in allocating a slab extension vector, it calls handle_failed_objexts_alloc() to mark all objects in the vector as empty.  As a result all objects in this slab (slabA) will have their extensions set to CODETAG_EMPTY.  Later on if this slabA is used to allocate a slabobj_ext vector for another slab (slabB), we end up with the slabB->obj_exts pointing to a slabobj_ext vector that itself has a non-NULL slabobj_ext equal to CODETAG_EMPTY.  When slabB gets freed, free_slab_obj_exts() is called to free slabB->obj_exts vector.   free_slab_obj_exts() calls mark_objexts_empty(slabB->obj_exts) which will generate a warning because it expects slabobj_ext vectors to have a NULL obj_ext, not CODETAG_EMPTY.  Modify mark_objexts_empty() to skip the warning and setting the obj_ext value if it's already set to CODETAG_EMPTY.   To quickly detect this WARN, I modified the code from WARN_ON(slab_exts[offs].ref.ct) to BUG_ON(slab_exts[offs].ref.ct == 1);  We then obtained this message:  [21630.898561] ------------[ cut here ]------------ [21630.898596] kernel BUG at mm/slub.c:2050! 
[21630.898611] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [21630.900372] Modules linked in: squashfs isofs vfio_iommu_type1 vhost_vsock vfio vhost_net vmw_vsock_virtio_transport_common vhost tap vhost_iotlb iommufd vsock binfmt_misc nfsv3 nfs_acl nfs lockd grace netfs tls rds dns_resolver tun brd overlay ntfs3 exfat btrfs blake2b_generic xor xor_neon raid6_pq loop sctp ip6_udp_tunnel udp_tunnel nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables rfkill ip_set sunrpc vfat fat joydev sg sch_fq_codel nfnetlink virtio_gpu sr_mod cdrom drm_client_lib virtio_dma_buf drm_shmem_helper drm_kms_helper drm ghash_ce backlight virtio_net virtio_blk virtio_scsi net_failover virtio_console failover virtio_mmio dm_mirror dm_region_hash dm_log dm_multipath dm_mod fuse i2c_dev virtio_pci virtio_pci_legacy_dev virtio_pci_modern_dev virtio virtio_ring autofs4 aes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject] [21630.909177] CPU: 3 UID: 0 PID: 3787 Comm: kylin-process-m Kdump: loaded Tainted: G        W           6.18.0-rc1+ #74 PREEMPT(voluntary) [21630.910495] Tainted: [W]=WARN [21630.910867] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 [21630.911625] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [21630.912392] pc : __free_slab+0x228/0x250 [21630.912868] lr : __free_slab+0x18c/0x250[21630.913334] sp : ffff8000a02f73e0 [21630.913830] x29: ffff8000a02f73e0 x28: fffffdffc43fc800 x27: ffff0000c0011c40 [21630.914677] x26: ffff0000c000cac0 x25: ffff00010fe5e5f0 x24: ffff000102199b40 [21630.915469] x23: 0000000000000003 x22: 0000000000000003 x21: ffff0000c0011c40 [21630.916259] x20: fffffdffc4086600 x19: fffffdffc43fc800 x18: 0000000000000000 [21630.917048] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [21630.917837] x14: 0000000000000000 x13: 0000000000000000 x12: ffff70001405ee66 
[21630.918640] x11: 1ffff0001405ee65 x10: ffff70001405ee65 x9 : ffff800080a295dc [21630.919442] x8 : ffff8000a02f7330 x7 : 0000000000000000 x6 : 0000000000003000 [21630.920232] x5 : 0000000024924925 x4 : 0000000000000001 x3 : 0000000000000007 [21630.921021] x2 : 0000000000001b40 x1 : 000000000000001f x0 : 0000000000000001 [21630.921810] Call trace: [21630.922130]  __free_slab+0x228/0x250 (P) [21630.922669]  free_slab+0x38/0x118 [21630.923079]  free_to_partial_list+0x1d4/0x340 [21630.923591]  __slab_free+0x24c/0x348 [21630.924024]  ___cache_free+0xf0/0x110 [21630.924468]  qlist_free_all+0x78/0x130 [21630.924922]  kasan_quarantine_reduce+0x11 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40268",
                        "url": "https://ubuntu.com/security/CVE-2025-40268",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cifs: client: fix memory leak in smb3_fs_context_parse_param  The user calls fsconfig twice, but when the program exits, free() only frees ctx->source for the second fsconfig, not the first. Regarding fc->source, there is no code in the fs context related to its memory reclamation.  To fix this memory leak, release the source memory corresponding to ctx or fc before each parsing.  syzbot reported: BUG: memory leak unreferenced object 0xffff888128afa360 (size 96):   backtrace (crc 79c9c7ba):     kstrdup+0x3c/0x80 mm/util.c:84     smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444  BUG: memory leak unreferenced object 0xffff888112c7d900 (size 96):   backtrace (crc 79c9c7ba):     smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629     smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40269",
                        "url": "https://ubuntu.com/security/CVE-2025-40269",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix potential overflow of PCM transfer buffer  The PCM stream data in USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically.  The packet sizes are limited by some factors such as wMaxPacketSize USB descriptor.  OTOH, in the current code, the actually used packet sizes are determined only by the rate and the PPS, which may be bigger than the size limit above.  This results in a buffer overflow, as reported by syzbot.  Basically when the limit is smaller than the calculated packet size, it implies that something is wrong, most likely a weird USB descriptor.  So the best option would be just to return an error at the parameter setup time before doing any further operations.  This patch introduces such a sanity check, and returns -EINVAL when the packet size is greater than maxpacksize.  The comparison with ep->packsize[1] alone should suffice since it's always equal or greater than ep->packsize[0].",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68205",
                        "url": "https://ubuntu.com/security/CVE-2025-68205",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver  After restructuring and splitting the HDMI codec driver code, each HDMI codec driver contains the own build_controls and build_pcms ops. A copy-n-paste error put the wrong entries for nvhdmi-mcp driver; both build_controls and build_pcms are swapped.  Unfortunately both callbacks have the very same form, and the compiler didn't complain it, either.  This resulted in a NULL dereference because the PCM instance hasn't been initialized at calling the build_controls callback.  Fix it by passing the proper entries.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40270",
                        "url": "https://ubuntu.com/security/CVE-2025-40270",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm, swap: fix potential UAF issue for VMA readahead  Since commit 78524b05f1a3 (\"mm, swap: avoid redundant swap device pinning\"), the common helper for allocating and preparing a folio in the swap cache layer no longer tries to get a swap device reference internally, because all callers of __read_swap_cache_async are already holding a swap entry reference.  The repeated swap device pinning isn't needed on the same swap device.  Caller of VMA readahead is also holding a reference to the target entry's swap device, but VMA readahead walks the page table, so it might encounter swap entries from other devices, and call __read_swap_cache_async on another device without holding a reference to it.  So it is possible to cause a UAF when swapoff of device A raced with swapin on device B, and VMA readahead tries to read swap entries from device A.  It's not easy to trigger, but in theory, it could cause real issues.  Make VMA readahead try to get the device reference first if the swap device is a different one from the target entry.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40271",
                        "url": "https://ubuntu.com/security/CVE-2025-40271",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/proc: fix uaf in proc_readdir_de()  Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which may result in uaf access.  We should use RB_CLEAR_NODE() set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access.  We found an uaf issue while using stress-ng testing, need to run testcase getdent and tun in the same time.  The steps of the issue is as follows:  1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current    pde is tun3;  2) in the [time windows] unregister netdevice tun3 and tun2, and erase    them from rbtree.  erase tun3 first, and then erase tun2.  the    pde(tun2) will be released to slab;  3) continue to getdent process, then pde_subdir_next() will return    pde(tun2) which is released, it will case uaf access.  CPU 0                                      |    CPU 1 ------------------------------------------------------------------------- traverse dir /proc/pid/net/dev_snmp6/      |  unregister_netdevice(tun->dev)   //tun3 tun2 sys_getdents64()                           |   iterate_dir()                            |     proc_readdir()                         |       proc_readdir_de()                    |     snmp6_unregister_dev()         pde_get(de);                       |       proc_remove()         read_unlock(&proc_subdir_lock);    |         remove_proc_subtree()                                            |          write_lock(&proc_subdir_lock);         [time window]                      |          rb_erase(&root->subdir_node, &parent->subdir);                                            |          write_unlock(&proc_subdir_lock);         read_lock(&proc_subdir_lock);      |         next = pde_subdir_next(de);        |         pde_put(de);                       |         de = next;    //UAF                |  rbtree of dev_snmp6                         |        
             pde(tun3)                      /    \\                   NULL  pde(tun2)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40272",
                        "url": "https://ubuntu.com/security/CVE-2025-40272",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/secretmem: fix use-after-free race in fault handler  When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping.  If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in adding the folio to the file mapping.  The task that failed undoes the effects of its attempt by (a) freeing the folio again and (b) putting the page back into the direct map.  However, by doing these two operations in this order, the page becomes available to the allocator again before it is placed back in the direct mapping.  If another task attempts to allocate the page between (a) and (b), and the kernel tries to access it via the direct map, it would result in a supervisor not-present page fault.  Fix the ordering to restore the direct map before the folio is freed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68245",
                        "url": "https://ubuntu.com/security/CVE-2025-68245",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: netpoll: fix incorrect refcount handling causing incorrect cleanup  commit efa95b01da18 (\"netpoll: fix use after free\") incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks.  Scenario causing lack of proper cleanup:  1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is    allocated, and refcnt = 1    - Keep in mind that npinfo is shared among all netpoll instances. In      this case, there is just one.  2) Another netpoll is also associated with the same NIC and    npinfo->refcnt += 1.    - Now dev->npinfo->refcnt = 2;    - There is just one npinfo associated to the netdev.  3) When the first netpolls goes to clean up:    - The first cleanup succeeds and clears np->dev->npinfo, ignoring      refcnt.      - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);`    - Set dev->npinfo = NULL, without proper cleanup    - No ->ndo_netpoll_cleanup() is either called  4) Now the second target tries to clean up    - The second cleanup fails because np->dev->npinfo is already NULL.      * In this case, ops->ndo_netpoll_cleanup() was never called, and        the skb pool is not cleaned as well (for the second netpoll        instance)   - This leaks npinfo and skbpool skbs, which is clearly reported by     kmemleak.  Revert commit efa95b01da18 (\"netpoll: fix use after free\") and adds clarifying comments emphasizing that npinfo cleanup should only happen once the refcount reaches zero, ensuring stable and correct netpoll behavior.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68240",
                        "url": "https://ubuntu.com/security/CVE-2025-68240",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: avoid having an active sc_timer before freeing sci  Because kthread_stop did not stop sc_task properly and returned -EINTR, the sc_timer was not properly closed, ultimately causing the problem [1] reported by syzbot when freeing sci due to the sc_timer not being closed.  Because the thread sc_task main function nilfs_segctor_thread() returns 0 when it succeeds, when the return value of kthread_stop() is not 0 in nilfs_segctor_destroy(), we believe that it has not properly closed sc_timer.  We use timer_shutdown_sync() to sync wait for sc_timer to shutdown, and set the value of sc_task to NULL under the protection of lock sc_state_lock, so as to avoid the issue caused by sc_timer not being properly shutdowned.  [1] ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: nilfs_construction_timeout Call trace:  nilfs_segctor_destroy fs/nilfs2/segment.c:2811 [inline]  nilfs_detach_log_writer+0x668/0x8cc fs/nilfs2/segment.c:2877  nilfs_put_super+0x4c/0x12c fs/nilfs2/super.c:509",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68241",
                        "url": "https://ubuntu.com/security/CVE-2025-68241",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe  The sit driver's packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random.  The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exception() can fetch the soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a new dst using a dst_hold(). When the original fnheX is freed via RCU, the dst reference remains permanently leaked.  CPU 0                             CPU 1 __mkroute_output()   find_exception() [fnheX]                                   update_or_create_fnhe()                                     fnhe_remove_oldest() [fnheX]   rt_bind_exception() [bind dst]                                   RCU callback [fnheX freed, dst leak]  This issue manifests as a device reference count leak and a warning in dmesg when unregistering the net device:    unregister_netdevice: waiting for sitX to become free. Usage count = N  Ido Schimmel provided the simple test validation method [1].  The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes(). Since rt_bind_exception() checks this field, setting it to zero prevents the stale fnhe from being reused and bound to a new dst just before it is freed.  
[1] ip netns add ns1 ip -n ns1 link set dev lo up ip -n ns1 address add 192.0.2.1/32 dev lo ip -n ns1 link add name dummy1 up type dummy ip -n ns1 route add 192.0.2.2/32 dev dummy1 ip -n ns1 link add name gretap1 up arp off type gretap \\     local 192.0.2.1 remote 192.0.2.2 ip -n ns1 route add 198.51.0.0/16 dev gretap1 taskset -c 0 ip netns exec ns1 mausezahn gretap1 \\     -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & taskset -c 2 ip netns exec ns1 mausezahn gretap1 \\     -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & sleep 10 ip netns pids ns1 | xargs kill ip netns del ns1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68211",
                        "url": "https://ubuntu.com/security/CVE-2025-68211",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksm: use range-walk function to jump over holes in scan_get_next_rmap_item  Currently, scan_get_next_rmap_item() walks every page address in a VMA to locate mergeable pages.  This becomes highly inefficient when scanning large virtual memory areas that contain mostly unmapped regions, causing ksmd to use large amount of cpu without deduplicating much pages.  This patch replaces the per-address lookup with a range walk using walk_page_range().  The range walker allows KSM to skip over entire unmapped holes in a VMA, avoiding unnecessary lookups.  This problem was previously discussed in [1].  Consider the following test program which creates a 32 TiB mapping in the virtual address space but only populates a single page:  #include <unistd.h> #include <stdio.h> #include <sys/mman.h>  /* 32 TiB */ const size_t size = 32ul * 1024 * 1024 * 1024 * 1024;  int main() {         char *area = mmap(NULL, size, PROT_READ | PROT_WRITE,                           MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1, 0);          if (area == MAP_FAILED) {                 perror(\"mmap() failed\\n\");                 return -1;         }          /* Populate a single page such that we get an anon_vma. */         *area = 0;          /* Enable KSM. */         madvise(area, size, MADV_MERGEABLE);         pause();         return 0; }  $ ./ksm-sparse  & $ echo 1 > /sys/kernel/mm/ksm/run  Without this patch ksmd uses 100% of the cpu for a long time (more then 1 hour in my test machine) scanning all the 32 TiB virtual address space that contain only one mapped page.  This makes ksmd essentially deadlocked not able to deduplicate anything of value.  With this patch ksmd walks only the one mapped page and skips the rest of the 32 TiB virtual address space, making the scan fast using little cpu.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68246",
                        "url": "https://ubuntu.com/security/CVE-2025-68246",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: close accepted socket when per-IP limit rejects connection  When the per-IP connection limit is exceeded in ksmbd_kthread_fn(), the code sets ret = -EAGAIN and continues the accept loop without closing the just-accepted socket. That leaks one socket per rejected attempt from a single IP and enables a trivial remote DoS.  Release client_sk before continuing.  This bug was found with ZeroPath.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40273",
                        "url": "https://ubuntu.com/security/CVE-2025-40273",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: free copynotify stateid in nfs4_free_ol_stateid()  Typically copynotify stateid is freed either when parent's stateid is being close/freed or in nfsd4_laundromat if the stateid hasn't been used in a lease period.  However, in case when the server got an OPEN (which created a parent stateid), followed by a COPY_NOTIFY using that stateid, followed by a client reboot. New client instance while doing CREATE_SESSION would force expire previous state of this client. It leads to the open state being freed thru release_openowner-> nfs4_free_ol_stateid() and it finds that it still has copynotify stateid associated with it. We currently print a warning and is triggerred  WARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd]  This patch, instead, frees the associated copynotify stateid here.  If the parent stateid is freed (without freeing the copynotify stateids associated with it), it leads to the list corruption when laundromat ends up freeing the copynotify state later.  
[ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP [ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink [ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G    B   W           6.17.0-rc7+ #22 PREEMPT(voluntary) [ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN [ 1626.857573] Hardware name: VMware, Inc. 
VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024 [ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd] [ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.861182] sp : ffff8000881d7a40 [ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200 [ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20 [ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8 [ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000 [ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065 [ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3 [ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000 [ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001 [ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000 [ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d [ 1626.868167] Call trace: [ 1626.868382]  __list_del_entry_valid_or_report+0x148/0x200 (P) [ 1626.868876]  _free_cpntf_state_locked+0xd0/0x268 [nfsd] [ 1626.869368]  nfs4_laundromat+0x6f8/0x1058 [nfsd] [ 1626.869813]  laundromat_main+0x24/0x60 [nfsd] [ 1626.870231]  process_one_work+0x584/0x1050 [ 1626.870595]  worker_thread+0x4c4/0xc60 [ 1626.870893]  kthread+0x2f8/0x398 [ 1626.871146]  ret_from_fork+0x10/0x20 [ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000) [ 1626.871892] SMP: stopping secondary CPUs",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40212",
                        "url": "https://ubuntu.com/security/CVE-2025-40212",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfsd: fix refcount leak in nfsd_set_fh_dentry()  nfsd exports a \"pseudo root filesystem\" which is used by NFSv4 to find the various exported filesystems using LOOKUP requests from a known root filehandle.  NFSv3 uses the MOUNT protocol to find those exported filesystems and so is not given access to the pseudo root filesystem.  If a v3 (or v2) client uses a filehandle from that filesystem, nfsd_set_fh_dentry() will report an error, but still stores the export in \"struct svc_fh\" even though it also drops the reference (exp_put()). This means that when fh_put() is called an extra reference will be dropped which can lead to use-after-free and possible denial of service.  Normal NFS usage will not provide a pseudo-root filehandle to a v3 client.  This bug can only be triggered by the client synthesising an incorrect filehandle.  To fix this we move the assignments to the svc_fh later, after all possible error cases have been detected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-24 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40274",
                        "url": "https://ubuntu.com/security/CVE-2025-40274",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying  When unbinding a memslot from a guest_memfd instance, remove the bindings even if the guest_memfd file is dying, i.e. even if its file refcount has gone to zero.  If the memslot is freed before the file is fully released, nullifying the memslot side of the binding in kvm_gmem_release() will write to freed memory, as detected by syzbot+KASAN:    ==================================================================   BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353   Write of size 8 at addr ffff88807befa508 by task syz.0.17/6022    CPU: 0 UID: 0 PID: 6022 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025   Call Trace:    <TASK>    dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120    print_address_description mm/kasan/report.c:378 [inline]    print_report+0xca/0x240 mm/kasan/report.c:482    kasan_report+0x118/0x150 mm/kasan/report.c:595    kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353    __fput+0x44c/0xa70 fs/file_table.c:468    task_work_run+0x1d4/0x260 kernel/task_work.c:227    resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]    exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43    exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]    syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]    syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]    do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100    entry_SYSCALL_64_after_hwframe+0x77/0x7f   RIP: 0033:0x7fbeeff8efc9    </TASK>    Allocated by task 6023:    kasan_save_stack mm/kasan/common.c:56 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:77    poison_kmalloc_redzone mm/kasan/common.c:397 
[inline]    __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414    kasan_kmalloc include/linux/kasan.h:262 [inline]    __kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5758    kmalloc_noprof include/linux/slab.h:957 [inline]    kzalloc_noprof include/linux/slab.h:1094 [inline]    kvm_set_memory_region+0x747/0xb90 virt/kvm/kvm_main.c:2104    kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154    kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:597 [inline]    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    Freed by task 6023:    kasan_save_stack mm/kasan/common.c:56 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:77    kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584    poison_slab_object mm/kasan/common.c:252 [inline]    __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284    kasan_slab_free include/linux/kasan.h:234 [inline]    slab_free_hook mm/slub.c:2533 [inline]    slab_free mm/slub.c:6622 [inline]    kfree+0x19a/0x6d0 mm/slub.c:6829    kvm_set_memory_region+0x9c4/0xb90 virt/kvm/kvm_main.c:2130    kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154    kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:597 [inline]    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f  Deliberately don't acquire filemap invalid lock when the file is dying as the lifecycle of f_mapping is outside the purview of KVM.  
Dereferencing the mapping is *probably* fine, but there's no need to invalidate anything as memslot deletion is responsible for zapping SPTEs, and the only code that can access the dying file is kvm_gmem_release(), whose core code is mutual ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68202",
                        "url": "https://ubuntu.com/security/CVE-2025-68202",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Fix unsafe locking in the scx_dump_state()  For built with CONFIG_PREEMPT_RT=y kernels, the dump_lock will be converted sleepable spinlock and not disable-irq, so the following scenarios occur:  inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. irq_work/0/27 [HC0[0]:SC0[0]:HE1:SE1] takes: (&rq->__lock){?...}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x40 {IN-HARDIRQ-W} state was registered at:    lock_acquire+0x1e1/0x510    _raw_spin_lock_nested+0x42/0x80    raw_spin_rq_lock_nested+0x2b/0x40    sched_tick+0xae/0x7b0    update_process_times+0x14c/0x1b0    tick_periodic+0x62/0x1f0    tick_handle_periodic+0x48/0xf0    timer_interrupt+0x55/0x80    __handle_irq_event_percpu+0x20a/0x5c0    handle_irq_event_percpu+0x18/0xc0    handle_irq_event+0xb5/0x150    handle_level_irq+0x220/0x460    __common_interrupt+0xa2/0x1e0    common_interrupt+0xb0/0xd0    asm_common_interrupt+0x2b/0x40    _raw_spin_unlock_irqrestore+0x45/0x80    __setup_irq+0xc34/0x1a30    request_threaded_irq+0x214/0x2f0    hpet_time_init+0x3e/0x60    x86_late_time_init+0x5b/0xb0    start_kernel+0x308/0x410    x86_64_start_reservations+0x1c/0x30    x86_64_start_kernel+0x96/0xa0    common_startup_64+0x13e/0x148   other info that might help us debug this:  Possible unsafe locking scenario:          CPU0         ----    lock(&rq->__lock);    <Interrupt>      lock(&rq->__lock);    *** DEADLOCK ***   stack backtrace:  CPU: 0 UID: 0 PID: 27 Comm: irq_work/0  Call Trace:   <TASK>   dump_stack_lvl+0x8c/0xd0   dump_stack+0x14/0x20   print_usage_bug+0x42e/0x690   mark_lock.part.44+0x867/0xa70   ? __pfx_mark_lock.part.44+0x10/0x10   ? string_nocheck+0x19c/0x310   ? number+0x739/0x9f0   ? __pfx_string_nocheck+0x10/0x10   ? __pfx_check_pointer+0x10/0x10   ? kvm_sched_clock_read+0x15/0x30   ? sched_clock_noinstr+0xd/0x20   ? local_clock_noinstr+0x1c/0xe0   __lock_acquire+0xc4b/0x62b0   ? 
__pfx_format_decode+0x10/0x10   ? __pfx_string+0x10/0x10   ? __pfx___lock_acquire+0x10/0x10   ? __pfx_vsnprintf+0x10/0x10   lock_acquire+0x1e1/0x510   ? raw_spin_rq_lock_nested+0x2b/0x40   ? __pfx_lock_acquire+0x10/0x10   ? dump_line+0x12e/0x270   ? raw_spin_rq_lock_nested+0x20/0x40   _raw_spin_lock_nested+0x42/0x80   ? raw_spin_rq_lock_nested+0x2b/0x40   raw_spin_rq_lock_nested+0x2b/0x40   scx_dump_state+0x3b3/0x1270   ? finish_task_switch+0x27e/0x840   scx_ops_error_irq_workfn+0x67/0x80   irq_work_single+0x113/0x260   irq_work_run_list.part.3+0x44/0x70   run_irq_workd+0x6b/0x90   ? __pfx_run_irq_workd+0x10/0x10   smpboot_thread_fn+0x529/0x870   ? __pfx_smpboot_thread_fn+0x10/0x10   kthread+0x305/0x3f0   ? __pfx_kthread+0x10/0x10   ret_from_fork+0x40/0x70   ? __pfx_kthread+0x10/0x10   ret_from_fork_asm+0x1a/0x30   </TASK>  This commit therefore use rq_lock_irqsave/irqrestore() to replace rq_lock/unlock() in the scx_dump_state().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68239",
                        "url": "https://ubuntu.com/security/CVE-2025-68239",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  binfmt_misc: restore write access before closing files opened by open_exec()  bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed.  However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write operations on the same file to fail.  Fix this by calling exe_file_allow_write_access() before filp_close() to restore the write permission properly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68247",
                        "url": "https://ubuntu.com/security/CVE-2025-68247",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  posix-timers: Plug potential memory leak in do_timer_create()  When posix timer creation is set to allocate a given timer ID and the access to the user space value faults, the function terminates without freeing the already allocated posix timer structure.  Move the allocation after the user space access to cure that.  [ tglx: Massaged change log ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68208",
                        "url": "https://ubuntu.com/security/CVE-2025-68208",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: account for current allocated stack depth in widen_imprecise_scalars()  The usage pattern for widen_imprecise_scalars() looks as follows:      prev_st = find_prev_entry(env, ...);     queued_st = push_stack(...);     widen_imprecise_scalars(env, prev_st, queued_st);  Where prev_st is an ancestor of the queued_st in the explored states tree. This ancestor is not guaranteed to have same allocated stack depth as queued_st. E.g. in the following case:      def main():       for i in 1..2:         foo(i)        // same callsite, differnt param      def foo(i):       if i == 1:         use 128 bytes of stack       iterator based loop  Here, for a second 'foo' call prev_st->allocated_stack is 128, while queued_st->allocated_stack is much smaller. widen_imprecise_scalars() needs to take this into account and avoid accessing bpf_verifier_state->frame[*]->stack out of bounds.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68200",
                        "url": "https://ubuntu.com/security/CVE-2025-68200",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Add bpf_prog_run_data_pointers()  syzbot found that cls_bpf_classify() is able to change tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().  WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline] WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214  struct tc_skb_cb has been added in commit ec624fe740b4 (\"net/sched: Extend qdisc control block with tc control block\"), which added a wrong interaction with db58ba459202 (\"bpf: wire in data and data_end for cls_act_bpf\").  drop_reason was added later.  Add bpf_prog_run_data_pointers() helper to save/restore the net_sched storage colliding with BPF data_meta/data_end.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40275",
                        "url": "https://ubuntu.com/security/CVE-2025-40275",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd  In snd_usb_create_streams(), for UAC version 3 devices, the Interface Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this call fails, a fallback routine attempts to obtain the IAD from the next interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, without performing a NULL check. This can lead to a NULL pointer dereference when usb_ifnum_to_if() fails to find the interface descriptor.  This patch adds a NULL pointer check after calling usb_ifnum_to_if() in snd_usb_mixer_controls_badd() to prevent the dereference.  This issue was discovered by syzkaller, which triggered the bug by sending a crafted USB device descriptor.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68242",
                        "url": "https://ubuntu.com/security/CVE-2025-68242",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS: Fix LTP test failures when timestamps are delegated  The utimes01 and utime06 tests fail when delegated timestamps are enabled, specifically in subtests that modify the atime and mtime fields using the 'nobody' user ID.  The problem can be reproduced as follow:  # echo \"/media *(rw,no_root_squash,sync)\" >> /etc/exports # export -ra # mount -o rw,nfsvers=4.2 127.0.0.1:/media /tmpdir # cd /opt/ltp # ./runltp -d /tmpdir -s utimes01 # ./runltp -d /tmpdir -s utime06  This issue occurs because nfs_setattr does not verify the inode's UID against the caller's fsuid when delegated timestamps are permitted for the inode.  This patch adds the UID check and if it does not match then the request is sent to the server for permission checking.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68243",
                        "url": "https://ubuntu.com/security/CVE-2025-68243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS: Check the TLS certificate fields in nfs_match_client()  If the TLS security policy is of type RPC_XPRTSEC_TLS_X509, then the cert_serial and privkey_serial fields need to match as well since they define the client's identity, as presented to the server.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40276",
                        "url": "https://ubuntu.com/security/CVE-2025-40276",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/panthor: Flush shmem writes before mapping buffers CPU-uncached  The shmem layer zeroes out the new pages using cached mappings, and if we don't CPU-flush we might leave dirty cachelines behind, leading to potential data leaks and/or asynchronous buffer corruption when dirty cachelines are evicted.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40277",
                        "url": "https://ubuntu.com/security/CVE-2025-40277",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE  This data originates from userspace and is used in buffer offset calculations which could potentially overflow causing an out-of-bounds access.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68206",
                        "url": "https://ubuntu.com/security/CVE-2025-68206",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_ct: add seqadj extension for natted connections  Sequence adjustment may be required for FTP traffic with PASV/EPSV modes. due to need to re-write packet payload (IP, port) on the ftp control connection. This can require changes to the TCP length and expected seq / ack_seq.  The easiest way to reproduce this issue is with PASV mode. Example ruleset: table inet ftp_nat {         ct helper ftp_helper {                 type \"ftp\" protocol tcp                 l3proto inet         }          chain prerouting {                 type filter hook prerouting priority 0; policy accept;                 tcp dport 21 ct state new ct helper set \"ftp_helper\"         } } table ip nat {         chain prerouting {                 type nat hook prerouting priority -100; policy accept;                 tcp dport 21 dnat ip prefix to ip daddr map { \t\t\t192.168.100.1 : 192.168.13.2/32 }         }          chain postrouting {                 type nat hook postrouting priority 100 ; policy accept;                 tcp sport 21 snat ip prefix to ip saddr map { \t\t\t192.168.13.2 : 192.168.100.1/32 }         } }  Note that the ftp helper gets assigned *after* the dnat setup.  The inverse (nat after helper assign) is handled by an existing check in nf_nat_setup_info() and will not show the problem.  Topoloy:   +-------------------+     +----------------------------------+  | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |  +-------------------+     +----------------------------------+                                       |                          +-----------------------+                          | Client: 192.168.100.2 |                          +-----------------------+  ftp nat changes do not work as expected in this case: Connected to 192.168.100.1. [..] ftp> epsv EPSV/EPRT on IPv4 off. ftp> ls 227 Entering passive mode (192,168,100,1,209,129). 
421 Service not available, remote server has closed connection.  Kernel logs: Missing nfct_seqadj_ext_add() setup call WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41 [..]  __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]  nf_nat_ftp+0x142/0x280 [nf_nat_ftp]  help+0x4d1/0x880 [nf_conntrack_ftp]  nf_confirm+0x122/0x2e0 [nf_conntrack]  nf_hook_slow+0x3c/0xb0  ..  Fix this by adding the required extension when a conntrack helper is assigned to a connection that has a nat binding.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68209",
                        "url": "https://ubuntu.com/security/CVE-2025-68209",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mlx5: Fix default values in create CQ  Currently, CQs without a completion function are assigned the mlx5_add_cq_to_tasklet function by default. This is problematic since only user CQs created through the mlx5_ib driver are intended to use this function.  Additionally, all CQs that will use doorbells instead of polling for completions must call mlx5_cq_arm. However, the default CQ creation flow leaves a valid value in the CQ's arm_db field, allowing FW to send interrupts to polling-only CQs in certain corner cases.  These two factors would allow a polling-only kernel CQ to be triggered by an EQ interrupt and call a completion function intended only for user CQs, causing a null pointer exception.  Some areas in the driver have prevented this issue with one-off fixes but did not address the root cause.  This patch fixes the described issue by adding defaults to the create CQ flow. It adds a default dummy completion function to protect against null pointer exceptions, and it sets an invalid command sequence number by default in kernel CQs to prevent the FW from sending an interrupt to the CQ until it is armed. User CQs are responsible for their own initialization values.  Callers of mlx5_core_create_cq are responsible for changing the completion function and arming the CQ per their needs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40278",
                        "url": "https://ubuntu.com/security/CVE-2025-40278",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak  Fix a KMSAN kernel-infoleak detected  by the syzbot .  [net?] KMSAN: kernel-infoleak in __skb_datagram_iter  In tcf_ife_dump(), the variable 'opt' was partially initialized using a designatied initializer. While the padding bytes are reamined uninitialized. nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace.  Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to beign copied.  This change silences the KMSAN report and prevents potential information leaks from the kernel memory.  This fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures no infoleak.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40279",
                        "url": "https://ubuntu.com/security/CVE-2025-40279",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: act_connmark: initialize struct tc_ife to fix kernel leak  In tcf_connmark_dump(), the variable 'opt' was partially initialized using a designatied initializer. While the padding bytes are reamined uninitialized. nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace.  Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to beign copied.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40280",
                        "url": "https://ubuntu.com/security/CVE-2025-40280",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tipc: Fix use-after-free in tipc_mon_reinit_self().  syzbot reported use-after-free of tipc_net(net)->monitors[] in tipc_mon_reinit_self(). [0]  The array is protected by RTNL, but tipc_mon_reinit_self() iterates over it without RTNL.  tipc_mon_reinit_self() is called from tipc_net_finalize(), which is always under RTNL except for tipc_net_finalize_work().  Let's hold RTNL in tipc_net_finalize_work().  [0]: BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162 Read of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989  CPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Workqueue: events tipc_net_finalize_work Call Trace:  <TASK>  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0xca/0x240 mm/kasan/report.c:482  kasan_report+0x118/0x150 mm/kasan/report.c:595  __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568  kasan_check_byte include/linux/kasan.h:399 [inline]  lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842  __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]  _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162  rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline]  rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline]  rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244  rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243  write_lock_bh include/linux/rwlock_rt.h:99 [inline]  tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718  tipc_net_finalize+0x115/0x190 net/tipc/net.c:140  process_one_work kernel/workqueue.c:3236 [inline]  
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400  kthread+0x70e/0x8a0 kernel/kthread.c:463  ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 6089:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:388 [inline]  __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405  kasan_kmalloc include/linux/kasan.h:260 [inline]  __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407  kmalloc_noprof include/linux/slab.h:905 [inline]  kzalloc_noprof include/linux/slab.h:1039 [inline]  tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657  tipc_enable_bearer net/tipc/bearer.c:357 [inline]  __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047  __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline]  tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393  tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline]  tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321  genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115  genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]  genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210  netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552  genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219  netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]  netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346  netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896  sock_sendmsg_nosec net/socket.c:714 [inline]  __sock_sendmsg+0x21c/0x270 net/socket.c:729  ____sys_sendmsg+0x508/0x820 net/socket.c:2614  ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668  __sys_sendmsg net/socket.c:2700 [inline]  __do_sys_sendmsg net/socket.c:2705 [inline]  __se_sys_sendmsg net/socket.c:2703 [inline]  __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703  do_syscall_x64 
arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/ ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40281",
                        "url": "https://ubuntu.com/security/CVE-2025-40281",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto  syzbot reported a possible shift-out-of-bounds [1]  Blamed commit added rto_alpha_max and rto_beta_max set to 1000.  It is unclear if some sctp users are setting very large rto_alpha and/or rto_beta.  In order to prevent user regression, perform the test at run time.  Also add READ_ONCE() annotations as sysctl values can change under us.  [1]  UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41 shift exponent 64 is too large for 32-bit type 'unsigned int' CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace:  <TASK>   __dump_stack lib/dump_stack.c:94 [inline]   dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120   ubsan_epilogue lib/ubsan.c:233 [inline]   __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494   sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509   sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502   sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338   sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]   sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40282",
                        "url": "https://ubuntu.com/security/CVE-2025-40282",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: 6lowpan: reset link-local header on ipv6 recv path  Bluetooth 6lowpan.c netdev has header_ops, so it must set link-local header for RX skb, otherwise things crash, eg. with AF_PACKET SOCK_RAW  Add missing skb_reset_mac_header() for uncompressed ipv6 RX path.  For the compressed one, it is done in lowpan_header_decompress().  Log: (BlueZ 6lowpan-tester Client Recv Raw - Success) ------ kernel BUG at net/core/skbuff.c:212! Call Trace: <IRQ> ... packet_rcv (net/packet/af_packet.c:2152) ... <TASK> __local_bh_enable_ip (kernel/softirq.c:407) netif_rx (net/core/dev.c:5648) chan_recv_cb (net/bluetooth/6lowpan.c:294 net/bluetooth/6lowpan.c:359) ------",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40283",
                        "url": "https://ubuntu.com/security/CVE-2025-40283",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF  There is a KASAN: slab-use-after-free read in btusb_disconnect(). Calling \"usb_driver_release_interface(&btusb_driver, data->intf)\" will free the btusb data associated with the interface. The same data is then used later in the function, hence the UAF.  Fix by moving the accesses to btusb data to before the data is free'd.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40284",
                        "url": "https://ubuntu.com/security/CVE-2025-40284",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: cancel mesh send timer when hdev removed  mesh_send_done timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone.  Cancel the timer when MGMT removes the hdev, like other MGMT timers.  Should fix the BUG: sporadically seen by BlueZ test bot (in \"Mesh - Send cancel - 1\" test).  Log: ------ BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0 ... Freed by task 36:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  __kasan_save_free_info+0x3a/0x60  __kasan_slab_free+0x43/0x70  kfree+0x103/0x500  device_release+0x9a/0x210  kobject_put+0x100/0x1e0  vhci_release+0x18b/0x240 ------",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68210",
                        "url": "https://ubuntu.com/security/CVE-2025-68210",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: avoid infinite loop due to incomplete zstd-compressed data  Currently, the decompression logic incorrectly spins if compressed data is truncated in crafted (deliberately corrupted) images.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40285",
                        "url": "https://ubuntu.com/security/CVE-2025-40285",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/server: fix possible refcount leak in smb2_sess_setup()  Reference count of ksmbd_session will leak when session need reconnect. Fix this by adding the missing ksmbd_user_session_put().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40286",
                        "url": "https://ubuntu.com/security/CVE-2025-40286",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/server: fix possible memory leak in smb2_read()  Memory leak occurs when ksmbd_vfs_read() fails. Fix this by adding the missing kvfree().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40287",
                        "url": "https://ubuntu.com/security/CVE-2025-40287",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exfat: fix improper check of dentry.stream.valid_size  We found an infinite loop bug in the exFAT file system that can lead to a Denial-of-Service (DoS) condition. When a dentry in an exFAT filesystem is malformed, the following system calls — SYS_openat, SYS_ftruncate, and SYS_pwrite64 — can cause the kernel to hang.  Root cause analysis shows that the size validation code in exfat_find() does not check whether dentry.stream.valid_size is negative. As a result, the system calls mentioned above can succeed and eventually trigger the DoS issue.  This patch adds a check for negative dentry.stream.valid_size to prevent this vulnerability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40288",
                        "url": "https://ubuntu.com/security/CVE-2025-40288",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices  Previously, APU platforms (and other scenarios with uninitialized VRAM managers) triggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root cause is not that the `struct ttm_resource_manager *man` pointer itself is NULL, but that `man->bdev` (the backing device pointer within the manager) remains uninitialized (NULL) on APUs—since APUs lack dedicated VRAM and do not fully set up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to acquire `man->bdev->lru_lock`, it dereferences the NULL `man->bdev`, leading to a kernel OOPS.  1. **amdgpu_cs.c**: Extend the existing bandwidth control check in    `amdgpu_cs_get_threshold_for_moves()` to include a check for    `ttm_resource_manager_used()`. If the manager is not used (uninitialized    `bdev`), return 0 for migration thresholds immediately—skipping VRAM-specific    logic that would trigger the NULL dereference.  2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info    reporting to use a conditional: if the manager is used, return the real VRAM    usage; otherwise, return 0. This avoids accessing `man->bdev` when it is    NULL.  3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function)    data write path. Use `ttm_resource_manager_used()` to check validity: if the    manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set    `fb_usage` to 0 (APUs have no discrete framebuffer to report).  This approach is more robust than APU-specific checks because it: - Works for all scenarios where the VRAM manager is uninitialized (not just APUs), - Aligns with TTM's design by using its native helper function, - Preserves correct behavior for discrete GPUs (which have fully initialized   `man->bdev` and pass the `ttm_resource_manager_used()` check).  
v4: use ttm_resource_manager_used(&adev->mman.vram_mgr.manager) instead of checking the adev->gmc.is_app_apu flag (Christian)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40289",
                        "url": "https://ubuntu.com/security/CVE-2025-40289",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM  Otherwise accessing them can cause a crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68201",
                        "url": "https://ubuntu.com/security/CVE-2025-68201",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: remove two invalid BUG_ON()s  Those can be triggered trivially by userspace.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68207",
                        "url": "https://ubuntu.com/security/CVE-2025-68207",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Synchronize Dead CT worker with unbind  Cancel and wait for any Dead CT worker to complete before continuing with device unbinding. Else the worker will end up using resources freed by the undind operation.  (cherry picked from commit 492671339114e376aaa38626d637a2751cdef263)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68244",
                        "url": "https://ubuntu.com/security/CVE-2025-68244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD  On completion of i915_vma_pin_ww(), a synchronous variant of dma_fence_work_commit() is called.  When pinning a VMA to GGTT address space on a Cherry View family processor, or on a Broxton generation SoC with VTD enabled, i.e., when stop_machine() is then called from intel_ggtt_bind_vma(), that can potentially lead to lock inversion among reservation_ww and cpu_hotplug locks.  [86.861179] ====================================================== [86.861193] WARNING: possible circular locking dependency detected [86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G     U [86.861226] ------------------------------------------------------ [86.861238] i915_module_loa/1432 is trying to acquire lock: [86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50 [86.861290] but task is already holding lock: [86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915] [86.862233] which lock already depends on the new lock. 
[86.862251] the existing dependency chain (in reverse order) is: [86.862265] -> #5 (reservation_ww_class_mutex){+.+.}-{3:3}: [86.862292]        dma_resv_lockdep+0x19a/0x390 [86.862315]        do_one_initcall+0x60/0x3f0 [86.862334]        kernel_init_freeable+0x3cd/0x680 [86.862353]        kernel_init+0x1b/0x200 [86.862369]        ret_from_fork+0x47/0x70 [86.862383]        ret_from_fork_asm+0x1a/0x30 [86.862399] -> #4 (reservation_ww_class_acquire){+.+.}-{0:0}: [86.862425]        dma_resv_lockdep+0x178/0x390 [86.862440]        do_one_initcall+0x60/0x3f0 [86.862454]        kernel_init_freeable+0x3cd/0x680 [86.862470]        kernel_init+0x1b/0x200 [86.862482]        ret_from_fork+0x47/0x70 [86.862495]        ret_from_fork_asm+0x1a/0x30 [86.862509] -> #3 (&mm->mmap_lock){++++}-{3:3}: [86.862531]        down_read_killable+0x46/0x1e0 [86.862546]        lock_mm_and_find_vma+0xa2/0x280 [86.862561]        do_user_addr_fault+0x266/0x8e0 [86.862578]        exc_page_fault+0x8a/0x2f0 [86.862593]        asm_exc_page_fault+0x27/0x30 [86.862607]        filldir64+0xeb/0x180 [86.862620]        kernfs_fop_readdir+0x118/0x480 [86.862635]        iterate_dir+0xcf/0x2b0 [86.862648]        __x64_sys_getdents64+0x84/0x140 [86.862661]        x64_sys_call+0x1058/0x2660 [86.862675]        do_syscall_64+0x91/0xe90 [86.862689]        entry_SYSCALL_64_after_hwframe+0x76/0x7e [86.862703] -> #2 (&root->kernfs_rwsem){++++}-{3:3}: [86.862725]        down_write+0x3e/0xf0 [86.862738]        kernfs_add_one+0x30/0x3c0 [86.862751]        kernfs_create_dir_ns+0x53/0xb0 [86.862765]        internal_create_group+0x134/0x4c0 [86.862779]        sysfs_create_group+0x13/0x20 [86.862792]        topology_add_dev+0x1d/0x30 [86.862806]        cpuhp_invoke_callback+0x4b5/0x850 [86.862822]        cpuhp_issue_call+0xbf/0x1f0 [86.862836]        __cpuhp_setup_state_cpuslocked+0x111/0x320 [86.862852]        __cpuhp_setup_state+0xb0/0x220 [86.862866]        topology_sysfs_init+0x30/0x50 [86.862879]        
do_one_initcall+0x60/0x3f0 [86.862893]        kernel_init_freeable+0x3cd/0x680 [86.862908]        kernel_init+0x1b/0x200 [86.862921]        ret_from_fork+0x47/0x70 [86.862934]        ret_from_fork_asm+0x1a/0x30 [86.862947] -> #1 (cpuhp_state_mutex){+.+.}-{3:3}: [86.862969]        __mutex_lock+0xaa/0xed0 [86.862982]        mutex_lock_nested+0x1b/0x30 [86.862995]        __cpuhp_setup_state_cpuslocked+0x67/0x320 [86.863012]        __cpuhp_setup_state+0xb0/0x220 [86.863026]        page_alloc_init_cpuhp+0x2d/0x60 [86.863041]        mm_core_init+0x22/0x2d0 [86.863054]        start_kernel+0x576/0xbd0 [86.863068]        x86_64_start_reservations+0x18/0x30 [86.863084]        x86_64_start_kernel+0xbf/0x110 [86.863098]        common_startup_64+0x13e/0x141 [86.863114] -> #0 (cpu_hotplug_lock){++++}-{0:0}: [86.863135]        __lock_acquire+0x16 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68316",
                        "url": "https://ubuntu.com/security/CVE-2025-68316",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: ufs: core: Fix invalid probe error return value  After DME Link Startup, the error return value is set to the MIPI UniPro GenericErrorCode which can be 0 (SUCCESS) or 1 (FAILURE).  Upon failure during driver probe, the error code 1 is propagated back to the driver probe function which must return a negative value to indicate an error, but 1 is not negative, so the probe is considered to be successful even though it failed.  Subsequently, removing the driver results in an oops because it is not in a valid state.  This happens because none of the callers of ufshcd_init() expect a non-negative error code.  Fix the return value and documentation to match actual usage.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40292",
                        "url": "https://ubuntu.com/security/CVE-2025-40292",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: fix received length check in big packets  Since commit 4959aebba8c0 (\"virtio-net: use mtu size as buffer length for big packets\"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi->big_packets_num_skbfrags.  Because the host announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce incorrect length), we need a check in virtio_net receive path. Currently, the check is not adapted to the new change which can lead to NULL page pointer dereference in the below while loop when receiving length that is larger than the allocated one.  This commit fixes the received length check corresponding to the new change.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68180",
                        "url": "https://ubuntu.com/security/CVE-2025-68180",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Fix NULL deref in debugfs odm_combine_segments  When a connector is connected but inactive (e.g., disabled by desktop environments), pipe_ctx->stream_res.tg will be destroyed. Then, reading odm_combine_segments causes kernel NULL pointer dereference.   BUG: kernel NULL pointer dereference, address: 0000000000000000  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  PGD 0 P4D 0  Oops: Oops: 0000 [#1] SMP NOPTI  CPU: 16 UID: 0 PID: 26474 Comm: cat Not tainted 6.17.0+ #2 PREEMPT(lazy) e6a17af9ee6db7c63e9d90dbe5b28ccab67520c6  Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN25WW 03/27/2025  RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]  Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>  RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286  RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8  RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000  RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0  R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08  R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001  FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0  PKRU: 55555554  Call Trace:   <TASK>   seq_read_iter+0x125/0x490   ? __alloc_frozen_pages_noprof+0x18f/0x350   seq_read+0x12c/0x170   full_proxy_read+0x51/0x80   vfs_read+0xbc/0x390   ? __handle_mm_fault+0xa46/0xef0   ? do_syscall_64+0x71/0x900   ksys_read+0x73/0xf0   do_syscall_64+0x71/0x900   ? count_memcg_events+0xc2/0x190   ? handle_mm_fault+0x1d7/0x2d0   ? do_user_addr_fault+0x21a/0x690   ? 
exc_page_fault+0x7e/0x1a0   entry_SYSCALL_64_after_hwframe+0x6c/0x74  RIP: 0033:0x7f44d4031687  Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00>  RSP: 002b:00007ffdb4b5f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000  RAX: ffffffffffffffda RBX: 00007f44d3f9f740 RCX: 00007f44d4031687  RDX: 0000000000040000 RSI: 00007f44d3f5e000 RDI: 0000000000000003  RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000  R10: 0000000000000000 R11: 0000000000000202 R12: 00007f44d3f5e000  R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000040000   </TASK>  Modules linked in: tls tcp_diag inet_diag xt_mark ccm snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device x>   snd_hda_codec_atihdmi snd_hda_codec_realtek_lib lenovo_wmi_helpers think_lmi snd_hda_codec_generic snd_hda_codec_hdmi snd_soc_core kvm snd_compress uvcvideo sn>   platform_profile joydev amd_pmc mousedev mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics loop nfnetlink ip_tables x_tables dm_cryp>  CR2: 0000000000000000  ---[ end trace 0000000000000000 ]---  RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]  Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>  RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286  RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8  RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000  RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0  R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08  R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001  FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000000 CR3: 00000006485c2000 
CR4: 0000000000f50ef0  PKRU: 55555554  Fix this by checking pipe_ctx-> ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40327",
                        "url": "https://ubuntu.com/security/CVE-2025-40327",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/core: Fix system hang caused by cpu-clock usage  cpu-clock usage by the async-profiler tool can trigger a system hang, which got bisected back to the following commit by Octavia Togami:    18dbcbfabfff (\"perf: Fix the POLL_HUP delivery breakage\") causes this issue  The root cause of the hang is that cpu-clock is a special type of SW event which relies on hrtimers. The __perf_event_overflow() callback is invoked from the hrtimer handler for cpu-clock events, and __perf_event_overflow() tries to call cpu_clock_event_stop() to stop the event, which calls hrtimer_cancel() to cancel the hrtimer.  But that's a recursion into the hrtimer code from a hrtimer handler, which (unsurprisingly) deadlocks.  To fix this bug, use hrtimer_try_to_cancel() instead, and set the PERF_HES_STOPPED flag, which causes perf_swevent_hrtimer() to stop the event once it sees the PERF_HES_STOPPED flag.  [ mingo: Fixed the comments and improved the changelog. ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40328",
                        "url": "https://ubuntu.com/security/CVE-2025-40328",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix potential UAF in smb2_close_cached_fid()  find_or_create_cached_dir() could grab a new reference after kref_put() had seen the refcount drop to zero but before cfid_list_lock is acquired in smb2_close_cached_fid(), leading to use-after-free.  Switch to kref_put_lock() so cfid_release() is called with cfid_list_lock held, closing that gap.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40291",
                        "url": "https://ubuntu.com/security/CVE-2025-40291",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring: fix regbuf vector size truncation  There is a report of io_estimate_bvec_size() truncating the calculated number of segments that leads to corruption issues. Check it doesn't overflow \"int\"s used later. Rough but simple, can be improved on top.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68322",
                        "url": "https://ubuntu.com/security/CVE-2025-68322",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  parisc: Avoid crash due to unaligned access in unwinder  Guenter Roeck reported this kernel crash on his emulated B160L machine:  Starting network: udhcpc: started, v1.36.1  Backtrace:   [<104320d4>] unwind_once+0x1c/0x5c   [<10434a00>] walk_stackframe.isra.0+0x74/0xb8   [<10434a6c>] arch_stack_walk+0x28/0x38   [<104e5efc>] stack_trace_save+0x48/0x5c   [<105d1bdc>] set_track_prepare+0x44/0x6c   [<105d9c80>] ___slab_alloc+0xfc4/0x1024   [<105d9d38>] __slab_alloc.isra.0+0x58/0x90   [<105dc80c>] kmem_cache_alloc_noprof+0x2ac/0x4a0   [<105b8e54>] __anon_vma_prepare+0x60/0x280   [<105a823c>] __vmf_anon_prepare+0x68/0x94   [<105a8b34>] do_wp_page+0x8cc/0xf10   [<105aad88>] handle_mm_fault+0x6c0/0xf08   [<10425568>] do_page_fault+0x110/0x440   [<10427938>] handle_interruption+0x184/0x748   [<11178398>] schedule+0x4c/0x190   BUG: spinlock recursion on CPU#0, ifconfig/2420   lock: terminate_lock.2+0x0/0x1c, .magic: dead4ead, .owner: ifconfig/2420, .owner_cpu: 0  While creating the stack trace, the unwinder uses the stack pointer to guess the previous frame to read the previous stack pointer from memory.  The crash happens, because the unwinder tries to read from unaligned memory and as such triggers the unalignment trap handler which then leads to the spinlock recursion and finally to a deadlock.  Fix it by checking the alignment before accessing the memory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40293",
                        "url": "https://ubuntu.com/security/CVE-2025-40293",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iommufd: Don't overflow during division for dirty tracking  If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow to 0 and this triggers divide by 0.  In this case the index should just be 0, so reorganize things to divide by shift and avoid hitting any overflows.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40294",
                        "url": "https://ubuntu.com/security/CVE-2025-40294",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()  In the parse_adv_monitor_pattern() function, the value of the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251). The size of the 'value' array in the mgmt_adv_pattern structure is 31. If the value of 'pattern[i].length' is set in the user space and exceeds 31, the 'patterns[i].value' array can be accessed out of bound when copied.  Increasing the size of the 'value' array in the 'mgmt_adv_pattern' structure will break the userspace. Considering this, and to avoid OOB access revert the limits for 'offset' and 'length' back to the value of HCI_MAX_AD_LENGTH.  Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40329",
                        "url": "https://ubuntu.com/security/CVE-2025-40329",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb  The Mesa issue referenced below pointed out a possible deadlock:  [ 1231.611031]  Possible interrupt unsafe locking scenario:  [ 1231.611033]        CPU0                    CPU1 [ 1231.611034]        ----                    ---- [ 1231.611035]   lock(&xa->xa_lock#17); [ 1231.611038]                                local_irq_disable(); [ 1231.611039]                                lock(&fence->lock); [ 1231.611041]                                lock(&xa->xa_lock#17); [ 1231.611044]   <Interrupt> [ 1231.611045]     lock(&fence->lock); [ 1231.611047]                 *** DEADLOCK ***  In this example, CPU0 would be any function accessing job->dependencies through the xa_* functions that don't disable interrupts (eg: drm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()).  CPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling callback so in an interrupt context. It will deadlock when trying to grab the xa_lock which is already held by CPU0.  Replacing all xa_* usage by their xa_*_irq counterparts would fix this issue, but Christian pointed out another issue: dma_fence_signal takes fence.lock and so does dma_fence_add_callback.    dma_fence_signal() // locks f1.lock   -> drm_sched_entity_kill_jobs_cb()   -> foreach dependencies      -> dma_fence_add_callback() // locks f2.lock  This will deadlock if f1 and f2 share the same spinlock.  To fix both issues, the code iterating on dependencies and re-arming them is moved out to drm_sched_entity_kill_jobs_work().  [phasta: commit message nits]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40295",
                        "url": "https://ubuntu.com/security/CVE-2025-40295",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT  When simulating an nvme device on qemu with both logical_block_size and physical_block_size set to 8 KiB, an error trace appears during partition table reading at boot time. The issue is caused by inode->i_blkbits being larger than PAGE_SHIFT, which leads to a left shift of -1 and triggering a UBSAN warning.  [    2.697306] ------------[ cut here ]------------ [    2.697309] UBSAN: shift-out-of-bounds in fs/crypto/inline_crypt.c:336:37 [    2.697311] shift exponent -1 is negative [    2.697315] CPU: 3 UID: 0 PID: 274 Comm: (udev-worker) Not tainted 6.18.0-rc2+ #34 PREEMPT(voluntary) [    2.697317] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [    2.697320] Call Trace: [    2.697324]  <TASK> [    2.697325]  dump_stack_lvl+0x76/0xa0 [    2.697340]  dump_stack+0x10/0x20 [    2.697342]  __ubsan_handle_shift_out_of_bounds+0x1e3/0x390 [    2.697351]  bh_get_inode_and_lblk_num.cold+0x12/0x94 [    2.697359]  fscrypt_set_bio_crypt_ctx_bh+0x44/0x90 [    2.697365]  submit_bh_wbc+0xb6/0x190 [    2.697370]  block_read_full_folio+0x194/0x270 [    2.697371]  ? __pfx_blkdev_get_block+0x10/0x10 [    2.697375]  ? __pfx_blkdev_read_folio+0x10/0x10 [    2.697377]  blkdev_read_folio+0x18/0x30 [    2.697379]  filemap_read_folio+0x40/0xe0 [    2.697382]  filemap_get_pages+0x5ef/0x7a0 [    2.697385]  ? mmap_region+0x63/0xd0 [    2.697389]  filemap_read+0x11d/0x520 [    2.697392]  blkdev_read_iter+0x7c/0x180 [    2.697393]  vfs_read+0x261/0x390 [    2.697397]  ksys_read+0x71/0xf0 [    2.697398]  __x64_sys_read+0x19/0x30 [    2.697399]  x64_sys_call+0x1e88/0x26a0 [    2.697405]  do_syscall_64+0x80/0x670 [    2.697410]  ? __x64_sys_newfstat+0x15/0x20 [    2.697414]  ? x64_sys_call+0x204a/0x26a0 [    2.697415]  ? 
do_syscall_64+0xb8/0x670 [    2.697417]  ? irqentry_exit_to_user_mode+0x2e/0x2a0 [    2.697420]  ? irqentry_exit+0x43/0x50 [    2.697421]  ? exc_page_fault+0x90/0x1b0 [    2.697422]  entry_SYSCALL_64_after_hwframe+0x76/0x7e [    2.697425] RIP: 0033:0x75054cba4a06 [    2.697426] Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 [    2.697427] RSP: 002b:00007fff973723a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000 [    2.697430] RAX: ffffffffffffffda RBX: 00005ea9a2c02760 RCX: 000075054cba4a06 [    2.697432] RDX: 0000000000002000 RSI: 000075054c190000 RDI: 000000000000001b [    2.697433] RBP: 00007fff973723c0 R08: 0000000000000000 R09: 0000000000000000 [    2.697434] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 [    2.697434] R13: 00005ea9a2c027c0 R14: 00005ea9a2be5608 R15: 00005ea9a2be55f0 [    2.697436]  </TASK> [    2.697436] ---[ end trace ]---  This situation can happen for block devices because when CONFIG_TRANSPARENT_HUGEPAGE is enabled, the maximum logical_block_size is 64 KiB. set_init_blocksize() then sets the block device inode->i_blkbits to 13, which is within this limit.  File I/O does not trigger this problem because for filesystems that do not support the FS_LBS feature, sb_set_blocksize() prevents sb->s_blocksize_bits from being larger than PAGE_SHIFT. During inode allocation, alloc_inode()->inode_init_always() assigns inode->i_blkbits from sb->s_blocksize_bits. Currently, only xfs_fs_type has the FS_LBS flag, and since xfs I/O paths do not reach submit_bh_wbc(), it does not hit the left-shift underflow issue.  [EB: use folio_pos() and consolidate the two shifts by i_blkbits]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40296",
                        "url": "https://ubuntu.com/security/CVE-2025-40296",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/x86: int3472: Fix double free of GPIO device during unregister  regulator_unregister() already frees the associated GPIO device. On ThinkPad X9 (Lunar Lake), this causes a double free issue that leads to random failures when other drivers (typically Intel THC) attempt to allocate interrupts. The root cause is that the reference count of the pinctrl_intel_platform module unexpectedly drops to zero when this driver defers its probe.  This behavior can also be reproduced by unloading the module directly.  Fix the issue by removing the redundant release of the GPIO device during regulator unregistration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40297",
                        "url": "https://ubuntu.com/security/CVE-2025-40297",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: bridge: fix use-after-free due to MST port state bypass  syzbot reported[1] a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its fdbs have been flushed. The port's state has been toggled to disabled so no learning should happen at that time, but if we have MST enabled, it will bypass the port's state, that together with VLAN filtering disabled can lead to fdb learning at a time when it shouldn't happen while the port is being deleted. VLAN filtering must be disabled because we flush the port VLANs when it's being deleted which will stop learning. This fix adds a check for the port's vlan group which is initialized to NULL when the port is getting deleted, that avoids the port state bypass. When MST is enabled there would be a minimal new overhead in the fast-path because the port's vlan group pointer is cache-hot.  [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68320",
                        "url": "https://ubuntu.com/security/CVE-2025-68320",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lan966x: Fix sleeping in atomic context  The following warning was seen when we try to connect using ssh to the device.  BUG: sleeping function called from invalid context at kernel/locking/mutex.c:575 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbear preempt_count: 1, expected: 0 INFO: lockdep is turned off. CPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G        W          6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONE Tainted: [W]=WARN Hardware name: Generic DT based system Call trace:  unwind_backtrace from show_stack+0x10/0x14  show_stack from dump_stack_lvl+0x7c/0xac  dump_stack_lvl from __might_resched+0x16c/0x2b0  __might_resched from __mutex_lock+0x64/0xd34  __mutex_lock from mutex_lock_nested+0x1c/0x24  mutex_lock_nested from lan966x_stats_get+0x5c/0x558  lan966x_stats_get from dev_get_stats+0x40/0x43c  dev_get_stats from dev_seq_printf_stats+0x3c/0x184  dev_seq_printf_stats from dev_seq_show+0x10/0x30  dev_seq_show from seq_read_iter+0x350/0x4ec  seq_read_iter from seq_read+0xfc/0x194  seq_read from proc_reg_read+0xac/0x100  proc_reg_read from vfs_read+0xb0/0x2b0  vfs_read from ksys_read+0x6c/0xec  ksys_read from ret_fast_syscall+0x0/0x1c Exception stack(0xf0b11fa8 to 0xf0b11ff0) 1fa0:                   00000001 00001000 00000008 be9048d8 00001000 00000001 1fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 00000001 1fe0: 0005404c be9048c0 00018684 b6ec2cd8  It seems that we are using a mutex in an atomic context which is wrong. Change the mutex with a spinlock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68169",
                        "url": "https://ubuntu.com/security/CVE-2025-68169",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netpoll: Fix deadlock in memory allocation under spinlock  Fix a AA deadlock in refill_skbs() where memory allocation while holding skb_pool->lock can trigger a recursive lock acquisition attempt.  The deadlock scenario occurs when the system is under severe memory pressure:  1. refill_skbs() acquires skb_pool->lock (spinlock) 2. alloc_skb() is called while holding the lock 3. Memory allocator fails and calls slab_out_of_memory() 4. This triggers printk() for the OOM warning 5. The console output path calls netpoll_send_udp() 6. netpoll_send_udp() attempts to acquire the same skb_pool->lock 7. Deadlock: the lock is already held by the same CPU  Call stack:   refill_skbs()     spin_lock_irqsave(&skb_pool->lock)    <- lock acquired     __alloc_skb()       kmem_cache_alloc_node_noprof()         slab_out_of_memory()           printk()             console_flush_all()               netpoll_send_udp()                 skb_dequeue()                   spin_lock_irqsave(&skb_pool->lock)     <- deadlock attempt  This bug was exposed by commit 248f6571fd4c51 (\"netpoll: Optimize skb refilling on critical path\") which removed refill_skbs() from the critical path (where nested printk was being deferred), letting nested printk being called from inside refill_skbs()  Refactor refill_skbs() to never allocate memory while holding the spinlock.  Another possible solution to fix this problem is protecting the refill_skbs() from nested printks, basically calling printk_deferred_{enter,exit}() in refill_skbs(), then, any nested pr_warn() would be deferred.  I prefer this approach, given I _think_ it might be a good idea to move the alloc_skb() from GFP_ATOMIC to GFP_KERNEL in the future, so, having the alloc_skb() outside of the lock will be necessary step.  
There is a possible TOCTOU issue when checking for the pool length, and queueing the new allocated skb, but, this is not an issue, given that an extra SKB in the pool is harmless and it will be eventually used.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68197",
                        "url": "https://ubuntu.com/security/CVE-2025-68197",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()  With older FW, we may get the ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER for FW trace data type that has not been initialized.  This will result in a crash in bnxt_bs_trace_type_wrap().  Add a guard to check for a valid magic_byte pointer before proceeding.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40330",
                        "url": "https://ubuntu.com/security/CVE-2025-40330",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Shutdown FW DMA in bnxt_shutdown()  The netif_close() call in bnxt_shutdown() only stops packet DMA.  There may be FW DMA for trace logging (recently added) that will continue.  If we kexec to a new kernel, the DMA will corrupt memory in the new kernel.  Add bnxt_hwrm_func_drv_unrgtr() to unregister the driver from the FW. This will stop the FW DMA.  In case the call fails, call pcie_flr() to reset the function and stop the DMA.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68192",
                        "url": "https://ubuntu.com/security/CVE-2025-68192",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup  Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. This can trigger kernel panics on ARM64 when xfrm or other subsystems access the offset due to strict alignment checks.  Initialize the MAC header to prevent such crashes.  This can trigger kernel panics on ARM when running IPsec over the qmimux0 interface.  Example trace:      Internal error: Oops: 000000009600004f [#1] SMP     CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1     Hardware name: LS1028A RDB Board (DT)     pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)     pc : xfrm_input+0xde8/0x1318     lr : xfrm_input+0x61c/0x1318     sp : ffff800080003b20     Call trace:      xfrm_input+0xde8/0x1318      xfrm6_rcv+0x38/0x44      xfrm6_esp_rcv+0x48/0xa8      ip6_protocol_deliver_rcu+0x94/0x4b0      ip6_input_finish+0x44/0x70      ip6_input+0x44/0xc0      ipv6_rcv+0x6c/0x114      __netif_receive_skb_one_core+0x5c/0x8c      __netif_receive_skb+0x18/0x60      process_backlog+0x78/0x17c      __napi_poll+0x38/0x180      net_rx_action+0x168/0x2f0",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40331",
                        "url": "https://ubuntu.com/security/CVE-2025-40331",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: Prevent TOCTOU out-of-bounds write  For the following path not holding the sock lock,    sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()  make sure not to exceed bounds in case the address list has grown between buffer allocation (time-of-check) and write (time-of-use).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68187",
                        "url": "https://ubuntu.com/security/CVE-2025-68187",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: mdio: Check regmap pointer returned by device_node_to_regmap()  The call to device_node_to_regmap() in airoha_mdio_probe() can return an ERR_PTR() if regmap initialization fails. Currently, the driver stores the pointer without validation, which could lead to a crash if it is later dereferenced.  Add an IS_ERR() check and return the corresponding error code to make the probe path more robust.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68167",
                        "url": "https://ubuntu.com/security/CVE-2025-68167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gpiolib: fix invalid pointer access in debugfs  If the memory allocation in gpiolib_seq_start() fails, the s->private field remains uninitialized and is later dereferenced without checking in gpiolib_seq_stop(). Initialize s->private to NULL before calling kzalloc() and check it before dereferencing it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68319",
                        "url": "https://ubuntu.com/security/CVE-2025-68319",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netconsole: Acquire su_mutex before navigating configs hierarchy  There is a race between operations that iterate over the userdata cg_children list and concurrent add/remove of userdata items through configfs. The update_userdata() function iterates over the nt->userdata_group.cg_children list, and count_extradata_entries() also iterates over this same list to count nodes.  Quoting from Documentation/filesystems/configfs.rst: > A subsystem can navigate the cg_children list and the ci_parent pointer > to see the tree created by the subsystem.  This can race with configfs' > management of the hierarchy, so configfs uses the subsystem mutex to > protect modifications.  Whenever a subsystem wants to navigate the > hierarchy, it must do so under the protection of the subsystem > mutex.  Without proper locking, if a userdata item is added or removed concurrently while these functions are iterating, the list can be accessed in an inconsistent state. For example, the list_for_each() loop can reach a node that is being removed from the list by list_del_init() which sets the nodes' .next pointer to point to itself, so the loop will never end (or reach the WARN_ON_ONCE in update_userdata() ).  Fix this by holding the configfs subsystem mutex (su_mutex) during all operations that iterate over cg_children. This includes: - userdatum_value_store() which calls update_userdata() to iterate over   cg_children - All sysdata_*_enabled_store() functions which call   count_extradata_entries() to iterate over cg_children  The su_mutex must be acquired before dynamic_netconsole_mutex to avoid potential lock ordering issues, as configfs operations may already hold su_mutex when calling into our code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40298",
                        "url": "https://ubuntu.com/security/CVE-2025-40298",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: Implement settime64 with -EOPNOTSUPP  ptp_clock_settime() assumes every ptp_clock has implemented settime64(). Stub it with -EOPNOTSUPP to prevent a NULL dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40299",
                        "url": "https://ubuntu.com/security/CVE-2025-40299",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: Implement gettimex64 with -EOPNOTSUPP  gve implemented a ptp_clock for sole use of do_aux_work at this time. ptp_clock_gettime() and ptp_sys_offset() assume every ptp_clock has implemented either gettimex64 or gettime64. Stub gettimex64 and return -EOPNOTSUPP to prevent NULL dereferencing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40301",
                        "url": "https://ubuntu.com/security/CVE-2025-40301",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: validate skb length for unknown CC opcode  In hci_cmd_complete_evt(), if the command complete event has an unknown opcode, we assume the first byte of the remaining skb->data contains the return status. However, parameter data has previously been pulled in hci_event_func(), which may leave the skb empty. If so, using skb->data[0] for the return status uses un-init memory.  The fix is to check skb->len before using skb->data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40358",
                        "url": "https://ubuntu.com/security/CVE-2025-40358",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: stacktrace: Disable KASAN checks for non-current tasks  When unwinding the stack of a task other than current, KASAN would report \"BUG: KASAN: out-of-bounds in walk_stackframe+0x41c/0x460\"  The same issue existed on x86 and has been resolved by commit 84936118bdf3 (\"x86/unwind: Disable KASAN checks for non-current tasks\"). The solution can be applied to RISC-V too.  This patch can also solve the issue: https://seclists.org/oss-sec/2025/q4/23  [pjw@kernel.org: clean up checkpatch issues]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68186",
                        "url": "https://ubuntu.com/security/CVE-2025-68186",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up  The function ring_buffer_map_get_reader() is a bit more strict than the other get reader functions, and except for certain situations the rb_get_reader_page() should not return NULL. If it does, it triggers a warning.  This warning was triggering but after looking at why, it was because another acceptable situation was happening and it wasn't checked for.  If the reader catches up to the writer and there's still data to be read on the reader page, then the rb_get_reader_page() will return NULL as there's no new page to get.  In this situation, the reader page should not be updated and no warning should trigger.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68184",
                        "url": "https://ubuntu.com/security/CVE-2025-68184",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/mediatek: Disable AFBC support on Mediatek DRM driver  Commit c410fa9b07c3 (\"drm/mediatek: Add AFBC support to Mediatek DRM driver\") added AFBC support to Mediatek DRM and enabled the 32x8/split/sparse modifier.  However, this is currently broken on Mediatek MT8188 (Genio 700 EVK platform); tested using upstream Kernel and Mesa (v25.2.1), AFBC is used by default since Mesa v25.0.  Kernel trace reports vblank timeouts constantly, and the render is garbled:  ``` [CRTC:62:crtc-0] vblank wait timed out WARNING: CPU: 7 PID: 70 at drivers/gpu/drm/drm_atomic_helper.c:1835 drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c [...] Hardware name: MediaTek Genio-700 EVK (DT) Workqueue: events_unbound commit_work pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c lr : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c sp : ffff80008337bca0 x29: ffff80008337bcd0 x28: 0000000000000061 x27: 0000000000000000 x26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c9dcc000 x23: 0000000000000001 x22: 0000000000000000 x21: ffff0000c66f2f80 x20: ffff0000c0d7d880 x19: 0000000000000000 x18: 000000000000000a x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000000 x14: 0000000000000000 x13: 74756f2064656d69 x12: 742074696177206b x11: 0000000000000058 x10: 0000000000000018 x9 : ffff800082396a70 x8 : 0000000000057fa8 x7 : 0000000000000cce x6 : ffff8000823eea70 x5 : ffff0001fef5f408 x4 : ffff80017ccee000 x3 : ffff0000c12cb480 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c12cb480 Call trace:  drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c (P)  drm_atomic_helper_commit_tail_rpm+0x64/0x80  commit_tail+0xa4/0x1a4  commit_work+0x14/0x20  process_one_work+0x150/0x290  worker_thread+0x2d0/0x3ec  kthread+0x12c/0x210  ret_from_fork+0x10/0x20 ---[ end trace 0000000000000000 ]--- 
```  Until this gets fixed upstream, disable AFBC support on this platform, as it's currently broken with upstream Mesa.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40302",
                        "url": "https://ubuntu.com/security/CVE-2025-40302",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: videobuf2: forbid remove_bufs when legacy fileio is active  vb2_ioctl_remove_bufs() call manipulates queue internal buffer list, potentially overwriting some pointers used by the legacy fileio access mode. Forbid that ioctl when fileio is active to protect internal queue state between subsequent read/write calls.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40303",
                        "url": "https://ubuntu.com/security/CVE-2025-40303",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: ensure no dirty metadata is written back for an fs with errors  [BUG] During development of a minor feature (make sure all btrfs_bio::end_io() is called in task context), I noticed a crash in generic/388, where metadata writes triggered new works after btrfs_stop_all_workers().  It turns out that it can even happen without any code modification, just using RAID5 for metadata and the same workload from generic/388 is going to trigger the use-after-free.  [CAUSE] If btrfs hits an error, the fs is marked as error, no new transaction is allowed thus metadata is in a frozen state.  But there are some metadata modifications before that error, and they are still in the btree inode page cache.  Since there will be no real transaction commit, all those dirty folios are just kept as is in the page cache, and they can not be invalidated by invalidate_inode_pages2() call inside close_ctree(), because they are dirty.  And finally after btrfs_stop_all_workers(), we call iput() on btree inode, which triggers writeback of those dirty metadata.  And if the fs is using RAID56 metadata, this will trigger RMW and queue new works into rmw_workers, which is already stopped, causing warning from queue_work() and use-after-free.  [FIX] Add a special handling for write_one_eb(), that if the fs is already in an error state, immediately mark the bbio as failure, instead of really submitting them.  Then during close_ctree(), iput() will just discard all those dirty tree blocks without really writing them back, thus no more new jobs for already stopped-and-freed workqueues.  The extra discard in write_one_eb() also acts as an extra safenet. E.g. the transaction abort is triggered by some extent/free space tree corruptions, and since extent/free space tree is already corrupted some tree blocks may be allocated where they shouldn't be (overwriting existing tree blocks). 
In that case writing them back will further corrupt the fs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40362",
                        "url": "https://ubuntu.com/security/CVE-2025-40362",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ceph: fix multifs mds auth caps issue  The mds auth caps check should also validate the fsname along with the associated caps. Not doing so would result in applying the mds auth caps of one fs on to the other fs in a multifs ceph cluster. The bug causes multiple issues w.r.t user authentication, following is one such example.  Steps to Reproduce (on vstart cluster): 1. Create two file systems in a cluster, say 'fsname1' and 'fsname2' 2. Authorize read only permission to the user 'client.usr' on fs 'fsname1'     $ceph fs authorize fsname1 client.usr / r 3. Authorize read and write permission to the same user 'client.usr' on fs 'fsname2'     $ceph fs authorize fsname2 client.usr / rw 4. Update the keyring     $ceph auth get client.usr >> ./keyring  With above permissions for the user 'client.usr', following is the expectation.   a. The 'client.usr' should be able to only read the contents      and not allowed to create or delete files on file system 'fsname1'.   b. The 'client.usr' should be able to read/write on file system 'fsname2'.  But, with this bug, the 'client.usr' is allowed to read/write on file system 'fsname1'. See below.  5. Mount the file system 'fsname1' with the user 'client.usr'      $sudo bin/mount.ceph usr@.fsname1=/ /kmnt_fsname1_usr/ 6. Try creating a file on file system 'fsname1' with user 'client.usr'. This    should fail but passes with this bug.      $touch /kmnt_fsname1_usr/file1 7. Mount the file system 'fsname1' with the user 'client.admin' and create a    file.      $sudo bin/mount.ceph admin@.fsname1=/ /kmnt_fsname1_admin      $echo \"data\" > /kmnt_fsname1_admin/admin_file1 8. Try removing an existing file on file system 'fsname1' with the user    'client.usr'. This shouldn't succeed but succeeds with the bug.      
$rm -f /kmnt_fsname1_usr/admin_file1  For more information, please take a look at the corresponding mds/fuse patch and tests added by looking into the tracker mentioned below.  v2: Fix a possible null dereference in doutc v3: Don't store fsname from mdsmap, validate against     ceph_mount_options's fsname and use it v4: Code refactor, better warning message and     fix possible compiler warning  [ Slava.Dubeyko: \"fsname check failed\" -> \"fsname mismatch\" ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40332",
                        "url": "https://ubuntu.com/security/CVE-2025-40332",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Fix mmap write lock not release  If mmap write lock is taken while draining retry fault, mmap write lock is not released because svm_range_restore_pages calls mmap_read_unlock then returns. This causes deadlock and system hangs later because mmap read or write lock cannot be taken.  Downgrade mmap write lock to read lock if draining retry fault to fix this bug.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40304",
                        "url": "https://ubuntu.com/security/CVE-2025-40304",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds  Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen edges. Return early if the Y position is off-screen and clip image height to screen boundary. Break from the rendering loop if the X position is off-screen. When clipping image width to fit the screen, update the character count to match the clipped width to prevent buffer size mismatches.  Without the character count update, bit_putcs_aligned and bit_putcs_unaligned receive mismatched parameters where the buffer is allocated for the clipped width but cnt reflects the original larger count, causing out-of-bounds writes.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40305",
                        "url": "https://ubuntu.com/security/CVE-2025-40305",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN  p9_read_work() doesn't set Rworksched and doesn't do schedule_work(m->rq) if list_empty(&m->req_list).  However, if the pipe is full, we need to read more data and this used to work prior to commit aaec5a95d59615 (\"pipe_read: don't wake up the writer if the pipe is still full\").  p9_read_work() does p9_fd_read() -> ... -> anon_pipe_read() which (before the commit above) triggered the unnecessary wakeup. This wakeup calls p9_pollwake() which kicks p9_poll_workfn() -> p9_poll_mux(), p9_poll_mux() will notice EPOLLIN and schedule_work(&m->rq).  This no longer happens after the optimization above, change p9_fd_request() to use p9_poll_mux() instead of only checking for EPOLLOUT.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68318",
                        "url": "https://ubuntu.com/security/CVE-2025-68318",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL  The AXI crossbar of TH1520 has no proper timeout handling, which means gating AXI clocks can easily lead to bus timeout and thus system hang.  Set all AXI clock gates to CLK_IS_CRITICAL. All these clock gates are ungated by default on system reset.  In addition, convert all current CLK_IGNORE_UNUSED usage to CLK_IS_CRITICAL to prevent unwanted clock gating.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40209",
                        "url": "https://ubuntu.com/security/CVE-2025-40209",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation  When btrfs_add_qgroup_relation() is called with invalid qgroup levels (src >= dst), the function returns -EINVAL directly without freeing the preallocated qgroup_list structure passed by the caller. This causes a memory leak because the caller unconditionally sets the pointer to NULL after the call, preventing any cleanup.  The issue occurs because the level validation check happens before the mutex is acquired and before any error handling path that would free the prealloc pointer. On this early return, the cleanup code at the 'out' label (which includes kfree(prealloc)) is never reached.  In btrfs_ioctl_qgroup_assign(), the code pattern is:      prealloc = kzalloc(sizeof(*prealloc), GFP_KERNEL);     ret = btrfs_add_qgroup_relation(trans, sa->src, sa->dst, prealloc);     prealloc = NULL;  // Always set to NULL regardless of return value     ...     kfree(prealloc);  // This becomes kfree(NULL), does nothing  When the level check fails, 'prealloc' is never freed by either the callee or the caller, resulting in a 64-byte memory leak per failed operation. This can be triggered repeatedly by an unprivileged user with access to a writable btrfs mount, potentially exhausting kernel memory.  Fix this by freeing prealloc before the early return, ensuring prealloc is always freed on all error paths.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-21 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68183",
                        "url": "https://ubuntu.com/security/CVE-2025-68183",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr  Currently when both IMA and EVM are in fix mode, the IMA signature will be reset to IMA hash if a program first stores IMA signature in security.ima and then writes/removes some other security xattr for the file.  For example, on Fedora, after booting the kernel with \"ima_appraise=fix evm=fix ima_policy=appraise_tcb\" and installing rpm-plugin-ima, installing/reinstalling a package will not make good reference IMA signature generated. Instead IMA hash is generated,      # getfattr -m - -d -e hex /usr/bin/bash     # file: usr/bin/bash     security.ima=0x0404...  This happens because when setting security.selinux, the IMA_DIGSIG flag that had been set early was cleared. As a result, IMA hash is generated when the file is closed.  Similarly, IMA signature can be cleared on file close after removing security xattr like security.evm or setting/removing ACL.  Prevent replacing the IMA file signature with a file hash, by preventing the IMA_DIGSIG flag from being reset.  
Here's a minimal C reproducer which sets security.selinux as the last step which can also replaced by removing security.evm or setting ACL,      #include <stdio.h>     #include <sys/xattr.h>     #include <fcntl.h>     #include <unistd.h>     #include <string.h>     #include <stdlib.h>      int main() {         const char* file_path = \"/usr/sbin/test_binary\";         const char* hex_string = \"030204d33204490066306402304\";         int length = strlen(hex_string);         char* ima_attr_value;         int fd;          fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);         if (fd == -1) {             perror(\"Error opening file\");             return 1;         }          ima_attr_value = (char*)malloc(length / 2 );         for (int i = 0, j = 0; i < length; i += 2, j++) {             sscanf(hex_string + i, \"%2hhx\", &ima_attr_value[j]);         }          if (fsetxattr(fd, \"security.ima\", ima_attr_value, length/2, 0) == -1) {             perror(\"Error setting extended attribute\");             close(fd);             return 1;         }          const char* selinux_value= \"system_u:object_r:bin_t:s0\";         if (fsetxattr(fd, \"security.selinux\", selinux_value, strlen(selinux_value), 0) == -1) {             perror(\"Error setting extended attribute\");             close(fd);             return 1;         }          close(fd);          return 0;     }",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68173",
                        "url": "https://ubuntu.com/security/CVE-2025-68173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ftrace: Fix softlockup in ftrace_module_enable  A soft lockup was observed when loading amdgpu module. If a module has a lot of traceable functions, multiple calls to kallsyms_lookup can spend too much time in RCU critical section and with disabled preemption, causing kernel panic. This is the same issue that was fixed in commit d0b24b4e91fc (\"ftrace: Prevent RCU stall on PREEMPT_VOLUNTARY kernels\") and commit 42ea22e754ba (\"ftrace: Add cond_resched() to ftrace_graph_set_hash()\").  Fix it the same way by adding cond_resched() in ftrace_module_enable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40306",
                        "url": "https://ubuntu.com/security/CVE-2025-40306",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  orangefs: fix xattr related buffer overflow...  Willy Tarreau <w@1wt.eu> forwarded me a message from Disclosure <disclosure@aisle.com> with the following warning:  > The helper `xattr_key()` uses the pointer variable in the loop condition > rather than dereferencing it. As `key` is incremented, it remains non-NULL > (until it runs into unmapped memory), so the loop does not terminate on > valid C strings and will walk memory indefinitely, consuming CPU or hanging > the thread.  I easily reproduced this with setfattr and getfattr, causing a kernel oops, hung user processes and corrupted orangefs files. Disclosure sent along a diff (not a patch) with a suggested fix, which I based this patch on.  After xattr_key started working right, xfstest generic/069 exposed an xattr related memory leak that lead to OOM. xattr_key returns a hashed key.  When adding xattrs to the orangefs xattr cache, orangefs used hash_add, a kernel hashing macro. hash_add also hashes the key using hash_log which resulted in additions to the xattr cache going to the wrong hash bucket. generic/069 tortures a single file and orangefs does a getattr for the xattr \"security.capability\" every time. Orangefs negative caches on xattrs which includes a kmalloc. Since adds to the xattr cache were going to the wrong bucket, every getattr for \"security.capability\" resulted in another kmalloc, none of which were ever freed.  I changed the two uses of hash_add to hlist_add_head instead and the memory leak ceased and generic/069 quit throwing furniture.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40307",
                        "url": "https://ubuntu.com/security/CVE-2025-40307",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exfat: validate cluster allocation bits of the allocation bitmap  syzbot created an exfat image with cluster bits not set for the allocation bitmap. exfat-fs reads and uses the allocation bitmap without checking this. The problem is that if the start cluster of the allocation bitmap is 6, cluster 6 can be allocated when creating a directory with mkdir. exfat zeros out this cluster in exfat_mkdir, which can delete existing entries. This can reallocate the allocated entries. In addition, the allocation bitmap is also zeroed out, so cluster 6 can be reallocated. This patch adds exfat_test_bitmap_range to validate that clusters used for the allocation bitmap are correctly marked as in-use.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40308",
                        "url": "https://ubuntu.com/security/CVE-2025-40308",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: bcsp: receive data only if registered  Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace:      KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]     RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590     Call Trace:      <TASK>      hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627      tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290      tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706      vfs_ioctl fs/ioctl.c:51 [inline]      __do_sys_ioctl fs/ioctl.c:907 [inline]      __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893      do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]      do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94      entry_SYSCALL_64_after_hwframe+0x77/0x7f  To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40309",
                        "url": "https://ubuntu.com/security/CVE-2025-40309",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: SCO: Fix UAF on sco_conn_free  BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline] BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline] BUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 Write of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352  CPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted 6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci13 hci_cmd_sync_work Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0x191/0x550 mm/kasan/report.c:482  kasan_report+0xc4/0x100 mm/kasan/report.c:595  sco_conn_free net/bluetooth/sco.c:87 [inline]  kref_put include/linux/kref.h:65 [inline]  sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107  sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441  hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]  hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313  hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121  hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147  hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689  hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332  process_one_work kernel/workqueue.c:3236 [inline]  process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319  worker_thread+0xbee/0x1200 kernel/workqueue.c:3400  kthread+0x3c7/0x870 kernel/kthread.c:463  ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 31370:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x70 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:388 
[inline]  __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405  kasan_kmalloc include/linux/kasan.h:260 [inline]  __do_kmalloc_node mm/slub.c:4382 [inline]  __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394  kmalloc_noprof include/linux/slab.h:909 [inline]  sk_prot_alloc+0xae/0x220 net/core/sock.c:2239  sk_alloc+0x34/0x5a0 net/core/sock.c:2295  bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151  sco_sock_alloc net/bluetooth/sco.c:562 [inline]  sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593  bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135  __sock_create+0x3ad/0x780 net/socket.c:1589  sock_create net/socket.c:1647 [inline]  __sys_socket_create net/socket.c:1684 [inline]  __sys_socket+0xd5/0x330 net/socket.c:1731  __do_sys_socket net/socket.c:1745 [inline]  __se_sys_socket net/socket.c:1743 [inline]  __x64_sys_socket+0x7a/0x90 net/socket.c:1743  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 31374:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x70 mm/kasan/common.c:68  kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576  poison_slab_object mm/kasan/common.c:243 [inline]  __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275  kasan_slab_free include/linux/kasan.h:233 [inline]  slab_free_hook mm/slub.c:2428 [inline]  slab_free mm/slub.c:4701 [inline]  kfree+0x199/0x3b0 mm/slub.c:4900  sk_prot_free net/core/sock.c:2278 [inline]  __sk_destruct+0x4aa/0x630 net/core/sock.c:2373  sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333  __sock_release net/socket.c:649 [inline]  sock_close+0xb8/0x230 net/socket.c:1439  __fput+0x3d1/0x9e0 fs/file_table.c:468  task_work_run+0x206/0x2a0 kernel/task_work.c:227  get_signal+0x1201/0x1410 kernel/signal.c:2807  arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337  exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40  exit_to_user_mode_prepare 
include/linux/irq-entry-common.h:225 [inline]  s ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68174",
                        "url": "https://ubuntu.com/security/CVE-2025-68174",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  amd/amdkfd: enhance kfd process check in switch partition  current switch partition only check if kfd_processes_table is empty. kfd_prcesses_table entry is deleted in kfd_process_notifier_release, but kfd_process tear down is in kfd_process_wq_release.  consider two processes:  Process A (workqueue) -> kfd_process_wq_release -> Access kfd_node member Process B switch partition -> amdgpu_xcp_pre_partition_switch -> amdgpu_amdkfd_device_fini_sw -> kfd_node tear down.  Process A and B may trigger a race as shown in dmesg log.  This patch is to resolve the race by adding an atomic kfd_process counter kfd_processes_count, it increment as create kfd process, decrement as finish kfd_process_wq_release.  v2: Put kfd_processes_count per kfd_dev, move decrement to kfd_process_destroy_pdds and bug fix. (Philip Yang)  [3966658.307702] divide error: 0000 [#1] SMP NOPTI [3966658.350818]  i10nm_edac [3966658.356318] CPU: 124 PID: 38435 Comm: kworker/124:0 Kdump: loaded Tainted [3966658.356890] Workqueue: kfd_process_wq kfd_process_wq_release [amdgpu] [3966658.362839]  nfit [3966658.366457] RIP: 0010:kfd_get_num_sdma_engines+0x17/0x40 [amdgpu] [3966658.366460] Code: 00 00 e9 ac 81 02 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 0f 1f 44 00 00 48 8b 4f 08 48 8b b7 00 01 00 00 8b 81 58 26 03 00 99 <f7> be b8 01 00 00 80 b9 70 2e 00 00 00 74 0b 83 f8 02 ba 02 00 00 [3966658.380967]  x86_pkg_temp_thermal [3966658.391529] RSP: 0018:ffffc900a0edfdd8 EFLAGS: 00010246 [3966658.391531] RAX: 0000000000000008 RBX: ffff8974e593b800 RCX: ffff888645900000 [3966658.391531] RDX: 0000000000000000 RSI: ffff888129154400 RDI: ffff888129151c00 [3966658.391532] RBP: ffff8883ad79d400 R08: 0000000000000000 R09: ffff8890d2750af4 [3966658.391532] R10: 0000000000000018 R11: 0000000000000018 R12: 0000000000000000 [3966658.391533] R13: ffff8883ad79d400 R14: ffffe87ff662ba00 R15: ffff8974e593b800 
[3966658.391533] FS:  0000000000000000(0000) GS:ffff88fe7f600000(0000) knlGS:0000000000000000 [3966658.391534] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [3966658.391534] CR2: 0000000000d71000 CR3: 000000dd0e970004 CR4: 0000000002770ee0 [3966658.391535] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [3966658.391535] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [3966658.391536] PKRU: 55555554 [3966658.391536] Call Trace: [3966658.391674]  deallocate_sdma_queue+0x38/0xa0 [amdgpu] [3966658.391762]  process_termination_cpsch+0x1ed/0x480 [amdgpu] [3966658.399754]  intel_powerclamp [3966658.402831]  kfd_process_dequeue_from_all_devices+0x5b/0xc0 [amdgpu] [3966658.402908]  kfd_process_wq_release+0x1a/0x1a0 [amdgpu] [3966658.410516]  coretemp [3966658.434016]  process_one_work+0x1ad/0x380 [3966658.434021]  worker_thread+0x49/0x310 [3966658.438963]  kvm_intel [3966658.446041]  ? process_one_work+0x380/0x380 [3966658.446045]  kthread+0x118/0x140 [3966658.446047]  ? 
__kthread_bind_mask+0x60/0x60 [3966658.446050]  ret_from_fork+0x1f/0x30 [3966658.446053] Modules linked in: kpatch_20765354(OEK) [3966658.455310]  kvm [3966658.464534]  mptcp_diag xsk_diag raw_diag unix_diag af_packet_diag netlink_diag udp_diag act_pedit act_mirred act_vlan cls_flower kpatch_21951273(OEK) kpatch_18424469(OEK) kpatch_19749756(OEK) [3966658.473462]  idxd_mdev [3966658.482306]  kpatch_17971294(OEK) sch_ingress xt_conntrack amdgpu(OE) amdxcp(OE) amddrm_buddy(OE) amd_sched(OE) amdttm(OE) amdkcl(OE) intel_ifs iptable_mangle tcm_loop target_core_pscsi tcp_diag target_core_file inet_diag target_core_iblock target_core_user target_core_mod coldpgs kpatch_18383292(OEK) ip6table_nat ip6table_filter ip6_tables ip_set_hash_ipportip ip_set_hash_ipportnet ip_set_hash_ipport ip_set_bitmap_port xt_comment iptable_nat nf_nat iptable_filter ip_tables ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 sn_core_odd(OE) i40e overlay binfmt_misc tun bonding(OE) aisqos(OE) aisqo ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40310",
                        "url": "https://ubuntu.com/security/CVE-2025-40310",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw  There is race in amdgpu_amdkfd_device_fini_sw and interrupt. if amdgpu_amdkfd_device_fini_sw run in b/w kfd_cleanup_nodes and   kfree(kfd), and KGD interrupt generated.  kernel panic log:  BUG: kernel NULL pointer dereference, address: 0000000000000098 amdgpu 0000:c8:00.0: amdgpu: Requesting 4 partitions through PSP  PGD d78c68067 P4D d78c68067  kfd kfd: amdgpu: Allocated 3969056 bytes on gart  PUD 1465b8067 PMD @  Oops: @002 [#1] SMP NOPTI  kfd kfd: amdgpu: Total number of KFD nodes to be created: 4 CPU: 115 PID: @ Comm: swapper/115 Kdump: loaded Tainted: G S W OE K  RIP: 0010:_raw_spin_lock_irqsave+0x12/0x40  Code: 89 e@ 41 5c c3 cc cc cc cc 66 66 2e Of 1f 84 00 00 00 00 00 OF 1f 40 00 Of 1f 44% 00 00 41 54 9c 41 5c fa 31 cO ba 01 00 00 00 <fO> OF b1 17 75 Ba 4c 89 e@ 41 Sc  89 c6 e8 07 38 5d  RSP: 0018: ffffc90@1a6b0e28 EFLAGS: 00010046  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000018 0000000000000001 RSI: ffff8883bb623e00 RDI: 0000000000000098 ffff8883bb000000 RO8: ffff888100055020 ROO: ffff888100055020 0000000000000000 R11: 0000000000000000 R12: 0900000000000002 ffff888F2b97da0@ R14: @000000000000098 R15: ffff8883babdfo00  CS: 010 DS: 0000 ES: 0000 CRO: 0000000080050033  CR2: 0000000000000098 CR3: 0000000e7cae2006 CR4: 0000000002770ce0 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 0000000000000000 DR6: 00000000fffeO7FO DR7: 0000000000000400  PKRU: 55555554  Call Trace:  <IRQ>  kgd2kfd_interrupt+@x6b/0x1f@ [amdgpu]  ? 
amdgpu_fence_process+0xa4/0x150 [amdgpu]  kfd kfd: amdgpu: Node: 0, interrupt_bitmap: 3 YcpxFl Rant tErace  amdgpu_irq_dispatch+0x165/0x210 [amdgpu]  amdgpu_ih_process+0x80/0x100 [amdgpu]  amdgpu: Virtual CRAT table created for GPU  amdgpu_irq_handler+0x1f/@x60 [amdgpu]  __handle_irq_event_percpu+0x3d/0x170  amdgpu: Topology: Add dGPU node [0x74a2:0x1002]  handle_irq_event+0x5a/@xcO  handle_edge_irq+0x93/0x240  kfd kfd: amdgpu: KFD node 1 partition @ size 49148M  asm_call_irq_on_stack+0xf/@x20  </IRQ>  common_interrupt+0xb3/0x130  asm_common_interrupt+0x1le/0x40  5.10.134-010.a1i5000.a18.x86_64 #1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40361",
                        "url": "https://ubuntu.com/security/CVE-2025-40361",
                        "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40311",
                        "url": "https://ubuntu.com/security/CVE-2025-40311",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/habanalabs: support mapping cb with vmalloc-backed coherent memory  When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return addresses from the vmalloc range. If such an address is mapped without VM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the VM_PFNMAP restriction.  Fix this by checking for vmalloc addresses and setting VM_MIXEDMAP in the VMA before mapping. This ensures safe mapping and avoids kernel crashes. The memory is still driver-allocated and cannot be accessed directly by userspace.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68185",
                        "url": "https://ubuntu.com/security/CVE-2025-68185",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing  Theoretically it's an oopsable race, but I don't believe one can manage to hit it on real hardware; might become doable on a KVM, but it still won't be easy to attack.  Anyway, it's easy to deal with - since xdr_encode_hyper() is just a call of put_unaligned_be64(), we can put that under ->d_lock and be done with that.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68176",
                        "url": "https://ubuntu.com/security/CVE-2025-68176",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: cadence: Check for the existence of cdns_pcie::ops before using it  cdns_pcie::ops might not be populated by all the Cadence glue drivers. This is going to be true for the upcoming Sophgo platform which doesn't set the ops.  Hence, add a check to prevent NULL pointer dereference.  [mani: reworded subject and description]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68190",
                        "url": "https://ubuntu.com/security/CVE-2025-68190",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()  kcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws remains NULL while ectx.ws_size is set, leading to a potential NULL pointer dereference in atom_get_src_int() when accessing WS entries.  Return -ENOMEM on allocation failure to avoid the NULL dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68168",
                        "url": "https://ubuntu.com/security/CVE-2025-68168",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  jfs: fix uninitialized waitqueue in transaction manager  The transaction manager initialization in txInit() was not properly initializing TxBlock[0].waitor waitqueue, causing a crash when txEnd(0) is called on read-only filesystems.  When a filesystem is mounted read-only, txBegin() returns tid=0 to indicate no transaction. However, txEnd(0) still gets called and tries to access TxBlock[0].waitor via tid_to_tblock(0), but this waitqueue was never initialized because the initialization loop started at index 1 instead of 0.  This causes a 'non-static key' lockdep warning and system crash:   INFO: trying to register non-static key in txEnd  Fix by ensuring all transaction blocks including TxBlock[0] have their waitqueues properly initialized during txInit().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40312",
                        "url": "https://ubuntu.com/security/CVE-2025-40312",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  jfs: Verify inode mode when loading from disk  The inode mode loaded from corrupted disk can be invalid. Do like what commit 0a9e74051313 (\"isofs: Verify inode mode when loading from disk\") does.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40333",
                        "url": "https://ubuntu.com/security/CVE-2025-40333",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix infinite loop in __insert_extent_tree()  When we get wrong extent info data, and look up extent_node in rb tree, it will cause infinite loop (CONFIG_F2FS_CHECK_FS=n). Avoiding this by return NULL and print some kernel messages in that case.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68321",
                        "url": "https://ubuntu.com/security/CVE-2025-68321",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  page_pool: always add GFP_NOWARN for ATOMIC allocations  Driver authors often forget to add GFP_NOWARN for page allocation from the datapath. This is annoying to users as OOMs are a fact of life, and we pretty much expect network Rx to hit page allocation failures during OOM. Make page pool add GFP_NOWARN for ATOMIC allocations by default.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40334",
                        "url": "https://ubuntu.com/security/CVE-2025-40334",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: validate userq buffer virtual address and size  It needs to validate the userq object virtual address to determine whether it is residented in a valid vm mapping.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68191",
                        "url": "https://ubuntu.com/security/CVE-2025-68191",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  udp_tunnel: use netdev_warn() instead of netdev_WARN()  netdev_WARN() uses WARN/WARN_ON to print a backtrace along with file and line information. In this case, udp_tunnel_nic_register() returning an error is just a failed operation, not a kernel bug.  udp_tunnel_nic_register() can fail due to a memory allocation failure (kzalloc() or udp_tunnel_nic_alloc()). This is a normal runtime error and not a kernel bug.  Replace netdev_WARN() with netdev_warn() accordingly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68309",
                        "url": "https://ubuntu.com/security/CVE-2025-68309",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI/AER: Fix NULL pointer access by aer_info  The kzalloc(GFP_KERNEL) may return NULL, so all accesses to aer_info->xxx will result in kernel panic. Fix it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40313",
                        "url": "https://ubuntu.com/security/CVE-2025-40313",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ntfs3: pretend $Extend records as regular files  Since commit af153bb63a33 (\"vfs: catch invalid modes in may_open()\") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/ S_IFIFO/S_IFSOCK type, use S_IFREG for $Extend records.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40335",
                        "url": "https://ubuntu.com/security/CVE-2025-40335",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: validate userq input args  This will help on validating the userq input args, and rejecting for the invalid userq request at the IOCTLs first place.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40314",
                        "url": "https://ubuntu.com/security/CVE-2025-40314",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget  In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget structure (pdev->gadget) was freed before its endpoints. The endpoints are linked via the ep_list in the gadget structure. Freeing the gadget first leaves dangling pointers in the endpoint list. When the endpoints are subsequently freed, this results in a use-after-free.  Fix: By separating the usb_del_gadget_udc() operation into distinct \"del\" and \"put\" steps, cdnsp_gadget_free_endpoints() can be executed prior to the final release of the gadget structure with usb_put_gadget().  A patch similar to bb9c74a5bd14(\"usb: dwc3: gadget: Free gadget structure  only after freeing endpoints\").",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40336",
                        "url": "https://ubuntu.com/security/CVE-2025-40336",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gpusvm: fix hmm_pfn_to_map_order() usage  Handle the case where the hmm range partially covers a huge page (like 2M), otherwise we can potentially end up doing something nasty like mapping memory which is outside the range, and maybe not even mapped by the mm. Fix is based on the xe userptr code, which in a future patch will directly use gpusvm, so needs alignment here.  v2:   - Add kernel-doc (Matt B)   - s/fls/ilog2/ (Thomas)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68193",
                        "url": "https://ubuntu.com/security/CVE-2025-68193",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Add devm release action to safely tear down CT  When a buffer object (BO) is allocated with the XE_BO_FLAG_GGTT_INVALIDATE flag, the driver initiates TLB invalidation requests via the CTB mechanism while releasing the BO. However a premature release of the CTB BO can lead to system crashes, as observed in:  Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:h2g_write+0x2f3/0x7c0 [xe] Call Trace:  guc_ct_send_locked+0x8b/0x670 [xe]  xe_guc_ct_send_locked+0x19/0x60 [xe]  send_tlb_invalidation+0xb4/0x460 [xe]  xe_gt_tlb_invalidation_ggtt+0x15e/0x2e0 [xe]  ggtt_invalidate_gt_tlb.part.0+0x16/0x90 [xe]  ggtt_node_remove+0x110/0x140 [xe]  xe_ggtt_node_remove+0x40/0xa0 [xe]  xe_ggtt_remove_bo+0x87/0x250 [xe]  Introduce a devm-managed release action during xe_guc_ct_init() and xe_guc_ct_init_post_hwconfig() to ensure proper CTB disablement before resource deallocation, preventing the use-after-free scenario.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68175",
                        "url": "https://ubuntu.com/security/CVE-2025-68175",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: nxp: imx8-isi: Fix streaming cleanup on release  The current implementation unconditionally calls mxc_isi_video_cleanup_streaming() in mxc_isi_video_release(). This can lead to situations where any release call (like from a simple \"v4l2-ctl -l\") may release a currently streaming queue when called on such a device.  This is reproducible on an i.MX8MP board by streaming from an ISI capture device using gstreamer:  \tgst-launch-1.0 -v v4l2src device=/dev/videoX ! \\ \t    video/x-raw,format=GRAY8,width=1280,height=800,framerate=1/120 ! \\ \t    fakesink  While this stream is running, querying the caps of the same device provokes the error state:  \tv4l2-ctl -l -d /dev/videoX  This results in the following trace:  [  155.452152] ------------[ cut here ]------------ [  155.452163] WARNING: CPU: 0 PID: 1708 at drivers/media/platform/nxp/imx8-isi/imx8-isi-pipe.c:713 mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [  157.004248] Modules linked in: cfg80211 rpmsg_ctrl rpmsg_char rpmsg_tty virtio_rpmsg_bus rpmsg_ns rpmsg_core rfkill nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables mcp251x6 [  157.053499] CPU: 0 UID: 0 PID: 1708 Comm: python3 Not tainted 6.15.4-00114-g1f61ca5cad76 #1 PREEMPT [  157.064369] Hardware name: imx8mp_board_01 (DT) [  157.068205] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [  157.075169] pc : mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [  157.081195] lr : mxc_isi_pipe_irq_handler+0x38/0x1b0 [imx8_isi] [  157.087126] sp : ffff800080003ee0 [  157.090438] x29: ffff800080003ee0 x28: ffff0000c3688000 x27: 0000000000000000 [  157.097580] x26: 0000000000000000 x25: ffff0000c1e7ac00 x24: ffff800081b5ad50 [  157.104723] x23: 00000000000000d1 x22: 0000000000000000 x21: ffff0000c25e4000 [  157.111866] x20: 0000000060000200 x19: ffff80007a0608d0 x18: 0000000000000000 [  157.119008] x17: ffff80006a4e3000 
x16: ffff800080000000 x15: 0000000000000000 [  157.126146] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [  157.133287] x11: 0000000000000040 x10: ffff0000c01445f0 x9 : ffff80007a053a38 [  157.140425] x8 : ffff0000c04004b8 x7 : 0000000000000000 x6 : 0000000000000000 [  157.147567] x5 : ffff0000c0400490 x4 : ffff80006a4e3000 x3 : ffff0000c25e4000 [  157.154706] x2 : 0000000000000000 x1 : ffff8000825c0014 x0 : 0000000060000200 [  157.161850] Call trace: [  157.164296]  mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] (P) [  157.170319]  __handle_irq_event_percpu+0x58/0x218 [  157.175029]  handle_irq_event+0x54/0xb8 [  157.178867]  handle_fasteoi_irq+0xac/0x248 [  157.182968]  handle_irq_desc+0x48/0x68 [  157.186723]  generic_handle_domain_irq+0x24/0x38 [  157.191346]  gic_handle_irq+0x54/0x120 [  157.195098]  call_on_irq_stack+0x24/0x30 [  157.199027]  do_interrupt_handler+0x88/0x98 [  157.203212]  el0_interrupt+0x44/0xc0 [  157.206792]  __el0_irq_handler_common+0x18/0x28 [  157.211328]  el0t_64_irq_handler+0x10/0x20 [  157.215429]  el0t_64_irq+0x198/0x1a0 [  157.219009] ---[ end trace 0000000000000000 ]---  Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the vb2_ioctl_streamon() and vb2_ioctl_streamoff() helpers, and removal of the manual cleanup from mxc_isi_video_release().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68188",
                        "url": "https://ubuntu.com/security/CVE-2025-68188",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()  Use RCU to avoid a pair of atomic operations and a potential UAF on dst_dev()->flags.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68315",
                        "url": "https://ubuntu.com/security/CVE-2025-68315",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix to detect potential corrupted nid in free_nid_list  As reported, on-disk footer.ino and footer.nid is the same and out-of-range, let's add sanity check on f2fs_alloc_nid() to detect any potential corruption in free_nid_list.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40337",
                        "url": "https://ubuntu.com/security/CVE-2025-40337",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Correctly handle Rx checksum offload errors  The stmmac_rx function would previously set skb->ip_summed to CHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabled and the packet was of a known IP ethertype.  However, this logic failed to check if the hardware had actually reported a checksum error. The hardware status, indicating a header or payload checksum failure, was being ignored at this stage. This could cause corrupt packets to be passed up the network stack as valid.  This patch corrects the logic by checking the `csum_none` status flag, which is set when the hardware reports a checksum error. If this flag is set, skb->ip_summed is now correctly set to CHECKSUM_NONE, ensuring the kernel's network stack will perform its own validation and properly handle the corrupt packet.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40338",
                        "url": "https://ubuntu.com/security/CVE-2025-40338",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Do not share the name pointer between components  By sharing 'name' directly, tearing down components may lead to use-after-free errors. Duplicate the name to avoid that.  At the same time, update the order of operations - since commit cee28113db17 (\"ASoC: dmaengine_pcm: Allow passing component name via config\") the framework does not override component->name if set before invoking the initializer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40339",
                        "url": "https://ubuntu.com/security/CVE-2025-40339",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: fix nullptr err of vm_handle_moved  If a amdgpu_bo_va is fpriv->prt_va, the bo of this one is always NULL. So, such kind of amdgpu_bo_va should be updated separately before amdgpu_vm_handle_moved.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68194",
                        "url": "https://ubuntu.com/security/CVE-2025-68194",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: imon: make send_packet() more robust  syzbot is reporting that imon has three problems which result in hung tasks due to forever holding device lock [1].  First problem is that when usb_rx_callback_intf0() once got -EPROTO error after ictx->dev_present_intf0 became true, usb_rx_callback_intf0() resubmits urb after printk(), and resubmitted urb causes usb_rx_callback_intf0() to again get -EPROTO error. This results in printk() flooding (RCU stalls).  Alan Stern commented [2] that    In theory it's okay to resubmit _if_ the driver has a robust   error-recovery scheme (such as giving up after some fixed limit on the   number of errors or after some fixed time has elapsed, perhaps with a   time delay to prevent a flood of errors).  Most drivers don't bother to   do this; they simply give up right away.  This makes them more   vulnerable to short-term noise interference during USB transfers, but in   reality such interference is quite rare.  There's nothing really wrong   with giving up right away.  but imon has a poor error-recovery scheme which just retries forever; this behavior should be fixed.  Since I'm not sure whether it is safe for imon users to give up upon any error code, this patch takes care of only union of error codes chosen from modules in drivers/media/rc/ directory which handle -EPROTO error (i.e. ir_toy, mceusb and igorplugusb).  Second problem is that when usb_rx_callback_intf0() once got -EPROTO error before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0() always resubmits urb due to commit 8791d63af0cf (\"[media] imon: don't wedge hardware after early callbacks\"). 
Move the ictx->dev_present_intf0 test introduced by commit 6f6b90c9231a (\"[media] imon: don't parse scancodes until intf configured\") to immediately before imon_incoming_packet(), or the first problem explained above happens without printk() flooding (i.e. hung task).  Third problem is that when usb_rx_callback_intf0() is not called for some reason (e.g. flaky hardware; the reproducer for this problem sometimes prevents usb_rx_callback_intf0() from being called), wait_for_completion_interruptible() in send_packet() never returns (i.e. hung task). As a workaround for such situation, change send_packet() to wait for completion with timeout of 10 seconds.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40363",
                        "url": "https://ubuntu.com/security/CVE-2025-40363",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: ipv6: fix field-spanning memcpy warning in AH output  Fix field-spanning memcpy warnings in ah6_output() and ah6_output_done() where extension headers are copied to/from IPv6 address fields, triggering fortify-string warnings about writes beyond the 16-byte address fields.    memcpy: detected field-spanning write (size 40) of single field \"&top_iph->saddr\" at net/ipv6/ah6.c:439 (size 16)   WARNING: CPU: 0 PID: 8838 at net/ipv6/ah6.c:439 ah6_output+0xe7e/0x14e0 net/ipv6/ah6.c:439  The warnings are false positives as the extension headers are intentionally placed after the IPv6 header in memory. Fix by properly copying addresses and extension headers separately, and introduce helper functions to avoid code duplication.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68311",
                        "url": "https://ubuntu.com/security/CVE-2025-68311",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: serial: ip22zilog: Use platform device for probing  After commit 84a9582fd203 (\"serial: core: Start managing serial controllers to enable runtime PM\") serial drivers need to provide a device in struct uart_port.dev otherwise an oops happens. To fix this issue for ip22zilog driver switch driver to a platform driver and setup the serial device in sgi-ip22 code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40340",
                        "url": "https://ubuntu.com/security/CVE-2025-40340",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.  I saw an oops in xe_gem_fault when running the xe-fast-feedback testlist against the realtime kernel without debug options enabled.  The panic happens after core_hotunplug unbind-rebind finishes. Presumably what happens is that a process mmaps, unlocks because of the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left, causing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since there was nothing left to populate, and then oopses in \"mem_type_is_vram(tbo->resource->mem_type)\" because tbo->resource is NULL.  It's convoluted, but fits the data and explains the oops after the test exits.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68196",
                        "url": "https://ubuntu.com/security/CVE-2025-68196",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Cache streams targeting link when performing LT automation  [WHY] Last LT automation update can cause crash by referencing current_state and calling into dc_update_planes_and_stream which may clobber current_state.  [HOW] Cache relevant stream pointers and iterate through them instead of relying on the current_state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68178",
                        "url": "https://ubuntu.com/security/CVE-2025-68178",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  blk-cgroup: fix possible deadlock while configuring policy  Following deadlock can be triggered easily by lockdep:  WARNING: possible circular locking dependency detected 6.17.0-rc3-00124-ga12c2658ced0 #1665 Not tainted ------------------------------------------------------ check/1334 is trying to acquire lock: ff1100011d9d0678 (&q->sysfs_lock){+.+.}-{4:4}, at: blk_unregister_queue+0x53/0x180  but task is already holding lock: ff1100011d9d00e0 (&q->q_usage_counter(queue)#3){++++}-{0:0}, at: del_gendisk+0xba/0x110  which lock already depends on the new lock.  the existing dependency chain (in reverse order) is:  -> #2 (&q->q_usage_counter(queue)#3){++++}-{0:0}:        blk_queue_enter+0x40b/0x470        blkg_conf_prep+0x7b/0x3c0        tg_set_limit+0x10a/0x3e0        cgroup_file_write+0xc6/0x420        kernfs_fop_write_iter+0x189/0x280        vfs_write+0x256/0x490        ksys_write+0x83/0x190        __x64_sys_write+0x21/0x30        x64_sys_call+0x4608/0x4630        do_syscall_64+0xdb/0x6b0        entry_SYSCALL_64_after_hwframe+0x76/0x7e  -> #1 (&q->rq_qos_mutex){+.+.}-{4:4}:        __mutex_lock+0xd8/0xf50        mutex_lock_nested+0x2b/0x40        wbt_init+0x17e/0x280        wbt_enable_default+0xe9/0x140        blk_register_queue+0x1da/0x2e0        __add_disk+0x38c/0x5d0        add_disk_fwnode+0x89/0x250        device_add_disk+0x18/0x30        virtblk_probe+0x13a3/0x1800        virtio_dev_probe+0x389/0x610        really_probe+0x136/0x620        __driver_probe_device+0xb3/0x230        driver_probe_device+0x2f/0xe0        __driver_attach+0x158/0x250        bus_for_each_dev+0xa9/0x130        driver_attach+0x26/0x40        bus_add_driver+0x178/0x3d0        driver_register+0x7d/0x1c0        __register_virtio_driver+0x2c/0x60        virtio_blk_init+0x6f/0xe0        do_one_initcall+0x94/0x540        kernel_init_freeable+0x56a/0x7b0        kernel_init+0x2b/0x270    
    ret_from_fork+0x268/0x4c0        ret_from_fork_asm+0x1a/0x30  -> #0 (&q->sysfs_lock){+.+.}-{4:4}:        __lock_acquire+0x1835/0x2940        lock_acquire+0xf9/0x450        __mutex_lock+0xd8/0xf50        mutex_lock_nested+0x2b/0x40        blk_unregister_queue+0x53/0x180        __del_gendisk+0x226/0x690        del_gendisk+0xba/0x110        sd_remove+0x49/0xb0 [sd_mod]        device_remove+0x87/0xb0        device_release_driver_internal+0x11e/0x230        device_release_driver+0x1a/0x30        bus_remove_device+0x14d/0x220        device_del+0x1e1/0x5a0        __scsi_remove_device+0x1ff/0x2f0        scsi_remove_device+0x37/0x60        sdev_store_delete+0x77/0x100        dev_attr_store+0x1f/0x40        sysfs_kf_write+0x65/0x90        kernfs_fop_write_iter+0x189/0x280        vfs_write+0x256/0x490        ksys_write+0x83/0x190        __x64_sys_write+0x21/0x30        x64_sys_call+0x4608/0x4630        do_syscall_64+0xdb/0x6b0        entry_SYSCALL_64_after_hwframe+0x76/0x7e  other info that might help us debug this:  Chain exists of:   &q->sysfs_lock --> &q->rq_qos_mutex --> &q->q_usage_counter(queue)#3   Possible unsafe locking scenario:         CPU0                    CPU1        ----                    ----   lock(&q->q_usage_counter(queue)#3);                                lock(&q->rq_qos_mutex);                                lock(&q->q_usage_counter(queue)#3);   lock(&q->sysfs_lock);  Root cause is that queue_usage_counter is grabbed with rq_qos_mutex held in blkg_conf_prep(), while queue should be freezed before rq_qos_mutex from other context.  The blk_queue_enter() from blkg_conf_prep() is used to protect against policy deactivation, which is already protected with blkcg_mutex, hence convert blk_queue_enter() to blkcg_mutex to fix this problem. Meanwhile, consider that blkcg_mutex is held after queue is freezed from policy deactivation, also convert blkg_alloc() to use GFP_NOIO.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40341",
                        "url": "https://ubuntu.com/security/CVE-2025-40341",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  futex: Don't leak robust_list pointer on exec race  sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access() to check if the calling task is allowed to access another task's robust_list pointer. This check is racy against a concurrent exec() in the target process.  During exec(), a task may transition from a non-privileged binary to a privileged one (e.g., setuid binary) and its credentials/memory mappings may change. If get_robust_list() performs ptrace_may_access() before this transition, it may erroneously allow access to sensitive information after the target becomes privileged.  A racy access allows an attacker to exploit a window during which ptrace_may_access() passes before a target process transitions to a privileged state via exec().  For example, consider a non-privileged task T that is about to execute a setuid-root binary. An attacker task A calls get_robust_list(T) while T is still unprivileged. Since ptrace_may_access() checks permissions based on current credentials, it succeeds. However, if T begins exec immediately afterwards, it becomes privileged and may change its memory mappings. Because get_robust_list() proceeds to access T->robust_list without synchronizing with exec() it may read user-space pointers from a now-privileged process.  This violates the intended post-exec access restrictions and could expose sensitive memory addresses or be used as a primitive in a larger exploit chain. Consequently, the race can lead to unauthorized disclosure of information across privilege boundaries and poses a potential security risk.  Take a read lock on signal->exec_update_lock prior to invoking ptrace_may_access() and accessing the robust_list/compat_robust_list. This ensures that the target task's exec state remains stable during the check, allowing for consistent and synchronized validation of credentials.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40342",
                        "url": "https://ubuntu.com/security/CVE-2025-40342",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvme-fc: use lock accessing port_state and rport state  nvme_fc_unregister_remote removes the remote port on a lport object at any point in time when there is no active association. This races with the reconnect logic, because nvme_fc_create_association is not taking a lock to check the port_state and atomically increase the active count on the rport.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40343",
                        "url": "https://ubuntu.com/security/CVE-2025-40343",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-fc: avoid scheduling association deletion twice  When forcefully shutting down a port via the configfs interface, nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and then nvmet_disable_port(). Both functions will eventually schedule all remaining associations for deletion.  The current implementation checks whether an association is about to be removed, but only after the work item has already been scheduled. As a result, it is possible for the first scheduled work item to free all resources, and then for the same work item to be scheduled again for deletion.  Because the association list is an RCU list, it is not possible to take a lock and remove the list entry directly, so it cannot be looked up again. Instead, a flag (terminating) must be used to determine whether the association is already in the process of being deleted.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68177",
                        "url": "https://ubuntu.com/security/CVE-2025-68177",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq/longhaul: handle NULL policy in longhaul_exit  longhaul_exit() was calling cpufreq_cpu_get(0) without checking for a NULL policy pointer. On some systems, this could lead to a NULL dereference and a kernel warning or panic.  This patch adds a check using unlikely() and returns early if the policy is NULL.  Bugzilla: #219962",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68317",
                        "url": "https://ubuntu.com/security/CVE-2025-68317",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/zctx: check chained notif contexts  Send zc only links ubuf_info for requests coming from the same context. There are some ambiguous syz reports, so let's check the assumption on notification completion.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40315",
                        "url": "https://ubuntu.com/security/CVE-2025-40315",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_fs: Fix epfile null pointer access after ep enable.  A race condition occurs when ffs_func_eps_enable() runs concurrently with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading to a NULL pointer dereference when accessing epfile->ep in ffs_func_eps_enable() after successful usb_ep_enable().  The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and ffs_data_close() functions, and its modification is protected by the spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function is also protected by ffs->eps_lock.  Thus, add NULL pointer handling for ffs->epfiles in the ffs_func_eps_enable() function to fix issues",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40316",
                        "url": "https://ubuntu.com/security/CVE-2025-40316",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/mediatek: Fix device use-after-free on unbind  A recent change fixed device reference leaks when looking up drm platform device driver data during bind() but failed to remove a partial fix which had been added by commit 80805b62ea5b (\"drm/mediatek: Fix kobject put for component sub-drivers\").  This results in a reference imbalance on component bind() failures and on unbind() which could lead to a use-after-free.  Make sure to only drop the references after retrieving the driver data by effectively reverting the previous partial fix.  Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40360",
                        "url": "https://ubuntu.com/security/CVE-2025-40360",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sysfb: Do not dereference NULL pointer in plane reset  The plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not deref that pointer, but forward NULL to the other plane-reset helpers. Clears plane->state to NULL.  v2: - fix typo in commit description (Javier)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68179",
                        "url": "https://ubuntu.com/security/CVE-2025-68179",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP  As reported by Luiz Capitulino enabling HVO on s390 leads to reproducible crashes. The problem is that kernel page tables are modified without flushing corresponding TLB entries.  Even if it looks like the empty flush_tlb_all() implementation on s390 is the problem, it is actually a different problem: on s390 it is not allowed to replace an active/valid page table entry with another valid page table entry without the detour over an invalid entry. A direct replacement may lead to random crashes and/or data corruption.  In order to invalidate an entry special instructions have to be used (e.g. ipte or idte). Alternatively there are also special instructions available which allow to replace a valid entry with a different valid entry (e.g. crdte or cspg).  Given that the HVO code currently does not provide the hooks to allow for an implementation which is compliant with the s390 architecture requirements, disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP again, which is basically a revert of the original patch which enabled it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68310",
                        "url": "https://ubuntu.com/security/CVE-2025-68310",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump  Do not block PCI config accesses through pci_cfg_access_lock() when executing the s390 variant of PCI error recovery: Acquire just device_lock() instead of pci_dev_lock() as powerpc's EEH and generig PCI AER processing do.  During error recovery testing a pair of tasks was reported to be hung:  mlx5_core 0000:00:00.1: mlx5_health_try_recover:338:(pid 5553): health recovery flow aborted, PCI reads still not working INFO: task kmcheck:72 blocked for more than 122 seconds.       Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. task:kmcheck         state:D stack:0     pid:72    tgid:72    ppid:2     flags:0x00000000 Call Trace:  [<000000065256f030>] __schedule+0x2a0/0x590  [<000000065256f356>] schedule+0x36/0xe0  [<000000065256f572>] schedule_preempt_disabled+0x22/0x30  [<0000000652570a94>] __mutex_lock.constprop.0+0x484/0x8a8  [<000003ff800673a4>] mlx5_unload_one+0x34/0x58 [mlx5_core]  [<000003ff8006745c>] mlx5_pci_err_detected+0x94/0x140 [mlx5_core]  [<0000000652556c5a>] zpci_event_attempt_error_recovery+0xf2/0x398  [<0000000651b9184a>] __zpci_event_error+0x23a/0x2c0 INFO: task kworker/u1664:6:1514 blocked for more than 122 seconds.       Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. 
task:kworker/u1664:6 state:D stack:0     pid:1514  tgid:1514  ppid:2     flags:0x00000000 Workqueue: mlx5_health0000:00:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core] Call Trace:  [<000000065256f030>] __schedule+0x2a0/0x590  [<000000065256f356>] schedule+0x36/0xe0  [<0000000652172e28>] pci_wait_cfg+0x80/0xe8  [<0000000652172f94>] pci_cfg_access_lock+0x74/0x88  [<000003ff800916b6>] mlx5_vsc_gw_lock+0x36/0x178 [mlx5_core]  [<000003ff80098824>] mlx5_crdump_collect+0x34/0x1c8 [mlx5_core]  [<000003ff80074b62>] mlx5_fw_fatal_reporter_dump+0x6a/0xe8 [mlx5_core]  [<0000000652512242>] devlink_health_do_dump.part.0+0x82/0x168  [<0000000652513212>] devlink_health_report+0x19a/0x230  [<000003ff80075a12>] mlx5_fw_fatal_reporter_err_work+0xba/0x1b0 [mlx5_core]  No kernel log of the exact same error with an upstream kernel is available - but the very same deadlock situation can be constructed there, too:  - task: kmcheck   mlx5_unload_one() tries to acquire devlink lock while the PCI error   recovery code has set pdev->block_cfg_access by way of   pci_cfg_access_lock() - task: kworker   mlx5_crdump_collect() tries to set block_cfg_access through   pci_cfg_access_lock() while devlink_health_report() had acquired   the devlink lock.  A similar deadlock situation can be reproduced by requesting a crdump with   > devlink health dump show pci/<BDF> reporter fw_fatal  while PCI error recovery is executed on the same <BDF> physical function by mlx5_core's pci_error_handlers. On s390 this can be injected with   > zpcictl --reset-fw <BDF>  Tests with this patch failed to reproduce that second deadlock situation, the devlink command is rejected with \"kernel answers: Permission denied\" - and we get a kernel log message of:  mlx5_core 1ed0:00:00.1: mlx5_crdump_collect:50:(pid 254382): crdump: failed to lock vsc gw err -5  because the config read of VSC_SEMAPHORE is rejected by the underlying hardware.  
Two prior attempts to address this issue have been discussed and ultimately rejected [see link], with the primary argument that s390's implementation of PCI error recovery is imposing restrictions that neither powerpc's EEH nor PCI AER handling need. Tests show that PCI error recovery on s390 is running to completion even without blocking access to PCI config space.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40317",
                        "url": "https://ubuntu.com/security/CVE-2025-40317",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  regmap: slimbus: fix bus_context pointer in regmap init calls  Commit 4e65bda8273c (\"ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()\") revealed the problem in the slimbus regmap. That commit breaks audio playback, for instance, on sdm845 Thundercomm Dragonboard 845c board:   Unable to handle kernel paging request at virtual address ffff8000847cbad4  ...  CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT  Hardware name: Thundercomm Dragonboard 845c (DT)  ...  Call trace:   slim_xfer_msg+0x24/0x1ac [slimbus] (P)   slim_read+0x48/0x74 [slimbus]   regmap_slimbus_read+0x18/0x24 [regmap_slimbus]   _regmap_raw_read+0xe8/0x174   _regmap_bus_read+0x44/0x80   _regmap_read+0x60/0xd8   _regmap_update_bits+0xf4/0x140   _regmap_select_page+0xa8/0x124   _regmap_raw_write_impl+0x3b8/0x65c   _regmap_bus_raw_write+0x60/0x80   _regmap_write+0x58/0xc0   regmap_write+0x4c/0x80   wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x]   snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core]   __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core]   dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core]   dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core]   snd_pcm_hw_params+0x124/0x464 [snd_pcm]   snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm]   snd_pcm_ioctl+0x34/0x4c [snd_pcm]   __arm64_sys_ioctl+0xac/0x104   invoke_syscall+0x48/0x104   el0_svc_common.constprop.0+0x40/0xe0   do_el0_svc+0x1c/0x28   el0_svc+0x34/0xec   el0t_64_sync_handler+0xa0/0xf0   el0t_64_sync+0x198/0x19c  The __devm_regmap_init_slimbus() started to be used instead of __regmap_init_slimbus() after the commit mentioned above and turns out the incorrect bus_context pointer (3rd argument) was used in __devm_regmap_init_slimbus(). It should be just \"slimbus\" (which is equal to &slimbus->dev). Correct it. 
The wcd934x codec seems to be the only or the first user of devm_regmap_init_slimbus() but we should fix it till the point where __devm_regmap_init_slimbus() was introduced therefore two \"Fixes\" tags.  While at this, also correct the same argument in __regmap_init_slimbus().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40359",
                        "url": "https://ubuntu.com/security/CVE-2025-40359",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/x86/intel: Fix KASAN global-out-of-bounds warning  When running \"perf mem record\" command on CWF, the below KASAN global-out-of-bounds warning is seen.    ==================================================================   BUG: KASAN: global-out-of-bounds in cmt_latency_data+0x176/0x1b0   Read of size 4 at addr ffffffffb721d000 by task dtlb/9850    Call Trace:     kasan_report+0xb8/0xf0    cmt_latency_data+0x176/0x1b0    setup_arch_pebs_sample_data+0xf49/0x2560    intel_pmu_drain_arch_pebs+0x577/0xb00    handle_pmi_common+0x6c4/0xc80  The issue is caused by below code in __grt_latency_data(). The code tries to access x86_hybrid_pmu structure which doesn't exist on non-hybrid platform like CWF.          WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big)  So add is_hybrid() check before calling this WARN_ON_ONCE to fix the global-out-of-bounds access issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68181",
                        "url": "https://ubuntu.com/security/CVE-2025-68181",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Remove calls to drm_put_dev()  Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() drm_put_dev()'ing to trigger it to be free'd should be done by devres.  However, drm_put_dev() is still in the probe error and device remove paths. When the driver fails to probe warnings like the following are shown because devres is trying to drm_put_dev() after the driver already did it.  [    5.642230] radeon 0000:01:05.0: probe with driver radeon failed with error -22 [    5.649605] ------------[ cut here ]------------ [    5.649607] refcount_t: underflow; use-after-free. [    5.649620] WARNING: CPU: 0 PID: 357 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110  (cherry picked from commit 3eb8c0b4c091da0a623ade0d3ee7aa4a93df1ea4)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68170",
                        "url": "https://ubuntu.com/security/CVE-2025-68170",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Do not kfree() devres managed rdev  Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() rdev is managed by devres and we shouldn't be calling kfree() on it.  This fixes things exploding if the driver probe fails and devres cleans up the rdev after we already free'd it.  (cherry picked from commit 16c0681617b8a045773d4d87b6140002fa75b03b)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40213",
                        "url": "https://ubuntu.com/security/CVE-2025-40213",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete  There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array.  Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove.  Use DEFINE_FLEX to declare the flexible array right, and don't memcpy outside bounds.  As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free, and also report status on error.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-24 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40318",
                        "url": "https://ubuntu.com/security/CVE-2025-40318",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once  hci_cmd_sync_dequeue_once() does lookup and then cancel the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the same entry, leading to double list_del() and \"UAF\".  Fix this by holding cmd_sync_work_lock across both lookup and cancel, so that the entry cannot be removed concurrently.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68312",
                        "url": "https://ubuntu.com/security/CVE-2025-68312",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: Prevents free active kevent  The root causes of this issue are: 1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0); put the kevent work in global workqueue. However, the kevent has not yet been scheduled when the usbnet device is unregistered. Therefore, executing free_netdev() results in the \"free active object (kevent)\" error reported here.  2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(), if the usbnet device is up, ndo_stop() is executed to cancel the kevent. However, because the device is not up, ndo_stop() is not executed.  The solution to this problem is to cancel the kevent before executing free_netdev().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40344",
                        "url": "https://ubuntu.com/security/CVE-2025-40344",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Disable periods-elapsed work when closing PCM  avs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio stream while period-elapsed work services its IRQs. As the former frees the DAI's private context, these two operations shall be synchronized to avoid slab-use-after-free or worse errors.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68172",
                        "url": "https://ubuntu.com/security/CVE-2025-68172",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: aspeed - fix double free caused by devm  The clock obtained via devm_clk_get_enabled() is automatically managed by devres and will be disabled and freed on driver detach. Manually calling clk_disable_unprepare() in error path and remove function causes double free.  Remove the manual clock cleanup in both aspeed_acry_probe()'s error path and aspeed_acry_remove().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40319",
                        "url": "https://ubuntu.com/security/CVE-2025-40319",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Sync pending IRQ work before freeing ring buffer  Fix a race where irq_work can be queued in bpf_ringbuf_commit() but the ring buffer is freed before the work executes. In the syzbot reproducer, a BPF program attached to sched_switch triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer is freed before this work executes, the irq_work thread may access freed memory. Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work complete before freeing the buffer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68182",
                        "url": "https://ubuntu.com/security/CVE-2025-68182",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: iwlwifi: fix potential use after free in iwl_mld_remove_link()  This code frees \"link\" by calling kfree_rcu(link, rcu_head) and then it dereferences \"link\" to get the \"link->fw_id\".  Save the \"link->fw_id\" first to avoid a potential use after free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68314",
                        "url": "https://ubuntu.com/security/CVE-2025-68314",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm: make sure last_fence is always updated  Update last_fence in the vm-bind path instead of kernel managed path.  last_fence is used to wait for work to finish in vm_bind contexts but not used for kernel managed contexts.  This fixes a bug where last_fence is not waited on context close leading to faults as resources are freed while in use.  Patchwork: https://patchwork.freedesktop.org/patch/680080/",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68189",
                        "url": "https://ubuntu.com/security/CVE-2025-68189",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm: Fix GEM free for imported dma-bufs  Imported dma-bufs also have obj->resv != &obj->_resv.  So we should check both this condition in addition to flags for handling the _NO_SHARE case.  Fixes this splat that was reported with IRIS video playback:      ------------[ cut here ]------------     WARNING: CPU: 3 PID: 2040 at drivers/gpu/drm/msm/msm_gem.c:1127 msm_gem_free_object+0x1f8/0x264 [msm]     CPU: 3 UID: 1000 PID: 2040 Comm: .gnome-shell-wr Not tainted 6.17.0-rc7 #1 PREEMPT     pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)     pc : msm_gem_free_object+0x1f8/0x264 [msm]     lr : msm_gem_free_object+0x138/0x264 [msm]     sp : ffff800092a1bb30     x29: ffff800092a1bb80 x28: ffff800092a1bce8 x27: ffffbc702dbdbe08     x26: 0000000000000008 x25: 0000000000000009 x24: 00000000000000a6     x23: ffff00083c72f850 x22: ffff00083c72f868 x21: ffff00087e69f200     x20: ffff00087e69f330 x19: ffff00084d157ae0 x18: 0000000000000000     x17: 0000000000000000 x16: ffffbc704bd46b80 x15: 0000ffffd0959540     x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000     x11: ffffbc702e6cdb48 x10: 0000000000000000 x9 : 000000000000003f     x8 : ffff800092a1ba90 x7 : 0000000000000000 x6 : 0000000000000020     x5 : ffffbc704bd46c40 x4 : fffffdffe102cf60 x3 : 0000000000400032     x2 : 0000000000020000 x1 : ffff00087e6978e8 x0 : ffff00087e6977e8     Call trace:      msm_gem_free_object+0x1f8/0x264 [msm] (P)      drm_gem_object_free+0x1c/0x30 [drm]      drm_gem_object_handle_put_unlocked+0x138/0x150 [drm]      drm_gem_object_release_handle+0x5c/0xcc [drm]      drm_gem_handle_delete+0x68/0xbc [drm]      drm_gem_close_ioctl+0x34/0x40 [drm]      drm_ioctl_kernel+0xc0/0x130 [drm]      drm_ioctl+0x360/0x4e0 [drm]      __arm64_sys_ioctl+0xac/0x104      invoke_syscall+0x48/0x104      el0_svc_common.constprop.0+0x40/0xe0      do_el0_svc+0x1c/0x28      
el0_svc+0x34/0xec      el0t_64_sync_handler+0xa0/0xe4      el0t_64_sync+0x198/0x19c     ---[ end trace 0000000000000000 ]---     ------------[ cut here ]------------  Patchwork: https://patchwork.freedesktop.org/patch/676273/",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68171",
                        "url": "https://ubuntu.com/security/CVE-2025-68171",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/fpu: Ensure XFD state on signal delivery  Sean reported [1] the following splat when running KVM tests:     WARNING: CPU: 232 PID: 15391 at xfd_validate_state+0x65/0x70    Call Trace:     <TASK>     fpu__clear_user_states+0x9c/0x100     arch_do_signal_or_restart+0x142/0x210     exit_to_user_mode_loop+0x55/0x100     do_syscall_64+0x205/0x2c0     entry_SYSCALL_64_after_hwframe+0x4b/0x53  Chao further identified [2] a reproducible scenario involving signal delivery: a non-AMX task is preempted by an AMX-enabled task which modifies the XFD MSR.  When the non-AMX task resumes and reloads XSTATE with init values, a warning is triggered due to a mismatch between fpstate::xfd and the CPU's current XFD state. fpu__clear_user_states() does not currently re-synchronize the XFD state after such preemption.  Invoke xfd_update_state() which detects and corrects the mismatch if there is a dynamic feature.  This also benefits the sigreturn path, as fpu__restore_sig() may call fpu__clear_user_states() when the sigframe is inaccessible.  [ dhansen: minor changelog munging ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68313",
                        "url": "https://ubuntu.com/security/CVE-2025-68313",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Add RDSEED fix for Zen5  There's an issue with RDSEED's 16-bit and 32-bit register output variants on Zen5 which return a random value of 0 \"at a rate inconsistent with randomness while incorrectly signaling success (CF=1)\". Search the web for AMD-SB-7055 for more detail.  Add a fix glue which checks microcode revisions.    [ bp: Add microcode revisions checking, rewrite. ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40320",
                        "url": "https://ubuntu.com/security/CVE-2025-40320",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix potential cfid UAF in smb2_query_info_compound  When smb2_query_info_compound() retries, a previously allocated cfid may have been freed in the first attempt. Because cfid wasn't reset on replay, later cleanup could act on a stale pointer, leading to a potential use-after-free.  Reinitialize cfid to NULL under the replay label.  Example trace (trimmed):  refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110 [...] RIP: 0010:refcount_warn_saturate+0x9c/0x110 [...] Call Trace:  <TASK>  smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  ? step_into+0x10d/0x690  ? __legitimize_path+0x28/0x60  smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  ? kmem_cache_alloc+0x18a/0x340  ? getname_flags+0x46/0x1e0  cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  statfs_by_dentry+0x67/0x90  vfs_statfs+0x16/0xd0  user_statfs+0x54/0xa0  __do_sys_statfs+0x20/0x50  do_syscall_64+0x58/0x80",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40321",
                        "url": "https://ubuntu.com/security/CVE-2025-40321",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode  Currently, whenever there is a need to transmit an Action frame, the brcmfmac driver always uses the P2P vif to send the \"actframe\" IOVAR to firmware. The P2P interfaces were available when wpa_supplicant is managing the wlan interface.  However, the P2P interfaces are not created/initialized when only hostapd is managing the wlan interface. And if hostapd receives an ANQP Query REQ Action frame even from an un-associated STA, the brcmfmac driver tries to use an uninitialized P2P vif pointer for sending the IOVAR to firmware. This NULL pointer dereferencing triggers a driver crash.   [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual  address 0000000000000000  [...]  [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)  [...]  [ 1417.075653] Call trace:  [ 1417.075662]  brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]  [ 1417.075738]  brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]  [ 1417.075810]  cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211]  [ 1417.076067]  nl80211_tx_mgmt+0x238/0x388 [cfg80211]  [ 1417.076281]  genl_family_rcv_msg_doit+0xe0/0x158  [ 1417.076302]  genl_rcv_msg+0x220/0x2a0  [ 1417.076317]  netlink_rcv_skb+0x68/0x140  [ 1417.076330]  genl_rcv+0x40/0x60  [ 1417.076343]  netlink_unicast+0x330/0x3b8  [ 1417.076357]  netlink_sendmsg+0x19c/0x3f8  [ 1417.076370]  __sock_sendmsg+0x64/0xc0  [ 1417.076391]  ____sys_sendmsg+0x268/0x2a0  [ 1417.076408]  ___sys_sendmsg+0xb8/0x118  [ 1417.076427]  __sys_sendmsg+0x90/0xf8  [ 1417.076445]  __arm64_sys_sendmsg+0x2c/0x40  [ 1417.076465]  invoke_syscall+0x50/0x120  [ 1417.076486]  el0_svc_common.constprop.0+0x48/0xf0  [ 1417.076506]  do_el0_svc+0x24/0x38  [ 1417.076525]  el0_svc+0x30/0x100  [ 1417.076548]  el0t_64_sync_handler+0x100/0x130  [ 1417.076569]  el0t_64_sync+0x190/0x198  [ 
1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)  Fix this, by always using the vif corresponding to the wdev on which the Action frame Transmission request was initiated by the userspace. This way, even if P2P vif is not available, the IOVAR is sent to firmware on AP vif and the ANQP Query RESP Action frame is transmitted without crashing the driver.  Move init_completion() for \"send_af_done\" from brcmf_p2p_create_p2pdev() to brcmf_p2p_attach(). Because the former function would not get executed when only hostapd is managing wlan interface, and it is not safe to do reinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior init_completion().  And in the brcmf_p2p_tx_action_frame() function, the condition check for P2P Presence response frame is not needed, since the wpa_supplicant is properly sending the P2P Presence Response frame on the P2P-GO vif instead of the P2P-Device vif.  [Cc stable]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40322",
                        "url": "https://ubuntu.com/security/CVE-2025-40322",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: bitblit: bound-check glyph index in bit_putcs*  bit_putcs_aligned()/unaligned() derived the glyph pointer from the character value masked by 0xff/0x1ff, which may exceed the actual font's glyph count and read past the end of the built-in font array. Clamp the index to the actual glyph count before computing the address.  This fixes a global out-of-bounds read reported by syzbot.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40211",
                        "url": "https://ubuntu.com/security/CVE-2025-40211",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ACPI: video: Fix use-after-free in acpi_video_switch_brightness()  The switch_brightness_work delayed work accesses device->brightness and device->backlight, freed by acpi_video_dev_unregister_backlight() during device removal.  If the work executes after acpi_video_bus_unregister_backlight() frees these resources, it causes a use-after-free when acpi_video_switch_brightness() dereferences device->brightness or device->backlight.  Fix this by calling cancel_delayed_work_sync() for each device's switch_brightness_work in acpi_video_bus_remove_notify_handler() after removing the notify handler that queues the work. This ensures the work completes before the memory is freed.  [ rjw: Changelog edit ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-21 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40323",
                        "url": "https://ubuntu.com/security/CVE-2025-40323",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Set fb_display[i]->mode to NULL when the mode is released  Recently, we discovered the following issue through syzkaller:  BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0 Read of size 4 at addr ff11000001b3c69c by task syz.xxx ... Call Trace:  <TASK>  dump_stack_lvl+0xab/0xe0  print_address_description.constprop.0+0x2c/0x390  print_report+0xb9/0x280  kasan_report+0xb8/0xf0  fb_mode_is_equal+0x285/0x2f0  fbcon_mode_deleted+0x129/0x180  fb_set_var+0xe7f/0x11d0  do_fb_ioctl+0x6a0/0x750  fb_ioctl+0xe0/0x140  __x64_sys_ioctl+0x193/0x210  do_syscall_64+0x5f/0x9c0  entry_SYSCALL_64_after_hwframe+0x76/0x7e  Based on experimentation and analysis, during framebuffer unregistration, only the memory of fb_info->modelist is freed, without setting the corresponding fb_display[i]->mode to NULL for the freed modes. This leads to UAF issues during subsequent accesses. Here's an example of reproduction steps: 1. With /dev/fb0 already registered in the system, load a kernel module    to register a new device /dev/fb1; 2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP); 3. Switch console from fb to VGA (to allow normal rmmod of the ko); 4. Unload the kernel module, at this point fb1's modelist is freed, leaving    a wild pointer in fb_display[]; 5. Trigger the bug via system calls through fb0 attempting to delete a mode    from fb0.  Add a check in do_unregister_framebuffer(): if the mode to be freed exists in fb_display[], set the corresponding mode pointer to NULL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40210",
                        "url": "https://ubuntu.com/security/CVE-2025-40210",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\"  I've found that pynfs COMP6 now leaves the connection or lease in a strange state, which causes CLOSE9 to hang indefinitely. I've dug into it a little, but I haven't been able to root-cause it yet. However, I bisected to commit 48aab1606fa8 (\"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\").  Tianshuo Han also reports a potential vulnerability when decoding an NFSv4 COMPOUND. An attacker can place an arbitrarily large op count in the COMPOUND header, which results in:  [   51.410584] nfsd: vmalloc error: size 1209533382144, exceeds total pages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO), nodemask=(null),cpuset=/,mems_allowed=0  when NFSD attempts to allocate the COMPOUND op array.  Let's restore the operation-per-COMPOUND limit, but increased to 200 for now.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-21 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40324",
                        "url": "https://ubuntu.com/security/CVE-2025-40324",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Fix crash in nfsd4_read_release()  When tracing is enabled, the trace_nfsd_read_done trace point crashes during the pynfs read.testNoFh test.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40326",
                        "url": "https://ubuntu.com/security/CVE-2025-40326",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define actions for the new time_deleg FATTR4 attributes  NFSv4 clients won't send legitimate GETATTR requests for these new attributes because they are intended to be used only with CB_GETATTR and SETATTR. But NFSD has to do something besides crashing if it ever sees a GETATTR request that queries these attributes.  RFC 8881 Section 18.7.3 states:  > The server MUST return a value for each attribute that the client > requests if the attribute is supported by the server for the > target file system. If the server does not support a particular > attribute on the target file system, then it MUST NOT return the > attribute value and MUST NOT set the attribute bit in the result > bitmap. The server MUST return an error if it supports an > attribute on the target but cannot obtain its value. In that case, > no attribute values will be returned.  Further, RFC 9754 Section 5 states:  > These new attributes are invalid to be used with GETATTR, VERIFY, > and NVERIFY, and they can only be used with CB_GETATTR and SETATTR > by a client holding an appropriate delegation.  Thus there does not appear to be a specific server response mandated by specification. Taking the guidance that querying these attributes via GETATTR is \"invalid\", NFSD will return nfserr_inval, failing the request entirely.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40084",
                        "url": "https://ubuntu.com/security/CVE-2025-40084",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: transport_ipc: validate payload size before reading handle  handle_response() dereferences the payload as a 4-byte handle without verifying that the declared payload size is at least 4 bytes. A malformed or truncated message from ksmbd.mountd can lead to a 4-byte read past the declared payload size. Validate the size before dereferencing.  This is a minimal fix to guard the initial handle read.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40222",
                        "url": "https://ubuntu.com/security/CVE-2025-40222",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: serial: sh-sci: fix RSCI FIFO overrun handling  The receive error handling code is shared between RSCI and all other SCIF port types, but the RSCI overrun_reg is specified as a memory offset, while for other SCIF types it is an enum value used to index into the sci_port_params->regs array, as mentioned above the sci_serial_in() function.  For RSCI, the overrun_reg is CSR (0x48), causing the sci_getreg() call inside the sci_handle_fifo_overrun() function to index outside the bounds of the regs array, which currently has a size of 20, as specified by SCI_NR_REGS.  Because of this, we end up accessing memory outside of RSCI's rsci_port_params structure, which, when interpreted as a plat_sci_reg, happens to have a non-zero size, causing the following WARN when sci_serial_in() is called, as the accidental size does not match the supported register sizes.  The existence of the overrun_reg needs to be checked because SCIx_SH3_SCIF_REGTYPE has overrun_reg set to SCLSR, but SCLSR is not present in the regs array.  Avoid calling sci_getreg() for port types which don't use standard register handling.  Use the ops->read_reg() and ops->write_reg() functions to properly read and write registers for RSCI, and change the type of the status variable to accommodate the 32-bit CSR register.  sci_getreg() and sci_serial_in() are also called with overrun_reg in the sci_mpxed_interrupt() interrupt handler, but that code path is not used for RSCI, as it does not have a muxed interrupt.  
------------[ cut here ]------------ Invalid register access WARNING: CPU: 0 PID: 0 at drivers/tty/serial/sh-sci.c:522 sci_serial_in+0x38/0xac Modules linked in: renesas_usbhs at24 rzt2h_adc industrialio_adc sha256 cfg80211 bluetooth ecdh_generic ecc rfkill fuse drm backlight ipv6 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.17.0-rc1+ #30 PREEMPT Hardware name: Renesas RZ/T2H EVK Board based on r9a09g077m44 (DT) pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : sci_serial_in+0x38/0xac lr : sci_serial_in+0x38/0xac sp : ffff800080003e80 x29: ffff800080003e80 x28: ffff800082195b80 x27: 000000000000000d x26: ffff8000821956d0 x25: 0000000000000000 x24: ffff800082195b80 x23: ffff000180e0d800 x22: 0000000000000010 x21: 0000000000000000 x20: 0000000000000010 x19: ffff000180e72000 x18: 000000000000000a x17: ffff8002bcee7000 x16: ffff800080000000 x15: 0720072007200720 x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720 x11: 0000000000000058 x10: 0000000000000018 x9 : ffff8000821a6a48 x8 : 0000000000057fa8 x7 : 0000000000000406 x6 : ffff8000821fea48 x5 : ffff00033ef88408 x4 : ffff8002bcee7000 x3 : ffff800082195b80 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff800082195b80 Call trace:  sci_serial_in+0x38/0xac (P)  sci_handle_fifo_overrun.isra.0+0x70/0x134  sci_er_interrupt+0x50/0x39c  __handle_irq_event_percpu+0x48/0x140  handle_irq_event+0x44/0xb0  handle_fasteoi_irq+0xf4/0x1a0  handle_irq_desc+0x34/0x58  generic_handle_domain_irq+0x1c/0x28  gic_handle_irq+0x4c/0x140  call_on_irq_stack+0x30/0x48  do_interrupt_handler+0x80/0x84  el1_interrupt+0x34/0x68  el1h_64_irq_handler+0x18/0x24  el1h_64_irq+0x6c/0x70  default_idle_call+0x28/0x58 (P)  do_idle+0x1f8/0x250  cpu_startup_entry+0x34/0x3c  rest_init+0xd8/0xe0  console_on_rootfs+0x0/0x6c  __primary_switched+0x88/0x90 ---[ end trace 0000000000000000 ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40223",
                        "url": "https://ubuntu.com/security/CVE-2025-40223",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  most: usb: Fix use-after-free in hdm_disconnect  hdm_disconnect() calls most_deregister_interface(), which eventually unregisters the MOST interface device with device_unregister(iface->dev). If that drops the last reference, the device core may call release_mdev() immediately while hdm_disconnect() is still executing.  The old code also freed several mdev-owned allocations in hdm_disconnect() and then performed additional put_device() calls. Depending on refcount order, this could lead to use-after-free or double-free when release_mdev() ran (or when unregister paths also performed puts).  Fix by moving the frees of mdev-owned allocations into release_mdev(), so they happen exactly once when the device is truly released, and by dropping the extra put_device() calls in hdm_disconnect() that are redundant after device_unregister() and most_deregister_interface().  This addresses the KASAN slab-use-after-free reported by syzbot in hdm_disconnect(). See report and stack traces in the bug link below.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40106",
                        "url": "https://ubuntu.com/security/CVE-2025-40106",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  comedi: fix divide-by-zero in comedi_buf_munge()  The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path.  Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging.  This prevents potential kernel panics from malformed user commands.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-31 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40224",
                        "url": "https://ubuntu.com/security/CVE-2025-40224",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hwmon: (cgbc-hwmon) Add missing NULL check after devm_kzalloc()  The driver allocates memory for sensor data using devm_kzalloc(), but did not check if the allocation succeeded. In case of memory allocation failure, dereferencing the NULL pointer would lead to a kernel crash.  Add a NULL pointer check and return -ENOMEM to handle allocation failure properly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40225",
                        "url": "https://ubuntu.com/security/CVE-2025-40225",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/panthor: Fix kernel panic on partial unmap of a GPU VA region  This commit address a kernel panic issue that can happen if Userspace tries to partially unmap a GPU virtual region (aka drm_gpuva). The VM_BIND interface allows partial unmapping of a BO.  Panthor driver pre-allocates memory for the new drm_gpuva structures that would be needed for the map/unmap operation, done using drm_gpuvm layer. It expected that only one new drm_gpuva would be needed on umap but a partial unmap can require 2 new drm_gpuva and that's why it ended up doing a NULL pointer dereference causing a kernel panic.  Following dump was seen when partial unmap was exercised.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078  Mem abort info:    ESR = 0x0000000096000046    EC = 0x25: DABT (current EL), IL = 32 bits    SET = 0, FnV = 0    EA = 0, S1PTW = 0    FSC = 0x06: level 2 translation fault  Data abort info:    ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000    CM = 0, WnR = 1, TnD = 0, TagAccess = 0    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0  user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000  [000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000  Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP  <snip>  pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)  pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]  lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor]  sp : ffff800085d43970  x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000  x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000  x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180  x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010  x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c  x14: 312d3d7361203a70 x13: 303030323d6e656c x12: 
ffff80008324bf58  x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c  x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7  x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001  x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078  Call trace:   panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]   op_remap_cb.isra.22+0x50/0x80   __drm_gpuvm_sm_unmap+0x10c/0x1c8   drm_gpuvm_sm_unmap+0x40/0x60   panthor_vm_exec_op+0xb4/0x3d0 [panthor]   panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor]   panthor_ioctl_vm_bind+0x160/0x4a0 [panthor]   drm_ioctl_kernel+0xbc/0x138   drm_ioctl+0x240/0x500   __arm64_sys_ioctl+0xb0/0xf8   invoke_syscall+0x4c/0x110   el0_svc_common.constprop.1+0x98/0xf8   do_el0_svc+0x24/0x38   el0_svc+0x40/0xf8   el0t_64_sync_handler+0xa0/0xc8   el0t_64_sync+0x174/0x178",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40226",
                        "url": "https://ubuntu.com/security/CVE-2025-40226",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  firmware: arm_scmi: Account for failed debug initialization  When the SCMI debug subsystem fails to initialize, the related debug root will be missing, and the underlying descriptor will be NULL.  Handle this fault condition in the SCMI debug helpers that maintain metrics counters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40227",
                        "url": "https://ubuntu.com/security/CVE-2025-40227",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs: dealloc commit test ctx always  The damon_ctx for testing online DAMON parameters commit inputs is deallocated only when the test fails.  This means memory is leaked for every successful online DAMON parameters commit.  Fix the leak by always deallocating it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40228",
                        "url": "https://ubuntu.com/security/CVE-2025-40228",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs: catch commit test ctx alloc failure  Patch series \"mm/damon/sysfs: fix commit test damon_ctx [de]allocation\".  DAMON sysfs interface dynamically allocates and uses a damon_ctx object for testing if given inputs for online DAMON parameters update is valid. The object is being used without an allocation failure check, and leaked when the test succeeds.  Fix the two bugs.   This patch (of 2):  The damon_ctx for testing online DAMON parameters commit inputs is used without its allocation failure check.  This could result in an invalid memory access.  Fix it by directly returning an error when the allocation failed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40229",
                        "url": "https://ubuntu.com/security/CVE-2025-40229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/core: fix potential memory leak by cleaning ops_filter in damon_destroy_scheme  Currently, damon_destroy_scheme() only cleans up the filter list but leaves ops_filter untouched, which could lead to memory leaks when a scheme is destroyed.  This patch ensures both filter and ops_filter are properly freed in damon_destroy_scheme(), preventing potential memory leaks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40230",
                        "url": "https://ubuntu.com/security/CVE-2025-40230",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm: prevent poison consumption when splitting THP  When performing memory error injection on a THP (Transparent Huge Page) mapped to userspace on an x86 server, the kernel panics with the following trace.  The expected behavior is to terminate the affected process instead of panicking the kernel, as the x86 Machine Check code can recover from an in-userspace #MC.    mce: [Hardware Error]: CPU 0: Machine Check Exception: f Bank 3: bd80000000070134   mce: [Hardware Error]: RIP 10:<ffffffff8372f8bc> {memchr_inv+0x4c/0xf0}   mce: [Hardware Error]: TSC afff7bbff88a ADDR 1d301b000 MISC 80 PPIN 1e741e77539027db   mce: [Hardware Error]: PROCESSOR 0:d06d0 TIME 1758093249 SOCKET 0 APIC 0 microcode 80000320   mce: [Hardware Error]: Run the above through 'mcelog --ascii'   mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel   Kernel panic - not syncing: Fatal local machine check  The root cause of this panic is that handling a memory failure triggered by an in-userspace #MC necessitates splitting the THP.  The splitting process employs a mechanism, implemented in try_to_map_unused_to_zeropage(), which reads the pages in the THP to identify zero-filled pages.  However, reading the pages in the THP results in a second in-kernel #MC, occurring before the initial memory_failure() completes, ultimately leading to a kernel panic.  See the kernel panic call trace on the two #MCs.    
First Machine Check occurs // [1]     memory_failure()         // [2]       try_to_split_thp_page()         split_huge_page()           split_huge_page_to_list_to_order()             __folio_split()  // [3]               remap_page()                 remove_migration_ptes()                   remove_migration_pte()                     try_to_map_unused_to_zeropage()  // [4]                       memchr_inv()                   // [5]                         Second Machine Check occurs  // [6]                           Kernel panic  [1] Triggered by accessing a hardware-poisoned THP in userspace, which is     typically recoverable by terminating the affected process.  [2] Call folio_set_has_hwpoisoned() before try_to_split_thp_page().  [3] Pass the RMP_USE_SHARED_ZEROPAGE remap flag to remap_page().  [4] Try to map the unused THP to zeropage.  [5] Re-access pages in the hw-poisoned THP in the kernel.  [6] Triggered in-kernel, leading to a panic kernel.  In Step[2], memory_failure() sets the poisoned flag on the page in the THP by TestSetPageHWPoison() before calling try_to_split_thp_page().  As suggested by David Hildenbrand, fix this panic by not accessing to the poisoned page in the THP during zeropage identification, while continuing to scan unaffected pages in the THP for possible zeropage mapping.  This prevents a second in-kernel #MC that would cause kernel panic in Step[4].  Thanks to Andrew Zaborowski for his initial work on fixing this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40231",
                        "url": "https://ubuntu.com/security/CVE-2025-40231",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix lock inversion in vsock_assign_transport()  Syzbot reported a potential lock inversion deadlock between vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.  The issue was introduced by commit 687aa0c5581b (\"vsock: Fix transport_* TOCTOU\") which added vsock_register_mutex locking in vsock_assign_transport() around the transport->release() call, that can call vsock_linger(). vsock_assign_transport() can be called with sk_lock held. vsock_linger() calls sk_wait_event() that temporarily releases and re-acquires sk_lock. During this window, if another thread holds vsock_register_mutex while trying to acquire sk_lock, a circular dependency is created.  Fix this by releasing vsock_register_mutex before calling transport->release() and vsock_deassign_transport(). This is safe because we don't need to hold vsock_register_mutex while releasing the old transport, and we ensure the new transport won't disappear by obtaining a module reference first via try_module_get().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40233",
                        "url": "https://ubuntu.com/security/CVE-2025-40233",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ocfs2: clear extent cache after moving/defragmenting extents  The extent map cache can become stale when extents are moved or defragmented, causing subsequent operations to see outdated extent flags. This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().  The problem occurs when: 1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED 2. ioctl(FITRIM) triggers ocfs2_move_extents() 3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2) 4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent()    which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0) 5. The extent map cache is not invalidated after the move 6. Later write() operations read stale cached flags (0x2) but disk has    updated flags (0x0), causing a mismatch 7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers  Fix by clearing the extent map cache after each extent move/defrag operation in __ocfs2_move_extents_range().  This ensures subsequent operations read fresh extent data from disk.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40235",
                        "url": "https://ubuntu.com/security/CVE-2025-40235",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots()  If fs_info->super_copy or fs_info->super_for_commit allocated failed in btrfs_get_tree_subvol(), then no need to call btrfs_free_fs_info(). Otherwise btrfs_check_leaked_roots() would access NULL pointer because fs_info->allocated_roots had not been initialised.  syzkaller reported the following information:   ------------[ cut here ]------------   BUG: unable to handle page fault for address: fffffffffffffbb0   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   PGD 64c9067 P4D 64c9067 PUD 64cb067 PMD 0   Oops: Oops: 0000 [#1] SMP KASAN PTI   CPU: 0 UID: 0 PID: 1402 Comm: syz.1.35 Not tainted 6.15.8 #4 PREEMPT(lazy)   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...)   RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]   RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]   RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]   RIP: 0010:refcount_read include/linux/refcount.h:170 [inline]   RIP: 0010:btrfs_check_leaked_roots+0x18f/0x2c0 fs/btrfs/disk-io.c:1230   [...]   
Call Trace:    <TASK>    btrfs_free_fs_info+0x310/0x410 fs/btrfs/disk-io.c:1280    btrfs_get_tree_subvol+0x592/0x6b0 fs/btrfs/super.c:2029    btrfs_get_tree+0x63/0x80 fs/btrfs/super.c:2097    vfs_get_tree+0x98/0x320 fs/super.c:1759    do_new_mount+0x357/0x660 fs/namespace.c:3899    path_mount+0x716/0x19c0 fs/namespace.c:4226    do_mount fs/namespace.c:4239 [inline]    __do_sys_mount fs/namespace.c:4450 [inline]    __se_sys_mount fs/namespace.c:4427 [inline]    __x64_sys_mount+0x28c/0x310 fs/namespace.c:4427    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0x92/0x180 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x76/0x7e   RIP: 0033:0x7f032eaffa8d   [...]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40236",
                        "url": "https://ubuntu.com/security/CVE-2025-40236",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: zero unused hash fields  When GSO tunnel is negotiated, virtio_net_hdr_tnl_from_skb() tries to initialize the tunnel metadata but forgets to zero the unused rxhash fields. This may leak information to the other side. Fix this by zeroing the unused hash fields.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40237",
                        "url": "https://ubuntu.com/security/CVE-2025-40237",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/notify: call exportfs_encode_fid with s_umount  Calling intotify_show_fdinfo() on fd watching an overlayfs inode, while the overlayfs is being unmounted, can lead to dereferencing NULL ptr.  This issue was found by syzkaller.  Race Condition Diagram:  Thread 1                           Thread 2 --------                           --------  generic_shutdown_super()  shrink_dcache_for_umount   sb->s_root = NULL                      |                     |             vfs_read()                     |              inotify_fdinfo()                     |               * inode get from mark *                     |               show_mark_fhandle(m, inode)                     |                exportfs_encode_fid(inode, ..)                     |                 ovl_encode_fh(inode, ..)                     |                  ovl_check_encode_origin(inode)                     |                   * deref i_sb->s_root *                     |                     |                     v  fsnotify_sb_delete(sb)  Which then leads to:  [   32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [   32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [   32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none)  <snip registers, unreliable trace>  [   32.143353] Call Trace: [   32.143732]  ovl_encode_fh+0xd5/0x170 [   32.144031]  exportfs_encode_inode_fh+0x12f/0x300 [   32.144425]  show_mark_fhandle+0xbe/0x1f0 [   32.145805]  inotify_fdinfo+0x226/0x2d0 [   32.146442]  inotify_show_fdinfo+0x1c5/0x350 [   32.147168]  seq_show+0x530/0x6f0 [   32.147449]  seq_read_iter+0x503/0x12a0 [   32.148419]  seq_read+0x31f/0x410 [   32.150714]  vfs_read+0x1f0/0x9e0 [   32.152297]  ksys_read+0x125/0x240  IOW ovl_check_encode_origin 
derefs inode->i_sb->s_root, after it was set to NULL in the unmount path.  Fix it by protecting calling exportfs_encode_fid() from show_mark_fhandle() with s_umount lock.  This form of fix was suggested by Amir in [1].  [1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40238",
                        "url": "https://ubuntu.com/security/CVE-2025-40238",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5: Fix IPsec cleanup over MPV device  When we do mlx5e_detach_netdev() we eventually disable blocking events notifier, among those events are IPsec MPV events from IB to core.  So before disabling those blocking events, make sure to also unregister the devcom device and mark all this device operations as complete, in order to prevent the other device from using invalid netdev during future devcom events which could cause the trace below.  BUG: kernel NULL pointer dereference, address: 0000000000000010 PGD 146427067 P4D 146427067 PUD 146488067 PMD 0 Oops: Oops: 0000 [#1] SMP CPU: 1 UID: 0 PID: 7735 Comm: devlink Tainted: GW 6.12.0-rc6_for_upstream_min_debug_2024_11_08_00_46 #1 Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core] Code: 00 01 48 83 05 23 32 1e 00 01 41 b8 ed ff ff ff e9 60 ff ff ff 48 83 05 00 32 1e 00 01 eb e3 66 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 47 10 48 83 05 5f 32 1e 00 01 48 8b 50 40 48 85 d2 74 05 40 RSP: 0018:ffff88811a5c35f8 EFLAGS: 00010206 RAX: ffff888106e8ab80 RBX: ffff888107d7e200 RCX: ffff88810d6f0a00 RDX: ffff88810d6f0a00 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff88811a17e620 R08: 0000000000000040 R09: 0000000000000000 R10: ffff88811a5c3618 R11: 0000000de85d51bd R12: ffff88811a17e600 R13: ffff88810d6f0a00 R14: 0000000000000000 R15: ffff8881034bda80 FS:  00007f27bdf89180(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000010f159005 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  <TASK>  ? __die+0x20/0x60  ? page_fault_oops+0x150/0x3e0  ? exc_page_fault+0x74/0x130  ? 
asm_exc_page_fault+0x22/0x30  ? mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core]  mlx5e_devcom_event_mpv+0x42/0x60 [mlx5_core]  mlx5_devcom_send_event+0x8c/0x170 [mlx5_core]  blocking_event+0x17b/0x230 [mlx5_core]  notifier_call_chain+0x35/0xa0  blocking_notifier_call_chain+0x3d/0x60  mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]  mlx5_core_mp_event_replay+0x12/0x20 [mlx5_core]  mlx5_ib_bind_slave_port+0x228/0x2c0 [mlx5_ib]  mlx5_ib_stage_init_init+0x664/0x9d0 [mlx5_ib]  ? idr_alloc_cyclic+0x50/0xb0  ? __kmalloc_cache_noprof+0x167/0x340  ? __kmalloc_noprof+0x1a7/0x430  __mlx5_ib_add+0x34/0xd0 [mlx5_ib]  mlx5r_probe+0xe9/0x310 [mlx5_ib]  ? kernfs_add_one+0x107/0x150  ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib]  auxiliary_bus_probe+0x3e/0x90  really_probe+0xc5/0x3a0  ? driver_probe_device+0x90/0x90  __driver_probe_device+0x80/0x160  driver_probe_device+0x1e/0x90  __device_attach_driver+0x7d/0x100  bus_for_each_drv+0x80/0xd0  __device_attach+0xbc/0x1f0  bus_probe_device+0x86/0xa0  device_add+0x62d/0x830  __auxiliary_device_add+0x3b/0xa0  ? auxiliary_device_init+0x41/0x90  add_adev+0xd1/0x150 [mlx5_core]  mlx5_rescan_drivers_locked+0x21c/0x300 [mlx5_core]  esw_mode_change+0x6c/0xc0 [mlx5_core]  mlx5_devlink_eswitch_mode_set+0x21e/0x640 [mlx5_core]  devlink_nl_eswitch_set_doit+0x60/0xe0  genl_family_rcv_msg_doit+0xd0/0x120  genl_rcv_msg+0x180/0x2b0  ? devlink_get_from_attrs_lock+0x170/0x170  ? devlink_nl_eswitch_get_doit+0x290/0x290  ? devlink_nl_pre_doit_port_optional+0x50/0x50  ? genl_family_rcv_msg_dumpit+0xf0/0xf0  netlink_rcv_skb+0x54/0x100  genl_rcv+0x24/0x40  netlink_unicast+0x1fc/0x2d0  netlink_sendmsg+0x1e4/0x410  __sock_sendmsg+0x38/0x60  ? sockfd_lookup_light+0x12/0x60  __sys_sendto+0x105/0x160  ? 
__sys_recvmsg+0x4e/0x90  __x64_sys_sendto+0x20/0x30  do_syscall_64+0x4c/0x100  entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f27bc91b13a Code: bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 fa 96 2c 00 45 89 c9 4c 63 d1 48 63 ff 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40239",
                        "url": "https://ubuntu.com/security/CVE-2025-40239",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: phy: micrel: always set shared->phydev for LAN8814  Currently, during the LAN8814 PTP probe shared->phydev is only set if PTP clock gets actually set, otherwise the function will return before setting it.  This is an issue as shared->phydev is unconditionally being used when IRQ is being handled, especially in lan8814_gpio_process_cap and since it was not set it will cause a NULL pointer exception and crash the kernel.  So, simply always set shared->phydev to avoid the NULL pointer exception.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40240",
                        "url": "https://ubuntu.com/security/CVE-2025-40240",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: avoid NULL dereference when chunk data buffer is missing  chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only.  chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40241",
                        "url": "https://ubuntu.com/security/CVE-2025-40241",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: fix crafted invalid cases for encoded extents  Robert recently reported two corrupted images that can cause system crashes, which are related to the new encoded extents introduced in Linux 6.15:    - The first one [1] has plen != 0 (e.g. plen == 0x2000000) but     (plen & Z_EROFS_EXTENT_PLEN_MASK) == 0. It is used to represent     special extents such as sparse extents (!EROFS_MAP_MAPPED), but     previously only plen == 0 was handled;    - The second one [2] has pa 0xffffffffffdcffed and plen 0xb4000,     then \"cur [0xfffffffffffff000] += bvec.bv_len [0x1000]\" in     \"} while ((cur += bvec.bv_len) < end);\" wraps around, causing an     out-of-bound access of pcl->compressed_bvecs[] in     z_erofs_submit_queue().  EROFS only supports 48-bit physical block     addresses (up to 1EiB for 4k blocks), so add a sanity check to     enforce this.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40242",
                        "url": "https://ubuntu.com/security/CVE-2025-40242",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gfs2: Fix unlikely race in gdlm_put_lock  In gdlm_put_lock(), there is a small window of time in which the DFL_UNMOUNT flag has been set but the lockspace hasn't been released, yet.  In that window, dlm may still call gdlm_ast() and gdlm_bast(). To prevent it from dereferencing freed glock objects, only free the glock if the lockspace has actually been released.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40243",
                        "url": "https://ubuntu.com/security/CVE-2025-40243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()  The syzbot reported issue in hfs_find_set_zero_bits():  ===================================================== BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45  hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45  hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151  hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408  hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353  __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151  block_write_begin fs/buffer.c:2262 [inline]  cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601  hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52  cont_expand_zero fs/buffer.c:2528 [inline]  cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591  hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52  hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494  hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654  notify_change+0x1993/0x1aa0 fs/attr.c:552  do_truncate+0x28f/0x310 fs/open.c:68  do_ftruncate+0x698/0x730 fs/open.c:195  do_sys_ftruncate fs/open.c:210 [inline]  __do_sys_ftruncate fs/open.c:215 [inline]  __se_sys_ftruncate fs/open.c:213 [inline]  __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213  x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Uninit was created at:  slab_post_alloc_hook mm/slub.c:4154 [inline]  slab_alloc_node mm/slub.c:4197 [inline]  __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354  kmalloc_noprof include/linux/slab.h:905 [inline]  hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175  hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337  get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681  get_tree_bdev+0x38/0x50 fs/super.c:1704  hfs_get_tree+0x35/0x40 fs/hfs/super.c:388  vfs_get_tree+0xb0/0x5c0 
fs/super.c:1804  do_new_mount+0x738/0x1610 fs/namespace.c:3902  path_mount+0x6db/0x1e90 fs/namespace.c:4226  do_mount fs/namespace.c:4239 [inline]  __do_sys_mount fs/namespace.c:4450 [inline]  __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427  __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427  x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 =====================================================  The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get():  HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);  Finally, it can trigger the reported issue because kmalloc() doesn't clear the allocated memory. If allocated memory contains only zeros, then everything will work pretty fine. But if the allocated memory contains the \"garbage\", then it can affect the bitmap operations and it triggers the reported issue.  This patch simply exchanges the kmalloc() on kzalloc() with the goal to guarantee the correctness of bitmap operations. Because, newly created allocation bitmap should have all available blocks free. Potentially, initialization bitmap's read operation could not fill the whole allocated memory and \"garbage\" in the not initialized memory will be the reason of volume coruptions and file system driver bugs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40244",
                        "url": "https://ubuntu.com/security/CVE-2025-40244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()  The syzbot reported issue in __hfsplus_ext_cache_extent():  [   70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.195022][ T9350]  __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.195530][ T9350]  hfsplus_file_extend+0x74f/0x1cf0 [   70.195998][ T9350]  hfsplus_get_block+0xe16/0x17b0 [   70.196458][ T9350]  __block_write_begin_int+0x962/0x2ce0 [   70.196959][ T9350]  cont_write_begin+0x1000/0x1950 [   70.197416][ T9350]  hfsplus_write_begin+0x85/0x130 [   70.197873][ T9350]  generic_perform_write+0x3e8/0x1060 [   70.198374][ T9350]  __generic_file_write_iter+0x215/0x460 [   70.198892][ T9350]  generic_file_write_iter+0x109/0x5e0 [   70.199393][ T9350]  vfs_write+0xb0f/0x14e0 [   70.199771][ T9350]  ksys_write+0x23e/0x490 [   70.200149][ T9350]  __x64_sys_write+0x97/0xf0 [   70.200570][ T9350]  x64_sys_call+0x3015/0x3cf0 [   70.201065][ T9350]  do_syscall_64+0xd9/0x1d0 [   70.201506][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [   70.202054][ T9350] [   70.202279][ T9350] Uninit was created at: [   70.202693][ T9350]  __kmalloc_noprof+0x621/0xf80 [   70.203149][ T9350]  hfsplus_find_init+0x8d/0x1d0 [   70.203602][ T9350]  hfsplus_file_extend+0x6ca/0x1cf0 [   70.204087][ T9350]  hfsplus_get_block+0xe16/0x17b0 [   70.204561][ T9350]  __block_write_begin_int+0x962/0x2ce0 [   70.205074][ T9350]  cont_write_begin+0x1000/0x1950 [   70.205547][ T9350]  hfsplus_write_begin+0x85/0x130 [   70.206017][ T9350]  generic_perform_write+0x3e8/0x1060 [   70.206519][ T9350]  __generic_file_write_iter+0x215/0x460 [   70.207042][ T9350]  generic_file_write_iter+0x109/0x5e0 [   70.207552][ T9350]  vfs_write+0xb0f/0x14e0 [   70.207961][ T9350]  ksys_write+0x23e/0x490 [   70.208375][ T9350]  __x64_sys_write+0x97/0xf0 [   70.208810][ T9350]  
x64_sys_call+0x3015/0x3cf0 [   70.209255][ T9350]  do_syscall_64+0xd9/0x1d0 [   70.209680][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [   70.210230][ T9350] [   70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5 [   70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [   70.212115][ T9350] ===================================================== [   70.212734][ T9350] Disabling lock debugging due to kernel taint [   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ... [   70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G    B             6.12.0-rc5 #5 [   70.214679][ T9350] Tainted: [B]=BAD_PAGE [   70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [   70.215999][ T9350] Call Trace: [   70.216309][ T9350]  <TASK> [   70.216585][ T9350]  dump_stack_lvl+0x1fd/0x2b0 [   70.217025][ T9350]  dump_stack+0x1e/0x30 [   70.217421][ T9350]  panic+0x502/0xca0 [   70.217803][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0  [   70.218294][ Message fromT sy9350]  kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...  kernel :[   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [  70.220179][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0 set ... [   70.221254][ T9350]  ? __msan_warning+0x96/0x120 [   70.222066][ T9350]  ? __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.223023][ T9350]  ? hfsplus_file_extend+0x74f/0x1cf0 [   70.224120][ T9350]  ? hfsplus_get_block+0xe16/0x17b0 [   70.224946][ T9350]  ? __block_write_begin_int+0x962/0x2ce0 [   70.225756][ T9350]  ? cont_write_begin+0x1000/0x1950 [   70.226337][ T9350]  ? hfsplus_write_begin+0x85/0x130 [   70.226852][ T9350]  ? generic_perform_write+0x3e8/0x1060 [   70.227405][ T9350]  ? __generic_file_write_iter+0x215/0x460 [   70.227979][ T9350]  ? generic_file_write_iter+0x109/0x5e0 [   70.228540][ T9350]  ? 
vfs_write+0xb0f/0x14e0 [   70.228997][ T9350]  ? ksys_write+0x23e/0x490 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40245",
                        "url": "https://ubuntu.com/security/CVE-2025-40245",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nios2: ensure that memblock.current_limit is set when setting pfn limits  On nios2, with CONFIG_FLATMEM set, the kernel relies on memblock_get_current_limit() to determine the limits of mem_map, in particular for max_low_pfn. Unfortunately, memblock.current_limit is only default initialized to MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading to situations where max_low_pfn can erroneously exceed the value of max_pfn and, thus, the valid range of available DRAM.  This can in turn cause kernel-level paging failures, e.g.:  [   76.900000] Unable to handle kernel paging request at virtual address 20303000 [   76.900000] ea = c0080890, ra = c000462c, cause = 14 [   76.900000] Kernel panic - not syncing: Oops [   76.900000] ---[ end Kernel panic - not syncing: Oops ]---  This patch fixes this by pre-calculating memblock.current_limit based on the upper limits of the available memory ranges via adjust_lowmem_bounds, a simplified version of the equivalent implementation within the arm architecture.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40086",
                        "url": "https://ubuntu.com/security/CVE-2025-40086",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Don't allow evicting of BOs in same VM in array of VM binds  An array of VM binds can potentially evict other buffer objects (BOs) within the same VM under certain conditions, which may lead to NULL pointer dereferences later in the bind pipeline. To prevent this, clear the allow_res_evict flag in the xe_bo_validate call.  v2:  - Invert polarity of no_res_evict (Thomas)  - Add comment in code explaining issue (Thomas)  (cherry picked from commit 8b9ba8d6d95fe75fed6b0480bb03da4b321bea08)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40087",
                        "url": "https://ubuntu.com/security/CVE-2025-40087",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define a proc_layoutcommit for the FlexFiles layout type  Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40088",
                        "url": "https://ubuntu.com/security/CVE-2025-40088",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()  The hfsplus_strcasecmp() logic can trigger the issue:  [  117.317703][ T9855] ================================================================== [  117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490 [  117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855 [  117.319577][ T9855] [  117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full) [  117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [  117.319783][ T9855] Call Trace: [  117.319785][ T9855]  <TASK> [  117.319788][ T9855]  dump_stack_lvl+0x1c1/0x2a0 [  117.319795][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319803][ T9855]  ? __pfx_dump_stack_lvl+0x10/0x10 [  117.319808][ T9855]  ? rcu_is_watching+0x15/0xb0 [  117.319816][ T9855]  ? lock_release+0x4b/0x3e0 [  117.319821][ T9855]  ? __kasan_check_byte+0x12/0x40 [  117.319828][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319835][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319842][ T9855]  print_report+0x17e/0x7e0 [  117.319848][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319855][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319862][ T9855]  ? __phys_addr+0xd3/0x180 [  117.319869][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319876][ T9855]  kasan_report+0x147/0x180 [  117.319882][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319891][ T9855]  hfsplus_strcasecmp+0x1bc/0x490 [  117.319900][ T9855]  ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10 [  117.319906][ T9855]  hfs_find_rec_by_key+0xa9/0x1e0 [  117.319913][ T9855]  __hfsplus_brec_find+0x18e/0x470 [  117.319920][ T9855]  ? __pfx_hfsplus_bnode_find+0x10/0x10 [  117.319926][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319933][ T9855]  ? 
__pfx___hfsplus_brec_find+0x10/0x10 [  117.319942][ T9855]  hfsplus_brec_find+0x28f/0x510 [  117.319949][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319956][ T9855]  ? __pfx_hfsplus_brec_find+0x10/0x10 [  117.319963][ T9855]  ? __kmalloc_noprof+0x2a9/0x510 [  117.319969][ T9855]  ? hfsplus_find_init+0x8c/0x1d0 [  117.319976][ T9855]  hfsplus_brec_read+0x2b/0x120 [  117.319983][ T9855]  hfsplus_lookup+0x2aa/0x890 [  117.319990][ T9855]  ? __pfx_hfsplus_lookup+0x10/0x10 [  117.320003][ T9855]  ? d_alloc_parallel+0x2f0/0x15e0 [  117.320008][ T9855]  ? __lock_acquire+0xaec/0xd80 [  117.320013][ T9855]  ? __pfx_d_alloc_parallel+0x10/0x10 [  117.320019][ T9855]  ? __raw_spin_lock_init+0x45/0x100 [  117.320026][ T9855]  ? __init_waitqueue_head+0xa9/0x150 [  117.320034][ T9855]  __lookup_slow+0x297/0x3d0 [  117.320039][ T9855]  ? __pfx___lookup_slow+0x10/0x10 [  117.320045][ T9855]  ? down_read+0x1ad/0x2e0 [  117.320055][ T9855]  lookup_slow+0x53/0x70 [  117.320065][ T9855]  walk_component+0x2f0/0x430 [  117.320073][ T9855]  path_lookupat+0x169/0x440 [  117.320081][ T9855]  filename_lookup+0x212/0x590 [  117.320089][ T9855]  ? __pfx_filename_lookup+0x10/0x10 [  117.320098][ T9855]  ? strncpy_from_user+0x150/0x290 [  117.320105][ T9855]  ? getname_flags+0x1e5/0x540 [  117.320112][ T9855]  user_path_at+0x3a/0x60 [  117.320117][ T9855]  __x64_sys_umount+0xee/0x160 [  117.320123][ T9855]  ? __pfx___x64_sys_umount+0x10/0x10 [  117.320129][ T9855]  ? do_syscall_64+0xb7/0x3a0 [  117.320135][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320141][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320145][ T9855]  do_syscall_64+0xf3/0x3a0 [  117.320150][ T9855]  ? 
exc_page_fault+0x9f/0xf0 [  117.320154][ T9855]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320158][ T9855] RIP: 0033:0x7f7dd7908b07 [  117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08 [  117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40162",
                        "url": "https://ubuntu.com/security/CVE-2025-40162",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails  devm_kasprintf() may return NULL on memory allocation failure, but the debug message prints cpus->dai_name before checking it. Move the dev_dbg() call after the NULL check to prevent potential NULL pointer dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40085",
                        "url": "https://ubuntu.com/security/CVE-2025-40085",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card  In try_to_register_card(), the return value of usb_ifnum_to_if() is passed directly to usb_interface_claimed() without a NULL check, which will lead to a NULL pointer dereference when creating an invalid USB audio device. Fix this by adding a check to ensure the interface pointer is valid before passing it to usb_interface_claimed().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40172",
                        "url": "https://ubuntu.com/security/CVE-2025-40172",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()  Currently, if find_and_map_user_pages() takes a DMA xfer request from the user with a length field set to 0, or in a rare case, the host receives QAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size is equal to the requested transaction size, the function will return 0 before allocating an sgt or setting the fields of the dma_xfer struct. In that case, encode_addr_size_pairs() will try to access the sgt which will lead to a general protection fault.  Return an EINVAL in case the user provides a zero-sized ALP, or the device requests continuation after all of the bytes have been transferred.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40177",
                        "url": "https://ubuntu.com/security/CVE-2025-40177",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/qaic: Fix bootlog initialization ordering  As soon as we queue MHI buffers to receive the bootlog from the device, we could be receiving data. Therefore all the resources needed to process that data need to be setup prior to queuing the buffers.  We currently initialize some of the resources after queuing the buffers which creates a race between the probe() and any data that comes back from the device. If the uninitialized resources are accessed, we could see page faults.  Fix the init ordering to close the race.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40163",
                        "url": "https://ubuntu.com/security/CVE-2025-40163",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched/deadline: Stop dl_server before CPU goes offline  IBM CI tool reported kernel warning[1] when running a CPU removal operation through drmgr[2]. i.e \"drmgr -c cpu -r -q 1\"  WARNING: CPU: 0 PID: 0 at kernel/sched/cpudeadline.c:219 cpudl_set+0x58/0x170 NIP [c0000000002b6ed8] cpudl_set+0x58/0x170 LR [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 Call Trace: [c000000002c2f8c0] init_stack+0x78c0/0x8000 (unreliable) [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 [c00000000034df84] __hrtimer_run_queues+0x1a4/0x390 [c00000000034f624] hrtimer_interrupt+0x124/0x300 [c00000000002a230] timer_interrupt+0x140/0x320  Git bisects to: commit 4ae8d9aa9f9d (\"sched/deadline: Fix dl_server getting stuck\")  This happens since: - dl_server hrtimer gets enqueued close to cpu offline, when   kthread_park enqueues a fair task. - CPU goes offline and drmgr removes it from cpu_present_mask. - hrtimer fires and warning is hit.  Fix it by stopping the dl_server before CPU is marked dead.  [1]: https://lore.kernel.org/all/8218e149-7718-4432-9312-f97297c352b9@linux.ibm.com/ [2]: https://github.com/ibm-power-utilities/powerpc-utils/tree/next/src/drmgr  [sshegde: wrote the changelog and tested it]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40174",
                        "url": "https://ubuntu.com/security/CVE-2025-40174",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/mm: Fix SMP ordering in switch_mm_irqs_off()  Stephen noted that it is possible to not have an smp_mb() between the loaded_mm store and the tlb_gen load in switch_mm(), meaning the ordering against flush_tlb_mm_range() goes out the window, and it becomes possible for switch_mm() to not observe a recent tlb_gen update and fail to flush the TLBs.  [ dhansen: merge conflict fixed by Ingo ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40089",
                        "url": "https://ubuntu.com/security/CVE-2025-40089",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cxl/features: Add check for no entries in cxl_feature_info  cxl EDAC calls cxl_feature_info() to get the feature information and if the hardware has no Features support, cxlfs may be passed in as NULL.  [   51.957498] BUG: kernel NULL pointer dereference, address: 0000000000000008 [   51.965571] #PF: supervisor read access in kernel mode [   51.971559] #PF: error_code(0x0000) - not-present page [   51.977542] PGD 17e4f6067 P4D 0 [   51.981384] Oops: Oops: 0000 [#1] SMP NOPTI [   51.986300] CPU: 49 UID: 0 PID: 3782 Comm: systemd-udevd Not tainted 6.17.0dj test+ #64 PREEMPT(voluntary) [   51.997355] Hardware name: <removed> [   52.009790] RIP: 0010:cxl_feature_info+0xa/0x80 [cxl_core]  Add a check for cxlfs before dereferencing it and return -EOPNOTSUPP if there is no cxlfs created due to no hardware support.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40176",
                        "url": "https://ubuntu.com/security/CVE-2025-40176",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tls: wait for pending async decryptions if tls_strp_msg_hold fails  Async decryption calls tls_strp_msg_hold to create a clone of the input skb to hold references to the memory it uses. If we fail to allocate that clone, proceeding with async decryption can lead to various issues (UAF on the skb, writing into userspace memory after the recv() call has returned).  In this case, wait for all pending decryption requests.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40164",
                        "url": "https://ubuntu.com/security/CVE-2025-40164",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: Fix using smp_processor_id() in preemptible code warnings  Syzbot reported the following warning:  BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879 caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary) Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120  check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49  usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331  usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708  usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417  __dev_set_mtu net/core/dev.c:9443 [inline]  netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496  netif_set_mtu+0xb0/0x160 net/core/dev.c:9520  dev_set_mtu+0xae/0x170 net/core/dev_api.c:247  dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572  dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821  sock_do_ioctl+0x19d/0x280 net/socket.c:1204  sock_ioctl+0x42f/0x6a0 net/socket.c:1311  vfs_ioctl fs/ioctl.c:51 [inline]  __do_sys_ioctl fs/ioctl.c:906 [inline]  __se_sys_ioctl fs/ioctl.c:892 [inline]  __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  For historical and portability reasons, the netif_rx() is usually run in the softirq or interrupt context, this commit therefore add local_bh_disable/enable() protection in the usbnet_resume_rx().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40091",
                        "url": "https://ubuntu.com/security/CVE-2025-40091",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ixgbe: fix too early devlink_free() in ixgbe_remove()  Since ixgbe_adapter is embedded in devlink, calling devlink_free() prematurely in the ixgbe_remove() path can lead to UAF. Move devlink_free() to the end.  KASAN report:   BUG: KASAN: use-after-free in ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]  Read of size 8 at addr ffff0000adf813e0 by task bash/2095  CPU: 1 UID: 0 PID: 2095 Comm: bash Tainted: G S 6.17.0-rc2-tnguy.net-queue+ #1 PREEMPT(full)  [...]  Call trace:   show_stack+0x30/0x90 (C)   dump_stack_lvl+0x9c/0xd0   print_address_description.constprop.0+0x90/0x310   print_report+0x104/0x1f0   kasan_report+0x88/0x180   __asan_report_load8_noabort+0x20/0x30   ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]   ixgbe_clear_interrupt_scheme+0xf8/0x130 [ixgbe]   ixgbe_remove+0x2d0/0x8c0 [ixgbe]   pci_device_remove+0xa0/0x220   device_remove+0xb8/0x170   device_release_driver_internal+0x318/0x490   device_driver_detach+0x40/0x68   unbind_store+0xec/0x118   drv_attr_store+0x64/0xb8   sysfs_kf_write+0xcc/0x138   kernfs_fop_write_iter+0x294/0x440   new_sync_write+0x1fc/0x588   vfs_write+0x480/0x6a0   ksys_write+0xf0/0x1e0   __arm64_sys_write+0x70/0xc0   invoke_syscall.constprop.0+0xcc/0x280   el0_svc_common.constprop.0+0xa8/0x248   do_el0_svc+0x44/0x68   el0_svc+0x54/0x160   el0t_64_sync_handler+0xa0/0xe8   el0t_64_sync+0x1b0/0x1b8",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40175",
                        "url": "https://ubuntu.com/security/CVE-2025-40175",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  idpf: cleanup remaining SKBs in PTP flows  When the driver requests Tx timestamp value, one of the first steps is to clone SKB using skb_get. It increases the reference counter for that SKB to prevent unexpected freeing by another component. However, there may be a case where the index is requested, SKB is assigned and never consumed by PTP flows - for example due to reset during running PTP apps.  Add a check in release timestamping function to verify if the SKB assigned to Tx timestamp latch was freed, and release remaining SKBs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40173",
                        "url": "https://ubuntu.com/security/CVE-2025-40173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ip6_tunnel: Prevent perpetual tunnel growth  Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd (\"net: ip_tunnel: prevent perpetual headroom growth\"), ipv6 tunnel yet increases the headroom without any ceiling.  Reflect ipv4 tunnel headroom adjustment limit on ipv6 version.  Credits to Francesco Ruggeri, who was originally debugging this issue and wrote local Arista-specific patch and a reproducer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40092",
                        "url": "https://ubuntu.com/security/CVE-2025-40092",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ncm: Refactor bind path to use __free()  After a bind/unbind cycle, the ncm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  ncm_bind+0x39c/0x3dc  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40093",
                        "url": "https://ubuntu.com/security/CVE-2025-40093",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ecm: Refactor bind path to use __free()  After a bind/unbind cycle, the ecm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40094",
                        "url": "https://ubuntu.com/security/CVE-2025-40094",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_acm: Refactor bind path to use __free()  After a bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  gs_free_req+0x30/0x44  acm_bind+0x1b8/0x1f4  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40095",
                        "url": "https://ubuntu.com/security/CVE-2025-40095",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_rndis: Refactor bind path to use __free()  After a bind/unbind cycle, the rndis->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40165",
                        "url": "https://ubuntu.com/security/CVE-2025-40165",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: nxp: imx8-isi: m2m: Fix streaming cleanup on release  If streamon/streamoff calls are imbalanced, such as when exiting an application with Ctrl+C when streaming, the m2m usage_count will never reach zero and the ISI channel won't be freed. Besides from that, if the input line width is more than 2K, it will trigger a WARN_ON():  [ 59.222120] ------------[ cut here ]------------ [ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654 [ 59.238569] Modules linked in: ap1302 [ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT [ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT) [ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120 [ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120 [ 59.275047] sp : ffff8000848c3b40 [ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00 [ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001 [ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780 [ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000 [ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c [ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 [ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30 [ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420 [ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000 [ 59.349590] Call trace: [ 59.352025]  mxc_isi_channel_chain+0xa4/0x120 (P) [ 59.356722]  mxc_isi_m2m_streamon+0x160/0x20c [ 59.361072]  
v4l_streamon+0x24/0x30 [ 59.364556]  __video_do_ioctl+0x40c/0x4a0 [ 59.368560]  video_usercopy+0x2bc/0x690 [ 59.372382]  video_ioctl2+0x18/0x24 [ 59.375857]  v4l2_ioctl+0x40/0x60 [ 59.379168]  __arm64_sys_ioctl+0xac/0x104 [ 59.383172]  invoke_syscall+0x48/0x104 [ 59.386916]  el0_svc_common.constprop.0+0xc0/0xe0 [ 59.391613]  do_el0_svc+0x1c/0x28 [ 59.394915]  el0_svc+0x34/0xf4 [ 59.397966]  el0t_64_sync_handler+0xa0/0xe4 [ 59.402143]  el0t_64_sync+0x198/0x19c [ 59.405801] ---[ end trace 0000000000000000 ]---  Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the v4l2_m2m_ioctl_streamon() and v4l2_m2m_ioctl_streamoff() helpers.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40096",
                        "url": "https://ubuntu.com/security/CVE-2025-40096",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies  When adding dependencies with drm_sched_job_add_dependency(), that function consumes the fence reference both on success and failure, so in the latter case the dma_fence_put() on the error path (xarray failed to expand) is a double free.  Interestingly this bug appears to have been present ever since commit ebd5f74255b9 (\"drm/sched: Add dependency tracking\"), since the code back then looked like this:  drm_sched_job_add_implicit_dependencies(): ...        for (i = 0; i < fence_count; i++) {                ret = drm_sched_job_add_dependency(job, fences[i]);                if (ret)                        break;        }         for (; i < fence_count; i++)                dma_fence_put(fences[i]);  Which means for the failing 'i' the dma_fence_put was already a double free. Possibly there were no users at that time, or the test cases were insufficient to hit it.  The bug was then only noticed and fixed after commit 9c2ba265352a (\"drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2\") landed, with its fixup of commit 4eaf02d6076c (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies\").  At that point it was a slightly different flavour of a double free, which commit 963d0b356935 (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder\") noticed and attempted to fix.  But it only moved the double free from happening inside the drm_sched_job_add_dependency(), when releasing the reference not yet obtained, to the caller, when releasing the reference already released by the former in the failure case.  As such it is not easy to identify the right target for the fixes tag so lets keep it simple and just continue the chain.  While fixing we also improve the comment and explain the reason for taking the reference and not dropping it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40097",
                        "url": "https://ubuntu.com/security/CVE-2025-40097",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda: Fix missing pointer check in hda_component_manager_init function  The __component_match_add function may assign the 'matchptr' pointer the value ERR_PTR(-ENOMEM), which will subsequently be dereferenced.  The call stack leading to the error looks like this:  hda_component_manager_init |-> component_match_add     |-> component_match_add_release         |-> __component_match_add ( ... ,**matchptr, ... )             |-> *matchptr = ERR_PTR(-ENOMEM);       // assign |-> component_master_add_with_match( ...  match)     |-> component_match_realloc(match, match->num); // dereference  Add IS_ERR() check to prevent the crash.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40098",
                        "url": "https://ubuntu.com/security/CVE-2025-40098",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state()  Return value of a function acpi_evaluate_dsm() is dereferenced  without checking for NULL, but it is usually checked for this function.  acpi_evaluate_dsm() may return NULL, when acpi_evaluate_object() returns acpi_status other than ACPI_SUCCESS, so add a check to prevent the crash.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40099",
                        "url": "https://ubuntu.com/security/CVE-2025-40099",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cifs: parse_dfs_referrals: prevent oob on malformed input  Malicious SMB server can send invalid reply to FSCTL_DFS_GET_REFERRALS  - reply smaller than sizeof(struct get_dfs_referral_rsp) - reply with number of referrals smaller than NumberOfReferrals in the header  Processing of such replies will cause oob.  Return -EINVAL error on such replies to prevent oob-s.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40100",
                        "url": "https://ubuntu.com/security/CVE-2025-40100",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: do not assert we found block group item when creating free space tree  Currently, when building a free space tree at populate_free_space_tree(), if we are not using the block group tree feature, we always expect to find block group items (either extent items or a block group item with key type BTRFS_BLOCK_GROUP_ITEM_KEY) when we search the extent tree with btrfs_search_slot_for_read(), so we assert that we found an item. However this expectation is wrong since we can have a new block group created in the current transaction which is still empty and for which we still have not added the block group's item to the extent tree, in which case we do not have any items in the extent tree associated to the block group.  The insertion of a new block group's block group item in the extent tree happens at btrfs_create_pending_block_groups() when it calls the helper insert_block_group_item(). This typically is done when a transaction handle is released, committed or when running delayed refs (either as part of a transaction commit or when serving tickets for space reservation if we are low on free space).  So remove the assertion at populate_free_space_tree() even when the block group tree feature is not enabled and update the comment to mention this case.  Syzbot reported this with the following stack trace:    BTRFS info (device loop3 state M): rebuilding free space tree   assertion failed: ret == 0 :: 0, in fs/btrfs/free-space-tree.c:1115   ------------[ cut here ]------------   kernel BUG at fs/btrfs/free-space-tree.c:1115!   Oops: invalid opcode: 0000 [#1] SMP KASAN PTI   CPU: 1 UID: 0 PID: 6352 Comm: syz.3.25 Not tainted syzkaller #0 PREEMPT(full)   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025   RIP: 0010:populate_free_space_tree+0x700/0x710 fs/btrfs/free-space-tree.c:1115   Code: ff ff e8 d3 (...)   
RSP: 0018:ffffc9000430f780 EFLAGS: 00010246   RAX: 0000000000000043 RBX: ffff88805b709630 RCX: fea61d0e2e79d000   RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000   RBP: ffffc9000430f8b0 R08: ffffc9000430f4a7 R09: 1ffff92000861e94   R10: dffffc0000000000 R11: fffff52000861e95 R12: 0000000000000001   R13: 1ffff92000861f00 R14: dffffc0000000000 R15: 0000000000000000   FS:  00007f424d9fe6c0(0000) GS:ffff888125afc000(0000) knlGS:0000000000000000   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   CR2: 00007fd78ad212c0 CR3: 0000000076d68000 CR4: 00000000003526f0   Call Trace:    <TASK>    btrfs_rebuild_free_space_tree+0x1ba/0x6d0 fs/btrfs/free-space-tree.c:1364    btrfs_start_pre_rw_mount+0x128f/0x1bf0 fs/btrfs/disk-io.c:3062    btrfs_remount_rw fs/btrfs/super.c:1334 [inline]    btrfs_reconfigure+0xaed/0x2160 fs/btrfs/super.c:1559    reconfigure_super+0x227/0x890 fs/super.c:1076    do_remount fs/namespace.c:3279 [inline]    path_mount+0xd1a/0xfe0 fs/namespace.c:4027    do_mount fs/namespace.c:4048 [inline]    __do_sys_mount fs/namespace.c:4236 [inline]    __se_sys_mount+0x313/0x410 fs/namespace.c:4213    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    RIP: 0033:0x7f424e39066a   Code: d8 64 89 02 (...)   RSP: 002b:00007f424d9fde68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5   RAX: ffffffffffffffda RBX: 00007f424d9fdef0 RCX: 00007f424e39066a   RDX: 0000200000000180 RSI: 0000200000000380 RDI: 0000000000000000   RBP: 0000200000000180 R08: 00007f424d9fdef0 R09: 0000000000000020   R10: 0000000000000020 R11: 0000000000000246 R12: 0000200000000380   R13: 00007f424d9fdeb0 R14: 0000000000000000 R15: 00002000000002c0    </TASK>   Modules linked in:   ---[ end trace 0000000000000000 ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40101",
                        "url": "https://ubuntu.com/security/CVE-2025-40101",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST  At the end of btrfs_load_block_group_zone_info() the first thing we do is to ensure that if the mapping type is not a SINGLE one and there is no RAID stripe tree, then we return early with an error.  Doing that, though, prevents the code from running the last calls from this function which are about freeing memory allocated during its run. Hence, in this case, instead of returning early, we set the ret value and fall through the rest of the cleanup code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40167",
                        "url": "https://ubuntu.com/security/CVE-2025-40167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: detect invalid INLINE_DATA + EXTENTS flag combination  syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal.  The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set:      EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:     comm syz.0.17: corrupted extent tree: lblk 0 < prev 66  Investigation revealed that the inode has both flags set:     DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1  This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks  Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes.  Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40102",
                        "url": "https://ubuntu.com/security/CVE-2025-40102",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Prevent access to vCPU events before init  Another day, another syzkaller bug. KVM erroneously allows userspace to pend vCPU events for a vCPU that hasn't been initialized yet, leading to KVM interpreting a bunch of uninitialized garbage for routing / injecting the exception.  In one case the injection code and the hyp disagree on whether the vCPU has a 32bit EL1 and put the vCPU into an illegal mode for AArch64, tripping the BUG() in exception_target_el() during the next injection:    kernel BUG at arch/arm64/kvm/inject_fault.c:40!   Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP   CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT   Hardware name: linux,dummy-virt (DT)   pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)   pc : exception_target_el+0x88/0x8c   lr : pend_serror_exception+0x18/0x13c   sp : ffff800082f03a10   x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000   x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000   x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004   x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000   x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0   x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000   x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000   x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000   x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000   x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20   Call trace:    exception_target_el+0x88/0x8c (P)    kvm_inject_serror_esr+0x40/0x3b4    __kvm_arm_vcpu_set_events+0xf0/0x100    kvm_arch_vcpu_ioctl+0x180/0x9d4    kvm_vcpu_ioctl+0x60c/0x9f4    __arm64_sys_ioctl+0xac/0x104    invoke_syscall+0x48/0x110    el0_svc_common.constprop.0+0x40/0xe0    
do_el0_svc+0x1c/0x28    el0_svc+0x34/0xf0    el0t_64_sync_handler+0xa0/0xe4    el0t_64_sync+0x198/0x19c   Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000)  Reject the ioctls outright as no sane VMM would call these before KVM_ARM_VCPU_INIT anyway. Even if it did the exception would've been thrown away by the eventual reset of the vCPU's state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40103",
                        "url": "https://ubuntu.com/security/CVE-2025-40103",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: Fix refcount leak for cifs_sb_tlink  Fix three refcount inconsistency issues related to `cifs_sb_tlink`.  Comments for `cifs_sb_tlink` state that `cifs_put_tlink()` needs to be called after successful calls to `cifs_sb_tlink()`. Three calls fail to update refcount accordingly, leading to possible resource leaks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40104",
                        "url": "https://ubuntu.com/security/CVE-2025-40104",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ixgbevf: fix mailbox API compatibility by negotiating supported features  There was backward compatibility in the terms of mailbox API. Various drivers from various OSes supporting 10G adapters from Intel portfolio could easily negotiate mailbox API.  This convention has been broken since introducing API 1.4. Commit 0062e7cc955e (\"ixgbevf: add VF IPsec offload code\") added support for IPSec which is specific only for the kernel ixgbe driver. None of the rest of the Intel 10G PF/VF drivers supports it. And actually lack of support was not included in the IPSec implementation - there were no such code paths. No possibility to negotiate support for the feature was introduced along with introduction of the feature itself.  Commit 339f28964147 (\"ixgbevf: Add support for new mailbox communication between PF and VF\") increasing API version to 1.5 did the same - it introduced code supported specifically by the PF ESX driver. It altered API version for the VF driver in the same time not touching the version defined for the PF ixgbe driver. It led to additional discrepancies, as the code provided within API 1.6 cannot be supported for Linux ixgbe driver as it causes crashes.  The issue was noticed some time ago and mitigated by Jake within the commit d0725312adf5 (\"ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5\"). As a result we have regression for IPsec support and after increasing API to version 1.6 ixgbevf driver stopped to support ESX MBX.  To fix this mess add new mailbox op asking PF driver about supported features. Basing on a response determine whether to set support for IPSec and ESX-specific enhanced mailbox.  New mailbox op, for compatibility purposes, must be added within new API revision, as API version of OOT PF & VF drivers is already increased to 1.6 and doesn't incorporate features negotiate op.  
Features negotiation mechanism gives possibility to be extended with new features when needed in the future.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40166",
                        "url": "https://ubuntu.com/security/CVE-2025-40166",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Check GuC running state before deregistering exec queue  In normal operation, a registered exec queue is disabled and deregistered through the GuC, and freed only after the GuC confirms completion. However, if the driver is forced to unbind while the exec queue is still running, the user may call exec_destroy() after the GuC has already been stopped and CT communication disabled.  In this case, the driver cannot receive a response from the GuC, preventing proper cleanup of exec queue resources. Fix this by directly releasing the resources when GuC is not running.  Here is the failure dmesg log: \" [  468.089581] ---[ end trace 0000000000000000 ]--- [  468.089608] pci 0000:03:00.0: [drm] *ERROR* GT0: GUC ID manager unclean (1/65535) [  468.090558] pci 0000:03:00.0: [drm] GT0:     total 65535 [  468.090562] pci 0000:03:00.0: [drm] GT0:     used 1 [  468.090564] pci 0000:03:00.0: [drm] GT0:     range 1..1 (1) [  468.092716] ------------[ cut here ]------------ [  468.092719] WARNING: CPU: 14 PID: 4775 at drivers/gpu/drm/xe/xe_ttm_vram_mgr.c:298 ttm_vram_mgr_fini+0xf8/0x130 [xe] \"  v2: use xe_uc_fw_is_running() instead of xe_guc_ct_enabled().     As CT may go down and come back during VF migration.  (cherry picked from commit 9b42321a02c50a12b2beb6ae9469606257fbecea)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40105",
                        "url": "https://ubuntu.com/security/CVE-2025-40105",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vfs: Don't leak disconnected dentries on umount  When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb (\"VFS: don't keep disconnected dentries on d_anon\") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitly relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are \"leaked\". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous \"Busy inodes after unmount\" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40019",
                        "url": "https://ubuntu.com/security/CVE-2025-40019",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: essiv - Check ssize for decryption and in-place encryption  Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-24 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40214",
                        "url": "https://ubuntu.com/security/CVE-2025-40214",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  af_unix: Initialise scc_index in unix_add_edge().  Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro.  The repro consists of three stages.    1)     1-a. Create a single cyclic reference with many sockets     1-b. close() all sockets     1-c. Trigger GC    2)     2-a. Pass sk-A to an embryo sk-B     2-b. Pass sk-X to sk-X     2-c. Trigger GC    3)     3-a. accept() the embryo sk-B     3-b. Pass sk-B to sk-C     3-c. close() the in-flight sk-A     3-d. Trigger GC  As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs:    unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START)   unix_sk(sk-X)->vertex->scc_index = 3  Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC.  At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices.  unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight.  3-c decrements sk-A's file refcnt to 1.  Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X:    sk-A -> sk-B (-> sk-C)   sk-X -> sk-X  This is totally fine.  All of them are not yet close()d and should be grouped into different SCCs.  However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead.    unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong!   &&   sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree                                        ^-- 1 in-flight count for sk-B   -> sk-A is dead !?  
The problem is that unix_add_edge() does not initialise scc_index.  Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c.  Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index.  This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.",
                        "cve_priority": "high",
                        "cve_public_date": "2025-12-04 13:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2137845,
                    1786013,
                    2137849,
                    1786013,
                    2136820,
                    2137698,
                    2129812,
                    2125022,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136813,
                    2132317,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2132095,
                    2131046,
                    2115860,
                    2128792,
                    2121852,
                    2131259,
                    2131259,
                    2131702,
                    2129610
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-40256",
                                "url": "https://ubuntu.com/security/CVE-2025-40256",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added  In commit b441cf3f8c4b (\"xfrm: delete x->tunnel as we delete x\"), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists.  In this situation, ->init_state has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn't go through __xfrm_state_delete, so we don't call xfrm_state_delete_tunnel for those states, and we end up leaking the FB tunnel.  There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrm_migrate, xfrm_state_migrate). A \"proper\" rollback of the init_state work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved.  At some point, the new (not-inserted) state will be destroyed, so call xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states will have their fallback tunnel cleaned up during __xfrm_state_delete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68204",
                                "url": "https://ubuntu.com/security/CVE-2025-68204",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pmdomain: arm: scmi: Fix genpd leak on provider registration failure  If of_genpd_add_provider_onecell() fails during probe, the previously created generic power domains are not removed, leading to a memory leak and potential kernel crash later in genpd_debug_add().  Add proper error handling to unwind the initialized domains before returning from probe to ensure all resources are correctly released on failure.  Example crash trace observed without this fix:    | Unable to handle kernel paging request at virtual address fffffffffffffc70   | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT   | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform   | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)   | pc : genpd_debug_add+0x2c/0x160   | lr : genpd_debug_init+0x74/0x98   | Call trace:   |  genpd_debug_add+0x2c/0x160 (P)   |  genpd_debug_init+0x74/0x98   |  do_one_initcall+0xd0/0x2d8   |  do_initcall_level+0xa0/0x140   |  do_initcalls+0x60/0xa8   |  do_basic_setup+0x28/0x40   |  kernel_init_freeable+0xe8/0x170   |  kernel_init+0x2c/0x140   |  ret_from_fork+0x10/0x20",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68203",
                                "url": "https://ubuntu.com/security/CVE-2025-68203",
                                "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40267",
                                "url": "https://ubuntu.com/security/CVE-2025-40267",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/rw: ensure allocated iovec gets cleared for early failure  A previous commit reused the recycling infrastructure for early cleanup, but this is not enough for the case where our internal caches have overflowed. If this happens, then the allocated iovec can get leaked if the request is also aborted early.  Reinstate the previous forced free of the iovec for that situation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68198",
                                "url": "https://ubuntu.com/security/CVE-2025-68198",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crash: fix crashkernel resource shrink  When crashkernel is configured with a high reservation, shrinking its value below the low crashkernel reservation causes two issues:  1. Invalid crashkernel resource objects 2. Kernel crash if crashkernel shrinking is done twice  For example, with crashkernel=200M,high, the kernel reserves 200MB of high memory and some default low memory (say 256MB).  The reservation appears as:  cat /proc/iomem | grep -i crash af000000-beffffff : Crash kernel 433000000-43f7fffff : Crash kernel  If crashkernel is then shrunk to 50MB (echo 52428800 > /sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved: af000000-beffffff : Crash kernel  Instead, it should show 50MB: af000000-b21fffff : Crash kernel  Further shrinking crashkernel to 40MB causes a kernel crash with the following trace (x86):  BUG: kernel NULL pointer dereference, address: 0000000000000038 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI <snip...> Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2f0 ? search_module_extables+0x19/0x60 ? search_bpf_extables+0x5f/0x80 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? __release_resource+0xd/0xb0 release_resource+0x26/0x40 __crash_shrink_memory+0xe5/0x110 crash_shrink_memory+0x12a/0x190 kexec_crash_size_store+0x41/0x80 kernfs_fop_write_iter+0x141/0x1f0 vfs_write+0x294/0x460 ksys_write+0x6d/0xf0 <snip...>  This happens because __crash_shrink_memory()/kernel/crash_core.c incorrectly updates the crashk_res resource object even when crashk_low_res should be updated.  Fix this by ensuring the correct crashkernel resource object is updated when shrinking crashkernel memory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68199",
                                "url": "https://ubuntu.com/security/CVE-2025-68199",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext  When alloc_slab_obj_exts() fails and then later succeeds in allocating a slab extension vector, it calls handle_failed_objexts_alloc() to mark all objects in the vector as empty.  As a result all objects in this slab (slabA) will have their extensions set to CODETAG_EMPTY.  Later on if this slabA is used to allocate a slabobj_ext vector for another slab (slabB), we end up with the slabB->obj_exts pointing to a slabobj_ext vector that itself has a non-NULL slabobj_ext equal to CODETAG_EMPTY.  When slabB gets freed, free_slab_obj_exts() is called to free slabB->obj_exts vector.   free_slab_obj_exts() calls mark_objexts_empty(slabB->obj_exts) which will generate a warning because it expects slabobj_ext vectors to have a NULL obj_ext, not CODETAG_EMPTY.  Modify mark_objexts_empty() to skip the warning and setting the obj_ext value if it's already set to CODETAG_EMPTY.   To quickly detect this WARN, I modified the code from WARN_ON(slab_exts[offs].ref.ct) to BUG_ON(slab_exts[offs].ref.ct == 1);  We then obtained this message:  [21630.898561] ------------[ cut here ]------------ [21630.898596] kernel BUG at mm/slub.c:2050! 
[21630.898611] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [21630.900372] Modules linked in: squashfs isofs vfio_iommu_type1 vhost_vsock vfio vhost_net vmw_vsock_virtio_transport_common vhost tap vhost_iotlb iommufd vsock binfmt_misc nfsv3 nfs_acl nfs lockd grace netfs tls rds dns_resolver tun brd overlay ntfs3 exfat btrfs blake2b_generic xor xor_neon raid6_pq loop sctp ip6_udp_tunnel udp_tunnel nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables rfkill ip_set sunrpc vfat fat joydev sg sch_fq_codel nfnetlink virtio_gpu sr_mod cdrom drm_client_lib virtio_dma_buf drm_shmem_helper drm_kms_helper drm ghash_ce backlight virtio_net virtio_blk virtio_scsi net_failover virtio_console failover virtio_mmio dm_mirror dm_region_hash dm_log dm_multipath dm_mod fuse i2c_dev virtio_pci virtio_pci_legacy_dev virtio_pci_modern_dev virtio virtio_ring autofs4 aes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject] [21630.909177] CPU: 3 UID: 0 PID: 3787 Comm: kylin-process-m Kdump: loaded Tainted: G        W           6.18.0-rc1+ #74 PREEMPT(voluntary) [21630.910495] Tainted: [W]=WARN [21630.910867] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 [21630.911625] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [21630.912392] pc : __free_slab+0x228/0x250 [21630.912868] lr : __free_slab+0x18c/0x250[21630.913334] sp : ffff8000a02f73e0 [21630.913830] x29: ffff8000a02f73e0 x28: fffffdffc43fc800 x27: ffff0000c0011c40 [21630.914677] x26: ffff0000c000cac0 x25: ffff00010fe5e5f0 x24: ffff000102199b40 [21630.915469] x23: 0000000000000003 x22: 0000000000000003 x21: ffff0000c0011c40 [21630.916259] x20: fffffdffc4086600 x19: fffffdffc43fc800 x18: 0000000000000000 [21630.917048] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [21630.917837] x14: 0000000000000000 x13: 0000000000000000 x12: ffff70001405ee66 
[21630.918640] x11: 1ffff0001405ee65 x10: ffff70001405ee65 x9 : ffff800080a295dc [21630.919442] x8 : ffff8000a02f7330 x7 : 0000000000000000 x6 : 0000000000003000 [21630.920232] x5 : 0000000024924925 x4 : 0000000000000001 x3 : 0000000000000007 [21630.921021] x2 : 0000000000001b40 x1 : 000000000000001f x0 : 0000000000000001 [21630.921810] Call trace: [21630.922130]  __free_slab+0x228/0x250 (P) [21630.922669]  free_slab+0x38/0x118 [21630.923079]  free_to_partial_list+0x1d4/0x340 [21630.923591]  __slab_free+0x24c/0x348 [21630.924024]  ___cache_free+0xf0/0x110 [21630.924468]  qlist_free_all+0x78/0x130 [21630.924922]  kasan_quarantine_reduce+0x11 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40268",
                                "url": "https://ubuntu.com/security/CVE-2025-40268",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cifs: client: fix memory leak in smb3_fs_context_parse_param  The user calls fsconfig twice, but when the program exits, free() only frees ctx->source for the second fsconfig, not the first. Regarding fc->source, there is no code in the fs context related to its memory reclamation.  To fix this memory leak, release the source memory corresponding to ctx or fc before each parsing.  syzbot reported: BUG: memory leak unreferenced object 0xffff888128afa360 (size 96):   backtrace (crc 79c9c7ba):     kstrdup+0x3c/0x80 mm/util.c:84     smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444  BUG: memory leak unreferenced object 0xffff888112c7d900 (size 96):   backtrace (crc 79c9c7ba):     smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629     smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40269",
                                "url": "https://ubuntu.com/security/CVE-2025-40269",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix potential overflow of PCM transfer buffer  The PCM stream data in USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically.  The packet sizes are limited by some factors such as wMaxPacketSize USB descriptor.  OTOH, in the current code, the actually used packet sizes are determined only by the rate and the PPS, which may be bigger than the size limit above.  This results in a buffer overflow, as reported by syzbot.  Basically when the limit is smaller than the calculated packet size, it implies that something is wrong, most likely a weird USB descriptor.  So the best option would be just to return an error at the parameter setup time before doing any further operations.  This patch introduces such a sanity check, and returns -EINVAL when the packet size is greater than maxpacksize.  The comparison with ep->packsize[1] alone should suffice since it's always equal or greater than ep->packsize[0].",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68205",
                                "url": "https://ubuntu.com/security/CVE-2025-68205",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver  After restructuring and splitting the HDMI codec driver code, each HDMI codec driver contains its own build_controls and build_pcms ops. A copy-n-paste error put the wrong entries for the nvhdmi-mcp driver; build_controls and build_pcms are swapped.  Unfortunately both callbacks have the very same form, so the compiler didn't complain about it either.  This resulted in a NULL dereference because the PCM instance hasn't been initialized when the build_controls callback is called.  Fix it by passing the proper entries.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40270",
                                "url": "https://ubuntu.com/security/CVE-2025-40270",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm, swap: fix potential UAF issue for VMA readahead  Since commit 78524b05f1a3 (\"mm, swap: avoid redundant swap device pinning\"), the common helper for allocating and preparing a folio in the swap cache layer no longer tries to get a swap device reference internally, because all callers of __read_swap_cache_async are already holding a swap entry reference.  The repeated swap device pinning isn't needed on the same swap device.  Caller of VMA readahead is also holding a reference to the target entry's swap device, but VMA readahead walks the page table, so it might encounter swap entries from other devices, and call __read_swap_cache_async on another device without holding a reference to it.  So it is possible to cause a UAF when swapoff of device A raced with swapin on device B, and VMA readahead tries to read swap entries from device A.  It's not easy to trigger, but in theory, it could cause real issues.  Make VMA readahead try to get the device reference first if the swap device is a different one from the target entry.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40271",
                                "url": "https://ubuntu.com/security/CVE-2025-40271",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/proc: fix uaf in proc_readdir_de()  Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which may result in uaf access.  We should use RB_CLEAR_NODE() set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access.  We found an uaf issue while using stress-ng testing, need to run testcase getdent and tun in the same time.  The steps of the issue is as follows:  1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current    pde is tun3;  2) in the [time windows] unregister netdevice tun3 and tun2, and erase    them from rbtree.  erase tun3 first, and then erase tun2.  the    pde(tun2) will be released to slab;  3) continue to getdent process, then pde_subdir_next() will return    pde(tun2) which is released, it will case uaf access.  CPU 0                                      |    CPU 1 ------------------------------------------------------------------------- traverse dir /proc/pid/net/dev_snmp6/      |  unregister_netdevice(tun->dev)   //tun3 tun2 sys_getdents64()                           |   iterate_dir()                            |     proc_readdir()                         |       proc_readdir_de()                    |     snmp6_unregister_dev()         pde_get(de);                       |       proc_remove()         read_unlock(&proc_subdir_lock);    |         remove_proc_subtree()                                            |          write_lock(&proc_subdir_lock);         [time window]                      |          rb_erase(&root->subdir_node, &parent->subdir);                                            |          write_unlock(&proc_subdir_lock);         read_lock(&proc_subdir_lock);      |         next = pde_subdir_next(de);        |         pde_put(de);                       |         de = next;    //UAF                |  rbtree of dev_snmp6                         
|                     pde(tun3)                      /    \\                   NULL  pde(tun2)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40272",
                                "url": "https://ubuntu.com/security/CVE-2025-40272",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/secretmem: fix use-after-free race in fault handler  When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping.  If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in adding the folio to the file mapping.  The task that failed undoes the effects of its attempt by (a) freeing the folio again and (b) putting the page back into the direct map.  However, by doing these two operations in this order, the page becomes available to the allocator again before it is placed back in the direct mapping.  If another task attempts to allocate the page between (a) and (b), and the kernel tries to access it via the direct map, it would result in a supervisor not-present page fault.  Fix the ordering to restore the direct map before the folio is freed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68245",
                                "url": "https://ubuntu.com/security/CVE-2025-68245",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: netpoll: fix incorrect refcount handling causing incorrect cleanup  commit efa95b01da18 (\"netpoll: fix use after free\") incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks.  Scenario causing lack of proper cleanup:  1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is    allocated, and refcnt = 1    - Keep in mind that npinfo is shared among all netpoll instances. In      this case, there is just one.  2) Another netpoll is also associated with the same NIC and    npinfo->refcnt += 1.    - Now dev->npinfo->refcnt = 2;    - There is just one npinfo associated to the netdev.  3) When the first netpolls goes to clean up:    - The first cleanup succeeds and clears np->dev->npinfo, ignoring      refcnt.      - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);`    - Set dev->npinfo = NULL, without proper cleanup    - No ->ndo_netpoll_cleanup() is either called  4) Now the second target tries to clean up    - The second cleanup fails because np->dev->npinfo is already NULL.      * In this case, ops->ndo_netpoll_cleanup() was never called, and        the skb pool is not cleaned as well (for the second netpoll        instance)   - This leaks npinfo and skbpool skbs, which is clearly reported by     kmemleak.  Revert commit efa95b01da18 (\"netpoll: fix use after free\") and adds clarifying comments emphasizing that npinfo cleanup should only happen once the refcount reaches zero, ensuring stable and correct netpoll behavior.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68240",
                                "url": "https://ubuntu.com/security/CVE-2025-68240",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: avoid having an active sc_timer before freeing sci  Because kthread_stop did not stop sc_task properly and returned -EINTR, the sc_timer was not properly closed, ultimately causing the problem [1] reported by syzbot when freeing sci due to the sc_timer not being closed.  Because the thread sc_task main function nilfs_segctor_thread() returns 0 when it succeeds, when the return value of kthread_stop() is not 0 in nilfs_segctor_destroy(), we believe that it has not properly closed sc_timer.  We use timer_shutdown_sync() to wait synchronously for sc_timer to shut down, and set the value of sc_task to NULL under the protection of lock sc_state_lock, so as to avoid the issue caused by sc_timer not being properly shut down.  [1] ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: nilfs_construction_timeout Call trace:  nilfs_segctor_destroy fs/nilfs2/segment.c:2811 [inline]  nilfs_detach_log_writer+0x668/0x8cc fs/nilfs2/segment.c:2877  nilfs_put_super+0x4c/0x12c fs/nilfs2/super.c:509",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68241",
                                "url": "https://ubuntu.com/security/CVE-2025-68241",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe  The sit driver's packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random.  The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exception() can fetch the soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a new dst using a dst_hold(). When the original fnheX is freed via RCU, the dst reference remains permanently leaked.  CPU 0                             CPU 1 __mkroute_output()   find_exception() [fnheX]                                   update_or_create_fnhe()                                     fnhe_remove_oldest() [fnheX]   rt_bind_exception() [bind dst]                                   RCU callback [fnheX freed, dst leak]  This issue manifests as a device reference count leak and a warning in dmesg when unregistering the net device:    unregister_netdevice: waiting for sitX to become free. Usage count = N  Ido Schimmel provided the simple test validation method [1].  The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes(). Since rt_bind_exception() checks this field, setting it to zero prevents the stale fnhe from being reused and bound to a new dst just before it is freed.  
[1] ip netns add ns1 ip -n ns1 link set dev lo up ip -n ns1 address add 192.0.2.1/32 dev lo ip -n ns1 link add name dummy1 up type dummy ip -n ns1 route add 192.0.2.2/32 dev dummy1 ip -n ns1 link add name gretap1 up arp off type gretap \\     local 192.0.2.1 remote 192.0.2.2 ip -n ns1 route add 198.51.0.0/16 dev gretap1 taskset -c 0 ip netns exec ns1 mausezahn gretap1 \\     -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & taskset -c 2 ip netns exec ns1 mausezahn gretap1 \\     -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & sleep 10 ip netns pids ns1 | xargs kill ip netns del ns1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68211",
                                "url": "https://ubuntu.com/security/CVE-2025-68211",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksm: use range-walk function to jump over holes in scan_get_next_rmap_item  Currently, scan_get_next_rmap_item() walks every page address in a VMA to locate mergeable pages.  This becomes highly inefficient when scanning large virtual memory areas that contain mostly unmapped regions, causing ksmd to use large amount of cpu without deduplicating much pages.  This patch replaces the per-address lookup with a range walk using walk_page_range().  The range walker allows KSM to skip over entire unmapped holes in a VMA, avoiding unnecessary lookups.  This problem was previously discussed in [1].  Consider the following test program which creates a 32 TiB mapping in the virtual address space but only populates a single page:  #include <unistd.h> #include <stdio.h> #include <sys/mman.h>  /* 32 TiB */ const size_t size = 32ul * 1024 * 1024 * 1024 * 1024;  int main() {         char *area = mmap(NULL, size, PROT_READ | PROT_WRITE,                           MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1, 0);          if (area == MAP_FAILED) {                 perror(\"mmap() failed\\n\");                 return -1;         }          /* Populate a single page such that we get an anon_vma. */         *area = 0;          /* Enable KSM. */         madvise(area, size, MADV_MERGEABLE);         pause();         return 0; }  $ ./ksm-sparse  & $ echo 1 > /sys/kernel/mm/ksm/run  Without this patch ksmd uses 100% of the cpu for a long time (more then 1 hour in my test machine) scanning all the 32 TiB virtual address space that contain only one mapped page.  This makes ksmd essentially deadlocked not able to deduplicate anything of value.  With this patch ksmd walks only the one mapped page and skips the rest of the 32 TiB virtual address space, making the scan fast using little cpu.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68246",
                                "url": "https://ubuntu.com/security/CVE-2025-68246",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: close accepted socket when per-IP limit rejects connection  When the per-IP connection limit is exceeded in ksmbd_kthread_fn(), the code sets ret = -EAGAIN and continues the accept loop without closing the just-accepted socket. That leaks one socket per rejected attempt from a single IP and enables a trivial remote DoS.  Release client_sk before continuing.  This bug was found with ZeroPath.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40273",
                                "url": "https://ubuntu.com/security/CVE-2025-40273",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: free copynotify stateid in nfs4_free_ol_stateid()  Typically copynotify stateid is freed either when parent's stateid is being close/freed or in nfsd4_laundromat if the stateid hasn't been used in a lease period.  However, in case when the server got an OPEN (which created a parent stateid), followed by a COPY_NOTIFY using that stateid, followed by a client reboot. New client instance while doing CREATE_SESSION would force expire previous state of this client. It leads to the open state being freed thru release_openowner-> nfs4_free_ol_stateid() and it finds that it still has copynotify stateid associated with it. We currently print a warning and is triggerred  WARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd]  This patch, instead, frees the associated copynotify stateid here.  If the parent stateid is freed (without freeing the copynotify stateids associated with it), it leads to the list corruption when laundromat ends up freeing the copynotify state later.  
[ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP [ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink [ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G    B   W           6.17.0-rc7+ #22 PREEMPT(voluntary) [ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN [ 1626.857573] Hardware name: VMware, Inc. 
VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024 [ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd] [ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.861182] sp : ffff8000881d7a40 [ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200 [ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20 [ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8 [ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000 [ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065 [ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3 [ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000 [ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001 [ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000 [ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d [ 1626.868167] Call trace: [ 1626.868382]  __list_del_entry_valid_or_report+0x148/0x200 (P) [ 1626.868876]  _free_cpntf_state_locked+0xd0/0x268 [nfsd] [ 1626.869368]  nfs4_laundromat+0x6f8/0x1058 [nfsd] [ 1626.869813]  laundromat_main+0x24/0x60 [nfsd] [ 1626.870231]  process_one_work+0x584/0x1050 [ 1626.870595]  worker_thread+0x4c4/0xc60 [ 1626.870893]  kthread+0x2f8/0x398 [ 1626.871146]  ret_from_fork+0x10/0x20 [ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000) [ 1626.871892] SMP: stopping secondary CPUs",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40212",
                                "url": "https://ubuntu.com/security/CVE-2025-40212",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfsd: fix refcount leak in nfsd_set_fh_dentry()  nfsd exports a \"pseudo root filesystem\" which is used by NFSv4 to find the various exported filesystems using LOOKUP requests from a known root filehandle.  NFSv3 uses the MOUNT protocol to find those exported filesystems and so is not given access to the pseudo root filesystem.  If a v3 (or v2) client uses a filehandle from that filesystem, nfsd_set_fh_dentry() will report an error, but still stores the export in \"struct svc_fh\" even though it also drops the reference (exp_put()). This means that when fh_put() is called an extra reference will be dropped which can lead to use-after-free and possible denial of service.  Normal NFS usage will not provide a pseudo-root filehandle to a v3 client.  This bug can only be triggered by the client synthesising an incorrect filehandle.  To fix this we move the assignments to the svc_fh later, after all possible error cases have been detected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-24 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40274",
                                "url": "https://ubuntu.com/security/CVE-2025-40274",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying  When unbinding a memslot from a guest_memfd instance, remove the bindings even if the guest_memfd file is dying, i.e. even if its file refcount has gone to zero.  If the memslot is freed before the file is fully released, nullifying the memslot side of the binding in kvm_gmem_release() will write to freed memory, as detected by syzbot+KASAN:    ==================================================================   BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353   Write of size 8 at addr ffff88807befa508 by task syz.0.17/6022    CPU: 0 UID: 0 PID: 6022 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025   Call Trace:    <TASK>    dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120    print_address_description mm/kasan/report.c:378 [inline]    print_report+0xca/0x240 mm/kasan/report.c:482    kasan_report+0x118/0x150 mm/kasan/report.c:595    kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353    __fput+0x44c/0xa70 fs/file_table.c:468    task_work_run+0x1d4/0x260 kernel/task_work.c:227    resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]    exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43    exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]    syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]    syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]    do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100    entry_SYSCALL_64_after_hwframe+0x77/0x7f   RIP: 0033:0x7fbeeff8efc9    </TASK>    Allocated by task 6023:    kasan_save_stack mm/kasan/common.c:56 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:77    poison_kmalloc_redzone mm/kasan/common.c:397 
[inline]    __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414    kasan_kmalloc include/linux/kasan.h:262 [inline]    __kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5758    kmalloc_noprof include/linux/slab.h:957 [inline]    kzalloc_noprof include/linux/slab.h:1094 [inline]    kvm_set_memory_region+0x747/0xb90 virt/kvm/kvm_main.c:2104    kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154    kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:597 [inline]    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    Freed by task 6023:    kasan_save_stack mm/kasan/common.c:56 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:77    kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584    poison_slab_object mm/kasan/common.c:252 [inline]    __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284    kasan_slab_free include/linux/kasan.h:234 [inline]    slab_free_hook mm/slub.c:2533 [inline]    slab_free mm/slub.c:6622 [inline]    kfree+0x19a/0x6d0 mm/slub.c:6829    kvm_set_memory_region+0x9c4/0xb90 virt/kvm/kvm_main.c:2130    kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154    kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:597 [inline]    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f  Deliberately don't acquire filemap invalid lock when the file is dying as the lifecycle of f_mapping is outside the purview of KVM.  
Dereferencing the mapping is *probably* fine, but there's no need to invalidate anything as memslot deletion is responsible for zapping SPTEs, and the only code that can access the dying file is kvm_gmem_release(), whose core code is mutual ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68202",
                                "url": "https://ubuntu.com/security/CVE-2025-68202",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Fix unsafe locking in the scx_dump_state()  For built with CONFIG_PREEMPT_RT=y kernels, the dump_lock will be converted sleepable spinlock and not disable-irq, so the following scenarios occur:  inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. irq_work/0/27 [HC0[0]:SC0[0]:HE1:SE1] takes: (&rq->__lock){?...}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x40 {IN-HARDIRQ-W} state was registered at:    lock_acquire+0x1e1/0x510    _raw_spin_lock_nested+0x42/0x80    raw_spin_rq_lock_nested+0x2b/0x40    sched_tick+0xae/0x7b0    update_process_times+0x14c/0x1b0    tick_periodic+0x62/0x1f0    tick_handle_periodic+0x48/0xf0    timer_interrupt+0x55/0x80    __handle_irq_event_percpu+0x20a/0x5c0    handle_irq_event_percpu+0x18/0xc0    handle_irq_event+0xb5/0x150    handle_level_irq+0x220/0x460    __common_interrupt+0xa2/0x1e0    common_interrupt+0xb0/0xd0    asm_common_interrupt+0x2b/0x40    _raw_spin_unlock_irqrestore+0x45/0x80    __setup_irq+0xc34/0x1a30    request_threaded_irq+0x214/0x2f0    hpet_time_init+0x3e/0x60    x86_late_time_init+0x5b/0xb0    start_kernel+0x308/0x410    x86_64_start_reservations+0x1c/0x30    x86_64_start_kernel+0x96/0xa0    common_startup_64+0x13e/0x148   other info that might help us debug this:  Possible unsafe locking scenario:          CPU0         ----    lock(&rq->__lock);    <Interrupt>      lock(&rq->__lock);    *** DEADLOCK ***   stack backtrace:  CPU: 0 UID: 0 PID: 27 Comm: irq_work/0  Call Trace:   <TASK>   dump_stack_lvl+0x8c/0xd0   dump_stack+0x14/0x20   print_usage_bug+0x42e/0x690   mark_lock.part.44+0x867/0xa70   ? __pfx_mark_lock.part.44+0x10/0x10   ? string_nocheck+0x19c/0x310   ? number+0x739/0x9f0   ? __pfx_string_nocheck+0x10/0x10   ? __pfx_check_pointer+0x10/0x10   ? kvm_sched_clock_read+0x15/0x30   ? sched_clock_noinstr+0xd/0x20   ? local_clock_noinstr+0x1c/0xe0   __lock_acquire+0xc4b/0x62b0   ? 
__pfx_format_decode+0x10/0x10   ? __pfx_string+0x10/0x10   ? __pfx___lock_acquire+0x10/0x10   ? __pfx_vsnprintf+0x10/0x10   lock_acquire+0x1e1/0x510   ? raw_spin_rq_lock_nested+0x2b/0x40   ? __pfx_lock_acquire+0x10/0x10   ? dump_line+0x12e/0x270   ? raw_spin_rq_lock_nested+0x20/0x40   _raw_spin_lock_nested+0x42/0x80   ? raw_spin_rq_lock_nested+0x2b/0x40   raw_spin_rq_lock_nested+0x2b/0x40   scx_dump_state+0x3b3/0x1270   ? finish_task_switch+0x27e/0x840   scx_ops_error_irq_workfn+0x67/0x80   irq_work_single+0x113/0x260   irq_work_run_list.part.3+0x44/0x70   run_irq_workd+0x6b/0x90   ? __pfx_run_irq_workd+0x10/0x10   smpboot_thread_fn+0x529/0x870   ? __pfx_smpboot_thread_fn+0x10/0x10   kthread+0x305/0x3f0   ? __pfx_kthread+0x10/0x10   ret_from_fork+0x40/0x70   ? __pfx_kthread+0x10/0x10   ret_from_fork_asm+0x1a/0x30   </TASK>  This commit therefore use rq_lock_irqsave/irqrestore() to replace rq_lock/unlock() in the scx_dump_state().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68239",
                                "url": "https://ubuntu.com/security/CVE-2025-68239",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  binfmt_misc: restore write access before closing files opened by open_exec()  bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed.  However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write operations on the same file to fail.  Fix this by calling exe_file_allow_write_access() before filp_close() to restore the write permission properly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68247",
                                "url": "https://ubuntu.com/security/CVE-2025-68247",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  posix-timers: Plug potential memory leak in do_timer_create()  When posix timer creation is set to allocate a given timer ID and the access to the user space value faults, the function terminates without freeing the already allocated posix timer structure.  Move the allocation after the user space access to cure that.  [ tglx: Massaged change log ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68208",
                                "url": "https://ubuntu.com/security/CVE-2025-68208",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: account for current allocated stack depth in widen_imprecise_scalars()  The usage pattern for widen_imprecise_scalars() looks as follows:      prev_st = find_prev_entry(env, ...);     queued_st = push_stack(...);     widen_imprecise_scalars(env, prev_st, queued_st);  Where prev_st is an ancestor of the queued_st in the explored states tree. This ancestor is not guaranteed to have same allocated stack depth as queued_st. E.g. in the following case:      def main():       for i in 1..2:         foo(i)        // same callsite, different param      def foo(i):       if i == 1:         use 128 bytes of stack       iterator based loop  Here, for a second 'foo' call prev_st->allocated_stack is 128, while queued_st->allocated_stack is much smaller. widen_imprecise_scalars() needs to take this into account and avoid accessing bpf_verifier_state->frame[*]->stack out of bounds.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68200",
                                "url": "https://ubuntu.com/security/CVE-2025-68200",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Add bpf_prog_run_data_pointers()  syzbot found that cls_bpf_classify() is able to change tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().  WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline] WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214  struct tc_skb_cb has been added in commit ec624fe740b4 (\"net/sched: Extend qdisc control block with tc control block\"), which added a wrong interaction with db58ba459202 (\"bpf: wire in data and data_end for cls_act_bpf\").  drop_reason was added later.  Add bpf_prog_run_data_pointers() helper to save/restore the net_sched storage colliding with BPF data_meta/data_end.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40275",
                                "url": "https://ubuntu.com/security/CVE-2025-40275",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd  In snd_usb_create_streams(), for UAC version 3 devices, the Interface Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this call fails, a fallback routine attempts to obtain the IAD from the next interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, without performing a NULL check. This can lead to a NULL pointer dereference when usb_ifnum_to_if() fails to find the interface descriptor.  This patch adds a NULL pointer check after calling usb_ifnum_to_if() in snd_usb_mixer_controls_badd() to prevent the dereference.  This issue was discovered by syzkaller, which triggered the bug by sending a crafted USB device descriptor.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68242",
                                "url": "https://ubuntu.com/security/CVE-2025-68242",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS: Fix LTP test failures when timestamps are delegated  The utimes01 and utime06 tests fail when delegated timestamps are enabled, specifically in subtests that modify the atime and mtime fields using the 'nobody' user ID.  The problem can be reproduced as follows:  # echo \"/media *(rw,no_root_squash,sync)\" >> /etc/exports # export -ra # mount -o rw,nfsvers=4.2 127.0.0.1:/media /tmpdir # cd /opt/ltp # ./runltp -d /tmpdir -s utimes01 # ./runltp -d /tmpdir -s utime06  This issue occurs because nfs_setattr does not verify the inode's UID against the caller's fsuid when delegated timestamps are permitted for the inode.  This patch adds the UID check and if it does not match then the request is sent to the server for permission checking.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68243",
                                "url": "https://ubuntu.com/security/CVE-2025-68243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS: Check the TLS certificate fields in nfs_match_client()  If the TLS security policy is of type RPC_XPRTSEC_TLS_X509, then the cert_serial and privkey_serial fields need to match as well since they define the client's identity, as presented to the server.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40276",
                                "url": "https://ubuntu.com/security/CVE-2025-40276",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/panthor: Flush shmem writes before mapping buffers CPU-uncached  The shmem layer zeroes out the new pages using cached mappings, and if we don't CPU-flush we might leave dirty cachelines behind, leading to potential data leaks and/or asynchronous buffer corruption when dirty cachelines are evicted.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40277",
                                "url": "https://ubuntu.com/security/CVE-2025-40277",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE  This data originates from userspace and is used in buffer offset calculations which could potentially overflow causing an out-of-bounds access.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68206",
                                "url": "https://ubuntu.com/security/CVE-2025-68206",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_ct: add seqadj extension for natted connections  Sequence adjustment may be required for FTP traffic with PASV/EPSV modes. due to need to re-write packet payload (IP, port) on the ftp control connection. This can require changes to the TCP length and expected seq / ack_seq.  The easiest way to reproduce this issue is with PASV mode. Example ruleset: table inet ftp_nat {         ct helper ftp_helper {                 type \"ftp\" protocol tcp                 l3proto inet         }          chain prerouting {                 type filter hook prerouting priority 0; policy accept;                 tcp dport 21 ct state new ct helper set \"ftp_helper\"         } } table ip nat {         chain prerouting {                 type nat hook prerouting priority -100; policy accept;                 tcp dport 21 dnat ip prefix to ip daddr map { \t\t\t192.168.100.1 : 192.168.13.2/32 }         }          chain postrouting {                 type nat hook postrouting priority 100 ; policy accept;                 tcp sport 21 snat ip prefix to ip saddr map { \t\t\t192.168.13.2 : 192.168.100.1/32 }         } }  Note that the ftp helper gets assigned *after* the dnat setup.  The inverse (nat after helper assign) is handled by an existing check in nf_nat_setup_info() and will not show the problem.  Topoloy:   +-------------------+     +----------------------------------+  | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |  +-------------------+     +----------------------------------+                                       |                          +-----------------------+                          | Client: 192.168.100.2 |                          +-----------------------+  ftp nat changes do not work as expected in this case: Connected to 192.168.100.1. [..] ftp> epsv EPSV/EPRT on IPv4 off. 
ftp> ls 227 Entering passive mode (192,168,100,1,209,129). 421 Service not available, remote server has closed connection.  Kernel logs: Missing nfct_seqadj_ext_add() setup call WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41 [..]  __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]  nf_nat_ftp+0x142/0x280 [nf_nat_ftp]  help+0x4d1/0x880 [nf_conntrack_ftp]  nf_confirm+0x122/0x2e0 [nf_conntrack]  nf_hook_slow+0x3c/0xb0  ..  Fix this by adding the required extension when a conntrack helper is assigned to a connection that has a nat binding.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68209",
                                "url": "https://ubuntu.com/security/CVE-2025-68209",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mlx5: Fix default values in create CQ  Currently, CQs without a completion function are assigned the mlx5_add_cq_to_tasklet function by default. This is problematic since only user CQs created through the mlx5_ib driver are intended to use this function.  Additionally, all CQs that will use doorbells instead of polling for completions must call mlx5_cq_arm. However, the default CQ creation flow leaves a valid value in the CQ's arm_db field, allowing FW to send interrupts to polling-only CQs in certain corner cases.  These two factors would allow a polling-only kernel CQ to be triggered by an EQ interrupt and call a completion function intended only for user CQs, causing a null pointer exception.  Some areas in the driver have prevented this issue with one-off fixes but did not address the root cause.  This patch fixes the described issue by adding defaults to the create CQ flow. It adds a default dummy completion function to protect against null pointer exceptions, and it sets an invalid command sequence number by default in kernel CQs to prevent the FW from sending an interrupt to the CQ until it is armed. User CQs are responsible for their own initialization values.  Callers of mlx5_core_create_cq are responsible for changing the completion function and arming the CQ per their needs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40278",
                                "url": "https://ubuntu.com/security/CVE-2025-40278",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak  Fix a KMSAN kernel-infoleak detected by syzbot.  [net?] KMSAN: kernel-infoleak in __skb_datagram_iter  In tcf_ife_dump(), the variable 'opt' was partially initialized using a designated initializer, while the padding bytes remained uninitialized. nla_put() copies the entire structure into a netlink message, so these uninitialized bytes leaked to userspace.  Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to being copied.  This change silences the KMSAN report and prevents potential information leaks from the kernel memory.  This fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures no infoleak.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40279",
                                "url": "https://ubuntu.com/security/CVE-2025-40279",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: act_connmark: initialize struct tc_ife to fix kernel leak  In tcf_connmark_dump(), the variable 'opt' was partially initialized using a designated initializer, while the padding bytes remained uninitialized. nla_put() copies the entire structure into a netlink message, so these uninitialized bytes leaked to userspace.  Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to being copied.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40280",
                                "url": "https://ubuntu.com/security/CVE-2025-40280",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tipc: Fix use-after-free in tipc_mon_reinit_self().  syzbot reported use-after-free of tipc_net(net)->monitors[] in tipc_mon_reinit_self(). [0]  The array is protected by RTNL, but tipc_mon_reinit_self() iterates over it without RTNL.  tipc_mon_reinit_self() is called from tipc_net_finalize(), which is always under RTNL except for tipc_net_finalize_work().  Let's hold RTNL in tipc_net_finalize_work().  [0]: BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162 Read of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989  CPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Workqueue: events tipc_net_finalize_work Call Trace:  <TASK>  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0xca/0x240 mm/kasan/report.c:482  kasan_report+0x118/0x150 mm/kasan/report.c:595  __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568  kasan_check_byte include/linux/kasan.h:399 [inline]  lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842  __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]  _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162  rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline]  rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline]  rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244  rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243  write_lock_bh include/linux/rwlock_rt.h:99 [inline]  tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718  tipc_net_finalize+0x115/0x190 net/tipc/net.c:140  process_one_work kernel/workqueue.c:3236 [inline]  
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400  kthread+0x70e/0x8a0 kernel/kthread.c:463  ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 6089:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:388 [inline]  __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405  kasan_kmalloc include/linux/kasan.h:260 [inline]  __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407  kmalloc_noprof include/linux/slab.h:905 [inline]  kzalloc_noprof include/linux/slab.h:1039 [inline]  tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657  tipc_enable_bearer net/tipc/bearer.c:357 [inline]  __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047  __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline]  tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393  tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline]  tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321  genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115  genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]  genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210  netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552  genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219  netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]  netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346  netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896  sock_sendmsg_nosec net/socket.c:714 [inline]  __sock_sendmsg+0x21c/0x270 net/socket.c:729  ____sys_sendmsg+0x508/0x820 net/socket.c:2614  ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668  __sys_sendmsg net/socket.c:2700 [inline]  __do_sys_sendmsg net/socket.c:2705 [inline]  __se_sys_sendmsg net/socket.c:2703 [inline]  __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703  do_syscall_x64 
arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/ ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40281",
                                "url": "https://ubuntu.com/security/CVE-2025-40281",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto  syzbot reported a possible shift-out-of-bounds [1]  Blamed commit added rto_alpha_max and rto_beta_max set to 1000.  It is unclear if some sctp users are setting very large rto_alpha and/or rto_beta.  In order to prevent user regression, perform the test at run time.  Also add READ_ONCE() annotations as sysctl values can change under us.  [1]  UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41 shift exponent 64 is too large for 32-bit type 'unsigned int' CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace:  <TASK>   __dump_stack lib/dump_stack.c:94 [inline]   dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120   ubsan_epilogue lib/ubsan.c:233 [inline]   __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494   sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509   sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502   sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338   sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]   sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40282",
                                "url": "https://ubuntu.com/security/CVE-2025-40282",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: 6lowpan: reset link-local header on ipv6 recv path  Bluetooth 6lowpan.c netdev has header_ops, so it must set link-local header for RX skb, otherwise things crash, eg. with AF_PACKET SOCK_RAW  Add missing skb_reset_mac_header() for uncompressed ipv6 RX path.  For the compressed one, it is done in lowpan_header_decompress().  Log: (BlueZ 6lowpan-tester Client Recv Raw - Success) ------ kernel BUG at net/core/skbuff.c:212! Call Trace: <IRQ> ... packet_rcv (net/packet/af_packet.c:2152) ... <TASK> __local_bh_enable_ip (kernel/softirq.c:407) netif_rx (net/core/dev.c:5648) chan_recv_cb (net/bluetooth/6lowpan.c:294 net/bluetooth/6lowpan.c:359) ------",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40283",
                                "url": "https://ubuntu.com/security/CVE-2025-40283",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF  There is a KASAN: slab-use-after-free read in btusb_disconnect(). Calling \"usb_driver_release_interface(&btusb_driver, data->intf)\" will free the btusb data associated with the interface. The same data is then used later in the function, hence the UAF.  Fix by moving the accesses to btusb data to before the data is free'd.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40284",
                                "url": "https://ubuntu.com/security/CVE-2025-40284",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: cancel mesh send timer when hdev removed  mesh_send_done timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone.  Cancel the timer when MGMT removes the hdev, like other MGMT timers.  Should fix the BUG: sporadically seen by BlueZ test bot (in \"Mesh - Send cancel - 1\" test).  Log: ------ BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0 ... Freed by task 36:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  __kasan_save_free_info+0x3a/0x60  __kasan_slab_free+0x43/0x70  kfree+0x103/0x500  device_release+0x9a/0x210  kobject_put+0x100/0x1e0  vhci_release+0x18b/0x240 ------",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68210",
                                "url": "https://ubuntu.com/security/CVE-2025-68210",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: avoid infinite loop due to incomplete zstd-compressed data  Currently, the decompression logic incorrectly spins if compressed data is truncated in crafted (deliberately corrupted) images.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40285",
                                "url": "https://ubuntu.com/security/CVE-2025-40285",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/server: fix possible refcount leak in smb2_sess_setup()  The reference count of ksmbd_session will leak when the session needs to reconnect. Fix this by adding the missing ksmbd_user_session_put().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40286",
                                "url": "https://ubuntu.com/security/CVE-2025-40286",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/server: fix possible memory leak in smb2_read()  Memory leak occurs when ksmbd_vfs_read() fails. Fix this by adding the missing kvfree().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40287",
                                "url": "https://ubuntu.com/security/CVE-2025-40287",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exfat: fix improper check of dentry.stream.valid_size  We found an infinite loop bug in the exFAT file system that can lead to a Denial-of-Service (DoS) condition. When a dentry in an exFAT filesystem is malformed, the following system calls — SYS_openat, SYS_ftruncate, and SYS_pwrite64 — can cause the kernel to hang.  Root cause analysis shows that the size validation code in exfat_find() does not check whether dentry.stream.valid_size is negative. As a result, the system calls mentioned above can succeed and eventually trigger the DoS issue.  This patch adds a check for negative dentry.stream.valid_size to prevent this vulnerability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40288",
                                "url": "https://ubuntu.com/security/CVE-2025-40288",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices  Previously, APU platforms (and other scenarios with uninitialized VRAM managers) triggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root cause is not that the `struct ttm_resource_manager *man` pointer itself is NULL, but that `man->bdev` (the backing device pointer within the manager) remains uninitialized (NULL) on APUs—since APUs lack dedicated VRAM and do not fully set up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to acquire `man->bdev->lru_lock`, it dereferences the NULL `man->bdev`, leading to a kernel OOPS.  1. **amdgpu_cs.c**: Extend the existing bandwidth control check in    `amdgpu_cs_get_threshold_for_moves()` to include a check for    `ttm_resource_manager_used()`. If the manager is not used (uninitialized    `bdev`), return 0 for migration thresholds immediately—skipping VRAM-specific    logic that would trigger the NULL dereference.  2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info    reporting to use a conditional: if the manager is used, return the real VRAM    usage; otherwise, return 0. This avoids accessing `man->bdev` when it is    NULL.  3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function)    data write path. Use `ttm_resource_manager_used()` to check validity: if the    manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set    `fb_usage` to 0 (APUs have no discrete framebuffer to report).  
This approach is more robust than APU-specific checks because it: - Works for all scenarios where the VRAM manager is uninitialized (not just APUs), - Aligns with TTM's design by using its native helper function, - Preserves correct behavior for discrete GPUs (which have fully initialized   `man->bdev` and pass the `ttm_resource_manager_used()` check).  v4: use ttm_resource_manager_used(&adev->mman.vram_mgr.manager) instead of checking the adev->gmc.is_app_apu flag (Christian)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40289",
                                "url": "https://ubuntu.com/security/CVE-2025-40289",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM  Otherwise accessing them can cause a crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68201",
                                "url": "https://ubuntu.com/security/CVE-2025-68201",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: remove two invalid BUG_ON()s  Those can be triggered trivially by userspace.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68207",
                                "url": "https://ubuntu.com/security/CVE-2025-68207",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Synchronize Dead CT worker with unbind  Cancel and wait for any Dead CT worker to complete before continuing with device unbinding. Else the worker will end up using resources freed by the undind operation.  (cherry picked from commit 492671339114e376aaa38626d637a2751cdef263)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68244",
                                "url": "https://ubuntu.com/security/CVE-2025-68244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD  On completion of i915_vma_pin_ww(), a synchronous variant of dma_fence_work_commit() is called.  When pinning a VMA to GGTT address space on a Cherry View family processor, or on a Broxton generation SoC with VTD enabled, i.e., when stop_machine() is then called from intel_ggtt_bind_vma(), that can potentially lead to lock inversion among reservation_ww and cpu_hotplug locks.  [86.861179] ====================================================== [86.861193] WARNING: possible circular locking dependency detected [86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G     U [86.861226] ------------------------------------------------------ [86.861238] i915_module_loa/1432 is trying to acquire lock: [86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50 [86.861290] but task is already holding lock: [86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915] [86.862233] which lock already depends on the new lock. 
[86.862251] the existing dependency chain (in reverse order) is: [86.862265] -> #5 (reservation_ww_class_mutex){+.+.}-{3:3}: [86.862292]        dma_resv_lockdep+0x19a/0x390 [86.862315]        do_one_initcall+0x60/0x3f0 [86.862334]        kernel_init_freeable+0x3cd/0x680 [86.862353]        kernel_init+0x1b/0x200 [86.862369]        ret_from_fork+0x47/0x70 [86.862383]        ret_from_fork_asm+0x1a/0x30 [86.862399] -> #4 (reservation_ww_class_acquire){+.+.}-{0:0}: [86.862425]        dma_resv_lockdep+0x178/0x390 [86.862440]        do_one_initcall+0x60/0x3f0 [86.862454]        kernel_init_freeable+0x3cd/0x680 [86.862470]        kernel_init+0x1b/0x200 [86.862482]        ret_from_fork+0x47/0x70 [86.862495]        ret_from_fork_asm+0x1a/0x30 [86.862509] -> #3 (&mm->mmap_lock){++++}-{3:3}: [86.862531]        down_read_killable+0x46/0x1e0 [86.862546]        lock_mm_and_find_vma+0xa2/0x280 [86.862561]        do_user_addr_fault+0x266/0x8e0 [86.862578]        exc_page_fault+0x8a/0x2f0 [86.862593]        asm_exc_page_fault+0x27/0x30 [86.862607]        filldir64+0xeb/0x180 [86.862620]        kernfs_fop_readdir+0x118/0x480 [86.862635]        iterate_dir+0xcf/0x2b0 [86.862648]        __x64_sys_getdents64+0x84/0x140 [86.862661]        x64_sys_call+0x1058/0x2660 [86.862675]        do_syscall_64+0x91/0xe90 [86.862689]        entry_SYSCALL_64_after_hwframe+0x76/0x7e [86.862703] -> #2 (&root->kernfs_rwsem){++++}-{3:3}: [86.862725]        down_write+0x3e/0xf0 [86.862738]        kernfs_add_one+0x30/0x3c0 [86.862751]        kernfs_create_dir_ns+0x53/0xb0 [86.862765]        internal_create_group+0x134/0x4c0 [86.862779]        sysfs_create_group+0x13/0x20 [86.862792]        topology_add_dev+0x1d/0x30 [86.862806]        cpuhp_invoke_callback+0x4b5/0x850 [86.862822]        cpuhp_issue_call+0xbf/0x1f0 [86.862836]        __cpuhp_setup_state_cpuslocked+0x111/0x320 [86.862852]        __cpuhp_setup_state+0xb0/0x220 [86.862866]        topology_sysfs_init+0x30/0x50 [86.862879]        
do_one_initcall+0x60/0x3f0 [86.862893]        kernel_init_freeable+0x3cd/0x680 [86.862908]        kernel_init+0x1b/0x200 [86.862921]        ret_from_fork+0x47/0x70 [86.862934]        ret_from_fork_asm+0x1a/0x30 [86.862947] -> #1 (cpuhp_state_mutex){+.+.}-{3:3}: [86.862969]        __mutex_lock+0xaa/0xed0 [86.862982]        mutex_lock_nested+0x1b/0x30 [86.862995]        __cpuhp_setup_state_cpuslocked+0x67/0x320 [86.863012]        __cpuhp_setup_state+0xb0/0x220 [86.863026]        page_alloc_init_cpuhp+0x2d/0x60 [86.863041]        mm_core_init+0x22/0x2d0 [86.863054]        start_kernel+0x576/0xbd0 [86.863068]        x86_64_start_reservations+0x18/0x30 [86.863084]        x86_64_start_kernel+0xbf/0x110 [86.863098]        common_startup_64+0x13e/0x141 [86.863114] -> #0 (cpu_hotplug_lock){++++}-{0:0}: [86.863135]        __lock_acquire+0x16 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68316",
                                "url": "https://ubuntu.com/security/CVE-2025-68316",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: ufs: core: Fix invalid probe error return value  After DME Link Startup, the error return value is set to the MIPI UniPro GenericErrorCode which can be 0 (SUCCESS) or 1 (FAILURE).  Upon failure during driver probe, the error code 1 is propagated back to the driver probe function which must return a negative value to indicate an error, but 1 is not negative, so the probe is considered to be successful even though it failed.  Subsequently, removing the driver results in an oops because it is not in a valid state.  This happens because none of the callers of ufshcd_init() expect a non-negative error code.  Fix the return value and documentation to match actual usage.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40292",
                                "url": "https://ubuntu.com/security/CVE-2025-40292",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: fix received length check in big packets  Since commit 4959aebba8c0 (\"virtio-net: use mtu size as buffer length for big packets\"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi->big_packets_num_skbfrags.  Because the host announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce incorrect length), we need a check in virtio_net receive path. Currently, the check is not adapted to the new change which can lead to NULL page pointer dereference in the below while loop when receiving length that is larger than the allocated one.  This commit fixes the received length check corresponding to the new change.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68180",
                                "url": "https://ubuntu.com/security/CVE-2025-68180",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Fix NULL deref in debugfs odm_combine_segments  When a connector is connected but inactive (e.g., disabled by desktop environments), pipe_ctx->stream_res.tg will be destroyed. Then, reading odm_combine_segments causes kernel NULL pointer dereference.   BUG: kernel NULL pointer dereference, address: 0000000000000000  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  PGD 0 P4D 0  Oops: Oops: 0000 [#1] SMP NOPTI  CPU: 16 UID: 0 PID: 26474 Comm: cat Not tainted 6.17.0+ #2 PREEMPT(lazy) e6a17af9ee6db7c63e9d90dbe5b28ccab67520c6  Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN25WW 03/27/2025  RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]  Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>  RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286  RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8  RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000  RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0  R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08  R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001  FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0  PKRU: 55555554  Call Trace:   <TASK>   seq_read_iter+0x125/0x490   ? __alloc_frozen_pages_noprof+0x18f/0x350   seq_read+0x12c/0x170   full_proxy_read+0x51/0x80   vfs_read+0xbc/0x390   ? __handle_mm_fault+0xa46/0xef0   ? do_syscall_64+0x71/0x900   ksys_read+0x73/0xf0   do_syscall_64+0x71/0x900   ? count_memcg_events+0xc2/0x190   ? handle_mm_fault+0x1d7/0x2d0   ? do_user_addr_fault+0x21a/0x690   ? 
exc_page_fault+0x7e/0x1a0   entry_SYSCALL_64_after_hwframe+0x6c/0x74  RIP: 0033:0x7f44d4031687  Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00>  RSP: 002b:00007ffdb4b5f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000  RAX: ffffffffffffffda RBX: 00007f44d3f9f740 RCX: 00007f44d4031687  RDX: 0000000000040000 RSI: 00007f44d3f5e000 RDI: 0000000000000003  RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000  R10: 0000000000000000 R11: 0000000000000202 R12: 00007f44d3f5e000  R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000040000   </TASK>  Modules linked in: tls tcp_diag inet_diag xt_mark ccm snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device x>   snd_hda_codec_atihdmi snd_hda_codec_realtek_lib lenovo_wmi_helpers think_lmi snd_hda_codec_generic snd_hda_codec_hdmi snd_soc_core kvm snd_compress uvcvideo sn>   platform_profile joydev amd_pmc mousedev mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics loop nfnetlink ip_tables x_tables dm_cryp>  CR2: 0000000000000000  ---[ end trace 0000000000000000 ]---  RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]  Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>  RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286  RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8  RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000  RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0  R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08  R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001  FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000000 CR3: 00000006485c2000 
CR4: 0000000000f50ef0  PKRU: 55555554  Fix this by checking pipe_ctx-> ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40327",
                                "url": "https://ubuntu.com/security/CVE-2025-40327",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/core: Fix system hang caused by cpu-clock usage  cpu-clock usage by the async-profiler tool can trigger a system hang, which got bisected back to the following commit by Octavia Togami:    18dbcbfabfff (\"perf: Fix the POLL_HUP delivery breakage\") causes this issue  The root cause of the hang is that cpu-clock is a special type of SW event which relies on hrtimers. The __perf_event_overflow() callback is invoked from the hrtimer handler for cpu-clock events, and __perf_event_overflow() tries to call cpu_clock_event_stop() to stop the event, which calls htimer_cancel() to cancel the hrtimer.  But that's a recursion into the hrtimer code from a hrtimer handler, which (unsurprisingly) deadlocks.  To fix this bug, use hrtimer_try_to_cancel() instead, and set the PERF_HES_STOPPED flag, which causes perf_swevent_hrtimer() to stop the event once it sees the PERF_HES_STOPPED flag.  [ mingo: Fixed the comments and improved the changelog. ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40328",
                                "url": "https://ubuntu.com/security/CVE-2025-40328",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix potential UAF in smb2_close_cached_fid()  find_or_create_cached_dir() could grab a new reference after kref_put() had seen the refcount drop to zero but before cfid_list_lock is acquired in smb2_close_cached_fid(), leading to use-after-free.  Switch to kref_put_lock() so cfid_release() is called with cfid_list_lock held, closing that gap.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40291",
                                "url": "https://ubuntu.com/security/CVE-2025-40291",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring: fix regbuf vector size truncation  There is a report of io_estimate_bvec_size() truncating the calculated number of segments that leads to corruption issues. Check it doesn't overflow \"int\"s used later. Rough but simple, can be improved on top.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68322",
                                "url": "https://ubuntu.com/security/CVE-2025-68322",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  parisc: Avoid crash due to unaligned access in unwinder  Guenter Roeck reported this kernel crash on his emulated B160L machine:  Starting network: udhcpc: started, v1.36.1  Backtrace:   [<104320d4>] unwind_once+0x1c/0x5c   [<10434a00>] walk_stackframe.isra.0+0x74/0xb8   [<10434a6c>] arch_stack_walk+0x28/0x38   [<104e5efc>] stack_trace_save+0x48/0x5c   [<105d1bdc>] set_track_prepare+0x44/0x6c   [<105d9c80>] ___slab_alloc+0xfc4/0x1024   [<105d9d38>] __slab_alloc.isra.0+0x58/0x90   [<105dc80c>] kmem_cache_alloc_noprof+0x2ac/0x4a0   [<105b8e54>] __anon_vma_prepare+0x60/0x280   [<105a823c>] __vmf_anon_prepare+0x68/0x94   [<105a8b34>] do_wp_page+0x8cc/0xf10   [<105aad88>] handle_mm_fault+0x6c0/0xf08   [<10425568>] do_page_fault+0x110/0x440   [<10427938>] handle_interruption+0x184/0x748   [<11178398>] schedule+0x4c/0x190   BUG: spinlock recursion on CPU#0, ifconfig/2420   lock: terminate_lock.2+0x0/0x1c, .magic: dead4ead, .owner: ifconfig/2420, .owner_cpu: 0  While creating the stack trace, the unwinder uses the stack pointer to guess the previous frame to read the previous stack pointer from memory.  The crash happens, because the unwinder tries to read from unaligned memory and as such triggers the unalignment trap handler which then leads to the spinlock recursion and finally to a deadlock.  Fix it by checking the alignment before accessing the memory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40293",
                                "url": "https://ubuntu.com/security/CVE-2025-40293",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iommufd: Don't overflow during division for dirty tracking  If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow to 0 and this triggers divide by 0.  In this case the index should just be 0, so reorganize things to divide by shift and avoid hitting any overflows.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40294",
                                "url": "https://ubuntu.com/security/CVE-2025-40294",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()  In the parse_adv_monitor_pattern() function, the value of the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251). The size of the 'value' array in the mgmt_adv_pattern structure is 31. If the value of 'pattern[i].length' is set in the user space and exceeds 31, the 'patterns[i].value' array can be accessed out of bound when copied.  Increasing the size of the 'value' array in the 'mgmt_adv_pattern' structure will break the userspace. Considering this, and to avoid OOB access revert the limits for 'offset' and 'length' back to the value of HCI_MAX_AD_LENGTH.  Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40329",
                                "url": "https://ubuntu.com/security/CVE-2025-40329",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb  The Mesa issue referenced below pointed out a possible deadlock:  [ 1231.611031]  Possible interrupt unsafe locking scenario:  [ 1231.611033]        CPU0                    CPU1 [ 1231.611034]        ----                    ---- [ 1231.611035]   lock(&xa->xa_lock#17); [ 1231.611038]                                local_irq_disable(); [ 1231.611039]                                lock(&fence->lock); [ 1231.611041]                                lock(&xa->xa_lock#17); [ 1231.611044]   <Interrupt> [ 1231.611045]     lock(&fence->lock); [ 1231.611047]                 *** DEADLOCK ***  In this example, CPU0 would be any function accessing job->dependencies through the xa_* functions that don't disable interrupts (eg: drm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()).  CPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling callback so in an interrupt context. It will deadlock when trying to grab the xa_lock which is already held by CPU0.  Replacing all xa_* usage by their xa_*_irq counterparts would fix this issue, but Christian pointed out another issue: dma_fence_signal takes fence.lock and so does dma_fence_add_callback.    dma_fence_signal() // locks f1.lock   -> drm_sched_entity_kill_jobs_cb()   -> foreach dependencies      -> dma_fence_add_callback() // locks f2.lock  This will deadlock if f1 and f2 share the same spinlock.  To fix both issues, the code iterating on dependencies and re-arming them is moved out to drm_sched_entity_kill_jobs_work().  [phasta: commit message nits]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40295",
                                "url": "https://ubuntu.com/security/CVE-2025-40295",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT  When simulating an nvme device on qemu with both logical_block_size and physical_block_size set to 8 KiB, an error trace appears during partition table reading at boot time. The issue is caused by inode->i_blkbits being larger than PAGE_SHIFT, which leads to a left shift of -1 and triggering a UBSAN warning.  [    2.697306] ------------[ cut here ]------------ [    2.697309] UBSAN: shift-out-of-bounds in fs/crypto/inline_crypt.c:336:37 [    2.697311] shift exponent -1 is negative [    2.697315] CPU: 3 UID: 0 PID: 274 Comm: (udev-worker) Not tainted 6.18.0-rc2+ #34 PREEMPT(voluntary) [    2.697317] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [    2.697320] Call Trace: [    2.697324]  <TASK> [    2.697325]  dump_stack_lvl+0x76/0xa0 [    2.697340]  dump_stack+0x10/0x20 [    2.697342]  __ubsan_handle_shift_out_of_bounds+0x1e3/0x390 [    2.697351]  bh_get_inode_and_lblk_num.cold+0x12/0x94 [    2.697359]  fscrypt_set_bio_crypt_ctx_bh+0x44/0x90 [    2.697365]  submit_bh_wbc+0xb6/0x190 [    2.697370]  block_read_full_folio+0x194/0x270 [    2.697371]  ? __pfx_blkdev_get_block+0x10/0x10 [    2.697375]  ? __pfx_blkdev_read_folio+0x10/0x10 [    2.697377]  blkdev_read_folio+0x18/0x30 [    2.697379]  filemap_read_folio+0x40/0xe0 [    2.697382]  filemap_get_pages+0x5ef/0x7a0 [    2.697385]  ? mmap_region+0x63/0xd0 [    2.697389]  filemap_read+0x11d/0x520 [    2.697392]  blkdev_read_iter+0x7c/0x180 [    2.697393]  vfs_read+0x261/0x390 [    2.697397]  ksys_read+0x71/0xf0 [    2.697398]  __x64_sys_read+0x19/0x30 [    2.697399]  x64_sys_call+0x1e88/0x26a0 [    2.697405]  do_syscall_64+0x80/0x670 [    2.697410]  ? __x64_sys_newfstat+0x15/0x20 [    2.697414]  ? x64_sys_call+0x204a/0x26a0 [    2.697415]  ? 
do_syscall_64+0xb8/0x670 [    2.697417]  ? irqentry_exit_to_user_mode+0x2e/0x2a0 [    2.697420]  ? irqentry_exit+0x43/0x50 [    2.697421]  ? exc_page_fault+0x90/0x1b0 [    2.697422]  entry_SYSCALL_64_after_hwframe+0x76/0x7e [    2.697425] RIP: 0033:0x75054cba4a06 [    2.697426] Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 [    2.697427] RSP: 002b:00007fff973723a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000 [    2.697430] RAX: ffffffffffffffda RBX: 00005ea9a2c02760 RCX: 000075054cba4a06 [    2.697432] RDX: 0000000000002000 RSI: 000075054c190000 RDI: 000000000000001b [    2.697433] RBP: 00007fff973723c0 R08: 0000000000000000 R09: 0000000000000000 [    2.697434] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 [    2.697434] R13: 00005ea9a2c027c0 R14: 00005ea9a2be5608 R15: 00005ea9a2be55f0 [    2.697436]  </TASK> [    2.697436] ---[ end trace ]---  This situation can happen for block devices because when CONFIG_TRANSPARENT_HUGEPAGE is enabled, the maximum logical_block_size is 64 KiB. set_init_blocksize() then sets the block device inode->i_blkbits to 13, which is within this limit.  File I/O does not trigger this problem because for filesystems that do not support the FS_LBS feature, sb_set_blocksize() prevents sb->s_blocksize_bits from being larger than PAGE_SHIFT. During inode allocation, alloc_inode()->inode_init_always() assigns inode->i_blkbits from sb->s_blocksize_bits. Currently, only xfs_fs_type has the FS_LBS flag, and since xfs I/O paths do not reach submit_bh_wbc(), it does not hit the left-shift underflow issue.  [EB: use folio_pos() and consolidate the two shifts by i_blkbits]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40296",
                                "url": "https://ubuntu.com/security/CVE-2025-40296",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/x86: int3472: Fix double free of GPIO device during unregister  regulator_unregister() already frees the associated GPIO device. On ThinkPad X9 (Lunar Lake), this causes a double free issue that leads to random failures when other drivers (typically Intel THC) attempt to allocate interrupts. The root cause is that the reference count of the pinctrl_intel_platform module unexpectedly drops to zero when this driver defers its probe.  This behavior can also be reproduced by unloading the module directly.  Fix the issue by removing the redundant release of the GPIO device during regulator unregistration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40297",
                                "url": "https://ubuntu.com/security/CVE-2025-40297",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: bridge: fix use-after-free due to MST port state bypass  syzbot reported[1] a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its fdbs have been flushed. The port's state has been toggled to disabled so no learning should happen at that time, but if we have MST enabled, it will bypass the port's state, that together with VLAN filtering disabled can lead to fdb learning at a time when it shouldn't happen while the port is being deleted. VLAN filtering must be disabled because we flush the port VLANs when it's being deleted which will stop learning. This fix adds a check for the port's vlan group which is initialized to NULL when the port is getting deleted, that avoids the port state bypass. When MST is enabled there would be a minimal new overhead in the fast-path because the port's vlan group pointer is cache-hot.  [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68320",
                                "url": "https://ubuntu.com/security/CVE-2025-68320",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lan966x: Fix sleeping in atomic context  The following warning was seen when we try to connect using ssh to the device.  BUG: sleeping function called from invalid context at kernel/locking/mutex.c:575 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbear preempt_count: 1, expected: 0 INFO: lockdep is turned off. CPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G        W          6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONE Tainted: [W]=WARN Hardware name: Generic DT based system Call trace:  unwind_backtrace from show_stack+0x10/0x14  show_stack from dump_stack_lvl+0x7c/0xac  dump_stack_lvl from __might_resched+0x16c/0x2b0  __might_resched from __mutex_lock+0x64/0xd34  __mutex_lock from mutex_lock_nested+0x1c/0x24  mutex_lock_nested from lan966x_stats_get+0x5c/0x558  lan966x_stats_get from dev_get_stats+0x40/0x43c  dev_get_stats from dev_seq_printf_stats+0x3c/0x184  dev_seq_printf_stats from dev_seq_show+0x10/0x30  dev_seq_show from seq_read_iter+0x350/0x4ec  seq_read_iter from seq_read+0xfc/0x194  seq_read from proc_reg_read+0xac/0x100  proc_reg_read from vfs_read+0xb0/0x2b0  vfs_read from ksys_read+0x6c/0xec  ksys_read from ret_fast_syscall+0x0/0x1c Exception stack(0xf0b11fa8 to 0xf0b11ff0) 1fa0:                   00000001 00001000 00000008 be9048d8 00001000 00000001 1fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 00000001 1fe0: 0005404c be9048c0 00018684 b6ec2cd8  It seems that we are using a mutex in a atomic context which is wrong. Change the mutex with a spinlock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68169",
                                "url": "https://ubuntu.com/security/CVE-2025-68169",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netpoll: Fix deadlock in memory allocation under spinlock  Fix a AA deadlock in refill_skbs() where memory allocation while holding skb_pool->lock can trigger a recursive lock acquisition attempt.  The deadlock scenario occurs when the system is under severe memory pressure:  1. refill_skbs() acquires skb_pool->lock (spinlock) 2. alloc_skb() is called while holding the lock 3. Memory allocator fails and calls slab_out_of_memory() 4. This triggers printk() for the OOM warning 5. The console output path calls netpoll_send_udp() 6. netpoll_send_udp() attempts to acquire the same skb_pool->lock 7. Deadlock: the lock is already held by the same CPU  Call stack:   refill_skbs()     spin_lock_irqsave(&skb_pool->lock)    <- lock acquired     __alloc_skb()       kmem_cache_alloc_node_noprof()         slab_out_of_memory()           printk()             console_flush_all()               netpoll_send_udp()                 skb_dequeue()                   spin_lock_irqsave(&skb_pool->lock)     <- deadlock attempt  This bug was exposed by commit 248f6571fd4c51 (\"netpoll: Optimize skb refilling on critical path\") which removed refill_skbs() from the critical path (where nested printk was being deferred), letting nested printk being called from inside refill_skbs()  Refactor refill_skbs() to never allocate memory while holding the spinlock.  Another possible solution to fix this problem is protecting the refill_skbs() from nested printks, basically calling printk_deferred_{enter,exit}() in refill_skbs(), then, any nested pr_warn() would be deferred.  I prefer this approach, given I _think_ it might be a good idea to move the alloc_skb() from GFP_ATOMIC to GFP_KERNEL in the future, so, having the alloc_skb() outside of the lock will be necessary step.  
There is a possible TOCTOU issue when checking for the pool length, and queueing the new allocated skb, but, this is not an issue, given that an extra SKB in the pool is harmless and it will be eventually used.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68197",
                                "url": "https://ubuntu.com/security/CVE-2025-68197",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()  With older FW, we may get the ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER for FW trace data type that has not been initialized.  This will result in a crash in bnxt_bs_trace_type_wrap().  Add a guard to check for a valid magic_byte pointer before proceeding.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40330",
                                "url": "https://ubuntu.com/security/CVE-2025-40330",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Shutdown FW DMA in bnxt_shutdown()  The netif_close() call in bnxt_shutdown() only stops packet DMA.  There may be FW DMA for trace logging (recently added) that will continue.  If we kexec to a new kernel, the DMA will corrupt memory in the new kernel.  Add bnxt_hwrm_func_drv_unrgtr() to unregister the driver from the FW. This will stop the FW DMA.  In case the call fails, call pcie_flr() to reset the function and stop the DMA.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68192",
                                "url": "https://ubuntu.com/security/CVE-2025-68192",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup  Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. This can trigger kernel panics on ARM64 when xfrm or other subsystems access the offset due to strict alignment checks.  Initialize the MAC header to prevent such crashes.  This can trigger kernel panics on ARM when running IPsec over the qmimux0 interface.  Example trace:      Internal error: Oops: 000000009600004f [#1] SMP     CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1     Hardware name: LS1028A RDB Board (DT)     pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)     pc : xfrm_input+0xde8/0x1318     lr : xfrm_input+0x61c/0x1318     sp : ffff800080003b20     Call trace:      xfrm_input+0xde8/0x1318      xfrm6_rcv+0x38/0x44      xfrm6_esp_rcv+0x48/0xa8      ip6_protocol_deliver_rcu+0x94/0x4b0      ip6_input_finish+0x44/0x70      ip6_input+0x44/0xc0      ipv6_rcv+0x6c/0x114      __netif_receive_skb_one_core+0x5c/0x8c      __netif_receive_skb+0x18/0x60      process_backlog+0x78/0x17c      __napi_poll+0x38/0x180      net_rx_action+0x168/0x2f0",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40331",
                                "url": "https://ubuntu.com/security/CVE-2025-40331",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: Prevent TOCTOU out-of-bounds write  For the following path not holding the sock lock,    sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()  make sure not to exceed bounds in case the address list has grown between buffer allocation (time-of-check) and write (time-of-use).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68187",
                                "url": "https://ubuntu.com/security/CVE-2025-68187",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: mdio: Check regmap pointer returned by device_node_to_regmap()  The call to device_node_to_regmap() in airoha_mdio_probe() can return an ERR_PTR() if regmap initialization fails. Currently, the driver stores the pointer without validation, which could lead to a crash if it is later dereferenced.  Add an IS_ERR() check and return the corresponding error code to make the probe path more robust.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68167",
                                "url": "https://ubuntu.com/security/CVE-2025-68167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gpiolib: fix invalid pointer access in debugfs  If the memory allocation in gpiolib_seq_start() fails, the s->private field remains uninitialized and is later dereferenced without checking in gpiolib_seq_stop(). Initialize s->private to NULL before calling kzalloc() and check it before dereferencing it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68319",
                                "url": "https://ubuntu.com/security/CVE-2025-68319",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netconsole: Acquire su_mutex before navigating configs hierarchy  There is a race between operations that iterate over the userdata cg_children list and concurrent add/remove of userdata items through configfs. The update_userdata() function iterates over the nt->userdata_group.cg_children list, and count_extradata_entries() also iterates over this same list to count nodes.  Quoting from Documentation/filesystems/configfs.rst: > A subsystem can navigate the cg_children list and the ci_parent pointer > to see the tree created by the subsystem.  This can race with configfs' > management of the hierarchy, so configfs uses the subsystem mutex to > protect modifications.  Whenever a subsystem wants to navigate the > hierarchy, it must do so under the protection of the subsystem > mutex.  Without proper locking, if a userdata item is added or removed concurrently while these functions are iterating, the list can be accessed in an inconsistent state. For example, the list_for_each() loop can reach a node that is being removed from the list by list_del_init() which sets the nodes' .next pointer to point to itself, so the loop will never end (or reach the WARN_ON_ONCE in update_userdata() ).  Fix this by holding the configfs subsystem mutex (su_mutex) during all operations that iterate over cg_children. This includes: - userdatum_value_store() which calls update_userdata() to iterate over   cg_children - All sysdata_*_enabled_store() functions which call   count_extradata_entries() to iterate over cg_children  The su_mutex must be acquired before dynamic_netconsole_mutex to avoid potential lock ordering issues, as configfs operations may already hold su_mutex when calling into our code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40298",
                                "url": "https://ubuntu.com/security/CVE-2025-40298",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: Implement settime64 with -EOPNOTSUPP  ptp_clock_settime() assumes every ptp_clock has implemented settime64(). Stub it with -EOPNOTSUPP to prevent a NULL dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40299",
                                "url": "https://ubuntu.com/security/CVE-2025-40299",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: Implement gettimex64 with -EOPNOTSUPP  gve implemented a ptp_clock for sole use of do_aux_work at this time. ptp_clock_gettime() and ptp_sys_offset() assume every ptp_clock has implemented either gettimex64 or gettime64. Stub gettimex64 and return -EOPNOTSUPP to prevent NULL dereferencing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40301",
                                "url": "https://ubuntu.com/security/CVE-2025-40301",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: validate skb length for unknown CC opcode  In hci_cmd_complete_evt(), if the command complete event has an unknown opcode, we assume the first byte of the remaining skb->data contains the return status. However, parameter data has previously been pulled in hci_event_func(), which may leave the skb empty. If so, using skb->data[0] for the return status uses un-init memory.  The fix is to check skb->len before using skb->data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40358",
                                "url": "https://ubuntu.com/security/CVE-2025-40358",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: stacktrace: Disable KASAN checks for non-current tasks  Unwinding the stack of a task other than current, KASAN would report \"BUG: KASAN: out-of-bounds in walk_stackframe+0x41c/0x460\"  There is a same issue on x86 and has been resolved by the commit 84936118bdf3 (\"x86/unwind: Disable KASAN checks for non-current tasks\") The solution could be applied to RISC-V too.  This patch also can solve the issue: https://seclists.org/oss-sec/2025/q4/23  [pjw@kernel.org: clean up checkpatch issues]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68186",
                                "url": "https://ubuntu.com/security/CVE-2025-68186",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up  The function ring_buffer_map_get_reader() is a bit more strict than the other get reader functions, and except for certain situations the rb_get_reader_page() should not return NULL. If it does, it triggers a warning.  This warning was triggering but after looking at why, it was because another acceptable situation was happening and it wasn't checked for.  If the reader catches up to the writer and there's still data to be read on the reader page, then the rb_get_reader_page() will return NULL as there's no new page to get.  In this situation, the reader page should not be updated and no warning should trigger.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68184",
                                "url": "https://ubuntu.com/security/CVE-2025-68184",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/mediatek: Disable AFBC support on Mediatek DRM driver  Commit c410fa9b07c3 (\"drm/mediatek: Add AFBC support to Mediatek DRM driver\") added AFBC support to Mediatek DRM and enabled the 32x8/split/sparse modifier.  However, this is currently broken on Mediatek MT8188 (Genio 700 EVK platform); tested using upstream Kernel and Mesa (v25.2.1), AFBC is used by default since Mesa v25.0.  Kernel trace reports vblank timeouts constantly, and the render is garbled:  ``` [CRTC:62:crtc-0] vblank wait timed out WARNING: CPU: 7 PID: 70 at drivers/gpu/drm/drm_atomic_helper.c:1835 drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c [...] Hardware name: MediaTek Genio-700 EVK (DT) Workqueue: events_unbound commit_work pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c lr : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c sp : ffff80008337bca0 x29: ffff80008337bcd0 x28: 0000000000000061 x27: 0000000000000000 x26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c9dcc000 x23: 0000000000000001 x22: 0000000000000000 x21: ffff0000c66f2f80 x20: ffff0000c0d7d880 x19: 0000000000000000 x18: 000000000000000a x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000000 x14: 0000000000000000 x13: 74756f2064656d69 x12: 742074696177206b x11: 0000000000000058 x10: 0000000000000018 x9 : ffff800082396a70 x8 : 0000000000057fa8 x7 : 0000000000000cce x6 : ffff8000823eea70 x5 : ffff0001fef5f408 x4 : ffff80017ccee000 x3 : ffff0000c12cb480 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c12cb480 Call trace:  drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c (P)  drm_atomic_helper_commit_tail_rpm+0x64/0x80  commit_tail+0xa4/0x1a4  commit_work+0x14/0x20  process_one_work+0x150/0x290  worker_thread+0x2d0/0x3ec  kthread+0x12c/0x210  ret_from_fork+0x10/0x20 ---[ end trace 
0000000000000000 ]--- ```  Until this gets fixed upstream, disable AFBC support on this platform, as it's currently broken with upstream Mesa.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40302",
                                "url": "https://ubuntu.com/security/CVE-2025-40302",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: videobuf2: forbid remove_bufs when legacy fileio is active  vb2_ioctl_remove_bufs() call manipulates queue internal buffer list, potentially overwriting some pointers used by the legacy fileio access mode. Forbid that ioctl when fileio is active to protect internal queue state between subsequent read/write calls.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40303",
                                "url": "https://ubuntu.com/security/CVE-2025-40303",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: ensure no dirty metadata is written back for an fs with errors  [BUG] During development of a minor feature (make sure all btrfs_bio::end_io() is called in task context), I noticed a crash in generic/388, where metadata writes triggered new works after btrfs_stop_all_workers().  It turns out that it can even happen without any code modification, just using RAID5 for metadata and the same workload from generic/388 is going to trigger the use-after-free.  [CAUSE] If btrfs hits an error, the fs is marked as error, no new transaction is allowed thus metadata is in a frozen state.  But there are some metadata modifications before that error, and they are still in the btree inode page cache.  Since there will be no real transaction commit, all those dirty folios are just kept as is in the page cache, and they can not be invalidated by invalidate_inode_pages2() call inside close_ctree(), because they are dirty.  And finally after btrfs_stop_all_workers(), we call iput() on btree inode, which triggers writeback of those dirty metadata.  And if the fs is using RAID56 metadata, this will trigger RMW and queue new works into rmw_workers, which is already stopped, causing warning from queue_work() and use-after-free.  [FIX] Add a special handling for write_one_eb(), that if the fs is already in an error state, immediately mark the bbio as failure, instead of really submitting them.  Then during close_ctree(), iput() will just discard all those dirty tree blocks without really writing them back, thus no more new jobs for already stopped-and-freed workqueues.  The extra discard in write_one_eb() also acts as an extra safenet. E.g. the transaction abort is triggered by some extent/free space tree corruptions, and since extent/free space tree is already corrupted some tree blocks may be allocated where they shouldn't be (overwriting existing tree blocks). 
In that case writing them back will further corrupting the fs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40362",
                                "url": "https://ubuntu.com/security/CVE-2025-40362",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ceph: fix multifs mds auth caps issue  The mds auth caps check should also validate the fsname along with the associated caps. Not doing so would result in applying the mds auth caps of one fs on to the other fs in a multifs ceph cluster. The bug causes multiple issues w.r.t user authentication, following is one such example.  Steps to Reproduce (on vstart cluster): 1. Create two file systems in a cluster, say 'fsname1' and 'fsname2' 2. Authorize read only permission to the user 'client.usr' on fs 'fsname1'     $ceph fs authorize fsname1 client.usr / r 3. Authorize read and write permission to the same user 'client.usr' on fs 'fsname2'     $ceph fs authorize fsname2 client.usr / rw 4. Update the keyring     $ceph auth get client.usr >> ./keyring  With above permssions for the user 'client.usr', following is the expectation.   a. The 'client.usr' should be able to only read the contents      and not allowed to create or delete files on file system 'fsname1'.   b. The 'client.usr' should be able to read/write on file system 'fsname2'.  But, with this bug, the 'client.usr' is allowed to read/write on file system 'fsname1'. See below.  5. Mount the file system 'fsname1' with the user 'client.usr'      $sudo bin/mount.ceph usr@.fsname1=/ /kmnt_fsname1_usr/ 6. Try creating a file on file system 'fsname1' with user 'client.usr'. This    should fail but passes with this bug.      $touch /kmnt_fsname1_usr/file1 7. Mount the file system 'fsname1' with the user 'client.admin' and create a    file.      $sudo bin/mount.ceph admin@.fsname1=/ /kmnt_fsname1_admin      $echo \"data\" > /kmnt_fsname1_admin/admin_file1 8. Try removing an existing file on file system 'fsname1' with the user    'client.usr'. This shoudn't succeed but succeeds with the bug.      
$rm -f /kmnt_fsname1_usr/admin_file1  For more information, please take a look at the corresponding mds/fuse patch and tests added by looking into the tracker mentioned below.  v2: Fix a possible null dereference in doutc v3: Don't store fsname from mdsmap, validate against     ceph_mount_options's fsname and use it v4: Code refactor, better warning message and     fix possible compiler warning  [ Slava.Dubeyko: \"fsname check failed\" -> \"fsname mismatch\" ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40332",
                                "url": "https://ubuntu.com/security/CVE-2025-40332",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Fix mmap write lock not release  If mmap write lock is taken while draining retry fault, mmap write lock is not released because svm_range_restore_pages calls mmap_read_unlock then returns. This causes deadlock and system hangs later because mmap read or write lock cannot be taken.  Downgrade mmap write lock to read lock if draining retry fault fix this bug.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40304",
                                "url": "https://ubuntu.com/security/CVE-2025-40304",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds  Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen edges. Return early if the Y position is off-screen and clip image height to screen boundary. Break from the rendering loop if the X position is off-screen. When clipping image width to fit the screen, update the character count to match the clipped width to prevent buffer size mismatches.  Without the character count update, bit_putcs_aligned and bit_putcs_unaligned receive mismatched parameters where the buffer is allocated for the clipped width but cnt reflects the original larger count, causing out-of-bounds writes.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40305",
                                "url": "https://ubuntu.com/security/CVE-2025-40305",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN  p9_read_work() doesn't set Rworksched and doesn't do schedule_work(m->rq) if list_empty(&m->req_list).  However, if the pipe is full, we need to read more data and this used to work prior to commit aaec5a95d59615 (\"pipe_read: don't wake up the writer if the pipe is still full\").  p9_read_work() does p9_fd_read() -> ... -> anon_pipe_read() which (before the commit above) triggered the unnecessary wakeup. This wakeup calls p9_pollwake() which kicks p9_poll_workfn() -> p9_poll_mux(), p9_poll_mux() will notice EPOLLIN and schedule_work(&m->rq).  This no longer happens after the optimization above, change p9_fd_request() to use p9_poll_mux() instead of only checking for EPOLLOUT.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68318",
                                "url": "https://ubuntu.com/security/CVE-2025-68318",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL  The AXI crossbar of TH1520 has no proper timeout handling, which means gating AXI clocks can easily lead to bus timeout and thus system hang.  Set all AXI clock gates to CLK_IS_CRITICAL. All these clock gates are ungated by default on system reset.  In addition, convert all current CLK_IGNORE_UNUSED usage to CLK_IS_CRITICAL to prevent unwanted clock gating.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40209",
                                "url": "https://ubuntu.com/security/CVE-2025-40209",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation  When btrfs_add_qgroup_relation() is called with invalid qgroup levels (src >= dst), the function returns -EINVAL directly without freeing the preallocated qgroup_list structure passed by the caller. This causes a memory leak because the caller unconditionally sets the pointer to NULL after the call, preventing any cleanup.  The issue occurs because the level validation check happens before the mutex is acquired and before any error handling path that would free the prealloc pointer. On this early return, the cleanup code at the 'out' label (which includes kfree(prealloc)) is never reached.  In btrfs_ioctl_qgroup_assign(), the code pattern is:      prealloc = kzalloc(sizeof(*prealloc), GFP_KERNEL);     ret = btrfs_add_qgroup_relation(trans, sa->src, sa->dst, prealloc);     prealloc = NULL;  // Always set to NULL regardless of return value     ...     kfree(prealloc);  // This becomes kfree(NULL), does nothing  When the level check fails, 'prealloc' is never freed by either the callee or the caller, resulting in a 64-byte memory leak per failed operation. This can be triggered repeatedly by an unprivileged user with access to a writable btrfs mount, potentially exhausting kernel memory.  Fix this by freeing prealloc before the early return, ensuring prealloc is always freed on all error paths.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-21 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68183",
                                "url": "https://ubuntu.com/security/CVE-2025-68183",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr  Currently when both IMA and EVM are in fix mode, the IMA signature will be reset to IMA hash if a program first stores IMA signature in security.ima and then writes/removes some other security xattr for the file.  For example, on Fedora, after booting the kernel with \"ima_appraise=fix evm=fix ima_policy=appraise_tcb\" and installing rpm-plugin-ima, installing/reinstalling a package will not make good reference IMA signature generated. Instead IMA hash is generated,      # getfattr -m - -d -e hex /usr/bin/bash     # file: usr/bin/bash     security.ima=0x0404...  This happens because when setting security.selinux, the IMA_DIGSIG flag that had been set early was cleared. As a result, IMA hash is generated when the file is closed.  Similarly, IMA signature can be cleared on file close after removing security xattr like security.evm or setting/removing ACL.  Prevent replacing the IMA file signature with a file hash, by preventing the IMA_DIGSIG flag from being reset.  
Here's a minimal C reproducer which sets security.selinux as the last step which can also replaced by removing security.evm or setting ACL,      #include <stdio.h>     #include <sys/xattr.h>     #include <fcntl.h>     #include <unistd.h>     #include <string.h>     #include <stdlib.h>      int main() {         const char* file_path = \"/usr/sbin/test_binary\";         const char* hex_string = \"030204d33204490066306402304\";         int length = strlen(hex_string);         char* ima_attr_value;         int fd;          fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);         if (fd == -1) {             perror(\"Error opening file\");             return 1;         }          ima_attr_value = (char*)malloc(length / 2 );         for (int i = 0, j = 0; i < length; i += 2, j++) {             sscanf(hex_string + i, \"%2hhx\", &ima_attr_value[j]);         }          if (fsetxattr(fd, \"security.ima\", ima_attr_value, length/2, 0) == -1) {             perror(\"Error setting extended attribute\");             close(fd);             return 1;         }          const char* selinux_value= \"system_u:object_r:bin_t:s0\";         if (fsetxattr(fd, \"security.selinux\", selinux_value, strlen(selinux_value), 0) == -1) {             perror(\"Error setting extended attribute\");             close(fd);             return 1;         }          close(fd);          return 0;     }",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68173",
                                "url": "https://ubuntu.com/security/CVE-2025-68173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ftrace: Fix softlockup in ftrace_module_enable  A soft lockup was observed when loading amdgpu module. If a module has a lot of tracable functions, multiple calls to kallsyms_lookup can spend too much time in RCU critical section and with disabled preemption, causing kernel panic. This is the same issue that was fixed in commit d0b24b4e91fc (\"ftrace: Prevent RCU stall on PREEMPT_VOLUNTARY kernels\") and commit 42ea22e754ba (\"ftrace: Add cond_resched() to ftrace_graph_set_hash()\").  Fix it the same way by adding cond_resched() in ftrace_module_enable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40306",
                                "url": "https://ubuntu.com/security/CVE-2025-40306",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  orangefs: fix xattr related buffer overflow...  Willy Tarreau <w@1wt.eu> forwarded me a message from Disclosure <disclosure@aisle.com> with the following warning:  > The helper `xattr_key()` uses the pointer variable in the loop condition > rather than dereferencing it. As `key` is incremented, it remains non-NULL > (until it runs into unmapped memory), so the loop does not terminate on > valid C strings and will walk memory indefinitely, consuming CPU or hanging > the thread.  I easily reproduced this with setfattr and getfattr, causing a kernel oops, hung user processes and corrupted orangefs files. Disclosure sent along a diff (not a patch) with a suggested fix, which I based this patch on.  After xattr_key started working right, xfstest generic/069 exposed an xattr related memory leak that lead to OOM. xattr_key returns a hashed key.  When adding xattrs to the orangefs xattr cache, orangefs used hash_add, a kernel hashing macro. hash_add also hashes the key using hash_log which resulted in additions to the xattr cache going to the wrong hash bucket. generic/069 tortures a single file and orangefs does a getattr for the xattr \"security.capability\" every time. Orangefs negative caches on xattrs which includes a kmalloc. Since adds to the xattr cache were going to the wrong bucket, every getattr for \"security.capability\" resulted in another kmalloc, none of which were ever freed.  I changed the two uses of hash_add to hlist_add_head instead and the memory leak ceased and generic/069 quit throwing furniture.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40307",
                                "url": "https://ubuntu.com/security/CVE-2025-40307",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exfat: validate cluster allocation bits of the allocation bitmap  syzbot created an exfat image with cluster bits not set for the allocation bitmap. exfat-fs reads and uses the allocation bitmap without checking this. The problem is that if the start cluster of the allocation bitmap is 6, cluster 6 can be allocated when creating a directory with mkdir. exfat zeros out this cluster in exfat_mkdir, which can delete existing entries. This can reallocate the allocated entries. In addition, the allocation bitmap is also zeroed out, so cluster 6 can be reallocated. This patch adds exfat_test_bitmap_range to validate that clusters used for the allocation bitmap are correctly marked as in-use.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40308",
                                "url": "https://ubuntu.com/security/CVE-2025-40308",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: bcsp: receive data only if registered  Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace:      KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]     RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590     Call Trace:      <TASK>      hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627      tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290      tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706      vfs_ioctl fs/ioctl.c:51 [inline]      __do_sys_ioctl fs/ioctl.c:907 [inline]      __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893      do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]      do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94      entry_SYSCALL_64_after_hwframe+0x77/0x7f  To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40309",
                                "url": "https://ubuntu.com/security/CVE-2025-40309",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: SCO: Fix UAF on sco_conn_free  BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline] BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline] BUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 Write of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352  CPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted 6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci13 hci_cmd_sync_work Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0x191/0x550 mm/kasan/report.c:482  kasan_report+0xc4/0x100 mm/kasan/report.c:595  sco_conn_free net/bluetooth/sco.c:87 [inline]  kref_put include/linux/kref.h:65 [inline]  sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107  sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441  hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]  hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313  hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121  hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147  hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689  hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332  process_one_work kernel/workqueue.c:3236 [inline]  process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319  worker_thread+0xbee/0x1200 kernel/workqueue.c:3400  kthread+0x3c7/0x870 kernel/kthread.c:463  ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 31370:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x70 mm/kasan/common.c:68  poison_kmalloc_redzone 
mm/kasan/common.c:388 [inline]  __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405  kasan_kmalloc include/linux/kasan.h:260 [inline]  __do_kmalloc_node mm/slub.c:4382 [inline]  __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394  kmalloc_noprof include/linux/slab.h:909 [inline]  sk_prot_alloc+0xae/0x220 net/core/sock.c:2239  sk_alloc+0x34/0x5a0 net/core/sock.c:2295  bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151  sco_sock_alloc net/bluetooth/sco.c:562 [inline]  sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593  bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135  __sock_create+0x3ad/0x780 net/socket.c:1589  sock_create net/socket.c:1647 [inline]  __sys_socket_create net/socket.c:1684 [inline]  __sys_socket+0xd5/0x330 net/socket.c:1731  __do_sys_socket net/socket.c:1745 [inline]  __se_sys_socket net/socket.c:1743 [inline]  __x64_sys_socket+0x7a/0x90 net/socket.c:1743  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 31374:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x70 mm/kasan/common.c:68  kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576  poison_slab_object mm/kasan/common.c:243 [inline]  __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275  kasan_slab_free include/linux/kasan.h:233 [inline]  slab_free_hook mm/slub.c:2428 [inline]  slab_free mm/slub.c:4701 [inline]  kfree+0x199/0x3b0 mm/slub.c:4900  sk_prot_free net/core/sock.c:2278 [inline]  __sk_destruct+0x4aa/0x630 net/core/sock.c:2373  sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333  __sock_release net/socket.c:649 [inline]  sock_close+0xb8/0x230 net/socket.c:1439  __fput+0x3d1/0x9e0 fs/file_table.c:468  task_work_run+0x206/0x2a0 kernel/task_work.c:227  get_signal+0x1201/0x1410 kernel/signal.c:2807  arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337  exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40  exit_to_user_mode_prepare 
include/linux/irq-entry-common.h:225 [inline]  s ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68174",
                                "url": "https://ubuntu.com/security/CVE-2025-68174",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  amd/amdkfd: enhance kfd process check in switch partition  current switch partition only check if kfd_processes_table is empty. kfd_prcesses_table entry is deleted in kfd_process_notifier_release, but kfd_process tear down is in kfd_process_wq_release.  consider two processes:  Process A (workqueue) -> kfd_process_wq_release -> Access kfd_node member Process B switch partition -> amdgpu_xcp_pre_partition_switch -> amdgpu_amdkfd_device_fini_sw -> kfd_node tear down.  Process A and B may trigger a race as shown in dmesg log.  This patch is to resolve the race by adding an atomic kfd_process counter kfd_processes_count, it increment as create kfd process, decrement as finish kfd_process_wq_release.  v2: Put kfd_processes_count per kfd_dev, move decrement to kfd_process_destroy_pdds and bug fix. (Philip Yang)  [3966658.307702] divide error: 0000 [#1] SMP NOPTI [3966658.350818]  i10nm_edac [3966658.356318] CPU: 124 PID: 38435 Comm: kworker/124:0 Kdump: loaded Tainted [3966658.356890] Workqueue: kfd_process_wq kfd_process_wq_release [amdgpu] [3966658.362839]  nfit [3966658.366457] RIP: 0010:kfd_get_num_sdma_engines+0x17/0x40 [amdgpu] [3966658.366460] Code: 00 00 e9 ac 81 02 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 0f 1f 44 00 00 48 8b 4f 08 48 8b b7 00 01 00 00 8b 81 58 26 03 00 99 <f7> be b8 01 00 00 80 b9 70 2e 00 00 00 74 0b 83 f8 02 ba 02 00 00 [3966658.380967]  x86_pkg_temp_thermal [3966658.391529] RSP: 0018:ffffc900a0edfdd8 EFLAGS: 00010246 [3966658.391531] RAX: 0000000000000008 RBX: ffff8974e593b800 RCX: ffff888645900000 [3966658.391531] RDX: 0000000000000000 RSI: ffff888129154400 RDI: ffff888129151c00 [3966658.391532] RBP: ffff8883ad79d400 R08: 0000000000000000 R09: ffff8890d2750af4 [3966658.391532] R10: 0000000000000018 R11: 0000000000000018 R12: 0000000000000000 [3966658.391533] R13: ffff8883ad79d400 R14: ffffe87ff662ba00 R15: ffff8974e593b800 
[3966658.391533] FS:  0000000000000000(0000) GS:ffff88fe7f600000(0000) knlGS:0000000000000000 [3966658.391534] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [3966658.391534] CR2: 0000000000d71000 CR3: 000000dd0e970004 CR4: 0000000002770ee0 [3966658.391535] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [3966658.391535] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [3966658.391536] PKRU: 55555554 [3966658.391536] Call Trace: [3966658.391674]  deallocate_sdma_queue+0x38/0xa0 [amdgpu] [3966658.391762]  process_termination_cpsch+0x1ed/0x480 [amdgpu] [3966658.399754]  intel_powerclamp [3966658.402831]  kfd_process_dequeue_from_all_devices+0x5b/0xc0 [amdgpu] [3966658.402908]  kfd_process_wq_release+0x1a/0x1a0 [amdgpu] [3966658.410516]  coretemp [3966658.434016]  process_one_work+0x1ad/0x380 [3966658.434021]  worker_thread+0x49/0x310 [3966658.438963]  kvm_intel [3966658.446041]  ? process_one_work+0x380/0x380 [3966658.446045]  kthread+0x118/0x140 [3966658.446047]  ? 
__kthread_bind_mask+0x60/0x60 [3966658.446050]  ret_from_fork+0x1f/0x30 [3966658.446053] Modules linked in: kpatch_20765354(OEK) [3966658.455310]  kvm [3966658.464534]  mptcp_diag xsk_diag raw_diag unix_diag af_packet_diag netlink_diag udp_diag act_pedit act_mirred act_vlan cls_flower kpatch_21951273(OEK) kpatch_18424469(OEK) kpatch_19749756(OEK) [3966658.473462]  idxd_mdev [3966658.482306]  kpatch_17971294(OEK) sch_ingress xt_conntrack amdgpu(OE) amdxcp(OE) amddrm_buddy(OE) amd_sched(OE) amdttm(OE) amdkcl(OE) intel_ifs iptable_mangle tcm_loop target_core_pscsi tcp_diag target_core_file inet_diag target_core_iblock target_core_user target_core_mod coldpgs kpatch_18383292(OEK) ip6table_nat ip6table_filter ip6_tables ip_set_hash_ipportip ip_set_hash_ipportnet ip_set_hash_ipport ip_set_bitmap_port xt_comment iptable_nat nf_nat iptable_filter ip_tables ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 sn_core_odd(OE) i40e overlay binfmt_misc tun bonding(OE) aisqos(OE) aisqo ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40310",
                                "url": "https://ubuntu.com/security/CVE-2025-40310",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw  There is race in amdgpu_amdkfd_device_fini_sw and interrupt. if amdgpu_amdkfd_device_fini_sw run in b/w kfd_cleanup_nodes and   kfree(kfd), and KGD interrupt generated.  kernel panic log:  BUG: kernel NULL pointer dereference, address: 0000000000000098 amdgpu 0000:c8:00.0: amdgpu: Requesting 4 partitions through PSP  PGD d78c68067 P4D d78c68067  kfd kfd: amdgpu: Allocated 3969056 bytes on gart  PUD 1465b8067 PMD @  Oops: @002 [#1] SMP NOPTI  kfd kfd: amdgpu: Total number of KFD nodes to be created: 4 CPU: 115 PID: @ Comm: swapper/115 Kdump: loaded Tainted: G S W OE K  RIP: 0010:_raw_spin_lock_irqsave+0x12/0x40  Code: 89 e@ 41 5c c3 cc cc cc cc 66 66 2e Of 1f 84 00 00 00 00 00 OF 1f 40 00 Of 1f 44% 00 00 41 54 9c 41 5c fa 31 cO ba 01 00 00 00 <fO> OF b1 17 75 Ba 4c 89 e@ 41 Sc  89 c6 e8 07 38 5d  RSP: 0018: ffffc90@1a6b0e28 EFLAGS: 00010046  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000018 0000000000000001 RSI: ffff8883bb623e00 RDI: 0000000000000098 ffff8883bb000000 RO8: ffff888100055020 ROO: ffff888100055020 0000000000000000 R11: 0000000000000000 R12: 0900000000000002 ffff888F2b97da0@ R14: @000000000000098 R15: ffff8883babdfo00  CS: 010 DS: 0000 ES: 0000 CRO: 0000000080050033  CR2: 0000000000000098 CR3: 0000000e7cae2006 CR4: 0000000002770ce0 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 0000000000000000 DR6: 00000000fffeO7FO DR7: 0000000000000400  PKRU: 55555554  Call Trace:  <IRQ>  kgd2kfd_interrupt+@x6b/0x1f@ [amdgpu]  ? 
amdgpu_fence_process+0xa4/0x150 [amdgpu]  kfd kfd: amdgpu: Node: 0, interrupt_bitmap: 3 YcpxFl Rant tErace  amdgpu_irq_dispatch+0x165/0x210 [amdgpu]  amdgpu_ih_process+0x80/0x100 [amdgpu]  amdgpu: Virtual CRAT table created for GPU  amdgpu_irq_handler+0x1f/@x60 [amdgpu]  __handle_irq_event_percpu+0x3d/0x170  amdgpu: Topology: Add dGPU node [0x74a2:0x1002]  handle_irq_event+0x5a/@xcO  handle_edge_irq+0x93/0x240  kfd kfd: amdgpu: KFD node 1 partition @ size 49148M  asm_call_irq_on_stack+0xf/@x20  </IRQ>  common_interrupt+0xb3/0x130  asm_common_interrupt+0x1le/0x40  5.10.134-010.a1i5000.a18.x86_64 #1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40361",
                                "url": "https://ubuntu.com/security/CVE-2025-40361",
                                "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40311",
                                "url": "https://ubuntu.com/security/CVE-2025-40311",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/habanalabs: support mapping cb with vmalloc-backed coherent memory  When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return addresses from the vmalloc range. If such an address is mapped without VM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the VM_PFNMAP restriction.  Fix this by checking for vmalloc addresses and setting VM_MIXEDMAP in the VMA before mapping. This ensures safe mapping and avoids kernel crashes. The memory is still driver-allocated and cannot be accessed directly by userspace.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68185",
                                "url": "https://ubuntu.com/security/CVE-2025-68185",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing  Theoretically it's an oopsable race, but I don't believe one can manage to hit it on real hardware; might become doable on a KVM, but it still won't be easy to attack.  Anyway, it's easy to deal with - since xdr_encode_hyper() is just a call of put_unaligned_be64(), we can put that under ->d_lock and be done with that.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68176",
                                "url": "https://ubuntu.com/security/CVE-2025-68176",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: cadence: Check for the existence of cdns_pcie::ops before using it  cdns_pcie::ops might not be populated by all the Cadence glue drivers. This is going to be true for the upcoming Sophgo platform which doesn't set the ops.  Hence, add a check to prevent NULL pointer dereference.  [mani: reworded subject and description]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68190",
                                "url": "https://ubuntu.com/security/CVE-2025-68190",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()  kcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws remains NULL while ectx.ws_size is set, leading to a potential NULL pointer dereference in atom_get_src_int() when accessing WS entries.  Return -ENOMEM on allocation failure to avoid the NULL dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68168",
                                "url": "https://ubuntu.com/security/CVE-2025-68168",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  jfs: fix uninitialized waitqueue in transaction manager  The transaction manager initialization in txInit() was not properly initializing TxBlock[0].waitor waitqueue, causing a crash when txEnd(0) is called on read-only filesystems.  When a filesystem is mounted read-only, txBegin() returns tid=0 to indicate no transaction. However, txEnd(0) still gets called and tries to access TxBlock[0].waitor via tid_to_tblock(0), but this waitqueue was never initialized because the initialization loop started at index 1 instead of 0.  This causes a 'non-static key' lockdep warning and system crash:   INFO: trying to register non-static key in txEnd  Fix by ensuring all transaction blocks including TxBlock[0] have their waitqueues properly initialized during txInit().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40312",
                                "url": "https://ubuntu.com/security/CVE-2025-40312",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  jfs: Verify inode mode when loading from disk  The inode mode loaded from corrupted disk can be invalid. Do like what commit 0a9e74051313 (\"isofs: Verify inode mode when loading from disk\") does.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40333",
                                "url": "https://ubuntu.com/security/CVE-2025-40333",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix infinite loop in __insert_extent_tree()  When we get wrong extent info data and look up extent_node in the rb tree, it will cause an infinite loop (CONFIG_F2FS_CHECK_FS=n). Avoid this by returning NULL and printing some kernel messages in that case.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68321",
                                "url": "https://ubuntu.com/security/CVE-2025-68321",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  page_pool: always add GFP_NOWARN for ATOMIC allocations  Driver authors often forget to add GFP_NOWARN for page allocation from the datapath. This is annoying to users as OOMs are a fact of life, and we pretty much expect network Rx to hit page allocation failures during OOM. Make page pool add GFP_NOWARN for ATOMIC allocations by default.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40334",
                                "url": "https://ubuntu.com/security/CVE-2025-40334",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: validate userq buffer virtual address and size  The userq object virtual address needs to be validated to determine whether it resides in a valid vm mapping.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68191",
                                "url": "https://ubuntu.com/security/CVE-2025-68191",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  udp_tunnel: use netdev_warn() instead of netdev_WARN()  netdev_WARN() uses WARN/WARN_ON to print a backtrace along with file and line information. In this case, udp_tunnel_nic_register() returning an error is just a failed operation, not a kernel bug.  udp_tunnel_nic_register() can fail due to a memory allocation failure (kzalloc() or udp_tunnel_nic_alloc()). This is a normal runtime error and not a kernel bug.  Replace netdev_WARN() with netdev_warn() accordingly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68309",
                                "url": "https://ubuntu.com/security/CVE-2025-68309",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI/AER: Fix NULL pointer access by aer_info  The kzalloc(GFP_KERNEL) may return NULL, so all accesses to aer_info->xxx will result in kernel panic. Fix it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40313",
                                "url": "https://ubuntu.com/security/CVE-2025-40313",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ntfs3: pretend $Extend records as regular files  Since commit af153bb63a33 (\"vfs: catch invalid modes in may_open()\") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/ S_IFIFO/S_IFSOCK type, use S_IFREG for $Extend records.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40335",
                                "url": "https://ubuntu.com/security/CVE-2025-40335",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: validate userq input args  This helps validate the userq input args and reject an invalid userq request at the IOCTL in the first place.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40314",
                                "url": "https://ubuntu.com/security/CVE-2025-40314",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget  In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget structure (pdev->gadget) was freed before its endpoints. The endpoints are linked via the ep_list in the gadget structure. Freeing the gadget first leaves dangling pointers in the endpoint list. When the endpoints are subsequently freed, this results in a use-after-free.  Fix: By separating the usb_del_gadget_udc() operation into distinct \"del\" and \"put\" steps, cdnsp_gadget_free_endpoints() can be executed prior to the final release of the gadget structure with usb_put_gadget().  A patch similar to bb9c74a5bd14(\"usb: dwc3: gadget: Free gadget structure  only after freeing endpoints\").",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40336",
                                "url": "https://ubuntu.com/security/CVE-2025-40336",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gpusvm: fix hmm_pfn_to_map_order() usage  Handle the case where the hmm range partially covers a huge page (like 2M), otherwise we can potentially end up doing something nasty like mapping memory which is outside the range, and maybe not even mapped by the mm. Fix is based on the xe userptr code, which in a future patch will directly use gpusvm, so needs alignment here.  v2:   - Add kernel-doc (Matt B)   - s/fls/ilog2/ (Thomas)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68193",
                                "url": "https://ubuntu.com/security/CVE-2025-68193",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Add devm release action to safely tear down CT  When a buffer object (BO) is allocated with the XE_BO_FLAG_GGTT_INVALIDATE flag, the driver initiates TLB invalidation requests via the CTB mechanism while releasing the BO. However a premature release of the CTB BO can lead to system crashes, as observed in:  Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:h2g_write+0x2f3/0x7c0 [xe] Call Trace:  guc_ct_send_locked+0x8b/0x670 [xe]  xe_guc_ct_send_locked+0x19/0x60 [xe]  send_tlb_invalidation+0xb4/0x460 [xe]  xe_gt_tlb_invalidation_ggtt+0x15e/0x2e0 [xe]  ggtt_invalidate_gt_tlb.part.0+0x16/0x90 [xe]  ggtt_node_remove+0x110/0x140 [xe]  xe_ggtt_node_remove+0x40/0xa0 [xe]  xe_ggtt_remove_bo+0x87/0x250 [xe]  Introduce a devm-managed release action during xe_guc_ct_init() and xe_guc_ct_init_post_hwconfig() to ensure proper CTB disablement before resource deallocation, preventing the use-after-free scenario.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68175",
                                "url": "https://ubuntu.com/security/CVE-2025-68175",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: nxp: imx8-isi: Fix streaming cleanup on release  The current implementation unconditionally calls mxc_isi_video_cleanup_streaming() in mxc_isi_video_release(). This can lead to situations where any release call (like from a simple \"v4l2-ctl -l\") may release a currently streaming queue when called on such a device.  This is reproducible on an i.MX8MP board by streaming from an ISI capture device using gstreamer:  \tgst-launch-1.0 -v v4l2src device=/dev/videoX ! \\ \t    video/x-raw,format=GRAY8,width=1280,height=800,framerate=1/120 ! \\ \t    fakesink  While this stream is running, querying the caps of the same device provokes the error state:  \tv4l2-ctl -l -d /dev/videoX  This results in the following trace:  [  155.452152] ------------[ cut here ]------------ [  155.452163] WARNING: CPU: 0 PID: 1708 at drivers/media/platform/nxp/imx8-isi/imx8-isi-pipe.c:713 mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [  157.004248] Modules linked in: cfg80211 rpmsg_ctrl rpmsg_char rpmsg_tty virtio_rpmsg_bus rpmsg_ns rpmsg_core rfkill nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables mcp251x6 [  157.053499] CPU: 0 UID: 0 PID: 1708 Comm: python3 Not tainted 6.15.4-00114-g1f61ca5cad76 #1 PREEMPT [  157.064369] Hardware name: imx8mp_board_01 (DT) [  157.068205] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [  157.075169] pc : mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [  157.081195] lr : mxc_isi_pipe_irq_handler+0x38/0x1b0 [imx8_isi] [  157.087126] sp : ffff800080003ee0 [  157.090438] x29: ffff800080003ee0 x28: ffff0000c3688000 x27: 0000000000000000 [  157.097580] x26: 0000000000000000 x25: ffff0000c1e7ac00 x24: ffff800081b5ad50 [  157.104723] x23: 00000000000000d1 x22: 0000000000000000 x21: ffff0000c25e4000 [  157.111866] x20: 0000000060000200 x19: ffff80007a0608d0 x18: 0000000000000000 [  157.119008] x17: 
ffff80006a4e3000 x16: ffff800080000000 x15: 0000000000000000 [  157.126146] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [  157.133287] x11: 0000000000000040 x10: ffff0000c01445f0 x9 : ffff80007a053a38 [  157.140425] x8 : ffff0000c04004b8 x7 : 0000000000000000 x6 : 0000000000000000 [  157.147567] x5 : ffff0000c0400490 x4 : ffff80006a4e3000 x3 : ffff0000c25e4000 [  157.154706] x2 : 0000000000000000 x1 : ffff8000825c0014 x0 : 0000000060000200 [  157.161850] Call trace: [  157.164296]  mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] (P) [  157.170319]  __handle_irq_event_percpu+0x58/0x218 [  157.175029]  handle_irq_event+0x54/0xb8 [  157.178867]  handle_fasteoi_irq+0xac/0x248 [  157.182968]  handle_irq_desc+0x48/0x68 [  157.186723]  generic_handle_domain_irq+0x24/0x38 [  157.191346]  gic_handle_irq+0x54/0x120 [  157.195098]  call_on_irq_stack+0x24/0x30 [  157.199027]  do_interrupt_handler+0x88/0x98 [  157.203212]  el0_interrupt+0x44/0xc0 [  157.206792]  __el0_irq_handler_common+0x18/0x28 [  157.211328]  el0t_64_irq_handler+0x10/0x20 [  157.215429]  el0t_64_irq+0x198/0x1a0 [  157.219009] ---[ end trace 0000000000000000 ]---  Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the vb2_ioctl_streamon() and vb2_ioctl_streamoff() helpers, and removal of the manual cleanup from mxc_isi_video_release().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68188",
                                "url": "https://ubuntu.com/security/CVE-2025-68188",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()  Use RCU to avoid a pair of atomic operations and a potential UAF on dst_dev()->flags.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68315",
                                "url": "https://ubuntu.com/security/CVE-2025-68315",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix to detect potential corrupted nid in free_nid_list  As reported, on-disk footer.ino and footer.nid is the same and out-of-range, let's add sanity check on f2fs_alloc_nid() to detect any potential corruption in free_nid_list.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40337",
                                "url": "https://ubuntu.com/security/CVE-2025-40337",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Correctly handle Rx checksum offload errors  The stmmac_rx function would previously set skb->ip_summed to CHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabled and the packet was of a known IP ethertype.  However, this logic failed to check if the hardware had actually reported a checksum error. The hardware status, indicating a header or payload checksum failure, was being ignored at this stage. This could cause corrupt packets to be passed up the network stack as valid.  This patch corrects the logic by checking the `csum_none` status flag, which is set when the hardware reports a checksum error. If this flag is set, skb->ip_summed is now correctly set to CHECKSUM_NONE, ensuring the kernel's network stack will perform its own validation and properly handle the corrupt packet.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40338",
                                "url": "https://ubuntu.com/security/CVE-2025-40338",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Do not share the name pointer between components  By sharing 'name' directly, tearing down components may lead to use-after-free errors. Duplicate the name to avoid that.  At the same time, update the order of operations - since commit cee28113db17 (\"ASoC: dmaengine_pcm: Allow passing component name via config\") the framework does not override component->name if set before invoking the initializer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40339",
                                "url": "https://ubuntu.com/security/CVE-2025-40339",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: fix nullptr err of vm_handle_moved  If a amdgpu_bo_va is fpriv->prt_va, the bo of this one is always NULL. So, such kind of amdgpu_bo_va should be updated separately before amdgpu_vm_handle_moved.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68194",
                                "url": "https://ubuntu.com/security/CVE-2025-68194",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: imon: make send_packet() more robust  syzbot is reporting that imon has three problems which result in hung tasks due to forever holding device lock [1].  First problem is that when usb_rx_callback_intf0() once got -EPROTO error after ictx->dev_present_intf0 became true, usb_rx_callback_intf0() resubmits urb after printk(), and resubmitted urb causes usb_rx_callback_intf0() to again get -EPROTO error. This results in printk() flooding (RCU stalls).  Alan Stern commented [2] that    In theory it's okay to resubmit _if_ the driver has a robust   error-recovery scheme (such as giving up after some fixed limit on the   number of errors or after some fixed time has elapsed, perhaps with a   time delay to prevent a flood of errors).  Most drivers don't bother to   do this; they simply give up right away.  This makes them more   vulnerable to short-term noise interference during USB transfers, but in   reality such interference is quite rare.  There's nothing really wrong   with giving up right away.  but imon has a poor error-recovery scheme which just retries forever; this behavior should be fixed.  Since I'm not sure whether it is safe for imon users to give up upon any error code, this patch takes care of only union of error codes chosen from modules in drivers/media/rc/ directory which handle -EPROTO error (i.e. ir_toy, mceusb and igorplugusb).  Second problem is that when usb_rx_callback_intf0() once got -EPROTO error before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0() always resubmits urb due to commit 8791d63af0cf (\"[media] imon: don't wedge hardware after early callbacks\"). 
Move the ictx->dev_present_intf0 test introduced by commit 6f6b90c9231a (\"[media] imon: don't parse scancodes until intf configured\") to immediately before imon_incoming_packet(), or the first problem explained above happens without printk() flooding (i.e. hung task).  Third problem is that when usb_rx_callback_intf0() is not called for some reason (e.g. flaky hardware; the reproducer for this problem sometimes prevents usb_rx_callback_intf0() from being called), wait_for_completion_interruptible() in send_packet() never returns (i.e. hung task). As a workaround for such situation, change send_packet() to wait for completion with timeout of 10 seconds.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40363",
                                "url": "https://ubuntu.com/security/CVE-2025-40363",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: ipv6: fix field-spanning memcpy warning in AH output  Fix field-spanning memcpy warnings in ah6_output() and ah6_output_done() where extension headers are copied to/from IPv6 address fields, triggering fortify-string warnings about writes beyond the 16-byte address fields.    memcpy: detected field-spanning write (size 40) of single field \"&top_iph->saddr\" at net/ipv6/ah6.c:439 (size 16)   WARNING: CPU: 0 PID: 8838 at net/ipv6/ah6.c:439 ah6_output+0xe7e/0x14e0 net/ipv6/ah6.c:439  The warnings are false positives as the extension headers are intentionally placed after the IPv6 header in memory. Fix by properly copying addresses and extension headers separately, and introduce helper functions to avoid code duplication.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68311",
                                "url": "https://ubuntu.com/security/CVE-2025-68311",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: serial: ip22zilog: Use platform device for probing  After commit 84a9582fd203 (\"serial: core: Start managing serial controllers to enable runtime PM\") serial drivers need to provide a device in struct uart_port.dev otherwise an oops happens. To fix this issue for ip22zilog driver switch driver to a platform driver and setup the serial device in sgi-ip22 code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40340",
                                "url": "https://ubuntu.com/security/CVE-2025-40340",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.  I saw an oops in xe_gem_fault when running the xe-fast-feedback testlist against the realtime kernel without debug options enabled.  The panic happens after core_hotunplug unbind-rebind finishes. Presumably what happens is that a process mmaps, unlocks because of the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left, causing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since there was nothing left to populate, and then oopses in \"mem_type_is_vram(tbo->resource->mem_type)\" because tbo->resource is NULL.  It's convoluted, but fits the data and explains the oops after the test exits.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68196",
                                "url": "https://ubuntu.com/security/CVE-2025-68196",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Cache streams targeting link when performing LT automation  [WHY] Last LT automation update can cause crash by referencing current_state and calling into dc_update_planes_and_stream which may clobber current_state.  [HOW] Cache relevant stream pointers and iterate through them instead of relying on the current_state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68178",
                                "url": "https://ubuntu.com/security/CVE-2025-68178",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  blk-cgroup: fix possible deadlock while configuring policy  Following deadlock can be triggered easily by lockdep:  WARNING: possible circular locking dependency detected 6.17.0-rc3-00124-ga12c2658ced0 #1665 Not tainted ------------------------------------------------------ check/1334 is trying to acquire lock: ff1100011d9d0678 (&q->sysfs_lock){+.+.}-{4:4}, at: blk_unregister_queue+0x53/0x180  but task is already holding lock: ff1100011d9d00e0 (&q->q_usage_counter(queue)#3){++++}-{0:0}, at: del_gendisk+0xba/0x110  which lock already depends on the new lock.  the existing dependency chain (in reverse order) is:  -> #2 (&q->q_usage_counter(queue)#3){++++}-{0:0}:        blk_queue_enter+0x40b/0x470        blkg_conf_prep+0x7b/0x3c0        tg_set_limit+0x10a/0x3e0        cgroup_file_write+0xc6/0x420        kernfs_fop_write_iter+0x189/0x280        vfs_write+0x256/0x490        ksys_write+0x83/0x190        __x64_sys_write+0x21/0x30        x64_sys_call+0x4608/0x4630        do_syscall_64+0xdb/0x6b0        entry_SYSCALL_64_after_hwframe+0x76/0x7e  -> #1 (&q->rq_qos_mutex){+.+.}-{4:4}:        __mutex_lock+0xd8/0xf50        mutex_lock_nested+0x2b/0x40        wbt_init+0x17e/0x280        wbt_enable_default+0xe9/0x140        blk_register_queue+0x1da/0x2e0        __add_disk+0x38c/0x5d0        add_disk_fwnode+0x89/0x250        device_add_disk+0x18/0x30        virtblk_probe+0x13a3/0x1800        virtio_dev_probe+0x389/0x610        really_probe+0x136/0x620        __driver_probe_device+0xb3/0x230        driver_probe_device+0x2f/0xe0        __driver_attach+0x158/0x250        bus_for_each_dev+0xa9/0x130        driver_attach+0x26/0x40        bus_add_driver+0x178/0x3d0        driver_register+0x7d/0x1c0        __register_virtio_driver+0x2c/0x60        virtio_blk_init+0x6f/0xe0        do_one_initcall+0x94/0x540        kernel_init_freeable+0x56a/0x7b0        
kernel_init+0x2b/0x270        ret_from_fork+0x268/0x4c0        ret_from_fork_asm+0x1a/0x30  -> #0 (&q->sysfs_lock){+.+.}-{4:4}:        __lock_acquire+0x1835/0x2940        lock_acquire+0xf9/0x450        __mutex_lock+0xd8/0xf50        mutex_lock_nested+0x2b/0x40        blk_unregister_queue+0x53/0x180        __del_gendisk+0x226/0x690        del_gendisk+0xba/0x110        sd_remove+0x49/0xb0 [sd_mod]        device_remove+0x87/0xb0        device_release_driver_internal+0x11e/0x230        device_release_driver+0x1a/0x30        bus_remove_device+0x14d/0x220        device_del+0x1e1/0x5a0        __scsi_remove_device+0x1ff/0x2f0        scsi_remove_device+0x37/0x60        sdev_store_delete+0x77/0x100        dev_attr_store+0x1f/0x40        sysfs_kf_write+0x65/0x90        kernfs_fop_write_iter+0x189/0x280        vfs_write+0x256/0x490        ksys_write+0x83/0x190        __x64_sys_write+0x21/0x30        x64_sys_call+0x4608/0x4630        do_syscall_64+0xdb/0x6b0        entry_SYSCALL_64_after_hwframe+0x76/0x7e  other info that might help us debug this:  Chain exists of:   &q->sysfs_lock --> &q->rq_qos_mutex --> &q->q_usage_counter(queue)#3   Possible unsafe locking scenario:         CPU0                    CPU1        ----                    ----   lock(&q->q_usage_counter(queue)#3);                                lock(&q->rq_qos_mutex);                                lock(&q->q_usage_counter(queue)#3);   lock(&q->sysfs_lock);  Root cause is that queue_usage_counter is grabbed with rq_qos_mutex held in blkg_conf_prep(), while queue should be freezed before rq_qos_mutex from other context.  The blk_queue_enter() from blkg_conf_prep() is used to protect against policy deactivation, which is already protected with blkcg_mutex, hence convert blk_queue_enter() to blkcg_mutex to fix this problem. Meanwhile, consider that blkcg_mutex is held after queue is freezed from policy deactivation, also convert blkg_alloc() to use GFP_NOIO.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40341",
                                "url": "https://ubuntu.com/security/CVE-2025-40341",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  futex: Don't leak robust_list pointer on exec race  sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access() to check if the calling task is allowed to access another task's robust_list pointer. This check is racy against a concurrent exec() in the target process.  During exec(), a task may transition from a non-privileged binary to a privileged one (e.g., setuid binary) and its credentials/memory mappings may change. If get_robust_list() performs ptrace_may_access() before this transition, it may erroneously allow access to sensitive information after the target becomes privileged.  A racy access allows an attacker to exploit a window during which ptrace_may_access() passes before a target process transitions to a privileged state via exec().  For example, consider a non-privileged task T that is about to execute a setuid-root binary. An attacker task A calls get_robust_list(T) while T is still unprivileged. Since ptrace_may_access() checks permissions based on current credentials, it succeeds. However, if T begins exec immediately afterwards, it becomes privileged and may change its memory mappings. Because get_robust_list() proceeds to access T->robust_list without synchronizing with exec() it may read user-space pointers from a now-privileged process.  This violates the intended post-exec access restrictions and could expose sensitive memory addresses or be used as a primitive in a larger exploit chain. Consequently, the race can lead to unauthorized disclosure of information across privilege boundaries and poses a potential security risk.  Take a read lock on signal->exec_update_lock prior to invoking ptrace_may_access() and accessing the robust_list/compat_robust_list. This ensures that the target task's exec state remains stable during the check, allowing for consistent and synchronized validation of credentials.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40342",
                                "url": "https://ubuntu.com/security/CVE-2025-40342",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvme-fc: use lock accessing port_state and rport state  nvme_fc_unregister_remote removes the remote port on a lport object at any point in time when there is no active association. This races with with the reconnect logic, because nvme_fc_create_association is not taking a lock to check the port_state and atomically increase the active count on the rport.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40343",
                                "url": "https://ubuntu.com/security/CVE-2025-40343",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-fc: avoid scheduling association deletion twice  When forcefully shutting down a port via the configfs interface, nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and then nvmet_disable_port(). Both functions will eventually schedule all remaining associations for deletion.  The current implementation checks whether an association is about to be removed, but only after the work item has already been scheduled. As a result, it is possible for the first scheduled work item to free all resources, and then for the same work item to be scheduled again for deletion.  Because the association list is an RCU list, it is not possible to take a lock and remove the list entry directly, so it cannot be looked up again. Instead, a flag (terminating) must be used to determine whether the association is already in the process of being deleted.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68177",
                                "url": "https://ubuntu.com/security/CVE-2025-68177",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq/longhaul: handle NULL policy in longhaul_exit  longhaul_exit() was calling cpufreq_cpu_get(0) without checking for a NULL policy pointer. On some systems, this could lead to a NULL dereference and a kernel warning or panic.  This patch adds a check using unlikely() and returns early if the policy is NULL.  Bugzilla: #219962",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68317",
                                "url": "https://ubuntu.com/security/CVE-2025-68317",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/zctx: check chained notif contexts  Send zc only links ubuf_info for requests coming from the same context. There are some ambiguous syz reports, so let's check the assumption on notification completion.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40315",
                                "url": "https://ubuntu.com/security/CVE-2025-40315",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_fs: Fix epfile null pointer access after ep enable.  A race condition occurs when ffs_func_eps_enable() runs concurrently with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading to a NULL pointer dereference when accessing epfile->ep in ffs_func_eps_enable() after successful usb_ep_enable().  The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and ffs_data_close() functions, and its modification is protected by the spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function is also protected by ffs->eps_lock.  Thus, add NULL pointer handling for ffs->epfiles in the ffs_func_eps_enable() function to fix issues",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40316",
                                "url": "https://ubuntu.com/security/CVE-2025-40316",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/mediatek: Fix device use-after-free on unbind  A recent change fixed device reference leaks when looking up drm platform device driver data during bind() but failed to remove a partial fix which had been added by commit 80805b62ea5b (\"drm/mediatek: Fix kobject put for component sub-drivers\").  This results in a reference imbalance on component bind() failures and on unbind() which could lead to a user-after-free.  Make sure to only drop the references after retrieving the driver data by effectively reverting the previous partial fix.  Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40360",
                                "url": "https://ubuntu.com/security/CVE-2025-40360",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sysfb: Do not dereference NULL pointer in plane reset  The plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not deref that pointer, but forward NULL to the other plane-reset helpers. Clears plane->state to NULL.  v2: - fix typo in commit description (Javier)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68179",
                                "url": "https://ubuntu.com/security/CVE-2025-68179",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP  As reported by Luiz Capitulino enabling HVO on s390 leads to reproducible crashes. The problem is that kernel page tables are modified without flushing corresponding TLB entries.  Even if it looks like the empty flush_tlb_all() implementation on s390 is the problem, it is actually a different problem: on s390 it is not allowed to replace an active/valid page table entry with another valid page table entry without the detour over an invalid entry. A direct replacement may lead to random crashes and/or data corruption.  In order to invalidate an entry special instructions have to be used (e.g. ipte or idte). Alternatively there are also special instructions available which allow to replace a valid entry with a different valid entry (e.g. crdte or cspg).  Given that the HVO code currently does not provide the hooks to allow for an implementation which is compliant with the s390 architecture requirements, disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP again, which is basically a revert of the original patch which enabled it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68310",
                                "url": "https://ubuntu.com/security/CVE-2025-68310",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump  Do not block PCI config accesses through pci_cfg_access_lock() when executing the s390 variant of PCI error recovery: Acquire just device_lock() instead of pci_dev_lock() as powerpc's EEH and generig PCI AER processing do.  During error recovery testing a pair of tasks was reported to be hung:  mlx5_core 0000:00:00.1: mlx5_health_try_recover:338:(pid 5553): health recovery flow aborted, PCI reads still not working INFO: task kmcheck:72 blocked for more than 122 seconds.       Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. task:kmcheck         state:D stack:0     pid:72    tgid:72    ppid:2     flags:0x00000000 Call Trace:  [<000000065256f030>] __schedule+0x2a0/0x590  [<000000065256f356>] schedule+0x36/0xe0  [<000000065256f572>] schedule_preempt_disabled+0x22/0x30  [<0000000652570a94>] __mutex_lock.constprop.0+0x484/0x8a8  [<000003ff800673a4>] mlx5_unload_one+0x34/0x58 [mlx5_core]  [<000003ff8006745c>] mlx5_pci_err_detected+0x94/0x140 [mlx5_core]  [<0000000652556c5a>] zpci_event_attempt_error_recovery+0xf2/0x398  [<0000000651b9184a>] __zpci_event_error+0x23a/0x2c0 INFO: task kworker/u1664:6:1514 blocked for more than 122 seconds.       Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. 
task:kworker/u1664:6 state:D stack:0     pid:1514  tgid:1514  ppid:2     flags:0x00000000 Workqueue: mlx5_health0000:00:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core] Call Trace:  [<000000065256f030>] __schedule+0x2a0/0x590  [<000000065256f356>] schedule+0x36/0xe0  [<0000000652172e28>] pci_wait_cfg+0x80/0xe8  [<0000000652172f94>] pci_cfg_access_lock+0x74/0x88  [<000003ff800916b6>] mlx5_vsc_gw_lock+0x36/0x178 [mlx5_core]  [<000003ff80098824>] mlx5_crdump_collect+0x34/0x1c8 [mlx5_core]  [<000003ff80074b62>] mlx5_fw_fatal_reporter_dump+0x6a/0xe8 [mlx5_core]  [<0000000652512242>] devlink_health_do_dump.part.0+0x82/0x168  [<0000000652513212>] devlink_health_report+0x19a/0x230  [<000003ff80075a12>] mlx5_fw_fatal_reporter_err_work+0xba/0x1b0 [mlx5_core]  No kernel log of the exact same error with an upstream kernel is available - but the very same deadlock situation can be constructed there, too:  - task: kmcheck   mlx5_unload_one() tries to acquire devlink lock while the PCI error   recovery code has set pdev->block_cfg_access by way of   pci_cfg_access_lock() - task: kworker   mlx5_crdump_collect() tries to set block_cfg_access through   pci_cfg_access_lock() while devlink_health_report() had acquired   the devlink lock.  A similar deadlock situation can be reproduced by requesting a crdump with   > devlink health dump show pci/<BDF> reporter fw_fatal  while PCI error recovery is executed on the same <BDF> physical function by mlx5_core's pci_error_handlers. On s390 this can be injected with   > zpcictl --reset-fw <BDF>  Tests with this patch failed to reproduce that second deadlock situation, the devlink command is rejected with \"kernel answers: Permission denied\" - and we get a kernel log message of:  mlx5_core 1ed0:00:00.1: mlx5_crdump_collect:50:(pid 254382): crdump: failed to lock vsc gw err -5  because the config read of VSC_SEMAPHORE is rejected by the underlying hardware.  
Two prior attempts to address this issue have been discussed and ultimately rejected [see link], with the primary argument that s390's implementation of PCI error recovery is imposing restrictions that neither powerpc's EEH nor PCI AER handling need. Tests show that PCI error recovery on s390 is running to completion even without blocking access to PCI config space.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40317",
                                "url": "https://ubuntu.com/security/CVE-2025-40317",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  regmap: slimbus: fix bus_context pointer in regmap init calls  Commit 4e65bda8273c (\"ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()\") revealed the problem in the slimbus regmap. That commit breaks audio playback, for instance, on sdm845 Thundercomm Dragonboard 845c board:   Unable to handle kernel paging request at virtual address ffff8000847cbad4  ...  CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT  Hardware name: Thundercomm Dragonboard 845c (DT)  ...  Call trace:   slim_xfer_msg+0x24/0x1ac [slimbus] (P)   slim_read+0x48/0x74 [slimbus]   regmap_slimbus_read+0x18/0x24 [regmap_slimbus]   _regmap_raw_read+0xe8/0x174   _regmap_bus_read+0x44/0x80   _regmap_read+0x60/0xd8   _regmap_update_bits+0xf4/0x140   _regmap_select_page+0xa8/0x124   _regmap_raw_write_impl+0x3b8/0x65c   _regmap_bus_raw_write+0x60/0x80   _regmap_write+0x58/0xc0   regmap_write+0x4c/0x80   wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x]   snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core]   __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core]   dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core]   dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core]   snd_pcm_hw_params+0x124/0x464 [snd_pcm]   snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm]   snd_pcm_ioctl+0x34/0x4c [snd_pcm]   __arm64_sys_ioctl+0xac/0x104   invoke_syscall+0x48/0x104   el0_svc_common.constprop.0+0x40/0xe0   do_el0_svc+0x1c/0x28   el0_svc+0x34/0xec   el0t_64_sync_handler+0xa0/0xf0   el0t_64_sync+0x198/0x19c  The __devm_regmap_init_slimbus() started to be used instead of __regmap_init_slimbus() after the commit mentioned above and turns out the incorrect bus_context pointer (3rd argument) was used in __devm_regmap_init_slimbus(). It should be just \"slimbus\" (which is equal to &slimbus->dev). Correct it. 
The wcd934x codec seems to be the only or the first user of devm_regmap_init_slimbus() but we should fix it till the point where __devm_regmap_init_slimbus() was introduced therefore two \"Fixes\" tags.  While at this, also correct the same argument in __regmap_init_slimbus().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40359",
                                "url": "https://ubuntu.com/security/CVE-2025-40359",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/x86/intel: Fix KASAN global-out-of-bounds warning  When running \"perf mem record\" command on CWF, the below KASAN global-out-of-bounds warning is seen.    ==================================================================   BUG: KASAN: global-out-of-bounds in cmt_latency_data+0x176/0x1b0   Read of size 4 at addr ffffffffb721d000 by task dtlb/9850    Call Trace:     kasan_report+0xb8/0xf0    cmt_latency_data+0x176/0x1b0    setup_arch_pebs_sample_data+0xf49/0x2560    intel_pmu_drain_arch_pebs+0x577/0xb00    handle_pmi_common+0x6c4/0xc80  The issue is caused by below code in __grt_latency_data(). The code tries to access x86_hybrid_pmu structure which doesn't exist on non-hybrid platform like CWF.          WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big)  So add is_hybrid() check before calling this WARN_ON_ONCE to fix the global-out-of-bounds access issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68181",
                                "url": "https://ubuntu.com/security/CVE-2025-68181",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Remove calls to drm_put_dev()  Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() drm_put_dev()'ing to trigger it to be free'd should be done by devres.  However, drm_put_dev() is still in the probe error and device remove paths. When the driver fails to probe warnings like the following are shown because devres is trying to drm_put_dev() after the driver already did it.  [    5.642230] radeon 0000:01:05.0: probe with driver radeon failed with error -22 [    5.649605] ------------[ cut here ]------------ [    5.649607] refcount_t: underflow; use-after-free. [    5.649620] WARNING: CPU: 0 PID: 357 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110  (cherry picked from commit 3eb8c0b4c091da0a623ade0d3ee7aa4a93df1ea4)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68170",
                                "url": "https://ubuntu.com/security/CVE-2025-68170",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Do not kfree() devres managed rdev  Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() rdev is managed by devres and we shouldn't be calling kfree() on it.  This fixes things exploding if the driver probe fails and devres cleans up the rdev after we already free'd it.  (cherry picked from commit 16c0681617b8a045773d4d87b6140002fa75b03b)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40213",
                                "url": "https://ubuntu.com/security/CVE-2025-40213",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete  There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array.  Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove.  Use DEFINE_FLEX to declare the flexible array right, and don't memcpy outside bounds.  As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free, and also report status on error.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-24 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40318",
                                "url": "https://ubuntu.com/security/CVE-2025-40318",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once  hci_cmd_sync_dequeue_once() does lookup and then cancel the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the same entry, leading to double list_del() and \"UAF\".  Fix this by holding cmd_sync_work_lock across both lookup and cancel, so that the entry cannot be removed concurrently.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68312",
                                "url": "https://ubuntu.com/security/CVE-2025-68312",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: Prevents free active kevent  The root causes of this issue are: 1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0); put the kevent work in global workqueue. However, the kevent has not yet been scheduled when the usbnet device is unregistered. Therefore, executing free_netdev() results in the \"free active object (kevent)\" error reported here.  2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(), if the usbnet device is up, ndo_stop() is executed to cancel the kevent. However, because the device is not up, ndo_stop() is not executed.  The solution to this problem is to cancel the kevent before executing free_netdev().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40344",
                                "url": "https://ubuntu.com/security/CVE-2025-40344",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Disable periods-elapsed work when closing PCM  avs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio stream while period-elapsed work services its IRQs. As the former frees the DAI's private context, these two operations shall be synchronized to avoid slab-use-after-free or worse errors.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68172",
                                "url": "https://ubuntu.com/security/CVE-2025-68172",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: aspeed - fix double free caused by devm  The clock obtained via devm_clk_get_enabled() is automatically managed by devres and will be disabled and freed on driver detach. Manually calling clk_disable_unprepare() in error path and remove function causes double free.  Remove the manual clock cleanup in both aspeed_acry_probe()'s error path and aspeed_acry_remove().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40319",
                                "url": "https://ubuntu.com/security/CVE-2025-40319",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Sync pending IRQ work before freeing ring buffer  Fix a race where irq_work can be queued in bpf_ringbuf_commit() but the ring buffer is freed before the work executes. In the syzbot reproducer, a BPF program attached to sched_switch triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer is freed before this work executes, the irq_work thread may access freed memory. Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work complete before freeing the buffer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68182",
                                "url": "https://ubuntu.com/security/CVE-2025-68182",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: iwlwifi: fix potential use after free in iwl_mld_remove_link()  This code frees \"link\" by calling kfree_rcu(link, rcu_head) and then it dereferences \"link\" to get the \"link->fw_id\".  Save the \"link->fw_id\" first to avoid a potential use after free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68314",
                                "url": "https://ubuntu.com/security/CVE-2025-68314",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm: make sure last_fence is always updated  Update last_fence in the vm-bind path instead of kernel managed path.  last_fence is used to wait for work to finish in vm_bind contexts but not used for kernel managed contexts.  This fixes a bug where last_fence is not waited on context close leading to faults as resources are freed while in use.  Patchwork: https://patchwork.freedesktop.org/patch/680080/",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68189",
                                "url": "https://ubuntu.com/security/CVE-2025-68189",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm: Fix GEM free for imported dma-bufs  Imported dma-bufs also have obj->resv != &obj->_resv.  So we should check both this condition in addition to flags for handling the _NO_SHARE case.  Fixes this splat that was reported with IRIS video playback:      ------------[ cut here ]------------     WARNING: CPU: 3 PID: 2040 at drivers/gpu/drm/msm/msm_gem.c:1127 msm_gem_free_object+0x1f8/0x264 [msm]     CPU: 3 UID: 1000 PID: 2040 Comm: .gnome-shell-wr Not tainted 6.17.0-rc7 #1 PREEMPT     pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)     pc : msm_gem_free_object+0x1f8/0x264 [msm]     lr : msm_gem_free_object+0x138/0x264 [msm]     sp : ffff800092a1bb30     x29: ffff800092a1bb80 x28: ffff800092a1bce8 x27: ffffbc702dbdbe08     x26: 0000000000000008 x25: 0000000000000009 x24: 00000000000000a6     x23: ffff00083c72f850 x22: ffff00083c72f868 x21: ffff00087e69f200     x20: ffff00087e69f330 x19: ffff00084d157ae0 x18: 0000000000000000     x17: 0000000000000000 x16: ffffbc704bd46b80 x15: 0000ffffd0959540     x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000     x11: ffffbc702e6cdb48 x10: 0000000000000000 x9 : 000000000000003f     x8 : ffff800092a1ba90 x7 : 0000000000000000 x6 : 0000000000000020     x5 : ffffbc704bd46c40 x4 : fffffdffe102cf60 x3 : 0000000000400032     x2 : 0000000000020000 x1 : ffff00087e6978e8 x0 : ffff00087e6977e8     Call trace:      msm_gem_free_object+0x1f8/0x264 [msm] (P)      drm_gem_object_free+0x1c/0x30 [drm]      drm_gem_object_handle_put_unlocked+0x138/0x150 [drm]      drm_gem_object_release_handle+0x5c/0xcc [drm]      drm_gem_handle_delete+0x68/0xbc [drm]      drm_gem_close_ioctl+0x34/0x40 [drm]      drm_ioctl_kernel+0xc0/0x130 [drm]      drm_ioctl+0x360/0x4e0 [drm]      __arm64_sys_ioctl+0xac/0x104      invoke_syscall+0x48/0x104      el0_svc_common.constprop.0+0x40/0xe0      
do_el0_svc+0x1c/0x28      el0_svc+0x34/0xec      el0t_64_sync_handler+0xa0/0xe4      el0t_64_sync+0x198/0x19c     ---[ end trace 0000000000000000 ]---     ------------[ cut here ]------------  Patchwork: https://patchwork.freedesktop.org/patch/676273/",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68171",
                                "url": "https://ubuntu.com/security/CVE-2025-68171",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/fpu: Ensure XFD state on signal delivery  Sean reported [1] the following splat when running KVM tests:     WARNING: CPU: 232 PID: 15391 at xfd_validate_state+0x65/0x70    Call Trace:     <TASK>     fpu__clear_user_states+0x9c/0x100     arch_do_signal_or_restart+0x142/0x210     exit_to_user_mode_loop+0x55/0x100     do_syscall_64+0x205/0x2c0     entry_SYSCALL_64_after_hwframe+0x4b/0x53  Chao further identified [2] a reproducible scenario involving signal delivery: a non-AMX task is preempted by an AMX-enabled task which modifies the XFD MSR.  When the non-AMX task resumes and reloads XSTATE with init values, a warning is triggered due to a mismatch between fpstate::xfd and the CPU's current XFD state. fpu__clear_user_states() does not currently re-synchronize the XFD state after such preemption.  Invoke xfd_update_state() which detects and corrects the mismatch if there is a dynamic feature.  This also benefits the sigreturn path, as fpu__restore_sig() may call fpu__clear_user_states() when the sigframe is inaccessible.  [ dhansen: minor changelog munging ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68313",
                                "url": "https://ubuntu.com/security/CVE-2025-68313",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Add RDSEED fix for Zen5  There's an issue with RDSEED's 16-bit and 32-bit register output variants on Zen5 which return a random value of 0 \"at a rate inconsistent with randomness while incorrectly signaling success (CF=1)\". Search the web for AMD-SB-7055 for more detail.  Add a fix glue which checks microcode revisions.    [ bp: Add microcode revisions checking, rewrite. ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40320",
                                "url": "https://ubuntu.com/security/CVE-2025-40320",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix potential cfid UAF in smb2_query_info_compound  When smb2_query_info_compound() retries, a previously allocated cfid may have been freed in the first attempt. Because cfid wasn't reset on replay, later cleanup could act on a stale pointer, leading to a potential use-after-free.  Reinitialize cfid to NULL under the replay label.  Example trace (trimmed):  refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110 [...] RIP: 0010:refcount_warn_saturate+0x9c/0x110 [...] Call Trace:  <TASK>  smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  ? step_into+0x10d/0x690  ? __legitimize_path+0x28/0x60  smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  ? kmem_cache_alloc+0x18a/0x340  ? getname_flags+0x46/0x1e0  cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  statfs_by_dentry+0x67/0x90  vfs_statfs+0x16/0xd0  user_statfs+0x54/0xa0  __do_sys_statfs+0x20/0x50  do_syscall_64+0x58/0x80",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40321",
                                "url": "https://ubuntu.com/security/CVE-2025-40321",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode  Currently, whenever there is a need to transmit an Action frame, the brcmfmac driver always uses the P2P vif to send the \"actframe\" IOVAR to firmware. The P2P interfaces were available when wpa_supplicant is managing the wlan interface.  However, the P2P interfaces are not created/initialized when only hostapd is managing the wlan interface. And if hostapd receives an ANQP Query REQ Action frame even from an un-associated STA, the brcmfmac driver tries to use an uninitialized P2P vif pointer for sending the IOVAR to firmware. This NULL pointer dereferencing triggers a driver crash.   [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual  address 0000000000000000  [...]  [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)  [...]  [ 1417.075653] Call trace:  [ 1417.075662]  brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]  [ 1417.075738]  brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]  [ 1417.075810]  cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211]  [ 1417.076067]  nl80211_tx_mgmt+0x238/0x388 [cfg80211]  [ 1417.076281]  genl_family_rcv_msg_doit+0xe0/0x158  [ 1417.076302]  genl_rcv_msg+0x220/0x2a0  [ 1417.076317]  netlink_rcv_skb+0x68/0x140  [ 1417.076330]  genl_rcv+0x40/0x60  [ 1417.076343]  netlink_unicast+0x330/0x3b8  [ 1417.076357]  netlink_sendmsg+0x19c/0x3f8  [ 1417.076370]  __sock_sendmsg+0x64/0xc0  [ 1417.076391]  ____sys_sendmsg+0x268/0x2a0  [ 1417.076408]  ___sys_sendmsg+0xb8/0x118  [ 1417.076427]  __sys_sendmsg+0x90/0xf8  [ 1417.076445]  __arm64_sys_sendmsg+0x2c/0x40  [ 1417.076465]  invoke_syscall+0x50/0x120  [ 1417.076486]  el0_svc_common.constprop.0+0x48/0xf0  [ 1417.076506]  do_el0_svc+0x24/0x38  [ 1417.076525]  el0_svc+0x30/0x100  [ 1417.076548]  el0t_64_sync_handler+0x100/0x130  [ 1417.076569]  el0t_64_sync+0x190/0x198  [ 
1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)  Fix this, by always using the vif corresponding to the wdev on which the Action frame Transmission request was initiated by the userspace. This way, even if P2P vif is not available, the IOVAR is sent to firmware on AP vif and the ANQP Query RESP Action frame is transmitted without crashing the driver.  Move init_completion() for \"send_af_done\" from brcmf_p2p_create_p2pdev() to brcmf_p2p_attach(). Because the former function would not get executed when only hostapd is managing wlan interface, and it is not safe to do reinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior init_completion().  And in the brcmf_p2p_tx_action_frame() function, the condition check for P2P Presence response frame is not needed, since the wpa_supplicant is properly sending the P2P Presence Response frame on the P2P-GO vif instead of the P2P-Device vif.  [Cc stable]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40322",
                                "url": "https://ubuntu.com/security/CVE-2025-40322",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: bitblit: bound-check glyph index in bit_putcs*  bit_putcs_aligned()/unaligned() derived the glyph pointer from the character value masked by 0xff/0x1ff, which may exceed the actual font's glyph count and read past the end of the built-in font array. Clamp the index to the actual glyph count before computing the address.  This fixes a global out-of-bounds read reported by syzbot.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40211",
                                "url": "https://ubuntu.com/security/CVE-2025-40211",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ACPI: video: Fix use-after-free in acpi_video_switch_brightness()  The switch_brightness_work delayed work accesses device->brightness and device->backlight, freed by acpi_video_dev_unregister_backlight() during device removal.  If the work executes after acpi_video_bus_unregister_backlight() frees these resources, it causes a use-after-free when acpi_video_switch_brightness() dereferences device->brightness or device->backlight.  Fix this by calling cancel_delayed_work_sync() for each device's switch_brightness_work in acpi_video_bus_remove_notify_handler() after removing the notify handler that queues the work. This ensures the work completes before the memory is freed.  [ rjw: Changelog edit ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-21 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40323",
                                "url": "https://ubuntu.com/security/CVE-2025-40323",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Set fb_display[i]->mode to NULL when the mode is released  Recently, we discovered the following issue through syzkaller:  BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0 Read of size 4 at addr ff11000001b3c69c by task syz.xxx ... Call Trace:  <TASK>  dump_stack_lvl+0xab/0xe0  print_address_description.constprop.0+0x2c/0x390  print_report+0xb9/0x280  kasan_report+0xb8/0xf0  fb_mode_is_equal+0x285/0x2f0  fbcon_mode_deleted+0x129/0x180  fb_set_var+0xe7f/0x11d0  do_fb_ioctl+0x6a0/0x750  fb_ioctl+0xe0/0x140  __x64_sys_ioctl+0x193/0x210  do_syscall_64+0x5f/0x9c0  entry_SYSCALL_64_after_hwframe+0x76/0x7e  Based on experimentation and analysis, during framebuffer unregistration, only the memory of fb_info->modelist is freed, without setting the corresponding fb_display[i]->mode to NULL for the freed modes. This leads to UAF issues during subsequent accesses. Here's an example of reproduction steps: 1. With /dev/fb0 already registered in the system, load a kernel module    to register a new device /dev/fb1; 2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP); 3. Switch console from fb to VGA (to allow normal rmmod of the ko); 4. Unload the kernel module, at this point fb1's modelist is freed, leaving    a wild pointer in fb_display[]; 5. Trigger the bug via system calls through fb0 attempting to delete a mode    from fb0.  Add a check in do_unregister_framebuffer(): if the mode to be freed exists in fb_display[], set the corresponding mode pointer to NULL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40210",
                                "url": "https://ubuntu.com/security/CVE-2025-40210",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\"  I've found that pynfs COMP6 now leaves the connection or lease in a strange state, which causes CLOSE9 to hang indefinitely. I've dug into it a little, but I haven't been able to root-cause it yet. However, I bisected to commit 48aab1606fa8 (\"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\").  Tianshuo Han also reports a potential vulnerability when decoding an NFSv4 COMPOUND. An attacker can place an arbitrarily large op count in the COMPOUND header, which results in:  [   51.410584] nfsd: vmalloc error: size 1209533382144, exceeds total pages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO), nodemask=(null),cpuset=/,mems_allowed=0  when NFSD attempts to allocate the COMPOUND op array.  Let's restore the operation-per-COMPOUND limit, but increased to 200 for now.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-21 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40324",
                                "url": "https://ubuntu.com/security/CVE-2025-40324",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Fix crash in nfsd4_read_release()  When tracing is enabled, the trace_nfsd_read_done trace point crashes during the pynfs read.testNoFh test.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40326",
                                "url": "https://ubuntu.com/security/CVE-2025-40326",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define actions for the new time_deleg FATTR4 attributes  NFSv4 clients won't send legitimate GETATTR requests for these new attributes because they are intended to be used only with CB_GETATTR and SETATTR. But NFSD has to do something besides crashing if it ever sees a GETATTR request that queries these attributes.  RFC 8881 Section 18.7.3 states:  > The server MUST return a value for each attribute that the client > requests if the attribute is supported by the server for the > target file system. If the server does not support a particular > attribute on the target file system, then it MUST NOT return the > attribute value and MUST NOT set the attribute bit in the result > bitmap. The server MUST return an error if it supports an > attribute on the target but cannot obtain its value. In that case, > no attribute values will be returned.  Further, RFC 9754 Section 5 states:  > These new attributes are invalid to be used with GETATTR, VERIFY, > and NVERIFY, and they can only be used with CB_GETATTR and SETATTR > by a client holding an appropriate delegation.  Thus there does not appear to be a specific server response mandated by specification. Taking the guidance that querying these attributes via GETATTR is \"invalid\", NFSD will return nfserr_inval, failing the request entirely.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40084",
                                "url": "https://ubuntu.com/security/CVE-2025-40084",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: transport_ipc: validate payload size before reading handle  handle_response() dereferences the payload as a 4-byte handle without verifying that the declared payload size is at least 4 bytes. A malformed or truncated message from ksmbd.mountd can lead to a 4-byte read past the declared payload size. Validate the size before dereferencing.  This is a minimal fix to guard the initial handle read.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40222",
                                "url": "https://ubuntu.com/security/CVE-2025-40222",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: serial: sh-sci: fix RSCI FIFO overrun handling  The receive error handling code is shared between RSCI and all other SCIF port types, but the RSCI overrun_reg is specified as a memory offset, while for other SCIF types it is an enum value used to index into the sci_port_params->regs array, as mentioned above the sci_serial_in() function.  For RSCI, the overrun_reg is CSR (0x48), causing the sci_getreg() call inside the sci_handle_fifo_overrun() function to index outside the bounds of the regs array, which currently has a size of 20, as specified by SCI_NR_REGS.  Because of this, we end up accessing memory outside of RSCI's rsci_port_params structure, which, when interpreted as a plat_sci_reg, happens to have a non-zero size, causing the following WARN when sci_serial_in() is called, as the accidental size does not match the supported register sizes.  The existence of the overrun_reg needs to be checked because SCIx_SH3_SCIF_REGTYPE has overrun_reg set to SCLSR, but SCLSR is not present in the regs array.  Avoid calling sci_getreg() for port types which don't use standard register handling.  Use the ops->read_reg() and ops->write_reg() functions to properly read and write registers for RSCI, and change the type of the status variable to accommodate the 32-bit CSR register.  sci_getreg() and sci_serial_in() are also called with overrun_reg in the sci_mpxed_interrupt() interrupt handler, but that code path is not used for RSCI, as it does not have a muxed interrupt.  
------------[ cut here ]------------ Invalid register access WARNING: CPU: 0 PID: 0 at drivers/tty/serial/sh-sci.c:522 sci_serial_in+0x38/0xac Modules linked in: renesas_usbhs at24 rzt2h_adc industrialio_adc sha256 cfg80211 bluetooth ecdh_generic ecc rfkill fuse drm backlight ipv6 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.17.0-rc1+ #30 PREEMPT Hardware name: Renesas RZ/T2H EVK Board based on r9a09g077m44 (DT) pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : sci_serial_in+0x38/0xac lr : sci_serial_in+0x38/0xac sp : ffff800080003e80 x29: ffff800080003e80 x28: ffff800082195b80 x27: 000000000000000d x26: ffff8000821956d0 x25: 0000000000000000 x24: ffff800082195b80 x23: ffff000180e0d800 x22: 0000000000000010 x21: 0000000000000000 x20: 0000000000000010 x19: ffff000180e72000 x18: 000000000000000a x17: ffff8002bcee7000 x16: ffff800080000000 x15: 0720072007200720 x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720 x11: 0000000000000058 x10: 0000000000000018 x9 : ffff8000821a6a48 x8 : 0000000000057fa8 x7 : 0000000000000406 x6 : ffff8000821fea48 x5 : ffff00033ef88408 x4 : ffff8002bcee7000 x3 : ffff800082195b80 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff800082195b80 Call trace:  sci_serial_in+0x38/0xac (P)  sci_handle_fifo_overrun.isra.0+0x70/0x134  sci_er_interrupt+0x50/0x39c  __handle_irq_event_percpu+0x48/0x140  handle_irq_event+0x44/0xb0  handle_fasteoi_irq+0xf4/0x1a0  handle_irq_desc+0x34/0x58  generic_handle_domain_irq+0x1c/0x28  gic_handle_irq+0x4c/0x140  call_on_irq_stack+0x30/0x48  do_interrupt_handler+0x80/0x84  el1_interrupt+0x34/0x68  el1h_64_irq_handler+0x18/0x24  el1h_64_irq+0x6c/0x70  default_idle_call+0x28/0x58 (P)  do_idle+0x1f8/0x250  cpu_startup_entry+0x34/0x3c  rest_init+0xd8/0xe0  console_on_rootfs+0x0/0x6c  __primary_switched+0x88/0x90 ---[ end trace 0000000000000000 ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40223",
                                "url": "https://ubuntu.com/security/CVE-2025-40223",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  most: usb: Fix use-after-free in hdm_disconnect  hdm_disconnect() calls most_deregister_interface(), which eventually unregisters the MOST interface device with device_unregister(iface->dev). If that drops the last reference, the device core may call release_mdev() immediately while hdm_disconnect() is still executing.  The old code also freed several mdev-owned allocations in hdm_disconnect() and then performed additional put_device() calls. Depending on refcount order, this could lead to use-after-free or double-free when release_mdev() ran (or when unregister paths also performed puts).  Fix by moving the frees of mdev-owned allocations into release_mdev(), so they happen exactly once when the device is truly released, and by dropping the extra put_device() calls in hdm_disconnect() that are redundant after device_unregister() and most_deregister_interface().  This addresses the KASAN slab-use-after-free reported by syzbot in hdm_disconnect(). See report and stack traces in the bug link below.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40106",
                                "url": "https://ubuntu.com/security/CVE-2025-40106",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  comedi: fix divide-by-zero in comedi_buf_munge()  The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path.  Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging.  This prevents potential kernel panics from malformed user commands.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-31 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40224",
                                "url": "https://ubuntu.com/security/CVE-2025-40224",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hwmon: (cgbc-hwmon) Add missing NULL check after devm_kzalloc()  The driver allocates memory for sensor data using devm_kzalloc(), but did not check if the allocation succeeded. In case of memory allocation failure, dereferencing the NULL pointer would lead to a kernel crash.  Add a NULL pointer check and return -ENOMEM to handle allocation failure properly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40225",
                                "url": "https://ubuntu.com/security/CVE-2025-40225",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/panthor: Fix kernel panic on partial unmap of a GPU VA region  This commit address a kernel panic issue that can happen if Userspace tries to partially unmap a GPU virtual region (aka drm_gpuva). The VM_BIND interface allows partial unmapping of a BO.  Panthor driver pre-allocates memory for the new drm_gpuva structures that would be needed for the map/unmap operation, done using drm_gpuvm layer. It expected that only one new drm_gpuva would be needed on umap but a partial unmap can require 2 new drm_gpuva and that's why it ended up doing a NULL pointer dereference causing a kernel panic.  Following dump was seen when partial unmap was exercised.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078  Mem abort info:    ESR = 0x0000000096000046    EC = 0x25: DABT (current EL), IL = 32 bits    SET = 0, FnV = 0    EA = 0, S1PTW = 0    FSC = 0x06: level 2 translation fault  Data abort info:    ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000    CM = 0, WnR = 1, TnD = 0, TagAccess = 0    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0  user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000  [000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000  Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP  <snip>  pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)  pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]  lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor]  sp : ffff800085d43970  x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000  x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000  x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180  x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010  x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c  x14: 312d3d7361203a70 x13: 
303030323d6e656c x12: ffff80008324bf58  x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c  x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7  x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001  x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078  Call trace:   panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]   op_remap_cb.isra.22+0x50/0x80   __drm_gpuvm_sm_unmap+0x10c/0x1c8   drm_gpuvm_sm_unmap+0x40/0x60   panthor_vm_exec_op+0xb4/0x3d0 [panthor]   panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor]   panthor_ioctl_vm_bind+0x160/0x4a0 [panthor]   drm_ioctl_kernel+0xbc/0x138   drm_ioctl+0x240/0x500   __arm64_sys_ioctl+0xb0/0xf8   invoke_syscall+0x4c/0x110   el0_svc_common.constprop.1+0x98/0xf8   do_el0_svc+0x24/0x38   el0_svc+0x40/0xf8   el0t_64_sync_handler+0xa0/0xc8   el0t_64_sync+0x174/0x178",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40226",
                                "url": "https://ubuntu.com/security/CVE-2025-40226",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  firmware: arm_scmi: Account for failed debug initialization  When the SCMI debug subsystem fails to initialize, the related debug root will be missing, and the underlying descriptor will be NULL.  Handle this fault condition in the SCMI debug helpers that maintain metrics counters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40227",
                                "url": "https://ubuntu.com/security/CVE-2025-40227",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs: dealloc commit test ctx always  The damon_ctx for testing online DAMON parameters commit inputs is deallocated only when the test fails.  This means memory is leaked for every successful online DAMON parameters commit.  Fix the leak by always deallocating it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40228",
                                "url": "https://ubuntu.com/security/CVE-2025-40228",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs: catch commit test ctx alloc failure  Patch series \"mm/damon/sysfs: fix commit test damon_ctx [de]allocation\".  DAMON sysfs interface dynamically allocates and uses a damon_ctx object for testing if given inputs for online DAMON parameters update is valid. The object is being used without an allocation failure check, and leaked when the test succeeds.  Fix the two bugs.   This patch (of 2):  The damon_ctx for testing online DAMON parameters commit inputs is used without its allocation failure check.  This could result in an invalid memory access.  Fix it by directly returning an error when the allocation failed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40229",
                                "url": "https://ubuntu.com/security/CVE-2025-40229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/core: fix potential memory leak by cleaning ops_filter in damon_destroy_scheme  Currently, damon_destroy_scheme() only cleans up the filter list but leaves ops_filter untouched, which could lead to memory leaks when a scheme is destroyed.  This patch ensures both filter and ops_filter are properly freed in damon_destroy_scheme(), preventing potential memory leaks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40230",
                                "url": "https://ubuntu.com/security/CVE-2025-40230",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm: prevent poison consumption when splitting THP  When performing memory error injection on a THP (Transparent Huge Page) mapped to userspace on an x86 server, the kernel panics with the following trace.  The expected behavior is to terminate the affected process instead of panicking the kernel, as the x86 Machine Check code can recover from an in-userspace #MC.    mce: [Hardware Error]: CPU 0: Machine Check Exception: f Bank 3: bd80000000070134   mce: [Hardware Error]: RIP 10:<ffffffff8372f8bc> {memchr_inv+0x4c/0xf0}   mce: [Hardware Error]: TSC afff7bbff88a ADDR 1d301b000 MISC 80 PPIN 1e741e77539027db   mce: [Hardware Error]: PROCESSOR 0:d06d0 TIME 1758093249 SOCKET 0 APIC 0 microcode 80000320   mce: [Hardware Error]: Run the above through 'mcelog --ascii'   mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel   Kernel panic - not syncing: Fatal local machine check  The root cause of this panic is that handling a memory failure triggered by an in-userspace #MC necessitates splitting the THP.  The splitting process employs a mechanism, implemented in try_to_map_unused_to_zeropage(), which reads the pages in the THP to identify zero-filled pages.  However, reading the pages in the THP results in a second in-kernel #MC, occurring before the initial memory_failure() completes, ultimately leading to a kernel panic.  See the kernel panic call trace on the two #MCs.    
First Machine Check occurs // [1]     memory_failure()         // [2]       try_to_split_thp_page()         split_huge_page()           split_huge_page_to_list_to_order()             __folio_split()  // [3]               remap_page()                 remove_migration_ptes()                   remove_migration_pte()                     try_to_map_unused_to_zeropage()  // [4]                       memchr_inv()                   // [5]                         Second Machine Check occurs  // [6]                           Kernel panic  [1] Triggered by accessing a hardware-poisoned THP in userspace, which is     typically recoverable by terminating the affected process.  [2] Call folio_set_has_hwpoisoned() before try_to_split_thp_page().  [3] Pass the RMP_USE_SHARED_ZEROPAGE remap flag to remap_page().  [4] Try to map the unused THP to zeropage.  [5] Re-access pages in the hw-poisoned THP in the kernel.  [6] Triggered in-kernel, leading to a kernel panic.  In Step[2], memory_failure() sets the poisoned flag on the page in the THP by TestSetPageHWPoison() before calling try_to_split_thp_page().  As suggested by David Hildenbrand, fix this panic by not accessing the poisoned page in the THP during zeropage identification, while continuing to scan unaffected pages in the THP for possible zeropage mapping.  This prevents a second in-kernel #MC that would cause kernel panic in Step[4].  Thanks to Andrew Zaborowski for his initial work on fixing this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40231",
                                "url": "https://ubuntu.com/security/CVE-2025-40231",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix lock inversion in vsock_assign_transport()  Syzbot reported a potential lock inversion deadlock between vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.  The issue was introduced by commit 687aa0c5581b (\"vsock: Fix transport_* TOCTOU\") which added vsock_register_mutex locking in vsock_assign_transport() around the transport->release() call, that can call vsock_linger(). vsock_assign_transport() can be called with sk_lock held. vsock_linger() calls sk_wait_event() that temporarily releases and re-acquires sk_lock. During this window, if another thread holds vsock_register_mutex while trying to acquire sk_lock, a circular dependency is created.  Fix this by releasing vsock_register_mutex before calling transport->release() and vsock_deassign_transport(). This is safe because we don't need to hold vsock_register_mutex while releasing the old transport, and we ensure the new transport won't disappear by obtaining a module reference first via try_module_get().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40233",
                                "url": "https://ubuntu.com/security/CVE-2025-40233",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ocfs2: clear extent cache after moving/defragmenting extents  The extent map cache can become stale when extents are moved or defragmented, causing subsequent operations to see outdated extent flags. This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().  The problem occurs when: 1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED 2. ioctl(FITRIM) triggers ocfs2_move_extents() 3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2) 4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent()    which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0) 5. The extent map cache is not invalidated after the move 6. Later write() operations read stale cached flags (0x2) but disk has    updated flags (0x0), causing a mismatch 7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers  Fix by clearing the extent map cache after each extent move/defrag operation in __ocfs2_move_extents_range().  This ensures subsequent operations read fresh extent data from disk.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40235",
                                "url": "https://ubuntu.com/security/CVE-2025-40235",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots()  If fs_info->super_copy or fs_info->super_for_commit allocated failed in btrfs_get_tree_subvol(), then no need to call btrfs_free_fs_info(). Otherwise btrfs_check_leaked_roots() would access NULL pointer because fs_info->allocated_roots had not been initialised.  syzkaller reported the following information:   ------------[ cut here ]------------   BUG: unable to handle page fault for address: fffffffffffffbb0   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   PGD 64c9067 P4D 64c9067 PUD 64cb067 PMD 0   Oops: Oops: 0000 [#1] SMP KASAN PTI   CPU: 0 UID: 0 PID: 1402 Comm: syz.1.35 Not tainted 6.15.8 #4 PREEMPT(lazy)   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...)   RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]   RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]   RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]   RIP: 0010:refcount_read include/linux/refcount.h:170 [inline]   RIP: 0010:btrfs_check_leaked_roots+0x18f/0x2c0 fs/btrfs/disk-io.c:1230   [...]   
Call Trace:    <TASK>    btrfs_free_fs_info+0x310/0x410 fs/btrfs/disk-io.c:1280    btrfs_get_tree_subvol+0x592/0x6b0 fs/btrfs/super.c:2029    btrfs_get_tree+0x63/0x80 fs/btrfs/super.c:2097    vfs_get_tree+0x98/0x320 fs/super.c:1759    do_new_mount+0x357/0x660 fs/namespace.c:3899    path_mount+0x716/0x19c0 fs/namespace.c:4226    do_mount fs/namespace.c:4239 [inline]    __do_sys_mount fs/namespace.c:4450 [inline]    __se_sys_mount fs/namespace.c:4427 [inline]    __x64_sys_mount+0x28c/0x310 fs/namespace.c:4427    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0x92/0x180 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x76/0x7e   RIP: 0033:0x7f032eaffa8d   [...]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40236",
                                "url": "https://ubuntu.com/security/CVE-2025-40236",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: zero unused hash fields  When GSO tunnel is negotiated virtio_net_hdr_tnl_from_skb() tries to initialize the tunnel metadata but forgets to zero unused rxhash fields. This may leak information to the other side. Fix this by zeroing the unused hash fields.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40237",
                                "url": "https://ubuntu.com/security/CVE-2025-40237",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/notify: call exportfs_encode_fid with s_umount  Calling inotify_show_fdinfo() on fd watching an overlayfs inode, while the overlayfs is being unmounted, can lead to dereferencing NULL ptr.  This issue was found by syzkaller.  Race Condition Diagram:  Thread 1                           Thread 2 --------                           --------  generic_shutdown_super()  shrink_dcache_for_umount   sb->s_root = NULL                      |                     |             vfs_read()                     |              inotify_fdinfo()                     |               * inode get from mark *                     |               show_mark_fhandle(m, inode)                     |                exportfs_encode_fid(inode, ..)                     |                 ovl_encode_fh(inode, ..)                     |                  ovl_check_encode_origin(inode)                     |                   * deref i_sb->s_root *                     |                     |                     v  fsnotify_sb_delete(sb)  Which then leads to:  [   32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [   32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [   32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none)  <snip registers, unreliable trace>  [   32.143353] Call Trace: [   32.143732]  ovl_encode_fh+0xd5/0x170 [   32.144031]  exportfs_encode_inode_fh+0x12f/0x300 [   32.144425]  show_mark_fhandle+0xbe/0x1f0 [   32.145805]  inotify_fdinfo+0x226/0x2d0 [   32.146442]  inotify_show_fdinfo+0x1c5/0x350 [   32.147168]  seq_show+0x530/0x6f0 [   32.147449]  seq_read_iter+0x503/0x12a0 [   32.148419]  seq_read+0x31f/0x410 [   32.150714]  vfs_read+0x1f0/0x9e0 [   32.152297]  ksys_read+0x125/0x240  IOW 
ovl_check_encode_origin derefs inode->i_sb->s_root, after it was set to NULL in the unmount path.  Fix it by protecting calling exportfs_encode_fid() from show_mark_fhandle() with s_umount lock.  This form of fix was suggested by Amir in [1].  [1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40238",
                                "url": "https://ubuntu.com/security/CVE-2025-40238",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5: Fix IPsec cleanup over MPV device  When we do mlx5e_detach_netdev() we eventually disable blocking events notifier, among those events are IPsec MPV events from IB to core.  So before disabling those blocking events, make sure to also unregister the devcom device and mark all this device operations as complete, in order to prevent the other device from using invalid netdev during future devcom events which could cause the trace below.  BUG: kernel NULL pointer dereference, address: 0000000000000010 PGD 146427067 P4D 146427067 PUD 146488067 PMD 0 Oops: Oops: 0000 [#1] SMP CPU: 1 UID: 0 PID: 7735 Comm: devlink Tainted: GW 6.12.0-rc6_for_upstream_min_debug_2024_11_08_00_46 #1 Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core] Code: 00 01 48 83 05 23 32 1e 00 01 41 b8 ed ff ff ff e9 60 ff ff ff 48 83 05 00 32 1e 00 01 eb e3 66 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 47 10 48 83 05 5f 32 1e 00 01 48 8b 50 40 48 85 d2 74 05 40 RSP: 0018:ffff88811a5c35f8 EFLAGS: 00010206 RAX: ffff888106e8ab80 RBX: ffff888107d7e200 RCX: ffff88810d6f0a00 RDX: ffff88810d6f0a00 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff88811a17e620 R08: 0000000000000040 R09: 0000000000000000 R10: ffff88811a5c3618 R11: 0000000de85d51bd R12: ffff88811a17e600 R13: ffff88810d6f0a00 R14: 0000000000000000 R15: ffff8881034bda80 FS:  00007f27bdf89180(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000010f159005 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  <TASK>  ? __die+0x20/0x60  ? page_fault_oops+0x150/0x3e0  ? 
exc_page_fault+0x74/0x130  ? asm_exc_page_fault+0x22/0x30  ? mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core]  mlx5e_devcom_event_mpv+0x42/0x60 [mlx5_core]  mlx5_devcom_send_event+0x8c/0x170 [mlx5_core]  blocking_event+0x17b/0x230 [mlx5_core]  notifier_call_chain+0x35/0xa0  blocking_notifier_call_chain+0x3d/0x60  mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]  mlx5_core_mp_event_replay+0x12/0x20 [mlx5_core]  mlx5_ib_bind_slave_port+0x228/0x2c0 [mlx5_ib]  mlx5_ib_stage_init_init+0x664/0x9d0 [mlx5_ib]  ? idr_alloc_cyclic+0x50/0xb0  ? __kmalloc_cache_noprof+0x167/0x340  ? __kmalloc_noprof+0x1a7/0x430  __mlx5_ib_add+0x34/0xd0 [mlx5_ib]  mlx5r_probe+0xe9/0x310 [mlx5_ib]  ? kernfs_add_one+0x107/0x150  ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib]  auxiliary_bus_probe+0x3e/0x90  really_probe+0xc5/0x3a0  ? driver_probe_device+0x90/0x90  __driver_probe_device+0x80/0x160  driver_probe_device+0x1e/0x90  __device_attach_driver+0x7d/0x100  bus_for_each_drv+0x80/0xd0  __device_attach+0xbc/0x1f0  bus_probe_device+0x86/0xa0  device_add+0x62d/0x830  __auxiliary_device_add+0x3b/0xa0  ? auxiliary_device_init+0x41/0x90  add_adev+0xd1/0x150 [mlx5_core]  mlx5_rescan_drivers_locked+0x21c/0x300 [mlx5_core]  esw_mode_change+0x6c/0xc0 [mlx5_core]  mlx5_devlink_eswitch_mode_set+0x21e/0x640 [mlx5_core]  devlink_nl_eswitch_set_doit+0x60/0xe0  genl_family_rcv_msg_doit+0xd0/0x120  genl_rcv_msg+0x180/0x2b0  ? devlink_get_from_attrs_lock+0x170/0x170  ? devlink_nl_eswitch_get_doit+0x290/0x290  ? devlink_nl_pre_doit_port_optional+0x50/0x50  ? genl_family_rcv_msg_dumpit+0xf0/0xf0  netlink_rcv_skb+0x54/0x100  genl_rcv+0x24/0x40  netlink_unicast+0x1fc/0x2d0  netlink_sendmsg+0x1e4/0x410  __sock_sendmsg+0x38/0x60  ? sockfd_lookup_light+0x12/0x60  __sys_sendto+0x105/0x160  ? 
__sys_recvmsg+0x4e/0x90  __x64_sys_sendto+0x20/0x30  do_syscall_64+0x4c/0x100  entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f27bc91b13a Code: bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 fa 96 2c 00 45 89 c9 4c 63 d1 48 63 ff 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40239",
                                "url": "https://ubuntu.com/security/CVE-2025-40239",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: phy: micrel: always set shared->phydev for LAN8814  Currently, during the LAN8814 PTP probe shared->phydev is only set if PTP clock gets actually set, otherwise the function will return before setting it.  This is an issue as shared->phydev is unconditionally being used when IRQ is being handled, especially in lan8814_gpio_process_cap and since it was not set it will cause a NULL pointer exception and crash the kernel.  So, simply always set shared->phydev to avoid the NULL pointer exception.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40240",
                                "url": "https://ubuntu.com/security/CVE-2025-40240",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: avoid NULL dereference when chunk data buffer is missing  chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only.  chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40241",
                                "url": "https://ubuntu.com/security/CVE-2025-40241",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: fix crafted invalid cases for encoded extents  Robert recently reported two corrupted images that can cause system crashes, which are related to the new encoded extents introduced in Linux 6.15:    - The first one [1] has plen != 0 (e.g. plen == 0x2000000) but     (plen & Z_EROFS_EXTENT_PLEN_MASK) == 0. It is used to represent     special extents such as sparse extents (!EROFS_MAP_MAPPED), but     previously only plen == 0 was handled;    - The second one [2] has pa 0xffffffffffdcffed and plen 0xb4000,     then \"cur [0xfffffffffffff000] += bvec.bv_len [0x1000]\" in     \"} while ((cur += bvec.bv_len) < end);\" wraps around, causing an     out-of-bound access of pcl->compressed_bvecs[] in     z_erofs_submit_queue().  EROFS only supports 48-bit physical block     addresses (up to 1EiB for 4k blocks), so add a sanity check to     enforce this.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40242",
                                "url": "https://ubuntu.com/security/CVE-2025-40242",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gfs2: Fix unlikely race in gdlm_put_lock  In gdlm_put_lock(), there is a small window of time in which the DFL_UNMOUNT flag has been set but the lockspace hasn't been released, yet.  In that window, dlm may still call gdlm_ast() and gdlm_bast(). To prevent it from dereferencing freed glock objects, only free the glock if the lockspace has actually been released.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40243",
                                "url": "https://ubuntu.com/security/CVE-2025-40243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()  The syzbot reported issue in hfs_find_set_zero_bits():  ===================================================== BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45  hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45  hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151  hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408  hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353  __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151  block_write_begin fs/buffer.c:2262 [inline]  cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601  hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52  cont_expand_zero fs/buffer.c:2528 [inline]  cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591  hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52  hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494  hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654  notify_change+0x1993/0x1aa0 fs/attr.c:552  do_truncate+0x28f/0x310 fs/open.c:68  do_ftruncate+0x698/0x730 fs/open.c:195  do_sys_ftruncate fs/open.c:210 [inline]  __do_sys_ftruncate fs/open.c:215 [inline]  __se_sys_ftruncate fs/open.c:213 [inline]  __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213  x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Uninit was created at:  slab_post_alloc_hook mm/slub.c:4154 [inline]  slab_alloc_node mm/slub.c:4197 [inline]  __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354  kmalloc_noprof include/linux/slab.h:905 [inline]  hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175  hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337  get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681  get_tree_bdev+0x38/0x50 fs/super.c:1704  hfs_get_tree+0x35/0x40 fs/hfs/super.c:388  
vfs_get_tree+0xb0/0x5c0 fs/super.c:1804  do_new_mount+0x738/0x1610 fs/namespace.c:3902  path_mount+0x6db/0x1e90 fs/namespace.c:4226  do_mount fs/namespace.c:4239 [inline]  __do_sys_mount fs/namespace.c:4450 [inline]  __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427  __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427  x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 =====================================================  The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get():  HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);  Finally, it can trigger the reported issue because kmalloc() doesn't clear the allocated memory. If allocated memory contains only zeros, then everything will work pretty fine. But if the allocated memory contains the \"garbage\", then it can affect the bitmap operations and it triggers the reported issue.  This patch simply replaces kmalloc() with kzalloc() to guarantee the correctness of bitmap operations, because a newly created allocation bitmap should have all available blocks free. Potentially, the read operation that initializes the bitmap might not fill the whole allocated memory, and \"garbage\" in the uninitialized memory would then cause volume corruption and file system driver bugs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40244",
                                "url": "https://ubuntu.com/security/CVE-2025-40244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()  The syzbot reported issue in __hfsplus_ext_cache_extent():  [   70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.195022][ T9350]  __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.195530][ T9350]  hfsplus_file_extend+0x74f/0x1cf0 [   70.195998][ T9350]  hfsplus_get_block+0xe16/0x17b0 [   70.196458][ T9350]  __block_write_begin_int+0x962/0x2ce0 [   70.196959][ T9350]  cont_write_begin+0x1000/0x1950 [   70.197416][ T9350]  hfsplus_write_begin+0x85/0x130 [   70.197873][ T9350]  generic_perform_write+0x3e8/0x1060 [   70.198374][ T9350]  __generic_file_write_iter+0x215/0x460 [   70.198892][ T9350]  generic_file_write_iter+0x109/0x5e0 [   70.199393][ T9350]  vfs_write+0xb0f/0x14e0 [   70.199771][ T9350]  ksys_write+0x23e/0x490 [   70.200149][ T9350]  __x64_sys_write+0x97/0xf0 [   70.200570][ T9350]  x64_sys_call+0x3015/0x3cf0 [   70.201065][ T9350]  do_syscall_64+0xd9/0x1d0 [   70.201506][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [   70.202054][ T9350] [   70.202279][ T9350] Uninit was created at: [   70.202693][ T9350]  __kmalloc_noprof+0x621/0xf80 [   70.203149][ T9350]  hfsplus_find_init+0x8d/0x1d0 [   70.203602][ T9350]  hfsplus_file_extend+0x6ca/0x1cf0 [   70.204087][ T9350]  hfsplus_get_block+0xe16/0x17b0 [   70.204561][ T9350]  __block_write_begin_int+0x962/0x2ce0 [   70.205074][ T9350]  cont_write_begin+0x1000/0x1950 [   70.205547][ T9350]  hfsplus_write_begin+0x85/0x130 [   70.206017][ T9350]  generic_perform_write+0x3e8/0x1060 [   70.206519][ T9350]  __generic_file_write_iter+0x215/0x460 [   70.207042][ T9350]  generic_file_write_iter+0x109/0x5e0 [   70.207552][ T9350]  vfs_write+0xb0f/0x14e0 [   70.207961][ T9350]  ksys_write+0x23e/0x490 [   70.208375][ T9350]  __x64_sys_write+0x97/0xf0 [   70.208810][ T9350]  
x64_sys_call+0x3015/0x3cf0 [   70.209255][ T9350]  do_syscall_64+0xd9/0x1d0 [   70.209680][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [   70.210230][ T9350] [   70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5 [   70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [   70.212115][ T9350] ===================================================== [   70.212734][ T9350] Disabling lock debugging due to kernel taint [   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ... [   70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G    B             6.12.0-rc5 #5 [   70.214679][ T9350] Tainted: [B]=BAD_PAGE [   70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [   70.215999][ T9350] Call Trace: [   70.216309][ T9350]  <TASK> [   70.216585][ T9350]  dump_stack_lvl+0x1fd/0x2b0 [   70.217025][ T9350]  dump_stack+0x1e/0x30 [   70.217421][ T9350]  panic+0x502/0xca0 [   70.217803][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0  [   70.218294][ Message fromT sy9350]  kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...  kernel :[   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [  70.220179][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0 set ... [   70.221254][ T9350]  ? __msan_warning+0x96/0x120 [   70.222066][ T9350]  ? __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.223023][ T9350]  ? hfsplus_file_extend+0x74f/0x1cf0 [   70.224120][ T9350]  ? hfsplus_get_block+0xe16/0x17b0 [   70.224946][ T9350]  ? __block_write_begin_int+0x962/0x2ce0 [   70.225756][ T9350]  ? cont_write_begin+0x1000/0x1950 [   70.226337][ T9350]  ? hfsplus_write_begin+0x85/0x130 [   70.226852][ T9350]  ? generic_perform_write+0x3e8/0x1060 [   70.227405][ T9350]  ? __generic_file_write_iter+0x215/0x460 [   70.227979][ T9350]  ? generic_file_write_iter+0x109/0x5e0 [   70.228540][ T9350]  ? 
vfs_write+0xb0f/0x14e0 [   70.228997][ T9350]  ? ksys_write+0x23e/0x490 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40245",
                                "url": "https://ubuntu.com/security/CVE-2025-40245",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nios2: ensure that memblock.current_limit is set when setting pfn limits  On nios2, with CONFIG_FLATMEM set, the kernel relies on memblock_get_current_limit() to determine the limits of mem_map, in particular for max_low_pfn. Unfortunately, memblock.current_limit is only default initialized to MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading to situations where max_low_pfn can erroneously exceed the value of max_pfn and, thus, the valid range of available DRAM.  This can in turn cause kernel-level paging failures, e.g.:  [   76.900000] Unable to handle kernel paging request at virtual address 20303000 [   76.900000] ea = c0080890, ra = c000462c, cause = 14 [   76.900000] Kernel panic - not syncing: Oops [   76.900000] ---[ end Kernel panic - not syncing: Oops ]---  This patch fixes this by pre-calculating memblock.current_limit based on the upper limits of the available memory ranges via adjust_lowmem_bounds, a simplified version of the equivalent implementation within the arm architecture.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40086",
                                "url": "https://ubuntu.com/security/CVE-2025-40086",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Don't allow evicting of BOs in same VM in array of VM binds  An array of VM binds can potentially evict other buffer objects (BOs) within the same VM under certain conditions, which may lead to NULL pointer dereferences later in the bind pipeline. To prevent this, clear the allow_res_evict flag in the xe_bo_validate call.  v2:  - Invert polarity of no_res_evict (Thomas)  - Add comment in code explaining issue (Thomas)  (cherry picked from commit 8b9ba8d6d95fe75fed6b0480bb03da4b321bea08)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40087",
                                "url": "https://ubuntu.com/security/CVE-2025-40087",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define a proc_layoutcommit for the FlexFiles layout type  Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40088",
                                "url": "https://ubuntu.com/security/CVE-2025-40088",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()  The hfsplus_strcasecmp() logic can trigger the issue:  [  117.317703][ T9855] ================================================================== [  117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490 [  117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855 [  117.319577][ T9855] [  117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full) [  117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [  117.319783][ T9855] Call Trace: [  117.319785][ T9855]  <TASK> [  117.319788][ T9855]  dump_stack_lvl+0x1c1/0x2a0 [  117.319795][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319803][ T9855]  ? __pfx_dump_stack_lvl+0x10/0x10 [  117.319808][ T9855]  ? rcu_is_watching+0x15/0xb0 [  117.319816][ T9855]  ? lock_release+0x4b/0x3e0 [  117.319821][ T9855]  ? __kasan_check_byte+0x12/0x40 [  117.319828][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319835][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319842][ T9855]  print_report+0x17e/0x7e0 [  117.319848][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319855][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319862][ T9855]  ? __phys_addr+0xd3/0x180 [  117.319869][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319876][ T9855]  kasan_report+0x147/0x180 [  117.319882][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319891][ T9855]  hfsplus_strcasecmp+0x1bc/0x490 [  117.319900][ T9855]  ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10 [  117.319906][ T9855]  hfs_find_rec_by_key+0xa9/0x1e0 [  117.319913][ T9855]  __hfsplus_brec_find+0x18e/0x470 [  117.319920][ T9855]  ? __pfx_hfsplus_bnode_find+0x10/0x10 [  117.319926][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319933][ T9855]  ? 
__pfx___hfsplus_brec_find+0x10/0x10 [  117.319942][ T9855]  hfsplus_brec_find+0x28f/0x510 [  117.319949][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319956][ T9855]  ? __pfx_hfsplus_brec_find+0x10/0x10 [  117.319963][ T9855]  ? __kmalloc_noprof+0x2a9/0x510 [  117.319969][ T9855]  ? hfsplus_find_init+0x8c/0x1d0 [  117.319976][ T9855]  hfsplus_brec_read+0x2b/0x120 [  117.319983][ T9855]  hfsplus_lookup+0x2aa/0x890 [  117.319990][ T9855]  ? __pfx_hfsplus_lookup+0x10/0x10 [  117.320003][ T9855]  ? d_alloc_parallel+0x2f0/0x15e0 [  117.320008][ T9855]  ? __lock_acquire+0xaec/0xd80 [  117.320013][ T9855]  ? __pfx_d_alloc_parallel+0x10/0x10 [  117.320019][ T9855]  ? __raw_spin_lock_init+0x45/0x100 [  117.320026][ T9855]  ? __init_waitqueue_head+0xa9/0x150 [  117.320034][ T9855]  __lookup_slow+0x297/0x3d0 [  117.320039][ T9855]  ? __pfx___lookup_slow+0x10/0x10 [  117.320045][ T9855]  ? down_read+0x1ad/0x2e0 [  117.320055][ T9855]  lookup_slow+0x53/0x70 [  117.320065][ T9855]  walk_component+0x2f0/0x430 [  117.320073][ T9855]  path_lookupat+0x169/0x440 [  117.320081][ T9855]  filename_lookup+0x212/0x590 [  117.320089][ T9855]  ? __pfx_filename_lookup+0x10/0x10 [  117.320098][ T9855]  ? strncpy_from_user+0x150/0x290 [  117.320105][ T9855]  ? getname_flags+0x1e5/0x540 [  117.320112][ T9855]  user_path_at+0x3a/0x60 [  117.320117][ T9855]  __x64_sys_umount+0xee/0x160 [  117.320123][ T9855]  ? __pfx___x64_sys_umount+0x10/0x10 [  117.320129][ T9855]  ? do_syscall_64+0xb7/0x3a0 [  117.320135][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320141][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320145][ T9855]  do_syscall_64+0xf3/0x3a0 [  117.320150][ T9855]  ? 
exc_page_fault+0x9f/0xf0 [  117.320154][ T9855]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320158][ T9855] RIP: 0033:0x7f7dd7908b07 [  117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08 [  117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40162",
                                "url": "https://ubuntu.com/security/CVE-2025-40162",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails  devm_kasprintf() may return NULL on memory allocation failure, but the debug message prints cpus->dai_name before checking it. Move the dev_dbg() call after the NULL check to prevent potential NULL pointer dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40085",
                                "url": "https://ubuntu.com/security/CVE-2025-40085",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card  In try_to_register_card(), the return value of usb_ifnum_to_if() is passed directly to usb_interface_claimed() without a NULL check, which will lead to a NULL pointer dereference when creating an invalid USB audio device. Fix this by adding a check to ensure the interface pointer is valid before passing it to usb_interface_claimed().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40172",
                                "url": "https://ubuntu.com/security/CVE-2025-40172",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()  Currently, if find_and_map_user_pages() takes a DMA xfer request from the user with a length field set to 0, or in a rare case, the host receives QAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size is equal to the requested transaction size, the function will return 0 before allocating an sgt or setting the fields of the dma_xfer struct. In that case, encode_addr_size_pairs() will try to access the sgt which will lead to a general protection fault.  Return an EINVAL in case the user provides a zero-sized ALP, or the device requests continuation after all of the bytes have been transferred.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40177",
                                "url": "https://ubuntu.com/security/CVE-2025-40177",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/qaic: Fix bootlog initialization ordering  As soon as we queue MHI buffers to receive the bootlog from the device, we could be receiving data. Therefore all the resources needed to process that data need to be setup prior to queuing the buffers.  We currently initialize some of the resources after queuing the buffers which creates a race between the probe() and any data that comes back from the device. If the uninitialized resources are accessed, we could see page faults.  Fix the init ordering to close the race.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40163",
                                "url": "https://ubuntu.com/security/CVE-2025-40163",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched/deadline: Stop dl_server before CPU goes offline  IBM CI tool reported kernel warning[1] when running a CPU removal operation through drmgr[2]. i.e \"drmgr -c cpu -r -q 1\"  WARNING: CPU: 0 PID: 0 at kernel/sched/cpudeadline.c:219 cpudl_set+0x58/0x170 NIP [c0000000002b6ed8] cpudl_set+0x58/0x170 LR [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 Call Trace: [c000000002c2f8c0] init_stack+0x78c0/0x8000 (unreliable) [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 [c00000000034df84] __hrtimer_run_queues+0x1a4/0x390 [c00000000034f624] hrtimer_interrupt+0x124/0x300 [c00000000002a230] timer_interrupt+0x140/0x320  Git bisects to: commit 4ae8d9aa9f9d (\"sched/deadline: Fix dl_server getting stuck\")  This happens since: - dl_server hrtimer gets enqueued close to cpu offline, when   kthread_park enqueues a fair task. - CPU goes offline and drmgr removes it from cpu_present_mask. - hrtimer fires and warning is hit.  Fix it by stopping the dl_server before CPU is marked dead.  [1]: https://lore.kernel.org/all/8218e149-7718-4432-9312-f97297c352b9@linux.ibm.com/ [2]: https://github.com/ibm-power-utilities/powerpc-utils/tree/next/src/drmgr  [sshegde: wrote the changelog and tested it]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40174",
                                "url": "https://ubuntu.com/security/CVE-2025-40174",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/mm: Fix SMP ordering in switch_mm_irqs_off()  Stephen noted that it is possible to not have an smp_mb() between the loaded_mm store and the tlb_gen load in switch_mm(), meaning the ordering against flush_tlb_mm_range() goes out the window, and it becomes possible for switch_mm() to not observe a recent tlb_gen update and fail to flush the TLBs.  [ dhansen: merge conflict fixed by Ingo ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40089",
                                "url": "https://ubuntu.com/security/CVE-2025-40089",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cxl/features: Add check for no entries in cxl_feature_info  cxl EDAC calls cxl_feature_info() to get the feature information and if the hardware has no Features support, cxlfs may be passed in as NULL.  [   51.957498] BUG: kernel NULL pointer dereference, address: 0000000000000008 [   51.965571] #PF: supervisor read access in kernel mode [   51.971559] #PF: error_code(0x0000) - not-present page [   51.977542] PGD 17e4f6067 P4D 0 [   51.981384] Oops: Oops: 0000 [#1] SMP NOPTI [   51.986300] CPU: 49 UID: 0 PID: 3782 Comm: systemd-udevd Not tainted 6.17.0dj test+ #64 PREEMPT(voluntary) [   51.997355] Hardware name: <removed> [   52.009790] RIP: 0010:cxl_feature_info+0xa/0x80 [cxl_core]  Add a check for cxlfs before dereferencing it and return -EOPNOTSUPP if there is no cxlfs created due to no hardware support.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40176",
                                "url": "https://ubuntu.com/security/CVE-2025-40176",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tls: wait for pending async decryptions if tls_strp_msg_hold fails  Async decryption calls tls_strp_msg_hold to create a clone of the input skb to hold references to the memory it uses. If we fail to allocate that clone, proceeding with async decryption can lead to various issues (UAF on the skb, writing into userspace memory after the recv() call has returned).  In this case, wait for all pending decryption requests.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40164",
                                "url": "https://ubuntu.com/security/CVE-2025-40164",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: Fix using smp_processor_id() in preemptible code warnings  Syzbot reported the following warning:  BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879 caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary) Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120  check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49  usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331  usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708  usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417  __dev_set_mtu net/core/dev.c:9443 [inline]  netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496  netif_set_mtu+0xb0/0x160 net/core/dev.c:9520  dev_set_mtu+0xae/0x170 net/core/dev_api.c:247  dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572  dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821  sock_do_ioctl+0x19d/0x280 net/socket.c:1204  sock_ioctl+0x42f/0x6a0 net/socket.c:1311  vfs_ioctl fs/ioctl.c:51 [inline]  __do_sys_ioctl fs/ioctl.c:906 [inline]  __se_sys_ioctl fs/ioctl.c:892 [inline]  __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  For historical and portability reasons, the netif_rx() is usually run in the softirq or interrupt context, this commit therefore add local_bh_disable/enable() protection in the usbnet_resume_rx().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40091",
                                "url": "https://ubuntu.com/security/CVE-2025-40091",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ixgbe: fix too early devlink_free() in ixgbe_remove()  Since ixgbe_adapter is embedded in devlink, calling devlink_free() prematurely in the ixgbe_remove() path can lead to UAF. Move devlink_free() to the end.  KASAN report:   BUG: KASAN: use-after-free in ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]  Read of size 8 at addr ffff0000adf813e0 by task bash/2095  CPU: 1 UID: 0 PID: 2095 Comm: bash Tainted: G S 6.17.0-rc2-tnguy.net-queue+ #1 PREEMPT(full)  [...]  Call trace:   show_stack+0x30/0x90 (C)   dump_stack_lvl+0x9c/0xd0   print_address_description.constprop.0+0x90/0x310   print_report+0x104/0x1f0   kasan_report+0x88/0x180   __asan_report_load8_noabort+0x20/0x30   ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]   ixgbe_clear_interrupt_scheme+0xf8/0x130 [ixgbe]   ixgbe_remove+0x2d0/0x8c0 [ixgbe]   pci_device_remove+0xa0/0x220   device_remove+0xb8/0x170   device_release_driver_internal+0x318/0x490   device_driver_detach+0x40/0x68   unbind_store+0xec/0x118   drv_attr_store+0x64/0xb8   sysfs_kf_write+0xcc/0x138   kernfs_fop_write_iter+0x294/0x440   new_sync_write+0x1fc/0x588   vfs_write+0x480/0x6a0   ksys_write+0xf0/0x1e0   __arm64_sys_write+0x70/0xc0   invoke_syscall.constprop.0+0xcc/0x280   el0_svc_common.constprop.0+0xa8/0x248   do_el0_svc+0x44/0x68   el0_svc+0x54/0x160   el0t_64_sync_handler+0xa0/0xe8   el0t_64_sync+0x1b0/0x1b8",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40175",
                                "url": "https://ubuntu.com/security/CVE-2025-40175",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  idpf: cleanup remaining SKBs in PTP flows  When the driver requests Tx timestamp value, one of the first steps is to clone SKB using skb_get. It increases the reference counter for that SKB to prevent unexpected freeing by another component. However, there may be a case where the index is requested, SKB is assigned and never consumed by PTP flows - for example due to reset during running PTP apps.  Add a check in release timestamping function to verify if the SKB assigned to Tx timestamp latch was freed, and release remaining SKBs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40173",
                                "url": "https://ubuntu.com/security/CVE-2025-40173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ip6_tunnel: Prevent perpetual tunnel growth  Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd (\"net: ip_tunnel: prevent perpetual headroom growth\"), ipv6 tunnel yet increases the headroom without any ceiling.  Reflect ipv4 tunnel headroom adjustment limit on ipv6 version.  Credits to Francesco Ruggeri, who was originally debugging this issue and wrote local Arista-specific patch and a reproducer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40092",
                                "url": "https://ubuntu.com/security/CVE-2025-40092",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ncm: Refactor bind path to use __free()  After a bind/unbind cycle, the ncm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  ncm_bind+0x39c/0x3dc  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40093",
                                "url": "https://ubuntu.com/security/CVE-2025-40093",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ecm: Refactor bind path to use __free()  After a bind/unbind cycle, the ecm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40094",
                                "url": "https://ubuntu.com/security/CVE-2025-40094",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_acm: Refactor bind path to use __free()  After a bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  gs_free_req+0x30/0x44  acm_bind+0x1b8/0x1f4  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40095",
                                "url": "https://ubuntu.com/security/CVE-2025-40095",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_rndis: Refactor bind path to use __free()  After an bind/unbind cycle, the rndis->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40165",
                                "url": "https://ubuntu.com/security/CVE-2025-40165",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: nxp: imx8-isi: m2m: Fix streaming cleanup on release  If streamon/streamoff calls are imbalanced, such as when exiting an application with Ctrl+C when streaming, the m2m usage_count will never reach zero and the ISI channel won't be freed. Besides from that, if the input line width is more than 2K, it will trigger a WARN_ON():  [ 59.222120] ------------[ cut here ]------------ [ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654 [ 59.238569] Modules linked in: ap1302 [ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT [ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT) [ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120 [ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120 [ 59.275047] sp : ffff8000848c3b40 [ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00 [ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001 [ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780 [ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000 [ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c [ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 [ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30 [ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420 [ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000 [ 59.349590] Call trace: [ 59.352025]  mxc_isi_channel_chain+0xa4/0x120 (P) [ 59.356722]  mxc_isi_m2m_streamon+0x160/0x20c [ 
59.361072]  v4l_streamon+0x24/0x30 [ 59.364556]  __video_do_ioctl+0x40c/0x4a0 [ 59.368560]  video_usercopy+0x2bc/0x690 [ 59.372382]  video_ioctl2+0x18/0x24 [ 59.375857]  v4l2_ioctl+0x40/0x60 [ 59.379168]  __arm64_sys_ioctl+0xac/0x104 [ 59.383172]  invoke_syscall+0x48/0x104 [ 59.386916]  el0_svc_common.constprop.0+0xc0/0xe0 [ 59.391613]  do_el0_svc+0x1c/0x28 [ 59.394915]  el0_svc+0x34/0xf4 [ 59.397966]  el0t_64_sync_handler+0xa0/0xe4 [ 59.402143]  el0t_64_sync+0x198/0x19c [ 59.405801] ---[ end trace 0000000000000000 ]---  Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the v4l2_m2m_ioctl_streamon() and v4l2_m2m_ioctl_streamoff() helpers.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40096",
                                "url": "https://ubuntu.com/security/CVE-2025-40096",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies  When adding dependencies with drm_sched_job_add_dependency(), that function consumes the fence reference both on success and failure, so in the latter case the dma_fence_put() on the error path (xarray failed to expand) is a double free.  Interestingly this bug appears to have been present ever since commit ebd5f74255b9 (\"drm/sched: Add dependency tracking\"), since the code back then looked like this:  drm_sched_job_add_implicit_dependencies(): ...        for (i = 0; i < fence_count; i++) {                ret = drm_sched_job_add_dependency(job, fences[i]);                if (ret)                        break;        }         for (; i < fence_count; i++)                dma_fence_put(fences[i]);  Which means for the failing 'i' the dma_fence_put was already a double free. Possibly there were no users at that time, or the test cases were insufficient to hit it.  The bug was then only noticed and fixed after commit 9c2ba265352a (\"drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2\") landed, with its fixup of commit 4eaf02d6076c (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies\").  At that point it was a slightly different flavour of a double free, which commit 963d0b356935 (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder\") noticed and attempted to fix.  But it only moved the double free from happening inside the drm_sched_job_add_dependency(), when releasing the reference not yet obtained, to the caller, when releasing the reference already released by the former in the failure case.  As such it is not easy to identify the right target for the fixes tag so lets keep it simple and just continue the chain.  
While fixing we also improve the comment and explain the reason for taking the reference and not dropping it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40097",
                                "url": "https://ubuntu.com/security/CVE-2025-40097",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda: Fix missing pointer check in hda_component_manager_init function  The __component_match_add function may assign the 'matchptr' pointer the value ERR_PTR(-ENOMEM), which will subsequently be dereferenced.  The call stack leading to the error looks like this:  hda_component_manager_init |-> component_match_add     |-> component_match_add_release         |-> __component_match_add ( ... ,**matchptr, ... )             |-> *matchptr = ERR_PTR(-ENOMEM);       // assign |-> component_master_add_with_match( ...  match)     |-> component_match_realloc(match, match->num); // dereference  Add IS_ERR() check to prevent the crash.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40098",
                                "url": "https://ubuntu.com/security/CVE-2025-40098",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state()  Return value of a function acpi_evaluate_dsm() is dereferenced  without checking for NULL, but it is usually checked for this function.  acpi_evaluate_dsm() may return NULL, when acpi_evaluate_object() returns acpi_status other than ACPI_SUCCESS, so add a check to prevent the crach.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40099",
                                "url": "https://ubuntu.com/security/CVE-2025-40099",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cifs: parse_dfs_referrals: prevent oob on malformed input  Malicious SMB server can send invalid reply to FSCTL_DFS_GET_REFERRALS  - reply smaller than sizeof(struct get_dfs_referral_rsp) - reply with number of referrals smaller than NumberOfReferrals in the header  Processing of such replies will cause oob.  Return -EINVAL error on such replies to prevent oob-s.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40100",
                                "url": "https://ubuntu.com/security/CVE-2025-40100",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: do not assert we found block group item when creating free space tree  Currently, when building a free space tree at populate_free_space_tree(), if we are not using the block group tree feature, we always expect to find block group items (either extent items or a block group item with key type BTRFS_BLOCK_GROUP_ITEM_KEY) when we search the extent tree with btrfs_search_slot_for_read(), so we assert that we found an item. However this expectation is wrong since we can have a new block group created in the current transaction which is still empty and for which we still have not added the block group's item to the extent tree, in which case we do not have any items in the extent tree associated to the block group.  The insertion of a new block group's block group item in the extent tree happens at btrfs_create_pending_block_groups() when it calls the helper insert_block_group_item(). This typically is done when a transaction handle is released, committed or when running delayed refs (either as part of a transaction commit or when serving tickets for space reservation if we are low on free space).  So remove the assertion at populate_free_space_tree() even when the block group tree feature is not enabled and update the comment to mention this case.  Syzbot reported this with the following stack trace:    BTRFS info (device loop3 state M): rebuilding free space tree   assertion failed: ret == 0 :: 0, in fs/btrfs/free-space-tree.c:1115   ------------[ cut here ]------------   kernel BUG at fs/btrfs/free-space-tree.c:1115!   Oops: invalid opcode: 0000 [#1] SMP KASAN PTI   CPU: 1 UID: 0 PID: 6352 Comm: syz.3.25 Not tainted syzkaller #0 PREEMPT(full)   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025   RIP: 0010:populate_free_space_tree+0x700/0x710 fs/btrfs/free-space-tree.c:1115   Code: ff ff e8 d3 (...)   
RSP: 0018:ffffc9000430f780 EFLAGS: 00010246   RAX: 0000000000000043 RBX: ffff88805b709630 RCX: fea61d0e2e79d000   RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000   RBP: ffffc9000430f8b0 R08: ffffc9000430f4a7 R09: 1ffff92000861e94   R10: dffffc0000000000 R11: fffff52000861e95 R12: 0000000000000001   R13: 1ffff92000861f00 R14: dffffc0000000000 R15: 0000000000000000   FS:  00007f424d9fe6c0(0000) GS:ffff888125afc000(0000) knlGS:0000000000000000   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   CR2: 00007fd78ad212c0 CR3: 0000000076d68000 CR4: 00000000003526f0   Call Trace:    <TASK>    btrfs_rebuild_free_space_tree+0x1ba/0x6d0 fs/btrfs/free-space-tree.c:1364    btrfs_start_pre_rw_mount+0x128f/0x1bf0 fs/btrfs/disk-io.c:3062    btrfs_remount_rw fs/btrfs/super.c:1334 [inline]    btrfs_reconfigure+0xaed/0x2160 fs/btrfs/super.c:1559    reconfigure_super+0x227/0x890 fs/super.c:1076    do_remount fs/namespace.c:3279 [inline]    path_mount+0xd1a/0xfe0 fs/namespace.c:4027    do_mount fs/namespace.c:4048 [inline]    __do_sys_mount fs/namespace.c:4236 [inline]    __se_sys_mount+0x313/0x410 fs/namespace.c:4213    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    RIP: 0033:0x7f424e39066a   Code: d8 64 89 02 (...)   RSP: 002b:00007f424d9fde68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5   RAX: ffffffffffffffda RBX: 00007f424d9fdef0 RCX: 00007f424e39066a   RDX: 0000200000000180 RSI: 0000200000000380 RDI: 0000000000000000   RBP: 0000200000000180 R08: 00007f424d9fdef0 R09: 0000000000000020   R10: 0000000000000020 R11: 0000000000000246 R12: 0000200000000380   R13: 00007f424d9fdeb0 R14: 0000000000000000 R15: 00002000000002c0    </TASK>   Modules linked in:   ---[ end trace 0000000000000000 ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40101",
                                "url": "https://ubuntu.com/security/CVE-2025-40101",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST  At the end of btrfs_load_block_group_zone_info() the first thing we do is to ensure that if the mapping type is not a SINGLE one and there is no RAID stripe tree, then we return early with an error.  Doing that, though, prevents the code from running the last calls from this function which are about freeing memory allocated during its run. Hence, in this case, instead of returning early, we set the ret value and fall through the rest of the cleanup code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40167",
                                "url": "https://ubuntu.com/security/CVE-2025-40167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: detect invalid INLINE_DATA + EXTENTS flag combination  syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal.  The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set:      EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:     comm syz.0.17: corrupted extent tree: lblk 0 < prev 66  Investigation revealed that the inode has both flags set:     DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1  This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks  Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes.  Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40102",
                                "url": "https://ubuntu.com/security/CVE-2025-40102",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Prevent access to vCPU events before init  Another day, another syzkaller bug. KVM erroneously allows userspace to pend vCPU events for a vCPU that hasn't been initialized yet, leading to KVM interpreting a bunch of uninitialized garbage for routing / injecting the exception.  In one case the injection code and the hyp disagree on whether the vCPU has a 32bit EL1 and put the vCPU into an illegal mode for AArch64, tripping the BUG() in exception_target_el() during the next injection:    kernel BUG at arch/arm64/kvm/inject_fault.c:40!   Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP   CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT   Hardware name: linux,dummy-virt (DT)   pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)   pc : exception_target_el+0x88/0x8c   lr : pend_serror_exception+0x18/0x13c   sp : ffff800082f03a10   x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000   x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000   x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004   x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000   x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0   x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000   x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000   x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000   x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000   x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20   Call trace:    exception_target_el+0x88/0x8c (P)    kvm_inject_serror_esr+0x40/0x3b4    __kvm_arm_vcpu_set_events+0xf0/0x100    kvm_arch_vcpu_ioctl+0x180/0x9d4    kvm_vcpu_ioctl+0x60c/0x9f4    __arm64_sys_ioctl+0xac/0x104    invoke_syscall+0x48/0x110    el0_svc_common.constprop.0+0x40/0xe0  
  do_el0_svc+0x1c/0x28    el0_svc+0x34/0xf0    el0t_64_sync_handler+0xa0/0xe4    el0t_64_sync+0x198/0x19c   Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000)  Reject the ioctls outright as no sane VMM would call these before KVM_ARM_VCPU_INIT anyway. Even if it did the exception would've been thrown away by the eventual reset of the vCPU's state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40103",
                                "url": "https://ubuntu.com/security/CVE-2025-40103",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: Fix refcount leak for cifs_sb_tlink  Fix three refcount inconsistency issues related to `cifs_sb_tlink`.  Comments for `cifs_sb_tlink` state that `cifs_put_tlink()` needs to be called after successful calls to `cifs_sb_tlink()`. Three calls fail to update refcount accordingly, leading to possible resource leaks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40104",
                                "url": "https://ubuntu.com/security/CVE-2025-40104",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ixgbevf: fix mailbox API compatibility by negotiating supported features  There was backward compatibility in the terms of mailbox API. Various drivers from various OSes supporting 10G adapters from Intel portfolio could easily negotiate mailbox API.  This convention has been broken since introducing API 1.4. Commit 0062e7cc955e (\"ixgbevf: add VF IPsec offload code\") added support for IPSec which is specific only for the kernel ixgbe driver. None of the rest of the Intel 10G PF/VF drivers supports it. And actually lack of support was not included in the IPSec implementation - there were no such code paths. No possibility to negotiate support for the feature was introduced along with introduction of the feature itself.  Commit 339f28964147 (\"ixgbevf: Add support for new mailbox communication between PF and VF\") increasing API version to 1.5 did the same - it introduced code supported specifically by the PF ESX driver. It altered API version for the VF driver in the same time not touching the version defined for the PF ixgbe driver. It led to additional discrepancies, as the code provided within API 1.6 cannot be supported for Linux ixgbe driver as it causes crashes.  The issue was noticed some time ago and mitigated by Jake within the commit d0725312adf5 (\"ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5\"). As a result we have regression for IPsec support and after increasing API to version 1.6 ixgbevf driver stopped to support ESX MBX.  To fix this mess add new mailbox op asking PF driver about supported features. Basing on a response determine whether to set support for IPSec and ESX-specific enhanced mailbox.  New mailbox op, for compatibility purposes, must be added within new API revision, as API version of OOT PF & VF drivers is already increased to 1.6 and doesn't incorporate features negotiate op.  
Features negotiation mechanism gives possibility to be extended with new features when needed in the future.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40166",
                                "url": "https://ubuntu.com/security/CVE-2025-40166",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Check GuC running state before deregistering exec queue  In normal operation, a registered exec queue is disabled and deregistered through the GuC, and freed only after the GuC confirms completion. However, if the driver is forced to unbind while the exec queue is still running, the user may call exec_destroy() after the GuC has already been stopped and CT communication disabled.  In this case, the driver cannot receive a response from the GuC, preventing proper cleanup of exec queue resources. Fix this by directly releasing the resources when GuC is not running.  Here is the failure dmesg log: \" [  468.089581] ---[ end trace 0000000000000000 ]--- [  468.089608] pci 0000:03:00.0: [drm] *ERROR* GT0: GUC ID manager unclean (1/65535) [  468.090558] pci 0000:03:00.0: [drm] GT0:     total 65535 [  468.090562] pci 0000:03:00.0: [drm] GT0:     used 1 [  468.090564] pci 0000:03:00.0: [drm] GT0:     range 1..1 (1) [  468.092716] ------------[ cut here ]------------ [  468.092719] WARNING: CPU: 14 PID: 4775 at drivers/gpu/drm/xe/xe_ttm_vram_mgr.c:298 ttm_vram_mgr_fini+0xf8/0x130 [xe] \"  v2: use xe_uc_fw_is_running() instead of xe_guc_ct_enabled().     As CT may go down and come back during VF migration.  (cherry picked from commit 9b42321a02c50a12b2beb6ae9469606257fbecea)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40105",
                                "url": "https://ubuntu.com/security/CVE-2025-40105",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vfs: Don't leak disconnected dentries on umount  When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb (\"VFS: don't keep disconnected dentries on d_anon\") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitely relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are \"leaked\". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous \"Busy inodes after unmount\" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40019",
                                "url": "https://ubuntu.com/security/CVE-2025-40019",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: essiv - Check ssize for decryption and in-place encryption  Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-24 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40214",
                                "url": "https://ubuntu.com/security/CVE-2025-40214",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  af_unix: Initialise scc_index in unix_add_edge().  Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro.  The repro consists of three stages.    1)     1-a. Create a single cyclic reference with many sockets     1-b. close() all sockets     1-c. Trigger GC    2)     2-a. Pass sk-A to an embryo sk-B     2-b. Pass sk-X to sk-X     2-c. Trigger GC    3)     3-a. accept() the embryo sk-B     3-b. Pass sk-B to sk-C     3-c. close() the in-flight sk-A     3-d. Trigger GC  As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs:    unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START)   unix_sk(sk-X)->vertex->scc_index = 3  Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC.  At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices.  unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight.  3-c decrements sk-A's file refcnt to 1.  Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X:    sk-A -> sk-B (-> sk-C)   sk-X -> sk-X  This is totally fine.  All of them are not yet close()d and should be grouped into different SCCs.  However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead.    unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong!   &&   sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree                                        ^-- 1 in-flight count for sk-B   -> sk-A is dead !?  
The problem is that unix_add_edge() does not initialise scc_index.  Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c.  Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index.  This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.",
                                "cve_priority": "high",
                                "cve_public_date": "2025-12-04 13:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * questing/linux-riscv: 6.17.0-14.14.1 -proposed tracker (LP: #2137845)",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian.riscv/dkms-versions -- update from kernel-versions",
                            "      (main/2026.01.12)",
                            "",
                            "  [ Ubuntu: 6.17.0-14.14 ]",
                            "",
                            "  * questing/linux: 6.17.0-14.14 -proposed tracker (LP: #2137849)",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian.master/dkms-versions -- update from kernel-versions",
                            "      (main/2026.01.12)",
                            "  * ubuntu_kselftests:_net/net:gre_gso.sh failing (LP: #2136820)",
                            "    - SAUCE increase socat timeout in gre_gso.sh",
                            "  * ubuntu_blktrace_smoke_test fails on questing with rust coreutils",
                            "    (LP: #2137698)",
                            "    - SAUCE: Revert \"ext4: fail unaligned direct IO write with EINVAL\"",
                            "  * bareudp.sh in ubuntu_kselftests_net fails because of dash default shell",
                            "    (LP: #2129812)",
                            "    - selftests: net: use BASH for bareudp testing",
                            "  * CVE-2025-40256",
                            "    - xfrm: also call xfrm_state_delete_tunnel at destroy time for states that",
                            "      were never added",
                            "  * Enable PMF on AMD HPT/STX/KRK (LP: #2125022)",
                            "    - platform/x86/amd/pmf: Add support for adjusting PMF PPT and PPT APU",
                            "      thresholds",
                            "    - platform/x86/amd/pmf: Extend custom BIOS inputs for more policies",
                            "    - platform/x86/amd/pmf: Update ta_pmf_action structure member",
                            "    - platform/x86/amd/pmf: Add helper to verify BIOS input notifications are",
                            "      enable/disable",
                            "    - platform/x86/amd/pmf: Add custom BIOS input support for AMD_CPU_ID_PS",
                            "    - platform/x86/amd/pmf: Preserve custom BIOS inputs for evaluating the",
                            "      policies",
                            "    - platform/x86/amd/pmf: Call enact function sooner to process early",
                            "      pending requests",
                            "    - platform/x86/amd/pmf: Add debug logs for pending requests and custom",
                            "      BIOS inputs",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850)",
                            "    - iommufd/selftest: Fix ioctl return value in _test_cmd_trigger_vevents()",
                            "    - drm/mediatek: Add pm_runtime support for GCE power control",
                            "    - drm/i915: Fix conversion between clock ticks and nanoseconds",
                            "    - drm/amdgpu: set default gfx reset masks for gfx6-8",
                            "    - drm/amd/display: Don't stretch non-native images by default in eDP",
                            "    - smb: client: fix refcount leak in smb2_set_path_attr",
                            "    - iommufd: Make vfio_compat's unmap succeed if the range is already empty",
                            "    - futex: Optimize per-cpu reference counting",
                            "    - drm/amd: Fix suspend failure with secure display TA",
                            "    - drm/xe: Move declarations under conditional branch",
                            "    - drm/xe: Do clean shutdown also when using flr",
                            "    - drm/amd/display: Add pixel_clock to amd_pp_display_configuration",
                            "    - drm/amd/pm: Use pm_display_cfg in legacy DPM (v2)",
                            "    - drm/amd/display: Disable fastboot on DCE 6 too",
                            "    - drm/amd/pm: Disable MCLK switching on SI at high pixel clocks",
                            "    - drm/amd: Disable ASPM on SI",
                            "    - arm64: kprobes: check the return value of set_memory_rox()",
                            "    - compiler_types: Move unused static inline functions warning to W=2",
                            "    - riscv: Build loader.bin exclusively for Canaan K210",
                            "    - RISC-V: clear hot-unplugged cores from all task mm_cpumasks to avoid",
                            "      rfence errors",
                            "    - riscv: acpi: avoid errors caused by probing DT devices when ACPI is used",
                            "    - fs: return EOPNOTSUPP from file_setattr/file_getattr syscalls",
                            "    - ASoC: nau8821: Avoid unnecessary blocking in IRQ handler",
                            "    - NFS4: Fix state renewals missing after boot",
                            "    - drm/amdkfd: fix suspend/resume all calls in mes based eviction path",
                            "    - NFS4: Apply delay_retrans to async operations",
                            "    - HID: intel-thc-hid: intel-quickspi: Add ARL PCI Device Id's",
                            "    - HID: quirks: avoid Cooler Master MM712 dongle wakeup bug",
                            "    - ixgbe: handle IXGBE_VF_GET_PF_LINK_STATE mailbox operation",
                            "    - HID: nintendo: Wait longer for initial probe",
                            "    - NFS: check if suid/sgid was cleared after a write as needed",
                            "    - HID: quirks: Add ALWAYS_POLL quirk for VRS R295 steering wheel",
                            "    - io_uring: fix unexpected placement on same size resizing",
                            "    - HID: logitech-hidpp: Add HIDPP_QUIRK_RESET_HI_RES_SCROLL",
                            "    - ASoC: max98090/91: fixed max98091 ALSA widget powering up/down",
                            "    - ALSA: hda/realtek: Fix mute led for HP Omen 17-cb0xxx",
                            "    - ixgbe: handle IXGBE_VF_FEATURES_NEGOTIATE mbox cmd",
                            "    - wifi: ath11k: zero init info->status in wmi_process_mgmt_tx_comp()",
                            "    - selftests: net: local_termination: Wait for interfaces to come up",
                            "    - net: fec: correct rx_bytes statistic for the case SHIFT16 is set",
                            "    - net: phy: micrel: Introduce lanphy_modify_page_reg",
                            "    - net: phy: micrel: Replace hardcoded pages with defines",
                            "    - net: phy: micrel: lan8814 fix reset of the QSGMII interface",
                            "    - rust: Add -fno-isolate-erroneous-paths-dereference to",
                            "      bindgen_skip_c_flags",
                            "    - NFSD: Skip close replay processing if XDR encoding fails",
                            "    - Bluetooth: 6lowpan: fix BDADDR_LE vs ADDR_LE_DEV address type confusion",
                            "    - Bluetooth: 6lowpan: Don't hold spin lock over sleeping functions",
                            "    - Bluetooth: hci_conn: Fix not cleaning up PA_LINK connections",
                            "    - net: dsa: tag_brcm: do not mark link local traffic as offloaded",
                            "    - net/smc: fix mismatch between CLC header and proposal",
                            "    - net/handshake: Fix memory leak in tls_handshake_accept()",
                            "    - net: ethernet: ti: am65-cpsw-qos: fix IET verify/response timeout",
                            "    - net: ethernet: ti: am65-cpsw-qos: fix IET verify retry mechanism",
                            "    - net: mdio: fix resource leak in mdiobus_register_device()",
                            "    - wifi: mac80211: skip rate verification for not captured PSDUs",
                            "    - Bluetooth: hci_event: Fix not handling PA Sync Lost event",
                            "    - net/mlx5e: Fix missing error assignment in mlx5e_xfrm_add_state()",
                            "    - net/mlx5e: Fix maxrate wraparound in threshold between units",
                            "    - net/mlx5e: Fix wraparound in rate limiting for values above 255 Gbps",
                            "    - net/mlx5e: Fix potentially misleading debug message",
                            "    - net/mlx5: Fix typo of MLX5_EQ_DOORBEL_OFFSET",
                            "    - net/mlx5: Store the global doorbell in mlx5_priv",
                            "    - net/mlx5e: Prepare for using different CQ doorbells",
                            "    - net_sched: limit try_bulk_dequeue_skb() batches",
                            "    - wifi: iwlwifi: mvm: fix beacon template/fixed rate",
                            "    - wifi: iwlwifi: mld: always take beacon ies in link grading",
                            "    - virtio-net: fix incorrect flags recording in big mode",
                            "    - hsr: Fix supervision frame sending on HSRv0",
                            "    - hsr: Follow standard for HSRv0 supervision frames",
                            "    - ACPI: CPPC: Detect preferred core availability on online CPUs",
                            "    - ACPI: CPPC: Check _CPC validity for only the online CPUs",
                            "    - ACPI: CPPC: Perform fast check switch only for online CPUs",
                            "    - ACPI: CPPC: Limit perf ctrs in PCC check only to online CPUs",
                            "    - cpufreq: intel_pstate: Check IDA only before MSR_IA32_PERF_CTL writes",
                            "    - Bluetooth: L2CAP: export l2cap_chan_hold for modules",
                            "    - io_uring/rsrc: don't use blk_rq_nr_phys_segments() as number of bvecs",
                            "    - acpi,srat: Fix incorrect device handle check for Generic Initiator",
                            "    - regulator: fixed: fix GPIO descriptor leak on register failure",
                            "    - ASoC: cs4271: Fix regulator leak on probe failure",
                            "    - ASoC: codecs: va-macro: fix resource leak in probe error path",
                            "    - drm/vmwgfx: Restore Guest-Backed only cursor plane support",
                            "    - ASoC: tas2781: fix getting the wrong device number",
                            "    - pnfs: Fix TLS logic in _nfs4_pnfs_v3_ds_connect()",
                            "    - pnfs: Fix TLS logic in _nfs4_pnfs_v4_ds_connect()",
                            "    - pnfs: Set transport security policy to RPC_XPRTSEC_NONE unless using TLS",
                            "    - simplify nfs_atomic_open_v23()",
                            "    - NFSv2/v3: Fix error handling in nfs_atomic_open_v23()",
                            "    - NFS: sysfs: fix leak when nfs_client kobject add fails",
                            "    - NFSv4: Fix an incorrect parameter when calling nfs4_call_sync()",
                            "    - drm/amd/amdgpu: Ensure isp_kernel_buffer_alloc() creates a new BO",
                            "    - acpi/hmat: Fix lockdep warning for hmem_register_resource()",
                            "    - ASoC: rsnd: fix OF node reference leak in rsnd_ssiu_probe()",
                            "    - drm/client: fix MODULE_PARM_DESC string for \"active\"",
                            "    - irqchip/riscv-intc: Add missing free() callback in riscv_intc_domain_ops",
                            "    - lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN",
                            "    - hostfs: Fix only passing host root in boot stage with new mount",
                            "    - afs: Fix dynamic lookup to fail on cell lookup failure",
                            "    - mtd: onenand: Pass correct pointer to IRQ handler",
                            "    - virtio-fs: fix incorrect check for fsvq->kobj",
                            "    - fs/namespace: correctly handle errors returned by grab_requested_mnt_ns",
                            "    - perf header: Write bpf_prog (infos|btfs)_cnt to data file",
                            "    - perf build: Don't fail fast path feature detection when binutils-devel",
                            "      is not available",
                            "    - perf lock: Fix segfault due to missing kernel map",
                            "    - perf test shell lock_contention: Extra debug diagnostics",
                            "    - perf test: Fix lock contention test",
                            "    - arm64: dts: rockchip: Set correct pinctrl for I2S1 8ch TX on odroid-m1",
                            "    - arm64: dts: rockchip: Fix PCIe power enable pin for BigTreeTech CB2 and",
                            "      Pi2",
                            "    - arm64: dts: rockchip: Make RK3588 GPU OPP table naming less generic",
                            "    - ARM: dts: imx6ull-engicam-microgea-rmm: fix report-rate-hz value",
                            "    - ARM: dts: imx51-zii-rdu1: Fix audmux node names",
                            "    - arm64: dts: imx8-ss-img: Avoid gpio0_mipi_csi GPIOs being deferred",
                            "    - arm64: dts: imx8mp-kontron: Fix USB OTG role switching",
                            "    - HID: hid-ntrig: Prevent memory leak in ntrig_report_version()",
                            "    - ARM: dts: BCM53573: Fix address of Luxul XAP-1440's Ethernet PHY",
                            "    - arm64: dts: rockchip: Fix USB power enable pin for BTT CB2 and Pi2",
                            "    - arm64: dts: rockchip: drop reset from rk3576 i2c9 node",
                            "    - pwm: adp5585: Correct mismatched pwm chip info",
                            "    - HID: playstation: Fix memory leak in dualshock4_get_calibration_data()",
                            "    - HID: uclogic: Fix potential memory leak in error path",
                            "    - LoongArch: KVM: Restore guest PMU if it is enabled",
                            "    - LoongArch: KVM: Add delay until timer interrupt injected",
                            "    - LoongArch: KVM: Fix max supported vCPUs set with EIOINTC",
                            "    - KVM: arm64: Make all 32bit ID registers fully writable",
                            "    - KVM: SVM: Mark VMCB_LBR dirty when MSR_IA32_DEBUGCTLMSR is updated",
                            "    - KVM: nSVM: Always recalculate LBR MSR intercepts in svm_update_lbrv()",
                            "    - KVM: nSVM: Fix and simplify LBR virtualization handling with nested",
                            "    - KVM: VMX: Fix check for valid GVA on an EPT violation",
                            "    - nfsd: add missing FATTR4_WORD2_CLONE_BLKSIZE from supported attributes",
                            "    - gcov: add support for GCC 15",
                            "    - kho: warn and exit when unpreserved page wasn't preserved",
                            "    - strparser: Fix signed/unsigned mismatch bug",
                            "    - dma-mapping: benchmark: Restore padding to ensure uABI remained",
                            "      consistent",
                            "    - maple_tree: fix tracepoint string pointers",
                            "    - LoongArch: Consolidate early_ioremap()/ioremap_prot()",
                            "    - LoongArch: Use correct accessor to read FWPC/MWPC",
                            "    - LoongArch: Let {pte,pmd}_modify() record the status of _PAGE_DIRTY",
                            "    - mm/damon/sysfs: change next_update_jiffies to a global variable",
                            "    - selftests/tracing: Run sample events to clear page cache events",
                            "    - wifi: mac80211: reject address change while connecting",
                            "    - mm/huge_memory: preserve PG_has_hwpoisoned if a folio is split to >0",
                            "      order",
                            "    - mm/mm_init: fix hash table order logging in alloc_large_system_hash()",
                            "    - mm/damon/stat: change last_refresh_jiffies to a global variable",
                            "    - mm/kmsan: fix kmsan kmalloc hook when no stack depots are allocated yet",
                            "    - mm/shmem: fix THP allocation and fallback loop",
                            "    - mm/mremap: honour writable bit in mremap pte batching",
                            "    - mm/huge_memory: fix folio split check for anon folios in swapcache",
                            "    - mmc: sdhci-of-dwcmshc: Change DLL_STRBIN_TAPNUM_DEFAULT to 0x4",
                            "    - mmc: pxamci: Simplify pxamci_probe() error handling using devm APIs",
                            "    - mmc: dw_mmc-rockchip: Fix wrong internal phase calculate",
                            "    - ASoC: sdw_utils: fix device reference leak in is_sdca_endpoint_present()",
                            "    - crypto: hisilicon/qm - Fix device reference leak in qm_get_qos_value",
                            "    - smb: client: fix cifs_pick_channel when channel needs reconnect",
                            "    - spi: Try to get ACPI GPIO IRQ earlier",
                            "    - x86/microcode/AMD: Add Zen5 model 0x44, stepping 0x1 minrev",
                            "    - x86/CPU/AMD: Add additional fixed RDSEED microcode revisions",
                            "    - selftests/user_events: fix type cast for write_index packed member in",
                            "      perf_test",
                            "    - gendwarfksyms: Skip files with no exports",
                            "    - ftrace: Fix BPF fexit with livepatch",
                            "    - LoongArch: Consolidate max_pfn & max_low_pfn calculation",
                            "    - LoongArch: Use physical addresses for CSR_MERRENTRY/CSR_TLBRENTRY",
                            "    - EDAC/altera: Handle OCRAM ECC enable after warm reset",
                            "    - EDAC/altera: Use INTTEST register for Ethernet and USB SBE injection",
                            "    - PM: hibernate: Emit an error when image writing fails",
                            "    - PM: hibernate: Use atomic64_t for compressed_size variable",
                            "    - btrfs: zoned: fix conventional zone capacity calculation",
                            "    - btrfs: zoned: fix stripe width calculation",
                            "    - btrfs: scrub: put bio after errors in scrub_raid56_parity_stripe()",
                            "    - btrfs: do not update last_log_commit when logging inode due to a new",
                            "      name",
                            "    - btrfs: release root after error in data_reloc_print_warning_inode()",
                            "    - drm/amdkfd: relax checks for over allocation of save area",
                            "    - drm/amdgpu: disable peer-to-peer access for DCC-enabled GC12 VRAM",
                            "      surfaces",
                            "    - drm/i915/psr: fix pipe to vblank conversion",
                            "    - drm/xe/xe3lpg: Extend Wa_15016589081 for xe3lpg",
                            "    - drm/xe/xe3: Extend wa_14023061436",
                            "    - drm/xe/xe3: Add WA_14024681466 for Xe3_LPG",
                            "    - pmdomain: imx: Fix reference count leak in imx_gpc_remove",
                            "    - pmdomain: samsung: plug potential memleak during probe",
                            "    - pmdomain: samsung: Rework legacy splash-screen handover workaround",
                            "    - selftests: mptcp: connect: fix fallback note due to OoO",
                            "    - selftests: mptcp: join: rm: set backup flag",
                            "    - selftests: mptcp: join: endpoints: longer transfer",
                            "    - selftests: mptcp: connect: trunc: read all recv data",
                            "    - selftests: mptcp: join: userspace: longer transfer",
                            "    - selftests: mptcp: join: properly kill background tasks",
                            "    - mm/huge_memory: do not change split_huge_page*() target order silently",
                            "    - mm/memory: do not populate page table entries beyond i_size",
                            "    - scripts/decode_stacktrace.sh: symbol: avoid trailing whitespaces",
                            "    - scripts/decode_stacktrace.sh: symbol: preserve alignment",
                            "    - scripts/decode_stacktrace.sh: fix build ID and PC source parsing",
                            "    - ASoC: da7213: Convert to DEFINE_RUNTIME_DEV_PM_OPS()",
                            "    - ASoC: da7213: Use component driver suspend/resume",
                            "    - KVM: x86: Rename local \"ecx\" variables to \"msr\" and \"pmc\" as appropriate",
                            "    - KVM: x86: Add support for RDMSR/WRMSRNS w/ immediate on Intel",
                            "    - KVM: VMX: Inject #UD if guest tries to execute SEAMCALL or TDCALL",
                            "    - isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()",
                            "    - net: phy: micrel: Fix lan8814_config_init",
                            "    - Linux 6.17.9",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68204",
                            "    - pmdomain: arm: scmi: Fix genpd leak on provider registration failure",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68203",
                            "    - drm/amdgpu: fix lock warning in amdgpu_userq_fence_driver_process",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40267",
                            "    - io_uring/rw: ensure allocated iovec gets cleared for early failure",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68198",
                            "    - crash: fix crashkernel resource shrink",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68199",
                            "    - codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for",
                            "      slabobj_ext",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40268",
                            "    - cifs: client: fix memory leak in smb3_fs_context_parse_param",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40269",
                            "    - ALSA: usb-audio: Fix potential overflow of PCM transfer buffer",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68205",
                            "    - ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40270",
                            "    - mm, swap: fix potential UAF issue for VMA readahead",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40271",
                            "    - fs/proc: fix uaf in proc_readdir_de()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40272",
                            "    - mm/secretmem: fix use-after-free race in fault handler",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68245",
                            "    - net: netpoll: fix incorrect refcount handling causing incorrect cleanup",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68240",
                            "    - nilfs2: avoid having an active sc_timer before freeing sci",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68241",
                            "    - ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68211",
                            "    - ksm: use range-walk function to jump over holes in",
                            "      scan_get_next_rmap_item",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68246",
                            "    - ksmbd: close accepted socket when per-IP limit rejects connection",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40273",
                            "    - NFSD: free copynotify stateid in nfs4_free_ol_stateid()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40212",
                            "    - nfsd: fix refcount leak in nfsd_set_fh_dentry()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40274",
                            "    - KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68202",
                            "    - sched_ext: Fix unsafe locking in the scx_dump_state()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68239",
                            "    - binfmt_misc: restore write access before closing files opened by",
                            "      open_exec()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68247",
                            "    - posix-timers: Plug potential memory leak in do_timer_create()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68208",
                            "    - bpf: account for current allocated stack depth in",
                            "      widen_imprecise_scalars()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68200",
                            "    - bpf: Add bpf_prog_run_data_pointers()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40275",
                            "    - ALSA: usb-audio: Fix NULL pointer dereference in",
                            "      snd_usb_mixer_controls_badd",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68242",
                            "    - NFS: Fix LTP test failures when timestamps are delegated",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68243",
                            "    - NFS: Check the TLS certificate fields in nfs_match_client()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40276",
                            "    - drm/panthor: Flush shmem writes before mapping buffers CPU-uncached",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40277",
                            "    - drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68206",
                            "    - netfilter: nft_ct: add seqadj extension for natted connections",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68209",
                            "    - mlx5: Fix default values in create CQ",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40278",
                            "    - net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-",
                            "      infoleak",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40279",
                            "    - net: sched: act_connmark: initialize struct tc_ife to fix kernel leak",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40280",
                            "    - tipc: Fix use-after-free in tipc_mon_reinit_self().",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40281",
                            "    - sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40282",
                            "    - Bluetooth: 6lowpan: reset link-local header on ipv6 recv path",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40283",
                            "    - Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40284",
                            "    - Bluetooth: MGMT: cancel mesh send timer when hdev removed",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68210",
                            "    - erofs: avoid infinite loop due to incomplete zstd-compressed data",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40285",
                            "    - smb/server: fix possible refcount leak in smb2_sess_setup()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40286",
                            "    - smb/server: fix possible memory leak in smb2_read()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40287",
                            "    - exfat: fix improper check of dentry.stream.valid_size",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40288",
                            "    - drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40289",
                            "    - drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68201",
                            "    - drm/amdgpu: remove two invalid BUG_ON()s",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68207",
                            "    - drm/xe/guc: Synchronize Dead CT worker with unbind",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68244",
                            "    - drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833)",
                            "    - Revert \"Bluetooth: L2CAP: convert timeouts to secs_to_jiffies()\"",
                            "    - sched_ext: Mark scx_bpf_dsq_move_set_[slice|vtime]() with KF_RCU",
                            "    - net: usb: asix_devices: Check return value of usbnet_get_endpoints",
                            "    - fbdev: atyfb: Check if pll_ops->init_pll failed",
                            "    - ACPI: button: Call input_free_device() on failing input device",
                            "      registration",
                            "    - ACPI: fan: Use platform device for devres-related actions",
                            "    - virtio-net: drop the multi-buffer XDP packet in zerocopy",
                            "    - batman-adv: Release references to inactive interfaces",
                            "    - Bluetooth: rfcomm: fix modem control handling",
                            "    - net: phy: dp83867: Disable EEE support as not implemented",
                            "    - fbdev: pvr2fb: Fix leftover reference to ONCHIP_NR_DMA_CHANNELS",
                            "    - fbdev: valkyriefb: Fix reference count leak in valkyriefb_init",
                            "    - mptcp: drop bogus optimization in __mptcp_check_push()",
                            "    - mptcp: restore window probe",
                            "    - ASoC: qdsp6: q6asm: do not sleep while atomic",
                            "    - ASoC: renesas: rz-ssi: Use proper dma_buffer_pos after resume",
                            "    - s390/pci: Restore IRQ unconditionally for the zPCI device",
                            "    - x86/build: Disable SSE4a",
                            "    - wifi: ath10k: Fix memory leak on unsupported WMI command",
                            "    - wifi: ath11k: Add missing platform IDs for quirk table",
                            "    - wifi: ath12k: free skb during idr cleanup callback",
                            "    - wifi: ath11k: avoid bit operation on key flags",
                            "    - drm/msm/a6xx: Fix GMU firmware parser",
                            "    - ALSA: usb-audio: fix control pipe direction",
                            "    - ASoC: cs-amp-lib-test: Fix missing include of kunit/test-bug.h",
                            "    - wifi: mac80211: reset FILS discovery and unsol probe resp intervals",
                            "    - wifi: mac80211: fix key tailroom accounting leak",
                            "    - wifi: nl80211: call kfree without a NULL check",
                            "    - kunit: test_dev_action: Correctly cast 'priv' pointer to long*",
                            "    - scsi: ufs: core: Initialize value of an attribute returned by uic cmd",
                            "    - scsi: core: Fix the unit attention counter implementation",
                            "    - bpf: Do not audit capability check in do_jit()",
                            "    - nvmet-auth: update sc_c in host response",
                            "    - crypto: s390/phmac - Do not modify the req->nbytes value",
                            "    - ASoC: Intel: avs: Unprepare a stream when XRUN occurs",
                            "    - ASoC: fsl_sai: fix bit order for DSD format",
                            "    - ASoC: fsl_micfil: correct the endian format for DSD",
                            "    - libbpf: Fix powerpc's stack register definition in bpf_tracing.h",
                            "    - ASoC: mediatek: Fix double pm_runtime_disable in remove functions",
                            "    - Bluetooth: ISO: Fix BIS connection dst_type handling",
                            "    - Bluetooth: btmtksdio: Add pmctrl handling for BT closed state during",
                            "      reset",
                            "    - Bluetooth: HCI: Fix tracking of advertisement set/instance 0x00",
                            "    - Bluetooth: ISO: Fix another instance of dst_type handling",
                            "    - Bluetooth: btintel_pcie: Fix event packet loss issue",
                            "    - Bluetooth: hci_conn: Fix connection cleanup with BIG with 2 or more BIS",
                            "    - Bluetooth: hci_core: Fix tracking of periodic advertisement",
                            "    - bpf: Conditionally include dynptr copy kfuncs",
                            "    - drm/msm: Ensure vm is created in VM_BIND ioctl",
                            "    - ALSA: usb-audio: add mono main switch to Presonus S1824c",
                            "    - ALSA: usb-audio: don't log messages meant for 1810c when initializing",
                            "      1824c",
                            "    - ACPI: MRRM: Check revision of MRRM table",
                            "    - drm/etnaviv: fix flush sequence logic",
                            "    - tools: ynl: fix string attribute length to include null terminator",
                            "    - net: hns3: return error code when function fails",
                            "    - sfc: fix potential memory leak in efx_mae_process_mport()",
                            "    - tools: ynl: avoid print_field when there is no reply",
                            "    - dpll: spec: add missing module-name and clock-id to pin-get reply",
                            "    - ASoC: fsl_sai: Fix sync error in consumer mode",
                            "    - ASoC: soc_sdw_utils: remove cs42l43 component_name",
                            "    - drm/amd/pm: fix smu table id bound check issue in smu_cmn_update_table()",
                            "    - drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji",
                            "    - drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland",
                            "    - drm/amdgpu: fix SPDX headers on amdgpu_cper.c/h",
                            "    - drm/amdgpu: fix SPDX header on amd_cper.h",
                            "    - drm/amdgpu: fix SPDX header on irqsrcs_vcn_5_0.h",
                            "    - ACPI: fan: Use ACPI handle when retrieving _FST",
                            "    - block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL",
                            "    - block: make REQ_OP_ZONE_OPEN a write operation",
                            "    - dma-fence: Fix safe access wrapper to call timeline name method",
                            "    - kbuild: align modinfo section for Secureboot Authenticode EDK2 compat",
                            "    - regmap: irq: Correct documentation of wake_invert flag",
                            "    - [Config] Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP for s390x",
                            "    - s390/mm: Fix memory leak in add_marker() when kvrealloc() fails",
                            "    - drm/xe: Do not wake device during a GT reset",
                            "    - drm/sched: avoid killing parent entity on child SIGKILL",
                            "    - drm/sched: Fix race in drm_sched_entity_select_rq()",
                            "    - drm/nouveau: Fix race in nouveau_sched_fini()",
                            "    - drm/i915/dmc: Clear HRR EVT_CTL/HTP to zero on ADL-S",
                            "    - drm/ast: Clear preserved bits from register output value",
                            "    - drm/amd: Check that VPE has reached DPM0 in idle handler",
                            "    - drm/amd/display: Fix incorrect return of vblank enable on unconfigured",
                            "      crtc",
                            "    - drm/amd/display: Don't program BLNDGAM_MEM_PWR_FORCE when CM low-power",
                            "      is disabled on DCN30",
                            "    - drm/amd/display: Add HDR workaround for a specific eDP",
                            "    - mptcp: leverage skb deferral free",
                            "    - mptcp: fix MSG_PEEK stream corruption",
                            "    - cpuidle: governors: menu: Rearrange main loop in menu_select()",
                            "    - cpuidle: governors: menu: Select polling state in some more cases",
                            "    - PM: hibernate: Combine return paths in power_down()",
                            "    - PM: sleep: Allow pm_restrict_gfp_mask() stacking",
                            "    - mfd: kempld: Switch back to earlier ->init() behavior",
                            "    - soc: aspeed: socinfo: Add AST27xx silicon IDs",
                            "    - firmware: qcom: scm: preserve assign_mem() error return value",
                            "    - soc: qcom: smem: Fix endian-unaware access of num_entries",
                            "    - spi: loopback-test: Don't use %pK through printk",
                            "    - spi: spi-qpic-snand: handle 'use_ecc' parameter of",
                            "      qcom_spi_config_cw_read()",
                            "    - soc: ti: pruss: don't use %pK through printk",
                            "    - bpf: Don't use %pK through printk",
                            "    - mmc: sdhci: Disable SD card clock before changing parameters",
                            "    - pinctrl: single: fix bias pull up/down handling in pin_config_set",
                            "    - mmc: host: renesas_sdhi: Fix the actual clock",
                            "    - memstick: Add timeout to prevent indefinite waiting",
                            "    - cpufreq: ti: Add support for AM62D2",
                            "    - bpf: Use tnums for JEQ/JNE is_branch_taken logic",
                            "    - firmware: ti_sci: Enable abort handling of entry to LPM",
                            "    - firewire: ohci: move self_id_complete tracepoint after validating",
                            "      register",
                            "    - irqchip/sifive-plic: Respect mask state when setting affinity",
                            "    - irqchip/loongson-eiointc: Route interrupt parsed from bios table",
                            "    - ACPI: sysfs: Use ACPI_FREE() for freeing an ACPI object",
                            "    - ACPI: video: force native for Lenovo 82K8",
                            "    - libbpf: Fix USDT SIB argument handling causing unrecognized register",
                            "      error",
                            "    - selftests/bpf: Fix bpf_prog_detach2 usage in test_lirc_mode2",
                            "    - arm64: versal-net: Update rtc calibration value",
                            "    - Revert \"UBUNTU: SAUCE: firmware: qcom: scm: Allow QSEECOM on Dell",
                            "      Inspiron 7441 / Latitude 7455\"",
                            "    - firmware: qcom: scm: Allow QSEECOM on Dell Inspiron 7441 / Latitude 7455",
                            "    - kselftest/arm64: tpidr2: Switch to waitpid() over wait4()",
                            "    - arc: Fix __fls() const-foldability via __builtin_clzl()",
                            "    - selftests/bpf: Upon failures, exit with code 1 in test_xsk.sh",
                            "    - irqchip/gic-v2m: Handle Multiple MSI base IRQ Alignment",
                            "    - ACPI: PRM: Skip handlers with NULL handler_address or NULL VA",
                            "    - ACPI: resource: Skip IRQ override on ASUS Vivobook Pro N6506CU",
                            "    - ACPI: scan: Add Intel CVS ACPI HIDs to acpi_ignore_dep_ids[]",
                            "    - thermal: gov_step_wise: Allow cooling level to be reduced earlier",
                            "    - thermal: intel: selftests: workload_hint: Mask unsupported types",
                            "    - power: supply: qcom_battmgr: add OOI chemistry",
                            "    - hwmon: (k10temp) Add thermal support for AMD Family 1Ah-based models",
                            "    - hwmon: (k10temp) Add device ID for Strix Halo",
                            "    - hwmon: (lenovo-ec-sensors) Update P8 supprt",
                            "    - hwmon: (sbtsi_temp) AMD CPU extended temperature range support",
                            "    - pinctrl: renesas: rzg2l: Add suspend/resume support for Schmitt control",
                            "      registers",
                            "    - pinctrl: keembay: release allocated memory in detach path",
                            "    - power: supply: sbs-charger: Support multiple devices",
                            "    - io_uring/rsrc: respect submitter_task in io_register_clone_buffers()",
                            "    - hwmon: sy7636a: add alias",
                            "    - selftests/bpf: Fix incorrect array size calculation",
                            "    - block: check for valid bio while splitting",
                            "    - irqchip/loongson-pch-lpc: Use legacy domain for PCH-LPC IRQ controller",
                            "    - cpufreq: ondemand: Update the efficient idle check for Intel extended",
                            "      Families",
                            "    - arm64: zynqmp: Disable coresight by default",
                            "    - arm64: zynqmp: Revert usb node drive strength and slew rate for zcu106",
                            "    - soc/tegra: fuse: Add Tegra114 nvmem cells and fuse lookups",
                            "    - ARM: tegra: p880: set correct touchscreen clipping",
                            "    - ARM: tegra: transformer-20: add missing magnetometer interrupt",
                            "    - ARM: tegra: transformer-20: fix audio-codec interrupt",
                            "    - firmware: qcom: tzmem: disable sc7180 platform",
                            "    - soc: ti: k3-socinfo: Add information for AM62L SR1.1",
                            "    - mmc: sdhci-msm: Enable tuning for SDR50 mode for SD card",
                            "    - pwm: pca9685: Use bulk write to atomicially update registers",
                            "    - ACPICA: dispatcher: Use acpi_ds_clear_operands() in",
                            "      acpi_ds_call_control_method()",
                            "    - tee: allow a driver to allocate a tee_device without a pool",
                            "    - kunit: Enable PCI on UML without triggering WARN()",
                            "    - selftests/bpf: Fix arena_spin_lock selftest failure",
                            "    - bpf: Do not limit bpf_cgroup_from_id to current's namespace",
                            "    - i3c: mipi-i3c-hci-pci: Add support for Intel Wildcat Lake-U I3C",
                            "    - rust: kunit: allow `cfg` on `test`s",
                            "    - video: backlight: lp855x_bl: Set correct EPROM start for LP8556",
                            "    - i3c: dw: Add shutdown support to dw_i3c_master driver",
                            "    - io_uring/zcrx: check all niovs filled with dma addresses",
                            "    - tools/cpupower: fix error return value in cpupower_write_sysfs()",
                            "    - io_uring/zcrx: account niov arrays to cgroup",
                            "    - pmdomain: apple: Add \"apple,t8103-pmgr-pwrstate\"",
                            "    - power: supply: qcom_battmgr: handle charging state change notifications",
                            "    - bpftool: Fix -Wuninitialized-const-pointer warnings with clang >= 21",
                            "    - cpuidle: Fail cpuidle device registration if there is one already",
                            "    - selftests/bpf: Fix selftest verifier_arena_large failure",
                            "    - selftests: ublk: fix behavior when fio is not installed",
                            "    - spi: rpc-if: Add resume support for RZ/G3E",
                            "    - ACPI: SPCR: Support Precise Baud Rate field",
                            "    - clocksource/drivers/vf-pit: Replace raw_readl/writel to readl/writel",
                            "    - clocksource/drivers/timer-rtl-otto: Work around dying timers",
                            "    - clocksource/drivers/timer-rtl-otto: Do not interfere with interrupts",
                            "    - riscv: bpf: Fix uninitialized symbol 'retval_off'",
                            "    - bpf: Clear pfmemalloc flag when freeing all fragments",
                            "    - selftests: drv-net: Pull data before parsing headers",
                            "    - nvme: Use non zero KATO for persistent discovery connections",
                            "    - uprobe: Do not emulate/sstep original instruction when ip is changed",
                            "    - hwmon: (asus-ec-sensors) increase timeout for locking ACPI mutex",
                            "    - hwmon: (dell-smm) Remove Dell Precision 490 custom config data",
                            "    - hwmon: (dell-smm) Add support for Dell OptiPlex 7040",
                            "    - tools/cpupower: Fix incorrect size in cpuidle_state_disable()",
                            "    - selftests/bpf: Fix flaky bpf_cookie selftest",
                            "    - tools/power turbostat: Fix incorrect sorting of PMT telemetry",
                            "    - tools/power x86_energy_perf_policy: Fix incorrect fopen mode usage",
                            "    - tools/power x86_energy_perf_policy: Enhance HWP enable",
                            "    - tools/power x86_energy_perf_policy: Prefer driver HWP limits",
                            "    - mfd: simple-mfd-i2c: Add compatible strings for Layerscape QIXIS FPGA",
                            "    - mfd: stmpe: Remove IRQ domain upon removal",
                            "    - mfd: stmpe-i2c: Add missing MODULE_LICENSE",
                            "    - mfd: qnap-mcu: Handle errors returned from qnap_mcu_write",
                            "    - mfd: qnap-mcu: Include linux/types.h in qnap-mcu.h shared header",
                            "    - mfd: madera: Work around false-positive -Wininitialized warning",
                            "    - mfd: da9063: Split chip variant reading in two bus transactions",
                            "    - mfd: macsmc: Add \"apple,t8103-smc\" compatible",
                            "    - mfd: core: Increment of_node's refcount before linking it to the",
                            "      platform device",
                            "    - mfd: cs42l43: Move IRQ enable/disable to encompass force suspend",
                            "    - mfd: intel-lpss: Add Intel Wildcat Lake LPSS PCI IDs",
                            "    - drm/xe/ptl: Apply Wa_16026007364",
                            "    - drm/xe/configfs: Enforce canonical device names",
                            "    - drm/amd/display: Update tiled to tiled copy command",
                            "    - drm/amd/display: fix condition for setting timing_adjust_pending",
                            "    - drm/amd/display: ensure committing streams is seamless",
                            "    - drm/amdgpu: add range check for RAS bad page address",
                            "    - drm/amdgpu: Check vcn sram load return value",
                            "    - drm/amd/display: Remove check DPIA HPD status for BW Allocation",
                            "    - drm/amd/display: Increase AUX Intra-Hop Done Max Wait Duration",
                            "    - drm/amd/display: Fix dmub_cmd header alignment",
                            "    - drm/xe/guc: Add more GuC load error status codes",
                            "    - drm/xe/pf: Don't resume device from restart worker",
                            "    - drm/amdgpu: Fix build error when CONFIG_SUSPEND is disabled",
                            "    - drm/amdgpu: Update IPID value for bad page threshold CPER",
                            "    - drm/amdgpu: Avoid rma causes GPU duplicate reset",
                            "    - drm/amdgpu: Effective health check before reset",
                            "    - drm/amd/amdgpu: Release xcp drm memory after unplug",
                            "    - drm/amdgpu: Fix vcn v5.0.1 poison irq call trace",
                            "    - drm/xe: Extend wa_13012615864 to additional Xe2 and Xe3 platforms",
                            "    - drm/amdgpu: Skip poison aca bank from UE channel",
                            "    - drm/amd/display: add more cyan skillfish devices",
                            "    - drm/amdgpu: Initialize jpeg v5_0_1 ras function",
                            "    - drm/amdgpu: skip mgpu fan boost for multi-vf",
                            "    - drm/amd/display: fix dmub access race condition",
                            "    - drm/amd/display: update dpp/disp clock from smu clock table",
                            "    - drm/amd/pm: Use cached metrics data on aldebaran",
                            "    - drm/amd/pm: Use cached metrics data on arcturus",
                            "    - accel/amdxdna: Unify pm and rpm suspend and resume callbacks",
                            "    - drm/amdgpu/jpeg: Hold pg_lock before jpeg poweroff",
                            "    - drm/xe/pf: Program LMTT directory pointer on all GTs within a tile",
                            "    - drm/nouveau: replace snprintf() with scnprintf() in nvkm_snprintbf()",
                            "    - ASoC: tas2781: Add keyword \"init\" in profile section",
                            "    - ASoC: mediatek: Use SND_JACK_AVOUT for HDMI/DP jacks",
                            "    - drm/amd/display: Reset apply_eamless_boot_optimization when dpms_off",
                            "    - drm/amdgpu: add to custom amdgpu_drm_release drm_dev_enter/exit",
                            "    - drm/amd/display: Wait until OTG enable state is cleared",
                            "    - drm/xe: rework PDE PAT index selection",
                            "    - docs: kernel-doc: avoid script crash on ancient Python",
                            "    - drm/sharp-memory: Do not access GEM-DMA vaddr directly",
                            "    - PCI: Disable MSI on RDC PCI to PCIe bridges",
                            "    - drm/nouveau: always set RMDevidCheckIgnore for GSP-RM",
                            "    - drm/panel-edp: Add SHP LQ134Z1 panel for Dell XPS 9345",
                            "    - selftests/net: Replace non-standard __WORDSIZE with sizeof(long) * 8",
                            "    - selftests/net: Ensure assert() triggers in psock_tpacket.c",
                            "    - wifi: rtw89: print just once for unknown C2H events",
                            "    - wifi: rtw88: sdio: use indirect IO for device registers before power-on",
                            "    - wifi: rtw89: add dummy C2H handlers for BCN resend and update done",
                            "    - drm/amdkfd: return -ENOTTY for unsupported IOCTLs",
                            "    - selftests: drv-net: devmem: add / correct the IPv6 support",
                            "    - selftests: drv-net: devmem: flip the direction of Tx tests",
                            "    - media: pci: ivtv: Don't create fake v4l2_fh",
                            "    - media: amphion: Delete v4l2_fh synchronously in .release()",
                            "    - drm/tidss: Use the crtc_* timings when programming the HW",
                            "    - drm/bridge: cdns-dsi: Fix REG_WAKEUP_TIME value",
                            "    - drm/bridge: cdns-dsi: Don't fail on MIPI_DSI_MODE_VIDEO_BURST",
                            "    - drm/tidss: Set crtc modesetting parameters with adjusted mode",
                            "    - drm/tidss: Remove early fb",
                            "    - RDMA/mana_ib: Drain send wrs of GSI QP",
                            "    - media: i2c: Kconfig: Ensure a dependency on HAVE_CLK for",
                            "      VIDEO_CAMERA_SENSOR",
                            "    - PCI/ERR: Update device error_state already after reset",
                            "    - x86/vsyscall: Do not require X86_PF_INSTR to emulate vsyscall",
                            "    - net: stmmac: Check stmmac_hw_setup() in stmmac_resume()",
                            "    - ice: Don't use %pK through printk or tracepoints",
                            "    - thunderbolt: Use is_pciehp instead of is_hotplug_bridge",
                            "    - ASoC: es8323: enable DAPM power widgets for playback DAC and output",
                            "    - powerpc/eeh: Use result of error_detected() in uevent",
                            "    - s390/pci: Use pci_uevent_ers() in PCI recovery",
                            "    - bridge: Redirect to backup port when port is administratively down",
                            "    - selftests: drv-net: wait for carrier",
                            "    - net: phy: mscc: report and configure in-band auto-negotiation for",
                            "      SGMII/QSGMII",
                            "    - scsi: ufs: host: mediatek: Fix auto-hibern8 timer configuration",
                            "    - scsi: ufs: host: mediatek: Fix PWM mode switch issue",
                            "    - scsi: ufs: host: mediatek: Assign power mode userdata before FASTAUTO",
                            "      mode change",
                            "    - scsi: ufs: host: mediatek: Change reset sequence for improved stability",
                            "    - scsi: ufs: host: mediatek: Fix invalid access in vccqx handling",
                            "    - gpu: nova-core: register: allow fields named `offset`",
                            "    - drm/panthor: Serialize GPU cache flush operations",
                            "    - HID: pidff: Use direction fix only for conditional effects",
                            "    - HID: pidff: PERMISSIVE_CONTROL quirk autodetection",
                            "    - drm/bridge: display-connector: don't set OP_DETECT for DisplayPorts",
                            "    - drm/amdkfd: Handle lack of READ permissions in SVM mapping",
                            "    - drm/amdgpu: refactor bad_page_work for corner case handling",
                            "    - hwrng: timeriomem - Use us_to_ktime() where appropriate",
                            "    - iio: adc: spear_adc: mask SPEAR_ADC_STATUS channel and avg sample before",
                            "      setting register",
                            "    - iio: adc: imx93_adc: load calibrated values even calibration failed",
                            "    - usb: gadget: f_ncm: Fix MAC assignment NCM ethernet",
                            "    - ASoC: es8323: remove DAC enablement write from es8323_probe",
                            "    - ASoC: es8323: add proper left/right mixer controls via DAPM",
                            "    - ASoC: codecs: wsa883x: Handle shared reset GPIO for WSA883x speakers",
                            "    - drm/xe: Make page size consistent in loop",
                            "    - wifi: rtw89: wow: remove notify during WoWLAN net-detect",
                            "    - wifi: rtw89: fix BSSID comparison for non-transmitted BSSID",
                            "    - wifi: rtw89: 8851b: rfk: update IQK TIA setting",
                            "    - dm error: mark as DM_TARGET_PASSES_INTEGRITY",
                            "    - char: misc: Make misc_register() reentry for miscdevice who wants",
                            "      dynamic minor",
                            "    - char: misc: Does not request module for miscdevice with dynamic minor",
                            "    - net: When removing nexthops, don't call synchronize_net if it is not",
                            "      necessary",
                            "    - net: Call trace_sock_exceed_buf_limit() for memcg failure with",
                            "      SK_MEM_RECV.",
                            "    - dmaengine: idxd: Add a new IAA device ID for Wildcat Lake family",
                            "      platforms",
                            "    - PCI/P2PDMA: Fix incorrect pointer usage in devm_kfree() call",
                            "    - bnxt_en: Add Hyper-V VF ID",
                            "    - tty: serial: Modify the use of dev_err_probe()",
                            "    - ALSA: usb-audio: Add validation of UAC2/UAC3 effect units",
                            "    - Octeontx2-af: Broadcast XON on all channels",
                            "    - idpf: do not linearize big TSO packets",
                            "    - drm/xe/pcode: Initialize data0 for pcode read routine",
                            "    - drm/panel: ilitek-ili9881c: turn off power-supply when init fails",
                            "    - drm/panel: ilitek-ili9881c: move display_on/_off dcs calls to",
                            "      (un-)prepare",
                            "    - rds: Fix endianness annotation for RDS_MPATH_HASH",
                            "    - net: wangxun: limit tx_max_coalesced_frames_irq",
                            "    - iio: imu: bmi270: Match PNP ID found on newer GPD firmware",
                            "    - media: ipu6: isys: Set embedded data type correctly for metadata formats",
                            "    - rpmsg: char: Export alias for RPMSG ID rpmsg-raw from table",
                            "    - net: ipv4: allow directed broadcast routes to use dst hint",
                            "    - scsi: mpi3mr: Fix device loss during enclosure reboot due to zero link",
                            "      speed",
                            "    - wifi: rtw89: coex: Limit Wi-Fi scan slot cost to avoid A2DP glitch",
                            "    - scsi: mpi3mr: Fix I/O failures during controller reset",
                            "    - scsi: mpi3mr: Fix controller init failure on fault during queue creation",
                            "    - scsi: pm80xx: Fix race condition caused by static variables",
                            "    - extcon: adc-jack: Fix wakeup source leaks on device unbind",
                            "    - extcon: fsa9480: Fix wakeup source leaks on device unbind",
                            "    - extcon: axp288: Fix wakeup source leaks on device unbind",
                            "    - drm/xe: Set GT as wedged before sending wedged uevent",
                            "    - remoteproc: wkup_m3: Use devm_pm_runtime_enable() helper",
                            "    - drm/xe/wcl: Extend L3bank mask workaround",
                            "    - net: phy: fixed_phy: let fixed_phy_unregister free the phy_device",
                            "    - selftests: drv-net: hds: restore hds settings",
                            "    - fuse: zero initialize inode private data",
                            "    - virtio_fs: fix the hash table using in virtio_fs_enqueue_req()",
                            "    - selftests: pci_endpoint: Skip IRQ test if IRQ is out of range.",
                            "    - drm/xe: Ensure GT is in C0 during resumes",
                            "    - misc: pci_endpoint_test: Skip IRQ tests if irq is out of range",
                            "    - drm/amdgpu: Correct the loss of aca bank reg info",
                            "    - drm/amdgpu: Correct the counts of nr_banks and nr_errors",
                            "    - drm/amdkfd: fix vram allocation failure for a special case",
                            "    - drm/amd/display: Support HW cursor 180 rot for any number of pipe splits",
                            "    - drm/amdkfd: Tie UNMAP_LATENCY to queue_preemption",
                            "    - drm/amd/display: wait for otg update pending latch before clock",
                            "      optimization",
                            "    - drm/amd/display: Consider sink max slice width limitation for dsc",
                            "    - drm/amdgpu/vpe: cancel delayed work in hw_fini",
                            "    - drm/xe: Cancel pending TLB inval workers on teardown",
                            "    - net: Prevent RPS table overwrite of active flows",
                            "    - eth: fbnic: Reset hw stats upon PCI error",
                            "    - wifi: iwlwifi: mld: trigger mlo scan only when not in EMLSR",
                            "    - platform/x86/intel-uncore-freq: Fix warning in partitioned system",
                            "    - drm/msm/dpu: Filter modes based on adjusted mode clock",
                            "    - drm/msm: Use of_reserved_mem_region_to_resource() for \"memory-region\"",
                            "    - selftests: drv-net: rss_ctx: fix the queue count check",
                            "    - media: fix uninitialized symbol warnings",
                            "    - media: pci: mgb4: Fix timings comparison in VIDIOC_S_DV_TIMINGS",
                            "    - ASoC: SOF: ipc4-pcm: Add fixup for channels",
                            "    - drm/amdgpu: Notify pmfw bad page threshold exceeded",
                            "    - drm/amd/display: Increase minimum clock for TMDS 420 with pipe splitting",
                            "    - drm/amdgpu: Avoid jpeg v5.0.1 poison irq call trace on sriov guest",
                            "    - drm/amd/display: incorrect conditions for failing dto calculations",
                            "    - drm/amdgpu: Avoid vcn v5.0.1 poison irq call trace on sriov guest",
                            "    - drm/amdgpu: Respect max pixel clock for HDMI and DVI-D (v2)",
                            "    - mips: lantiq: danube: add missing properties to cpu node",
                            "    - mips: lantiq: danube: add model to EASY50712 dts",
                            "    - mips: lantiq: danube: add missing device_type in pci node",
                            "    - mips: lantiq: xway: sysctrl: rename stp clock",
                            "    - mips: lantiq: danube: rename stp node on EASY50712 reference board",
                            "    - inet_diag: annotate data-races in inet_diag_bc_sk()",
                            "    - microchip: lan865x: add ndo_eth_ioctl handler to enable PHY ioctl",
                            "      support",
                            "    - crypto: qat - use kcalloc() in qat_uclo_map_objs_from_mof()",
                            "    - scsi: pm8001: Use int instead of u32 to store error codes",
                            "    - iio: adc: ad7124: do not require mclk",
                            "    - scsi: ufs: exynos: fsd: Gate ref_clk and put UFS device in reset on",
                            "      suspend",
                            "    - media: imx-mipi-csis: Only set clock rate when specified in DT",
                            "    - wifi: iwlwifi: pcie: remember when interrupts are disabled",
                            "    - drm/st7571-i2c: add support for inverted pixel format",
                            "    - ptp: Limit time setting of PTP clocks",
                            "    - dmaengine: sh: setup_xref error handling",
                            "    - dmaengine: mv_xor: match alloc_wc and free_wc",
                            "    - dmaengine: dw-edma: Set status for callback_result",
                            "    - netfilter: nf_tables: all transaction allocations can now sleep",
                            "    - drm/msm/dsi/phy: Toggle back buffer resync after preparing PLL",
                            "    - drm/msm/dsi/phy_7nm: Fix missing initial VCO rate",
                            "    - drm/amdgpu: Allow kfd CRIU with no buffer objects",
                            "    - drm/xe/guc: Increase GuC crash dump buffer size",
                            "    - drm/amd/pm: Increase SMC timeout on SI and warn (v3)",
                            "    - move_mount(2): take sanity checks in 'beneath' case into do_lock_mount()",
                            "    - selftests: drv-net: rss_ctx: make the test pass with few queues",
                            "    - ipv6: Add sanity checks on ipv6_devconf.rpl_seg_enabled",
                            "    - drm/xe: Extend Wa_22021007897 to Xe3 platforms",
                            "    - wifi: mac80211: count reg connection element in the size",
                            "    - drm/panthor: check bo offset alignment in vm bind",
                            "    - drm: panel-backlight-quirks: Make EDID match optional",
                            "    - ixgbe: reduce number of reads when getting OROM data",
                            "    - netlink: specs: fou: change local-v6/peer-v6 check",
                            "    - net: nfc: nci: Increase NCI_DATA_TIMEOUT to 3000 ms",
                            "    - media: adv7180: Add missing lock in suspend callback",
                            "    - media: adv7180: Do not write format to device in set_fmt",
                            "    - media: adv7180: Only validate format in querystd",
                            "    - media: verisilicon: Explicitly disable selection api ioctls for decoders",
                            "    - wifi: mac80211: Fix 6 GHz Band capabilities element advertisement in",
                            "      lower bands",
                            "    - platform/x86: think-lmi: Add extra TC BIOS error messages",
                            "    - platform/x86/intel-uncore-freq: Present unique domain ID per package",
                            "    - ALSA: usb-audio: apply quirk for MOONDROP Quark2",
                            "    - PCI: imx6: Enable the Vaux supply if available",
                            "    - drm/xe/guc: Set upper limit of H2G retries over CTB",
                            "    - net: call cond_resched() less often in __release_sock()",
                            "    - smsc911x: add second read of EEPROM mac when possible corruption seen",
                            "    - drm/xe: improve dma-resv handling for backup object",
                            "    - iommu/amd: Add support to remap/unmap IOMMU buffers for kdump",
                            "    - iommu/amd: Skip enabling command/event buffers for kdump",
                            "    - iommu/amd: Reuse device table for kdump",
                            "    - crypto: ccp: Skip SEV and SNP INIT for kdump boot",
                            "    - iommu/apple-dart: Clear stream error indicator bits for T8110 DARTs",
                            "    - bus: mhi: host: pci_generic: Add support for all Foxconn T99W696 SKU",
                            "      variants",
                            "    - drm/amdgpu: Correct info field of bad page threshold exceed CPER",
                            "    - drm/amd: add more cyan skillfish PCI ids",
                            "    - drm/amdgpu: don't enable SMU on cyan skillfish",
                            "    - drm/amdgpu: add support for cyan skillfish gpu_info",
                            "    - drm/amd/display: Fix pbn_div Calculation Error",
                            "    - drm/amd/display: dont wait for pipe update during medupdate/highirq",
                            "    - drm/amd/pm: refine amdgpu pm sysfs node error code",
                            "    - drm/amd/display: Indicate when custom brightness curves are in use",
                            "    - selftests: ncdevmem: don't retry EFAULT",
                            "    - net: dsa: felix: support phy-mode = \"10g-qxgmii\"",
                            "    - usb: gadget: f_hid: Fix zero length packet transfer",
                            "    - serial: qcom-geni: Add DFS clock mode support to GENI UART driver",
                            "    - serdev: Drop dev_pm_domain_detach() call",
                            "    - tty/vt: Add missing return value for VT_RESIZE in vt_ioctl()",
                            "    - eeprom: at25: support Cypress FRAMs without device ID",
                            "    - drm/msm/adreno: Add speedbins for A663 GPU",
                            "    - drm/msm: Fix 32b size truncation",
                            "    - dt-bindings: display/msm/gmu: Update Adreno 623 bindings",
                            "    - drm/msm: make sure to not queue up recovery more than once",
                            "    - char: Use list_del_init() in misc_deregister() to reinitialize list",
                            "      pointer",
                            "    - drm/msm/adreno: Add speedbin data for A623 GPU",
                            "    - drm/msm/adreno: Add fenced regwrite support",
                            "    - drm/msm/a6xx: Switch to GMU AO counter",
                            "    - idpf: link NAPIs to queues",
                            "    - selftests: net: make the dump test less sensitive to mem accounting",
                            "    - PCI: endpoint: pci-epf-test: Limit PCIe BAR size for fixed BARs",
                            "    - wifi: rtw89: Add USB ID 2001:332a for D-Link AX9U rev. A1",
                            "    - wifi: rtw89: Add USB ID 2001:3327 for D-Link AX18U rev. A1",
                            "    - wifi: iwlwifi: fw: Add ASUS to PPAG and TAS list",
                            "    - drm/xe/i2c: Enable bus mastering",
                            "    - media: ov08x40: Fix the horizontal flip control",
                            "    - media: i2c: og01a1b: Specify monochrome media bus format instead of",
                            "      Bayer",
                            "    - media: qcom: camss: csiphy-3ph: Add CSIPHY 2ph DPHY v2.0.1 init sequence",
                            "    - drm/bridge: write full Audio InfoFrame",
                            "    - drm/xe/guc: Always add CT disable action during second init step",
                            "    - f2fs: fix wrong layout information on 16KB page",
                            "    - selftests: mptcp: join: allow more time to send ADD_ADDR",
                            "    - scsi: ufs: host: mediatek: Enhance recovery on resume failure",
                            "    - scsi: ufs: ufs-qcom: Align programming sequence of Shared ICE for UFS",
                            "      controller v5",
                            "    - scsi: ufs: host: mediatek: Fix unbalanced IRQ enable issue",
                            "    - scsi: ufs: host: mediatek: Enhance recovery on hibernation exit failure",
                            "    - net: phy: marvell: Fix 88e1510 downshift counter errata",
                            "    - scsi: ufs: host: mediatek: Correct system PM flow",
                            "    - scsi: ufs: host: mediatek: Disable auto-hibern8 during power mode",
                            "      changes",
                            "    - scsi: ufs: host: mediatek: Fix adapt issue after PA_Init",
                            "    - wifi: cfg80211: update the time stamps in hidden ssid",
                            "    - wifi: mac80211: Fix HE capabilities element check",
                            "    - fbcon: Use screen info to find primary device",
                            "    - phy: cadence: cdns-dphy: Enable lower resolutions in dphy",
                            "    - Fix access to video_is_primary_device() when compiled without",
                            "      CONFIG_VIDEO",
                            "    - phy: renesas: r8a779f0-ether-serdes: add new step added to latest",
                            "      datasheet",
                            "    - phy: rockchip: phy-rockchip-inno-csidphy: allow writes to grf register 0",
                            "    - drm/msm/registers: Generate _HI/LO builders for reg64",
                            "    - net: sh_eth: Disable WoL if system can not suspend",
                            "    - selftests: net: replace sleeps in fcnal-test with waits",
                            "    - media: redrat3: use int type to store negative error codes",
                            "    - platform/x86/amd/pmf: Fix the custom bios input handling mechanism",
                            "    - selftests: traceroute: Use require_command()",
                            "    - selftests: traceroute: Return correct value on failure",
                            "    - openrisc: Add R_OR1K_32_PCREL relocation type module support",
                            "    - netfilter: nf_reject: don't reply to icmp error messages",
                            "    - x86/kvm: Prefer native qspinlock for dedicated vCPUs irrespective of",
                            "      PV_UNHALT",
                            "    - x86/virt/tdx: Use precalculated TDVPR page physical address",
                            "    - selftests: Disable dad for ipv6 in fcnal-test.sh",
                            "    - eth: 8139too: Make 8139TOO_PIO depend on !NO_IOPORT_MAP",
                            "    - [Config] No longer enable `CONFIG_8139TOO_PIO` for armhf",
                            "    - selftests: Replace sleep with slowwait",
                            "    - net: devmem: expose tcp_recvmsg_locked errors",
                            "    - selftests: net: lib.sh: Don't defer failed commands",
                            "    - HID: asus: add Z13 folio to generic group for multitouch to work",
                            "    - watchdog: s3c2410_wdt: Fix max_timeout being calculated larger",
                            "    - crypto: sun8i-ce - remove channel timeout field",
                            "    - PCI: dwc: Verify the single eDMA IRQ in dw_pcie_edma_irq_verify()",
                            "    - crypto: ccp - Fix incorrect payload size calculation in",
                            "      psp_poulate_hsti()",
                            "    - crypto: caam - double the entropy delay interval for retry",
                            "    - can: rcar_canfd: Update bit rate constants for RZ/G3E and R-Car Gen4",
                            "    - net: mana: Reduce waiting time if HWC not responding",
                            "    - ionic: use int type for err in ionic_get_module_eeprom_by_page",
                            "    - net/cls_cgroup: Fix task_get_classid() during qdisc run",
                            "    - wifi: mt76: mt7921: Add 160MHz beamformee capability for mt7922 device",
                            "    - wifi: mt76: mt7925: add pci restore for hibernate",
                            "    - wifi: mt76: mt7996: Fix mt7996_reverse_frag0_hdr_trans for MLO",
                            "    - wifi: mt76: mt7996: Set def_wcid pointer in mt7996_mac_sta_init_link()",
                            "    - wifi: mt76: mt7996: Temporarily disable EPCS",
                            "    - wifi: mt76: mt7996: support writing MAC TXD for AddBA Request",
                            "    - wifi: mt76: mt76_eeprom_override to int",
                            "    - ALSA: serial-generic: remove shared static buffer",
                            "    - wifi: mt76: mt7996: fix memory leak on mt7996_mcu_sta_key_tlv error",
                            "    - wifi: mt76: mt7996: disable promiscuous mode by default",
                            "    - wifi: mt76: use altx queue for offchannel tx on connac+",
                            "    - wifi: mt76: improve phy reset on hw restart",
                            "    - drm/amdgpu: Use memdup_array_user in amdgpu_cs_wait_fences_ioctl",
                            "    - drm/amdgpu: Release hive reference properly",
                            "    - drm/amd/display: Fix DMCUB loading sequence for DCN3.2",
                            "    - drm/amd/display: Set up pixel encoding for YCBCR422",
                            "    - drm/amd/display: fix dml ms order of operations",
                            "    - drm/amd/display: Don't use non-registered VUPDATE on DCE 6",
                            "    - drm/amd/display: Keep PLL0 running on DCE 6.0 and 6.4",
                            "    - drm/amd/display: Fix DVI-D/HDMI adapters",
                            "    - drm/amd/display: Disable VRR on DCE 6",
                            "    - drm/amd/display/dml2: Guard dml21_map_dc_state_into_dml_display_cfg with",
                            "      DC_FP_START",
                            "    - net: phy: clear EEE runtime state in PHY_HALTED/PHY_ERROR",
                            "    - ethernet: Extend device_get_mac_address() to use NVMEM",
                            "    - scsi: ufs: ufs-qcom: Disable lane clocks during phy hibern8",
                            "    - HID: i2c-hid: Resolve touchpad issues on Dell systems during S4",
                            "    - hinic3: Queue pair endianness improvements",
                            "    - hinic3: Fix missing napi->dev in netif_queue_set_napi",
                            "    - tools: ynl-gen: validate nested arrays",
                            "    - drm/xe/guc: Return an error code if the GuC load fails",
                            "    - drm/amdgpu: reject gang submissions under SRIOV",
                            "    - selftests/Makefile: include $(INSTALL_DEP_TARGETS) in clean target to",
                            "      clean net/lib dependency",
                            "    - scsi: ufs: core: Disable timestamp functionality if not supported",
                            "    - scsi: lpfc: Clean up allocated queues when queue setup mbox commands",
                            "      fail",
                            "    - scsi: lpfc: Decrement ndlp kref after FDISC retries exhausted",
                            "    - scsi: lpfc: Check return status of lpfc_reset_flush_io_context during",
                            "      TGT_RESET",
                            "    - scsi: lpfc: Remove ndlp kref decrement clause for F_Port_Ctrl in",
                            "      lpfc_cleanup",
                            "    - scsi: lpfc: Define size of debugfs entry for xri rebalancing",
                            "    - scsi: lpfc: Ensure PLOGI_ACC is sent prior to PRLI in Point to Point",
                            "      topology",
                            "    - allow finish_no_open(file, ERR_PTR(-E...))",
                            "    - usb: mon: Increase BUFF_MAX to 64 MiB to support multi-MB URBs",
                            "    - usb: xhci: plat: Facilitate using autosuspend for xhci plat devices",
                            "    - wifi: rtw89: disable RTW89_PHYSTS_IE09_FTR_0 for ppdu status",
                            "    - wifi: rtw89: obtain RX path from ppdu status IE00",
                            "    - wifi: rtw89: renew a completion for each H2C command waiting C2H event",
                            "    - usb: xhci-pci: add support for hosts with zero USB3 ports",
                            "    - ipv6: np->rxpmtu race annotation",
                            "    - RDMA/irdma: Update Kconfig",
                            "    - IB/ipoib: Ignore L3 master device",
                            "    - bnxt_en: Add fw log trace support for 5731X/5741X chips",
                            "    - mei: make a local copy of client uuid in connect",
                            "    - ASoC: qcom: sc8280xp: explicitly set S16LE format in",
                            "      sc8280xp_be_hw_params_fixup()",
                            "    - net: phy: clear link parameters on admin link down",
                            "    - net: ethernet: microchip: sparx5: make it selectable for ARCH_LAN969X",
                            "    - bus: mhi: core: Improve mhi_sync_power_up handling for SYS_ERR state",
                            "    - iommu/vt-d: Replace snprintf with scnprintf in dmar_latency_snapshot()",
                            "    - wifi: ath10k: Fix connection after GTK rekeying",
                            "    - iommu/vt-d: Remove LPIG from page group response descriptor",
                            "    - wifi: mac80211: Get the correct interface for non-netdev skb status",
                            "    - wifi: mac80211: Track NAN interface start/stop",
                            "    - net: intel: fm10k: Fix parameter idx set but not used",
                            "    - sparc/module: Add R_SPARC_UA64 relocation handling",
                            "    - sparc64: fix prototypes of reads[bwl]()",
                            "    - vfio: return -ENOTTY for unsupported device feature",
                            "    - ptp_ocp: make ptp_ocp driver compatible with PTP_EXTTS_REQUEST2",
                            "    - crypto: hisilicon/qm - invalidate queues in use",
                            "    - crypto: hisilicon/qm - clear all VF configurations in the hardware",
                            "    - ASoC: ops: improve snd_soc_get_volsw",
                            "    - PCI/PM: Skip resuming to D0 if device is disconnected",
                            "    - selftests: forwarding: Reorder (ar)ping arguments to obey POSIX getopt",
                            "    - remoteproc: qcom: q6v5: Avoid handling handover twice",
                            "    - wifi: ath12k: Increase DP_REO_CMD_RING_SIZE to 256",
                            "    - net: dsa: microchip: Set SPI as bus interface during reset for KSZ8463",
                            "    - bng_en: make bnge_alloc_ring() self-unwind on failure",
                            "    - ALSA: usb-audio: don't apply interface quirk to Presonus S1824c",
                            "    - tcp: Update bind bucket state on port release",
                            "    - ovl: make sure that ovl_create_real() returns a hashed dentry",
                            "    - drm/amd/display: Add missing post flip calls",
                            "    - drm/amd/display: Add AVI infoframe copy in copy_stream_update_to_stream",
                            "    - drm/amd/display: Add fast sync field in ultra sleep more for DMUB",
                            "    - drm/amd/display: Init dispclk from bootup clock for DCN314",
                            "    - drm/amd/display: Fix for test crash due to power gating",
                            "    - drm/amd/display: change dc stream color settings only in atomic commit",
                            "    - NFSv4: handle ERR_GRACE on delegation recalls",
                            "    - NFSv4.1: fix mount hang after CREATE_SESSION failure",
                            "    - net: bridge: Install FDB for bridge MAC on VLAN 0",
                            "    - net: phy: dp83640: improve phydev and driver removal handling",
                            "    - scsi: ufs: core: Change MCQ interrupt enable flow",
                            "    - scsi: libfc: Fix potential buffer overflow in fc_ct_ms_fill()",
                            "    - accel/habanalabs/gaudi2: fix BMON disable configuration",
                            "    - scsi: mpt3sas: Add support for 22.5 Gbps SAS link rate",
                            "    - accel/habanalabs: return ENOMEM if less than requested pages were pinned",
                            "    - accel/habanalabs/gaudi2: read preboot status after recovering from dirty",
                            "      state",
                            "    - ASoC: renesas: msiof: add .symmetric_xxx on snd_soc_dai_driver",
                            "    - ASoC: renesas: msiof: use reset controller",
                            "    - ASoC: renesas: msiof: tidyup DMAC stop timing",
                            "    - ASoC: renesas: msiof: set SIFCTR register",
                            "    - ext4: increase IO priority of fastcommit",
                            "    - drm/amdgpu: Add fallback to pipe reset if KCQ ring reset fails",
                            "    - drm/amdgpu: Fix fence signaling race condition in userqueue",
                            "    - ASoC: stm32: sai: manage context in set_sysclk callback",
                            "    - ASoC: tlv320aic3x: Fix class-D initialization for tlv320aic3007",
                            "    - ACPI: scan: Update honor list for RPMI System MSI",
                            "    - platform/x86: x86-android-tablets: Stop using EPROBE_DEFER",
                            "    - vfio/pci: Fix INTx handling on legacy non-PCI 2.3 devices",
                            "    - vfio/nvgrace-gpu: Add GB300 SKU to the devid table",
                            "    - selftest: net: Fix error message if empty variable",
                            "    - net/mlx5e: Don't query FEC statistics when FEC is disabled",
                            "    - Bluetooth: btintel: Add support for BlazarIW core",
                            "    - net: macb: avoid dealing with endianness in macb_set_hwaddr()",
                            "    - Bluetooth: btusb: Add new VID/PID 13d3/3627 for MT7925",
                            "    - Bluetooth: btintel_pcie: Define hdev->wakeup() callback",
                            "    - Bluetooth: ISO: Don't initiate CIS connections if there are no buffers",
                            "    - Bluetooth: btusb: Check for unexpected bytes when defragmenting HCI",
                            "      frames",
                            "    - Bluetooth: ISO: Use sk_sndtimeo as conn_timeout",
                            "    - Bluetooth: btusb: Add new VID/PID 13d3/3633 for MT7922",
                            "    - net: stmmac: est: Drop frames causing HLBS error",
                            "    - exfat: limit log print for IO error",
                            "    - 6pack: drop redundant locking and refcounting",
                            "    - page_pool: Clamp pool size to max 16K pages",
                            "    - net/mlx5e: Prevent entering switchdev mode with inconsistent netns",
                            "    - ksmbd: use sock_create_kern interface to create kernel socket",
                            "    - smb: client: update cfid->last_access_time in",
                            "      open_cached_dir_by_dentry()",
                            "    - smb: client: transport: avoid reconnects triggered by pending task work",
                            "    - usb: xhci-pci: Fix USB2-only root hub registration",
                            "    - drm/amd/display: Add fallback path for YCBCR422",
                            "    - ACPICA: Update dsmethod.c to get rid of unused variable warning",
                            "    - RDMA/bnxt_re: Fix a potential memory leak in destroy_gsi_sqp",
                            "    - RDMA/irdma: Fix SD index calculation",
                            "    - RDMA/irdma: Remove unused struct irdma_cq fields",
                            "    - RDMA/irdma: Set irdma_cq cq_num field during CQ create",
                            "    - RDMA/uverbs: Fix umem release in UVERBS_METHOD_CQ_CREATE",
                            "    - RDMA/hns: Fix recv CQ and QP cache affinity",
                            "    - RDMA/hns: Fix the modification of max_send_sge",
                            "    - RDMA/hns: Fix wrong WQE data when QP wraps around",
                            "    - btrfs: mark dirty extent range for out of bound prealloc extents",
                            "    - clk: qcom: gcc-ipq6018: rework nss_port5 clock to multiple conf",
                            "    - clk: renesas: rzv2h: Re-assert reset on deassert timeout",
                            "    - clk: samsung: exynos990: Add missing USB clock registers to HSI0",
                            "    - fs/hpfs: Fix error code for new_inode() failure in",
                            "      mkdir/create/mknod/symlink",
                            "    - clocksource: hyper-v: Skip unnecessary checks for the root partition",
                            "    - hyperv: Add missing field to hv_output_map_device_interrupt",
                            "    - um: Fix help message for ssl-non-raw",
                            "    - clk: sunxi-ng: sun6i-rtc: Add A523 specifics",
                            "    - rtc: pcf2127: clear minute/second interrupt",
                            "    - ARM: at91: pm: save and restore ACR during PLL disable/enable",
                            "    - clk: at91: add ACR in all PLL settings",
                            "    - clk: at91: sam9x7: Add peripheral clock id for pmecc",
                            "    - clk: at91: clk-master: Add check for divide by 3",
                            "    - clk: at91: clk-sam9x60-pll: force write to PLL_UPDT register",
                            "    - clk: ti: am33xx: keep WKUP_DEBUGSS_CLKCTRL enabled",
                            "    - clk: scmi: Add duty cycle ops only when duty cycle is supported",
                            "    - clk: clocking-wizard: Fix output clock register offset for Versal",
                            "      platforms",
                            "    - NTB: epf: Allow arbitrary BAR mapping",
                            "    - 9p: fix /sys/fs/9p/caches overwriting itself",
                            "    - cpufreq: tegra186: Initialize all cores to max frequencies",
                            "    - 9p: sysfs_init: don't hardcode error to ENOMEM",
                            "    - scsi: ufs: core: Include UTP error in INT_FATAL_ERRORS",
                            "    - fbdev: core: Fix ubsan warning in pixel_to_pat",
                            "    - ACPI: property: Return present device nodes only on fwnode interface",
                            "    - LoongArch: Handle new atomic instructions for probes",
                            "    - tools bitmap: Add missing asm-generic/bitsperlong.h include",
                            "    - tools: lib: thermal: don't preserve owner in install",
                            "    - tools: lib: thermal: use pkg-config to locate libnl3",
                            "    - ALSA: hda/realtek: Add quirk for ASUS ROG Zephyrus Duo",
                            "    - rtc: zynqmp: Restore alarm functionality after kexec transition",
                            "    - rtc: pcf2127: fix watchdog interrupt mask on pcf2131",
                            "    - net: wwan: t7xx: add support for HP DRMR-H01",
                            "    - kbuild: uapi: Strip comments before size type check",
                            "    - ASoC: meson: aiu-encoder-i2s: fix bit clock polarity",
                            "    - ASoC: rt722: add settings for rt722VB",
                            "    - drm/amdgpu: Report individual reset error",
                            "    - ceph: add checking of wait_for_completion_killable() return value",
                            "    - ceph: fix potential race condition in ceph_ioctl_lazyio()",
                            "    - ceph: refactor wake_up_bit() pattern of calling",
                            "    - x86: uaccess: don't use runtime-const rewriting in modules",
                            "    - rust: condvar: fix broken intra-doc link",
                            "    - rust: devres: fix private intra-doc link",
                            "    - rust: kbuild: workaround `rustdoc` doctests modifier bug",
                            "    - rust: kbuild: treat `build_error` and `rustdoc` as kernel objects",
                            "    - media: uvcvideo: Use heuristic to find stream entity",
                            "    - Revert \"wifi: ath10k: avoid unnecessary wait for service ready message\"",
                            "    - tracing: tprobe-events: Fix to register tracepoint correctly",
                            "    - tracing: tprobe-events: Fix to put tracepoint_user when disable the",
                            "      tprobe",
                            "    - net: libwx: fix device bus LAN ID",
                            "    - scsi: ufs: core: Fix a race condition related to the \"hid\" attribute",
                            "      group",
                            "    - riscv: ptdump: use seq_puts() in pt_dump_seq_puts() macro",
                            "    - Revert \"wifi: ath12k: Fix missing station power save configuration\"",
                            "    - scsi: ufs: core: Revert \"Make HID attributes visible\"",
                            "    - Bluetooth: btrtl: Fix memory leak in rtlbt_parse_firmware_v2()",
                            "    - net: dsa: tag_brcm: legacy: fix untagged rx on unbridged ports for",
                            "      bcm63xx",
                            "    - selftests/net: fix out-of-order delivery of FIN in gro:tcp test",
                            "    - selftests/net: use destination options instead of hop-by-hop",
                            "    - selftests: netdevsim: Fix ethtool-coalesce.sh fail by installing",
                            "      ethtool-common.sh",
                            "    - net: vlan: sync VLAN features with lower device",
                            "    - net: dsa: b53: fix resetting speed and pause on forced link",
                            "    - net: dsa: b53: fix bcm63xx RGMII port link adjustment",
                            "    - net: dsa: b53: fix enabling ip multicast",
                            "    - net: dsa: b53: stop reading ARL entries if search is done",
                            "    - net: dsa: b53: properly bound ARL searches for < 4 ARL bin chips",
                            "    - sctp: Hold RCU read lock while iterating over address list",
                            "    - sctp: Hold sock lock while iterating over address list",
                            "    - net: ionic: add dma_wmb() before ringing TX doorbell",
                            "    - net: ionic: map SKB after pseudo-header checksum prep",
                            "    - octeontx2-pf: Fix devm_kcalloc() error checking",
                            "    - bnxt_en: Fix a possible memory leak in bnxt_ptp_init",
                            "    - bnxt_en: Always provide max entry and entry size in coredump segments",
                            "    - bnxt_en: Fix warning in bnxt_dl_reload_down()",
                            "    - wifi: mac80211_hwsim: Limit destroy_on_close radio removal to netgroup",
                            "    - io_uring: fix types for region size calulation",
                            "    - net/mlx5e: Fix return value in case of module EEPROM read error",
                            "    - net: ti: icssg-prueth: Fix fdb hash size configuration",
                            "    - net/mlx5e: SHAMPO, Fix header mapping for 64K pages",
                            "    - net/mlx5e: SHAMPO, Fix skb size check for 64K pages",
                            "    - net/mlx5e: SHAMPO, Fix header formulas for higher MTUs and 64K pages",
                            "    - net: wan: framer: pef2256: Switch to devm_mfd_add_devices()",
                            "    - net: dsa: microchip: Fix reserved multicast address table programming",
                            "    - net: bridge: fix MST static key usage",
                            "    - selftests/vsock: avoid false-positives when checking dmesg",
                            "    - tracing: Fix memory leaks in create_field_var()",
                            "    - drm/amd/display: Enable mst when it's detected but yet to be initialized",
                            "    - wifi: cfg80211: add an hrtimer based delayed work item",
                            "    - wifi: mac80211: use wiphy_hrtimer_work for ml_reconf_work",
                            "    - wifi: mac80211: use wiphy_hrtimer_work for ttlm_work",
                            "    - wifi: mac80211: use wiphy_hrtimer_work for csa.switch_work",
                            "    - riscv: Fix memory leak in module_frob_arch_sections()",
                            "    - rtc: rx8025: fix incorrect register reference",
                            "    - x86/microcode/AMD: Add more known models to entry sign checking",
                            "    - smb: client: validate change notify buffer before copy",
                            "    - x86/amd_node: Fix AMD root device caching",
                            "    - xfs: fix delalloc write failures in software-provided atomic writes",
                            "    - xfs: fix various problems in xfs_atomic_write_cow_iomap_begin",
                            "    - x86/CPU/AMD: Add missing terminator for zen5_rdseed_microcode",
                            "    - drm: define NVIDIA DRM format modifiers for GB20x",
                            "    - drm/nouveau: Advertise correct modifiers on GB20x",
                            "    - drm/amdgpu/smu: Handle S0ix for vangogh",
                            "    - drm/amdkfd: Don't clear PT after process killed",
                            "    - virtio_net: fix alignment for virtio_net_hdr_v1_hash",
                            "    - lib/crypto: curve25519-hacl64: Fix older clang KASAN workaround for GCC",
                            "    - scsi: ufs: ufs-pci: Fix S0ix/S3 for Intel controllers",
                            "    - scsi: ufs: ufs-pci: Set UFSHCD_QUIRK_PERFORM_LINK_STARTUP_ONCE for Intel",
                            "      ADL",
                            "    - scsi: ufs: core: Add a quirk to suppress link_startup_again",
                            "    - drm/amd/display: update color on atomic commit time",
                            "    - extcon: adc-jack: Cleanup wakeup source only if it was enabled",
                            "    - kunit: Extend kconfig help text for KUNIT_UML_PCI",
                            "    - ALSA: hda/tas2781: Enable init_profile_id for device initialization",
                            "    - ACPI: SPCR: Check for table version when using precise baudrate",
                            "    - kbuild: Strip trailing padding bytes from modules.builtin.modinfo",
                            "    - drm/amdgpu: Fix unintended error log in VCN5_0_0",
                            "    - drm/amd/display: Fix vupdate_offload_work doc",
                            "    - drm/amdgpu: Fix function header names in amdgpu_connectors.c",
                            "    - drm/amdgpu/userq: assign an error code for invalid userq va",
                            "    - drm/msm/dpu: Fix adjusted mode clock check for 3d merge",
                            "    - drm/amd/display: Reject modes with too high pixel clock on DCE6-10",
                            "    - drm/amd/display: use GFP_NOWAIT for allocation in interrupt handler",
                            "    - drm/amd/display: Fix black screen with HDMI outputs",
                            "    - selftests: drv-net: Reload pkt pointer after calling filter_udphdr",
                            "    - dt-bindings: eeprom: at25: use \"size\" for FRAMs without device ID",
                            "    - Linux 6.17.8",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68316",
                            "    - scsi: ufs: core: Fix invalid probe error return value",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40292",
                            "    - virtio-net: fix received length check in big packets",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68180",
                            "    - drm/amd/display: Fix NULL deref in debugfs odm_combine_segments",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40327",
                            "    - perf/core: Fix system hang caused by cpu-clock usage",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40328",
                            "    - smb: client: fix potential UAF in smb2_close_cached_fid()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40291",
                            "    - io_uring: fix regbuf vector size truncation",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68322",
                            "    - parisc: Avoid crash due to unaligned access in unwinder",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40293",
                            "    - iommufd: Don't overflow during division for dirty tracking",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40294",
                            "    - Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40329",
                            "    - drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40295",
                            "    - fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40296",
                            "    - platform/x86: int3472: Fix double free of GPIO device during unregister",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40297",
                            "    - net: bridge: fix use-after-free due to MST port state bypass",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68320",
                            "    - lan966x: Fix sleeping in atomic context",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68169",
                            "    - netpoll: Fix deadlock in memory allocation under spinlock",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68197",
                            "    - bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40330",
                            "    - bnxt_en: Shutdown FW DMA in bnxt_shutdown()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68192",
                            "    - net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40331",
                            "    - sctp: Prevent TOCTOU out-of-bounds write",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68187",
                            "    - net: mdio: Check regmap pointer returned by device_node_to_regmap()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68167",
                            "    - gpiolib: fix invalid pointer access in debugfs",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68319",
                            "    - netconsole: Acquire su_mutex before navigating configs hierarchy",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40298",
                            "    - gve: Implement settime64 with -EOPNOTSUPP",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40299",
                            "    - gve: Implement gettimex64 with -EOPNOTSUPP",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40301",
                            "    - Bluetooth: hci_event: validate skb length for unknown CC opcode",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40358",
                            "    - riscv: stacktrace: Disable KASAN checks for non-current tasks",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68186",
                            "    - ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader",
                            "      catches up",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68184",
                            "    - drm/mediatek: Disable AFBC support on Mediatek DRM driver",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40302",
                            "    - media: videobuf2: forbid remove_bufs when legacy fileio is active",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40303",
                            "    - btrfs: ensure no dirty metadata is written back for an fs with errors",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40362",
                            "    - ceph: fix multifs mds auth caps issue",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40332",
                            "    - drm/amdkfd: Fix mmap write lock not release",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40304",
                            "    - fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40305",
                            "    - 9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68318",
                            "    - clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40209",
                            "    - btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68183",
                            "    - ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68173",
                            "    - ftrace: Fix softlockup in ftrace_module_enable",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40306",
                            "    - orangefs: fix xattr related buffer overflow...",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40307",
                            "    - exfat: validate cluster allocation bits of the allocation bitmap",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40308",
                            "    - Bluetooth: bcsp: receive data only if registered",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40309",
                            "    - Bluetooth: SCO: Fix UAF on sco_conn_free",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68174",
                            "    - amd/amdkfd: enhance kfd process check in switch partition",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40310",
                            "    - amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40361",
                            "    - fs: ext4: change GFP_KERNEL to GFP_NOFS to avoid deadlock",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40311",
                            "    - accel/habanalabs: support mapping cb with vmalloc-backed coherent memory",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68185",
                            "    - nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode",
                            "      dereferencing",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68176",
                            "    - PCI: cadence: Check for the existence of cdns_pcie::ops before using it",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68190",
                            "    - drm/amdgpu/atom: Check kcalloc() for WS buffer in",
                            "      amdgpu_atom_execute_table_locked()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68168",
                            "    - jfs: fix uninitialized waitqueue in transaction manager",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40312",
                            "    - jfs: Verify inode mode when loading from disk",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40333",
                            "    - f2fs: fix infinite loop in __insert_extent_tree()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68321",
                            "    - page_pool: always add GFP_NOWARN for ATOMIC allocations",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40334",
                            "    - drm/amdgpu: validate userq buffer virtual address and size",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68191",
                            "    - udp_tunnel: use netdev_warn() instead of netdev_WARN()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68309",
                            "    - PCI/AER: Fix NULL pointer access by aer_info",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40313",
                            "    - ntfs3: pretend $Extend records as regular files",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40335",
                            "    - drm/amdgpu: validate userq input args",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40314",
                            "    - usb: cdns3: gadget: Use-after-free during failed initialization and exit",
                            "      of cdnsp gadget",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40336",
                            "    - drm/gpusvm: fix hmm_pfn_to_map_order() usage",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68193",
                            "    - drm/xe/guc: Add devm release action to safely tear down CT",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68175",
                            "    - media: nxp: imx8-isi: Fix streaming cleanup on release",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68188",
                            "    - tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68315",
                            "    - f2fs: fix to detect potential corrupted nid in free_nid_list",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40337",
                            "    - net: stmmac: Correctly handle Rx checksum offload errors",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40338",
                            "    - ASoC: Intel: avs: Do not share the name pointer between components",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40339",
                            "    - drm/amdgpu: fix nullptr err of vm_handle_moved",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68194",
                            "    - media: imon: make send_packet() more robust",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40363",
                            "    - net: ipv6: fix field-spanning memcpy warning in AH output",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68311",
                            "    - tty: serial: ip22zilog: Use platform device for probing",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40340",
                            "    - drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68196",
                            "    - drm/amd/display: Cache streams targeting link when performing LT",
                            "      automation",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68178",
                            "    - blk-cgroup: fix possible deadlock while configuring policy",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40341",
                            "    - futex: Don't leak robust_list pointer on exec race",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40342",
                            "    - nvme-fc: use lock accessing port_state and rport state",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40343",
                            "    - nvmet-fc: avoid scheduling association deletion twice",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68177",
                            "    - cpufreq/longhaul: handle NULL policy in longhaul_exit",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68317",
                            "    - io_uring/zctx: check chained notif contexts",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40315",
                            "    - usb: gadget: f_fs: Fix epfile null pointer access after ep enable.",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40316",
                            "    - drm/mediatek: Fix device use-after-free on unbind",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40360",
                            "    - drm/sysfb: Do not dereference NULL pointer in plane reset",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68179",
                            "    - s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68310",
                            "    - s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40317",
                            "    - regmap: slimbus: fix bus_context pointer in regmap init calls",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40359",
                            "    - perf/x86/intel: Fix KASAN global-out-of-bounds warning",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68181",
                            "    - drm/radeon: Remove calls to drm_put_dev()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68170",
                            "    - drm/radeon: Do not kfree() devres managed rdev",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40213",
                            "    - Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40318",
                            "    - Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68312",
                            "    - usbnet: Prevents free active kevent",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40344",
                            "    - ASoC: Intel: avs: Disable periods-elapsed work when closing PCM",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68172",
                            "    - crypto: aspeed - fix double free caused by devm",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40319",
                            "    - bpf: Sync pending IRQ work before freeing ring buffer",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68182",
                            "    - wifi: iwlwifi: fix potential use after free in iwl_mld_remove_link()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68314",
                            "    - drm/msm: make sure last_fence is always updated",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68189",
                            "    - drm/msm: Fix GEM free for imported dma-bufs",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68171",
                            "    - x86/fpu: Ensure XFD state on signal delivery",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68313",
                            "    - x86/CPU/AMD: Add RDSEED fix for Zen5",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40320",
                            "    - smb: client: fix potential cfid UAF in smb2_query_info_compound",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40321",
                            "    - wifi: brcmfmac: fix crash while sending Action Frames in standalone AP",
                            "      Mode",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40322",
                            "    - fbdev: bitblit: bound-check glyph index in bit_putcs*",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40211",
                            "    - ACPI: video: Fix use-after-free in acpi_video_switch_brightness()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40323",
                            "    - fbcon: Set fb_display[i]->mode to NULL when the mode is released",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40210",
                            "    - Revert \"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\"",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40324",
                            "    - NFSD: Fix crash in nfsd4_read_release()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40326",
                            "    - NFSD: Define actions for the new time_deleg FATTR4 attributes",
                            "  * Questing update: v6.17.7 upstream stable release (LP: #2136813)",
                            "    - sched_ext: Move internal type and accessor definitions to ext_internal.h",
                            "    - sched_ext: Put event_stats_cpu in struct scx_sched_pcpu",
                            "    - sched_ext: Sync error_irq_work before freeing scx_sched",
                            "    - timekeeping: Fix aux clocks sysfs initialization loop bound",
                            "    - x86/bugs: Report correct retbleed mitigation status",
                            "    - x86/bugs: Qualify RETBLEED_INTEL_MSG",
                            "    - genirq/chip: Add buslock back in to irq_set_handler()",
                            "    - genirq/manage: Add buslock back in to __disable_irq_nosync()",
                            "    - genirq/manage: Add buslock back in to enable_irq()",
                            "    - audit: record fanotify event regardless of presence of rules",
                            "    - EDAC/ie31200: Add two more Intel Alder Lake-S SoCs for EDAC support",
                            "    - perf/x86/intel: Add ICL_FIXED_0_ADAPTIVE bit into INTEL_FIXED_BITS_MASK",
                            "    - perf: Use current->flags & PF_KTHREAD|PF_USER_WORKER instead of",
                            "      current->mm == NULL",
                            "    - perf: Have get_perf_callchain() return NULL if crosstask and user are",
                            "      set",
                            "    - perf: Skip user unwind if the task is a kernel thread",
                            "    - EDAC: Fix wrong executable file modes for C source files",
                            "    - seccomp: passthrough uprobe systemcall without filtering",
                            "    - sched_ext: Keep bypass on between enable failure and",
                            "      scx_disable_workfn()",
                            "    - x86/bugs: Add attack vector controls for VMSCAPE",
                            "    - x86/bugs: Fix reporting of LFENCE retpoline",
                            "    - EDAC/mc_sysfs: Increase legacy channel support to 16",
                            "    - cpuset: Use new excpus for nocpu error check when enabling root",
                            "      partition",
                            "    - btrfs: abort transaction on specific error places when walking log tree",
                            "    - btrfs: abort transaction in the process_one_buffer() log tree walk",
                            "      callback",
                            "    - btrfs: zoned: return error from btrfs_zone_finish_endio()",
                            "    - btrfs: zoned: refine extent allocator hint selection",
                            "    - btrfs: scrub: replace max_t()/min_t() with clamp() in",
                            "      scrub_throttle_dev_io()",
                            "    - btrfs: always drop log root tree reference in btrfs_replay_log()",
                            "    - btrfs: use level argument in log tree walk callback replay_one_buffer()",
                            "    - btrfs: abort transaction if we fail to update inode in log replay dir",
                            "      fixup",
                            "    - btrfs: tree-checker: add inode extref checks",
                            "    - btrfs: use smp_mb__after_atomic() when forcing COW in",
                            "      create_pending_snapshot()",
                            "    - sched_ext: Make qmap dump operation non-destructive",
                            "    - arch: Add the macro COMPILE_OFFSETS to all the asm-offsets.c",
                            "    - btrfs: tree-checker: fix bounds check in check_inode_extref()",
                            "    - Linux 6.17.7",
                            "  * [UBUNTU 24.04] KVM: s390: improve interrupt cpu for wakeup (LP: #2132317)",
                            "    - KVM: s390: improve interrupt cpu for wakeup",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982)",
                            "    - sched/fair: Block delayed tasks on throttled hierarchy during dequeue",
                            "    - vfio/cdx: update driver to build without CONFIG_GENERIC_MSI_IRQ",
                            "    - expfs: Fix exportfs_can_encode_fh() for EXPORT_FH_FID",
                            "    - cgroup/misc: fix misc_res_type kernel-doc warning",
                            "    - dlm: move to rinfo for all middle conversion cases",
                            "    - exec: Fix incorrect type for ret",
                            "    - s390/pkey: Forward keygenflags to ep11_unwrapkey",
                            "    - hfs: clear offset and space out of valid records in b-tree node",
                            "    - hfs: make proper initalization of struct hfs_find_data",
                            "    - hfs: validate record offset in hfsplus_bmap_alloc",
                            "    - hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()",
                            "    - dlm: check for defined force value in dlm_lockspace_release",
                            "    - hfsplus: return EIO when type of hidden directory mismatch in",
                            "      hfsplus_fill_super()",
                            "    - PCI: Test for bit underflow in pcie_set_readrq()",
                            "    - lkdtm: fortify: Fix potential NULL dereference on kmalloc failure",
                            "    - arm64: sysreg: Correct sign definitions for EIESB and DoubleLock",
                            "    - m68k: bitops: Fix find_*_bit() signatures",
                            "    - powerpc/32: Remove PAGE_KERNEL_TEXT to fix startup failure",
                            "    - riscv: mm: Return intended SATP mode for noXlvl options",
                            "    - riscv: mm: Use mmu-type from FDT to limit SATP mode",
                            "    - riscv: cpufeature: add validation for zfa, zfh and zfhmin",
                            "    - drivers/perf: hisi: Relax the event ID check in the framework",
                            "    - s390/mm: Use __GFP_ACCOUNT for user page table allocations",
                            "    - smb: client: queue post_recv_credits_work also if the peer raises the",
                            "      credit target",
                            "    - smb: client: limit the range of info->receive_credit_target",
                            "    - smb: client: make use of ib_wc_status_msg() and skip IB_WC_WR_FLUSH_ERR",
                            "      logging",
                            "    - smb: server: let smb_direct_flush_send_list() invalidate a remote key",
                            "      first",
                            "    - Unbreak 'make tools/*' for user-space targets",
                            "    - platform/mellanox: mlxbf-pmc: add sysfs_attr_init() to count_clock init",
                            "    - cpufreq/amd-pstate: Fix a regression leading to EPP 0 after hibernate",
                            "    - net/mlx5e: Return 1 instead of 0 in invalid case in",
                            "      mlx5e_mpwrq_umr_entry_size()",
                            "    - rtnetlink: Allow deleting FDB entries in user namespace",
                            "    - net: enetc: fix the deadlock of enetc_mdio_lock",
                            "    - net: enetc: correct the value of ENETC_RXB_TRUESIZE",
                            "    - dpaa2-eth: fix the pointer passed to PTR_ALIGN on Tx path",
                            "    - net: phy: realtek: fix rtl8221b-vm-cg name",
                            "    - can: bxcan: bxcan_start_xmit(): use can_dev_dropped_skb() instead of",
                            "      can_dropped_invalid_skb()",
                            "    - can: esd: acc_start_xmit(): use can_dev_dropped_skb() instead of",
                            "      can_dropped_invalid_skb()",
                            "    - can: rockchip-canfd: rkcanfd_start_xmit(): use can_dev_dropped_skb()",
                            "      instead of can_dropped_invalid_skb()",
                            "    - selftests: net: fix server bind failure in sctp_vrf.sh",
                            "    - net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for legacy RQ",
                            "    - net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding",
                            "      RQ",
                            "    - net/smc: fix general protection fault in __smc_diag_dump",
                            "    - net: ethernet: ti: am65-cpts: fix timestamp loss due to race conditions",
                            "    - arm64, mm: avoid always making PTE dirty in pte_mkwrite()",
                            "    - erofs: avoid infinite loops due to corrupted subpage compact indexes",
                            "    - net: hibmcge: select FIXED_PHY",
                            "    - ptp: ocp: Fix typo using index 1 instead of i in SMA initialization loop",
                            "    - net: hsr: prevent creation of HSR device with slaves from another netns",
                            "    - espintcp: use datagram_poll_queue for socket readiness",
                            "    - net: datagram: introduce datagram_poll_queue for custom receive queues",
                            "    - ovpn: use datagram_poll_queue for socket readiness in TCP",
                            "    - net: bonding: fix possible peer notify event loss or dup issue",
                            "    - hung_task: fix warnings caused by unaligned lock pointers",
                            "    - mm: don't spin in add_stack_record when gfp flags don't allow",
                            "    - dma-debug: don't report false positives with",
                            "      DMA_BOUNCE_UNALIGNED_KMALLOC",
                            "    - arch_topology: Fix incorrect error check in",
                            "      topology_parse_cpu_capacity()",
                            "    - riscv: hwprobe: Fix stale vDSO data for late-initialized keys at boot",
                            "    - io_uring/sqpoll: switch away from getrusage() for CPU accounting",
                            "    - io_uring/sqpoll: be smarter on when to update the stime usage",
                            "    - btrfs: send: fix duplicated rmdir operations when using extrefs",
                            "    - btrfs: ref-verify: fix IS_ERR() vs NULL check in btrfs_build_ref_tree()",
                            "    - gpio: pci-idio-16: Define maximum valid register address offset",
                            "    - gpio: 104-idio-16: Define maximum valid register address offset",
                            "    - xfs: fix locking in xchk_nlinks_collect_dir",
                            "    - platform/x86: alienware-wmi-wmax: Add AWCC support to Dell G15 5530",
                            "    - Revert \"cpuidle: menu: Avoid discarding useful information\"",
                            "    - riscv: cpufeature: avoid uninitialized variable in",
                            "      has_thead_homogeneous_vlenb()",
                            "    - rust: device: fix device context of Device::parent()",
                            "    - slab: Avoid race on slab->obj_exts in alloc_slab_obj_exts",
                            "    - slab: Fix obj_ext mistakenly considered NULL due to race condition",
                            "    - smb: client: get rid of d_drop() in cifs_do_rename()",
                            "    - ACPICA: Work around bogus -Wstringop-overread warning since GCC 11",
                            "    - arm64: mte: Do not warn if the page is already tagged in copy_highpage()",
                            "    - can: netlink: can_changelink(): allow disabling of automatic restart",
                            "    - cifs: Fix TCP_Server_Info::credits to be signed",
                            "    - devcoredump: Fix circular locking dependency with devcd->mutex.",
                            "    - hwmon: (pmbus/max34440) Update adpm12160 coeff due to latest FW",
                            "    - MIPS: Malta: Fix keyboard resource preventing i8042 driver from",
                            "      registering",
                            "    - rv: Make rtapp/pagefault monitor depends on CONFIG_MMU",
                            "    - net: bonding: update the slave array for broadcast mode",
                            "    - net: stmmac: dwmac-rk: Fix disabling set_clock_selection",
                            "    - net: usb: rtl8150: Fix frame padding",
                            "    - net: ravb: Enforce descriptor type ordering",
                            "    - net: ravb: Ensure memory write completes before ringing TX doorbell",
                            "    - mptcp: pm: in-kernel: C-flag: handle late ADD_ADDR",
                            "    - selftests: mptcp: join: mark 'flush re-add' as skipped if not supported",
                            "    - selftests: mptcp: join: mark implicit tests as skipped if not supported",
                            "    - selftests: mptcp: join: mark 'delete re-add signal' as skipped if not",
                            "      supported",
                            "    - mm/mremap: correctly account old mapping after MREMAP_DONTUNMAP remap",
                            "    - drm/xe: Check return value of GGTT workqueue allocation",
                            "    - drm/amd/display: increase max link count and fix link->enc NULL pointer",
                            "      access",
                            "    - mm/damon/core: use damos_commit_quota_goal() for new goal commit",
                            "    - mm/damon/core: fix list_add_tail() call on damon_call()",
                            "    - spi: rockchip-sfc: Fix DMA-API usage",
                            "    - firmware: arm_ffa: Add support for IMPDEF value in the memory access",
                            "      descriptor",
                            "    - spi: spi-nxp-fspi: add the support for sample data from DQS pad",
                            "    - spi: spi-nxp-fspi: re-config the clock rate when operation require new",
                            "      clock rate",
                            "    - spi: spi-nxp-fspi: add extra delay after dll locked",
                            "    - spi: spi-nxp-fspi: limit the clock rate for different sample clock",
                            "      source selection",
                            "    - spi: cadence-quadspi: Fix pm_runtime unbalance on dma EPROBE_DEFER",
                            "    - arm64: dts: broadcom: bcm2712: Add default GIC address cells",
                            "    - arm64: dts: broadcom: bcm2712: Define VGIC interrupt",
                            "    - include: trace: Fix inflight count helper on failed initialization",
                            "    - firmware: arm_scmi: Fix premature SCMI_XFER_FLAG_IS_RAW clearing in raw",
                            "      mode",
                            "    - spi: airoha: return an error for continuous mode dirmap creation cases",
                            "    - spi: airoha: add support of dual/quad wires spi modes to exec_op()",
                            "      handler",
                            "    - spi: airoha: switch back to non-dma mode in the case of error",
                            "    - spi: airoha: fix reading/writing of flashes with more than one plane per",
                            "      lun",
                            "    - sysfs: check visibility before changing group attribute ownership",
                            "    - RISC-V: Define pgprot_dmacoherent() for non-coherent devices",
                            "    - RISC-V: Don't print details of CPUs disabled in DT",
                            "    - riscv: hwprobe: avoid uninitialized variable use in hwprobe_arch_id()",
                            "    - hwmon: (pmbus/isl68137) Fix child node reference leak on early return",
                            "    - hwmon: (sht3x) Fix error handling",
                            "    - io_uring: fix incorrect unlikely() usage in io_waitid_prep()",
                            "    - nbd: override creds to kernel when calling sock_{send,recv}msg()",
                            "    - drm/panic: Fix drawing the logo on a small narrow screen",
                            "    - drm/panic: Fix qr_code, ensure vmargin is positive",
                            "    - drm/panic: Fix 24bit pixel crossing page boundaries",
                            "    - of/irq: Convert of_msi_map_id() callers to of_msi_xlate()",
                            "    - of/irq: Add msi-parent check to of_msi_xlate()",
                            "    - block: require LBA dma_alignment when using PI",
                            "    - gpio: ljca: Fix duplicated IRQ mapping",
                            "    - io_uring: correct __must_hold annotation in io_install_fixed_file",
                            "    - sched: Remove never used code in mm_cid_get()",
                            "    - USB: serial: option: add UNISOC UIS7720",
                            "    - USB: serial: option: add Quectel RG255C",
                            "    - USB: serial: option: add Telit FN920C04 ECM compositions",
                            "    - usb/core/quirks: Add Huawei ME906S to wakeup quirk",
                            "    - usb: raw-gadget: do not limit transfer length",
                            "    - xhci: dbc: enable back DbC in resume if it was enabled before suspend",
                            "    - xhci: dbc: fix bogus 1024 byte prefix if ttyDBC read races with stall",
                            "      event",
                            "    - x86/microcode: Fix Entrysign revision check for Zen1/Naples",
                            "    - binder: remove \"invalid inc weak\" check",
                            "    - mei: me: add wildcat lake P DID",
                            "    - objtool/rust: add one more `noreturn` Rust function",
                            "    - nvmem: rcar-efuse: add missing MODULE_DEVICE_TABLE",
                            "    - misc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup",
                            "    - most: usb: hdm_probe: Fix calling put_device() before device",
                            "      initialization",
                            "    - tcpm: switch check for role_sw device with fw_node",
                            "    - dt-bindings: serial: sh-sci: Fix r8a78000 interrupts",
                            "    - dt-bindings: usb: dwc3-imx8mp: dma-range is required only for imx8mp",
                            "    - dt-bindings: usb: qcom,snps-dwc3: Fix bindings for X1E80100",
                            "    - serial: 8250_dw: handle reset control deassert error",
                            "    - serial: 8250_exar: add support for Advantech 2 port card with Device ID",
                            "      0x0018",
                            "    - serial: 8250_mtk: Enable baud clock and manage in runtime PM",
                            "    - serial: sc16is7xx: remove useless enable of enhanced features",
                            "    - staging: gpib: Fix device reference leak in fmh_gpib driver",
                            "    - staging: gpib: Fix no EOI on 1 and 2 byte writes",
                            "    - staging: gpib: Return -EINTR on device clear",
                            "    - staging: gpib: Fix sending clear and trigger events",
                            "    - mm/migrate: remove MIGRATEPAGE_UNMAP",
                            "    - treewide: remove MIGRATEPAGE_SUCCESS",
                            "    - vmw_balloon: indicate success when effectively deflating during",
                            "      migration",
                            "    - xfs: always warn about deprecated mount options",
                            "    - gpio: regmap: Allow to allocate regmap-irq device",
                            "    - gpio: regmap: add the .fixed_direction_output configuration parameter",
                            "    - gpio: idio-16: Define fixed direction of the GPIO lines",
                            "    - Linux 6.17.6",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40084",
                            "    - ksmbd: transport_ipc: validate payload size before reading handle",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40222",
                            "    - tty: serial: sh-sci: fix RSCI FIFO overrun handling",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40223",
                            "    - most: usb: Fix use-after-free in hdm_disconnect",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40106",
                            "    - comedi: fix divide-by-zero in comedi_buf_munge()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40224",
                            "    - hwmon: (cgbc-hwmon) Add missing NULL check after devm_kzalloc()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40225",
                            "    - drm/panthor: Fix kernel panic on partial unmap of a GPU VA region",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40226",
                            "    - firmware: arm_scmi: Account for failed debug initialization",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40227",
                            "    - mm/damon/sysfs: dealloc commit test ctx always",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40228",
                            "    - mm/damon/sysfs: catch commit test ctx alloc failure",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40229",
                            "    - mm/damon/core: fix potential memory leak by cleaning ops_filter in",
                            "      damon_destroy_scheme",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40230",
                            "    - mm: prevent poison consumption when splitting THP",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40231",
                            "    - vsock: fix lock inversion in vsock_assign_transport()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40233",
                            "    - ocfs2: clear extent cache after moving/defragmenting extents",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40235",
                            "    - btrfs: directly free partially initialized fs_info in",
                            "      btrfs_check_leaked_roots()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40236",
                            "    - virtio-net: zero unused hash fields",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40237",
                            "    - fs/notify: call exportfs_encode_fid with s_umount",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40238",
                            "    - net/mlx5: Fix IPsec cleanup over MPV device",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40239",
                            "    - net: phy: micrel: always set shared->phydev for LAN8814",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40240",
                            "    - sctp: avoid NULL dereference when chunk data buffer is missing",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40241",
                            "    - erofs: fix crafted invalid cases for encoded extents",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40242",
                            "    - gfs2: Fix unlikely race in gdlm_put_lock",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40243",
                            "    - hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40244",
                            "    - hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40245",
                            "    - nios2: ensure that memblock.current_limit is set when setting pfn limits",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557)",
                            "    - docs: kdoc: handle the obsolescensce of docutils.ErrorString()",
                            "    - Revert \"fs: make vfs_fileattr_[get|set] return -EOPNOTSUPP\"",
                            "    - PCI: vmd: Override irq_startup()/irq_shutdown() in",
                            "      vmd_init_dev_msi_info()",
                            "    - ata: libata-core: relax checks in ata_read_log_directory()",
                            "    - arm64/sysreg: Fix GIC CDEOI instruction encoding",
                            "    - ixgbevf: fix getting link speed data for E610 devices",
                            "    - rust: cfi: only 64-bit arm and x86 support CFI_CLANG",
                            "    - x86/CPU/AMD: Prevent reset reasons from being retained across reboot",
                            "    - slab: reset slab->obj_ext when freeing and it is OBJEXTS_ALLOC_FAIL",
                            "    - Revert \"io_uring/rw: drop -EOPNOTSUPP check in",
                            "      __io_complete_rw_common()\"",
                            "    - io_uring: protect mem region deregistration",
                            "    - Revert \"drm/amd/display: Only restore backlight after amdgpu_dm_init or",
                            "      dm_resume\"",
                            "    - r8152: add error handling in rtl8152_driver_init",
                            "    - net: usb: lan78xx: Fix lost EEPROM write timeout error(-ETIMEDOUT) in",
                            "      lan78xx_write_raw_eeprom",
                            "    - f2fs: fix wrong block mapping for multi-devices",
                            "    - gve: Check valid ts bit on RX descriptor before hw timestamping",
                            "    - jbd2: ensure that all ongoing I/O complete before freeing blocks",
                            "    - ext4: wait for ongoing I/O to complete before freeing blocks",
                            "    - btrfs: fix clearing of BTRFS_FS_RELOC_RUNNING if relocation already",
                            "      running",
                            "    - btrfs: fix memory leak on duplicated memory in the qgroup assign ioctl",
                            "    - btrfs: only set the device specific options after devices are opened",
                            "    - btrfs: fix incorrect readahead expansion length",
                            "    - can: gs_usb: gs_make_candev(): populate net_device->dev_port",
                            "    - can: gs_usb: increase max interface to U8_MAX",
                            "    - cxl/acpi: Fix setup of memory resource in cxl_acpi_set_cache_size()",
                            "    - ALSA: hda/intel: Add MSI X870E Tomahawk to denylist",
                            "    - ALSA: hda/realtek: Add quirk entry for HP ZBook 17 G6",
                            "    - drm/amdgpu: use atomic functions with memory barriers for vm fault info",
                            "    - drm/amdgpu: fix gfx12 mes packet status return check",
                            "    - drm/xe: Increase global invalidation timeout to 1000us",
                            "    - perf/core: Fix address filter match with backing files",
                            "    - perf/core: Fix MMAP event path names with backing files",
                            "    - perf/core: Fix MMAP2 event device with backing files",
                            "    - drm/amd: Check whether secure display TA loaded successfully",
                            "    - PM: hibernate: Add pm_hibernation_mode_is_suspend()",
                            "    - drm/amd: Fix hybrid sleep",
                            "    - usb: gadget: Store endpoint pointer in usb_request",
                            "    - usb: gadget: Introduce free_usb_request helper",
                            "    - HID: multitouch: fix sticky fingers",
                            "    - dax: skip read lock assertion for read-only filesystems",
                            "    - coredump: fix core_pattern input validation",
                            "    - can: m_can: m_can_plat_remove(): add missing pm_runtime_disable()",
                            "    - can: m_can: m_can_handle_state_errors(): fix CAN state transition to",
                            "      Error Active",
                            "    - can: m_can: m_can_chip_config(): bring up interface in correct state",
                            "    - can: m_can: fix CAN state in system PM",
                            "    - net: mtk: wed: add dma mask limitation and GFP_DMA32 for device with",
                            "      more than 4GB DRAM",
                            "    - net: dlink: handle dma_map_single() failure properly",
                            "    - doc: fix seg6_flowlabel path",
                            "    - can: j1939: add missing calls in NETDEV_UNREGISTER notification handler",
                            "    - dpll: zl3073x: Refactor DPLL initialization",
                            "    - dpll: zl3073x: Handle missing or corrupted flash configuration",
                            "    - r8169: fix packet truncation after S4 resume on RTL8168H/RTL8111H",
                            "    - net: phy: bcm54811: Fix GMII/MII/MII-Lite selection",
                            "    - net: phy: realtek: Avoid PHYCR2 access if PHYCR2 not present",
                            "    - amd-xgbe: Avoid spurious link down messages during interface toggle",
                            "    - Octeontx2-af: Fix missing error code in cgx_probe()",
                            "    - tcp: fix tcp_tso_should_defer() vs large RTT",
                            "    - net: airoha: Take into account out-of-order tx completions in",
                            "      airoha_dev_xmit()",
                            "    - selftests: net: check jq command is supported",
                            "    - net: core: fix lockdep splat on device unregister",
                            "    - ksmbd: fix recursive locking in RPC handle list access",
                            "    - tg3: prevent use of uninitialized remote_adv and local_adv variables",
                            "    - tls: trim encrypted message to match the plaintext on short splice",
                            "    - tls: wait for async encrypt in case of error during latter iterations of",
                            "      sendmsg",
                            "    - tls: always set record_type in tls_process_cmsg",
                            "    - tls: don't rely on tx_work during send()",
                            "    - netdevsim: set the carrier when the device goes up",
                            "    - net: usb: lan78xx: fix use of improperly initialized dev->chipid in",
                            "      lan78xx_reset",
                            "    - drm/panthor: Ensure MCU is disabled on suspend",
                            "    - nvme-multipath: Skip nr_active increments in RETRY disposition",
                            "    - riscv: kprobes: Fix probe address validation",
                            "    - drm/bridge: lt9211: Drop check for last nibble of version register",
                            "    - powerpc/fadump: skip parameter area allocation when fadump is disabled",
                            "    - ASoC: codecs: Fix gain setting ranges for Renesas IDT821034 codec",
                            "    - ASoC: nau8821: Cancel jdet_work before handling jack ejection",
                            "    - ASoC: nau8821: Generalize helper to clear IRQ status",
                            "    - ASoC: nau8821: Consistently clear interrupts before unmasking",
                            "    - ASoC: nau8821: Add DMI quirk to bypass jack debounce circuit",
                            "    - drm/i915/guc: Skip communication warning on reset in progress",
                            "    - drm/i915/frontbuffer: Move bo refcounting",
                            "      intel_frontbuffer_{get,release}()",
                            "    - drm/i915/fb: Fix the set_tiling vs. addfb race, again",
                            "    - drm/amdgpu: add ip offset support for cyan skillfish",
                            "    - drm/amdgpu: add support for cyan skillfish without IP discovery",
                            "    - drm/amdgpu: fix handling of harvesting for ip_discovery firmware",
                            "    - drm/amdgpu: handle wrap around in reemit handling",
                            "    - drm/amdgpu: set an error on all fences from a bad context",
                            "    - drm/amdgpu: drop unused structures in amdgpu_drm.h",
                            "    - drm/amd/powerplay: Fix CIK shutdown temperature",
                            "    - drm/xe: Enable media sampler power gating",
                            "    - drm/draw: fix color truncation in drm_draw_fill24",
                            "    - drm/rockchip: vop2: use correct destination rectangle height check",
                            "    - HID: intel-thc-hid: Intel-quickspi: switch first interrupt from level to",
                            "      edge detection",
                            "    - sched/fair: Fix pelt lost idle time detection",
                            "    - ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings",
                            "    - accel/qaic: Synchronize access to DBC request queue head & tail pointer",
                            "    - nvme-auth: update sc_c in host response",
                            "    - cxl/trace: Subtract to find an hpa_alias0 in cxl_poison events",
                            "    - selftests/bpf: make arg_parsing.c more robust to crashes",
                            "    - blk-mq: fix stale tag depth for shared sched tags in",
                            "      blk_mq_update_nr_requests()",
                            "    - block: Remove elevator_lock usage from blkg_conf frozen operations",
                            "    - HID: hid-input: only ignore 0 battery events for digitizers",
                            "    - HID: multitouch: fix name of Stylus input devices",
                            "    - drm/xe/evict: drop bogus assert",
                            "    - selftests: arg_parsing: Ensure data is flushed to disk before reading.",
                            "    - nvme/tcp: handle tls partially sent records in write_space()",
                            "    - rust: cpufreq: fix formatting",
                            "    - arm64: debug: always unmask interrupts in el0_softstp()",
                            "    - arm64: cputype: Add Neoverse-V3AE definitions",
                            "    - arm64: errata: Apply workarounds for Neoverse-V3AE",
                            "    - xfs: rename the old_crc variable in xlog_recover_process",
                            "    - xfs: fix log CRC mismatches between i386 and other architectures",
                            "    - NFSD: Rework encoding and decoding of nfsd4_deviceid",
                            "    - NFSD: Minor cleanup in layoutcommit processing",
                            "    - NFSD: Implement large extent array support in pNFS",
                            "    - NFSD: Fix last write offset handling in layoutcommit",
                            "    - phy: cdns-dphy: Store hs_clk_rate and return it",
                            "    - phy: cadence: cdns-dphy: Fix PLL lock and O_CMN_READY polling",
                            "    - x86/resctrl: Refactor resctrl_arch_rmid_read()",
                            "    - x86/resctrl: Fix miscount of bandwidth event when reactivating",
                            "      previously unavailable RMID",
                            "    - cxl: Fix match_region_by_range() to use region_res_match_cxl_range()",
                            "    - phy: cadence: cdns-dphy: Update calibration wait time for startup state",
                            "      machine",
                            "    - drm/xe: Use devm_ioremap_wc for VRAM mapping and drop manual unmap",
                            "    - drm/xe: Use dynamic allocation for tile and device VRAM region",
                            "      structures",
                            "    - drm/xe: Move struct xe_vram_region to a dedicated header",
                            "    - drm/xe: Unify the initialization of VRAM regions",
                            "    - drm/xe: Move rebar to be done earlier",
                            "    - PM: hibernate: Fix pm_hibernation_mode_is_suspend() build breakage",
                            "    - drm/xe: Fix an IS_ERR() vs NULL bug in xe_tile_alloc_vram()",
                            "    - Linux 6.17.5",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40086",
                            "    - drm/xe: Don't allow evicting of BOs in same VM in array of VM binds",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40087",
                            "    - NFSD: Define a proc_layoutcommit for the FlexFiles layout type",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40088",
                            "    - hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40162",
                            "    - ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40085",
                            "    - ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40172",
                            "    - accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40177",
                            "    - accel/qaic: Fix bootlog initialization ordering",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40163",
                            "    - sched/deadline: Stop dl_server before CPU goes offline",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40174",
                            "    - x86/mm: Fix SMP ordering in switch_mm_irqs_off()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40089",
                            "    - cxl/features: Add check for no entries in cxl_feature_info",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40176",
                            "    - tls: wait for pending async decryptions if tls_strp_msg_hold fails",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40164",
                            "    - usbnet: Fix using smp_processor_id() in preemptible code warnings",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40091",
                            "    - ixgbe: fix too early devlink_free() in ixgbe_remove()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40175",
                            "    - idpf: cleanup remaining SKBs in PTP flows",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40173",
                            "    - net/ip6_tunnel: Prevent perpetual tunnel growth",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40092",
                            "    - usb: gadget: f_ncm: Refactor bind path to use __free()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40093",
                            "    - usb: gadget: f_ecm: Refactor bind path to use __free()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40094",
                            "    - usb: gadget: f_acm: Refactor bind path to use __free()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40095",
                            "    - usb: gadget: f_rndis: Refactor bind path to use __free()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40165",
                            "    - media: nxp: imx8-isi: m2m: Fix streaming cleanup on release",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40096",
                            "    - drm/sched: Fix potential double free in",
                            "      drm_sched_job_add_resv_dependencies",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40097",
                            "    - ALSA: hda: Fix missing pointer check in hda_component_manager_init",
                            "      function",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40098",
                            "    - ALSA: hda: cs35l41: Fix NULL pointer dereference in",
                            "      cs35l41_get_acpi_mute_state()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40099",
                            "    - cifs: parse_dfs_referrals: prevent oob on malformed input",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40100",
                            "    - btrfs: do not assert we found block group item when creating free space",
                            "      tree",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40101",
                            "    - btrfs: fix memory leaks when rejecting a non SINGLE data profile without",
                            "      an RST",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40167",
                            "    - ext4: detect invalid INLINE_DATA + EXTENTS flag combination",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40102",
                            "    - KVM: arm64: Prevent access to vCPU events before init",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40103",
                            "    - smb: client: Fix refcount leak for cifs_sb_tlink",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40104",
                            "    - ixgbevf: fix mailbox API compatibility by negotiating supported features",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40166",
                            "    - drm/xe/guc: Check GuC running state before deregistering exec queue",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40105",
                            "    - vfs: Don't leak disconnected dentries on umount",
                            "  * The machine didn’t go into suspend and got stuck (LP: #2132095)",
                            "    - platform/x86: alienware-wmi-wmax: Fix NULL pointer dereference in sleep",
                            "      handlers",
                            "  * CAP_PERFMON insufficient to get perf data (LP: #2131046)",
                            "    - SAUCE: perf/core: Allow CAP_PERFMON for paranoid level 4",
                            "  * Poweroff not working consistently after upgrading kernel 6.14.0-17.17 or",
                            "    later (LP: #2115860)",
                            "    - drm/amd: Unify shutdown() callback behavior",
                            "    - drm/amd: Stop exporting amdgpu_device_ip_suspend() outside amdgpu_device",
                            "    - drm/amd: Remove comment about handling errors in",
                            "      amdgpu_device_ip_suspend_phase1()",
                            "    - drm/amd: Don't always set IP block HW status to false",
                            "    - drm/amd: Pass IP suspend errors up to callers",
                            "    - drm/amd: Avoid evicting resources at S5",
                            "  * Re-enable INTEL_SKL_INT3472 for kernels >= 6.16 for Intel IPU camera",
                            "    (LP: #2128792)",
                            "    - Revert \"UBUNTU: [Config] FTBFS: disable INTEL_SKL_INT3472\"",
                            "    - Revert \"UBUNTU: SAUCE: platform/x86: int3472: Add handshake GPIO",
                            "      function\"",
                            "  * Support Samsung S5K3J1 sensor for Intel MIPI camera (LP: #2121852)",
                            "    - SAUCE: media: ipu-bridge: Support s5k3j1 sensor",
                            "  * Questing update: v6.17.4 upstream stable release (LP: #2131259)",
                            "    - fs: always return zero on success from replace_fd()",
                            "    - fscontext: do not consume log entries when returning -EMSGSIZE",
                            "    - btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range()",
                            "    - arm64: map [_text, _stext) virtual address range non-executable+read-",
                            "      only",
                            "    - rseq: Protect event mask against membarrier IPI",
                            "    - statmount: don't call path_put() under namespace semaphore",
                            "    - listmount: don't call path_put() under namespace semaphore",
                            "    - clocksource/drivers/clps711x: Fix resource leaks in error paths",
                            "    - memcg: skip cgroup_file_notify if spinning is not allowed",
                            "    - page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches",
                            "    - PM: runtime: Update kerneldoc return codes",
                            "    - dma-mapping: fix direction in dma_alloc direction traces",
                            "    - cpufreq: Make drivers using CPUFREQ_ETERNAL specify transition latency",
                            "    - nfsd: unregister with rpcbind when deleting a transport",
                            "    - KVM: x86: Add helper to retrieve current value of user return MSR",
                            "    - KVM: SVM: Emulate PERF_CNTR_GLOBAL_STATUS_SET for PerfMonV2",
                            "    - iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE",
                            "    - media: v4l2-subdev: Fix alloc failure check in",
                            "      v4l2_subdev_call_state_try()",
                            "    - asm-generic/io.h: Skip trace helpers if rwmmio events are disabled",
                            "    - clk: npcm: select CONFIG_AUXILIARY_BUS",
                            "    - clk: thead: th1520-ap: describe gate clocks with clk_gate",
                            "    - clk: thead: th1520-ap: fix parent of padctrl0 clock",
                            "    - clk: thead: Correct parent for DPU pixel clocks",
                            "    - clk: renesas: r9a08g045: Add MSTOP for GPIO",
                            "    - perf disasm: Avoid undefined behavior in incrementing NULL",
                            "    - perf test trace_btf_enum: Skip if permissions are insufficient",
                            "    - perf evsel: Avoid container_of on a NULL leader",
                            "    - libperf event: Ensure tracing data is multiple of 8 sized",
                            "    - clk: qcom: common: Fix NULL vs IS_ERR() check in qcom_cc_icc_register()",
                            "    - clk: qcom: Select the intended config in QCS_DISPCC_615",
                            "    - perf parse-events: Handle fake PMUs in CPU terms",
                            "    - clk: at91: peripheral: fix return value",
                            "    - clk: renesas: cpg-mssr: Fix memory leak in cpg_mssr_reserved_init()",
                            "    - perf: Completely remove possibility to override MAX_NR_CPUS",
                            "    - perf drm_pmu: Fix fd_dir leaks in for_each_drm_fdinfo_in_dir()",
                            "    - perf util: Fix compression checks returning -1 as bool",
                            "    - rtc: x1205: Fix Xicor X1205 vendor prefix",
                            "    - rtc: optee: fix memory leak on driver removal",
                            "    - perf arm_spe: Correct setting remote access",
                            "    - perf arm_spe: Correct memory level for remote access",
                            "    - perf vendor events arm64 AmpereOneX: Fix typo - should be",
                            "      l1d_cache_access_prefetches",
                            "    - perf test: AMD IBS swfilt skip kernel tests if paranoia is >1",
                            "    - perf test shell lbr: Avoid failures with perf event paranoia",
                            "    - perf trace: Fix IS_ERR() vs NULL check bug",
                            "    - perf session: Fix handling when buffer exceeds 2 GiB",
                            "    - perf test: Don't leak workload gopipe in PERF_RECORD_*",
                            "    - perf evsel: Fix uniquification when PMU given without suffix",
                            "    - perf test: Avoid uncore_imc/clockticks in uniquification test",
                            "    - perf evsel: Ensure the fallback message is always written to",
                            "    - perf build-id: Ensure snprintf string is empty when size is 0",
                            "    - clk: mediatek: mt8195-infra_ao: Fix parent for infra_ao_hdmi_26m",
                            "    - clk: mediatek: clk-mux: Do not pass flags to",
                            "      clk_mux_determine_rate_flags()",
                            "    - clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate()",
                            "    - clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver",
                            "    - clk: tegra: do not overallocate memory for bpmp clocks",
                            "    - nfsd: fix assignment of ia_ctime.tv_nsec on delegated mtime update",
                            "    - nfsd: ignore ATTR_DELEG when checking ia_valid before notify_change()",
                            "    - vfs: add ATTR_CTIME_SET flag",
                            "    - nfsd: use ATTR_CTIME_SET for delegated ctime updates",
                            "    - nfsd: track original timestamps in nfs4_delegation",
                            "    - nfsd: fix SETATTR updates for delegated timestamps",
                            "    - nfsd: fix timestamp updates in CB_GETATTR",
                            "    - tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64",
                            "    - PM: core: Annotate loops walking device links as _srcu",
                            "    - PM: core: Add two macros for walking device links",
                            "    - PM: sleep: Do not wait on SYNC_STATE_ONLY device links",
                            "    - cpufreq: tegra186: Set target frequency for all cpus in policy",
                            "    - scsi: mvsas: Fix use-after-free bugs in mvs_work_queue",
                            "    - perf bpf-filter: Fix opts declaration on older libbpfs",
                            "    - scsi: ufs: sysfs: Make HID attributes visible",
                            "    - mshv: Handle NEED_RESCHED_LAZY before transferring to guest",
                            "    - perf bpf_counter: Fix handling of cpumap fixing hybrid",
                            "    - ASoC: SOF: ipc4-topology: Correct the minimum host DMA buffer size",
                            "    - ASoC: SOF: ipc4-topology: Account for different ChainDMA host buffer",
                            "      size",
                            "    - ASoC: SOF: Intel: hda-pcm: Place the constraint on period time instead",
                            "      of buffer time",
                            "    - LoongArch: Add cflag -fno-isolate-erroneous-paths-dereference",
                            "    - LoongArch: Fix build error for LTO with LLVM-18",
                            "    - LoongArch: Init acpi_gbl_use_global_lock to false",
                            "    - ASoC: SOF: Intel: Read the LLP via the associated Link DMA channel",
                            "    - net: usb: lan78xx: Fix lost EEPROM read timeout error(-ETIMEDOUT) in",
                            "      lan78xx_read_raw_eeprom",
                            "    - net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter()",
                            "    - drm/xe/hw_engine_group: Fix double write lock release in error path",
                            "    - drm/xe/i2c: Don't rely on d3cold.allowed flag in system PM path",
                            "    - s390/cio: Update purge function to unregister the unused subchannels",
                            "    - drm/vmwgfx: Fix a null-ptr access in the cursor snooper",
                            "    - drm/vmwgfx: Fix Use-after-free in validation",
                            "    - drm/vmwgfx: Fix copy-paste typo in validation",
                            "    - net/sctp: fix a null dereference in sctp_disposition",
                            "      sctp_sf_do_5_1D_ce()",
                            "    - tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().",
                            "    - net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work",
                            "    - selftest: net: ovpn: Fix uninit return values",
                            "    - ice: ice_adapter: release xa entry on adapter allocation failure",
                            "    - net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe",
                            "    - tools build: Align warning options with perf",
                            "    - perf python: split Clang options when invoking Popen",
                            "    - tcp: take care of zero tp->window_clamp in tcp_set_rcvlowat()",
                            "    - mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call",
                            "    - mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes",
                            "    - mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop",
                            "    - mailbox: zynqmp-ipi: Fix SGI cleanup on unbind",
                            "    - bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}",
                            "    - net: mdio: mdio-i2c: Hold the i2c bus lock during smbus transactions",
                            "    - net: sparx5/lan969x: fix flooding configuration on bridge join/leave",
                            "    - net/mlx5: Prevent tunnel mode conflicts between FDB and NIC IPsec tables",
                            "    - net/mlx5e: Prevent tunnel reformat when tunnel mode not allowed",
                            "    - mailbox: mtk-cmdq: Remove pm_runtime APIs from cmdq_mbox_send_data()",
                            "    - drm/amdgpu: Add additional DCE6 SCL registers",
                            "    - drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs",
                            "    - drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6",
                            "    - drm/amd/display: Properly disable scaling on DCE6",
                            "    - drm/amd/display: Disable scaling on DCE6 for now",
                            "    - drm/amdkfd: Fix kfd process ref leaking when userptr unmapping",
                            "    - net: pse-pd: tps23881: Fix current measurement scaling",
                            "    - crypto: skcipher - Fix reqsize handling",
                            "    - netfilter: nft_objref: validate objref and objrefmap expressions",
                            "    - bridge: br_vlan_fill_forward_path_pvid: use br_vlan_group_rcu()",
                            "    - selftests: netfilter: nft_fib.sh: fix spurious test failures",
                            "    - selftests: netfilter: query conntrack state to check for port clash",
                            "      resolution",
                            "    - io_uring/zcrx: increment fallback loop src offset",
                            "    - net: airoha: Fix loopback mode configuration for GDM2 port",
                            "    - cifs: Fix copy_to_iter return value check",
                            "    - smb: client: fix missing timestamp updates after utime(2)",
                            "    - rtc: isl12022: Fix initial enable_irq/disable_irq balance",
                            "    - cifs: Query EA $LXMOD in cifs_query_path_info() for WSL reparse points",
                            "    - tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single",
                            "    - gpio: wcd934x: mark the GPIO controller as sleeping",
                            "    - bpf: Avoid RCU context warning when unpinning htab with internal structs",
                            "    - kbuild: always create intermediate vmlinux.unstripped",
                            "    - kbuild: keep .modinfo section in vmlinux.unstripped",
                            "    - kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux",
                            "    - kbuild: Add '.rel.*' strip pattern for vmlinux",
                            "    - s390: vmlinux.lds.S: Reorder sections",
                            "    - s390/vmlinux.lds.S: Move .vmlinux.info to end of allocatable sections",
                            "    - ACPICA: acpidump: drop ACPI_NONSTRING attribute from file_name",
                            "    - ACPI: property: Fix buffer properties extraction for subnodes",
                            "    - ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT",
                            "    - ACPICA: Debugger: drop ACPI_NONSTRING attribute from name_seg",
                            "    - ACPI: debug: fix signedness issues in read/write helpers",
                            "    - ACPI: battery: Add synchronization between interface updates",
                            "    - arm64: dts: qcom: msm8916: Add missing MDSS reset",
                            "    - arm64: dts: qcom: msm8939: Add missing MDSS reset",
                            "    - arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: qcom: x1e80100-pmics: Disable pm8010",
                            "      by default\"",
                            "    - arm64: dts: qcom: x1e80100-pmics: Disable pm8010 by default",
                            "    - arm64: dts: ti: k3-am62a-main: Fix main padcfg length",
                            "    - arm64: dts: ti: k3-am62p: Fix supported hardware for 1GHz OPP",
                            "    - arm64: kprobes: call set_memory_rox() for kprobe page",
                            "    - arm64: mte: Do not flag the zero page as PG_mte_tagged",
                            "    - ARM: AM33xx: Implement TI advisory 1.0.36 (EMU0/EMU1 pins state on",
                            "      reset)",
                            "    - ARM: OMAP2+: pm33xx-core: ix device node reference leaks in",
                            "      amx3_idle_init",
                            "    - firmware: arm_scmi: quirk: Prevent writes to string constants",
                            "    - perf/arm-cmn: Fix CMN S3 DTM offset",
                            "    - KVM: s390: Fix to clear PTE when discarding a swapped page",
                            "    - KVM: arm64: Fix debug checking for np-guests using huge mappings",
                            "    - KVM: arm64: Fix page leak in user_mem_abort()",
                            "    - x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP",
                            "    - KVM: SVM: Re-load current, not host, TSC_AUX on #VMEXIT from SEV-ES",
                            "      guest",
                            "    - KVM: TDX: Fix uninitialized error code for __tdx_bringup()",
                            "    - dt-bindings: phy: rockchip-inno-csi-dphy: make power-domains non-",
                            "      required",
                            "    - xen: take system_transition_mutex on suspend",
                            "    - xen/events: Cleanup find_virq() return codes",
                            "    - xen/manage: Fix suspend error path",
                            "    - xen/events: Return -EEXIST for bound VIRQs",
                            "    - xen/events: Update virq_to_irq on migration",
                            "    - firmware: exynos-acpm: fix PMIC returned errno",
                            "    - firmware: meson_sm: fix device leak at probe",
                            "    - media: cec: extron-da-hd-4k-plus: drop external-module make commands",
                            "    - media: cx18: Add missing check after DMA map",
                            "    - media: i2c: mt9p031: fix mbus code initialization",
                            "    - media: i2c: mt9v111: fix incorrect type for ret",
                            "    - media: mc: Fix MUST_CONNECT handling for pads with no links",
                            "    - media: pci: ivtv: Add missing check after DMA map",
                            "    - media: pci: mg4b: fix uninitialized iio scan data",
                            "    - media: platform: mtk-mdp3: Add missing MT8188 compatible to comp_dt_ids",
                            "    - media: s5p-mfc: remove an unused/uninitialized variable",
                            "    - media: staging/ipu7: fix isys device runtime PM usage in firmware",
                            "      closing",
                            "    - media: uvcvideo: Avoid variable shadowing in uvc_ctrl_cleanup_fh",
                            "    - media: venus: firmware: Use correct reset sequence for IRIS2",
                            "    - media: venus: pm_helpers: add fallback for the opp-table",
                            "    - media: vivid: fix disappearing <Vendor Command With ID> messages",
                            "    - media: vsp1: Export missing vsp1_isp_free_buffer symbol",
                            "    - media: ti: j721e-csi2rx: Use devm_of_platform_populate",
                            "    - media: ti: j721e-csi2rx: Fix source subdev link creation",
                            "    - media: lirc: Fix error handling in lirc_register()",
                            "    - drm/exynos: exynos7_drm_decon: remove ctx->suspended",
                            "    - drm/panthor: Fix memory leak in panthor_ioctl_group_create()",
                            "    - drm/msm/a6xx: Fix PDC sleep sequence",
                            "    - drm/rcar-du: dsi: Fix 1/2/3 lane support",
                            "    - drm/nouveau: fix bad ret code in nouveau_bo_move_prep",
                            "    - drm/xe/uapi: loosen used tracking restriction",
                            "    - drm/amd/display: Incorrect Mirror Cositing",
                            "    - drm/amd/display: Enable Dynamic DTBCLK Switch",
                            "    - drm/amd/display: Fix unsafe uses of kernel mode FPU",
                            "    - blk-crypto: fix missing blktrace bio split events",
                            "    - btrfs: avoid potential out-of-bounds in btrfs_encode_fh()",
                            "    - bus: mhi: ep: Fix chained transfer handling in read path",
                            "    - bus: mhi: host: Do not use uninitialized 'dev' pointer in",
                            "      mhi_init_irq_setup()",
                            "    - cdx: Fix device node reference leak in cdx_msi_domain_init",
                            "    - clk: qcom: tcsrcc-x1e80100: Set the bi_tcxo as parent to eDP refclk",
                            "    - clk: samsung: exynos990: Use PLL_CON0 for PLL parent muxes",
                            "    - clk: samsung: exynos990: Fix CMU_TOP mux/div bit widths",
                            "    - clk: samsung: exynos990: Replace bogus divs with fixed-factor clocks",
                            "    - copy_sighand: Handle architectures where sizeof(unsigned long) <",
                            "      sizeof(u64)",
                            "    - cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay",
                            "    - cpufreq: intel_pstate: Fix object lifecycle issue in",
                            "      update_qos_request()",
                            "    - crypto: aspeed - Fix dma_unmap_sg() direction",
                            "    - crypto: atmel - Fix dma_unmap_sg() direction",
                            "    - crypto: rockchip - Fix dma_unmap_sg() nents value",
                            "    - eventpoll: Replace rwlock with spinlock",
                            "    - fbdev: Fix logic error in \"offb\" name match",
                            "    - fs/ntfs3: Fix a resource leak bug in wnd_extend()",
                            "    - fs: quota: create dedicated workqueue for quota_release_work",
                            "    - fsnotify: pass correct offset to fsnotify_mmap_perm()",
                            "    - fuse: fix possibly missing fuse_copy_finish() call in fuse_notify()",
                            "    - fuse: fix livelock in synchronous file put from fuseblk workers",
                            "    - gpio: mpfs: fix setting gpio direction to output",
                            "    - i3c: Fix default I2C adapter timeout value",
                            "    - iio/adc/pac1934: fix channel disable configuration",
                            "    - iio: dac: ad5360: use int type to store negative error codes",
                            "    - iio: dac: ad5421: use int type to store negative error codes",
                            "    - iio: frequency: adf4350: Fix prescaler usage.",
                            "    - iio: xilinx-ams: Fix AMS_ALARM_THR_DIRECT_MASK",
                            "    - iio: xilinx-ams: Unmask interrupts after updating alarms",
                            "    - init: handle bootloader identifier in kernel parameters",
                            "    - iio: imu: inv_icm42600: Simplify pm_runtime setup",
                            "    - iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in",
                            "      resume",
                            "    - iio: imu: inv_icm42600: Avoid configuring if already pm_runtime",
                            "      suspended",
                            "    - iommu/vt-d: PRS isn't usable if PDS isn't supported",
                            "    - ipmi: Rework user message limit handling",
                            "    - ipmi:msghandler:Change seq_lock to a mutex",
                            "    - kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in",
                            "      sys_prlimit64() paths",
                            "    - KEYS: trusted_tpm1: Compare HMAC values in constant time",
                            "    - kho: only fill kimage if KHO is finalized",
                            "    - lib/genalloc: fix device leak in of_gen_pool_get()",
                            "    - loop: fix backing file reference leak on validation error",
                            "    - md: fix mssing blktrace bio split events",
                            "    - of: unittest: Fix device reference count leak in",
                            "      of_unittest_pci_node_verify",
                            "    - openat2: don't trigger automounts with RESOLVE_NO_XDEV",
                            "    - padata: Reset next CPU when reorder sequence wraps around",
                            "    - parisc: don't reference obsolete termio struct for TC* constants",
                            "    - parisc: Remove spurious if statement from raw_copy_from_user()",
                            "    - nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk",
                            "    - pinctrl: samsung: Drop unused S3C24xx driver data",
                            "    - PM: EM: Fix late boot with holes in CPU topology",
                            "    - PM: hibernate: Fix hybrid-sleep",
                            "    - PM: hibernate: Restrict GFP mask in power_down()",
                            "    - power: supply: max77976_charger: fix constant current reporting",
                            "    - powerpc/powernv/pci: Fix underflow and leak issue",
                            "    - powerpc/pseries/msi: Fix potential underflow and leak issue",
                            "    - pwm: berlin: Fix wrong register in suspend/resume",
                            "    - pwm: Fix incorrect variable used in error message",
                            "    - Revert \"ipmi: fix msg stack when IPMI is disconnected\"",
                            "    - sched/deadline: Fix race in push_dl_task()",
                            "    - scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()",
                            "    - scsi: sd: Fix build warning in sd_revalidate_disk()",
                            "    - sctp: Fix MAC comparison to be constant-time",
                            "    - smb client: fix bug with newly created file in cached dir",
                            "    - sparc64: fix hugetlb for sun4u",
                            "    - sparc: fix error handling in scan_one_device()",
                            "    - xtensa: simdisk: add input size check in proc_write_simdisk",
                            "    - xsk: Harden userspace-supplied xdp_desc validation",
                            "    - mtd: rawnand: fsmc: Default to autodetect buswidth",
                            "    - mtd: nand: raw: gpmi: fix clocks when CONFIG_PM=N",
                            "    - mmc: core: SPI mode remove cmd7",
                            "    - mmc: mmc_spi: multiple block read remove read crc ack",
                            "    - memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe",
                            "    - memory: stm32_omm: Fix req2ack update test",
                            "    - rtc: interface: Ensure alarm irq is enabled when UIE is enabled",
                            "    - rtc: interface: Fix long-standing race when setting alarm",
                            "    - rseq/selftests: Use weak symbol reference, not definition, to link with",
                            "      glibc",
                            "    - PCI: xilinx-nwl: Fix ECAM programming",
                            "    - PCI: tegra: Convert struct tegra_msi mask_lock into raw spinlock",
                            "    - PCI/sysfs: Ensure devices are powered for config reads",
                            "    - PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV",
                            "    - PCI/ERR: Fix uevent on failure to recover",
                            "    - PCI/AER: Fix missing uevent on recovery when a reset is requested",
                            "    - PCI/AER: Support errors introduced by PCIe r6.0",
                            "    - PCI: Ensure relaxed tail alignment does not increase min_align",
                            "    - PCI: Fix failure detection during resource resize",
                            "    - PCI: j721e: Fix module autoloading",
                            "    - PCI: j721e: Fix programming sequence of \"strap\" settings",
                            "    - PCI: keystone: Use devm_request_irq() to free \"ks-pcie-error-irq\" on",
                            "      exit",
                            "    - PCI: rcar-gen4: Fix PHY initialization",
                            "    - PCI: rcar-host: Drop PMSR spinlock",
                            "    - PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock",
                            "    - PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq()",
                            "    - PCI: tegra194: Handle errors in BPMP response",
                            "    - PCI: tegra194: Reset BARs when running in PCIe endpoint mode",
                            "    - PCI/pwrctrl: Fix device leak at registration",
                            "    - PCI/pwrctrl: Fix device and OF node leak at bus scan",
                            "    - PCI/pwrctrl: Fix device leak at device stop",
                            "    - spi: cadence-quadspi: Flush posted register writes before INDAC access",
                            "    - spi: cadence-quadspi: Flush posted register writes before DAC access",
                            "    - spi: cadence-quadspi: Fix cqspi_setup_flash()",
                            "    - xfs: use deferred intent items for reaping crosslinked blocks",
                            "    - x86/fred: Remove ENDBR64 from FRED entry points",
                            "    - x86/umip: Check that the instruction opcode is at least two bytes",
                            "    - x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT",
                            "      aliases)",
                            "    - mptcp: pm: in-kernel: usable client side with C-flag",
                            "    - mptcp: reset blackhole on success with non-loopback ifaces",
                            "    - selftests: mptcp: join: validate C-flag + def limit",
                            "    - s390/cio/ioasm: Fix __xsch() condition code handling",
                            "    - s390/dasd: enforce dma_alignment to ensure proper buffer validation",
                            "    - s390/dasd: Return BLK_STS_INVAL for EINVAL from do_dasd_request",
                            "    - s390: Add -Wno-pointer-sign to KBUILD_CFLAGS_DECOMPRESSOR",
                            "    - slab: prevent warnings when slab obj_exts vector allocation fails",
                            "    - slab: mark slab->obj_exts allocation failures unconditionally",
                            "    - wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again",
                            "    - wifi: iwlwifi: Fix dentry reference leak in iwl_mld_add_link_debugfs",
                            "    - wifi: rtw89: avoid possible TX wait initialization race",
                            "    - wifi: mt76: mt7925u: Add VID/PID for Netgear A9000",
                            "    - wifi: mt76: mt7921u: Add VID/PID for Netgear A7500",
                            "    - mm/thp: fix MTE tag mismatch when replacing zero-filled subpages",
                            "    - mm/rmap: fix soft-dirty and uffd-wp bit loss when remapping zero-filled",
                            "      mTHP subpage to shared zeropage",
                            "    - mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations",
                            "    - mm/hugetlb: early exit from hugetlb_pages_alloc_boot() when",
                            "      max_huge_pages=0",
                            "    - mm/damon/vaddr: do not repeat pte_offset_map_lock() until success",
                            "    - mm/damon/lru_sort: use param_ctx for damon_attrs staging",
                            "    - nfsd: decouple the xprtsec policy check from check_nfsd_access()",
                            "    - NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul()",
                            "    - nfsd: nfserr_jukebox in nlm_fopen should lead to a retry",
                            "    - media: iris: Call correct power off callback in cleanup path",
                            "    - media: iris: Fix firmware reference leak and unmap memory after load",
                            "    - media: iris: fix module removal if firmware download failed",
                            "    - media: iris: vpu3x: Add MNoC low power handshake during hardware power-",
                            "      off",
                            "    - media: iris: Fix port streaming handling",
                            "    - media: iris: Fix buffer count reporting in internal buffer check",
                            "    - media: iris: Allow substate transition to load resources during output",
                            "      streaming",
                            "    - media: iris: Always destroy internal buffers on firmware release",
                            "      response",
                            "    - media: iris: Simplify session stop logic by relying on vb2 checks",
                            "    - media: iris: Update vbuf flags before v4l2_m2m_buf_done",
                            "    - media: iris: Send dummy buffer address for all codecs during drain",
                            "    - media: iris: Fix missing LAST flag handling during drain",
                            "    - media: iris: Fix format check for CAPTURE plane in try_fmt",
                            "    - media: iris: Allow stop on firmware only if start was issued.",
                            "    - ext4: add ext4_sb_bread_nofail() helper function for",
                            "      ext4_free_branches()",
                            "    - ext4: fail unaligned direct IO write with EINVAL",
                            "    - ext4: verify orphan file size is not too big",
                            "    - ext4: increase i_disksize to offset + len in",
                            "      ext4_update_disksize_before_punch()",
                            "    - ext4: correctly handle queries for metadata mappings",
                            "    - ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()",
                            "    - ext4: fix an off-by-one issue during moving extents",
                            "    - ext4: guard against EA inode refcount underflow in xattr update",
                            "    - ext4: validate ea_ino and size in check_xattrs",
                            "    - ACPICA: Allow to skip Global Lock initialization",
                            "    - ext4: free orphan info with kvfree",
                            "    - ipmi: Fix handling of messages with provided receive message pointer",
                            "    - Squashfs: add additional inode sanity checking",
                            "    - Squashfs: reject negative file sizes in squashfs_read_inode()",
                            "    - mm/ksm: fix incorrect KSM counter handling in mm_struct during fork",
                            "    - media: mc: Clear minor number before put device",
                            "    - arm64: dts: qcom: qcs615: add missing dt property in QUP SEs",
                            "    - ACPI: property: Disregard references in data-only subnode lists",
                            "    - ACPI: property: Add code comments explaining what is going on",
                            "    - ACPI: property: Do not pass NULL handles to acpi_attach_data()",
                            "    - irqchip/sifive-plic: Avoid interrupt ID 0 handling during suspend/resume",
                            "    - copy_file_range: limit size if in compat mode",
                            "    - minixfs: Verify inode mode when loading from disk",
                            "    - pid: Add a judgment for ns null in pid_nr_ns",
                            "    - fs: Add 'initramfs_options' to set initramfs mount options",
                            "    - cramfs: Verify inode mode when loading from disk",
                            "    - nsfs: validate extensible ioctls",
                            "    - mnt_ns_tree_remove(): DTRT if mnt_ns had never been added to mnt_ns_list",
                            "    - writeback: Avoid softlockup when switching many inodes",
                            "    - writeback: Avoid excessively long inode switching times",
                            "    - iomap: error out on file IO when there is no inline_data buffer",
                            "    - pidfs: validate extensible ioctls",
                            "    - mount: handle NULL values in mnt_ns_release()",
                            "    - Linux 6.17.4",
                            "  * Questing update: v6.17.4 upstream stable release (LP: #2131259) // Race",
                            "    condition in perf build causes build failure due to missing unistd_64.h",
                            "    header on arm64 (LP: #2131702)",
                            "    - perf tools: Fix arm64 libjvmti build by generating unistd_64.h",
                            "  * Questing update: v6.17.3 upstream stable release (LP: #2129610)",
                            "    - arch: copy_thread: pass clone_flags as u64",
                            "    - filelock: add FL_RECLAIM to show_fl_flags() macro",
                            "    - init: INITRAMFS_PRESERVE_MTIME should depend on BLK_DEV_INITRD",
                            "    - pid: use ns_capable_noaudit() when determining net sysctl permissions",
                            "    - Fix CC_HAS_ASM_GOTO_OUTPUT on non-x86 architectures",
                            "    - [Config]: Update CC configs for v6.17.3",
                            "    - seccomp: Fix a race with WAIT_KILLABLE_RECV if the tracer replies too",
                            "      fast",
                            "    - kbuild: Add missing $(objtree) prefix to powerpc crtsavres.o artifact",
                            "    - selftests: arm64: Check fread return value in exec_target",
                            "    - selftests: arm64: Fix -Waddress warning in tpidr2 test",
                            "    - kselftest/arm64/gcs: Correctly check return value when disabling GCS",
                            "    - hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()",
                            "    - gfs2: Fix GLF_INVALIDATE_IN_PROGRESS flag clearing in do_xmote",
                            "    - gfs2: Remove space before newline",
                            "    - gfs2: Further sanitize lock_dlm.c",
                            "    - gfs2: Fix LM_FLAG_TRY* logic in add_to_queue",
                            "    - gfs2: Remove duplicate check in do_xmote",
                            "    - gfs2: Get rid of GLF_INVALIDATE_IN_PROGRESS",
                            "    - gfs2: do_xmote cleanup",
                            "    - gfs2: Add proper lockspace locking",
                            "    - powerpc/8xx: Remove left-over instruction and comments in",
                            "      DataStoreTLBMiss handler",
                            "    - powerpc/603: Really copy kernel PGD entries into all PGDIRs",
                            "    - powerpc/ftrace: ensure ftrace record ops are always set for NOPs",
                            "    - powerpc64/modules: correctly iterate over stubs in",
                            "      setup_ftrace_ool_stubs",
                            "    - uprobes: uprobe_warn should use passed task",
                            "    - raid6: riscv: Clean up unused header file inclusion",
                            "    - coresight: trbe: Prevent overflow in PERF_IDX2OFF()",
                            "    - perf: arm_spe: Prevent overflow in PERF_IDX2OFF()",
                            "    - erofs: avoid reading more for fragment maps",
                            "    - smb: client: fix sending the iwrap custom IRD/ORD negotiation messages",
                            "    - smb: server: fix IRD/ORD negotiation with the client",
                            "    - perf/x86/intel: Use early_initcall() to hook bts_init()",
                            "    - perf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error",
                            "    - x86/vdso: Fix output operand size of RDPID",
                            "    - selftests: cgroup: Make test_pids backwards compatible",
                            "    - sched/fair: Get rid of sched_domains_curr_level hack for tl->cpumask()",
                            "    - [Config]: Update CONFIG_SCHED_MC for v6.17.3",
                            "    - lsm: CONFIG_LSM can depend on CONFIG_SECURITY",
                            "    - cpuset: fix failure to enable isolated partition when containing",
                            "      isolcpus",
                            "    - btrfs: return any hit error from extent_writepage_io()",
                            "    - btrfs: fix symbolic link reading when bs > ps",
                            "    - pinctrl: renesas: rzg2l: Fix invalid unsigned return in rzg3s_oen_read()",
                            "    - arm64: dts: renesas: rzg2lc-smarc: Disable CAN-FD channel0",
                            "    - bpf: Tidy verifier bug message",
                            "    - regmap: Remove superfluous check for !config in __regmap_init()",
                            "    - selftests/bpf: Copy test_kmods when installing selftest",
                            "    - rust: cpumask: Mark CpumaskVar as transparent",
                            "    - bpf/selftests: Fix test_tcpnotify_user",
                            "    - bpf: Remove migrate_disable in kprobe_multi_link_prog_run",
                            "    - libbpf: Fix reuse of DEVMAP",
                            "    - tools/nolibc: fix error return value of clock_nanosleep()",
                            "    - ARM: dts: renesas: porter: Fix CAN pin group",
                            "    - leds: max77705: Function return instead of variable assignment",
                            "    - leds: flash: leds-qcom-flash: Update torch current clamp setting",
                            "    - s390/bpf: Do not write tail call counter into helper and kfunc frames",
                            "    - s390/bpf: Write back tail call counter for BPF_PSEUDO_CALL",
                            "    - s390/bpf: Write back tail call counter for BPF_TRAMP_F_CALL_ORIG",
                            "    - cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus()",
                            "    - arm64: dts: renesas: sparrow-hawk: Invert microSD voltage selector on",
                            "      EVTB1",
                            "    - arm64: dts: renesas: sparrow-hawk: Set VDDQ18_25_AVB voltage on EVTB1",
                            "    - libbpf: Export bpf_object__prepare symbol",
                            "    - firmware: arm_scmi: Mark VirtIO ready before registering",
                            "      scmi_virtio_driver",
                            "    - arm64: dts: imx93-kontron: Fix GPIO for panel regulator",
                            "    - arm64: dts: imx93-kontron: Fix USB port assignment",
                            "    - arm64: dts: imx95: Correct the lpuart7 and lpuart8 srcid",
                            "    - bpf: Remove preempt_disable in bpf_try_get_buffers",
                            "    - ACPI: processor: idle: Fix memory leak when register cpuidle device",
                            "      failed",
                            "    - genirq: Add irq_chip_(startup/shutdown)_parent()",
                            "    - PCI/MSI: Add startup/shutdown for per device domains",
                            "    - irqchip/sg2042-msi: Fix broken affinity setting",
                            "    - scripts/misc-check: update export checks for EXPORT_SYMBOL_FOR_MODULES()",
                            "    - soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS",
                            "    - pinctrl: meson-gxl: add missing i2c_d pinmux",
                            "    - blk-mq: check kobject state_in_sysfs before deleting in",
                            "      blk_mq_unregister_hctx",
                            "    - selftests/futex: Remove the -g parameter from futex_priv_hash",
                            "    - ARM: at91: pm: fix MCKx restore routine",
                            "    - arm64: dts: apple: t8103-j457: Fix PCIe ethernet iommu-map",
                            "    - regulator: scmi: Use int type to store negative error codes",
                            "    - selftests/futex: Fix some futex_numa_mpol subtests",
                            "    - tools/nolibc: avoid error in dup2() if old fd equals new fd",
                            "    - selftests/nolibc: fix EXPECT_NZ macro",
                            "    - leds: leds-lp55xx: Use correct address for memory programming",
                            "    - PCI/MSI: Check MSI_FLAG_PCI_MSI_MASK_PARENT in",
                            "      cond_[startup|shutdown]_parent()",
                            "    - block: use int to store blk_stack_limits() return value",
                            "    - ARM: dts: stm32: stm32mp151c-plyaqm: Use correct dai-format property",
                            "    - dt-bindings: vendor-prefixes: Add undocumented vendor prefixes",
                            "    - genirq/test: Fix depth tests on architectures with NOREQUEST by default.",
                            "    - genirq/test: Select IRQ_DOMAIN",
                            "    - genirq/test: Depend on SPARSE_IRQ",
                            "    - genirq/test: Drop CONFIG_GENERIC_IRQ_MIGRATION assumptions",
                            "    - genirq/test: Ensure CPU 1 is online for hotplug test",
                            "    - selftests/bpf: Fix count write in testapp_xdp_metadata_copy()",
                            "    - vdso/datastore: Gate time data behind CONFIG_GENERIC_GETTIMEOFDAY",
                            "    - PM: sleep: core: Clear power.must_resume in noirq suspend error path",
                            "    - blk-mq: fix elevator depth_updated method",
                            "    - vdso: Add struct __kernel_old_timeval forward declaration to gettime.h",
                            "    - ARM: dts: ti: omap: am335x-baltos: Fix ti,en-ck32k-xtal property in DTS",
                            "      to use correct boolean syntax",
                            "    - ARM: dts: ti: omap: omap3-devkit8000-lcd: Fix ti,keep-vref-on property",
                            "      to use correct boolean syntax in DTS",
                            "    - ARM: dts: omap: am335x-cm-t335: Remove unused mcasp num-serializer",
                            "      property",
                            "    - PM / devfreq: mtk-cci: Fix potential error pointer dereference in",
                            "      probe()",
                            "    - power: supply: cw2015: Fix a alignment coding style issue",
                            "    - hwmon: (asus-ec-sensors) Narrow lock for X870E-CREATOR WIFI",
                            "    - pinctrl: renesas: Use int type to store negative error codes",
                            "    - pinctrl: eswin: Fix regulator error check and Kconfig dependency",
                            "    - null_blk: Fix the description of the cache_size module argument",
                            "    - blk-throttle: fix access race during throttle policy activation",
                            "    - selftests: vDSO: Fix -Wunitialized in powerpc VDSO_CALL() wrapper",
                            "    - selftests: vDSO: vdso_test_abi: Correctly skip whole test with missing",
                            "      vDSO",
                            "    - irqchip/gic-v5: Fix loop in gicv5_its_create_itt_two_level() cleanup",
                            "      path",
                            "    - irqchip/gic-v5: Fix error handling in gicv5_its_irq_domain_alloc()",
                            "    - tick: Do not set device to detached state in tick_shutdown()",
                            "    - arm64: dts: mediatek: mt8195: Remove suspend-breaking reset from pcie0",
                            "    - arm64: dts: mediatek: mt8183: Fix out of range pull values",
                            "    - nbd: restrict sockets to TCP and UDP",
                            "    - PM / devfreq: rockchip-dfi: double count on RK3588",
                            "    - firmware: firmware: meson-sm: fix compile-test default",
                            "    - dts: arm: amlogic: fix pwm node for c3",
                            "    - soc: mediatek: mtk-svs: fix device leaks on mt8183 probe failure",
                            "    - soc: mediatek: mtk-svs: fix device leaks on mt8192 probe failure",
                            "    - cpuidle: qcom-spm: fix device and OF node leaks at probe",
                            "    - block: cleanup bio_issue",
                            "    - block: initialize bio issue time in blk_mq_submit_bio()",
                            "    - block: factor out a helper bio_submit_split_bioset()",
                            "    - block: skip unnecessary checks for split bio",
                            "    - block: fix ordering of recursive split IO",
                            "    - blk-mq: remove useless checkings in blk_mq_update_nr_requests()",
                            "    - blk-mq: check invalid nr_requests in queue_requests_store()",
                            "    - blk-mq: convert to serialize updating nr_requests with",
                            "      update_nr_hwq_lock",
                            "    - blk-mq: cleanup shared tags case in blk_mq_update_nr_requests()",
                            "    - blk-mq: split bitmap grow and resize case in blk_mq_update_nr_requests()",
                            "    - blk-mq-sched: add new parameter nr_requests in blk_mq_alloc_sched_tags()",
                            "    - blk-mq: fix potential deadlock while nr_requests grown",
                            "    - arm64: dts: allwinner: a527: cubie-a5e: Add ethernet PHY reset setting",
                            "    - arm64: dts: allwinner: t527: avaota-a1: Add ethernet PHY reset setting",
                            "    - arm64: dts: rockchip: Add RTC on rk3576-evb1-v10",
                            "    - arm64: dts: rockchip: Add WiFi on rk3576-evb1-v10",
                            "    - arm64: dts: rockchip: Fix network on rk3576 evb1 board",
                            "    - arm64: dts: ti: k3-j742s2-mcu-wakeup: Override firmware-name for MCU R5F",
                            "      cores",
                            "    - arm64: dts: ti: k3: Rename rproc reserved-mem nodes to 'memory@addr'",
                            "    - Revert \"arm64: dts: ti: k3-j721e-sk: Fix reversed C6x carveout",
                            "      locations\"",
                            "    - Revert \"arm64: dts: ti: k3-j721e-beagleboneai64: Fix reversed C6x",
                            "      carveout locations\"",
                            "    - arm64: dts: mediatek: mt8188: Change efuse fallback compatible to mt8186",
                            "    - arm64: dts: mediatek: mt8186-tentacruel: Fix touchscreen model",
                            "    - arm64: dts: ti: k3-pinctrl: Fix the bug in existing macros",
                            "    - arm64: dts: renesas: r9a09g047e57-smarc: Fix gpio key's pin control node",
                            "    - arm64: dts: mediatek: mt6331: Fix pmic, regulators, rtc, keys node names",
                            "    - mmc: core: Fix variable shadowing in mmc_route_rpmb_frames()",
                            "    - arm64: dts: mediatek: mt6795-xperia-m5: Fix mmc0 latch-ck value",
                            "    - arm64: dts: mediatek: mt7986a: Fix PCI-Express T-PHY node address",
                            "    - arm64: dts: mediatek: mt8395-kontron-i1200: Fix MT6360 regulator nodes",
                            "    - arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible",
                            "    - arm64: dts: allwinner: a527: cubie-a5e: Add LEDs",
                            "    - arm64: dts: allwinner: a527: cubie-a5e: Drop external 32.768 KHz crystal",
                            "    - arm64: dts: allwinner: t527: avaota-a1: hook up external 32k crystal",
                            "    - arm64: dts: allwinner: t527: orangepi-4a: hook up external 32k crystal",
                            "    - pwm: tiehrpwm: Don't drop runtime PM reference in .free()",
                            "    - pwm: tiehrpwm: Make code comment in .free() more useful",
                            "    - pwm: tiehrpwm: Fix various off-by-one errors in duty-cycle calculation",
                            "    - pwm: tiehrpwm: Fix corner case in clock divisor calculation",
                            "    - ACPICA: Apply ACPI_NONSTRING",
                            "    - ACPICA: Fix largest possible resource descriptor index",
                            "    - riscv, bpf: Sign extend struct ops return values properly",
                            "    - nvme-auth: update bi_directional flag",
                            "    - nvmet-fc: move lsop put work to nvmet_fc_ls_req_op",
                            "    - nvmet-fcloop: call done callback even when remote port is gone",
                            "    - nvme-tcp: send only permitted commands for secure concat",
                            "    - i3c: master: svc: Use manual response for IBI events",
                            "    - i3c: master: svc: Recycle unused IBI slot",
                            "    - block: update validation of atomic writes boundary for stacked devices",
                            "    - block: fix stacking of atomic writes when atomics are not supported",
                            "    - selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported",
                            "    - selftests/kselftest_harness: Add harness-selftest.expected to TEST_FILES",
                            "    - blk-throttle: fix throtl_data leak during disk release",
                            "    - bpf: Explicitly check accesses to bpf_sock_addr",
                            "    - mmc: select REGMAP_MMIO with MMC_LOONGSON2",
                            "    - selftests/futex: Fix futex_wait() for 32bit ARM",
                            "    - selftest/futex: Make the error check more precise for futex_numa_mpol",
                            "    - selftest/futex: Compile also with libnuma < 2.0.16",
                            "    - bpf: dont report verifier bug for missing bpf_scc_visit on speculative",
                            "      path",
                            "    - bpf, arm64: Call bpf_jit_binary_pack_finalize() in bpf_jit_free()",
                            "    - arm64: dts: apple: t600x: Add missing WiFi properties",
                            "    - arm64: dts: apple: t600x: Add bluetooth device nodes",
                            "    - arm64: dts: apple: Add ethernet0 alias for J375 template",
                            "    - selftests: always install UAPI headers to the correct directory",
                            "    - smp: Fix up and expand the smp_call_function_many() kerneldoc",
                            "    - mfd: max77705: max77705_charger: move active discharge setting to mfd",
                            "      parent",
                            "    - power: supply: max77705_charger: refactoring: rename charger to chg",
                            "    - power: supply: max77705_charger: use regfields for config registers",
                            "    - power: supply: max77705_charger: rework interrupts",
                            "    - tools/nolibc: make time_t robust if __kernel_old_time_t is missing in",
                            "      host headers",
                            "    - spi: fix return code when spi device has too many chipselects",
                            "    - clocksource/drivers/timer-tegra186: Avoid 64-bit divide operation",
                            "    - clocksource/drivers/tegra186: Avoid 64-bit division",
                            "    - bpf: Mark kfuncs as __noclone",
                            "    - once: fix race by moving DO_ONCE to separate section",
                            "    - hwmon: (mlxreg-fan) Separate methods of fan setting coming from",
                            "      different subsystems",
                            "    - tools/nolibc: add stdbool.h to nolibc includes",
                            "    - thermal/drivers/qcom: Make LMH select QCOM_SCM",
                            "    - thermal/drivers/qcom/lmh: Add missing IRQ includes",
                            "    - i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD",
                            "    - i2c: spacemit: ensure bus release check runs when wait_bus_idle() fails",
                            "    - i2c: spacemit: remove stop function to avoid bus error",
                            "    - i2c: spacemit: disable SDA glitch fix to avoid restart delay",
                            "    - i2c: spacemit: check SDA instead of SCL after bus reset",
                            "    - i2c: spacemit: ensure SDA is released after bus reset",
                            "    - i2c: designware: Fix clock issue when PM is disabled",
                            "    - i2c: designware: Add disabling clocks when probe fails",
                            "    - libbpf: Fix error when st-prefix_ops and ops from differ btf",
                            "    - bpf: Enforce expected_attach_type for tailcall compatibility",
                            "    - i3c: fix big-endian FIFO transfers",
                            "    - mfd: max77705: Setup the core driver as an interrupt controller",
                            "    - drm/sched: Fix a race in DRM_GPU_SCHED_STAT_NO_HANG test",
                            "    - drm/panel-edp: Add disable to 100ms for MNB601LS1-4",
                            "    - drm/display: bridge-connector: correct CEC bridge pointers in",
                            "      drm_bridge_connector_init",
                            "    - drm/panel-edp: Add 50ms disable delay for four panels",
                            "    - drm/vmwgfx: fix missing assignment to ts",
                            "    - drm/amd/display: Reduce Stack Usage by moving 'audio_output' into",
                            "      'stream_res' v4",
                            "    - drm/panel: novatek-nt35560: Fix invalid return value",
                            "    - drm/amdgpu: fix link error for !PM_SLEEP",
                            "    - drm/amdgpu: Fix jpeg v4.0.3 poison irq call trace on sriov guest",
                            "    - drm/amdgpu: Fix vcn v4.0.3 poison irq call trace on sriov guest",
                            "    - PCI: endpoint: pci-ep-msi: Fix NULL vs IS_ERR() check in",
                            "      pci_epf_write_msi_msg()",
                            "    - PCI: xgene-msi: Return negative -EINVAL in xgene_msi_handler_setup()",
                            "    - drm/radeon/r600_cs: clean up of dead code in r600_cs",
                            "    - f2fs: fix condition in __allow_reserved_blocks()",
                            "    - f2fs: fix to avoid overflow while left shift operation",
                            "    - f2fs: fix to zero data after EOF for compressed file correctly",
                            "    - drm/bridge: it6505: select REGMAP_I2C",
                            "    - wifi: rtw88: Lock rtwdev->mutex before setting the LED",
                            "    - HID: steelseries: refactor probe() and remove()",
                            "    - media: zoran: Remove zoran_fh structure",
                            "    - phy: rockchip: naneng-combphy: Enable U3 OTG port for RK3568",
                            "    - drm/bridge: cdns-dsi: Fix the _atomic_check()",
                            "    - usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup",
                            "    - usb: misc: qcom_eud: Access EUD_MODE_MANAGER2 through secure calls",
                            "    - PCI/pwrctrl: Fix double cleanup on devm_add_action_or_reset() failure",
                            "    - misc: pci_endpoint_test: Fix array underflow in",
                            "      pci_endpoint_test_ioctl()",
                            "    - serial: max310x: Add error checking in probe()",
                            "    - drm/amd/display: Remove redundant semicolons",
                            "    - drm/amd/display: Add NULL pointer checks in dc_stream cursor attribute",
                            "      functions",
                            "    - crypto: keembay - Add missing check after sg_nents_for_len()",
                            "    - hwrng: nomadik - add ARM_AMBA dependency",
                            "    - docs: iio: ad3552r: Fix malformed code-block directive",
                            "    - fwctl/mlx5: Fix memory alloc/free in mlx5ctl_fw_rpc()",
                            "    - scsi: pm80xx: Restore support for expanders",
                            "    - scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod",
                            "    - scsi: libsas: Add dev_parent_is_expander() helper",
                            "    - scsi: pm80xx: Use dev_parent_is_expander() helper",
                            "    - scsi: pm80xx: Add helper function to get the local phy id",
                            "    - scsi: pm80xx: Fix pm8001_abort_task() for chip_8006 when using an",
                            "      expander",
                            "    - mptcp: Fix up subflow's memcg when CONFIG_SOCK_CGROUP_DATA=n.",
                            "    - scsi: myrs: Fix dma_alloc_coherent() error check",
                            "    - f2fs: fix to clear unusable_cap for checkpoint=enable",
                            "    - f2fs: fix to avoid NULL pointer dereference in",
                            "      f2fs_check_quota_consistency()",
                            "    - f2fs: fix to allow removing qf_name",
                            "    - Revert \"UBUNTU: SAUCE: drm/dp: drm_edp_backlight_set_level: do not",
                            "      always send 3-byte commands\"",
                            "    - drm/dp: drm_edp_backlight_set_level: do not always send 3-byte commands",
                            "    - crypto: octeontx2 - Call strscpy() with correct size argument",
                            "    - drm: re-allow no-op changes on non-primary planes in async flips",
                            "    - media: rj54n1cb0c: Fix memleak in rj54n1_probe()",
                            "    - media: staging/ipu7: convert to use pci_alloc_irq_vectors() API",
                            "    - media: staging/ipu7: Don't set name for IPU7 PCI device",
                            "    - media: staging/ipu7: cleanup the MMU correctly in IPU7 driver release",
                            "    - media: i2c: vd55g1: Fix duster register address",
                            "    - drm/panel: Allow powering on panel follower after panel is enabled",
                            "    - HID: i2c-hid: Make elan touch controllers power on after panel is",
                            "      enabled",
                            "    - RDMA/mlx5: Better estimate max_qp_wr to reflect WQE count",
                            "    - RDMA/mlx5: Fix vport loopback forcing for MPV device",
                            "    - wifi: rtw88: Use led->brightness_set_blocking for PCI too",
                            "    - net: phy: introduce phy_id_compare_vendor() PHY ID helper",
                            "    - net: phy: as21xxx: better handle PHY HW reset on soft-reboot",
                            "    - PCI: rcar-host: Pass proper IRQ domain to generic_handle_domain_irq()",
                            "    - fuse: remove unneeded offset assignment when filling write pages",
                            "    - PCI: qcom: Restrict port parsing only to PCIe bridge child nodes",
                            "    - cdx: don't select CONFIG_GENERIC_MSI_IRQ",
                            "    - PCI/ACPI: Fix pci_acpi_preserve_config() memory leak",
                            "    - HID: i2c-hid: Fix test in i2c_hid_core_register_panel_follower()",
                            "    - ALSA: lx_core: use int type to store negative error codes",
                            "    - media: st-delta: avoid excessive stack usage",
                            "    - drm/amdgpu/vcn: Add regdump helper functions",
                            "    - drm/amdgpu/vcn: Hold pg_lock before vcn power off",
                            "    - drm/amdgpu: Check vcn state before profile switch",
                            "    - accel/amdxdna: Use int instead of u32 to store error codes",
                            "    - efi: Explain OVMF acronym in OVMF_DEBUG_LOG help text",
                            "    - net: dst: introduce dst->dev_rcu",
                            "    - ipv6: mcast: Add ip6_mc_find_idev() helper",
                            "    - ipv6: start using dst_dev_rcu()",
                            "    - ipv6: use RCU in ip6_xmit()",
                            "    - ipv6: use RCU in ip6_output()",
                            "    - net: use dst_dev_rcu() in sk_setup_caps()",
                            "    - tcp_metrics: use dst_dev_net_rcu()",
                            "    - ipv4: start using dst_dev_rcu()",
                            "    - crypto: hisilicon/zip - remove unnecessary validation for high-",
                            "      performance mode configurations",
                            "    - crypto: hisilicon - re-enable address prefetch after device resuming",
                            "    - crypto: hisilicon - check the sva module status while enabling or",
                            "      disabling address prefetch",
                            "    - crypto: hisilicon/qm - check whether the input function and PF are on",
                            "      the same device",
                            "    - crypto: hisilicon/qm - request reserved interrupt for virtual function",
                            "    - inet: ping: check sock_net() in ping_get_port() and ping_lookup()",
                            "    - dmaengine: Fix dma_async_tx_descriptor->tx_submit documentation",
                            "    - coresight: trbe: Add ISB after TRBLIMITR write",
                            "    - coresight: Fix missing include for FIELD_GET",
                            "    - coresight: Only register perf symlink for sinks with alloc_buffer",
                            "    - drm/amdgpu: Power up UVD 3 for FW validation (v2)",
                            "    - drm/amd/pm: Disable ULV even if unsupported (v3)",
                            "    - drm/amd/pm: Fix si_upload_smc_data (v3)",
                            "    - drm/amd/pm: Adjust si_upload_smc_data register programming (v3)",
                            "    - drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3)",
                            "    - drm/amd/pm: Disable MCLK switching with non-DC at 120 Hz+ (v2)",
                            "    - drm/amd/pm: Disable SCLK switching on Oland with high pixel clocks (v3)",
                            "    - wifi: mac80211: Make CONNECTION_MONITOR optional for MLO sta",
                            "    - wifi: mwifiex: send world regulatory domain to driver",
                            "    - wifi: brcmfmac: fix 43752 SDIO FWVID incorrectly labelled as Cypress",
                            "      (CYW)",
                            "    - drm/msm: Do not validate SSPP when it is not ready",
                            "    - PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation",
                            "    - wifi: mac80211: consider links for validating SCAN_FLAG_AP in scan",
                            "      request during MLO",
                            "    - PCI: qcom: Add equalization settings for 8.0 GT/s and 32.0 GT/s",
                            "    - tcp: fix __tcp_close() to only send RST when required",
                            "    - fanotify: Validate the return value of mnt_ns_from_dentry() before",
                            "      dereferencing",
                            "    - drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl()",
                            "    - usb: phy: twl6030: Fix incorrect type for ret",
                            "    - usb: gadget: configfs: Correctly set use_os_string at bind",
                            "    - tty: n_gsm: Don't block input queue by waiting MSC",
                            "    - misc: genwqe: Fix incorrect cmd field being reported in error",
                            "    - pps: fix warning in pps_register_cdev when register device fail",
                            "    - drm/msm: Fix obj leak in VM_BIND error path",
                            "    - drm/msm: Fix missing VM_BIND offset/range validation",
                            "    - wifi: iwlwifi: Remove redundant header files",
                            "    - drm/msm/mdp4: stop supporting no-IOMMU configuration",
                            "    - drm/msm: stop supporting no-IOMMU configuration",
                            "    - idpf: fix Rx descriptor ready check barrier in splitq",
                            "    - ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping",
                            "    - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping",
                            "    - ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping",
                            "    - ipv6: snmp: do not use SNMP_MIB_SENTINEL anymore",
                            "    - ipv6: snmp: do not track per idev ICMP6_MIB_RATELIMITHOST",
                            "    - drm/msm: Fix bootup splat with separate_gpu_drm modparam",
                            "    - drm/msm/dpu: fix incorrect type for ret",
                            "    - wifi: mac80211: fix reporting of all valid links in sta_set_sinfo()",
                            "    - fs: ntfs3: Fix integer overflow in run_unpack()",
                            "    - fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist",
                            "    - iio: consumers: Fix handling of negative channel scale in",
                            "      iio_convert_raw_to_processed()",
                            "    - iio: consumers: Fix offset handling in iio_convert_raw_to_processed()",
                            "    - mm/slub: Fix cmp_loc_by_count() to return 0 when counts are equal",
                            "    - tools: ynl: fix undefined variable name",
                            "    - RDMA/mlx5: Fix page size bitmap calculation for KSM mode",
                            "    - netfilter: ipset: Remove unused htable_bits in macro ahash_region",
                            "    - ipvs: Use READ_ONCE/WRITE_ONCE for ipvs->enable",
                            "    - HID: steelseries: Fix STEELSERIES_SRWS1 handling in steelseries_remove()",
                            "    - watchdog: intel_oc_wdt: Do not try to write into const memory",
                            "    - watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the",
                            "      watchdog",
                            "    - PCI: endpoint: pci-epf-test: Fix doorbell test support",
                            "    - drivers/base/node: handle error properly in register_one_node()",
                            "    - RDMA/cm: Rate limit destroy CM ID timeout error message",
                            "    - wifi: mt76: mt7996: Fix mt7996_mcu_sta_ba wcid configuration",
                            "    - wifi: mt76: mt7996: Fix mt7996_mcu_bss_mld_tlv routine",
                            "    - wifi: mt76: fix potential memory leak in mt76_wmac_probe()",
                            "    - wifi: mt76: mt7996: Use proper link_id in link_sta_rc_update callback",
                            "    - wifi: mt76: mt7996: Check phy before init msta_link in",
                            "      mt7996_mac_sta_add_links()",
                            "    - wifi: mt76: mt7996: Fix tx-queues initialization for second phy on",
                            "      mt7996",
                            "    - wifi: mt76: mt7996: Fix RX packets configuration for primary WED device",
                            "    - wifi: mt76: mt7996: Convert mt7996_wed_rro_addr to LE",
                            "    - wifi: mt76: mt7915: fix mt7981 pre-calibration",
                            "    - wifi: mt76: mt7996: remove redundant per-phy mac80211 calls during",
                            "      restart",
                            "    - ASoC: Intel: hda-sdw-bpt: set persistent_buffer false",
                            "    - srcu/tiny: Remove preempt_disable/enable() in srcu_gp_start_if_needed()",
                            "    - drm/amdgpu: Fix allocating extra dwords for rings (v2)",
                            "    - f2fs: fix to update map->m_next_extent correctly in f2fs_map_blocks()",
                            "    - f2fs: fix to truncate first page in error path of f2fs_truncate()",
                            "    - f2fs: fix to avoid migrating empty section",
                            "    - f2fs: fix to mitigate overhead of f2fs_zero_post_eof_page()",
                            "    - RISC-V: KVM: Write hgatp register with valid mode bits",
                            "    - ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on",
                            "      PREEMPT_RT",
                            "    - ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message",
                            "    - scsi: qla2xxx: edif: Fix incorrect sign of error code",
                            "    - scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES()",
                            "    - scsi: qla2xxx: Fix incorrect sign of error code in qla_nvme_xmt_ls_rsp()",
                            "    - HID: hidraw: tighten ioctl command parsing",
                            "    - f2fs: fix zero-sized extent for precache extents",
                            "    - smc: Fix use-after-free in __pnet_find_base_ndev().",
                            "    - smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().",
                            "    - smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().",
                            "    - smc: Use __sk_dst_get() and dst_dev_rcu() in smc_vlan_by_tcpsk().",
                            "    - tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().",
                            "    - mptcp: Call dst_release() in mptcp_active_enable().",
                            "    - mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable().",
                            "    - Revert \"usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems",
                            "      Running\"",
                            "    - RDMA/core: Resolve MAC of next-hop device without ARP support",
                            "    - IB/sa: Fix sa_local_svc_timeout_ms read race",
                            "    - Documentation: trace: historgram-design: Separate sched_waking histogram",
                            "      section heading and the following diagram",
                            "    - ASoC: SOF: ipc4-pcm: Fix incorrect comparison with number of tdm_slots",
                            "    - wifi: ath12k: initialize eirp_power before use",
                            "    - wifi: ath12k: fix overflow warning on num_pwr_levels",
                            "    - wifi: ath12k: fix signal in radiotap for WCN7850",
                            "    - wifi: ath12k: fix HAL_PHYRX_COMMON_USER_INFO handling in monitor mode",
                            "    - wifi: ath12k: fix the fetching of combined rssi",
                            "    - wifi: ath12k: Add fallback for invalid channel number in PHY metadata",
                            "    - wifi: ath12k: fix wrong logging ID used for CE",
                            "    - wifi: ath10k: avoid unnecessary wait for service ready message",
                            "    - iommu/vt-d: debugfs: Fix legacy mode page table dump logic",
                            "    - wifi: mac80211: fix Rx packet handling when pubsta information is not",
                            "      available",
                            "    - ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      UltraSPARC",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      UltraSPARC III",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      Niagara",
                            "    - sparc: fix accurate exception reporting in copy_to_user for Niagara 4",
                            "    - sparc: fix accurate exception reporting in copy_{from,to}_user for M7",
                            "    - vfio/pds: replace bitmap_free with vfree",
                            "    - crypto: comp - Use same definition of context alloc and free ops",
                            "    - crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs",
                            "    - wifi: ath12k: Fix peer lookup in ath12k_dp_mon_rx_deliver_msdu()",
                            "    - rpmsg: qcom_smd: Fix fallback to qcom,ipc parse",
                            "    - remoteproc: qcom_q6v5_mss: support loading MBN file on msm8974",
                            "    - RDMA/rxe: Fix race in do_task() when draining",
                            "    - selftests/mm: fix va_high_addr_switch.sh failure on x86_64",
                            "    - wifi: rtw89: fix leak in rtw89_core_send_nullfunc()",
                            "    - wifi: rtw89: avoid circular locking dependency in ser_state_run()",
                            "    - PCI: tegra194: Fix duplicate PLL disable in",
                            "      pex_ep_event_pex_rst_assert()",
                            "    - remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice",
                            "    - remoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E",
                            "    - wifi: ath12k: Refactor RX TID deletion handling into helper function",
                            "    - wifi: ath12k: Fix flush cache failure during RX queue update",
                            "    - wifi: cfg80211: fix width unit in cfg80211_radio_chandef_valid()",
                            "    - dm vdo: return error on corrupted metadata in start_restoring_volume",
                            "      functions",
                            "    - coresight: fix indentation error in cscfg_remove_owned_csdev_configs()",
                            "    - coresight-etm4x: Conditionally access register TRCEXTINSELR",
                            "    - coresight: tmc: Support atclk",
                            "    - coresight: catu: Support atclk",
                            "    - coresight: etm4x: Support atclk",
                            "    - coresight: Appropriately disable programming clocks",
                            "    - coresight: Appropriately disable trace bus clocks",
                            "    - coresight: Avoid enable programming clock duplicately",
                            "    - coresight: trbe: Return NULL pointer for allocation failures",
                            "    - coresight: tpda: fix the logic to setup the element size",
                            "    - coresight: Fix incorrect handling for return value of devm_kzalloc",
                            "    - NFSv4.1: fix backchannel max_resp_sz verification check",
                            "    - net: ethtool: tsconfig: set command must provide a reply",
                            "    - netfilter: nfnetlink: reset nlh pointer during batch replay",
                            "    - netfilter: nf_conntrack: do not skip entries in /proc/net/nf_conntrack",
                            "    - scsi: ufs: core: Fix data race in CPU latency PM QoS request handling",
                            "    - scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()",
                            "    - usb: vhci-hcd: Prevent suspending virtually attached devices",
                            "    - PCI: rcar-gen4: Add missing 1ms delay after PWR reset assertion",
                            "    - PCI: rcar-gen4: Assure reset occurs before DBI access",
                            "    - PCI: rcar-gen4: Fix inverted break condition in PHY initialization",
                            "    - ASoC: qcom: sc8280xp: use sa8775p/ subdir for QCS9100 / QCS9075",
                            "    - iommu/vt-d: Disallow dirty tracking if incoherent page walk",
                            "    - iommu/selftest: prevent use of uninitialized variable",
                            "    - RDMA/siw: Always report immediate post SQ errors",
                            "    - net: enetc: Fix probing error message typo for the ENETCv4 PF driver",
                            "    - net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast",
                            "    - ptp: Add a upper bound on max_vclocks",
                            "    - vhost: vringh: Fix copy_to_iter return value check",
                            "    - net: macb: remove illusion about TBQPH/RBQPH being per-queue",
                            "    - net: macb: move ring size computation to functions",
                            "    - net: macb: single dma_alloc_coherent() for DMA descriptors",
                            "    - Bluetooth: btintel_pcie: Refactor Device Coredump",
                            "    - Bluetooth: MGMT: Fix not exposing debug UUID on",
                            "      MGMT_OP_READ_EXP_FEATURES_INFO",
                            "    - Bluetooth: ISO: Fix possible UAF on iso_conn_free",
                            "    - Bluetooth: ISO: free rx_skb if not consumed",
                            "    - Bluetooth: ISO: don't leak skb in ISO_CONT RX",
                            "    - Bluetooth: hci_sync: Fix using random address for BIG/PA advertisements",
                            "    - KEYS: X.509: Fix Basic Constraints CA flag parsing",
                            "    - hwrng: ks-sa - fix division by zero in ks_sa_rng_init",
                            "    - cramfs: fix incorrect physical page address calculation",
                            "    - ocfs2: fix double free in user_cluster_connect()",
                            "    - drivers/base/node: fix double free in register_one_node()",
                            "    - f2fs: fix UAF issue in f2fs_merge_page_bio()",
                            "    - mtd: rawnand: atmel: Fix error handling path in",
                            "      atmel_nand_controller_add_nands",
                            "    - PCI: j721e: Fix incorrect error message in probe()",
                            "    - idpf: fix mismatched free function for dma_alloc_coherent",
                            "    - tcp: use skb->len instead of skb->truesize in tcp_can_ingest()",
                            "    - nfp: fix RSS hash key size when RSS is not supported",
                            "    - net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not",
                            "      configurable",
                            "    - net: dlink: handle copy_thresh allocation failure",
                            "    - net/mlx5: Stop polling for command response if interface goes down",
                            "    - net/mlx5: pagealloc: Fix reclaim race during command interface teardown",
                            "    - net/mlx5: fw reset, add reset timeout work",
                            "    - smb: client: fix crypto buffers in non-linear memory",
                            "    - bonding: fix xfrm offload feature setup on active-backup mode",
                            "    - net: enetc: initialize SW PIR and CIR based HW PIR and CIR values",
                            "    - iommufd: Register iommufd mock devices with fwspec",
                            "    - Revert \"net/mlx5e: Update and set Xon/Xoff upon MTU set\"",
                            "    - NFSD: filecache: add STATX_DIOALIGN and STATX_DIO_READ_ALIGN support",
                            "    - nfs/localio: avoid issuing misaligned IO using O_DIRECT",
                            "    - octeontx2-vf: fix bitmap leak",
                            "    - octeontx2-pf: fix bitmap leak",
                            "    - vhost: vringh: Modify the return value check",
                            "    - selftests/bpf: Fix typos and grammar in test sources",
                            "    - selftests/bpf: move get_ksyms and get_addrs to trace_helpers.c",
                            "    - selftests/bpf: Fix realloc size in bpf_get_addrs",
                            "    - bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer",
                            "    - bpf: Reject negative offsets for ALU ops",
                            "    - tpm: Disable TPM2_TCG_HMAC by default",
                            "    - ALSA: hda/hdmi: Add pin fix for HP ProDesk model",
                            "    - ALSA: hda/realtek: Add quirk for HP Spectre 14t-ea100",
                            "    - Squashfs: fix uninit-value in squashfs_get_parent",
                            "    - uio_hv_generic: Let userspace take care of interrupt mask",
                            "    - hisi_acc_vfio_pci: Fix reference leak in hisi_acc_vfio_debug_init",
                            "    - io_uring/waitid: always prune wait queue entry in io_waitid_wait()",
                            "    - io_uring/zcrx: fix overshooting recv limit",
                            "    - ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()",
                            "    - ASoC: SOF: ipc3-topology: Fix multi-core and static pipelines tear down",
                            "    - ASoC: codecs: wcd937x: set the comp soundwire port correctly",
                            "    - ASoC: codecs: wcd937x: make stub functions inline",
                            "    - ASoC: SOF: ipc4-pcm: fix delay calculation when DSP resamples",
                            "    - ASoC: SOF: ipc4-pcm: fix start offset calculation for chain DMA",
                            "    - fs: udf: fix OOB read in lengthAllocDescs handling",
                            "    - net: nfc: nci: Add parameter validation for packet data",
                            "    - mfd: rz-mtu3: Fix MTU5 NFCR register offset",
                            "    - mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag",
                            "    - mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data()",
                            "    - tracing: Fix lock imbalance in s_start() memory allocation failure path",
                            "    - tracing: Fix race condition in kprobe initialization causing NULL",
                            "      pointer dereference",
                            "    - tracing: Fix wakeup tracers on failure of acquiring calltime",
                            "    - tracing: Fix irqoff tracers on failure of acquiring calltime",
                            "    - tracing: Have trace_marker use per-cpu data to read user space",
                            "    - tracing: Fix tracing_mark_raw_write() to use buf and not ubuf",
                            "    - tracing: Stop fortify-string from warning in tracing_mark_raw_write()",
                            "    - dm: fix queue start/stop imbalance under suspend/load/resume races",
                            "    - dm: fix NULL pointer dereference in __dm_suspend()",
                            "    - LoongArch: Automatically disable kaslr if boot from kexec_file",
                            "    - pwm: loongson: Fix LOONGSON_PWM_FREQ_DEFAULT",
                            "    - LoongArch: BPF: Sign-extend struct ops return values properly",
                            "    - LoongArch: BPF: No support of struct argument in trampoline programs",
                            "    - LoongArch: BPF: Don't align trampoline size",
                            "    - LoongArch: BPF: Make trampoline size stable",
                            "    - LoongArch: BPF: Make error handling robust in",
                            "      arch_prepare_bpf_trampoline()",
                            "    - LoongArch: BPF: Remove duplicated bpf_flush_icache()",
                            "    - LoongArch: BPF: No text_poke() for kernel text",
                            "    - LoongArch: BPF: Remove duplicated flags check",
                            "    - LoongArch: BPF: Fix uninitialized symbol 'retval_off'",
                            "    - mm/ksm: fix flag-dropping behavior in ksm_madvise",
                            "    - ksmbd: Fix race condition in RPC handle list access",
                            "    - ksmbd: fix error code overwriting in smb2_get_info_filesystem()",
                            "    - ksmbd: add max ip connections parameter",
                            "    - ext4: fix potential null deref in ext4_mb_init()",
                            "    - ext4: fix checks for orphan inodes",
                            "    - KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid",
                            "    - fbdev: simplefb: Fix use after free in simplefb_detach_genpds()",
                            "    - mm: hugetlb: avoid soft lockup when mprotect to large memory area",
                            "    - selftests/mm: skip soft-dirty tests when CONFIG_MEM_SOFT_DIRTY is",
                            "      disabled",
                            "    - nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()",
                            "    - misc: fastrpc: Save actual DMA size in fastrpc_map structure",
                            "    - misc: fastrpc: Fix fastrpc_map_lookup operation",
                            "    - misc: fastrpc: fix possible map leak in fastrpc_put_args",
                            "    - misc: fastrpc: Skip reference for DMA handles",
                            "    - Input: atmel_mxt_ts - allow reset GPIO to sleep",
                            "    - Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info",
                            "      leak",
                            "    - sunrpc: fix null pointer dereference on zero-length checksum",
                            "    - PCI/AER: Avoid NULL pointer dereference in aer_ratelimit()",
                            "    - remoteproc: pru: Fix potential NULL pointer dereference in",
                            "      pru_rproc_set_ctable()",
                            "    - PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before",
                            "      release",
                            "    - thunderbolt: Fix use-after-free in tb_dp_dprx_work",
                            "    - tee: fix register_shm_helper()",
                            "    - pinctrl: check the return value of pinmux_ops::get_function_name()",
                            "    - bus: fsl-mc: Check return value of platform_get_resource()",
                            "    - net/9p: Fix buffer overflow in USB transport layer",
                            "    - net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock",
                            "    - usb: typec: tipd: Clear interrupts first",
                            "    - arm64: dts: qcom: qcm2290: Disable USB SS bus instances in park mode",
                            "    - usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call",
                            "    - scsi: ufs: core: Fix PM QoS mutex initialization",
                            "    - drm/amdgpu/vcn: Fix double-free of vcn dump buffer",
                            "    - Linux 6.17.3",
                            "  * CVE-2025-40019",
                            "    - crypto: essiv - Check ssize for decryption and in-place encryption",
                            "  * CVE-2025-40214",
                            "    - af_unix: Initialise scc_index in unix_add_edge().",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [SAUCE] Fix selftest/net/rtnetlink.sh for Big Endian",
                            ""
                        ],
                        "package": "linux-riscv",
                        "version": "6.17.0-14.14.1",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2137845,
                            1786013,
                            2137849,
                            1786013,
                            2136820,
                            2137698,
                            2129812,
                            2125022,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136813,
                            2132317,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2132095,
                            2131046,
                            2115860,
                            2128792,
                            2121852,
                            2131259,
                            2131259,
                            2131702,
                            2129610
                        ],
                        "author": "Sarah Emery <sarah.emery@canonical.com>",
                        "date": "Fri, 23 Jan 2026 09:46:46 +0100"
                    }
                ],
                "notes": "linux-modules-6.17.0-14-generic version '6.17.0-14.14.1' (source package linux-riscv version '6.17.0-14.14.1') was added. linux-modules-6.17.0-14-generic version '6.17.0-14.14.1' has the same source package name, linux-riscv, as removed package linux-headers-6.17.0-12-generic. As such we can use the source package version of the removed package, '6.17.0-12.12.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-riscv-headers-6.17.0-14",
                "from_version": {
                    "source_package_name": "linux-riscv",
                    "source_package_version": "6.17.0-12.12.1",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-riscv",
                    "source_package_version": "6.17.0-14.14.1",
                    "version": "6.17.0-14.14.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-40256",
                        "url": "https://ubuntu.com/security/CVE-2025-40256",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added  In commit b441cf3f8c4b (\"xfrm: delete x->tunnel as we delete x\"), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists.  In this situation, ->init_state has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn't go through __xfrm_state_delete, so we don't call xfrm_state_delete_tunnel for those states, and we end up leaking the FB tunnel.  There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrm_migrate, xfrm_state_migrate). A \"proper\" rollback of the init_state work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved.  At some point, the new (not-inserted) state will be destroyed, so call xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states will have their fallback tunnel cleaned up during __xfrm_state_delete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68204",
                        "url": "https://ubuntu.com/security/CVE-2025-68204",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pmdomain: arm: scmi: Fix genpd leak on provider registration failure  If of_genpd_add_provider_onecell() fails during probe, the previously created generic power domains are not removed, leading to a memory leak and potential kernel crash later in genpd_debug_add().  Add proper error handling to unwind the initialized domains before returning from probe to ensure all resources are correctly released on failure.  Example crash trace observed without this fix:    | Unable to handle kernel paging request at virtual address fffffffffffffc70   | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT   | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform   | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)   | pc : genpd_debug_add+0x2c/0x160   | lr : genpd_debug_init+0x74/0x98   | Call trace:   |  genpd_debug_add+0x2c/0x160 (P)   |  genpd_debug_init+0x74/0x98   |  do_one_initcall+0xd0/0x2d8   |  do_initcall_level+0xa0/0x140   |  do_initcalls+0x60/0xa8   |  do_basic_setup+0x28/0x40   |  kernel_init_freeable+0xe8/0x170   |  kernel_init+0x2c/0x140   |  ret_from_fork+0x10/0x20",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68203",
                        "url": "https://ubuntu.com/security/CVE-2025-68203",
                        "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40267",
                        "url": "https://ubuntu.com/security/CVE-2025-40267",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/rw: ensure allocated iovec gets cleared for early failure  A previous commit reused the recyling infrastructure for early cleanup, but this is not enough for the case where our internal caches have overflowed. If this happens, then the allocated iovec can get leaked if the request is also aborted early.  Reinstate the previous forced free of the iovec for that situation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68198",
                        "url": "https://ubuntu.com/security/CVE-2025-68198",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crash: fix crashkernel resource shrink  When crashkernel is configured with a high reservation, shrinking its value below the low crashkernel reservation causes two issues:  1. Invalid crashkernel resource objects 2. Kernel crash if crashkernel shrinking is done twice  For example, with crashkernel=200M,high, the kernel reserves 200MB of high memory and some default low memory (say 256MB).  The reservation appears as:  cat /proc/iomem | grep -i crash af000000-beffffff : Crash kernel 433000000-43f7fffff : Crash kernel  If crashkernel is then shrunk to 50MB (echo 52428800 > /sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved: af000000-beffffff : Crash kernel  Instead, it should show 50MB: af000000-b21fffff : Crash kernel  Further shrinking crashkernel to 40MB causes a kernel crash with the following trace (x86):  BUG: kernel NULL pointer dereference, address: 0000000000000038 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI <snip...> Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2f0 ? search_module_extables+0x19/0x60 ? search_bpf_extables+0x5f/0x80 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? __release_resource+0xd/0xb0 release_resource+0x26/0x40 __crash_shrink_memory+0xe5/0x110 crash_shrink_memory+0x12a/0x190 kexec_crash_size_store+0x41/0x80 kernfs_fop_write_iter+0x141/0x1f0 vfs_write+0x294/0x460 ksys_write+0x6d/0xf0 <snip...>  This happens because __crash_shrink_memory()/kernel/crash_core.c incorrectly updates the crashk_res resource object even when crashk_low_res should be updated.  Fix this by ensuring the correct crashkernel resource object is updated when shrinking crashkernel memory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68199",
                        "url": "https://ubuntu.com/security/CVE-2025-68199",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext  When alloc_slab_obj_exts() fails and then later succeeds in allocating a slab extension vector, it calls handle_failed_objexts_alloc() to mark all objects in the vector as empty.  As a result all objects in this slab (slabA) will have their extensions set to CODETAG_EMPTY.  Later on if this slabA is used to allocate a slabobj_ext vector for another slab (slabB), we end up with the slabB->obj_exts pointing to a slabobj_ext vector that itself has a non-NULL slabobj_ext equal to CODETAG_EMPTY.  When slabB gets freed, free_slab_obj_exts() is called to free slabB->obj_exts vector.   free_slab_obj_exts() calls mark_objexts_empty(slabB->obj_exts) which will generate a warning because it expects slabobj_ext vectors to have a NULL obj_ext, not CODETAG_EMPTY.  Modify mark_objexts_empty() to skip the warning and setting the obj_ext value if it's already set to CODETAG_EMPTY.   To quickly detect this WARN, I modified the code from WARN_ON(slab_exts[offs].ref.ct) to BUG_ON(slab_exts[offs].ref.ct == 1);  We then obtained this message:  [21630.898561] ------------[ cut here ]------------ [21630.898596] kernel BUG at mm/slub.c:2050! 
[21630.898611] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [21630.900372] Modules linked in: squashfs isofs vfio_iommu_type1 vhost_vsock vfio vhost_net vmw_vsock_virtio_transport_common vhost tap vhost_iotlb iommufd vsock binfmt_misc nfsv3 nfs_acl nfs lockd grace netfs tls rds dns_resolver tun brd overlay ntfs3 exfat btrfs blake2b_generic xor xor_neon raid6_pq loop sctp ip6_udp_tunnel udp_tunnel nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables rfkill ip_set sunrpc vfat fat joydev sg sch_fq_codel nfnetlink virtio_gpu sr_mod cdrom drm_client_lib virtio_dma_buf drm_shmem_helper drm_kms_helper drm ghash_ce backlight virtio_net virtio_blk virtio_scsi net_failover virtio_console failover virtio_mmio dm_mirror dm_region_hash dm_log dm_multipath dm_mod fuse i2c_dev virtio_pci virtio_pci_legacy_dev virtio_pci_modern_dev virtio virtio_ring autofs4 aes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject] [21630.909177] CPU: 3 UID: 0 PID: 3787 Comm: kylin-process-m Kdump: loaded Tainted: G        W           6.18.0-rc1+ #74 PREEMPT(voluntary) [21630.910495] Tainted: [W]=WARN [21630.910867] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 [21630.911625] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [21630.912392] pc : __free_slab+0x228/0x250 [21630.912868] lr : __free_slab+0x18c/0x250[21630.913334] sp : ffff8000a02f73e0 [21630.913830] x29: ffff8000a02f73e0 x28: fffffdffc43fc800 x27: ffff0000c0011c40 [21630.914677] x26: ffff0000c000cac0 x25: ffff00010fe5e5f0 x24: ffff000102199b40 [21630.915469] x23: 0000000000000003 x22: 0000000000000003 x21: ffff0000c0011c40 [21630.916259] x20: fffffdffc4086600 x19: fffffdffc43fc800 x18: 0000000000000000 [21630.917048] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [21630.917837] x14: 0000000000000000 x13: 0000000000000000 x12: ffff70001405ee66 
[21630.918640] x11: 1ffff0001405ee65 x10: ffff70001405ee65 x9 : ffff800080a295dc [21630.919442] x8 : ffff8000a02f7330 x7 : 0000000000000000 x6 : 0000000000003000 [21630.920232] x5 : 0000000024924925 x4 : 0000000000000001 x3 : 0000000000000007 [21630.921021] x2 : 0000000000001b40 x1 : 000000000000001f x0 : 0000000000000001 [21630.921810] Call trace: [21630.922130]  __free_slab+0x228/0x250 (P) [21630.922669]  free_slab+0x38/0x118 [21630.923079]  free_to_partial_list+0x1d4/0x340 [21630.923591]  __slab_free+0x24c/0x348 [21630.924024]  ___cache_free+0xf0/0x110 [21630.924468]  qlist_free_all+0x78/0x130 [21630.924922]  kasan_quarantine_reduce+0x11 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40268",
                        "url": "https://ubuntu.com/security/CVE-2025-40268",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cifs: client: fix memory leak in smb3_fs_context_parse_param  The user calls fsconfig twice, but when the program exits, free() only frees ctx->source for the second fsconfig, not the first. Regarding fc->source, there is no code in the fs context related to its memory reclamation.  To fix this memory leak, release the source memory corresponding to ctx or fc before each parsing.  syzbot reported: BUG: memory leak unreferenced object 0xffff888128afa360 (size 96):   backtrace (crc 79c9c7ba):     kstrdup+0x3c/0x80 mm/util.c:84     smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444  BUG: memory leak unreferenced object 0xffff888112c7d900 (size 96):   backtrace (crc 79c9c7ba):     smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629     smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40269",
                        "url": "https://ubuntu.com/security/CVE-2025-40269",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix potential overflow of PCM transfer buffer  The PCM stream data in USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically.  The packet sizes are limited by some factors such as wMaxPacketSize USB descriptor.  OTOH, in the current code, the actually used packet sizes are determined only by the rate and the PPS, which may be bigger than the size limit above.  This results in a buffer overflow, as reported by syzbot.  Basically when the limit is smaller than the calculated packet size, it implies that something is wrong, most likely a weird USB descriptor.  So the best option would be just to return an error at the parameter setup time before doing any further operations.  This patch introduces such a sanity check, and returns -EINVAL when the packet size is greater than maxpacksize.  The comparison with ep->packsize[1] alone should suffice since it's always equal or greater than ep->packsize[0].",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68205",
                        "url": "https://ubuntu.com/security/CVE-2025-68205",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver  After restructuring and splitting the HDMI codec driver code, each HDMI codec driver contains the own build_controls and build_pcms ops. A copy-n-paste error put the wrong entries for nvhdmi-mcp driver; both build_controls and build_pcms are swapped.  Unfortunately both callbacks have the very same form, and the compiler didn't complain it, either.  This resulted in a NULL dereference because the PCM instance hasn't been initialized at calling the build_controls callback.  Fix it by passing the proper entries.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40270",
                        "url": "https://ubuntu.com/security/CVE-2025-40270",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm, swap: fix potential UAF issue for VMA readahead  Since commit 78524b05f1a3 (\"mm, swap: avoid redundant swap device pinning\"), the common helper for allocating and preparing a folio in the swap cache layer no longer tries to get a swap device reference internally, because all callers of __read_swap_cache_async are already holding a swap entry reference.  The repeated swap device pinning isn't needed on the same swap device.  Caller of VMA readahead is also holding a reference to the target entry's swap device, but VMA readahead walks the page table, so it might encounter swap entries from other devices, and call __read_swap_cache_async on another device without holding a reference to it.  So it is possible to cause a UAF when swapoff of device A raced with swapin on device B, and VMA readahead tries to read swap entries from device A.  It's not easy to trigger, but in theory, it could cause real issues.  Make VMA readahead try to get the device reference first if the swap device is a different one from the target entry.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40271",
                        "url": "https://ubuntu.com/security/CVE-2025-40271",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/proc: fix uaf in proc_readdir_de()  Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which may result in uaf access.  We should use RB_CLEAR_NODE() set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access.  We found an uaf issue while using stress-ng testing, need to run testcase getdent and tun in the same time.  The steps of the issue is as follows:  1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current    pde is tun3;  2) in the [time windows] unregister netdevice tun3 and tun2, and erase    them from rbtree.  erase tun3 first, and then erase tun2.  the    pde(tun2) will be released to slab;  3) continue to getdent process, then pde_subdir_next() will return    pde(tun2) which is released, it will case uaf access.  CPU 0                                      |    CPU 1 ------------------------------------------------------------------------- traverse dir /proc/pid/net/dev_snmp6/      |  unregister_netdevice(tun->dev)   //tun3 tun2 sys_getdents64()                           |   iterate_dir()                            |     proc_readdir()                         |       proc_readdir_de()                    |     snmp6_unregister_dev()         pde_get(de);                       |       proc_remove()         read_unlock(&proc_subdir_lock);    |         remove_proc_subtree()                                            |          write_lock(&proc_subdir_lock);         [time window]                      |          rb_erase(&root->subdir_node, &parent->subdir);                                            |          write_unlock(&proc_subdir_lock);         read_lock(&proc_subdir_lock);      |         next = pde_subdir_next(de);        |         pde_put(de);                       |         de = next;    //UAF                |  rbtree of dev_snmp6                         |        
             pde(tun3)                      /    \\                   NULL  pde(tun2)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40272",
                        "url": "https://ubuntu.com/security/CVE-2025-40272",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/secretmem: fix use-after-free race in fault handler  When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping.  If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in adding the folio to the file mapping.  The task that failed undoes the effects of its attempt by (a) freeing the folio again and (b) putting the page back into the direct map.  However, by doing these two operations in this order, the page becomes available to the allocator again before it is placed back in the direct mapping.  If another task attempts to allocate the page between (a) and (b), and the kernel tries to access it via the direct map, it would result in a supervisor not-present page fault.  Fix the ordering to restore the direct map before the folio is freed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68245",
                        "url": "https://ubuntu.com/security/CVE-2025-68245",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: netpoll: fix incorrect refcount handling causing incorrect cleanup  commit efa95b01da18 (\"netpoll: fix use after free\") incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks.  Scenario causing lack of proper cleanup:  1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is    allocated, and refcnt = 1    - Keep in mind that npinfo is shared among all netpoll instances. In      this case, there is just one.  2) Another netpoll is also associated with the same NIC and    npinfo->refcnt += 1.    - Now dev->npinfo->refcnt = 2;    - There is just one npinfo associated to the netdev.  3) When the first netpolls goes to clean up:    - The first cleanup succeeds and clears np->dev->npinfo, ignoring      refcnt.      - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);`    - Set dev->npinfo = NULL, without proper cleanup    - No ->ndo_netpoll_cleanup() is either called  4) Now the second target tries to clean up    - The second cleanup fails because np->dev->npinfo is already NULL.      * In this case, ops->ndo_netpoll_cleanup() was never called, and        the skb pool is not cleaned as well (for the second netpoll        instance)   - This leaks npinfo and skbpool skbs, which is clearly reported by     kmemleak.  Revert commit efa95b01da18 (\"netpoll: fix use after free\") and adds clarifying comments emphasizing that npinfo cleanup should only happen once the refcount reaches zero, ensuring stable and correct netpoll behavior.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68240",
                        "url": "https://ubuntu.com/security/CVE-2025-68240",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: avoid having an active sc_timer before freeing sci  Because kthread_stop did not stop sc_task properly and returned -EINTR, the sc_timer was not properly closed, ultimately causing the problem [1] reported by syzbot when freeing sci due to the sc_timer not being closed.  Because the thread sc_task main function nilfs_segctor_thread() returns 0 when it succeeds, when the return value of kthread_stop() is not 0 in nilfs_segctor_destroy(), we believe that it has not properly closed sc_timer.  We use timer_shutdown_sync() to sync wait for sc_timer to shutdown, and set the value of sc_task to NULL under the protection of lock sc_state_lock, so as to avoid the issue caused by sc_timer not being properly shutdowned.  [1] ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: nilfs_construction_timeout Call trace:  nilfs_segctor_destroy fs/nilfs2/segment.c:2811 [inline]  nilfs_detach_log_writer+0x668/0x8cc fs/nilfs2/segment.c:2877  nilfs_put_super+0x4c/0x12c fs/nilfs2/super.c:509",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68241",
                        "url": "https://ubuntu.com/security/CVE-2025-68241",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe  The sit driver's packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random.  The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exception() can fetch the soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a new dst using a dst_hold(). When the original fnheX is freed via RCU, the dst reference remains permanently leaked.  CPU 0                             CPU 1 __mkroute_output()   find_exception() [fnheX]                                   update_or_create_fnhe()                                     fnhe_remove_oldest() [fnheX]   rt_bind_exception() [bind dst]                                   RCU callback [fnheX freed, dst leak]  This issue manifests as a device reference count leak and a warning in dmesg when unregistering the net device:    unregister_netdevice: waiting for sitX to become free. Usage count = N  Ido Schimmel provided the simple test validation method [1].  The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes(). Since rt_bind_exception() checks this field, setting it to zero prevents the stale fnhe from being reused and bound to a new dst just before it is freed.  
[1] ip netns add ns1 ip -n ns1 link set dev lo up ip -n ns1 address add 192.0.2.1/32 dev lo ip -n ns1 link add name dummy1 up type dummy ip -n ns1 route add 192.0.2.2/32 dev dummy1 ip -n ns1 link add name gretap1 up arp off type gretap \\     local 192.0.2.1 remote 192.0.2.2 ip -n ns1 route add 198.51.0.0/16 dev gretap1 taskset -c 0 ip netns exec ns1 mausezahn gretap1 \\     -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & taskset -c 2 ip netns exec ns1 mausezahn gretap1 \\     -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & sleep 10 ip netns pids ns1 | xargs kill ip netns del ns1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68211",
                        "url": "https://ubuntu.com/security/CVE-2025-68211",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksm: use range-walk function to jump over holes in scan_get_next_rmap_item  Currently, scan_get_next_rmap_item() walks every page address in a VMA to locate mergeable pages.  This becomes highly inefficient when scanning large virtual memory areas that contain mostly unmapped regions, causing ksmd to use large amount of cpu without deduplicating much pages.  This patch replaces the per-address lookup with a range walk using walk_page_range().  The range walker allows KSM to skip over entire unmapped holes in a VMA, avoiding unnecessary lookups.  This problem was previously discussed in [1].  Consider the following test program which creates a 32 TiB mapping in the virtual address space but only populates a single page:  #include <unistd.h> #include <stdio.h> #include <sys/mman.h>  /* 32 TiB */ const size_t size = 32ul * 1024 * 1024 * 1024 * 1024;  int main() {         char *area = mmap(NULL, size, PROT_READ | PROT_WRITE,                           MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1, 0);          if (area == MAP_FAILED) {                 perror(\"mmap() failed\\n\");                 return -1;         }          /* Populate a single page such that we get an anon_vma. */         *area = 0;          /* Enable KSM. */         madvise(area, size, MADV_MERGEABLE);         pause();         return 0; }  $ ./ksm-sparse  & $ echo 1 > /sys/kernel/mm/ksm/run  Without this patch ksmd uses 100% of the cpu for a long time (more then 1 hour in my test machine) scanning all the 32 TiB virtual address space that contain only one mapped page.  This makes ksmd essentially deadlocked not able to deduplicate anything of value.  With this patch ksmd walks only the one mapped page and skips the rest of the 32 TiB virtual address space, making the scan fast using little cpu.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68246",
                        "url": "https://ubuntu.com/security/CVE-2025-68246",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: close accepted socket when per-IP limit rejects connection  When the per-IP connection limit is exceeded in ksmbd_kthread_fn(), the code sets ret = -EAGAIN and continues the accept loop without closing the just-accepted socket. That leaks one socket per rejected attempt from a single IP and enables a trivial remote DoS.  Release client_sk before continuing.  This bug was found with ZeroPath.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40273",
                        "url": "https://ubuntu.com/security/CVE-2025-40273",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: free copynotify stateid in nfs4_free_ol_stateid()  Typically copynotify stateid is freed either when parent's stateid is being close/freed or in nfsd4_laundromat if the stateid hasn't been used in a lease period.  However, in case when the server got an OPEN (which created a parent stateid), followed by a COPY_NOTIFY using that stateid, followed by a client reboot. New client instance while doing CREATE_SESSION would force expire previous state of this client. It leads to the open state being freed thru release_openowner-> nfs4_free_ol_stateid() and it finds that it still has copynotify stateid associated with it. We currently print a warning and is triggerred  WARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd]  This patch, instead, frees the associated copynotify stateid here.  If the parent stateid is freed (without freeing the copynotify stateids associated with it), it leads to the list corruption when laundromat ends up freeing the copynotify state later.  
[ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP [ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink [ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G    B   W           6.17.0-rc7+ #22 PREEMPT(voluntary) [ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN [ 1626.857573] Hardware name: VMware, Inc. 
VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024 [ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd] [ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.861182] sp : ffff8000881d7a40 [ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200 [ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20 [ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8 [ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000 [ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065 [ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3 [ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000 [ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001 [ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000 [ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d [ 1626.868167] Call trace: [ 1626.868382]  __list_del_entry_valid_or_report+0x148/0x200 (P) [ 1626.868876]  _free_cpntf_state_locked+0xd0/0x268 [nfsd] [ 1626.869368]  nfs4_laundromat+0x6f8/0x1058 [nfsd] [ 1626.869813]  laundromat_main+0x24/0x60 [nfsd] [ 1626.870231]  process_one_work+0x584/0x1050 [ 1626.870595]  worker_thread+0x4c4/0xc60 [ 1626.870893]  kthread+0x2f8/0x398 [ 1626.871146]  ret_from_fork+0x10/0x20 [ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000) [ 1626.871892] SMP: stopping secondary CPUs",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40212",
                        "url": "https://ubuntu.com/security/CVE-2025-40212",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfsd: fix refcount leak in nfsd_set_fh_dentry()  nfsd exports a \"pseudo root filesystem\" which is used by NFSv4 to find the various exported filesystems using LOOKUP requests from a known root filehandle.  NFSv3 uses the MOUNT protocol to find those exported filesystems and so is not given access to the pseudo root filesystem.  If a v3 (or v2) client uses a filehandle from that filesystem, nfsd_set_fh_dentry() will report an error, but still stores the export in \"struct svc_fh\" even though it also drops the reference (exp_put()). This means that when fh_put() is called an extra reference will be dropped which can lead to use-after-free and possible denial of service.  Normal NFS usage will not provide a pseudo-root filehandle to a v3 client.  This bug can only be triggered by the client synthesising an incorrect filehandle.  To fix this we move the assignments to the svc_fh later, after all possible error cases have been detected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-24 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40274",
                        "url": "https://ubuntu.com/security/CVE-2025-40274",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying  When unbinding a memslot from a guest_memfd instance, remove the bindings even if the guest_memfd file is dying, i.e. even if its file refcount has gone to zero.  If the memslot is freed before the file is fully released, nullifying the memslot side of the binding in kvm_gmem_release() will write to freed memory, as detected by syzbot+KASAN:    ==================================================================   BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353   Write of size 8 at addr ffff88807befa508 by task syz.0.17/6022    CPU: 0 UID: 0 PID: 6022 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025   Call Trace:    <TASK>    dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120    print_address_description mm/kasan/report.c:378 [inline]    print_report+0xca/0x240 mm/kasan/report.c:482    kasan_report+0x118/0x150 mm/kasan/report.c:595    kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353    __fput+0x44c/0xa70 fs/file_table.c:468    task_work_run+0x1d4/0x260 kernel/task_work.c:227    resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]    exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43    exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]    syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]    syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]    do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100    entry_SYSCALL_64_after_hwframe+0x77/0x7f   RIP: 0033:0x7fbeeff8efc9    </TASK>    Allocated by task 6023:    kasan_save_stack mm/kasan/common.c:56 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:77    poison_kmalloc_redzone mm/kasan/common.c:397 
[inline]    __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414    kasan_kmalloc include/linux/kasan.h:262 [inline]    __kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5758    kmalloc_noprof include/linux/slab.h:957 [inline]    kzalloc_noprof include/linux/slab.h:1094 [inline]    kvm_set_memory_region+0x747/0xb90 virt/kvm/kvm_main.c:2104    kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154    kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:597 [inline]    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    Freed by task 6023:    kasan_save_stack mm/kasan/common.c:56 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:77    kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584    poison_slab_object mm/kasan/common.c:252 [inline]    __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284    kasan_slab_free include/linux/kasan.h:234 [inline]    slab_free_hook mm/slub.c:2533 [inline]    slab_free mm/slub.c:6622 [inline]    kfree+0x19a/0x6d0 mm/slub.c:6829    kvm_set_memory_region+0x9c4/0xb90 virt/kvm/kvm_main.c:2130    kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154    kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:597 [inline]    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f  Deliberately don't acquire filemap invalid lock when the file is dying as the lifecycle of f_mapping is outside the purview of KVM.  
Dereferencing the mapping is *probably* fine, but there's no need to invalidate anything as memslot deletion is responsible for zapping SPTEs, and the only code that can access the dying file is kvm_gmem_release(), whose core code is mutual ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68202",
                        "url": "https://ubuntu.com/security/CVE-2025-68202",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Fix unsafe locking in the scx_dump_state()  For built with CONFIG_PREEMPT_RT=y kernels, the dump_lock will be converted sleepable spinlock and not disable-irq, so the following scenarios occur:  inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. irq_work/0/27 [HC0[0]:SC0[0]:HE1:SE1] takes: (&rq->__lock){?...}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x40 {IN-HARDIRQ-W} state was registered at:    lock_acquire+0x1e1/0x510    _raw_spin_lock_nested+0x42/0x80    raw_spin_rq_lock_nested+0x2b/0x40    sched_tick+0xae/0x7b0    update_process_times+0x14c/0x1b0    tick_periodic+0x62/0x1f0    tick_handle_periodic+0x48/0xf0    timer_interrupt+0x55/0x80    __handle_irq_event_percpu+0x20a/0x5c0    handle_irq_event_percpu+0x18/0xc0    handle_irq_event+0xb5/0x150    handle_level_irq+0x220/0x460    __common_interrupt+0xa2/0x1e0    common_interrupt+0xb0/0xd0    asm_common_interrupt+0x2b/0x40    _raw_spin_unlock_irqrestore+0x45/0x80    __setup_irq+0xc34/0x1a30    request_threaded_irq+0x214/0x2f0    hpet_time_init+0x3e/0x60    x86_late_time_init+0x5b/0xb0    start_kernel+0x308/0x410    x86_64_start_reservations+0x1c/0x30    x86_64_start_kernel+0x96/0xa0    common_startup_64+0x13e/0x148   other info that might help us debug this:  Possible unsafe locking scenario:          CPU0         ----    lock(&rq->__lock);    <Interrupt>      lock(&rq->__lock);    *** DEADLOCK ***   stack backtrace:  CPU: 0 UID: 0 PID: 27 Comm: irq_work/0  Call Trace:   <TASK>   dump_stack_lvl+0x8c/0xd0   dump_stack+0x14/0x20   print_usage_bug+0x42e/0x690   mark_lock.part.44+0x867/0xa70   ? __pfx_mark_lock.part.44+0x10/0x10   ? string_nocheck+0x19c/0x310   ? number+0x739/0x9f0   ? __pfx_string_nocheck+0x10/0x10   ? __pfx_check_pointer+0x10/0x10   ? kvm_sched_clock_read+0x15/0x30   ? sched_clock_noinstr+0xd/0x20   ? local_clock_noinstr+0x1c/0xe0   __lock_acquire+0xc4b/0x62b0   ? 
__pfx_format_decode+0x10/0x10   ? __pfx_string+0x10/0x10   ? __pfx___lock_acquire+0x10/0x10   ? __pfx_vsnprintf+0x10/0x10   lock_acquire+0x1e1/0x510   ? raw_spin_rq_lock_nested+0x2b/0x40   ? __pfx_lock_acquire+0x10/0x10   ? dump_line+0x12e/0x270   ? raw_spin_rq_lock_nested+0x20/0x40   _raw_spin_lock_nested+0x42/0x80   ? raw_spin_rq_lock_nested+0x2b/0x40   raw_spin_rq_lock_nested+0x2b/0x40   scx_dump_state+0x3b3/0x1270   ? finish_task_switch+0x27e/0x840   scx_ops_error_irq_workfn+0x67/0x80   irq_work_single+0x113/0x260   irq_work_run_list.part.3+0x44/0x70   run_irq_workd+0x6b/0x90   ? __pfx_run_irq_workd+0x10/0x10   smpboot_thread_fn+0x529/0x870   ? __pfx_smpboot_thread_fn+0x10/0x10   kthread+0x305/0x3f0   ? __pfx_kthread+0x10/0x10   ret_from_fork+0x40/0x70   ? __pfx_kthread+0x10/0x10   ret_from_fork_asm+0x1a/0x30   </TASK>  This commit therefore use rq_lock_irqsave/irqrestore() to replace rq_lock/unlock() in the scx_dump_state().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68239",
                        "url": "https://ubuntu.com/security/CVE-2025-68239",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  binfmt_misc: restore write access before closing files opened by open_exec()  bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed.  However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write operations on the same file to fail.  Fix this by calling exe_file_allow_write_access() before filp_close() to restore the write permission properly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68247",
                        "url": "https://ubuntu.com/security/CVE-2025-68247",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  posix-timers: Plug potential memory leak in do_timer_create()  When posix timer creation is set to allocate a given timer ID and the access to the user space value faults, the function terminates without freeing the already allocated posix timer structure.  Move the allocation after the user space access to cure that.  [ tglx: Massaged change log ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68208",
                        "url": "https://ubuntu.com/security/CVE-2025-68208",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: account for current allocated stack depth in widen_imprecise_scalars()  The usage pattern for widen_imprecise_scalars() looks as follows:      prev_st = find_prev_entry(env, ...);     queued_st = push_stack(...);     widen_imprecise_scalars(env, prev_st, queued_st);  Where prev_st is an ancestor of the queued_st in the explored states tree. This ancestor is not guaranteed to have the same allocated stack depth as queued_st. E.g. in the following case:      def main():       for i in 1..2:         foo(i)        // same callsite, different param      def foo(i):       if i == 1:         use 128 bytes of stack       iterator based loop  Here, for a second 'foo' call prev_st->allocated_stack is 128, while queued_st->allocated_stack is much smaller. widen_imprecise_scalars() needs to take this into account and avoid accessing bpf_verifier_state->frame[*]->stack out of bounds.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68200",
                        "url": "https://ubuntu.com/security/CVE-2025-68200",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Add bpf_prog_run_data_pointers()  syzbot found that cls_bpf_classify() is able to change tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().  WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline] WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214  struct tc_skb_cb has been added in commit ec624fe740b4 (\"net/sched: Extend qdisc control block with tc control block\"), which added a wrong interaction with db58ba459202 (\"bpf: wire in data and data_end for cls_act_bpf\").  drop_reason was added later.  Add bpf_prog_run_data_pointers() helper to save/restore the net_sched storage colliding with BPF data_meta/data_end.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40275",
                        "url": "https://ubuntu.com/security/CVE-2025-40275",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd  In snd_usb_create_streams(), for UAC version 3 devices, the Interface Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this call fails, a fallback routine attempts to obtain the IAD from the next interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, without performing a NULL check. This can lead to a NULL pointer dereference when usb_ifnum_to_if() fails to find the interface descriptor.  This patch adds a NULL pointer check after calling usb_ifnum_to_if() in snd_usb_mixer_controls_badd() to prevent the dereference.  This issue was discovered by syzkaller, which triggered the bug by sending a crafted USB device descriptor.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68242",
                        "url": "https://ubuntu.com/security/CVE-2025-68242",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS: Fix LTP test failures when timestamps are delegated  The utimes01 and utime06 tests fail when delegated timestamps are enabled, specifically in subtests that modify the atime and mtime fields using the 'nobody' user ID.  The problem can be reproduced as follows:  # echo \"/media *(rw,no_root_squash,sync)\" >> /etc/exports # export -ra # mount -o rw,nfsvers=4.2 127.0.0.1:/media /tmpdir # cd /opt/ltp # ./runltp -d /tmpdir -s utimes01 # ./runltp -d /tmpdir -s utime06  This issue occurs because nfs_setattr does not verify the inode's UID against the caller's fsuid when delegated timestamps are permitted for the inode.  This patch adds the UID check, and if it does not match, the request is sent to the server for permission checking.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68243",
                        "url": "https://ubuntu.com/security/CVE-2025-68243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS: Check the TLS certificate fields in nfs_match_client()  If the TLS security policy is of type RPC_XPRTSEC_TLS_X509, then the cert_serial and privkey_serial fields need to match as well since they define the client's identity, as presented to the server.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40276",
                        "url": "https://ubuntu.com/security/CVE-2025-40276",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/panthor: Flush shmem writes before mapping buffers CPU-uncached  The shmem layer zeroes out the new pages using cached mappings, and if we don't CPU-flush we might leave dirty cachelines behind, leading to potential data leaks and/or asynchronous buffer corruption when dirty cachelines are evicted.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40277",
                        "url": "https://ubuntu.com/security/CVE-2025-40277",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE  This data originates from userspace and is used in buffer offset calculations which could potentially overflow causing an out-of-bounds access.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68206",
                        "url": "https://ubuntu.com/security/CVE-2025-68206",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_ct: add seqadj extension for natted connections  Sequence adjustment may be required for FTP traffic with PASV/EPSV modes. due to need to re-write packet payload (IP, port) on the ftp control connection. This can require changes to the TCP length and expected seq / ack_seq.  The easiest way to reproduce this issue is with PASV mode. Example ruleset: table inet ftp_nat {         ct helper ftp_helper {                 type \"ftp\" protocol tcp                 l3proto inet         }          chain prerouting {                 type filter hook prerouting priority 0; policy accept;                 tcp dport 21 ct state new ct helper set \"ftp_helper\"         } } table ip nat {         chain prerouting {                 type nat hook prerouting priority -100; policy accept;                 tcp dport 21 dnat ip prefix to ip daddr map { \t\t\t192.168.100.1 : 192.168.13.2/32 }         }          chain postrouting {                 type nat hook postrouting priority 100 ; policy accept;                 tcp sport 21 snat ip prefix to ip saddr map { \t\t\t192.168.13.2 : 192.168.100.1/32 }         } }  Note that the ftp helper gets assigned *after* the dnat setup.  The inverse (nat after helper assign) is handled by an existing check in nf_nat_setup_info() and will not show the problem.  Topoloy:   +-------------------+     +----------------------------------+  | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |  +-------------------+     +----------------------------------+                                       |                          +-----------------------+                          | Client: 192.168.100.2 |                          +-----------------------+  ftp nat changes do not work as expected in this case: Connected to 192.168.100.1. [..] ftp> epsv EPSV/EPRT on IPv4 off. ftp> ls 227 Entering passive mode (192,168,100,1,209,129). 
421 Service not available, remote server has closed connection.  Kernel logs: Missing nfct_seqadj_ext_add() setup call WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41 [..]  __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]  nf_nat_ftp+0x142/0x280 [nf_nat_ftp]  help+0x4d1/0x880 [nf_conntrack_ftp]  nf_confirm+0x122/0x2e0 [nf_conntrack]  nf_hook_slow+0x3c/0xb0  ..  Fix this by adding the required extension when a conntrack helper is assigned to a connection that has a nat binding.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68209",
                        "url": "https://ubuntu.com/security/CVE-2025-68209",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mlx5: Fix default values in create CQ  Currently, CQs without a completion function are assigned the mlx5_add_cq_to_tasklet function by default. This is problematic since only user CQs created through the mlx5_ib driver are intended to use this function.  Additionally, all CQs that will use doorbells instead of polling for completions must call mlx5_cq_arm. However, the default CQ creation flow leaves a valid value in the CQ's arm_db field, allowing FW to send interrupts to polling-only CQs in certain corner cases.  These two factors would allow a polling-only kernel CQ to be triggered by an EQ interrupt and call a completion function intended only for user CQs, causing a null pointer exception.  Some areas in the driver have prevented this issue with one-off fixes but did not address the root cause.  This patch fixes the described issue by adding defaults to the create CQ flow. It adds a default dummy completion function to protect against null pointer exceptions, and it sets an invalid command sequence number by default in kernel CQs to prevent the FW from sending an interrupt to the CQ until it is armed. User CQs are responsible for their own initialization values.  Callers of mlx5_core_create_cq are responsible for changing the completion function and arming the CQ per their needs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40278",
                        "url": "https://ubuntu.com/security/CVE-2025-40278",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak  Fix a KMSAN kernel-infoleak detected by syzbot.  [net?] KMSAN: kernel-infoleak in __skb_datagram_iter  In tcf_ife_dump(), the variable 'opt' was partially initialized using a designated initializer, while the padding bytes remained uninitialized. Because nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace.  Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to being copied.  This change silences the KMSAN report and prevents potential information leaks from the kernel memory.  This fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures no infoleak.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40279",
                        "url": "https://ubuntu.com/security/CVE-2025-40279",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: act_connmark: initialize struct tc_ife to fix kernel leak  In tcf_connmark_dump(), the variable 'opt' was partially initialized using a designated initializer, while the padding bytes remained uninitialized. Because nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace.  Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to being copied.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40280",
                        "url": "https://ubuntu.com/security/CVE-2025-40280",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tipc: Fix use-after-free in tipc_mon_reinit_self().  syzbot reported use-after-free of tipc_net(net)->monitors[] in tipc_mon_reinit_self(). [0]  The array is protected by RTNL, but tipc_mon_reinit_self() iterates over it without RTNL.  tipc_mon_reinit_self() is called from tipc_net_finalize(), which is always under RTNL except for tipc_net_finalize_work().  Let's hold RTNL in tipc_net_finalize_work().  [0]: BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162 Read of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989  CPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Workqueue: events tipc_net_finalize_work Call Trace:  <TASK>  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0xca/0x240 mm/kasan/report.c:482  kasan_report+0x118/0x150 mm/kasan/report.c:595  __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568  kasan_check_byte include/linux/kasan.h:399 [inline]  lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842  __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]  _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162  rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline]  rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline]  rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244  rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243  write_lock_bh include/linux/rwlock_rt.h:99 [inline]  tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718  tipc_net_finalize+0x115/0x190 net/tipc/net.c:140  process_one_work kernel/workqueue.c:3236 [inline]  
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400  kthread+0x70e/0x8a0 kernel/kthread.c:463  ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 6089:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:388 [inline]  __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405  kasan_kmalloc include/linux/kasan.h:260 [inline]  __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407  kmalloc_noprof include/linux/slab.h:905 [inline]  kzalloc_noprof include/linux/slab.h:1039 [inline]  tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657  tipc_enable_bearer net/tipc/bearer.c:357 [inline]  __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047  __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline]  tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393  tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline]  tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321  genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115  genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]  genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210  netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552  genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219  netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]  netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346  netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896  sock_sendmsg_nosec net/socket.c:714 [inline]  __sock_sendmsg+0x21c/0x270 net/socket.c:729  ____sys_sendmsg+0x508/0x820 net/socket.c:2614  ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668  __sys_sendmsg net/socket.c:2700 [inline]  __do_sys_sendmsg net/socket.c:2705 [inline]  __se_sys_sendmsg net/socket.c:2703 [inline]  __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703  do_syscall_x64 
arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/ ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40281",
                        "url": "https://ubuntu.com/security/CVE-2025-40281",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto  syzbot reported a possible shift-out-of-bounds [1]  Blamed commit added rto_alpha_max and rto_beta_max set to 1000.  It is unclear if some sctp users are setting very large rto_alpha and/or rto_beta.  In order to prevent user regression, perform the test at run time.  Also add READ_ONCE() annotations as sysctl values can change under us.  [1]  UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41 shift exponent 64 is too large for 32-bit type 'unsigned int' CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace:  <TASK>   __dump_stack lib/dump_stack.c:94 [inline]   dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120   ubsan_epilogue lib/ubsan.c:233 [inline]   __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494   sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509   sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502   sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338   sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]   sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40282",
                        "url": "https://ubuntu.com/security/CVE-2025-40282",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: 6lowpan: reset link-local header on ipv6 recv path  Bluetooth 6lowpan.c netdev has header_ops, so it must set link-local header for RX skb, otherwise things crash, eg. with AF_PACKET SOCK_RAW  Add missing skb_reset_mac_header() for uncompressed ipv6 RX path.  For the compressed one, it is done in lowpan_header_decompress().  Log: (BlueZ 6lowpan-tester Client Recv Raw - Success) ------ kernel BUG at net/core/skbuff.c:212! Call Trace: <IRQ> ... packet_rcv (net/packet/af_packet.c:2152) ... <TASK> __local_bh_enable_ip (kernel/softirq.c:407) netif_rx (net/core/dev.c:5648) chan_recv_cb (net/bluetooth/6lowpan.c:294 net/bluetooth/6lowpan.c:359) ------",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40283",
                        "url": "https://ubuntu.com/security/CVE-2025-40283",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF  There is a KASAN: slab-use-after-free read in btusb_disconnect(). Calling \"usb_driver_release_interface(&btusb_driver, data->intf)\" will free the btusb data associated with the interface. The same data is then used later in the function, hence the UAF.  Fix by moving the accesses to btusb data to before the data is freed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40284",
                        "url": "https://ubuntu.com/security/CVE-2025-40284",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: cancel mesh send timer when hdev removed  mesh_send_done timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone.  Cancel the timer when MGMT removes the hdev, like other MGMT timers.  Should fix the BUG: sporadically seen by BlueZ test bot (in \"Mesh - Send cancel - 1\" test).  Log: ------ BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0 ... Freed by task 36:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  __kasan_save_free_info+0x3a/0x60  __kasan_slab_free+0x43/0x70  kfree+0x103/0x500  device_release+0x9a/0x210  kobject_put+0x100/0x1e0  vhci_release+0x18b/0x240 ------",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68210",
                        "url": "https://ubuntu.com/security/CVE-2025-68210",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: avoid infinite loop due to incomplete zstd-compressed data  Currently, the decompression logic incorrectly spins if compressed data is truncated in crafted (deliberately corrupted) images.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40285",
                        "url": "https://ubuntu.com/security/CVE-2025-40285",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/server: fix possible refcount leak in smb2_sess_setup()  The reference count of ksmbd_session will leak when the session needs to reconnect. Fix this by adding the missing ksmbd_user_session_put().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40286",
                        "url": "https://ubuntu.com/security/CVE-2025-40286",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/server: fix possible memory leak in smb2_read()  Memory leak occurs when ksmbd_vfs_read() fails. Fix this by adding the missing kvfree().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40287",
                        "url": "https://ubuntu.com/security/CVE-2025-40287",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exfat: fix improper check of dentry.stream.valid_size  We found an infinite loop bug in the exFAT file system that can lead to a Denial-of-Service (DoS) condition. When a dentry in an exFAT filesystem is malformed, the following system calls — SYS_openat, SYS_ftruncate, and SYS_pwrite64 — can cause the kernel to hang.  Root cause analysis shows that the size validation code in exfat_find() does not check whether dentry.stream.valid_size is negative. As a result, the system calls mentioned above can succeed and eventually trigger the DoS issue.  This patch adds a check for negative dentry.stream.valid_size to prevent this vulnerability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40288",
                        "url": "https://ubuntu.com/security/CVE-2025-40288",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices  Previously, APU platforms (and other scenarios with uninitialized VRAM managers) triggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root cause is not that the `struct ttm_resource_manager *man` pointer itself is NULL, but that `man->bdev` (the backing device pointer within the manager) remains uninitialized (NULL) on APUs—since APUs lack dedicated VRAM and do not fully set up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to acquire `man->bdev->lru_lock`, it dereferences the NULL `man->bdev`, leading to a kernel OOPS.  1. **amdgpu_cs.c**: Extend the existing bandwidth control check in    `amdgpu_cs_get_threshold_for_moves()` to include a check for    `ttm_resource_manager_used()`. If the manager is not used (uninitialized    `bdev`), return 0 for migration thresholds immediately—skipping VRAM-specific    logic that would trigger the NULL dereference.  2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info    reporting to use a conditional: if the manager is used, return the real VRAM    usage; otherwise, return 0. This avoids accessing `man->bdev` when it is    NULL.  3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function)    data write path. Use `ttm_resource_manager_used()` to check validity: if the    manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set    `fb_usage` to 0 (APUs have no discrete framebuffer to report).  This approach is more robust than APU-specific checks because it: - Works for all scenarios where the VRAM manager is uninitialized (not just APUs), - Aligns with TTM's design by using its native helper function, - Preserves correct behavior for discrete GPUs (which have fully initialized   `man->bdev` and pass the `ttm_resource_manager_used()` check).  
v4: use ttm_resource_manager_used(&adev->mman.vram_mgr.manager) instead of checking the adev->gmc.is_app_apu flag (Christian)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40289",
                        "url": "https://ubuntu.com/security/CVE-2025-40289",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM  Otherwise accessing them can cause a crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68201",
                        "url": "https://ubuntu.com/security/CVE-2025-68201",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: remove two invalid BUG_ON()s  Those can be triggered trivially by userspace.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68207",
                        "url": "https://ubuntu.com/security/CVE-2025-68207",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Synchronize Dead CT worker with unbind  Cancel and wait for any Dead CT worker to complete before continuing with device unbinding. Else the worker will end up using resources freed by the undind operation.  (cherry picked from commit 492671339114e376aaa38626d637a2751cdef263)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68244",
                        "url": "https://ubuntu.com/security/CVE-2025-68244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD  On completion of i915_vma_pin_ww(), a synchronous variant of dma_fence_work_commit() is called.  When pinning a VMA to GGTT address space on a Cherry View family processor, or on a Broxton generation SoC with VTD enabled, i.e., when stop_machine() is then called from intel_ggtt_bind_vma(), that can potentially lead to lock inversion among reservation_ww and cpu_hotplug locks.  [86.861179] ====================================================== [86.861193] WARNING: possible circular locking dependency detected [86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G     U [86.861226] ------------------------------------------------------ [86.861238] i915_module_loa/1432 is trying to acquire lock: [86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50 [86.861290] but task is already holding lock: [86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915] [86.862233] which lock already depends on the new lock. 
[86.862251] the existing dependency chain (in reverse order) is: [86.862265] -> #5 (reservation_ww_class_mutex){+.+.}-{3:3}: [86.862292]        dma_resv_lockdep+0x19a/0x390 [86.862315]        do_one_initcall+0x60/0x3f0 [86.862334]        kernel_init_freeable+0x3cd/0x680 [86.862353]        kernel_init+0x1b/0x200 [86.862369]        ret_from_fork+0x47/0x70 [86.862383]        ret_from_fork_asm+0x1a/0x30 [86.862399] -> #4 (reservation_ww_class_acquire){+.+.}-{0:0}: [86.862425]        dma_resv_lockdep+0x178/0x390 [86.862440]        do_one_initcall+0x60/0x3f0 [86.862454]        kernel_init_freeable+0x3cd/0x680 [86.862470]        kernel_init+0x1b/0x200 [86.862482]        ret_from_fork+0x47/0x70 [86.862495]        ret_from_fork_asm+0x1a/0x30 [86.862509] -> #3 (&mm->mmap_lock){++++}-{3:3}: [86.862531]        down_read_killable+0x46/0x1e0 [86.862546]        lock_mm_and_find_vma+0xa2/0x280 [86.862561]        do_user_addr_fault+0x266/0x8e0 [86.862578]        exc_page_fault+0x8a/0x2f0 [86.862593]        asm_exc_page_fault+0x27/0x30 [86.862607]        filldir64+0xeb/0x180 [86.862620]        kernfs_fop_readdir+0x118/0x480 [86.862635]        iterate_dir+0xcf/0x2b0 [86.862648]        __x64_sys_getdents64+0x84/0x140 [86.862661]        x64_sys_call+0x1058/0x2660 [86.862675]        do_syscall_64+0x91/0xe90 [86.862689]        entry_SYSCALL_64_after_hwframe+0x76/0x7e [86.862703] -> #2 (&root->kernfs_rwsem){++++}-{3:3}: [86.862725]        down_write+0x3e/0xf0 [86.862738]        kernfs_add_one+0x30/0x3c0 [86.862751]        kernfs_create_dir_ns+0x53/0xb0 [86.862765]        internal_create_group+0x134/0x4c0 [86.862779]        sysfs_create_group+0x13/0x20 [86.862792]        topology_add_dev+0x1d/0x30 [86.862806]        cpuhp_invoke_callback+0x4b5/0x850 [86.862822]        cpuhp_issue_call+0xbf/0x1f0 [86.862836]        __cpuhp_setup_state_cpuslocked+0x111/0x320 [86.862852]        __cpuhp_setup_state+0xb0/0x220 [86.862866]        topology_sysfs_init+0x30/0x50 [86.862879]        
do_one_initcall+0x60/0x3f0 [86.862893]        kernel_init_freeable+0x3cd/0x680 [86.862908]        kernel_init+0x1b/0x200 [86.862921]        ret_from_fork+0x47/0x70 [86.862934]        ret_from_fork_asm+0x1a/0x30 [86.862947] -> #1 (cpuhp_state_mutex){+.+.}-{3:3}: [86.862969]        __mutex_lock+0xaa/0xed0 [86.862982]        mutex_lock_nested+0x1b/0x30 [86.862995]        __cpuhp_setup_state_cpuslocked+0x67/0x320 [86.863012]        __cpuhp_setup_state+0xb0/0x220 [86.863026]        page_alloc_init_cpuhp+0x2d/0x60 [86.863041]        mm_core_init+0x22/0x2d0 [86.863054]        start_kernel+0x576/0xbd0 [86.863068]        x86_64_start_reservations+0x18/0x30 [86.863084]        x86_64_start_kernel+0xbf/0x110 [86.863098]        common_startup_64+0x13e/0x141 [86.863114] -> #0 (cpu_hotplug_lock){++++}-{0:0}: [86.863135]        __lock_acquire+0x16 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68316",
                        "url": "https://ubuntu.com/security/CVE-2025-68316",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: ufs: core: Fix invalid probe error return value  After DME Link Startup, the error return value is set to the MIPI UniPro GenericErrorCode which can be 0 (SUCCESS) or 1 (FAILURE).  Upon failure during driver probe, the error code 1 is propagated back to the driver probe function which must return a negative value to indicate an error, but 1 is not negative, so the probe is considered to be successful even though it failed.  Subsequently, removing the driver results in an oops because it is not in a valid state.  This happens because none of the callers of ufshcd_init() expect a non-negative error code.  Fix the return value and documentation to match actual usage.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40292",
                        "url": "https://ubuntu.com/security/CVE-2025-40292",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: fix received length check in big packets  Since commit 4959aebba8c0 (\"virtio-net: use mtu size as buffer length for big packets\"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi->big_packets_num_skbfrags.  Because the host announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce incorrect length), we need a check in virtio_net receive path. Currently, the check is not adapted to the new change which can lead to NULL page pointer dereference in the below while loop when receiving length that is larger than the allocated one.  This commit fixes the received length check corresponding to the new change.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68180",
                        "url": "https://ubuntu.com/security/CVE-2025-68180",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Fix NULL deref in debugfs odm_combine_segments  When a connector is connected but inactive (e.g., disabled by desktop environments), pipe_ctx->stream_res.tg will be destroyed. Then, reading odm_combine_segments causes kernel NULL pointer dereference.   BUG: kernel NULL pointer dereference, address: 0000000000000000  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  PGD 0 P4D 0  Oops: Oops: 0000 [#1] SMP NOPTI  CPU: 16 UID: 0 PID: 26474 Comm: cat Not tainted 6.17.0+ #2 PREEMPT(lazy) e6a17af9ee6db7c63e9d90dbe5b28ccab67520c6  Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN25WW 03/27/2025  RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]  Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>  RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286  RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8  RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000  RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0  R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08  R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001  FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0  PKRU: 55555554  Call Trace:   <TASK>   seq_read_iter+0x125/0x490   ? __alloc_frozen_pages_noprof+0x18f/0x350   seq_read+0x12c/0x170   full_proxy_read+0x51/0x80   vfs_read+0xbc/0x390   ? __handle_mm_fault+0xa46/0xef0   ? do_syscall_64+0x71/0x900   ksys_read+0x73/0xf0   do_syscall_64+0x71/0x900   ? count_memcg_events+0xc2/0x190   ? handle_mm_fault+0x1d7/0x2d0   ? do_user_addr_fault+0x21a/0x690   ? 
exc_page_fault+0x7e/0x1a0   entry_SYSCALL_64_after_hwframe+0x6c/0x74  RIP: 0033:0x7f44d4031687  Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00>  RSP: 002b:00007ffdb4b5f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000  RAX: ffffffffffffffda RBX: 00007f44d3f9f740 RCX: 00007f44d4031687  RDX: 0000000000040000 RSI: 00007f44d3f5e000 RDI: 0000000000000003  RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000  R10: 0000000000000000 R11: 0000000000000202 R12: 00007f44d3f5e000  R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000040000   </TASK>  Modules linked in: tls tcp_diag inet_diag xt_mark ccm snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device x>   snd_hda_codec_atihdmi snd_hda_codec_realtek_lib lenovo_wmi_helpers think_lmi snd_hda_codec_generic snd_hda_codec_hdmi snd_soc_core kvm snd_compress uvcvideo sn>   platform_profile joydev amd_pmc mousedev mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics loop nfnetlink ip_tables x_tables dm_cryp>  CR2: 0000000000000000  ---[ end trace 0000000000000000 ]---  RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]  Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>  RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286  RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8  RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000  RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0  R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08  R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001  FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000000 CR3: 00000006485c2000 
CR4: 0000000000f50ef0  PKRU: 55555554  Fix this by checking pipe_ctx-> ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40327",
                        "url": "https://ubuntu.com/security/CVE-2025-40327",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/core: Fix system hang caused by cpu-clock usage  cpu-clock usage by the async-profiler tool can trigger a system hang, which got bisected back to the following commit by Octavia Togami:    18dbcbfabfff (\"perf: Fix the POLL_HUP delivery breakage\") causes this issue  The root cause of the hang is that cpu-clock is a special type of SW event which relies on hrtimers. The __perf_event_overflow() callback is invoked from the hrtimer handler for cpu-clock events, and __perf_event_overflow() tries to call cpu_clock_event_stop() to stop the event, which calls htimer_cancel() to cancel the hrtimer.  But that's a recursion into the hrtimer code from a hrtimer handler, which (unsurprisingly) deadlocks.  To fix this bug, use hrtimer_try_to_cancel() instead, and set the PERF_HES_STOPPED flag, which causes perf_swevent_hrtimer() to stop the event once it sees the PERF_HES_STOPPED flag.  [ mingo: Fixed the comments and improved the changelog. ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40328",
                        "url": "https://ubuntu.com/security/CVE-2025-40328",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix potential UAF in smb2_close_cached_fid()  find_or_create_cached_dir() could grab a new reference after kref_put() had seen the refcount drop to zero but before cfid_list_lock is acquired in smb2_close_cached_fid(), leading to use-after-free.  Switch to kref_put_lock() so cfid_release() is called with cfid_list_lock held, closing that gap.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40291",
                        "url": "https://ubuntu.com/security/CVE-2025-40291",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring: fix regbuf vector size truncation  There is a report of io_estimate_bvec_size() truncating the calculated number of segments that leads to corruption issues. Check it doesn't overflow \"int\"s used later. Rough but simple, can be improved on top.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68322",
                        "url": "https://ubuntu.com/security/CVE-2025-68322",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  parisc: Avoid crash due to unaligned access in unwinder  Guenter Roeck reported this kernel crash on his emulated B160L machine:  Starting network: udhcpc: started, v1.36.1  Backtrace:   [<104320d4>] unwind_once+0x1c/0x5c   [<10434a00>] walk_stackframe.isra.0+0x74/0xb8   [<10434a6c>] arch_stack_walk+0x28/0x38   [<104e5efc>] stack_trace_save+0x48/0x5c   [<105d1bdc>] set_track_prepare+0x44/0x6c   [<105d9c80>] ___slab_alloc+0xfc4/0x1024   [<105d9d38>] __slab_alloc.isra.0+0x58/0x90   [<105dc80c>] kmem_cache_alloc_noprof+0x2ac/0x4a0   [<105b8e54>] __anon_vma_prepare+0x60/0x280   [<105a823c>] __vmf_anon_prepare+0x68/0x94   [<105a8b34>] do_wp_page+0x8cc/0xf10   [<105aad88>] handle_mm_fault+0x6c0/0xf08   [<10425568>] do_page_fault+0x110/0x440   [<10427938>] handle_interruption+0x184/0x748   [<11178398>] schedule+0x4c/0x190   BUG: spinlock recursion on CPU#0, ifconfig/2420   lock: terminate_lock.2+0x0/0x1c, .magic: dead4ead, .owner: ifconfig/2420, .owner_cpu: 0  While creating the stack trace, the unwinder uses the stack pointer to guess the previous frame to read the previous stack pointer from memory.  The crash happens, because the unwinder tries to read from unaligned memory and as such triggers the unalignment trap handler which then leads to the spinlock recursion and finally to a deadlock.  Fix it by checking the alignment before accessing the memory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40293",
                        "url": "https://ubuntu.com/security/CVE-2025-40293",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iommufd: Don't overflow during division for dirty tracking  If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow to 0 and this triggers divide by 0.  In this case the index should just be 0, so reorganize things to divide by shift and avoid hitting any overflows.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40294",
                        "url": "https://ubuntu.com/security/CVE-2025-40294",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()  In the parse_adv_monitor_pattern() function, the value of the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251). The size of the 'value' array in the mgmt_adv_pattern structure is 31. If the value of 'pattern[i].length' is set in the user space and exceeds 31, the 'patterns[i].value' array can be accessed out of bound when copied.  Increasing the size of the 'value' array in the 'mgmt_adv_pattern' structure will break the userspace. Considering this, and to avoid OOB access revert the limits for 'offset' and 'length' back to the value of HCI_MAX_AD_LENGTH.  Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40329",
                        "url": "https://ubuntu.com/security/CVE-2025-40329",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb  The Mesa issue referenced below pointed out a possible deadlock:  [ 1231.611031]  Possible interrupt unsafe locking scenario:  [ 1231.611033]        CPU0                    CPU1 [ 1231.611034]        ----                    ---- [ 1231.611035]   lock(&xa->xa_lock#17); [ 1231.611038]                                local_irq_disable(); [ 1231.611039]                                lock(&fence->lock); [ 1231.611041]                                lock(&xa->xa_lock#17); [ 1231.611044]   <Interrupt> [ 1231.611045]     lock(&fence->lock); [ 1231.611047]                 *** DEADLOCK ***  In this example, CPU0 would be any function accessing job->dependencies through the xa_* functions that don't disable interrupts (eg: drm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()).  CPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling callback so in an interrupt context. It will deadlock when trying to grab the xa_lock which is already held by CPU0.  Replacing all xa_* usage by their xa_*_irq counterparts would fix this issue, but Christian pointed out another issue: dma_fence_signal takes fence.lock and so does dma_fence_add_callback.    dma_fence_signal() // locks f1.lock   -> drm_sched_entity_kill_jobs_cb()   -> foreach dependencies      -> dma_fence_add_callback() // locks f2.lock  This will deadlock if f1 and f2 share the same spinlock.  To fix both issues, the code iterating on dependencies and re-arming them is moved out to drm_sched_entity_kill_jobs_work().  [phasta: commit message nits]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40295",
                        "url": "https://ubuntu.com/security/CVE-2025-40295",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT  When simulating an nvme device on qemu with both logical_block_size and physical_block_size set to 8 KiB, an error trace appears during partition table reading at boot time. The issue is caused by inode->i_blkbits being larger than PAGE_SHIFT, which leads to a left shift of -1 and triggering a UBSAN warning.  [    2.697306] ------------[ cut here ]------------ [    2.697309] UBSAN: shift-out-of-bounds in fs/crypto/inline_crypt.c:336:37 [    2.697311] shift exponent -1 is negative [    2.697315] CPU: 3 UID: 0 PID: 274 Comm: (udev-worker) Not tainted 6.18.0-rc2+ #34 PREEMPT(voluntary) [    2.697317] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [    2.697320] Call Trace: [    2.697324]  <TASK> [    2.697325]  dump_stack_lvl+0x76/0xa0 [    2.697340]  dump_stack+0x10/0x20 [    2.697342]  __ubsan_handle_shift_out_of_bounds+0x1e3/0x390 [    2.697351]  bh_get_inode_and_lblk_num.cold+0x12/0x94 [    2.697359]  fscrypt_set_bio_crypt_ctx_bh+0x44/0x90 [    2.697365]  submit_bh_wbc+0xb6/0x190 [    2.697370]  block_read_full_folio+0x194/0x270 [    2.697371]  ? __pfx_blkdev_get_block+0x10/0x10 [    2.697375]  ? __pfx_blkdev_read_folio+0x10/0x10 [    2.697377]  blkdev_read_folio+0x18/0x30 [    2.697379]  filemap_read_folio+0x40/0xe0 [    2.697382]  filemap_get_pages+0x5ef/0x7a0 [    2.697385]  ? mmap_region+0x63/0xd0 [    2.697389]  filemap_read+0x11d/0x520 [    2.697392]  blkdev_read_iter+0x7c/0x180 [    2.697393]  vfs_read+0x261/0x390 [    2.697397]  ksys_read+0x71/0xf0 [    2.697398]  __x64_sys_read+0x19/0x30 [    2.697399]  x64_sys_call+0x1e88/0x26a0 [    2.697405]  do_syscall_64+0x80/0x670 [    2.697410]  ? __x64_sys_newfstat+0x15/0x20 [    2.697414]  ? x64_sys_call+0x204a/0x26a0 [    2.697415]  ? 
do_syscall_64+0xb8/0x670 [    2.697417]  ? irqentry_exit_to_user_mode+0x2e/0x2a0 [    2.697420]  ? irqentry_exit+0x43/0x50 [    2.697421]  ? exc_page_fault+0x90/0x1b0 [    2.697422]  entry_SYSCALL_64_after_hwframe+0x76/0x7e [    2.697425] RIP: 0033:0x75054cba4a06 [    2.697426] Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 [    2.697427] RSP: 002b:00007fff973723a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000 [    2.697430] RAX: ffffffffffffffda RBX: 00005ea9a2c02760 RCX: 000075054cba4a06 [    2.697432] RDX: 0000000000002000 RSI: 000075054c190000 RDI: 000000000000001b [    2.697433] RBP: 00007fff973723c0 R08: 0000000000000000 R09: 0000000000000000 [    2.697434] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 [    2.697434] R13: 00005ea9a2c027c0 R14: 00005ea9a2be5608 R15: 00005ea9a2be55f0 [    2.697436]  </TASK> [    2.697436] ---[ end trace ]---  This situation can happen for block devices because when CONFIG_TRANSPARENT_HUGEPAGE is enabled, the maximum logical_block_size is 64 KiB. set_init_blocksize() then sets the block device inode->i_blkbits to 13, which is within this limit.  File I/O does not trigger this problem because for filesystems that do not support the FS_LBS feature, sb_set_blocksize() prevents sb->s_blocksize_bits from being larger than PAGE_SHIFT. During inode allocation, alloc_inode()->inode_init_always() assigns inode->i_blkbits from sb->s_blocksize_bits. Currently, only xfs_fs_type has the FS_LBS flag, and since xfs I/O paths do not reach submit_bh_wbc(), it does not hit the left-shift underflow issue.  [EB: use folio_pos() and consolidate the two shifts by i_blkbits]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40296",
                        "url": "https://ubuntu.com/security/CVE-2025-40296",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/x86: int3472: Fix double free of GPIO device during unregister  regulator_unregister() already frees the associated GPIO device. On ThinkPad X9 (Lunar Lake), this causes a double free issue that leads to random failures when other drivers (typically Intel THC) attempt to allocate interrupts. The root cause is that the reference count of the pinctrl_intel_platform module unexpectedly drops to zero when this driver defers its probe.  This behavior can also be reproduced by unloading the module directly.  Fix the issue by removing the redundant release of the GPIO device during regulator unregistration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40297",
                        "url": "https://ubuntu.com/security/CVE-2025-40297",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: bridge: fix use-after-free due to MST port state bypass  syzbot reported[1] a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its fdbs have been flushed. The port's state has been toggled to disabled so no learning should happen at that time, but if we have MST enabled, it will bypass the port's state, that together with VLAN filtering disabled can lead to fdb learning at a time when it shouldn't happen while the port is being deleted. VLAN filtering must be disabled because we flush the port VLANs when it's being deleted which will stop learning. This fix adds a check for the port's vlan group which is initialized to NULL when the port is getting deleted, that avoids the port state bypass. When MST is enabled there would be a minimal new overhead in the fast-path because the port's vlan group pointer is cache-hot.  [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68320",
                        "url": "https://ubuntu.com/security/CVE-2025-68320",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lan966x: Fix sleeping in atomic context  The following warning was seen when we try to connect using ssh to the device.  BUG: sleeping function called from invalid context at kernel/locking/mutex.c:575 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbear preempt_count: 1, expected: 0 INFO: lockdep is turned off. CPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G        W          6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONE Tainted: [W]=WARN Hardware name: Generic DT based system Call trace:  unwind_backtrace from show_stack+0x10/0x14  show_stack from dump_stack_lvl+0x7c/0xac  dump_stack_lvl from __might_resched+0x16c/0x2b0  __might_resched from __mutex_lock+0x64/0xd34  __mutex_lock from mutex_lock_nested+0x1c/0x24  mutex_lock_nested from lan966x_stats_get+0x5c/0x558  lan966x_stats_get from dev_get_stats+0x40/0x43c  dev_get_stats from dev_seq_printf_stats+0x3c/0x184  dev_seq_printf_stats from dev_seq_show+0x10/0x30  dev_seq_show from seq_read_iter+0x350/0x4ec  seq_read_iter from seq_read+0xfc/0x194  seq_read from proc_reg_read+0xac/0x100  proc_reg_read from vfs_read+0xb0/0x2b0  vfs_read from ksys_read+0x6c/0xec  ksys_read from ret_fast_syscall+0x0/0x1c Exception stack(0xf0b11fa8 to 0xf0b11ff0) 1fa0:                   00000001 00001000 00000008 be9048d8 00001000 00000001 1fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 00000001 1fe0: 0005404c be9048c0 00018684 b6ec2cd8  It seems that we are using a mutex in a atomic context which is wrong. Change the mutex with a spinlock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68169",
                        "url": "https://ubuntu.com/security/CVE-2025-68169",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netpoll: Fix deadlock in memory allocation under spinlock  Fix a AA deadlock in refill_skbs() where memory allocation while holding skb_pool->lock can trigger a recursive lock acquisition attempt.  The deadlock scenario occurs when the system is under severe memory pressure:  1. refill_skbs() acquires skb_pool->lock (spinlock) 2. alloc_skb() is called while holding the lock 3. Memory allocator fails and calls slab_out_of_memory() 4. This triggers printk() for the OOM warning 5. The console output path calls netpoll_send_udp() 6. netpoll_send_udp() attempts to acquire the same skb_pool->lock 7. Deadlock: the lock is already held by the same CPU  Call stack:   refill_skbs()     spin_lock_irqsave(&skb_pool->lock)    <- lock acquired     __alloc_skb()       kmem_cache_alloc_node_noprof()         slab_out_of_memory()           printk()             console_flush_all()               netpoll_send_udp()                 skb_dequeue()                   spin_lock_irqsave(&skb_pool->lock)     <- deadlock attempt  This bug was exposed by commit 248f6571fd4c51 (\"netpoll: Optimize skb refilling on critical path\") which removed refill_skbs() from the critical path (where nested printk was being deferred), letting nested printk being called from inside refill_skbs()  Refactor refill_skbs() to never allocate memory while holding the spinlock.  Another possible solution to fix this problem is protecting the refill_skbs() from nested printks, basically calling printk_deferred_{enter,exit}() in refill_skbs(), then, any nested pr_warn() would be deferred.  I prefer this approach, given I _think_ it might be a good idea to move the alloc_skb() from GFP_ATOMIC to GFP_KERNEL in the future, so, having the alloc_skb() outside of the lock will be necessary step.  
There is a possible TOCTOU issue when checking for the pool length, and queueing the new allocated skb, but, this is not an issue, given that an extra SKB in the pool is harmless and it will be eventually used.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68197",
                        "url": "https://ubuntu.com/security/CVE-2025-68197",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()  With older FW, we may get the ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER for FW trace data type that has not been initialized.  This will result in a crash in bnxt_bs_trace_type_wrap().  Add a guard to check for a valid magic_byte pointer before proceeding.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40330",
                        "url": "https://ubuntu.com/security/CVE-2025-40330",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Shutdown FW DMA in bnxt_shutdown()  The netif_close() call in bnxt_shutdown() only stops packet DMA.  There may be FW DMA for trace logging (recently added) that will continue.  If we kexec to a new kernel, the DMA will corrupt memory in the new kernel.  Add bnxt_hwrm_func_drv_unrgtr() to unregister the driver from the FW. This will stop the FW DMA.  In case the call fails, call pcie_flr() to reset the function and stop the DMA.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68192",
                        "url": "https://ubuntu.com/security/CVE-2025-68192",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup  Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. This can trigger kernel panics on ARM64 when xfrm or other subsystems access the offset due to strict alignment checks.  Initialize the MAC header to prevent such crashes.  This can trigger kernel panics on ARM when running IPsec over the qmimux0 interface.  Example trace:      Internal error: Oops: 000000009600004f [#1] SMP     CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1     Hardware name: LS1028A RDB Board (DT)     pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)     pc : xfrm_input+0xde8/0x1318     lr : xfrm_input+0x61c/0x1318     sp : ffff800080003b20     Call trace:      xfrm_input+0xde8/0x1318      xfrm6_rcv+0x38/0x44      xfrm6_esp_rcv+0x48/0xa8      ip6_protocol_deliver_rcu+0x94/0x4b0      ip6_input_finish+0x44/0x70      ip6_input+0x44/0xc0      ipv6_rcv+0x6c/0x114      __netif_receive_skb_one_core+0x5c/0x8c      __netif_receive_skb+0x18/0x60      process_backlog+0x78/0x17c      __napi_poll+0x38/0x180      net_rx_action+0x168/0x2f0",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40331",
                        "url": "https://ubuntu.com/security/CVE-2025-40331",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: Prevent TOCTOU out-of-bounds write  For the following path not holding the sock lock,    sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()  make sure not to exceed bounds in case the address list has grown between buffer allocation (time-of-check) and write (time-of-use).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68187",
                        "url": "https://ubuntu.com/security/CVE-2025-68187",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: mdio: Check regmap pointer returned by device_node_to_regmap()  The call to device_node_to_regmap() in airoha_mdio_probe() can return an ERR_PTR() if regmap initialization fails. Currently, the driver stores the pointer without validation, which could lead to a crash if it is later dereferenced.  Add an IS_ERR() check and return the corresponding error code to make the probe path more robust.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68167",
                        "url": "https://ubuntu.com/security/CVE-2025-68167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gpiolib: fix invalid pointer access in debugfs  If the memory allocation in gpiolib_seq_start() fails, the s->private field remains uninitialized and is later dereferenced without checking in gpiolib_seq_stop(). Initialize s->private to NULL before calling kzalloc() and check it before dereferencing it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68319",
                        "url": "https://ubuntu.com/security/CVE-2025-68319",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netconsole: Acquire su_mutex before navigating configs hierarchy  There is a race between operations that iterate over the userdata cg_children list and concurrent add/remove of userdata items through configfs. The update_userdata() function iterates over the nt->userdata_group.cg_children list, and count_extradata_entries() also iterates over this same list to count nodes.  Quoting from Documentation/filesystems/configfs.rst: > A subsystem can navigate the cg_children list and the ci_parent pointer > to see the tree created by the subsystem.  This can race with configfs' > management of the hierarchy, so configfs uses the subsystem mutex to > protect modifications.  Whenever a subsystem wants to navigate the > hierarchy, it must do so under the protection of the subsystem > mutex.  Without proper locking, if a userdata item is added or removed concurrently while these functions are iterating, the list can be accessed in an inconsistent state. For example, the list_for_each() loop can reach a node that is being removed from the list by list_del_init() which sets the nodes' .next pointer to point to itself, so the loop will never end (or reach the WARN_ON_ONCE in update_userdata() ).  Fix this by holding the configfs subsystem mutex (su_mutex) during all operations that iterate over cg_children. This includes: - userdatum_value_store() which calls update_userdata() to iterate over   cg_children - All sysdata_*_enabled_store() functions which call   count_extradata_entries() to iterate over cg_children  The su_mutex must be acquired before dynamic_netconsole_mutex to avoid potential lock ordering issues, as configfs operations may already hold su_mutex when calling into our code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40298",
                        "url": "https://ubuntu.com/security/CVE-2025-40298",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: Implement settime64 with -EOPNOTSUPP  ptp_clock_settime() assumes every ptp_clock has implemented settime64(). Stub it with -EOPNOTSUPP to prevent a NULL dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40299",
                        "url": "https://ubuntu.com/security/CVE-2025-40299",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: Implement gettimex64 with -EOPNOTSUPP  gve implemented a ptp_clock for sole use of do_aux_work at this time. ptp_clock_gettime() and ptp_sys_offset() assume every ptp_clock has implemented either gettimex64 or gettime64. Stub gettimex64 and return -EOPNOTSUPP to prevent NULL dereferencing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40301",
                        "url": "https://ubuntu.com/security/CVE-2025-40301",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: validate skb length for unknown CC opcode  In hci_cmd_complete_evt(), if the command complete event has an unknown opcode, we assume the first byte of the remaining skb->data contains the return status. However, parameter data has previously been pulled in hci_event_func(), which may leave the skb empty. If so, using skb->data[0] for the return status uses un-init memory.  The fix is to check skb->len before using skb->data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40358",
                        "url": "https://ubuntu.com/security/CVE-2025-40358",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: stacktrace: Disable KASAN checks for non-current tasks  When unwinding the stack of a task other than current, KASAN would report \"BUG: KASAN: out-of-bounds in walk_stackframe+0x41c/0x460\"  The same issue existed on x86 and was resolved by commit 84936118bdf3 (\"x86/unwind: Disable KASAN checks for non-current tasks\"). The same solution can be applied to RISC-V.  This patch can also solve the issue: https://seclists.org/oss-sec/2025/q4/23  [pjw@kernel.org: clean up checkpatch issues]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68186",
                        "url": "https://ubuntu.com/security/CVE-2025-68186",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up  The function ring_buffer_map_get_reader() is a bit more strict than the other get reader functions, and except for certain situations the rb_get_reader_page() should not return NULL. If it does, it triggers a warning.  This warning was triggering but after looking at why, it was because another acceptable situation was happening and it wasn't checked for.  If the reader catches up to the writer and there's still data to be read on the reader page, then the rb_get_reader_page() will return NULL as there's no new page to get.  In this situation, the reader page should not be updated and no warning should trigger.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68184",
                        "url": "https://ubuntu.com/security/CVE-2025-68184",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/mediatek: Disable AFBC support on Mediatek DRM driver  Commit c410fa9b07c3 (\"drm/mediatek: Add AFBC support to Mediatek DRM driver\") added AFBC support to Mediatek DRM and enabled the 32x8/split/sparse modifier.  However, this is currently broken on Mediatek MT8188 (Genio 700 EVK platform); tested using upstream Kernel and Mesa (v25.2.1), AFBC is used by default since Mesa v25.0.  Kernel trace reports vblank timeouts constantly, and the render is garbled:  ``` [CRTC:62:crtc-0] vblank wait timed out WARNING: CPU: 7 PID: 70 at drivers/gpu/drm/drm_atomic_helper.c:1835 drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c [...] Hardware name: MediaTek Genio-700 EVK (DT) Workqueue: events_unbound commit_work pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c lr : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c sp : ffff80008337bca0 x29: ffff80008337bcd0 x28: 0000000000000061 x27: 0000000000000000 x26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c9dcc000 x23: 0000000000000001 x22: 0000000000000000 x21: ffff0000c66f2f80 x20: ffff0000c0d7d880 x19: 0000000000000000 x18: 000000000000000a x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000000 x14: 0000000000000000 x13: 74756f2064656d69 x12: 742074696177206b x11: 0000000000000058 x10: 0000000000000018 x9 : ffff800082396a70 x8 : 0000000000057fa8 x7 : 0000000000000cce x6 : ffff8000823eea70 x5 : ffff0001fef5f408 x4 : ffff80017ccee000 x3 : ffff0000c12cb480 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c12cb480 Call trace:  drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c (P)  drm_atomic_helper_commit_tail_rpm+0x64/0x80  commit_tail+0xa4/0x1a4  commit_work+0x14/0x20  process_one_work+0x150/0x290  worker_thread+0x2d0/0x3ec  kthread+0x12c/0x210  ret_from_fork+0x10/0x20 ---[ end trace 0000000000000000 ]--- 
```  Until this gets fixed upstream, disable AFBC support on this platform, as it's currently broken with upstream Mesa.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40302",
                        "url": "https://ubuntu.com/security/CVE-2025-40302",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: videobuf2: forbid remove_bufs when legacy fileio is active  vb2_ioctl_remove_bufs() call manipulates queue internal buffer list, potentially overwriting some pointers used by the legacy fileio access mode. Forbid that ioctl when fileio is active to protect internal queue state between subsequent read/write calls.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40303",
                        "url": "https://ubuntu.com/security/CVE-2025-40303",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: ensure no dirty metadata is written back for an fs with errors  [BUG] During development of a minor feature (make sure all btrfs_bio::end_io() is called in task context), I noticed a crash in generic/388, where metadata writes triggered new works after btrfs_stop_all_workers().  It turns out that it can even happen without any code modification, just using RAID5 for metadata and the same workload from generic/388 is going to trigger the use-after-free.  [CAUSE] If btrfs hits an error, the fs is marked as error, no new transaction is allowed thus metadata is in a frozen state.  But there are some metadata modifications before that error, and they are still in the btree inode page cache.  Since there will be no real transaction commit, all those dirty folios are just kept as is in the page cache, and they can not be invalidated by invalidate_inode_pages2() call inside close_ctree(), because they are dirty.  And finally after btrfs_stop_all_workers(), we call iput() on btree inode, which triggers writeback of those dirty metadata.  And if the fs is using RAID56 metadata, this will trigger RMW and queue new works into rmw_workers, which is already stopped, causing warning from queue_work() and use-after-free.  [FIX] Add a special handling for write_one_eb(), that if the fs is already in an error state, immediately mark the bbio as failure, instead of really submitting them.  Then during close_ctree(), iput() will just discard all those dirty tree blocks without really writing them back, thus no more new jobs for already stopped-and-freed workqueues.  The extra discard in write_one_eb() also acts as an extra safenet. E.g. the transaction abort is triggered by some extent/free space tree corruptions, and since extent/free space tree is already corrupted some tree blocks may be allocated where they shouldn't be (overwriting existing tree blocks). 
In that case writing them back will further corrupt the fs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40362",
                        "url": "https://ubuntu.com/security/CVE-2025-40362",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ceph: fix multifs mds auth caps issue  The mds auth caps check should also validate the fsname along with the associated caps. Not doing so would result in applying the mds auth caps of one fs on to the other fs in a multifs ceph cluster. The bug causes multiple issues w.r.t user authentication, following is one such example.  Steps to Reproduce (on vstart cluster): 1. Create two file systems in a cluster, say 'fsname1' and 'fsname2' 2. Authorize read only permission to the user 'client.usr' on fs 'fsname1'     $ceph fs authorize fsname1 client.usr / r 3. Authorize read and write permission to the same user 'client.usr' on fs 'fsname2'     $ceph fs authorize fsname2 client.usr / rw 4. Update the keyring     $ceph auth get client.usr >> ./keyring  With above permissions for the user 'client.usr', following is the expectation.   a. The 'client.usr' should be able to only read the contents      and not allowed to create or delete files on file system 'fsname1'.   b. The 'client.usr' should be able to read/write on file system 'fsname2'.  But, with this bug, the 'client.usr' is allowed to read/write on file system 'fsname1'. See below.  5. Mount the file system 'fsname1' with the user 'client.usr'      $sudo bin/mount.ceph usr@.fsname1=/ /kmnt_fsname1_usr/ 6. Try creating a file on file system 'fsname1' with user 'client.usr'. This    should fail but passes with this bug.      $touch /kmnt_fsname1_usr/file1 7. Mount the file system 'fsname1' with the user 'client.admin' and create a    file.      $sudo bin/mount.ceph admin@.fsname1=/ /kmnt_fsname1_admin      $echo \"data\" > /kmnt_fsname1_admin/admin_file1 8. Try removing an existing file on file system 'fsname1' with the user    'client.usr'. This shouldn't succeed but succeeds with the bug.      
$rm -f /kmnt_fsname1_usr/admin_file1  For more information, please take a look at the corresponding mds/fuse patch and tests added by looking into the tracker mentioned below.  v2: Fix a possible null dereference in doutc v3: Don't store fsname from mdsmap, validate against     ceph_mount_options's fsname and use it v4: Code refactor, better warning message and     fix possible compiler warning  [ Slava.Dubeyko: \"fsname check failed\" -> \"fsname mismatch\" ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40332",
                        "url": "https://ubuntu.com/security/CVE-2025-40332",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Fix mmap write lock not release  If mmap write lock is taken while draining retry fault, mmap write lock is not released because svm_range_restore_pages calls mmap_read_unlock then returns. This causes deadlock and system hangs later because mmap read or write lock cannot be taken.  Downgrading the mmap write lock to a read lock when draining retry faults fixes this bug.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40304",
                        "url": "https://ubuntu.com/security/CVE-2025-40304",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds  Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen edges. Return early if the Y position is off-screen and clip image height to screen boundary. Break from the rendering loop if the X position is off-screen. When clipping image width to fit the screen, update the character count to match the clipped width to prevent buffer size mismatches.  Without the character count update, bit_putcs_aligned and bit_putcs_unaligned receive mismatched parameters where the buffer is allocated for the clipped width but cnt reflects the original larger count, causing out-of-bounds writes.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40305",
                        "url": "https://ubuntu.com/security/CVE-2025-40305",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN  p9_read_work() doesn't set Rworksched and doesn't do schedule_work(m->rq) if list_empty(&m->req_list).  However, if the pipe is full, we need to read more data and this used to work prior to commit aaec5a95d59615 (\"pipe_read: don't wake up the writer if the pipe is still full\").  p9_read_work() does p9_fd_read() -> ... -> anon_pipe_read() which (before the commit above) triggered the unnecessary wakeup. This wakeup calls p9_pollwake() which kicks p9_poll_workfn() -> p9_poll_mux(), p9_poll_mux() will notice EPOLLIN and schedule_work(&m->rq).  This no longer happens after the optimization above, change p9_fd_request() to use p9_poll_mux() instead of only checking for EPOLLOUT.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68318",
                        "url": "https://ubuntu.com/security/CVE-2025-68318",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL  The AXI crossbar of TH1520 has no proper timeout handling, which means gating AXI clocks can easily lead to bus timeout and thus system hang.  Set all AXI clock gates to CLK_IS_CRITICAL. All these clock gates are ungated by default on system reset.  In addition, convert all current CLK_IGNORE_UNUSED usage to CLK_IS_CRITICAL to prevent unwanted clock gating.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40209",
                        "url": "https://ubuntu.com/security/CVE-2025-40209",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation  When btrfs_add_qgroup_relation() is called with invalid qgroup levels (src >= dst), the function returns -EINVAL directly without freeing the preallocated qgroup_list structure passed by the caller. This causes a memory leak because the caller unconditionally sets the pointer to NULL after the call, preventing any cleanup.  The issue occurs because the level validation check happens before the mutex is acquired and before any error handling path that would free the prealloc pointer. On this early return, the cleanup code at the 'out' label (which includes kfree(prealloc)) is never reached.  In btrfs_ioctl_qgroup_assign(), the code pattern is:      prealloc = kzalloc(sizeof(*prealloc), GFP_KERNEL);     ret = btrfs_add_qgroup_relation(trans, sa->src, sa->dst, prealloc);     prealloc = NULL;  // Always set to NULL regardless of return value     ...     kfree(prealloc);  // This becomes kfree(NULL), does nothing  When the level check fails, 'prealloc' is never freed by either the callee or the caller, resulting in a 64-byte memory leak per failed operation. This can be triggered repeatedly by an unprivileged user with access to a writable btrfs mount, potentially exhausting kernel memory.  Fix this by freeing prealloc before the early return, ensuring prealloc is always freed on all error paths.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-21 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68183",
                        "url": "https://ubuntu.com/security/CVE-2025-68183",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr  Currently when both IMA and EVM are in fix mode, the IMA signature will be reset to IMA hash if a program first stores IMA signature in security.ima and then writes/removes some other security xattr for the file.  For example, on Fedora, after booting the kernel with \"ima_appraise=fix evm=fix ima_policy=appraise_tcb\" and installing rpm-plugin-ima, installing/reinstalling a package will not make good reference IMA signature generated. Instead IMA hash is generated,      # getfattr -m - -d -e hex /usr/bin/bash     # file: usr/bin/bash     security.ima=0x0404...  This happens because when setting security.selinux, the IMA_DIGSIG flag that had been set early was cleared. As a result, IMA hash is generated when the file is closed.  Similarly, IMA signature can be cleared on file close after removing security xattr like security.evm or setting/removing ACL.  Prevent replacing the IMA file signature with a file hash, by preventing the IMA_DIGSIG flag from being reset.  
Here's a minimal C reproducer which sets security.selinux as the last step which can also be replaced by removing security.evm or setting ACL,      #include <stdio.h>     #include <sys/xattr.h>     #include <fcntl.h>     #include <unistd.h>     #include <string.h>     #include <stdlib.h>      int main() {         const char* file_path = \"/usr/sbin/test_binary\";         const char* hex_string = \"030204d33204490066306402304\";         int length = strlen(hex_string);         char* ima_attr_value;         int fd;          fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);         if (fd == -1) {             perror(\"Error opening file\");             return 1;         }          ima_attr_value = (char*)malloc(length / 2 );         for (int i = 0, j = 0; i < length; i += 2, j++) {             sscanf(hex_string + i, \"%2hhx\", &ima_attr_value[j]);         }          if (fsetxattr(fd, \"security.ima\", ima_attr_value, length/2, 0) == -1) {             perror(\"Error setting extended attribute\");             close(fd);             return 1;         }          const char* selinux_value= \"system_u:object_r:bin_t:s0\";         if (fsetxattr(fd, \"security.selinux\", selinux_value, strlen(selinux_value), 0) == -1) {             perror(\"Error setting extended attribute\");             close(fd);             return 1;         }          close(fd);          return 0;     }",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68173",
                        "url": "https://ubuntu.com/security/CVE-2025-68173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ftrace: Fix softlockup in ftrace_module_enable  A soft lockup was observed when loading amdgpu module. If a module has a lot of traceable functions, multiple calls to kallsyms_lookup can spend too much time in RCU critical section and with disabled preemption, causing kernel panic. This is the same issue that was fixed in commit d0b24b4e91fc (\"ftrace: Prevent RCU stall on PREEMPT_VOLUNTARY kernels\") and commit 42ea22e754ba (\"ftrace: Add cond_resched() to ftrace_graph_set_hash()\").  Fix it the same way by adding cond_resched() in ftrace_module_enable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40306",
                        "url": "https://ubuntu.com/security/CVE-2025-40306",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  orangefs: fix xattr related buffer overflow...  Willy Tarreau <w@1wt.eu> forwarded me a message from Disclosure <disclosure@aisle.com> with the following warning:  > The helper `xattr_key()` uses the pointer variable in the loop condition > rather than dereferencing it. As `key` is incremented, it remains non-NULL > (until it runs into unmapped memory), so the loop does not terminate on > valid C strings and will walk memory indefinitely, consuming CPU or hanging > the thread.  I easily reproduced this with setfattr and getfattr, causing a kernel oops, hung user processes and corrupted orangefs files. Disclosure sent along a diff (not a patch) with a suggested fix, which I based this patch on.  After xattr_key started working right, xfstest generic/069 exposed an xattr related memory leak that led to OOM. xattr_key returns a hashed key.  When adding xattrs to the orangefs xattr cache, orangefs used hash_add, a kernel hashing macro. hash_add also hashes the key using hash_log which resulted in additions to the xattr cache going to the wrong hash bucket. generic/069 tortures a single file and orangefs does a getattr for the xattr \"security.capability\" every time. Orangefs negative caches on xattrs which includes a kmalloc. Since adds to the xattr cache were going to the wrong bucket, every getattr for \"security.capability\" resulted in another kmalloc, none of which were ever freed.  I changed the two uses of hash_add to hlist_add_head instead and the memory leak ceased and generic/069 quit throwing furniture.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40307",
                        "url": "https://ubuntu.com/security/CVE-2025-40307",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exfat: validate cluster allocation bits of the allocation bitmap  syzbot created an exfat image with cluster bits not set for the allocation bitmap. exfat-fs reads and uses the allocation bitmap without checking this. The problem is that if the start cluster of the allocation bitmap is 6, cluster 6 can be allocated when creating a directory with mkdir. exfat zeros out this cluster in exfat_mkdir, which can delete existing entries. This can reallocate the allocated entries. In addition, the allocation bitmap is also zeroed out, so cluster 6 can be reallocated. This patch adds exfat_test_bitmap_range to validate that clusters used for the allocation bitmap are correctly marked as in-use.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40308",
                        "url": "https://ubuntu.com/security/CVE-2025-40308",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: bcsp: receive data only if registered  Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace:      KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]     RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590     Call Trace:      <TASK>      hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627      tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290      tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706      vfs_ioctl fs/ioctl.c:51 [inline]      __do_sys_ioctl fs/ioctl.c:907 [inline]      __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893      do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]      do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94      entry_SYSCALL_64_after_hwframe+0x77/0x7f  To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40309",
                        "url": "https://ubuntu.com/security/CVE-2025-40309",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: SCO: Fix UAF on sco_conn_free  BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline] BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline] BUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 Write of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352  CPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted 6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci13 hci_cmd_sync_work Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0x191/0x550 mm/kasan/report.c:482  kasan_report+0xc4/0x100 mm/kasan/report.c:595  sco_conn_free net/bluetooth/sco.c:87 [inline]  kref_put include/linux/kref.h:65 [inline]  sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107  sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441  hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]  hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313  hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121  hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147  hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689  hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332  process_one_work kernel/workqueue.c:3236 [inline]  process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319  worker_thread+0xbee/0x1200 kernel/workqueue.c:3400  kthread+0x3c7/0x870 kernel/kthread.c:463  ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 31370:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x70 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:388 
[inline]  __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405  kasan_kmalloc include/linux/kasan.h:260 [inline]  __do_kmalloc_node mm/slub.c:4382 [inline]  __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394  kmalloc_noprof include/linux/slab.h:909 [inline]  sk_prot_alloc+0xae/0x220 net/core/sock.c:2239  sk_alloc+0x34/0x5a0 net/core/sock.c:2295  bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151  sco_sock_alloc net/bluetooth/sco.c:562 [inline]  sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593  bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135  __sock_create+0x3ad/0x780 net/socket.c:1589  sock_create net/socket.c:1647 [inline]  __sys_socket_create net/socket.c:1684 [inline]  __sys_socket+0xd5/0x330 net/socket.c:1731  __do_sys_socket net/socket.c:1745 [inline]  __se_sys_socket net/socket.c:1743 [inline]  __x64_sys_socket+0x7a/0x90 net/socket.c:1743  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 31374:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x70 mm/kasan/common.c:68  kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576  poison_slab_object mm/kasan/common.c:243 [inline]  __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275  kasan_slab_free include/linux/kasan.h:233 [inline]  slab_free_hook mm/slub.c:2428 [inline]  slab_free mm/slub.c:4701 [inline]  kfree+0x199/0x3b0 mm/slub.c:4900  sk_prot_free net/core/sock.c:2278 [inline]  __sk_destruct+0x4aa/0x630 net/core/sock.c:2373  sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333  __sock_release net/socket.c:649 [inline]  sock_close+0xb8/0x230 net/socket.c:1439  __fput+0x3d1/0x9e0 fs/file_table.c:468  task_work_run+0x206/0x2a0 kernel/task_work.c:227  get_signal+0x1201/0x1410 kernel/signal.c:2807  arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337  exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40  exit_to_user_mode_prepare 
include/linux/irq-entry-common.h:225 [inline]  s ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68174",
                        "url": "https://ubuntu.com/security/CVE-2025-68174",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  amd/amdkfd: enhance kfd process check in switch partition  current switch partition only check if kfd_processes_table is empty. kfd_prcesses_table entry is deleted in kfd_process_notifier_release, but kfd_process tear down is in kfd_process_wq_release.  consider two processes:  Process A (workqueue) -> kfd_process_wq_release -> Access kfd_node member Process B switch partition -> amdgpu_xcp_pre_partition_switch -> amdgpu_amdkfd_device_fini_sw -> kfd_node tear down.  Process A and B may trigger a race as shown in dmesg log.  This patch is to resolve the race by adding an atomic kfd_process counter kfd_processes_count, it increment as create kfd process, decrement as finish kfd_process_wq_release.  v2: Put kfd_processes_count per kfd_dev, move decrement to kfd_process_destroy_pdds and bug fix. (Philip Yang)  [3966658.307702] divide error: 0000 [#1] SMP NOPTI [3966658.350818]  i10nm_edac [3966658.356318] CPU: 124 PID: 38435 Comm: kworker/124:0 Kdump: loaded Tainted [3966658.356890] Workqueue: kfd_process_wq kfd_process_wq_release [amdgpu] [3966658.362839]  nfit [3966658.366457] RIP: 0010:kfd_get_num_sdma_engines+0x17/0x40 [amdgpu] [3966658.366460] Code: 00 00 e9 ac 81 02 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 0f 1f 44 00 00 48 8b 4f 08 48 8b b7 00 01 00 00 8b 81 58 26 03 00 99 <f7> be b8 01 00 00 80 b9 70 2e 00 00 00 74 0b 83 f8 02 ba 02 00 00 [3966658.380967]  x86_pkg_temp_thermal [3966658.391529] RSP: 0018:ffffc900a0edfdd8 EFLAGS: 00010246 [3966658.391531] RAX: 0000000000000008 RBX: ffff8974e593b800 RCX: ffff888645900000 [3966658.391531] RDX: 0000000000000000 RSI: ffff888129154400 RDI: ffff888129151c00 [3966658.391532] RBP: ffff8883ad79d400 R08: 0000000000000000 R09: ffff8890d2750af4 [3966658.391532] R10: 0000000000000018 R11: 0000000000000018 R12: 0000000000000000 [3966658.391533] R13: ffff8883ad79d400 R14: ffffe87ff662ba00 R15: ffff8974e593b800 
[3966658.391533] FS:  0000000000000000(0000) GS:ffff88fe7f600000(0000) knlGS:0000000000000000 [3966658.391534] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [3966658.391534] CR2: 0000000000d71000 CR3: 000000dd0e970004 CR4: 0000000002770ee0 [3966658.391535] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [3966658.391535] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [3966658.391536] PKRU: 55555554 [3966658.391536] Call Trace: [3966658.391674]  deallocate_sdma_queue+0x38/0xa0 [amdgpu] [3966658.391762]  process_termination_cpsch+0x1ed/0x480 [amdgpu] [3966658.399754]  intel_powerclamp [3966658.402831]  kfd_process_dequeue_from_all_devices+0x5b/0xc0 [amdgpu] [3966658.402908]  kfd_process_wq_release+0x1a/0x1a0 [amdgpu] [3966658.410516]  coretemp [3966658.434016]  process_one_work+0x1ad/0x380 [3966658.434021]  worker_thread+0x49/0x310 [3966658.438963]  kvm_intel [3966658.446041]  ? process_one_work+0x380/0x380 [3966658.446045]  kthread+0x118/0x140 [3966658.446047]  ? 
__kthread_bind_mask+0x60/0x60 [3966658.446050]  ret_from_fork+0x1f/0x30 [3966658.446053] Modules linked in: kpatch_20765354(OEK) [3966658.455310]  kvm [3966658.464534]  mptcp_diag xsk_diag raw_diag unix_diag af_packet_diag netlink_diag udp_diag act_pedit act_mirred act_vlan cls_flower kpatch_21951273(OEK) kpatch_18424469(OEK) kpatch_19749756(OEK) [3966658.473462]  idxd_mdev [3966658.482306]  kpatch_17971294(OEK) sch_ingress xt_conntrack amdgpu(OE) amdxcp(OE) amddrm_buddy(OE) amd_sched(OE) amdttm(OE) amdkcl(OE) intel_ifs iptable_mangle tcm_loop target_core_pscsi tcp_diag target_core_file inet_diag target_core_iblock target_core_user target_core_mod coldpgs kpatch_18383292(OEK) ip6table_nat ip6table_filter ip6_tables ip_set_hash_ipportip ip_set_hash_ipportnet ip_set_hash_ipport ip_set_bitmap_port xt_comment iptable_nat nf_nat iptable_filter ip_tables ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 sn_core_odd(OE) i40e overlay binfmt_misc tun bonding(OE) aisqos(OE) aisqo ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40310",
                        "url": "https://ubuntu.com/security/CVE-2025-40310",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw  There is race in amdgpu_amdkfd_device_fini_sw and interrupt. if amdgpu_amdkfd_device_fini_sw run in b/w kfd_cleanup_nodes and   kfree(kfd), and KGD interrupt generated.  kernel panic log:  BUG: kernel NULL pointer dereference, address: 0000000000000098 amdgpu 0000:c8:00.0: amdgpu: Requesting 4 partitions through PSP  PGD d78c68067 P4D d78c68067  kfd kfd: amdgpu: Allocated 3969056 bytes on gart  PUD 1465b8067 PMD @  Oops: @002 [#1] SMP NOPTI  kfd kfd: amdgpu: Total number of KFD nodes to be created: 4 CPU: 115 PID: @ Comm: swapper/115 Kdump: loaded Tainted: G S W OE K  RIP: 0010:_raw_spin_lock_irqsave+0x12/0x40  Code: 89 e@ 41 5c c3 cc cc cc cc 66 66 2e Of 1f 84 00 00 00 00 00 OF 1f 40 00 Of 1f 44% 00 00 41 54 9c 41 5c fa 31 cO ba 01 00 00 00 <fO> OF b1 17 75 Ba 4c 89 e@ 41 Sc  89 c6 e8 07 38 5d  RSP: 0018: ffffc90@1a6b0e28 EFLAGS: 00010046  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000018 0000000000000001 RSI: ffff8883bb623e00 RDI: 0000000000000098 ffff8883bb000000 RO8: ffff888100055020 ROO: ffff888100055020 0000000000000000 R11: 0000000000000000 R12: 0900000000000002 ffff888F2b97da0@ R14: @000000000000098 R15: ffff8883babdfo00  CS: 010 DS: 0000 ES: 0000 CRO: 0000000080050033  CR2: 0000000000000098 CR3: 0000000e7cae2006 CR4: 0000000002770ce0 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 0000000000000000 DR6: 00000000fffeO7FO DR7: 0000000000000400  PKRU: 55555554  Call Trace:  <IRQ>  kgd2kfd_interrupt+@x6b/0x1f@ [amdgpu]  ? 
amdgpu_fence_process+0xa4/0x150 [amdgpu]  kfd kfd: amdgpu: Node: 0, interrupt_bitmap: 3 YcpxFl Rant tErace  amdgpu_irq_dispatch+0x165/0x210 [amdgpu]  amdgpu_ih_process+0x80/0x100 [amdgpu]  amdgpu: Virtual CRAT table created for GPU  amdgpu_irq_handler+0x1f/@x60 [amdgpu]  __handle_irq_event_percpu+0x3d/0x170  amdgpu: Topology: Add dGPU node [0x74a2:0x1002]  handle_irq_event+0x5a/@xcO  handle_edge_irq+0x93/0x240  kfd kfd: amdgpu: KFD node 1 partition @ size 49148M  asm_call_irq_on_stack+0xf/@x20  </IRQ>  common_interrupt+0xb3/0x130  asm_common_interrupt+0x1le/0x40  5.10.134-010.a1i5000.a18.x86_64 #1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40361",
                        "url": "https://ubuntu.com/security/CVE-2025-40361",
                        "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40311",
                        "url": "https://ubuntu.com/security/CVE-2025-40311",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/habanalabs: support mapping cb with vmalloc-backed coherent memory  When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return addresses from the vmalloc range. If such an address is mapped without VM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the VM_PFNMAP restriction.  Fix this by checking for vmalloc addresses and setting VM_MIXEDMAP in the VMA before mapping. This ensures safe mapping and avoids kernel crashes. The memory is still driver-allocated and cannot be accessed directly by userspace.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68185",
                        "url": "https://ubuntu.com/security/CVE-2025-68185",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing  Theoretically it's an oopsable race, but I don't believe one can manage to hit it on real hardware; might become doable on a KVM, but it still won't be easy to attack.  Anyway, it's easy to deal with - since xdr_encode_hyper() is just a call of put_unaligned_be64(), we can put that under ->d_lock and be done with that.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68176",
                        "url": "https://ubuntu.com/security/CVE-2025-68176",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: cadence: Check for the existence of cdns_pcie::ops before using it  cdns_pcie::ops might not be populated by all the Cadence glue drivers. This is going to be true for the upcoming Sophgo platform which doesn't set the ops.  Hence, add a check to prevent NULL pointer dereference.  [mani: reworded subject and description]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68190",
                        "url": "https://ubuntu.com/security/CVE-2025-68190",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()  kcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws remains NULL while ectx.ws_size is set, leading to a potential NULL pointer dereference in atom_get_src_int() when accessing WS entries.  Return -ENOMEM on allocation failure to avoid the NULL dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68168",
                        "url": "https://ubuntu.com/security/CVE-2025-68168",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  jfs: fix uninitialized waitqueue in transaction manager  The transaction manager initialization in txInit() was not properly initializing TxBlock[0].waitor waitqueue, causing a crash when txEnd(0) is called on read-only filesystems.  When a filesystem is mounted read-only, txBegin() returns tid=0 to indicate no transaction. However, txEnd(0) still gets called and tries to access TxBlock[0].waitor via tid_to_tblock(0), but this waitqueue was never initialized because the initialization loop started at index 1 instead of 0.  This causes a 'non-static key' lockdep warning and system crash:   INFO: trying to register non-static key in txEnd  Fix by ensuring all transaction blocks including TxBlock[0] have their waitqueues properly initialized during txInit().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40312",
                        "url": "https://ubuntu.com/security/CVE-2025-40312",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  jfs: Verify inode mode when loading from disk  The inode mode loaded from corrupted disk can be invalid. Do like what commit 0a9e74051313 (\"isofs: Verify inode mode when loading from disk\") does.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40333",
                        "url": "https://ubuntu.com/security/CVE-2025-40333",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix infinite loop in __insert_extent_tree()  When we get wrong extent info data and look up extent_node in the rb tree, it will cause an infinite loop (CONFIG_F2FS_CHECK_FS=n). Avoid this by returning NULL and printing some kernel messages in that case.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68321",
                        "url": "https://ubuntu.com/security/CVE-2025-68321",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  page_pool: always add GFP_NOWARN for ATOMIC allocations  Driver authors often forget to add GFP_NOWARN for page allocation from the datapath. This is annoying to users as OOMs are a fact of life, and we pretty much expect network Rx to hit page allocation failures during OOM. Make page pool add GFP_NOWARN for ATOMIC allocations by default.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40334",
                        "url": "https://ubuntu.com/security/CVE-2025-40334",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: validate userq buffer virtual address and size  It needs to validate the userq object virtual address to determine whether it resides in a valid vm mapping.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68191",
                        "url": "https://ubuntu.com/security/CVE-2025-68191",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  udp_tunnel: use netdev_warn() instead of netdev_WARN()  netdev_WARN() uses WARN/WARN_ON to print a backtrace along with file and line information. In this case, udp_tunnel_nic_register() returning an error is just a failed operation, not a kernel bug.  udp_tunnel_nic_register() can fail due to a memory allocation failure (kzalloc() or udp_tunnel_nic_alloc()). This is a normal runtime error and not a kernel bug.  Replace netdev_WARN() with netdev_warn() accordingly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68309",
                        "url": "https://ubuntu.com/security/CVE-2025-68309",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI/AER: Fix NULL pointer access by aer_info  The kzalloc(GFP_KERNEL) may return NULL, so all accesses to aer_info->xxx will result in kernel panic. Fix it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40313",
                        "url": "https://ubuntu.com/security/CVE-2025-40313",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ntfs3: pretend $Extend records as regular files  Since commit af153bb63a33 (\"vfs: catch invalid modes in may_open()\") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/ S_IFIFO/S_IFSOCK type, use S_IFREG for $Extend records.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40335",
                        "url": "https://ubuntu.com/security/CVE-2025-40335",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: validate userq input args  This helps validate the userq input args and reject invalid userq requests up front in the IOCTLs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40314",
                        "url": "https://ubuntu.com/security/CVE-2025-40314",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget  In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget structure (pdev->gadget) was freed before its endpoints. The endpoints are linked via the ep_list in the gadget structure. Freeing the gadget first leaves dangling pointers in the endpoint list. When the endpoints are subsequently freed, this results in a use-after-free.  Fix: By separating the usb_del_gadget_udc() operation into distinct \"del\" and \"put\" steps, cdnsp_gadget_free_endpoints() can be executed prior to the final release of the gadget structure with usb_put_gadget().  A patch similar to bb9c74a5bd14(\"usb: dwc3: gadget: Free gadget structure  only after freeing endpoints\").",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40336",
                        "url": "https://ubuntu.com/security/CVE-2025-40336",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gpusvm: fix hmm_pfn_to_map_order() usage  Handle the case where the hmm range partially covers a huge page (like 2M), otherwise we can potentially end up doing something nasty like mapping memory which is outside the range, and maybe not even mapped by the mm. Fix is based on the xe userptr code, which in a future patch will directly use gpusvm, so needs alignment here.  v2:   - Add kernel-doc (Matt B)   - s/fls/ilog2/ (Thomas)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68193",
                        "url": "https://ubuntu.com/security/CVE-2025-68193",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Add devm release action to safely tear down CT  When a buffer object (BO) is allocated with the XE_BO_FLAG_GGTT_INVALIDATE flag, the driver initiates TLB invalidation requests via the CTB mechanism while releasing the BO. However a premature release of the CTB BO can lead to system crashes, as observed in:  Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:h2g_write+0x2f3/0x7c0 [xe] Call Trace:  guc_ct_send_locked+0x8b/0x670 [xe]  xe_guc_ct_send_locked+0x19/0x60 [xe]  send_tlb_invalidation+0xb4/0x460 [xe]  xe_gt_tlb_invalidation_ggtt+0x15e/0x2e0 [xe]  ggtt_invalidate_gt_tlb.part.0+0x16/0x90 [xe]  ggtt_node_remove+0x110/0x140 [xe]  xe_ggtt_node_remove+0x40/0xa0 [xe]  xe_ggtt_remove_bo+0x87/0x250 [xe]  Introduce a devm-managed release action during xe_guc_ct_init() and xe_guc_ct_init_post_hwconfig() to ensure proper CTB disablement before resource deallocation, preventing the use-after-free scenario.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68175",
                        "url": "https://ubuntu.com/security/CVE-2025-68175",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: nxp: imx8-isi: Fix streaming cleanup on release  The current implementation unconditionally calls mxc_isi_video_cleanup_streaming() in mxc_isi_video_release(). This can lead to situations where any release call (like from a simple \"v4l2-ctl -l\") may release a currently streaming queue when called on such a device.  This is reproducible on an i.MX8MP board by streaming from an ISI capture device using gstreamer:  \tgst-launch-1.0 -v v4l2src device=/dev/videoX ! \\ \t    video/x-raw,format=GRAY8,width=1280,height=800,framerate=1/120 ! \\ \t    fakesink  While this stream is running, querying the caps of the same device provokes the error state:  \tv4l2-ctl -l -d /dev/videoX  This results in the following trace:  [  155.452152] ------------[ cut here ]------------ [  155.452163] WARNING: CPU: 0 PID: 1708 at drivers/media/platform/nxp/imx8-isi/imx8-isi-pipe.c:713 mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [  157.004248] Modules linked in: cfg80211 rpmsg_ctrl rpmsg_char rpmsg_tty virtio_rpmsg_bus rpmsg_ns rpmsg_core rfkill nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables mcp251x6 [  157.053499] CPU: 0 UID: 0 PID: 1708 Comm: python3 Not tainted 6.15.4-00114-g1f61ca5cad76 #1 PREEMPT [  157.064369] Hardware name: imx8mp_board_01 (DT) [  157.068205] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [  157.075169] pc : mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [  157.081195] lr : mxc_isi_pipe_irq_handler+0x38/0x1b0 [imx8_isi] [  157.087126] sp : ffff800080003ee0 [  157.090438] x29: ffff800080003ee0 x28: ffff0000c3688000 x27: 0000000000000000 [  157.097580] x26: 0000000000000000 x25: ffff0000c1e7ac00 x24: ffff800081b5ad50 [  157.104723] x23: 00000000000000d1 x22: 0000000000000000 x21: ffff0000c25e4000 [  157.111866] x20: 0000000060000200 x19: ffff80007a0608d0 x18: 0000000000000000 [  157.119008] x17: ffff80006a4e3000 
x16: ffff800080000000 x15: 0000000000000000 [  157.126146] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [  157.133287] x11: 0000000000000040 x10: ffff0000c01445f0 x9 : ffff80007a053a38 [  157.140425] x8 : ffff0000c04004b8 x7 : 0000000000000000 x6 : 0000000000000000 [  157.147567] x5 : ffff0000c0400490 x4 : ffff80006a4e3000 x3 : ffff0000c25e4000 [  157.154706] x2 : 0000000000000000 x1 : ffff8000825c0014 x0 : 0000000060000200 [  157.161850] Call trace: [  157.164296]  mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] (P) [  157.170319]  __handle_irq_event_percpu+0x58/0x218 [  157.175029]  handle_irq_event+0x54/0xb8 [  157.178867]  handle_fasteoi_irq+0xac/0x248 [  157.182968]  handle_irq_desc+0x48/0x68 [  157.186723]  generic_handle_domain_irq+0x24/0x38 [  157.191346]  gic_handle_irq+0x54/0x120 [  157.195098]  call_on_irq_stack+0x24/0x30 [  157.199027]  do_interrupt_handler+0x88/0x98 [  157.203212]  el0_interrupt+0x44/0xc0 [  157.206792]  __el0_irq_handler_common+0x18/0x28 [  157.211328]  el0t_64_irq_handler+0x10/0x20 [  157.215429]  el0t_64_irq+0x198/0x1a0 [  157.219009] ---[ end trace 0000000000000000 ]---  Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the vb2_ioctl_streamon() and vb2_ioctl_streamoff() helpers, and removal of the manual cleanup from mxc_isi_video_release().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68188",
                        "url": "https://ubuntu.com/security/CVE-2025-68188",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()  Use RCU to avoid a pair of atomic operations and a potential UAF on dst_dev()->flags.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68315",
                        "url": "https://ubuntu.com/security/CVE-2025-68315",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix to detect potential corrupted nid in free_nid_list  As reported, on-disk footer.ino and footer.nid is the same and out-of-range, let's add sanity check on f2fs_alloc_nid() to detect any potential corruption in free_nid_list.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40337",
                        "url": "https://ubuntu.com/security/CVE-2025-40337",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Correctly handle Rx checksum offload errors  The stmmac_rx function would previously set skb->ip_summed to CHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabled and the packet was of a known IP ethertype.  However, this logic failed to check if the hardware had actually reported a checksum error. The hardware status, indicating a header or payload checksum failure, was being ignored at this stage. This could cause corrupt packets to be passed up the network stack as valid.  This patch corrects the logic by checking the `csum_none` status flag, which is set when the hardware reports a checksum error. If this flag is set, skb->ip_summed is now correctly set to CHECKSUM_NONE, ensuring the kernel's network stack will perform its own validation and properly handle the corrupt packet.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40338",
                        "url": "https://ubuntu.com/security/CVE-2025-40338",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Do not share the name pointer between components  By sharing 'name' directly, tearing down components may lead to use-after-free errors. Duplicate the name to avoid that.  At the same time, update the order of operations - since commit cee28113db17 (\"ASoC: dmaengine_pcm: Allow passing component name via config\") the framework does not override component->name if set before invoking the initializer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40339",
                        "url": "https://ubuntu.com/security/CVE-2025-40339",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: fix nullptr err of vm_handle_moved  If a amdgpu_bo_va is fpriv->prt_va, the bo of this one is always NULL. So, such kind of amdgpu_bo_va should be updated separately before amdgpu_vm_handle_moved.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68194",
                        "url": "https://ubuntu.com/security/CVE-2025-68194",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: imon: make send_packet() more robust  syzbot is reporting that imon has three problems which result in hung tasks due to forever holding device lock [1].  First problem is that when usb_rx_callback_intf0() once got -EPROTO error after ictx->dev_present_intf0 became true, usb_rx_callback_intf0() resubmits urb after printk(), and resubmitted urb causes usb_rx_callback_intf0() to again get -EPROTO error. This results in printk() flooding (RCU stalls).  Alan Stern commented [2] that    In theory it's okay to resubmit _if_ the driver has a robust   error-recovery scheme (such as giving up after some fixed limit on the   number of errors or after some fixed time has elapsed, perhaps with a   time delay to prevent a flood of errors).  Most drivers don't bother to   do this; they simply give up right away.  This makes them more   vulnerable to short-term noise interference during USB transfers, but in   reality such interference is quite rare.  There's nothing really wrong   with giving up right away.  but imon has a poor error-recovery scheme which just retries forever; this behavior should be fixed.  Since I'm not sure whether it is safe for imon users to give up upon any error code, this patch takes care of only union of error codes chosen from modules in drivers/media/rc/ directory which handle -EPROTO error (i.e. ir_toy, mceusb and igorplugusb).  Second problem is that when usb_rx_callback_intf0() once got -EPROTO error before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0() always resubmits urb due to commit 8791d63af0cf (\"[media] imon: don't wedge hardware after early callbacks\"). 
Move the ictx->dev_present_intf0 test introduced by commit 6f6b90c9231a (\"[media] imon: don't parse scancodes until intf configured\") to immediately before imon_incoming_packet(), or the first problem explained above happens without printk() flooding (i.e. hung task).  Third problem is that when usb_rx_callback_intf0() is not called for some reason (e.g. flaky hardware; the reproducer for this problem sometimes prevents usb_rx_callback_intf0() from being called), wait_for_completion_interruptible() in send_packet() never returns (i.e. hung task). As a workaround for such situation, change send_packet() to wait for completion with timeout of 10 seconds.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40363",
                        "url": "https://ubuntu.com/security/CVE-2025-40363",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: ipv6: fix field-spanning memcpy warning in AH output  Fix field-spanning memcpy warnings in ah6_output() and ah6_output_done() where extension headers are copied to/from IPv6 address fields, triggering fortify-string warnings about writes beyond the 16-byte address fields.    memcpy: detected field-spanning write (size 40) of single field \"&top_iph->saddr\" at net/ipv6/ah6.c:439 (size 16)   WARNING: CPU: 0 PID: 8838 at net/ipv6/ah6.c:439 ah6_output+0xe7e/0x14e0 net/ipv6/ah6.c:439  The warnings are false positives as the extension headers are intentionally placed after the IPv6 header in memory. Fix by properly copying addresses and extension headers separately, and introduce helper functions to avoid code duplication.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68311",
                        "url": "https://ubuntu.com/security/CVE-2025-68311",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: serial: ip22zilog: Use platform device for probing  After commit 84a9582fd203 (\"serial: core: Start managing serial controllers to enable runtime PM\") serial drivers need to provide a device in struct uart_port.dev otherwise an oops happens. To fix this issue for ip22zilog driver switch driver to a platform driver and setup the serial device in sgi-ip22 code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40340",
                        "url": "https://ubuntu.com/security/CVE-2025-40340",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.  I saw an oops in xe_gem_fault when running the xe-fast-feedback testlist against the realtime kernel without debug options enabled.  The panic happens after core_hotunplug unbind-rebind finishes. Presumably what happens is that a process mmaps, unlocks because of the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left, causing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since there was nothing left to populate, and then oopses in \"mem_type_is_vram(tbo->resource->mem_type)\" because tbo->resource is NULL.  It's convoluted, but fits the data and explains the oops after the test exits.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68196",
                        "url": "https://ubuntu.com/security/CVE-2025-68196",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Cache streams targeting link when performing LT automation  [WHY] Last LT automation update can cause crash by referencing current_state and calling into dc_update_planes_and_stream which may clobber current_state.  [HOW] Cache relevant stream pointers and iterate through them instead of relying on the current_state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68178",
                        "url": "https://ubuntu.com/security/CVE-2025-68178",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  blk-cgroup: fix possible deadlock while configuring policy  Following deadlock can be triggered easily by lockdep:  WARNING: possible circular locking dependency detected 6.17.0-rc3-00124-ga12c2658ced0 #1665 Not tainted ------------------------------------------------------ check/1334 is trying to acquire lock: ff1100011d9d0678 (&q->sysfs_lock){+.+.}-{4:4}, at: blk_unregister_queue+0x53/0x180  but task is already holding lock: ff1100011d9d00e0 (&q->q_usage_counter(queue)#3){++++}-{0:0}, at: del_gendisk+0xba/0x110  which lock already depends on the new lock.  the existing dependency chain (in reverse order) is:  -> #2 (&q->q_usage_counter(queue)#3){++++}-{0:0}:        blk_queue_enter+0x40b/0x470        blkg_conf_prep+0x7b/0x3c0        tg_set_limit+0x10a/0x3e0        cgroup_file_write+0xc6/0x420        kernfs_fop_write_iter+0x189/0x280        vfs_write+0x256/0x490        ksys_write+0x83/0x190        __x64_sys_write+0x21/0x30        x64_sys_call+0x4608/0x4630        do_syscall_64+0xdb/0x6b0        entry_SYSCALL_64_after_hwframe+0x76/0x7e  -> #1 (&q->rq_qos_mutex){+.+.}-{4:4}:        __mutex_lock+0xd8/0xf50        mutex_lock_nested+0x2b/0x40        wbt_init+0x17e/0x280        wbt_enable_default+0xe9/0x140        blk_register_queue+0x1da/0x2e0        __add_disk+0x38c/0x5d0        add_disk_fwnode+0x89/0x250        device_add_disk+0x18/0x30        virtblk_probe+0x13a3/0x1800        virtio_dev_probe+0x389/0x610        really_probe+0x136/0x620        __driver_probe_device+0xb3/0x230        driver_probe_device+0x2f/0xe0        __driver_attach+0x158/0x250        bus_for_each_dev+0xa9/0x130        driver_attach+0x26/0x40        bus_add_driver+0x178/0x3d0        driver_register+0x7d/0x1c0        __register_virtio_driver+0x2c/0x60        virtio_blk_init+0x6f/0xe0        do_one_initcall+0x94/0x540        kernel_init_freeable+0x56a/0x7b0        kernel_init+0x2b/0x270    
    ret_from_fork+0x268/0x4c0        ret_from_fork_asm+0x1a/0x30  -> #0 (&q->sysfs_lock){+.+.}-{4:4}:        __lock_acquire+0x1835/0x2940        lock_acquire+0xf9/0x450        __mutex_lock+0xd8/0xf50        mutex_lock_nested+0x2b/0x40        blk_unregister_queue+0x53/0x180        __del_gendisk+0x226/0x690        del_gendisk+0xba/0x110        sd_remove+0x49/0xb0 [sd_mod]        device_remove+0x87/0xb0        device_release_driver_internal+0x11e/0x230        device_release_driver+0x1a/0x30        bus_remove_device+0x14d/0x220        device_del+0x1e1/0x5a0        __scsi_remove_device+0x1ff/0x2f0        scsi_remove_device+0x37/0x60        sdev_store_delete+0x77/0x100        dev_attr_store+0x1f/0x40        sysfs_kf_write+0x65/0x90        kernfs_fop_write_iter+0x189/0x280        vfs_write+0x256/0x490        ksys_write+0x83/0x190        __x64_sys_write+0x21/0x30        x64_sys_call+0x4608/0x4630        do_syscall_64+0xdb/0x6b0        entry_SYSCALL_64_after_hwframe+0x76/0x7e  other info that might help us debug this:  Chain exists of:   &q->sysfs_lock --> &q->rq_qos_mutex --> &q->q_usage_counter(queue)#3   Possible unsafe locking scenario:         CPU0                    CPU1        ----                    ----   lock(&q->q_usage_counter(queue)#3);                                lock(&q->rq_qos_mutex);                                lock(&q->q_usage_counter(queue)#3);   lock(&q->sysfs_lock);  Root cause is that queue_usage_counter is grabbed with rq_qos_mutex held in blkg_conf_prep(), while queue should be freezed before rq_qos_mutex from other context.  The blk_queue_enter() from blkg_conf_prep() is used to protect against policy deactivation, which is already protected with blkcg_mutex, hence convert blk_queue_enter() to blkcg_mutex to fix this problem. Meanwhile, consider that blkcg_mutex is held after queue is freezed from policy deactivation, also convert blkg_alloc() to use GFP_NOIO.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40341",
                        "url": "https://ubuntu.com/security/CVE-2025-40341",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  futex: Don't leak robust_list pointer on exec race  sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access() to check if the calling task is allowed to access another task's robust_list pointer. This check is racy against a concurrent exec() in the target process.  During exec(), a task may transition from a non-privileged binary to a privileged one (e.g., setuid binary) and its credentials/memory mappings may change. If get_robust_list() performs ptrace_may_access() before this transition, it may erroneously allow access to sensitive information after the target becomes privileged.  A racy access allows an attacker to exploit a window during which ptrace_may_access() passes before a target process transitions to a privileged state via exec().  For example, consider a non-privileged task T that is about to execute a setuid-root binary. An attacker task A calls get_robust_list(T) while T is still unprivileged. Since ptrace_may_access() checks permissions based on current credentials, it succeeds. However, if T begins exec immediately afterwards, it becomes privileged and may change its memory mappings. Because get_robust_list() proceeds to access T->robust_list without synchronizing with exec() it may read user-space pointers from a now-privileged process.  This violates the intended post-exec access restrictions and could expose sensitive memory addresses or be used as a primitive in a larger exploit chain. Consequently, the race can lead to unauthorized disclosure of information across privilege boundaries and poses a potential security risk.  Take a read lock on signal->exec_update_lock prior to invoking ptrace_may_access() and accessing the robust_list/compat_robust_list. This ensures that the target task's exec state remains stable during the check, allowing for consistent and synchronized validation of credentials.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40342",
                        "url": "https://ubuntu.com/security/CVE-2025-40342",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvme-fc: use lock accessing port_state and rport state  nvme_fc_unregister_remote removes the remote port on a lport object at any point in time when there is no active association. This races with the reconnect logic, because nvme_fc_create_association is not taking a lock to check the port_state and atomically increase the active count on the rport.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40343",
                        "url": "https://ubuntu.com/security/CVE-2025-40343",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-fc: avoid scheduling association deletion twice  When forcefully shutting down a port via the configfs interface, nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and then nvmet_disable_port(). Both functions will eventually schedule all remaining associations for deletion.  The current implementation checks whether an association is about to be removed, but only after the work item has already been scheduled. As a result, it is possible for the first scheduled work item to free all resources, and then for the same work item to be scheduled again for deletion.  Because the association list is an RCU list, it is not possible to take a lock and remove the list entry directly, so it cannot be looked up again. Instead, a flag (terminating) must be used to determine whether the association is already in the process of being deleted.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68177",
                        "url": "https://ubuntu.com/security/CVE-2025-68177",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq/longhaul: handle NULL policy in longhaul_exit  longhaul_exit() was calling cpufreq_cpu_get(0) without checking for a NULL policy pointer. On some systems, this could lead to a NULL dereference and a kernel warning or panic.  This patch adds a check using unlikely() and returns early if the policy is NULL.  Bugzilla: #219962",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68317",
                        "url": "https://ubuntu.com/security/CVE-2025-68317",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/zctx: check chained notif contexts  Send zc only links ubuf_info for requests coming from the same context. There are some ambiguous syz reports, so let's check the assumption on notification completion.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40315",
                        "url": "https://ubuntu.com/security/CVE-2025-40315",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_fs: Fix epfile null pointer access after ep enable.  A race condition occurs when ffs_func_eps_enable() runs concurrently with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading to a NULL pointer dereference when accessing epfile->ep in ffs_func_eps_enable() after successful usb_ep_enable().  The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and ffs_data_close() functions, and its modification is protected by the spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function is also protected by ffs->eps_lock.  Thus, add NULL pointer handling for ffs->epfiles in the ffs_func_eps_enable() function to fix issues",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40316",
                        "url": "https://ubuntu.com/security/CVE-2025-40316",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/mediatek: Fix device use-after-free on unbind  A recent change fixed device reference leaks when looking up drm platform device driver data during bind() but failed to remove a partial fix which had been added by commit 80805b62ea5b (\"drm/mediatek: Fix kobject put for component sub-drivers\").  This results in a reference imbalance on component bind() failures and on unbind() which could lead to a use-after-free.  Make sure to only drop the references after retrieving the driver data by effectively reverting the previous partial fix.  Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40360",
                        "url": "https://ubuntu.com/security/CVE-2025-40360",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sysfb: Do not dereference NULL pointer in plane reset  The plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not deref that pointer, but forward NULL to the other plane-reset helpers. Clears plane->state to NULL.  v2: - fix typo in commit description (Javier)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68179",
                        "url": "https://ubuntu.com/security/CVE-2025-68179",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP  As reported by Luiz Capitulino enabling HVO on s390 leads to reproducible crashes. The problem is that kernel page tables are modified without flushing corresponding TLB entries.  Even if it looks like the empty flush_tlb_all() implementation on s390 is the problem, it is actually a different problem: on s390 it is not allowed to replace an active/valid page table entry with another valid page table entry without the detour over an invalid entry. A direct replacement may lead to random crashes and/or data corruption.  In order to invalidate an entry special instructions have to be used (e.g. ipte or idte). Alternatively there are also special instructions available which allow to replace a valid entry with a different valid entry (e.g. crdte or cspg).  Given that the HVO code currently does not provide the hooks to allow for an implementation which is compliant with the s390 architecture requirements, disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP again, which is basically a revert of the original patch which enabled it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68310",
                        "url": "https://ubuntu.com/security/CVE-2025-68310",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump  Do not block PCI config accesses through pci_cfg_access_lock() when executing the s390 variant of PCI error recovery: Acquire just device_lock() instead of pci_dev_lock() as powerpc's EEH and generig PCI AER processing do.  During error recovery testing a pair of tasks was reported to be hung:  mlx5_core 0000:00:00.1: mlx5_health_try_recover:338:(pid 5553): health recovery flow aborted, PCI reads still not working INFO: task kmcheck:72 blocked for more than 122 seconds.       Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. task:kmcheck         state:D stack:0     pid:72    tgid:72    ppid:2     flags:0x00000000 Call Trace:  [<000000065256f030>] __schedule+0x2a0/0x590  [<000000065256f356>] schedule+0x36/0xe0  [<000000065256f572>] schedule_preempt_disabled+0x22/0x30  [<0000000652570a94>] __mutex_lock.constprop.0+0x484/0x8a8  [<000003ff800673a4>] mlx5_unload_one+0x34/0x58 [mlx5_core]  [<000003ff8006745c>] mlx5_pci_err_detected+0x94/0x140 [mlx5_core]  [<0000000652556c5a>] zpci_event_attempt_error_recovery+0xf2/0x398  [<0000000651b9184a>] __zpci_event_error+0x23a/0x2c0 INFO: task kworker/u1664:6:1514 blocked for more than 122 seconds.       Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. 
task:kworker/u1664:6 state:D stack:0     pid:1514  tgid:1514  ppid:2     flags:0x00000000 Workqueue: mlx5_health0000:00:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core] Call Trace:  [<000000065256f030>] __schedule+0x2a0/0x590  [<000000065256f356>] schedule+0x36/0xe0  [<0000000652172e28>] pci_wait_cfg+0x80/0xe8  [<0000000652172f94>] pci_cfg_access_lock+0x74/0x88  [<000003ff800916b6>] mlx5_vsc_gw_lock+0x36/0x178 [mlx5_core]  [<000003ff80098824>] mlx5_crdump_collect+0x34/0x1c8 [mlx5_core]  [<000003ff80074b62>] mlx5_fw_fatal_reporter_dump+0x6a/0xe8 [mlx5_core]  [<0000000652512242>] devlink_health_do_dump.part.0+0x82/0x168  [<0000000652513212>] devlink_health_report+0x19a/0x230  [<000003ff80075a12>] mlx5_fw_fatal_reporter_err_work+0xba/0x1b0 [mlx5_core]  No kernel log of the exact same error with an upstream kernel is available - but the very same deadlock situation can be constructed there, too:  - task: kmcheck   mlx5_unload_one() tries to acquire devlink lock while the PCI error   recovery code has set pdev->block_cfg_access by way of   pci_cfg_access_lock() - task: kworker   mlx5_crdump_collect() tries to set block_cfg_access through   pci_cfg_access_lock() while devlink_health_report() had acquired   the devlink lock.  A similar deadlock situation can be reproduced by requesting a crdump with   > devlink health dump show pci/<BDF> reporter fw_fatal  while PCI error recovery is executed on the same <BDF> physical function by mlx5_core's pci_error_handlers. On s390 this can be injected with   > zpcictl --reset-fw <BDF>  Tests with this patch failed to reproduce that second deadlock situation, the devlink command is rejected with \"kernel answers: Permission denied\" - and we get a kernel log message of:  mlx5_core 1ed0:00:00.1: mlx5_crdump_collect:50:(pid 254382): crdump: failed to lock vsc gw err -5  because the config read of VSC_SEMAPHORE is rejected by the underlying hardware.  
Two prior attempts to address this issue have been discussed and ultimately rejected [see link], with the primary argument that s390's implementation of PCI error recovery is imposing restrictions that neither powerpc's EEH nor PCI AER handling need. Tests show that PCI error recovery on s390 is running to completion even without blocking access to PCI config space.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40317",
                        "url": "https://ubuntu.com/security/CVE-2025-40317",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  regmap: slimbus: fix bus_context pointer in regmap init calls  Commit 4e65bda8273c (\"ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()\") revealed the problem in the slimbus regmap. That commit breaks audio playback, for instance, on sdm845 Thundercomm Dragonboard 845c board:   Unable to handle kernel paging request at virtual address ffff8000847cbad4  ...  CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT  Hardware name: Thundercomm Dragonboard 845c (DT)  ...  Call trace:   slim_xfer_msg+0x24/0x1ac [slimbus] (P)   slim_read+0x48/0x74 [slimbus]   regmap_slimbus_read+0x18/0x24 [regmap_slimbus]   _regmap_raw_read+0xe8/0x174   _regmap_bus_read+0x44/0x80   _regmap_read+0x60/0xd8   _regmap_update_bits+0xf4/0x140   _regmap_select_page+0xa8/0x124   _regmap_raw_write_impl+0x3b8/0x65c   _regmap_bus_raw_write+0x60/0x80   _regmap_write+0x58/0xc0   regmap_write+0x4c/0x80   wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x]   snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core]   __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core]   dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core]   dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core]   snd_pcm_hw_params+0x124/0x464 [snd_pcm]   snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm]   snd_pcm_ioctl+0x34/0x4c [snd_pcm]   __arm64_sys_ioctl+0xac/0x104   invoke_syscall+0x48/0x104   el0_svc_common.constprop.0+0x40/0xe0   do_el0_svc+0x1c/0x28   el0_svc+0x34/0xec   el0t_64_sync_handler+0xa0/0xf0   el0t_64_sync+0x198/0x19c  The __devm_regmap_init_slimbus() started to be used instead of __regmap_init_slimbus() after the commit mentioned above and turns out the incorrect bus_context pointer (3rd argument) was used in __devm_regmap_init_slimbus(). It should be just \"slimbus\" (which is equal to &slimbus->dev). Correct it. 
The wcd934x codec seems to be the only or the first user of devm_regmap_init_slimbus() but we should fix it till the point where __devm_regmap_init_slimbus() was introduced therefore two \"Fixes\" tags.  While at this, also correct the same argument in __regmap_init_slimbus().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40359",
                        "url": "https://ubuntu.com/security/CVE-2025-40359",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/x86/intel: Fix KASAN global-out-of-bounds warning  When running \"perf mem record\" command on CWF, the below KASAN global-out-of-bounds warning is seen.    ==================================================================   BUG: KASAN: global-out-of-bounds in cmt_latency_data+0x176/0x1b0   Read of size 4 at addr ffffffffb721d000 by task dtlb/9850    Call Trace:     kasan_report+0xb8/0xf0    cmt_latency_data+0x176/0x1b0    setup_arch_pebs_sample_data+0xf49/0x2560    intel_pmu_drain_arch_pebs+0x577/0xb00    handle_pmi_common+0x6c4/0xc80  The issue is caused by below code in __grt_latency_data(). The code tries to access x86_hybrid_pmu structure which doesn't exist on non-hybrid platform like CWF.          WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big)  So add is_hybrid() check before calling this WARN_ON_ONCE to fix the global-out-of-bounds access issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68181",
                        "url": "https://ubuntu.com/security/CVE-2025-68181",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Remove calls to drm_put_dev()  Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() drm_put_dev()'ing to trigger it to be free'd should be done by devres.  However, drm_put_dev() is still in the probe error and device remove paths. When the driver fails to probe warnings like the following are shown because devres is trying to drm_put_dev() after the driver already did it.  [    5.642230] radeon 0000:01:05.0: probe with driver radeon failed with error -22 [    5.649605] ------------[ cut here ]------------ [    5.649607] refcount_t: underflow; use-after-free. [    5.649620] WARNING: CPU: 0 PID: 357 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110  (cherry picked from commit 3eb8c0b4c091da0a623ade0d3ee7aa4a93df1ea4)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68170",
                        "url": "https://ubuntu.com/security/CVE-2025-68170",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Do not kfree() devres managed rdev  Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() rdev is managed by devres and we shouldn't be calling kfree() on it.  This fixes things exploding if the driver probe fails and devres cleans up the rdev after we already free'd it.  (cherry picked from commit 16c0681617b8a045773d4d87b6140002fa75b03b)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40213",
                        "url": "https://ubuntu.com/security/CVE-2025-40213",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete  There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array.  Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove.  Use DEFINE_FLEX to declare the flexible array right, and don't memcpy outside bounds.  As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free, and also report status on error.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-24 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40318",
                        "url": "https://ubuntu.com/security/CVE-2025-40318",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once  hci_cmd_sync_dequeue_once() does lookup and then cancel the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the same entry, leading to double list_del() and \"UAF\".  Fix this by holding cmd_sync_work_lock across both lookup and cancel, so that the entry cannot be removed concurrently.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68312",
                        "url": "https://ubuntu.com/security/CVE-2025-68312",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: Prevents free active kevent  The root causes of this issue are: 1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0); puts the kevent work in the global workqueue. However, the kevent has not yet been scheduled when the usbnet device is unregistered. Therefore, executing free_netdev() results in the \"free active object (kevent)\" error reported here.  2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(), if the usbnet device is up, ndo_stop() is executed to cancel the kevent. However, because the device is not up, ndo_stop() is not executed.  The solution to this problem is to cancel the kevent before executing free_netdev().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40344",
                        "url": "https://ubuntu.com/security/CVE-2025-40344",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Disable periods-elapsed work when closing PCM  avs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio stream while period-elapsed work services its IRQs. As the former frees the DAI's private context, these two operations shall be synchronized to avoid slab-use-after-free or worse errors.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68172",
                        "url": "https://ubuntu.com/security/CVE-2025-68172",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: aspeed - fix double free caused by devm  The clock obtained via devm_clk_get_enabled() is automatically managed by devres and will be disabled and freed on driver detach. Manually calling clk_disable_unprepare() in error path and remove function causes double free.  Remove the manual clock cleanup in both aspeed_acry_probe()'s error path and aspeed_acry_remove().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40319",
                        "url": "https://ubuntu.com/security/CVE-2025-40319",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Sync pending IRQ work before freeing ring buffer  Fix a race where irq_work can be queued in bpf_ringbuf_commit() but the ring buffer is freed before the work executes. In the syzbot reproducer, a BPF program attached to sched_switch triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer is freed before this work executes, the irq_work thread may access freed memory. Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work complete before freeing the buffer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68182",
                        "url": "https://ubuntu.com/security/CVE-2025-68182",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: iwlwifi: fix potential use after free in iwl_mld_remove_link()  This code frees \"link\" by calling kfree_rcu(link, rcu_head) and then it dereferences \"link\" to get the \"link->fw_id\".  Save the \"link->fw_id\" first to avoid a potential use after free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68314",
                        "url": "https://ubuntu.com/security/CVE-2025-68314",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm: make sure last_fence is always updated  Update last_fence in the vm-bind path instead of kernel managed path.  last_fence is used to wait for work to finish in vm_bind contexts but not used for kernel managed contexts.  This fixes a bug where last_fence is not waited on context close leading to faults as resources are freed while in use.  Patchwork: https://patchwork.freedesktop.org/patch/680080/",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68189",
                        "url": "https://ubuntu.com/security/CVE-2025-68189",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm: Fix GEM free for imported dma-bufs  Imported dma-bufs also have obj->resv != &obj->_resv.  So we should check both this condition in addition to flags for handling the _NO_SHARE case.  Fixes this splat that was reported with IRIS video playback:      ------------[ cut here ]------------     WARNING: CPU: 3 PID: 2040 at drivers/gpu/drm/msm/msm_gem.c:1127 msm_gem_free_object+0x1f8/0x264 [msm]     CPU: 3 UID: 1000 PID: 2040 Comm: .gnome-shell-wr Not tainted 6.17.0-rc7 #1 PREEMPT     pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)     pc : msm_gem_free_object+0x1f8/0x264 [msm]     lr : msm_gem_free_object+0x138/0x264 [msm]     sp : ffff800092a1bb30     x29: ffff800092a1bb80 x28: ffff800092a1bce8 x27: ffffbc702dbdbe08     x26: 0000000000000008 x25: 0000000000000009 x24: 00000000000000a6     x23: ffff00083c72f850 x22: ffff00083c72f868 x21: ffff00087e69f200     x20: ffff00087e69f330 x19: ffff00084d157ae0 x18: 0000000000000000     x17: 0000000000000000 x16: ffffbc704bd46b80 x15: 0000ffffd0959540     x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000     x11: ffffbc702e6cdb48 x10: 0000000000000000 x9 : 000000000000003f     x8 : ffff800092a1ba90 x7 : 0000000000000000 x6 : 0000000000000020     x5 : ffffbc704bd46c40 x4 : fffffdffe102cf60 x3 : 0000000000400032     x2 : 0000000000020000 x1 : ffff00087e6978e8 x0 : ffff00087e6977e8     Call trace:      msm_gem_free_object+0x1f8/0x264 [msm] (P)      drm_gem_object_free+0x1c/0x30 [drm]      drm_gem_object_handle_put_unlocked+0x138/0x150 [drm]      drm_gem_object_release_handle+0x5c/0xcc [drm]      drm_gem_handle_delete+0x68/0xbc [drm]      drm_gem_close_ioctl+0x34/0x40 [drm]      drm_ioctl_kernel+0xc0/0x130 [drm]      drm_ioctl+0x360/0x4e0 [drm]      __arm64_sys_ioctl+0xac/0x104      invoke_syscall+0x48/0x104      el0_svc_common.constprop.0+0x40/0xe0      do_el0_svc+0x1c/0x28      
el0_svc+0x34/0xec      el0t_64_sync_handler+0xa0/0xe4      el0t_64_sync+0x198/0x19c     ---[ end trace 0000000000000000 ]---     ------------[ cut here ]------------  Patchwork: https://patchwork.freedesktop.org/patch/676273/",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68171",
                        "url": "https://ubuntu.com/security/CVE-2025-68171",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/fpu: Ensure XFD state on signal delivery  Sean reported [1] the following splat when running KVM tests:     WARNING: CPU: 232 PID: 15391 at xfd_validate_state+0x65/0x70    Call Trace:     <TASK>     fpu__clear_user_states+0x9c/0x100     arch_do_signal_or_restart+0x142/0x210     exit_to_user_mode_loop+0x55/0x100     do_syscall_64+0x205/0x2c0     entry_SYSCALL_64_after_hwframe+0x4b/0x53  Chao further identified [2] a reproducible scenario involving signal delivery: a non-AMX task is preempted by an AMX-enabled task which modifies the XFD MSR.  When the non-AMX task resumes and reloads XSTATE with init values, a warning is triggered due to a mismatch between fpstate::xfd and the CPU's current XFD state. fpu__clear_user_states() does not currently re-synchronize the XFD state after such preemption.  Invoke xfd_update_state() which detects and corrects the mismatch if there is a dynamic feature.  This also benefits the sigreturn path, as fpu__restore_sig() may call fpu__clear_user_states() when the sigframe is inaccessible.  [ dhansen: minor changelog munging ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68313",
                        "url": "https://ubuntu.com/security/CVE-2025-68313",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Add RDSEED fix for Zen5  There's an issue with RDSEED's 16-bit and 32-bit register output variants on Zen5 which return a random value of 0 \"at a rate inconsistent with randomness while incorrectly signaling success (CF=1)\". Search the web for AMD-SB-7055 for more detail.  Add a fix glue which checks microcode revisions.    [ bp: Add microcode revisions checking, rewrite. ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40320",
                        "url": "https://ubuntu.com/security/CVE-2025-40320",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix potential cfid UAF in smb2_query_info_compound  When smb2_query_info_compound() retries, a previously allocated cfid may have been freed in the first attempt. Because cfid wasn't reset on replay, later cleanup could act on a stale pointer, leading to a potential use-after-free.  Reinitialize cfid to NULL under the replay label.  Example trace (trimmed):  refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110 [...] RIP: 0010:refcount_warn_saturate+0x9c/0x110 [...] Call Trace:  <TASK>  smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  ? step_into+0x10d/0x690  ? __legitimize_path+0x28/0x60  smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  ? kmem_cache_alloc+0x18a/0x340  ? getname_flags+0x46/0x1e0  cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  statfs_by_dentry+0x67/0x90  vfs_statfs+0x16/0xd0  user_statfs+0x54/0xa0  __do_sys_statfs+0x20/0x50  do_syscall_64+0x58/0x80",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40321",
                        "url": "https://ubuntu.com/security/CVE-2025-40321",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode  Currently, whenever there is a need to transmit an Action frame, the brcmfmac driver always uses the P2P vif to send the \"actframe\" IOVAR to firmware. The P2P interfaces were available when wpa_supplicant is managing the wlan interface.  However, the P2P interfaces are not created/initialized when only hostapd is managing the wlan interface. And if hostapd receives an ANQP Query REQ Action frame even from an un-associated STA, the brcmfmac driver tries to use an uninitialized P2P vif pointer for sending the IOVAR to firmware. This NULL pointer dereferencing triggers a driver crash.   [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual  address 0000000000000000  [...]  [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)  [...]  [ 1417.075653] Call trace:  [ 1417.075662]  brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]  [ 1417.075738]  brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]  [ 1417.075810]  cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211]  [ 1417.076067]  nl80211_tx_mgmt+0x238/0x388 [cfg80211]  [ 1417.076281]  genl_family_rcv_msg_doit+0xe0/0x158  [ 1417.076302]  genl_rcv_msg+0x220/0x2a0  [ 1417.076317]  netlink_rcv_skb+0x68/0x140  [ 1417.076330]  genl_rcv+0x40/0x60  [ 1417.076343]  netlink_unicast+0x330/0x3b8  [ 1417.076357]  netlink_sendmsg+0x19c/0x3f8  [ 1417.076370]  __sock_sendmsg+0x64/0xc0  [ 1417.076391]  ____sys_sendmsg+0x268/0x2a0  [ 1417.076408]  ___sys_sendmsg+0xb8/0x118  [ 1417.076427]  __sys_sendmsg+0x90/0xf8  [ 1417.076445]  __arm64_sys_sendmsg+0x2c/0x40  [ 1417.076465]  invoke_syscall+0x50/0x120  [ 1417.076486]  el0_svc_common.constprop.0+0x48/0xf0  [ 1417.076506]  do_el0_svc+0x24/0x38  [ 1417.076525]  el0_svc+0x30/0x100  [ 1417.076548]  el0t_64_sync_handler+0x100/0x130  [ 1417.076569]  el0t_64_sync+0x190/0x198  [ 
1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)  Fix this, by always using the vif corresponding to the wdev on which the Action frame Transmission request was initiated by the userspace. This way, even if P2P vif is not available, the IOVAR is sent to firmware on AP vif and the ANQP Query RESP Action frame is transmitted without crashing the driver.  Move init_completion() for \"send_af_done\" from brcmf_p2p_create_p2pdev() to brcmf_p2p_attach(). Because the former function would not get executed when only hostapd is managing wlan interface, and it is not safe to do reinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior init_completion().  And in the brcmf_p2p_tx_action_frame() function, the condition check for P2P Presence response frame is not needed, since the wpa_supplicant is properly sending the P2P Presense Response frame on the P2P-GO vif instead of the P2P-Device vif.  [Cc stable]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40322",
                        "url": "https://ubuntu.com/security/CVE-2025-40322",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: bitblit: bound-check glyph index in bit_putcs*  bit_putcs_aligned()/unaligned() derived the glyph pointer from the character value masked by 0xff/0x1ff, which may exceed the actual font's glyph count and read past the end of the built-in font array. Clamp the index to the actual glyph count before computing the address.  This fixes a global out-of-bounds read reported by syzbot.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40211",
                        "url": "https://ubuntu.com/security/CVE-2025-40211",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ACPI: video: Fix use-after-free in acpi_video_switch_brightness()  The switch_brightness_work delayed work accesses device->brightness and device->backlight, freed by acpi_video_dev_unregister_backlight() during device removal.  If the work executes after acpi_video_bus_unregister_backlight() frees these resources, it causes a use-after-free when acpi_video_switch_brightness() dereferences device->brightness or device->backlight.  Fix this by calling cancel_delayed_work_sync() for each device's switch_brightness_work in acpi_video_bus_remove_notify_handler() after removing the notify handler that queues the work. This ensures the work completes before the memory is freed.  [ rjw: Changelog edit ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-21 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40323",
                        "url": "https://ubuntu.com/security/CVE-2025-40323",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Set fb_display[i]->mode to NULL when the mode is released  Recently, we discovered the following issue through syzkaller:  BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0 Read of size 4 at addr ff11000001b3c69c by task syz.xxx ... Call Trace:  <TASK>  dump_stack_lvl+0xab/0xe0  print_address_description.constprop.0+0x2c/0x390  print_report+0xb9/0x280  kasan_report+0xb8/0xf0  fb_mode_is_equal+0x285/0x2f0  fbcon_mode_deleted+0x129/0x180  fb_set_var+0xe7f/0x11d0  do_fb_ioctl+0x6a0/0x750  fb_ioctl+0xe0/0x140  __x64_sys_ioctl+0x193/0x210  do_syscall_64+0x5f/0x9c0  entry_SYSCALL_64_after_hwframe+0x76/0x7e  Based on experimentation and analysis, during framebuffer unregistration, only the memory of fb_info->modelist is freed, without setting the corresponding fb_display[i]->mode to NULL for the freed modes. This leads to UAF issues during subsequent accesses. Here's an example of reproduction steps: 1. With /dev/fb0 already registered in the system, load a kernel module    to register a new device /dev/fb1; 2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP); 3. Switch console from fb to VGA (to allow normal rmmod of the ko); 4. Unload the kernel module, at this point fb1's modelist is freed, leaving    a wild pointer in fb_display[]; 5. Trigger the bug via system calls through fb0 attempting to delete a mode    from fb0.  Add a check in do_unregister_framebuffer(): if the mode to be freed exists in fb_display[], set the corresponding mode pointer to NULL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40210",
                        "url": "https://ubuntu.com/security/CVE-2025-40210",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\"  I've found that pynfs COMP6 now leaves the connection or lease in a strange state, which causes CLOSE9 to hang indefinitely. I've dug into it a little, but I haven't been able to root-cause it yet. However, I bisected to commit 48aab1606fa8 (\"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\").  Tianshuo Han also reports a potential vulnerability when decoding an NFSv4 COMPOUND. An attacker can place an arbitrarily large op count in the COMPOUND header, which results in:  [   51.410584] nfsd: vmalloc error: size 1209533382144, exceeds total pages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO), nodemask=(null),cpuset=/,mems_allowed=0  when NFSD attempts to allocate the COMPOUND op array.  Let's restore the operation-per-COMPOUND limit, but increased to 200 for now.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-21 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40324",
                        "url": "https://ubuntu.com/security/CVE-2025-40324",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Fix crash in nfsd4_read_release()  When tracing is enabled, the trace_nfsd_read_done trace point crashes during the pynfs read.testNoFh test.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40326",
                        "url": "https://ubuntu.com/security/CVE-2025-40326",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define actions for the new time_deleg FATTR4 attributes  NFSv4 clients won't send legitimate GETATTR requests for these new attributes because they are intended to be used only with CB_GETATTR and SETATTR. But NFSD has to do something besides crashing if it ever sees a GETATTR request that queries these attributes.  RFC 8881 Section 18.7.3 states:  > The server MUST return a value for each attribute that the client > requests if the attribute is supported by the server for the > target file system. If the server does not support a particular > attribute on the target file system, then it MUST NOT return the > attribute value and MUST NOT set the attribute bit in the result > bitmap. The server MUST return an error if it supports an > attribute on the target but cannot obtain its value. In that case, > no attribute values will be returned.  Further, RFC 9754 Section 5 states:  > These new attributes are invalid to be used with GETATTR, VERIFY, > and NVERIFY, and they can only be used with CB_GETATTR and SETATTR > by a client holding an appropriate delegation.  Thus there does not appear to be a specific server response mandated by specification. Taking the guidance that querying these attributes via GETATTR is \"invalid\", NFSD will return nfserr_inval, failing the request entirely.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40084",
                        "url": "https://ubuntu.com/security/CVE-2025-40084",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: transport_ipc: validate payload size before reading handle  handle_response() dereferences the payload as a 4-byte handle without verifying that the declared payload size is at least 4 bytes. A malformed or truncated message from ksmbd.mountd can lead to a 4-byte read past the declared payload size. Validate the size before dereferencing.  This is a minimal fix to guard the initial handle read.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40222",
                        "url": "https://ubuntu.com/security/CVE-2025-40222",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: serial: sh-sci: fix RSCI FIFO overrun handling  The receive error handling code is shared between RSCI and all other SCIF port types, but the RSCI overrun_reg is specified as a memory offset, while for other SCIF types it is an enum value used to index into the sci_port_params->regs array, as mentioned above the sci_serial_in() function.  For RSCI, the overrun_reg is CSR (0x48), causing the sci_getreg() call inside the sci_handle_fifo_overrun() function to index outside the bounds of the regs array, which currently has a size of 20, as specified by SCI_NR_REGS.  Because of this, we end up accessing memory outside of RSCI's rsci_port_params structure, which, when interpreted as a plat_sci_reg, happens to have a non-zero size, causing the following WARN when sci_serial_in() is called, as the accidental size does not match the supported register sizes.  The existence of the overrun_reg needs to be checked because SCIx_SH3_SCIF_REGTYPE has overrun_reg set to SCLSR, but SCLSR is not present in the regs array.  Avoid calling sci_getreg() for port types which don't use standard register handling.  Use the ops->read_reg() and ops->write_reg() functions to properly read and write registers for RSCI, and change the type of the status variable to accommodate the 32-bit CSR register.  sci_getreg() and sci_serial_in() are also called with overrun_reg in the sci_mpxed_interrupt() interrupt handler, but that code path is not used for RSCI, as it does not have a muxed interrupt.  
------------[ cut here ]------------ Invalid register access WARNING: CPU: 0 PID: 0 at drivers/tty/serial/sh-sci.c:522 sci_serial_in+0x38/0xac Modules linked in: renesas_usbhs at24 rzt2h_adc industrialio_adc sha256 cfg80211 bluetooth ecdh_generic ecc rfkill fuse drm backlight ipv6 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.17.0-rc1+ #30 PREEMPT Hardware name: Renesas RZ/T2H EVK Board based on r9a09g077m44 (DT) pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : sci_serial_in+0x38/0xac lr : sci_serial_in+0x38/0xac sp : ffff800080003e80 x29: ffff800080003e80 x28: ffff800082195b80 x27: 000000000000000d x26: ffff8000821956d0 x25: 0000000000000000 x24: ffff800082195b80 x23: ffff000180e0d800 x22: 0000000000000010 x21: 0000000000000000 x20: 0000000000000010 x19: ffff000180e72000 x18: 000000000000000a x17: ffff8002bcee7000 x16: ffff800080000000 x15: 0720072007200720 x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720 x11: 0000000000000058 x10: 0000000000000018 x9 : ffff8000821a6a48 x8 : 0000000000057fa8 x7 : 0000000000000406 x6 : ffff8000821fea48 x5 : ffff00033ef88408 x4 : ffff8002bcee7000 x3 : ffff800082195b80 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff800082195b80 Call trace:  sci_serial_in+0x38/0xac (P)  sci_handle_fifo_overrun.isra.0+0x70/0x134  sci_er_interrupt+0x50/0x39c  __handle_irq_event_percpu+0x48/0x140  handle_irq_event+0x44/0xb0  handle_fasteoi_irq+0xf4/0x1a0  handle_irq_desc+0x34/0x58  generic_handle_domain_irq+0x1c/0x28  gic_handle_irq+0x4c/0x140  call_on_irq_stack+0x30/0x48  do_interrupt_handler+0x80/0x84  el1_interrupt+0x34/0x68  el1h_64_irq_handler+0x18/0x24  el1h_64_irq+0x6c/0x70  default_idle_call+0x28/0x58 (P)  do_idle+0x1f8/0x250  cpu_startup_entry+0x34/0x3c  rest_init+0xd8/0xe0  console_on_rootfs+0x0/0x6c  __primary_switched+0x88/0x90 ---[ end trace 0000000000000000 ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40223",
                        "url": "https://ubuntu.com/security/CVE-2025-40223",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  most: usb: Fix use-after-free in hdm_disconnect  hdm_disconnect() calls most_deregister_interface(), which eventually unregisters the MOST interface device with device_unregister(iface->dev). If that drops the last reference, the device core may call release_mdev() immediately while hdm_disconnect() is still executing.  The old code also freed several mdev-owned allocations in hdm_disconnect() and then performed additional put_device() calls. Depending on refcount order, this could lead to use-after-free or double-free when release_mdev() ran (or when unregister paths also performed puts).  Fix by moving the frees of mdev-owned allocations into release_mdev(), so they happen exactly once when the device is truly released, and by dropping the extra put_device() calls in hdm_disconnect() that are redundant after device_unregister() and most_deregister_interface().  This addresses the KASAN slab-use-after-free reported by syzbot in hdm_disconnect(). See report and stack traces in the bug link below.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40106",
                        "url": "https://ubuntu.com/security/CVE-2025-40106",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  comedi: fix divide-by-zero in comedi_buf_munge()  The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path.  Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging.  This prevents potential kernel panics from malformed user commands.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-31 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40224",
                        "url": "https://ubuntu.com/security/CVE-2025-40224",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hwmon: (cgbc-hwmon) Add missing NULL check after devm_kzalloc()  The driver allocates memory for sensor data using devm_kzalloc(), but did not check if the allocation succeeded. In case of memory allocation failure, dereferencing the NULL pointer would lead to a kernel crash.  Add a NULL pointer check and return -ENOMEM to handle allocation failure properly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40225",
                        "url": "https://ubuntu.com/security/CVE-2025-40225",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/panthor: Fix kernel panic on partial unmap of a GPU VA region  This commit address a kernel panic issue that can happen if Userspace tries to partially unmap a GPU virtual region (aka drm_gpuva). The VM_BIND interface allows partial unmapping of a BO.  Panthor driver pre-allocates memory for the new drm_gpuva structures that would be needed for the map/unmap operation, done using drm_gpuvm layer. It expected that only one new drm_gpuva would be needed on umap but a partial unmap can require 2 new drm_gpuva and that's why it ended up doing a NULL pointer dereference causing a kernel panic.  Following dump was seen when partial unmap was exercised.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078  Mem abort info:    ESR = 0x0000000096000046    EC = 0x25: DABT (current EL), IL = 32 bits    SET = 0, FnV = 0    EA = 0, S1PTW = 0    FSC = 0x06: level 2 translation fault  Data abort info:    ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000    CM = 0, WnR = 1, TnD = 0, TagAccess = 0    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0  user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000  [000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000  Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP  <snip>  pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)  pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]  lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor]  sp : ffff800085d43970  x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000  x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000  x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180  x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010  x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c  x14: 312d3d7361203a70 x13: 303030323d6e656c x12: 
ffff80008324bf58  x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c  x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7  x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001  x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078  Call trace:   panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]   op_remap_cb.isra.22+0x50/0x80   __drm_gpuvm_sm_unmap+0x10c/0x1c8   drm_gpuvm_sm_unmap+0x40/0x60   panthor_vm_exec_op+0xb4/0x3d0 [panthor]   panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor]   panthor_ioctl_vm_bind+0x160/0x4a0 [panthor]   drm_ioctl_kernel+0xbc/0x138   drm_ioctl+0x240/0x500   __arm64_sys_ioctl+0xb0/0xf8   invoke_syscall+0x4c/0x110   el0_svc_common.constprop.1+0x98/0xf8   do_el0_svc+0x24/0x38   el0_svc+0x40/0xf8   el0t_64_sync_handler+0xa0/0xc8   el0t_64_sync+0x174/0x178",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40226",
                        "url": "https://ubuntu.com/security/CVE-2025-40226",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  firmware: arm_scmi: Account for failed debug initialization  When the SCMI debug subsystem fails to initialize, the related debug root will be missing, and the underlying descriptor will be NULL.  Handle this fault condition in the SCMI debug helpers that maintain metrics counters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40227",
                        "url": "https://ubuntu.com/security/CVE-2025-40227",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs: dealloc commit test ctx always  The damon_ctx for testing online DAMON parameters commit inputs is deallocated only when the test fails.  This means memory is leaked for every successful online DAMON parameters commit.  Fix the leak by always deallocating it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40228",
                        "url": "https://ubuntu.com/security/CVE-2025-40228",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs: catch commit test ctx alloc failure  Patch series \"mm/damon/sysfs: fix commit test damon_ctx [de]allocation\".  DAMON sysfs interface dynamically allocates and uses a damon_ctx object for testing if given inputs for online DAMON parameters update is valid. The object is being used without an allocation failure check, and leaked when the test succeeds.  Fix the two bugs.   This patch (of 2):  The damon_ctx for testing online DAMON parameters commit inputs is used without its allocation failure check.  This could result in an invalid memory access.  Fix it by directly returning an error when the allocation failed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40229",
                        "url": "https://ubuntu.com/security/CVE-2025-40229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/core: fix potential memory leak by cleaning ops_filter in damon_destroy_scheme  Currently, damon_destroy_scheme() only cleans up the filter list but leaves ops_filter untouched, which could lead to memory leaks when a scheme is destroyed.  This patch ensures both filter and ops_filter are properly freed in damon_destroy_scheme(), preventing potential memory leaks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40230",
                        "url": "https://ubuntu.com/security/CVE-2025-40230",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm: prevent poison consumption when splitting THP  When performing memory error injection on a THP (Transparent Huge Page) mapped to userspace on an x86 server, the kernel panics with the following trace.  The expected behavior is to terminate the affected process instead of panicking the kernel, as the x86 Machine Check code can recover from an in-userspace #MC.    mce: [Hardware Error]: CPU 0: Machine Check Exception: f Bank 3: bd80000000070134   mce: [Hardware Error]: RIP 10:<ffffffff8372f8bc> {memchr_inv+0x4c/0xf0}   mce: [Hardware Error]: TSC afff7bbff88a ADDR 1d301b000 MISC 80 PPIN 1e741e77539027db   mce: [Hardware Error]: PROCESSOR 0:d06d0 TIME 1758093249 SOCKET 0 APIC 0 microcode 80000320   mce: [Hardware Error]: Run the above through 'mcelog --ascii'   mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel   Kernel panic - not syncing: Fatal local machine check  The root cause of this panic is that handling a memory failure triggered by an in-userspace #MC necessitates splitting the THP.  The splitting process employs a mechanism, implemented in try_to_map_unused_to_zeropage(), which reads the pages in the THP to identify zero-filled pages.  However, reading the pages in the THP results in a second in-kernel #MC, occurring before the initial memory_failure() completes, ultimately leading to a kernel panic.  See the kernel panic call trace on the two #MCs.    
First Machine Check occurs // [1]     memory_failure()         // [2]       try_to_split_thp_page()         split_huge_page()           split_huge_page_to_list_to_order()             __folio_split()  // [3]               remap_page()                 remove_migration_ptes()                   remove_migration_pte()                     try_to_map_unused_to_zeropage()  // [4]                       memchr_inv()                   // [5]                         Second Machine Check occurs  // [6]                           Kernel panic  [1] Triggered by accessing a hardware-poisoned THP in userspace, which is     typically recoverable by terminating the affected process.  [2] Call folio_set_has_hwpoisoned() before try_to_split_thp_page().  [3] Pass the RMP_USE_SHARED_ZEROPAGE remap flag to remap_page().  [4] Try to map the unused THP to zeropage.  [5] Re-access pages in the hw-poisoned THP in the kernel.  [6] Triggered in-kernel, leading to a panic kernel.  In Step[2], memory_failure() sets the poisoned flag on the page in the THP by TestSetPageHWPoison() before calling try_to_split_thp_page().  As suggested by David Hildenbrand, fix this panic by not accessing to the poisoned page in the THP during zeropage identification, while continuing to scan unaffected pages in the THP for possible zeropage mapping.  This prevents a second in-kernel #MC that would cause kernel panic in Step[4].  Thanks to Andrew Zaborowski for his initial work on fixing this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40231",
                        "url": "https://ubuntu.com/security/CVE-2025-40231",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix lock inversion in vsock_assign_transport()  Syzbot reported a potential lock inversion deadlock between vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.  The issue was introduced by commit 687aa0c5581b (\"vsock: Fix transport_* TOCTOU\") which added vsock_register_mutex locking in vsock_assign_transport() around the transport->release() call, that can call vsock_linger(). vsock_assign_transport() can be called with sk_lock held. vsock_linger() calls sk_wait_event() that temporarily releases and re-acquires sk_lock. During this window, if another thread holds vsock_register_mutex while trying to acquire sk_lock, a circular dependency is created.  Fix this by releasing vsock_register_mutex before calling transport->release() and vsock_deassign_transport(). This is safe because we don't need to hold vsock_register_mutex while releasing the old transport, and we ensure the new transport won't disappear by obtaining a module reference first via try_module_get().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40233",
                        "url": "https://ubuntu.com/security/CVE-2025-40233",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ocfs2: clear extent cache after moving/defragmenting extents  The extent map cache can become stale when extents are moved or defragmented, causing subsequent operations to see outdated extent flags. This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().  The problem occurs when: 1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED 2. ioctl(FITRIM) triggers ocfs2_move_extents() 3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2) 4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent()    which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0) 5. The extent map cache is not invalidated after the move 6. Later write() operations read stale cached flags (0x2) but disk has    updated flags (0x0), causing a mismatch 7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers  Fix by clearing the extent map cache after each extent move/defrag operation in __ocfs2_move_extents_range().  This ensures subsequent operations read fresh extent data from disk.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40235",
                        "url": "https://ubuntu.com/security/CVE-2025-40235",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots()  If fs_info->super_copy or fs_info->super_for_commit allocated failed in btrfs_get_tree_subvol(), then no need to call btrfs_free_fs_info(). Otherwise btrfs_check_leaked_roots() would access NULL pointer because fs_info->allocated_roots had not been initialised.  syzkaller reported the following information:   ------------[ cut here ]------------   BUG: unable to handle page fault for address: fffffffffffffbb0   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   PGD 64c9067 P4D 64c9067 PUD 64cb067 PMD 0   Oops: Oops: 0000 [#1] SMP KASAN PTI   CPU: 0 UID: 0 PID: 1402 Comm: syz.1.35 Not tainted 6.15.8 #4 PREEMPT(lazy)   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...)   RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]   RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]   RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]   RIP: 0010:refcount_read include/linux/refcount.h:170 [inline]   RIP: 0010:btrfs_check_leaked_roots+0x18f/0x2c0 fs/btrfs/disk-io.c:1230   [...]   
Call Trace:    <TASK>    btrfs_free_fs_info+0x310/0x410 fs/btrfs/disk-io.c:1280    btrfs_get_tree_subvol+0x592/0x6b0 fs/btrfs/super.c:2029    btrfs_get_tree+0x63/0x80 fs/btrfs/super.c:2097    vfs_get_tree+0x98/0x320 fs/super.c:1759    do_new_mount+0x357/0x660 fs/namespace.c:3899    path_mount+0x716/0x19c0 fs/namespace.c:4226    do_mount fs/namespace.c:4239 [inline]    __do_sys_mount fs/namespace.c:4450 [inline]    __se_sys_mount fs/namespace.c:4427 [inline]    __x64_sys_mount+0x28c/0x310 fs/namespace.c:4427    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0x92/0x180 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x76/0x7e   RIP: 0033:0x7f032eaffa8d   [...]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40236",
                        "url": "https://ubuntu.com/security/CVE-2025-40236",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: zero unused hash fields  When a GSO tunnel is negotiated, virtio_net_hdr_tnl_from_skb() tries to initialize the tunnel metadata but forgets to zero the unused rxhash fields. This may leak information to the other side. Fix this by zeroing the unused hash fields.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40237",
                        "url": "https://ubuntu.com/security/CVE-2025-40237",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/notify: call exportfs_encode_fid with s_umount  Calling intotify_show_fdinfo() on fd watching an overlayfs inode, while the overlayfs is being unmounted, can lead to dereferencing NULL ptr.  This issue was found by syzkaller.  Race Condition Diagram:  Thread 1                           Thread 2 --------                           --------  generic_shutdown_super()  shrink_dcache_for_umount   sb->s_root = NULL                      |                     |             vfs_read()                     |              inotify_fdinfo()                     |               * inode get from mark *                     |               show_mark_fhandle(m, inode)                     |                exportfs_encode_fid(inode, ..)                     |                 ovl_encode_fh(inode, ..)                     |                  ovl_check_encode_origin(inode)                     |                   * deref i_sb->s_root *                     |                     |                     v  fsnotify_sb_delete(sb)  Which then leads to:  [   32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [   32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [   32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none)  <snip registers, unreliable trace>  [   32.143353] Call Trace: [   32.143732]  ovl_encode_fh+0xd5/0x170 [   32.144031]  exportfs_encode_inode_fh+0x12f/0x300 [   32.144425]  show_mark_fhandle+0xbe/0x1f0 [   32.145805]  inotify_fdinfo+0x226/0x2d0 [   32.146442]  inotify_show_fdinfo+0x1c5/0x350 [   32.147168]  seq_show+0x530/0x6f0 [   32.147449]  seq_read_iter+0x503/0x12a0 [   32.148419]  seq_read+0x31f/0x410 [   32.150714]  vfs_read+0x1f0/0x9e0 [   32.152297]  ksys_read+0x125/0x240  IOW ovl_check_encode_origin 
derefs inode->i_sb->s_root, after it was set to NULL in the unmount path.  Fix it by protecting calling exportfs_encode_fid() from show_mark_fhandle() with s_umount lock.  This form of fix was suggested by Amir in [1].  [1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40238",
                        "url": "https://ubuntu.com/security/CVE-2025-40238",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5: Fix IPsec cleanup over MPV device  When we do mlx5e_detach_netdev() we eventually disable blocking events notifier, among those events are IPsec MPV events from IB to core.  So before disabling those blocking events, make sure to also unregister the devcom device and mark all this device operations as complete, in order to prevent the other device from using invalid netdev during future devcom events which could cause the trace below.  BUG: kernel NULL pointer dereference, address: 0000000000000010 PGD 146427067 P4D 146427067 PUD 146488067 PMD 0 Oops: Oops: 0000 [#1] SMP CPU: 1 UID: 0 PID: 7735 Comm: devlink Tainted: GW 6.12.0-rc6_for_upstream_min_debug_2024_11_08_00_46 #1 Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core] Code: 00 01 48 83 05 23 32 1e 00 01 41 b8 ed ff ff ff e9 60 ff ff ff 48 83 05 00 32 1e 00 01 eb e3 66 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 47 10 48 83 05 5f 32 1e 00 01 48 8b 50 40 48 85 d2 74 05 40 RSP: 0018:ffff88811a5c35f8 EFLAGS: 00010206 RAX: ffff888106e8ab80 RBX: ffff888107d7e200 RCX: ffff88810d6f0a00 RDX: ffff88810d6f0a00 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff88811a17e620 R08: 0000000000000040 R09: 0000000000000000 R10: ffff88811a5c3618 R11: 0000000de85d51bd R12: ffff88811a17e600 R13: ffff88810d6f0a00 R14: 0000000000000000 R15: ffff8881034bda80 FS:  00007f27bdf89180(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000010f159005 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  <TASK>  ? __die+0x20/0x60  ? page_fault_oops+0x150/0x3e0  ? exc_page_fault+0x74/0x130  ? 
asm_exc_page_fault+0x22/0x30  ? mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core]  mlx5e_devcom_event_mpv+0x42/0x60 [mlx5_core]  mlx5_devcom_send_event+0x8c/0x170 [mlx5_core]  blocking_event+0x17b/0x230 [mlx5_core]  notifier_call_chain+0x35/0xa0  blocking_notifier_call_chain+0x3d/0x60  mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]  mlx5_core_mp_event_replay+0x12/0x20 [mlx5_core]  mlx5_ib_bind_slave_port+0x228/0x2c0 [mlx5_ib]  mlx5_ib_stage_init_init+0x664/0x9d0 [mlx5_ib]  ? idr_alloc_cyclic+0x50/0xb0  ? __kmalloc_cache_noprof+0x167/0x340  ? __kmalloc_noprof+0x1a7/0x430  __mlx5_ib_add+0x34/0xd0 [mlx5_ib]  mlx5r_probe+0xe9/0x310 [mlx5_ib]  ? kernfs_add_one+0x107/0x150  ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib]  auxiliary_bus_probe+0x3e/0x90  really_probe+0xc5/0x3a0  ? driver_probe_device+0x90/0x90  __driver_probe_device+0x80/0x160  driver_probe_device+0x1e/0x90  __device_attach_driver+0x7d/0x100  bus_for_each_drv+0x80/0xd0  __device_attach+0xbc/0x1f0  bus_probe_device+0x86/0xa0  device_add+0x62d/0x830  __auxiliary_device_add+0x3b/0xa0  ? auxiliary_device_init+0x41/0x90  add_adev+0xd1/0x150 [mlx5_core]  mlx5_rescan_drivers_locked+0x21c/0x300 [mlx5_core]  esw_mode_change+0x6c/0xc0 [mlx5_core]  mlx5_devlink_eswitch_mode_set+0x21e/0x640 [mlx5_core]  devlink_nl_eswitch_set_doit+0x60/0xe0  genl_family_rcv_msg_doit+0xd0/0x120  genl_rcv_msg+0x180/0x2b0  ? devlink_get_from_attrs_lock+0x170/0x170  ? devlink_nl_eswitch_get_doit+0x290/0x290  ? devlink_nl_pre_doit_port_optional+0x50/0x50  ? genl_family_rcv_msg_dumpit+0xf0/0xf0  netlink_rcv_skb+0x54/0x100  genl_rcv+0x24/0x40  netlink_unicast+0x1fc/0x2d0  netlink_sendmsg+0x1e4/0x410  __sock_sendmsg+0x38/0x60  ? sockfd_lookup_light+0x12/0x60  __sys_sendto+0x105/0x160  ? 
__sys_recvmsg+0x4e/0x90  __x64_sys_sendto+0x20/0x30  do_syscall_64+0x4c/0x100  entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f27bc91b13a Code: bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 fa 96 2c 00 45 89 c9 4c 63 d1 48 63 ff 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40239",
                        "url": "https://ubuntu.com/security/CVE-2025-40239",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: phy: micrel: always set shared->phydev for LAN8814  Currently, during the LAN8814 PTP probe shared->phydev is only set if PTP clock gets actually set, otherwise the function will return before setting it.  This is an issue as shared->phydev is unconditionally being used when IRQ is being handled, especially in lan8814_gpio_process_cap and since it was not set it will cause a NULL pointer exception and crash the kernel.  So, simply always set shared->phydev to avoid the NULL pointer exception.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40240",
                        "url": "https://ubuntu.com/security/CVE-2025-40240",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: avoid NULL dereference when chunk data buffer is missing  chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only.  chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40241",
                        "url": "https://ubuntu.com/security/CVE-2025-40241",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: fix crafted invalid cases for encoded extents  Robert recently reported two corrupted images that can cause system crashes, which are related to the new encoded extents introduced in Linux 6.15:    - The first one [1] has plen != 0 (e.g. plen == 0x2000000) but     (plen & Z_EROFS_EXTENT_PLEN_MASK) == 0. It is used to represent     special extents such as sparse extents (!EROFS_MAP_MAPPED), but     previously only plen == 0 was handled;    - The second one [2] has pa 0xffffffffffdcffed and plen 0xb4000,     then \"cur [0xfffffffffffff000] += bvec.bv_len [0x1000]\" in     \"} while ((cur += bvec.bv_len) < end);\" wraps around, causing an     out-of-bound access of pcl->compressed_bvecs[] in     z_erofs_submit_queue().  EROFS only supports 48-bit physical block     addresses (up to 1EiB for 4k blocks), so add a sanity check to     enforce this.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40242",
                        "url": "https://ubuntu.com/security/CVE-2025-40242",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gfs2: Fix unlikely race in gdlm_put_lock  In gdlm_put_lock(), there is a small window of time in which the DFL_UNMOUNT flag has been set but the lockspace hasn't been released, yet.  In that window, dlm may still call gdlm_ast() and gdlm_bast(). To prevent it from dereferencing freed glock objects, only free the glock if the lockspace has actually been released.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40243",
                        "url": "https://ubuntu.com/security/CVE-2025-40243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()  The syzbot reported issue in hfs_find_set_zero_bits():  ===================================================== BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45  hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45  hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151  hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408  hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353  __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151  block_write_begin fs/buffer.c:2262 [inline]  cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601  hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52  cont_expand_zero fs/buffer.c:2528 [inline]  cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591  hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52  hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494  hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654  notify_change+0x1993/0x1aa0 fs/attr.c:552  do_truncate+0x28f/0x310 fs/open.c:68  do_ftruncate+0x698/0x730 fs/open.c:195  do_sys_ftruncate fs/open.c:210 [inline]  __do_sys_ftruncate fs/open.c:215 [inline]  __se_sys_ftruncate fs/open.c:213 [inline]  __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213  x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Uninit was created at:  slab_post_alloc_hook mm/slub.c:4154 [inline]  slab_alloc_node mm/slub.c:4197 [inline]  __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354  kmalloc_noprof include/linux/slab.h:905 [inline]  hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175  hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337  get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681  get_tree_bdev+0x38/0x50 fs/super.c:1704  hfs_get_tree+0x35/0x40 fs/hfs/super.c:388  vfs_get_tree+0xb0/0x5c0 
fs/super.c:1804  do_new_mount+0x738/0x1610 fs/namespace.c:3902  path_mount+0x6db/0x1e90 fs/namespace.c:4226  do_mount fs/namespace.c:4239 [inline]  __do_sys_mount fs/namespace.c:4450 [inline]  __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427  __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427  x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 =====================================================  The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get():  HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);  Finally, it can trigger the reported issue because kmalloc() doesn't clear the allocated memory. If allocated memory contains only zeros, then everything will work pretty fine. But if the allocated memory contains the \"garbage\", then it can affect the bitmap operations and it triggers the reported issue.  This patch simply exchanges the kmalloc() on kzalloc() with the goal to guarantee the correctness of bitmap operations. Because, newly created allocation bitmap should have all available blocks free. Potentially, initialization bitmap's read operation could not fill the whole allocated memory and \"garbage\" in the not initialized memory will be the reason of volume coruptions and file system driver bugs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40244",
                        "url": "https://ubuntu.com/security/CVE-2025-40244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()  The syzbot reported issue in __hfsplus_ext_cache_extent():  [   70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.195022][ T9350]  __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.195530][ T9350]  hfsplus_file_extend+0x74f/0x1cf0 [   70.195998][ T9350]  hfsplus_get_block+0xe16/0x17b0 [   70.196458][ T9350]  __block_write_begin_int+0x962/0x2ce0 [   70.196959][ T9350]  cont_write_begin+0x1000/0x1950 [   70.197416][ T9350]  hfsplus_write_begin+0x85/0x130 [   70.197873][ T9350]  generic_perform_write+0x3e8/0x1060 [   70.198374][ T9350]  __generic_file_write_iter+0x215/0x460 [   70.198892][ T9350]  generic_file_write_iter+0x109/0x5e0 [   70.199393][ T9350]  vfs_write+0xb0f/0x14e0 [   70.199771][ T9350]  ksys_write+0x23e/0x490 [   70.200149][ T9350]  __x64_sys_write+0x97/0xf0 [   70.200570][ T9350]  x64_sys_call+0x3015/0x3cf0 [   70.201065][ T9350]  do_syscall_64+0xd9/0x1d0 [   70.201506][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [   70.202054][ T9350] [   70.202279][ T9350] Uninit was created at: [   70.202693][ T9350]  __kmalloc_noprof+0x621/0xf80 [   70.203149][ T9350]  hfsplus_find_init+0x8d/0x1d0 [   70.203602][ T9350]  hfsplus_file_extend+0x6ca/0x1cf0 [   70.204087][ T9350]  hfsplus_get_block+0xe16/0x17b0 [   70.204561][ T9350]  __block_write_begin_int+0x962/0x2ce0 [   70.205074][ T9350]  cont_write_begin+0x1000/0x1950 [   70.205547][ T9350]  hfsplus_write_begin+0x85/0x130 [   70.206017][ T9350]  generic_perform_write+0x3e8/0x1060 [   70.206519][ T9350]  __generic_file_write_iter+0x215/0x460 [   70.207042][ T9350]  generic_file_write_iter+0x109/0x5e0 [   70.207552][ T9350]  vfs_write+0xb0f/0x14e0 [   70.207961][ T9350]  ksys_write+0x23e/0x490 [   70.208375][ T9350]  __x64_sys_write+0x97/0xf0 [   70.208810][ T9350]  
x64_sys_call+0x3015/0x3cf0 [   70.209255][ T9350]  do_syscall_64+0xd9/0x1d0 [   70.209680][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [   70.210230][ T9350] [   70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5 [   70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [   70.212115][ T9350] ===================================================== [   70.212734][ T9350] Disabling lock debugging due to kernel taint [   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ... [   70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G    B             6.12.0-rc5 #5 [   70.214679][ T9350] Tainted: [B]=BAD_PAGE [   70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [   70.215999][ T9350] Call Trace: [   70.216309][ T9350]  <TASK> [   70.216585][ T9350]  dump_stack_lvl+0x1fd/0x2b0 [   70.217025][ T9350]  dump_stack+0x1e/0x30 [   70.217421][ T9350]  panic+0x502/0xca0 [   70.217803][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0  [   70.218294][ Message fromT sy9350]  kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...  kernel :[   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [  70.220179][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0 set ... [   70.221254][ T9350]  ? __msan_warning+0x96/0x120 [   70.222066][ T9350]  ? __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.223023][ T9350]  ? hfsplus_file_extend+0x74f/0x1cf0 [   70.224120][ T9350]  ? hfsplus_get_block+0xe16/0x17b0 [   70.224946][ T9350]  ? __block_write_begin_int+0x962/0x2ce0 [   70.225756][ T9350]  ? cont_write_begin+0x1000/0x1950 [   70.226337][ T9350]  ? hfsplus_write_begin+0x85/0x130 [   70.226852][ T9350]  ? generic_perform_write+0x3e8/0x1060 [   70.227405][ T9350]  ? __generic_file_write_iter+0x215/0x460 [   70.227979][ T9350]  ? generic_file_write_iter+0x109/0x5e0 [   70.228540][ T9350]  ? 
vfs_write+0xb0f/0x14e0 [   70.228997][ T9350]  ? ksys_write+0x23e/0x490 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40245",
                        "url": "https://ubuntu.com/security/CVE-2025-40245",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nios2: ensure that memblock.current_limit is set when setting pfn limits  On nios2, with CONFIG_FLATMEM set, the kernel relies on memblock_get_current_limit() to determine the limits of mem_map, in particular for max_low_pfn. Unfortunately, memblock.current_limit is only default initialized to MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading to situations where max_low_pfn can erroneously exceed the value of max_pfn and, thus, the valid range of available DRAM.  This can in turn cause kernel-level paging failures, e.g.:  [   76.900000] Unable to handle kernel paging request at virtual address 20303000 [   76.900000] ea = c0080890, ra = c000462c, cause = 14 [   76.900000] Kernel panic - not syncing: Oops [   76.900000] ---[ end Kernel panic - not syncing: Oops ]---  This patch fixes this by pre-calculating memblock.current_limit based on the upper limits of the available memory ranges via adjust_lowmem_bounds, a simplified version of the equivalent implementation within the arm architecture.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40086",
                        "url": "https://ubuntu.com/security/CVE-2025-40086",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Don't allow evicting of BOs in same VM in array of VM binds  An array of VM binds can potentially evict other buffer objects (BOs) within the same VM under certain conditions, which may lead to NULL pointer dereferences later in the bind pipeline. To prevent this, clear the allow_res_evict flag in the xe_bo_validate call.  v2:  - Invert polarity of no_res_evict (Thomas)  - Add comment in code explaining issue (Thomas)  (cherry picked from commit 8b9ba8d6d95fe75fed6b0480bb03da4b321bea08)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40087",
                        "url": "https://ubuntu.com/security/CVE-2025-40087",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define a proc_layoutcommit for the FlexFiles layout type  Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40088",
                        "url": "https://ubuntu.com/security/CVE-2025-40088",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()  The hfsplus_strcasecmp() logic can trigger the issue:  [  117.317703][ T9855] ================================================================== [  117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490 [  117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855 [  117.319577][ T9855] [  117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full) [  117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [  117.319783][ T9855] Call Trace: [  117.319785][ T9855]  <TASK> [  117.319788][ T9855]  dump_stack_lvl+0x1c1/0x2a0 [  117.319795][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319803][ T9855]  ? __pfx_dump_stack_lvl+0x10/0x10 [  117.319808][ T9855]  ? rcu_is_watching+0x15/0xb0 [  117.319816][ T9855]  ? lock_release+0x4b/0x3e0 [  117.319821][ T9855]  ? __kasan_check_byte+0x12/0x40 [  117.319828][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319835][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319842][ T9855]  print_report+0x17e/0x7e0 [  117.319848][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319855][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319862][ T9855]  ? __phys_addr+0xd3/0x180 [  117.319869][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319876][ T9855]  kasan_report+0x147/0x180 [  117.319882][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319891][ T9855]  hfsplus_strcasecmp+0x1bc/0x490 [  117.319900][ T9855]  ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10 [  117.319906][ T9855]  hfs_find_rec_by_key+0xa9/0x1e0 [  117.319913][ T9855]  __hfsplus_brec_find+0x18e/0x470 [  117.319920][ T9855]  ? __pfx_hfsplus_bnode_find+0x10/0x10 [  117.319926][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319933][ T9855]  ? 
__pfx___hfsplus_brec_find+0x10/0x10 [  117.319942][ T9855]  hfsplus_brec_find+0x28f/0x510 [  117.319949][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319956][ T9855]  ? __pfx_hfsplus_brec_find+0x10/0x10 [  117.319963][ T9855]  ? __kmalloc_noprof+0x2a9/0x510 [  117.319969][ T9855]  ? hfsplus_find_init+0x8c/0x1d0 [  117.319976][ T9855]  hfsplus_brec_read+0x2b/0x120 [  117.319983][ T9855]  hfsplus_lookup+0x2aa/0x890 [  117.319990][ T9855]  ? __pfx_hfsplus_lookup+0x10/0x10 [  117.320003][ T9855]  ? d_alloc_parallel+0x2f0/0x15e0 [  117.320008][ T9855]  ? __lock_acquire+0xaec/0xd80 [  117.320013][ T9855]  ? __pfx_d_alloc_parallel+0x10/0x10 [  117.320019][ T9855]  ? __raw_spin_lock_init+0x45/0x100 [  117.320026][ T9855]  ? __init_waitqueue_head+0xa9/0x150 [  117.320034][ T9855]  __lookup_slow+0x297/0x3d0 [  117.320039][ T9855]  ? __pfx___lookup_slow+0x10/0x10 [  117.320045][ T9855]  ? down_read+0x1ad/0x2e0 [  117.320055][ T9855]  lookup_slow+0x53/0x70 [  117.320065][ T9855]  walk_component+0x2f0/0x430 [  117.320073][ T9855]  path_lookupat+0x169/0x440 [  117.320081][ T9855]  filename_lookup+0x212/0x590 [  117.320089][ T9855]  ? __pfx_filename_lookup+0x10/0x10 [  117.320098][ T9855]  ? strncpy_from_user+0x150/0x290 [  117.320105][ T9855]  ? getname_flags+0x1e5/0x540 [  117.320112][ T9855]  user_path_at+0x3a/0x60 [  117.320117][ T9855]  __x64_sys_umount+0xee/0x160 [  117.320123][ T9855]  ? __pfx___x64_sys_umount+0x10/0x10 [  117.320129][ T9855]  ? do_syscall_64+0xb7/0x3a0 [  117.320135][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320141][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320145][ T9855]  do_syscall_64+0xf3/0x3a0 [  117.320150][ T9855]  ? 
exc_page_fault+0x9f/0xf0 [  117.320154][ T9855]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320158][ T9855] RIP: 0033:0x7f7dd7908b07 [  117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08 [  117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40162",
                        "url": "https://ubuntu.com/security/CVE-2025-40162",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails  devm_kasprintf() may return NULL on memory allocation failure, but the debug message prints cpus->dai_name before checking it. Move the dev_dbg() call after the NULL check to prevent potential NULL pointer dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40085",
                        "url": "https://ubuntu.com/security/CVE-2025-40085",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card  In try_to_register_card(), the return value of usb_ifnum_to_if() is passed directly to usb_interface_claimed() without a NULL check, which will lead to a NULL pointer dereference when creating an invalid USB audio device. Fix this by adding a check to ensure the interface pointer is valid before passing it to usb_interface_claimed().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40172",
                        "url": "https://ubuntu.com/security/CVE-2025-40172",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()  Currently, if find_and_map_user_pages() takes a DMA xfer request from the user with a length field set to 0, or in a rare case, the host receives QAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size is equal to the requested transaction size, the function will return 0 before allocating an sgt or setting the fields of the dma_xfer struct. In that case, encode_addr_size_pairs() will try to access the sgt which will lead to a general protection fault.  Return an EINVAL in case the user provides a zero-sized ALP, or the device requests continuation after all of the bytes have been transferred.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40177",
                        "url": "https://ubuntu.com/security/CVE-2025-40177",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/qaic: Fix bootlog initialization ordering  As soon as we queue MHI buffers to receive the bootlog from the device, we could be receiving data. Therefore all the resources needed to process that data need to be setup prior to queuing the buffers.  We currently initialize some of the resources after queuing the buffers which creates a race between the probe() and any data that comes back from the device. If the uninitialized resources are accessed, we could see page faults.  Fix the init ordering to close the race.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40163",
                        "url": "https://ubuntu.com/security/CVE-2025-40163",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched/deadline: Stop dl_server before CPU goes offline  IBM CI tool reported kernel warning[1] when running a CPU removal operation through drmgr[2]. i.e \"drmgr -c cpu -r -q 1\"  WARNING: CPU: 0 PID: 0 at kernel/sched/cpudeadline.c:219 cpudl_set+0x58/0x170 NIP [c0000000002b6ed8] cpudl_set+0x58/0x170 LR [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 Call Trace: [c000000002c2f8c0] init_stack+0x78c0/0x8000 (unreliable) [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 [c00000000034df84] __hrtimer_run_queues+0x1a4/0x390 [c00000000034f624] hrtimer_interrupt+0x124/0x300 [c00000000002a230] timer_interrupt+0x140/0x320  Git bisects to: commit 4ae8d9aa9f9d (\"sched/deadline: Fix dl_server getting stuck\")  This happens since: - dl_server hrtimer gets enqueued close to cpu offline, when   kthread_park enqueues a fair task. - CPU goes offline and drmgr removes it from cpu_present_mask. - hrtimer fires and warning is hit.  Fix it by stopping the dl_server before CPU is marked dead.  [1]: https://lore.kernel.org/all/8218e149-7718-4432-9312-f97297c352b9@linux.ibm.com/ [2]: https://github.com/ibm-power-utilities/powerpc-utils/tree/next/src/drmgr  [sshegde: wrote the changelog and tested it]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40174",
                        "url": "https://ubuntu.com/security/CVE-2025-40174",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/mm: Fix SMP ordering in switch_mm_irqs_off()  Stephen noted that it is possible to not have an smp_mb() between the loaded_mm store and the tlb_gen load in switch_mm(), meaning the ordering against flush_tlb_mm_range() goes out the window, and it becomes possible for switch_mm() to not observe a recent tlb_gen update and fail to flush the TLBs.  [ dhansen: merge conflict fixed by Ingo ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40089",
                        "url": "https://ubuntu.com/security/CVE-2025-40089",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cxl/features: Add check for no entries in cxl_feature_info  cxl EDAC calls cxl_feature_info() to get the feature information and if the hardware has no Features support, cxlfs may be passed in as NULL.  [   51.957498] BUG: kernel NULL pointer dereference, address: 0000000000000008 [   51.965571] #PF: supervisor read access in kernel mode [   51.971559] #PF: error_code(0x0000) - not-present page [   51.977542] PGD 17e4f6067 P4D 0 [   51.981384] Oops: Oops: 0000 [#1] SMP NOPTI [   51.986300] CPU: 49 UID: 0 PID: 3782 Comm: systemd-udevd Not tainted 6.17.0dj test+ #64 PREEMPT(voluntary) [   51.997355] Hardware name: <removed> [   52.009790] RIP: 0010:cxl_feature_info+0xa/0x80 [cxl_core]  Add a check for cxlfs before dereferencing it and return -EOPNOTSUPP if there is no cxlfs created due to no hardware support.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40176",
                        "url": "https://ubuntu.com/security/CVE-2025-40176",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tls: wait for pending async decryptions if tls_strp_msg_hold fails  Async decryption calls tls_strp_msg_hold to create a clone of the input skb to hold references to the memory it uses. If we fail to allocate that clone, proceeding with async decryption can lead to various issues (UAF on the skb, writing into userspace memory after the recv() call has returned).  In this case, wait for all pending decryption requests.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40164",
                        "url": "https://ubuntu.com/security/CVE-2025-40164",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: Fix using smp_processor_id() in preemptible code warnings  Syzbot reported the following warning:  BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879 caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary) Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120  check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49  usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331  usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708  usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417  __dev_set_mtu net/core/dev.c:9443 [inline]  netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496  netif_set_mtu+0xb0/0x160 net/core/dev.c:9520  dev_set_mtu+0xae/0x170 net/core/dev_api.c:247  dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572  dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821  sock_do_ioctl+0x19d/0x280 net/socket.c:1204  sock_ioctl+0x42f/0x6a0 net/socket.c:1311  vfs_ioctl fs/ioctl.c:51 [inline]  __do_sys_ioctl fs/ioctl.c:906 [inline]  __se_sys_ioctl fs/ioctl.c:892 [inline]  __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  For historical and portability reasons, the netif_rx() is usually run in the softirq or interrupt context, this commit therefore add local_bh_disable/enable() protection in the usbnet_resume_rx().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40091",
                        "url": "https://ubuntu.com/security/CVE-2025-40091",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ixgbe: fix too early devlink_free() in ixgbe_remove()  Since ixgbe_adapter is embedded in devlink, calling devlink_free() prematurely in the ixgbe_remove() path can lead to UAF. Move devlink_free() to the end.  KASAN report:   BUG: KASAN: use-after-free in ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]  Read of size 8 at addr ffff0000adf813e0 by task bash/2095  CPU: 1 UID: 0 PID: 2095 Comm: bash Tainted: G S 6.17.0-rc2-tnguy.net-queue+ #1 PREEMPT(full)  [...]  Call trace:   show_stack+0x30/0x90 (C)   dump_stack_lvl+0x9c/0xd0   print_address_description.constprop.0+0x90/0x310   print_report+0x104/0x1f0   kasan_report+0x88/0x180   __asan_report_load8_noabort+0x20/0x30   ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]   ixgbe_clear_interrupt_scheme+0xf8/0x130 [ixgbe]   ixgbe_remove+0x2d0/0x8c0 [ixgbe]   pci_device_remove+0xa0/0x220   device_remove+0xb8/0x170   device_release_driver_internal+0x318/0x490   device_driver_detach+0x40/0x68   unbind_store+0xec/0x118   drv_attr_store+0x64/0xb8   sysfs_kf_write+0xcc/0x138   kernfs_fop_write_iter+0x294/0x440   new_sync_write+0x1fc/0x588   vfs_write+0x480/0x6a0   ksys_write+0xf0/0x1e0   __arm64_sys_write+0x70/0xc0   invoke_syscall.constprop.0+0xcc/0x280   el0_svc_common.constprop.0+0xa8/0x248   do_el0_svc+0x44/0x68   el0_svc+0x54/0x160   el0t_64_sync_handler+0xa0/0xe8   el0t_64_sync+0x1b0/0x1b8",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40175",
                        "url": "https://ubuntu.com/security/CVE-2025-40175",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  idpf: cleanup remaining SKBs in PTP flows  When the driver requests Tx timestamp value, one of the first steps is to clone SKB using skb_get. It increases the reference counter for that SKB to prevent unexpected freeing by another component. However, there may be a case where the index is requested, SKB is assigned and never consumed by PTP flows - for example due to reset during running PTP apps.  Add a check in release timestamping function to verify if the SKB assigned to Tx timestamp latch was freed, and release remaining SKBs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40173",
                        "url": "https://ubuntu.com/security/CVE-2025-40173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ip6_tunnel: Prevent perpetual tunnel growth  Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd (\"net: ip_tunnel: prevent perpetual headroom growth\"), ipv6 tunnel yet increases the headroom without any ceiling.  Reflect ipv4 tunnel headroom adjustment limit on ipv6 version.  Credits to Francesco Ruggeri, who was originally debugging this issue and wrote local Arista-specific patch and a reproducer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40092",
                        "url": "https://ubuntu.com/security/CVE-2025-40092",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ncm: Refactor bind path to use __free()  After a bind/unbind cycle, the ncm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  ncm_bind+0x39c/0x3dc  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40093",
                        "url": "https://ubuntu.com/security/CVE-2025-40093",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ecm: Refactor bind path to use __free()  After a bind/unbind cycle, the ecm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40094",
                        "url": "https://ubuntu.com/security/CVE-2025-40094",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_acm: Refactor bind path to use __free()  After a bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  gs_free_req+0x30/0x44  acm_bind+0x1b8/0x1f4  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40095",
                        "url": "https://ubuntu.com/security/CVE-2025-40095",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_rndis: Refactor bind path to use __free()  After a bind/unbind cycle, the rndis->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40165",
                        "url": "https://ubuntu.com/security/CVE-2025-40165",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: nxp: imx8-isi: m2m: Fix streaming cleanup on release  If streamon/streamoff calls are imbalanced, such as when exiting an application with Ctrl+C when streaming, the m2m usage_count will never reach zero and the ISI channel won't be freed. Besides from that, if the input line width is more than 2K, it will trigger a WARN_ON():  [ 59.222120] ------------[ cut here ]------------ [ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654 [ 59.238569] Modules linked in: ap1302 [ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT [ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT) [ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120 [ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120 [ 59.275047] sp : ffff8000848c3b40 [ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00 [ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001 [ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780 [ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000 [ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c [ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 [ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30 [ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420 [ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000 [ 59.349590] Call trace: [ 59.352025]  mxc_isi_channel_chain+0xa4/0x120 (P) [ 59.356722]  mxc_isi_m2m_streamon+0x160/0x20c [ 59.361072]  
v4l_streamon+0x24/0x30 [ 59.364556]  __video_do_ioctl+0x40c/0x4a0 [ 59.368560]  video_usercopy+0x2bc/0x690 [ 59.372382]  video_ioctl2+0x18/0x24 [ 59.375857]  v4l2_ioctl+0x40/0x60 [ 59.379168]  __arm64_sys_ioctl+0xac/0x104 [ 59.383172]  invoke_syscall+0x48/0x104 [ 59.386916]  el0_svc_common.constprop.0+0xc0/0xe0 [ 59.391613]  do_el0_svc+0x1c/0x28 [ 59.394915]  el0_svc+0x34/0xf4 [ 59.397966]  el0t_64_sync_handler+0xa0/0xe4 [ 59.402143]  el0t_64_sync+0x198/0x19c [ 59.405801] ---[ end trace 0000000000000000 ]---  Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the v4l2_m2m_ioctl_streamon() and v4l2_m2m_ioctl_streamoff() helpers.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40096",
                        "url": "https://ubuntu.com/security/CVE-2025-40096",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies  When adding dependencies with drm_sched_job_add_dependency(), that function consumes the fence reference both on success and failure, so in the latter case the dma_fence_put() on the error path (xarray failed to expand) is a double free.  Interestingly this bug appears to have been present ever since commit ebd5f74255b9 (\"drm/sched: Add dependency tracking\"), since the code back then looked like this:  drm_sched_job_add_implicit_dependencies(): ...        for (i = 0; i < fence_count; i++) {                ret = drm_sched_job_add_dependency(job, fences[i]);                if (ret)                        break;        }         for (; i < fence_count; i++)                dma_fence_put(fences[i]);  Which means for the failing 'i' the dma_fence_put was already a double free. Possibly there were no users at that time, or the test cases were insufficient to hit it.  The bug was then only noticed and fixed after commit 9c2ba265352a (\"drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2\") landed, with its fixup of commit 4eaf02d6076c (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies\").  At that point it was a slightly different flavour of a double free, which commit 963d0b356935 (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder\") noticed and attempted to fix.  But it only moved the double free from happening inside the drm_sched_job_add_dependency(), when releasing the reference not yet obtained, to the caller, when releasing the reference already released by the former in the failure case.  As such it is not easy to identify the right target for the fixes tag so lets keep it simple and just continue the chain.  While fixing we also improve the comment and explain the reason for taking the reference and not dropping it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40097",
                        "url": "https://ubuntu.com/security/CVE-2025-40097",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda: Fix missing pointer check in hda_component_manager_init function  The __component_match_add function may assign the 'matchptr' pointer the value ERR_PTR(-ENOMEM), which will subsequently be dereferenced.  The call stack leading to the error looks like this:  hda_component_manager_init |-> component_match_add     |-> component_match_add_release         |-> __component_match_add ( ... ,**matchptr, ... )             |-> *matchptr = ERR_PTR(-ENOMEM);       // assign |-> component_master_add_with_match( ...  match)     |-> component_match_realloc(match, match->num); // dereference  Add IS_ERR() check to prevent the crash.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40098",
                        "url": "https://ubuntu.com/security/CVE-2025-40098",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state()  Return value of a function acpi_evaluate_dsm() is dereferenced  without checking for NULL, but it is usually checked for this function.  acpi_evaluate_dsm() may return NULL, when acpi_evaluate_object() returns acpi_status other than ACPI_SUCCESS, so add a check to prevent the crach.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40099",
                        "url": "https://ubuntu.com/security/CVE-2025-40099",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cifs: parse_dfs_referrals: prevent oob on malformed input  Malicious SMB server can send invalid reply to FSCTL_DFS_GET_REFERRALS  - reply smaller than sizeof(struct get_dfs_referral_rsp) - reply with number of referrals smaller than NumberOfReferrals in the header  Processing of such replies will cause oob.  Return -EINVAL error on such replies to prevent oob-s.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40100",
                        "url": "https://ubuntu.com/security/CVE-2025-40100",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: do not assert we found block group item when creating free space tree  Currently, when building a free space tree at populate_free_space_tree(), if we are not using the block group tree feature, we always expect to find block group items (either extent items or a block group item with key type BTRFS_BLOCK_GROUP_ITEM_KEY) when we search the extent tree with btrfs_search_slot_for_read(), so we assert that we found an item. However this expectation is wrong since we can have a new block group created in the current transaction which is still empty and for which we still have not added the block group's item to the extent tree, in which case we do not have any items in the extent tree associated to the block group.  The insertion of a new block group's block group item in the extent tree happens at btrfs_create_pending_block_groups() when it calls the helper insert_block_group_item(). This typically is done when a transaction handle is released, committed or when running delayed refs (either as part of a transaction commit or when serving tickets for space reservation if we are low on free space).  So remove the assertion at populate_free_space_tree() even when the block group tree feature is not enabled and update the comment to mention this case.  Syzbot reported this with the following stack trace:    BTRFS info (device loop3 state M): rebuilding free space tree   assertion failed: ret == 0 :: 0, in fs/btrfs/free-space-tree.c:1115   ------------[ cut here ]------------   kernel BUG at fs/btrfs/free-space-tree.c:1115!   Oops: invalid opcode: 0000 [#1] SMP KASAN PTI   CPU: 1 UID: 0 PID: 6352 Comm: syz.3.25 Not tainted syzkaller #0 PREEMPT(full)   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025   RIP: 0010:populate_free_space_tree+0x700/0x710 fs/btrfs/free-space-tree.c:1115   Code: ff ff e8 d3 (...)   
RSP: 0018:ffffc9000430f780 EFLAGS: 00010246   RAX: 0000000000000043 RBX: ffff88805b709630 RCX: fea61d0e2e79d000   RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000   RBP: ffffc9000430f8b0 R08: ffffc9000430f4a7 R09: 1ffff92000861e94   R10: dffffc0000000000 R11: fffff52000861e95 R12: 0000000000000001   R13: 1ffff92000861f00 R14: dffffc0000000000 R15: 0000000000000000   FS:  00007f424d9fe6c0(0000) GS:ffff888125afc000(0000) knlGS:0000000000000000   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   CR2: 00007fd78ad212c0 CR3: 0000000076d68000 CR4: 00000000003526f0   Call Trace:    <TASK>    btrfs_rebuild_free_space_tree+0x1ba/0x6d0 fs/btrfs/free-space-tree.c:1364    btrfs_start_pre_rw_mount+0x128f/0x1bf0 fs/btrfs/disk-io.c:3062    btrfs_remount_rw fs/btrfs/super.c:1334 [inline]    btrfs_reconfigure+0xaed/0x2160 fs/btrfs/super.c:1559    reconfigure_super+0x227/0x890 fs/super.c:1076    do_remount fs/namespace.c:3279 [inline]    path_mount+0xd1a/0xfe0 fs/namespace.c:4027    do_mount fs/namespace.c:4048 [inline]    __do_sys_mount fs/namespace.c:4236 [inline]    __se_sys_mount+0x313/0x410 fs/namespace.c:4213    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    RIP: 0033:0x7f424e39066a   Code: d8 64 89 02 (...)   RSP: 002b:00007f424d9fde68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5   RAX: ffffffffffffffda RBX: 00007f424d9fdef0 RCX: 00007f424e39066a   RDX: 0000200000000180 RSI: 0000200000000380 RDI: 0000000000000000   RBP: 0000200000000180 R08: 00007f424d9fdef0 R09: 0000000000000020   R10: 0000000000000020 R11: 0000000000000246 R12: 0000200000000380   R13: 00007f424d9fdeb0 R14: 0000000000000000 R15: 00002000000002c0    </TASK>   Modules linked in:   ---[ end trace 0000000000000000 ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40101",
                        "url": "https://ubuntu.com/security/CVE-2025-40101",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST  At the end of btrfs_load_block_group_zone_info() the first thing we do is to ensure that if the mapping type is not a SINGLE one and there is no RAID stripe tree, then we return early with an error.  Doing that, though, prevents the code from running the last calls from this function which are about freeing memory allocated during its run. Hence, in this case, instead of returning early, we set the ret value and fall through the rest of the cleanup code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40167",
                        "url": "https://ubuntu.com/security/CVE-2025-40167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: detect invalid INLINE_DATA + EXTENTS flag combination  syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal.  The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set:      EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:     comm syz.0.17: corrupted extent tree: lblk 0 < prev 66  Investigation revealed that the inode has both flags set:     DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1  This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks  Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes.  Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40102",
                        "url": "https://ubuntu.com/security/CVE-2025-40102",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Prevent access to vCPU events before init  Another day, another syzkaller bug. KVM erroneously allows userspace to pend vCPU events for a vCPU that hasn't been initialized yet, leading to KVM interpreting a bunch of uninitialized garbage for routing / injecting the exception.  In one case the injection code and the hyp disagree on whether the vCPU has a 32bit EL1 and put the vCPU into an illegal mode for AArch64, tripping the BUG() in exception_target_el() during the next injection:    kernel BUG at arch/arm64/kvm/inject_fault.c:40!   Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP   CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT   Hardware name: linux,dummy-virt (DT)   pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)   pc : exception_target_el+0x88/0x8c   lr : pend_serror_exception+0x18/0x13c   sp : ffff800082f03a10   x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000   x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000   x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004   x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000   x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0   x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000   x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000   x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000   x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000   x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20   Call trace:    exception_target_el+0x88/0x8c (P)    kvm_inject_serror_esr+0x40/0x3b4    __kvm_arm_vcpu_set_events+0xf0/0x100    kvm_arch_vcpu_ioctl+0x180/0x9d4    kvm_vcpu_ioctl+0x60c/0x9f4    __arm64_sys_ioctl+0xac/0x104    invoke_syscall+0x48/0x110    el0_svc_common.constprop.0+0x40/0xe0    
do_el0_svc+0x1c/0x28    el0_svc+0x34/0xf0    el0t_64_sync_handler+0xa0/0xe4    el0t_64_sync+0x198/0x19c   Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000)  Reject the ioctls outright as no sane VMM would call these before KVM_ARM_VCPU_INIT anyway. Even if it did the exception would've been thrown away by the eventual reset of the vCPU's state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40103",
                        "url": "https://ubuntu.com/security/CVE-2025-40103",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: Fix refcount leak for cifs_sb_tlink  Fix three refcount inconsistency issues related to `cifs_sb_tlink`.  Comments for `cifs_sb_tlink` state that `cifs_put_tlink()` needs to be called after successful calls to `cifs_sb_tlink()`. Three calls fail to update refcount accordingly, leading to possible resource leaks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40104",
                        "url": "https://ubuntu.com/security/CVE-2025-40104",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ixgbevf: fix mailbox API compatibility by negotiating supported features  There was backward compatibility in the terms of mailbox API. Various drivers from various OSes supporting 10G adapters from Intel portfolio could easily negotiate mailbox API.  This convention has been broken since introducing API 1.4. Commit 0062e7cc955e (\"ixgbevf: add VF IPsec offload code\") added support for IPSec which is specific only for the kernel ixgbe driver. None of the rest of the Intel 10G PF/VF drivers supports it. And actually lack of support was not included in the IPSec implementation - there were no such code paths. No possibility to negotiate support for the feature was introduced along with introduction of the feature itself.  Commit 339f28964147 (\"ixgbevf: Add support for new mailbox communication between PF and VF\") increasing API version to 1.5 did the same - it introduced code supported specifically by the PF ESX driver. It altered API version for the VF driver in the same time not touching the version defined for the PF ixgbe driver. It led to additional discrepancies, as the code provided within API 1.6 cannot be supported for Linux ixgbe driver as it causes crashes.  The issue was noticed some time ago and mitigated by Jake within the commit d0725312adf5 (\"ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5\"). As a result we have regression for IPsec support and after increasing API to version 1.6 ixgbevf driver stopped to support ESX MBX.  To fix this mess add new mailbox op asking PF driver about supported features. Basing on a response determine whether to set support for IPSec and ESX-specific enhanced mailbox.  New mailbox op, for compatibility purposes, must be added within new API revision, as API version of OOT PF & VF drivers is already increased to 1.6 and doesn't incorporate features negotiate op.  
Features negotiation mechanism gives possibility to be extended with new features when needed in the future.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40166",
                        "url": "https://ubuntu.com/security/CVE-2025-40166",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Check GuC running state before deregistering exec queue  In normal operation, a registered exec queue is disabled and deregistered through the GuC, and freed only after the GuC confirms completion. However, if the driver is forced to unbind while the exec queue is still running, the user may call exec_destroy() after the GuC has already been stopped and CT communication disabled.  In this case, the driver cannot receive a response from the GuC, preventing proper cleanup of exec queue resources. Fix this by directly releasing the resources when GuC is not running.  Here is the failure dmesg log: \" [  468.089581] ---[ end trace 0000000000000000 ]--- [  468.089608] pci 0000:03:00.0: [drm] *ERROR* GT0: GUC ID manager unclean (1/65535) [  468.090558] pci 0000:03:00.0: [drm] GT0:     total 65535 [  468.090562] pci 0000:03:00.0: [drm] GT0:     used 1 [  468.090564] pci 0000:03:00.0: [drm] GT0:     range 1..1 (1) [  468.092716] ------------[ cut here ]------------ [  468.092719] WARNING: CPU: 14 PID: 4775 at drivers/gpu/drm/xe/xe_ttm_vram_mgr.c:298 ttm_vram_mgr_fini+0xf8/0x130 [xe] \"  v2: use xe_uc_fw_is_running() instead of xe_guc_ct_enabled().     As CT may go down and come back during VF migration.  (cherry picked from commit 9b42321a02c50a12b2beb6ae9469606257fbecea)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40105",
                        "url": "https://ubuntu.com/security/CVE-2025-40105",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vfs: Don't leak disconnected dentries on umount  When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb (\"VFS: don't keep disconnected dentries on d_anon\") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitely relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are \"leaked\". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous \"Busy inodes after unmount\" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40019",
                        "url": "https://ubuntu.com/security/CVE-2025-40019",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: essiv - Check ssize for decryption and in-place encryption  Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-24 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40214",
                        "url": "https://ubuntu.com/security/CVE-2025-40214",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  af_unix: Initialise scc_index in unix_add_edge().  Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro.  The repro consists of three stages.    1)     1-a. Create a single cyclic reference with many sockets     1-b. close() all sockets     1-c. Trigger GC    2)     2-a. Pass sk-A to an embryo sk-B     2-b. Pass sk-X to sk-X     2-c. Trigger GC    3)     3-a. accept() the embryo sk-B     3-b. Pass sk-B to sk-C     3-c. close() the in-flight sk-A     3-d. Trigger GC  As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs:    unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START)   unix_sk(sk-X)->vertex->scc_index = 3  Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC.  At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices.  unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight.  3-c decrements sk-A's file refcnt to 1.  Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X:    sk-A -> sk-B (-> sk-C)   sk-X -> sk-X  This is totally fine.  All of them are not yet close()d and should be grouped into different SCCs.  However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead.    unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong!   &&   sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree                                        ^-- 1 in-flight count for sk-B   -> sk-A is dead !?  
The problem is that unix_add_edge() does not initialise scc_index.  Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c.  Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index.  This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.",
                        "cve_priority": "high",
                        "cve_public_date": "2025-12-04 13:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2137845,
                    1786013,
                    2137849,
                    1786013,
                    2136820,
                    2137698,
                    2129812,
                    2125022,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136813,
                    2132317,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2132095,
                    2131046,
                    2115860,
                    2128792,
                    2121852,
                    2131259,
                    2131259,
                    2131702,
                    2129610
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-40256",
                                "url": "https://ubuntu.com/security/CVE-2025-40256",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added  In commit b441cf3f8c4b (\"xfrm: delete x->tunnel as we delete x\"), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists.  In this situation, ->init_state has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn't go through __xfrm_state_delete, so we don't call xfrm_state_delete_tunnel for those states, and we end up leaking the FB tunnel.  There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrm_migrate, xfrm_state_migrate). A \"proper\" rollback of the init_state work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved.  At some point, the new (not-inserted) state will be destroyed, so call xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states will have their fallback tunnel cleaned up during __xfrm_state_delete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68204",
                                "url": "https://ubuntu.com/security/CVE-2025-68204",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pmdomain: arm: scmi: Fix genpd leak on provider registration failure  If of_genpd_add_provider_onecell() fails during probe, the previously created generic power domains are not removed, leading to a memory leak and potential kernel crash later in genpd_debug_add().  Add proper error handling to unwind the initialized domains before returning from probe to ensure all resources are correctly released on failure.  Example crash trace observed without this fix:    | Unable to handle kernel paging request at virtual address fffffffffffffc70   | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT   | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform   | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)   | pc : genpd_debug_add+0x2c/0x160   | lr : genpd_debug_init+0x74/0x98   | Call trace:   |  genpd_debug_add+0x2c/0x160 (P)   |  genpd_debug_init+0x74/0x98   |  do_one_initcall+0xd0/0x2d8   |  do_initcall_level+0xa0/0x140   |  do_initcalls+0x60/0xa8   |  do_basic_setup+0x28/0x40   |  kernel_init_freeable+0xe8/0x170   |  kernel_init+0x2c/0x140   |  ret_from_fork+0x10/0x20",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68203",
                                "url": "https://ubuntu.com/security/CVE-2025-68203",
                                "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40267",
                                "url": "https://ubuntu.com/security/CVE-2025-40267",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/rw: ensure allocated iovec gets cleared for early failure  A previous commit reused the recyling infrastructure for early cleanup, but this is not enough for the case where our internal caches have overflowed. If this happens, then the allocated iovec can get leaked if the request is also aborted early.  Reinstate the previous forced free of the iovec for that situation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68198",
                                "url": "https://ubuntu.com/security/CVE-2025-68198",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crash: fix crashkernel resource shrink  When crashkernel is configured with a high reservation, shrinking its value below the low crashkernel reservation causes two issues:  1. Invalid crashkernel resource objects 2. Kernel crash if crashkernel shrinking is done twice  For example, with crashkernel=200M,high, the kernel reserves 200MB of high memory and some default low memory (say 256MB).  The reservation appears as:  cat /proc/iomem | grep -i crash af000000-beffffff : Crash kernel 433000000-43f7fffff : Crash kernel  If crashkernel is then shrunk to 50MB (echo 52428800 > /sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved: af000000-beffffff : Crash kernel  Instead, it should show 50MB: af000000-b21fffff : Crash kernel  Further shrinking crashkernel to 40MB causes a kernel crash with the following trace (x86):  BUG: kernel NULL pointer dereference, address: 0000000000000038 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI <snip...> Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2f0 ? search_module_extables+0x19/0x60 ? search_bpf_extables+0x5f/0x80 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? __release_resource+0xd/0xb0 release_resource+0x26/0x40 __crash_shrink_memory+0xe5/0x110 crash_shrink_memory+0x12a/0x190 kexec_crash_size_store+0x41/0x80 kernfs_fop_write_iter+0x141/0x1f0 vfs_write+0x294/0x460 ksys_write+0x6d/0xf0 <snip...>  This happens because __crash_shrink_memory()/kernel/crash_core.c incorrectly updates the crashk_res resource object even when crashk_low_res should be updated.  Fix this by ensuring the correct crashkernel resource object is updated when shrinking crashkernel memory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68199",
                                "url": "https://ubuntu.com/security/CVE-2025-68199",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext  When alloc_slab_obj_exts() fails and then later succeeds in allocating a slab extension vector, it calls handle_failed_objexts_alloc() to mark all objects in the vector as empty.  As a result all objects in this slab (slabA) will have their extensions set to CODETAG_EMPTY.  Later on if this slabA is used to allocate a slabobj_ext vector for another slab (slabB), we end up with the slabB->obj_exts pointing to a slabobj_ext vector that itself has a non-NULL slabobj_ext equal to CODETAG_EMPTY.  When slabB gets freed, free_slab_obj_exts() is called to free slabB->obj_exts vector.   free_slab_obj_exts() calls mark_objexts_empty(slabB->obj_exts) which will generate a warning because it expects slabobj_ext vectors to have a NULL obj_ext, not CODETAG_EMPTY.  Modify mark_objexts_empty() to skip the warning and setting the obj_ext value if it's already set to CODETAG_EMPTY.   To quickly detect this WARN, I modified the code from WARN_ON(slab_exts[offs].ref.ct) to BUG_ON(slab_exts[offs].ref.ct == 1);  We then obtained this message:  [21630.898561] ------------[ cut here ]------------ [21630.898596] kernel BUG at mm/slub.c:2050! 
[21630.898611] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [21630.900372] Modules linked in: squashfs isofs vfio_iommu_type1 vhost_vsock vfio vhost_net vmw_vsock_virtio_transport_common vhost tap vhost_iotlb iommufd vsock binfmt_misc nfsv3 nfs_acl nfs lockd grace netfs tls rds dns_resolver tun brd overlay ntfs3 exfat btrfs blake2b_generic xor xor_neon raid6_pq loop sctp ip6_udp_tunnel udp_tunnel nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables rfkill ip_set sunrpc vfat fat joydev sg sch_fq_codel nfnetlink virtio_gpu sr_mod cdrom drm_client_lib virtio_dma_buf drm_shmem_helper drm_kms_helper drm ghash_ce backlight virtio_net virtio_blk virtio_scsi net_failover virtio_console failover virtio_mmio dm_mirror dm_region_hash dm_log dm_multipath dm_mod fuse i2c_dev virtio_pci virtio_pci_legacy_dev virtio_pci_modern_dev virtio virtio_ring autofs4 aes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject] [21630.909177] CPU: 3 UID: 0 PID: 3787 Comm: kylin-process-m Kdump: loaded Tainted: G        W           6.18.0-rc1+ #74 PREEMPT(voluntary) [21630.910495] Tainted: [W]=WARN [21630.910867] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 [21630.911625] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [21630.912392] pc : __free_slab+0x228/0x250 [21630.912868] lr : __free_slab+0x18c/0x250[21630.913334] sp : ffff8000a02f73e0 [21630.913830] x29: ffff8000a02f73e0 x28: fffffdffc43fc800 x27: ffff0000c0011c40 [21630.914677] x26: ffff0000c000cac0 x25: ffff00010fe5e5f0 x24: ffff000102199b40 [21630.915469] x23: 0000000000000003 x22: 0000000000000003 x21: ffff0000c0011c40 [21630.916259] x20: fffffdffc4086600 x19: fffffdffc43fc800 x18: 0000000000000000 [21630.917048] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [21630.917837] x14: 0000000000000000 x13: 0000000000000000 x12: ffff70001405ee66 
[21630.918640] x11: 1ffff0001405ee65 x10: ffff70001405ee65 x9 : ffff800080a295dc [21630.919442] x8 : ffff8000a02f7330 x7 : 0000000000000000 x6 : 0000000000003000 [21630.920232] x5 : 0000000024924925 x4 : 0000000000000001 x3 : 0000000000000007 [21630.921021] x2 : 0000000000001b40 x1 : 000000000000001f x0 : 0000000000000001 [21630.921810] Call trace: [21630.922130]  __free_slab+0x228/0x250 (P) [21630.922669]  free_slab+0x38/0x118 [21630.923079]  free_to_partial_list+0x1d4/0x340 [21630.923591]  __slab_free+0x24c/0x348 [21630.924024]  ___cache_free+0xf0/0x110 [21630.924468]  qlist_free_all+0x78/0x130 [21630.924922]  kasan_quarantine_reduce+0x11 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40268",
                                "url": "https://ubuntu.com/security/CVE-2025-40268",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cifs: client: fix memory leak in smb3_fs_context_parse_param  The user calls fsconfig twice, but when the program exits, free() only frees ctx->source for the second fsconfig, not the first. Regarding fc->source, there is no code in the fs context related to its memory reclamation.  To fix this memory leak, release the source memory corresponding to ctx or fc before each parsing.  syzbot reported: BUG: memory leak unreferenced object 0xffff888128afa360 (size 96):   backtrace (crc 79c9c7ba):     kstrdup+0x3c/0x80 mm/util.c:84     smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444  BUG: memory leak unreferenced object 0xffff888112c7d900 (size 96):   backtrace (crc 79c9c7ba):     smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629     smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40269",
                                "url": "https://ubuntu.com/security/CVE-2025-40269",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix potential overflow of PCM transfer buffer  The PCM stream data in USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically.  The packet sizes are limited by some factors such as wMaxPacketSize USB descriptor.  OTOH, in the current code, the actually used packet sizes are determined only by the rate and the PPS, which may be bigger than the size limit above.  This results in a buffer overflow, as reported by syzbot.  Basically when the limit is smaller than the calculated packet size, it implies that something is wrong, most likely a weird USB descriptor.  So the best option would be just to return an error at the parameter setup time before doing any further operations.  This patch introduces such a sanity check, and returns -EINVAL when the packet size is greater than maxpacksize.  The comparison with ep->packsize[1] alone should suffice since it's always equal or greater than ep->packsize[0].",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68205",
                                "url": "https://ubuntu.com/security/CVE-2025-68205",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver  After restructuring and splitting the HDMI codec driver code, each HDMI codec driver contains its own build_controls and build_pcms ops. A copy-n-paste error put the wrong entries for nvhdmi-mcp driver; both build_controls and build_pcms are swapped.  Unfortunately both callbacks have the very same form, and the compiler didn't complain about it, either.  This resulted in a NULL dereference because the PCM instance hasn't been initialized at calling the build_controls callback.  Fix it by passing the proper entries.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40270",
                                "url": "https://ubuntu.com/security/CVE-2025-40270",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm, swap: fix potential UAF issue for VMA readahead  Since commit 78524b05f1a3 (\"mm, swap: avoid redundant swap device pinning\"), the common helper for allocating and preparing a folio in the swap cache layer no longer tries to get a swap device reference internally, because all callers of __read_swap_cache_async are already holding a swap entry reference.  The repeated swap device pinning isn't needed on the same swap device.  Caller of VMA readahead is also holding a reference to the target entry's swap device, but VMA readahead walks the page table, so it might encounter swap entries from other devices, and call __read_swap_cache_async on another device without holding a reference to it.  So it is possible to cause a UAF when swapoff of device A raced with swapin on device B, and VMA readahead tries to read swap entries from device A.  It's not easy to trigger, but in theory, it could cause real issues.  Make VMA readahead try to get the device reference first if the swap device is a different one from the target entry.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40271",
                                "url": "https://ubuntu.com/security/CVE-2025-40271",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/proc: fix uaf in proc_readdir_de()  Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which may result in uaf access.  We should use RB_CLEAR_NODE() set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access.  We found an uaf issue while using stress-ng testing, need to run testcase getdent and tun in the same time.  The steps of the issue is as follows:  1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current    pde is tun3;  2) in the [time windows] unregister netdevice tun3 and tun2, and erase    them from rbtree.  erase tun3 first, and then erase tun2.  the    pde(tun2) will be released to slab;  3) continue to getdent process, then pde_subdir_next() will return    pde(tun2) which is released, it will case uaf access.  CPU 0                                      |    CPU 1 ------------------------------------------------------------------------- traverse dir /proc/pid/net/dev_snmp6/      |  unregister_netdevice(tun->dev)   //tun3 tun2 sys_getdents64()                           |   iterate_dir()                            |     proc_readdir()                         |       proc_readdir_de()                    |     snmp6_unregister_dev()         pde_get(de);                       |       proc_remove()         read_unlock(&proc_subdir_lock);    |         remove_proc_subtree()                                            |          write_lock(&proc_subdir_lock);         [time window]                      |          rb_erase(&root->subdir_node, &parent->subdir);                                            |          write_unlock(&proc_subdir_lock);         read_lock(&proc_subdir_lock);      |         next = pde_subdir_next(de);        |         pde_put(de);                       |         de = next;    //UAF                |  rbtree of dev_snmp6                         
|                     pde(tun3)                      /    \\                   NULL  pde(tun2)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40272",
                                "url": "https://ubuntu.com/security/CVE-2025-40272",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/secretmem: fix use-after-free race in fault handler  When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping.  If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in adding the folio to the file mapping.  The task that failed undoes the effects of its attempt by (a) freeing the folio again and (b) putting the page back into the direct map.  However, by doing these two operations in this order, the page becomes available to the allocator again before it is placed back in the direct mapping.  If another task attempts to allocate the page between (a) and (b), and the kernel tries to access it via the direct map, it would result in a supervisor not-present page fault.  Fix the ordering to restore the direct map before the folio is freed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68245",
                                "url": "https://ubuntu.com/security/CVE-2025-68245",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: netpoll: fix incorrect refcount handling causing incorrect cleanup  commit efa95b01da18 (\"netpoll: fix use after free\") incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks.  Scenario causing lack of proper cleanup:  1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is    allocated, and refcnt = 1    - Keep in mind that npinfo is shared among all netpoll instances. In      this case, there is just one.  2) Another netpoll is also associated with the same NIC and    npinfo->refcnt += 1.    - Now dev->npinfo->refcnt = 2;    - There is just one npinfo associated to the netdev.  3) When the first netpolls goes to clean up:    - The first cleanup succeeds and clears np->dev->npinfo, ignoring      refcnt.      - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);`    - Set dev->npinfo = NULL, without proper cleanup    - No ->ndo_netpoll_cleanup() is either called  4) Now the second target tries to clean up    - The second cleanup fails because np->dev->npinfo is already NULL.      * In this case, ops->ndo_netpoll_cleanup() was never called, and        the skb pool is not cleaned as well (for the second netpoll        instance)   - This leaks npinfo and skbpool skbs, which is clearly reported by     kmemleak.  Revert commit efa95b01da18 (\"netpoll: fix use after free\") and adds clarifying comments emphasizing that npinfo cleanup should only happen once the refcount reaches zero, ensuring stable and correct netpoll behavior.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68240",
                                "url": "https://ubuntu.com/security/CVE-2025-68240",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: avoid having an active sc_timer before freeing sci  Because kthread_stop did not stop sc_task properly and returned -EINTR, the sc_timer was not properly closed, ultimately causing the problem [1] reported by syzbot when freeing sci due to the sc_timer not being closed.  Because the thread sc_task main function nilfs_segctor_thread() returns 0 when it succeeds, when the return value of kthread_stop() is not 0 in nilfs_segctor_destroy(), we believe that it has not properly closed sc_timer.  We use timer_shutdown_sync() to sync wait for sc_timer to shutdown, and set the value of sc_task to NULL under the protection of lock sc_state_lock, so as to avoid the issue caused by sc_timer not being properly shut down.  [1] ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: nilfs_construction_timeout Call trace:  nilfs_segctor_destroy fs/nilfs2/segment.c:2811 [inline]  nilfs_detach_log_writer+0x668/0x8cc fs/nilfs2/segment.c:2877  nilfs_put_super+0x4c/0x12c fs/nilfs2/super.c:509",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68241",
                                "url": "https://ubuntu.com/security/CVE-2025-68241",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe  The sit driver's packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random.  The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exception() can fetch the soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a new dst using a dst_hold(). When the original fnheX is freed via RCU, the dst reference remains permanently leaked.  CPU 0                             CPU 1 __mkroute_output()   find_exception() [fnheX]                                   update_or_create_fnhe()                                     fnhe_remove_oldest() [fnheX]   rt_bind_exception() [bind dst]                                   RCU callback [fnheX freed, dst leak]  This issue manifests as a device reference count leak and a warning in dmesg when unregistering the net device:    unregister_netdevice: waiting for sitX to become free. Usage count = N  Ido Schimmel provided the simple test validation method [1].  The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes(). Since rt_bind_exception() checks this field, setting it to zero prevents the stale fnhe from being reused and bound to a new dst just before it is freed.  
[1] ip netns add ns1 ip -n ns1 link set dev lo up ip -n ns1 address add 192.0.2.1/32 dev lo ip -n ns1 link add name dummy1 up type dummy ip -n ns1 route add 192.0.2.2/32 dev dummy1 ip -n ns1 link add name gretap1 up arp off type gretap \\     local 192.0.2.1 remote 192.0.2.2 ip -n ns1 route add 198.51.0.0/16 dev gretap1 taskset -c 0 ip netns exec ns1 mausezahn gretap1 \\     -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & taskset -c 2 ip netns exec ns1 mausezahn gretap1 \\     -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & sleep 10 ip netns pids ns1 | xargs kill ip netns del ns1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68211",
                                "url": "https://ubuntu.com/security/CVE-2025-68211",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksm: use range-walk function to jump over holes in scan_get_next_rmap_item  Currently, scan_get_next_rmap_item() walks every page address in a VMA to locate mergeable pages.  This becomes highly inefficient when scanning large virtual memory areas that contain mostly unmapped regions, causing ksmd to use large amount of cpu without deduplicating much pages.  This patch replaces the per-address lookup with a range walk using walk_page_range().  The range walker allows KSM to skip over entire unmapped holes in a VMA, avoiding unnecessary lookups.  This problem was previously discussed in [1].  Consider the following test program which creates a 32 TiB mapping in the virtual address space but only populates a single page:  #include <unistd.h> #include <stdio.h> #include <sys/mman.h>  /* 32 TiB */ const size_t size = 32ul * 1024 * 1024 * 1024 * 1024;  int main() {         char *area = mmap(NULL, size, PROT_READ | PROT_WRITE,                           MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1, 0);          if (area == MAP_FAILED) {                 perror(\"mmap() failed\\n\");                 return -1;         }          /* Populate a single page such that we get an anon_vma. */         *area = 0;          /* Enable KSM. */         madvise(area, size, MADV_MERGEABLE);         pause();         return 0; }  $ ./ksm-sparse  & $ echo 1 > /sys/kernel/mm/ksm/run  Without this patch ksmd uses 100% of the cpu for a long time (more then 1 hour in my test machine) scanning all the 32 TiB virtual address space that contain only one mapped page.  This makes ksmd essentially deadlocked not able to deduplicate anything of value.  With this patch ksmd walks only the one mapped page and skips the rest of the 32 TiB virtual address space, making the scan fast using little cpu.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68246",
                                "url": "https://ubuntu.com/security/CVE-2025-68246",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: close accepted socket when per-IP limit rejects connection  When the per-IP connection limit is exceeded in ksmbd_kthread_fn(), the code sets ret = -EAGAIN and continues the accept loop without closing the just-accepted socket. That leaks one socket per rejected attempt from a single IP and enables a trivial remote DoS.  Release client_sk before continuing.  This bug was found with ZeroPath.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40273",
                                "url": "https://ubuntu.com/security/CVE-2025-40273",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: free copynotify stateid in nfs4_free_ol_stateid()  Typically copynotify stateid is freed either when parent's stateid is being close/freed or in nfsd4_laundromat if the stateid hasn't been used in a lease period.  However, in case when the server got an OPEN (which created a parent stateid), followed by a COPY_NOTIFY using that stateid, followed by a client reboot. New client instance while doing CREATE_SESSION would force expire previous state of this client. It leads to the open state being freed thru release_openowner-> nfs4_free_ol_stateid() and it finds that it still has copynotify stateid associated with it. We currently print a warning and is triggerred  WARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd]  This patch, instead, frees the associated copynotify stateid here.  If the parent stateid is freed (without freeing the copynotify stateids associated with it), it leads to the list corruption when laundromat ends up freeing the copynotify state later.  
[ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP [ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink [ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G    B   W           6.17.0-rc7+ #22 PREEMPT(voluntary) [ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN [ 1626.857573] Hardware name: VMware, Inc. 
VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024 [ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd] [ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.861182] sp : ffff8000881d7a40 [ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200 [ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20 [ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8 [ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000 [ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065 [ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3 [ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000 [ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001 [ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000 [ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d [ 1626.868167] Call trace: [ 1626.868382]  __list_del_entry_valid_or_report+0x148/0x200 (P) [ 1626.868876]  _free_cpntf_state_locked+0xd0/0x268 [nfsd] [ 1626.869368]  nfs4_laundromat+0x6f8/0x1058 [nfsd] [ 1626.869813]  laundromat_main+0x24/0x60 [nfsd] [ 1626.870231]  process_one_work+0x584/0x1050 [ 1626.870595]  worker_thread+0x4c4/0xc60 [ 1626.870893]  kthread+0x2f8/0x398 [ 1626.871146]  ret_from_fork+0x10/0x20 [ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000) [ 1626.871892] SMP: stopping secondary CPUs",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40212",
                                "url": "https://ubuntu.com/security/CVE-2025-40212",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfsd: fix refcount leak in nfsd_set_fh_dentry()  nfsd exports a \"pseudo root filesystem\" which is used by NFSv4 to find the various exported filesystems using LOOKUP requests from a known root filehandle.  NFSv3 uses the MOUNT protocol to find those exported filesystems and so is not given access to the pseudo root filesystem.  If a v3 (or v2) client uses a filehandle from that filesystem, nfsd_set_fh_dentry() will report an error, but still stores the export in \"struct svc_fh\" even though it also drops the reference (exp_put()). This means that when fh_put() is called an extra reference will be dropped which can lead to use-after-free and possible denial of service.  Normal NFS usage will not provide a pseudo-root filehandle to a v3 client.  This bug can only be triggered by the client synthesising an incorrect filehandle.  To fix this we move the assignments to the svc_fh later, after all possible error cases have been detected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-24 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40274",
                                "url": "https://ubuntu.com/security/CVE-2025-40274",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying  When unbinding a memslot from a guest_memfd instance, remove the bindings even if the guest_memfd file is dying, i.e. even if its file refcount has gone to zero.  If the memslot is freed before the file is fully released, nullifying the memslot side of the binding in kvm_gmem_release() will write to freed memory, as detected by syzbot+KASAN:    ==================================================================   BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353   Write of size 8 at addr ffff88807befa508 by task syz.0.17/6022    CPU: 0 UID: 0 PID: 6022 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025   Call Trace:    <TASK>    dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120    print_address_description mm/kasan/report.c:378 [inline]    print_report+0xca/0x240 mm/kasan/report.c:482    kasan_report+0x118/0x150 mm/kasan/report.c:595    kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353    __fput+0x44c/0xa70 fs/file_table.c:468    task_work_run+0x1d4/0x260 kernel/task_work.c:227    resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]    exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43    exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]    syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]    syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]    do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100    entry_SYSCALL_64_after_hwframe+0x77/0x7f   RIP: 0033:0x7fbeeff8efc9    </TASK>    Allocated by task 6023:    kasan_save_stack mm/kasan/common.c:56 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:77    poison_kmalloc_redzone mm/kasan/common.c:397 
[inline]    __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414    kasan_kmalloc include/linux/kasan.h:262 [inline]    __kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5758    kmalloc_noprof include/linux/slab.h:957 [inline]    kzalloc_noprof include/linux/slab.h:1094 [inline]    kvm_set_memory_region+0x747/0xb90 virt/kvm/kvm_main.c:2104    kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154    kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:597 [inline]    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    Freed by task 6023:    kasan_save_stack mm/kasan/common.c:56 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:77    kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584    poison_slab_object mm/kasan/common.c:252 [inline]    __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284    kasan_slab_free include/linux/kasan.h:234 [inline]    slab_free_hook mm/slub.c:2533 [inline]    slab_free mm/slub.c:6622 [inline]    kfree+0x19a/0x6d0 mm/slub.c:6829    kvm_set_memory_region+0x9c4/0xb90 virt/kvm/kvm_main.c:2130    kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154    kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:597 [inline]    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f  Deliberately don't acquire filemap invalid lock when the file is dying as the lifecycle of f_mapping is outside the purview of KVM.  
Dereferencing the mapping is *probably* fine, but there's no need to invalidate anything as memslot deletion is responsible for zapping SPTEs, and the only code that can access the dying file is kvm_gmem_release(), whose core code is mutual ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68202",
                                "url": "https://ubuntu.com/security/CVE-2025-68202",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Fix unsafe locking in the scx_dump_state()  For built with CONFIG_PREEMPT_RT=y kernels, the dump_lock will be converted sleepable spinlock and not disable-irq, so the following scenarios occur:  inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. irq_work/0/27 [HC0[0]:SC0[0]:HE1:SE1] takes: (&rq->__lock){?...}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x40 {IN-HARDIRQ-W} state was registered at:    lock_acquire+0x1e1/0x510    _raw_spin_lock_nested+0x42/0x80    raw_spin_rq_lock_nested+0x2b/0x40    sched_tick+0xae/0x7b0    update_process_times+0x14c/0x1b0    tick_periodic+0x62/0x1f0    tick_handle_periodic+0x48/0xf0    timer_interrupt+0x55/0x80    __handle_irq_event_percpu+0x20a/0x5c0    handle_irq_event_percpu+0x18/0xc0    handle_irq_event+0xb5/0x150    handle_level_irq+0x220/0x460    __common_interrupt+0xa2/0x1e0    common_interrupt+0xb0/0xd0    asm_common_interrupt+0x2b/0x40    _raw_spin_unlock_irqrestore+0x45/0x80    __setup_irq+0xc34/0x1a30    request_threaded_irq+0x214/0x2f0    hpet_time_init+0x3e/0x60    x86_late_time_init+0x5b/0xb0    start_kernel+0x308/0x410    x86_64_start_reservations+0x1c/0x30    x86_64_start_kernel+0x96/0xa0    common_startup_64+0x13e/0x148   other info that might help us debug this:  Possible unsafe locking scenario:          CPU0         ----    lock(&rq->__lock);    <Interrupt>      lock(&rq->__lock);    *** DEADLOCK ***   stack backtrace:  CPU: 0 UID: 0 PID: 27 Comm: irq_work/0  Call Trace:   <TASK>   dump_stack_lvl+0x8c/0xd0   dump_stack+0x14/0x20   print_usage_bug+0x42e/0x690   mark_lock.part.44+0x867/0xa70   ? __pfx_mark_lock.part.44+0x10/0x10   ? string_nocheck+0x19c/0x310   ? number+0x739/0x9f0   ? __pfx_string_nocheck+0x10/0x10   ? __pfx_check_pointer+0x10/0x10   ? kvm_sched_clock_read+0x15/0x30   ? sched_clock_noinstr+0xd/0x20   ? local_clock_noinstr+0x1c/0xe0   __lock_acquire+0xc4b/0x62b0   ? 
__pfx_format_decode+0x10/0x10   ? __pfx_string+0x10/0x10   ? __pfx___lock_acquire+0x10/0x10   ? __pfx_vsnprintf+0x10/0x10   lock_acquire+0x1e1/0x510   ? raw_spin_rq_lock_nested+0x2b/0x40   ? __pfx_lock_acquire+0x10/0x10   ? dump_line+0x12e/0x270   ? raw_spin_rq_lock_nested+0x20/0x40   _raw_spin_lock_nested+0x42/0x80   ? raw_spin_rq_lock_nested+0x2b/0x40   raw_spin_rq_lock_nested+0x2b/0x40   scx_dump_state+0x3b3/0x1270   ? finish_task_switch+0x27e/0x840   scx_ops_error_irq_workfn+0x67/0x80   irq_work_single+0x113/0x260   irq_work_run_list.part.3+0x44/0x70   run_irq_workd+0x6b/0x90   ? __pfx_run_irq_workd+0x10/0x10   smpboot_thread_fn+0x529/0x870   ? __pfx_smpboot_thread_fn+0x10/0x10   kthread+0x305/0x3f0   ? __pfx_kthread+0x10/0x10   ret_from_fork+0x40/0x70   ? __pfx_kthread+0x10/0x10   ret_from_fork_asm+0x1a/0x30   </TASK>  This commit therefore use rq_lock_irqsave/irqrestore() to replace rq_lock/unlock() in the scx_dump_state().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68239",
                                "url": "https://ubuntu.com/security/CVE-2025-68239",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  binfmt_misc: restore write access before closing files opened by open_exec()  bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed.  However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write operations on the same file to fail.  Fix this by calling exe_file_allow_write_access() before filp_close() to restore the write permission properly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68247",
                                "url": "https://ubuntu.com/security/CVE-2025-68247",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  posix-timers: Plug potential memory leak in do_timer_create()  When posix timer creation is set to allocate a given timer ID and the access to the user space value faults, the function terminates without freeing the already allocated posix timer structure.  Move the allocation after the user space access to cure that.  [ tglx: Massaged change log ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68208",
                                "url": "https://ubuntu.com/security/CVE-2025-68208",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: account for current allocated stack depth in widen_imprecise_scalars()  The usage pattern for widen_imprecise_scalars() looks as follows:      prev_st = find_prev_entry(env, ...);     queued_st = push_stack(...);     widen_imprecise_scalars(env, prev_st, queued_st);  Where prev_st is an ancestor of the queued_st in the explored states tree. This ancestor is not guaranteed to have the same allocated stack depth as queued_st. E.g. in the following case:      def main():       for i in 1..2:         foo(i)        // same callsite, different param      def foo(i):       if i == 1:         use 128 bytes of stack       iterator based loop  Here, for a second 'foo' call prev_st->allocated_stack is 128, while queued_st->allocated_stack is much smaller. widen_imprecise_scalars() needs to take this into account and avoid accessing bpf_verifier_state->frame[*]->stack out of bounds.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68200",
                                "url": "https://ubuntu.com/security/CVE-2025-68200",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Add bpf_prog_run_data_pointers()  syzbot found that cls_bpf_classify() is able to change tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().  WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline] WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214  struct tc_skb_cb has been added in commit ec624fe740b4 (\"net/sched: Extend qdisc control block with tc control block\"), which added a wrong interaction with db58ba459202 (\"bpf: wire in data and data_end for cls_act_bpf\").  drop_reason was added later.  Add bpf_prog_run_data_pointers() helper to save/restore the net_sched storage colliding with BPF data_meta/data_end.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40275",
                                "url": "https://ubuntu.com/security/CVE-2025-40275",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd  In snd_usb_create_streams(), for UAC version 3 devices, the Interface Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this call fails, a fallback routine attempts to obtain the IAD from the next interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, without performing a NULL check. This can lead to a NULL pointer dereference when usb_ifnum_to_if() fails to find the interface descriptor.  This patch adds a NULL pointer check after calling usb_ifnum_to_if() in snd_usb_mixer_controls_badd() to prevent the dereference.  This issue was discovered by syzkaller, which triggered the bug by sending a crafted USB device descriptor.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68242",
                                "url": "https://ubuntu.com/security/CVE-2025-68242",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS: Fix LTP test failures when timestamps are delegated  The utimes01 and utime06 tests fail when delegated timestamps are enabled, specifically in subtests that modify the atime and mtime fields using the 'nobody' user ID.  The problem can be reproduced as follows:  # echo \"/media *(rw,no_root_squash,sync)\" >> /etc/exports # export -ra # mount -o rw,nfsvers=4.2 127.0.0.1:/media /tmpdir # cd /opt/ltp # ./runltp -d /tmpdir -s utimes01 # ./runltp -d /tmpdir -s utime06  This issue occurs because nfs_setattr does not verify the inode's UID against the caller's fsuid when delegated timestamps are permitted for the inode.  This patch adds the UID check and if it does not match then the request is sent to the server for permission checking.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68243",
                                "url": "https://ubuntu.com/security/CVE-2025-68243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS: Check the TLS certificate fields in nfs_match_client()  If the TLS security policy is of type RPC_XPRTSEC_TLS_X509, then the cert_serial and privkey_serial fields need to match as well since they define the client's identity, as presented to the server.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40276",
                                "url": "https://ubuntu.com/security/CVE-2025-40276",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/panthor: Flush shmem writes before mapping buffers CPU-uncached  The shmem layer zeroes out the new pages using cached mappings, and if we don't CPU-flush we might leave dirty cachelines behind, leading to potential data leaks and/or asynchronous buffer corruption when dirty cachelines are evicted.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40277",
                                "url": "https://ubuntu.com/security/CVE-2025-40277",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE  This data originates from userspace and is used in buffer offset calculations which could potentially overflow causing an out-of-bounds access.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68206",
                                "url": "https://ubuntu.com/security/CVE-2025-68206",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_ct: add seqadj extension for natted connections  Sequence adjustment may be required for FTP traffic with PASV/EPSV modes. due to need to re-write packet payload (IP, port) on the ftp control connection. This can require changes to the TCP length and expected seq / ack_seq.  The easiest way to reproduce this issue is with PASV mode. Example ruleset: table inet ftp_nat {         ct helper ftp_helper {                 type \"ftp\" protocol tcp                 l3proto inet         }          chain prerouting {                 type filter hook prerouting priority 0; policy accept;                 tcp dport 21 ct state new ct helper set \"ftp_helper\"         } } table ip nat {         chain prerouting {                 type nat hook prerouting priority -100; policy accept;                 tcp dport 21 dnat ip prefix to ip daddr map { \t\t\t192.168.100.1 : 192.168.13.2/32 }         }          chain postrouting {                 type nat hook postrouting priority 100 ; policy accept;                 tcp sport 21 snat ip prefix to ip saddr map { \t\t\t192.168.13.2 : 192.168.100.1/32 }         } }  Note that the ftp helper gets assigned *after* the dnat setup.  The inverse (nat after helper assign) is handled by an existing check in nf_nat_setup_info() and will not show the problem.  Topoloy:   +-------------------+     +----------------------------------+  | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |  +-------------------+     +----------------------------------+                                       |                          +-----------------------+                          | Client: 192.168.100.2 |                          +-----------------------+  ftp nat changes do not work as expected in this case: Connected to 192.168.100.1. [..] ftp> epsv EPSV/EPRT on IPv4 off. 
ftp> ls 227 Entering passive mode (192,168,100,1,209,129). 421 Service not available, remote server has closed connection.  Kernel logs: Missing nfct_seqadj_ext_add() setup call WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41 [..]  __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]  nf_nat_ftp+0x142/0x280 [nf_nat_ftp]  help+0x4d1/0x880 [nf_conntrack_ftp]  nf_confirm+0x122/0x2e0 [nf_conntrack]  nf_hook_slow+0x3c/0xb0  ..  Fix this by adding the required extension when a conntrack helper is assigned to a connection that has a nat binding.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68209",
                                "url": "https://ubuntu.com/security/CVE-2025-68209",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mlx5: Fix default values in create CQ  Currently, CQs without a completion function are assigned the mlx5_add_cq_to_tasklet function by default. This is problematic since only user CQs created through the mlx5_ib driver are intended to use this function.  Additionally, all CQs that will use doorbells instead of polling for completions must call mlx5_cq_arm. However, the default CQ creation flow leaves a valid value in the CQ's arm_db field, allowing FW to send interrupts to polling-only CQs in certain corner cases.  These two factors would allow a polling-only kernel CQ to be triggered by an EQ interrupt and call a completion function intended only for user CQs, causing a null pointer exception.  Some areas in the driver have prevented this issue with one-off fixes but did not address the root cause.  This patch fixes the described issue by adding defaults to the create CQ flow. It adds a default dummy completion function to protect against null pointer exceptions, and it sets an invalid command sequence number by default in kernel CQs to prevent the FW from sending an interrupt to the CQ until it is armed. User CQs are responsible for their own initialization values.  Callers of mlx5_core_create_cq are responsible for changing the completion function and arming the CQ per their needs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40278",
                                "url": "https://ubuntu.com/security/CVE-2025-40278",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak  Fix a KMSAN kernel-infoleak detected by syzbot.  [net?] KMSAN: kernel-infoleak in __skb_datagram_iter  In tcf_ife_dump(), the variable 'opt' was partially initialized using a designated initializer, while the padding bytes remained uninitialized. Because nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace.  Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to being copied.  This change silences the KMSAN report and prevents potential information leaks from the kernel memory.  This fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures no infoleak.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40279",
                                "url": "https://ubuntu.com/security/CVE-2025-40279",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: act_connmark: initialize struct tc_ife to fix kernel leak  In tcf_connmark_dump(), the variable 'opt' was partially initialized using a designated initializer, while the padding bytes remained uninitialized. Because nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace.  Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to being copied.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40280",
                                "url": "https://ubuntu.com/security/CVE-2025-40280",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tipc: Fix use-after-free in tipc_mon_reinit_self().  syzbot reported use-after-free of tipc_net(net)->monitors[] in tipc_mon_reinit_self(). [0]  The array is protected by RTNL, but tipc_mon_reinit_self() iterates over it without RTNL.  tipc_mon_reinit_self() is called from tipc_net_finalize(), which is always under RTNL except for tipc_net_finalize_work().  Let's hold RTNL in tipc_net_finalize_work().  [0]: BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162 Read of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989  CPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Workqueue: events tipc_net_finalize_work Call Trace:  <TASK>  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0xca/0x240 mm/kasan/report.c:482  kasan_report+0x118/0x150 mm/kasan/report.c:595  __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568  kasan_check_byte include/linux/kasan.h:399 [inline]  lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842  __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]  _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162  rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline]  rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline]  rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244  rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243  write_lock_bh include/linux/rwlock_rt.h:99 [inline]  tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718  tipc_net_finalize+0x115/0x190 net/tipc/net.c:140  process_one_work kernel/workqueue.c:3236 [inline]  
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400  kthread+0x70e/0x8a0 kernel/kthread.c:463  ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 6089:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:388 [inline]  __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405  kasan_kmalloc include/linux/kasan.h:260 [inline]  __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407  kmalloc_noprof include/linux/slab.h:905 [inline]  kzalloc_noprof include/linux/slab.h:1039 [inline]  tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657  tipc_enable_bearer net/tipc/bearer.c:357 [inline]  __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047  __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline]  tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393  tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline]  tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321  genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115  genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]  genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210  netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552  genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219  netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]  netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346  netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896  sock_sendmsg_nosec net/socket.c:714 [inline]  __sock_sendmsg+0x21c/0x270 net/socket.c:729  ____sys_sendmsg+0x508/0x820 net/socket.c:2614  ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668  __sys_sendmsg net/socket.c:2700 [inline]  __do_sys_sendmsg net/socket.c:2705 [inline]  __se_sys_sendmsg net/socket.c:2703 [inline]  __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703  do_syscall_x64 
arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/ ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40281",
                                "url": "https://ubuntu.com/security/CVE-2025-40281",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto  syzbot reported a possible shift-out-of-bounds [1]  Blamed commit added rto_alpha_max and rto_beta_max set to 1000.  It is unclear if some sctp users are setting very large rto_alpha and/or rto_beta.  In order to prevent user regression, perform the test at run time.  Also add READ_ONCE() annotations as sysctl values can change under us.  [1]  UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41 shift exponent 64 is too large for 32-bit type 'unsigned int' CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace:  <TASK>   __dump_stack lib/dump_stack.c:94 [inline]   dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120   ubsan_epilogue lib/ubsan.c:233 [inline]   __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494   sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509   sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502   sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338   sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]   sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40282",
                                "url": "https://ubuntu.com/security/CVE-2025-40282",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: 6lowpan: reset link-local header on ipv6 recv path  Bluetooth 6lowpan.c netdev has header_ops, so it must set link-local header for RX skb, otherwise things crash, eg. with AF_PACKET SOCK_RAW  Add missing skb_reset_mac_header() for uncompressed ipv6 RX path.  For the compressed one, it is done in lowpan_header_decompress().  Log: (BlueZ 6lowpan-tester Client Recv Raw - Success) ------ kernel BUG at net/core/skbuff.c:212! Call Trace: <IRQ> ... packet_rcv (net/packet/af_packet.c:2152) ... <TASK> __local_bh_enable_ip (kernel/softirq.c:407) netif_rx (net/core/dev.c:5648) chan_recv_cb (net/bluetooth/6lowpan.c:294 net/bluetooth/6lowpan.c:359) ------",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40283",
                                "url": "https://ubuntu.com/security/CVE-2025-40283",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF  There is a KASAN: slab-use-after-free read in btusb_disconnect(). Calling \"usb_driver_release_interface(&btusb_driver, data->intf)\" will free the btusb data associated with the interface. The same data is then used later in the function, hence the UAF.  Fix by moving the accesses to btusb data to before the data is free'd.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40284",
                                "url": "https://ubuntu.com/security/CVE-2025-40284",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: cancel mesh send timer when hdev removed  mesh_send_done timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone.  Cancel the timer when MGMT removes the hdev, like other MGMT timers.  Should fix the BUG: sporadically seen by BlueZ test bot (in \"Mesh - Send cancel - 1\" test).  Log: ------ BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0 ... Freed by task 36:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  __kasan_save_free_info+0x3a/0x60  __kasan_slab_free+0x43/0x70  kfree+0x103/0x500  device_release+0x9a/0x210  kobject_put+0x100/0x1e0  vhci_release+0x18b/0x240 ------",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68210",
                                "url": "https://ubuntu.com/security/CVE-2025-68210",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: avoid infinite loop due to incomplete zstd-compressed data  Currently, the decompression logic incorrectly spins if compressed data is truncated in crafted (deliberately corrupted) images.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40285",
                                "url": "https://ubuntu.com/security/CVE-2025-40285",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/server: fix possible refcount leak in smb2_sess_setup()  The reference count of ksmbd_session leaks when the session needs to reconnect. Fix this by adding the missing ksmbd_user_session_put().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40286",
                                "url": "https://ubuntu.com/security/CVE-2025-40286",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/server: fix possible memory leak in smb2_read()  Memory leak occurs when ksmbd_vfs_read() fails. Fix this by adding the missing kvfree().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40287",
                                "url": "https://ubuntu.com/security/CVE-2025-40287",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exfat: fix improper check of dentry.stream.valid_size  We found an infinite loop bug in the exFAT file system that can lead to a Denial-of-Service (DoS) condition. When a dentry in an exFAT filesystem is malformed, the following system calls — SYS_openat, SYS_ftruncate, and SYS_pwrite64 — can cause the kernel to hang.  Root cause analysis shows that the size validation code in exfat_find() does not check whether dentry.stream.valid_size is negative. As a result, the system calls mentioned above can succeed and eventually trigger the DoS issue.  This patch adds a check for negative dentry.stream.valid_size to prevent this vulnerability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40288",
                                "url": "https://ubuntu.com/security/CVE-2025-40288",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices  Previously, APU platforms (and other scenarios with uninitialized VRAM managers) triggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root cause is not that the `struct ttm_resource_manager *man` pointer itself is NULL, but that `man->bdev` (the backing device pointer within the manager) remains uninitialized (NULL) on APUs—since APUs lack dedicated VRAM and do not fully set up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to acquire `man->bdev->lru_lock`, it dereferences the NULL `man->bdev`, leading to a kernel OOPS.  1. **amdgpu_cs.c**: Extend the existing bandwidth control check in    `amdgpu_cs_get_threshold_for_moves()` to include a check for    `ttm_resource_manager_used()`. If the manager is not used (uninitialized    `bdev`), return 0 for migration thresholds immediately—skipping VRAM-specific    logic that would trigger the NULL dereference.  2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info    reporting to use a conditional: if the manager is used, return the real VRAM    usage; otherwise, return 0. This avoids accessing `man->bdev` when it is    NULL.  3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function)    data write path. Use `ttm_resource_manager_used()` to check validity: if the    manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set    `fb_usage` to 0 (APUs have no discrete framebuffer to report).  
This approach is more robust than APU-specific checks because it: - Works for all scenarios where the VRAM manager is uninitialized (not just APUs), - Aligns with TTM's design by using its native helper function, - Preserves correct behavior for discrete GPUs (which have fully initialized   `man->bdev` and pass the `ttm_resource_manager_used()` check).  v4: use ttm_resource_manager_used(&adev->mman.vram_mgr.manager) instead of checking the adev->gmc.is_app_apu flag (Christian)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40289",
                                "url": "https://ubuntu.com/security/CVE-2025-40289",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM  Otherwise accessing them can cause a crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68201",
                                "url": "https://ubuntu.com/security/CVE-2025-68201",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: remove two invalid BUG_ON()s  Those can be triggered trivially by userspace.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68207",
                                "url": "https://ubuntu.com/security/CVE-2025-68207",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Synchronize Dead CT worker with unbind  Cancel and wait for any Dead CT worker to complete before continuing with device unbinding. Else the worker will end up using resources freed by the unbind operation.  (cherry picked from commit 492671339114e376aaa38626d637a2751cdef263)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68244",
                                "url": "https://ubuntu.com/security/CVE-2025-68244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD  On completion of i915_vma_pin_ww(), a synchronous variant of dma_fence_work_commit() is called.  When pinning a VMA to GGTT address space on a Cherry View family processor, or on a Broxton generation SoC with VTD enabled, i.e., when stop_machine() is then called from intel_ggtt_bind_vma(), that can potentially lead to lock inversion among reservation_ww and cpu_hotplug locks.  [86.861179] ====================================================== [86.861193] WARNING: possible circular locking dependency detected [86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G     U [86.861226] ------------------------------------------------------ [86.861238] i915_module_loa/1432 is trying to acquire lock: [86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50 [86.861290] but task is already holding lock: [86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915] [86.862233] which lock already depends on the new lock. 
[86.862251] the existing dependency chain (in reverse order) is: [86.862265] -> #5 (reservation_ww_class_mutex){+.+.}-{3:3}: [86.862292]        dma_resv_lockdep+0x19a/0x390 [86.862315]        do_one_initcall+0x60/0x3f0 [86.862334]        kernel_init_freeable+0x3cd/0x680 [86.862353]        kernel_init+0x1b/0x200 [86.862369]        ret_from_fork+0x47/0x70 [86.862383]        ret_from_fork_asm+0x1a/0x30 [86.862399] -> #4 (reservation_ww_class_acquire){+.+.}-{0:0}: [86.862425]        dma_resv_lockdep+0x178/0x390 [86.862440]        do_one_initcall+0x60/0x3f0 [86.862454]        kernel_init_freeable+0x3cd/0x680 [86.862470]        kernel_init+0x1b/0x200 [86.862482]        ret_from_fork+0x47/0x70 [86.862495]        ret_from_fork_asm+0x1a/0x30 [86.862509] -> #3 (&mm->mmap_lock){++++}-{3:3}: [86.862531]        down_read_killable+0x46/0x1e0 [86.862546]        lock_mm_and_find_vma+0xa2/0x280 [86.862561]        do_user_addr_fault+0x266/0x8e0 [86.862578]        exc_page_fault+0x8a/0x2f0 [86.862593]        asm_exc_page_fault+0x27/0x30 [86.862607]        filldir64+0xeb/0x180 [86.862620]        kernfs_fop_readdir+0x118/0x480 [86.862635]        iterate_dir+0xcf/0x2b0 [86.862648]        __x64_sys_getdents64+0x84/0x140 [86.862661]        x64_sys_call+0x1058/0x2660 [86.862675]        do_syscall_64+0x91/0xe90 [86.862689]        entry_SYSCALL_64_after_hwframe+0x76/0x7e [86.862703] -> #2 (&root->kernfs_rwsem){++++}-{3:3}: [86.862725]        down_write+0x3e/0xf0 [86.862738]        kernfs_add_one+0x30/0x3c0 [86.862751]        kernfs_create_dir_ns+0x53/0xb0 [86.862765]        internal_create_group+0x134/0x4c0 [86.862779]        sysfs_create_group+0x13/0x20 [86.862792]        topology_add_dev+0x1d/0x30 [86.862806]        cpuhp_invoke_callback+0x4b5/0x850 [86.862822]        cpuhp_issue_call+0xbf/0x1f0 [86.862836]        __cpuhp_setup_state_cpuslocked+0x111/0x320 [86.862852]        __cpuhp_setup_state+0xb0/0x220 [86.862866]        topology_sysfs_init+0x30/0x50 [86.862879]        
do_one_initcall+0x60/0x3f0 [86.862893]        kernel_init_freeable+0x3cd/0x680 [86.862908]        kernel_init+0x1b/0x200 [86.862921]        ret_from_fork+0x47/0x70 [86.862934]        ret_from_fork_asm+0x1a/0x30 [86.862947] -> #1 (cpuhp_state_mutex){+.+.}-{3:3}: [86.862969]        __mutex_lock+0xaa/0xed0 [86.862982]        mutex_lock_nested+0x1b/0x30 [86.862995]        __cpuhp_setup_state_cpuslocked+0x67/0x320 [86.863012]        __cpuhp_setup_state+0xb0/0x220 [86.863026]        page_alloc_init_cpuhp+0x2d/0x60 [86.863041]        mm_core_init+0x22/0x2d0 [86.863054]        start_kernel+0x576/0xbd0 [86.863068]        x86_64_start_reservations+0x18/0x30 [86.863084]        x86_64_start_kernel+0xbf/0x110 [86.863098]        common_startup_64+0x13e/0x141 [86.863114] -> #0 (cpu_hotplug_lock){++++}-{0:0}: [86.863135]        __lock_acquire+0x16 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68316",
                                "url": "https://ubuntu.com/security/CVE-2025-68316",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: ufs: core: Fix invalid probe error return value  After DME Link Startup, the error return value is set to the MIPI UniPro GenericErrorCode which can be 0 (SUCCESS) or 1 (FAILURE).  Upon failure during driver probe, the error code 1 is propagated back to the driver probe function which must return a negative value to indicate an error, but 1 is not negative, so the probe is considered to be successful even though it failed.  Subsequently, removing the driver results in an oops because it is not in a valid state.  This happens because none of the callers of ufshcd_init() expect a non-negative error code.  Fix the return value and documentation to match actual usage.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40292",
                                "url": "https://ubuntu.com/security/CVE-2025-40292",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: fix received length check in big packets  Since commit 4959aebba8c0 (\"virtio-net: use mtu size as buffer length for big packets\"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi->big_packets_num_skbfrags.  Because the host announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce incorrect length), we need a check in virtio_net receive path. Currently, the check is not adapted to the new change which can lead to NULL page pointer dereference in the below while loop when receiving length that is larger than the allocated one.  This commit fixes the received length check corresponding to the new change.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68180",
                                "url": "https://ubuntu.com/security/CVE-2025-68180",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Fix NULL deref in debugfs odm_combine_segments  When a connector is connected but inactive (e.g., disabled by desktop environments), pipe_ctx->stream_res.tg will be destroyed. Then, reading odm_combine_segments causes kernel NULL pointer dereference.   BUG: kernel NULL pointer dereference, address: 0000000000000000  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  PGD 0 P4D 0  Oops: Oops: 0000 [#1] SMP NOPTI  CPU: 16 UID: 0 PID: 26474 Comm: cat Not tainted 6.17.0+ #2 PREEMPT(lazy) e6a17af9ee6db7c63e9d90dbe5b28ccab67520c6  Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN25WW 03/27/2025  RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]  Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>  RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286  RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8  RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000  RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0  R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08  R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001  FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0  PKRU: 55555554  Call Trace:   <TASK>   seq_read_iter+0x125/0x490   ? __alloc_frozen_pages_noprof+0x18f/0x350   seq_read+0x12c/0x170   full_proxy_read+0x51/0x80   vfs_read+0xbc/0x390   ? __handle_mm_fault+0xa46/0xef0   ? do_syscall_64+0x71/0x900   ksys_read+0x73/0xf0   do_syscall_64+0x71/0x900   ? count_memcg_events+0xc2/0x190   ? handle_mm_fault+0x1d7/0x2d0   ? do_user_addr_fault+0x21a/0x690   ? 
exc_page_fault+0x7e/0x1a0   entry_SYSCALL_64_after_hwframe+0x6c/0x74  RIP: 0033:0x7f44d4031687  Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00>  RSP: 002b:00007ffdb4b5f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000  RAX: ffffffffffffffda RBX: 00007f44d3f9f740 RCX: 00007f44d4031687  RDX: 0000000000040000 RSI: 00007f44d3f5e000 RDI: 0000000000000003  RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000  R10: 0000000000000000 R11: 0000000000000202 R12: 00007f44d3f5e000  R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000040000   </TASK>  Modules linked in: tls tcp_diag inet_diag xt_mark ccm snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device x>   snd_hda_codec_atihdmi snd_hda_codec_realtek_lib lenovo_wmi_helpers think_lmi snd_hda_codec_generic snd_hda_codec_hdmi snd_soc_core kvm snd_compress uvcvideo sn>   platform_profile joydev amd_pmc mousedev mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics loop nfnetlink ip_tables x_tables dm_cryp>  CR2: 0000000000000000  ---[ end trace 0000000000000000 ]---  RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]  Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>  RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286  RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8  RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000  RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0  R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08  R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001  FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000000 CR3: 00000006485c2000 
CR4: 0000000000f50ef0  PKRU: 55555554  Fix this by checking pipe_ctx-> ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40327",
                                "url": "https://ubuntu.com/security/CVE-2025-40327",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/core: Fix system hang caused by cpu-clock usage  cpu-clock usage by the async-profiler tool can trigger a system hang, which got bisected back to the following commit by Octavia Togami:    18dbcbfabfff (\"perf: Fix the POLL_HUP delivery breakage\") causes this issue  The root cause of the hang is that cpu-clock is a special type of SW event which relies on hrtimers. The __perf_event_overflow() callback is invoked from the hrtimer handler for cpu-clock events, and __perf_event_overflow() tries to call cpu_clock_event_stop() to stop the event, which calls hrtimer_cancel() to cancel the hrtimer.  But that's a recursion into the hrtimer code from a hrtimer handler, which (unsurprisingly) deadlocks.  To fix this bug, use hrtimer_try_to_cancel() instead, and set the PERF_HES_STOPPED flag, which causes perf_swevent_hrtimer() to stop the event once it sees the PERF_HES_STOPPED flag.  [ mingo: Fixed the comments and improved the changelog. ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40328",
                                "url": "https://ubuntu.com/security/CVE-2025-40328",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix potential UAF in smb2_close_cached_fid()  find_or_create_cached_dir() could grab a new reference after kref_put() had seen the refcount drop to zero but before cfid_list_lock is acquired in smb2_close_cached_fid(), leading to use-after-free.  Switch to kref_put_lock() so cfid_release() is called with cfid_list_lock held, closing that gap.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40291",
                                "url": "https://ubuntu.com/security/CVE-2025-40291",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring: fix regbuf vector size truncation  There is a report of io_estimate_bvec_size() truncating the calculated number of segments that leads to corruption issues. Check it doesn't overflow \"int\"s used later. Rough but simple, can be improved on top.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68322",
                                "url": "https://ubuntu.com/security/CVE-2025-68322",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  parisc: Avoid crash due to unaligned access in unwinder  Guenter Roeck reported this kernel crash on his emulated B160L machine:  Starting network: udhcpc: started, v1.36.1  Backtrace:   [<104320d4>] unwind_once+0x1c/0x5c   [<10434a00>] walk_stackframe.isra.0+0x74/0xb8   [<10434a6c>] arch_stack_walk+0x28/0x38   [<104e5efc>] stack_trace_save+0x48/0x5c   [<105d1bdc>] set_track_prepare+0x44/0x6c   [<105d9c80>] ___slab_alloc+0xfc4/0x1024   [<105d9d38>] __slab_alloc.isra.0+0x58/0x90   [<105dc80c>] kmem_cache_alloc_noprof+0x2ac/0x4a0   [<105b8e54>] __anon_vma_prepare+0x60/0x280   [<105a823c>] __vmf_anon_prepare+0x68/0x94   [<105a8b34>] do_wp_page+0x8cc/0xf10   [<105aad88>] handle_mm_fault+0x6c0/0xf08   [<10425568>] do_page_fault+0x110/0x440   [<10427938>] handle_interruption+0x184/0x748   [<11178398>] schedule+0x4c/0x190   BUG: spinlock recursion on CPU#0, ifconfig/2420   lock: terminate_lock.2+0x0/0x1c, .magic: dead4ead, .owner: ifconfig/2420, .owner_cpu: 0  While creating the stack trace, the unwinder uses the stack pointer to guess the previous frame to read the previous stack pointer from memory.  The crash happens, because the unwinder tries to read from unaligned memory and as such triggers the unalignment trap handler which then leads to the spinlock recursion and finally to a deadlock.  Fix it by checking the alignment before accessing the memory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40293",
                                "url": "https://ubuntu.com/security/CVE-2025-40293",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iommufd: Don't overflow during division for dirty tracking  If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow to 0 and this triggers divide by 0.  In this case the index should just be 0, so reorganize things to divide by shift and avoid hitting any overflows.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40294",
                                "url": "https://ubuntu.com/security/CVE-2025-40294",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()  In the parse_adv_monitor_pattern() function, the value of the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251). The size of the 'value' array in the mgmt_adv_pattern structure is 31. If the value of 'pattern[i].length' is set in the user space and exceeds 31, the 'patterns[i].value' array can be accessed out of bound when copied.  Increasing the size of the 'value' array in the 'mgmt_adv_pattern' structure will break the userspace. Considering this, and to avoid OOB access revert the limits for 'offset' and 'length' back to the value of HCI_MAX_AD_LENGTH.  Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40329",
                                "url": "https://ubuntu.com/security/CVE-2025-40329",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb  The Mesa issue referenced below pointed out a possible deadlock:  [ 1231.611031]  Possible interrupt unsafe locking scenario:  [ 1231.611033]        CPU0                    CPU1 [ 1231.611034]        ----                    ---- [ 1231.611035]   lock(&xa->xa_lock#17); [ 1231.611038]                                local_irq_disable(); [ 1231.611039]                                lock(&fence->lock); [ 1231.611041]                                lock(&xa->xa_lock#17); [ 1231.611044]   <Interrupt> [ 1231.611045]     lock(&fence->lock); [ 1231.611047]                 *** DEADLOCK ***  In this example, CPU0 would be any function accessing job->dependencies through the xa_* functions that don't disable interrupts (eg: drm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()).  CPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling callback so in an interrupt context. It will deadlock when trying to grab the xa_lock which is already held by CPU0.  Replacing all xa_* usage by their xa_*_irq counterparts would fix this issue, but Christian pointed out another issue: dma_fence_signal takes fence.lock and so does dma_fence_add_callback.    dma_fence_signal() // locks f1.lock   -> drm_sched_entity_kill_jobs_cb()   -> foreach dependencies      -> dma_fence_add_callback() // locks f2.lock  This will deadlock if f1 and f2 share the same spinlock.  To fix both issues, the code iterating on dependencies and re-arming them is moved out to drm_sched_entity_kill_jobs_work().  [phasta: commit message nits]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40295",
                                "url": "https://ubuntu.com/security/CVE-2025-40295",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT  When simulating an nvme device on qemu with both logical_block_size and physical_block_size set to 8 KiB, an error trace appears during partition table reading at boot time. The issue is caused by inode->i_blkbits being larger than PAGE_SHIFT, which leads to a left shift of -1 and triggering a UBSAN warning.  [    2.697306] ------------[ cut here ]------------ [    2.697309] UBSAN: shift-out-of-bounds in fs/crypto/inline_crypt.c:336:37 [    2.697311] shift exponent -1 is negative [    2.697315] CPU: 3 UID: 0 PID: 274 Comm: (udev-worker) Not tainted 6.18.0-rc2+ #34 PREEMPT(voluntary) [    2.697317] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [    2.697320] Call Trace: [    2.697324]  <TASK> [    2.697325]  dump_stack_lvl+0x76/0xa0 [    2.697340]  dump_stack+0x10/0x20 [    2.697342]  __ubsan_handle_shift_out_of_bounds+0x1e3/0x390 [    2.697351]  bh_get_inode_and_lblk_num.cold+0x12/0x94 [    2.697359]  fscrypt_set_bio_crypt_ctx_bh+0x44/0x90 [    2.697365]  submit_bh_wbc+0xb6/0x190 [    2.697370]  block_read_full_folio+0x194/0x270 [    2.697371]  ? __pfx_blkdev_get_block+0x10/0x10 [    2.697375]  ? __pfx_blkdev_read_folio+0x10/0x10 [    2.697377]  blkdev_read_folio+0x18/0x30 [    2.697379]  filemap_read_folio+0x40/0xe0 [    2.697382]  filemap_get_pages+0x5ef/0x7a0 [    2.697385]  ? mmap_region+0x63/0xd0 [    2.697389]  filemap_read+0x11d/0x520 [    2.697392]  blkdev_read_iter+0x7c/0x180 [    2.697393]  vfs_read+0x261/0x390 [    2.697397]  ksys_read+0x71/0xf0 [    2.697398]  __x64_sys_read+0x19/0x30 [    2.697399]  x64_sys_call+0x1e88/0x26a0 [    2.697405]  do_syscall_64+0x80/0x670 [    2.697410]  ? __x64_sys_newfstat+0x15/0x20 [    2.697414]  ? x64_sys_call+0x204a/0x26a0 [    2.697415]  ? 
do_syscall_64+0xb8/0x670 [    2.697417]  ? irqentry_exit_to_user_mode+0x2e/0x2a0 [    2.697420]  ? irqentry_exit+0x43/0x50 [    2.697421]  ? exc_page_fault+0x90/0x1b0 [    2.697422]  entry_SYSCALL_64_after_hwframe+0x76/0x7e [    2.697425] RIP: 0033:0x75054cba4a06 [    2.697426] Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 [    2.697427] RSP: 002b:00007fff973723a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000 [    2.697430] RAX: ffffffffffffffda RBX: 00005ea9a2c02760 RCX: 000075054cba4a06 [    2.697432] RDX: 0000000000002000 RSI: 000075054c190000 RDI: 000000000000001b [    2.697433] RBP: 00007fff973723c0 R08: 0000000000000000 R09: 0000000000000000 [    2.697434] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 [    2.697434] R13: 00005ea9a2c027c0 R14: 00005ea9a2be5608 R15: 00005ea9a2be55f0 [    2.697436]  </TASK> [    2.697436] ---[ end trace ]---  This situation can happen for block devices because when CONFIG_TRANSPARENT_HUGEPAGE is enabled, the maximum logical_block_size is 64 KiB. set_init_blocksize() then sets the block device inode->i_blkbits to 13, which is within this limit.  File I/O does not trigger this problem because for filesystems that do not support the FS_LBS feature, sb_set_blocksize() prevents sb->s_blocksize_bits from being larger than PAGE_SHIFT. During inode allocation, alloc_inode()->inode_init_always() assigns inode->i_blkbits from sb->s_blocksize_bits. Currently, only xfs_fs_type has the FS_LBS flag, and since xfs I/O paths do not reach submit_bh_wbc(), it does not hit the left-shift underflow issue.  [EB: use folio_pos() and consolidate the two shifts by i_blkbits]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40296",
                                "url": "https://ubuntu.com/security/CVE-2025-40296",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/x86: int3472: Fix double free of GPIO device during unregister  regulator_unregister() already frees the associated GPIO device. On ThinkPad X9 (Lunar Lake), this causes a double free issue that leads to random failures when other drivers (typically Intel THC) attempt to allocate interrupts. The root cause is that the reference count of the pinctrl_intel_platform module unexpectedly drops to zero when this driver defers its probe.  This behavior can also be reproduced by unloading the module directly.  Fix the issue by removing the redundant release of the GPIO device during regulator unregistration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40297",
                                "url": "https://ubuntu.com/security/CVE-2025-40297",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: bridge: fix use-after-free due to MST port state bypass  syzbot reported[1] a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its fdbs have been flushed. The port's state has been toggled to disabled so no learning should happen at that time, but if we have MST enabled, it will bypass the port's state, that together with VLAN filtering disabled can lead to fdb learning at a time when it shouldn't happen while the port is being deleted. VLAN filtering must be disabled because we flush the port VLANs when it's being deleted which will stop learning. This fix adds a check for the port's vlan group which is initialized to NULL when the port is getting deleted, that avoids the port state bypass. When MST is enabled there would be a minimal new overhead in the fast-path because the port's vlan group pointer is cache-hot.  [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68320",
                                "url": "https://ubuntu.com/security/CVE-2025-68320",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lan966x: Fix sleeping in atomic context  The following warning was seen when we try to connect using ssh to the device.  BUG: sleeping function called from invalid context at kernel/locking/mutex.c:575 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbear preempt_count: 1, expected: 0 INFO: lockdep is turned off. CPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G        W          6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONE Tainted: [W]=WARN Hardware name: Generic DT based system Call trace:  unwind_backtrace from show_stack+0x10/0x14  show_stack from dump_stack_lvl+0x7c/0xac  dump_stack_lvl from __might_resched+0x16c/0x2b0  __might_resched from __mutex_lock+0x64/0xd34  __mutex_lock from mutex_lock_nested+0x1c/0x24  mutex_lock_nested from lan966x_stats_get+0x5c/0x558  lan966x_stats_get from dev_get_stats+0x40/0x43c  dev_get_stats from dev_seq_printf_stats+0x3c/0x184  dev_seq_printf_stats from dev_seq_show+0x10/0x30  dev_seq_show from seq_read_iter+0x350/0x4ec  seq_read_iter from seq_read+0xfc/0x194  seq_read from proc_reg_read+0xac/0x100  proc_reg_read from vfs_read+0xb0/0x2b0  vfs_read from ksys_read+0x6c/0xec  ksys_read from ret_fast_syscall+0x0/0x1c Exception stack(0xf0b11fa8 to 0xf0b11ff0) 1fa0:                   00000001 00001000 00000008 be9048d8 00001000 00000001 1fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 00000001 1fe0: 0005404c be9048c0 00018684 b6ec2cd8  It seems that we are using a mutex in a atomic context which is wrong. Change the mutex with a spinlock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68169",
                                "url": "https://ubuntu.com/security/CVE-2025-68169",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netpoll: Fix deadlock in memory allocation under spinlock  Fix a AA deadlock in refill_skbs() where memory allocation while holding skb_pool->lock can trigger a recursive lock acquisition attempt.  The deadlock scenario occurs when the system is under severe memory pressure:  1. refill_skbs() acquires skb_pool->lock (spinlock) 2. alloc_skb() is called while holding the lock 3. Memory allocator fails and calls slab_out_of_memory() 4. This triggers printk() for the OOM warning 5. The console output path calls netpoll_send_udp() 6. netpoll_send_udp() attempts to acquire the same skb_pool->lock 7. Deadlock: the lock is already held by the same CPU  Call stack:   refill_skbs()     spin_lock_irqsave(&skb_pool->lock)    <- lock acquired     __alloc_skb()       kmem_cache_alloc_node_noprof()         slab_out_of_memory()           printk()             console_flush_all()               netpoll_send_udp()                 skb_dequeue()                   spin_lock_irqsave(&skb_pool->lock)     <- deadlock attempt  This bug was exposed by commit 248f6571fd4c51 (\"netpoll: Optimize skb refilling on critical path\") which removed refill_skbs() from the critical path (where nested printk was being deferred), letting nested printk being called from inside refill_skbs()  Refactor refill_skbs() to never allocate memory while holding the spinlock.  Another possible solution to fix this problem is protecting the refill_skbs() from nested printks, basically calling printk_deferred_{enter,exit}() in refill_skbs(), then, any nested pr_warn() would be deferred.  I prefer this approach, given I _think_ it might be a good idea to move the alloc_skb() from GFP_ATOMIC to GFP_KERNEL in the future, so, having the alloc_skb() outside of the lock will be necessary step.  
There is a possible TOCTOU issue between checking the pool length and queueing the newly allocated skb, but this is not a problem, given that an extra SKB in the pool is harmless and will eventually be used.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68197",
                                "url": "https://ubuntu.com/security/CVE-2025-68197",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()  With older FW, we may get the ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER for FW trace data type that has not been initialized.  This will result in a crash in bnxt_bs_trace_type_wrap().  Add a guard to check for a valid magic_byte pointer before proceeding.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40330",
                                "url": "https://ubuntu.com/security/CVE-2025-40330",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Shutdown FW DMA in bnxt_shutdown()  The netif_close() call in bnxt_shutdown() only stops packet DMA.  There may be FW DMA for trace logging (recently added) that will continue.  If we kexec to a new kernel, the DMA will corrupt memory in the new kernel.  Add bnxt_hwrm_func_drv_unrgtr() to unregister the driver from the FW. This will stop the FW DMA.  In case the call fails, call pcie_flr() to reset the function and stop the DMA.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68192",
                                "url": "https://ubuntu.com/security/CVE-2025-68192",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup  Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. This can trigger kernel panics on ARM64 when xfrm or other subsystems access the offset due to strict alignment checks.  Initialize the MAC header to prevent such crashes.  This can trigger kernel panics on ARM when running IPsec over the qmimux0 interface.  Example trace:      Internal error: Oops: 000000009600004f [#1] SMP     CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1     Hardware name: LS1028A RDB Board (DT)     pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)     pc : xfrm_input+0xde8/0x1318     lr : xfrm_input+0x61c/0x1318     sp : ffff800080003b20     Call trace:      xfrm_input+0xde8/0x1318      xfrm6_rcv+0x38/0x44      xfrm6_esp_rcv+0x48/0xa8      ip6_protocol_deliver_rcu+0x94/0x4b0      ip6_input_finish+0x44/0x70      ip6_input+0x44/0xc0      ipv6_rcv+0x6c/0x114      __netif_receive_skb_one_core+0x5c/0x8c      __netif_receive_skb+0x18/0x60      process_backlog+0x78/0x17c      __napi_poll+0x38/0x180      net_rx_action+0x168/0x2f0",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40331",
                                "url": "https://ubuntu.com/security/CVE-2025-40331",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: Prevent TOCTOU out-of-bounds write  For the following path not holding the sock lock,    sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()  make sure not to exceed bounds in case the address list has grown between buffer allocation (time-of-check) and write (time-of-use).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68187",
                                "url": "https://ubuntu.com/security/CVE-2025-68187",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: mdio: Check regmap pointer returned by device_node_to_regmap()  The call to device_node_to_regmap() in airoha_mdio_probe() can return an ERR_PTR() if regmap initialization fails. Currently, the driver stores the pointer without validation, which could lead to a crash if it is later dereferenced.  Add an IS_ERR() check and return the corresponding error code to make the probe path more robust.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68167",
                                "url": "https://ubuntu.com/security/CVE-2025-68167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gpiolib: fix invalid pointer access in debugfs  If the memory allocation in gpiolib_seq_start() fails, the s->private field remains uninitialized and is later dereferenced without checking in gpiolib_seq_stop(). Initialize s->private to NULL before calling kzalloc() and check it before dereferencing it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68319",
                                "url": "https://ubuntu.com/security/CVE-2025-68319",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netconsole: Acquire su_mutex before navigating configs hierarchy  There is a race between operations that iterate over the userdata cg_children list and concurrent add/remove of userdata items through configfs. The update_userdata() function iterates over the nt->userdata_group.cg_children list, and count_extradata_entries() also iterates over this same list to count nodes.  Quoting from Documentation/filesystems/configfs.rst: > A subsystem can navigate the cg_children list and the ci_parent pointer > to see the tree created by the subsystem.  This can race with configfs' > management of the hierarchy, so configfs uses the subsystem mutex to > protect modifications.  Whenever a subsystem wants to navigate the > hierarchy, it must do so under the protection of the subsystem > mutex.  Without proper locking, if a userdata item is added or removed concurrently while these functions are iterating, the list can be accessed in an inconsistent state. For example, the list_for_each() loop can reach a node that is being removed from the list by list_del_init() which sets the nodes' .next pointer to point to itself, so the loop will never end (or reach the WARN_ON_ONCE in update_userdata() ).  Fix this by holding the configfs subsystem mutex (su_mutex) during all operations that iterate over cg_children. This includes: - userdatum_value_store() which calls update_userdata() to iterate over   cg_children - All sysdata_*_enabled_store() functions which call   count_extradata_entries() to iterate over cg_children  The su_mutex must be acquired before dynamic_netconsole_mutex to avoid potential lock ordering issues, as configfs operations may already hold su_mutex when calling into our code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40298",
                                "url": "https://ubuntu.com/security/CVE-2025-40298",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: Implement settime64 with -EOPNOTSUPP  ptp_clock_settime() assumes every ptp_clock has implemented settime64(). Stub it with -EOPNOTSUPP to prevent a NULL dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40299",
                                "url": "https://ubuntu.com/security/CVE-2025-40299",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: Implement gettimex64 with -EOPNOTSUPP  gve implemented a ptp_clock for sole use of do_aux_work at this time. ptp_clock_gettime() and ptp_sys_offset() assume every ptp_clock has implemented either gettimex64 or gettime64. Stub gettimex64 and return -EOPNOTSUPP to prevent NULL dereferencing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40301",
                                "url": "https://ubuntu.com/security/CVE-2025-40301",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: validate skb length for unknown CC opcode  In hci_cmd_complete_evt(), if the command complete event has an unknown opcode, we assume the first byte of the remaining skb->data contains the return status. However, parameter data has previously been pulled in hci_event_func(), which may leave the skb empty. If so, using skb->data[0] for the return status uses un-init memory.  The fix is to check skb->len before using skb->data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40358",
                                "url": "https://ubuntu.com/security/CVE-2025-40358",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: stacktrace: Disable KASAN checks for non-current tasks  Unwinding the stack of a task other than current, KASAN would report \"BUG: KASAN: out-of-bounds in walk_stackframe+0x41c/0x460\"  There is a same issue on x86 and has been resolved by the commit 84936118bdf3 (\"x86/unwind: Disable KASAN checks for non-current tasks\") The solution could be applied to RISC-V too.  This patch also can solve the issue: https://seclists.org/oss-sec/2025/q4/23  [pjw@kernel.org: clean up checkpatch issues]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68186",
                                "url": "https://ubuntu.com/security/CVE-2025-68186",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up  The function ring_buffer_map_get_reader() is a bit more strict than the other get reader functions, and except for certain situations the rb_get_reader_page() should not return NULL. If it does, it triggers a warning.  This warning was triggering but after looking at why, it was because another acceptable situation was happening and it wasn't checked for.  If the reader catches up to the writer and there's still data to be read on the reader page, then the rb_get_reader_page() will return NULL as there's no new page to get.  In this situation, the reader page should not be updated and no warning should trigger.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68184",
                                "url": "https://ubuntu.com/security/CVE-2025-68184",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/mediatek: Disable AFBC support on Mediatek DRM driver  Commit c410fa9b07c3 (\"drm/mediatek: Add AFBC support to Mediatek DRM driver\") added AFBC support to Mediatek DRM and enabled the 32x8/split/sparse modifier.  However, this is currently broken on Mediatek MT8188 (Genio 700 EVK platform); tested using upstream Kernel and Mesa (v25.2.1), AFBC is used by default since Mesa v25.0.  Kernel trace reports vblank timeouts constantly, and the render is garbled:  ``` [CRTC:62:crtc-0] vblank wait timed out WARNING: CPU: 7 PID: 70 at drivers/gpu/drm/drm_atomic_helper.c:1835 drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c [...] Hardware name: MediaTek Genio-700 EVK (DT) Workqueue: events_unbound commit_work pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c lr : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c sp : ffff80008337bca0 x29: ffff80008337bcd0 x28: 0000000000000061 x27: 0000000000000000 x26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c9dcc000 x23: 0000000000000001 x22: 0000000000000000 x21: ffff0000c66f2f80 x20: ffff0000c0d7d880 x19: 0000000000000000 x18: 000000000000000a x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000000 x14: 0000000000000000 x13: 74756f2064656d69 x12: 742074696177206b x11: 0000000000000058 x10: 0000000000000018 x9 : ffff800082396a70 x8 : 0000000000057fa8 x7 : 0000000000000cce x6 : ffff8000823eea70 x5 : ffff0001fef5f408 x4 : ffff80017ccee000 x3 : ffff0000c12cb480 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c12cb480 Call trace:  drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c (P)  drm_atomic_helper_commit_tail_rpm+0x64/0x80  commit_tail+0xa4/0x1a4  commit_work+0x14/0x20  process_one_work+0x150/0x290  worker_thread+0x2d0/0x3ec  kthread+0x12c/0x210  ret_from_fork+0x10/0x20 ---[ end trace 
0000000000000000 ]--- ```  Until this gets fixed upstream, disable AFBC support on this platform, as it's currently broken with upstream Mesa.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40302",
                                "url": "https://ubuntu.com/security/CVE-2025-40302",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: videobuf2: forbid remove_bufs when legacy fileio is active  vb2_ioctl_remove_bufs() call manipulates queue internal buffer list, potentially overwriting some pointers used by the legacy fileio access mode. Forbid that ioctl when fileio is active to protect internal queue state between subsequent read/write calls.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40303",
                                "url": "https://ubuntu.com/security/CVE-2025-40303",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: ensure no dirty metadata is written back for an fs with errors  [BUG] During development of a minor feature (make sure all btrfs_bio::end_io() is called in task context), I noticed a crash in generic/388, where metadata writes triggered new works after btrfs_stop_all_workers().  It turns out that it can even happen without any code modification, just using RAID5 for metadata and the same workload from generic/388 is going to trigger the use-after-free.  [CAUSE] If btrfs hits an error, the fs is marked as error, no new transaction is allowed thus metadata is in a frozen state.  But there are some metadata modifications before that error, and they are still in the btree inode page cache.  Since there will be no real transaction commit, all those dirty folios are just kept as is in the page cache, and they can not be invalidated by invalidate_inode_pages2() call inside close_ctree(), because they are dirty.  And finally after btrfs_stop_all_workers(), we call iput() on btree inode, which triggers writeback of those dirty metadata.  And if the fs is using RAID56 metadata, this will trigger RMW and queue new works into rmw_workers, which is already stopped, causing warning from queue_work() and use-after-free.  [FIX] Add a special handling for write_one_eb(), that if the fs is already in an error state, immediately mark the bbio as failure, instead of really submitting them.  Then during close_ctree(), iput() will just discard all those dirty tree blocks without really writing them back, thus no more new jobs for already stopped-and-freed workqueues.  The extra discard in write_one_eb() also acts as an extra safenet. E.g. the transaction abort is triggered by some extent/free space tree corruptions, and since extent/free space tree is already corrupted some tree blocks may be allocated where they shouldn't be (overwriting existing tree blocks). 
In that case writing them back will further corrupt the fs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40362",
                                "url": "https://ubuntu.com/security/CVE-2025-40362",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ceph: fix multifs mds auth caps issue  The mds auth caps check should also validate the fsname along with the associated caps. Not doing so would result in applying the mds auth caps of one fs on to the other fs in a multifs ceph cluster. The bug causes multiple issues w.r.t user authentication, following is one such example.  Steps to Reproduce (on vstart cluster): 1. Create two file systems in a cluster, say 'fsname1' and 'fsname2' 2. Authorize read only permission to the user 'client.usr' on fs 'fsname1'     $ceph fs authorize fsname1 client.usr / r 3. Authorize read and write permission to the same user 'client.usr' on fs 'fsname2'     $ceph fs authorize fsname2 client.usr / rw 4. Update the keyring     $ceph auth get client.usr >> ./keyring  With above permssions for the user 'client.usr', following is the expectation.   a. The 'client.usr' should be able to only read the contents      and not allowed to create or delete files on file system 'fsname1'.   b. The 'client.usr' should be able to read/write on file system 'fsname2'.  But, with this bug, the 'client.usr' is allowed to read/write on file system 'fsname1'. See below.  5. Mount the file system 'fsname1' with the user 'client.usr'      $sudo bin/mount.ceph usr@.fsname1=/ /kmnt_fsname1_usr/ 6. Try creating a file on file system 'fsname1' with user 'client.usr'. This    should fail but passes with this bug.      $touch /kmnt_fsname1_usr/file1 7. Mount the file system 'fsname1' with the user 'client.admin' and create a    file.      $sudo bin/mount.ceph admin@.fsname1=/ /kmnt_fsname1_admin      $echo \"data\" > /kmnt_fsname1_admin/admin_file1 8. Try removing an existing file on file system 'fsname1' with the user    'client.usr'. This shoudn't succeed but succeeds with the bug.      
$rm -f /kmnt_fsname1_usr/admin_file1  For more information, please take a look at the corresponding mds/fuse patch and tests added by looking into the tracker mentioned below.  v2: Fix a possible null dereference in doutc v3: Don't store fsname from mdsmap, validate against     ceph_mount_options's fsname and use it v4: Code refactor, better warning message and     fix possible compiler warning  [ Slava.Dubeyko: \"fsname check failed\" -> \"fsname mismatch\" ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40332",
                                "url": "https://ubuntu.com/security/CVE-2025-40332",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Fix mmap write lock not release  If mmap write lock is taken while draining retry fault, mmap write lock is not released because svm_range_restore_pages calls mmap_read_unlock then returns. This causes deadlock and system hangs later because mmap read or write lock cannot be taken.  Downgrade mmap write lock to read lock if draining retry fault fix this bug.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40304",
                                "url": "https://ubuntu.com/security/CVE-2025-40304",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds  Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen edges. Return early if the Y position is off-screen and clip image height to screen boundary. Break from the rendering loop if the X position is off-screen. When clipping image width to fit the screen, update the character count to match the clipped width to prevent buffer size mismatches.  Without the character count update, bit_putcs_aligned and bit_putcs_unaligned receive mismatched parameters where the buffer is allocated for the clipped width but cnt reflects the original larger count, causing out-of-bounds writes.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40305",
                                "url": "https://ubuntu.com/security/CVE-2025-40305",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN  p9_read_work() doesn't set Rworksched and doesn't do schedule_work(m->rq) if list_empty(&m->req_list).  However, if the pipe is full, we need to read more data and this used to work prior to commit aaec5a95d59615 (\"pipe_read: don't wake up the writer if the pipe is still full\").  p9_read_work() does p9_fd_read() -> ... -> anon_pipe_read() which (before the commit above) triggered the unnecessary wakeup. This wakeup calls p9_pollwake() which kicks p9_poll_workfn() -> p9_poll_mux(), p9_poll_mux() will notice EPOLLIN and schedule_work(&m->rq).  This no longer happens after the optimization above, change p9_fd_request() to use p9_poll_mux() instead of only checking for EPOLLOUT.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68318",
                                "url": "https://ubuntu.com/security/CVE-2025-68318",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL  The AXI crossbar of TH1520 has no proper timeout handling, which means gating AXI clocks can easily lead to bus timeout and thus system hang.  Set all AXI clock gates to CLK_IS_CRITICAL. All these clock gates are ungated by default on system reset.  In addition, convert all current CLK_IGNORE_UNUSED usage to CLK_IS_CRITICAL to prevent unwanted clock gating.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40209",
                                "url": "https://ubuntu.com/security/CVE-2025-40209",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation  When btrfs_add_qgroup_relation() is called with invalid qgroup levels (src >= dst), the function returns -EINVAL directly without freeing the preallocated qgroup_list structure passed by the caller. This causes a memory leak because the caller unconditionally sets the pointer to NULL after the call, preventing any cleanup.  The issue occurs because the level validation check happens before the mutex is acquired and before any error handling path that would free the prealloc pointer. On this early return, the cleanup code at the 'out' label (which includes kfree(prealloc)) is never reached.  In btrfs_ioctl_qgroup_assign(), the code pattern is:      prealloc = kzalloc(sizeof(*prealloc), GFP_KERNEL);     ret = btrfs_add_qgroup_relation(trans, sa->src, sa->dst, prealloc);     prealloc = NULL;  // Always set to NULL regardless of return value     ...     kfree(prealloc);  // This becomes kfree(NULL), does nothing  When the level check fails, 'prealloc' is never freed by either the callee or the caller, resulting in a 64-byte memory leak per failed operation. This can be triggered repeatedly by an unprivileged user with access to a writable btrfs mount, potentially exhausting kernel memory.  Fix this by freeing prealloc before the early return, ensuring prealloc is always freed on all error paths.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-21 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68183",
                                "url": "https://ubuntu.com/security/CVE-2025-68183",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr  Currently when both IMA and EVM are in fix mode, the IMA signature will be reset to IMA hash if a program first stores IMA signature in security.ima and then writes/removes some other security xattr for the file.  For example, on Fedora, after booting the kernel with \"ima_appraise=fix evm=fix ima_policy=appraise_tcb\" and installing rpm-plugin-ima, installing/reinstalling a package will not make good reference IMA signature generated. Instead IMA hash is generated,      # getfattr -m - -d -e hex /usr/bin/bash     # file: usr/bin/bash     security.ima=0x0404...  This happens because when setting security.selinux, the IMA_DIGSIG flag that had been set early was cleared. As a result, IMA hash is generated when the file is closed.  Similarly, IMA signature can be cleared on file close after removing security xattr like security.evm or setting/removing ACL.  Prevent replacing the IMA file signature with a file hash, by preventing the IMA_DIGSIG flag from being reset.  
Here's a minimal C reproducer which sets security.selinux as the last step which can also replaced by removing security.evm or setting ACL,      #include <stdio.h>     #include <sys/xattr.h>     #include <fcntl.h>     #include <unistd.h>     #include <string.h>     #include <stdlib.h>      int main() {         const char* file_path = \"/usr/sbin/test_binary\";         const char* hex_string = \"030204d33204490066306402304\";         int length = strlen(hex_string);         char* ima_attr_value;         int fd;          fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);         if (fd == -1) {             perror(\"Error opening file\");             return 1;         }          ima_attr_value = (char*)malloc(length / 2 );         for (int i = 0, j = 0; i < length; i += 2, j++) {             sscanf(hex_string + i, \"%2hhx\", &ima_attr_value[j]);         }          if (fsetxattr(fd, \"security.ima\", ima_attr_value, length/2, 0) == -1) {             perror(\"Error setting extended attribute\");             close(fd);             return 1;         }          const char* selinux_value= \"system_u:object_r:bin_t:s0\";         if (fsetxattr(fd, \"security.selinux\", selinux_value, strlen(selinux_value), 0) == -1) {             perror(\"Error setting extended attribute\");             close(fd);             return 1;         }          close(fd);          return 0;     }",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68173",
                                "url": "https://ubuntu.com/security/CVE-2025-68173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ftrace: Fix softlockup in ftrace_module_enable  A soft lockup was observed when loading the amdgpu module. If a module has a lot of traceable functions, multiple calls to kallsyms_lookup can spend too much time in an RCU critical section and with preemption disabled, causing a kernel panic. This is the same issue that was fixed in commit d0b24b4e91fc (\"ftrace: Prevent RCU stall on PREEMPT_VOLUNTARY kernels\") and commit 42ea22e754ba (\"ftrace: Add cond_resched() to ftrace_graph_set_hash()\").  Fix it the same way by adding cond_resched() in ftrace_module_enable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40306",
                                "url": "https://ubuntu.com/security/CVE-2025-40306",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  orangefs: fix xattr related buffer overflow...  Willy Tarreau <w@1wt.eu> forwarded me a message from Disclosure <disclosure@aisle.com> with the following warning:  > The helper `xattr_key()` uses the pointer variable in the loop condition > rather than dereferencing it. As `key` is incremented, it remains non-NULL > (until it runs into unmapped memory), so the loop does not terminate on > valid C strings and will walk memory indefinitely, consuming CPU or hanging > the thread.  I easily reproduced this with setfattr and getfattr, causing a kernel oops, hung user processes and corrupted orangefs files. Disclosure sent along a diff (not a patch) with a suggested fix, which I based this patch on.  After xattr_key started working right, xfstest generic/069 exposed an xattr related memory leak that lead to OOM. xattr_key returns a hashed key.  When adding xattrs to the orangefs xattr cache, orangefs used hash_add, a kernel hashing macro. hash_add also hashes the key using hash_log which resulted in additions to the xattr cache going to the wrong hash bucket. generic/069 tortures a single file and orangefs does a getattr for the xattr \"security.capability\" every time. Orangefs negative caches on xattrs which includes a kmalloc. Since adds to the xattr cache were going to the wrong bucket, every getattr for \"security.capability\" resulted in another kmalloc, none of which were ever freed.  I changed the two uses of hash_add to hlist_add_head instead and the memory leak ceased and generic/069 quit throwing furniture.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40307",
                                "url": "https://ubuntu.com/security/CVE-2025-40307",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exfat: validate cluster allocation bits of the allocation bitmap  syzbot created an exfat image with cluster bits not set for the allocation bitmap. exfat-fs reads and uses the allocation bitmap without checking this. The problem is that if the start cluster of the allocation bitmap is 6, cluster 6 can be allocated when creating a directory with mkdir. exfat zeros out this cluster in exfat_mkdir, which can delete existing entries. This can reallocate the allocated entries. In addition, the allocation bitmap is also zeroed out, so cluster 6 can be reallocated. This patch adds exfat_test_bitmap_range to validate that clusters used for the allocation bitmap are correctly marked as in-use.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40308",
                                "url": "https://ubuntu.com/security/CVE-2025-40308",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: bcsp: receive data only if registered  Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace:      KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]     RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590     Call Trace:      <TASK>      hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627      tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290      tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706      vfs_ioctl fs/ioctl.c:51 [inline]      __do_sys_ioctl fs/ioctl.c:907 [inline]      __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893      do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]      do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94      entry_SYSCALL_64_after_hwframe+0x77/0x7f  To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40309",
                                "url": "https://ubuntu.com/security/CVE-2025-40309",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: SCO: Fix UAF on sco_conn_free  BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline] BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline] BUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 Write of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352  CPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted 6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci13 hci_cmd_sync_work Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0x191/0x550 mm/kasan/report.c:482  kasan_report+0xc4/0x100 mm/kasan/report.c:595  sco_conn_free net/bluetooth/sco.c:87 [inline]  kref_put include/linux/kref.h:65 [inline]  sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107  sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441  hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]  hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313  hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121  hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147  hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689  hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332  process_one_work kernel/workqueue.c:3236 [inline]  process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319  worker_thread+0xbee/0x1200 kernel/workqueue.c:3400  kthread+0x3c7/0x870 kernel/kthread.c:463  ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 31370:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x70 mm/kasan/common.c:68  poison_kmalloc_redzone 
mm/kasan/common.c:388 [inline]  __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405  kasan_kmalloc include/linux/kasan.h:260 [inline]  __do_kmalloc_node mm/slub.c:4382 [inline]  __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394  kmalloc_noprof include/linux/slab.h:909 [inline]  sk_prot_alloc+0xae/0x220 net/core/sock.c:2239  sk_alloc+0x34/0x5a0 net/core/sock.c:2295  bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151  sco_sock_alloc net/bluetooth/sco.c:562 [inline]  sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593  bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135  __sock_create+0x3ad/0x780 net/socket.c:1589  sock_create net/socket.c:1647 [inline]  __sys_socket_create net/socket.c:1684 [inline]  __sys_socket+0xd5/0x330 net/socket.c:1731  __do_sys_socket net/socket.c:1745 [inline]  __se_sys_socket net/socket.c:1743 [inline]  __x64_sys_socket+0x7a/0x90 net/socket.c:1743  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 31374:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x70 mm/kasan/common.c:68  kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576  poison_slab_object mm/kasan/common.c:243 [inline]  __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275  kasan_slab_free include/linux/kasan.h:233 [inline]  slab_free_hook mm/slub.c:2428 [inline]  slab_free mm/slub.c:4701 [inline]  kfree+0x199/0x3b0 mm/slub.c:4900  sk_prot_free net/core/sock.c:2278 [inline]  __sk_destruct+0x4aa/0x630 net/core/sock.c:2373  sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333  __sock_release net/socket.c:649 [inline]  sock_close+0xb8/0x230 net/socket.c:1439  __fput+0x3d1/0x9e0 fs/file_table.c:468  task_work_run+0x206/0x2a0 kernel/task_work.c:227  get_signal+0x1201/0x1410 kernel/signal.c:2807  arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337  exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40  exit_to_user_mode_prepare 
include/linux/irq-entry-common.h:225 [inline]  s ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68174",
                                "url": "https://ubuntu.com/security/CVE-2025-68174",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  amd/amdkfd: enhance kfd process check in switch partition  current switch partition only check if kfd_processes_table is empty. kfd_prcesses_table entry is deleted in kfd_process_notifier_release, but kfd_process tear down is in kfd_process_wq_release.  consider two processes:  Process A (workqueue) -> kfd_process_wq_release -> Access kfd_node member Process B switch partition -> amdgpu_xcp_pre_partition_switch -> amdgpu_amdkfd_device_fini_sw -> kfd_node tear down.  Process A and B may trigger a race as shown in dmesg log.  This patch is to resolve the race by adding an atomic kfd_process counter kfd_processes_count, it increment as create kfd process, decrement as finish kfd_process_wq_release.  v2: Put kfd_processes_count per kfd_dev, move decrement to kfd_process_destroy_pdds and bug fix. (Philip Yang)  [3966658.307702] divide error: 0000 [#1] SMP NOPTI [3966658.350818]  i10nm_edac [3966658.356318] CPU: 124 PID: 38435 Comm: kworker/124:0 Kdump: loaded Tainted [3966658.356890] Workqueue: kfd_process_wq kfd_process_wq_release [amdgpu] [3966658.362839]  nfit [3966658.366457] RIP: 0010:kfd_get_num_sdma_engines+0x17/0x40 [amdgpu] [3966658.366460] Code: 00 00 e9 ac 81 02 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 0f 1f 44 00 00 48 8b 4f 08 48 8b b7 00 01 00 00 8b 81 58 26 03 00 99 <f7> be b8 01 00 00 80 b9 70 2e 00 00 00 74 0b 83 f8 02 ba 02 00 00 [3966658.380967]  x86_pkg_temp_thermal [3966658.391529] RSP: 0018:ffffc900a0edfdd8 EFLAGS: 00010246 [3966658.391531] RAX: 0000000000000008 RBX: ffff8974e593b800 RCX: ffff888645900000 [3966658.391531] RDX: 0000000000000000 RSI: ffff888129154400 RDI: ffff888129151c00 [3966658.391532] RBP: ffff8883ad79d400 R08: 0000000000000000 R09: ffff8890d2750af4 [3966658.391532] R10: 0000000000000018 R11: 0000000000000018 R12: 0000000000000000 [3966658.391533] R13: ffff8883ad79d400 R14: ffffe87ff662ba00 R15: ffff8974e593b800 
[3966658.391533] FS:  0000000000000000(0000) GS:ffff88fe7f600000(0000) knlGS:0000000000000000 [3966658.391534] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [3966658.391534] CR2: 0000000000d71000 CR3: 000000dd0e970004 CR4: 0000000002770ee0 [3966658.391535] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [3966658.391535] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [3966658.391536] PKRU: 55555554 [3966658.391536] Call Trace: [3966658.391674]  deallocate_sdma_queue+0x38/0xa0 [amdgpu] [3966658.391762]  process_termination_cpsch+0x1ed/0x480 [amdgpu] [3966658.399754]  intel_powerclamp [3966658.402831]  kfd_process_dequeue_from_all_devices+0x5b/0xc0 [amdgpu] [3966658.402908]  kfd_process_wq_release+0x1a/0x1a0 [amdgpu] [3966658.410516]  coretemp [3966658.434016]  process_one_work+0x1ad/0x380 [3966658.434021]  worker_thread+0x49/0x310 [3966658.438963]  kvm_intel [3966658.446041]  ? process_one_work+0x380/0x380 [3966658.446045]  kthread+0x118/0x140 [3966658.446047]  ? 
__kthread_bind_mask+0x60/0x60 [3966658.446050]  ret_from_fork+0x1f/0x30 [3966658.446053] Modules linked in: kpatch_20765354(OEK) [3966658.455310]  kvm [3966658.464534]  mptcp_diag xsk_diag raw_diag unix_diag af_packet_diag netlink_diag udp_diag act_pedit act_mirred act_vlan cls_flower kpatch_21951273(OEK) kpatch_18424469(OEK) kpatch_19749756(OEK) [3966658.473462]  idxd_mdev [3966658.482306]  kpatch_17971294(OEK) sch_ingress xt_conntrack amdgpu(OE) amdxcp(OE) amddrm_buddy(OE) amd_sched(OE) amdttm(OE) amdkcl(OE) intel_ifs iptable_mangle tcm_loop target_core_pscsi tcp_diag target_core_file inet_diag target_core_iblock target_core_user target_core_mod coldpgs kpatch_18383292(OEK) ip6table_nat ip6table_filter ip6_tables ip_set_hash_ipportip ip_set_hash_ipportnet ip_set_hash_ipport ip_set_bitmap_port xt_comment iptable_nat nf_nat iptable_filter ip_tables ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 sn_core_odd(OE) i40e overlay binfmt_misc tun bonding(OE) aisqos(OE) aisqo ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40310",
                                "url": "https://ubuntu.com/security/CVE-2025-40310",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw  There is race in amdgpu_amdkfd_device_fini_sw and interrupt. if amdgpu_amdkfd_device_fini_sw run in b/w kfd_cleanup_nodes and   kfree(kfd), and KGD interrupt generated.  kernel panic log:  BUG: kernel NULL pointer dereference, address: 0000000000000098 amdgpu 0000:c8:00.0: amdgpu: Requesting 4 partitions through PSP  PGD d78c68067 P4D d78c68067  kfd kfd: amdgpu: Allocated 3969056 bytes on gart  PUD 1465b8067 PMD @  Oops: @002 [#1] SMP NOPTI  kfd kfd: amdgpu: Total number of KFD nodes to be created: 4 CPU: 115 PID: @ Comm: swapper/115 Kdump: loaded Tainted: G S W OE K  RIP: 0010:_raw_spin_lock_irqsave+0x12/0x40  Code: 89 e@ 41 5c c3 cc cc cc cc 66 66 2e Of 1f 84 00 00 00 00 00 OF 1f 40 00 Of 1f 44% 00 00 41 54 9c 41 5c fa 31 cO ba 01 00 00 00 <fO> OF b1 17 75 Ba 4c 89 e@ 41 Sc  89 c6 e8 07 38 5d  RSP: 0018: ffffc90@1a6b0e28 EFLAGS: 00010046  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000018 0000000000000001 RSI: ffff8883bb623e00 RDI: 0000000000000098 ffff8883bb000000 RO8: ffff888100055020 ROO: ffff888100055020 0000000000000000 R11: 0000000000000000 R12: 0900000000000002 ffff888F2b97da0@ R14: @000000000000098 R15: ffff8883babdfo00  CS: 010 DS: 0000 ES: 0000 CRO: 0000000080050033  CR2: 0000000000000098 CR3: 0000000e7cae2006 CR4: 0000000002770ce0 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 0000000000000000 DR6: 00000000fffeO7FO DR7: 0000000000000400  PKRU: 55555554  Call Trace:  <IRQ>  kgd2kfd_interrupt+@x6b/0x1f@ [amdgpu]  ? 
amdgpu_fence_process+0xa4/0x150 [amdgpu]  kfd kfd: amdgpu: Node: 0, interrupt_bitmap: 3 YcpxFl Rant tErace  amdgpu_irq_dispatch+0x165/0x210 [amdgpu]  amdgpu_ih_process+0x80/0x100 [amdgpu]  amdgpu: Virtual CRAT table created for GPU  amdgpu_irq_handler+0x1f/@x60 [amdgpu]  __handle_irq_event_percpu+0x3d/0x170  amdgpu: Topology: Add dGPU node [0x74a2:0x1002]  handle_irq_event+0x5a/@xcO  handle_edge_irq+0x93/0x240  kfd kfd: amdgpu: KFD node 1 partition @ size 49148M  asm_call_irq_on_stack+0xf/@x20  </IRQ>  common_interrupt+0xb3/0x130  asm_common_interrupt+0x1le/0x40  5.10.134-010.a1i5000.a18.x86_64 #1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40361",
                                "url": "https://ubuntu.com/security/CVE-2025-40361",
                                "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40311",
                                "url": "https://ubuntu.com/security/CVE-2025-40311",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/habanalabs: support mapping cb with vmalloc-backed coherent memory  When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return addresses from the vmalloc range. If such an address is mapped without VM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the VM_PFNMAP restriction.  Fix this by checking for vmalloc addresses and setting VM_MIXEDMAP in the VMA before mapping. This ensures safe mapping and avoids kernel crashes. The memory is still driver-allocated and cannot be accessed directly by userspace.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68185",
                                "url": "https://ubuntu.com/security/CVE-2025-68185",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing  Theoretically it's an oopsable race, but I don't believe one can manage to hit it on real hardware; might become doable on a KVM, but it still won't be easy to attack.  Anyway, it's easy to deal with - since xdr_encode_hyper() is just a call of put_unaligned_be64(), we can put that under ->d_lock and be done with that.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68176",
                                "url": "https://ubuntu.com/security/CVE-2025-68176",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: cadence: Check for the existence of cdns_pcie::ops before using it  cdns_pcie::ops might not be populated by all the Cadence glue drivers. This is going to be true for the upcoming Sophgo platform which doesn't set the ops.  Hence, add a check to prevent NULL pointer dereference.  [mani: reworded subject and description]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68190",
                                "url": "https://ubuntu.com/security/CVE-2025-68190",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()  kcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws remains NULL while ectx.ws_size is set, leading to a potential NULL pointer dereference in atom_get_src_int() when accessing WS entries.  Return -ENOMEM on allocation failure to avoid the NULL dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68168",
                                "url": "https://ubuntu.com/security/CVE-2025-68168",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  jfs: fix uninitialized waitqueue in transaction manager  The transaction manager initialization in txInit() was not properly initializing TxBlock[0].waitor waitqueue, causing a crash when txEnd(0) is called on read-only filesystems.  When a filesystem is mounted read-only, txBegin() returns tid=0 to indicate no transaction. However, txEnd(0) still gets called and tries to access TxBlock[0].waitor via tid_to_tblock(0), but this waitqueue was never initialized because the initialization loop started at index 1 instead of 0.  This causes a 'non-static key' lockdep warning and system crash:   INFO: trying to register non-static key in txEnd  Fix by ensuring all transaction blocks including TxBlock[0] have their waitqueues properly initialized during txInit().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40312",
                                "url": "https://ubuntu.com/security/CVE-2025-40312",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  jfs: Verify inode mode when loading from disk  The inode mode loaded from corrupted disk can be invalid. Do like what commit 0a9e74051313 (\"isofs: Verify inode mode when loading from disk\") does.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40333",
                                "url": "https://ubuntu.com/security/CVE-2025-40333",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix infinite loop in __insert_extent_tree()  When we get wrong extent info data and look up the extent_node in the rb tree, it will cause an infinite loop (CONFIG_F2FS_CHECK_FS=n). Avoid this by returning NULL and printing some kernel messages in that case.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68321",
                                "url": "https://ubuntu.com/security/CVE-2025-68321",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  page_pool: always add GFP_NOWARN for ATOMIC allocations  Driver authors often forget to add GFP_NOWARN for page allocation from the datapath. This is annoying to users as OOMs are a fact of life, and we pretty much expect network Rx to hit page allocation failures during OOM. Make page pool add GFP_NOWARN for ATOMIC allocations by default.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40334",
                                "url": "https://ubuntu.com/security/CVE-2025-40334",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: validate userq buffer virtual address and size  The userq object virtual address needs to be validated to determine whether it resides in a valid vm mapping.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68191",
                                "url": "https://ubuntu.com/security/CVE-2025-68191",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  udp_tunnel: use netdev_warn() instead of netdev_WARN()  netdev_WARN() uses WARN/WARN_ON to print a backtrace along with file and line information. In this case, udp_tunnel_nic_register() returning an error is just a failed operation, not a kernel bug.  udp_tunnel_nic_register() can fail due to a memory allocation failure (kzalloc() or udp_tunnel_nic_alloc()). This is a normal runtime error and not a kernel bug.  Replace netdev_WARN() with netdev_warn() accordingly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68309",
                                "url": "https://ubuntu.com/security/CVE-2025-68309",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI/AER: Fix NULL pointer access by aer_info  The kzalloc(GFP_KERNEL) may return NULL, so all accesses to aer_info->xxx will result in kernel panic. Fix it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40313",
                                "url": "https://ubuntu.com/security/CVE-2025-40313",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ntfs3: pretend $Extend records as regular files  Since commit af153bb63a33 (\"vfs: catch invalid modes in may_open()\") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/ S_IFIFO/S_IFSOCK type, use S_IFREG for $Extend records.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40335",
                                "url": "https://ubuntu.com/security/CVE-2025-40335",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: validate userq input args  This helps validate the userq input args and reject invalid userq requests at the IOCTLs in the first place.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40314",
                                "url": "https://ubuntu.com/security/CVE-2025-40314",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget  In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget structure (pdev->gadget) was freed before its endpoints. The endpoints are linked via the ep_list in the gadget structure. Freeing the gadget first leaves dangling pointers in the endpoint list. When the endpoints are subsequently freed, this results in a use-after-free.  Fix: By separating the usb_del_gadget_udc() operation into distinct \"del\" and \"put\" steps, cdnsp_gadget_free_endpoints() can be executed prior to the final release of the gadget structure with usb_put_gadget().  A patch similar to bb9c74a5bd14(\"usb: dwc3: gadget: Free gadget structure  only after freeing endpoints\").",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40336",
                                "url": "https://ubuntu.com/security/CVE-2025-40336",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gpusvm: fix hmm_pfn_to_map_order() usage  Handle the case where the hmm range partially covers a huge page (like 2M), otherwise we can potentially end up doing something nasty like mapping memory which is outside the range, and maybe not even mapped by the mm. Fix is based on the xe userptr code, which in a future patch will directly use gpusvm, so needs alignment here.  v2:   - Add kernel-doc (Matt B)   - s/fls/ilog2/ (Thomas)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68193",
                                "url": "https://ubuntu.com/security/CVE-2025-68193",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Add devm release action to safely tear down CT  When a buffer object (BO) is allocated with the XE_BO_FLAG_GGTT_INVALIDATE flag, the driver initiates TLB invalidation requests via the CTB mechanism while releasing the BO. However a premature release of the CTB BO can lead to system crashes, as observed in:  Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:h2g_write+0x2f3/0x7c0 [xe] Call Trace:  guc_ct_send_locked+0x8b/0x670 [xe]  xe_guc_ct_send_locked+0x19/0x60 [xe]  send_tlb_invalidation+0xb4/0x460 [xe]  xe_gt_tlb_invalidation_ggtt+0x15e/0x2e0 [xe]  ggtt_invalidate_gt_tlb.part.0+0x16/0x90 [xe]  ggtt_node_remove+0x110/0x140 [xe]  xe_ggtt_node_remove+0x40/0xa0 [xe]  xe_ggtt_remove_bo+0x87/0x250 [xe]  Introduce a devm-managed release action during xe_guc_ct_init() and xe_guc_ct_init_post_hwconfig() to ensure proper CTB disablement before resource deallocation, preventing the use-after-free scenario.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68175",
                                "url": "https://ubuntu.com/security/CVE-2025-68175",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: nxp: imx8-isi: Fix streaming cleanup on release  The current implementation unconditionally calls mxc_isi_video_cleanup_streaming() in mxc_isi_video_release(). This can lead to situations where any release call (like from a simple \"v4l2-ctl -l\") may release a currently streaming queue when called on such a device.  This is reproducible on an i.MX8MP board by streaming from an ISI capture device using gstreamer:  \tgst-launch-1.0 -v v4l2src device=/dev/videoX ! \\ \t    video/x-raw,format=GRAY8,width=1280,height=800,framerate=1/120 ! \\ \t    fakesink  While this stream is running, querying the caps of the same device provokes the error state:  \tv4l2-ctl -l -d /dev/videoX  This results in the following trace:  [  155.452152] ------------[ cut here ]------------ [  155.452163] WARNING: CPU: 0 PID: 1708 at drivers/media/platform/nxp/imx8-isi/imx8-isi-pipe.c:713 mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [  157.004248] Modules linked in: cfg80211 rpmsg_ctrl rpmsg_char rpmsg_tty virtio_rpmsg_bus rpmsg_ns rpmsg_core rfkill nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables mcp251x6 [  157.053499] CPU: 0 UID: 0 PID: 1708 Comm: python3 Not tainted 6.15.4-00114-g1f61ca5cad76 #1 PREEMPT [  157.064369] Hardware name: imx8mp_board_01 (DT) [  157.068205] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [  157.075169] pc : mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [  157.081195] lr : mxc_isi_pipe_irq_handler+0x38/0x1b0 [imx8_isi] [  157.087126] sp : ffff800080003ee0 [  157.090438] x29: ffff800080003ee0 x28: ffff0000c3688000 x27: 0000000000000000 [  157.097580] x26: 0000000000000000 x25: ffff0000c1e7ac00 x24: ffff800081b5ad50 [  157.104723] x23: 00000000000000d1 x22: 0000000000000000 x21: ffff0000c25e4000 [  157.111866] x20: 0000000060000200 x19: ffff80007a0608d0 x18: 0000000000000000 [  157.119008] x17: 
ffff80006a4e3000 x16: ffff800080000000 x15: 0000000000000000 [  157.126146] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [  157.133287] x11: 0000000000000040 x10: ffff0000c01445f0 x9 : ffff80007a053a38 [  157.140425] x8 : ffff0000c04004b8 x7 : 0000000000000000 x6 : 0000000000000000 [  157.147567] x5 : ffff0000c0400490 x4 : ffff80006a4e3000 x3 : ffff0000c25e4000 [  157.154706] x2 : 0000000000000000 x1 : ffff8000825c0014 x0 : 0000000060000200 [  157.161850] Call trace: [  157.164296]  mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] (P) [  157.170319]  __handle_irq_event_percpu+0x58/0x218 [  157.175029]  handle_irq_event+0x54/0xb8 [  157.178867]  handle_fasteoi_irq+0xac/0x248 [  157.182968]  handle_irq_desc+0x48/0x68 [  157.186723]  generic_handle_domain_irq+0x24/0x38 [  157.191346]  gic_handle_irq+0x54/0x120 [  157.195098]  call_on_irq_stack+0x24/0x30 [  157.199027]  do_interrupt_handler+0x88/0x98 [  157.203212]  el0_interrupt+0x44/0xc0 [  157.206792]  __el0_irq_handler_common+0x18/0x28 [  157.211328]  el0t_64_irq_handler+0x10/0x20 [  157.215429]  el0t_64_irq+0x198/0x1a0 [  157.219009] ---[ end trace 0000000000000000 ]---  Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the vb2_ioctl_streamon() and vb2_ioctl_streamoff() helpers, and removal of the manual cleanup from mxc_isi_video_release().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68188",
                                "url": "https://ubuntu.com/security/CVE-2025-68188",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()  Use RCU to avoid a pair of atomic operations and a potential UAF on dst_dev()->flags.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68315",
                                "url": "https://ubuntu.com/security/CVE-2025-68315",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix to detect potential corrupted nid in free_nid_list  As reported, on-disk footer.ino and footer.nid is the same and out-of-range, let's add sanity check on f2fs_alloc_nid() to detect any potential corruption in free_nid_list.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40337",
                                "url": "https://ubuntu.com/security/CVE-2025-40337",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Correctly handle Rx checksum offload errors  The stmmac_rx function would previously set skb->ip_summed to CHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabled and the packet was of a known IP ethertype.  However, this logic failed to check if the hardware had actually reported a checksum error. The hardware status, indicating a header or payload checksum failure, was being ignored at this stage. This could cause corrupt packets to be passed up the network stack as valid.  This patch corrects the logic by checking the `csum_none` status flag, which is set when the hardware reports a checksum error. If this flag is set, skb->ip_summed is now correctly set to CHECKSUM_NONE, ensuring the kernel's network stack will perform its own validation and properly handle the corrupt packet.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40338",
                                "url": "https://ubuntu.com/security/CVE-2025-40338",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Do not share the name pointer between components  By sharing 'name' directly, tearing down components may lead to use-after-free errors. Duplicate the name to avoid that.  At the same time, update the order of operations - since commit cee28113db17 (\"ASoC: dmaengine_pcm: Allow passing component name via config\") the framework does not override component->name if set before invoking the initializer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40339",
                                "url": "https://ubuntu.com/security/CVE-2025-40339",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: fix nullptr err of vm_handle_moved  If an amdgpu_bo_va is fpriv->prt_va, the bo of this one is always NULL. So, such kind of amdgpu_bo_va should be updated separately before amdgpu_vm_handle_moved.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68194",
                                "url": "https://ubuntu.com/security/CVE-2025-68194",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: imon: make send_packet() more robust  syzbot is reporting that imon has three problems which result in hung tasks due to forever holding device lock [1].  First problem is that when usb_rx_callback_intf0() once got -EPROTO error after ictx->dev_present_intf0 became true, usb_rx_callback_intf0() resubmits urb after printk(), and resubmitted urb causes usb_rx_callback_intf0() to again get -EPROTO error. This results in printk() flooding (RCU stalls).  Alan Stern commented [2] that    In theory it's okay to resubmit _if_ the driver has a robust   error-recovery scheme (such as giving up after some fixed limit on the   number of errors or after some fixed time has elapsed, perhaps with a   time delay to prevent a flood of errors).  Most drivers don't bother to   do this; they simply give up right away.  This makes them more   vulnerable to short-term noise interference during USB transfers, but in   reality such interference is quite rare.  There's nothing really wrong   with giving up right away.  but imon has a poor error-recovery scheme which just retries forever; this behavior should be fixed.  Since I'm not sure whether it is safe for imon users to give up upon any error code, this patch takes care of only union of error codes chosen from modules in drivers/media/rc/ directory which handle -EPROTO error (i.e. ir_toy, mceusb and igorplugusb).  Second problem is that when usb_rx_callback_intf0() once got -EPROTO error before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0() always resubmits urb due to commit 8791d63af0cf (\"[media] imon: don't wedge hardware after early callbacks\"). 
Move the ictx->dev_present_intf0 test introduced by commit 6f6b90c9231a (\"[media] imon: don't parse scancodes until intf configured\") to immediately before imon_incoming_packet(), or the first problem explained above happens without printk() flooding (i.e. hung task).  Third problem is that when usb_rx_callback_intf0() is not called for some reason (e.g. flaky hardware; the reproducer for this problem sometimes prevents usb_rx_callback_intf0() from being called), wait_for_completion_interruptible() in send_packet() never returns (i.e. hung task). As a workaround for such situation, change send_packet() to wait for completion with timeout of 10 seconds.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40363",
                                "url": "https://ubuntu.com/security/CVE-2025-40363",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: ipv6: fix field-spanning memcpy warning in AH output  Fix field-spanning memcpy warnings in ah6_output() and ah6_output_done() where extension headers are copied to/from IPv6 address fields, triggering fortify-string warnings about writes beyond the 16-byte address fields.    memcpy: detected field-spanning write (size 40) of single field \"&top_iph->saddr\" at net/ipv6/ah6.c:439 (size 16)   WARNING: CPU: 0 PID: 8838 at net/ipv6/ah6.c:439 ah6_output+0xe7e/0x14e0 net/ipv6/ah6.c:439  The warnings are false positives as the extension headers are intentionally placed after the IPv6 header in memory. Fix by properly copying addresses and extension headers separately, and introduce helper functions to avoid code duplication.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68311",
                                "url": "https://ubuntu.com/security/CVE-2025-68311",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: serial: ip22zilog: Use platform device for probing  After commit 84a9582fd203 (\"serial: core: Start managing serial controllers to enable runtime PM\") serial drivers need to provide a device in struct uart_port.dev otherwise an oops happens. To fix this issue for ip22zilog driver switch driver to a platform driver and setup the serial device in sgi-ip22 code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40340",
                                "url": "https://ubuntu.com/security/CVE-2025-40340",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.  I saw an oops in xe_gem_fault when running the xe-fast-feedback testlist against the realtime kernel without debug options enabled.  The panic happens after core_hotunplug unbind-rebind finishes. Presumably what happens is that a process mmaps, unlocks because of the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left, causing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since there was nothing left to populate, and then oopses in \"mem_type_is_vram(tbo->resource->mem_type)\" because tbo->resource is NULL.  It's convoluted, but fits the data and explains the oops after the test exits.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68196",
                                "url": "https://ubuntu.com/security/CVE-2025-68196",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Cache streams targeting link when performing LT automation  [WHY] Last LT automation update can cause crash by referencing current_state and calling into dc_update_planes_and_stream which may clobber current_state.  [HOW] Cache relevant stream pointers and iterate through them instead of relying on the current_state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68178",
                                "url": "https://ubuntu.com/security/CVE-2025-68178",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  blk-cgroup: fix possible deadlock while configuring policy  Following deadlock can be triggered easily by lockdep:  WARNING: possible circular locking dependency detected 6.17.0-rc3-00124-ga12c2658ced0 #1665 Not tainted ------------------------------------------------------ check/1334 is trying to acquire lock: ff1100011d9d0678 (&q->sysfs_lock){+.+.}-{4:4}, at: blk_unregister_queue+0x53/0x180  but task is already holding lock: ff1100011d9d00e0 (&q->q_usage_counter(queue)#3){++++}-{0:0}, at: del_gendisk+0xba/0x110  which lock already depends on the new lock.  the existing dependency chain (in reverse order) is:  -> #2 (&q->q_usage_counter(queue)#3){++++}-{0:0}:        blk_queue_enter+0x40b/0x470        blkg_conf_prep+0x7b/0x3c0        tg_set_limit+0x10a/0x3e0        cgroup_file_write+0xc6/0x420        kernfs_fop_write_iter+0x189/0x280        vfs_write+0x256/0x490        ksys_write+0x83/0x190        __x64_sys_write+0x21/0x30        x64_sys_call+0x4608/0x4630        do_syscall_64+0xdb/0x6b0        entry_SYSCALL_64_after_hwframe+0x76/0x7e  -> #1 (&q->rq_qos_mutex){+.+.}-{4:4}:        __mutex_lock+0xd8/0xf50        mutex_lock_nested+0x2b/0x40        wbt_init+0x17e/0x280        wbt_enable_default+0xe9/0x140        blk_register_queue+0x1da/0x2e0        __add_disk+0x38c/0x5d0        add_disk_fwnode+0x89/0x250        device_add_disk+0x18/0x30        virtblk_probe+0x13a3/0x1800        virtio_dev_probe+0x389/0x610        really_probe+0x136/0x620        __driver_probe_device+0xb3/0x230        driver_probe_device+0x2f/0xe0        __driver_attach+0x158/0x250        bus_for_each_dev+0xa9/0x130        driver_attach+0x26/0x40        bus_add_driver+0x178/0x3d0        driver_register+0x7d/0x1c0        __register_virtio_driver+0x2c/0x60        virtio_blk_init+0x6f/0xe0        do_one_initcall+0x94/0x540        kernel_init_freeable+0x56a/0x7b0        
kernel_init+0x2b/0x270        ret_from_fork+0x268/0x4c0        ret_from_fork_asm+0x1a/0x30  -> #0 (&q->sysfs_lock){+.+.}-{4:4}:        __lock_acquire+0x1835/0x2940        lock_acquire+0xf9/0x450        __mutex_lock+0xd8/0xf50        mutex_lock_nested+0x2b/0x40        blk_unregister_queue+0x53/0x180        __del_gendisk+0x226/0x690        del_gendisk+0xba/0x110        sd_remove+0x49/0xb0 [sd_mod]        device_remove+0x87/0xb0        device_release_driver_internal+0x11e/0x230        device_release_driver+0x1a/0x30        bus_remove_device+0x14d/0x220        device_del+0x1e1/0x5a0        __scsi_remove_device+0x1ff/0x2f0        scsi_remove_device+0x37/0x60        sdev_store_delete+0x77/0x100        dev_attr_store+0x1f/0x40        sysfs_kf_write+0x65/0x90        kernfs_fop_write_iter+0x189/0x280        vfs_write+0x256/0x490        ksys_write+0x83/0x190        __x64_sys_write+0x21/0x30        x64_sys_call+0x4608/0x4630        do_syscall_64+0xdb/0x6b0        entry_SYSCALL_64_after_hwframe+0x76/0x7e  other info that might help us debug this:  Chain exists of:   &q->sysfs_lock --> &q->rq_qos_mutex --> &q->q_usage_counter(queue)#3   Possible unsafe locking scenario:         CPU0                    CPU1        ----                    ----   lock(&q->q_usage_counter(queue)#3);                                lock(&q->rq_qos_mutex);                                lock(&q->q_usage_counter(queue)#3);   lock(&q->sysfs_lock);  Root cause is that queue_usage_counter is grabbed with rq_qos_mutex held in blkg_conf_prep(), while queue should be freezed before rq_qos_mutex from other context.  The blk_queue_enter() from blkg_conf_prep() is used to protect against policy deactivation, which is already protected with blkcg_mutex, hence convert blk_queue_enter() to blkcg_mutex to fix this problem. Meanwhile, consider that blkcg_mutex is held after queue is freezed from policy deactivation, also convert blkg_alloc() to use GFP_NOIO.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40341",
                                "url": "https://ubuntu.com/security/CVE-2025-40341",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  futex: Don't leak robust_list pointer on exec race  sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access() to check if the calling task is allowed to access another task's robust_list pointer. This check is racy against a concurrent exec() in the target process.  During exec(), a task may transition from a non-privileged binary to a privileged one (e.g., setuid binary) and its credentials/memory mappings may change. If get_robust_list() performs ptrace_may_access() before this transition, it may erroneously allow access to sensitive information after the target becomes privileged.  A racy access allows an attacker to exploit a window during which ptrace_may_access() passes before a target process transitions to a privileged state via exec().  For example, consider a non-privileged task T that is about to execute a setuid-root binary. An attacker task A calls get_robust_list(T) while T is still unprivileged. Since ptrace_may_access() checks permissions based on current credentials, it succeeds. However, if T begins exec immediately afterwards, it becomes privileged and may change its memory mappings. Because get_robust_list() proceeds to access T->robust_list without synchronizing with exec() it may read user-space pointers from a now-privileged process.  This violates the intended post-exec access restrictions and could expose sensitive memory addresses or be used as a primitive in a larger exploit chain. Consequently, the race can lead to unauthorized disclosure of information across privilege boundaries and poses a potential security risk.  Take a read lock on signal->exec_update_lock prior to invoking ptrace_may_access() and accessing the robust_list/compat_robust_list. This ensures that the target task's exec state remains stable during the check, allowing for consistent and synchronized validation of credentials.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40342",
                                "url": "https://ubuntu.com/security/CVE-2025-40342",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvme-fc: use lock accessing port_state and rport state  nvme_fc_unregister_remote removes the remote port on a lport object at any point in time when there is no active association. This races with the reconnect logic, because nvme_fc_create_association is not taking a lock to check the port_state and atomically increase the active count on the rport.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40343",
                                "url": "https://ubuntu.com/security/CVE-2025-40343",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-fc: avoid scheduling association deletion twice  When forcefully shutting down a port via the configfs interface, nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and then nvmet_disable_port(). Both functions will eventually schedule all remaining associations for deletion.  The current implementation checks whether an association is about to be removed, but only after the work item has already been scheduled. As a result, it is possible for the first scheduled work item to free all resources, and then for the same work item to be scheduled again for deletion.  Because the association list is an RCU list, it is not possible to take a lock and remove the list entry directly, so it cannot be looked up again. Instead, a flag (terminating) must be used to determine whether the association is already in the process of being deleted.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68177",
                                "url": "https://ubuntu.com/security/CVE-2025-68177",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq/longhaul: handle NULL policy in longhaul_exit  longhaul_exit() was calling cpufreq_cpu_get(0) without checking for a NULL policy pointer. On some systems, this could lead to a NULL dereference and a kernel warning or panic.  This patch adds a check using unlikely() and returns early if the policy is NULL.  Bugzilla: #219962",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68317",
                                "url": "https://ubuntu.com/security/CVE-2025-68317",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/zctx: check chained notif contexts  Send zc only links ubuf_info for requests coming from the same context. There are some ambiguous syz reports, so let's check the assumption on notification completion.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40315",
                                "url": "https://ubuntu.com/security/CVE-2025-40315",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_fs: Fix epfile null pointer access after ep enable.  A race condition occurs when ffs_func_eps_enable() runs concurrently with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading to a NULL pointer dereference when accessing epfile->ep in ffs_func_eps_enable() after successful usb_ep_enable().  The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and ffs_data_close() functions, and its modification is protected by the spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function is also protected by ffs->eps_lock.  Thus, add NULL pointer handling for ffs->epfiles in the ffs_func_eps_enable() function to fix issues",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40316",
                                "url": "https://ubuntu.com/security/CVE-2025-40316",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/mediatek: Fix device use-after-free on unbind  A recent change fixed device reference leaks when looking up drm platform device driver data during bind() but failed to remove a partial fix which had been added by commit 80805b62ea5b (\"drm/mediatek: Fix kobject put for component sub-drivers\").  This results in a reference imbalance on component bind() failures and on unbind() which could lead to a use-after-free.  Make sure to only drop the references after retrieving the driver data by effectively reverting the previous partial fix.  Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40360",
                                "url": "https://ubuntu.com/security/CVE-2025-40360",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sysfb: Do not dereference NULL pointer in plane reset  The plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not deref that pointer, but forward NULL to the other plane-reset helpers. Clears plane->state to NULL.  v2: - fix typo in commit description (Javier)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68179",
                                "url": "https://ubuntu.com/security/CVE-2025-68179",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP  As reported by Luiz Capitulino enabling HVO on s390 leads to reproducible crashes. The problem is that kernel page tables are modified without flushing corresponding TLB entries.  Even if it looks like the empty flush_tlb_all() implementation on s390 is the problem, it is actually a different problem: on s390 it is not allowed to replace an active/valid page table entry with another valid page table entry without the detour over an invalid entry. A direct replacement may lead to random crashes and/or data corruption.  In order to invalidate an entry special instructions have to be used (e.g. ipte or idte). Alternatively there are also special instructions available which allow to replace a valid entry with a different valid entry (e.g. crdte or cspg).  Given that the HVO code currently does not provide the hooks to allow for an implementation which is compliant with the s390 architecture requirements, disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP again, which is basically a revert of the original patch which enabled it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68310",
                                "url": "https://ubuntu.com/security/CVE-2025-68310",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump  Do not block PCI config accesses through pci_cfg_access_lock() when executing the s390 variant of PCI error recovery: Acquire just device_lock() instead of pci_dev_lock() as powerpc's EEH and generig PCI AER processing do.  During error recovery testing a pair of tasks was reported to be hung:  mlx5_core 0000:00:00.1: mlx5_health_try_recover:338:(pid 5553): health recovery flow aborted, PCI reads still not working INFO: task kmcheck:72 blocked for more than 122 seconds.       Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. task:kmcheck         state:D stack:0     pid:72    tgid:72    ppid:2     flags:0x00000000 Call Trace:  [<000000065256f030>] __schedule+0x2a0/0x590  [<000000065256f356>] schedule+0x36/0xe0  [<000000065256f572>] schedule_preempt_disabled+0x22/0x30  [<0000000652570a94>] __mutex_lock.constprop.0+0x484/0x8a8  [<000003ff800673a4>] mlx5_unload_one+0x34/0x58 [mlx5_core]  [<000003ff8006745c>] mlx5_pci_err_detected+0x94/0x140 [mlx5_core]  [<0000000652556c5a>] zpci_event_attempt_error_recovery+0xf2/0x398  [<0000000651b9184a>] __zpci_event_error+0x23a/0x2c0 INFO: task kworker/u1664:6:1514 blocked for more than 122 seconds.       Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. 
task:kworker/u1664:6 state:D stack:0     pid:1514  tgid:1514  ppid:2     flags:0x00000000 Workqueue: mlx5_health0000:00:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core] Call Trace:  [<000000065256f030>] __schedule+0x2a0/0x590  [<000000065256f356>] schedule+0x36/0xe0  [<0000000652172e28>] pci_wait_cfg+0x80/0xe8  [<0000000652172f94>] pci_cfg_access_lock+0x74/0x88  [<000003ff800916b6>] mlx5_vsc_gw_lock+0x36/0x178 [mlx5_core]  [<000003ff80098824>] mlx5_crdump_collect+0x34/0x1c8 [mlx5_core]  [<000003ff80074b62>] mlx5_fw_fatal_reporter_dump+0x6a/0xe8 [mlx5_core]  [<0000000652512242>] devlink_health_do_dump.part.0+0x82/0x168  [<0000000652513212>] devlink_health_report+0x19a/0x230  [<000003ff80075a12>] mlx5_fw_fatal_reporter_err_work+0xba/0x1b0 [mlx5_core]  No kernel log of the exact same error with an upstream kernel is available - but the very same deadlock situation can be constructed there, too:  - task: kmcheck   mlx5_unload_one() tries to acquire devlink lock while the PCI error   recovery code has set pdev->block_cfg_access by way of   pci_cfg_access_lock() - task: kworker   mlx5_crdump_collect() tries to set block_cfg_access through   pci_cfg_access_lock() while devlink_health_report() had acquired   the devlink lock.  A similar deadlock situation can be reproduced by requesting a crdump with   > devlink health dump show pci/<BDF> reporter fw_fatal  while PCI error recovery is executed on the same <BDF> physical function by mlx5_core's pci_error_handlers. On s390 this can be injected with   > zpcictl --reset-fw <BDF>  Tests with this patch failed to reproduce that second deadlock situation, the devlink command is rejected with \"kernel answers: Permission denied\" - and we get a kernel log message of:  mlx5_core 1ed0:00:00.1: mlx5_crdump_collect:50:(pid 254382): crdump: failed to lock vsc gw err -5  because the config read of VSC_SEMAPHORE is rejected by the underlying hardware.  
Two prior attempts to address this issue have been discussed and ultimately rejected [see link], with the primary argument that s390's implementation of PCI error recovery is imposing restrictions that neither powerpc's EEH nor PCI AER handling need. Tests show that PCI error recovery on s390 is running to completion even without blocking access to PCI config space.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40317",
                                "url": "https://ubuntu.com/security/CVE-2025-40317",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  regmap: slimbus: fix bus_context pointer in regmap init calls  Commit 4e65bda8273c (\"ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()\") revealed the problem in the slimbus regmap. That commit breaks audio playback, for instance, on sdm845 Thundercomm Dragonboard 845c board:   Unable to handle kernel paging request at virtual address ffff8000847cbad4  ...  CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT  Hardware name: Thundercomm Dragonboard 845c (DT)  ...  Call trace:   slim_xfer_msg+0x24/0x1ac [slimbus] (P)   slim_read+0x48/0x74 [slimbus]   regmap_slimbus_read+0x18/0x24 [regmap_slimbus]   _regmap_raw_read+0xe8/0x174   _regmap_bus_read+0x44/0x80   _regmap_read+0x60/0xd8   _regmap_update_bits+0xf4/0x140   _regmap_select_page+0xa8/0x124   _regmap_raw_write_impl+0x3b8/0x65c   _regmap_bus_raw_write+0x60/0x80   _regmap_write+0x58/0xc0   regmap_write+0x4c/0x80   wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x]   snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core]   __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core]   dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core]   dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core]   snd_pcm_hw_params+0x124/0x464 [snd_pcm]   snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm]   snd_pcm_ioctl+0x34/0x4c [snd_pcm]   __arm64_sys_ioctl+0xac/0x104   invoke_syscall+0x48/0x104   el0_svc_common.constprop.0+0x40/0xe0   do_el0_svc+0x1c/0x28   el0_svc+0x34/0xec   el0t_64_sync_handler+0xa0/0xf0   el0t_64_sync+0x198/0x19c  The __devm_regmap_init_slimbus() started to be used instead of __regmap_init_slimbus() after the commit mentioned above and turns out the incorrect bus_context pointer (3rd argument) was used in __devm_regmap_init_slimbus(). It should be just \"slimbus\" (which is equal to &slimbus->dev). Correct it. 
The wcd934x codec seems to be the only or the first user of devm_regmap_init_slimbus() but we should fix it till the point where __devm_regmap_init_slimbus() was introduced therefore two \"Fixes\" tags.  While at this, also correct the same argument in __regmap_init_slimbus().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40359",
                                "url": "https://ubuntu.com/security/CVE-2025-40359",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/x86/intel: Fix KASAN global-out-of-bounds warning  When running \"perf mem record\" command on CWF, the below KASAN global-out-of-bounds warning is seen.    ==================================================================   BUG: KASAN: global-out-of-bounds in cmt_latency_data+0x176/0x1b0   Read of size 4 at addr ffffffffb721d000 by task dtlb/9850    Call Trace:     kasan_report+0xb8/0xf0    cmt_latency_data+0x176/0x1b0    setup_arch_pebs_sample_data+0xf49/0x2560    intel_pmu_drain_arch_pebs+0x577/0xb00    handle_pmi_common+0x6c4/0xc80  The issue is caused by below code in __grt_latency_data(). The code tries to access x86_hybrid_pmu structure which doesn't exist on non-hybrid platform like CWF.          WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big)  So add is_hybrid() check before calling this WARN_ON_ONCE to fix the global-out-of-bounds access issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68181",
                                "url": "https://ubuntu.com/security/CVE-2025-68181",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Remove calls to drm_put_dev()  Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() drm_put_dev()'ing to trigger it to be free'd should be done by devres.  However, drm_put_dev() is still in the probe error and device remove paths. When the driver fails to probe warnings like the following are shown because devres is trying to drm_put_dev() after the driver already did it.  [    5.642230] radeon 0000:01:05.0: probe with driver radeon failed with error -22 [    5.649605] ------------[ cut here ]------------ [    5.649607] refcount_t: underflow; use-after-free. [    5.649620] WARNING: CPU: 0 PID: 357 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110  (cherry picked from commit 3eb8c0b4c091da0a623ade0d3ee7aa4a93df1ea4)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68170",
                                "url": "https://ubuntu.com/security/CVE-2025-68170",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Do not kfree() devres managed rdev  Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() rdev is managed by devres and we shouldn't be calling kfree() on it.  This fixes things exploding if the driver probe fails and devres cleans up the rdev after we already free'd it.  (cherry picked from commit 16c0681617b8a045773d4d87b6140002fa75b03b)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40213",
                                "url": "https://ubuntu.com/security/CVE-2025-40213",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete  There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array.  Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove.  Use DEFINE_FLEX to declare the flexible array right, and don't memcpy outside bounds.  As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free, and also report status on error.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-24 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40318",
                                "url": "https://ubuntu.com/security/CVE-2025-40318",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once  hci_cmd_sync_dequeue_once() does lookup and then cancel the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the same entry, leading to double list_del() and \"UAF\".  Fix this by holding cmd_sync_work_lock across both lookup and cancel, so that the entry cannot be removed concurrently.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68312",
                                "url": "https://ubuntu.com/security/CVE-2025-68312",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: Prevents free active kevent  The root causes of this issue are: 1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0); puts the kevent work in global workqueue. However, the kevent has not yet been scheduled when the usbnet device is unregistered. Therefore, executing free_netdev() results in the \"free active object (kevent)\" error reported here.  2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(), if the usbnet device is up, ndo_stop() is executed to cancel the kevent. However, because the device is not up, ndo_stop() is not executed.  The solution to this problem is to cancel the kevent before executing free_netdev().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40344",
                                "url": "https://ubuntu.com/security/CVE-2025-40344",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Disable periods-elapsed work when closing PCM  avs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio stream while period-elapsed work services its IRQs. As the former frees the DAI's private context, these two operations shall be synchronized to avoid slab-use-after-free or worse errors.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68172",
                                "url": "https://ubuntu.com/security/CVE-2025-68172",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: aspeed - fix double free caused by devm  The clock obtained via devm_clk_get_enabled() is automatically managed by devres and will be disabled and freed on driver detach. Manually calling clk_disable_unprepare() in error path and remove function causes double free.  Remove the manual clock cleanup in both aspeed_acry_probe()'s error path and aspeed_acry_remove().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40319",
                                "url": "https://ubuntu.com/security/CVE-2025-40319",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Sync pending IRQ work before freeing ring buffer  Fix a race where irq_work can be queued in bpf_ringbuf_commit() but the ring buffer is freed before the work executes. In the syzbot reproducer, a BPF program attached to sched_switch triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer is freed before this work executes, the irq_work thread may access freed memory. Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work complete before freeing the buffer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68182",
                                "url": "https://ubuntu.com/security/CVE-2025-68182",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: iwlwifi: fix potential use after free in iwl_mld_remove_link()  This code frees \"link\" by calling kfree_rcu(link, rcu_head) and then it dereferences \"link\" to get the \"link->fw_id\".  Save the \"link->fw_id\" first to avoid a potential use after free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68314",
                                "url": "https://ubuntu.com/security/CVE-2025-68314",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm: make sure last_fence is always updated  Update last_fence in the vm-bind path instead of kernel managed path.  last_fence is used to wait for work to finish in vm_bind contexts but not used for kernel managed contexts.  This fixes a bug where last_fence is not waited on context close leading to faults as resources are freed while in use.  Patchwork: https://patchwork.freedesktop.org/patch/680080/",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68189",
                                "url": "https://ubuntu.com/security/CVE-2025-68189",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm: Fix GEM free for imported dma-bufs  Imported dma-bufs also have obj->resv != &obj->_resv.  So we should check both this condition in addition to flags for handling the _NO_SHARE case.  Fixes this splat that was reported with IRIS video playback:      ------------[ cut here ]------------     WARNING: CPU: 3 PID: 2040 at drivers/gpu/drm/msm/msm_gem.c:1127 msm_gem_free_object+0x1f8/0x264 [msm]     CPU: 3 UID: 1000 PID: 2040 Comm: .gnome-shell-wr Not tainted 6.17.0-rc7 #1 PREEMPT     pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)     pc : msm_gem_free_object+0x1f8/0x264 [msm]     lr : msm_gem_free_object+0x138/0x264 [msm]     sp : ffff800092a1bb30     x29: ffff800092a1bb80 x28: ffff800092a1bce8 x27: ffffbc702dbdbe08     x26: 0000000000000008 x25: 0000000000000009 x24: 00000000000000a6     x23: ffff00083c72f850 x22: ffff00083c72f868 x21: ffff00087e69f200     x20: ffff00087e69f330 x19: ffff00084d157ae0 x18: 0000000000000000     x17: 0000000000000000 x16: ffffbc704bd46b80 x15: 0000ffffd0959540     x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000     x11: ffffbc702e6cdb48 x10: 0000000000000000 x9 : 000000000000003f     x8 : ffff800092a1ba90 x7 : 0000000000000000 x6 : 0000000000000020     x5 : ffffbc704bd46c40 x4 : fffffdffe102cf60 x3 : 0000000000400032     x2 : 0000000000020000 x1 : ffff00087e6978e8 x0 : ffff00087e6977e8     Call trace:      msm_gem_free_object+0x1f8/0x264 [msm] (P)      drm_gem_object_free+0x1c/0x30 [drm]      drm_gem_object_handle_put_unlocked+0x138/0x150 [drm]      drm_gem_object_release_handle+0x5c/0xcc [drm]      drm_gem_handle_delete+0x68/0xbc [drm]      drm_gem_close_ioctl+0x34/0x40 [drm]      drm_ioctl_kernel+0xc0/0x130 [drm]      drm_ioctl+0x360/0x4e0 [drm]      __arm64_sys_ioctl+0xac/0x104      invoke_syscall+0x48/0x104      el0_svc_common.constprop.0+0x40/0xe0      
do_el0_svc+0x1c/0x28      el0_svc+0x34/0xec      el0t_64_sync_handler+0xa0/0xe4      el0t_64_sync+0x198/0x19c     ---[ end trace 0000000000000000 ]---     ------------[ cut here ]------------  Patchwork: https://patchwork.freedesktop.org/patch/676273/",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68171",
                                "url": "https://ubuntu.com/security/CVE-2025-68171",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/fpu: Ensure XFD state on signal delivery  Sean reported [1] the following splat when running KVM tests:     WARNING: CPU: 232 PID: 15391 at xfd_validate_state+0x65/0x70    Call Trace:     <TASK>     fpu__clear_user_states+0x9c/0x100     arch_do_signal_or_restart+0x142/0x210     exit_to_user_mode_loop+0x55/0x100     do_syscall_64+0x205/0x2c0     entry_SYSCALL_64_after_hwframe+0x4b/0x53  Chao further identified [2] a reproducible scenario involving signal delivery: a non-AMX task is preempted by an AMX-enabled task which modifies the XFD MSR.  When the non-AMX task resumes and reloads XSTATE with init values, a warning is triggered due to a mismatch between fpstate::xfd and the CPU's current XFD state. fpu__clear_user_states() does not currently re-synchronize the XFD state after such preemption.  Invoke xfd_update_state() which detects and corrects the mismatch if there is a dynamic feature.  This also benefits the sigreturn path, as fpu__restore_sig() may call fpu__clear_user_states() when the sigframe is inaccessible.  [ dhansen: minor changelog munging ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68313",
                                "url": "https://ubuntu.com/security/CVE-2025-68313",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Add RDSEED fix for Zen5  There's an issue with RDSEED's 16-bit and 32-bit register output variants on Zen5 which return a random value of 0 \"at a rate inconsistent with randomness while incorrectly signaling success (CF=1)\". Search the web for AMD-SB-7055 for more detail.  Add a fix glue which checks microcode revisions.    [ bp: Add microcode revisions checking, rewrite. ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40320",
                                "url": "https://ubuntu.com/security/CVE-2025-40320",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix potential cfid UAF in smb2_query_info_compound  When smb2_query_info_compound() retries, a previously allocated cfid may have been freed in the first attempt. Because cfid wasn't reset on replay, later cleanup could act on a stale pointer, leading to a potential use-after-free.  Reinitialize cfid to NULL under the replay label.  Example trace (trimmed):  refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110 [...] RIP: 0010:refcount_warn_saturate+0x9c/0x110 [...] Call Trace:  <TASK>  smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  ? step_into+0x10d/0x690  ? __legitimize_path+0x28/0x60  smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  ? kmem_cache_alloc+0x18a/0x340  ? getname_flags+0x46/0x1e0  cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  statfs_by_dentry+0x67/0x90  vfs_statfs+0x16/0xd0  user_statfs+0x54/0xa0  __do_sys_statfs+0x20/0x50  do_syscall_64+0x58/0x80",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40321",
                                "url": "https://ubuntu.com/security/CVE-2025-40321",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode  Currently, whenever there is a need to transmit an Action frame, the brcmfmac driver always uses the P2P vif to send the \"actframe\" IOVAR to firmware. The P2P interfaces were available when wpa_supplicant is managing the wlan interface.  However, the P2P interfaces are not created/initialized when only hostapd is managing the wlan interface. And if hostapd receives an ANQP Query REQ Action frame even from an un-associated STA, the brcmfmac driver tries to use an uninitialized P2P vif pointer for sending the IOVAR to firmware. This NULL pointer dereferencing triggers a driver crash.   [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual  address 0000000000000000  [...]  [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)  [...]  [ 1417.075653] Call trace:  [ 1417.075662]  brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]  [ 1417.075738]  brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]  [ 1417.075810]  cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211]  [ 1417.076067]  nl80211_tx_mgmt+0x238/0x388 [cfg80211]  [ 1417.076281]  genl_family_rcv_msg_doit+0xe0/0x158  [ 1417.076302]  genl_rcv_msg+0x220/0x2a0  [ 1417.076317]  netlink_rcv_skb+0x68/0x140  [ 1417.076330]  genl_rcv+0x40/0x60  [ 1417.076343]  netlink_unicast+0x330/0x3b8  [ 1417.076357]  netlink_sendmsg+0x19c/0x3f8  [ 1417.076370]  __sock_sendmsg+0x64/0xc0  [ 1417.076391]  ____sys_sendmsg+0x268/0x2a0  [ 1417.076408]  ___sys_sendmsg+0xb8/0x118  [ 1417.076427]  __sys_sendmsg+0x90/0xf8  [ 1417.076445]  __arm64_sys_sendmsg+0x2c/0x40  [ 1417.076465]  invoke_syscall+0x50/0x120  [ 1417.076486]  el0_svc_common.constprop.0+0x48/0xf0  [ 1417.076506]  do_el0_svc+0x24/0x38  [ 1417.076525]  el0_svc+0x30/0x100  [ 1417.076548]  el0t_64_sync_handler+0x100/0x130  [ 1417.076569]  el0t_64_sync+0x190/0x198  [ 
1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)  Fix this, by always using the vif corresponding to the wdev on which the Action frame Transmission request was initiated by the userspace. This way, even if P2P vif is not available, the IOVAR is sent to firmware on AP vif and the ANQP Query RESP Action frame is transmitted without crashing the driver.  Move init_completion() for \"send_af_done\" from brcmf_p2p_create_p2pdev() to brcmf_p2p_attach(). Because the former function would not get executed when only hostapd is managing wlan interface, and it is not safe to do reinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior init_completion().  And in the brcmf_p2p_tx_action_frame() function, the condition check for P2P Presence response frame is not needed, since the wpa_supplicant is properly sending the P2P Presence Response frame on the P2P-GO vif instead of the P2P-Device vif.  [Cc stable]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40322",
                                "url": "https://ubuntu.com/security/CVE-2025-40322",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: bitblit: bound-check glyph index in bit_putcs*  bit_putcs_aligned()/unaligned() derived the glyph pointer from the character value masked by 0xff/0x1ff, which may exceed the actual font's glyph count and read past the end of the built-in font array. Clamp the index to the actual glyph count before computing the address.  This fixes a global out-of-bounds read reported by syzbot.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40211",
                                "url": "https://ubuntu.com/security/CVE-2025-40211",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ACPI: video: Fix use-after-free in acpi_video_switch_brightness()  The switch_brightness_work delayed work accesses device->brightness and device->backlight, freed by acpi_video_dev_unregister_backlight() during device removal.  If the work executes after acpi_video_bus_unregister_backlight() frees these resources, it causes a use-after-free when acpi_video_switch_brightness() dereferences device->brightness or device->backlight.  Fix this by calling cancel_delayed_work_sync() for each device's switch_brightness_work in acpi_video_bus_remove_notify_handler() after removing the notify handler that queues the work. This ensures the work completes before the memory is freed.  [ rjw: Changelog edit ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-21 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40323",
                                "url": "https://ubuntu.com/security/CVE-2025-40323",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Set fb_display[i]->mode to NULL when the mode is released  Recently, we discovered the following issue through syzkaller:  BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0 Read of size 4 at addr ff11000001b3c69c by task syz.xxx ... Call Trace:  <TASK>  dump_stack_lvl+0xab/0xe0  print_address_description.constprop.0+0x2c/0x390  print_report+0xb9/0x280  kasan_report+0xb8/0xf0  fb_mode_is_equal+0x285/0x2f0  fbcon_mode_deleted+0x129/0x180  fb_set_var+0xe7f/0x11d0  do_fb_ioctl+0x6a0/0x750  fb_ioctl+0xe0/0x140  __x64_sys_ioctl+0x193/0x210  do_syscall_64+0x5f/0x9c0  entry_SYSCALL_64_after_hwframe+0x76/0x7e  Based on experimentation and analysis, during framebuffer unregistration, only the memory of fb_info->modelist is freed, without setting the corresponding fb_display[i]->mode to NULL for the freed modes. This leads to UAF issues during subsequent accesses. Here's an example of reproduction steps: 1. With /dev/fb0 already registered in the system, load a kernel module    to register a new device /dev/fb1; 2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP); 3. Switch console from fb to VGA (to allow normal rmmod of the ko); 4. Unload the kernel module, at this point fb1's modelist is freed, leaving    a wild pointer in fb_display[]; 5. Trigger the bug via system calls through fb0 attempting to delete a mode    from fb0.  Add a check in do_unregister_framebuffer(): if the mode to be freed exists in fb_display[], set the corresponding mode pointer to NULL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40210",
                                "url": "https://ubuntu.com/security/CVE-2025-40210",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\"  I've found that pynfs COMP6 now leaves the connection or lease in a strange state, which causes CLOSE9 to hang indefinitely. I've dug into it a little, but I haven't been able to root-cause it yet. However, I bisected to commit 48aab1606fa8 (\"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\").  Tianshuo Han also reports a potential vulnerability when decoding an NFSv4 COMPOUND. An attacker can place an arbitrarily large op count in the COMPOUND header, which results in:  [   51.410584] nfsd: vmalloc error: size 1209533382144, exceeds total pages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO), nodemask=(null),cpuset=/,mems_allowed=0  when NFSD attempts to allocate the COMPOUND op array.  Let's restore the operation-per-COMPOUND limit, but increased to 200 for now.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-21 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40324",
                                "url": "https://ubuntu.com/security/CVE-2025-40324",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Fix crash in nfsd4_read_release()  When tracing is enabled, the trace_nfsd_read_done trace point crashes during the pynfs read.testNoFh test.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40326",
                                "url": "https://ubuntu.com/security/CVE-2025-40326",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define actions for the new time_deleg FATTR4 attributes  NFSv4 clients won't send legitimate GETATTR requests for these new attributes because they are intended to be used only with CB_GETATTR and SETATTR. But NFSD has to do something besides crashing if it ever sees a GETATTR request that queries these attributes.  RFC 8881 Section 18.7.3 states:  > The server MUST return a value for each attribute that the client > requests if the attribute is supported by the server for the > target file system. If the server does not support a particular > attribute on the target file system, then it MUST NOT return the > attribute value and MUST NOT set the attribute bit in the result > bitmap. The server MUST return an error if it supports an > attribute on the target but cannot obtain its value. In that case, > no attribute values will be returned.  Further, RFC 9754 Section 5 states:  > These new attributes are invalid to be used with GETATTR, VERIFY, > and NVERIFY, and they can only be used with CB_GETATTR and SETATTR > by a client holding an appropriate delegation.  Thus there does not appear to be a specific server response mandated by specification. Taking the guidance that querying these attributes via GETATTR is \"invalid\", NFSD will return nfserr_inval, failing the request entirely.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40084",
                                "url": "https://ubuntu.com/security/CVE-2025-40084",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: transport_ipc: validate payload size before reading handle  handle_response() dereferences the payload as a 4-byte handle without verifying that the declared payload size is at least 4 bytes. A malformed or truncated message from ksmbd.mountd can lead to a 4-byte read past the declared payload size. Validate the size before dereferencing.  This is a minimal fix to guard the initial handle read.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40222",
                                "url": "https://ubuntu.com/security/CVE-2025-40222",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: serial: sh-sci: fix RSCI FIFO overrun handling  The receive error handling code is shared between RSCI and all other SCIF port types, but the RSCI overrun_reg is specified as a memory offset, while for other SCIF types it is an enum value used to index into the sci_port_params->regs array, as mentioned above the sci_serial_in() function.  For RSCI, the overrun_reg is CSR (0x48), causing the sci_getreg() call inside the sci_handle_fifo_overrun() function to index outside the bounds of the regs array, which currently has a size of 20, as specified by SCI_NR_REGS.  Because of this, we end up accessing memory outside of RSCI's rsci_port_params structure, which, when interpreted as a plat_sci_reg, happens to have a non-zero size, causing the following WARN when sci_serial_in() is called, as the accidental size does not match the supported register sizes.  The existence of the overrun_reg needs to be checked because SCIx_SH3_SCIF_REGTYPE has overrun_reg set to SCLSR, but SCLSR is not present in the regs array.  Avoid calling sci_getreg() for port types which don't use standard register handling.  Use the ops->read_reg() and ops->write_reg() functions to properly read and write registers for RSCI, and change the type of the status variable to accommodate the 32-bit CSR register.  sci_getreg() and sci_serial_in() are also called with overrun_reg in the sci_mpxed_interrupt() interrupt handler, but that code path is not used for RSCI, as it does not have a muxed interrupt.  
------------[ cut here ]------------ Invalid register access WARNING: CPU: 0 PID: 0 at drivers/tty/serial/sh-sci.c:522 sci_serial_in+0x38/0xac Modules linked in: renesas_usbhs at24 rzt2h_adc industrialio_adc sha256 cfg80211 bluetooth ecdh_generic ecc rfkill fuse drm backlight ipv6 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.17.0-rc1+ #30 PREEMPT Hardware name: Renesas RZ/T2H EVK Board based on r9a09g077m44 (DT) pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : sci_serial_in+0x38/0xac lr : sci_serial_in+0x38/0xac sp : ffff800080003e80 x29: ffff800080003e80 x28: ffff800082195b80 x27: 000000000000000d x26: ffff8000821956d0 x25: 0000000000000000 x24: ffff800082195b80 x23: ffff000180e0d800 x22: 0000000000000010 x21: 0000000000000000 x20: 0000000000000010 x19: ffff000180e72000 x18: 000000000000000a x17: ffff8002bcee7000 x16: ffff800080000000 x15: 0720072007200720 x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720 x11: 0000000000000058 x10: 0000000000000018 x9 : ffff8000821a6a48 x8 : 0000000000057fa8 x7 : 0000000000000406 x6 : ffff8000821fea48 x5 : ffff00033ef88408 x4 : ffff8002bcee7000 x3 : ffff800082195b80 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff800082195b80 Call trace:  sci_serial_in+0x38/0xac (P)  sci_handle_fifo_overrun.isra.0+0x70/0x134  sci_er_interrupt+0x50/0x39c  __handle_irq_event_percpu+0x48/0x140  handle_irq_event+0x44/0xb0  handle_fasteoi_irq+0xf4/0x1a0  handle_irq_desc+0x34/0x58  generic_handle_domain_irq+0x1c/0x28  gic_handle_irq+0x4c/0x140  call_on_irq_stack+0x30/0x48  do_interrupt_handler+0x80/0x84  el1_interrupt+0x34/0x68  el1h_64_irq_handler+0x18/0x24  el1h_64_irq+0x6c/0x70  default_idle_call+0x28/0x58 (P)  do_idle+0x1f8/0x250  cpu_startup_entry+0x34/0x3c  rest_init+0xd8/0xe0  console_on_rootfs+0x0/0x6c  __primary_switched+0x88/0x90 ---[ end trace 0000000000000000 ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40223",
                                "url": "https://ubuntu.com/security/CVE-2025-40223",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  most: usb: Fix use-after-free in hdm_disconnect  hdm_disconnect() calls most_deregister_interface(), which eventually unregisters the MOST interface device with device_unregister(iface->dev). If that drops the last reference, the device core may call release_mdev() immediately while hdm_disconnect() is still executing.  The old code also freed several mdev-owned allocations in hdm_disconnect() and then performed additional put_device() calls. Depending on refcount order, this could lead to use-after-free or double-free when release_mdev() ran (or when unregister paths also performed puts).  Fix by moving the frees of mdev-owned allocations into release_mdev(), so they happen exactly once when the device is truly released, and by dropping the extra put_device() calls in hdm_disconnect() that are redundant after device_unregister() and most_deregister_interface().  This addresses the KASAN slab-use-after-free reported by syzbot in hdm_disconnect(). See report and stack traces in the bug link below.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40106",
                                "url": "https://ubuntu.com/security/CVE-2025-40106",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  comedi: fix divide-by-zero in comedi_buf_munge()  The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path.  Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging.  This prevents potential kernel panics from malformed user commands.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-31 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40224",
                                "url": "https://ubuntu.com/security/CVE-2025-40224",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hwmon: (cgbc-hwmon) Add missing NULL check after devm_kzalloc()  The driver allocates memory for sensor data using devm_kzalloc(), but did not check if the allocation succeeded. In case of memory allocation failure, dereferencing the NULL pointer would lead to a kernel crash.  Add a NULL pointer check and return -ENOMEM to handle allocation failure properly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40225",
                                "url": "https://ubuntu.com/security/CVE-2025-40225",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/panthor: Fix kernel panic on partial unmap of a GPU VA region  This commit address a kernel panic issue that can happen if Userspace tries to partially unmap a GPU virtual region (aka drm_gpuva). The VM_BIND interface allows partial unmapping of a BO.  Panthor driver pre-allocates memory for the new drm_gpuva structures that would be needed for the map/unmap operation, done using drm_gpuvm layer. It expected that only one new drm_gpuva would be needed on umap but a partial unmap can require 2 new drm_gpuva and that's why it ended up doing a NULL pointer dereference causing a kernel panic.  Following dump was seen when partial unmap was exercised.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078  Mem abort info:    ESR = 0x0000000096000046    EC = 0x25: DABT (current EL), IL = 32 bits    SET = 0, FnV = 0    EA = 0, S1PTW = 0    FSC = 0x06: level 2 translation fault  Data abort info:    ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000    CM = 0, WnR = 1, TnD = 0, TagAccess = 0    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0  user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000  [000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000  Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP  <snip>  pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)  pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]  lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor]  sp : ffff800085d43970  x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000  x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000  x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180  x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010  x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c  x14: 312d3d7361203a70 x13: 
303030323d6e656c x12: ffff80008324bf58  x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c  x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7  x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001  x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078  Call trace:   panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]   op_remap_cb.isra.22+0x50/0x80   __drm_gpuvm_sm_unmap+0x10c/0x1c8   drm_gpuvm_sm_unmap+0x40/0x60   panthor_vm_exec_op+0xb4/0x3d0 [panthor]   panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor]   panthor_ioctl_vm_bind+0x160/0x4a0 [panthor]   drm_ioctl_kernel+0xbc/0x138   drm_ioctl+0x240/0x500   __arm64_sys_ioctl+0xb0/0xf8   invoke_syscall+0x4c/0x110   el0_svc_common.constprop.1+0x98/0xf8   do_el0_svc+0x24/0x38   el0_svc+0x40/0xf8   el0t_64_sync_handler+0xa0/0xc8   el0t_64_sync+0x174/0x178",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40226",
                                "url": "https://ubuntu.com/security/CVE-2025-40226",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  firmware: arm_scmi: Account for failed debug initialization  When the SCMI debug subsystem fails to initialize, the related debug root will be missing, and the underlying descriptor will be NULL.  Handle this fault condition in the SCMI debug helpers that maintain metrics counters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40227",
                                "url": "https://ubuntu.com/security/CVE-2025-40227",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs: dealloc commit test ctx always  The damon_ctx for testing online DAMON parameters commit inputs is deallocated only when the test fails.  This means memory is leaked for every successful online DAMON parameters commit.  Fix the leak by always deallocating it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40228",
                                "url": "https://ubuntu.com/security/CVE-2025-40228",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs: catch commit test ctx alloc failure  Patch series \"mm/damon/sysfs: fix commit test damon_ctx [de]allocation\".  DAMON sysfs interface dynamically allocates and uses a damon_ctx object for testing if given inputs for online DAMON parameters update is valid. The object is being used without an allocation failure check, and leaked when the test succeeds.  Fix the two bugs.   This patch (of 2):  The damon_ctx for testing online DAMON parameters commit inputs is used without its allocation failure check.  This could result in an invalid memory access.  Fix it by directly returning an error when the allocation failed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40229",
                                "url": "https://ubuntu.com/security/CVE-2025-40229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/core: fix potential memory leak by cleaning ops_filter in damon_destroy_scheme  Currently, damon_destroy_scheme() only cleans up the filter list but leaves ops_filter untouched, which could lead to memory leaks when a scheme is destroyed.  This patch ensures both filter and ops_filter are properly freed in damon_destroy_scheme(), preventing potential memory leaks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40230",
                                "url": "https://ubuntu.com/security/CVE-2025-40230",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm: prevent poison consumption when splitting THP  When performing memory error injection on a THP (Transparent Huge Page) mapped to userspace on an x86 server, the kernel panics with the following trace.  The expected behavior is to terminate the affected process instead of panicking the kernel, as the x86 Machine Check code can recover from an in-userspace #MC.    mce: [Hardware Error]: CPU 0: Machine Check Exception: f Bank 3: bd80000000070134   mce: [Hardware Error]: RIP 10:<ffffffff8372f8bc> {memchr_inv+0x4c/0xf0}   mce: [Hardware Error]: TSC afff7bbff88a ADDR 1d301b000 MISC 80 PPIN 1e741e77539027db   mce: [Hardware Error]: PROCESSOR 0:d06d0 TIME 1758093249 SOCKET 0 APIC 0 microcode 80000320   mce: [Hardware Error]: Run the above through 'mcelog --ascii'   mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel   Kernel panic - not syncing: Fatal local machine check  The root cause of this panic is that handling a memory failure triggered by an in-userspace #MC necessitates splitting the THP.  The splitting process employs a mechanism, implemented in try_to_map_unused_to_zeropage(), which reads the pages in the THP to identify zero-filled pages.  However, reading the pages in the THP results in a second in-kernel #MC, occurring before the initial memory_failure() completes, ultimately leading to a kernel panic.  See the kernel panic call trace on the two #MCs.    
First Machine Check occurs // [1]     memory_failure()         // [2]       try_to_split_thp_page()         split_huge_page()           split_huge_page_to_list_to_order()             __folio_split()  // [3]               remap_page()                 remove_migration_ptes()                   remove_migration_pte()                     try_to_map_unused_to_zeropage()  // [4]                       memchr_inv()                   // [5]                         Second Machine Check occurs  // [6]                           Kernel panic  [1] Triggered by accessing a hardware-poisoned THP in userspace, which is     typically recoverable by terminating the affected process.  [2] Call folio_set_has_hwpoisoned() before try_to_split_thp_page().  [3] Pass the RMP_USE_SHARED_ZEROPAGE remap flag to remap_page().  [4] Try to map the unused THP to zeropage.  [5] Re-access pages in the hw-poisoned THP in the kernel.  [6] Triggered in-kernel, leading to a panic kernel.  In Step[2], memory_failure() sets the poisoned flag on the page in the THP by TestSetPageHWPoison() before calling try_to_split_thp_page().  As suggested by David Hildenbrand, fix this panic by not accessing to the poisoned page in the THP during zeropage identification, while continuing to scan unaffected pages in the THP for possible zeropage mapping.  This prevents a second in-kernel #MC that would cause kernel panic in Step[4].  Thanks to Andrew Zaborowski for his initial work on fixing this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40231",
                                "url": "https://ubuntu.com/security/CVE-2025-40231",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix lock inversion in vsock_assign_transport()  Syzbot reported a potential lock inversion deadlock between vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.  The issue was introduced by commit 687aa0c5581b (\"vsock: Fix transport_* TOCTOU\") which added vsock_register_mutex locking in vsock_assign_transport() around the transport->release() call, that can call vsock_linger(). vsock_assign_transport() can be called with sk_lock held. vsock_linger() calls sk_wait_event() that temporarily releases and re-acquires sk_lock. During this window, if another thread hold vsock_register_mutex while trying to acquire sk_lock, a circular dependency is created.  Fix this by releasing vsock_register_mutex before calling transport->release() and vsock_deassign_transport(). This is safe because we don't need to hold vsock_register_mutex while releasing the old transport, and we ensure the new transport won't disappear by obtaining a module reference first via try_module_get().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40233",
                                "url": "https://ubuntu.com/security/CVE-2025-40233",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ocfs2: clear extent cache after moving/defragmenting extents  The extent map cache can become stale when extents are moved or defragmented, causing subsequent operations to see outdated extent flags. This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().  The problem occurs when: 1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED 2. ioctl(FITRIM) triggers ocfs2_move_extents() 3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2) 4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent()    which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0) 5. The extent map cache is not invalidated after the move 6. Later write() operations read stale cached flags (0x2) but disk has    updated flags (0x0), causing a mismatch 7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers  Fix by clearing the extent map cache after each extent move/defrag operation in __ocfs2_move_extents_range().  This ensures subsequent operations read fresh extent data from disk.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40235",
                                "url": "https://ubuntu.com/security/CVE-2025-40235",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots()  If fs_info->super_copy or fs_info->super_for_commit allocated failed in btrfs_get_tree_subvol(), then no need to call btrfs_free_fs_info(). Otherwise btrfs_check_leaked_roots() would access NULL pointer because fs_info->allocated_roots had not been initialised.  syzkaller reported the following information:   ------------[ cut here ]------------   BUG: unable to handle page fault for address: fffffffffffffbb0   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   PGD 64c9067 P4D 64c9067 PUD 64cb067 PMD 0   Oops: Oops: 0000 [#1] SMP KASAN PTI   CPU: 0 UID: 0 PID: 1402 Comm: syz.1.35 Not tainted 6.15.8 #4 PREEMPT(lazy)   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...)   RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]   RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]   RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]   RIP: 0010:refcount_read include/linux/refcount.h:170 [inline]   RIP: 0010:btrfs_check_leaked_roots+0x18f/0x2c0 fs/btrfs/disk-io.c:1230   [...]   
Call Trace:    <TASK>    btrfs_free_fs_info+0x310/0x410 fs/btrfs/disk-io.c:1280    btrfs_get_tree_subvol+0x592/0x6b0 fs/btrfs/super.c:2029    btrfs_get_tree+0x63/0x80 fs/btrfs/super.c:2097    vfs_get_tree+0x98/0x320 fs/super.c:1759    do_new_mount+0x357/0x660 fs/namespace.c:3899    path_mount+0x716/0x19c0 fs/namespace.c:4226    do_mount fs/namespace.c:4239 [inline]    __do_sys_mount fs/namespace.c:4450 [inline]    __se_sys_mount fs/namespace.c:4427 [inline]    __x64_sys_mount+0x28c/0x310 fs/namespace.c:4427    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0x92/0x180 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x76/0x7e   RIP: 0033:0x7f032eaffa8d   [...]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40236",
                                "url": "https://ubuntu.com/security/CVE-2025-40236",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: zero unused hash fields  When GSO tunnel is negotiated virtio_net_hdr_tnl_from_skb() tries to initialize the tunnel metadata but forget to zero unused rxhash fields. This may leak information to another side. Fixing this by zeroing the unused hash fields.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40237",
                                "url": "https://ubuntu.com/security/CVE-2025-40237",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/notify: call exportfs_encode_fid with s_umount  Calling intotify_show_fdinfo() on fd watching an overlayfs inode, while the overlayfs is being unmounted, can lead to dereferencing NULL ptr.  This issue was found by syzkaller.  Race Condition Diagram:  Thread 1                           Thread 2 --------                           --------  generic_shutdown_super()  shrink_dcache_for_umount   sb->s_root = NULL                      |                     |             vfs_read()                     |              inotify_fdinfo()                     |               * inode get from mark *                     |               show_mark_fhandle(m, inode)                     |                exportfs_encode_fid(inode, ..)                     |                 ovl_encode_fh(inode, ..)                     |                  ovl_check_encode_origin(inode)                     |                   * deref i_sb->s_root *                     |                     |                     v  fsnotify_sb_delete(sb)  Which then leads to:  [   32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [   32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [   32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none)  <snip registers, unreliable trace>  [   32.143353] Call Trace: [   32.143732]  ovl_encode_fh+0xd5/0x170 [   32.144031]  exportfs_encode_inode_fh+0x12f/0x300 [   32.144425]  show_mark_fhandle+0xbe/0x1f0 [   32.145805]  inotify_fdinfo+0x226/0x2d0 [   32.146442]  inotify_show_fdinfo+0x1c5/0x350 [   32.147168]  seq_show+0x530/0x6f0 [   32.147449]  seq_read_iter+0x503/0x12a0 [   32.148419]  seq_read+0x31f/0x410 [   32.150714]  vfs_read+0x1f0/0x9e0 [   32.152297]  ksys_read+0x125/0x240  IOW 
ovl_check_encode_origin derefs inode->i_sb->s_root, after it was set to NULL in the unmount path.  Fix it by protecting calling exportfs_encode_fid() from show_mark_fhandle() with s_umount lock.  This form of fix was suggested by Amir in [1].  [1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40238",
                                "url": "https://ubuntu.com/security/CVE-2025-40238",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5: Fix IPsec cleanup over MPV device  When we do mlx5e_detach_netdev() we eventually disable blocking events notifier, among those events are IPsec MPV events from IB to core.  So before disabling those blocking events, make sure to also unregister the devcom device and mark all this device operations as complete, in order to prevent the other device from using invalid netdev during future devcom events which could cause the trace below.  BUG: kernel NULL pointer dereference, address: 0000000000000010 PGD 146427067 P4D 146427067 PUD 146488067 PMD 0 Oops: Oops: 0000 [#1] SMP CPU: 1 UID: 0 PID: 7735 Comm: devlink Tainted: GW 6.12.0-rc6_for_upstream_min_debug_2024_11_08_00_46 #1 Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core] Code: 00 01 48 83 05 23 32 1e 00 01 41 b8 ed ff ff ff e9 60 ff ff ff 48 83 05 00 32 1e 00 01 eb e3 66 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 47 10 48 83 05 5f 32 1e 00 01 48 8b 50 40 48 85 d2 74 05 40 RSP: 0018:ffff88811a5c35f8 EFLAGS: 00010206 RAX: ffff888106e8ab80 RBX: ffff888107d7e200 RCX: ffff88810d6f0a00 RDX: ffff88810d6f0a00 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff88811a17e620 R08: 0000000000000040 R09: 0000000000000000 R10: ffff88811a5c3618 R11: 0000000de85d51bd R12: ffff88811a17e600 R13: ffff88810d6f0a00 R14: 0000000000000000 R15: ffff8881034bda80 FS:  00007f27bdf89180(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000010f159005 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  <TASK>  ? __die+0x20/0x60  ? page_fault_oops+0x150/0x3e0  ? 
exc_page_fault+0x74/0x130  ? asm_exc_page_fault+0x22/0x30  ? mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core]  mlx5e_devcom_event_mpv+0x42/0x60 [mlx5_core]  mlx5_devcom_send_event+0x8c/0x170 [mlx5_core]  blocking_event+0x17b/0x230 [mlx5_core]  notifier_call_chain+0x35/0xa0  blocking_notifier_call_chain+0x3d/0x60  mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]  mlx5_core_mp_event_replay+0x12/0x20 [mlx5_core]  mlx5_ib_bind_slave_port+0x228/0x2c0 [mlx5_ib]  mlx5_ib_stage_init_init+0x664/0x9d0 [mlx5_ib]  ? idr_alloc_cyclic+0x50/0xb0  ? __kmalloc_cache_noprof+0x167/0x340  ? __kmalloc_noprof+0x1a7/0x430  __mlx5_ib_add+0x34/0xd0 [mlx5_ib]  mlx5r_probe+0xe9/0x310 [mlx5_ib]  ? kernfs_add_one+0x107/0x150  ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib]  auxiliary_bus_probe+0x3e/0x90  really_probe+0xc5/0x3a0  ? driver_probe_device+0x90/0x90  __driver_probe_device+0x80/0x160  driver_probe_device+0x1e/0x90  __device_attach_driver+0x7d/0x100  bus_for_each_drv+0x80/0xd0  __device_attach+0xbc/0x1f0  bus_probe_device+0x86/0xa0  device_add+0x62d/0x830  __auxiliary_device_add+0x3b/0xa0  ? auxiliary_device_init+0x41/0x90  add_adev+0xd1/0x150 [mlx5_core]  mlx5_rescan_drivers_locked+0x21c/0x300 [mlx5_core]  esw_mode_change+0x6c/0xc0 [mlx5_core]  mlx5_devlink_eswitch_mode_set+0x21e/0x640 [mlx5_core]  devlink_nl_eswitch_set_doit+0x60/0xe0  genl_family_rcv_msg_doit+0xd0/0x120  genl_rcv_msg+0x180/0x2b0  ? devlink_get_from_attrs_lock+0x170/0x170  ? devlink_nl_eswitch_get_doit+0x290/0x290  ? devlink_nl_pre_doit_port_optional+0x50/0x50  ? genl_family_rcv_msg_dumpit+0xf0/0xf0  netlink_rcv_skb+0x54/0x100  genl_rcv+0x24/0x40  netlink_unicast+0x1fc/0x2d0  netlink_sendmsg+0x1e4/0x410  __sock_sendmsg+0x38/0x60  ? sockfd_lookup_light+0x12/0x60  __sys_sendto+0x105/0x160  ? 
__sys_recvmsg+0x4e/0x90  __x64_sys_sendto+0x20/0x30  do_syscall_64+0x4c/0x100  entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f27bc91b13a Code: bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 fa 96 2c 00 45 89 c9 4c 63 d1 48 63 ff 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40239",
                                "url": "https://ubuntu.com/security/CVE-2025-40239",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: phy: micrel: always set shared->phydev for LAN8814  Currently, during the LAN8814 PTP probe shared->phydev is only set if PTP clock gets actually set, otherwise the function will return before setting it.  This is an issue as shared->phydev is unconditionally being used when IRQ is being handled, especially in lan8814_gpio_process_cap and since it was not set it will cause a NULL pointer exception and crash the kernel.  So, simply always set shared->phydev to avoid the NULL pointer exception.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40240",
                                "url": "https://ubuntu.com/security/CVE-2025-40240",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: avoid NULL dereference when chunk data buffer is missing  chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only.  chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40241",
                                "url": "https://ubuntu.com/security/CVE-2025-40241",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: fix crafted invalid cases for encoded extents  Robert recently reported two corrupted images that can cause system crashes, which are related to the new encoded extents introduced in Linux 6.15:    - The first one [1] has plen != 0 (e.g. plen == 0x2000000) but     (plen & Z_EROFS_EXTENT_PLEN_MASK) == 0. It is used to represent     special extents such as sparse extents (!EROFS_MAP_MAPPED), but     previously only plen == 0 was handled;    - The second one [2] has pa 0xffffffffffdcffed and plen 0xb4000,     then \"cur [0xfffffffffffff000] += bvec.bv_len [0x1000]\" in     \"} while ((cur += bvec.bv_len) < end);\" wraps around, causing an     out-of-bound access of pcl->compressed_bvecs[] in     z_erofs_submit_queue().  EROFS only supports 48-bit physical block     addresses (up to 1EiB for 4k blocks), so add a sanity check to     enforce this.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40242",
                                "url": "https://ubuntu.com/security/CVE-2025-40242",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gfs2: Fix unlikely race in gdlm_put_lock  In gdlm_put_lock(), there is a small window of time in which the DFL_UNMOUNT flag has been set but the lockspace hasn't been released, yet.  In that window, dlm may still call gdlm_ast() and gdlm_bast(). To prevent it from dereferencing freed glock objects, only free the glock if the lockspace has actually been released.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40243",
                                "url": "https://ubuntu.com/security/CVE-2025-40243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()  The syzbot reported issue in hfs_find_set_zero_bits():  ===================================================== BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45  hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45  hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151  hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408  hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353  __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151  block_write_begin fs/buffer.c:2262 [inline]  cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601  hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52  cont_expand_zero fs/buffer.c:2528 [inline]  cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591  hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52  hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494  hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654  notify_change+0x1993/0x1aa0 fs/attr.c:552  do_truncate+0x28f/0x310 fs/open.c:68  do_ftruncate+0x698/0x730 fs/open.c:195  do_sys_ftruncate fs/open.c:210 [inline]  __do_sys_ftruncate fs/open.c:215 [inline]  __se_sys_ftruncate fs/open.c:213 [inline]  __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213  x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Uninit was created at:  slab_post_alloc_hook mm/slub.c:4154 [inline]  slab_alloc_node mm/slub.c:4197 [inline]  __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354  kmalloc_noprof include/linux/slab.h:905 [inline]  hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175  hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337  get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681  get_tree_bdev+0x38/0x50 fs/super.c:1704  hfs_get_tree+0x35/0x40 fs/hfs/super.c:388  
vfs_get_tree+0xb0/0x5c0 fs/super.c:1804  do_new_mount+0x738/0x1610 fs/namespace.c:3902  path_mount+0x6db/0x1e90 fs/namespace.c:4226  do_mount fs/namespace.c:4239 [inline]  __do_sys_mount fs/namespace.c:4450 [inline]  __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427  __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427  x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 =====================================================  The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get():  HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);  Finally, it can trigger the reported issue because kmalloc() doesn't clear the allocated memory. If allocated memory contains only zeros, then everything will work pretty fine. But if the allocated memory contains the \"garbage\", then it can affect the bitmap operations and it triggers the reported issue.  This patch simply replaces kmalloc() with kzalloc() with the goal to guarantee the correctness of bitmap operations. Because, newly created allocation bitmap should have all available blocks free. Potentially, initialization bitmap's read operation could not fill the whole allocated memory and \"garbage\" in the not initialized memory will be the reason of volume corruptions and file system driver bugs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40244",
                                "url": "https://ubuntu.com/security/CVE-2025-40244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()  The syzbot reported issue in __hfsplus_ext_cache_extent():  [   70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.195022][ T9350]  __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.195530][ T9350]  hfsplus_file_extend+0x74f/0x1cf0 [   70.195998][ T9350]  hfsplus_get_block+0xe16/0x17b0 [   70.196458][ T9350]  __block_write_begin_int+0x962/0x2ce0 [   70.196959][ T9350]  cont_write_begin+0x1000/0x1950 [   70.197416][ T9350]  hfsplus_write_begin+0x85/0x130 [   70.197873][ T9350]  generic_perform_write+0x3e8/0x1060 [   70.198374][ T9350]  __generic_file_write_iter+0x215/0x460 [   70.198892][ T9350]  generic_file_write_iter+0x109/0x5e0 [   70.199393][ T9350]  vfs_write+0xb0f/0x14e0 [   70.199771][ T9350]  ksys_write+0x23e/0x490 [   70.200149][ T9350]  __x64_sys_write+0x97/0xf0 [   70.200570][ T9350]  x64_sys_call+0x3015/0x3cf0 [   70.201065][ T9350]  do_syscall_64+0xd9/0x1d0 [   70.201506][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [   70.202054][ T9350] [   70.202279][ T9350] Uninit was created at: [   70.202693][ T9350]  __kmalloc_noprof+0x621/0xf80 [   70.203149][ T9350]  hfsplus_find_init+0x8d/0x1d0 [   70.203602][ T9350]  hfsplus_file_extend+0x6ca/0x1cf0 [   70.204087][ T9350]  hfsplus_get_block+0xe16/0x17b0 [   70.204561][ T9350]  __block_write_begin_int+0x962/0x2ce0 [   70.205074][ T9350]  cont_write_begin+0x1000/0x1950 [   70.205547][ T9350]  hfsplus_write_begin+0x85/0x130 [   70.206017][ T9350]  generic_perform_write+0x3e8/0x1060 [   70.206519][ T9350]  __generic_file_write_iter+0x215/0x460 [   70.207042][ T9350]  generic_file_write_iter+0x109/0x5e0 [   70.207552][ T9350]  vfs_write+0xb0f/0x14e0 [   70.207961][ T9350]  ksys_write+0x23e/0x490 [   70.208375][ T9350]  __x64_sys_write+0x97/0xf0 [   70.208810][ T9350]  
x64_sys_call+0x3015/0x3cf0 [   70.209255][ T9350]  do_syscall_64+0xd9/0x1d0 [   70.209680][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [   70.210230][ T9350] [   70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5 [   70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [   70.212115][ T9350] ===================================================== [   70.212734][ T9350] Disabling lock debugging due to kernel taint [   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ... [   70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G    B             6.12.0-rc5 #5 [   70.214679][ T9350] Tainted: [B]=BAD_PAGE [   70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [   70.215999][ T9350] Call Trace: [   70.216309][ T9350]  <TASK> [   70.216585][ T9350]  dump_stack_lvl+0x1fd/0x2b0 [   70.217025][ T9350]  dump_stack+0x1e/0x30 [   70.217421][ T9350]  panic+0x502/0xca0 [   70.217803][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0  [   70.218294][ Message fromT sy9350]  kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...  kernel :[   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [  70.220179][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0 set ... [   70.221254][ T9350]  ? __msan_warning+0x96/0x120 [   70.222066][ T9350]  ? __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.223023][ T9350]  ? hfsplus_file_extend+0x74f/0x1cf0 [   70.224120][ T9350]  ? hfsplus_get_block+0xe16/0x17b0 [   70.224946][ T9350]  ? __block_write_begin_int+0x962/0x2ce0 [   70.225756][ T9350]  ? cont_write_begin+0x1000/0x1950 [   70.226337][ T9350]  ? hfsplus_write_begin+0x85/0x130 [   70.226852][ T9350]  ? generic_perform_write+0x3e8/0x1060 [   70.227405][ T9350]  ? __generic_file_write_iter+0x215/0x460 [   70.227979][ T9350]  ? generic_file_write_iter+0x109/0x5e0 [   70.228540][ T9350]  ? 
vfs_write+0xb0f/0x14e0 [   70.228997][ T9350]  ? ksys_write+0x23e/0x490 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40245",
                                "url": "https://ubuntu.com/security/CVE-2025-40245",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nios2: ensure that memblock.current_limit is set when setting pfn limits  On nios2, with CONFIG_FLATMEM set, the kernel relies on memblock_get_current_limit() to determine the limits of mem_map, in particular for max_low_pfn. Unfortunately, memblock.current_limit is only default initialized to MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading to situations where max_low_pfn can erroneously exceed the value of max_pfn and, thus, the valid range of available DRAM.  This can in turn cause kernel-level paging failures, e.g.:  [   76.900000] Unable to handle kernel paging request at virtual address 20303000 [   76.900000] ea = c0080890, ra = c000462c, cause = 14 [   76.900000] Kernel panic - not syncing: Oops [   76.900000] ---[ end Kernel panic - not syncing: Oops ]---  This patch fixes this by pre-calculating memblock.current_limit based on the upper limits of the available memory ranges via adjust_lowmem_bounds, a simplified version of the equivalent implementation within the arm architecture.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40086",
                                "url": "https://ubuntu.com/security/CVE-2025-40086",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Don't allow evicting of BOs in same VM in array of VM binds  An array of VM binds can potentially evict other buffer objects (BOs) within the same VM under certain conditions, which may lead to NULL pointer dereferences later in the bind pipeline. To prevent this, clear the allow_res_evict flag in the xe_bo_validate call.  v2:  - Invert polarity of no_res_evict (Thomas)  - Add comment in code explaining issue (Thomas)  (cherry picked from commit 8b9ba8d6d95fe75fed6b0480bb03da4b321bea08)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40087",
                                "url": "https://ubuntu.com/security/CVE-2025-40087",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define a proc_layoutcommit for the FlexFiles layout type  Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40088",
                                "url": "https://ubuntu.com/security/CVE-2025-40088",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()  The hfsplus_strcasecmp() logic can trigger the issue:  [  117.317703][ T9855] ================================================================== [  117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490 [  117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855 [  117.319577][ T9855] [  117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full) [  117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [  117.319783][ T9855] Call Trace: [  117.319785][ T9855]  <TASK> [  117.319788][ T9855]  dump_stack_lvl+0x1c1/0x2a0 [  117.319795][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319803][ T9855]  ? __pfx_dump_stack_lvl+0x10/0x10 [  117.319808][ T9855]  ? rcu_is_watching+0x15/0xb0 [  117.319816][ T9855]  ? lock_release+0x4b/0x3e0 [  117.319821][ T9855]  ? __kasan_check_byte+0x12/0x40 [  117.319828][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319835][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319842][ T9855]  print_report+0x17e/0x7e0 [  117.319848][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319855][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319862][ T9855]  ? __phys_addr+0xd3/0x180 [  117.319869][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319876][ T9855]  kasan_report+0x147/0x180 [  117.319882][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319891][ T9855]  hfsplus_strcasecmp+0x1bc/0x490 [  117.319900][ T9855]  ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10 [  117.319906][ T9855]  hfs_find_rec_by_key+0xa9/0x1e0 [  117.319913][ T9855]  __hfsplus_brec_find+0x18e/0x470 [  117.319920][ T9855]  ? __pfx_hfsplus_bnode_find+0x10/0x10 [  117.319926][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319933][ T9855]  ? 
__pfx___hfsplus_brec_find+0x10/0x10 [  117.319942][ T9855]  hfsplus_brec_find+0x28f/0x510 [  117.319949][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319956][ T9855]  ? __pfx_hfsplus_brec_find+0x10/0x10 [  117.319963][ T9855]  ? __kmalloc_noprof+0x2a9/0x510 [  117.319969][ T9855]  ? hfsplus_find_init+0x8c/0x1d0 [  117.319976][ T9855]  hfsplus_brec_read+0x2b/0x120 [  117.319983][ T9855]  hfsplus_lookup+0x2aa/0x890 [  117.319990][ T9855]  ? __pfx_hfsplus_lookup+0x10/0x10 [  117.320003][ T9855]  ? d_alloc_parallel+0x2f0/0x15e0 [  117.320008][ T9855]  ? __lock_acquire+0xaec/0xd80 [  117.320013][ T9855]  ? __pfx_d_alloc_parallel+0x10/0x10 [  117.320019][ T9855]  ? __raw_spin_lock_init+0x45/0x100 [  117.320026][ T9855]  ? __init_waitqueue_head+0xa9/0x150 [  117.320034][ T9855]  __lookup_slow+0x297/0x3d0 [  117.320039][ T9855]  ? __pfx___lookup_slow+0x10/0x10 [  117.320045][ T9855]  ? down_read+0x1ad/0x2e0 [  117.320055][ T9855]  lookup_slow+0x53/0x70 [  117.320065][ T9855]  walk_component+0x2f0/0x430 [  117.320073][ T9855]  path_lookupat+0x169/0x440 [  117.320081][ T9855]  filename_lookup+0x212/0x590 [  117.320089][ T9855]  ? __pfx_filename_lookup+0x10/0x10 [  117.320098][ T9855]  ? strncpy_from_user+0x150/0x290 [  117.320105][ T9855]  ? getname_flags+0x1e5/0x540 [  117.320112][ T9855]  user_path_at+0x3a/0x60 [  117.320117][ T9855]  __x64_sys_umount+0xee/0x160 [  117.320123][ T9855]  ? __pfx___x64_sys_umount+0x10/0x10 [  117.320129][ T9855]  ? do_syscall_64+0xb7/0x3a0 [  117.320135][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320141][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320145][ T9855]  do_syscall_64+0xf3/0x3a0 [  117.320150][ T9855]  ? 
exc_page_fault+0x9f/0xf0 [  117.320154][ T9855]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320158][ T9855] RIP: 0033:0x7f7dd7908b07 [  117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08 [  117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40162",
                                "url": "https://ubuntu.com/security/CVE-2025-40162",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails  devm_kasprintf() may return NULL on memory allocation failure, but the debug message prints cpus->dai_name before checking it. Move the dev_dbg() call after the NULL check to prevent potential NULL pointer dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40085",
                                "url": "https://ubuntu.com/security/CVE-2025-40085",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card  In try_to_register_card(), the return value of usb_ifnum_to_if() is passed directly to usb_interface_claimed() without a NULL check, which will lead to a NULL pointer dereference when creating an invalid USB audio device. Fix this by adding a check to ensure the interface pointer is valid before passing it to usb_interface_claimed().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40172",
                                "url": "https://ubuntu.com/security/CVE-2025-40172",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()  Currently, if find_and_map_user_pages() takes a DMA xfer request from the user with a length field set to 0, or in a rare case, the host receives QAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size is equal to the requested transaction size, the function will return 0 before allocating an sgt or setting the fields of the dma_xfer struct. In that case, encode_addr_size_pairs() will try to access the sgt which will lead to a general protection fault.  Return an EINVAL in case the user provides a zero-sized ALP, or the device requests continuation after all of the bytes have been transferred.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40177",
                                "url": "https://ubuntu.com/security/CVE-2025-40177",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/qaic: Fix bootlog initialization ordering  As soon as we queue MHI buffers to receive the bootlog from the device, we could be receiving data. Therefore all the resources needed to process that data need to be setup prior to queuing the buffers.  We currently initialize some of the resources after queuing the buffers which creates a race between the probe() and any data that comes back from the device. If the uninitialized resources are accessed, we could see page faults.  Fix the init ordering to close the race.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40163",
                                "url": "https://ubuntu.com/security/CVE-2025-40163",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched/deadline: Stop dl_server before CPU goes offline  IBM CI tool reported kernel warning[1] when running a CPU removal operation through drmgr[2]. i.e \"drmgr -c cpu -r -q 1\"  WARNING: CPU: 0 PID: 0 at kernel/sched/cpudeadline.c:219 cpudl_set+0x58/0x170 NIP [c0000000002b6ed8] cpudl_set+0x58/0x170 LR [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 Call Trace: [c000000002c2f8c0] init_stack+0x78c0/0x8000 (unreliable) [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 [c00000000034df84] __hrtimer_run_queues+0x1a4/0x390 [c00000000034f624] hrtimer_interrupt+0x124/0x300 [c00000000002a230] timer_interrupt+0x140/0x320  Git bisects to: commit 4ae8d9aa9f9d (\"sched/deadline: Fix dl_server getting stuck\")  This happens since: - dl_server hrtimer gets enqueued close to cpu offline, when   kthread_park enqueues a fair task. - CPU goes offline and drmgr removes it from cpu_present_mask. - hrtimer fires and warning is hit.  Fix it by stopping the dl_server before CPU is marked dead.  [1]: https://lore.kernel.org/all/8218e149-7718-4432-9312-f97297c352b9@linux.ibm.com/ [2]: https://github.com/ibm-power-utilities/powerpc-utils/tree/next/src/drmgr  [sshegde: wrote the changelog and tested it]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40174",
                                "url": "https://ubuntu.com/security/CVE-2025-40174",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/mm: Fix SMP ordering in switch_mm_irqs_off()  Stephen noted that it is possible to not have an smp_mb() between the loaded_mm store and the tlb_gen load in switch_mm(), meaning the ordering against flush_tlb_mm_range() goes out the window, and it becomes possible for switch_mm() to not observe a recent tlb_gen update and fail to flush the TLBs.  [ dhansen: merge conflict fixed by Ingo ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40089",
                                "url": "https://ubuntu.com/security/CVE-2025-40089",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cxl/features: Add check for no entries in cxl_feature_info  cxl EDAC calls cxl_feature_info() to get the feature information and if the hardware has no Features support, cxlfs may be passed in as NULL.  [   51.957498] BUG: kernel NULL pointer dereference, address: 0000000000000008 [   51.965571] #PF: supervisor read access in kernel mode [   51.971559] #PF: error_code(0x0000) - not-present page [   51.977542] PGD 17e4f6067 P4D 0 [   51.981384] Oops: Oops: 0000 [#1] SMP NOPTI [   51.986300] CPU: 49 UID: 0 PID: 3782 Comm: systemd-udevd Not tainted 6.17.0dj test+ #64 PREEMPT(voluntary) [   51.997355] Hardware name: <removed> [   52.009790] RIP: 0010:cxl_feature_info+0xa/0x80 [cxl_core]  Add a check for cxlfs before dereferencing it and return -EOPNOTSUPP if there is no cxlfs created due to no hardware support.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40176",
                                "url": "https://ubuntu.com/security/CVE-2025-40176",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tls: wait for pending async decryptions if tls_strp_msg_hold fails  Async decryption calls tls_strp_msg_hold to create a clone of the input skb to hold references to the memory it uses. If we fail to allocate that clone, proceeding with async decryption can lead to various issues (UAF on the skb, writing into userspace memory after the recv() call has returned).  In this case, wait for all pending decryption requests.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40164",
                                "url": "https://ubuntu.com/security/CVE-2025-40164",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: Fix using smp_processor_id() in preemptible code warnings  Syzbot reported the following warning:  BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879 caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary) Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120  check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49  usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331  usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708  usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417  __dev_set_mtu net/core/dev.c:9443 [inline]  netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496  netif_set_mtu+0xb0/0x160 net/core/dev.c:9520  dev_set_mtu+0xae/0x170 net/core/dev_api.c:247  dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572  dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821  sock_do_ioctl+0x19d/0x280 net/socket.c:1204  sock_ioctl+0x42f/0x6a0 net/socket.c:1311  vfs_ioctl fs/ioctl.c:51 [inline]  __do_sys_ioctl fs/ioctl.c:906 [inline]  __se_sys_ioctl fs/ioctl.c:892 [inline]  __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  For historical and portability reasons, the netif_rx() is usually run in the softirq or interrupt context, this commit therefore add local_bh_disable/enable() protection in the usbnet_resume_rx().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40091",
                                "url": "https://ubuntu.com/security/CVE-2025-40091",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ixgbe: fix too early devlink_free() in ixgbe_remove()  Since ixgbe_adapter is embedded in devlink, calling devlink_free() prematurely in the ixgbe_remove() path can lead to UAF. Move devlink_free() to the end.  KASAN report:   BUG: KASAN: use-after-free in ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]  Read of size 8 at addr ffff0000adf813e0 by task bash/2095  CPU: 1 UID: 0 PID: 2095 Comm: bash Tainted: G S 6.17.0-rc2-tnguy.net-queue+ #1 PREEMPT(full)  [...]  Call trace:   show_stack+0x30/0x90 (C)   dump_stack_lvl+0x9c/0xd0   print_address_description.constprop.0+0x90/0x310   print_report+0x104/0x1f0   kasan_report+0x88/0x180   __asan_report_load8_noabort+0x20/0x30   ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]   ixgbe_clear_interrupt_scheme+0xf8/0x130 [ixgbe]   ixgbe_remove+0x2d0/0x8c0 [ixgbe]   pci_device_remove+0xa0/0x220   device_remove+0xb8/0x170   device_release_driver_internal+0x318/0x490   device_driver_detach+0x40/0x68   unbind_store+0xec/0x118   drv_attr_store+0x64/0xb8   sysfs_kf_write+0xcc/0x138   kernfs_fop_write_iter+0x294/0x440   new_sync_write+0x1fc/0x588   vfs_write+0x480/0x6a0   ksys_write+0xf0/0x1e0   __arm64_sys_write+0x70/0xc0   invoke_syscall.constprop.0+0xcc/0x280   el0_svc_common.constprop.0+0xa8/0x248   do_el0_svc+0x44/0x68   el0_svc+0x54/0x160   el0t_64_sync_handler+0xa0/0xe8   el0t_64_sync+0x1b0/0x1b8",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40175",
                                "url": "https://ubuntu.com/security/CVE-2025-40175",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  idpf: cleanup remaining SKBs in PTP flows  When the driver requests Tx timestamp value, one of the first steps is to clone SKB using skb_get. It increases the reference counter for that SKB to prevent unexpected freeing by another component. However, there may be a case where the index is requested, SKB is assigned and never consumed by PTP flows - for example due to reset during running PTP apps.  Add a check in release timestamping function to verify if the SKB assigned to Tx timestamp latch was freed, and release remaining SKBs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40173",
                                "url": "https://ubuntu.com/security/CVE-2025-40173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ip6_tunnel: Prevent perpetual tunnel growth  Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd (\"net: ip_tunnel: prevent perpetual headroom growth\"), the ipv6 tunnel still increases the headroom without any ceiling.  Reflect ipv4 tunnel headroom adjustment limit on ipv6 version.  Credits to Francesco Ruggeri, who was originally debugging this issue and wrote a local Arista-specific patch and a reproducer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40092",
                                "url": "https://ubuntu.com/security/CVE-2025-40092",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ncm: Refactor bind path to use __free()  After a bind/unbind cycle, the ncm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  ncm_bind+0x39c/0x3dc  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40093",
                                "url": "https://ubuntu.com/security/CVE-2025-40093",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ecm: Refactor bind path to use __free()  After a bind/unbind cycle, the ecm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40094",
                                "url": "https://ubuntu.com/security/CVE-2025-40094",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_acm: Refactor bind path to use __free()  After a bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  gs_free_req+0x30/0x44  acm_bind+0x1b8/0x1f4  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40095",
                                "url": "https://ubuntu.com/security/CVE-2025-40095",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_rndis: Refactor bind path to use __free()  After a bind/unbind cycle, the rndis->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40165",
                                "url": "https://ubuntu.com/security/CVE-2025-40165",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: nxp: imx8-isi: m2m: Fix streaming cleanup on release  If streamon/streamoff calls are imbalanced, such as when exiting an application with Ctrl+C when streaming, the m2m usage_count will never reach zero and the ISI channel won't be freed. Besides from that, if the input line width is more than 2K, it will trigger a WARN_ON():  [ 59.222120] ------------[ cut here ]------------ [ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654 [ 59.238569] Modules linked in: ap1302 [ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT [ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT) [ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120 [ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120 [ 59.275047] sp : ffff8000848c3b40 [ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00 [ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001 [ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780 [ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000 [ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c [ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 [ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30 [ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420 [ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000 [ 59.349590] Call trace: [ 59.352025]  mxc_isi_channel_chain+0xa4/0x120 (P) [ 59.356722]  mxc_isi_m2m_streamon+0x160/0x20c [ 
59.361072]  v4l_streamon+0x24/0x30 [ 59.364556]  __video_do_ioctl+0x40c/0x4a0 [ 59.368560]  video_usercopy+0x2bc/0x690 [ 59.372382]  video_ioctl2+0x18/0x24 [ 59.375857]  v4l2_ioctl+0x40/0x60 [ 59.379168]  __arm64_sys_ioctl+0xac/0x104 [ 59.383172]  invoke_syscall+0x48/0x104 [ 59.386916]  el0_svc_common.constprop.0+0xc0/0xe0 [ 59.391613]  do_el0_svc+0x1c/0x28 [ 59.394915]  el0_svc+0x34/0xf4 [ 59.397966]  el0t_64_sync_handler+0xa0/0xe4 [ 59.402143]  el0t_64_sync+0x198/0x19c [ 59.405801] ---[ end trace 0000000000000000 ]---  Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the v4l2_m2m_ioctl_streamon() and v4l2_m2m_ioctl_streamoff() helpers.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40096",
                                "url": "https://ubuntu.com/security/CVE-2025-40096",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies  When adding dependencies with drm_sched_job_add_dependency(), that function consumes the fence reference both on success and failure, so in the latter case the dma_fence_put() on the error path (xarray failed to expand) is a double free.  Interestingly this bug appears to have been present ever since commit ebd5f74255b9 (\"drm/sched: Add dependency tracking\"), since the code back then looked like this:  drm_sched_job_add_implicit_dependencies(): ...        for (i = 0; i < fence_count; i++) {                ret = drm_sched_job_add_dependency(job, fences[i]);                if (ret)                        break;        }         for (; i < fence_count; i++)                dma_fence_put(fences[i]);  Which means for the failing 'i' the dma_fence_put was already a double free. Possibly there were no users at that time, or the test cases were insufficient to hit it.  The bug was then only noticed and fixed after commit 9c2ba265352a (\"drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2\") landed, with its fixup of commit 4eaf02d6076c (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies\").  At that point it was a slightly different flavour of a double free, which commit 963d0b356935 (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder\") noticed and attempted to fix.  But it only moved the double free from happening inside the drm_sched_job_add_dependency(), when releasing the reference not yet obtained, to the caller, when releasing the reference already released by the former in the failure case.  As such it is not easy to identify the right target for the fixes tag so lets keep it simple and just continue the chain.  
While fixing we also improve the comment and explain the reason for taking the reference and not dropping it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40097",
                                "url": "https://ubuntu.com/security/CVE-2025-40097",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda: Fix missing pointer check in hda_component_manager_init function  The __component_match_add function may assign the 'matchptr' pointer the value ERR_PTR(-ENOMEM), which will subsequently be dereferenced.  The call stack leading to the error looks like this:  hda_component_manager_init |-> component_match_add     |-> component_match_add_release         |-> __component_match_add ( ... ,**matchptr, ... )             |-> *matchptr = ERR_PTR(-ENOMEM);       // assign |-> component_master_add_with_match( ...  match)     |-> component_match_realloc(match, match->num); // dereference  Add IS_ERR() check to prevent the crash.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40098",
                                "url": "https://ubuntu.com/security/CVE-2025-40098",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state()  Return value of a function acpi_evaluate_dsm() is dereferenced  without checking for NULL, but it is usually checked for this function.  acpi_evaluate_dsm() may return NULL, when acpi_evaluate_object() returns acpi_status other than ACPI_SUCCESS, so add a check to prevent the crash.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40099",
                                "url": "https://ubuntu.com/security/CVE-2025-40099",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cifs: parse_dfs_referrals: prevent oob on malformed input  Malicious SMB server can send invalid reply to FSCTL_DFS_GET_REFERRALS  - reply smaller than sizeof(struct get_dfs_referral_rsp) - reply with number of referrals smaller than NumberOfReferrals in the header  Processing of such replies will cause oob.  Return -EINVAL error on such replies to prevent oob-s.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40100",
                                "url": "https://ubuntu.com/security/CVE-2025-40100",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: do not assert we found block group item when creating free space tree  Currently, when building a free space tree at populate_free_space_tree(), if we are not using the block group tree feature, we always expect to find block group items (either extent items or a block group item with key type BTRFS_BLOCK_GROUP_ITEM_KEY) when we search the extent tree with btrfs_search_slot_for_read(), so we assert that we found an item. However this expectation is wrong since we can have a new block group created in the current transaction which is still empty and for which we still have not added the block group's item to the extent tree, in which case we do not have any items in the extent tree associated to the block group.  The insertion of a new block group's block group item in the extent tree happens at btrfs_create_pending_block_groups() when it calls the helper insert_block_group_item(). This typically is done when a transaction handle is released, committed or when running delayed refs (either as part of a transaction commit or when serving tickets for space reservation if we are low on free space).  So remove the assertion at populate_free_space_tree() even when the block group tree feature is not enabled and update the comment to mention this case.  Syzbot reported this with the following stack trace:    BTRFS info (device loop3 state M): rebuilding free space tree   assertion failed: ret == 0 :: 0, in fs/btrfs/free-space-tree.c:1115   ------------[ cut here ]------------   kernel BUG at fs/btrfs/free-space-tree.c:1115!   Oops: invalid opcode: 0000 [#1] SMP KASAN PTI   CPU: 1 UID: 0 PID: 6352 Comm: syz.3.25 Not tainted syzkaller #0 PREEMPT(full)   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025   RIP: 0010:populate_free_space_tree+0x700/0x710 fs/btrfs/free-space-tree.c:1115   Code: ff ff e8 d3 (...)   
RSP: 0018:ffffc9000430f780 EFLAGS: 00010246   RAX: 0000000000000043 RBX: ffff88805b709630 RCX: fea61d0e2e79d000   RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000   RBP: ffffc9000430f8b0 R08: ffffc9000430f4a7 R09: 1ffff92000861e94   R10: dffffc0000000000 R11: fffff52000861e95 R12: 0000000000000001   R13: 1ffff92000861f00 R14: dffffc0000000000 R15: 0000000000000000   FS:  00007f424d9fe6c0(0000) GS:ffff888125afc000(0000) knlGS:0000000000000000   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   CR2: 00007fd78ad212c0 CR3: 0000000076d68000 CR4: 00000000003526f0   Call Trace:    <TASK>    btrfs_rebuild_free_space_tree+0x1ba/0x6d0 fs/btrfs/free-space-tree.c:1364    btrfs_start_pre_rw_mount+0x128f/0x1bf0 fs/btrfs/disk-io.c:3062    btrfs_remount_rw fs/btrfs/super.c:1334 [inline]    btrfs_reconfigure+0xaed/0x2160 fs/btrfs/super.c:1559    reconfigure_super+0x227/0x890 fs/super.c:1076    do_remount fs/namespace.c:3279 [inline]    path_mount+0xd1a/0xfe0 fs/namespace.c:4027    do_mount fs/namespace.c:4048 [inline]    __do_sys_mount fs/namespace.c:4236 [inline]    __se_sys_mount+0x313/0x410 fs/namespace.c:4213    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    RIP: 0033:0x7f424e39066a   Code: d8 64 89 02 (...)   RSP: 002b:00007f424d9fde68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5   RAX: ffffffffffffffda RBX: 00007f424d9fdef0 RCX: 00007f424e39066a   RDX: 0000200000000180 RSI: 0000200000000380 RDI: 0000000000000000   RBP: 0000200000000180 R08: 00007f424d9fdef0 R09: 0000000000000020   R10: 0000000000000020 R11: 0000000000000246 R12: 0000200000000380   R13: 00007f424d9fdeb0 R14: 0000000000000000 R15: 00002000000002c0    </TASK>   Modules linked in:   ---[ end trace 0000000000000000 ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40101",
                                "url": "https://ubuntu.com/security/CVE-2025-40101",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST  At the end of btrfs_load_block_group_zone_info() the first thing we do is to ensure that if the mapping type is not a SINGLE one and there is no RAID stripe tree, then we return early with an error.  Doing that, though, prevents the code from running the last calls from this function which are about freeing memory allocated during its run. Hence, in this case, instead of returning early, we set the ret value and fall through the rest of the cleanup code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40167",
                                "url": "https://ubuntu.com/security/CVE-2025-40167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: detect invalid INLINE_DATA + EXTENTS flag combination  syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal.  The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set:      EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:     comm syz.0.17: corrupted extent tree: lblk 0 < prev 66  Investigation revealed that the inode has both flags set:     DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1  This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks  Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes.  Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40102",
                                "url": "https://ubuntu.com/security/CVE-2025-40102",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Prevent access to vCPU events before init  Another day, another syzkaller bug. KVM erroneously allows userspace to pend vCPU events for a vCPU that hasn't been initialized yet, leading to KVM interpreting a bunch of uninitialized garbage for routing / injecting the exception.  In one case the injection code and the hyp disagree on whether the vCPU has a 32bit EL1 and put the vCPU into an illegal mode for AArch64, tripping the BUG() in exception_target_el() during the next injection:    kernel BUG at arch/arm64/kvm/inject_fault.c:40!   Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP   CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT   Hardware name: linux,dummy-virt (DT)   pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)   pc : exception_target_el+0x88/0x8c   lr : pend_serror_exception+0x18/0x13c   sp : ffff800082f03a10   x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000   x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000   x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004   x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000   x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0   x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000   x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000   x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000   x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000   x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20   Call trace:    exception_target_el+0x88/0x8c (P)    kvm_inject_serror_esr+0x40/0x3b4    __kvm_arm_vcpu_set_events+0xf0/0x100    kvm_arch_vcpu_ioctl+0x180/0x9d4    kvm_vcpu_ioctl+0x60c/0x9f4    __arm64_sys_ioctl+0xac/0x104    invoke_syscall+0x48/0x110    el0_svc_common.constprop.0+0x40/0xe0  
  do_el0_svc+0x1c/0x28    el0_svc+0x34/0xf0    el0t_64_sync_handler+0xa0/0xe4    el0t_64_sync+0x198/0x19c   Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000)  Reject the ioctls outright as no sane VMM would call these before KVM_ARM_VCPU_INIT anyway. Even if it did the exception would've been thrown away by the eventual reset of the vCPU's state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40103",
                                "url": "https://ubuntu.com/security/CVE-2025-40103",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: Fix refcount leak for cifs_sb_tlink  Fix three refcount inconsistency issues related to `cifs_sb_tlink`.  Comments for `cifs_sb_tlink` state that `cifs_put_tlink()` needs to be called after successful calls to `cifs_sb_tlink()`. Three calls fail to update refcount accordingly, leading to possible resource leaks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40104",
                                "url": "https://ubuntu.com/security/CVE-2025-40104",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ixgbevf: fix mailbox API compatibility by negotiating supported features  There was backward compatibility in the terms of mailbox API. Various drivers from various OSes supporting 10G adapters from Intel portfolio could easily negotiate mailbox API.  This convention has been broken since introducing API 1.4. Commit 0062e7cc955e (\"ixgbevf: add VF IPsec offload code\") added support for IPSec which is specific only for the kernel ixgbe driver. None of the rest of the Intel 10G PF/VF drivers supports it. And actually lack of support was not included in the IPSec implementation - there were no such code paths. No possibility to negotiate support for the feature was introduced along with introduction of the feature itself.  Commit 339f28964147 (\"ixgbevf: Add support for new mailbox communication between PF and VF\") increasing API version to 1.5 did the same - it introduced code supported specifically by the PF ESX driver. It altered API version for the VF driver in the same time not touching the version defined for the PF ixgbe driver. It led to additional discrepancies, as the code provided within API 1.6 cannot be supported for Linux ixgbe driver as it causes crashes.  The issue was noticed some time ago and mitigated by Jake within the commit d0725312adf5 (\"ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5\"). As a result we have regression for IPsec support and after increasing API to version 1.6 ixgbevf driver stopped to support ESX MBX.  To fix this mess add new mailbox op asking PF driver about supported features. Basing on a response determine whether to set support for IPSec and ESX-specific enhanced mailbox.  New mailbox op, for compatibility purposes, must be added within new API revision, as API version of OOT PF & VF drivers is already increased to 1.6 and doesn't incorporate features negotiate op.  
Features negotiation mechanism gives possibility to be extended with new features when needed in the future.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40166",
                                "url": "https://ubuntu.com/security/CVE-2025-40166",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Check GuC running state before deregistering exec queue  In normal operation, a registered exec queue is disabled and deregistered through the GuC, and freed only after the GuC confirms completion. However, if the driver is forced to unbind while the exec queue is still running, the user may call exec_destroy() after the GuC has already been stopped and CT communication disabled.  In this case, the driver cannot receive a response from the GuC, preventing proper cleanup of exec queue resources. Fix this by directly releasing the resources when GuC is not running.  Here is the failure dmesg log: \" [  468.089581] ---[ end trace 0000000000000000 ]--- [  468.089608] pci 0000:03:00.0: [drm] *ERROR* GT0: GUC ID manager unclean (1/65535) [  468.090558] pci 0000:03:00.0: [drm] GT0:     total 65535 [  468.090562] pci 0000:03:00.0: [drm] GT0:     used 1 [  468.090564] pci 0000:03:00.0: [drm] GT0:     range 1..1 (1) [  468.092716] ------------[ cut here ]------------ [  468.092719] WARNING: CPU: 14 PID: 4775 at drivers/gpu/drm/xe/xe_ttm_vram_mgr.c:298 ttm_vram_mgr_fini+0xf8/0x130 [xe] \"  v2: use xe_uc_fw_is_running() instead of xe_guc_ct_enabled().     As CT may go down and come back during VF migration.  (cherry picked from commit 9b42321a02c50a12b2beb6ae9469606257fbecea)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40105",
                                "url": "https://ubuntu.com/security/CVE-2025-40105",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vfs: Don't leak disconnected dentries on umount  When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb (\"VFS: don't keep disconnected dentries on d_anon\") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitly relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are \"leaked\". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous \"Busy inodes after unmount\" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40019",
                                "url": "https://ubuntu.com/security/CVE-2025-40019",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: essiv - Check ssize for decryption and in-place encryption  Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-24 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40214",
                                "url": "https://ubuntu.com/security/CVE-2025-40214",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  af_unix: Initialise scc_index in unix_add_edge().  Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro.  The repro consists of three stages.    1)     1-a. Create a single cyclic reference with many sockets     1-b. close() all sockets     1-c. Trigger GC    2)     2-a. Pass sk-A to an embryo sk-B     2-b. Pass sk-X to sk-X     2-c. Trigger GC    3)     3-a. accept() the embryo sk-B     3-b. Pass sk-B to sk-C     3-c. close() the in-flight sk-A     3-d. Trigger GC  As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs:    unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START)   unix_sk(sk-X)->vertex->scc_index = 3  Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC.  At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices.  unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight.  3-c decrements sk-A's file refcnt to 1.  Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X:    sk-A -> sk-B (-> sk-C)   sk-X -> sk-X  This is totally fine.  All of them are not yet close()d and should be grouped into different SCCs.  However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead.    unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong!   &&   sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree                                        ^-- 1 in-flight count for sk-B   -> sk-A is dead !?  
The problem is that unix_add_edge() does not initialise scc_index.  Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c.  Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index.  This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.",
                                "cve_priority": "high",
                                "cve_public_date": "2025-12-04 13:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * questing/linux-riscv: 6.17.0-14.14.1 -proposed tracker (LP: #2137845)",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian.riscv/dkms-versions -- update from kernel-versions",
                            "      (main/2026.01.12)",
                            "",
                            "  [ Ubuntu: 6.17.0-14.14 ]",
                            "",
                            "  * questing/linux: 6.17.0-14.14 -proposed tracker (LP: #2137849)",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian.master/dkms-versions -- update from kernel-versions",
                            "      (main/2026.01.12)",
                            "  * ubuntu_kselftests:_net/net:gre_gso.sh failing (LP: #2136820)",
                            "    - SAUCE increase socat timeout in gre_gso.sh",
                            "  * ubuntu_blktrace_smoke_test fails on questing with rust coreutils",
                            "    (LP: #2137698)",
                            "    - SAUCE: Revert \"ext4: fail unaligned direct IO write with EINVAL\"",
                            "  * bareudp.sh in ubuntu_kselftests_net fails because of dash default shell",
                            "    (LP: #2129812)",
                            "    - selftests: net: use BASH for bareudp testing",
                            "  * CVE-2025-40256",
                            "    - xfrm: also call xfrm_state_delete_tunnel at destroy time for states that",
                            "      were never added",
                            "  * Enable PMF on AMD HPT/STX/KRK (LP: #2125022)",
                            "    - platform/x86/amd/pmf: Add support for adjusting PMF PPT and PPT APU",
                            "      thresholds",
                            "    - platform/x86/amd/pmf: Extend custom BIOS inputs for more policies",
                            "    - platform/x86/amd/pmf: Update ta_pmf_action structure member",
                            "    - platform/x86/amd/pmf: Add helper to verify BIOS input notifications are",
                            "      enable/disable",
                            "    - platform/x86/amd/pmf: Add custom BIOS input support for AMD_CPU_ID_PS",
                            "    - platform/x86/amd/pmf: Preserve custom BIOS inputs for evaluating the",
                            "      policies",
                            "    - platform/x86/amd/pmf: Call enact function sooner to process early",
                            "      pending requests",
                            "    - platform/x86/amd/pmf: Add debug logs for pending requests and custom",
                            "      BIOS inputs",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850)",
                            "    - iommufd/selftest: Fix ioctl return value in _test_cmd_trigger_vevents()",
                            "    - drm/mediatek: Add pm_runtime support for GCE power control",
                            "    - drm/i915: Fix conversion between clock ticks and nanoseconds",
                            "    - drm/amdgpu: set default gfx reset masks for gfx6-8",
                            "    - drm/amd/display: Don't stretch non-native images by default in eDP",
                            "    - smb: client: fix refcount leak in smb2_set_path_attr",
                            "    - iommufd: Make vfio_compat's unmap succeed if the range is already empty",
                            "    - futex: Optimize per-cpu reference counting",
                            "    - drm/amd: Fix suspend failure with secure display TA",
                            "    - drm/xe: Move declarations under conditional branch",
                            "    - drm/xe: Do clean shutdown also when using flr",
                            "    - drm/amd/display: Add pixel_clock to amd_pp_display_configuration",
                            "    - drm/amd/pm: Use pm_display_cfg in legacy DPM (v2)",
                            "    - drm/amd/display: Disable fastboot on DCE 6 too",
                            "    - drm/amd/pm: Disable MCLK switching on SI at high pixel clocks",
                            "    - drm/amd: Disable ASPM on SI",
                            "    - arm64: kprobes: check the return value of set_memory_rox()",
                            "    - compiler_types: Move unused static inline functions warning to W=2",
                            "    - riscv: Build loader.bin exclusively for Canaan K210",
                            "    - RISC-V: clear hot-unplugged cores from all task mm_cpumasks to avoid",
                            "      rfence errors",
                            "    - riscv: acpi: avoid errors caused by probing DT devices when ACPI is used",
                            "    - fs: return EOPNOTSUPP from file_setattr/file_getattr syscalls",
                            "    - ASoC: nau8821: Avoid unnecessary blocking in IRQ handler",
                            "    - NFS4: Fix state renewals missing after boot",
                            "    - drm/amdkfd: fix suspend/resume all calls in mes based eviction path",
                            "    - NFS4: Apply delay_retrans to async operations",
                            "    - HID: intel-thc-hid: intel-quickspi: Add ARL PCI Device Id's",
                            "    - HID: quirks: avoid Cooler Master MM712 dongle wakeup bug",
                            "    - ixgbe: handle IXGBE_VF_GET_PF_LINK_STATE mailbox operation",
                            "    - HID: nintendo: Wait longer for initial probe",
                            "    - NFS: check if suid/sgid was cleared after a write as needed",
                            "    - HID: quirks: Add ALWAYS_POLL quirk for VRS R295 steering wheel",
                            "    - io_uring: fix unexpected placement on same size resizing",
                            "    - HID: logitech-hidpp: Add HIDPP_QUIRK_RESET_HI_RES_SCROLL",
                            "    - ASoC: max98090/91: fixed max98091 ALSA widget powering up/down",
                            "    - ALSA: hda/realtek: Fix mute led for HP Omen 17-cb0xxx",
                            "    - ixgbe: handle IXGBE_VF_FEATURES_NEGOTIATE mbox cmd",
                            "    - wifi: ath11k: zero init info->status in wmi_process_mgmt_tx_comp()",
                            "    - selftests: net: local_termination: Wait for interfaces to come up",
                            "    - net: fec: correct rx_bytes statistic for the case SHIFT16 is set",
                            "    - net: phy: micrel: Introduce lanphy_modify_page_reg",
                            "    - net: phy: micrel: Replace hardcoded pages with defines",
                            "    - net: phy: micrel: lan8814 fix reset of the QSGMII interface",
                            "    - rust: Add -fno-isolate-erroneous-paths-dereference to",
                            "      bindgen_skip_c_flags",
                            "    - NFSD: Skip close replay processing if XDR encoding fails",
                            "    - Bluetooth: 6lowpan: fix BDADDR_LE vs ADDR_LE_DEV address type confusion",
                            "    - Bluetooth: 6lowpan: Don't hold spin lock over sleeping functions",
                            "    - Bluetooth: hci_conn: Fix not cleaning up PA_LINK connections",
                            "    - net: dsa: tag_brcm: do not mark link local traffic as offloaded",
                            "    - net/smc: fix mismatch between CLC header and proposal",
                            "    - net/handshake: Fix memory leak in tls_handshake_accept()",
                            "    - net: ethernet: ti: am65-cpsw-qos: fix IET verify/response timeout",
                            "    - net: ethernet: ti: am65-cpsw-qos: fix IET verify retry mechanism",
                            "    - net: mdio: fix resource leak in mdiobus_register_device()",
                            "    - wifi: mac80211: skip rate verification for not captured PSDUs",
                            "    - Bluetooth: hci_event: Fix not handling PA Sync Lost event",
                            "    - net/mlx5e: Fix missing error assignment in mlx5e_xfrm_add_state()",
                            "    - net/mlx5e: Fix maxrate wraparound in threshold between units",
                            "    - net/mlx5e: Fix wraparound in rate limiting for values above 255 Gbps",
                            "    - net/mlx5e: Fix potentially misleading debug message",
                            "    - net/mlx5: Fix typo of MLX5_EQ_DOORBEL_OFFSET",
                            "    - net/mlx5: Store the global doorbell in mlx5_priv",
                            "    - net/mlx5e: Prepare for using different CQ doorbells",
                            "    - net_sched: limit try_bulk_dequeue_skb() batches",
                            "    - wifi: iwlwifi: mvm: fix beacon template/fixed rate",
                            "    - wifi: iwlwifi: mld: always take beacon ies in link grading",
                            "    - virtio-net: fix incorrect flags recording in big mode",
                            "    - hsr: Fix supervision frame sending on HSRv0",
                            "    - hsr: Follow standard for HSRv0 supervision frames",
                            "    - ACPI: CPPC: Detect preferred core availability on online CPUs",
                            "    - ACPI: CPPC: Check _CPC validity for only the online CPUs",
                            "    - ACPI: CPPC: Perform fast check switch only for online CPUs",
                            "    - ACPI: CPPC: Limit perf ctrs in PCC check only to online CPUs",
                            "    - cpufreq: intel_pstate: Check IDA only before MSR_IA32_PERF_CTL writes",
                            "    - Bluetooth: L2CAP: export l2cap_chan_hold for modules",
                            "    - io_uring/rsrc: don't use blk_rq_nr_phys_segments() as number of bvecs",
                            "    - acpi,srat: Fix incorrect device handle check for Generic Initiator",
                            "    - regulator: fixed: fix GPIO descriptor leak on register failure",
                            "    - ASoC: cs4271: Fix regulator leak on probe failure",
                            "    - ASoC: codecs: va-macro: fix resource leak in probe error path",
                            "    - drm/vmwgfx: Restore Guest-Backed only cursor plane support",
                            "    - ASoC: tas2781: fix getting the wrong device number",
                            "    - pnfs: Fix TLS logic in _nfs4_pnfs_v3_ds_connect()",
                            "    - pnfs: Fix TLS logic in _nfs4_pnfs_v4_ds_connect()",
                            "    - pnfs: Set transport security policy to RPC_XPRTSEC_NONE unless using TLS",
                            "    - simplify nfs_atomic_open_v23()",
                            "    - NFSv2/v3: Fix error handling in nfs_atomic_open_v23()",
                            "    - NFS: sysfs: fix leak when nfs_client kobject add fails",
                            "    - NFSv4: Fix an incorrect parameter when calling nfs4_call_sync()",
                            "    - drm/amd/amdgpu: Ensure isp_kernel_buffer_alloc() creates a new BO",
                            "    - acpi/hmat: Fix lockdep warning for hmem_register_resource()",
                            "    - ASoC: rsnd: fix OF node reference leak in rsnd_ssiu_probe()",
                            "    - drm/client: fix MODULE_PARM_DESC string for \"active\"",
                            "    - irqchip/riscv-intc: Add missing free() callback in riscv_intc_domain_ops",
                            "    - lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN",
                            "    - hostfs: Fix only passing host root in boot stage with new mount",
                            "    - afs: Fix dynamic lookup to fail on cell lookup failure",
                            "    - mtd: onenand: Pass correct pointer to IRQ handler",
                            "    - virtio-fs: fix incorrect check for fsvq->kobj",
                            "    - fs/namespace: correctly handle errors returned by grab_requested_mnt_ns",
                            "    - perf header: Write bpf_prog (infos|btfs)_cnt to data file",
                            "    - perf build: Don't fail fast path feature detection when binutils-devel",
                            "      is not available",
                            "    - perf lock: Fix segfault due to missing kernel map",
                            "    - perf test shell lock_contention: Extra debug diagnostics",
                            "    - perf test: Fix lock contention test",
                            "    - arm64: dts: rockchip: Set correct pinctrl for I2S1 8ch TX on odroid-m1",
                            "    - arm64: dts: rockchip: Fix PCIe power enable pin for BigTreeTech CB2 and",
                            "      Pi2",
                            "    - arm64: dts: rockchip: Make RK3588 GPU OPP table naming less generic",
                            "    - ARM: dts: imx6ull-engicam-microgea-rmm: fix report-rate-hz value",
                            "    - ARM: dts: imx51-zii-rdu1: Fix audmux node names",
                            "    - arm64: dts: imx8-ss-img: Avoid gpio0_mipi_csi GPIOs being deferred",
                            "    - arm64: dts: imx8mp-kontron: Fix USB OTG role switching",
                            "    - HID: hid-ntrig: Prevent memory leak in ntrig_report_version()",
                            "    - ARM: dts: BCM53573: Fix address of Luxul XAP-1440's Ethernet PHY",
                            "    - arm64: dts: rockchip: Fix USB power enable pin for BTT CB2 and Pi2",
                            "    - arm64: dts: rockchip: drop reset from rk3576 i2c9 node",
                            "    - pwm: adp5585: Correct mismatched pwm chip info",
                            "    - HID: playstation: Fix memory leak in dualshock4_get_calibration_data()",
                            "    - HID: uclogic: Fix potential memory leak in error path",
                            "    - LoongArch: KVM: Restore guest PMU if it is enabled",
                            "    - LoongArch: KVM: Add delay until timer interrupt injected",
                            "    - LoongArch: KVM: Fix max supported vCPUs set with EIOINTC",
                            "    - KVM: arm64: Make all 32bit ID registers fully writable",
                            "    - KVM: SVM: Mark VMCB_LBR dirty when MSR_IA32_DEBUGCTLMSR is updated",
                            "    - KVM: nSVM: Always recalculate LBR MSR intercepts in svm_update_lbrv()",
                            "    - KVM: nSVM: Fix and simplify LBR virtualization handling with nested",
                            "    - KVM: VMX: Fix check for valid GVA on an EPT violation",
                            "    - nfsd: add missing FATTR4_WORD2_CLONE_BLKSIZE from supported attributes",
                            "    - gcov: add support for GCC 15",
                            "    - kho: warn and exit when unpreserved page wasn't preserved",
                            "    - strparser: Fix signed/unsigned mismatch bug",
                            "    - dma-mapping: benchmark: Restore padding to ensure uABI remained",
                            "      consistent",
                            "    - maple_tree: fix tracepoint string pointers",
                            "    - LoongArch: Consolidate early_ioremap()/ioremap_prot()",
                            "    - LoongArch: Use correct accessor to read FWPC/MWPC",
                            "    - LoongArch: Let {pte,pmd}_modify() record the status of _PAGE_DIRTY",
                            "    - mm/damon/sysfs: change next_update_jiffies to a global variable",
                            "    - selftests/tracing: Run sample events to clear page cache events",
                            "    - wifi: mac80211: reject address change while connecting",
                            "    - mm/huge_memory: preserve PG_has_hwpoisoned if a folio is split to >0",
                            "      order",
                            "    - mm/mm_init: fix hash table order logging in alloc_large_system_hash()",
                            "    - mm/damon/stat: change last_refresh_jiffies to a global variable",
                            "    - mm/kmsan: fix kmsan kmalloc hook when no stack depots are allocated yet",
                            "    - mm/shmem: fix THP allocation and fallback loop",
                            "    - mm/mremap: honour writable bit in mremap pte batching",
                            "    - mm/huge_memory: fix folio split check for anon folios in swapcache",
                            "    - mmc: sdhci-of-dwcmshc: Change DLL_STRBIN_TAPNUM_DEFAULT to 0x4",
                            "    - mmc: pxamci: Simplify pxamci_probe() error handling using devm APIs",
                            "    - mmc: dw_mmc-rockchip: Fix wrong internal phase calculate",
                            "    - ASoC: sdw_utils: fix device reference leak in is_sdca_endpoint_present()",
                            "    - crypto: hisilicon/qm - Fix device reference leak in qm_get_qos_value",
                            "    - smb: client: fix cifs_pick_channel when channel needs reconnect",
                            "    - spi: Try to get ACPI GPIO IRQ earlier",
                            "    - x86/microcode/AMD: Add Zen5 model 0x44, stepping 0x1 minrev",
                            "    - x86/CPU/AMD: Add additional fixed RDSEED microcode revisions",
                            "    - selftests/user_events: fix type cast for write_index packed member in",
                            "      perf_test",
                            "    - gendwarfksyms: Skip files with no exports",
                            "    - ftrace: Fix BPF fexit with livepatch",
                            "    - LoongArch: Consolidate max_pfn & max_low_pfn calculation",
                            "    - LoongArch: Use physical addresses for CSR_MERRENTRY/CSR_TLBRENTRY",
                            "    - EDAC/altera: Handle OCRAM ECC enable after warm reset",
                            "    - EDAC/altera: Use INTTEST register for Ethernet and USB SBE injection",
                            "    - PM: hibernate: Emit an error when image writing fails",
                            "    - PM: hibernate: Use atomic64_t for compressed_size variable",
                            "    - btrfs: zoned: fix conventional zone capacity calculation",
                            "    - btrfs: zoned: fix stripe width calculation",
                            "    - btrfs: scrub: put bio after errors in scrub_raid56_parity_stripe()",
                            "    - btrfs: do not update last_log_commit when logging inode due to a new",
                            "      name",
                            "    - btrfs: release root after error in data_reloc_print_warning_inode()",
                            "    - drm/amdkfd: relax checks for over allocation of save area",
                            "    - drm/amdgpu: disable peer-to-peer access for DCC-enabled GC12 VRAM",
                            "      surfaces",
                            "    - drm/i915/psr: fix pipe to vblank conversion",
                            "    - drm/xe/xe3lpg: Extend Wa_15016589081 for xe3lpg",
                            "    - drm/xe/xe3: Extend wa_14023061436",
                            "    - drm/xe/xe3: Add WA_14024681466 for Xe3_LPG",
                            "    - pmdomain: imx: Fix reference count leak in imx_gpc_remove",
                            "    - pmdomain: samsung: plug potential memleak during probe",
                            "    - pmdomain: samsung: Rework legacy splash-screen handover workaround",
                            "    - selftests: mptcp: connect: fix fallback note due to OoO",
                            "    - selftests: mptcp: join: rm: set backup flag",
                            "    - selftests: mptcp: join: endpoints: longer transfer",
                            "    - selftests: mptcp: connect: trunc: read all recv data",
                            "    - selftests: mptcp: join: userspace: longer transfer",
                            "    - selftests: mptcp: join: properly kill background tasks",
                            "    - mm/huge_memory: do not change split_huge_page*() target order silently",
                            "    - mm/memory: do not populate page table entries beyond i_size",
                            "    - scripts/decode_stacktrace.sh: symbol: avoid trailing whitespaces",
                            "    - scripts/decode_stacktrace.sh: symbol: preserve alignment",
                            "    - scripts/decode_stacktrace.sh: fix build ID and PC source parsing",
                            "    - ASoC: da7213: Convert to DEFINE_RUNTIME_DEV_PM_OPS()",
                            "    - ASoC: da7213: Use component driver suspend/resume",
                            "    - KVM: x86: Rename local \"ecx\" variables to \"msr\" and \"pmc\" as appropriate",
                            "    - KVM: x86: Add support for RDMSR/WRMSRNS w/ immediate on Intel",
                            "    - KVM: VMX: Inject #UD if guest tries to execute SEAMCALL or TDCALL",
                            "    - isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()",
                            "    - net: phy: micrel: Fix lan8814_config_init",
                            "    - Linux 6.17.9",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68204",
                            "    - pmdomain: arm: scmi: Fix genpd leak on provider registration failure",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68203",
                            "    - drm/amdgpu: fix lock warning in amdgpu_userq_fence_driver_process",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40267",
                            "    - io_uring/rw: ensure allocated iovec gets cleared for early failure",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68198",
                            "    - crash: fix crashkernel resource shrink",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68199",
                            "    - codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for",
                            "      slabobj_ext",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40268",
                            "    - cifs: client: fix memory leak in smb3_fs_context_parse_param",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40269",
                            "    - ALSA: usb-audio: Fix potential overflow of PCM transfer buffer",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68205",
                            "    - ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40270",
                            "    - mm, swap: fix potential UAF issue for VMA readahead",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40271",
                            "    - fs/proc: fix uaf in proc_readdir_de()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40272",
                            "    - mm/secretmem: fix use-after-free race in fault handler",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68245",
                            "    - net: netpoll: fix incorrect refcount handling causing incorrect cleanup",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68240",
                            "    - nilfs2: avoid having an active sc_timer before freeing sci",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68241",
                            "    - ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68211",
                            "    - ksm: use range-walk function to jump over holes in",
                            "      scan_get_next_rmap_item",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68246",
                            "    - ksmbd: close accepted socket when per-IP limit rejects connection",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40273",
                            "    - NFSD: free copynotify stateid in nfs4_free_ol_stateid()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40212",
                            "    - nfsd: fix refcount leak in nfsd_set_fh_dentry()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40274",
                            "    - KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68202",
                            "    - sched_ext: Fix unsafe locking in the scx_dump_state()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68239",
                            "    - binfmt_misc: restore write access before closing files opened by",
                            "      open_exec()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68247",
                            "    - posix-timers: Plug potential memory leak in do_timer_create()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68208",
                            "    - bpf: account for current allocated stack depth in",
                            "      widen_imprecise_scalars()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68200",
                            "    - bpf: Add bpf_prog_run_data_pointers()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40275",
                            "    - ALSA: usb-audio: Fix NULL pointer dereference in",
                            "      snd_usb_mixer_controls_badd",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68242",
                            "    - NFS: Fix LTP test failures when timestamps are delegated",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68243",
                            "    - NFS: Check the TLS certificate fields in nfs_match_client()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40276",
                            "    - drm/panthor: Flush shmem writes before mapping buffers CPU-uncached",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40277",
                            "    - drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68206",
                            "    - netfilter: nft_ct: add seqadj extension for natted connections",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68209",
                            "    - mlx5: Fix default values in create CQ",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40278",
                            "    - net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-",
                            "      infoleak",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40279",
                            "    - net: sched: act_connmark: initialize struct tc_ife to fix kernel leak",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40280",
                            "    - tipc: Fix use-after-free in tipc_mon_reinit_self().",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40281",
                            "    - sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40282",
                            "    - Bluetooth: 6lowpan: reset link-local header on ipv6 recv path",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40283",
                            "    - Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40284",
                            "    - Bluetooth: MGMT: cancel mesh send timer when hdev removed",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68210",
                            "    - erofs: avoid infinite loop due to incomplete zstd-compressed data",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40285",
                            "    - smb/server: fix possible refcount leak in smb2_sess_setup()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40286",
                            "    - smb/server: fix possible memory leak in smb2_read()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40287",
                            "    - exfat: fix improper check of dentry.stream.valid_size",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40288",
                            "    - drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40289",
                            "    - drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68201",
                            "    - drm/amdgpu: remove two invalid BUG_ON()s",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68207",
                            "    - drm/xe/guc: Synchronize Dead CT worker with unbind",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68244",
                            "    - drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833)",
                            "    - Revert \"Bluetooth: L2CAP: convert timeouts to secs_to_jiffies()\"",
                            "    - sched_ext: Mark scx_bpf_dsq_move_set_[slice|vtime]() with KF_RCU",
                            "    - net: usb: asix_devices: Check return value of usbnet_get_endpoints",
                            "    - fbdev: atyfb: Check if pll_ops->init_pll failed",
                            "    - ACPI: button: Call input_free_device() on failing input device",
                            "      registration",
                            "    - ACPI: fan: Use platform device for devres-related actions",
                            "    - virtio-net: drop the multi-buffer XDP packet in zerocopy",
                            "    - batman-adv: Release references to inactive interfaces",
                            "    - Bluetooth: rfcomm: fix modem control handling",
                            "    - net: phy: dp83867: Disable EEE support as not implemented",
                            "    - fbdev: pvr2fb: Fix leftover reference to ONCHIP_NR_DMA_CHANNELS",
                            "    - fbdev: valkyriefb: Fix reference count leak in valkyriefb_init",
                            "    - mptcp: drop bogus optimization in __mptcp_check_push()",
                            "    - mptcp: restore window probe",
                            "    - ASoC: qdsp6: q6asm: do not sleep while atomic",
                            "    - ASoC: renesas: rz-ssi: Use proper dma_buffer_pos after resume",
                            "    - s390/pci: Restore IRQ unconditionally for the zPCI device",
                            "    - x86/build: Disable SSE4a",
                            "    - wifi: ath10k: Fix memory leak on unsupported WMI command",
                            "    - wifi: ath11k: Add missing platform IDs for quirk table",
                            "    - wifi: ath12k: free skb during idr cleanup callback",
                            "    - wifi: ath11k: avoid bit operation on key flags",
                            "    - drm/msm/a6xx: Fix GMU firmware parser",
                            "    - ALSA: usb-audio: fix control pipe direction",
                            "    - ASoC: cs-amp-lib-test: Fix missing include of kunit/test-bug.h",
                            "    - wifi: mac80211: reset FILS discovery and unsol probe resp intervals",
                            "    - wifi: mac80211: fix key tailroom accounting leak",
                            "    - wifi: nl80211: call kfree without a NULL check",
                            "    - kunit: test_dev_action: Correctly cast 'priv' pointer to long*",
                            "    - scsi: ufs: core: Initialize value of an attribute returned by uic cmd",
                            "    - scsi: core: Fix the unit attention counter implementation",
                            "    - bpf: Do not audit capability check in do_jit()",
                            "    - nvmet-auth: update sc_c in host response",
                            "    - crypto: s390/phmac - Do not modify the req->nbytes value",
                            "    - ASoC: Intel: avs: Unprepare a stream when XRUN occurs",
                            "    - ASoC: fsl_sai: fix bit order for DSD format",
                            "    - ASoC: fsl_micfil: correct the endian format for DSD",
                            "    - libbpf: Fix powerpc's stack register definition in bpf_tracing.h",
                            "    - ASoC: mediatek: Fix double pm_runtime_disable in remove functions",
                            "    - Bluetooth: ISO: Fix BIS connection dst_type handling",
                            "    - Bluetooth: btmtksdio: Add pmctrl handling for BT closed state during",
                            "      reset",
                            "    - Bluetooth: HCI: Fix tracking of advertisement set/instance 0x00",
                            "    - Bluetooth: ISO: Fix another instance of dst_type handling",
                            "    - Bluetooth: btintel_pcie: Fix event packet loss issue",
                            "    - Bluetooth: hci_conn: Fix connection cleanup with BIG with 2 or more BIS",
                            "    - Bluetooth: hci_core: Fix tracking of periodic advertisement",
                            "    - bpf: Conditionally include dynptr copy kfuncs",
                            "    - drm/msm: Ensure vm is created in VM_BIND ioctl",
                            "    - ALSA: usb-audio: add mono main switch to Presonus S1824c",
                            "    - ALSA: usb-audio: don't log messages meant for 1810c when initializing",
                            "      1824c",
                            "    - ACPI: MRRM: Check revision of MRRM table",
                            "    - drm/etnaviv: fix flush sequence logic",
                            "    - tools: ynl: fix string attribute length to include null terminator",
                            "    - net: hns3: return error code when function fails",
                            "    - sfc: fix potential memory leak in efx_mae_process_mport()",
                            "    - tools: ynl: avoid print_field when there is no reply",
                            "    - dpll: spec: add missing module-name and clock-id to pin-get reply",
                            "    - ASoC: fsl_sai: Fix sync error in consumer mode",
                            "    - ASoC: soc_sdw_utils: remove cs42l43 component_name",
                            "    - drm/amd/pm: fix smu table id bound check issue in smu_cmn_update_table()",
                            "    - drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji",
                            "    - drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland",
                            "    - drm/amdgpu: fix SPDX headers on amdgpu_cper.c/h",
                            "    - drm/amdgpu: fix SPDX header on amd_cper.h",
                            "    - drm/amdgpu: fix SPDX header on irqsrcs_vcn_5_0.h",
                            "    - ACPI: fan: Use ACPI handle when retrieving _FST",
                            "    - block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL",
                            "    - block: make REQ_OP_ZONE_OPEN a write operation",
                            "    - dma-fence: Fix safe access wrapper to call timeline name method",
                            "    - kbuild: align modinfo section for Secureboot Authenticode EDK2 compat",
                            "    - regmap: irq: Correct documentation of wake_invert flag",
                            "    - [Config] Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP for s390x",
                            "    - s390/mm: Fix memory leak in add_marker() when kvrealloc() fails",
                            "    - drm/xe: Do not wake device during a GT reset",
                            "    - drm/sched: avoid killing parent entity on child SIGKILL",
                            "    - drm/sched: Fix race in drm_sched_entity_select_rq()",
                            "    - drm/nouveau: Fix race in nouveau_sched_fini()",
                            "    - drm/i915/dmc: Clear HRR EVT_CTL/HTP to zero on ADL-S",
                            "    - drm/ast: Clear preserved bits from register output value",
                            "    - drm/amd: Check that VPE has reached DPM0 in idle handler",
                            "    - drm/amd/display: Fix incorrect return of vblank enable on unconfigured",
                            "      crtc",
                            "    - drm/amd/display: Don't program BLNDGAM_MEM_PWR_FORCE when CM low-power",
                            "      is disabled on DCN30",
                            "    - drm/amd/display: Add HDR workaround for a specific eDP",
                            "    - mptcp: leverage skb deferral free",
                            "    - mptcp: fix MSG_PEEK stream corruption",
                            "    - cpuidle: governors: menu: Rearrange main loop in menu_select()",
                            "    - cpuidle: governors: menu: Select polling state in some more cases",
                            "    - PM: hibernate: Combine return paths in power_down()",
                            "    - PM: sleep: Allow pm_restrict_gfp_mask() stacking",
                            "    - mfd: kempld: Switch back to earlier ->init() behavior",
                            "    - soc: aspeed: socinfo: Add AST27xx silicon IDs",
                            "    - firmware: qcom: scm: preserve assign_mem() error return value",
                            "    - soc: qcom: smem: Fix endian-unaware access of num_entries",
                            "    - spi: loopback-test: Don't use %pK through printk",
                            "    - spi: spi-qpic-snand: handle 'use_ecc' parameter of",
                            "      qcom_spi_config_cw_read()",
                            "    - soc: ti: pruss: don't use %pK through printk",
                            "    - bpf: Don't use %pK through printk",
                            "    - mmc: sdhci: Disable SD card clock before changing parameters",
                            "    - pinctrl: single: fix bias pull up/down handling in pin_config_set",
                            "    - mmc: host: renesas_sdhi: Fix the actual clock",
                            "    - memstick: Add timeout to prevent indefinite waiting",
                            "    - cpufreq: ti: Add support for AM62D2",
                            "    - bpf: Use tnums for JEQ/JNE is_branch_taken logic",
                            "    - firmware: ti_sci: Enable abort handling of entry to LPM",
                            "    - firewire: ohci: move self_id_complete tracepoint after validating",
                            "      register",
                            "    - irqchip/sifive-plic: Respect mask state when setting affinity",
                            "    - irqchip/loongson-eiointc: Route interrupt parsed from bios table",
                            "    - ACPI: sysfs: Use ACPI_FREE() for freeing an ACPI object",
                            "    - ACPI: video: force native for Lenovo 82K8",
                            "    - libbpf: Fix USDT SIB argument handling causing unrecognized register",
                            "      error",
                            "    - selftests/bpf: Fix bpf_prog_detach2 usage in test_lirc_mode2",
                            "    - arm64: versal-net: Update rtc calibration value",
                            "    - Revert \"UBUNTU: SAUCE: firmware: qcom: scm: Allow QSEECOM on Dell",
                            "      Inspiron 7441 / Latitude 7455\"",
                            "    - firmware: qcom: scm: Allow QSEECOM on Dell Inspiron 7441 / Latitude 7455",
                            "    - kselftest/arm64: tpidr2: Switch to waitpid() over wait4()",
                            "    - arc: Fix __fls() const-foldability via __builtin_clzl()",
                            "    - selftests/bpf: Upon failures, exit with code 1 in test_xsk.sh",
                            "    - irqchip/gic-v2m: Handle Multiple MSI base IRQ Alignment",
                            "    - ACPI: PRM: Skip handlers with NULL handler_address or NULL VA",
                            "    - ACPI: resource: Skip IRQ override on ASUS Vivobook Pro N6506CU",
                            "    - ACPI: scan: Add Intel CVS ACPI HIDs to acpi_ignore_dep_ids[]",
                            "    - thermal: gov_step_wise: Allow cooling level to be reduced earlier",
                            "    - thermal: intel: selftests: workload_hint: Mask unsupported types",
                            "    - power: supply: qcom_battmgr: add OOI chemistry",
                            "    - hwmon: (k10temp) Add thermal support for AMD Family 1Ah-based models",
                            "    - hwmon: (k10temp) Add device ID for Strix Halo",
                            "    - hwmon: (lenovo-ec-sensors) Update P8 supprt",
                            "    - hwmon: (sbtsi_temp) AMD CPU extended temperature range support",
                            "    - pinctrl: renesas: rzg2l: Add suspend/resume support for Schmitt control",
                            "      registers",
                            "    - pinctrl: keembay: release allocated memory in detach path",
                            "    - power: supply: sbs-charger: Support multiple devices",
                            "    - io_uring/rsrc: respect submitter_task in io_register_clone_buffers()",
                            "    - hwmon: sy7636a: add alias",
                            "    - selftests/bpf: Fix incorrect array size calculation",
                            "    - block: check for valid bio while splitting",
                            "    - irqchip/loongson-pch-lpc: Use legacy domain for PCH-LPC IRQ controller",
                            "    - cpufreq: ondemand: Update the efficient idle check for Intel extended",
                            "      Families",
                            "    - arm64: zynqmp: Disable coresight by default",
                            "    - arm64: zynqmp: Revert usb node drive strength and slew rate for zcu106",
                            "    - soc/tegra: fuse: Add Tegra114 nvmem cells and fuse lookups",
                            "    - ARM: tegra: p880: set correct touchscreen clipping",
                            "    - ARM: tegra: transformer-20: add missing magnetometer interrupt",
                            "    - ARM: tegra: transformer-20: fix audio-codec interrupt",
                            "    - firmware: qcom: tzmem: disable sc7180 platform",
                            "    - soc: ti: k3-socinfo: Add information for AM62L SR1.1",
                            "    - mmc: sdhci-msm: Enable tuning for SDR50 mode for SD card",
                            "    - pwm: pca9685: Use bulk write to atomicially update registers",
                            "    - ACPICA: dispatcher: Use acpi_ds_clear_operands() in",
                            "      acpi_ds_call_control_method()",
                            "    - tee: allow a driver to allocate a tee_device without a pool",
                            "    - kunit: Enable PCI on UML without triggering WARN()",
                            "    - selftests/bpf: Fix arena_spin_lock selftest failure",
                            "    - bpf: Do not limit bpf_cgroup_from_id to current's namespace",
                            "    - i3c: mipi-i3c-hci-pci: Add support for Intel Wildcat Lake-U I3C",
                            "    - rust: kunit: allow `cfg` on `test`s",
                            "    - video: backlight: lp855x_bl: Set correct EPROM start for LP8556",
                            "    - i3c: dw: Add shutdown support to dw_i3c_master driver",
                            "    - io_uring/zcrx: check all niovs filled with dma addresses",
                            "    - tools/cpupower: fix error return value in cpupower_write_sysfs()",
                            "    - io_uring/zcrx: account niov arrays to cgroup",
                            "    - pmdomain: apple: Add \"apple,t8103-pmgr-pwrstate\"",
                            "    - power: supply: qcom_battmgr: handle charging state change notifications",
                            "    - bpftool: Fix -Wuninitialized-const-pointer warnings with clang >= 21",
                            "    - cpuidle: Fail cpuidle device registration if there is one already",
                            "    - selftests/bpf: Fix selftest verifier_arena_large failure",
                            "    - selftests: ublk: fix behavior when fio is not installed",
                            "    - spi: rpc-if: Add resume support for RZ/G3E",
                            "    - ACPI: SPCR: Support Precise Baud Rate field",
                            "    - clocksource/drivers/vf-pit: Replace raw_readl/writel to readl/writel",
                            "    - clocksource/drivers/timer-rtl-otto: Work around dying timers",
                            "    - clocksource/drivers/timer-rtl-otto: Do not interfere with interrupts",
                            "    - riscv: bpf: Fix uninitialized symbol 'retval_off'",
                            "    - bpf: Clear pfmemalloc flag when freeing all fragments",
                            "    - selftests: drv-net: Pull data before parsing headers",
                            "    - nvme: Use non zero KATO for persistent discovery connections",
                            "    - uprobe: Do not emulate/sstep original instruction when ip is changed",
                            "    - hwmon: (asus-ec-sensors) increase timeout for locking ACPI mutex",
                            "    - hwmon: (dell-smm) Remove Dell Precision 490 custom config data",
                            "    - hwmon: (dell-smm) Add support for Dell OptiPlex 7040",
                            "    - tools/cpupower: Fix incorrect size in cpuidle_state_disable()",
                            "    - selftests/bpf: Fix flaky bpf_cookie selftest",
                            "    - tools/power turbostat: Fix incorrect sorting of PMT telemetry",
                            "    - tools/power x86_energy_perf_policy: Fix incorrect fopen mode usage",
                            "    - tools/power x86_energy_perf_policy: Enhance HWP enable",
                            "    - tools/power x86_energy_perf_policy: Prefer driver HWP limits",
                            "    - mfd: simple-mfd-i2c: Add compatible strings for Layerscape QIXIS FPGA",
                            "    - mfd: stmpe: Remove IRQ domain upon removal",
                            "    - mfd: stmpe-i2c: Add missing MODULE_LICENSE",
                            "    - mfd: qnap-mcu: Handle errors returned from qnap_mcu_write",
                            "    - mfd: qnap-mcu: Include linux/types.h in qnap-mcu.h shared header",
                            "    - mfd: madera: Work around false-positive -Wininitialized warning",
                            "    - mfd: da9063: Split chip variant reading in two bus transactions",
                            "    - mfd: macsmc: Add \"apple,t8103-smc\" compatible",
                            "    - mfd: core: Increment of_node's refcount before linking it to the",
                            "      platform device",
                            "    - mfd: cs42l43: Move IRQ enable/disable to encompass force suspend",
                            "    - mfd: intel-lpss: Add Intel Wildcat Lake LPSS PCI IDs",
                            "    - drm/xe/ptl: Apply Wa_16026007364",
                            "    - drm/xe/configfs: Enforce canonical device names",
                            "    - drm/amd/display: Update tiled to tiled copy command",
                            "    - drm/amd/display: fix condition for setting timing_adjust_pending",
                            "    - drm/amd/display: ensure committing streams is seamless",
                            "    - drm/amdgpu: add range check for RAS bad page address",
                            "    - drm/amdgpu: Check vcn sram load return value",
                            "    - drm/amd/display: Remove check DPIA HPD status for BW Allocation",
                            "    - drm/amd/display: Increase AUX Intra-Hop Done Max Wait Duration",
                            "    - drm/amd/display: Fix dmub_cmd header alignment",
                            "    - drm/xe/guc: Add more GuC load error status codes",
                            "    - drm/xe/pf: Don't resume device from restart worker",
                            "    - drm/amdgpu: Fix build error when CONFIG_SUSPEND is disabled",
                            "    - drm/amdgpu: Update IPID value for bad page threshold CPER",
                            "    - drm/amdgpu: Avoid rma causes GPU duplicate reset",
                            "    - drm/amdgpu: Effective health check before reset",
                            "    - drm/amd/amdgpu: Release xcp drm memory after unplug",
                            "    - drm/amdgpu: Fix vcn v5.0.1 poison irq call trace",
                            "    - drm/xe: Extend wa_13012615864 to additional Xe2 and Xe3 platforms",
                            "    - drm/amdgpu: Skip poison aca bank from UE channel",
                            "    - drm/amd/display: add more cyan skillfish devices",
                            "    - drm/amdgpu: Initialize jpeg v5_0_1 ras function",
                            "    - drm/amdgpu: skip mgpu fan boost for multi-vf",
                            "    - drm/amd/display: fix dmub access race condition",
                            "    - drm/amd/display: update dpp/disp clock from smu clock table",
                            "    - drm/amd/pm: Use cached metrics data on aldebaran",
                            "    - drm/amd/pm: Use cached metrics data on arcturus",
                            "    - accel/amdxdna: Unify pm and rpm suspend and resume callbacks",
                            "    - drm/amdgpu/jpeg: Hold pg_lock before jpeg poweroff",
                            "    - drm/xe/pf: Program LMTT directory pointer on all GTs within a tile",
                            "    - drm/nouveau: replace snprintf() with scnprintf() in nvkm_snprintbf()",
                            "    - ASoC: tas2781: Add keyword \"init\" in profile section",
                            "    - ASoC: mediatek: Use SND_JACK_AVOUT for HDMI/DP jacks",
                            "    - drm/amd/display: Reset apply_eamless_boot_optimization when dpms_off",
                            "    - drm/amdgpu: add to custom amdgpu_drm_release drm_dev_enter/exit",
                            "    - drm/amd/display: Wait until OTG enable state is cleared",
                            "    - drm/xe: rework PDE PAT index selection",
                            "    - docs: kernel-doc: avoid script crash on ancient Python",
                            "    - drm/sharp-memory: Do not access GEM-DMA vaddr directly",
                            "    - PCI: Disable MSI on RDC PCI to PCIe bridges",
                            "    - drm/nouveau: always set RMDevidCheckIgnore for GSP-RM",
                            "    - drm/panel-edp: Add SHP LQ134Z1 panel for Dell XPS 9345",
                            "    - selftests/net: Replace non-standard __WORDSIZE with sizeof(long) * 8",
                            "    - selftests/net: Ensure assert() triggers in psock_tpacket.c",
                            "    - wifi: rtw89: print just once for unknown C2H events",
                            "    - wifi: rtw88: sdio: use indirect IO for device registers before power-on",
                            "    - wifi: rtw89: add dummy C2H handlers for BCN resend and update done",
                            "    - drm/amdkfd: return -ENOTTY for unsupported IOCTLs",
                            "    - selftests: drv-net: devmem: add / correct the IPv6 support",
                            "    - selftests: drv-net: devmem: flip the direction of Tx tests",
                            "    - media: pci: ivtv: Don't create fake v4l2_fh",
                            "    - media: amphion: Delete v4l2_fh synchronously in .release()",
                            "    - drm/tidss: Use the crtc_* timings when programming the HW",
                            "    - drm/bridge: cdns-dsi: Fix REG_WAKEUP_TIME value",
                            "    - drm/bridge: cdns-dsi: Don't fail on MIPI_DSI_MODE_VIDEO_BURST",
                            "    - drm/tidss: Set crtc modesetting parameters with adjusted mode",
                            "    - drm/tidss: Remove early fb",
                            "    - RDMA/mana_ib: Drain send wrs of GSI QP",
                            "    - media: i2c: Kconfig: Ensure a dependency on HAVE_CLK for",
                            "      VIDEO_CAMERA_SENSOR",
                            "    - PCI/ERR: Update device error_state already after reset",
                            "    - x86/vsyscall: Do not require X86_PF_INSTR to emulate vsyscall",
                            "    - net: stmmac: Check stmmac_hw_setup() in stmmac_resume()",
                            "    - ice: Don't use %pK through printk or tracepoints",
                            "    - thunderbolt: Use is_pciehp instead of is_hotplug_bridge",
                            "    - ASoC: es8323: enable DAPM power widgets for playback DAC and output",
                            "    - powerpc/eeh: Use result of error_detected() in uevent",
                            "    - s390/pci: Use pci_uevent_ers() in PCI recovery",
                            "    - bridge: Redirect to backup port when port is administratively down",
                            "    - selftests: drv-net: wait for carrier",
                            "    - net: phy: mscc: report and configure in-band auto-negotiation for",
                            "      SGMII/QSGMII",
                            "    - scsi: ufs: host: mediatek: Fix auto-hibern8 timer configuration",
                            "    - scsi: ufs: host: mediatek: Fix PWM mode switch issue",
                            "    - scsi: ufs: host: mediatek: Assign power mode userdata before FASTAUTO",
                            "      mode change",
                            "    - scsi: ufs: host: mediatek: Change reset sequence for improved stability",
                            "    - scsi: ufs: host: mediatek: Fix invalid access in vccqx handling",
                            "    - gpu: nova-core: register: allow fields named `offset`",
                            "    - drm/panthor: Serialize GPU cache flush operations",
                            "    - HID: pidff: Use direction fix only for conditional effects",
                            "    - HID: pidff: PERMISSIVE_CONTROL quirk autodetection",
                            "    - drm/bridge: display-connector: don't set OP_DETECT for DisplayPorts",
                            "    - drm/amdkfd: Handle lack of READ permissions in SVM mapping",
                            "    - drm/amdgpu: refactor bad_page_work for corner case handling",
                            "    - hwrng: timeriomem - Use us_to_ktime() where appropriate",
                            "    - iio: adc: spear_adc: mask SPEAR_ADC_STATUS channel and avg sample before",
                            "      setting register",
                            "    - iio: adc: imx93_adc: load calibrated values even calibration failed",
                            "    - usb: gadget: f_ncm: Fix MAC assignment NCM ethernet",
                            "    - ASoC: es8323: remove DAC enablement write from es8323_probe",
                            "    - ASoC: es8323: add proper left/right mixer controls via DAPM",
                            "    - ASoC: codecs: wsa883x: Handle shared reset GPIO for WSA883x speakers",
                            "    - drm/xe: Make page size consistent in loop",
                            "    - wifi: rtw89: wow: remove notify during WoWLAN net-detect",
                            "    - wifi: rtw89: fix BSSID comparison for non-transmitted BSSID",
                            "    - wifi: rtw89: 8851b: rfk: update IQK TIA setting",
                            "    - dm error: mark as DM_TARGET_PASSES_INTEGRITY",
                            "    - char: misc: Make misc_register() reentry for miscdevice who wants",
                            "      dynamic minor",
                            "    - char: misc: Does not request module for miscdevice with dynamic minor",
                            "    - net: When removing nexthops, don't call synchronize_net if it is not",
                            "      necessary",
                            "    - net: Call trace_sock_exceed_buf_limit() for memcg failure with",
                            "      SK_MEM_RECV.",
                            "    - dmaengine: idxd: Add a new IAA device ID for Wildcat Lake family",
                            "      platforms",
                            "    - PCI/P2PDMA: Fix incorrect pointer usage in devm_kfree() call",
                            "    - bnxt_en: Add Hyper-V VF ID",
                            "    - tty: serial: Modify the use of dev_err_probe()",
                            "    - ALSA: usb-audio: Add validation of UAC2/UAC3 effect units",
                            "    - Octeontx2-af: Broadcast XON on all channels",
                            "    - idpf: do not linearize big TSO packets",
                            "    - drm/xe/pcode: Initialize data0 for pcode read routine",
                            "    - drm/panel: ilitek-ili9881c: turn off power-supply when init fails",
                            "    - drm/panel: ilitek-ili9881c: move display_on/_off dcs calls to",
                            "      (un-)prepare",
                            "    - rds: Fix endianness annotation for RDS_MPATH_HASH",
                            "    - net: wangxun: limit tx_max_coalesced_frames_irq",
                            "    - iio: imu: bmi270: Match PNP ID found on newer GPD firmware",
                            "    - media: ipu6: isys: Set embedded data type correctly for metadata formats",
                            "    - rpmsg: char: Export alias for RPMSG ID rpmsg-raw from table",
                            "    - net: ipv4: allow directed broadcast routes to use dst hint",
                            "    - scsi: mpi3mr: Fix device loss during enclosure reboot due to zero link",
                            "      speed",
                            "    - wifi: rtw89: coex: Limit Wi-Fi scan slot cost to avoid A2DP glitch",
                            "    - scsi: mpi3mr: Fix I/O failures during controller reset",
                            "    - scsi: mpi3mr: Fix controller init failure on fault during queue creation",
                            "    - scsi: pm80xx: Fix race condition caused by static variables",
                            "    - extcon: adc-jack: Fix wakeup source leaks on device unbind",
                            "    - extcon: fsa9480: Fix wakeup source leaks on device unbind",
                            "    - extcon: axp288: Fix wakeup source leaks on device unbind",
                            "    - drm/xe: Set GT as wedged before sending wedged uevent",
                            "    - remoteproc: wkup_m3: Use devm_pm_runtime_enable() helper",
                            "    - drm/xe/wcl: Extend L3bank mask workaround",
                            "    - net: phy: fixed_phy: let fixed_phy_unregister free the phy_device",
                            "    - selftests: drv-net: hds: restore hds settings",
                            "    - fuse: zero initialize inode private data",
                            "    - virtio_fs: fix the hash table using in virtio_fs_enqueue_req()",
                            "    - selftests: pci_endpoint: Skip IRQ test if IRQ is out of range.",
                            "    - drm/xe: Ensure GT is in C0 during resumes",
                            "    - misc: pci_endpoint_test: Skip IRQ tests if irq is out of range",
                            "    - drm/amdgpu: Correct the loss of aca bank reg info",
                            "    - drm/amdgpu: Correct the counts of nr_banks and nr_errors",
                            "    - drm/amdkfd: fix vram allocation failure for a special case",
                            "    - drm/amd/display: Support HW cursor 180 rot for any number of pipe splits",
                            "    - drm/amdkfd: Tie UNMAP_LATENCY to queue_preemption",
                            "    - drm/amd/display: wait for otg update pending latch before clock",
                            "      optimization",
                            "    - drm/amd/display: Consider sink max slice width limitation for dsc",
                            "    - drm/amdgpu/vpe: cancel delayed work in hw_fini",
                            "    - drm/xe: Cancel pending TLB inval workers on teardown",
                            "    - net: Prevent RPS table overwrite of active flows",
                            "    - eth: fbnic: Reset hw stats upon PCI error",
                            "    - wifi: iwlwifi: mld: trigger mlo scan only when not in EMLSR",
                            "    - platform/x86/intel-uncore-freq: Fix warning in partitioned system",
                            "    - drm/msm/dpu: Filter modes based on adjusted mode clock",
                            "    - drm/msm: Use of_reserved_mem_region_to_resource() for \"memory-region\"",
                            "    - selftests: drv-net: rss_ctx: fix the queue count check",
                            "    - media: fix uninitialized symbol warnings",
                            "    - media: pci: mgb4: Fix timings comparison in VIDIOC_S_DV_TIMINGS",
                            "    - ASoC: SOF: ipc4-pcm: Add fixup for channels",
                            "    - drm/amdgpu: Notify pmfw bad page threshold exceeded",
                            "    - drm/amd/display: Increase minimum clock for TMDS 420 with pipe splitting",
                            "    - drm/amdgpu: Avoid jpeg v5.0.1 poison irq call trace on sriov guest",
                            "    - drm/amd/display: incorrect conditions for failing dto calculations",
                            "    - drm/amdgpu: Avoid vcn v5.0.1 poison irq call trace on sriov guest",
                            "    - drm/amdgpu: Respect max pixel clock for HDMI and DVI-D (v2)",
                            "    - mips: lantiq: danube: add missing properties to cpu node",
                            "    - mips: lantiq: danube: add model to EASY50712 dts",
                            "    - mips: lantiq: danube: add missing device_type in pci node",
                            "    - mips: lantiq: xway: sysctrl: rename stp clock",
                            "    - mips: lantiq: danube: rename stp node on EASY50712 reference board",
                            "    - inet_diag: annotate data-races in inet_diag_bc_sk()",
                            "    - microchip: lan865x: add ndo_eth_ioctl handler to enable PHY ioctl",
                            "      support",
                            "    - crypto: qat - use kcalloc() in qat_uclo_map_objs_from_mof()",
                            "    - scsi: pm8001: Use int instead of u32 to store error codes",
                            "    - iio: adc: ad7124: do not require mclk",
                            "    - scsi: ufs: exynos: fsd: Gate ref_clk and put UFS device in reset on",
                            "      suspend",
                            "    - media: imx-mipi-csis: Only set clock rate when specified in DT",
                            "    - wifi: iwlwifi: pcie: remember when interrupts are disabled",
                            "    - drm/st7571-i2c: add support for inverted pixel format",
                            "    - ptp: Limit time setting of PTP clocks",
                            "    - dmaengine: sh: setup_xref error handling",
                            "    - dmaengine: mv_xor: match alloc_wc and free_wc",
                            "    - dmaengine: dw-edma: Set status for callback_result",
                            "    - netfilter: nf_tables: all transaction allocations can now sleep",
                            "    - drm/msm/dsi/phy: Toggle back buffer resync after preparing PLL",
                            "    - drm/msm/dsi/phy_7nm: Fix missing initial VCO rate",
                            "    - drm/amdgpu: Allow kfd CRIU with no buffer objects",
                            "    - drm/xe/guc: Increase GuC crash dump buffer size",
                            "    - drm/amd/pm: Increase SMC timeout on SI and warn (v3)",
                            "    - move_mount(2): take sanity checks in 'beneath' case into do_lock_mount()",
                            "    - selftests: drv-net: rss_ctx: make the test pass with few queues",
                            "    - ipv6: Add sanity checks on ipv6_devconf.rpl_seg_enabled",
                            "    - drm/xe: Extend Wa_22021007897 to Xe3 platforms",
                            "    - wifi: mac80211: count reg connection element in the size",
                            "    - drm/panthor: check bo offset alignment in vm bind",
                            "    - drm: panel-backlight-quirks: Make EDID match optional",
                            "    - ixgbe: reduce number of reads when getting OROM data",
                            "    - netlink: specs: fou: change local-v6/peer-v6 check",
                            "    - net: nfc: nci: Increase NCI_DATA_TIMEOUT to 3000 ms",
                            "    - media: adv7180: Add missing lock in suspend callback",
                            "    - media: adv7180: Do not write format to device in set_fmt",
                            "    - media: adv7180: Only validate format in querystd",
                            "    - media: verisilicon: Explicitly disable selection api ioctls for decoders",
                            "    - wifi: mac80211: Fix 6 GHz Band capabilities element advertisement in",
                            "      lower bands",
                            "    - platform/x86: think-lmi: Add extra TC BIOS error messages",
                            "    - platform/x86/intel-uncore-freq: Present unique domain ID per package",
                            "    - ALSA: usb-audio: apply quirk for MOONDROP Quark2",
                            "    - PCI: imx6: Enable the Vaux supply if available",
                            "    - drm/xe/guc: Set upper limit of H2G retries over CTB",
                            "    - net: call cond_resched() less often in __release_sock()",
                            "    - smsc911x: add second read of EEPROM mac when possible corruption seen",
                            "    - drm/xe: improve dma-resv handling for backup object",
                            "    - iommu/amd: Add support to remap/unmap IOMMU buffers for kdump",
                            "    - iommu/amd: Skip enabling command/event buffers for kdump",
                            "    - iommu/amd: Reuse device table for kdump",
                            "    - crypto: ccp: Skip SEV and SNP INIT for kdump boot",
                            "    - iommu/apple-dart: Clear stream error indicator bits for T8110 DARTs",
                            "    - bus: mhi: host: pci_generic: Add support for all Foxconn T99W696 SKU",
                            "      variants",
                            "    - drm/amdgpu: Correct info field of bad page threshold exceed CPER",
                            "    - drm/amd: add more cyan skillfish PCI ids",
                            "    - drm/amdgpu: don't enable SMU on cyan skillfish",
                            "    - drm/amdgpu: add support for cyan skillfish gpu_info",
                            "    - drm/amd/display: Fix pbn_div Calculation Error",
                            "    - drm/amd/display: dont wait for pipe update during medupdate/highirq",
                            "    - drm/amd/pm: refine amdgpu pm sysfs node error code",
                            "    - drm/amd/display: Indicate when custom brightness curves are in use",
                            "    - selftests: ncdevmem: don't retry EFAULT",
                            "    - net: dsa: felix: support phy-mode = \"10g-qxgmii\"",
                            "    - usb: gadget: f_hid: Fix zero length packet transfer",
                            "    - serial: qcom-geni: Add DFS clock mode support to GENI UART driver",
                            "    - serdev: Drop dev_pm_domain_detach() call",
                            "    - tty/vt: Add missing return value for VT_RESIZE in vt_ioctl()",
                            "    - eeprom: at25: support Cypress FRAMs without device ID",
                            "    - drm/msm/adreno: Add speedbins for A663 GPU",
                            "    - drm/msm: Fix 32b size truncation",
                            "    - dt-bindings: display/msm/gmu: Update Adreno 623 bindings",
                            "    - drm/msm: make sure to not queue up recovery more than once",
                            "    - char: Use list_del_init() in misc_deregister() to reinitialize list",
                            "      pointer",
                            "    - drm/msm/adreno: Add speedbin data for A623 GPU",
                            "    - drm/msm/adreno: Add fenced regwrite support",
                            "    - drm/msm/a6xx: Switch to GMU AO counter",
                            "    - idpf: link NAPIs to queues",
                            "    - selftests: net: make the dump test less sensitive to mem accounting",
                            "    - PCI: endpoint: pci-epf-test: Limit PCIe BAR size for fixed BARs",
                            "    - wifi: rtw89: Add USB ID 2001:332a for D-Link AX9U rev. A1",
                            "    - wifi: rtw89: Add USB ID 2001:3327 for D-Link AX18U rev. A1",
                            "    - wifi: iwlwifi: fw: Add ASUS to PPAG and TAS list",
                            "    - drm/xe/i2c: Enable bus mastering",
                            "    - media: ov08x40: Fix the horizontal flip control",
                            "    - media: i2c: og01a1b: Specify monochrome media bus format instead of",
                            "      Bayer",
                            "    - media: qcom: camss: csiphy-3ph: Add CSIPHY 2ph DPHY v2.0.1 init sequence",
                            "    - drm/bridge: write full Audio InfoFrame",
                            "    - drm/xe/guc: Always add CT disable action during second init step",
                            "    - f2fs: fix wrong layout information on 16KB page",
                            "    - selftests: mptcp: join: allow more time to send ADD_ADDR",
                            "    - scsi: ufs: host: mediatek: Enhance recovery on resume failure",
                            "    - scsi: ufs: ufs-qcom: Align programming sequence of Shared ICE for UFS",
                            "      controller v5",
                            "    - scsi: ufs: host: mediatek: Fix unbalanced IRQ enable issue",
                            "    - scsi: ufs: host: mediatek: Enhance recovery on hibernation exit failure",
                            "    - net: phy: marvell: Fix 88e1510 downshift counter errata",
                            "    - scsi: ufs: host: mediatek: Correct system PM flow",
                            "    - scsi: ufs: host: mediatek: Disable auto-hibern8 during power mode",
                            "      changes",
                            "    - scsi: ufs: host: mediatek: Fix adapt issue after PA_Init",
                            "    - wifi: cfg80211: update the time stamps in hidden ssid",
                            "    - wifi: mac80211: Fix HE capabilities element check",
                            "    - fbcon: Use screen info to find primary device",
                            "    - phy: cadence: cdns-dphy: Enable lower resolutions in dphy",
                            "    - Fix access to video_is_primary_device() when compiled without",
                            "      CONFIG_VIDEO",
                            "    - phy: renesas: r8a779f0-ether-serdes: add new step added to latest",
                            "      datasheet",
                            "    - phy: rockchip: phy-rockchip-inno-csidphy: allow writes to grf register 0",
                            "    - drm/msm/registers: Generate _HI/LO builders for reg64",
                            "    - net: sh_eth: Disable WoL if system can not suspend",
                            "    - selftests: net: replace sleeps in fcnal-test with waits",
                            "    - media: redrat3: use int type to store negative error codes",
                            "    - platform/x86/amd/pmf: Fix the custom bios input handling mechanism",
                            "    - selftests: traceroute: Use require_command()",
                            "    - selftests: traceroute: Return correct value on failure",
                            "    - openrisc: Add R_OR1K_32_PCREL relocation type module support",
                            "    - netfilter: nf_reject: don't reply to icmp error messages",
                            "    - x86/kvm: Prefer native qspinlock for dedicated vCPUs irrespective of",
                            "      PV_UNHALT",
                            "    - x86/virt/tdx: Use precalculated TDVPR page physical address",
                            "    - selftests: Disable dad for ipv6 in fcnal-test.sh",
                            "    - eth: 8139too: Make 8139TOO_PIO depend on !NO_IOPORT_MAP",
                            "    - [Config] No longer enable `CONFIG_8139TOO_PIO` for armhf",
                            "    - selftests: Replace sleep with slowwait",
                            "    - net: devmem: expose tcp_recvmsg_locked errors",
                            "    - selftests: net: lib.sh: Don't defer failed commands",
                            "    - HID: asus: add Z13 folio to generic group for multitouch to work",
                            "    - watchdog: s3c2410_wdt: Fix max_timeout being calculated larger",
                            "    - crypto: sun8i-ce - remove channel timeout field",
                            "    - PCI: dwc: Verify the single eDMA IRQ in dw_pcie_edma_irq_verify()",
                            "    - crypto: ccp - Fix incorrect payload size calculation in",
                            "      psp_poulate_hsti()",
                            "    - crypto: caam - double the entropy delay interval for retry",
                            "    - can: rcar_canfd: Update bit rate constants for RZ/G3E and R-Car Gen4",
                            "    - net: mana: Reduce waiting time if HWC not responding",
                            "    - ionic: use int type for err in ionic_get_module_eeprom_by_page",
                            "    - net/cls_cgroup: Fix task_get_classid() during qdisc run",
                            "    - wifi: mt76: mt7921: Add 160MHz beamformee capability for mt7922 device",
                            "    - wifi: mt76: mt7925: add pci restore for hibernate",
                            "    - wifi: mt76: mt7996: Fix mt7996_reverse_frag0_hdr_trans for MLO",
                            "    - wifi: mt76: mt7996: Set def_wcid pointer in mt7996_mac_sta_init_link()",
                            "    - wifi: mt76: mt7996: Temporarily disable EPCS",
                            "    - wifi: mt76: mt7996: support writing MAC TXD for AddBA Request",
                            "    - wifi: mt76: mt76_eeprom_override to int",
                            "    - ALSA: serial-generic: remove shared static buffer",
                            "    - wifi: mt76: mt7996: fix memory leak on mt7996_mcu_sta_key_tlv error",
                            "    - wifi: mt76: mt7996: disable promiscuous mode by default",
                            "    - wifi: mt76: use altx queue for offchannel tx on connac+",
                            "    - wifi: mt76: improve phy reset on hw restart",
                            "    - drm/amdgpu: Use memdup_array_user in amdgpu_cs_wait_fences_ioctl",
                            "    - drm/amdgpu: Release hive reference properly",
                            "    - drm/amd/display: Fix DMCUB loading sequence for DCN3.2",
                            "    - drm/amd/display: Set up pixel encoding for YCBCR422",
                            "    - drm/amd/display: fix dml ms order of operations",
                            "    - drm/amd/display: Don't use non-registered VUPDATE on DCE 6",
                            "    - drm/amd/display: Keep PLL0 running on DCE 6.0 and 6.4",
                            "    - drm/amd/display: Fix DVI-D/HDMI adapters",
                            "    - drm/amd/display: Disable VRR on DCE 6",
                            "    - drm/amd/display/dml2: Guard dml21_map_dc_state_into_dml_display_cfg with",
                            "      DC_FP_START",
                            "    - net: phy: clear EEE runtime state in PHY_HALTED/PHY_ERROR",
                            "    - ethernet: Extend device_get_mac_address() to use NVMEM",
                            "    - scsi: ufs: ufs-qcom: Disable lane clocks during phy hibern8",
                            "    - HID: i2c-hid: Resolve touchpad issues on Dell systems during S4",
                            "    - hinic3: Queue pair endianness improvements",
                            "    - hinic3: Fix missing napi->dev in netif_queue_set_napi",
                            "    - tools: ynl-gen: validate nested arrays",
                            "    - drm/xe/guc: Return an error code if the GuC load fails",
                            "    - drm/amdgpu: reject gang submissions under SRIOV",
                            "    - selftests/Makefile: include $(INSTALL_DEP_TARGETS) in clean target to",
                            "      clean net/lib dependency",
                            "    - scsi: ufs: core: Disable timestamp functionality if not supported",
                            "    - scsi: lpfc: Clean up allocated queues when queue setup mbox commands",
                            "      fail",
                            "    - scsi: lpfc: Decrement ndlp kref after FDISC retries exhausted",
                            "    - scsi: lpfc: Check return status of lpfc_reset_flush_io_context during",
                            "      TGT_RESET",
                            "    - scsi: lpfc: Remove ndlp kref decrement clause for F_Port_Ctrl in",
                            "      lpfc_cleanup",
                            "    - scsi: lpfc: Define size of debugfs entry for xri rebalancing",
                            "    - scsi: lpfc: Ensure PLOGI_ACC is sent prior to PRLI in Point to Point",
                            "      topology",
                            "    - allow finish_no_open(file, ERR_PTR(-E...))",
                            "    - usb: mon: Increase BUFF_MAX to 64 MiB to support multi-MB URBs",
                            "    - usb: xhci: plat: Facilitate using autosuspend for xhci plat devices",
                            "    - wifi: rtw89: disable RTW89_PHYSTS_IE09_FTR_0 for ppdu status",
                            "    - wifi: rtw89: obtain RX path from ppdu status IE00",
                            "    - wifi: rtw89: renew a completion for each H2C command waiting C2H event",
                            "    - usb: xhci-pci: add support for hosts with zero USB3 ports",
                            "    - ipv6: np->rxpmtu race annotation",
                            "    - RDMA/irdma: Update Kconfig",
                            "    - IB/ipoib: Ignore L3 master device",
                            "    - bnxt_en: Add fw log trace support for 5731X/5741X chips",
                            "    - mei: make a local copy of client uuid in connect",
                            "    - ASoC: qcom: sc8280xp: explicitly set S16LE format in",
                            "      sc8280xp_be_hw_params_fixup()",
                            "    - net: phy: clear link parameters on admin link down",
                            "    - net: ethernet: microchip: sparx5: make it selectable for ARCH_LAN969X",
                            "    - bus: mhi: core: Improve mhi_sync_power_up handling for SYS_ERR state",
                            "    - iommu/vt-d: Replace snprintf with scnprintf in dmar_latency_snapshot()",
                            "    - wifi: ath10k: Fix connection after GTK rekeying",
                            "    - iommu/vt-d: Remove LPIG from page group response descriptor",
                            "    - wifi: mac80211: Get the correct interface for non-netdev skb status",
                            "    - wifi: mac80211: Track NAN interface start/stop",
                            "    - net: intel: fm10k: Fix parameter idx set but not used",
                            "    - sparc/module: Add R_SPARC_UA64 relocation handling",
                            "    - sparc64: fix prototypes of reads[bwl]()",
                            "    - vfio: return -ENOTTY for unsupported device feature",
                            "    - ptp_ocp: make ptp_ocp driver compatible with PTP_EXTTS_REQUEST2",
                            "    - crypto: hisilicon/qm - invalidate queues in use",
                            "    - crypto: hisilicon/qm - clear all VF configurations in the hardware",
                            "    - ASoC: ops: improve snd_soc_get_volsw",
                            "    - PCI/PM: Skip resuming to D0 if device is disconnected",
                            "    - selftests: forwarding: Reorder (ar)ping arguments to obey POSIX getopt",
                            "    - remoteproc: qcom: q6v5: Avoid handling handover twice",
                            "    - wifi: ath12k: Increase DP_REO_CMD_RING_SIZE to 256",
                            "    - net: dsa: microchip: Set SPI as bus interface during reset for KSZ8463",
                            "    - bng_en: make bnge_alloc_ring() self-unwind on failure",
                            "    - ALSA: usb-audio: don't apply interface quirk to Presonus S1824c",
                            "    - tcp: Update bind bucket state on port release",
                            "    - ovl: make sure that ovl_create_real() returns a hashed dentry",
                            "    - drm/amd/display: Add missing post flip calls",
                            "    - drm/amd/display: Add AVI infoframe copy in copy_stream_update_to_stream",
                            "    - drm/amd/display: Add fast sync field in ultra sleep more for DMUB",
                            "    - drm/amd/display: Init dispclk from bootup clock for DCN314",
                            "    - drm/amd/display: Fix for test crash due to power gating",
                            "    - drm/amd/display: change dc stream color settings only in atomic commit",
                            "    - NFSv4: handle ERR_GRACE on delegation recalls",
                            "    - NFSv4.1: fix mount hang after CREATE_SESSION failure",
                            "    - net: bridge: Install FDB for bridge MAC on VLAN 0",
                            "    - net: phy: dp83640: improve phydev and driver removal handling",
                            "    - scsi: ufs: core: Change MCQ interrupt enable flow",
                            "    - scsi: libfc: Fix potential buffer overflow in fc_ct_ms_fill()",
                            "    - accel/habanalabs/gaudi2: fix BMON disable configuration",
                            "    - scsi: mpt3sas: Add support for 22.5 Gbps SAS link rate",
                            "    - accel/habanalabs: return ENOMEM if less than requested pages were pinned",
                            "    - accel/habanalabs/gaudi2: read preboot status after recovering from dirty",
                            "      state",
                            "    - ASoC: renesas: msiof: add .symmetric_xxx on snd_soc_dai_driver",
                            "    - ASoC: renesas: msiof: use reset controller",
                            "    - ASoC: renesas: msiof: tidyup DMAC stop timing",
                            "    - ASoC: renesas: msiof: set SIFCTR register",
                            "    - ext4: increase IO priority of fastcommit",
                            "    - drm/amdgpu: Add fallback to pipe reset if KCQ ring reset fails",
                            "    - drm/amdgpu: Fix fence signaling race condition in userqueue",
                            "    - ASoC: stm32: sai: manage context in set_sysclk callback",
                            "    - ASoC: tlv320aic3x: Fix class-D initialization for tlv320aic3007",
                            "    - ACPI: scan: Update honor list for RPMI System MSI",
                            "    - platform/x86: x86-android-tablets: Stop using EPROBE_DEFER",
                            "    - vfio/pci: Fix INTx handling on legacy non-PCI 2.3 devices",
                            "    - vfio/nvgrace-gpu: Add GB300 SKU to the devid table",
                            "    - selftest: net: Fix error message if empty variable",
                            "    - net/mlx5e: Don't query FEC statistics when FEC is disabled",
                            "    - Bluetooth: btintel: Add support for BlazarIW core",
                            "    - net: macb: avoid dealing with endianness in macb_set_hwaddr()",
                            "    - Bluetooth: btusb: Add new VID/PID 13d3/3627 for MT7925",
                            "    - Bluetooth: btintel_pcie: Define hdev->wakeup() callback",
                            "    - Bluetooth: ISO: Don't initiate CIS connections if there are no buffers",
                            "    - Bluetooth: btusb: Check for unexpected bytes when defragmenting HCI",
                            "      frames",
                            "    - Bluetooth: ISO: Use sk_sndtimeo as conn_timeout",
                            "    - Bluetooth: btusb: Add new VID/PID 13d3/3633 for MT7922",
                            "    - net: stmmac: est: Drop frames causing HLBS error",
                            "    - exfat: limit log print for IO error",
                            "    - 6pack: drop redundant locking and refcounting",
                            "    - page_pool: Clamp pool size to max 16K pages",
                            "    - net/mlx5e: Prevent entering switchdev mode with inconsistent netns",
                            "    - ksmbd: use sock_create_kern interface to create kernel socket",
                            "    - smb: client: update cfid->last_access_time in",
                            "      open_cached_dir_by_dentry()",
                            "    - smb: client: transport: avoid reconnects triggered by pending task work",
                            "    - usb: xhci-pci: Fix USB2-only root hub registration",
                            "    - drm/amd/display: Add fallback path for YCBCR422",
                            "    - ACPICA: Update dsmethod.c to get rid of unused variable warning",
                            "    - RDMA/bnxt_re: Fix a potential memory leak in destroy_gsi_sqp",
                            "    - RDMA/irdma: Fix SD index calculation",
                            "    - RDMA/irdma: Remove unused struct irdma_cq fields",
                            "    - RDMA/irdma: Set irdma_cq cq_num field during CQ create",
                            "    - RDMA/uverbs: Fix umem release in UVERBS_METHOD_CQ_CREATE",
                            "    - RDMA/hns: Fix recv CQ and QP cache affinity",
                            "    - RDMA/hns: Fix the modification of max_send_sge",
                            "    - RDMA/hns: Fix wrong WQE data when QP wraps around",
                            "    - btrfs: mark dirty extent range for out of bound prealloc extents",
                            "    - clk: qcom: gcc-ipq6018: rework nss_port5 clock to multiple conf",
                            "    - clk: renesas: rzv2h: Re-assert reset on deassert timeout",
                            "    - clk: samsung: exynos990: Add missing USB clock registers to HSI0",
                            "    - fs/hpfs: Fix error code for new_inode() failure in",
                            "      mkdir/create/mknod/symlink",
                            "    - clocksource: hyper-v: Skip unnecessary checks for the root partition",
                            "    - hyperv: Add missing field to hv_output_map_device_interrupt",
                            "    - um: Fix help message for ssl-non-raw",
                            "    - clk: sunxi-ng: sun6i-rtc: Add A523 specifics",
                            "    - rtc: pcf2127: clear minute/second interrupt",
                            "    - ARM: at91: pm: save and restore ACR during PLL disable/enable",
                            "    - clk: at91: add ACR in all PLL settings",
                            "    - clk: at91: sam9x7: Add peripheral clock id for pmecc",
                            "    - clk: at91: clk-master: Add check for divide by 3",
                            "    - clk: at91: clk-sam9x60-pll: force write to PLL_UPDT register",
                            "    - clk: ti: am33xx: keep WKUP_DEBUGSS_CLKCTRL enabled",
                            "    - clk: scmi: Add duty cycle ops only when duty cycle is supported",
                            "    - clk: clocking-wizard: Fix output clock register offset for Versal",
                            "      platforms",
                            "    - NTB: epf: Allow arbitrary BAR mapping",
                            "    - 9p: fix /sys/fs/9p/caches overwriting itself",
                            "    - cpufreq: tegra186: Initialize all cores to max frequencies",
                            "    - 9p: sysfs_init: don't hardcode error to ENOMEM",
                            "    - scsi: ufs: core: Include UTP error in INT_FATAL_ERRORS",
                            "    - fbdev: core: Fix ubsan warning in pixel_to_pat",
                            "    - ACPI: property: Return present device nodes only on fwnode interface",
                            "    - LoongArch: Handle new atomic instructions for probes",
                            "    - tools bitmap: Add missing asm-generic/bitsperlong.h include",
                            "    - tools: lib: thermal: don't preserve owner in install",
                            "    - tools: lib: thermal: use pkg-config to locate libnl3",
                            "    - ALSA: hda/realtek: Add quirk for ASUS ROG Zephyrus Duo",
                            "    - rtc: zynqmp: Restore alarm functionality after kexec transition",
                            "    - rtc: pcf2127: fix watchdog interrupt mask on pcf2131",
                            "    - net: wwan: t7xx: add support for HP DRMR-H01",
                            "    - kbuild: uapi: Strip comments before size type check",
                            "    - ASoC: meson: aiu-encoder-i2s: fix bit clock polarity",
                            "    - ASoC: rt722: add settings for rt722VB",
                            "    - drm/amdgpu: Report individual reset error",
                            "    - ceph: add checking of wait_for_completion_killable() return value",
                            "    - ceph: fix potential race condition in ceph_ioctl_lazyio()",
                            "    - ceph: refactor wake_up_bit() pattern of calling",
                            "    - x86: uaccess: don't use runtime-const rewriting in modules",
                            "    - rust: condvar: fix broken intra-doc link",
                            "    - rust: devres: fix private intra-doc link",
                            "    - rust: kbuild: workaround `rustdoc` doctests modifier bug",
                            "    - rust: kbuild: treat `build_error` and `rustdoc` as kernel objects",
                            "    - media: uvcvideo: Use heuristic to find stream entity",
                            "    - Revert \"wifi: ath10k: avoid unnecessary wait for service ready message\"",
                            "    - tracing: tprobe-events: Fix to register tracepoint correctly",
                            "    - tracing: tprobe-events: Fix to put tracepoint_user when disable the",
                            "      tprobe",
                            "    - net: libwx: fix device bus LAN ID",
                            "    - scsi: ufs: core: Fix a race condition related to the \"hid\" attribute",
                            "      group",
                            "    - riscv: ptdump: use seq_puts() in pt_dump_seq_puts() macro",
                            "    - Revert \"wifi: ath12k: Fix missing station power save configuration\"",
                            "    - scsi: ufs: core: Revert \"Make HID attributes visible\"",
                            "    - Bluetooth: btrtl: Fix memory leak in rtlbt_parse_firmware_v2()",
                            "    - net: dsa: tag_brcm: legacy: fix untagged rx on unbridged ports for",
                            "      bcm63xx",
                            "    - selftests/net: fix out-of-order delivery of FIN in gro:tcp test",
                            "    - selftests/net: use destination options instead of hop-by-hop",
                            "    - selftests: netdevsim: Fix ethtool-coalesce.sh fail by installing",
                            "      ethtool-common.sh",
                            "    - net: vlan: sync VLAN features with lower device",
                            "    - net: dsa: b53: fix resetting speed and pause on forced link",
                            "    - net: dsa: b53: fix bcm63xx RGMII port link adjustment",
                            "    - net: dsa: b53: fix enabling ip multicast",
                            "    - net: dsa: b53: stop reading ARL entries if search is done",
                            "    - net: dsa: b53: properly bound ARL searches for < 4 ARL bin chips",
                            "    - sctp: Hold RCU read lock while iterating over address list",
                            "    - sctp: Hold sock lock while iterating over address list",
                            "    - net: ionic: add dma_wmb() before ringing TX doorbell",
                            "    - net: ionic: map SKB after pseudo-header checksum prep",
                            "    - octeontx2-pf: Fix devm_kcalloc() error checking",
                            "    - bnxt_en: Fix a possible memory leak in bnxt_ptp_init",
                            "    - bnxt_en: Always provide max entry and entry size in coredump segments",
                            "    - bnxt_en: Fix warning in bnxt_dl_reload_down()",
                            "    - wifi: mac80211_hwsim: Limit destroy_on_close radio removal to netgroup",
                            "    - io_uring: fix types for region size calulation",
                            "    - net/mlx5e: Fix return value in case of module EEPROM read error",
                            "    - net: ti: icssg-prueth: Fix fdb hash size configuration",
                            "    - net/mlx5e: SHAMPO, Fix header mapping for 64K pages",
                            "    - net/mlx5e: SHAMPO, Fix skb size check for 64K pages",
                            "    - net/mlx5e: SHAMPO, Fix header formulas for higher MTUs and 64K pages",
                            "    - net: wan: framer: pef2256: Switch to devm_mfd_add_devices()",
                            "    - net: dsa: microchip: Fix reserved multicast address table programming",
                            "    - net: bridge: fix MST static key usage",
                            "    - selftests/vsock: avoid false-positives when checking dmesg",
                            "    - tracing: Fix memory leaks in create_field_var()",
                            "    - drm/amd/display: Enable mst when it's detected but yet to be initialized",
                            "    - wifi: cfg80211: add an hrtimer based delayed work item",
                            "    - wifi: mac80211: use wiphy_hrtimer_work for ml_reconf_work",
                            "    - wifi: mac80211: use wiphy_hrtimer_work for ttlm_work",
                            "    - wifi: mac80211: use wiphy_hrtimer_work for csa.switch_work",
                            "    - riscv: Fix memory leak in module_frob_arch_sections()",
                            "    - rtc: rx8025: fix incorrect register reference",
                            "    - x86/microcode/AMD: Add more known models to entry sign checking",
                            "    - smb: client: validate change notify buffer before copy",
                            "    - x86/amd_node: Fix AMD root device caching",
                            "    - xfs: fix delalloc write failures in software-provided atomic writes",
                            "    - xfs: fix various problems in xfs_atomic_write_cow_iomap_begin",
                            "    - x86/CPU/AMD: Add missing terminator for zen5_rdseed_microcode",
                            "    - drm: define NVIDIA DRM format modifiers for GB20x",
                            "    - drm/nouveau: Advertise correct modifiers on GB20x",
                            "    - drm/amdgpu/smu: Handle S0ix for vangogh",
                            "    - drm/amdkfd: Don't clear PT after process killed",
                            "    - virtio_net: fix alignment for virtio_net_hdr_v1_hash",
                            "    - lib/crypto: curve25519-hacl64: Fix older clang KASAN workaround for GCC",
                            "    - scsi: ufs: ufs-pci: Fix S0ix/S3 for Intel controllers",
                            "    - scsi: ufs: ufs-pci: Set UFSHCD_QUIRK_PERFORM_LINK_STARTUP_ONCE for Intel",
                            "      ADL",
                            "    - scsi: ufs: core: Add a quirk to suppress link_startup_again",
                            "    - drm/amd/display: update color on atomic commit time",
                            "    - extcon: adc-jack: Cleanup wakeup source only if it was enabled",
                            "    - kunit: Extend kconfig help text for KUNIT_UML_PCI",
                            "    - ALSA: hda/tas2781: Enable init_profile_id for device initialization",
                            "    - ACPI: SPCR: Check for table version when using precise baudrate",
                            "    - kbuild: Strip trailing padding bytes from modules.builtin.modinfo",
                            "    - drm/amdgpu: Fix unintended error log in VCN5_0_0",
                            "    - drm/amd/display: Fix vupdate_offload_work doc",
                            "    - drm/amdgpu: Fix function header names in amdgpu_connectors.c",
                            "    - drm/amdgpu/userq: assign an error code for invalid userq va",
                            "    - drm/msm/dpu: Fix adjusted mode clock check for 3d merge",
                            "    - drm/amd/display: Reject modes with too high pixel clock on DCE6-10",
                            "    - drm/amd/display: use GFP_NOWAIT for allocation in interrupt handler",
                            "    - drm/amd/display: Fix black screen with HDMI outputs",
                            "    - selftests: drv-net: Reload pkt pointer after calling filter_udphdr",
                            "    - dt-bindings: eeprom: at25: use \"size\" for FRAMs without device ID",
                            "    - Linux 6.17.8",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68316",
                            "    - scsi: ufs: core: Fix invalid probe error return value",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40292",
                            "    - virtio-net: fix received length check in big packets",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68180",
                            "    - drm/amd/display: Fix NULL deref in debugfs odm_combine_segments",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40327",
                            "    - perf/core: Fix system hang caused by cpu-clock usage",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40328",
                            "    - smb: client: fix potential UAF in smb2_close_cached_fid()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40291",
                            "    - io_uring: fix regbuf vector size truncation",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68322",
                            "    - parisc: Avoid crash due to unaligned access in unwinder",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40293",
                            "    - iommufd: Don't overflow during division for dirty tracking",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40294",
                            "    - Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40329",
                            "    - drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40295",
                            "    - fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40296",
                            "    - platform/x86: int3472: Fix double free of GPIO device during unregister",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40297",
                            "    - net: bridge: fix use-after-free due to MST port state bypass",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68320",
                            "    - lan966x: Fix sleeping in atomic context",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68169",
                            "    - netpoll: Fix deadlock in memory allocation under spinlock",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68197",
                            "    - bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40330",
                            "    - bnxt_en: Shutdown FW DMA in bnxt_shutdown()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68192",
                            "    - net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40331",
                            "    - sctp: Prevent TOCTOU out-of-bounds write",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68187",
                            "    - net: mdio: Check regmap pointer returned by device_node_to_regmap()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68167",
                            "    - gpiolib: fix invalid pointer access in debugfs",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68319",
                            "    - netconsole: Acquire su_mutex before navigating configs hierarchy",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40298",
                            "    - gve: Implement settime64 with -EOPNOTSUPP",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40299",
                            "    - gve: Implement gettimex64 with -EOPNOTSUPP",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40301",
                            "    - Bluetooth: hci_event: validate skb length for unknown CC opcode",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40358",
                            "    - riscv: stacktrace: Disable KASAN checks for non-current tasks",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68186",
                            "    - ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader",
                            "      catches up",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68184",
                            "    - drm/mediatek: Disable AFBC support on Mediatek DRM driver",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40302",
                            "    - media: videobuf2: forbid remove_bufs when legacy fileio is active",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40303",
                            "    - btrfs: ensure no dirty metadata is written back for an fs with errors",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40362",
                            "    - ceph: fix multifs mds auth caps issue",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40332",
                            "    - drm/amdkfd: Fix mmap write lock not release",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40304",
                            "    - fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40305",
                            "    - 9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68318",
                            "    - clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40209",
                            "    - btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68183",
                            "    - ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68173",
                            "    - ftrace: Fix softlockup in ftrace_module_enable",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40306",
                            "    - orangefs: fix xattr related buffer overflow...",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40307",
                            "    - exfat: validate cluster allocation bits of the allocation bitmap",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40308",
                            "    - Bluetooth: bcsp: receive data only if registered",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40309",
                            "    - Bluetooth: SCO: Fix UAF on sco_conn_free",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68174",
                            "    - amd/amdkfd: enhance kfd process check in switch partition",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40310",
                            "    - amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40361",
                            "    - fs: ext4: change GFP_KERNEL to GFP_NOFS to avoid deadlock",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40311",
                            "    - accel/habanalabs: support mapping cb with vmalloc-backed coherent memory",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68185",
                            "    - nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode",
                            "      dereferencing",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68176",
                            "    - PCI: cadence: Check for the existence of cdns_pcie::ops before using it",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68190",
                            "    - drm/amdgpu/atom: Check kcalloc() for WS buffer in",
                            "      amdgpu_atom_execute_table_locked()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68168",
                            "    - jfs: fix uninitialized waitqueue in transaction manager",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40312",
                            "    - jfs: Verify inode mode when loading from disk",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40333",
                            "    - f2fs: fix infinite loop in __insert_extent_tree()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68321",
                            "    - page_pool: always add GFP_NOWARN for ATOMIC allocations",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40334",
                            "    - drm/amdgpu: validate userq buffer virtual address and size",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68191",
                            "    - udp_tunnel: use netdev_warn() instead of netdev_WARN()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68309",
                            "    - PCI/AER: Fix NULL pointer access by aer_info",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40313",
                            "    - ntfs3: pretend $Extend records as regular files",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40335",
                            "    - drm/amdgpu: validate userq input args",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40314",
                            "    - usb: cdns3: gadget: Use-after-free during failed initialization and exit",
                            "      of cdnsp gadget",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40336",
                            "    - drm/gpusvm: fix hmm_pfn_to_map_order() usage",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68193",
                            "    - drm/xe/guc: Add devm release action to safely tear down CT",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68175",
                            "    - media: nxp: imx8-isi: Fix streaming cleanup on release",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68188",
                            "    - tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68315",
                            "    - f2fs: fix to detect potential corrupted nid in free_nid_list",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40337",
                            "    - net: stmmac: Correctly handle Rx checksum offload errors",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40338",
                            "    - ASoC: Intel: avs: Do not share the name pointer between components",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40339",
                            "    - drm/amdgpu: fix nullptr err of vm_handle_moved",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68194",
                            "    - media: imon: make send_packet() more robust",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40363",
                            "    - net: ipv6: fix field-spanning memcpy warning in AH output",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68311",
                            "    - tty: serial: ip22zilog: Use platform device for probing",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40340",
                            "    - drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68196",
                            "    - drm/amd/display: Cache streams targeting link when performing LT",
                            "      automation",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68178",
                            "    - blk-cgroup: fix possible deadlock while configuring policy",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40341",
                            "    - futex: Don't leak robust_list pointer on exec race",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40342",
                            "    - nvme-fc: use lock accessing port_state and rport state",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40343",
                            "    - nvmet-fc: avoid scheduling association deletion twice",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68177",
                            "    - cpufreq/longhaul: handle NULL policy in longhaul_exit",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68317",
                            "    - io_uring/zctx: check chained notif contexts",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40315",
                            "    - usb: gadget: f_fs: Fix epfile null pointer access after ep enable.",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40316",
                            "    - drm/mediatek: Fix device use-after-free on unbind",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40360",
                            "    - drm/sysfb: Do not dereference NULL pointer in plane reset",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68179",
                            "    - s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68310",
                            "    - s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40317",
                            "    - regmap: slimbus: fix bus_context pointer in regmap init calls",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40359",
                            "    - perf/x86/intel: Fix KASAN global-out-of-bounds warning",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68181",
                            "    - drm/radeon: Remove calls to drm_put_dev()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68170",
                            "    - drm/radeon: Do not kfree() devres managed rdev",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40213",
                            "    - Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40318",
                            "    - Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68312",
                            "    - usbnet: Prevents free active kevent",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40344",
                            "    - ASoC: Intel: avs: Disable periods-elapsed work when closing PCM",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68172",
                            "    - crypto: aspeed - fix double free caused by devm",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40319",
                            "    - bpf: Sync pending IRQ work before freeing ring buffer",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68182",
                            "    - wifi: iwlwifi: fix potential use after free in iwl_mld_remove_link()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68314",
                            "    - drm/msm: make sure last_fence is always updated",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68189",
                            "    - drm/msm: Fix GEM free for imported dma-bufs",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68171",
                            "    - x86/fpu: Ensure XFD state on signal delivery",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68313",
                            "    - x86/CPU/AMD: Add RDSEED fix for Zen5",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40320",
                            "    - smb: client: fix potential cfid UAF in smb2_query_info_compound",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40321",
                            "    - wifi: brcmfmac: fix crash while sending Action Frames in standalone AP",
                            "      Mode",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40322",
                            "    - fbdev: bitblit: bound-check glyph index in bit_putcs*",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40211",
                            "    - ACPI: video: Fix use-after-free in acpi_video_switch_brightness()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40323",
                            "    - fbcon: Set fb_display[i]->mode to NULL when the mode is released",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40210",
                            "    - Revert \"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\"",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40324",
                            "    - NFSD: Fix crash in nfsd4_read_release()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40326",
                            "    - NFSD: Define actions for the new time_deleg FATTR4 attributes",
                            "  * Questing update: v6.17.7 upstream stable release (LP: #2136813)",
                            "    - sched_ext: Move internal type and accessor definitions to ext_internal.h",
                            "    - sched_ext: Put event_stats_cpu in struct scx_sched_pcpu",
                            "    - sched_ext: Sync error_irq_work before freeing scx_sched",
                            "    - timekeeping: Fix aux clocks sysfs initialization loop bound",
                            "    - x86/bugs: Report correct retbleed mitigation status",
                            "    - x86/bugs: Qualify RETBLEED_INTEL_MSG",
                            "    - genirq/chip: Add buslock back in to irq_set_handler()",
                            "    - genirq/manage: Add buslock back in to __disable_irq_nosync()",
                            "    - genirq/manage: Add buslock back in to enable_irq()",
                            "    - audit: record fanotify event regardless of presence of rules",
                            "    - EDAC/ie31200: Add two more Intel Alder Lake-S SoCs for EDAC support",
                            "    - perf/x86/intel: Add ICL_FIXED_0_ADAPTIVE bit into INTEL_FIXED_BITS_MASK",
                            "    - perf: Use current->flags & PF_KTHREAD|PF_USER_WORKER instead of",
                            "      current->mm == NULL",
                            "    - perf: Have get_perf_callchain() return NULL if crosstask and user are",
                            "      set",
                            "    - perf: Skip user unwind if the task is a kernel thread",
                            "    - EDAC: Fix wrong executable file modes for C source files",
                            "    - seccomp: passthrough uprobe systemcall without filtering",
                            "    - sched_ext: Keep bypass on between enable failure and",
                            "      scx_disable_workfn()",
                            "    - x86/bugs: Add attack vector controls for VMSCAPE",
                            "    - x86/bugs: Fix reporting of LFENCE retpoline",
                            "    - EDAC/mc_sysfs: Increase legacy channel support to 16",
                            "    - cpuset: Use new excpus for nocpu error check when enabling root",
                            "      partition",
                            "    - btrfs: abort transaction on specific error places when walking log tree",
                            "    - btrfs: abort transaction in the process_one_buffer() log tree walk",
                            "      callback",
                            "    - btrfs: zoned: return error from btrfs_zone_finish_endio()",
                            "    - btrfs: zoned: refine extent allocator hint selection",
                            "    - btrfs: scrub: replace max_t()/min_t() with clamp() in",
                            "      scrub_throttle_dev_io()",
                            "    - btrfs: always drop log root tree reference in btrfs_replay_log()",
                            "    - btrfs: use level argument in log tree walk callback replay_one_buffer()",
                            "    - btrfs: abort transaction if we fail to update inode in log replay dir",
                            "      fixup",
                            "    - btrfs: tree-checker: add inode extref checks",
                            "    - btrfs: use smp_mb__after_atomic() when forcing COW in",
                            "      create_pending_snapshot()",
                            "    - sched_ext: Make qmap dump operation non-destructive",
                            "    - arch: Add the macro COMPILE_OFFSETS to all the asm-offsets.c",
                            "    - btrfs: tree-checker: fix bounds check in check_inode_extref()",
                            "    - Linux 6.17.7",
                            "  * [UBUNTU 24.04] KVM: s390: improve interrupt cpu for wakeup (LP: #2132317)",
                            "    - KVM: s390: improve interrupt cpu for wakeup",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982)",
                            "    - sched/fair: Block delayed tasks on throttled hierarchy during dequeue",
                            "    - vfio/cdx: update driver to build without CONFIG_GENERIC_MSI_IRQ",
                            "    - expfs: Fix exportfs_can_encode_fh() for EXPORT_FH_FID",
                            "    - cgroup/misc: fix misc_res_type kernel-doc warning",
                            "    - dlm: move to rinfo for all middle conversion cases",
                            "    - exec: Fix incorrect type for ret",
                            "    - s390/pkey: Forward keygenflags to ep11_unwrapkey",
                            "    - hfs: clear offset and space out of valid records in b-tree node",
                            "    - hfs: make proper initalization of struct hfs_find_data",
                            "    - hfs: validate record offset in hfsplus_bmap_alloc",
                            "    - hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()",
                            "    - dlm: check for defined force value in dlm_lockspace_release",
                            "    - hfsplus: return EIO when type of hidden directory mismatch in",
                            "      hfsplus_fill_super()",
                            "    - PCI: Test for bit underflow in pcie_set_readrq()",
                            "    - lkdtm: fortify: Fix potential NULL dereference on kmalloc failure",
                            "    - arm64: sysreg: Correct sign definitions for EIESB and DoubleLock",
                            "    - m68k: bitops: Fix find_*_bit() signatures",
                            "    - powerpc/32: Remove PAGE_KERNEL_TEXT to fix startup failure",
                            "    - riscv: mm: Return intended SATP mode for noXlvl options",
                            "    - riscv: mm: Use mmu-type from FDT to limit SATP mode",
                            "    - riscv: cpufeature: add validation for zfa, zfh and zfhmin",
                            "    - drivers/perf: hisi: Relax the event ID check in the framework",
                            "    - s390/mm: Use __GFP_ACCOUNT for user page table allocations",
                            "    - smb: client: queue post_recv_credits_work also if the peer raises the",
                            "      credit target",
                            "    - smb: client: limit the range of info->receive_credit_target",
                            "    - smb: client: make use of ib_wc_status_msg() and skip IB_WC_WR_FLUSH_ERR",
                            "      logging",
                            "    - smb: server: let smb_direct_flush_send_list() invalidate a remote key",
                            "      first",
                            "    - Unbreak 'make tools/*' for user-space targets",
                            "    - platform/mellanox: mlxbf-pmc: add sysfs_attr_init() to count_clock init",
                            "    - cpufreq/amd-pstate: Fix a regression leading to EPP 0 after hibernate",
                            "    - net/mlx5e: Return 1 instead of 0 in invalid case in",
                            "      mlx5e_mpwrq_umr_entry_size()",
                            "    - rtnetlink: Allow deleting FDB entries in user namespace",
                            "    - net: enetc: fix the deadlock of enetc_mdio_lock",
                            "    - net: enetc: correct the value of ENETC_RXB_TRUESIZE",
                            "    - dpaa2-eth: fix the pointer passed to PTR_ALIGN on Tx path",
                            "    - net: phy: realtek: fix rtl8221b-vm-cg name",
                            "    - can: bxcan: bxcan_start_xmit(): use can_dev_dropped_skb() instead of",
                            "      can_dropped_invalid_skb()",
                            "    - can: esd: acc_start_xmit(): use can_dev_dropped_skb() instead of",
                            "      can_dropped_invalid_skb()",
                            "    - can: rockchip-canfd: rkcanfd_start_xmit(): use can_dev_dropped_skb()",
                            "      instead of can_dropped_invalid_skb()",
                            "    - selftests: net: fix server bind failure in sctp_vrf.sh",
                            "    - net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for legacy RQ",
                            "    - net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding",
                            "      RQ",
                            "    - net/smc: fix general protection fault in __smc_diag_dump",
                            "    - net: ethernet: ti: am65-cpts: fix timestamp loss due to race conditions",
                            "    - arm64, mm: avoid always making PTE dirty in pte_mkwrite()",
                            "    - erofs: avoid infinite loops due to corrupted subpage compact indexes",
                            "    - net: hibmcge: select FIXED_PHY",
                            "    - ptp: ocp: Fix typo using index 1 instead of i in SMA initialization loop",
                            "    - net: hsr: prevent creation of HSR device with slaves from another netns",
                            "    - espintcp: use datagram_poll_queue for socket readiness",
                            "    - net: datagram: introduce datagram_poll_queue for custom receive queues",
                            "    - ovpn: use datagram_poll_queue for socket readiness in TCP",
                            "    - net: bonding: fix possible peer notify event loss or dup issue",
                            "    - hung_task: fix warnings caused by unaligned lock pointers",
                            "    - mm: don't spin in add_stack_record when gfp flags don't allow",
                            "    - dma-debug: don't report false positives with",
                            "      DMA_BOUNCE_UNALIGNED_KMALLOC",
                            "    - arch_topology: Fix incorrect error check in",
                            "      topology_parse_cpu_capacity()",
                            "    - riscv: hwprobe: Fix stale vDSO data for late-initialized keys at boot",
                            "    - io_uring/sqpoll: switch away from getrusage() for CPU accounting",
                            "    - io_uring/sqpoll: be smarter on when to update the stime usage",
                            "    - btrfs: send: fix duplicated rmdir operations when using extrefs",
                            "    - btrfs: ref-verify: fix IS_ERR() vs NULL check in btrfs_build_ref_tree()",
                            "    - gpio: pci-idio-16: Define maximum valid register address offset",
                            "    - gpio: 104-idio-16: Define maximum valid register address offset",
                            "    - xfs: fix locking in xchk_nlinks_collect_dir",
                            "    - platform/x86: alienware-wmi-wmax: Add AWCC support to Dell G15 5530",
                            "    - Revert \"cpuidle: menu: Avoid discarding useful information\"",
                            "    - riscv: cpufeature: avoid uninitialized variable in",
                            "      has_thead_homogeneous_vlenb()",
                            "    - rust: device: fix device context of Device::parent()",
                            "    - slab: Avoid race on slab->obj_exts in alloc_slab_obj_exts",
                            "    - slab: Fix obj_ext mistakenly considered NULL due to race condition",
                            "    - smb: client: get rid of d_drop() in cifs_do_rename()",
                            "    - ACPICA: Work around bogus -Wstringop-overread warning since GCC 11",
                            "    - arm64: mte: Do not warn if the page is already tagged in copy_highpage()",
                            "    - can: netlink: can_changelink(): allow disabling of automatic restart",
                            "    - cifs: Fix TCP_Server_Info::credits to be signed",
                            "    - devcoredump: Fix circular locking dependency with devcd->mutex.",
                            "    - hwmon: (pmbus/max34440) Update adpm12160 coeff due to latest FW",
                            "    - MIPS: Malta: Fix keyboard resource preventing i8042 driver from",
                            "      registering",
                            "    - rv: Make rtapp/pagefault monitor depends on CONFIG_MMU",
                            "    - net: bonding: update the slave array for broadcast mode",
                            "    - net: stmmac: dwmac-rk: Fix disabling set_clock_selection",
                            "    - net: usb: rtl8150: Fix frame padding",
                            "    - net: ravb: Enforce descriptor type ordering",
                            "    - net: ravb: Ensure memory write completes before ringing TX doorbell",
                            "    - mptcp: pm: in-kernel: C-flag: handle late ADD_ADDR",
                            "    - selftests: mptcp: join: mark 'flush re-add' as skipped if not supported",
                            "    - selftests: mptcp: join: mark implicit tests as skipped if not supported",
                            "    - selftests: mptcp: join: mark 'delete re-add signal' as skipped if not",
                            "      supported",
                            "    - mm/mremap: correctly account old mapping after MREMAP_DONTUNMAP remap",
                            "    - drm/xe: Check return value of GGTT workqueue allocation",
                            "    - drm/amd/display: increase max link count and fix link->enc NULL pointer",
                            "      access",
                            "    - mm/damon/core: use damos_commit_quota_goal() for new goal commit",
                            "    - mm/damon/core: fix list_add_tail() call on damon_call()",
                            "    - spi: rockchip-sfc: Fix DMA-API usage",
                            "    - firmware: arm_ffa: Add support for IMPDEF value in the memory access",
                            "      descriptor",
                            "    - spi: spi-nxp-fspi: add the support for sample data from DQS pad",
                            "    - spi: spi-nxp-fspi: re-config the clock rate when operation require new",
                            "      clock rate",
                            "    - spi: spi-nxp-fspi: add extra delay after dll locked",
                            "    - spi: spi-nxp-fspi: limit the clock rate for different sample clock",
                            "      source selection",
                            "    - spi: cadence-quadspi: Fix pm_runtime unbalance on dma EPROBE_DEFER",
                            "    - arm64: dts: broadcom: bcm2712: Add default GIC address cells",
                            "    - arm64: dts: broadcom: bcm2712: Define VGIC interrupt",
                            "    - include: trace: Fix inflight count helper on failed initialization",
                            "    - firmware: arm_scmi: Fix premature SCMI_XFER_FLAG_IS_RAW clearing in raw",
                            "      mode",
                            "    - spi: airoha: return an error for continuous mode dirmap creation cases",
                            "    - spi: airoha: add support of dual/quad wires spi modes to exec_op()",
                            "      handler",
                            "    - spi: airoha: switch back to non-dma mode in the case of error",
                            "    - spi: airoha: fix reading/writing of flashes with more than one plane per",
                            "      lun",
                            "    - sysfs: check visibility before changing group attribute ownership",
                            "    - RISC-V: Define pgprot_dmacoherent() for non-coherent devices",
                            "    - RISC-V: Don't print details of CPUs disabled in DT",
                            "    - riscv: hwprobe: avoid uninitialized variable use in hwprobe_arch_id()",
                            "    - hwmon: (pmbus/isl68137) Fix child node reference leak on early return",
                            "    - hwmon: (sht3x) Fix error handling",
                            "    - io_uring: fix incorrect unlikely() usage in io_waitid_prep()",
                            "    - nbd: override creds to kernel when calling sock_{send,recv}msg()",
                            "    - drm/panic: Fix drawing the logo on a small narrow screen",
                            "    - drm/panic: Fix qr_code, ensure vmargin is positive",
                            "    - drm/panic: Fix 24bit pixel crossing page boundaries",
                            "    - of/irq: Convert of_msi_map_id() callers to of_msi_xlate()",
                            "    - of/irq: Add msi-parent check to of_msi_xlate()",
                            "    - block: require LBA dma_alignment when using PI",
                            "    - gpio: ljca: Fix duplicated IRQ mapping",
                            "    - io_uring: correct __must_hold annotation in io_install_fixed_file",
                            "    - sched: Remove never used code in mm_cid_get()",
                            "    - USB: serial: option: add UNISOC UIS7720",
                            "    - USB: serial: option: add Quectel RG255C",
                            "    - USB: serial: option: add Telit FN920C04 ECM compositions",
                            "    - usb/core/quirks: Add Huawei ME906S to wakeup quirk",
                            "    - usb: raw-gadget: do not limit transfer length",
                            "    - xhci: dbc: enable back DbC in resume if it was enabled before suspend",
                            "    - xhci: dbc: fix bogus 1024 byte prefix if ttyDBC read races with stall",
                            "      event",
                            "    - x86/microcode: Fix Entrysign revision check for Zen1/Naples",
                            "    - binder: remove \"invalid inc weak\" check",
                            "    - mei: me: add wildcat lake P DID",
                            "    - objtool/rust: add one more `noreturn` Rust function",
                            "    - nvmem: rcar-efuse: add missing MODULE_DEVICE_TABLE",
                            "    - misc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup",
                            "    - most: usb: hdm_probe: Fix calling put_device() before device",
                            "      initialization",
                            "    - tcpm: switch check for role_sw device with fw_node",
                            "    - dt-bindings: serial: sh-sci: Fix r8a78000 interrupts",
                            "    - dt-bindings: usb: dwc3-imx8mp: dma-range is required only for imx8mp",
                            "    - dt-bindings: usb: qcom,snps-dwc3: Fix bindings for X1E80100",
                            "    - serial: 8250_dw: handle reset control deassert error",
                            "    - serial: 8250_exar: add support for Advantech 2 port card with Device ID",
                            "      0x0018",
                            "    - serial: 8250_mtk: Enable baud clock and manage in runtime PM",
                            "    - serial: sc16is7xx: remove useless enable of enhanced features",
                            "    - staging: gpib: Fix device reference leak in fmh_gpib driver",
                            "    - staging: gpib: Fix no EOI on 1 and 2 byte writes",
                            "    - staging: gpib: Return -EINTR on device clear",
                            "    - staging: gpib: Fix sending clear and trigger events",
                            "    - mm/migrate: remove MIGRATEPAGE_UNMAP",
                            "    - treewide: remove MIGRATEPAGE_SUCCESS",
                            "    - vmw_balloon: indicate success when effectively deflating during",
                            "      migration",
                            "    - xfs: always warn about deprecated mount options",
                            "    - gpio: regmap: Allow to allocate regmap-irq device",
                            "    - gpio: regmap: add the .fixed_direction_output configuration parameter",
                            "    - gpio: idio-16: Define fixed direction of the GPIO lines",
                            "    - Linux 6.17.6",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40084",
                            "    - ksmbd: transport_ipc: validate payload size before reading handle",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40222",
                            "    - tty: serial: sh-sci: fix RSCI FIFO overrun handling",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40223",
                            "    - most: usb: Fix use-after-free in hdm_disconnect",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40106",
                            "    - comedi: fix divide-by-zero in comedi_buf_munge()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40224",
                            "    - hwmon: (cgbc-hwmon) Add missing NULL check after devm_kzalloc()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40225",
                            "    - drm/panthor: Fix kernel panic on partial unmap of a GPU VA region",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40226",
                            "    - firmware: arm_scmi: Account for failed debug initialization",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40227",
                            "    - mm/damon/sysfs: dealloc commit test ctx always",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40228",
                            "    - mm/damon/sysfs: catch commit test ctx alloc failure",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40229",
                            "    - mm/damon/core: fix potential memory leak by cleaning ops_filter in",
                            "      damon_destroy_scheme",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40230",
                            "    - mm: prevent poison consumption when splitting THP",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40231",
                            "    - vsock: fix lock inversion in vsock_assign_transport()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40233",
                            "    - ocfs2: clear extent cache after moving/defragmenting extents",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40235",
                            "    - btrfs: directly free partially initialized fs_info in",
                            "      btrfs_check_leaked_roots()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40236",
                            "    - virtio-net: zero unused hash fields",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40237",
                            "    - fs/notify: call exportfs_encode_fid with s_umount",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40238",
                            "    - net/mlx5: Fix IPsec cleanup over MPV device",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40239",
                            "    - net: phy: micrel: always set shared->phydev for LAN8814",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40240",
                            "    - sctp: avoid NULL dereference when chunk data buffer is missing",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40241",
                            "    - erofs: fix crafted invalid cases for encoded extents",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40242",
                            "    - gfs2: Fix unlikely race in gdlm_put_lock",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40243",
                            "    - hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40244",
                            "    - hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40245",
                            "    - nios2: ensure that memblock.current_limit is set when setting pfn limits",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557)",
                            "    - docs: kdoc: handle the obsolescensce of docutils.ErrorString()",
                            "    - Revert \"fs: make vfs_fileattr_[get|set] return -EOPNOTSUPP\"",
                            "    - PCI: vmd: Override irq_startup()/irq_shutdown() in",
                            "      vmd_init_dev_msi_info()",
                            "    - ata: libata-core: relax checks in ata_read_log_directory()",
                            "    - arm64/sysreg: Fix GIC CDEOI instruction encoding",
                            "    - ixgbevf: fix getting link speed data for E610 devices",
                            "    - rust: cfi: only 64-bit arm and x86 support CFI_CLANG",
                            "    - x86/CPU/AMD: Prevent reset reasons from being retained across reboot",
                            "    - slab: reset slab->obj_ext when freeing and it is OBJEXTS_ALLOC_FAIL",
                            "    - Revert \"io_uring/rw: drop -EOPNOTSUPP check in",
                            "      __io_complete_rw_common()\"",
                            "    - io_uring: protect mem region deregistration",
                            "    - Revert \"drm/amd/display: Only restore backlight after amdgpu_dm_init or",
                            "      dm_resume\"",
                            "    - r8152: add error handling in rtl8152_driver_init",
                            "    - net: usb: lan78xx: Fix lost EEPROM write timeout error(-ETIMEDOUT) in",
                            "      lan78xx_write_raw_eeprom",
                            "    - f2fs: fix wrong block mapping for multi-devices",
                            "    - gve: Check valid ts bit on RX descriptor before hw timestamping",
                            "    - jbd2: ensure that all ongoing I/O complete before freeing blocks",
                            "    - ext4: wait for ongoing I/O to complete before freeing blocks",
                            "    - btrfs: fix clearing of BTRFS_FS_RELOC_RUNNING if relocation already",
                            "      running",
                            "    - btrfs: fix memory leak on duplicated memory in the qgroup assign ioctl",
                            "    - btrfs: only set the device specific options after devices are opened",
                            "    - btrfs: fix incorrect readahead expansion length",
                            "    - can: gs_usb: gs_make_candev(): populate net_device->dev_port",
                            "    - can: gs_usb: increase max interface to U8_MAX",
                            "    - cxl/acpi: Fix setup of memory resource in cxl_acpi_set_cache_size()",
                            "    - ALSA: hda/intel: Add MSI X870E Tomahawk to denylist",
                            "    - ALSA: hda/realtek: Add quirk entry for HP ZBook 17 G6",
                            "    - drm/amdgpu: use atomic functions with memory barriers for vm fault info",
                            "    - drm/amdgpu: fix gfx12 mes packet status return check",
                            "    - drm/xe: Increase global invalidation timeout to 1000us",
                            "    - perf/core: Fix address filter match with backing files",
                            "    - perf/core: Fix MMAP event path names with backing files",
                            "    - perf/core: Fix MMAP2 event device with backing files",
                            "    - drm/amd: Check whether secure display TA loaded successfully",
                            "    - PM: hibernate: Add pm_hibernation_mode_is_suspend()",
                            "    - drm/amd: Fix hybrid sleep",
                            "    - usb: gadget: Store endpoint pointer in usb_request",
                            "    - usb: gadget: Introduce free_usb_request helper",
                            "    - HID: multitouch: fix sticky fingers",
                            "    - dax: skip read lock assertion for read-only filesystems",
                            "    - coredump: fix core_pattern input validation",
                            "    - can: m_can: m_can_plat_remove(): add missing pm_runtime_disable()",
                            "    - can: m_can: m_can_handle_state_errors(): fix CAN state transition to",
                            "      Error Active",
                            "    - can: m_can: m_can_chip_config(): bring up interface in correct state",
                            "    - can: m_can: fix CAN state in system PM",
                            "    - net: mtk: wed: add dma mask limitation and GFP_DMA32 for device with",
                            "      more than 4GB DRAM",
                            "    - net: dlink: handle dma_map_single() failure properly",
                            "    - doc: fix seg6_flowlabel path",
                            "    - can: j1939: add missing calls in NETDEV_UNREGISTER notification handler",
                            "    - dpll: zl3073x: Refactor DPLL initialization",
                            "    - dpll: zl3073x: Handle missing or corrupted flash configuration",
                            "    - r8169: fix packet truncation after S4 resume on RTL8168H/RTL8111H",
                            "    - net: phy: bcm54811: Fix GMII/MII/MII-Lite selection",
                            "    - net: phy: realtek: Avoid PHYCR2 access if PHYCR2 not present",
                            "    - amd-xgbe: Avoid spurious link down messages during interface toggle",
                            "    - Octeontx2-af: Fix missing error code in cgx_probe()",
                            "    - tcp: fix tcp_tso_should_defer() vs large RTT",
                            "    - net: airoha: Take into account out-of-order tx completions in",
                            "      airoha_dev_xmit()",
                            "    - selftests: net: check jq command is supported",
                            "    - net: core: fix lockdep splat on device unregister",
                            "    - ksmbd: fix recursive locking in RPC handle list access",
                            "    - tg3: prevent use of uninitialized remote_adv and local_adv variables",
                            "    - tls: trim encrypted message to match the plaintext on short splice",
                            "    - tls: wait for async encrypt in case of error during latter iterations of",
                            "      sendmsg",
                            "    - tls: always set record_type in tls_process_cmsg",
                            "    - tls: don't rely on tx_work during send()",
                            "    - netdevsim: set the carrier when the device goes up",
                            "    - net: usb: lan78xx: fix use of improperly initialized dev->chipid in",
                            "      lan78xx_reset",
                            "    - drm/panthor: Ensure MCU is disabled on suspend",
                            "    - nvme-multipath: Skip nr_active increments in RETRY disposition",
                            "    - riscv: kprobes: Fix probe address validation",
                            "    - drm/bridge: lt9211: Drop check for last nibble of version register",
                            "    - powerpc/fadump: skip parameter area allocation when fadump is disabled",
                            "    - ASoC: codecs: Fix gain setting ranges for Renesas IDT821034 codec",
                            "    - ASoC: nau8821: Cancel jdet_work before handling jack ejection",
                            "    - ASoC: nau8821: Generalize helper to clear IRQ status",
                            "    - ASoC: nau8821: Consistently clear interrupts before unmasking",
                            "    - ASoC: nau8821: Add DMI quirk to bypass jack debounce circuit",
                            "    - drm/i915/guc: Skip communication warning on reset in progress",
                            "    - drm/i915/frontbuffer: Move bo refcounting",
                            "      intel_frontbuffer_{get,release}()",
                            "    - drm/i915/fb: Fix the set_tiling vs. addfb race, again",
                            "    - drm/amdgpu: add ip offset support for cyan skillfish",
                            "    - drm/amdgpu: add support for cyan skillfish without IP discovery",
                            "    - drm/amdgpu: fix handling of harvesting for ip_discovery firmware",
                            "    - drm/amdgpu: handle wrap around in reemit handling",
                            "    - drm/amdgpu: set an error on all fences from a bad context",
                            "    - drm/amdgpu: drop unused structures in amdgpu_drm.h",
                            "    - drm/amd/powerplay: Fix CIK shutdown temperature",
                            "    - drm/xe: Enable media sampler power gating",
                            "    - drm/draw: fix color truncation in drm_draw_fill24",
                            "    - drm/rockchip: vop2: use correct destination rectangle height check",
                            "    - HID: intel-thc-hid: Intel-quickspi: switch first interrupt from level to",
                            "      edge detection",
                            "    - sched/fair: Fix pelt lost idle time detection",
                            "    - ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings",
                            "    - accel/qaic: Synchronize access to DBC request queue head & tail pointer",
                            "    - nvme-auth: update sc_c in host response",
                            "    - cxl/trace: Subtract to find an hpa_alias0 in cxl_poison events",
                            "    - selftests/bpf: make arg_parsing.c more robust to crashes",
                            "    - blk-mq: fix stale tag depth for shared sched tags in",
                            "      blk_mq_update_nr_requests()",
                            "    - block: Remove elevator_lock usage from blkg_conf frozen operations",
                            "    - HID: hid-input: only ignore 0 battery events for digitizers",
                            "    - HID: multitouch: fix name of Stylus input devices",
                            "    - drm/xe/evict: drop bogus assert",
                            "    - selftests: arg_parsing: Ensure data is flushed to disk before reading.",
                            "    - nvme/tcp: handle tls partially sent records in write_space()",
                            "    - rust: cpufreq: fix formatting",
                            "    - arm64: debug: always unmask interrupts in el0_softstp()",
                            "    - arm64: cputype: Add Neoverse-V3AE definitions",
                            "    - arm64: errata: Apply workarounds for Neoverse-V3AE",
                            "    - xfs: rename the old_crc variable in xlog_recover_process",
                            "    - xfs: fix log CRC mismatches between i386 and other architectures",
                            "    - NFSD: Rework encoding and decoding of nfsd4_deviceid",
                            "    - NFSD: Minor cleanup in layoutcommit processing",
                            "    - NFSD: Implement large extent array support in pNFS",
                            "    - NFSD: Fix last write offset handling in layoutcommit",
                            "    - phy: cdns-dphy: Store hs_clk_rate and return it",
                            "    - phy: cadence: cdns-dphy: Fix PLL lock and O_CMN_READY polling",
                            "    - x86/resctrl: Refactor resctrl_arch_rmid_read()",
                            "    - x86/resctrl: Fix miscount of bandwidth event when reactivating",
                            "      previously unavailable RMID",
                            "    - cxl: Fix match_region_by_range() to use region_res_match_cxl_range()",
                            "    - phy: cadence: cdns-dphy: Update calibration wait time for startup state",
                            "      machine",
                            "    - drm/xe: Use devm_ioremap_wc for VRAM mapping and drop manual unmap",
                            "    - drm/xe: Use dynamic allocation for tile and device VRAM region",
                            "      structures",
                            "    - drm/xe: Move struct xe_vram_region to a dedicated header",
                            "    - drm/xe: Unify the initialization of VRAM regions",
                            "    - drm/xe: Move rebar to be done earlier",
                            "    - PM: hibernate: Fix pm_hibernation_mode_is_suspend() build breakage",
                            "    - drm/xe: Fix an IS_ERR() vs NULL bug in xe_tile_alloc_vram()",
                            "    - Linux 6.17.5",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40086",
                            "    - drm/xe: Don't allow evicting of BOs in same VM in array of VM binds",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40087",
                            "    - NFSD: Define a proc_layoutcommit for the FlexFiles layout type",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40088",
                            "    - hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40162",
                            "    - ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40085",
                            "    - ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40172",
                            "    - accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40177",
                            "    - accel/qaic: Fix bootlog initialization ordering",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40163",
                            "    - sched/deadline: Stop dl_server before CPU goes offline",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40174",
                            "    - x86/mm: Fix SMP ordering in switch_mm_irqs_off()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40089",
                            "    - cxl/features: Add check for no entries in cxl_feature_info",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40176",
                            "    - tls: wait for pending async decryptions if tls_strp_msg_hold fails",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40164",
                            "    - usbnet: Fix using smp_processor_id() in preemptible code warnings",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40091",
                            "    - ixgbe: fix too early devlink_free() in ixgbe_remove()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40175",
                            "    - idpf: cleanup remaining SKBs in PTP flows",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40173",
                            "    - net/ip6_tunnel: Prevent perpetual tunnel growth",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40092",
                            "    - usb: gadget: f_ncm: Refactor bind path to use __free()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40093",
                            "    - usb: gadget: f_ecm: Refactor bind path to use __free()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40094",
                            "    - usb: gadget: f_acm: Refactor bind path to use __free()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40095",
                            "    - usb: gadget: f_rndis: Refactor bind path to use __free()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40165",
                            "    - media: nxp: imx8-isi: m2m: Fix streaming cleanup on release",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40096",
                            "    - drm/sched: Fix potential double free in",
                            "      drm_sched_job_add_resv_dependencies",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40097",
                            "    - ALSA: hda: Fix missing pointer check in hda_component_manager_init",
                            "      function",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40098",
                            "    - ALSA: hda: cs35l41: Fix NULL pointer dereference in",
                            "      cs35l41_get_acpi_mute_state()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40099",
                            "    - cifs: parse_dfs_referrals: prevent oob on malformed input",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40100",
                            "    - btrfs: do not assert we found block group item when creating free space",
                            "      tree",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40101",
                            "    - btrfs: fix memory leaks when rejecting a non SINGLE data profile without",
                            "      an RST",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40167",
                            "    - ext4: detect invalid INLINE_DATA + EXTENTS flag combination",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40102",
                            "    - KVM: arm64: Prevent access to vCPU events before init",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40103",
                            "    - smb: client: Fix refcount leak for cifs_sb_tlink",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40104",
                            "    - ixgbevf: fix mailbox API compatibility by negotiating supported features",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40166",
                            "    - drm/xe/guc: Check GuC running state before deregistering exec queue",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40105",
                            "    - vfs: Don't leak disconnected dentries on umount",
                            "  * The machine didn’t go into suspend and got stuck (LP: #2132095)",
                            "    - platform/x86: alienware-wmi-wmax: Fix NULL pointer dereference in sleep",
                            "      handlers",
                            "  * CAP_PERFMON insufficient to get perf data (LP: #2131046)",
                            "    - SAUCE: perf/core: Allow CAP_PERFMON for paranoid level 4",
                            "  * Poweroff not working consistently after upgrading kernel 6.14.0-17.17 or",
                            "    later (LP: #2115860)",
                            "    - drm/amd: Unify shutdown() callback behavior",
                            "    - drm/amd: Stop exporting amdgpu_device_ip_suspend() outside amdgpu_device",
                            "    - drm/amd: Remove comment about handling errors in",
                            "      amdgpu_device_ip_suspend_phase1()",
                            "    - drm/amd: Don't always set IP block HW status to false",
                            "    - drm/amd: Pass IP suspend errors up to callers",
                            "    - drm/amd: Avoid evicting resources at S5",
                            "  * Re-enable INTEL_SKL_INT3472 for kernels >= 6.16 for Intel IPU camera",
                            "    (LP: #2128792)",
                            "    - Revert \"UBUNTU: [Config] FTBFS: disable INTEL_SKL_INT3472\"",
                            "    - Revert \"UBUNTU: SAUCE: platform/x86: int3472: Add handshake GPIO",
                            "      function\"",
                            "  * Support Samsung S5K3J1 sensor for Intel MIPI camera (LP: #2121852)",
                            "    - SAUCE: media: ipu-bridge: Support s5k3j1 sensor",
                            "  * Questing update: v6.17.4 upstream stable release (LP: #2131259)",
                            "    - fs: always return zero on success from replace_fd()",
                            "    - fscontext: do not consume log entries when returning -EMSGSIZE",
                            "    - btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range()",
                            "    - arm64: map [_text, _stext) virtual address range non-executable+read-",
                            "      only",
                            "    - rseq: Protect event mask against membarrier IPI",
                            "    - statmount: don't call path_put() under namespace semaphore",
                            "    - listmount: don't call path_put() under namespace semaphore",
                            "    - clocksource/drivers/clps711x: Fix resource leaks in error paths",
                            "    - memcg: skip cgroup_file_notify if spinning is not allowed",
                            "    - page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches",
                            "    - PM: runtime: Update kerneldoc return codes",
                            "    - dma-mapping: fix direction in dma_alloc direction traces",
                            "    - cpufreq: Make drivers using CPUFREQ_ETERNAL specify transition latency",
                            "    - nfsd: unregister with rpcbind when deleting a transport",
                            "    - KVM: x86: Add helper to retrieve current value of user return MSR",
                            "    - KVM: SVM: Emulate PERF_CNTR_GLOBAL_STATUS_SET for PerfMonV2",
                            "    - iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE",
                            "    - media: v4l2-subdev: Fix alloc failure check in",
                            "      v4l2_subdev_call_state_try()",
                            "    - asm-generic/io.h: Skip trace helpers if rwmmio events are disabled",
                            "    - clk: npcm: select CONFIG_AUXILIARY_BUS",
                            "    - clk: thead: th1520-ap: describe gate clocks with clk_gate",
                            "    - clk: thead: th1520-ap: fix parent of padctrl0 clock",
                            "    - clk: thead: Correct parent for DPU pixel clocks",
                            "    - clk: renesas: r9a08g045: Add MSTOP for GPIO",
                            "    - perf disasm: Avoid undefined behavior in incrementing NULL",
                            "    - perf test trace_btf_enum: Skip if permissions are insufficient",
                            "    - perf evsel: Avoid container_of on a NULL leader",
                            "    - libperf event: Ensure tracing data is multiple of 8 sized",
                            "    - clk: qcom: common: Fix NULL vs IS_ERR() check in qcom_cc_icc_register()",
                            "    - clk: qcom: Select the intended config in QCS_DISPCC_615",
                            "    - perf parse-events: Handle fake PMUs in CPU terms",
                            "    - clk: at91: peripheral: fix return value",
                            "    - clk: renesas: cpg-mssr: Fix memory leak in cpg_mssr_reserved_init()",
                            "    - perf: Completely remove possibility to override MAX_NR_CPUS",
                            "    - perf drm_pmu: Fix fd_dir leaks in for_each_drm_fdinfo_in_dir()",
                            "    - perf util: Fix compression checks returning -1 as bool",
                            "    - rtc: x1205: Fix Xicor X1205 vendor prefix",
                            "    - rtc: optee: fix memory leak on driver removal",
                            "    - perf arm_spe: Correct setting remote access",
                            "    - perf arm_spe: Correct memory level for remote access",
                            "    - perf vendor events arm64 AmpereOneX: Fix typo - should be",
                            "      l1d_cache_access_prefetches",
                            "    - perf test: AMD IBS swfilt skip kernel tests if paranoia is >1",
                            "    - perf test shell lbr: Avoid failures with perf event paranoia",
                            "    - perf trace: Fix IS_ERR() vs NULL check bug",
                            "    - perf session: Fix handling when buffer exceeds 2 GiB",
                            "    - perf test: Don't leak workload gopipe in PERF_RECORD_*",
                            "    - perf evsel: Fix uniquification when PMU given without suffix",
                            "    - perf test: Avoid uncore_imc/clockticks in uniquification test",
                            "    - perf evsel: Ensure the fallback message is always written to",
                            "    - perf build-id: Ensure snprintf string is empty when size is 0",
                            "    - clk: mediatek: mt8195-infra_ao: Fix parent for infra_ao_hdmi_26m",
                            "    - clk: mediatek: clk-mux: Do not pass flags to",
                            "      clk_mux_determine_rate_flags()",
                            "    - clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate()",
                            "    - clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver",
                            "    - clk: tegra: do not overallocate memory for bpmp clocks",
                            "    - nfsd: fix assignment of ia_ctime.tv_nsec on delegated mtime update",
                            "    - nfsd: ignore ATTR_DELEG when checking ia_valid before notify_change()",
                            "    - vfs: add ATTR_CTIME_SET flag",
                            "    - nfsd: use ATTR_CTIME_SET for delegated ctime updates",
                            "    - nfsd: track original timestamps in nfs4_delegation",
                            "    - nfsd: fix SETATTR updates for delegated timestamps",
                            "    - nfsd: fix timestamp updates in CB_GETATTR",
                            "    - tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64",
                            "    - PM: core: Annotate loops walking device links as _srcu",
                            "    - PM: core: Add two macros for walking device links",
                            "    - PM: sleep: Do not wait on SYNC_STATE_ONLY device links",
                            "    - cpufreq: tegra186: Set target frequency for all cpus in policy",
                            "    - scsi: mvsas: Fix use-after-free bugs in mvs_work_queue",
                            "    - perf bpf-filter: Fix opts declaration on older libbpfs",
                            "    - scsi: ufs: sysfs: Make HID attributes visible",
                            "    - mshv: Handle NEED_RESCHED_LAZY before transferring to guest",
                            "    - perf bpf_counter: Fix handling of cpumap fixing hybrid",
                            "    - ASoC: SOF: ipc4-topology: Correct the minimum host DMA buffer size",
                            "    - ASoC: SOF: ipc4-topology: Account for different ChainDMA host buffer",
                            "      size",
                            "    - ASoC: SOF: Intel: hda-pcm: Place the constraint on period time instead",
                            "      of buffer time",
                            "    - LoongArch: Add cflag -fno-isolate-erroneous-paths-dereference",
                            "    - LoongArch: Fix build error for LTO with LLVM-18",
                            "    - LoongArch: Init acpi_gbl_use_global_lock to false",
                            "    - ASoC: SOF: Intel: Read the LLP via the associated Link DMA channel",
                            "    - net: usb: lan78xx: Fix lost EEPROM read timeout error(-ETIMEDOUT) in",
                            "      lan78xx_read_raw_eeprom",
                            "    - net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter()",
                            "    - drm/xe/hw_engine_group: Fix double write lock release in error path",
                            "    - drm/xe/i2c: Don't rely on d3cold.allowed flag in system PM path",
                            "    - s390/cio: Update purge function to unregister the unused subchannels",
                            "    - drm/vmwgfx: Fix a null-ptr access in the cursor snooper",
                            "    - drm/vmwgfx: Fix Use-after-free in validation",
                            "    - drm/vmwgfx: Fix copy-paste typo in validation",
                            "    - net/sctp: fix a null dereference in sctp_disposition",
                            "      sctp_sf_do_5_1D_ce()",
                            "    - tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().",
                            "    - net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work",
                            "    - selftest: net: ovpn: Fix uninit return values",
                            "    - ice: ice_adapter: release xa entry on adapter allocation failure",
                            "    - net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe",
                            "    - tools build: Align warning options with perf",
                            "    - perf python: split Clang options when invoking Popen",
                            "    - tcp: take care of zero tp->window_clamp in tcp_set_rcvlowat()",
                            "    - mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call",
                            "    - mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes",
                            "    - mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop",
                            "    - mailbox: zynqmp-ipi: Fix SGI cleanup on unbind",
                            "    - bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}",
                            "    - net: mdio: mdio-i2c: Hold the i2c bus lock during smbus transactions",
                            "    - net: sparx5/lan969x: fix flooding configuration on bridge join/leave",
                            "    - net/mlx5: Prevent tunnel mode conflicts between FDB and NIC IPsec tables",
                            "    - net/mlx5e: Prevent tunnel reformat when tunnel mode not allowed",
                            "    - mailbox: mtk-cmdq: Remove pm_runtime APIs from cmdq_mbox_send_data()",
                            "    - drm/amdgpu: Add additional DCE6 SCL registers",
                            "    - drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs",
                            "    - drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6",
                            "    - drm/amd/display: Properly disable scaling on DCE6",
                            "    - drm/amd/display: Disable scaling on DCE6 for now",
                            "    - drm/amdkfd: Fix kfd process ref leaking when userptr unmapping",
                            "    - net: pse-pd: tps23881: Fix current measurement scaling",
                            "    - crypto: skcipher - Fix reqsize handling",
                            "    - netfilter: nft_objref: validate objref and objrefmap expressions",
                            "    - bridge: br_vlan_fill_forward_path_pvid: use br_vlan_group_rcu()",
                            "    - selftests: netfilter: nft_fib.sh: fix spurious test failures",
                            "    - selftests: netfilter: query conntrack state to check for port clash",
                            "      resolution",
                            "    - io_uring/zcrx: increment fallback loop src offset",
                            "    - net: airoha: Fix loopback mode configuration for GDM2 port",
                            "    - cifs: Fix copy_to_iter return value check",
                            "    - smb: client: fix missing timestamp updates after utime(2)",
                            "    - rtc: isl12022: Fix initial enable_irq/disable_irq balance",
                            "    - cifs: Query EA $LXMOD in cifs_query_path_info() for WSL reparse points",
                            "    - tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single",
                            "    - gpio: wcd934x: mark the GPIO controller as sleeping",
                            "    - bpf: Avoid RCU context warning when unpinning htab with internal structs",
                            "    - kbuild: always create intermediate vmlinux.unstripped",
                            "    - kbuild: keep .modinfo section in vmlinux.unstripped",
                            "    - kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux",
                            "    - kbuild: Add '.rel.*' strip pattern for vmlinux",
                            "    - s390: vmlinux.lds.S: Reorder sections",
                            "    - s390/vmlinux.lds.S: Move .vmlinux.info to end of allocatable sections",
                            "    - ACPICA: acpidump: drop ACPI_NONSTRING attribute from file_name",
                            "    - ACPI: property: Fix buffer properties extraction for subnodes",
                            "    - ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT",
                            "    - ACPICA: Debugger: drop ACPI_NONSTRING attribute from name_seg",
                            "    - ACPI: debug: fix signedness issues in read/write helpers",
                            "    - ACPI: battery: Add synchronization between interface updates",
                            "    - arm64: dts: qcom: msm8916: Add missing MDSS reset",
                            "    - arm64: dts: qcom: msm8939: Add missing MDSS reset",
                            "    - arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: qcom: x1e80100-pmics: Disable pm8010",
                            "      by default\"",
                            "    - arm64: dts: qcom: x1e80100-pmics: Disable pm8010 by default",
                            "    - arm64: dts: ti: k3-am62a-main: Fix main padcfg length",
                            "    - arm64: dts: ti: k3-am62p: Fix supported hardware for 1GHz OPP",
                            "    - arm64: kprobes: call set_memory_rox() for kprobe page",
                            "    - arm64: mte: Do not flag the zero page as PG_mte_tagged",
                            "    - ARM: AM33xx: Implement TI advisory 1.0.36 (EMU0/EMU1 pins state on",
                            "      reset)",
                            "    - ARM: OMAP2+: pm33xx-core: ix device node reference leaks in",
                            "      amx3_idle_init",
                            "    - firmware: arm_scmi: quirk: Prevent writes to string constants",
                            "    - perf/arm-cmn: Fix CMN S3 DTM offset",
                            "    - KVM: s390: Fix to clear PTE when discarding a swapped page",
                            "    - KVM: arm64: Fix debug checking for np-guests using huge mappings",
                            "    - KVM: arm64: Fix page leak in user_mem_abort()",
                            "    - x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP",
                            "    - KVM: SVM: Re-load current, not host, TSC_AUX on #VMEXIT from SEV-ES",
                            "      guest",
                            "    - KVM: TDX: Fix uninitialized error code for __tdx_bringup()",
                            "    - dt-bindings: phy: rockchip-inno-csi-dphy: make power-domains non-",
                            "      required",
                            "    - xen: take system_transition_mutex on suspend",
                            "    - xen/events: Cleanup find_virq() return codes",
                            "    - xen/manage: Fix suspend error path",
                            "    - xen/events: Return -EEXIST for bound VIRQs",
                            "    - xen/events: Update virq_to_irq on migration",
                            "    - firmware: exynos-acpm: fix PMIC returned errno",
                            "    - firmware: meson_sm: fix device leak at probe",
                            "    - media: cec: extron-da-hd-4k-plus: drop external-module make commands",
                            "    - media: cx18: Add missing check after DMA map",
                            "    - media: i2c: mt9p031: fix mbus code initialization",
                            "    - media: i2c: mt9v111: fix incorrect type for ret",
                            "    - media: mc: Fix MUST_CONNECT handling for pads with no links",
                            "    - media: pci: ivtv: Add missing check after DMA map",
                            "    - media: pci: mg4b: fix uninitialized iio scan data",
                            "    - media: platform: mtk-mdp3: Add missing MT8188 compatible to comp_dt_ids",
                            "    - media: s5p-mfc: remove an unused/uninitialized variable",
                            "    - media: staging/ipu7: fix isys device runtime PM usage in firmware",
                            "      closing",
                            "    - media: uvcvideo: Avoid variable shadowing in uvc_ctrl_cleanup_fh",
                            "    - media: venus: firmware: Use correct reset sequence for IRIS2",
                            "    - media: venus: pm_helpers: add fallback for the opp-table",
                            "    - media: vivid: fix disappearing <Vendor Command With ID> messages",
                            "    - media: vsp1: Export missing vsp1_isp_free_buffer symbol",
                            "    - media: ti: j721e-csi2rx: Use devm_of_platform_populate",
                            "    - media: ti: j721e-csi2rx: Fix source subdev link creation",
                            "    - media: lirc: Fix error handling in lirc_register()",
                            "    - drm/exynos: exynos7_drm_decon: remove ctx->suspended",
                            "    - drm/panthor: Fix memory leak in panthor_ioctl_group_create()",
                            "    - drm/msm/a6xx: Fix PDC sleep sequence",
                            "    - drm/rcar-du: dsi: Fix 1/2/3 lane support",
                            "    - drm/nouveau: fix bad ret code in nouveau_bo_move_prep",
                            "    - drm/xe/uapi: loosen used tracking restriction",
                            "    - drm/amd/display: Incorrect Mirror Cositing",
                            "    - drm/amd/display: Enable Dynamic DTBCLK Switch",
                            "    - drm/amd/display: Fix unsafe uses of kernel mode FPU",
                            "    - blk-crypto: fix missing blktrace bio split events",
                            "    - btrfs: avoid potential out-of-bounds in btrfs_encode_fh()",
                            "    - bus: mhi: ep: Fix chained transfer handling in read path",
                            "    - bus: mhi: host: Do not use uninitialized 'dev' pointer in",
                            "      mhi_init_irq_setup()",
                            "    - cdx: Fix device node reference leak in cdx_msi_domain_init",
                            "    - clk: qcom: tcsrcc-x1e80100: Set the bi_tcxo as parent to eDP refclk",
                            "    - clk: samsung: exynos990: Use PLL_CON0 for PLL parent muxes",
                            "    - clk: samsung: exynos990: Fix CMU_TOP mux/div bit widths",
                            "    - clk: samsung: exynos990: Replace bogus divs with fixed-factor clocks",
                            "    - copy_sighand: Handle architectures where sizeof(unsigned long) <",
                            "      sizeof(u64)",
                            "    - cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay",
                            "    - cpufreq: intel_pstate: Fix object lifecycle issue in",
                            "      update_qos_request()",
                            "    - crypto: aspeed - Fix dma_unmap_sg() direction",
                            "    - crypto: atmel - Fix dma_unmap_sg() direction",
                            "    - crypto: rockchip - Fix dma_unmap_sg() nents value",
                            "    - eventpoll: Replace rwlock with spinlock",
                            "    - fbdev: Fix logic error in \"offb\" name match",
                            "    - fs/ntfs3: Fix a resource leak bug in wnd_extend()",
                            "    - fs: quota: create dedicated workqueue for quota_release_work",
                            "    - fsnotify: pass correct offset to fsnotify_mmap_perm()",
                            "    - fuse: fix possibly missing fuse_copy_finish() call in fuse_notify()",
                            "    - fuse: fix livelock in synchronous file put from fuseblk workers",
                            "    - gpio: mpfs: fix setting gpio direction to output",
                            "    - i3c: Fix default I2C adapter timeout value",
                            "    - iio/adc/pac1934: fix channel disable configuration",
                            "    - iio: dac: ad5360: use int type to store negative error codes",
                            "    - iio: dac: ad5421: use int type to store negative error codes",
                            "    - iio: frequency: adf4350: Fix prescaler usage.",
                            "    - iio: xilinx-ams: Fix AMS_ALARM_THR_DIRECT_MASK",
                            "    - iio: xilinx-ams: Unmask interrupts after updating alarms",
                            "    - init: handle bootloader identifier in kernel parameters",
                            "    - iio: imu: inv_icm42600: Simplify pm_runtime setup",
                            "    - iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in",
                            "      resume",
                            "    - iio: imu: inv_icm42600: Avoid configuring if already pm_runtime",
                            "      suspended",
                            "    - iommu/vt-d: PRS isn't usable if PDS isn't supported",
                            "    - ipmi: Rework user message limit handling",
                            "    - ipmi:msghandler:Change seq_lock to a mutex",
                            "    - kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in",
                            "      sys_prlimit64() paths",
                            "    - KEYS: trusted_tpm1: Compare HMAC values in constant time",
                            "    - kho: only fill kimage if KHO is finalized",
                            "    - lib/genalloc: fix device leak in of_gen_pool_get()",
                            "    - loop: fix backing file reference leak on validation error",
                            "    - md: fix mssing blktrace bio split events",
                            "    - of: unittest: Fix device reference count leak in",
                            "      of_unittest_pci_node_verify",
                            "    - openat2: don't trigger automounts with RESOLVE_NO_XDEV",
                            "    - padata: Reset next CPU when reorder sequence wraps around",
                            "    - parisc: don't reference obsolete termio struct for TC* constants",
                            "    - parisc: Remove spurious if statement from raw_copy_from_user()",
                            "    - nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk",
                            "    - pinctrl: samsung: Drop unused S3C24xx driver data",
                            "    - PM: EM: Fix late boot with holes in CPU topology",
                            "    - PM: hibernate: Fix hybrid-sleep",
                            "    - PM: hibernate: Restrict GFP mask in power_down()",
                            "    - power: supply: max77976_charger: fix constant current reporting",
                            "    - powerpc/powernv/pci: Fix underflow and leak issue",
                            "    - powerpc/pseries/msi: Fix potential underflow and leak issue",
                            "    - pwm: berlin: Fix wrong register in suspend/resume",
                            "    - pwm: Fix incorrect variable used in error message",
                            "    - Revert \"ipmi: fix msg stack when IPMI is disconnected\"",
                            "    - sched/deadline: Fix race in push_dl_task()",
                            "    - scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()",
                            "    - scsi: sd: Fix build warning in sd_revalidate_disk()",
                            "    - sctp: Fix MAC comparison to be constant-time",
                            "    - smb client: fix bug with newly created file in cached dir",
                            "    - sparc64: fix hugetlb for sun4u",
                            "    - sparc: fix error handling in scan_one_device()",
                            "    - xtensa: simdisk: add input size check in proc_write_simdisk",
                            "    - xsk: Harden userspace-supplied xdp_desc validation",
                            "    - mtd: rawnand: fsmc: Default to autodetect buswidth",
                            "    - mtd: nand: raw: gpmi: fix clocks when CONFIG_PM=N",
                            "    - mmc: core: SPI mode remove cmd7",
                            "    - mmc: mmc_spi: multiple block read remove read crc ack",
                            "    - memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe",
                            "    - memory: stm32_omm: Fix req2ack update test",
                            "    - rtc: interface: Ensure alarm irq is enabled when UIE is enabled",
                            "    - rtc: interface: Fix long-standing race when setting alarm",
                            "    - rseq/selftests: Use weak symbol reference, not definition, to link with",
                            "      glibc",
                            "    - PCI: xilinx-nwl: Fix ECAM programming",
                            "    - PCI: tegra: Convert struct tegra_msi mask_lock into raw spinlock",
                            "    - PCI/sysfs: Ensure devices are powered for config reads",
                            "    - PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV",
                            "    - PCI/ERR: Fix uevent on failure to recover",
                            "    - PCI/AER: Fix missing uevent on recovery when a reset is requested",
                            "    - PCI/AER: Support errors introduced by PCIe r6.0",
                            "    - PCI: Ensure relaxed tail alignment does not increase min_align",
                            "    - PCI: Fix failure detection during resource resize",
                            "    - PCI: j721e: Fix module autoloading",
                            "    - PCI: j721e: Fix programming sequence of \"strap\" settings",
                            "    - PCI: keystone: Use devm_request_irq() to free \"ks-pcie-error-irq\" on",
                            "      exit",
                            "    - PCI: rcar-gen4: Fix PHY initialization",
                            "    - PCI: rcar-host: Drop PMSR spinlock",
                            "    - PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock",
                            "    - PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq()",
                            "    - PCI: tegra194: Handle errors in BPMP response",
                            "    - PCI: tegra194: Reset BARs when running in PCIe endpoint mode",
                            "    - PCI/pwrctrl: Fix device leak at registration",
                            "    - PCI/pwrctrl: Fix device and OF node leak at bus scan",
                            "    - PCI/pwrctrl: Fix device leak at device stop",
                            "    - spi: cadence-quadspi: Flush posted register writes before INDAC access",
                            "    - spi: cadence-quadspi: Flush posted register writes before DAC access",
                            "    - spi: cadence-quadspi: Fix cqspi_setup_flash()",
                            "    - xfs: use deferred intent items for reaping crosslinked blocks",
                            "    - x86/fred: Remove ENDBR64 from FRED entry points",
                            "    - x86/umip: Check that the instruction opcode is at least two bytes",
                            "    - x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT",
                            "      aliases)",
                            "    - mptcp: pm: in-kernel: usable client side with C-flag",
                            "    - mptcp: reset blackhole on success with non-loopback ifaces",
                            "    - selftests: mptcp: join: validate C-flag + def limit",
                            "    - s390/cio/ioasm: Fix __xsch() condition code handling",
                            "    - s390/dasd: enforce dma_alignment to ensure proper buffer validation",
                            "    - s390/dasd: Return BLK_STS_INVAL for EINVAL from do_dasd_request",
                            "    - s390: Add -Wno-pointer-sign to KBUILD_CFLAGS_DECOMPRESSOR",
                            "    - slab: prevent warnings when slab obj_exts vector allocation fails",
                            "    - slab: mark slab->obj_exts allocation failures unconditionally",
                            "    - wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again",
                            "    - wifi: iwlwifi: Fix dentry reference leak in iwl_mld_add_link_debugfs",
                            "    - wifi: rtw89: avoid possible TX wait initialization race",
                            "    - wifi: mt76: mt7925u: Add VID/PID for Netgear A9000",
                            "    - wifi: mt76: mt7921u: Add VID/PID for Netgear A7500",
                            "    - mm/thp: fix MTE tag mismatch when replacing zero-filled subpages",
                            "    - mm/rmap: fix soft-dirty and uffd-wp bit loss when remapping zero-filled",
                            "      mTHP subpage to shared zeropage",
                            "    - mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations",
                            "    - mm/hugetlb: early exit from hugetlb_pages_alloc_boot() when",
                            "      max_huge_pages=0",
                            "    - mm/damon/vaddr: do not repeat pte_offset_map_lock() until success",
                            "    - mm/damon/lru_sort: use param_ctx for damon_attrs staging",
                            "    - nfsd: decouple the xprtsec policy check from check_nfsd_access()",
                            "    - NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul()",
                            "    - nfsd: nfserr_jukebox in nlm_fopen should lead to a retry",
                            "    - media: iris: Call correct power off callback in cleanup path",
                            "    - media: iris: Fix firmware reference leak and unmap memory after load",
                            "    - media: iris: fix module removal if firmware download failed",
                            "    - media: iris: vpu3x: Add MNoC low power handshake during hardware power-",
                            "      off",
                            "    - media: iris: Fix port streaming handling",
                            "    - media: iris: Fix buffer count reporting in internal buffer check",
                            "    - media: iris: Allow substate transition to load resources during output",
                            "      streaming",
                            "    - media: iris: Always destroy internal buffers on firmware release",
                            "      response",
                            "    - media: iris: Simplify session stop logic by relying on vb2 checks",
                            "    - media: iris: Update vbuf flags before v4l2_m2m_buf_done",
                            "    - media: iris: Send dummy buffer address for all codecs during drain",
                            "    - media: iris: Fix missing LAST flag handling during drain",
                            "    - media: iris: Fix format check for CAPTURE plane in try_fmt",
                            "    - media: iris: Allow stop on firmware only if start was issued.",
                            "    - ext4: add ext4_sb_bread_nofail() helper function for",
                            "      ext4_free_branches()",
                            "    - ext4: fail unaligned direct IO write with EINVAL",
                            "    - ext4: verify orphan file size is not too big",
                            "    - ext4: increase i_disksize to offset + len in",
                            "      ext4_update_disksize_before_punch()",
                            "    - ext4: correctly handle queries for metadata mappings",
                            "    - ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()",
                            "    - ext4: fix an off-by-one issue during moving extents",
                            "    - ext4: guard against EA inode refcount underflow in xattr update",
                            "    - ext4: validate ea_ino and size in check_xattrs",
                            "    - ACPICA: Allow to skip Global Lock initialization",
                            "    - ext4: free orphan info with kvfree",
                            "    - ipmi: Fix handling of messages with provided receive message pointer",
                            "    - Squashfs: add additional inode sanity checking",
                            "    - Squashfs: reject negative file sizes in squashfs_read_inode()",
                            "    - mm/ksm: fix incorrect KSM counter handling in mm_struct during fork",
                            "    - media: mc: Clear minor number before put device",
                            "    - arm64: dts: qcom: qcs615: add missing dt property in QUP SEs",
                            "    - ACPI: property: Disregard references in data-only subnode lists",
                            "    - ACPI: property: Add code comments explaining what is going on",
                            "    - ACPI: property: Do not pass NULL handles to acpi_attach_data()",
                            "    - irqchip/sifive-plic: Avoid interrupt ID 0 handling during suspend/resume",
                            "    - copy_file_range: limit size if in compat mode",
                            "    - minixfs: Verify inode mode when loading from disk",
                            "    - pid: Add a judgment for ns null in pid_nr_ns",
                            "    - fs: Add 'initramfs_options' to set initramfs mount options",
                            "    - cramfs: Verify inode mode when loading from disk",
                            "    - nsfs: validate extensible ioctls",
                            "    - mnt_ns_tree_remove(): DTRT if mnt_ns had never been added to mnt_ns_list",
                            "    - writeback: Avoid softlockup when switching many inodes",
                            "    - writeback: Avoid excessively long inode switching times",
                            "    - iomap: error out on file IO when there is no inline_data buffer",
                            "    - pidfs: validate extensible ioctls",
                            "    - mount: handle NULL values in mnt_ns_release()",
                            "    - Linux 6.17.4",
                            "  * Questing update: v6.17.4 upstream stable release (LP: #2131259) // Race",
                            "    condition in perf build causes build failure due to missing unistd_64.h",
                            "    header on arm64 (LP: #2131702)",
                            "    - perf tools: Fix arm64 libjvmti build by generating unistd_64.h",
                            "  * Questing update: v6.17.3 upstream stable release (LP: #2129610)",
                            "    - arch: copy_thread: pass clone_flags as u64",
                            "    - filelock: add FL_RECLAIM to show_fl_flags() macro",
                            "    - init: INITRAMFS_PRESERVE_MTIME should depend on BLK_DEV_INITRD",
                            "    - pid: use ns_capable_noaudit() when determining net sysctl permissions",
                            "    - Fix CC_HAS_ASM_GOTO_OUTPUT on non-x86 architectures",
                            "    - [Config]: Update CC configs for v6.17.3",
                            "    - seccomp: Fix a race with WAIT_KILLABLE_RECV if the tracer replies too",
                            "      fast",
                            "    - kbuild: Add missing $(objtree) prefix to powerpc crtsavres.o artifact",
                            "    - selftests: arm64: Check fread return value in exec_target",
                            "    - selftests: arm64: Fix -Waddress warning in tpidr2 test",
                            "    - kselftest/arm64/gcs: Correctly check return value when disabling GCS",
                            "    - hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()",
                            "    - gfs2: Fix GLF_INVALIDATE_IN_PROGRESS flag clearing in do_xmote",
                            "    - gfs2: Remove space before newline",
                            "    - gfs2: Further sanitize lock_dlm.c",
                            "    - gfs2: Fix LM_FLAG_TRY* logic in add_to_queue",
                            "    - gfs2: Remove duplicate check in do_xmote",
                            "    - gfs2: Get rid of GLF_INVALIDATE_IN_PROGRESS",
                            "    - gfs2: do_xmote cleanup",
                            "    - gfs2: Add proper lockspace locking",
                            "    - powerpc/8xx: Remove left-over instruction and comments in",
                            "      DataStoreTLBMiss handler",
                            "    - powerpc/603: Really copy kernel PGD entries into all PGDIRs",
                            "    - powerpc/ftrace: ensure ftrace record ops are always set for NOPs",
                            "    - powerpc64/modules: correctly iterate over stubs in",
                            "      setup_ftrace_ool_stubs",
                            "    - uprobes: uprobe_warn should use passed task",
                            "    - raid6: riscv: Clean up unused header file inclusion",
                            "    - coresight: trbe: Prevent overflow in PERF_IDX2OFF()",
                            "    - perf: arm_spe: Prevent overflow in PERF_IDX2OFF()",
                            "    - erofs: avoid reading more for fragment maps",
                            "    - smb: client: fix sending the iwrap custom IRD/ORD negotiation messages",
                            "    - smb: server: fix IRD/ORD negotiation with the client",
                            "    - perf/x86/intel: Use early_initcall() to hook bts_init()",
                            "    - perf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error",
                            "    - x86/vdso: Fix output operand size of RDPID",
                            "    - selftests: cgroup: Make test_pids backwards compatible",
                            "    - sched/fair: Get rid of sched_domains_curr_level hack for tl->cpumask()",
                            "    - [Config]: Update CONFIG_SCHED_MC for v6.17.3",
                            "    - lsm: CONFIG_LSM can depend on CONFIG_SECURITY",
                            "    - cpuset: fix failure to enable isolated partition when containing",
                            "      isolcpus",
                            "    - btrfs: return any hit error from extent_writepage_io()",
                            "    - btrfs: fix symbolic link reading when bs > ps",
                            "    - pinctrl: renesas: rzg2l: Fix invalid unsigned return in rzg3s_oen_read()",
                            "    - arm64: dts: renesas: rzg2lc-smarc: Disable CAN-FD channel0",
                            "    - bpf: Tidy verifier bug message",
                            "    - regmap: Remove superfluous check for !config in __regmap_init()",
                            "    - selftests/bpf: Copy test_kmods when installing selftest",
                            "    - rust: cpumask: Mark CpumaskVar as transparent",
                            "    - bpf/selftests: Fix test_tcpnotify_user",
                            "    - bpf: Remove migrate_disable in kprobe_multi_link_prog_run",
                            "    - libbpf: Fix reuse of DEVMAP",
                            "    - tools/nolibc: fix error return value of clock_nanosleep()",
                            "    - ARM: dts: renesas: porter: Fix CAN pin group",
                            "    - leds: max77705: Function return instead of variable assignment",
                            "    - leds: flash: leds-qcom-flash: Update torch current clamp setting",
                            "    - s390/bpf: Do not write tail call counter into helper and kfunc frames",
                            "    - s390/bpf: Write back tail call counter for BPF_PSEUDO_CALL",
                            "    - s390/bpf: Write back tail call counter for BPF_TRAMP_F_CALL_ORIG",
                            "    - cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus()",
                            "    - arm64: dts: renesas: sparrow-hawk: Invert microSD voltage selector on",
                            "      EVTB1",
                            "    - arm64: dts: renesas: sparrow-hawk: Set VDDQ18_25_AVB voltage on EVTB1",
                            "    - libbpf: Export bpf_object__prepare symbol",
                            "    - firmware: arm_scmi: Mark VirtIO ready before registering",
                            "      scmi_virtio_driver",
                            "    - arm64: dts: imx93-kontron: Fix GPIO for panel regulator",
                            "    - arm64: dts: imx93-kontron: Fix USB port assignment",
                            "    - arm64: dts: imx95: Correct the lpuart7 and lpuart8 srcid",
                            "    - bpf: Remove preempt_disable in bpf_try_get_buffers",
                            "    - ACPI: processor: idle: Fix memory leak when register cpuidle device",
                            "      failed",
                            "    - genirq: Add irq_chip_(startup/shutdown)_parent()",
                            "    - PCI/MSI: Add startup/shutdown for per device domains",
                            "    - irqchip/sg2042-msi: Fix broken affinity setting",
                            "    - scripts/misc-check: update export checks for EXPORT_SYMBOL_FOR_MODULES()",
                            "    - soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS",
                            "    - pinctrl: meson-gxl: add missing i2c_d pinmux",
                            "    - blk-mq: check kobject state_in_sysfs before deleting in",
                            "      blk_mq_unregister_hctx",
                            "    - selftests/futex: Remove the -g parameter from futex_priv_hash",
                            "    - ARM: at91: pm: fix MCKx restore routine",
                            "    - arm64: dts: apple: t8103-j457: Fix PCIe ethernet iommu-map",
                            "    - regulator: scmi: Use int type to store negative error codes",
                            "    - selftests/futex: Fix some futex_numa_mpol subtests",
                            "    - tools/nolibc: avoid error in dup2() if old fd equals new fd",
                            "    - selftests/nolibc: fix EXPECT_NZ macro",
                            "    - leds: leds-lp55xx: Use correct address for memory programming",
                            "    - PCI/MSI: Check MSI_FLAG_PCI_MSI_MASK_PARENT in",
                            "      cond_[startup|shutdown]_parent()",
                            "    - block: use int to store blk_stack_limits() return value",
                            "    - ARM: dts: stm32: stm32mp151c-plyaqm: Use correct dai-format property",
                            "    - dt-bindings: vendor-prefixes: Add undocumented vendor prefixes",
                            "    - genirq/test: Fix depth tests on architectures with NOREQUEST by default.",
                            "    - genirq/test: Select IRQ_DOMAIN",
                            "    - genirq/test: Depend on SPARSE_IRQ",
                            "    - genirq/test: Drop CONFIG_GENERIC_IRQ_MIGRATION assumptions",
                            "    - genirq/test: Ensure CPU 1 is online for hotplug test",
                            "    - selftests/bpf: Fix count write in testapp_xdp_metadata_copy()",
                            "    - vdso/datastore: Gate time data behind CONFIG_GENERIC_GETTIMEOFDAY",
                            "    - PM: sleep: core: Clear power.must_resume in noirq suspend error path",
                            "    - blk-mq: fix elevator depth_updated method",
                            "    - vdso: Add struct __kernel_old_timeval forward declaration to gettime.h",
                            "    - ARM: dts: ti: omap: am335x-baltos: Fix ti,en-ck32k-xtal property in DTS",
                            "      to use correct boolean syntax",
                            "    - ARM: dts: ti: omap: omap3-devkit8000-lcd: Fix ti,keep-vref-on property",
                            "      to use correct boolean syntax in DTS",
                            "    - ARM: dts: omap: am335x-cm-t335: Remove unused mcasp num-serializer",
                            "      property",
                            "    - PM / devfreq: mtk-cci: Fix potential error pointer dereference in",
                            "      probe()",
                            "    - power: supply: cw2015: Fix a alignment coding style issue",
                            "    - hwmon: (asus-ec-sensors) Narrow lock for X870E-CREATOR WIFI",
                            "    - pinctrl: renesas: Use int type to store negative error codes",
                            "    - pinctrl: eswin: Fix regulator error check and Kconfig dependency",
                            "    - null_blk: Fix the description of the cache_size module argument",
                            "    - blk-throttle: fix access race during throttle policy activation",
                            "    - selftests: vDSO: Fix -Wunitialized in powerpc VDSO_CALL() wrapper",
                            "    - selftests: vDSO: vdso_test_abi: Correctly skip whole test with missing",
                            "      vDSO",
                            "    - irqchip/gic-v5: Fix loop in gicv5_its_create_itt_two_level() cleanup",
                            "      path",
                            "    - irqchip/gic-v5: Fix error handling in gicv5_its_irq_domain_alloc()",
                            "    - tick: Do not set device to detached state in tick_shutdown()",
                            "    - arm64: dts: mediatek: mt8195: Remove suspend-breaking reset from pcie0",
                            "    - arm64: dts: mediatek: mt8183: Fix out of range pull values",
                            "    - nbd: restrict sockets to TCP and UDP",
                            "    - PM / devfreq: rockchip-dfi: double count on RK3588",
                            "    - firmware: firmware: meson-sm: fix compile-test default",
                            "    - dts: arm: amlogic: fix pwm node for c3",
                            "    - soc: mediatek: mtk-svs: fix device leaks on mt8183 probe failure",
                            "    - soc: mediatek: mtk-svs: fix device leaks on mt8192 probe failure",
                            "    - cpuidle: qcom-spm: fix device and OF node leaks at probe",
                            "    - block: cleanup bio_issue",
                            "    - block: initialize bio issue time in blk_mq_submit_bio()",
                            "    - block: factor out a helper bio_submit_split_bioset()",
                            "    - block: skip unnecessary checks for split bio",
                            "    - block: fix ordering of recursive split IO",
                            "    - blk-mq: remove useless checkings in blk_mq_update_nr_requests()",
                            "    - blk-mq: check invalid nr_requests in queue_requests_store()",
                            "    - blk-mq: convert to serialize updating nr_requests with",
                            "      update_nr_hwq_lock",
                            "    - blk-mq: cleanup shared tags case in blk_mq_update_nr_requests()",
                            "    - blk-mq: split bitmap grow and resize case in blk_mq_update_nr_requests()",
                            "    - blk-mq-sched: add new parameter nr_requests in blk_mq_alloc_sched_tags()",
                            "    - blk-mq: fix potential deadlock while nr_requests grown",
                            "    - arm64: dts: allwinner: a527: cubie-a5e: Add ethernet PHY reset setting",
                            "    - arm64: dts: allwinner: t527: avaota-a1: Add ethernet PHY reset setting",
                            "    - arm64: dts: rockchip: Add RTC on rk3576-evb1-v10",
                            "    - arm64: dts: rockchip: Add WiFi on rk3576-evb1-v10",
                            "    - arm64: dts: rockchip: Fix network on rk3576 evb1 board",
                            "    - arm64: dts: ti: k3-j742s2-mcu-wakeup: Override firmware-name for MCU R5F",
                            "      cores",
                            "    - arm64: dts: ti: k3: Rename rproc reserved-mem nodes to 'memory@addr'",
                            "    - Revert \"arm64: dts: ti: k3-j721e-sk: Fix reversed C6x carveout",
                            "      locations\"",
                            "    - Revert \"arm64: dts: ti: k3-j721e-beagleboneai64: Fix reversed C6x",
                            "      carveout locations\"",
                            "    - arm64: dts: mediatek: mt8188: Change efuse fallback compatible to mt8186",
                            "    - arm64: dts: mediatek: mt8186-tentacruel: Fix touchscreen model",
                            "    - arm64: dts: ti: k3-pinctrl: Fix the bug in existing macros",
                            "    - arm64: dts: renesas: r9a09g047e57-smarc: Fix gpio key's pin control node",
                            "    - arm64: dts: mediatek: mt6331: Fix pmic, regulators, rtc, keys node names",
                            "    - mmc: core: Fix variable shadowing in mmc_route_rpmb_frames()",
                            "    - arm64: dts: mediatek: mt6795-xperia-m5: Fix mmc0 latch-ck value",
                            "    - arm64: dts: mediatek: mt7986a: Fix PCI-Express T-PHY node address",
                            "    - arm64: dts: mediatek: mt8395-kontron-i1200: Fix MT6360 regulator nodes",
                            "    - arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible",
                            "    - arm64: dts: allwinner: a527: cubie-a5e: Add LEDs",
                            "    - arm64: dts: allwinner: a527: cubie-a5e: Drop external 32.768 KHz crystal",
                            "    - arm64: dts: allwinner: t527: avaota-a1: hook up external 32k crystal",
                            "    - arm64: dts: allwinner: t527: orangepi-4a: hook up external 32k crystal",
                            "    - pwm: tiehrpwm: Don't drop runtime PM reference in .free()",
                            "    - pwm: tiehrpwm: Make code comment in .free() more useful",
                            "    - pwm: tiehrpwm: Fix various off-by-one errors in duty-cycle calculation",
                            "    - pwm: tiehrpwm: Fix corner case in clock divisor calculation",
                            "    - ACPICA: Apply ACPI_NONSTRING",
                            "    - ACPICA: Fix largest possible resource descriptor index",
                            "    - riscv, bpf: Sign extend struct ops return values properly",
                            "    - nvme-auth: update bi_directional flag",
                            "    - nvmet-fc: move lsop put work to nvmet_fc_ls_req_op",
                            "    - nvmet-fcloop: call done callback even when remote port is gone",
                            "    - nvme-tcp: send only permitted commands for secure concat",
                            "    - i3c: master: svc: Use manual response for IBI events",
                            "    - i3c: master: svc: Recycle unused IBI slot",
                            "    - block: update validation of atomic writes boundary for stacked devices",
                            "    - block: fix stacking of atomic writes when atomics are not supported",
                            "    - selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported",
                            "    - selftests/kselftest_harness: Add harness-selftest.expected to TEST_FILES",
                            "    - blk-throttle: fix throtl_data leak during disk release",
                            "    - bpf: Explicitly check accesses to bpf_sock_addr",
                            "    - mmc: select REGMAP_MMIO with MMC_LOONGSON2",
                            "    - selftests/futex: Fix futex_wait() for 32bit ARM",
                            "    - selftest/futex: Make the error check more precise for futex_numa_mpol",
                            "    - selftest/futex: Compile also with libnuma < 2.0.16",
                            "    - bpf: dont report verifier bug for missing bpf_scc_visit on speculative",
                            "      path",
                            "    - bpf, arm64: Call bpf_jit_binary_pack_finalize() in bpf_jit_free()",
                            "    - arm64: dts: apple: t600x: Add missing WiFi properties",
                            "    - arm64: dts: apple: t600x: Add bluetooth device nodes",
                            "    - arm64: dts: apple: Add ethernet0 alias for J375 template",
                            "    - selftests: always install UAPI headers to the correct directory",
                            "    - smp: Fix up and expand the smp_call_function_many() kerneldoc",
                            "    - mfd: max77705: max77705_charger: move active discharge setting to mfd",
                            "      parent",
                            "    - power: supply: max77705_charger: refactoring: rename charger to chg",
                            "    - power: supply: max77705_charger: use regfields for config registers",
                            "    - power: supply: max77705_charger: rework interrupts",
                            "    - tools/nolibc: make time_t robust if __kernel_old_time_t is missing in",
                            "      host headers",
                            "    - spi: fix return code when spi device has too many chipselects",
                            "    - clocksource/drivers/timer-tegra186: Avoid 64-bit divide operation",
                            "    - clocksource/drivers/tegra186: Avoid 64-bit division",
                            "    - bpf: Mark kfuncs as __noclone",
                            "    - once: fix race by moving DO_ONCE to separate section",
                            "    - hwmon: (mlxreg-fan) Separate methods of fan setting coming from",
                            "      different subsystems",
                            "    - tools/nolibc: add stdbool.h to nolibc includes",
                            "    - thermal/drivers/qcom: Make LMH select QCOM_SCM",
                            "    - thermal/drivers/qcom/lmh: Add missing IRQ includes",
                            "    - i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD",
                            "    - i2c: spacemit: ensure bus release check runs when wait_bus_idle() fails",
                            "    - i2c: spacemit: remove stop function to avoid bus error",
                            "    - i2c: spacemit: disable SDA glitch fix to avoid restart delay",
                            "    - i2c: spacemit: check SDA instead of SCL after bus reset",
                            "    - i2c: spacemit: ensure SDA is released after bus reset",
                            "    - i2c: designware: Fix clock issue when PM is disabled",
                            "    - i2c: designware: Add disabling clocks when probe fails",
                            "    - libbpf: Fix error when st-prefix_ops and ops from differ btf",
                            "    - bpf: Enforce expected_attach_type for tailcall compatibility",
                            "    - i3c: fix big-endian FIFO transfers",
                            "    - mfd: max77705: Setup the core driver as an interrupt controller",
                            "    - drm/sched: Fix a race in DRM_GPU_SCHED_STAT_NO_HANG test",
                            "    - drm/panel-edp: Add disable to 100ms for MNB601LS1-4",
                            "    - drm/display: bridge-connector: correct CEC bridge pointers in",
                            "      drm_bridge_connector_init",
                            "    - drm/panel-edp: Add 50ms disable delay for four panels",
                            "    - drm/vmwgfx: fix missing assignment to ts",
                            "    - drm/amd/display: Reduce Stack Usage by moving 'audio_output' into",
                            "      'stream_res' v4",
                            "    - drm/panel: novatek-nt35560: Fix invalid return value",
                            "    - drm/amdgpu: fix link error for !PM_SLEEP",
                            "    - drm/amdgpu: Fix jpeg v4.0.3 poison irq call trace on sriov guest",
                            "    - drm/amdgpu: Fix vcn v4.0.3 poison irq call trace on sriov guest",
                            "    - PCI: endpoint: pci-ep-msi: Fix NULL vs IS_ERR() check in",
                            "      pci_epf_write_msi_msg()",
                            "    - PCI: xgene-msi: Return negative -EINVAL in xgene_msi_handler_setup()",
                            "    - drm/radeon/r600_cs: clean up of dead code in r600_cs",
                            "    - f2fs: fix condition in __allow_reserved_blocks()",
                            "    - f2fs: fix to avoid overflow while left shift operation",
                            "    - f2fs: fix to zero data after EOF for compressed file correctly",
                            "    - drm/bridge: it6505: select REGMAP_I2C",
                            "    - wifi: rtw88: Lock rtwdev->mutex before setting the LED",
                            "    - HID: steelseries: refactor probe() and remove()",
                            "    - media: zoran: Remove zoran_fh structure",
                            "    - phy: rockchip: naneng-combphy: Enable U3 OTG port for RK3568",
                            "    - drm/bridge: cdns-dsi: Fix the _atomic_check()",
                            "    - usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup",
                            "    - usb: misc: qcom_eud: Access EUD_MODE_MANAGER2 through secure calls",
                            "    - PCI/pwrctrl: Fix double cleanup on devm_add_action_or_reset() failure",
                            "    - misc: pci_endpoint_test: Fix array underflow in",
                            "      pci_endpoint_test_ioctl()",
                            "    - serial: max310x: Add error checking in probe()",
                            "    - drm/amd/display: Remove redundant semicolons",
                            "    - drm/amd/display: Add NULL pointer checks in dc_stream cursor attribute",
                            "      functions",
                            "    - crypto: keembay - Add missing check after sg_nents_for_len()",
                            "    - hwrng: nomadik - add ARM_AMBA dependency",
                            "    - docs: iio: ad3552r: Fix malformed code-block directive",
                            "    - fwctl/mlx5: Fix memory alloc/free in mlx5ctl_fw_rpc()",
                            "    - scsi: pm80xx: Restore support for expanders",
                            "    - scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod",
                            "    - scsi: libsas: Add dev_parent_is_expander() helper",
                            "    - scsi: pm80xx: Use dev_parent_is_expander() helper",
                            "    - scsi: pm80xx: Add helper function to get the local phy id",
                            "    - scsi: pm80xx: Fix pm8001_abort_task() for chip_8006 when using an",
                            "      expander",
                            "    - mptcp: Fix up subflow's memcg when CONFIG_SOCK_CGROUP_DATA=n.",
                            "    - scsi: myrs: Fix dma_alloc_coherent() error check",
                            "    - f2fs: fix to clear unusable_cap for checkpoint=enable",
                            "    - f2fs: fix to avoid NULL pointer dereference in",
                            "      f2fs_check_quota_consistency()",
                            "    - f2fs: fix to allow removing qf_name",
                            "    - Revert \"UBUNTU: SAUCE: drm/dp: drm_edp_backlight_set_level: do not",
                            "      always send 3-byte commands\"",
                            "    - drm/dp: drm_edp_backlight_set_level: do not always send 3-byte commands",
                            "    - crypto: octeontx2 - Call strscpy() with correct size argument",
                            "    - drm: re-allow no-op changes on non-primary planes in async flips",
                            "    - media: rj54n1cb0c: Fix memleak in rj54n1_probe()",
                            "    - media: staging/ipu7: convert to use pci_alloc_irq_vectors() API",
                            "    - media: staging/ipu7: Don't set name for IPU7 PCI device",
                            "    - media: staging/ipu7: cleanup the MMU correctly in IPU7 driver release",
                            "    - media: i2c: vd55g1: Fix duster register address",
                            "    - drm/panel: Allow powering on panel follower after panel is enabled",
                            "    - HID: i2c-hid: Make elan touch controllers power on after panel is",
                            "      enabled",
                            "    - RDMA/mlx5: Better estimate max_qp_wr to reflect WQE count",
                            "    - RDMA/mlx5: Fix vport loopback forcing for MPV device",
                            "    - wifi: rtw88: Use led->brightness_set_blocking for PCI too",
                            "    - net: phy: introduce phy_id_compare_vendor() PHY ID helper",
                            "    - net: phy: as21xxx: better handle PHY HW reset on soft-reboot",
                            "    - PCI: rcar-host: Pass proper IRQ domain to generic_handle_domain_irq()",
                            "    - fuse: remove unneeded offset assignment when filling write pages",
                            "    - PCI: qcom: Restrict port parsing only to PCIe bridge child nodes",
                            "    - cdx: don't select CONFIG_GENERIC_MSI_IRQ",
                            "    - PCI/ACPI: Fix pci_acpi_preserve_config() memory leak",
                            "    - HID: i2c-hid: Fix test in i2c_hid_core_register_panel_follower()",
                            "    - ALSA: lx_core: use int type to store negative error codes",
                            "    - media: st-delta: avoid excessive stack usage",
                            "    - drm/amdgpu/vcn: Add regdump helper functions",
                            "    - drm/amdgpu/vcn: Hold pg_lock before vcn power off",
                            "    - drm/amdgpu: Check vcn state before profile switch",
                            "    - accel/amdxdna: Use int instead of u32 to store error codes",
                            "    - efi: Explain OVMF acronym in OVMF_DEBUG_LOG help text",
                            "    - net: dst: introduce dst->dev_rcu",
                            "    - ipv6: mcast: Add ip6_mc_find_idev() helper",
                            "    - ipv6: start using dst_dev_rcu()",
                            "    - ipv6: use RCU in ip6_xmit()",
                            "    - ipv6: use RCU in ip6_output()",
                            "    - net: use dst_dev_rcu() in sk_setup_caps()",
                            "    - tcp_metrics: use dst_dev_net_rcu()",
                            "    - ipv4: start using dst_dev_rcu()",
                            "    - crypto: hisilicon/zip - remove unnecessary validation for high-",
                            "      performance mode configurations",
                            "    - crypto: hisilicon - re-enable address prefetch after device resuming",
                            "    - crypto: hisilicon - check the sva module status while enabling or",
                            "      disabling address prefetch",
                            "    - crypto: hisilicon/qm - check whether the input function and PF are on",
                            "      the same device",
                            "    - crypto: hisilicon/qm - request reserved interrupt for virtual function",
                            "    - inet: ping: check sock_net() in ping_get_port() and ping_lookup()",
                            "    - dmaengine: Fix dma_async_tx_descriptor->tx_submit documentation",
                            "    - coresight: trbe: Add ISB after TRBLIMITR write",
                            "    - coresight: Fix missing include for FIELD_GET",
                            "    - coresight: Only register perf symlink for sinks with alloc_buffer",
                            "    - drm/amdgpu: Power up UVD 3 for FW validation (v2)",
                            "    - drm/amd/pm: Disable ULV even if unsupported (v3)",
                            "    - drm/amd/pm: Fix si_upload_smc_data (v3)",
                            "    - drm/amd/pm: Adjust si_upload_smc_data register programming (v3)",
                            "    - drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3)",
                            "    - drm/amd/pm: Disable MCLK switching with non-DC at 120 Hz+ (v2)",
                            "    - drm/amd/pm: Disable SCLK switching on Oland with high pixel clocks (v3)",
                            "    - wifi: mac80211: Make CONNECTION_MONITOR optional for MLO sta",
                            "    - wifi: mwifiex: send world regulatory domain to driver",
                            "    - wifi: brcmfmac: fix 43752 SDIO FWVID incorrectly labelled as Cypress",
                            "      (CYW)",
                            "    - drm/msm: Do not validate SSPP when it is not ready",
                            "    - PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation",
                            "    - wifi: mac80211: consider links for validating SCAN_FLAG_AP in scan",
                            "      request during MLO",
                            "    - PCI: qcom: Add equalization settings for 8.0 GT/s and 32.0 GT/s",
                            "    - tcp: fix __tcp_close() to only send RST when required",
                            "    - fanotify: Validate the return value of mnt_ns_from_dentry() before",
                            "      dereferencing",
                            "    - drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl()",
                            "    - usb: phy: twl6030: Fix incorrect type for ret",
                            "    - usb: gadget: configfs: Correctly set use_os_string at bind",
                            "    - tty: n_gsm: Don't block input queue by waiting MSC",
                            "    - misc: genwqe: Fix incorrect cmd field being reported in error",
                            "    - pps: fix warning in pps_register_cdev when register device fail",
                            "    - drm/msm: Fix obj leak in VM_BIND error path",
                            "    - drm/msm: Fix missing VM_BIND offset/range validation",
                            "    - wifi: iwlwifi: Remove redundant header files",
                            "    - drm/msm/mdp4: stop supporting no-IOMMU configuration",
                            "    - drm/msm: stop supporting no-IOMMU configuration",
                            "    - idpf: fix Rx descriptor ready check barrier in splitq",
                            "    - ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping",
                            "    - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping",
                            "    - ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping",
                            "    - ipv6: snmp: do not use SNMP_MIB_SENTINEL anymore",
                            "    - ipv6: snmp: do not track per idev ICMP6_MIB_RATELIMITHOST",
                            "    - drm/msm: Fix bootup splat with separate_gpu_drm modparam",
                            "    - drm/msm/dpu: fix incorrect type for ret",
                            "    - wifi: mac80211: fix reporting of all valid links in sta_set_sinfo()",
                            "    - fs: ntfs3: Fix integer overflow in run_unpack()",
                            "    - fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist",
                            "    - iio: consumers: Fix handling of negative channel scale in",
                            "      iio_convert_raw_to_processed()",
                            "    - iio: consumers: Fix offset handling in iio_convert_raw_to_processed()",
                            "    - mm/slub: Fix cmp_loc_by_count() to return 0 when counts are equal",
                            "    - tools: ynl: fix undefined variable name",
                            "    - RDMA/mlx5: Fix page size bitmap calculation for KSM mode",
                            "    - netfilter: ipset: Remove unused htable_bits in macro ahash_region",
                            "    - ipvs: Use READ_ONCE/WRITE_ONCE for ipvs->enable",
                            "    - HID: steelseries: Fix STEELSERIES_SRWS1 handling in steelseries_remove()",
                            "    - watchdog: intel_oc_wdt: Do not try to write into const memory",
                            "    - watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the",
                            "      watchdog",
                            "    - PCI: endpoint: pci-epf-test: Fix doorbell test support",
                            "    - drivers/base/node: handle error properly in register_one_node()",
                            "    - RDMA/cm: Rate limit destroy CM ID timeout error message",
                            "    - wifi: mt76: mt7996: Fix mt7996_mcu_sta_ba wcid configuration",
                            "    - wifi: mt76: mt7996: Fix mt7996_mcu_bss_mld_tlv routine",
                            "    - wifi: mt76: fix potential memory leak in mt76_wmac_probe()",
                            "    - wifi: mt76: mt7996: Use proper link_id in link_sta_rc_update callback",
                            "    - wifi: mt76: mt7996: Check phy before init msta_link in",
                            "      mt7996_mac_sta_add_links()",
                            "    - wifi: mt76: mt7996: Fix tx-queues initialization for second phy on",
                            "      mt7996",
                            "    - wifi: mt76: mt7996: Fix RX packets configuration for primary WED device",
                            "    - wifi: mt76: mt7996: Convert mt7996_wed_rro_addr to LE",
                            "    - wifi: mt76: mt7915: fix mt7981 pre-calibration",
                            "    - wifi: mt76: mt7996: remove redundant per-phy mac80211 calls during",
                            "      restart",
                            "    - ASoC: Intel: hda-sdw-bpt: set persistent_buffer false",
                            "    - srcu/tiny: Remove preempt_disable/enable() in srcu_gp_start_if_needed()",
                            "    - drm/amdgpu: Fix allocating extra dwords for rings (v2)",
                            "    - f2fs: fix to update map->m_next_extent correctly in f2fs_map_blocks()",
                            "    - f2fs: fix to truncate first page in error path of f2fs_truncate()",
                            "    - f2fs: fix to avoid migrating empty section",
                            "    - f2fs: fix to mitigate overhead of f2fs_zero_post_eof_page()",
                            "    - RISC-V: KVM: Write hgatp register with valid mode bits",
                            "    - ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on",
                            "      PREEMPT_RT",
                            "    - ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message",
                            "    - scsi: qla2xxx: edif: Fix incorrect sign of error code",
                            "    - scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES()",
                            "    - scsi: qla2xxx: Fix incorrect sign of error code in qla_nvme_xmt_ls_rsp()",
                            "    - HID: hidraw: tighten ioctl command parsing",
                            "    - f2fs: fix zero-sized extent for precache extents",
                            "    - smc: Fix use-after-free in __pnet_find_base_ndev().",
                            "    - smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().",
                            "    - smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().",
                            "    - smc: Use __sk_dst_get() and dst_dev_rcu() in smc_vlan_by_tcpsk().",
                            "    - tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().",
                            "    - mptcp: Call dst_release() in mptcp_active_enable().",
                            "    - mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable().",
                            "    - Revert \"usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems",
                            "      Running\"",
                            "    - RDMA/core: Resolve MAC of next-hop device without ARP support",
                            "    - IB/sa: Fix sa_local_svc_timeout_ms read race",
                            "    - Documentation: trace: historgram-design: Separate sched_waking histogram",
                            "      section heading and the following diagram",
                            "    - ASoC: SOF: ipc4-pcm: Fix incorrect comparison with number of tdm_slots",
                            "    - wifi: ath12k: initialize eirp_power before use",
                            "    - wifi: ath12k: fix overflow warning on num_pwr_levels",
                            "    - wifi: ath12k: fix signal in radiotap for WCN7850",
                            "    - wifi: ath12k: fix HAL_PHYRX_COMMON_USER_INFO handling in monitor mode",
                            "    - wifi: ath12k: fix the fetching of combined rssi",
                            "    - wifi: ath12k: Add fallback for invalid channel number in PHY metadata",
                            "    - wifi: ath12k: fix wrong logging ID used for CE",
                            "    - wifi: ath10k: avoid unnecessary wait for service ready message",
                            "    - iommu/vt-d: debugfs: Fix legacy mode page table dump logic",
                            "    - wifi: mac80211: fix Rx packet handling when pubsta information is not",
                            "      available",
                            "    - ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      UltraSPARC",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      UltraSPARC III",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      Niagara",
                            "    - sparc: fix accurate exception reporting in copy_to_user for Niagara 4",
                            "    - sparc: fix accurate exception reporting in copy_{from,to}_user for M7",
                            "    - vfio/pds: replace bitmap_free with vfree",
                            "    - crypto: comp - Use same definition of context alloc and free ops",
                            "    - crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs",
                            "    - wifi: ath12k: Fix peer lookup in ath12k_dp_mon_rx_deliver_msdu()",
                            "    - rpmsg: qcom_smd: Fix fallback to qcom,ipc parse",
                            "    - remoteproc: qcom_q6v5_mss: support loading MBN file on msm8974",
                            "    - RDMA/rxe: Fix race in do_task() when draining",
                            "    - selftests/mm: fix va_high_addr_switch.sh failure on x86_64",
                            "    - wifi: rtw89: fix leak in rtw89_core_send_nullfunc()",
                            "    - wifi: rtw89: avoid circular locking dependency in ser_state_run()",
                            "    - PCI: tegra194: Fix duplicate PLL disable in",
                            "      pex_ep_event_pex_rst_assert()",
                            "    - remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice",
                            "    - remoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E",
                            "    - wifi: ath12k: Refactor RX TID deletion handling into helper function",
                            "    - wifi: ath12k: Fix flush cache failure during RX queue update",
                            "    - wifi: cfg80211: fix width unit in cfg80211_radio_chandef_valid()",
                            "    - dm vdo: return error on corrupted metadata in start_restoring_volume",
                            "      functions",
                            "    - coresight: fix indentation error in cscfg_remove_owned_csdev_configs()",
                            "    - coresight-etm4x: Conditionally access register TRCEXTINSELR",
                            "    - coresight: tmc: Support atclk",
                            "    - coresight: catu: Support atclk",
                            "    - coresight: etm4x: Support atclk",
                            "    - coresight: Appropriately disable programming clocks",
                            "    - coresight: Appropriately disable trace bus clocks",
                            "    - coresight: Avoid enable programming clock duplicately",
                            "    - coresight: trbe: Return NULL pointer for allocation failures",
                            "    - coresight: tpda: fix the logic to setup the element size",
                            "    - coresight: Fix incorrect handling for return value of devm_kzalloc",
                            "    - NFSv4.1: fix backchannel max_resp_sz verification check",
                            "    - net: ethtool: tsconfig: set command must provide a reply",
                            "    - netfilter: nfnetlink: reset nlh pointer during batch replay",
                            "    - netfilter: nf_conntrack: do not skip entries in /proc/net/nf_conntrack",
                            "    - scsi: ufs: core: Fix data race in CPU latency PM QoS request handling",
                            "    - scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()",
                            "    - usb: vhci-hcd: Prevent suspending virtually attached devices",
                            "    - PCI: rcar-gen4: Add missing 1ms delay after PWR reset assertion",
                            "    - PCI: rcar-gen4: Assure reset occurs before DBI access",
                            "    - PCI: rcar-gen4: Fix inverted break condition in PHY initialization",
                            "    - ASoC: qcom: sc8280xp: use sa8775p/ subdir for QCS9100 / QCS9075",
                            "    - iommu/vt-d: Disallow dirty tracking if incoherent page walk",
                            "    - iommu/selftest: prevent use of uninitialized variable",
                            "    - RDMA/siw: Always report immediate post SQ errors",
                            "    - net: enetc: Fix probing error message typo for the ENETCv4 PF driver",
                            "    - net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast",
                            "    - ptp: Add a upper bound on max_vclocks",
                            "    - vhost: vringh: Fix copy_to_iter return value check",
                            "    - net: macb: remove illusion about TBQPH/RBQPH being per-queue",
                            "    - net: macb: move ring size computation to functions",
                            "    - net: macb: single dma_alloc_coherent() for DMA descriptors",
                            "    - Bluetooth: btintel_pcie: Refactor Device Coredump",
                            "    - Bluetooth: MGMT: Fix not exposing debug UUID on",
                            "      MGMT_OP_READ_EXP_FEATURES_INFO",
                            "    - Bluetooth: ISO: Fix possible UAF on iso_conn_free",
                            "    - Bluetooth: ISO: free rx_skb if not consumed",
                            "    - Bluetooth: ISO: don't leak skb in ISO_CONT RX",
                            "    - Bluetooth: hci_sync: Fix using random address for BIG/PA advertisements",
                            "    - KEYS: X.509: Fix Basic Constraints CA flag parsing",
                            "    - hwrng: ks-sa - fix division by zero in ks_sa_rng_init",
                            "    - cramfs: fix incorrect physical page address calculation",
                            "    - ocfs2: fix double free in user_cluster_connect()",
                            "    - drivers/base/node: fix double free in register_one_node()",
                            "    - f2fs: fix UAF issue in f2fs_merge_page_bio()",
                            "    - mtd: rawnand: atmel: Fix error handling path in",
                            "      atmel_nand_controller_add_nands",
                            "    - PCI: j721e: Fix incorrect error message in probe()",
                            "    - idpf: fix mismatched free function for dma_alloc_coherent",
                            "    - tcp: use skb->len instead of skb->truesize in tcp_can_ingest()",
                            "    - nfp: fix RSS hash key size when RSS is not supported",
                            "    - net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not",
                            "      configurable",
                            "    - net: dlink: handle copy_thresh allocation failure",
                            "    - net/mlx5: Stop polling for command response if interface goes down",
                            "    - net/mlx5: pagealloc: Fix reclaim race during command interface teardown",
                            "    - net/mlx5: fw reset, add reset timeout work",
                            "    - smb: client: fix crypto buffers in non-linear memory",
                            "    - bonding: fix xfrm offload feature setup on active-backup mode",
                            "    - net: enetc: initialize SW PIR and CIR based HW PIR and CIR values",
                            "    - iommufd: Register iommufd mock devices with fwspec",
                            "    - Revert \"net/mlx5e: Update and set Xon/Xoff upon MTU set\"",
                            "    - NFSD: filecache: add STATX_DIOALIGN and STATX_DIO_READ_ALIGN support",
                            "    - nfs/localio: avoid issuing misaligned IO using O_DIRECT",
                            "    - octeontx2-vf: fix bitmap leak",
                            "    - octeontx2-pf: fix bitmap leak",
                            "    - vhost: vringh: Modify the return value check",
                            "    - selftests/bpf: Fix typos and grammar in test sources",
                            "    - selftests/bpf: move get_ksyms and get_addrs to trace_helpers.c",
                            "    - selftests/bpf: Fix realloc size in bpf_get_addrs",
                            "    - bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer",
                            "    - bpf: Reject negative offsets for ALU ops",
                            "    - tpm: Disable TPM2_TCG_HMAC by default",
                            "    - ALSA: hda/hdmi: Add pin fix for HP ProDesk model",
                            "    - ALSA: hda/realtek: Add quirk for HP Spectre 14t-ea100",
                            "    - Squashfs: fix uninit-value in squashfs_get_parent",
                            "    - uio_hv_generic: Let userspace take care of interrupt mask",
                            "    - hisi_acc_vfio_pci: Fix reference leak in hisi_acc_vfio_debug_init",
                            "    - io_uring/waitid: always prune wait queue entry in io_waitid_wait()",
                            "    - io_uring/zcrx: fix overshooting recv limit",
                            "    - ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()",
                            "    - ASoC: SOF: ipc3-topology: Fix multi-core and static pipelines tear down",
                            "    - ASoC: codecs: wcd937x: set the comp soundwire port correctly",
                            "    - ASoC: codecs: wcd937x: make stub functions inline",
                            "    - ASoC: SOF: ipc4-pcm: fix delay calculation when DSP resamples",
                            "    - ASoC: SOF: ipc4-pcm: fix start offset calculation for chain DMA",
                            "    - fs: udf: fix OOB read in lengthAllocDescs handling",
                            "    - net: nfc: nci: Add parameter validation for packet data",
                            "    - mfd: rz-mtu3: Fix MTU5 NFCR register offset",
                            "    - mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag",
                            "    - mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data()",
                            "    - tracing: Fix lock imbalance in s_start() memory allocation failure path",
                            "    - tracing: Fix race condition in kprobe initialization causing NULL",
                            "      pointer dereference",
                            "    - tracing: Fix wakeup tracers on failure of acquiring calltime",
                            "    - tracing: Fix irqoff tracers on failure of acquiring calltime",
                            "    - tracing: Have trace_marker use per-cpu data to read user space",
                            "    - tracing: Fix tracing_mark_raw_write() to use buf and not ubuf",
                            "    - tracing: Stop fortify-string from warning in tracing_mark_raw_write()",
                            "    - dm: fix queue start/stop imbalance under suspend/load/resume races",
                            "    - dm: fix NULL pointer dereference in __dm_suspend()",
                            "    - LoongArch: Automatically disable kaslr if boot from kexec_file",
                            "    - pwm: loongson: Fix LOONGSON_PWM_FREQ_DEFAULT",
                            "    - LoongArch: BPF: Sign-extend struct ops return values properly",
                            "    - LoongArch: BPF: No support of struct argument in trampoline programs",
                            "    - LoongArch: BPF: Don't align trampoline size",
                            "    - LoongArch: BPF: Make trampoline size stable",
                            "    - LoongArch: BPF: Make error handling robust in",
                            "      arch_prepare_bpf_trampoline()",
                            "    - LoongArch: BPF: Remove duplicated bpf_flush_icache()",
                            "    - LoongArch: BPF: No text_poke() for kernel text",
                            "    - LoongArch: BPF: Remove duplicated flags check",
                            "    - LoongArch: BPF: Fix uninitialized symbol 'retval_off'",
                            "    - mm/ksm: fix flag-dropping behavior in ksm_madvise",
                            "    - ksmbd: Fix race condition in RPC handle list access",
                            "    - ksmbd: fix error code overwriting in smb2_get_info_filesystem()",
                            "    - ksmbd: add max ip connections parameter",
                            "    - ext4: fix potential null deref in ext4_mb_init()",
                            "    - ext4: fix checks for orphan inodes",
                            "    - KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid",
                            "    - fbdev: simplefb: Fix use after free in simplefb_detach_genpds()",
                            "    - mm: hugetlb: avoid soft lockup when mprotect to large memory area",
                            "    - selftests/mm: skip soft-dirty tests when CONFIG_MEM_SOFT_DIRTY is",
                            "      disabled",
                            "    - nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()",
                            "    - misc: fastrpc: Save actual DMA size in fastrpc_map structure",
                            "    - misc: fastrpc: Fix fastrpc_map_lookup operation",
                            "    - misc: fastrpc: fix possible map leak in fastrpc_put_args",
                            "    - misc: fastrpc: Skip reference for DMA handles",
                            "    - Input: atmel_mxt_ts - allow reset GPIO to sleep",
                            "    - Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info",
                            "      leak",
                            "    - sunrpc: fix null pointer dereference on zero-length checksum",
                            "    - PCI/AER: Avoid NULL pointer dereference in aer_ratelimit()",
                            "    - remoteproc: pru: Fix potential NULL pointer dereference in",
                            "      pru_rproc_set_ctable()",
                            "    - PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before",
                            "      release",
                            "    - thunderbolt: Fix use-after-free in tb_dp_dprx_work",
                            "    - tee: fix register_shm_helper()",
                            "    - pinctrl: check the return value of pinmux_ops::get_function_name()",
                            "    - bus: fsl-mc: Check return value of platform_get_resource()",
                            "    - net/9p: Fix buffer overflow in USB transport layer",
                            "    - net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock",
                            "    - usb: typec: tipd: Clear interrupts first",
                            "    - arm64: dts: qcom: qcm2290: Disable USB SS bus instances in park mode",
                            "    - usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call",
                            "    - scsi: ufs: core: Fix PM QoS mutex initialization",
                            "    - drm/amdgpu/vcn: Fix double-free of vcn dump buffer",
                            "    - Linux 6.17.3",
                            "  * CVE-2025-40019",
                            "    - crypto: essiv - Check ssize for decryption and in-place encryption",
                            "  * CVE-2025-40214",
                            "    - af_unix: Initialise scc_index in unix_add_edge().",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [SAUCE] Fix selftest/net/rtnetlink.sh for Big Endian",
                            ""
                        ],
                        "package": "linux-riscv",
                        "version": "6.17.0-14.14.1",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2137845,
                            1786013,
                            2137849,
                            1786013,
                            2136820,
                            2137698,
                            2129812,
                            2125022,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136813,
                            2132317,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2132095,
                            2131046,
                            2115860,
                            2128792,
                            2121852,
                            2131259,
                            2131259,
                            2131702,
                            2129610
                        ],
                        "author": "Sarah Emery <sarah.emery@canonical.com>",
                        "date": "Fri, 23 Jan 2026 09:46:46 +0100"
                    }
                ],
                "notes": "linux-riscv-headers-6.17.0-14 version '6.17.0-14.14.1' (source package linux-riscv version '6.17.0-14.14.1') was added. linux-riscv-headers-6.17.0-14 version '6.17.0-14.14.1' has the same source package name, linux-riscv, as removed package linux-headers-6.17.0-12-generic. As such we can use the source package version of the removed package, '6.17.0-12.12.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-riscv-tools-6.17.0-14",
                "from_version": {
                    "source_package_name": "linux-riscv",
                    "source_package_version": "6.17.0-12.12.1",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-riscv",
                    "source_package_version": "6.17.0-14.14.1",
                    "version": "6.17.0-14.14.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-40256",
                        "url": "https://ubuntu.com/security/CVE-2025-40256",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added  In commit b441cf3f8c4b (\"xfrm: delete x->tunnel as we delete x\"), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists.  In this situation, ->init_state has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn't go through __xfrm_state_delete, so we don't call xfrm_state_delete_tunnel for those states, and we end up leaking the FB tunnel.  There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrm_migrate, xfrm_state_migrate). A \"proper\" rollback of the init_state work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved.  At some point, the new (not-inserted) state will be destroyed, so call xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states will have their fallback tunnel cleaned up during __xfrm_state_delete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68204",
                        "url": "https://ubuntu.com/security/CVE-2025-68204",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pmdomain: arm: scmi: Fix genpd leak on provider registration failure  If of_genpd_add_provider_onecell() fails during probe, the previously created generic power domains are not removed, leading to a memory leak and potential kernel crash later in genpd_debug_add().  Add proper error handling to unwind the initialized domains before returning from probe to ensure all resources are correctly released on failure.  Example crash trace observed without this fix:    | Unable to handle kernel paging request at virtual address fffffffffffffc70   | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT   | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform   | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)   | pc : genpd_debug_add+0x2c/0x160   | lr : genpd_debug_init+0x74/0x98   | Call trace:   |  genpd_debug_add+0x2c/0x160 (P)   |  genpd_debug_init+0x74/0x98   |  do_one_initcall+0xd0/0x2d8   |  do_initcall_level+0xa0/0x140   |  do_initcalls+0x60/0xa8   |  do_basic_setup+0x28/0x40   |  kernel_init_freeable+0xe8/0x170   |  kernel_init+0x2c/0x140   |  ret_from_fork+0x10/0x20",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68203",
                        "url": "https://ubuntu.com/security/CVE-2025-68203",
                        "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40267",
                        "url": "https://ubuntu.com/security/CVE-2025-40267",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/rw: ensure allocated iovec gets cleared for early failure  A previous commit reused the recyling infrastructure for early cleanup, but this is not enough for the case where our internal caches have overflowed. If this happens, then the allocated iovec can get leaked if the request is also aborted early.  Reinstate the previous forced free of the iovec for that situation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68198",
                        "url": "https://ubuntu.com/security/CVE-2025-68198",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crash: fix crashkernel resource shrink  When crashkernel is configured with a high reservation, shrinking its value below the low crashkernel reservation causes two issues:  1. Invalid crashkernel resource objects 2. Kernel crash if crashkernel shrinking is done twice  For example, with crashkernel=200M,high, the kernel reserves 200MB of high memory and some default low memory (say 256MB).  The reservation appears as:  cat /proc/iomem | grep -i crash af000000-beffffff : Crash kernel 433000000-43f7fffff : Crash kernel  If crashkernel is then shrunk to 50MB (echo 52428800 > /sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved: af000000-beffffff : Crash kernel  Instead, it should show 50MB: af000000-b21fffff : Crash kernel  Further shrinking crashkernel to 40MB causes a kernel crash with the following trace (x86):  BUG: kernel NULL pointer dereference, address: 0000000000000038 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI <snip...> Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2f0 ? search_module_extables+0x19/0x60 ? search_bpf_extables+0x5f/0x80 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? __release_resource+0xd/0xb0 release_resource+0x26/0x40 __crash_shrink_memory+0xe5/0x110 crash_shrink_memory+0x12a/0x190 kexec_crash_size_store+0x41/0x80 kernfs_fop_write_iter+0x141/0x1f0 vfs_write+0x294/0x460 ksys_write+0x6d/0xf0 <snip...>  This happens because __crash_shrink_memory()/kernel/crash_core.c incorrectly updates the crashk_res resource object even when crashk_low_res should be updated.  Fix this by ensuring the correct crashkernel resource object is updated when shrinking crashkernel memory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68199",
                        "url": "https://ubuntu.com/security/CVE-2025-68199",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext  When alloc_slab_obj_exts() fails and then later succeeds in allocating a slab extension vector, it calls handle_failed_objexts_alloc() to mark all objects in the vector as empty.  As a result all objects in this slab (slabA) will have their extensions set to CODETAG_EMPTY.  Later on if this slabA is used to allocate a slabobj_ext vector for another slab (slabB), we end up with the slabB->obj_exts pointing to a slabobj_ext vector that itself has a non-NULL slabobj_ext equal to CODETAG_EMPTY.  When slabB gets freed, free_slab_obj_exts() is called to free slabB->obj_exts vector.   free_slab_obj_exts() calls mark_objexts_empty(slabB->obj_exts) which will generate a warning because it expects slabobj_ext vectors to have a NULL obj_ext, not CODETAG_EMPTY.  Modify mark_objexts_empty() to skip the warning and setting the obj_ext value if it's already set to CODETAG_EMPTY.   To quickly detect this WARN, I modified the code from WARN_ON(slab_exts[offs].ref.ct) to BUG_ON(slab_exts[offs].ref.ct == 1);  We then obtained this message:  [21630.898561] ------------[ cut here ]------------ [21630.898596] kernel BUG at mm/slub.c:2050! 
[21630.898611] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [21630.900372] Modules linked in: squashfs isofs vfio_iommu_type1 vhost_vsock vfio vhost_net vmw_vsock_virtio_transport_common vhost tap vhost_iotlb iommufd vsock binfmt_misc nfsv3 nfs_acl nfs lockd grace netfs tls rds dns_resolver tun brd overlay ntfs3 exfat btrfs blake2b_generic xor xor_neon raid6_pq loop sctp ip6_udp_tunnel udp_tunnel nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables rfkill ip_set sunrpc vfat fat joydev sg sch_fq_codel nfnetlink virtio_gpu sr_mod cdrom drm_client_lib virtio_dma_buf drm_shmem_helper drm_kms_helper drm ghash_ce backlight virtio_net virtio_blk virtio_scsi net_failover virtio_console failover virtio_mmio dm_mirror dm_region_hash dm_log dm_multipath dm_mod fuse i2c_dev virtio_pci virtio_pci_legacy_dev virtio_pci_modern_dev virtio virtio_ring autofs4 aes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject] [21630.909177] CPU: 3 UID: 0 PID: 3787 Comm: kylin-process-m Kdump: loaded Tainted: G        W           6.18.0-rc1+ #74 PREEMPT(voluntary) [21630.910495] Tainted: [W]=WARN [21630.910867] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 [21630.911625] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [21630.912392] pc : __free_slab+0x228/0x250 [21630.912868] lr : __free_slab+0x18c/0x250[21630.913334] sp : ffff8000a02f73e0 [21630.913830] x29: ffff8000a02f73e0 x28: fffffdffc43fc800 x27: ffff0000c0011c40 [21630.914677] x26: ffff0000c000cac0 x25: ffff00010fe5e5f0 x24: ffff000102199b40 [21630.915469] x23: 0000000000000003 x22: 0000000000000003 x21: ffff0000c0011c40 [21630.916259] x20: fffffdffc4086600 x19: fffffdffc43fc800 x18: 0000000000000000 [21630.917048] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [21630.917837] x14: 0000000000000000 x13: 0000000000000000 x12: ffff70001405ee66 
[21630.918640] x11: 1ffff0001405ee65 x10: ffff70001405ee65 x9 : ffff800080a295dc [21630.919442] x8 : ffff8000a02f7330 x7 : 0000000000000000 x6 : 0000000000003000 [21630.920232] x5 : 0000000024924925 x4 : 0000000000000001 x3 : 0000000000000007 [21630.921021] x2 : 0000000000001b40 x1 : 000000000000001f x0 : 0000000000000001 [21630.921810] Call trace: [21630.922130]  __free_slab+0x228/0x250 (P) [21630.922669]  free_slab+0x38/0x118 [21630.923079]  free_to_partial_list+0x1d4/0x340 [21630.923591]  __slab_free+0x24c/0x348 [21630.924024]  ___cache_free+0xf0/0x110 [21630.924468]  qlist_free_all+0x78/0x130 [21630.924922]  kasan_quarantine_reduce+0x11 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40268",
                        "url": "https://ubuntu.com/security/CVE-2025-40268",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cifs: client: fix memory leak in smb3_fs_context_parse_param  The user calls fsconfig twice, but when the program exits, free() only frees ctx->source for the second fsconfig, not the first. Regarding fc->source, there is no code in the fs context related to its memory reclamation.  To fix this memory leak, release the source memory corresponding to ctx or fc before each parsing.  syzbot reported: BUG: memory leak unreferenced object 0xffff888128afa360 (size 96):   backtrace (crc 79c9c7ba):     kstrdup+0x3c/0x80 mm/util.c:84     smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444  BUG: memory leak unreferenced object 0xffff888112c7d900 (size 96):   backtrace (crc 79c9c7ba):     smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629     smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40269",
                        "url": "https://ubuntu.com/security/CVE-2025-40269",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix potential overflow of PCM transfer buffer  The PCM stream data in USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically.  The packet sizes are limited by some factors such as wMaxPacketSize USB descriptor.  OTOH, in the current code, the actually used packet sizes are determined only by the rate and the PPS, which may be bigger than the size limit above.  This results in a buffer overflow, as reported by syzbot.  Basically when the limit is smaller than the calculated packet size, it implies that something is wrong, most likely a weird USB descriptor.  So the best option would be just to return an error at the parameter setup time before doing any further operations.  This patch introduces such a sanity check, and returns -EINVAL when the packet size is greater than maxpacksize.  The comparison with ep->packsize[1] alone should suffice since it's always equal or greater than ep->packsize[0].",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68205",
                        "url": "https://ubuntu.com/security/CVE-2025-68205",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver  After restructuring and splitting the HDMI codec driver code, each HDMI codec driver contains the own build_controls and build_pcms ops. A copy-n-paste error put the wrong entries for nvhdmi-mcp driver; both build_controls and build_pcms are swapped.  Unfortunately both callbacks have the very same form, and the compiler didn't complain it, either.  This resulted in a NULL dereference because the PCM instance hasn't been initialized at calling the build_controls callback.  Fix it by passing the proper entries.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40270",
                        "url": "https://ubuntu.com/security/CVE-2025-40270",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm, swap: fix potential UAF issue for VMA readahead  Since commit 78524b05f1a3 (\"mm, swap: avoid redundant swap device pinning\"), the common helper for allocating and preparing a folio in the swap cache layer no longer tries to get a swap device reference internally, because all callers of __read_swap_cache_async are already holding a swap entry reference.  The repeated swap device pinning isn't needed on the same swap device.  Caller of VMA readahead is also holding a reference to the target entry's swap device, but VMA readahead walks the page table, so it might encounter swap entries from other devices, and call __read_swap_cache_async on another device without holding a reference to it.  So it is possible to cause a UAF when swapoff of device A raced with swapin on device B, and VMA readahead tries to read swap entries from device A.  It's not easy to trigger, but in theory, it could cause real issues.  Make VMA readahead try to get the device reference first if the swap device is a different one from the target entry.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40271",
                        "url": "https://ubuntu.com/security/CVE-2025-40271",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/proc: fix uaf in proc_readdir_de()  Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which may result in uaf access.  We should use RB_CLEAR_NODE() set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access.  We found an uaf issue while using stress-ng testing, need to run testcase getdent and tun in the same time.  The steps of the issue is as follows:  1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current    pde is tun3;  2) in the [time windows] unregister netdevice tun3 and tun2, and erase    them from rbtree.  erase tun3 first, and then erase tun2.  the    pde(tun2) will be released to slab;  3) continue to getdent process, then pde_subdir_next() will return    pde(tun2) which is released, it will case uaf access.  CPU 0                                      |    CPU 1 ------------------------------------------------------------------------- traverse dir /proc/pid/net/dev_snmp6/      |  unregister_netdevice(tun->dev)   //tun3 tun2 sys_getdents64()                           |   iterate_dir()                            |     proc_readdir()                         |       proc_readdir_de()                    |     snmp6_unregister_dev()         pde_get(de);                       |       proc_remove()         read_unlock(&proc_subdir_lock);    |         remove_proc_subtree()                                            |          write_lock(&proc_subdir_lock);         [time window]                      |          rb_erase(&root->subdir_node, &parent->subdir);                                            |          write_unlock(&proc_subdir_lock);         read_lock(&proc_subdir_lock);      |         next = pde_subdir_next(de);        |         pde_put(de);                       |         de = next;    //UAF                |  rbtree of dev_snmp6                         |        
             pde(tun3)                      /    \\                   NULL  pde(tun2)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40272",
                        "url": "https://ubuntu.com/security/CVE-2025-40272",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/secretmem: fix use-after-free race in fault handler  When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping.  If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in adding the folio to the file mapping.  The task that failed undoes the effects of its attempt by (a) freeing the folio again and (b) putting the page back into the direct map.  However, by doing these two operations in this order, the page becomes available to the allocator again before it is placed back in the direct mapping.  If another task attempts to allocate the page between (a) and (b), and the kernel tries to access it via the direct map, it would result in a supervisor not-present page fault.  Fix the ordering to restore the direct map before the folio is freed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68245",
                        "url": "https://ubuntu.com/security/CVE-2025-68245",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: netpoll: fix incorrect refcount handling causing incorrect cleanup  commit efa95b01da18 (\"netpoll: fix use after free\") incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks.  Scenario causing lack of proper cleanup:  1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is    allocated, and refcnt = 1    - Keep in mind that npinfo is shared among all netpoll instances. In      this case, there is just one.  2) Another netpoll is also associated with the same NIC and    npinfo->refcnt += 1.    - Now dev->npinfo->refcnt = 2;    - There is just one npinfo associated to the netdev.  3) When the first netpolls goes to clean up:    - The first cleanup succeeds and clears np->dev->npinfo, ignoring      refcnt.      - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);`    - Set dev->npinfo = NULL, without proper cleanup    - No ->ndo_netpoll_cleanup() is either called  4) Now the second target tries to clean up    - The second cleanup fails because np->dev->npinfo is already NULL.      * In this case, ops->ndo_netpoll_cleanup() was never called, and        the skb pool is not cleaned as well (for the second netpoll        instance)   - This leaks npinfo and skbpool skbs, which is clearly reported by     kmemleak.  Revert commit efa95b01da18 (\"netpoll: fix use after free\") and adds clarifying comments emphasizing that npinfo cleanup should only happen once the refcount reaches zero, ensuring stable and correct netpoll behavior.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68240",
                        "url": "https://ubuntu.com/security/CVE-2025-68240",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: avoid having an active sc_timer before freeing sci  Because kthread_stop did not stop sc_task properly and returned -EINTR, the sc_timer was not properly closed, ultimately causing the problem [1] reported by syzbot when freeing sci due to the sc_timer not being closed.  Because the thread sc_task main function nilfs_segctor_thread() returns 0 when it succeeds, when the return value of kthread_stop() is not 0 in nilfs_segctor_destroy(), we believe that it has not properly closed sc_timer.  We use timer_shutdown_sync() to sync wait for sc_timer to shutdown, and set the value of sc_task to NULL under the protection of lock sc_state_lock, so as to avoid the issue caused by sc_timer not being properly shutdowned.  [1] ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: nilfs_construction_timeout Call trace:  nilfs_segctor_destroy fs/nilfs2/segment.c:2811 [inline]  nilfs_detach_log_writer+0x668/0x8cc fs/nilfs2/segment.c:2877  nilfs_put_super+0x4c/0x12c fs/nilfs2/super.c:509",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68241",
                        "url": "https://ubuntu.com/security/CVE-2025-68241",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe  The sit driver's packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random.  The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exception() can fetch the soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a new dst using a dst_hold(). When the original fnheX is freed via RCU, the dst reference remains permanently leaked.  CPU 0                             CPU 1 __mkroute_output()   find_exception() [fnheX]                                   update_or_create_fnhe()                                     fnhe_remove_oldest() [fnheX]   rt_bind_exception() [bind dst]                                   RCU callback [fnheX freed, dst leak]  This issue manifests as a device reference count leak and a warning in dmesg when unregistering the net device:    unregister_netdevice: waiting for sitX to become free. Usage count = N  Ido Schimmel provided the simple test validation method [1].  The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes(). Since rt_bind_exception() checks this field, setting it to zero prevents the stale fnhe from being reused and bound to a new dst just before it is freed.  
[1] ip netns add ns1 ip -n ns1 link set dev lo up ip -n ns1 address add 192.0.2.1/32 dev lo ip -n ns1 link add name dummy1 up type dummy ip -n ns1 route add 192.0.2.2/32 dev dummy1 ip -n ns1 link add name gretap1 up arp off type gretap \\     local 192.0.2.1 remote 192.0.2.2 ip -n ns1 route add 198.51.0.0/16 dev gretap1 taskset -c 0 ip netns exec ns1 mausezahn gretap1 \\     -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & taskset -c 2 ip netns exec ns1 mausezahn gretap1 \\     -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & sleep 10 ip netns pids ns1 | xargs kill ip netns del ns1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68211",
                        "url": "https://ubuntu.com/security/CVE-2025-68211",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksm: use range-walk function to jump over holes in scan_get_next_rmap_item  Currently, scan_get_next_rmap_item() walks every page address in a VMA to locate mergeable pages.  This becomes highly inefficient when scanning large virtual memory areas that contain mostly unmapped regions, causing ksmd to use large amount of cpu without deduplicating much pages.  This patch replaces the per-address lookup with a range walk using walk_page_range().  The range walker allows KSM to skip over entire unmapped holes in a VMA, avoiding unnecessary lookups.  This problem was previously discussed in [1].  Consider the following test program which creates a 32 TiB mapping in the virtual address space but only populates a single page:  #include <unistd.h> #include <stdio.h> #include <sys/mman.h>  /* 32 TiB */ const size_t size = 32ul * 1024 * 1024 * 1024 * 1024;  int main() {         char *area = mmap(NULL, size, PROT_READ | PROT_WRITE,                           MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1, 0);          if (area == MAP_FAILED) {                 perror(\"mmap() failed\\n\");                 return -1;         }          /* Populate a single page such that we get an anon_vma. */         *area = 0;          /* Enable KSM. */         madvise(area, size, MADV_MERGEABLE);         pause();         return 0; }  $ ./ksm-sparse  & $ echo 1 > /sys/kernel/mm/ksm/run  Without this patch ksmd uses 100% of the cpu for a long time (more then 1 hour in my test machine) scanning all the 32 TiB virtual address space that contain only one mapped page.  This makes ksmd essentially deadlocked not able to deduplicate anything of value.  With this patch ksmd walks only the one mapped page and skips the rest of the 32 TiB virtual address space, making the scan fast using little cpu.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68246",
                        "url": "https://ubuntu.com/security/CVE-2025-68246",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: close accepted socket when per-IP limit rejects connection  When the per-IP connection limit is exceeded in ksmbd_kthread_fn(), the code sets ret = -EAGAIN and continues the accept loop without closing the just-accepted socket. That leaks one socket per rejected attempt from a single IP and enables a trivial remote DoS.  Release client_sk before continuing.  This bug was found with ZeroPath.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40273",
                        "url": "https://ubuntu.com/security/CVE-2025-40273",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: free copynotify stateid in nfs4_free_ol_stateid()  Typically copynotify stateid is freed either when parent's stateid is being close/freed or in nfsd4_laundromat if the stateid hasn't been used in a lease period.  However, in case when the server got an OPEN (which created a parent stateid), followed by a COPY_NOTIFY using that stateid, followed by a client reboot. New client instance while doing CREATE_SESSION would force expire previous state of this client. It leads to the open state being freed thru release_openowner-> nfs4_free_ol_stateid() and it finds that it still has copynotify stateid associated with it. We currently print a warning and is triggerred  WARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd]  This patch, instead, frees the associated copynotify stateid here.  If the parent stateid is freed (without freeing the copynotify stateids associated with it), it leads to the list corruption when laundromat ends up freeing the copynotify state later.  
[ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP [ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink [ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G    B   W           6.17.0-rc7+ #22 PREEMPT(voluntary) [ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN [ 1626.857573] Hardware name: VMware, Inc. 
VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024 [ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd] [ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.861182] sp : ffff8000881d7a40 [ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200 [ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20 [ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8 [ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000 [ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065 [ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3 [ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000 [ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001 [ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000 [ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d [ 1626.868167] Call trace: [ 1626.868382]  __list_del_entry_valid_or_report+0x148/0x200 (P) [ 1626.868876]  _free_cpntf_state_locked+0xd0/0x268 [nfsd] [ 1626.869368]  nfs4_laundromat+0x6f8/0x1058 [nfsd] [ 1626.869813]  laundromat_main+0x24/0x60 [nfsd] [ 1626.870231]  process_one_work+0x584/0x1050 [ 1626.870595]  worker_thread+0x4c4/0xc60 [ 1626.870893]  kthread+0x2f8/0x398 [ 1626.871146]  ret_from_fork+0x10/0x20 [ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000) [ 1626.871892] SMP: stopping secondary CPUs",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40212",
                        "url": "https://ubuntu.com/security/CVE-2025-40212",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfsd: fix refcount leak in nfsd_set_fh_dentry()  nfsd exports a \"pseudo root filesystem\" which is used by NFSv4 to find the various exported filesystems using LOOKUP requests from a known root filehandle.  NFSv3 uses the MOUNT protocol to find those exported filesystems and so is not given access to the pseudo root filesystem.  If a v3 (or v2) client uses a filehandle from that filesystem, nfsd_set_fh_dentry() will report an error, but still stores the export in \"struct svc_fh\" even though it also drops the reference (exp_put()). This means that when fh_put() is called an extra reference will be dropped which can lead to use-after-free and possible denial of service.  Normal NFS usage will not provide a pseudo-root filehandle to a v3 client.  This bug can only be triggered by the client synthesising an incorrect filehandle.  To fix this we move the assignments to the svc_fh later, after all possible error cases have been detected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-24 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40274",
                        "url": "https://ubuntu.com/security/CVE-2025-40274",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying  When unbinding a memslot from a guest_memfd instance, remove the bindings even if the guest_memfd file is dying, i.e. even if its file refcount has gone to zero.  If the memslot is freed before the file is fully released, nullifying the memslot side of the binding in kvm_gmem_release() will write to freed memory, as detected by syzbot+KASAN:    ==================================================================   BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353   Write of size 8 at addr ffff88807befa508 by task syz.0.17/6022    CPU: 0 UID: 0 PID: 6022 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025   Call Trace:    <TASK>    dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120    print_address_description mm/kasan/report.c:378 [inline]    print_report+0xca/0x240 mm/kasan/report.c:482    kasan_report+0x118/0x150 mm/kasan/report.c:595    kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353    __fput+0x44c/0xa70 fs/file_table.c:468    task_work_run+0x1d4/0x260 kernel/task_work.c:227    resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]    exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43    exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]    syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]    syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]    do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100    entry_SYSCALL_64_after_hwframe+0x77/0x7f   RIP: 0033:0x7fbeeff8efc9    </TASK>    Allocated by task 6023:    kasan_save_stack mm/kasan/common.c:56 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:77    poison_kmalloc_redzone mm/kasan/common.c:397 
[inline]    __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414    kasan_kmalloc include/linux/kasan.h:262 [inline]    __kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5758    kmalloc_noprof include/linux/slab.h:957 [inline]    kzalloc_noprof include/linux/slab.h:1094 [inline]    kvm_set_memory_region+0x747/0xb90 virt/kvm/kvm_main.c:2104    kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154    kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:597 [inline]    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    Freed by task 6023:    kasan_save_stack mm/kasan/common.c:56 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:77    kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584    poison_slab_object mm/kasan/common.c:252 [inline]    __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284    kasan_slab_free include/linux/kasan.h:234 [inline]    slab_free_hook mm/slub.c:2533 [inline]    slab_free mm/slub.c:6622 [inline]    kfree+0x19a/0x6d0 mm/slub.c:6829    kvm_set_memory_region+0x9c4/0xb90 virt/kvm/kvm_main.c:2130    kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154    kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:597 [inline]    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f  Deliberately don't acquire filemap invalid lock when the file is dying as the lifecycle of f_mapping is outside the purview of KVM.  
Dereferencing the mapping is *probably* fine, but there's no need to invalidate anything as memslot deletion is responsible for zapping SPTEs, and the only code that can access the dying file is kvm_gmem_release(), whose core code is mutual ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68202",
                        "url": "https://ubuntu.com/security/CVE-2025-68202",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Fix unsafe locking in the scx_dump_state()  For built with CONFIG_PREEMPT_RT=y kernels, the dump_lock will be converted sleepable spinlock and not disable-irq, so the following scenarios occur:  inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. irq_work/0/27 [HC0[0]:SC0[0]:HE1:SE1] takes: (&rq->__lock){?...}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x40 {IN-HARDIRQ-W} state was registered at:    lock_acquire+0x1e1/0x510    _raw_spin_lock_nested+0x42/0x80    raw_spin_rq_lock_nested+0x2b/0x40    sched_tick+0xae/0x7b0    update_process_times+0x14c/0x1b0    tick_periodic+0x62/0x1f0    tick_handle_periodic+0x48/0xf0    timer_interrupt+0x55/0x80    __handle_irq_event_percpu+0x20a/0x5c0    handle_irq_event_percpu+0x18/0xc0    handle_irq_event+0xb5/0x150    handle_level_irq+0x220/0x460    __common_interrupt+0xa2/0x1e0    common_interrupt+0xb0/0xd0    asm_common_interrupt+0x2b/0x40    _raw_spin_unlock_irqrestore+0x45/0x80    __setup_irq+0xc34/0x1a30    request_threaded_irq+0x214/0x2f0    hpet_time_init+0x3e/0x60    x86_late_time_init+0x5b/0xb0    start_kernel+0x308/0x410    x86_64_start_reservations+0x1c/0x30    x86_64_start_kernel+0x96/0xa0    common_startup_64+0x13e/0x148   other info that might help us debug this:  Possible unsafe locking scenario:          CPU0         ----    lock(&rq->__lock);    <Interrupt>      lock(&rq->__lock);    *** DEADLOCK ***   stack backtrace:  CPU: 0 UID: 0 PID: 27 Comm: irq_work/0  Call Trace:   <TASK>   dump_stack_lvl+0x8c/0xd0   dump_stack+0x14/0x20   print_usage_bug+0x42e/0x690   mark_lock.part.44+0x867/0xa70   ? __pfx_mark_lock.part.44+0x10/0x10   ? string_nocheck+0x19c/0x310   ? number+0x739/0x9f0   ? __pfx_string_nocheck+0x10/0x10   ? __pfx_check_pointer+0x10/0x10   ? kvm_sched_clock_read+0x15/0x30   ? sched_clock_noinstr+0xd/0x20   ? local_clock_noinstr+0x1c/0xe0   __lock_acquire+0xc4b/0x62b0   ? 
__pfx_format_decode+0x10/0x10   ? __pfx_string+0x10/0x10   ? __pfx___lock_acquire+0x10/0x10   ? __pfx_vsnprintf+0x10/0x10   lock_acquire+0x1e1/0x510   ? raw_spin_rq_lock_nested+0x2b/0x40   ? __pfx_lock_acquire+0x10/0x10   ? dump_line+0x12e/0x270   ? raw_spin_rq_lock_nested+0x20/0x40   _raw_spin_lock_nested+0x42/0x80   ? raw_spin_rq_lock_nested+0x2b/0x40   raw_spin_rq_lock_nested+0x2b/0x40   scx_dump_state+0x3b3/0x1270   ? finish_task_switch+0x27e/0x840   scx_ops_error_irq_workfn+0x67/0x80   irq_work_single+0x113/0x260   irq_work_run_list.part.3+0x44/0x70   run_irq_workd+0x6b/0x90   ? __pfx_run_irq_workd+0x10/0x10   smpboot_thread_fn+0x529/0x870   ? __pfx_smpboot_thread_fn+0x10/0x10   kthread+0x305/0x3f0   ? __pfx_kthread+0x10/0x10   ret_from_fork+0x40/0x70   ? __pfx_kthread+0x10/0x10   ret_from_fork_asm+0x1a/0x30   </TASK>  This commit therefore use rq_lock_irqsave/irqrestore() to replace rq_lock/unlock() in the scx_dump_state().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68239",
                        "url": "https://ubuntu.com/security/CVE-2025-68239",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  binfmt_misc: restore write access before closing files opened by open_exec()  bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed.  However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write operations on the same file to fail.  Fix this by calling exe_file_allow_write_access() before filp_close() to restore the write permission properly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68247",
                        "url": "https://ubuntu.com/security/CVE-2025-68247",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  posix-timers: Plug potential memory leak in do_timer_create()  When posix timer creation is set to allocate a given timer ID and the access to the user space value faults, the function terminates without freeing the already allocated posix timer structure.  Move the allocation after the user space access to cure that.  [ tglx: Massaged change log ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68208",
                        "url": "https://ubuntu.com/security/CVE-2025-68208",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: account for current allocated stack depth in widen_imprecise_scalars()  The usage pattern for widen_imprecise_scalars() looks as follows:      prev_st = find_prev_entry(env, ...);     queued_st = push_stack(...);     widen_imprecise_scalars(env, prev_st, queued_st);  Where prev_st is an ancestor of the queued_st in the explored states tree. This ancestor is not guaranteed to have same allocated stack depth as queued_st. E.g. in the following case:      def main():       for i in 1..2:         foo(i)        // same callsite, differnt param      def foo(i):       if i == 1:         use 128 bytes of stack       iterator based loop  Here, for a second 'foo' call prev_st->allocated_stack is 128, while queued_st->allocated_stack is much smaller. widen_imprecise_scalars() needs to take this into account and avoid accessing bpf_verifier_state->frame[*]->stack out of bounds.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68200",
                        "url": "https://ubuntu.com/security/CVE-2025-68200",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Add bpf_prog_run_data_pointers()  syzbot found that cls_bpf_classify() is able to change tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().  WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline] WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214  struct tc_skb_cb has been added in commit ec624fe740b4 (\"net/sched: Extend qdisc control block with tc control block\"), which added a wrong interaction with db58ba459202 (\"bpf: wire in data and data_end for cls_act_bpf\").  drop_reason was added later.  Add bpf_prog_run_data_pointers() helper to save/restore the net_sched storage colliding with BPF data_meta/data_end.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40275",
                        "url": "https://ubuntu.com/security/CVE-2025-40275",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd  In snd_usb_create_streams(), for UAC version 3 devices, the Interface Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this call fails, a fallback routine attempts to obtain the IAD from the next interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, without performing a NULL check. This can lead to a NULL pointer dereference when usb_ifnum_to_if() fails to find the interface descriptor.  This patch adds a NULL pointer check after calling usb_ifnum_to_if() in snd_usb_mixer_controls_badd() to prevent the dereference.  This issue was discovered by syzkaller, which triggered the bug by sending a crafted USB device descriptor.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68242",
                        "url": "https://ubuntu.com/security/CVE-2025-68242",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS: Fix LTP test failures when timestamps are delegated  The utimes01 and utime06 tests fail when delegated timestamps are enabled, specifically in subtests that modify the atime and mtime fields using the 'nobody' user ID.  The problem can be reproduced as follow:  # echo \"/media *(rw,no_root_squash,sync)\" >> /etc/exports # export -ra # mount -o rw,nfsvers=4.2 127.0.0.1:/media /tmpdir # cd /opt/ltp # ./runltp -d /tmpdir -s utimes01 # ./runltp -d /tmpdir -s utime06  This issue occurs because nfs_setattr does not verify the inode's UID against the caller's fsuid when delegated timestamps are permitted for the inode.  This patch adds the UID check and if it does not match then the request is sent to the server for permission checking.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68243",
                        "url": "https://ubuntu.com/security/CVE-2025-68243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS: Check the TLS certificate fields in nfs_match_client()  If the TLS security policy is of type RPC_XPRTSEC_TLS_X509, then the cert_serial and privkey_serial fields need to match as well since they define the client's identity, as presented to the server.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40276",
                        "url": "https://ubuntu.com/security/CVE-2025-40276",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/panthor: Flush shmem writes before mapping buffers CPU-uncached  The shmem layer zeroes out the new pages using cached mappings, and if we don't CPU-flush we might leave dirty cachelines behind, leading to potential data leaks and/or asynchronous buffer corruption when dirty cachelines are evicted.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40277",
                        "url": "https://ubuntu.com/security/CVE-2025-40277",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE  This data originates from userspace and is used in buffer offset calculations which could potentially overflow causing an out-of-bounds access.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68206",
                        "url": "https://ubuntu.com/security/CVE-2025-68206",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_ct: add seqadj extension for natted connections  Sequence adjustment may be required for FTP traffic with PASV/EPSV modes. due to need to re-write packet payload (IP, port) on the ftp control connection. This can require changes to the TCP length and expected seq / ack_seq.  The easiest way to reproduce this issue is with PASV mode. Example ruleset: table inet ftp_nat {         ct helper ftp_helper {                 type \"ftp\" protocol tcp                 l3proto inet         }          chain prerouting {                 type filter hook prerouting priority 0; policy accept;                 tcp dport 21 ct state new ct helper set \"ftp_helper\"         } } table ip nat {         chain prerouting {                 type nat hook prerouting priority -100; policy accept;                 tcp dport 21 dnat ip prefix to ip daddr map { \t\t\t192.168.100.1 : 192.168.13.2/32 }         }          chain postrouting {                 type nat hook postrouting priority 100 ; policy accept;                 tcp sport 21 snat ip prefix to ip saddr map { \t\t\t192.168.13.2 : 192.168.100.1/32 }         } }  Note that the ftp helper gets assigned *after* the dnat setup.  The inverse (nat after helper assign) is handled by an existing check in nf_nat_setup_info() and will not show the problem.  Topoloy:   +-------------------+     +----------------------------------+  | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |  +-------------------+     +----------------------------------+                                       |                          +-----------------------+                          | Client: 192.168.100.2 |                          +-----------------------+  ftp nat changes do not work as expected in this case: Connected to 192.168.100.1. [..] ftp> epsv EPSV/EPRT on IPv4 off. ftp> ls 227 Entering passive mode (192,168,100,1,209,129). 
421 Service not available, remote server has closed connection.  Kernel logs: Missing nfct_seqadj_ext_add() setup call WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41 [..]  __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]  nf_nat_ftp+0x142/0x280 [nf_nat_ftp]  help+0x4d1/0x880 [nf_conntrack_ftp]  nf_confirm+0x122/0x2e0 [nf_conntrack]  nf_hook_slow+0x3c/0xb0  ..  Fix this by adding the required extension when a conntrack helper is assigned to a connection that has a nat binding.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68209",
                        "url": "https://ubuntu.com/security/CVE-2025-68209",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mlx5: Fix default values in create CQ  Currently, CQs without a completion function are assigned the mlx5_add_cq_to_tasklet function by default. This is problematic since only user CQs created through the mlx5_ib driver are intended to use this function.  Additionally, all CQs that will use doorbells instead of polling for completions must call mlx5_cq_arm. However, the default CQ creation flow leaves a valid value in the CQ's arm_db field, allowing FW to send interrupts to polling-only CQs in certain corner cases.  These two factors would allow a polling-only kernel CQ to be triggered by an EQ interrupt and call a completion function intended only for user CQs, causing a null pointer exception.  Some areas in the driver have prevented this issue with one-off fixes but did not address the root cause.  This patch fixes the described issue by adding defaults to the create CQ flow. It adds a default dummy completion function to protect against null pointer exceptions, and it sets an invalid command sequence number by default in kernel CQs to prevent the FW from sending an interrupt to the CQ until it is armed. User CQs are responsible for their own initialization values.  Callers of mlx5_core_create_cq are responsible for changing the completion function and arming the CQ per their needs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40278",
                        "url": "https://ubuntu.com/security/CVE-2025-40278",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak  Fix a KMSAN kernel-infoleak detected  by the syzbot .  [net?] KMSAN: kernel-infoleak in __skb_datagram_iter  In tcf_ife_dump(), the variable 'opt' was partially initialized using a designatied initializer. While the padding bytes are reamined uninitialized. nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace.  Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to beign copied.  This change silences the KMSAN report and prevents potential information leaks from the kernel memory.  This fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures no infoleak.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40279",
                        "url": "https://ubuntu.com/security/CVE-2025-40279",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: act_connmark: initialize struct tc_ife to fix kernel leak  In tcf_connmark_dump(), the variable 'opt' was partially initialized using a designatied initializer. While the padding bytes are reamined uninitialized. nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace.  Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to beign copied.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40280",
                        "url": "https://ubuntu.com/security/CVE-2025-40280",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tipc: Fix use-after-free in tipc_mon_reinit_self().  syzbot reported use-after-free of tipc_net(net)->monitors[] in tipc_mon_reinit_self(). [0]  The array is protected by RTNL, but tipc_mon_reinit_self() iterates over it without RTNL.  tipc_mon_reinit_self() is called from tipc_net_finalize(), which is always under RTNL except for tipc_net_finalize_work().  Let's hold RTNL in tipc_net_finalize_work().  [0]: BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162 Read of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989  CPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Workqueue: events tipc_net_finalize_work Call Trace:  <TASK>  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0xca/0x240 mm/kasan/report.c:482  kasan_report+0x118/0x150 mm/kasan/report.c:595  __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568  kasan_check_byte include/linux/kasan.h:399 [inline]  lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842  __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]  _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162  rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline]  rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline]  rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244  rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243  write_lock_bh include/linux/rwlock_rt.h:99 [inline]  tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718  tipc_net_finalize+0x115/0x190 net/tipc/net.c:140  process_one_work kernel/workqueue.c:3236 [inline]  
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400  kthread+0x70e/0x8a0 kernel/kthread.c:463  ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 6089:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:388 [inline]  __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405  kasan_kmalloc include/linux/kasan.h:260 [inline]  __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407  kmalloc_noprof include/linux/slab.h:905 [inline]  kzalloc_noprof include/linux/slab.h:1039 [inline]  tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657  tipc_enable_bearer net/tipc/bearer.c:357 [inline]  __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047  __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline]  tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393  tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline]  tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321  genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115  genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]  genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210  netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552  genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219  netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]  netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346  netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896  sock_sendmsg_nosec net/socket.c:714 [inline]  __sock_sendmsg+0x21c/0x270 net/socket.c:729  ____sys_sendmsg+0x508/0x820 net/socket.c:2614  ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668  __sys_sendmsg net/socket.c:2700 [inline]  __do_sys_sendmsg net/socket.c:2705 [inline]  __se_sys_sendmsg net/socket.c:2703 [inline]  __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703  do_syscall_x64 
arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/ ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40281",
                        "url": "https://ubuntu.com/security/CVE-2025-40281",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto  syzbot reported a possible shift-out-of-bounds [1]  Blamed commit added rto_alpha_max and rto_beta_max set to 1000.  It is unclear if some sctp users are setting very large rto_alpha and/or rto_beta.  In order to prevent user regression, perform the test at run time.  Also add READ_ONCE() annotations as sysctl values can change under us.  [1]  UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41 shift exponent 64 is too large for 32-bit type 'unsigned int' CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace:  <TASK>   __dump_stack lib/dump_stack.c:94 [inline]   dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120   ubsan_epilogue lib/ubsan.c:233 [inline]   __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494   sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509   sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502   sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338   sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]   sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40282",
                        "url": "https://ubuntu.com/security/CVE-2025-40282",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: 6lowpan: reset link-local header on ipv6 recv path  Bluetooth 6lowpan.c netdev has header_ops, so it must set link-local header for RX skb, otherwise things crash, eg. with AF_PACKET SOCK_RAW  Add missing skb_reset_mac_header() for uncompressed ipv6 RX path.  For the compressed one, it is done in lowpan_header_decompress().  Log: (BlueZ 6lowpan-tester Client Recv Raw - Success) ------ kernel BUG at net/core/skbuff.c:212! Call Trace: <IRQ> ... packet_rcv (net/packet/af_packet.c:2152) ... <TASK> __local_bh_enable_ip (kernel/softirq.c:407) netif_rx (net/core/dev.c:5648) chan_recv_cb (net/bluetooth/6lowpan.c:294 net/bluetooth/6lowpan.c:359) ------",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40283",
                        "url": "https://ubuntu.com/security/CVE-2025-40283",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF  There is a KASAN: slab-use-after-free read in btusb_disconnect(). Calling \"usb_driver_release_interface(&btusb_driver, data->intf)\" will free the btusb data associated with the interface. The same data is then used later in the function, hence the UAF.  Fix by moving the accesses to btusb data to before the data is free'd.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40284",
                        "url": "https://ubuntu.com/security/CVE-2025-40284",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: cancel mesh send timer when hdev removed  mesh_send_done timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone.  Cancel the timer when MGMT removes the hdev, like other MGMT timers.  Should fix the BUG: sporadically seen by BlueZ test bot (in \"Mesh - Send cancel - 1\" test).  Log: ------ BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0 ... Freed by task 36:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  __kasan_save_free_info+0x3a/0x60  __kasan_slab_free+0x43/0x70  kfree+0x103/0x500  device_release+0x9a/0x210  kobject_put+0x100/0x1e0  vhci_release+0x18b/0x240 ------",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68210",
                        "url": "https://ubuntu.com/security/CVE-2025-68210",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: avoid infinite loop due to incomplete zstd-compressed data  Currently, the decompression logic incorrectly spins if compressed data is truncated in crafted (deliberately corrupted) images.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40285",
                        "url": "https://ubuntu.com/security/CVE-2025-40285",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/server: fix possible refcount leak in smb2_sess_setup()  Reference count of ksmbd_session will leak when the session needs to reconnect. Fix this by adding the missing ksmbd_user_session_put().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40286",
                        "url": "https://ubuntu.com/security/CVE-2025-40286",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/server: fix possible memory leak in smb2_read()  Memory leak occurs when ksmbd_vfs_read() fails. Fix this by adding the missing kvfree().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40287",
                        "url": "https://ubuntu.com/security/CVE-2025-40287",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exfat: fix improper check of dentry.stream.valid_size  We found an infinite loop bug in the exFAT file system that can lead to a Denial-of-Service (DoS) condition. When a dentry in an exFAT filesystem is malformed, the following system calls — SYS_openat, SYS_ftruncate, and SYS_pwrite64 — can cause the kernel to hang.  Root cause analysis shows that the size validation code in exfat_find() does not check whether dentry.stream.valid_size is negative. As a result, the system calls mentioned above can succeed and eventually trigger the DoS issue.  This patch adds a check for negative dentry.stream.valid_size to prevent this vulnerability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40288",
                        "url": "https://ubuntu.com/security/CVE-2025-40288",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices  Previously, APU platforms (and other scenarios with uninitialized VRAM managers) triggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root cause is not that the `struct ttm_resource_manager *man` pointer itself is NULL, but that `man->bdev` (the backing device pointer within the manager) remains uninitialized (NULL) on APUs—since APUs lack dedicated VRAM and do not fully set up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to acquire `man->bdev->lru_lock`, it dereferences the NULL `man->bdev`, leading to a kernel OOPS.  1. **amdgpu_cs.c**: Extend the existing bandwidth control check in    `amdgpu_cs_get_threshold_for_moves()` to include a check for    `ttm_resource_manager_used()`. If the manager is not used (uninitialized    `bdev`), return 0 for migration thresholds immediately—skipping VRAM-specific    logic that would trigger the NULL dereference.  2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info    reporting to use a conditional: if the manager is used, return the real VRAM    usage; otherwise, return 0. This avoids accessing `man->bdev` when it is    NULL.  3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function)    data write path. Use `ttm_resource_manager_used()` to check validity: if the    manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set    `fb_usage` to 0 (APUs have no discrete framebuffer to report).  This approach is more robust than APU-specific checks because it: - Works for all scenarios where the VRAM manager is uninitialized (not just APUs), - Aligns with TTM's design by using its native helper function, - Preserves correct behavior for discrete GPUs (which have fully initialized   `man->bdev` and pass the `ttm_resource_manager_used()` check).  
v4: use ttm_resource_manager_used(&adev->mman.vram_mgr.manager) instead of checking the adev->gmc.is_app_apu flag (Christian)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40289",
                        "url": "https://ubuntu.com/security/CVE-2025-40289",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM  Otherwise accessing them can cause a crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68201",
                        "url": "https://ubuntu.com/security/CVE-2025-68201",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: remove two invalid BUG_ON()s  Those can be triggered trivially by userspace.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68207",
                        "url": "https://ubuntu.com/security/CVE-2025-68207",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Synchronize Dead CT worker with unbind  Cancel and wait for any Dead CT worker to complete before continuing with device unbinding. Else the worker will end up using resources freed by the unbind operation.  (cherry picked from commit 492671339114e376aaa38626d637a2751cdef263)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68244",
                        "url": "https://ubuntu.com/security/CVE-2025-68244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD  On completion of i915_vma_pin_ww(), a synchronous variant of dma_fence_work_commit() is called.  When pinning a VMA to GGTT address space on a Cherry View family processor, or on a Broxton generation SoC with VTD enabled, i.e., when stop_machine() is then called from intel_ggtt_bind_vma(), that can potentially lead to lock inversion among reservation_ww and cpu_hotplug locks.  [86.861179] ====================================================== [86.861193] WARNING: possible circular locking dependency detected [86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G     U [86.861226] ------------------------------------------------------ [86.861238] i915_module_loa/1432 is trying to acquire lock: [86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50 [86.861290] but task is already holding lock: [86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915] [86.862233] which lock already depends on the new lock. 
[86.862251] the existing dependency chain (in reverse order) is: [86.862265] -> #5 (reservation_ww_class_mutex){+.+.}-{3:3}: [86.862292]        dma_resv_lockdep+0x19a/0x390 [86.862315]        do_one_initcall+0x60/0x3f0 [86.862334]        kernel_init_freeable+0x3cd/0x680 [86.862353]        kernel_init+0x1b/0x200 [86.862369]        ret_from_fork+0x47/0x70 [86.862383]        ret_from_fork_asm+0x1a/0x30 [86.862399] -> #4 (reservation_ww_class_acquire){+.+.}-{0:0}: [86.862425]        dma_resv_lockdep+0x178/0x390 [86.862440]        do_one_initcall+0x60/0x3f0 [86.862454]        kernel_init_freeable+0x3cd/0x680 [86.862470]        kernel_init+0x1b/0x200 [86.862482]        ret_from_fork+0x47/0x70 [86.862495]        ret_from_fork_asm+0x1a/0x30 [86.862509] -> #3 (&mm->mmap_lock){++++}-{3:3}: [86.862531]        down_read_killable+0x46/0x1e0 [86.862546]        lock_mm_and_find_vma+0xa2/0x280 [86.862561]        do_user_addr_fault+0x266/0x8e0 [86.862578]        exc_page_fault+0x8a/0x2f0 [86.862593]        asm_exc_page_fault+0x27/0x30 [86.862607]        filldir64+0xeb/0x180 [86.862620]        kernfs_fop_readdir+0x118/0x480 [86.862635]        iterate_dir+0xcf/0x2b0 [86.862648]        __x64_sys_getdents64+0x84/0x140 [86.862661]        x64_sys_call+0x1058/0x2660 [86.862675]        do_syscall_64+0x91/0xe90 [86.862689]        entry_SYSCALL_64_after_hwframe+0x76/0x7e [86.862703] -> #2 (&root->kernfs_rwsem){++++}-{3:3}: [86.862725]        down_write+0x3e/0xf0 [86.862738]        kernfs_add_one+0x30/0x3c0 [86.862751]        kernfs_create_dir_ns+0x53/0xb0 [86.862765]        internal_create_group+0x134/0x4c0 [86.862779]        sysfs_create_group+0x13/0x20 [86.862792]        topology_add_dev+0x1d/0x30 [86.862806]        cpuhp_invoke_callback+0x4b5/0x850 [86.862822]        cpuhp_issue_call+0xbf/0x1f0 [86.862836]        __cpuhp_setup_state_cpuslocked+0x111/0x320 [86.862852]        __cpuhp_setup_state+0xb0/0x220 [86.862866]        topology_sysfs_init+0x30/0x50 [86.862879]        
do_one_initcall+0x60/0x3f0 [86.862893]        kernel_init_freeable+0x3cd/0x680 [86.862908]        kernel_init+0x1b/0x200 [86.862921]        ret_from_fork+0x47/0x70 [86.862934]        ret_from_fork_asm+0x1a/0x30 [86.862947] -> #1 (cpuhp_state_mutex){+.+.}-{3:3}: [86.862969]        __mutex_lock+0xaa/0xed0 [86.862982]        mutex_lock_nested+0x1b/0x30 [86.862995]        __cpuhp_setup_state_cpuslocked+0x67/0x320 [86.863012]        __cpuhp_setup_state+0xb0/0x220 [86.863026]        page_alloc_init_cpuhp+0x2d/0x60 [86.863041]        mm_core_init+0x22/0x2d0 [86.863054]        start_kernel+0x576/0xbd0 [86.863068]        x86_64_start_reservations+0x18/0x30 [86.863084]        x86_64_start_kernel+0xbf/0x110 [86.863098]        common_startup_64+0x13e/0x141 [86.863114] -> #0 (cpu_hotplug_lock){++++}-{0:0}: [86.863135]        __lock_acquire+0x16 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68316",
                        "url": "https://ubuntu.com/security/CVE-2025-68316",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: ufs: core: Fix invalid probe error return value  After DME Link Startup, the error return value is set to the MIPI UniPro GenericErrorCode which can be 0 (SUCCESS) or 1 (FAILURE).  Upon failure during driver probe, the error code 1 is propagated back to the driver probe function which must return a negative value to indicate an error, but 1 is not negative, so the probe is considered to be successful even though it failed.  Subsequently, removing the driver results in an oops because it is not in a valid state.  This happens because none of the callers of ufshcd_init() expect a non-negative error code.  Fix the return value and documentation to match actual usage.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40292",
                        "url": "https://ubuntu.com/security/CVE-2025-40292",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: fix received length check in big packets  Since commit 4959aebba8c0 (\"virtio-net: use mtu size as buffer length for big packets\"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi->big_packets_num_skbfrags.  Because the host announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce incorrect length), we need a check in virtio_net receive path. Currently, the check is not adapted to the new change which can lead to NULL page pointer dereference in the below while loop when receiving length that is larger than the allocated one.  This commit fixes the received length check corresponding to the new change.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68180",
                        "url": "https://ubuntu.com/security/CVE-2025-68180",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Fix NULL deref in debugfs odm_combine_segments  When a connector is connected but inactive (e.g., disabled by desktop environments), pipe_ctx->stream_res.tg will be destroyed. Then, reading odm_combine_segments causes kernel NULL pointer dereference.   BUG: kernel NULL pointer dereference, address: 0000000000000000  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  PGD 0 P4D 0  Oops: Oops: 0000 [#1] SMP NOPTI  CPU: 16 UID: 0 PID: 26474 Comm: cat Not tainted 6.17.0+ #2 PREEMPT(lazy) e6a17af9ee6db7c63e9d90dbe5b28ccab67520c6  Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN25WW 03/27/2025  RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]  Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>  RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286  RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8  RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000  RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0  R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08  R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001  FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0  PKRU: 55555554  Call Trace:   <TASK>   seq_read_iter+0x125/0x490   ? __alloc_frozen_pages_noprof+0x18f/0x350   seq_read+0x12c/0x170   full_proxy_read+0x51/0x80   vfs_read+0xbc/0x390   ? __handle_mm_fault+0xa46/0xef0   ? do_syscall_64+0x71/0x900   ksys_read+0x73/0xf0   do_syscall_64+0x71/0x900   ? count_memcg_events+0xc2/0x190   ? handle_mm_fault+0x1d7/0x2d0   ? do_user_addr_fault+0x21a/0x690   ? 
exc_page_fault+0x7e/0x1a0   entry_SYSCALL_64_after_hwframe+0x6c/0x74  RIP: 0033:0x7f44d4031687  Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00>  RSP: 002b:00007ffdb4b5f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000  RAX: ffffffffffffffda RBX: 00007f44d3f9f740 RCX: 00007f44d4031687  RDX: 0000000000040000 RSI: 00007f44d3f5e000 RDI: 0000000000000003  RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000  R10: 0000000000000000 R11: 0000000000000202 R12: 00007f44d3f5e000  R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000040000   </TASK>  Modules linked in: tls tcp_diag inet_diag xt_mark ccm snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device x>   snd_hda_codec_atihdmi snd_hda_codec_realtek_lib lenovo_wmi_helpers think_lmi snd_hda_codec_generic snd_hda_codec_hdmi snd_soc_core kvm snd_compress uvcvideo sn>   platform_profile joydev amd_pmc mousedev mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics loop nfnetlink ip_tables x_tables dm_cryp>  CR2: 0000000000000000  ---[ end trace 0000000000000000 ]---  RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]  Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>  RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286  RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8  RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000  RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0  R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08  R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001  FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000000 CR3: 00000006485c2000 
CR4: 0000000000f50ef0  PKRU: 55555554  Fix this by checking pipe_ctx-> ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40327",
                        "url": "https://ubuntu.com/security/CVE-2025-40327",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/core: Fix system hang caused by cpu-clock usage  cpu-clock usage by the async-profiler tool can trigger a system hang, which got bisected back to the following commit by Octavia Togami:    18dbcbfabfff (\"perf: Fix the POLL_HUP delivery breakage\") causes this issue  The root cause of the hang is that cpu-clock is a special type of SW event which relies on hrtimers. The __perf_event_overflow() callback is invoked from the hrtimer handler for cpu-clock events, and __perf_event_overflow() tries to call cpu_clock_event_stop() to stop the event, which calls hrtimer_cancel() to cancel the hrtimer.  But that's a recursion into the hrtimer code from a hrtimer handler, which (unsurprisingly) deadlocks.  To fix this bug, use hrtimer_try_to_cancel() instead, and set the PERF_HES_STOPPED flag, which causes perf_swevent_hrtimer() to stop the event once it sees the PERF_HES_STOPPED flag.  [ mingo: Fixed the comments and improved the changelog. ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40328",
                        "url": "https://ubuntu.com/security/CVE-2025-40328",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix potential UAF in smb2_close_cached_fid()  find_or_create_cached_dir() could grab a new reference after kref_put() had seen the refcount drop to zero but before cfid_list_lock is acquired in smb2_close_cached_fid(), leading to use-after-free.  Switch to kref_put_lock() so cfid_release() is called with cfid_list_lock held, closing that gap.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40291",
                        "url": "https://ubuntu.com/security/CVE-2025-40291",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring: fix regbuf vector size truncation  There is a report of io_estimate_bvec_size() truncating the calculated number of segments that leads to corruption issues. Check it doesn't overflow \"int\"s used later. Rough but simple, can be improved on top.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68322",
                        "url": "https://ubuntu.com/security/CVE-2025-68322",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  parisc: Avoid crash due to unaligned access in unwinder  Guenter Roeck reported this kernel crash on his emulated B160L machine:  Starting network: udhcpc: started, v1.36.1  Backtrace:   [<104320d4>] unwind_once+0x1c/0x5c   [<10434a00>] walk_stackframe.isra.0+0x74/0xb8   [<10434a6c>] arch_stack_walk+0x28/0x38   [<104e5efc>] stack_trace_save+0x48/0x5c   [<105d1bdc>] set_track_prepare+0x44/0x6c   [<105d9c80>] ___slab_alloc+0xfc4/0x1024   [<105d9d38>] __slab_alloc.isra.0+0x58/0x90   [<105dc80c>] kmem_cache_alloc_noprof+0x2ac/0x4a0   [<105b8e54>] __anon_vma_prepare+0x60/0x280   [<105a823c>] __vmf_anon_prepare+0x68/0x94   [<105a8b34>] do_wp_page+0x8cc/0xf10   [<105aad88>] handle_mm_fault+0x6c0/0xf08   [<10425568>] do_page_fault+0x110/0x440   [<10427938>] handle_interruption+0x184/0x748   [<11178398>] schedule+0x4c/0x190   BUG: spinlock recursion on CPU#0, ifconfig/2420   lock: terminate_lock.2+0x0/0x1c, .magic: dead4ead, .owner: ifconfig/2420, .owner_cpu: 0  While creating the stack trace, the unwinder uses the stack pointer to guess the previous frame to read the previous stack pointer from memory.  The crash happens, because the unwinder tries to read from unaligned memory and as such triggers the unalignment trap handler which then leads to the spinlock recursion and finally to a deadlock.  Fix it by checking the alignment before accessing the memory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40293",
                        "url": "https://ubuntu.com/security/CVE-2025-40293",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iommufd: Don't overflow during division for dirty tracking  If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow to 0 and this triggers divide by 0.  In this case the index should just be 0, so reorganize things to divide by shift and avoid hitting any overflows.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40294",
                        "url": "https://ubuntu.com/security/CVE-2025-40294",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()  In the parse_adv_monitor_pattern() function, the value of the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251). The size of the 'value' array in the mgmt_adv_pattern structure is 31. If the value of 'pattern[i].length' is set in the user space and exceeds 31, the 'patterns[i].value' array can be accessed out of bound when copied.  Increasing the size of the 'value' array in the 'mgmt_adv_pattern' structure will break the userspace. Considering this, and to avoid OOB access revert the limits for 'offset' and 'length' back to the value of HCI_MAX_AD_LENGTH.  Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40329",
                        "url": "https://ubuntu.com/security/CVE-2025-40329",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb  The Mesa issue referenced below pointed out a possible deadlock:  [ 1231.611031]  Possible interrupt unsafe locking scenario:  [ 1231.611033]        CPU0                    CPU1 [ 1231.611034]        ----                    ---- [ 1231.611035]   lock(&xa->xa_lock#17); [ 1231.611038]                                local_irq_disable(); [ 1231.611039]                                lock(&fence->lock); [ 1231.611041]                                lock(&xa->xa_lock#17); [ 1231.611044]   <Interrupt> [ 1231.611045]     lock(&fence->lock); [ 1231.611047]                 *** DEADLOCK ***  In this example, CPU0 would be any function accessing job->dependencies through the xa_* functions that don't disable interrupts (eg: drm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()).  CPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling callback so in an interrupt context. It will deadlock when trying to grab the xa_lock which is already held by CPU0.  Replacing all xa_* usage by their xa_*_irq counterparts would fix this issue, but Christian pointed out another issue: dma_fence_signal takes fence.lock and so does dma_fence_add_callback.    dma_fence_signal() // locks f1.lock   -> drm_sched_entity_kill_jobs_cb()   -> foreach dependencies      -> dma_fence_add_callback() // locks f2.lock  This will deadlock if f1 and f2 share the same spinlock.  To fix both issues, the code iterating on dependencies and re-arming them is moved out to drm_sched_entity_kill_jobs_work().  [phasta: commit message nits]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40295",
                        "url": "https://ubuntu.com/security/CVE-2025-40295",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT  When simulating an nvme device on qemu with both logical_block_size and physical_block_size set to 8 KiB, an error trace appears during partition table reading at boot time. The issue is caused by inode->i_blkbits being larger than PAGE_SHIFT, which leads to a left shift of -1 and triggering a UBSAN warning.  [    2.697306] ------------[ cut here ]------------ [    2.697309] UBSAN: shift-out-of-bounds in fs/crypto/inline_crypt.c:336:37 [    2.697311] shift exponent -1 is negative [    2.697315] CPU: 3 UID: 0 PID: 274 Comm: (udev-worker) Not tainted 6.18.0-rc2+ #34 PREEMPT(voluntary) [    2.697317] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [    2.697320] Call Trace: [    2.697324]  <TASK> [    2.697325]  dump_stack_lvl+0x76/0xa0 [    2.697340]  dump_stack+0x10/0x20 [    2.697342]  __ubsan_handle_shift_out_of_bounds+0x1e3/0x390 [    2.697351]  bh_get_inode_and_lblk_num.cold+0x12/0x94 [    2.697359]  fscrypt_set_bio_crypt_ctx_bh+0x44/0x90 [    2.697365]  submit_bh_wbc+0xb6/0x190 [    2.697370]  block_read_full_folio+0x194/0x270 [    2.697371]  ? __pfx_blkdev_get_block+0x10/0x10 [    2.697375]  ? __pfx_blkdev_read_folio+0x10/0x10 [    2.697377]  blkdev_read_folio+0x18/0x30 [    2.697379]  filemap_read_folio+0x40/0xe0 [    2.697382]  filemap_get_pages+0x5ef/0x7a0 [    2.697385]  ? mmap_region+0x63/0xd0 [    2.697389]  filemap_read+0x11d/0x520 [    2.697392]  blkdev_read_iter+0x7c/0x180 [    2.697393]  vfs_read+0x261/0x390 [    2.697397]  ksys_read+0x71/0xf0 [    2.697398]  __x64_sys_read+0x19/0x30 [    2.697399]  x64_sys_call+0x1e88/0x26a0 [    2.697405]  do_syscall_64+0x80/0x670 [    2.697410]  ? __x64_sys_newfstat+0x15/0x20 [    2.697414]  ? x64_sys_call+0x204a/0x26a0 [    2.697415]  ? 
do_syscall_64+0xb8/0x670 [    2.697417]  ? irqentry_exit_to_user_mode+0x2e/0x2a0 [    2.697420]  ? irqentry_exit+0x43/0x50 [    2.697421]  ? exc_page_fault+0x90/0x1b0 [    2.697422]  entry_SYSCALL_64_after_hwframe+0x76/0x7e [    2.697425] RIP: 0033:0x75054cba4a06 [    2.697426] Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 [    2.697427] RSP: 002b:00007fff973723a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000 [    2.697430] RAX: ffffffffffffffda RBX: 00005ea9a2c02760 RCX: 000075054cba4a06 [    2.697432] RDX: 0000000000002000 RSI: 000075054c190000 RDI: 000000000000001b [    2.697433] RBP: 00007fff973723c0 R08: 0000000000000000 R09: 0000000000000000 [    2.697434] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 [    2.697434] R13: 00005ea9a2c027c0 R14: 00005ea9a2be5608 R15: 00005ea9a2be55f0 [    2.697436]  </TASK> [    2.697436] ---[ end trace ]---  This situation can happen for block devices because when CONFIG_TRANSPARENT_HUGEPAGE is enabled, the maximum logical_block_size is 64 KiB. set_init_blocksize() then sets the block device inode->i_blkbits to 13, which is within this limit.  File I/O does not trigger this problem because for filesystems that do not support the FS_LBS feature, sb_set_blocksize() prevents sb->s_blocksize_bits from being larger than PAGE_SHIFT. During inode allocation, alloc_inode()->inode_init_always() assigns inode->i_blkbits from sb->s_blocksize_bits. Currently, only xfs_fs_type has the FS_LBS flag, and since xfs I/O paths do not reach submit_bh_wbc(), it does not hit the left-shift underflow issue.  [EB: use folio_pos() and consolidate the two shifts by i_blkbits]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40296",
                        "url": "https://ubuntu.com/security/CVE-2025-40296",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/x86: int3472: Fix double free of GPIO device during unregister  regulator_unregister() already frees the associated GPIO device. On ThinkPad X9 (Lunar Lake), this causes a double free issue that leads to random failures when other drivers (typically Intel THC) attempt to allocate interrupts. The root cause is that the reference count of the pinctrl_intel_platform module unexpectedly drops to zero when this driver defers its probe.  This behavior can also be reproduced by unloading the module directly.  Fix the issue by removing the redundant release of the GPIO device during regulator unregistration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40297",
                        "url": "https://ubuntu.com/security/CVE-2025-40297",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: bridge: fix use-after-free due to MST port state bypass  syzbot reported[1] a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its fdbs have been flushed. The port's state has been toggled to disabled so no learning should happen at that time, but if we have MST enabled, it will bypass the port's state, that together with VLAN filtering disabled can lead to fdb learning at a time when it shouldn't happen while the port is being deleted. VLAN filtering must be disabled because we flush the port VLANs when it's being deleted which will stop learning. This fix adds a check for the port's vlan group which is initialized to NULL when the port is getting deleted, that avoids the port state bypass. When MST is enabled there would be a minimal new overhead in the fast-path because the port's vlan group pointer is cache-hot.  [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68320",
                        "url": "https://ubuntu.com/security/CVE-2025-68320",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lan966x: Fix sleeping in atomic context  The following warning was seen when we try to connect using ssh to the device.  BUG: sleeping function called from invalid context at kernel/locking/mutex.c:575 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbear preempt_count: 1, expected: 0 INFO: lockdep is turned off. CPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G        W          6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONE Tainted: [W]=WARN Hardware name: Generic DT based system Call trace:  unwind_backtrace from show_stack+0x10/0x14  show_stack from dump_stack_lvl+0x7c/0xac  dump_stack_lvl from __might_resched+0x16c/0x2b0  __might_resched from __mutex_lock+0x64/0xd34  __mutex_lock from mutex_lock_nested+0x1c/0x24  mutex_lock_nested from lan966x_stats_get+0x5c/0x558  lan966x_stats_get from dev_get_stats+0x40/0x43c  dev_get_stats from dev_seq_printf_stats+0x3c/0x184  dev_seq_printf_stats from dev_seq_show+0x10/0x30  dev_seq_show from seq_read_iter+0x350/0x4ec  seq_read_iter from seq_read+0xfc/0x194  seq_read from proc_reg_read+0xac/0x100  proc_reg_read from vfs_read+0xb0/0x2b0  vfs_read from ksys_read+0x6c/0xec  ksys_read from ret_fast_syscall+0x0/0x1c Exception stack(0xf0b11fa8 to 0xf0b11ff0) 1fa0:                   00000001 00001000 00000008 be9048d8 00001000 00000001 1fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 00000001 1fe0: 0005404c be9048c0 00018684 b6ec2cd8  It seems that we are using a mutex in a atomic context which is wrong. Change the mutex with a spinlock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68169",
                        "url": "https://ubuntu.com/security/CVE-2025-68169",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netpoll: Fix deadlock in memory allocation under spinlock  Fix a AA deadlock in refill_skbs() where memory allocation while holding skb_pool->lock can trigger a recursive lock acquisition attempt.  The deadlock scenario occurs when the system is under severe memory pressure:  1. refill_skbs() acquires skb_pool->lock (spinlock) 2. alloc_skb() is called while holding the lock 3. Memory allocator fails and calls slab_out_of_memory() 4. This triggers printk() for the OOM warning 5. The console output path calls netpoll_send_udp() 6. netpoll_send_udp() attempts to acquire the same skb_pool->lock 7. Deadlock: the lock is already held by the same CPU  Call stack:   refill_skbs()     spin_lock_irqsave(&skb_pool->lock)    <- lock acquired     __alloc_skb()       kmem_cache_alloc_node_noprof()         slab_out_of_memory()           printk()             console_flush_all()               netpoll_send_udp()                 skb_dequeue()                   spin_lock_irqsave(&skb_pool->lock)     <- deadlock attempt  This bug was exposed by commit 248f6571fd4c51 (\"netpoll: Optimize skb refilling on critical path\") which removed refill_skbs() from the critical path (where nested printk was being deferred), letting nested printk being called from inside refill_skbs()  Refactor refill_skbs() to never allocate memory while holding the spinlock.  Another possible solution to fix this problem is protecting the refill_skbs() from nested printks, basically calling printk_deferred_{enter,exit}() in refill_skbs(), then, any nested pr_warn() would be deferred.  I prefer this approach, given I _think_ it might be a good idea to move the alloc_skb() from GFP_ATOMIC to GFP_KERNEL in the future, so, having the alloc_skb() outside of the lock will be necessary step.  There is a possible TOCTOU issue when checking for the pool length, and queueing the new allocated skb, but, this is not an issue, given that an extra SKB in the pool is harmless and it will be eventually used.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68197",
                        "url": "https://ubuntu.com/security/CVE-2025-68197",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()  With older FW, we may get the ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER for FW trace data type that has not been initialized.  This will result in a crash in bnxt_bs_trace_type_wrap().  Add a guard to check for a valid magic_byte pointer before proceeding.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40330",
                        "url": "https://ubuntu.com/security/CVE-2025-40330",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Shutdown FW DMA in bnxt_shutdown()  The netif_close() call in bnxt_shutdown() only stops packet DMA.  There may be FW DMA for trace logging (recently added) that will continue.  If we kexec to a new kernel, the DMA will corrupt memory in the new kernel.  Add bnxt_hwrm_func_drv_unrgtr() to unregister the driver from the FW. This will stop the FW DMA.  In case the call fails, call pcie_flr() to reset the function and stop the DMA.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68192",
                        "url": "https://ubuntu.com/security/CVE-2025-68192",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup  Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. This can trigger kernel panics on ARM64 when xfrm or other subsystems access the offset due to strict alignment checks.  Initialize the MAC header to prevent such crashes.  This can trigger kernel panics on ARM when running IPsec over the qmimux0 interface.  Example trace:      Internal error: Oops: 000000009600004f [#1] SMP     CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1     Hardware name: LS1028A RDB Board (DT)     pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)     pc : xfrm_input+0xde8/0x1318     lr : xfrm_input+0x61c/0x1318     sp : ffff800080003b20     Call trace:      xfrm_input+0xde8/0x1318      xfrm6_rcv+0x38/0x44      xfrm6_esp_rcv+0x48/0xa8      ip6_protocol_deliver_rcu+0x94/0x4b0      ip6_input_finish+0x44/0x70      ip6_input+0x44/0xc0      ipv6_rcv+0x6c/0x114      __netif_receive_skb_one_core+0x5c/0x8c      __netif_receive_skb+0x18/0x60      process_backlog+0x78/0x17c      __napi_poll+0x38/0x180      net_rx_action+0x168/0x2f0",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40331",
                        "url": "https://ubuntu.com/security/CVE-2025-40331",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: Prevent TOCTOU out-of-bounds write  For the following path not holding the sock lock,    sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()  make sure not to exceed bounds in case the address list has grown between buffer allocation (time-of-check) and write (time-of-use).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68187",
                        "url": "https://ubuntu.com/security/CVE-2025-68187",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: mdio: Check regmap pointer returned by device_node_to_regmap()  The call to device_node_to_regmap() in airoha_mdio_probe() can return an ERR_PTR() if regmap initialization fails. Currently, the driver stores the pointer without validation, which could lead to a crash if it is later dereferenced.  Add an IS_ERR() check and return the corresponding error code to make the probe path more robust.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68167",
                        "url": "https://ubuntu.com/security/CVE-2025-68167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gpiolib: fix invalid pointer access in debugfs  If the memory allocation in gpiolib_seq_start() fails, the s->private field remains uninitialized and is later dereferenced without checking in gpiolib_seq_stop(). Initialize s->private to NULL before calling kzalloc() and check it before dereferencing it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68319",
                        "url": "https://ubuntu.com/security/CVE-2025-68319",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netconsole: Acquire su_mutex before navigating configs hierarchy  There is a race between operations that iterate over the userdata cg_children list and concurrent add/remove of userdata items through configfs. The update_userdata() function iterates over the nt->userdata_group.cg_children list, and count_extradata_entries() also iterates over this same list to count nodes.  Quoting from Documentation/filesystems/configfs.rst: > A subsystem can navigate the cg_children list and the ci_parent pointer > to see the tree created by the subsystem.  This can race with configfs' > management of the hierarchy, so configfs uses the subsystem mutex to > protect modifications.  Whenever a subsystem wants to navigate the > hierarchy, it must do so under the protection of the subsystem > mutex.  Without proper locking, if a userdata item is added or removed concurrently while these functions are iterating, the list can be accessed in an inconsistent state. For example, the list_for_each() loop can reach a node that is being removed from the list by list_del_init() which sets the nodes' .next pointer to point to itself, so the loop will never end (or reach the WARN_ON_ONCE in update_userdata() ).  Fix this by holding the configfs subsystem mutex (su_mutex) during all operations that iterate over cg_children. This includes: - userdatum_value_store() which calls update_userdata() to iterate over   cg_children - All sysdata_*_enabled_store() functions which call   count_extradata_entries() to iterate over cg_children  The su_mutex must be acquired before dynamic_netconsole_mutex to avoid potential lock ordering issues, as configfs operations may already hold su_mutex when calling into our code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40298",
                        "url": "https://ubuntu.com/security/CVE-2025-40298",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: Implement settime64 with -EOPNOTSUPP  ptp_clock_settime() assumes every ptp_clock has implemented settime64(). Stub it with -EOPNOTSUPP to prevent a NULL dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40299",
                        "url": "https://ubuntu.com/security/CVE-2025-40299",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: Implement gettimex64 with -EOPNOTSUPP  gve implemented a ptp_clock for sole use of do_aux_work at this time. ptp_clock_gettime() and ptp_sys_offset() assume every ptp_clock has implemented either gettimex64 or gettime64. Stub gettimex64 and return -EOPNOTSUPP to prevent NULL dereferencing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40301",
                        "url": "https://ubuntu.com/security/CVE-2025-40301",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: validate skb length for unknown CC opcode  In hci_cmd_complete_evt(), if the command complete event has an unknown opcode, we assume the first byte of the remaining skb->data contains the return status. However, parameter data has previously been pulled in hci_event_func(), which may leave the skb empty. If so, using skb->data[0] for the return status uses un-init memory.  The fix is to check skb->len before using skb->data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40358",
                        "url": "https://ubuntu.com/security/CVE-2025-40358",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: stacktrace: Disable KASAN checks for non-current tasks  Unwinding the stack of a task other than current, KASAN would report \"BUG: KASAN: out-of-bounds in walk_stackframe+0x41c/0x460\"  There is a same issue on x86 and has been resolved by the commit 84936118bdf3 (\"x86/unwind: Disable KASAN checks for non-current tasks\") The solution could be applied to RISC-V too.  This patch also can solve the issue: https://seclists.org/oss-sec/2025/q4/23  [pjw@kernel.org: clean up checkpatch issues]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68186",
                        "url": "https://ubuntu.com/security/CVE-2025-68186",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up  The function ring_buffer_map_get_reader() is a bit more strict than the other get reader functions, and except for certain situations the rb_get_reader_page() should not return NULL. If it does, it triggers a warning.  This warning was triggering but after looking at why, it was because another acceptable situation was happening and it wasn't checked for.  If the reader catches up to the writer and there's still data to be read on the reader page, then the rb_get_reader_page() will return NULL as there's no new page to get.  In this situation, the reader page should not be updated and no warning should trigger.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68184",
                        "url": "https://ubuntu.com/security/CVE-2025-68184",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/mediatek: Disable AFBC support on Mediatek DRM driver  Commit c410fa9b07c3 (\"drm/mediatek: Add AFBC support to Mediatek DRM driver\") added AFBC support to Mediatek DRM and enabled the 32x8/split/sparse modifier.  However, this is currently broken on Mediatek MT8188 (Genio 700 EVK platform); tested using upstream Kernel and Mesa (v25.2.1), AFBC is used by default since Mesa v25.0.  Kernel trace reports vblank timeouts constantly, and the render is garbled:  ``` [CRTC:62:crtc-0] vblank wait timed out WARNING: CPU: 7 PID: 70 at drivers/gpu/drm/drm_atomic_helper.c:1835 drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c [...] Hardware name: MediaTek Genio-700 EVK (DT) Workqueue: events_unbound commit_work pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c lr : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c sp : ffff80008337bca0 x29: ffff80008337bcd0 x28: 0000000000000061 x27: 0000000000000000 x26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c9dcc000 x23: 0000000000000001 x22: 0000000000000000 x21: ffff0000c66f2f80 x20: ffff0000c0d7d880 x19: 0000000000000000 x18: 000000000000000a x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000000 x14: 0000000000000000 x13: 74756f2064656d69 x12: 742074696177206b x11: 0000000000000058 x10: 0000000000000018 x9 : ffff800082396a70 x8 : 0000000000057fa8 x7 : 0000000000000cce x6 : ffff8000823eea70 x5 : ffff0001fef5f408 x4 : ffff80017ccee000 x3 : ffff0000c12cb480 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c12cb480 Call trace:  drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c (P)  drm_atomic_helper_commit_tail_rpm+0x64/0x80  commit_tail+0xa4/0x1a4  commit_work+0x14/0x20  process_one_work+0x150/0x290  worker_thread+0x2d0/0x3ec  kthread+0x12c/0x210  ret_from_fork+0x10/0x20 ---[ end trace 0000000000000000 ]--- ```  Until this gets fixed upstream, disable AFBC support on this platform, as it's currently broken with upstream Mesa.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40302",
                        "url": "https://ubuntu.com/security/CVE-2025-40302",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: videobuf2: forbid remove_bufs when legacy fileio is active  vb2_ioctl_remove_bufs() call manipulates queue internal buffer list, potentially overwriting some pointers used by the legacy fileio access mode. Forbid that ioctl when fileio is active to protect internal queue state between subsequent read/write calls.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40303",
                        "url": "https://ubuntu.com/security/CVE-2025-40303",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: ensure no dirty metadata is written back for an fs with errors  [BUG] During development of a minor feature (make sure all btrfs_bio::end_io() is called in task context), I noticed a crash in generic/388, where metadata writes triggered new works after btrfs_stop_all_workers().  It turns out that it can even happen without any code modification, just using RAID5 for metadata and the same workload from generic/388 is going to trigger the use-after-free.  [CAUSE] If btrfs hits an error, the fs is marked as error, no new transaction is allowed thus metadata is in a frozen state.  But there are some metadata modifications before that error, and they are still in the btree inode page cache.  Since there will be no real transaction commit, all those dirty folios are just kept as is in the page cache, and they can not be invalidated by invalidate_inode_pages2() call inside close_ctree(), because they are dirty.  And finally after btrfs_stop_all_workers(), we call iput() on btree inode, which triggers writeback of those dirty metadata.  And if the fs is using RAID56 metadata, this will trigger RMW and queue new works into rmw_workers, which is already stopped, causing warning from queue_work() and use-after-free.  [FIX] Add a special handling for write_one_eb(), that if the fs is already in an error state, immediately mark the bbio as failure, instead of really submitting them.  Then during close_ctree(), iput() will just discard all those dirty tree blocks without really writing them back, thus no more new jobs for already stopped-and-freed workqueues.  The extra discard in write_one_eb() also acts as an extra safenet. E.g. the transaction abort is triggered by some extent/free space tree corruptions, and since extent/free space tree is already corrupted some tree blocks may be allocated where they shouldn't be (overwriting existing tree blocks). In that case writing them back will further corrupt the fs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40362",
                        "url": "https://ubuntu.com/security/CVE-2025-40362",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ceph: fix multifs mds auth caps issue  The mds auth caps check should also validate the fsname along with the associated caps. Not doing so would result in applying the mds auth caps of one fs on to the other fs in a multifs ceph cluster. The bug causes multiple issues w.r.t user authentication, following is one such example.  Steps to Reproduce (on vstart cluster): 1. Create two file systems in a cluster, say 'fsname1' and 'fsname2' 2. Authorize read only permission to the user 'client.usr' on fs 'fsname1'     $ceph fs authorize fsname1 client.usr / r 3. Authorize read and write permission to the same user 'client.usr' on fs 'fsname2'     $ceph fs authorize fsname2 client.usr / rw 4. Update the keyring     $ceph auth get client.usr >> ./keyring  With above permissions for the user 'client.usr', following is the expectation.   a. The 'client.usr' should be able to only read the contents      and not allowed to create or delete files on file system 'fsname1'.   b. The 'client.usr' should be able to read/write on file system 'fsname2'.  But, with this bug, the 'client.usr' is allowed to read/write on file system 'fsname1'. See below.  5. Mount the file system 'fsname1' with the user 'client.usr'      $sudo bin/mount.ceph usr@.fsname1=/ /kmnt_fsname1_usr/ 6. Try creating a file on file system 'fsname1' with user 'client.usr'. This    should fail but passes with this bug.      $touch /kmnt_fsname1_usr/file1 7. Mount the file system 'fsname1' with the user 'client.admin' and create a    file.      $sudo bin/mount.ceph admin@.fsname1=/ /kmnt_fsname1_admin      $echo \"data\" > /kmnt_fsname1_admin/admin_file1 8. Try removing an existing file on file system 'fsname1' with the user    'client.usr'. This shouldn't succeed but succeeds with the bug.      $rm -f /kmnt_fsname1_usr/admin_file1  For more information, please take a look at the corresponding mds/fuse patch and tests added by looking into the tracker mentioned below.  v2: Fix a possible null dereference in doutc v3: Don't store fsname from mdsmap, validate against     ceph_mount_options's fsname and use it v4: Code refactor, better warning message and     fix possible compiler warning  [ Slava.Dubeyko: \"fsname check failed\" -> \"fsname mismatch\" ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40332",
                        "url": "https://ubuntu.com/security/CVE-2025-40332",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Fix mmap write lock not release  If mmap write lock is taken while draining retry fault, mmap write lock is not released because svm_range_restore_pages calls mmap_read_unlock then returns. This causes deadlock and system hangs later because mmap read or write lock cannot be taken.  Downgrading the mmap write lock to a read lock when draining retry faults fixes this bug.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40304",
                        "url": "https://ubuntu.com/security/CVE-2025-40304",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds  Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen edges. Return early if the Y position is off-screen and clip image height to screen boundary. Break from the rendering loop if the X position is off-screen. When clipping image width to fit the screen, update the character count to match the clipped width to prevent buffer size mismatches.  Without the character count update, bit_putcs_aligned and bit_putcs_unaligned receive mismatched parameters where the buffer is allocated for the clipped width but cnt reflects the original larger count, causing out-of-bounds writes.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40305",
                        "url": "https://ubuntu.com/security/CVE-2025-40305",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN  p9_read_work() doesn't set Rworksched and doesn't do schedule_work(m->rq) if list_empty(&m->req_list).  However, if the pipe is full, we need to read more data and this used to work prior to commit aaec5a95d59615 (\"pipe_read: don't wake up the writer if the pipe is still full\").  p9_read_work() does p9_fd_read() -> ... -> anon_pipe_read() which (before the commit above) triggered the unnecessary wakeup. This wakeup calls p9_pollwake() which kicks p9_poll_workfn() -> p9_poll_mux(), p9_poll_mux() will notice EPOLLIN and schedule_work(&m->rq).  This no longer happens after the optimization above, change p9_fd_request() to use p9_poll_mux() instead of only checking for EPOLLOUT.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68318",
                        "url": "https://ubuntu.com/security/CVE-2025-68318",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL  The AXI crossbar of TH1520 has no proper timeout handling, which means gating AXI clocks can easily lead to bus timeout and thus system hang.  Set all AXI clock gates to CLK_IS_CRITICAL. All these clock gates are ungated by default on system reset.  In addition, convert all current CLK_IGNORE_UNUSED usage to CLK_IS_CRITICAL to prevent unwanted clock gating.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40209",
                        "url": "https://ubuntu.com/security/CVE-2025-40209",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation  When btrfs_add_qgroup_relation() is called with invalid qgroup levels (src >= dst), the function returns -EINVAL directly without freeing the preallocated qgroup_list structure passed by the caller. This causes a memory leak because the caller unconditionally sets the pointer to NULL after the call, preventing any cleanup.  The issue occurs because the level validation check happens before the mutex is acquired and before any error handling path that would free the prealloc pointer. On this early return, the cleanup code at the 'out' label (which includes kfree(prealloc)) is never reached.  In btrfs_ioctl_qgroup_assign(), the code pattern is:      prealloc = kzalloc(sizeof(*prealloc), GFP_KERNEL);     ret = btrfs_add_qgroup_relation(trans, sa->src, sa->dst, prealloc);     prealloc = NULL;  // Always set to NULL regardless of return value     ...     kfree(prealloc);  // This becomes kfree(NULL), does nothing  When the level check fails, 'prealloc' is never freed by either the callee or the caller, resulting in a 64-byte memory leak per failed operation. This can be triggered repeatedly by an unprivileged user with access to a writable btrfs mount, potentially exhausting kernel memory.  Fix this by freeing prealloc before the early return, ensuring prealloc is always freed on all error paths.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-21 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68183",
                        "url": "https://ubuntu.com/security/CVE-2025-68183",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr  Currently when both IMA and EVM are in fix mode, the IMA signature will be reset to IMA hash if a program first stores IMA signature in security.ima and then writes/removes some other security xattr for the file.  For example, on Fedora, after booting the kernel with \"ima_appraise=fix evm=fix ima_policy=appraise_tcb\" and installing rpm-plugin-ima, installing/reinstalling a package will not make good reference IMA signature generated. Instead IMA hash is generated,      # getfattr -m - -d -e hex /usr/bin/bash     # file: usr/bin/bash     security.ima=0x0404...  This happens because when setting security.selinux, the IMA_DIGSIG flag that had been set early was cleared. As a result, IMA hash is generated when the file is closed.  Similarly, IMA signature can be cleared on file close after removing security xattr like security.evm or setting/removing ACL.  Prevent replacing the IMA file signature with a file hash, by preventing the IMA_DIGSIG flag from being reset.  Here's a minimal C reproducer which sets security.selinux as the last step which can also be replaced by removing security.evm or setting ACL,      #include <stdio.h>     #include <sys/xattr.h>     #include <fcntl.h>     #include <unistd.h>     #include <string.h>     #include <stdlib.h>      int main() {         const char* file_path = \"/usr/sbin/test_binary\";         const char* hex_string = \"030204d33204490066306402304\";         int length = strlen(hex_string);         char* ima_attr_value;         int fd;          fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);         if (fd == -1) {             perror(\"Error opening file\");             return 1;         }          ima_attr_value = (char*)malloc(length / 2 );         for (int i = 0, j = 0; i < length; i += 2, j++) {             sscanf(hex_string + i, \"%2hhx\", &ima_attr_value[j]);         }          if (fsetxattr(fd, \"security.ima\", ima_attr_value, length/2, 0) == -1) {             perror(\"Error setting extended attribute\");             close(fd);             return 1;         }          const char* selinux_value= \"system_u:object_r:bin_t:s0\";         if (fsetxattr(fd, \"security.selinux\", selinux_value, strlen(selinux_value), 0) == -1) {             perror(\"Error setting extended attribute\");             close(fd);             return 1;         }          close(fd);          return 0;     }",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68173",
                        "url": "https://ubuntu.com/security/CVE-2025-68173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ftrace: Fix softlockup in ftrace_module_enable  A soft lockup was observed when loading amdgpu module. If a module has a lot of tracable functions, multiple calls to kallsyms_lookup can spend too much time in RCU critical section and with disabled preemption, causing kernel panic. This is the same issue that was fixed in commit d0b24b4e91fc (\"ftrace: Prevent RCU stall on PREEMPT_VOLUNTARY kernels\") and commit 42ea22e754ba (\"ftrace: Add cond_resched() to ftrace_graph_set_hash()\").  Fix it the same way by adding cond_resched() in ftrace_module_enable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40306",
                        "url": "https://ubuntu.com/security/CVE-2025-40306",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  orangefs: fix xattr related buffer overflow...  Willy Tarreau <w@1wt.eu> forwarded me a message from Disclosure <disclosure@aisle.com> with the following warning:  > The helper `xattr_key()` uses the pointer variable in the loop condition > rather than dereferencing it. As `key` is incremented, it remains non-NULL > (until it runs into unmapped memory), so the loop does not terminate on > valid C strings and will walk memory indefinitely, consuming CPU or hanging > the thread.  I easily reproduced this with setfattr and getfattr, causing a kernel oops, hung user processes and corrupted orangefs files. Disclosure sent along a diff (not a patch) with a suggested fix, which I based this patch on.  After xattr_key started working right, xfstest generic/069 exposed an xattr related memory leak that lead to OOM. xattr_key returns a hashed key.  When adding xattrs to the orangefs xattr cache, orangefs used hash_add, a kernel hashing macro. hash_add also hashes the key using hash_log which resulted in additions to the xattr cache going to the wrong hash bucket. generic/069 tortures a single file and orangefs does a getattr for the xattr \"security.capability\" every time. Orangefs negative caches on xattrs which includes a kmalloc. Since adds to the xattr cache were going to the wrong bucket, every getattr for \"security.capability\" resulted in another kmalloc, none of which were ever freed.  I changed the two uses of hash_add to hlist_add_head instead and the memory leak ceased and generic/069 quit throwing furniture.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40307",
                        "url": "https://ubuntu.com/security/CVE-2025-40307",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exfat: validate cluster allocation bits of the allocation bitmap  syzbot created an exfat image with cluster bits not set for the allocation bitmap. exfat-fs reads and uses the allocation bitmap without checking this. The problem is that if the start cluster of the allocation bitmap is 6, cluster 6 can be allocated when creating a directory with mkdir. exfat zeros out this cluster in exfat_mkdir, which can delete existing entries. This can reallocate the allocated entries. In addition, the allocation bitmap is also zeroed out, so cluster 6 can be reallocated. This patch adds exfat_test_bitmap_range to validate that clusters used for the allocation bitmap are correctly marked as in-use.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40308",
                        "url": "https://ubuntu.com/security/CVE-2025-40308",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: bcsp: receive data only if registered  Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace:      KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]     RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590     Call Trace:      <TASK>      hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627      tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290      tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706      vfs_ioctl fs/ioctl.c:51 [inline]      __do_sys_ioctl fs/ioctl.c:907 [inline]      __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893      do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]      do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94      entry_SYSCALL_64_after_hwframe+0x77/0x7f  To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40309",
                        "url": "https://ubuntu.com/security/CVE-2025-40309",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: SCO: Fix UAF on sco_conn_free  BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline] BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline] BUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 Write of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352  CPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted 6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci13 hci_cmd_sync_work Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0x191/0x550 mm/kasan/report.c:482  kasan_report+0xc4/0x100 mm/kasan/report.c:595  sco_conn_free net/bluetooth/sco.c:87 [inline]  kref_put include/linux/kref.h:65 [inline]  sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107  sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441  hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]  hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313  hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121  hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147  hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689  hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332  process_one_work kernel/workqueue.c:3236 [inline]  process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319  worker_thread+0xbee/0x1200 kernel/workqueue.c:3400  kthread+0x3c7/0x870 kernel/kthread.c:463  ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 31370:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x70 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:388 
[inline]  __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405  kasan_kmalloc include/linux/kasan.h:260 [inline]  __do_kmalloc_node mm/slub.c:4382 [inline]  __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394  kmalloc_noprof include/linux/slab.h:909 [inline]  sk_prot_alloc+0xae/0x220 net/core/sock.c:2239  sk_alloc+0x34/0x5a0 net/core/sock.c:2295  bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151  sco_sock_alloc net/bluetooth/sco.c:562 [inline]  sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593  bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135  __sock_create+0x3ad/0x780 net/socket.c:1589  sock_create net/socket.c:1647 [inline]  __sys_socket_create net/socket.c:1684 [inline]  __sys_socket+0xd5/0x330 net/socket.c:1731  __do_sys_socket net/socket.c:1745 [inline]  __se_sys_socket net/socket.c:1743 [inline]  __x64_sys_socket+0x7a/0x90 net/socket.c:1743  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 31374:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x70 mm/kasan/common.c:68  kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576  poison_slab_object mm/kasan/common.c:243 [inline]  __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275  kasan_slab_free include/linux/kasan.h:233 [inline]  slab_free_hook mm/slub.c:2428 [inline]  slab_free mm/slub.c:4701 [inline]  kfree+0x199/0x3b0 mm/slub.c:4900  sk_prot_free net/core/sock.c:2278 [inline]  __sk_destruct+0x4aa/0x630 net/core/sock.c:2373  sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333  __sock_release net/socket.c:649 [inline]  sock_close+0xb8/0x230 net/socket.c:1439  __fput+0x3d1/0x9e0 fs/file_table.c:468  task_work_run+0x206/0x2a0 kernel/task_work.c:227  get_signal+0x1201/0x1410 kernel/signal.c:2807  arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337  exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40  exit_to_user_mode_prepare 
include/linux/irq-entry-common.h:225 [inline]  s ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68174",
                        "url": "https://ubuntu.com/security/CVE-2025-68174",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  amd/amdkfd: enhance kfd process check in switch partition  current switch partition only check if kfd_processes_table is empty. kfd_prcesses_table entry is deleted in kfd_process_notifier_release, but kfd_process tear down is in kfd_process_wq_release.  consider two processes:  Process A (workqueue) -> kfd_process_wq_release -> Access kfd_node member Process B switch partition -> amdgpu_xcp_pre_partition_switch -> amdgpu_amdkfd_device_fini_sw -> kfd_node tear down.  Process A and B may trigger a race as shown in dmesg log.  This patch is to resolve the race by adding an atomic kfd_process counter kfd_processes_count, it increment as create kfd process, decrement as finish kfd_process_wq_release.  v2: Put kfd_processes_count per kfd_dev, move decrement to kfd_process_destroy_pdds and bug fix. (Philip Yang)  [3966658.307702] divide error: 0000 [#1] SMP NOPTI [3966658.350818]  i10nm_edac [3966658.356318] CPU: 124 PID: 38435 Comm: kworker/124:0 Kdump: loaded Tainted [3966658.356890] Workqueue: kfd_process_wq kfd_process_wq_release [amdgpu] [3966658.362839]  nfit [3966658.366457] RIP: 0010:kfd_get_num_sdma_engines+0x17/0x40 [amdgpu] [3966658.366460] Code: 00 00 e9 ac 81 02 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 0f 1f 44 00 00 48 8b 4f 08 48 8b b7 00 01 00 00 8b 81 58 26 03 00 99 <f7> be b8 01 00 00 80 b9 70 2e 00 00 00 74 0b 83 f8 02 ba 02 00 00 [3966658.380967]  x86_pkg_temp_thermal [3966658.391529] RSP: 0018:ffffc900a0edfdd8 EFLAGS: 00010246 [3966658.391531] RAX: 0000000000000008 RBX: ffff8974e593b800 RCX: ffff888645900000 [3966658.391531] RDX: 0000000000000000 RSI: ffff888129154400 RDI: ffff888129151c00 [3966658.391532] RBP: ffff8883ad79d400 R08: 0000000000000000 R09: ffff8890d2750af4 [3966658.391532] R10: 0000000000000018 R11: 0000000000000018 R12: 0000000000000000 [3966658.391533] R13: ffff8883ad79d400 R14: ffffe87ff662ba00 R15: ffff8974e593b800 
[3966658.391533] FS:  0000000000000000(0000) GS:ffff88fe7f600000(0000) knlGS:0000000000000000 [3966658.391534] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [3966658.391534] CR2: 0000000000d71000 CR3: 000000dd0e970004 CR4: 0000000002770ee0 [3966658.391535] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [3966658.391535] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [3966658.391536] PKRU: 55555554 [3966658.391536] Call Trace: [3966658.391674]  deallocate_sdma_queue+0x38/0xa0 [amdgpu] [3966658.391762]  process_termination_cpsch+0x1ed/0x480 [amdgpu] [3966658.399754]  intel_powerclamp [3966658.402831]  kfd_process_dequeue_from_all_devices+0x5b/0xc0 [amdgpu] [3966658.402908]  kfd_process_wq_release+0x1a/0x1a0 [amdgpu] [3966658.410516]  coretemp [3966658.434016]  process_one_work+0x1ad/0x380 [3966658.434021]  worker_thread+0x49/0x310 [3966658.438963]  kvm_intel [3966658.446041]  ? process_one_work+0x380/0x380 [3966658.446045]  kthread+0x118/0x140 [3966658.446047]  ? 
__kthread_bind_mask+0x60/0x60 [3966658.446050]  ret_from_fork+0x1f/0x30 [3966658.446053] Modules linked in: kpatch_20765354(OEK) [3966658.455310]  kvm [3966658.464534]  mptcp_diag xsk_diag raw_diag unix_diag af_packet_diag netlink_diag udp_diag act_pedit act_mirred act_vlan cls_flower kpatch_21951273(OEK) kpatch_18424469(OEK) kpatch_19749756(OEK) [3966658.473462]  idxd_mdev [3966658.482306]  kpatch_17971294(OEK) sch_ingress xt_conntrack amdgpu(OE) amdxcp(OE) amddrm_buddy(OE) amd_sched(OE) amdttm(OE) amdkcl(OE) intel_ifs iptable_mangle tcm_loop target_core_pscsi tcp_diag target_core_file inet_diag target_core_iblock target_core_user target_core_mod coldpgs kpatch_18383292(OEK) ip6table_nat ip6table_filter ip6_tables ip_set_hash_ipportip ip_set_hash_ipportnet ip_set_hash_ipport ip_set_bitmap_port xt_comment iptable_nat nf_nat iptable_filter ip_tables ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 sn_core_odd(OE) i40e overlay binfmt_misc tun bonding(OE) aisqos(OE) aisqo ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40310",
                        "url": "https://ubuntu.com/security/CVE-2025-40310",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw  There is race in amdgpu_amdkfd_device_fini_sw and interrupt. if amdgpu_amdkfd_device_fini_sw run in b/w kfd_cleanup_nodes and   kfree(kfd), and KGD interrupt generated.  kernel panic log:  BUG: kernel NULL pointer dereference, address: 0000000000000098 amdgpu 0000:c8:00.0: amdgpu: Requesting 4 partitions through PSP  PGD d78c68067 P4D d78c68067  kfd kfd: amdgpu: Allocated 3969056 bytes on gart  PUD 1465b8067 PMD @  Oops: @002 [#1] SMP NOPTI  kfd kfd: amdgpu: Total number of KFD nodes to be created: 4 CPU: 115 PID: @ Comm: swapper/115 Kdump: loaded Tainted: G S W OE K  RIP: 0010:_raw_spin_lock_irqsave+0x12/0x40  Code: 89 e@ 41 5c c3 cc cc cc cc 66 66 2e Of 1f 84 00 00 00 00 00 OF 1f 40 00 Of 1f 44% 00 00 41 54 9c 41 5c fa 31 cO ba 01 00 00 00 <fO> OF b1 17 75 Ba 4c 89 e@ 41 Sc  89 c6 e8 07 38 5d  RSP: 0018: ffffc90@1a6b0e28 EFLAGS: 00010046  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000018 0000000000000001 RSI: ffff8883bb623e00 RDI: 0000000000000098 ffff8883bb000000 RO8: ffff888100055020 ROO: ffff888100055020 0000000000000000 R11: 0000000000000000 R12: 0900000000000002 ffff888F2b97da0@ R14: @000000000000098 R15: ffff8883babdfo00  CS: 010 DS: 0000 ES: 0000 CRO: 0000000080050033  CR2: 0000000000000098 CR3: 0000000e7cae2006 CR4: 0000000002770ce0 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 0000000000000000 DR6: 00000000fffeO7FO DR7: 0000000000000400  PKRU: 55555554  Call Trace:  <IRQ>  kgd2kfd_interrupt+@x6b/0x1f@ [amdgpu]  ? 
amdgpu_fence_process+0xa4/0x150 [amdgpu]  kfd kfd: amdgpu: Node: 0, interrupt_bitmap: 3 YcpxFl Rant tErace  amdgpu_irq_dispatch+0x165/0x210 [amdgpu]  amdgpu_ih_process+0x80/0x100 [amdgpu]  amdgpu: Virtual CRAT table created for GPU  amdgpu_irq_handler+0x1f/@x60 [amdgpu]  __handle_irq_event_percpu+0x3d/0x170  amdgpu: Topology: Add dGPU node [0x74a2:0x1002]  handle_irq_event+0x5a/@xcO  handle_edge_irq+0x93/0x240  kfd kfd: amdgpu: KFD node 1 partition @ size 49148M  asm_call_irq_on_stack+0xf/@x20  </IRQ>  common_interrupt+0xb3/0x130  asm_common_interrupt+0x1le/0x40  5.10.134-010.a1i5000.a18.x86_64 #1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40361",
                        "url": "https://ubuntu.com/security/CVE-2025-40361",
                        "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40311",
                        "url": "https://ubuntu.com/security/CVE-2025-40311",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/habanalabs: support mapping cb with vmalloc-backed coherent memory  When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return addresses from the vmalloc range. If such an address is mapped without VM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the VM_PFNMAP restriction.  Fix this by checking for vmalloc addresses and setting VM_MIXEDMAP in the VMA before mapping. This ensures safe mapping and avoids kernel crashes. The memory is still driver-allocated and cannot be accessed directly by userspace.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68185",
                        "url": "https://ubuntu.com/security/CVE-2025-68185",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing  Theoretically it's an oopsable race, but I don't believe one can manage to hit it on real hardware; might become doable on a KVM, but it still won't be easy to attack.  Anyway, it's easy to deal with - since xdr_encode_hyper() is just a call of put_unaligned_be64(), we can put that under ->d_lock and be done with that.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68176",
                        "url": "https://ubuntu.com/security/CVE-2025-68176",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: cadence: Check for the existence of cdns_pcie::ops before using it  cdns_pcie::ops might not be populated by all the Cadence glue drivers. This is going to be true for the upcoming Sophgo platform which doesn't set the ops.  Hence, add a check to prevent NULL pointer dereference.  [mani: reworded subject and description]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68190",
                        "url": "https://ubuntu.com/security/CVE-2025-68190",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()  kcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws remains NULL while ectx.ws_size is set, leading to a potential NULL pointer dereference in atom_get_src_int() when accessing WS entries.  Return -ENOMEM on allocation failure to avoid the NULL dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68168",
                        "url": "https://ubuntu.com/security/CVE-2025-68168",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  jfs: fix uninitialized waitqueue in transaction manager  The transaction manager initialization in txInit() was not properly initializing TxBlock[0].waitor waitqueue, causing a crash when txEnd(0) is called on read-only filesystems.  When a filesystem is mounted read-only, txBegin() returns tid=0 to indicate no transaction. However, txEnd(0) still gets called and tries to access TxBlock[0].waitor via tid_to_tblock(0), but this waitqueue was never initialized because the initialization loop started at index 1 instead of 0.  This causes a 'non-static key' lockdep warning and system crash:   INFO: trying to register non-static key in txEnd  Fix by ensuring all transaction blocks including TxBlock[0] have their waitqueues properly initialized during txInit().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40312",
                        "url": "https://ubuntu.com/security/CVE-2025-40312",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  jfs: Verify inode mode when loading from disk  The inode mode loaded from corrupted disk can be invalid. Do like what commit 0a9e74051313 (\"isofs: Verify inode mode when loading from disk\") does.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40333",
                        "url": "https://ubuntu.com/security/CVE-2025-40333",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix infinite loop in __insert_extent_tree()  When we get wrong extent info data, and look up extent_node in rb tree, it will cause infinite loop (CONFIG_F2FS_CHECK_FS=n). Avoiding this by return NULL and print some kernel messages in that case.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68321",
                        "url": "https://ubuntu.com/security/CVE-2025-68321",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  page_pool: always add GFP_NOWARN for ATOMIC allocations  Driver authors often forget to add GFP_NOWARN for page allocation from the datapath. This is annoying to users as OOMs are a fact of life, and we pretty much expect network Rx to hit page allocation failures during OOM. Make page pool add GFP_NOWARN for ATOMIC allocations by default.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40334",
                        "url": "https://ubuntu.com/security/CVE-2025-40334",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: validate userq buffer virtual address and size  It needs to validate the userq object virtual address to determine whether it is residented in a valid vm mapping.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68191",
                        "url": "https://ubuntu.com/security/CVE-2025-68191",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  udp_tunnel: use netdev_warn() instead of netdev_WARN()  netdev_WARN() uses WARN/WARN_ON to print a backtrace along with file and line information. In this case, udp_tunnel_nic_register() returning an error is just a failed operation, not a kernel bug.  udp_tunnel_nic_register() can fail due to a memory allocation failure (kzalloc() or udp_tunnel_nic_alloc()). This is a normal runtime error and not a kernel bug.  Replace netdev_WARN() with netdev_warn() accordingly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68309",
                        "url": "https://ubuntu.com/security/CVE-2025-68309",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI/AER: Fix NULL pointer access by aer_info  The kzalloc(GFP_KERNEL) may return NULL, so all accesses to aer_info->xxx will result in kernel panic. Fix it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40313",
                        "url": "https://ubuntu.com/security/CVE-2025-40313",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ntfs3: pretend $Extend records as regular files  Since commit af153bb63a33 (\"vfs: catch invalid modes in may_open()\") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/ S_IFIFO/S_IFSOCK type, use S_IFREG for $Extend records.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40335",
                        "url": "https://ubuntu.com/security/CVE-2025-40335",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: validate userq input args  This will help on validating the userq input args, and rejecting for the invalid userq request at the IOCTLs first place.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40314",
                        "url": "https://ubuntu.com/security/CVE-2025-40314",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget  In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget structure (pdev->gadget) was freed before its endpoints. The endpoints are linked via the ep_list in the gadget structure. Freeing the gadget first leaves dangling pointers in the endpoint list. When the endpoints are subsequently freed, this results in a use-after-free.  Fix: By separating the usb_del_gadget_udc() operation into distinct \"del\" and \"put\" steps, cdnsp_gadget_free_endpoints() can be executed prior to the final release of the gadget structure with usb_put_gadget().  A patch similar to bb9c74a5bd14(\"usb: dwc3: gadget: Free gadget structure  only after freeing endpoints\").",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40336",
                        "url": "https://ubuntu.com/security/CVE-2025-40336",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gpusvm: fix hmm_pfn_to_map_order() usage  Handle the case where the hmm range partially covers a huge page (like 2M), otherwise we can potentially end up doing something nasty like mapping memory which is outside the range, and maybe not even mapped by the mm. Fix is based on the xe userptr code, which in a future patch will directly use gpusvm, so needs alignment here.  v2:   - Add kernel-doc (Matt B)   - s/fls/ilog2/ (Thomas)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68193",
                        "url": "https://ubuntu.com/security/CVE-2025-68193",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Add devm release action to safely tear down CT  When a buffer object (BO) is allocated with the XE_BO_FLAG_GGTT_INVALIDATE flag, the driver initiates TLB invalidation requests via the CTB mechanism while releasing the BO. However a premature release of the CTB BO can lead to system crashes, as observed in:  Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:h2g_write+0x2f3/0x7c0 [xe] Call Trace:  guc_ct_send_locked+0x8b/0x670 [xe]  xe_guc_ct_send_locked+0x19/0x60 [xe]  send_tlb_invalidation+0xb4/0x460 [xe]  xe_gt_tlb_invalidation_ggtt+0x15e/0x2e0 [xe]  ggtt_invalidate_gt_tlb.part.0+0x16/0x90 [xe]  ggtt_node_remove+0x110/0x140 [xe]  xe_ggtt_node_remove+0x40/0xa0 [xe]  xe_ggtt_remove_bo+0x87/0x250 [xe]  Introduce a devm-managed release action during xe_guc_ct_init() and xe_guc_ct_init_post_hwconfig() to ensure proper CTB disablement before resource deallocation, preventing the use-after-free scenario.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68175",
                        "url": "https://ubuntu.com/security/CVE-2025-68175",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: nxp: imx8-isi: Fix streaming cleanup on release  The current implementation unconditionally calls mxc_isi_video_cleanup_streaming() in mxc_isi_video_release(). This can lead to situations where any release call (like from a simple \"v4l2-ctl -l\") may release a currently streaming queue when called on such a device.  This is reproducible on an i.MX8MP board by streaming from an ISI capture device using gstreamer:  \tgst-launch-1.0 -v v4l2src device=/dev/videoX ! \\ \t    video/x-raw,format=GRAY8,width=1280,height=800,framerate=1/120 ! \\ \t    fakesink  While this stream is running, querying the caps of the same device provokes the error state:  \tv4l2-ctl -l -d /dev/videoX  This results in the following trace:  [  155.452152] ------------[ cut here ]------------ [  155.452163] WARNING: CPU: 0 PID: 1708 at drivers/media/platform/nxp/imx8-isi/imx8-isi-pipe.c:713 mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [  157.004248] Modules linked in: cfg80211 rpmsg_ctrl rpmsg_char rpmsg_tty virtio_rpmsg_bus rpmsg_ns rpmsg_core rfkill nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables mcp251x6 [  157.053499] CPU: 0 UID: 0 PID: 1708 Comm: python3 Not tainted 6.15.4-00114-g1f61ca5cad76 #1 PREEMPT [  157.064369] Hardware name: imx8mp_board_01 (DT) [  157.068205] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [  157.075169] pc : mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [  157.081195] lr : mxc_isi_pipe_irq_handler+0x38/0x1b0 [imx8_isi] [  157.087126] sp : ffff800080003ee0 [  157.090438] x29: ffff800080003ee0 x28: ffff0000c3688000 x27: 0000000000000000 [  157.097580] x26: 0000000000000000 x25: ffff0000c1e7ac00 x24: ffff800081b5ad50 [  157.104723] x23: 00000000000000d1 x22: 0000000000000000 x21: ffff0000c25e4000 [  157.111866] x20: 0000000060000200 x19: ffff80007a0608d0 x18: 0000000000000000 [  157.119008] x17: ffff80006a4e3000 
x16: ffff800080000000 x15: 0000000000000000 [  157.126146] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [  157.133287] x11: 0000000000000040 x10: ffff0000c01445f0 x9 : ffff80007a053a38 [  157.140425] x8 : ffff0000c04004b8 x7 : 0000000000000000 x6 : 0000000000000000 [  157.147567] x5 : ffff0000c0400490 x4 : ffff80006a4e3000 x3 : ffff0000c25e4000 [  157.154706] x2 : 0000000000000000 x1 : ffff8000825c0014 x0 : 0000000060000200 [  157.161850] Call trace: [  157.164296]  mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] (P) [  157.170319]  __handle_irq_event_percpu+0x58/0x218 [  157.175029]  handle_irq_event+0x54/0xb8 [  157.178867]  handle_fasteoi_irq+0xac/0x248 [  157.182968]  handle_irq_desc+0x48/0x68 [  157.186723]  generic_handle_domain_irq+0x24/0x38 [  157.191346]  gic_handle_irq+0x54/0x120 [  157.195098]  call_on_irq_stack+0x24/0x30 [  157.199027]  do_interrupt_handler+0x88/0x98 [  157.203212]  el0_interrupt+0x44/0xc0 [  157.206792]  __el0_irq_handler_common+0x18/0x28 [  157.211328]  el0t_64_irq_handler+0x10/0x20 [  157.215429]  el0t_64_irq+0x198/0x1a0 [  157.219009] ---[ end trace 0000000000000000 ]---  Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the vb2_ioctl_streamon() and vb2_ioctl_streamoff() helpers, and removal of the manual cleanup from mxc_isi_video_release().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68188",
                        "url": "https://ubuntu.com/security/CVE-2025-68188",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()  Use RCU to avoid a pair of atomic operations and a potential UAF on dst_dev()->flags.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68315",
                        "url": "https://ubuntu.com/security/CVE-2025-68315",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix to detect potential corrupted nid in free_nid_list  As reported, on-disk footer.ino and footer.nid is the same and out-of-range, let's add sanity check on f2fs_alloc_nid() to detect any potential corruption in free_nid_list.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40337",
                        "url": "https://ubuntu.com/security/CVE-2025-40337",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Correctly handle Rx checksum offload errors  The stmmac_rx function would previously set skb->ip_summed to CHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabled and the packet was of a known IP ethertype.  However, this logic failed to check if the hardware had actually reported a checksum error. The hardware status, indicating a header or payload checksum failure, was being ignored at this stage. This could cause corrupt packets to be passed up the network stack as valid.  This patch corrects the logic by checking the `csum_none` status flag, which is set when the hardware reports a checksum error. If this flag is set, skb->ip_summed is now correctly set to CHECKSUM_NONE, ensuring the kernel's network stack will perform its own validation and properly handle the corrupt packet.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40338",
                        "url": "https://ubuntu.com/security/CVE-2025-40338",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Do not share the name pointer between components  By sharing 'name' directly, tearing down components may lead to use-after-free errors. Duplicate the name to avoid that.  At the same time, update the order of operations - since commit cee28113db17 (\"ASoC: dmaengine_pcm: Allow passing component name via config\") the framework does not override component->name if set before invoking the initializer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40339",
                        "url": "https://ubuntu.com/security/CVE-2025-40339",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: fix nullptr err of vm_handle_moved  If an amdgpu_bo_va is fpriv->prt_va, the bo of this one is always NULL. So, such kind of amdgpu_bo_va should be updated separately before amdgpu_vm_handle_moved.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68194",
                        "url": "https://ubuntu.com/security/CVE-2025-68194",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: imon: make send_packet() more robust  syzbot is reporting that imon has three problems which result in hung tasks due to forever holding device lock [1].  First problem is that when usb_rx_callback_intf0() once got -EPROTO error after ictx->dev_present_intf0 became true, usb_rx_callback_intf0() resubmits urb after printk(), and resubmitted urb causes usb_rx_callback_intf0() to again get -EPROTO error. This results in printk() flooding (RCU stalls).  Alan Stern commented [2] that    In theory it's okay to resubmit _if_ the driver has a robust   error-recovery scheme (such as giving up after some fixed limit on the   number of errors or after some fixed time has elapsed, perhaps with a   time delay to prevent a flood of errors).  Most drivers don't bother to   do this; they simply give up right away.  This makes them more   vulnerable to short-term noise interference during USB transfers, but in   reality such interference is quite rare.  There's nothing really wrong   with giving up right away.  but imon has a poor error-recovery scheme which just retries forever; this behavior should be fixed.  Since I'm not sure whether it is safe for imon users to give up upon any error code, this patch takes care of only union of error codes chosen from modules in drivers/media/rc/ directory which handle -EPROTO error (i.e. ir_toy, mceusb and igorplugusb).  Second problem is that when usb_rx_callback_intf0() once got -EPROTO error before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0() always resubmits urb due to commit 8791d63af0cf (\"[media] imon: don't wedge hardware after early callbacks\"). 
Move the ictx->dev_present_intf0 test introduced by commit 6f6b90c9231a (\"[media] imon: don't parse scancodes until intf configured\") to immediately before imon_incoming_packet(), or the first problem explained above happens without printk() flooding (i.e. hung task).  Third problem is that when usb_rx_callback_intf0() is not called for some reason (e.g. flaky hardware; the reproducer for this problem sometimes prevents usb_rx_callback_intf0() from being called), wait_for_completion_interruptible() in send_packet() never returns (i.e. hung task). As a workaround for such situation, change send_packet() to wait for completion with timeout of 10 seconds.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40363",
                        "url": "https://ubuntu.com/security/CVE-2025-40363",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: ipv6: fix field-spanning memcpy warning in AH output  Fix field-spanning memcpy warnings in ah6_output() and ah6_output_done() where extension headers are copied to/from IPv6 address fields, triggering fortify-string warnings about writes beyond the 16-byte address fields.    memcpy: detected field-spanning write (size 40) of single field \"&top_iph->saddr\" at net/ipv6/ah6.c:439 (size 16)   WARNING: CPU: 0 PID: 8838 at net/ipv6/ah6.c:439 ah6_output+0xe7e/0x14e0 net/ipv6/ah6.c:439  The warnings are false positives as the extension headers are intentionally placed after the IPv6 header in memory. Fix by properly copying addresses and extension headers separately, and introduce helper functions to avoid code duplication.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68311",
                        "url": "https://ubuntu.com/security/CVE-2025-68311",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: serial: ip22zilog: Use platform device for probing  After commit 84a9582fd203 (\"serial: core: Start managing serial controllers to enable runtime PM\") serial drivers need to provide a device in struct uart_port.dev otherwise an oops happens. To fix this issue for ip22zilog driver switch driver to a platform driver and setup the serial device in sgi-ip22 code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40340",
                        "url": "https://ubuntu.com/security/CVE-2025-40340",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.  I saw an oops in xe_gem_fault when running the xe-fast-feedback testlist against the realtime kernel without debug options enabled.  The panic happens after core_hotunplug unbind-rebind finishes. Presumably what happens is that a process mmaps, unlocks because of the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left, causing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since there was nothing left to populate, and then oopses in \"mem_type_is_vram(tbo->resource->mem_type)\" because tbo->resource is NULL.  It's convoluted, but fits the data and explains the oops after the test exits.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68196",
                        "url": "https://ubuntu.com/security/CVE-2025-68196",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Cache streams targeting link when performing LT automation  [WHY] Last LT automation update can cause crash by referencing current_state and calling into dc_update_planes_and_stream which may clobber current_state.  [HOW] Cache relevant stream pointers and iterate through them instead of relying on the current_state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68178",
                        "url": "https://ubuntu.com/security/CVE-2025-68178",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  blk-cgroup: fix possible deadlock while configuring policy  Following deadlock can be triggered easily by lockdep:  WARNING: possible circular locking dependency detected 6.17.0-rc3-00124-ga12c2658ced0 #1665 Not tainted ------------------------------------------------------ check/1334 is trying to acquire lock: ff1100011d9d0678 (&q->sysfs_lock){+.+.}-{4:4}, at: blk_unregister_queue+0x53/0x180  but task is already holding lock: ff1100011d9d00e0 (&q->q_usage_counter(queue)#3){++++}-{0:0}, at: del_gendisk+0xba/0x110  which lock already depends on the new lock.  the existing dependency chain (in reverse order) is:  -> #2 (&q->q_usage_counter(queue)#3){++++}-{0:0}:        blk_queue_enter+0x40b/0x470        blkg_conf_prep+0x7b/0x3c0        tg_set_limit+0x10a/0x3e0        cgroup_file_write+0xc6/0x420        kernfs_fop_write_iter+0x189/0x280        vfs_write+0x256/0x490        ksys_write+0x83/0x190        __x64_sys_write+0x21/0x30        x64_sys_call+0x4608/0x4630        do_syscall_64+0xdb/0x6b0        entry_SYSCALL_64_after_hwframe+0x76/0x7e  -> #1 (&q->rq_qos_mutex){+.+.}-{4:4}:        __mutex_lock+0xd8/0xf50        mutex_lock_nested+0x2b/0x40        wbt_init+0x17e/0x280        wbt_enable_default+0xe9/0x140        blk_register_queue+0x1da/0x2e0        __add_disk+0x38c/0x5d0        add_disk_fwnode+0x89/0x250        device_add_disk+0x18/0x30        virtblk_probe+0x13a3/0x1800        virtio_dev_probe+0x389/0x610        really_probe+0x136/0x620        __driver_probe_device+0xb3/0x230        driver_probe_device+0x2f/0xe0        __driver_attach+0x158/0x250        bus_for_each_dev+0xa9/0x130        driver_attach+0x26/0x40        bus_add_driver+0x178/0x3d0        driver_register+0x7d/0x1c0        __register_virtio_driver+0x2c/0x60        virtio_blk_init+0x6f/0xe0        do_one_initcall+0x94/0x540        kernel_init_freeable+0x56a/0x7b0        kernel_init+0x2b/0x270    
    ret_from_fork+0x268/0x4c0        ret_from_fork_asm+0x1a/0x30  -> #0 (&q->sysfs_lock){+.+.}-{4:4}:        __lock_acquire+0x1835/0x2940        lock_acquire+0xf9/0x450        __mutex_lock+0xd8/0xf50        mutex_lock_nested+0x2b/0x40        blk_unregister_queue+0x53/0x180        __del_gendisk+0x226/0x690        del_gendisk+0xba/0x110        sd_remove+0x49/0xb0 [sd_mod]        device_remove+0x87/0xb0        device_release_driver_internal+0x11e/0x230        device_release_driver+0x1a/0x30        bus_remove_device+0x14d/0x220        device_del+0x1e1/0x5a0        __scsi_remove_device+0x1ff/0x2f0        scsi_remove_device+0x37/0x60        sdev_store_delete+0x77/0x100        dev_attr_store+0x1f/0x40        sysfs_kf_write+0x65/0x90        kernfs_fop_write_iter+0x189/0x280        vfs_write+0x256/0x490        ksys_write+0x83/0x190        __x64_sys_write+0x21/0x30        x64_sys_call+0x4608/0x4630        do_syscall_64+0xdb/0x6b0        entry_SYSCALL_64_after_hwframe+0x76/0x7e  other info that might help us debug this:  Chain exists of:   &q->sysfs_lock --> &q->rq_qos_mutex --> &q->q_usage_counter(queue)#3   Possible unsafe locking scenario:         CPU0                    CPU1        ----                    ----   lock(&q->q_usage_counter(queue)#3);                                lock(&q->rq_qos_mutex);                                lock(&q->q_usage_counter(queue)#3);   lock(&q->sysfs_lock);  Root cause is that queue_usage_counter is grabbed with rq_qos_mutex held in blkg_conf_prep(), while queue should be freezed before rq_qos_mutex from other context.  The blk_queue_enter() from blkg_conf_prep() is used to protect against policy deactivation, which is already protected with blkcg_mutex, hence convert blk_queue_enter() to blkcg_mutex to fix this problem. Meanwhile, consider that blkcg_mutex is held after queue is freezed from policy deactivation, also convert blkg_alloc() to use GFP_NOIO.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40341",
                        "url": "https://ubuntu.com/security/CVE-2025-40341",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  futex: Don't leak robust_list pointer on exec race  sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access() to check if the calling task is allowed to access another task's robust_list pointer. This check is racy against a concurrent exec() in the target process.  During exec(), a task may transition from a non-privileged binary to a privileged one (e.g., setuid binary) and its credentials/memory mappings may change. If get_robust_list() performs ptrace_may_access() before this transition, it may erroneously allow access to sensitive information after the target becomes privileged.  A racy access allows an attacker to exploit a window during which ptrace_may_access() passes before a target process transitions to a privileged state via exec().  For example, consider a non-privileged task T that is about to execute a setuid-root binary. An attacker task A calls get_robust_list(T) while T is still unprivileged. Since ptrace_may_access() checks permissions based on current credentials, it succeeds. However, if T begins exec immediately afterwards, it becomes privileged and may change its memory mappings. Because get_robust_list() proceeds to access T->robust_list without synchronizing with exec() it may read user-space pointers from a now-privileged process.  This violates the intended post-exec access restrictions and could expose sensitive memory addresses or be used as a primitive in a larger exploit chain. Consequently, the race can lead to unauthorized disclosure of information across privilege boundaries and poses a potential security risk.  Take a read lock on signal->exec_update_lock prior to invoking ptrace_may_access() and accessing the robust_list/compat_robust_list. This ensures that the target task's exec state remains stable during the check, allowing for consistent and synchronized validation of credentials.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40342",
                        "url": "https://ubuntu.com/security/CVE-2025-40342",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvme-fc: use lock accessing port_state and rport state  nvme_fc_unregister_remote removes the remote port on a lport object at any point in time when there is no active association. This races with the reconnect logic, because nvme_fc_create_association is not taking a lock to check the port_state and atomically increase the active count on the rport.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40343",
                        "url": "https://ubuntu.com/security/CVE-2025-40343",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-fc: avoid scheduling association deletion twice  When forcefully shutting down a port via the configfs interface, nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and then nvmet_disable_port(). Both functions will eventually schedule all remaining associations for deletion.  The current implementation checks whether an association is about to be removed, but only after the work item has already been scheduled. As a result, it is possible for the first scheduled work item to free all resources, and then for the same work item to be scheduled again for deletion.  Because the association list is an RCU list, it is not possible to take a lock and remove the list entry directly, so it cannot be looked up again. Instead, a flag (terminating) must be used to determine whether the association is already in the process of being deleted.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68177",
                        "url": "https://ubuntu.com/security/CVE-2025-68177",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq/longhaul: handle NULL policy in longhaul_exit  longhaul_exit() was calling cpufreq_cpu_get(0) without checking for a NULL policy pointer. On some systems, this could lead to a NULL dereference and a kernel warning or panic.  This patch adds a check using unlikely() and returns early if the policy is NULL.  Bugzilla: #219962",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68317",
                        "url": "https://ubuntu.com/security/CVE-2025-68317",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/zctx: check chained notif contexts  Send zc only links ubuf_info for requests coming from the same context. There are some ambiguous syz reports, so let's check the assumption on notification completion.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40315",
                        "url": "https://ubuntu.com/security/CVE-2025-40315",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_fs: Fix epfile null pointer access after ep enable.  A race condition occurs when ffs_func_eps_enable() runs concurrently with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading to a NULL pointer dereference when accessing epfile->ep in ffs_func_eps_enable() after successful usb_ep_enable().  The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and ffs_data_close() functions, and its modification is protected by the spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function is also protected by ffs->eps_lock.  Thus, add NULL pointer handling for ffs->epfiles in the ffs_func_eps_enable() function to fix issues",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40316",
                        "url": "https://ubuntu.com/security/CVE-2025-40316",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/mediatek: Fix device use-after-free on unbind  A recent change fixed device reference leaks when looking up drm platform device driver data during bind() but failed to remove a partial fix which had been added by commit 80805b62ea5b (\"drm/mediatek: Fix kobject put for component sub-drivers\").  This results in a reference imbalance on component bind() failures and on unbind() which could lead to a use-after-free.  Make sure to only drop the references after retrieving the driver data by effectively reverting the previous partial fix.  Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40360",
                        "url": "https://ubuntu.com/security/CVE-2025-40360",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sysfb: Do not dereference NULL pointer in plane reset  The plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not deref that pointer, but forward NULL to the other plane-reset helpers. Clears plane->state to NULL.  v2: - fix typo in commit description (Javier)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68179",
                        "url": "https://ubuntu.com/security/CVE-2025-68179",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP  As reported by Luiz Capitulino enabling HVO on s390 leads to reproducible crashes. The problem is that kernel page tables are modified without flushing corresponding TLB entries.  Even if it looks like the empty flush_tlb_all() implementation on s390 is the problem, it is actually a different problem: on s390 it is not allowed to replace an active/valid page table entry with another valid page table entry without the detour over an invalid entry. A direct replacement may lead to random crashes and/or data corruption.  In order to invalidate an entry special instructions have to be used (e.g. ipte or idte). Alternatively there are also special instructions available which allow to replace a valid entry with a different valid entry (e.g. crdte or cspg).  Given that the HVO code currently does not provide the hooks to allow for an implementation which is compliant with the s390 architecture requirements, disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP again, which is basically a revert of the original patch which enabled it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68310",
                        "url": "https://ubuntu.com/security/CVE-2025-68310",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump  Do not block PCI config accesses through pci_cfg_access_lock() when executing the s390 variant of PCI error recovery: Acquire just device_lock() instead of pci_dev_lock() as powerpc's EEH and generig PCI AER processing do.  During error recovery testing a pair of tasks was reported to be hung:  mlx5_core 0000:00:00.1: mlx5_health_try_recover:338:(pid 5553): health recovery flow aborted, PCI reads still not working INFO: task kmcheck:72 blocked for more than 122 seconds.       Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. task:kmcheck         state:D stack:0     pid:72    tgid:72    ppid:2     flags:0x00000000 Call Trace:  [<000000065256f030>] __schedule+0x2a0/0x590  [<000000065256f356>] schedule+0x36/0xe0  [<000000065256f572>] schedule_preempt_disabled+0x22/0x30  [<0000000652570a94>] __mutex_lock.constprop.0+0x484/0x8a8  [<000003ff800673a4>] mlx5_unload_one+0x34/0x58 [mlx5_core]  [<000003ff8006745c>] mlx5_pci_err_detected+0x94/0x140 [mlx5_core]  [<0000000652556c5a>] zpci_event_attempt_error_recovery+0xf2/0x398  [<0000000651b9184a>] __zpci_event_error+0x23a/0x2c0 INFO: task kworker/u1664:6:1514 blocked for more than 122 seconds.       Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. 
task:kworker/u1664:6 state:D stack:0     pid:1514  tgid:1514  ppid:2     flags:0x00000000 Workqueue: mlx5_health0000:00:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core] Call Trace:  [<000000065256f030>] __schedule+0x2a0/0x590  [<000000065256f356>] schedule+0x36/0xe0  [<0000000652172e28>] pci_wait_cfg+0x80/0xe8  [<0000000652172f94>] pci_cfg_access_lock+0x74/0x88  [<000003ff800916b6>] mlx5_vsc_gw_lock+0x36/0x178 [mlx5_core]  [<000003ff80098824>] mlx5_crdump_collect+0x34/0x1c8 [mlx5_core]  [<000003ff80074b62>] mlx5_fw_fatal_reporter_dump+0x6a/0xe8 [mlx5_core]  [<0000000652512242>] devlink_health_do_dump.part.0+0x82/0x168  [<0000000652513212>] devlink_health_report+0x19a/0x230  [<000003ff80075a12>] mlx5_fw_fatal_reporter_err_work+0xba/0x1b0 [mlx5_core]  No kernel log of the exact same error with an upstream kernel is available - but the very same deadlock situation can be constructed there, too:  - task: kmcheck   mlx5_unload_one() tries to acquire devlink lock while the PCI error   recovery code has set pdev->block_cfg_access by way of   pci_cfg_access_lock() - task: kworker   mlx5_crdump_collect() tries to set block_cfg_access through   pci_cfg_access_lock() while devlink_health_report() had acquired   the devlink lock.  A similar deadlock situation can be reproduced by requesting a crdump with   > devlink health dump show pci/<BDF> reporter fw_fatal  while PCI error recovery is executed on the same <BDF> physical function by mlx5_core's pci_error_handlers. On s390 this can be injected with   > zpcictl --reset-fw <BDF>  Tests with this patch failed to reproduce that second deadlock situation, the devlink command is rejected with \"kernel answers: Permission denied\" - and we get a kernel log message of:  mlx5_core 1ed0:00:00.1: mlx5_crdump_collect:50:(pid 254382): crdump: failed to lock vsc gw err -5  because the config read of VSC_SEMAPHORE is rejected by the underlying hardware.  
Two prior attempts to address this issue have been discussed and ultimately rejected [see link], with the primary argument that s390's implementation of PCI error recovery is imposing restrictions that neither powerpc's EEH nor PCI AER handling need. Tests show that PCI error recovery on s390 is running to completion even without blocking access to PCI config space.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40317",
                        "url": "https://ubuntu.com/security/CVE-2025-40317",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  regmap: slimbus: fix bus_context pointer in regmap init calls  Commit 4e65bda8273c (\"ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()\") revealed the problem in the slimbus regmap. That commit breaks audio playback, for instance, on sdm845 Thundercomm Dragonboard 845c board:   Unable to handle kernel paging request at virtual address ffff8000847cbad4  ...  CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT  Hardware name: Thundercomm Dragonboard 845c (DT)  ...  Call trace:   slim_xfer_msg+0x24/0x1ac [slimbus] (P)   slim_read+0x48/0x74 [slimbus]   regmap_slimbus_read+0x18/0x24 [regmap_slimbus]   _regmap_raw_read+0xe8/0x174   _regmap_bus_read+0x44/0x80   _regmap_read+0x60/0xd8   _regmap_update_bits+0xf4/0x140   _regmap_select_page+0xa8/0x124   _regmap_raw_write_impl+0x3b8/0x65c   _regmap_bus_raw_write+0x60/0x80   _regmap_write+0x58/0xc0   regmap_write+0x4c/0x80   wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x]   snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core]   __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core]   dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core]   dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core]   snd_pcm_hw_params+0x124/0x464 [snd_pcm]   snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm]   snd_pcm_ioctl+0x34/0x4c [snd_pcm]   __arm64_sys_ioctl+0xac/0x104   invoke_syscall+0x48/0x104   el0_svc_common.constprop.0+0x40/0xe0   do_el0_svc+0x1c/0x28   el0_svc+0x34/0xec   el0t_64_sync_handler+0xa0/0xf0   el0t_64_sync+0x198/0x19c  The __devm_regmap_init_slimbus() started to be used instead of __regmap_init_slimbus() after the commit mentioned above and turns out the incorrect bus_context pointer (3rd argument) was used in __devm_regmap_init_slimbus(). It should be just \"slimbus\" (which is equal to &slimbus->dev). Correct it. 
The wcd934x codec seems to be the only or the first user of devm_regmap_init_slimbus() but we should fix it till the point where __devm_regmap_init_slimbus() was introduced therefore two \"Fixes\" tags.  While at this, also correct the same argument in __regmap_init_slimbus().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40359",
                        "url": "https://ubuntu.com/security/CVE-2025-40359",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/x86/intel: Fix KASAN global-out-of-bounds warning  When running \"perf mem record\" command on CWF, the below KASAN global-out-of-bounds warning is seen.    ==================================================================   BUG: KASAN: global-out-of-bounds in cmt_latency_data+0x176/0x1b0   Read of size 4 at addr ffffffffb721d000 by task dtlb/9850    Call Trace:     kasan_report+0xb8/0xf0    cmt_latency_data+0x176/0x1b0    setup_arch_pebs_sample_data+0xf49/0x2560    intel_pmu_drain_arch_pebs+0x577/0xb00    handle_pmi_common+0x6c4/0xc80  The issue is caused by below code in __grt_latency_data(). The code tries to access x86_hybrid_pmu structure which doesn't exist on non-hybrid platform like CWF.          WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big)  So add is_hybrid() check before calling this WARN_ON_ONCE to fix the global-out-of-bounds access issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68181",
                        "url": "https://ubuntu.com/security/CVE-2025-68181",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Remove calls to drm_put_dev()  Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() drm_put_dev()'ing to trigger it to be free'd should be done by devres.  However, drm_put_dev() is still in the probe error and device remove paths. When the driver fails to probe warnings like the following are shown because devres is trying to drm_put_dev() after the driver already did it.  [    5.642230] radeon 0000:01:05.0: probe with driver radeon failed with error -22 [    5.649605] ------------[ cut here ]------------ [    5.649607] refcount_t: underflow; use-after-free. [    5.649620] WARNING: CPU: 0 PID: 357 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110  (cherry picked from commit 3eb8c0b4c091da0a623ade0d3ee7aa4a93df1ea4)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68170",
                        "url": "https://ubuntu.com/security/CVE-2025-68170",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Do not kfree() devres managed rdev  Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() rdev is managed by devres and we shouldn't be calling kfree() on it.  This fixes things exploding if the driver probe fails and devres cleans up the rdev after we already free'd it.  (cherry picked from commit 16c0681617b8a045773d4d87b6140002fa75b03b)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40213",
                        "url": "https://ubuntu.com/security/CVE-2025-40213",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete  There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array.  Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove.  Use DEFINE_FLEX to declare the flexible array right, and don't memcpy outside bounds.  As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free, and also report status on error.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-24 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40318",
                        "url": "https://ubuntu.com/security/CVE-2025-40318",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once  hci_cmd_sync_dequeue_once() does lookup and then cancel the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the same entry, leading to double list_del() and \"UAF\".  Fix this by holding cmd_sync_work_lock across both lookup and cancel, so that the entry cannot be removed concurrently.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68312",
                        "url": "https://ubuntu.com/security/CVE-2025-68312",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: Prevents free active kevent  The root causes of this issue are: 1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0); put the kevent work in global workqueue. However, the kevent has not yet been scheduled when the usbnet device is unregistered. Therefore, executing free_netdev() results in the \"free active object (kevent)\" error reported here.  2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(), if the usbnet device is up, ndo_stop() is executed to cancel the kevent. However, because the device is not up, ndo_stop() is not executed.  The solution to this problem is to cancel the kevent before executing free_netdev().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40344",
                        "url": "https://ubuntu.com/security/CVE-2025-40344",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Disable periods-elapsed work when closing PCM  avs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio stream while period-elapsed work services its IRQs. As the former frees the DAI's private context, these two operations shall be synchronized to avoid slab-use-after-free or worse errors.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68172",
                        "url": "https://ubuntu.com/security/CVE-2025-68172",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: aspeed - fix double free caused by devm  The clock obtained via devm_clk_get_enabled() is automatically managed by devres and will be disabled and freed on driver detach. Manually calling clk_disable_unprepare() in error path and remove function causes double free.  Remove the manual clock cleanup in both aspeed_acry_probe()'s error path and aspeed_acry_remove().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40319",
                        "url": "https://ubuntu.com/security/CVE-2025-40319",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Sync pending IRQ work before freeing ring buffer  Fix a race where irq_work can be queued in bpf_ringbuf_commit() but the ring buffer is freed before the work executes. In the syzbot reproducer, a BPF program attached to sched_switch triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer is freed before this work executes, the irq_work thread may access freed memory. Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work complete before freeing the buffer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68182",
                        "url": "https://ubuntu.com/security/CVE-2025-68182",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: iwlwifi: fix potential use after free in iwl_mld_remove_link()  This code frees \"link\" by calling kfree_rcu(link, rcu_head) and then it dereferences \"link\" to get the \"link->fw_id\".  Save the \"link->fw_id\" first to avoid a potential use after free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68314",
                        "url": "https://ubuntu.com/security/CVE-2025-68314",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm: make sure last_fence is always updated  Update last_fence in the vm-bind path instead of kernel managed path.  last_fence is used to wait for work to finish in vm_bind contexts but not used for kernel managed contexts.  This fixes a bug where last_fence is not waited on context close leading to faults as resources are freed while in use.  Patchwork: https://patchwork.freedesktop.org/patch/680080/",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68189",
                        "url": "https://ubuntu.com/security/CVE-2025-68189",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm: Fix GEM free for imported dma-bufs  Imported dma-bufs also have obj->resv != &obj->_resv.  So we should check both this condition in addition to flags for handling the _NO_SHARE case.  Fixes this splat that was reported with IRIS video playback:      ------------[ cut here ]------------     WARNING: CPU: 3 PID: 2040 at drivers/gpu/drm/msm/msm_gem.c:1127 msm_gem_free_object+0x1f8/0x264 [msm]     CPU: 3 UID: 1000 PID: 2040 Comm: .gnome-shell-wr Not tainted 6.17.0-rc7 #1 PREEMPT     pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)     pc : msm_gem_free_object+0x1f8/0x264 [msm]     lr : msm_gem_free_object+0x138/0x264 [msm]     sp : ffff800092a1bb30     x29: ffff800092a1bb80 x28: ffff800092a1bce8 x27: ffffbc702dbdbe08     x26: 0000000000000008 x25: 0000000000000009 x24: 00000000000000a6     x23: ffff00083c72f850 x22: ffff00083c72f868 x21: ffff00087e69f200     x20: ffff00087e69f330 x19: ffff00084d157ae0 x18: 0000000000000000     x17: 0000000000000000 x16: ffffbc704bd46b80 x15: 0000ffffd0959540     x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000     x11: ffffbc702e6cdb48 x10: 0000000000000000 x9 : 000000000000003f     x8 : ffff800092a1ba90 x7 : 0000000000000000 x6 : 0000000000000020     x5 : ffffbc704bd46c40 x4 : fffffdffe102cf60 x3 : 0000000000400032     x2 : 0000000000020000 x1 : ffff00087e6978e8 x0 : ffff00087e6977e8     Call trace:      msm_gem_free_object+0x1f8/0x264 [msm] (P)      drm_gem_object_free+0x1c/0x30 [drm]      drm_gem_object_handle_put_unlocked+0x138/0x150 [drm]      drm_gem_object_release_handle+0x5c/0xcc [drm]      drm_gem_handle_delete+0x68/0xbc [drm]      drm_gem_close_ioctl+0x34/0x40 [drm]      drm_ioctl_kernel+0xc0/0x130 [drm]      drm_ioctl+0x360/0x4e0 [drm]      __arm64_sys_ioctl+0xac/0x104      invoke_syscall+0x48/0x104      el0_svc_common.constprop.0+0x40/0xe0      do_el0_svc+0x1c/0x28      
el0_svc+0x34/0xec      el0t_64_sync_handler+0xa0/0xe4      el0t_64_sync+0x198/0x19c     ---[ end trace 0000000000000000 ]---     ------------[ cut here ]------------  Patchwork: https://patchwork.freedesktop.org/patch/676273/",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68171",
                        "url": "https://ubuntu.com/security/CVE-2025-68171",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/fpu: Ensure XFD state on signal delivery  Sean reported [1] the following splat when running KVM tests:     WARNING: CPU: 232 PID: 15391 at xfd_validate_state+0x65/0x70    Call Trace:     <TASK>     fpu__clear_user_states+0x9c/0x100     arch_do_signal_or_restart+0x142/0x210     exit_to_user_mode_loop+0x55/0x100     do_syscall_64+0x205/0x2c0     entry_SYSCALL_64_after_hwframe+0x4b/0x53  Chao further identified [2] a reproducible scenario involving signal delivery: a non-AMX task is preempted by an AMX-enabled task which modifies the XFD MSR.  When the non-AMX task resumes and reloads XSTATE with init values, a warning is triggered due to a mismatch between fpstate::xfd and the CPU's current XFD state. fpu__clear_user_states() does not currently re-synchronize the XFD state after such preemption.  Invoke xfd_update_state() which detects and corrects the mismatch if there is a dynamic feature.  This also benefits the sigreturn path, as fpu__restore_sig() may call fpu__clear_user_states() when the sigframe is inaccessible.  [ dhansen: minor changelog munging ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68313",
                        "url": "https://ubuntu.com/security/CVE-2025-68313",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Add RDSEED fix for Zen5  There's an issue with RDSEED's 16-bit and 32-bit register output variants on Zen5 which return a random value of 0 \"at a rate inconsistent with randomness while incorrectly signaling success (CF=1)\". Search the web for AMD-SB-7055 for more detail.  Add a fix glue which checks microcode revisions.    [ bp: Add microcode revisions checking, rewrite. ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40320",
                        "url": "https://ubuntu.com/security/CVE-2025-40320",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix potential cfid UAF in smb2_query_info_compound  When smb2_query_info_compound() retries, a previously allocated cfid may have been freed in the first attempt. Because cfid wasn't reset on replay, later cleanup could act on a stale pointer, leading to a potential use-after-free.  Reinitialize cfid to NULL under the replay label.  Example trace (trimmed):  refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110 [...] RIP: 0010:refcount_warn_saturate+0x9c/0x110 [...] Call Trace:  <TASK>  smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  ? step_into+0x10d/0x690  ? __legitimize_path+0x28/0x60  smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  ? kmem_cache_alloc+0x18a/0x340  ? getname_flags+0x46/0x1e0  cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  statfs_by_dentry+0x67/0x90  vfs_statfs+0x16/0xd0  user_statfs+0x54/0xa0  __do_sys_statfs+0x20/0x50  do_syscall_64+0x58/0x80",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40321",
                        "url": "https://ubuntu.com/security/CVE-2025-40321",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode  Currently, whenever there is a need to transmit an Action frame, the brcmfmac driver always uses the P2P vif to send the \"actframe\" IOVAR to firmware. The P2P interfaces were available when wpa_supplicant is managing the wlan interface.  However, the P2P interfaces are not created/initialized when only hostapd is managing the wlan interface. And if hostapd receives an ANQP Query REQ Action frame even from an un-associated STA, the brcmfmac driver tries to use an uninitialized P2P vif pointer for sending the IOVAR to firmware. This NULL pointer dereferencing triggers a driver crash.   [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual  address 0000000000000000  [...]  [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)  [...]  [ 1417.075653] Call trace:  [ 1417.075662]  brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]  [ 1417.075738]  brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]  [ 1417.075810]  cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211]  [ 1417.076067]  nl80211_tx_mgmt+0x238/0x388 [cfg80211]  [ 1417.076281]  genl_family_rcv_msg_doit+0xe0/0x158  [ 1417.076302]  genl_rcv_msg+0x220/0x2a0  [ 1417.076317]  netlink_rcv_skb+0x68/0x140  [ 1417.076330]  genl_rcv+0x40/0x60  [ 1417.076343]  netlink_unicast+0x330/0x3b8  [ 1417.076357]  netlink_sendmsg+0x19c/0x3f8  [ 1417.076370]  __sock_sendmsg+0x64/0xc0  [ 1417.076391]  ____sys_sendmsg+0x268/0x2a0  [ 1417.076408]  ___sys_sendmsg+0xb8/0x118  [ 1417.076427]  __sys_sendmsg+0x90/0xf8  [ 1417.076445]  __arm64_sys_sendmsg+0x2c/0x40  [ 1417.076465]  invoke_syscall+0x50/0x120  [ 1417.076486]  el0_svc_common.constprop.0+0x48/0xf0  [ 1417.076506]  do_el0_svc+0x24/0x38  [ 1417.076525]  el0_svc+0x30/0x100  [ 1417.076548]  el0t_64_sync_handler+0x100/0x130  [ 1417.076569]  el0t_64_sync+0x190/0x198  [ 
1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)  Fix this, by always using the vif corresponding to the wdev on which the Action frame Transmission request was initiated by the userspace. This way, even if P2P vif is not available, the IOVAR is sent to firmware on AP vif and the ANQP Query RESP Action frame is transmitted without crashing the driver.  Move init_completion() for \"send_af_done\" from brcmf_p2p_create_p2pdev() to brcmf_p2p_attach(). Because the former function would not get executed when only hostapd is managing wlan interface, and it is not safe to do reinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior init_completion().  And in the brcmf_p2p_tx_action_frame() function, the condition check for P2P Presence response frame is not needed, since the wpa_supplicant is properly sending the P2P Presence Response frame on the P2P-GO vif instead of the P2P-Device vif.  [Cc stable]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40322",
                        "url": "https://ubuntu.com/security/CVE-2025-40322",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: bitblit: bound-check glyph index in bit_putcs*  bit_putcs_aligned()/unaligned() derived the glyph pointer from the character value masked by 0xff/0x1ff, which may exceed the actual font's glyph count and read past the end of the built-in font array. Clamp the index to the actual glyph count before computing the address.  This fixes a global out-of-bounds read reported by syzbot.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40211",
                        "url": "https://ubuntu.com/security/CVE-2025-40211",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ACPI: video: Fix use-after-free in acpi_video_switch_brightness()  The switch_brightness_work delayed work accesses device->brightness and device->backlight, freed by acpi_video_dev_unregister_backlight() during device removal.  If the work executes after acpi_video_bus_unregister_backlight() frees these resources, it causes a use-after-free when acpi_video_switch_brightness() dereferences device->brightness or device->backlight.  Fix this by calling cancel_delayed_work_sync() for each device's switch_brightness_work in acpi_video_bus_remove_notify_handler() after removing the notify handler that queues the work. This ensures the work completes before the memory is freed.  [ rjw: Changelog edit ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-21 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40323",
                        "url": "https://ubuntu.com/security/CVE-2025-40323",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Set fb_display[i]->mode to NULL when the mode is released  Recently, we discovered the following issue through syzkaller:  BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0 Read of size 4 at addr ff11000001b3c69c by task syz.xxx ... Call Trace:  <TASK>  dump_stack_lvl+0xab/0xe0  print_address_description.constprop.0+0x2c/0x390  print_report+0xb9/0x280  kasan_report+0xb8/0xf0  fb_mode_is_equal+0x285/0x2f0  fbcon_mode_deleted+0x129/0x180  fb_set_var+0xe7f/0x11d0  do_fb_ioctl+0x6a0/0x750  fb_ioctl+0xe0/0x140  __x64_sys_ioctl+0x193/0x210  do_syscall_64+0x5f/0x9c0  entry_SYSCALL_64_after_hwframe+0x76/0x7e  Based on experimentation and analysis, during framebuffer unregistration, only the memory of fb_info->modelist is freed, without setting the corresponding fb_display[i]->mode to NULL for the freed modes. This leads to UAF issues during subsequent accesses. Here's an example of reproduction steps: 1. With /dev/fb0 already registered in the system, load a kernel module    to register a new device /dev/fb1; 2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP); 3. Switch console from fb to VGA (to allow normal rmmod of the ko); 4. Unload the kernel module, at this point fb1's modelist is freed, leaving    a wild pointer in fb_display[]; 5. Trigger the bug via system calls through fb0 attempting to delete a mode    from fb0.  Add a check in do_unregister_framebuffer(): if the mode to be freed exists in fb_display[], set the corresponding mode pointer to NULL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40210",
                        "url": "https://ubuntu.com/security/CVE-2025-40210",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\"  I've found that pynfs COMP6 now leaves the connection or lease in a strange state, which causes CLOSE9 to hang indefinitely. I've dug into it a little, but I haven't been able to root-cause it yet. However, I bisected to commit 48aab1606fa8 (\"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\").  Tianshuo Han also reports a potential vulnerability when decoding an NFSv4 COMPOUND. An attacker can place an arbitrarily large op count in the COMPOUND header, which results in:  [   51.410584] nfsd: vmalloc error: size 1209533382144, exceeds total pages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO), nodemask=(null),cpuset=/,mems_allowed=0  when NFSD attempts to allocate the COMPOUND op array.  Let's restore the operation-per-COMPOUND limit, but increased to 200 for now.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-21 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40324",
                        "url": "https://ubuntu.com/security/CVE-2025-40324",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Fix crash in nfsd4_read_release()  When tracing is enabled, the trace_nfsd_read_done trace point crashes during the pynfs read.testNoFh test.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40326",
                        "url": "https://ubuntu.com/security/CVE-2025-40326",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define actions for the new time_deleg FATTR4 attributes  NFSv4 clients won't send legitimate GETATTR requests for these new attributes because they are intended to be used only with CB_GETATTR and SETATTR. But NFSD has to do something besides crashing if it ever sees a GETATTR request that queries these attributes.  RFC 8881 Section 18.7.3 states:  > The server MUST return a value for each attribute that the client > requests if the attribute is supported by the server for the > target file system. If the server does not support a particular > attribute on the target file system, then it MUST NOT return the > attribute value and MUST NOT set the attribute bit in the result > bitmap. The server MUST return an error if it supports an > attribute on the target but cannot obtain its value. In that case, > no attribute values will be returned.  Further, RFC 9754 Section 5 states:  > These new attributes are invalid to be used with GETATTR, VERIFY, > and NVERIFY, and they can only be used with CB_GETATTR and SETATTR > by a client holding an appropriate delegation.  Thus there does not appear to be a specific server response mandated by specification. Taking the guidance that querying these attributes via GETATTR is \"invalid\", NFSD will return nfserr_inval, failing the request entirely.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40084",
                        "url": "https://ubuntu.com/security/CVE-2025-40084",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: transport_ipc: validate payload size before reading handle  handle_response() dereferences the payload as a 4-byte handle without verifying that the declared payload size is at least 4 bytes. A malformed or truncated message from ksmbd.mountd can lead to a 4-byte read past the declared payload size. Validate the size before dereferencing.  This is a minimal fix to guard the initial handle read.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40222",
                        "url": "https://ubuntu.com/security/CVE-2025-40222",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: serial: sh-sci: fix RSCI FIFO overrun handling  The receive error handling code is shared between RSCI and all other SCIF port types, but the RSCI overrun_reg is specified as a memory offset, while for other SCIF types it is an enum value used to index into the sci_port_params->regs array, as mentioned above the sci_serial_in() function.  For RSCI, the overrun_reg is CSR (0x48), causing the sci_getreg() call inside the sci_handle_fifo_overrun() function to index outside the bounds of the regs array, which currently has a size of 20, as specified by SCI_NR_REGS.  Because of this, we end up accessing memory outside of RSCI's rsci_port_params structure, which, when interpreted as a plat_sci_reg, happens to have a non-zero size, causing the following WARN when sci_serial_in() is called, as the accidental size does not match the supported register sizes.  The existence of the overrun_reg needs to be checked because SCIx_SH3_SCIF_REGTYPE has overrun_reg set to SCLSR, but SCLSR is not present in the regs array.  Avoid calling sci_getreg() for port types which don't use standard register handling.  Use the ops->read_reg() and ops->write_reg() functions to properly read and write registers for RSCI, and change the type of the status variable to accommodate the 32-bit CSR register.  sci_getreg() and sci_serial_in() are also called with overrun_reg in the sci_mpxed_interrupt() interrupt handler, but that code path is not used for RSCI, as it does not have a muxed interrupt.  
------------[ cut here ]------------ Invalid register access WARNING: CPU: 0 PID: 0 at drivers/tty/serial/sh-sci.c:522 sci_serial_in+0x38/0xac Modules linked in: renesas_usbhs at24 rzt2h_adc industrialio_adc sha256 cfg80211 bluetooth ecdh_generic ecc rfkill fuse drm backlight ipv6 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.17.0-rc1+ #30 PREEMPT Hardware name: Renesas RZ/T2H EVK Board based on r9a09g077m44 (DT) pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : sci_serial_in+0x38/0xac lr : sci_serial_in+0x38/0xac sp : ffff800080003e80 x29: ffff800080003e80 x28: ffff800082195b80 x27: 000000000000000d x26: ffff8000821956d0 x25: 0000000000000000 x24: ffff800082195b80 x23: ffff000180e0d800 x22: 0000000000000010 x21: 0000000000000000 x20: 0000000000000010 x19: ffff000180e72000 x18: 000000000000000a x17: ffff8002bcee7000 x16: ffff800080000000 x15: 0720072007200720 x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720 x11: 0000000000000058 x10: 0000000000000018 x9 : ffff8000821a6a48 x8 : 0000000000057fa8 x7 : 0000000000000406 x6 : ffff8000821fea48 x5 : ffff00033ef88408 x4 : ffff8002bcee7000 x3 : ffff800082195b80 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff800082195b80 Call trace:  sci_serial_in+0x38/0xac (P)  sci_handle_fifo_overrun.isra.0+0x70/0x134  sci_er_interrupt+0x50/0x39c  __handle_irq_event_percpu+0x48/0x140  handle_irq_event+0x44/0xb0  handle_fasteoi_irq+0xf4/0x1a0  handle_irq_desc+0x34/0x58  generic_handle_domain_irq+0x1c/0x28  gic_handle_irq+0x4c/0x140  call_on_irq_stack+0x30/0x48  do_interrupt_handler+0x80/0x84  el1_interrupt+0x34/0x68  el1h_64_irq_handler+0x18/0x24  el1h_64_irq+0x6c/0x70  default_idle_call+0x28/0x58 (P)  do_idle+0x1f8/0x250  cpu_startup_entry+0x34/0x3c  rest_init+0xd8/0xe0  console_on_rootfs+0x0/0x6c  __primary_switched+0x88/0x90 ---[ end trace 0000000000000000 ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40223",
                        "url": "https://ubuntu.com/security/CVE-2025-40223",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  most: usb: Fix use-after-free in hdm_disconnect  hdm_disconnect() calls most_deregister_interface(), which eventually unregisters the MOST interface device with device_unregister(iface->dev). If that drops the last reference, the device core may call release_mdev() immediately while hdm_disconnect() is still executing.  The old code also freed several mdev-owned allocations in hdm_disconnect() and then performed additional put_device() calls. Depending on refcount order, this could lead to use-after-free or double-free when release_mdev() ran (or when unregister paths also performed puts).  Fix by moving the frees of mdev-owned allocations into release_mdev(), so they happen exactly once when the device is truly released, and by dropping the extra put_device() calls in hdm_disconnect() that are redundant after device_unregister() and most_deregister_interface().  This addresses the KASAN slab-use-after-free reported by syzbot in hdm_disconnect(). See report and stack traces in the bug link below.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40106",
                        "url": "https://ubuntu.com/security/CVE-2025-40106",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  comedi: fix divide-by-zero in comedi_buf_munge()  The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path.  Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging.  This prevents potential kernel panics from malformed user commands.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-31 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40224",
                        "url": "https://ubuntu.com/security/CVE-2025-40224",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hwmon: (cgbc-hwmon) Add missing NULL check after devm_kzalloc()  The driver allocates memory for sensor data using devm_kzalloc(), but did not check if the allocation succeeded. In case of memory allocation failure, dereferencing the NULL pointer would lead to a kernel crash.  Add a NULL pointer check and return -ENOMEM to handle allocation failure properly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40225",
                        "url": "https://ubuntu.com/security/CVE-2025-40225",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/panthor: Fix kernel panic on partial unmap of a GPU VA region  This commit address a kernel panic issue that can happen if Userspace tries to partially unmap a GPU virtual region (aka drm_gpuva). The VM_BIND interface allows partial unmapping of a BO.  Panthor driver pre-allocates memory for the new drm_gpuva structures that would be needed for the map/unmap operation, done using drm_gpuvm layer. It expected that only one new drm_gpuva would be needed on umap but a partial unmap can require 2 new drm_gpuva and that's why it ended up doing a NULL pointer dereference causing a kernel panic.  Following dump was seen when partial unmap was exercised.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078  Mem abort info:    ESR = 0x0000000096000046    EC = 0x25: DABT (current EL), IL = 32 bits    SET = 0, FnV = 0    EA = 0, S1PTW = 0    FSC = 0x06: level 2 translation fault  Data abort info:    ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000    CM = 0, WnR = 1, TnD = 0, TagAccess = 0    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0  user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000  [000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000  Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP  <snip>  pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)  pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]  lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor]  sp : ffff800085d43970  x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000  x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000  x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180  x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010  x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c  x14: 312d3d7361203a70 x13: 303030323d6e656c x12: 
ffff80008324bf58  x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c  x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7  x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001  x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078  Call trace:   panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]   op_remap_cb.isra.22+0x50/0x80   __drm_gpuvm_sm_unmap+0x10c/0x1c8   drm_gpuvm_sm_unmap+0x40/0x60   panthor_vm_exec_op+0xb4/0x3d0 [panthor]   panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor]   panthor_ioctl_vm_bind+0x160/0x4a0 [panthor]   drm_ioctl_kernel+0xbc/0x138   drm_ioctl+0x240/0x500   __arm64_sys_ioctl+0xb0/0xf8   invoke_syscall+0x4c/0x110   el0_svc_common.constprop.1+0x98/0xf8   do_el0_svc+0x24/0x38   el0_svc+0x40/0xf8   el0t_64_sync_handler+0xa0/0xc8   el0t_64_sync+0x174/0x178",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40226",
                        "url": "https://ubuntu.com/security/CVE-2025-40226",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  firmware: arm_scmi: Account for failed debug initialization  When the SCMI debug subsystem fails to initialize, the related debug root will be missing, and the underlying descriptor will be NULL.  Handle this fault condition in the SCMI debug helpers that maintain metrics counters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40227",
                        "url": "https://ubuntu.com/security/CVE-2025-40227",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs: dealloc commit test ctx always  The damon_ctx for testing online DAMON parameters commit inputs is deallocated only when the test fails.  This means memory is leaked for every successful online DAMON parameters commit.  Fix the leak by always deallocating it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40228",
                        "url": "https://ubuntu.com/security/CVE-2025-40228",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs: catch commit test ctx alloc failure  Patch series \"mm/damon/sysfs: fix commit test damon_ctx [de]allocation\".  DAMON sysfs interface dynamically allocates and uses a damon_ctx object for testing if given inputs for online DAMON parameters update is valid. The object is being used without an allocation failure check, and leaked when the test succeeds.  Fix the two bugs.   This patch (of 2):  The damon_ctx for testing online DAMON parameters commit inputs is used without its allocation failure check.  This could result in an invalid memory access.  Fix it by directly returning an error when the allocation failed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40229",
                        "url": "https://ubuntu.com/security/CVE-2025-40229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/core: fix potential memory leak by cleaning ops_filter in damon_destroy_scheme  Currently, damon_destroy_scheme() only cleans up the filter list but leaves ops_filter untouched, which could lead to memory leaks when a scheme is destroyed.  This patch ensures both filter and ops_filter are properly freed in damon_destroy_scheme(), preventing potential memory leaks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40230",
                        "url": "https://ubuntu.com/security/CVE-2025-40230",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm: prevent poison consumption when splitting THP  When performing memory error injection on a THP (Transparent Huge Page) mapped to userspace on an x86 server, the kernel panics with the following trace.  The expected behavior is to terminate the affected process instead of panicking the kernel, as the x86 Machine Check code can recover from an in-userspace #MC.    mce: [Hardware Error]: CPU 0: Machine Check Exception: f Bank 3: bd80000000070134   mce: [Hardware Error]: RIP 10:<ffffffff8372f8bc> {memchr_inv+0x4c/0xf0}   mce: [Hardware Error]: TSC afff7bbff88a ADDR 1d301b000 MISC 80 PPIN 1e741e77539027db   mce: [Hardware Error]: PROCESSOR 0:d06d0 TIME 1758093249 SOCKET 0 APIC 0 microcode 80000320   mce: [Hardware Error]: Run the above through 'mcelog --ascii'   mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel   Kernel panic - not syncing: Fatal local machine check  The root cause of this panic is that handling a memory failure triggered by an in-userspace #MC necessitates splitting the THP.  The splitting process employs a mechanism, implemented in try_to_map_unused_to_zeropage(), which reads the pages in the THP to identify zero-filled pages.  However, reading the pages in the THP results in a second in-kernel #MC, occurring before the initial memory_failure() completes, ultimately leading to a kernel panic.  See the kernel panic call trace on the two #MCs.    
First Machine Check occurs // [1]     memory_failure()         // [2]       try_to_split_thp_page()         split_huge_page()           split_huge_page_to_list_to_order()             __folio_split()  // [3]               remap_page()                 remove_migration_ptes()                   remove_migration_pte()                     try_to_map_unused_to_zeropage()  // [4]                       memchr_inv()                   // [5]                         Second Machine Check occurs  // [6]                           Kernel panic  [1] Triggered by accessing a hardware-poisoned THP in userspace, which is     typically recoverable by terminating the affected process.  [2] Call folio_set_has_hwpoisoned() before try_to_split_thp_page().  [3] Pass the RMP_USE_SHARED_ZEROPAGE remap flag to remap_page().  [4] Try to map the unused THP to zeropage.  [5] Re-access pages in the hw-poisoned THP in the kernel.  [6] Triggered in-kernel, leading to a panic kernel.  In Step[2], memory_failure() sets the poisoned flag on the page in the THP by TestSetPageHWPoison() before calling try_to_split_thp_page().  As suggested by David Hildenbrand, fix this panic by not accessing to the poisoned page in the THP during zeropage identification, while continuing to scan unaffected pages in the THP for possible zeropage mapping.  This prevents a second in-kernel #MC that would cause kernel panic in Step[4].  Thanks to Andrew Zaborowski for his initial work on fixing this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40231",
                        "url": "https://ubuntu.com/security/CVE-2025-40231",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix lock inversion in vsock_assign_transport()  Syzbot reported a potential lock inversion deadlock between vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.  The issue was introduced by commit 687aa0c5581b (\"vsock: Fix transport_* TOCTOU\") which added vsock_register_mutex locking in vsock_assign_transport() around the transport->release() call, which can call vsock_linger(). vsock_assign_transport() can be called with sk_lock held. vsock_linger() calls sk_wait_event() that temporarily releases and re-acquires sk_lock. During this window, if another thread holds vsock_register_mutex while trying to acquire sk_lock, a circular dependency is created.  Fix this by releasing vsock_register_mutex before calling transport->release() and vsock_deassign_transport(). This is safe because we don't need to hold vsock_register_mutex while releasing the old transport, and we ensure the new transport won't disappear by obtaining a module reference first via try_module_get().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40233",
                        "url": "https://ubuntu.com/security/CVE-2025-40233",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ocfs2: clear extent cache after moving/defragmenting extents  The extent map cache can become stale when extents are moved or defragmented, causing subsequent operations to see outdated extent flags. This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().  The problem occurs when: 1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED 2. ioctl(FITRIM) triggers ocfs2_move_extents() 3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2) 4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent()    which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0) 5. The extent map cache is not invalidated after the move 6. Later write() operations read stale cached flags (0x2) but disk has    updated flags (0x0), causing a mismatch 7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers  Fix by clearing the extent map cache after each extent move/defrag operation in __ocfs2_move_extents_range().  This ensures subsequent operations read fresh extent data from disk.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40235",
                        "url": "https://ubuntu.com/security/CVE-2025-40235",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots()  If fs_info->super_copy or fs_info->super_for_commit allocated failed in btrfs_get_tree_subvol(), then no need to call btrfs_free_fs_info(). Otherwise btrfs_check_leaked_roots() would access NULL pointer because fs_info->allocated_roots had not been initialised.  syzkaller reported the following information:   ------------[ cut here ]------------   BUG: unable to handle page fault for address: fffffffffffffbb0   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   PGD 64c9067 P4D 64c9067 PUD 64cb067 PMD 0   Oops: Oops: 0000 [#1] SMP KASAN PTI   CPU: 0 UID: 0 PID: 1402 Comm: syz.1.35 Not tainted 6.15.8 #4 PREEMPT(lazy)   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...)   RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]   RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]   RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]   RIP: 0010:refcount_read include/linux/refcount.h:170 [inline]   RIP: 0010:btrfs_check_leaked_roots+0x18f/0x2c0 fs/btrfs/disk-io.c:1230   [...]   
Call Trace:    <TASK>    btrfs_free_fs_info+0x310/0x410 fs/btrfs/disk-io.c:1280    btrfs_get_tree_subvol+0x592/0x6b0 fs/btrfs/super.c:2029    btrfs_get_tree+0x63/0x80 fs/btrfs/super.c:2097    vfs_get_tree+0x98/0x320 fs/super.c:1759    do_new_mount+0x357/0x660 fs/namespace.c:3899    path_mount+0x716/0x19c0 fs/namespace.c:4226    do_mount fs/namespace.c:4239 [inline]    __do_sys_mount fs/namespace.c:4450 [inline]    __se_sys_mount fs/namespace.c:4427 [inline]    __x64_sys_mount+0x28c/0x310 fs/namespace.c:4427    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0x92/0x180 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x76/0x7e   RIP: 0033:0x7f032eaffa8d   [...]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40236",
                        "url": "https://ubuntu.com/security/CVE-2025-40236",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: zero unused hash fields  When GSO tunnel is negotiated virtio_net_hdr_tnl_from_skb() tries to initialize the tunnel metadata but forgets to zero unused rxhash fields. This may leak information to the other side. Fix this by zeroing the unused hash fields.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40237",
                        "url": "https://ubuntu.com/security/CVE-2025-40237",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/notify: call exportfs_encode_fid with s_umount  Calling intotify_show_fdinfo() on fd watching an overlayfs inode, while the overlayfs is being unmounted, can lead to dereferencing NULL ptr.  This issue was found by syzkaller.  Race Condition Diagram:  Thread 1                           Thread 2 --------                           --------  generic_shutdown_super()  shrink_dcache_for_umount   sb->s_root = NULL                      |                     |             vfs_read()                     |              inotify_fdinfo()                     |               * inode get from mark *                     |               show_mark_fhandle(m, inode)                     |                exportfs_encode_fid(inode, ..)                     |                 ovl_encode_fh(inode, ..)                     |                  ovl_check_encode_origin(inode)                     |                   * deref i_sb->s_root *                     |                     |                     v  fsnotify_sb_delete(sb)  Which then leads to:  [   32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [   32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [   32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none)  <snip registers, unreliable trace>  [   32.143353] Call Trace: [   32.143732]  ovl_encode_fh+0xd5/0x170 [   32.144031]  exportfs_encode_inode_fh+0x12f/0x300 [   32.144425]  show_mark_fhandle+0xbe/0x1f0 [   32.145805]  inotify_fdinfo+0x226/0x2d0 [   32.146442]  inotify_show_fdinfo+0x1c5/0x350 [   32.147168]  seq_show+0x530/0x6f0 [   32.147449]  seq_read_iter+0x503/0x12a0 [   32.148419]  seq_read+0x31f/0x410 [   32.150714]  vfs_read+0x1f0/0x9e0 [   32.152297]  ksys_read+0x125/0x240  IOW ovl_check_encode_origin 
derefs inode->i_sb->s_root, after it was set to NULL in the unmount path.  Fix it by protecting calling exportfs_encode_fid() from show_mark_fhandle() with s_umount lock.  This form of fix was suggested by Amir in [1].  [1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40238",
                        "url": "https://ubuntu.com/security/CVE-2025-40238",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5: Fix IPsec cleanup over MPV device  When we do mlx5e_detach_netdev() we eventually disable blocking events notifier, among those events are IPsec MPV events from IB to core.  So before disabling those blocking events, make sure to also unregister the devcom device and mark all this device operations as complete, in order to prevent the other device from using invalid netdev during future devcom events which could cause the trace below.  BUG: kernel NULL pointer dereference, address: 0000000000000010 PGD 146427067 P4D 146427067 PUD 146488067 PMD 0 Oops: Oops: 0000 [#1] SMP CPU: 1 UID: 0 PID: 7735 Comm: devlink Tainted: GW 6.12.0-rc6_for_upstream_min_debug_2024_11_08_00_46 #1 Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core] Code: 00 01 48 83 05 23 32 1e 00 01 41 b8 ed ff ff ff e9 60 ff ff ff 48 83 05 00 32 1e 00 01 eb e3 66 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 47 10 48 83 05 5f 32 1e 00 01 48 8b 50 40 48 85 d2 74 05 40 RSP: 0018:ffff88811a5c35f8 EFLAGS: 00010206 RAX: ffff888106e8ab80 RBX: ffff888107d7e200 RCX: ffff88810d6f0a00 RDX: ffff88810d6f0a00 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff88811a17e620 R08: 0000000000000040 R09: 0000000000000000 R10: ffff88811a5c3618 R11: 0000000de85d51bd R12: ffff88811a17e600 R13: ffff88810d6f0a00 R14: 0000000000000000 R15: ffff8881034bda80 FS:  00007f27bdf89180(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000010f159005 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  <TASK>  ? __die+0x20/0x60  ? page_fault_oops+0x150/0x3e0  ? exc_page_fault+0x74/0x130  ? 
asm_exc_page_fault+0x22/0x30  ? mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core]  mlx5e_devcom_event_mpv+0x42/0x60 [mlx5_core]  mlx5_devcom_send_event+0x8c/0x170 [mlx5_core]  blocking_event+0x17b/0x230 [mlx5_core]  notifier_call_chain+0x35/0xa0  blocking_notifier_call_chain+0x3d/0x60  mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]  mlx5_core_mp_event_replay+0x12/0x20 [mlx5_core]  mlx5_ib_bind_slave_port+0x228/0x2c0 [mlx5_ib]  mlx5_ib_stage_init_init+0x664/0x9d0 [mlx5_ib]  ? idr_alloc_cyclic+0x50/0xb0  ? __kmalloc_cache_noprof+0x167/0x340  ? __kmalloc_noprof+0x1a7/0x430  __mlx5_ib_add+0x34/0xd0 [mlx5_ib]  mlx5r_probe+0xe9/0x310 [mlx5_ib]  ? kernfs_add_one+0x107/0x150  ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib]  auxiliary_bus_probe+0x3e/0x90  really_probe+0xc5/0x3a0  ? driver_probe_device+0x90/0x90  __driver_probe_device+0x80/0x160  driver_probe_device+0x1e/0x90  __device_attach_driver+0x7d/0x100  bus_for_each_drv+0x80/0xd0  __device_attach+0xbc/0x1f0  bus_probe_device+0x86/0xa0  device_add+0x62d/0x830  __auxiliary_device_add+0x3b/0xa0  ? auxiliary_device_init+0x41/0x90  add_adev+0xd1/0x150 [mlx5_core]  mlx5_rescan_drivers_locked+0x21c/0x300 [mlx5_core]  esw_mode_change+0x6c/0xc0 [mlx5_core]  mlx5_devlink_eswitch_mode_set+0x21e/0x640 [mlx5_core]  devlink_nl_eswitch_set_doit+0x60/0xe0  genl_family_rcv_msg_doit+0xd0/0x120  genl_rcv_msg+0x180/0x2b0  ? devlink_get_from_attrs_lock+0x170/0x170  ? devlink_nl_eswitch_get_doit+0x290/0x290  ? devlink_nl_pre_doit_port_optional+0x50/0x50  ? genl_family_rcv_msg_dumpit+0xf0/0xf0  netlink_rcv_skb+0x54/0x100  genl_rcv+0x24/0x40  netlink_unicast+0x1fc/0x2d0  netlink_sendmsg+0x1e4/0x410  __sock_sendmsg+0x38/0x60  ? sockfd_lookup_light+0x12/0x60  __sys_sendto+0x105/0x160  ? 
__sys_recvmsg+0x4e/0x90  __x64_sys_sendto+0x20/0x30  do_syscall_64+0x4c/0x100  entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f27bc91b13a Code: bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 fa 96 2c 00 45 89 c9 4c 63 d1 48 63 ff 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40239",
                        "url": "https://ubuntu.com/security/CVE-2025-40239",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: phy: micrel: always set shared->phydev for LAN8814  Currently, during the LAN8814 PTP probe shared->phydev is only set if PTP clock gets actually set, otherwise the function will return before setting it.  This is an issue as shared->phydev is unconditionally being used when IRQ is being handled, especially in lan8814_gpio_process_cap and since it was not set it will cause a NULL pointer exception and crash the kernel.  So, simply always set shared->phydev to avoid the NULL pointer exception.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40240",
                        "url": "https://ubuntu.com/security/CVE-2025-40240",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: avoid NULL dereference when chunk data buffer is missing  chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only.  chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40241",
                        "url": "https://ubuntu.com/security/CVE-2025-40241",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: fix crafted invalid cases for encoded extents  Robert recently reported two corrupted images that can cause system crashes, which are related to the new encoded extents introduced in Linux 6.15:    - The first one [1] has plen != 0 (e.g. plen == 0x2000000) but     (plen & Z_EROFS_EXTENT_PLEN_MASK) == 0. It is used to represent     special extents such as sparse extents (!EROFS_MAP_MAPPED), but     previously only plen == 0 was handled;    - The second one [2] has pa 0xffffffffffdcffed and plen 0xb4000,     then \"cur [0xfffffffffffff000] += bvec.bv_len [0x1000]\" in     \"} while ((cur += bvec.bv_len) < end);\" wraps around, causing an     out-of-bound access of pcl->compressed_bvecs[] in     z_erofs_submit_queue().  EROFS only supports 48-bit physical block     addresses (up to 1EiB for 4k blocks), so add a sanity check to     enforce this.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40242",
                        "url": "https://ubuntu.com/security/CVE-2025-40242",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gfs2: Fix unlikely race in gdlm_put_lock  In gdlm_put_lock(), there is a small window of time in which the DFL_UNMOUNT flag has been set but the lockspace hasn't been released, yet.  In that window, dlm may still call gdlm_ast() and gdlm_bast(). To prevent it from dereferencing freed glock objects, only free the glock if the lockspace has actually been released.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40243",
                        "url": "https://ubuntu.com/security/CVE-2025-40243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()  The syzbot reported issue in hfs_find_set_zero_bits():  ===================================================== BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45  hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45  hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151  hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408  hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353  __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151  block_write_begin fs/buffer.c:2262 [inline]  cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601  hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52  cont_expand_zero fs/buffer.c:2528 [inline]  cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591  hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52  hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494  hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654  notify_change+0x1993/0x1aa0 fs/attr.c:552  do_truncate+0x28f/0x310 fs/open.c:68  do_ftruncate+0x698/0x730 fs/open.c:195  do_sys_ftruncate fs/open.c:210 [inline]  __do_sys_ftruncate fs/open.c:215 [inline]  __se_sys_ftruncate fs/open.c:213 [inline]  __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213  x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Uninit was created at:  slab_post_alloc_hook mm/slub.c:4154 [inline]  slab_alloc_node mm/slub.c:4197 [inline]  __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354  kmalloc_noprof include/linux/slab.h:905 [inline]  hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175  hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337  get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681  get_tree_bdev+0x38/0x50 fs/super.c:1704  hfs_get_tree+0x35/0x40 fs/hfs/super.c:388  vfs_get_tree+0xb0/0x5c0 
fs/super.c:1804  do_new_mount+0x738/0x1610 fs/namespace.c:3902  path_mount+0x6db/0x1e90 fs/namespace.c:4226  do_mount fs/namespace.c:4239 [inline]  __do_sys_mount fs/namespace.c:4450 [inline]  __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427  __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427  x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 =====================================================  The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get():  HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);  Finally, it can trigger the reported issue because kmalloc() doesn't clear the allocated memory. If allocated memory contains only zeros, then everything will work pretty fine. But if the allocated memory contains the \"garbage\", then it can affect the bitmap operations and it triggers the reported issue.  This patch simply exchanges the kmalloc() on kzalloc() with the goal to guarantee the correctness of bitmap operations. Because, newly created allocation bitmap should have all available blocks free. Potentially, initialization bitmap's read operation could not fill the whole allocated memory and \"garbage\" in the not initialized memory will be the reason of volume coruptions and file system driver bugs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40244",
                        "url": "https://ubuntu.com/security/CVE-2025-40244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()  The syzbot reported issue in __hfsplus_ext_cache_extent():  [   70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.195022][ T9350]  __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.195530][ T9350]  hfsplus_file_extend+0x74f/0x1cf0 [   70.195998][ T9350]  hfsplus_get_block+0xe16/0x17b0 [   70.196458][ T9350]  __block_write_begin_int+0x962/0x2ce0 [   70.196959][ T9350]  cont_write_begin+0x1000/0x1950 [   70.197416][ T9350]  hfsplus_write_begin+0x85/0x130 [   70.197873][ T9350]  generic_perform_write+0x3e8/0x1060 [   70.198374][ T9350]  __generic_file_write_iter+0x215/0x460 [   70.198892][ T9350]  generic_file_write_iter+0x109/0x5e0 [   70.199393][ T9350]  vfs_write+0xb0f/0x14e0 [   70.199771][ T9350]  ksys_write+0x23e/0x490 [   70.200149][ T9350]  __x64_sys_write+0x97/0xf0 [   70.200570][ T9350]  x64_sys_call+0x3015/0x3cf0 [   70.201065][ T9350]  do_syscall_64+0xd9/0x1d0 [   70.201506][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [   70.202054][ T9350] [   70.202279][ T9350] Uninit was created at: [   70.202693][ T9350]  __kmalloc_noprof+0x621/0xf80 [   70.203149][ T9350]  hfsplus_find_init+0x8d/0x1d0 [   70.203602][ T9350]  hfsplus_file_extend+0x6ca/0x1cf0 [   70.204087][ T9350]  hfsplus_get_block+0xe16/0x17b0 [   70.204561][ T9350]  __block_write_begin_int+0x962/0x2ce0 [   70.205074][ T9350]  cont_write_begin+0x1000/0x1950 [   70.205547][ T9350]  hfsplus_write_begin+0x85/0x130 [   70.206017][ T9350]  generic_perform_write+0x3e8/0x1060 [   70.206519][ T9350]  __generic_file_write_iter+0x215/0x460 [   70.207042][ T9350]  generic_file_write_iter+0x109/0x5e0 [   70.207552][ T9350]  vfs_write+0xb0f/0x14e0 [   70.207961][ T9350]  ksys_write+0x23e/0x490 [   70.208375][ T9350]  __x64_sys_write+0x97/0xf0 [   70.208810][ T9350]  
x64_sys_call+0x3015/0x3cf0 [   70.209255][ T9350]  do_syscall_64+0xd9/0x1d0 [   70.209680][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [   70.210230][ T9350] [   70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5 [   70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [   70.212115][ T9350] ===================================================== [   70.212734][ T9350] Disabling lock debugging due to kernel taint [   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ... [   70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G    B             6.12.0-rc5 #5 [   70.214679][ T9350] Tainted: [B]=BAD_PAGE [   70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [   70.215999][ T9350] Call Trace: [   70.216309][ T9350]  <TASK> [   70.216585][ T9350]  dump_stack_lvl+0x1fd/0x2b0 [   70.217025][ T9350]  dump_stack+0x1e/0x30 [   70.217421][ T9350]  panic+0x502/0xca0 [   70.217803][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0  [   70.218294][ Message fromT sy9350]  kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...  kernel :[   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [  70.220179][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0 set ... [   70.221254][ T9350]  ? __msan_warning+0x96/0x120 [   70.222066][ T9350]  ? __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.223023][ T9350]  ? hfsplus_file_extend+0x74f/0x1cf0 [   70.224120][ T9350]  ? hfsplus_get_block+0xe16/0x17b0 [   70.224946][ T9350]  ? __block_write_begin_int+0x962/0x2ce0 [   70.225756][ T9350]  ? cont_write_begin+0x1000/0x1950 [   70.226337][ T9350]  ? hfsplus_write_begin+0x85/0x130 [   70.226852][ T9350]  ? generic_perform_write+0x3e8/0x1060 [   70.227405][ T9350]  ? __generic_file_write_iter+0x215/0x460 [   70.227979][ T9350]  ? generic_file_write_iter+0x109/0x5e0 [   70.228540][ T9350]  ? 
vfs_write+0xb0f/0x14e0 [   70.228997][ T9350]  ? ksys_write+0x23e/0x490 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40245",
                        "url": "https://ubuntu.com/security/CVE-2025-40245",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nios2: ensure that memblock.current_limit is set when setting pfn limits  On nios2, with CONFIG_FLATMEM set, the kernel relies on memblock_get_current_limit() to determine the limits of mem_map, in particular for max_low_pfn. Unfortunately, memblock.current_limit is only default initialized to MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading to situations where max_low_pfn can erroneously exceed the value of max_pfn and, thus, the valid range of available DRAM.  This can in turn cause kernel-level paging failures, e.g.:  [   76.900000] Unable to handle kernel paging request at virtual address 20303000 [   76.900000] ea = c0080890, ra = c000462c, cause = 14 [   76.900000] Kernel panic - not syncing: Oops [   76.900000] ---[ end Kernel panic - not syncing: Oops ]---  This patch fixes this by pre-calculating memblock.current_limit based on the upper limits of the available memory ranges via adjust_lowmem_bounds, a simplified version of the equivalent implementation within the arm architecture.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40086",
                        "url": "https://ubuntu.com/security/CVE-2025-40086",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Don't allow evicting of BOs in same VM in array of VM binds  An array of VM binds can potentially evict other buffer objects (BOs) within the same VM under certain conditions, which may lead to NULL pointer dereferences later in the bind pipeline. To prevent this, clear the allow_res_evict flag in the xe_bo_validate call.  v2:  - Invert polarity of no_res_evict (Thomas)  - Add comment in code explaining issue (Thomas)  (cherry picked from commit 8b9ba8d6d95fe75fed6b0480bb03da4b321bea08)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40087",
                        "url": "https://ubuntu.com/security/CVE-2025-40087",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define a proc_layoutcommit for the FlexFiles layout type  Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40088",
                        "url": "https://ubuntu.com/security/CVE-2025-40088",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()  The hfsplus_strcasecmp() logic can trigger the issue:  [  117.317703][ T9855] ================================================================== [  117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490 [  117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855 [  117.319577][ T9855] [  117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full) [  117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [  117.319783][ T9855] Call Trace: [  117.319785][ T9855]  <TASK> [  117.319788][ T9855]  dump_stack_lvl+0x1c1/0x2a0 [  117.319795][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319803][ T9855]  ? __pfx_dump_stack_lvl+0x10/0x10 [  117.319808][ T9855]  ? rcu_is_watching+0x15/0xb0 [  117.319816][ T9855]  ? lock_release+0x4b/0x3e0 [  117.319821][ T9855]  ? __kasan_check_byte+0x12/0x40 [  117.319828][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319835][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319842][ T9855]  print_report+0x17e/0x7e0 [  117.319848][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319855][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319862][ T9855]  ? __phys_addr+0xd3/0x180 [  117.319869][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319876][ T9855]  kasan_report+0x147/0x180 [  117.319882][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319891][ T9855]  hfsplus_strcasecmp+0x1bc/0x490 [  117.319900][ T9855]  ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10 [  117.319906][ T9855]  hfs_find_rec_by_key+0xa9/0x1e0 [  117.319913][ T9855]  __hfsplus_brec_find+0x18e/0x470 [  117.319920][ T9855]  ? __pfx_hfsplus_bnode_find+0x10/0x10 [  117.319926][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319933][ T9855]  ? 
__pfx___hfsplus_brec_find+0x10/0x10 [  117.319942][ T9855]  hfsplus_brec_find+0x28f/0x510 [  117.319949][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319956][ T9855]  ? __pfx_hfsplus_brec_find+0x10/0x10 [  117.319963][ T9855]  ? __kmalloc_noprof+0x2a9/0x510 [  117.319969][ T9855]  ? hfsplus_find_init+0x8c/0x1d0 [  117.319976][ T9855]  hfsplus_brec_read+0x2b/0x120 [  117.319983][ T9855]  hfsplus_lookup+0x2aa/0x890 [  117.319990][ T9855]  ? __pfx_hfsplus_lookup+0x10/0x10 [  117.320003][ T9855]  ? d_alloc_parallel+0x2f0/0x15e0 [  117.320008][ T9855]  ? __lock_acquire+0xaec/0xd80 [  117.320013][ T9855]  ? __pfx_d_alloc_parallel+0x10/0x10 [  117.320019][ T9855]  ? __raw_spin_lock_init+0x45/0x100 [  117.320026][ T9855]  ? __init_waitqueue_head+0xa9/0x150 [  117.320034][ T9855]  __lookup_slow+0x297/0x3d0 [  117.320039][ T9855]  ? __pfx___lookup_slow+0x10/0x10 [  117.320045][ T9855]  ? down_read+0x1ad/0x2e0 [  117.320055][ T9855]  lookup_slow+0x53/0x70 [  117.320065][ T9855]  walk_component+0x2f0/0x430 [  117.320073][ T9855]  path_lookupat+0x169/0x440 [  117.320081][ T9855]  filename_lookup+0x212/0x590 [  117.320089][ T9855]  ? __pfx_filename_lookup+0x10/0x10 [  117.320098][ T9855]  ? strncpy_from_user+0x150/0x290 [  117.320105][ T9855]  ? getname_flags+0x1e5/0x540 [  117.320112][ T9855]  user_path_at+0x3a/0x60 [  117.320117][ T9855]  __x64_sys_umount+0xee/0x160 [  117.320123][ T9855]  ? __pfx___x64_sys_umount+0x10/0x10 [  117.320129][ T9855]  ? do_syscall_64+0xb7/0x3a0 [  117.320135][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320141][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320145][ T9855]  do_syscall_64+0xf3/0x3a0 [  117.320150][ T9855]  ? 
exc_page_fault+0x9f/0xf0 [  117.320154][ T9855]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320158][ T9855] RIP: 0033:0x7f7dd7908b07 [  117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08 [  117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40162",
                        "url": "https://ubuntu.com/security/CVE-2025-40162",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails  devm_kasprintf() may return NULL on memory allocation failure, but the debug message prints cpus->dai_name before checking it. Move the dev_dbg() call after the NULL check to prevent potential NULL pointer dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40085",
                        "url": "https://ubuntu.com/security/CVE-2025-40085",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card  In try_to_register_card(), the return value of usb_ifnum_to_if() is passed directly to usb_interface_claimed() without a NULL check, which will lead to a NULL pointer dereference when creating an invalid USB audio device. Fix this by adding a check to ensure the interface pointer is valid before passing it to usb_interface_claimed().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40172",
                        "url": "https://ubuntu.com/security/CVE-2025-40172",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()  Currently, if find_and_map_user_pages() takes a DMA xfer request from the user with a length field set to 0, or in a rare case, the host receives QAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size is equal to the requested transaction size, the function will return 0 before allocating an sgt or setting the fields of the dma_xfer struct. In that case, encode_addr_size_pairs() will try to access the sgt which will lead to a general protection fault.  Return an EINVAL in case the user provides a zero-sized ALP, or the device requests continuation after all of the bytes have been transferred.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40177",
                        "url": "https://ubuntu.com/security/CVE-2025-40177",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/qaic: Fix bootlog initialization ordering  As soon as we queue MHI buffers to receive the bootlog from the device, we could be receiving data. Therefore all the resources needed to process that data need to be setup prior to queuing the buffers.  We currently initialize some of the resources after queuing the buffers which creates a race between the probe() and any data that comes back from the device. If the uninitialized resources are accessed, we could see page faults.  Fix the init ordering to close the race.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40163",
                        "url": "https://ubuntu.com/security/CVE-2025-40163",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched/deadline: Stop dl_server before CPU goes offline  IBM CI tool reported kernel warning[1] when running a CPU removal operation through drmgr[2]. i.e \"drmgr -c cpu -r -q 1\"  WARNING: CPU: 0 PID: 0 at kernel/sched/cpudeadline.c:219 cpudl_set+0x58/0x170 NIP [c0000000002b6ed8] cpudl_set+0x58/0x170 LR [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 Call Trace: [c000000002c2f8c0] init_stack+0x78c0/0x8000 (unreliable) [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 [c00000000034df84] __hrtimer_run_queues+0x1a4/0x390 [c00000000034f624] hrtimer_interrupt+0x124/0x300 [c00000000002a230] timer_interrupt+0x140/0x320  Git bisects to: commit 4ae8d9aa9f9d (\"sched/deadline: Fix dl_server getting stuck\")  This happens since: - dl_server hrtimer gets enqueued close to cpu offline, when   kthread_park enqueues a fair task. - CPU goes offline and drmgr removes it from cpu_present_mask. - hrtimer fires and warning is hit.  Fix it by stopping the dl_server before CPU is marked dead.  [1]: https://lore.kernel.org/all/8218e149-7718-4432-9312-f97297c352b9@linux.ibm.com/ [2]: https://github.com/ibm-power-utilities/powerpc-utils/tree/next/src/drmgr  [sshegde: wrote the changelog and tested it]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40174",
                        "url": "https://ubuntu.com/security/CVE-2025-40174",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/mm: Fix SMP ordering in switch_mm_irqs_off()  Stephen noted that it is possible to not have an smp_mb() between the loaded_mm store and the tlb_gen load in switch_mm(), meaning the ordering against flush_tlb_mm_range() goes out the window, and it becomes possible for switch_mm() to not observe a recent tlb_gen update and fail to flush the TLBs.  [ dhansen: merge conflict fixed by Ingo ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40089",
                        "url": "https://ubuntu.com/security/CVE-2025-40089",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cxl/features: Add check for no entries in cxl_feature_info  cxl EDAC calls cxl_feature_info() to get the feature information and if the hardware has no Features support, cxlfs may be passed in as NULL.  [   51.957498] BUG: kernel NULL pointer dereference, address: 0000000000000008 [   51.965571] #PF: supervisor read access in kernel mode [   51.971559] #PF: error_code(0x0000) - not-present page [   51.977542] PGD 17e4f6067 P4D 0 [   51.981384] Oops: Oops: 0000 [#1] SMP NOPTI [   51.986300] CPU: 49 UID: 0 PID: 3782 Comm: systemd-udevd Not tainted 6.17.0dj test+ #64 PREEMPT(voluntary) [   51.997355] Hardware name: <removed> [   52.009790] RIP: 0010:cxl_feature_info+0xa/0x80 [cxl_core]  Add a check for cxlfs before dereferencing it and return -EOPNOTSUPP if there is no cxlfs created due to no hardware support.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40176",
                        "url": "https://ubuntu.com/security/CVE-2025-40176",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tls: wait for pending async decryptions if tls_strp_msg_hold fails  Async decryption calls tls_strp_msg_hold to create a clone of the input skb to hold references to the memory it uses. If we fail to allocate that clone, proceeding with async decryption can lead to various issues (UAF on the skb, writing into userspace memory after the recv() call has returned).  In this case, wait for all pending decryption requests.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40164",
                        "url": "https://ubuntu.com/security/CVE-2025-40164",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: Fix using smp_processor_id() in preemptible code warnings  Syzbot reported the following warning:  BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879 caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary) Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120  check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49  usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331  usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708  usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417  __dev_set_mtu net/core/dev.c:9443 [inline]  netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496  netif_set_mtu+0xb0/0x160 net/core/dev.c:9520  dev_set_mtu+0xae/0x170 net/core/dev_api.c:247  dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572  dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821  sock_do_ioctl+0x19d/0x280 net/socket.c:1204  sock_ioctl+0x42f/0x6a0 net/socket.c:1311  vfs_ioctl fs/ioctl.c:51 [inline]  __do_sys_ioctl fs/ioctl.c:906 [inline]  __se_sys_ioctl fs/ioctl.c:892 [inline]  __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  For historical and portability reasons, the netif_rx() is usually run in the softirq or interrupt context, this commit therefore add local_bh_disable/enable() protection in the usbnet_resume_rx().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40091",
                        "url": "https://ubuntu.com/security/CVE-2025-40091",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ixgbe: fix too early devlink_free() in ixgbe_remove()  Since ixgbe_adapter is embedded in devlink, calling devlink_free() prematurely in the ixgbe_remove() path can lead to UAF. Move devlink_free() to the end.  KASAN report:   BUG: KASAN: use-after-free in ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]  Read of size 8 at addr ffff0000adf813e0 by task bash/2095  CPU: 1 UID: 0 PID: 2095 Comm: bash Tainted: G S 6.17.0-rc2-tnguy.net-queue+ #1 PREEMPT(full)  [...]  Call trace:   show_stack+0x30/0x90 (C)   dump_stack_lvl+0x9c/0xd0   print_address_description.constprop.0+0x90/0x310   print_report+0x104/0x1f0   kasan_report+0x88/0x180   __asan_report_load8_noabort+0x20/0x30   ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]   ixgbe_clear_interrupt_scheme+0xf8/0x130 [ixgbe]   ixgbe_remove+0x2d0/0x8c0 [ixgbe]   pci_device_remove+0xa0/0x220   device_remove+0xb8/0x170   device_release_driver_internal+0x318/0x490   device_driver_detach+0x40/0x68   unbind_store+0xec/0x118   drv_attr_store+0x64/0xb8   sysfs_kf_write+0xcc/0x138   kernfs_fop_write_iter+0x294/0x440   new_sync_write+0x1fc/0x588   vfs_write+0x480/0x6a0   ksys_write+0xf0/0x1e0   __arm64_sys_write+0x70/0xc0   invoke_syscall.constprop.0+0xcc/0x280   el0_svc_common.constprop.0+0xa8/0x248   do_el0_svc+0x44/0x68   el0_svc+0x54/0x160   el0t_64_sync_handler+0xa0/0xe8   el0t_64_sync+0x1b0/0x1b8",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40175",
                        "url": "https://ubuntu.com/security/CVE-2025-40175",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  idpf: cleanup remaining SKBs in PTP flows  When the driver requests Tx timestamp value, one of the first steps is to clone SKB using skb_get. It increases the reference counter for that SKB to prevent unexpected freeing by another component. However, there may be a case where the index is requested, SKB is assigned and never consumed by PTP flows - for example due to reset during running PTP apps.  Add a check in release timestamping function to verify if the SKB assigned to Tx timestamp latch was freed, and release remaining SKBs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40173",
                        "url": "https://ubuntu.com/security/CVE-2025-40173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ip6_tunnel: Prevent perpetual tunnel growth  Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd (\"net: ip_tunnel: prevent perpetual headroom growth\"), ipv6 tunnel yet increases the headroom without any ceiling.  Reflect ipv4 tunnel headroom adjustment limit on ipv6 version.  Credits to Francesco Ruggeri, who was originally debugging this issue and wrote local Arista-specific patch and a reproducer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40092",
                        "url": "https://ubuntu.com/security/CVE-2025-40092",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ncm: Refactor bind path to use __free()  After a bind/unbind cycle, the ncm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  ncm_bind+0x39c/0x3dc  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40093",
                        "url": "https://ubuntu.com/security/CVE-2025-40093",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ecm: Refactor bind path to use __free()  After a bind/unbind cycle, the ecm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40094",
                        "url": "https://ubuntu.com/security/CVE-2025-40094",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_acm: Refactor bind path to use __free()  After a bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  gs_free_req+0x30/0x44  acm_bind+0x1b8/0x1f4  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40095",
                        "url": "https://ubuntu.com/security/CVE-2025-40095",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_rndis: Refactor bind path to use __free()  After a bind/unbind cycle, the rndis->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40165",
                        "url": "https://ubuntu.com/security/CVE-2025-40165",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: nxp: imx8-isi: m2m: Fix streaming cleanup on release  If streamon/streamoff calls are imbalanced, such as when exiting an application with Ctrl+C when streaming, the m2m usage_count will never reach zero and the ISI channel won't be freed. Besides from that, if the input line width is more than 2K, it will trigger a WARN_ON():  [ 59.222120] ------------[ cut here ]------------ [ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654 [ 59.238569] Modules linked in: ap1302 [ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT [ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT) [ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120 [ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120 [ 59.275047] sp : ffff8000848c3b40 [ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00 [ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001 [ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780 [ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000 [ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c [ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 [ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30 [ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420 [ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000 [ 59.349590] Call trace: [ 59.352025]  mxc_isi_channel_chain+0xa4/0x120 (P) [ 59.356722]  mxc_isi_m2m_streamon+0x160/0x20c [ 59.361072]  
v4l_streamon+0x24/0x30 [ 59.364556]  __video_do_ioctl+0x40c/0x4a0 [ 59.368560]  video_usercopy+0x2bc/0x690 [ 59.372382]  video_ioctl2+0x18/0x24 [ 59.375857]  v4l2_ioctl+0x40/0x60 [ 59.379168]  __arm64_sys_ioctl+0xac/0x104 [ 59.383172]  invoke_syscall+0x48/0x104 [ 59.386916]  el0_svc_common.constprop.0+0xc0/0xe0 [ 59.391613]  do_el0_svc+0x1c/0x28 [ 59.394915]  el0_svc+0x34/0xf4 [ 59.397966]  el0t_64_sync_handler+0xa0/0xe4 [ 59.402143]  el0t_64_sync+0x198/0x19c [ 59.405801] ---[ end trace 0000000000000000 ]---  Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the v4l2_m2m_ioctl_streamon() and v4l2_m2m_ioctl_streamoff() helpers.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40096",
                        "url": "https://ubuntu.com/security/CVE-2025-40096",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies  When adding dependencies with drm_sched_job_add_dependency(), that function consumes the fence reference both on success and failure, so in the latter case the dma_fence_put() on the error path (xarray failed to expand) is a double free.  Interestingly this bug appears to have been present ever since commit ebd5f74255b9 (\"drm/sched: Add dependency tracking\"), since the code back then looked like this:  drm_sched_job_add_implicit_dependencies(): ...        for (i = 0; i < fence_count; i++) {                ret = drm_sched_job_add_dependency(job, fences[i]);                if (ret)                        break;        }         for (; i < fence_count; i++)                dma_fence_put(fences[i]);  Which means for the failing 'i' the dma_fence_put was already a double free. Possibly there were no users at that time, or the test cases were insufficient to hit it.  The bug was then only noticed and fixed after commit 9c2ba265352a (\"drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2\") landed, with its fixup of commit 4eaf02d6076c (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies\").  At that point it was a slightly different flavour of a double free, which commit 963d0b356935 (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder\") noticed and attempted to fix.  But it only moved the double free from happening inside the drm_sched_job_add_dependency(), when releasing the reference not yet obtained, to the caller, when releasing the reference already released by the former in the failure case.  As such it is not easy to identify the right target for the fixes tag so lets keep it simple and just continue the chain.  While fixing we also improve the comment and explain the reason for taking the reference and not dropping it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40097",
                        "url": "https://ubuntu.com/security/CVE-2025-40097",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda: Fix missing pointer check in hda_component_manager_init function  The __component_match_add function may assign the 'matchptr' pointer the value ERR_PTR(-ENOMEM), which will subsequently be dereferenced.  The call stack leading to the error looks like this:  hda_component_manager_init |-> component_match_add     |-> component_match_add_release         |-> __component_match_add ( ... ,**matchptr, ... )             |-> *matchptr = ERR_PTR(-ENOMEM);       // assign |-> component_master_add_with_match( ...  match)     |-> component_match_realloc(match, match->num); // dereference  Add IS_ERR() check to prevent the crash.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40098",
                        "url": "https://ubuntu.com/security/CVE-2025-40098",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state()  Return value of a function acpi_evaluate_dsm() is dereferenced  without checking for NULL, but it is usually checked for this function.  acpi_evaluate_dsm() may return NULL, when acpi_evaluate_object() returns acpi_status other than ACPI_SUCCESS, so add a check to prevent the crach.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40099",
                        "url": "https://ubuntu.com/security/CVE-2025-40099",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cifs: parse_dfs_referrals: prevent oob on malformed input  Malicious SMB server can send invalid reply to FSCTL_DFS_GET_REFERRALS  - reply smaller than sizeof(struct get_dfs_referral_rsp) - reply with number of referrals smaller than NumberOfReferrals in the header  Processing of such replies will cause oob.  Return -EINVAL error on such replies to prevent oob-s.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40100",
                        "url": "https://ubuntu.com/security/CVE-2025-40100",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: do not assert we found block group item when creating free space tree  Currently, when building a free space tree at populate_free_space_tree(), if we are not using the block group tree feature, we always expect to find block group items (either extent items or a block group item with key type BTRFS_BLOCK_GROUP_ITEM_KEY) when we search the extent tree with btrfs_search_slot_for_read(), so we assert that we found an item. However this expectation is wrong since we can have a new block group created in the current transaction which is still empty and for which we still have not added the block group's item to the extent tree, in which case we do not have any items in the extent tree associated to the block group.  The insertion of a new block group's block group item in the extent tree happens at btrfs_create_pending_block_groups() when it calls the helper insert_block_group_item(). This typically is done when a transaction handle is released, committed or when running delayed refs (either as part of a transaction commit or when serving tickets for space reservation if we are low on free space).  So remove the assertion at populate_free_space_tree() even when the block group tree feature is not enabled and update the comment to mention this case.  Syzbot reported this with the following stack trace:    BTRFS info (device loop3 state M): rebuilding free space tree   assertion failed: ret == 0 :: 0, in fs/btrfs/free-space-tree.c:1115   ------------[ cut here ]------------   kernel BUG at fs/btrfs/free-space-tree.c:1115!   Oops: invalid opcode: 0000 [#1] SMP KASAN PTI   CPU: 1 UID: 0 PID: 6352 Comm: syz.3.25 Not tainted syzkaller #0 PREEMPT(full)   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025   RIP: 0010:populate_free_space_tree+0x700/0x710 fs/btrfs/free-space-tree.c:1115   Code: ff ff e8 d3 (...)   
RSP: 0018:ffffc9000430f780 EFLAGS: 00010246   RAX: 0000000000000043 RBX: ffff88805b709630 RCX: fea61d0e2e79d000   RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000   RBP: ffffc9000430f8b0 R08: ffffc9000430f4a7 R09: 1ffff92000861e94   R10: dffffc0000000000 R11: fffff52000861e95 R12: 0000000000000001   R13: 1ffff92000861f00 R14: dffffc0000000000 R15: 0000000000000000   FS:  00007f424d9fe6c0(0000) GS:ffff888125afc000(0000) knlGS:0000000000000000   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   CR2: 00007fd78ad212c0 CR3: 0000000076d68000 CR4: 00000000003526f0   Call Trace:    <TASK>    btrfs_rebuild_free_space_tree+0x1ba/0x6d0 fs/btrfs/free-space-tree.c:1364    btrfs_start_pre_rw_mount+0x128f/0x1bf0 fs/btrfs/disk-io.c:3062    btrfs_remount_rw fs/btrfs/super.c:1334 [inline]    btrfs_reconfigure+0xaed/0x2160 fs/btrfs/super.c:1559    reconfigure_super+0x227/0x890 fs/super.c:1076    do_remount fs/namespace.c:3279 [inline]    path_mount+0xd1a/0xfe0 fs/namespace.c:4027    do_mount fs/namespace.c:4048 [inline]    __do_sys_mount fs/namespace.c:4236 [inline]    __se_sys_mount+0x313/0x410 fs/namespace.c:4213    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    RIP: 0033:0x7f424e39066a   Code: d8 64 89 02 (...)   RSP: 002b:00007f424d9fde68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5   RAX: ffffffffffffffda RBX: 00007f424d9fdef0 RCX: 00007f424e39066a   RDX: 0000200000000180 RSI: 0000200000000380 RDI: 0000000000000000   RBP: 0000200000000180 R08: 00007f424d9fdef0 R09: 0000000000000020   R10: 0000000000000020 R11: 0000000000000246 R12: 0000200000000380   R13: 00007f424d9fdeb0 R14: 0000000000000000 R15: 00002000000002c0    </TASK>   Modules linked in:   ---[ end trace 0000000000000000 ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40101",
                        "url": "https://ubuntu.com/security/CVE-2025-40101",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST  At the end of btrfs_load_block_group_zone_info() the first thing we do is to ensure that if the mapping type is not a SINGLE one and there is no RAID stripe tree, then we return early with an error.  Doing that, though, prevents the code from running the last calls from this function which are about freeing memory allocated during its run. Hence, in this case, instead of returning early, we set the ret value and fall through the rest of the cleanup code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40167",
                        "url": "https://ubuntu.com/security/CVE-2025-40167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: detect invalid INLINE_DATA + EXTENTS flag combination  syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal.  The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set:      EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:     comm syz.0.17: corrupted extent tree: lblk 0 < prev 66  Investigation revealed that the inode has both flags set:     DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1  This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks  Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes.  Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40102",
                        "url": "https://ubuntu.com/security/CVE-2025-40102",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Prevent access to vCPU events before init  Another day, another syzkaller bug. KVM erroneously allows userspace to pend vCPU events for a vCPU that hasn't been initialized yet, leading to KVM interpreting a bunch of uninitialized garbage for routing / injecting the exception.  In one case the injection code and the hyp disagree on whether the vCPU has a 32bit EL1 and put the vCPU into an illegal mode for AArch64, tripping the BUG() in exception_target_el() during the next injection:    kernel BUG at arch/arm64/kvm/inject_fault.c:40!   Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP   CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT   Hardware name: linux,dummy-virt (DT)   pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)   pc : exception_target_el+0x88/0x8c   lr : pend_serror_exception+0x18/0x13c   sp : ffff800082f03a10   x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000   x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000   x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004   x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000   x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0   x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000   x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000   x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000   x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000   x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20   Call trace:    exception_target_el+0x88/0x8c (P)    kvm_inject_serror_esr+0x40/0x3b4    __kvm_arm_vcpu_set_events+0xf0/0x100    kvm_arch_vcpu_ioctl+0x180/0x9d4    kvm_vcpu_ioctl+0x60c/0x9f4    __arm64_sys_ioctl+0xac/0x104    invoke_syscall+0x48/0x110    el0_svc_common.constprop.0+0x40/0xe0    
do_el0_svc+0x1c/0x28    el0_svc+0x34/0xf0    el0t_64_sync_handler+0xa0/0xe4    el0t_64_sync+0x198/0x19c   Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000)  Reject the ioctls outright as no sane VMM would call these before KVM_ARM_VCPU_INIT anyway. Even if it did the exception would've been thrown away by the eventual reset of the vCPU's state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40103",
                        "url": "https://ubuntu.com/security/CVE-2025-40103",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: Fix refcount leak for cifs_sb_tlink  Fix three refcount inconsistency issues related to `cifs_sb_tlink`.  Comments for `cifs_sb_tlink` state that `cifs_put_tlink()` needs to be called after successful calls to `cifs_sb_tlink()`. Three calls fail to update refcount accordingly, leading to possible resource leaks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40104",
                        "url": "https://ubuntu.com/security/CVE-2025-40104",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ixgbevf: fix mailbox API compatibility by negotiating supported features  There was backward compatibility in the terms of mailbox API. Various drivers from various OSes supporting 10G adapters from Intel portfolio could easily negotiate mailbox API.  This convention has been broken since introducing API 1.4. Commit 0062e7cc955e (\"ixgbevf: add VF IPsec offload code\") added support for IPSec which is specific only for the kernel ixgbe driver. None of the rest of the Intel 10G PF/VF drivers supports it. And actually lack of support was not included in the IPSec implementation - there were no such code paths. No possibility to negotiate support for the feature was introduced along with introduction of the feature itself.  Commit 339f28964147 (\"ixgbevf: Add support for new mailbox communication between PF and VF\") increasing API version to 1.5 did the same - it introduced code supported specifically by the PF ESX driver. It altered API version for the VF driver in the same time not touching the version defined for the PF ixgbe driver. It led to additional discrepancies, as the code provided within API 1.6 cannot be supported for Linux ixgbe driver as it causes crashes.  The issue was noticed some time ago and mitigated by Jake within the commit d0725312adf5 (\"ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5\"). As a result we have regression for IPsec support and after increasing API to version 1.6 ixgbevf driver stopped to support ESX MBX.  To fix this mess add new mailbox op asking PF driver about supported features. Basing on a response determine whether to set support for IPSec and ESX-specific enhanced mailbox.  New mailbox op, for compatibility purposes, must be added within new API revision, as API version of OOT PF & VF drivers is already increased to 1.6 and doesn't incorporate features negotiate op.  
Features negotiation mechanism gives possibility to be extended with new features when needed in the future.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40166",
                        "url": "https://ubuntu.com/security/CVE-2025-40166",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Check GuC running state before deregistering exec queue  In normal operation, a registered exec queue is disabled and deregistered through the GuC, and freed only after the GuC confirms completion. However, if the driver is forced to unbind while the exec queue is still running, the user may call exec_destroy() after the GuC has already been stopped and CT communication disabled.  In this case, the driver cannot receive a response from the GuC, preventing proper cleanup of exec queue resources. Fix this by directly releasing the resources when GuC is not running.  Here is the failure dmesg log: \" [  468.089581] ---[ end trace 0000000000000000 ]--- [  468.089608] pci 0000:03:00.0: [drm] *ERROR* GT0: GUC ID manager unclean (1/65535) [  468.090558] pci 0000:03:00.0: [drm] GT0:     total 65535 [  468.090562] pci 0000:03:00.0: [drm] GT0:     used 1 [  468.090564] pci 0000:03:00.0: [drm] GT0:     range 1..1 (1) [  468.092716] ------------[ cut here ]------------ [  468.092719] WARNING: CPU: 14 PID: 4775 at drivers/gpu/drm/xe/xe_ttm_vram_mgr.c:298 ttm_vram_mgr_fini+0xf8/0x130 [xe] \"  v2: use xe_uc_fw_is_running() instead of xe_guc_ct_enabled().     As CT may go down and come back during VF migration.  (cherry picked from commit 9b42321a02c50a12b2beb6ae9469606257fbecea)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40105",
                        "url": "https://ubuntu.com/security/CVE-2025-40105",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vfs: Don't leak disconnected dentries on umount  When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb (\"VFS: don't keep disconnected dentries on d_anon\") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitely relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are \"leaked\". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous \"Busy inodes after unmount\" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40019",
                        "url": "https://ubuntu.com/security/CVE-2025-40019",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: essiv - Check ssize for decryption and in-place encryption  Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-24 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40214",
                        "url": "https://ubuntu.com/security/CVE-2025-40214",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  af_unix: Initialise scc_index in unix_add_edge().  Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro.  The repro consists of three stages.    1)     1-a. Create a single cyclic reference with many sockets     1-b. close() all sockets     1-c. Trigger GC    2)     2-a. Pass sk-A to an embryo sk-B     2-b. Pass sk-X to sk-X     2-c. Trigger GC    3)     3-a. accept() the embryo sk-B     3-b. Pass sk-B to sk-C     3-c. close() the in-flight sk-A     3-d. Trigger GC  As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs:    unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START)   unix_sk(sk-X)->vertex->scc_index = 3  Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC.  At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices.  unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight.  3-c decrements sk-A's file refcnt to 1.  Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X:    sk-A -> sk-B (-> sk-C)   sk-X -> sk-X  This is totally fine.  All of them are not yet close()d and should be grouped into different SCCs.  However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead.    unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong!   &&   sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree                                        ^-- 1 in-flight count for sk-B   -> sk-A is dead !?  
The problem is that unix_add_edge() does not initialise scc_index.  Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c.  Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index.  This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.",
                        "cve_priority": "high",
                        "cve_public_date": "2025-12-04 13:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2137845,
                    1786013,
                    2137849,
                    1786013,
                    2136820,
                    2137698,
                    2129812,
                    2125022,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136813,
                    2132317,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2132095,
                    2131046,
                    2115860,
                    2128792,
                    2121852,
                    2131259,
                    2131259,
                    2131702,
                    2129610
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-40256",
                                "url": "https://ubuntu.com/security/CVE-2025-40256",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added  In commit b441cf3f8c4b (\"xfrm: delete x->tunnel as we delete x\"), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists.  In this situation, ->init_state has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn't go through __xfrm_state_delete, so we don't call xfrm_state_delete_tunnel for those states, and we end up leaking the FB tunnel.  There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrm_migrate, xfrm_state_migrate). A \"proper\" rollback of the init_state work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved.  At some point, the new (not-inserted) state will be destroyed, so call xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states will have their fallback tunnel cleaned up during __xfrm_state_delete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68204",
                                "url": "https://ubuntu.com/security/CVE-2025-68204",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pmdomain: arm: scmi: Fix genpd leak on provider registration failure  If of_genpd_add_provider_onecell() fails during probe, the previously created generic power domains are not removed, leading to a memory leak and potential kernel crash later in genpd_debug_add().  Add proper error handling to unwind the initialized domains before returning from probe to ensure all resources are correctly released on failure.  Example crash trace observed without this fix:    | Unable to handle kernel paging request at virtual address fffffffffffffc70   | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT   | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform   | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)   | pc : genpd_debug_add+0x2c/0x160   | lr : genpd_debug_init+0x74/0x98   | Call trace:   |  genpd_debug_add+0x2c/0x160 (P)   |  genpd_debug_init+0x74/0x98   |  do_one_initcall+0xd0/0x2d8   |  do_initcall_level+0xa0/0x140   |  do_initcalls+0x60/0xa8   |  do_basic_setup+0x28/0x40   |  kernel_init_freeable+0xe8/0x170   |  kernel_init+0x2c/0x140   |  ret_from_fork+0x10/0x20",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68203",
                                "url": "https://ubuntu.com/security/CVE-2025-68203",
                                "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40267",
                                "url": "https://ubuntu.com/security/CVE-2025-40267",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/rw: ensure allocated iovec gets cleared for early failure  A previous commit reused the recyling infrastructure for early cleanup, but this is not enough for the case where our internal caches have overflowed. If this happens, then the allocated iovec can get leaked if the request is also aborted early.  Reinstate the previous forced free of the iovec for that situation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68198",
                                "url": "https://ubuntu.com/security/CVE-2025-68198",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crash: fix crashkernel resource shrink  When crashkernel is configured with a high reservation, shrinking its value below the low crashkernel reservation causes two issues:  1. Invalid crashkernel resource objects 2. Kernel crash if crashkernel shrinking is done twice  For example, with crashkernel=200M,high, the kernel reserves 200MB of high memory and some default low memory (say 256MB).  The reservation appears as:  cat /proc/iomem | grep -i crash af000000-beffffff : Crash kernel 433000000-43f7fffff : Crash kernel  If crashkernel is then shrunk to 50MB (echo 52428800 > /sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved: af000000-beffffff : Crash kernel  Instead, it should show 50MB: af000000-b21fffff : Crash kernel  Further shrinking crashkernel to 40MB causes a kernel crash with the following trace (x86):  BUG: kernel NULL pointer dereference, address: 0000000000000038 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI <snip...> Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2f0 ? search_module_extables+0x19/0x60 ? search_bpf_extables+0x5f/0x80 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? __release_resource+0xd/0xb0 release_resource+0x26/0x40 __crash_shrink_memory+0xe5/0x110 crash_shrink_memory+0x12a/0x190 kexec_crash_size_store+0x41/0x80 kernfs_fop_write_iter+0x141/0x1f0 vfs_write+0x294/0x460 ksys_write+0x6d/0xf0 <snip...>  This happens because __crash_shrink_memory()/kernel/crash_core.c incorrectly updates the crashk_res resource object even when crashk_low_res should be updated.  Fix this by ensuring the correct crashkernel resource object is updated when shrinking crashkernel memory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68199",
                                "url": "https://ubuntu.com/security/CVE-2025-68199",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext  When alloc_slab_obj_exts() fails and then later succeeds in allocating a slab extension vector, it calls handle_failed_objexts_alloc() to mark all objects in the vector as empty.  As a result all objects in this slab (slabA) will have their extensions set to CODETAG_EMPTY.  Later on if this slabA is used to allocate a slabobj_ext vector for another slab (slabB), we end up with the slabB->obj_exts pointing to a slabobj_ext vector that itself has a non-NULL slabobj_ext equal to CODETAG_EMPTY.  When slabB gets freed, free_slab_obj_exts() is called to free slabB->obj_exts vector.   free_slab_obj_exts() calls mark_objexts_empty(slabB->obj_exts) which will generate a warning because it expects slabobj_ext vectors to have a NULL obj_ext, not CODETAG_EMPTY.  Modify mark_objexts_empty() to skip the warning and setting the obj_ext value if it's already set to CODETAG_EMPTY.   To quickly detect this WARN, I modified the code from WARN_ON(slab_exts[offs].ref.ct) to BUG_ON(slab_exts[offs].ref.ct == 1);  We then obtained this message:  [21630.898561] ------------[ cut here ]------------ [21630.898596] kernel BUG at mm/slub.c:2050! 
[21630.898611] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [21630.900372] Modules linked in: squashfs isofs vfio_iommu_type1 vhost_vsock vfio vhost_net vmw_vsock_virtio_transport_common vhost tap vhost_iotlb iommufd vsock binfmt_misc nfsv3 nfs_acl nfs lockd grace netfs tls rds dns_resolver tun brd overlay ntfs3 exfat btrfs blake2b_generic xor xor_neon raid6_pq loop sctp ip6_udp_tunnel udp_tunnel nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables rfkill ip_set sunrpc vfat fat joydev sg sch_fq_codel nfnetlink virtio_gpu sr_mod cdrom drm_client_lib virtio_dma_buf drm_shmem_helper drm_kms_helper drm ghash_ce backlight virtio_net virtio_blk virtio_scsi net_failover virtio_console failover virtio_mmio dm_mirror dm_region_hash dm_log dm_multipath dm_mod fuse i2c_dev virtio_pci virtio_pci_legacy_dev virtio_pci_modern_dev virtio virtio_ring autofs4 aes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject] [21630.909177] CPU: 3 UID: 0 PID: 3787 Comm: kylin-process-m Kdump: loaded Tainted: G        W           6.18.0-rc1+ #74 PREEMPT(voluntary) [21630.910495] Tainted: [W]=WARN [21630.910867] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 [21630.911625] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [21630.912392] pc : __free_slab+0x228/0x250 [21630.912868] lr : __free_slab+0x18c/0x250[21630.913334] sp : ffff8000a02f73e0 [21630.913830] x29: ffff8000a02f73e0 x28: fffffdffc43fc800 x27: ffff0000c0011c40 [21630.914677] x26: ffff0000c000cac0 x25: ffff00010fe5e5f0 x24: ffff000102199b40 [21630.915469] x23: 0000000000000003 x22: 0000000000000003 x21: ffff0000c0011c40 [21630.916259] x20: fffffdffc4086600 x19: fffffdffc43fc800 x18: 0000000000000000 [21630.917048] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [21630.917837] x14: 0000000000000000 x13: 0000000000000000 x12: ffff70001405ee66 
[21630.918640] x11: 1ffff0001405ee65 x10: ffff70001405ee65 x9 : ffff800080a295dc [21630.919442] x8 : ffff8000a02f7330 x7 : 0000000000000000 x6 : 0000000000003000 [21630.920232] x5 : 0000000024924925 x4 : 0000000000000001 x3 : 0000000000000007 [21630.921021] x2 : 0000000000001b40 x1 : 000000000000001f x0 : 0000000000000001 [21630.921810] Call trace: [21630.922130]  __free_slab+0x228/0x250 (P) [21630.922669]  free_slab+0x38/0x118 [21630.923079]  free_to_partial_list+0x1d4/0x340 [21630.923591]  __slab_free+0x24c/0x348 [21630.924024]  ___cache_free+0xf0/0x110 [21630.924468]  qlist_free_all+0x78/0x130 [21630.924922]  kasan_quarantine_reduce+0x11 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40268",
                                "url": "https://ubuntu.com/security/CVE-2025-40268",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cifs: client: fix memory leak in smb3_fs_context_parse_param  The user calls fsconfig twice, but when the program exits, free() only frees ctx->source for the second fsconfig, not the first. Regarding fc->source, there is no code in the fs context related to its memory reclamation.  To fix this memory leak, release the source memory corresponding to ctx or fc before each parsing.  syzbot reported: BUG: memory leak unreferenced object 0xffff888128afa360 (size 96):   backtrace (crc 79c9c7ba):     kstrdup+0x3c/0x80 mm/util.c:84     smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444  BUG: memory leak unreferenced object 0xffff888112c7d900 (size 96):   backtrace (crc 79c9c7ba):     smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629     smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40269",
                                "url": "https://ubuntu.com/security/CVE-2025-40269",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix potential overflow of PCM transfer buffer  The PCM stream data in USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically.  The packet sizes are limited by some factors such as wMaxPacketSize USB descriptor.  OTOH, in the current code, the actually used packet sizes are determined only by the rate and the PPS, which may be bigger than the size limit above.  This results in a buffer overflow, as reported by syzbot.  Basically when the limit is smaller than the calculated packet size, it implies that something is wrong, most likely a weird USB descriptor.  So the best option would be just to return an error at the parameter setup time before doing any further operations.  This patch introduces such a sanity check, and returns -EINVAL when the packet size is greater than maxpacksize.  The comparison with ep->packsize[1] alone should suffice since it's always equal or greater than ep->packsize[0].",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68205",
                                "url": "https://ubuntu.com/security/CVE-2025-68205",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver  After restructuring and splitting the HDMI codec driver code, each HDMI codec driver contains the own build_controls and build_pcms ops. A copy-n-paste error put the wrong entries for nvhdmi-mcp driver; both build_controls and build_pcms are swapped.  Unfortunately both callbacks have the very same form, and the compiler didn't complain it, either.  This resulted in a NULL dereference because the PCM instance hasn't been initialized at calling the build_controls callback.  Fix it by passing the proper entries.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40270",
                                "url": "https://ubuntu.com/security/CVE-2025-40270",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm, swap: fix potential UAF issue for VMA readahead  Since commit 78524b05f1a3 (\"mm, swap: avoid redundant swap device pinning\"), the common helper for allocating and preparing a folio in the swap cache layer no longer tries to get a swap device reference internally, because all callers of __read_swap_cache_async are already holding a swap entry reference.  The repeated swap device pinning isn't needed on the same swap device.  Caller of VMA readahead is also holding a reference to the target entry's swap device, but VMA readahead walks the page table, so it might encounter swap entries from other devices, and call __read_swap_cache_async on another device without holding a reference to it.  So it is possible to cause a UAF when swapoff of device A raced with swapin on device B, and VMA readahead tries to read swap entries from device A.  It's not easy to trigger, but in theory, it could cause real issues.  Make VMA readahead try to get the device reference first if the swap device is a different one from the target entry.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40271",
                                "url": "https://ubuntu.com/security/CVE-2025-40271",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/proc: fix uaf in proc_readdir_de()  Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which may result in uaf access.  We should use RB_CLEAR_NODE() set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access.  We found an uaf issue while using stress-ng testing, need to run testcase getdent and tun in the same time.  The steps of the issue is as follows:  1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current    pde is tun3;  2) in the [time windows] unregister netdevice tun3 and tun2, and erase    them from rbtree.  erase tun3 first, and then erase tun2.  the    pde(tun2) will be released to slab;  3) continue to getdent process, then pde_subdir_next() will return    pde(tun2) which is released, it will case uaf access.  CPU 0                                      |    CPU 1 ------------------------------------------------------------------------- traverse dir /proc/pid/net/dev_snmp6/      |  unregister_netdevice(tun->dev)   //tun3 tun2 sys_getdents64()                           |   iterate_dir()                            |     proc_readdir()                         |       proc_readdir_de()                    |     snmp6_unregister_dev()         pde_get(de);                       |       proc_remove()         read_unlock(&proc_subdir_lock);    |         remove_proc_subtree()                                            |          write_lock(&proc_subdir_lock);         [time window]                      |          rb_erase(&root->subdir_node, &parent->subdir);                                            |          write_unlock(&proc_subdir_lock);         read_lock(&proc_subdir_lock);      |         next = pde_subdir_next(de);        |         pde_put(de);                       |         de = next;    //UAF                |  rbtree of dev_snmp6                         
|                     pde(tun3)                      /    \\                   NULL  pde(tun2)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40272",
                                "url": "https://ubuntu.com/security/CVE-2025-40272",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/secretmem: fix use-after-free race in fault handler  When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping.  If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in adding the folio to the file mapping.  The task that failed undoes the effects of its attempt by (a) freeing the folio again and (b) putting the page back into the direct map.  However, by doing these two operations in this order, the page becomes available to the allocator again before it is placed back in the direct mapping.  If another task attempts to allocate the page between (a) and (b), and the kernel tries to access it via the direct map, it would result in a supervisor not-present page fault.  Fix the ordering to restore the direct map before the folio is freed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68245",
                                "url": "https://ubuntu.com/security/CVE-2025-68245",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: netpoll: fix incorrect refcount handling causing incorrect cleanup  commit efa95b01da18 (\"netpoll: fix use after free\") incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks.  Scenario causing lack of proper cleanup:  1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is    allocated, and refcnt = 1    - Keep in mind that npinfo is shared among all netpoll instances. In      this case, there is just one.  2) Another netpoll is also associated with the same NIC and    npinfo->refcnt += 1.    - Now dev->npinfo->refcnt = 2;    - There is just one npinfo associated to the netdev.  3) When the first netpolls goes to clean up:    - The first cleanup succeeds and clears np->dev->npinfo, ignoring      refcnt.      - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);`    - Set dev->npinfo = NULL, without proper cleanup    - No ->ndo_netpoll_cleanup() is either called  4) Now the second target tries to clean up    - The second cleanup fails because np->dev->npinfo is already NULL.      * In this case, ops->ndo_netpoll_cleanup() was never called, and        the skb pool is not cleaned as well (for the second netpoll        instance)   - This leaks npinfo and skbpool skbs, which is clearly reported by     kmemleak.  Revert commit efa95b01da18 (\"netpoll: fix use after free\") and adds clarifying comments emphasizing that npinfo cleanup should only happen once the refcount reaches zero, ensuring stable and correct netpoll behavior.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68240",
                                "url": "https://ubuntu.com/security/CVE-2025-68240",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: avoid having an active sc_timer before freeing sci  Because kthread_stop did not stop sc_task properly and returned -EINTR, the sc_timer was not properly closed, ultimately causing the problem [1] reported by syzbot when freeing sci due to the sc_timer not being closed.  Because the thread sc_task main function nilfs_segctor_thread() returns 0 when it succeeds, when the return value of kthread_stop() is not 0 in nilfs_segctor_destroy(), we believe that it has not properly closed sc_timer.  We use timer_shutdown_sync() to sync wait for sc_timer to shutdown, and set the value of sc_task to NULL under the protection of lock sc_state_lock, so as to avoid the issue caused by sc_timer not being properly shutdowned.  [1] ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: nilfs_construction_timeout Call trace:  nilfs_segctor_destroy fs/nilfs2/segment.c:2811 [inline]  nilfs_detach_log_writer+0x668/0x8cc fs/nilfs2/segment.c:2877  nilfs_put_super+0x4c/0x12c fs/nilfs2/super.c:509",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68241",
                                "url": "https://ubuntu.com/security/CVE-2025-68241",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe  The sit driver's packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random.  The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exception() can fetch the soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a new dst using a dst_hold(). When the original fnheX is freed via RCU, the dst reference remains permanently leaked.  CPU 0                             CPU 1 __mkroute_output()   find_exception() [fnheX]                                   update_or_create_fnhe()                                     fnhe_remove_oldest() [fnheX]   rt_bind_exception() [bind dst]                                   RCU callback [fnheX freed, dst leak]  This issue manifests as a device reference count leak and a warning in dmesg when unregistering the net device:    unregister_netdevice: waiting for sitX to become free. Usage count = N  Ido Schimmel provided the simple test validation method [1].  The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes(). Since rt_bind_exception() checks this field, setting it to zero prevents the stale fnhe from being reused and bound to a new dst just before it is freed.  
[1] ip netns add ns1 ip -n ns1 link set dev lo up ip -n ns1 address add 192.0.2.1/32 dev lo ip -n ns1 link add name dummy1 up type dummy ip -n ns1 route add 192.0.2.2/32 dev dummy1 ip -n ns1 link add name gretap1 up arp off type gretap \\     local 192.0.2.1 remote 192.0.2.2 ip -n ns1 route add 198.51.0.0/16 dev gretap1 taskset -c 0 ip netns exec ns1 mausezahn gretap1 \\     -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & taskset -c 2 ip netns exec ns1 mausezahn gretap1 \\     -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & sleep 10 ip netns pids ns1 | xargs kill ip netns del ns1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68211",
                                "url": "https://ubuntu.com/security/CVE-2025-68211",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksm: use range-walk function to jump over holes in scan_get_next_rmap_item  Currently, scan_get_next_rmap_item() walks every page address in a VMA to locate mergeable pages.  This becomes highly inefficient when scanning large virtual memory areas that contain mostly unmapped regions, causing ksmd to use large amount of cpu without deduplicating much pages.  This patch replaces the per-address lookup with a range walk using walk_page_range().  The range walker allows KSM to skip over entire unmapped holes in a VMA, avoiding unnecessary lookups.  This problem was previously discussed in [1].  Consider the following test program which creates a 32 TiB mapping in the virtual address space but only populates a single page:  #include <unistd.h> #include <stdio.h> #include <sys/mman.h>  /* 32 TiB */ const size_t size = 32ul * 1024 * 1024 * 1024 * 1024;  int main() {         char *area = mmap(NULL, size, PROT_READ | PROT_WRITE,                           MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1, 0);          if (area == MAP_FAILED) {                 perror(\"mmap() failed\\n\");                 return -1;         }          /* Populate a single page such that we get an anon_vma. */         *area = 0;          /* Enable KSM. */         madvise(area, size, MADV_MERGEABLE);         pause();         return 0; }  $ ./ksm-sparse  & $ echo 1 > /sys/kernel/mm/ksm/run  Without this patch ksmd uses 100% of the cpu for a long time (more then 1 hour in my test machine) scanning all the 32 TiB virtual address space that contain only one mapped page.  This makes ksmd essentially deadlocked not able to deduplicate anything of value.  With this patch ksmd walks only the one mapped page and skips the rest of the 32 TiB virtual address space, making the scan fast using little cpu.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68246",
                                "url": "https://ubuntu.com/security/CVE-2025-68246",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: close accepted socket when per-IP limit rejects connection  When the per-IP connection limit is exceeded in ksmbd_kthread_fn(), the code sets ret = -EAGAIN and continues the accept loop without closing the just-accepted socket. That leaks one socket per rejected attempt from a single IP and enables a trivial remote DoS.  Release client_sk before continuing.  This bug was found with ZeroPath.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40273",
                                "url": "https://ubuntu.com/security/CVE-2025-40273",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: free copynotify stateid in nfs4_free_ol_stateid()  Typically copynotify stateid is freed either when parent's stateid is being close/freed or in nfsd4_laundromat if the stateid hasn't been used in a lease period.  However, in case when the server got an OPEN (which created a parent stateid), followed by a COPY_NOTIFY using that stateid, followed by a client reboot. New client instance while doing CREATE_SESSION would force expire previous state of this client. It leads to the open state being freed thru release_openowner-> nfs4_free_ol_stateid() and it finds that it still has copynotify stateid associated with it. We currently print a warning and is triggerred  WARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd]  This patch, instead, frees the associated copynotify stateid here.  If the parent stateid is freed (without freeing the copynotify stateids associated with it), it leads to the list corruption when laundromat ends up freeing the copynotify state later.  
[ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP [ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink [ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G    B   W           6.17.0-rc7+ #22 PREEMPT(voluntary) [ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN [ 1626.857573] Hardware name: VMware, Inc. 
VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024 [ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd] [ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.861182] sp : ffff8000881d7a40 [ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200 [ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20 [ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8 [ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000 [ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065 [ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3 [ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000 [ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001 [ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000 [ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d [ 1626.868167] Call trace: [ 1626.868382]  __list_del_entry_valid_or_report+0x148/0x200 (P) [ 1626.868876]  _free_cpntf_state_locked+0xd0/0x268 [nfsd] [ 1626.869368]  nfs4_laundromat+0x6f8/0x1058 [nfsd] [ 1626.869813]  laundromat_main+0x24/0x60 [nfsd] [ 1626.870231]  process_one_work+0x584/0x1050 [ 1626.870595]  worker_thread+0x4c4/0xc60 [ 1626.870893]  kthread+0x2f8/0x398 [ 1626.871146]  ret_from_fork+0x10/0x20 [ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000) [ 1626.871892] SMP: stopping secondary CPUs",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40212",
                                "url": "https://ubuntu.com/security/CVE-2025-40212",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfsd: fix refcount leak in nfsd_set_fh_dentry()  nfsd exports a \"pseudo root filesystem\" which is used by NFSv4 to find the various exported filesystems using LOOKUP requests from a known root filehandle.  NFSv3 uses the MOUNT protocol to find those exported filesystems and so is not given access to the pseudo root filesystem.  If a v3 (or v2) client uses a filehandle from that filesystem, nfsd_set_fh_dentry() will report an error, but still stores the export in \"struct svc_fh\" even though it also drops the reference (exp_put()). This means that when fh_put() is called an extra reference will be dropped which can lead to use-after-free and possible denial of service.  Normal NFS usage will not provide a pseudo-root filehandle to a v3 client.  This bug can only be triggered by the client synthesising an incorrect filehandle.  To fix this we move the assignments to the svc_fh later, after all possible error cases have been detected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-24 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40274",
                                "url": "https://ubuntu.com/security/CVE-2025-40274",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying  When unbinding a memslot from a guest_memfd instance, remove the bindings even if the guest_memfd file is dying, i.e. even if its file refcount has gone to zero.  If the memslot is freed before the file is fully released, nullifying the memslot side of the binding in kvm_gmem_release() will write to freed memory, as detected by syzbot+KASAN:    ==================================================================   BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353   Write of size 8 at addr ffff88807befa508 by task syz.0.17/6022    CPU: 0 UID: 0 PID: 6022 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025   Call Trace:    <TASK>    dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120    print_address_description mm/kasan/report.c:378 [inline]    print_report+0xca/0x240 mm/kasan/report.c:482    kasan_report+0x118/0x150 mm/kasan/report.c:595    kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353    __fput+0x44c/0xa70 fs/file_table.c:468    task_work_run+0x1d4/0x260 kernel/task_work.c:227    resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]    exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43    exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]    syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]    syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]    do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100    entry_SYSCALL_64_after_hwframe+0x77/0x7f   RIP: 0033:0x7fbeeff8efc9    </TASK>    Allocated by task 6023:    kasan_save_stack mm/kasan/common.c:56 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:77    poison_kmalloc_redzone mm/kasan/common.c:397 
[inline]    __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414    kasan_kmalloc include/linux/kasan.h:262 [inline]    __kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5758    kmalloc_noprof include/linux/slab.h:957 [inline]    kzalloc_noprof include/linux/slab.h:1094 [inline]    kvm_set_memory_region+0x747/0xb90 virt/kvm/kvm_main.c:2104    kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154    kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:597 [inline]    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    Freed by task 6023:    kasan_save_stack mm/kasan/common.c:56 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:77    kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584    poison_slab_object mm/kasan/common.c:252 [inline]    __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284    kasan_slab_free include/linux/kasan.h:234 [inline]    slab_free_hook mm/slub.c:2533 [inline]    slab_free mm/slub.c:6622 [inline]    kfree+0x19a/0x6d0 mm/slub.c:6829    kvm_set_memory_region+0x9c4/0xb90 virt/kvm/kvm_main.c:2130    kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154    kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:597 [inline]    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f  Deliberately don't acquire filemap invalid lock when the file is dying as the lifecycle of f_mapping is outside the purview of KVM.  
Dereferencing the mapping is *probably* fine, but there's no need to invalidate anything as memslot deletion is responsible for zapping SPTEs, and the only code that can access the dying file is kvm_gmem_release(), whose core code is mutual ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68202",
                                "url": "https://ubuntu.com/security/CVE-2025-68202",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Fix unsafe locking in the scx_dump_state()  For built with CONFIG_PREEMPT_RT=y kernels, the dump_lock will be converted sleepable spinlock and not disable-irq, so the following scenarios occur:  inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. irq_work/0/27 [HC0[0]:SC0[0]:HE1:SE1] takes: (&rq->__lock){?...}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x40 {IN-HARDIRQ-W} state was registered at:    lock_acquire+0x1e1/0x510    _raw_spin_lock_nested+0x42/0x80    raw_spin_rq_lock_nested+0x2b/0x40    sched_tick+0xae/0x7b0    update_process_times+0x14c/0x1b0    tick_periodic+0x62/0x1f0    tick_handle_periodic+0x48/0xf0    timer_interrupt+0x55/0x80    __handle_irq_event_percpu+0x20a/0x5c0    handle_irq_event_percpu+0x18/0xc0    handle_irq_event+0xb5/0x150    handle_level_irq+0x220/0x460    __common_interrupt+0xa2/0x1e0    common_interrupt+0xb0/0xd0    asm_common_interrupt+0x2b/0x40    _raw_spin_unlock_irqrestore+0x45/0x80    __setup_irq+0xc34/0x1a30    request_threaded_irq+0x214/0x2f0    hpet_time_init+0x3e/0x60    x86_late_time_init+0x5b/0xb0    start_kernel+0x308/0x410    x86_64_start_reservations+0x1c/0x30    x86_64_start_kernel+0x96/0xa0    common_startup_64+0x13e/0x148   other info that might help us debug this:  Possible unsafe locking scenario:          CPU0         ----    lock(&rq->__lock);    <Interrupt>      lock(&rq->__lock);    *** DEADLOCK ***   stack backtrace:  CPU: 0 UID: 0 PID: 27 Comm: irq_work/0  Call Trace:   <TASK>   dump_stack_lvl+0x8c/0xd0   dump_stack+0x14/0x20   print_usage_bug+0x42e/0x690   mark_lock.part.44+0x867/0xa70   ? __pfx_mark_lock.part.44+0x10/0x10   ? string_nocheck+0x19c/0x310   ? number+0x739/0x9f0   ? __pfx_string_nocheck+0x10/0x10   ? __pfx_check_pointer+0x10/0x10   ? kvm_sched_clock_read+0x15/0x30   ? sched_clock_noinstr+0xd/0x20   ? local_clock_noinstr+0x1c/0xe0   __lock_acquire+0xc4b/0x62b0   ? 
__pfx_format_decode+0x10/0x10   ? __pfx_string+0x10/0x10   ? __pfx___lock_acquire+0x10/0x10   ? __pfx_vsnprintf+0x10/0x10   lock_acquire+0x1e1/0x510   ? raw_spin_rq_lock_nested+0x2b/0x40   ? __pfx_lock_acquire+0x10/0x10   ? dump_line+0x12e/0x270   ? raw_spin_rq_lock_nested+0x20/0x40   _raw_spin_lock_nested+0x42/0x80   ? raw_spin_rq_lock_nested+0x2b/0x40   raw_spin_rq_lock_nested+0x2b/0x40   scx_dump_state+0x3b3/0x1270   ? finish_task_switch+0x27e/0x840   scx_ops_error_irq_workfn+0x67/0x80   irq_work_single+0x113/0x260   irq_work_run_list.part.3+0x44/0x70   run_irq_workd+0x6b/0x90   ? __pfx_run_irq_workd+0x10/0x10   smpboot_thread_fn+0x529/0x870   ? __pfx_smpboot_thread_fn+0x10/0x10   kthread+0x305/0x3f0   ? __pfx_kthread+0x10/0x10   ret_from_fork+0x40/0x70   ? __pfx_kthread+0x10/0x10   ret_from_fork_asm+0x1a/0x30   </TASK>  This commit therefore use rq_lock_irqsave/irqrestore() to replace rq_lock/unlock() in the scx_dump_state().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68239",
                                "url": "https://ubuntu.com/security/CVE-2025-68239",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  binfmt_misc: restore write access before closing files opened by open_exec()  bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed.  However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write operations on the same file to fail.  Fix this by calling exe_file_allow_write_access() before filp_close() to restore the write permission properly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68247",
                                "url": "https://ubuntu.com/security/CVE-2025-68247",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  posix-timers: Plug potential memory leak in do_timer_create()  When posix timer creation is set to allocate a given timer ID and the access to the user space value faults, the function terminates without freeing the already allocated posix timer structure.  Move the allocation after the user space access to cure that.  [ tglx: Massaged change log ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68208",
                                "url": "https://ubuntu.com/security/CVE-2025-68208",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: account for current allocated stack depth in widen_imprecise_scalars()  The usage pattern for widen_imprecise_scalars() looks as follows:      prev_st = find_prev_entry(env, ...);     queued_st = push_stack(...);     widen_imprecise_scalars(env, prev_st, queued_st);  Where prev_st is an ancestor of the queued_st in the explored states tree. This ancestor is not guaranteed to have same allocated stack depth as queued_st. E.g. in the following case:      def main():       for i in 1..2:         foo(i)        // same callsite, differnt param      def foo(i):       if i == 1:         use 128 bytes of stack       iterator based loop  Here, for a second 'foo' call prev_st->allocated_stack is 128, while queued_st->allocated_stack is much smaller. widen_imprecise_scalars() needs to take this into account and avoid accessing bpf_verifier_state->frame[*]->stack out of bounds.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68200",
                                "url": "https://ubuntu.com/security/CVE-2025-68200",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Add bpf_prog_run_data_pointers()  syzbot found that cls_bpf_classify() is able to change tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().  WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline] WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214  struct tc_skb_cb has been added in commit ec624fe740b4 (\"net/sched: Extend qdisc control block with tc control block\"), which added a wrong interaction with db58ba459202 (\"bpf: wire in data and data_end for cls_act_bpf\").  drop_reason was added later.  Add bpf_prog_run_data_pointers() helper to save/restore the net_sched storage colliding with BPF data_meta/data_end.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40275",
                                "url": "https://ubuntu.com/security/CVE-2025-40275",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd  In snd_usb_create_streams(), for UAC version 3 devices, the Interface Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this call fails, a fallback routine attempts to obtain the IAD from the next interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, without performing a NULL check. This can lead to a NULL pointer dereference when usb_ifnum_to_if() fails to find the interface descriptor.  This patch adds a NULL pointer check after calling usb_ifnum_to_if() in snd_usb_mixer_controls_badd() to prevent the dereference.  This issue was discovered by syzkaller, which triggered the bug by sending a crafted USB device descriptor.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68242",
                                "url": "https://ubuntu.com/security/CVE-2025-68242",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS: Fix LTP test failures when timestamps are delegated  The utimes01 and utime06 tests fail when delegated timestamps are enabled, specifically in subtests that modify the atime and mtime fields using the 'nobody' user ID.  The problem can be reproduced as follow:  # echo \"/media *(rw,no_root_squash,sync)\" >> /etc/exports # export -ra # mount -o rw,nfsvers=4.2 127.0.0.1:/media /tmpdir # cd /opt/ltp # ./runltp -d /tmpdir -s utimes01 # ./runltp -d /tmpdir -s utime06  This issue occurs because nfs_setattr does not verify the inode's UID against the caller's fsuid when delegated timestamps are permitted for the inode.  This patch adds the UID check and if it does not match then the request is sent to the server for permission checking.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68243",
                                "url": "https://ubuntu.com/security/CVE-2025-68243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS: Check the TLS certificate fields in nfs_match_client()  If the TLS security policy is of type RPC_XPRTSEC_TLS_X509, then the cert_serial and privkey_serial fields need to match as well since they define the client's identity, as presented to the server.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40276",
                                "url": "https://ubuntu.com/security/CVE-2025-40276",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/panthor: Flush shmem writes before mapping buffers CPU-uncached  The shmem layer zeroes out the new pages using cached mappings, and if we don't CPU-flush we might leave dirty cachelines behind, leading to potential data leaks and/or asynchronous buffer corruption when dirty cachelines are evicted.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40277",
                                "url": "https://ubuntu.com/security/CVE-2025-40277",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE  This data originates from userspace and is used in buffer offset calculations which could potentially overflow causing an out-of-bounds access.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68206",
                                "url": "https://ubuntu.com/security/CVE-2025-68206",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_ct: add seqadj extension for natted connections  Sequence adjustment may be required for FTP traffic with PASV/EPSV modes. due to need to re-write packet payload (IP, port) on the ftp control connection. This can require changes to the TCP length and expected seq / ack_seq.  The easiest way to reproduce this issue is with PASV mode. Example ruleset: table inet ftp_nat {         ct helper ftp_helper {                 type \"ftp\" protocol tcp                 l3proto inet         }          chain prerouting {                 type filter hook prerouting priority 0; policy accept;                 tcp dport 21 ct state new ct helper set \"ftp_helper\"         } } table ip nat {         chain prerouting {                 type nat hook prerouting priority -100; policy accept;                 tcp dport 21 dnat ip prefix to ip daddr map { \t\t\t192.168.100.1 : 192.168.13.2/32 }         }          chain postrouting {                 type nat hook postrouting priority 100 ; policy accept;                 tcp sport 21 snat ip prefix to ip saddr map { \t\t\t192.168.13.2 : 192.168.100.1/32 }         } }  Note that the ftp helper gets assigned *after* the dnat setup.  The inverse (nat after helper assign) is handled by an existing check in nf_nat_setup_info() and will not show the problem.  Topoloy:   +-------------------+     +----------------------------------+  | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |  +-------------------+     +----------------------------------+                                       |                          +-----------------------+                          | Client: 192.168.100.2 |                          +-----------------------+  ftp nat changes do not work as expected in this case: Connected to 192.168.100.1. [..] ftp> epsv EPSV/EPRT on IPv4 off. 
ftp> ls 227 Entering passive mode (192,168,100,1,209,129). 421 Service not available, remote server has closed connection.  Kernel logs: Missing nfct_seqadj_ext_add() setup call WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41 [..]  __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]  nf_nat_ftp+0x142/0x280 [nf_nat_ftp]  help+0x4d1/0x880 [nf_conntrack_ftp]  nf_confirm+0x122/0x2e0 [nf_conntrack]  nf_hook_slow+0x3c/0xb0  ..  Fix this by adding the required extension when a conntrack helper is assigned to a connection that has a nat binding.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68209",
                                "url": "https://ubuntu.com/security/CVE-2025-68209",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mlx5: Fix default values in create CQ  Currently, CQs without a completion function are assigned the mlx5_add_cq_to_tasklet function by default. This is problematic since only user CQs created through the mlx5_ib driver are intended to use this function.  Additionally, all CQs that will use doorbells instead of polling for completions must call mlx5_cq_arm. However, the default CQ creation flow leaves a valid value in the CQ's arm_db field, allowing FW to send interrupts to polling-only CQs in certain corner cases.  These two factors would allow a polling-only kernel CQ to be triggered by an EQ interrupt and call a completion function intended only for user CQs, causing a null pointer exception.  Some areas in the driver have prevented this issue with one-off fixes but did not address the root cause.  This patch fixes the described issue by adding defaults to the create CQ flow. It adds a default dummy completion function to protect against null pointer exceptions, and it sets an invalid command sequence number by default in kernel CQs to prevent the FW from sending an interrupt to the CQ until it is armed. User CQs are responsible for their own initialization values.  Callers of mlx5_core_create_cq are responsible for changing the completion function and arming the CQ per their needs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40278",
                                "url": "https://ubuntu.com/security/CVE-2025-40278",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak  Fix a KMSAN kernel-infoleak detected  by the syzbot .  [net?] KMSAN: kernel-infoleak in __skb_datagram_iter  In tcf_ife_dump(), the variable 'opt' was partially initialized using a designatied initializer. While the padding bytes are reamined uninitialized. nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace.  Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to beign copied.  This change silences the KMSAN report and prevents potential information leaks from the kernel memory.  This fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures no infoleak.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40279",
                                "url": "https://ubuntu.com/security/CVE-2025-40279",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: act_connmark: initialize struct tc_ife to fix kernel leak  In tcf_connmark_dump(), the variable 'opt' was partially initialized using a designatied initializer. While the padding bytes are reamined uninitialized. nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace.  Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to beign copied.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40280",
                                "url": "https://ubuntu.com/security/CVE-2025-40280",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tipc: Fix use-after-free in tipc_mon_reinit_self().  syzbot reported use-after-free of tipc_net(net)->monitors[] in tipc_mon_reinit_self(). [0]  The array is protected by RTNL, but tipc_mon_reinit_self() iterates over it without RTNL.  tipc_mon_reinit_self() is called from tipc_net_finalize(), which is always under RTNL except for tipc_net_finalize_work().  Let's hold RTNL in tipc_net_finalize_work().  [0]: BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162 Read of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989  CPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Workqueue: events tipc_net_finalize_work Call Trace:  <TASK>  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0xca/0x240 mm/kasan/report.c:482  kasan_report+0x118/0x150 mm/kasan/report.c:595  __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568  kasan_check_byte include/linux/kasan.h:399 [inline]  lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842  __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]  _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162  rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline]  rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline]  rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244  rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243  write_lock_bh include/linux/rwlock_rt.h:99 [inline]  tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718  tipc_net_finalize+0x115/0x190 net/tipc/net.c:140  process_one_work kernel/workqueue.c:3236 [inline]  
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400  kthread+0x70e/0x8a0 kernel/kthread.c:463  ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 6089:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:388 [inline]  __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405  kasan_kmalloc include/linux/kasan.h:260 [inline]  __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407  kmalloc_noprof include/linux/slab.h:905 [inline]  kzalloc_noprof include/linux/slab.h:1039 [inline]  tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657  tipc_enable_bearer net/tipc/bearer.c:357 [inline]  __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047  __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline]  tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393  tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline]  tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321  genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115  genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]  genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210  netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552  genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219  netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]  netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346  netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896  sock_sendmsg_nosec net/socket.c:714 [inline]  __sock_sendmsg+0x21c/0x270 net/socket.c:729  ____sys_sendmsg+0x508/0x820 net/socket.c:2614  ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668  __sys_sendmsg net/socket.c:2700 [inline]  __do_sys_sendmsg net/socket.c:2705 [inline]  __se_sys_sendmsg net/socket.c:2703 [inline]  __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703  do_syscall_x64 
arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/ ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40281",
                                "url": "https://ubuntu.com/security/CVE-2025-40281",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto  syzbot reported a possible shift-out-of-bounds [1]  Blamed commit added rto_alpha_max and rto_beta_max set to 1000.  It is unclear if some sctp users are setting very large rto_alpha and/or rto_beta.  In order to prevent user regression, perform the test at run time.  Also add READ_ONCE() annotations as sysctl values can change under us.  [1]  UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41 shift exponent 64 is too large for 32-bit type 'unsigned int' CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace:  <TASK>   __dump_stack lib/dump_stack.c:94 [inline]   dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120   ubsan_epilogue lib/ubsan.c:233 [inline]   __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494   sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509   sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502   sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338   sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]   sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40282",
                                "url": "https://ubuntu.com/security/CVE-2025-40282",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: 6lowpan: reset link-local header on ipv6 recv path  Bluetooth 6lowpan.c netdev has header_ops, so it must set link-local header for RX skb, otherwise things crash, eg. with AF_PACKET SOCK_RAW  Add missing skb_reset_mac_header() for uncompressed ipv6 RX path.  For the compressed one, it is done in lowpan_header_decompress().  Log: (BlueZ 6lowpan-tester Client Recv Raw - Success) ------ kernel BUG at net/core/skbuff.c:212! Call Trace: <IRQ> ... packet_rcv (net/packet/af_packet.c:2152) ... <TASK> __local_bh_enable_ip (kernel/softirq.c:407) netif_rx (net/core/dev.c:5648) chan_recv_cb (net/bluetooth/6lowpan.c:294 net/bluetooth/6lowpan.c:359) ------",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40283",
                                "url": "https://ubuntu.com/security/CVE-2025-40283",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF  There is a KASAN: slab-use-after-free read in btusb_disconnect(). Calling \"usb_driver_release_interface(&btusb_driver, data->intf)\" will free the btusb data associated with the interface. The same data is then used later in the function, hence the UAF.  Fix by moving the accesses to btusb data to before the data is free'd.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40284",
                                "url": "https://ubuntu.com/security/CVE-2025-40284",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: cancel mesh send timer when hdev removed  mesh_send_done timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone.  Cancel the timer when MGMT removes the hdev, like other MGMT timers.  Should fix the BUG: sporadically seen by BlueZ test bot (in \"Mesh - Send cancel - 1\" test).  Log: ------ BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0 ... Freed by task 36:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  __kasan_save_free_info+0x3a/0x60  __kasan_slab_free+0x43/0x70  kfree+0x103/0x500  device_release+0x9a/0x210  kobject_put+0x100/0x1e0  vhci_release+0x18b/0x240 ------",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68210",
                                "url": "https://ubuntu.com/security/CVE-2025-68210",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: avoid infinite loop due to incomplete zstd-compressed data  Currently, the decompression logic incorrectly spins if compressed data is truncated in crafted (deliberately corrupted) images.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40285",
                                "url": "https://ubuntu.com/security/CVE-2025-40285",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/server: fix possible refcount leak in smb2_sess_setup()  Reference count of ksmbd_session will leak when session need reconnect. Fix this by adding the missing ksmbd_user_session_put().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40286",
                                "url": "https://ubuntu.com/security/CVE-2025-40286",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/server: fix possible memory leak in smb2_read()  Memory leak occurs when ksmbd_vfs_read() fails. Fix this by adding the missing kvfree().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40287",
                                "url": "https://ubuntu.com/security/CVE-2025-40287",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exfat: fix improper check of dentry.stream.valid_size  We found an infinite loop bug in the exFAT file system that can lead to a Denial-of-Service (DoS) condition. When a dentry in an exFAT filesystem is malformed, the following system calls — SYS_openat, SYS_ftruncate, and SYS_pwrite64 — can cause the kernel to hang.  Root cause analysis shows that the size validation code in exfat_find() does not check whether dentry.stream.valid_size is negative. As a result, the system calls mentioned above can succeed and eventually trigger the DoS issue.  This patch adds a check for negative dentry.stream.valid_size to prevent this vulnerability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40288",
                                "url": "https://ubuntu.com/security/CVE-2025-40288",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices  Previously, APU platforms (and other scenarios with uninitialized VRAM managers) triggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root cause is not that the `struct ttm_resource_manager *man` pointer itself is NULL, but that `man->bdev` (the backing device pointer within the manager) remains uninitialized (NULL) on APUs—since APUs lack dedicated VRAM and do not fully set up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to acquire `man->bdev->lru_lock`, it dereferences the NULL `man->bdev`, leading to a kernel OOPS.  1. **amdgpu_cs.c**: Extend the existing bandwidth control check in    `amdgpu_cs_get_threshold_for_moves()` to include a check for    `ttm_resource_manager_used()`. If the manager is not used (uninitialized    `bdev`), return 0 for migration thresholds immediately—skipping VRAM-specific    logic that would trigger the NULL dereference.  2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info    reporting to use a conditional: if the manager is used, return the real VRAM    usage; otherwise, return 0. This avoids accessing `man->bdev` when it is    NULL.  3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function)    data write path. Use `ttm_resource_manager_used()` to check validity: if the    manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set    `fb_usage` to 0 (APUs have no discrete framebuffer to report).  
This approach is more robust than APU-specific checks because it: - Works for all scenarios where the VRAM manager is uninitialized (not just APUs), - Aligns with TTM's design by using its native helper function, - Preserves correct behavior for discrete GPUs (which have fully initialized   `man->bdev` and pass the `ttm_resource_manager_used()` check).  v4: use ttm_resource_manager_used(&adev->mman.vram_mgr.manager) instead of checking the adev->gmc.is_app_apu flag (Christian)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40289",
                                "url": "https://ubuntu.com/security/CVE-2025-40289",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM  Otherwise accessing them can cause a crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68201",
                                "url": "https://ubuntu.com/security/CVE-2025-68201",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: remove two invalid BUG_ON()s  Those can be triggered trivially by userspace.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68207",
                                "url": "https://ubuntu.com/security/CVE-2025-68207",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Synchronize Dead CT worker with unbind  Cancel and wait for any Dead CT worker to complete before continuing with device unbinding. Else the worker will end up using resources freed by the undind operation.  (cherry picked from commit 492671339114e376aaa38626d637a2751cdef263)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68244",
                                "url": "https://ubuntu.com/security/CVE-2025-68244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD  On completion of i915_vma_pin_ww(), a synchronous variant of dma_fence_work_commit() is called.  When pinning a VMA to GGTT address space on a Cherry View family processor, or on a Broxton generation SoC with VTD enabled, i.e., when stop_machine() is then called from intel_ggtt_bind_vma(), that can potentially lead to lock inversion among reservation_ww and cpu_hotplug locks.  [86.861179] ====================================================== [86.861193] WARNING: possible circular locking dependency detected [86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G     U [86.861226] ------------------------------------------------------ [86.861238] i915_module_loa/1432 is trying to acquire lock: [86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50 [86.861290] but task is already holding lock: [86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915] [86.862233] which lock already depends on the new lock. 
[86.862251] the existing dependency chain (in reverse order) is: [86.862265] -> #5 (reservation_ww_class_mutex){+.+.}-{3:3}: [86.862292]        dma_resv_lockdep+0x19a/0x390 [86.862315]        do_one_initcall+0x60/0x3f0 [86.862334]        kernel_init_freeable+0x3cd/0x680 [86.862353]        kernel_init+0x1b/0x200 [86.862369]        ret_from_fork+0x47/0x70 [86.862383]        ret_from_fork_asm+0x1a/0x30 [86.862399] -> #4 (reservation_ww_class_acquire){+.+.}-{0:0}: [86.862425]        dma_resv_lockdep+0x178/0x390 [86.862440]        do_one_initcall+0x60/0x3f0 [86.862454]        kernel_init_freeable+0x3cd/0x680 [86.862470]        kernel_init+0x1b/0x200 [86.862482]        ret_from_fork+0x47/0x70 [86.862495]        ret_from_fork_asm+0x1a/0x30 [86.862509] -> #3 (&mm->mmap_lock){++++}-{3:3}: [86.862531]        down_read_killable+0x46/0x1e0 [86.862546]        lock_mm_and_find_vma+0xa2/0x280 [86.862561]        do_user_addr_fault+0x266/0x8e0 [86.862578]        exc_page_fault+0x8a/0x2f0 [86.862593]        asm_exc_page_fault+0x27/0x30 [86.862607]        filldir64+0xeb/0x180 [86.862620]        kernfs_fop_readdir+0x118/0x480 [86.862635]        iterate_dir+0xcf/0x2b0 [86.862648]        __x64_sys_getdents64+0x84/0x140 [86.862661]        x64_sys_call+0x1058/0x2660 [86.862675]        do_syscall_64+0x91/0xe90 [86.862689]        entry_SYSCALL_64_after_hwframe+0x76/0x7e [86.862703] -> #2 (&root->kernfs_rwsem){++++}-{3:3}: [86.862725]        down_write+0x3e/0xf0 [86.862738]        kernfs_add_one+0x30/0x3c0 [86.862751]        kernfs_create_dir_ns+0x53/0xb0 [86.862765]        internal_create_group+0x134/0x4c0 [86.862779]        sysfs_create_group+0x13/0x20 [86.862792]        topology_add_dev+0x1d/0x30 [86.862806]        cpuhp_invoke_callback+0x4b5/0x850 [86.862822]        cpuhp_issue_call+0xbf/0x1f0 [86.862836]        __cpuhp_setup_state_cpuslocked+0x111/0x320 [86.862852]        __cpuhp_setup_state+0xb0/0x220 [86.862866]        topology_sysfs_init+0x30/0x50 [86.862879]        
do_one_initcall+0x60/0x3f0 [86.862893]        kernel_init_freeable+0x3cd/0x680 [86.862908]        kernel_init+0x1b/0x200 [86.862921]        ret_from_fork+0x47/0x70 [86.862934]        ret_from_fork_asm+0x1a/0x30 [86.862947] -> #1 (cpuhp_state_mutex){+.+.}-{3:3}: [86.862969]        __mutex_lock+0xaa/0xed0 [86.862982]        mutex_lock_nested+0x1b/0x30 [86.862995]        __cpuhp_setup_state_cpuslocked+0x67/0x320 [86.863012]        __cpuhp_setup_state+0xb0/0x220 [86.863026]        page_alloc_init_cpuhp+0x2d/0x60 [86.863041]        mm_core_init+0x22/0x2d0 [86.863054]        start_kernel+0x576/0xbd0 [86.863068]        x86_64_start_reservations+0x18/0x30 [86.863084]        x86_64_start_kernel+0xbf/0x110 [86.863098]        common_startup_64+0x13e/0x141 [86.863114] -> #0 (cpu_hotplug_lock){++++}-{0:0}: [86.863135]        __lock_acquire+0x16 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68316",
                                "url": "https://ubuntu.com/security/CVE-2025-68316",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: ufs: core: Fix invalid probe error return value  After DME Link Startup, the error return value is set to the MIPI UniPro GenericErrorCode which can be 0 (SUCCESS) or 1 (FAILURE).  Upon failure during driver probe, the error code 1 is propagated back to the driver probe function which must return a negative value to indicate an error, but 1 is not negative, so the probe is considered to be successful even though it failed.  Subsequently, removing the driver results in an oops because it is not in a valid state.  This happens because none of the callers of ufshcd_init() expect a non-negative error code.  Fix the return value and documentation to match actual usage.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40292",
                                "url": "https://ubuntu.com/security/CVE-2025-40292",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: fix received length check in big packets  Since commit 4959aebba8c0 (\"virtio-net: use mtu size as buffer length for big packets\"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi->big_packets_num_skbfrags.  Because the host announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce incorrect length), we need a check in virtio_net receive path. Currently, the check is not adapted to the new change which can lead to NULL page pointer dereference in the below while loop when receiving length that is larger than the allocated one.  This commit fixes the received length check corresponding to the new change.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68180",
                                "url": "https://ubuntu.com/security/CVE-2025-68180",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Fix NULL deref in debugfs odm_combine_segments  When a connector is connected but inactive (e.g., disabled by desktop environments), pipe_ctx->stream_res.tg will be destroyed. Then, reading odm_combine_segments causes kernel NULL pointer dereference.   BUG: kernel NULL pointer dereference, address: 0000000000000000  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  PGD 0 P4D 0  Oops: Oops: 0000 [#1] SMP NOPTI  CPU: 16 UID: 0 PID: 26474 Comm: cat Not tainted 6.17.0+ #2 PREEMPT(lazy) e6a17af9ee6db7c63e9d90dbe5b28ccab67520c6  Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN25WW 03/27/2025  RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]  Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>  RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286  RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8  RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000  RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0  R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08  R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001  FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0  PKRU: 55555554  Call Trace:   <TASK>   seq_read_iter+0x125/0x490   ? __alloc_frozen_pages_noprof+0x18f/0x350   seq_read+0x12c/0x170   full_proxy_read+0x51/0x80   vfs_read+0xbc/0x390   ? __handle_mm_fault+0xa46/0xef0   ? do_syscall_64+0x71/0x900   ksys_read+0x73/0xf0   do_syscall_64+0x71/0x900   ? count_memcg_events+0xc2/0x190   ? handle_mm_fault+0x1d7/0x2d0   ? do_user_addr_fault+0x21a/0x690   ? 
exc_page_fault+0x7e/0x1a0   entry_SYSCALL_64_after_hwframe+0x6c/0x74  RIP: 0033:0x7f44d4031687  Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00>  RSP: 002b:00007ffdb4b5f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000  RAX: ffffffffffffffda RBX: 00007f44d3f9f740 RCX: 00007f44d4031687  RDX: 0000000000040000 RSI: 00007f44d3f5e000 RDI: 0000000000000003  RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000  R10: 0000000000000000 R11: 0000000000000202 R12: 00007f44d3f5e000  R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000040000   </TASK>  Modules linked in: tls tcp_diag inet_diag xt_mark ccm snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device x>   snd_hda_codec_atihdmi snd_hda_codec_realtek_lib lenovo_wmi_helpers think_lmi snd_hda_codec_generic snd_hda_codec_hdmi snd_soc_core kvm snd_compress uvcvideo sn>   platform_profile joydev amd_pmc mousedev mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics loop nfnetlink ip_tables x_tables dm_cryp>  CR2: 0000000000000000  ---[ end trace 0000000000000000 ]---  RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]  Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>  RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286  RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8  RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000  RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0  R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08  R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001  FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000000 CR3: 00000006485c2000 
CR4: 0000000000f50ef0  PKRU: 55555554  Fix this by checking pipe_ctx-> ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40327",
                                "url": "https://ubuntu.com/security/CVE-2025-40327",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/core: Fix system hang caused by cpu-clock usage  cpu-clock usage by the async-profiler tool can trigger a system hang, which got bisected back to the following commit by Octavia Togami:    18dbcbfabfff (\"perf: Fix the POLL_HUP delivery breakage\") causes this issue  The root cause of the hang is that cpu-clock is a special type of SW event which relies on hrtimers. The __perf_event_overflow() callback is invoked from the hrtimer handler for cpu-clock events, and __perf_event_overflow() tries to call cpu_clock_event_stop() to stop the event, which calls htimer_cancel() to cancel the hrtimer.  But that's a recursion into the hrtimer code from a hrtimer handler, which (unsurprisingly) deadlocks.  To fix this bug, use hrtimer_try_to_cancel() instead, and set the PERF_HES_STOPPED flag, which causes perf_swevent_hrtimer() to stop the event once it sees the PERF_HES_STOPPED flag.  [ mingo: Fixed the comments and improved the changelog. ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40328",
                                "url": "https://ubuntu.com/security/CVE-2025-40328",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix potential UAF in smb2_close_cached_fid()  find_or_create_cached_dir() could grab a new reference after kref_put() had seen the refcount drop to zero but before cfid_list_lock is acquired in smb2_close_cached_fid(), leading to use-after-free.  Switch to kref_put_lock() so cfid_release() is called with cfid_list_lock held, closing that gap.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40291",
                                "url": "https://ubuntu.com/security/CVE-2025-40291",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring: fix regbuf vector size truncation  There is a report of io_estimate_bvec_size() truncating the calculated number of segments that leads to corruption issues. Check it doesn't overflow \"int\"s used later. Rough but simple, can be improved on top.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68322",
                                "url": "https://ubuntu.com/security/CVE-2025-68322",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  parisc: Avoid crash due to unaligned access in unwinder  Guenter Roeck reported this kernel crash on his emulated B160L machine:  Starting network: udhcpc: started, v1.36.1  Backtrace:   [<104320d4>] unwind_once+0x1c/0x5c   [<10434a00>] walk_stackframe.isra.0+0x74/0xb8   [<10434a6c>] arch_stack_walk+0x28/0x38   [<104e5efc>] stack_trace_save+0x48/0x5c   [<105d1bdc>] set_track_prepare+0x44/0x6c   [<105d9c80>] ___slab_alloc+0xfc4/0x1024   [<105d9d38>] __slab_alloc.isra.0+0x58/0x90   [<105dc80c>] kmem_cache_alloc_noprof+0x2ac/0x4a0   [<105b8e54>] __anon_vma_prepare+0x60/0x280   [<105a823c>] __vmf_anon_prepare+0x68/0x94   [<105a8b34>] do_wp_page+0x8cc/0xf10   [<105aad88>] handle_mm_fault+0x6c0/0xf08   [<10425568>] do_page_fault+0x110/0x440   [<10427938>] handle_interruption+0x184/0x748   [<11178398>] schedule+0x4c/0x190   BUG: spinlock recursion on CPU#0, ifconfig/2420   lock: terminate_lock.2+0x0/0x1c, .magic: dead4ead, .owner: ifconfig/2420, .owner_cpu: 0  While creating the stack trace, the unwinder uses the stack pointer to guess the previous frame to read the previous stack pointer from memory.  The crash happens, because the unwinder tries to read from unaligned memory and as such triggers the unalignment trap handler which then leads to the spinlock recursion and finally to a deadlock.  Fix it by checking the alignment before accessing the memory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40293",
                                "url": "https://ubuntu.com/security/CVE-2025-40293",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iommufd: Don't overflow during division for dirty tracking  If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow to 0 and this triggers divide by 0.  In this case the index should just be 0, so reorganize things to divide by shift and avoid hitting any overflows.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40294",
                                "url": "https://ubuntu.com/security/CVE-2025-40294",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()  In the parse_adv_monitor_pattern() function, the value of the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251). The size of the 'value' array in the mgmt_adv_pattern structure is 31. If the value of 'pattern[i].length' is set in the user space and exceeds 31, the 'patterns[i].value' array can be accessed out of bound when copied.  Increasing the size of the 'value' array in the 'mgmt_adv_pattern' structure will break the userspace. Considering this, and to avoid OOB access revert the limits for 'offset' and 'length' back to the value of HCI_MAX_AD_LENGTH.  Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40329",
                                "url": "https://ubuntu.com/security/CVE-2025-40329",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb  The Mesa issue referenced below pointed out a possible deadlock:  [ 1231.611031]  Possible interrupt unsafe locking scenario:  [ 1231.611033]        CPU0                    CPU1 [ 1231.611034]        ----                    ---- [ 1231.611035]   lock(&xa->xa_lock#17); [ 1231.611038]                                local_irq_disable(); [ 1231.611039]                                lock(&fence->lock); [ 1231.611041]                                lock(&xa->xa_lock#17); [ 1231.611044]   <Interrupt> [ 1231.611045]     lock(&fence->lock); [ 1231.611047]                 *** DEADLOCK ***  In this example, CPU0 would be any function accessing job->dependencies through the xa_* functions that don't disable interrupts (eg: drm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()).  CPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling callback so in an interrupt context. It will deadlock when trying to grab the xa_lock which is already held by CPU0.  Replacing all xa_* usage by their xa_*_irq counterparts would fix this issue, but Christian pointed out another issue: dma_fence_signal takes fence.lock and so does dma_fence_add_callback.    dma_fence_signal() // locks f1.lock   -> drm_sched_entity_kill_jobs_cb()   -> foreach dependencies      -> dma_fence_add_callback() // locks f2.lock  This will deadlock if f1 and f2 share the same spinlock.  To fix both issues, the code iterating on dependencies and re-arming them is moved out to drm_sched_entity_kill_jobs_work().  [phasta: commit message nits]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40295",
                                "url": "https://ubuntu.com/security/CVE-2025-40295",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT  When simulating an nvme device on qemu with both logical_block_size and physical_block_size set to 8 KiB, an error trace appears during partition table reading at boot time. The issue is caused by inode->i_blkbits being larger than PAGE_SHIFT, which leads to a left shift of -1 and triggering a UBSAN warning.  [    2.697306] ------------[ cut here ]------------ [    2.697309] UBSAN: shift-out-of-bounds in fs/crypto/inline_crypt.c:336:37 [    2.697311] shift exponent -1 is negative [    2.697315] CPU: 3 UID: 0 PID: 274 Comm: (udev-worker) Not tainted 6.18.0-rc2+ #34 PREEMPT(voluntary) [    2.697317] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [    2.697320] Call Trace: [    2.697324]  <TASK> [    2.697325]  dump_stack_lvl+0x76/0xa0 [    2.697340]  dump_stack+0x10/0x20 [    2.697342]  __ubsan_handle_shift_out_of_bounds+0x1e3/0x390 [    2.697351]  bh_get_inode_and_lblk_num.cold+0x12/0x94 [    2.697359]  fscrypt_set_bio_crypt_ctx_bh+0x44/0x90 [    2.697365]  submit_bh_wbc+0xb6/0x190 [    2.697370]  block_read_full_folio+0x194/0x270 [    2.697371]  ? __pfx_blkdev_get_block+0x10/0x10 [    2.697375]  ? __pfx_blkdev_read_folio+0x10/0x10 [    2.697377]  blkdev_read_folio+0x18/0x30 [    2.697379]  filemap_read_folio+0x40/0xe0 [    2.697382]  filemap_get_pages+0x5ef/0x7a0 [    2.697385]  ? mmap_region+0x63/0xd0 [    2.697389]  filemap_read+0x11d/0x520 [    2.697392]  blkdev_read_iter+0x7c/0x180 [    2.697393]  vfs_read+0x261/0x390 [    2.697397]  ksys_read+0x71/0xf0 [    2.697398]  __x64_sys_read+0x19/0x30 [    2.697399]  x64_sys_call+0x1e88/0x26a0 [    2.697405]  do_syscall_64+0x80/0x670 [    2.697410]  ? __x64_sys_newfstat+0x15/0x20 [    2.697414]  ? x64_sys_call+0x204a/0x26a0 [    2.697415]  ? 
do_syscall_64+0xb8/0x670 [    2.697417]  ? irqentry_exit_to_user_mode+0x2e/0x2a0 [    2.697420]  ? irqentry_exit+0x43/0x50 [    2.697421]  ? exc_page_fault+0x90/0x1b0 [    2.697422]  entry_SYSCALL_64_after_hwframe+0x76/0x7e [    2.697425] RIP: 0033:0x75054cba4a06 [    2.697426] Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 [    2.697427] RSP: 002b:00007fff973723a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000 [    2.697430] RAX: ffffffffffffffda RBX: 00005ea9a2c02760 RCX: 000075054cba4a06 [    2.697432] RDX: 0000000000002000 RSI: 000075054c190000 RDI: 000000000000001b [    2.697433] RBP: 00007fff973723c0 R08: 0000000000000000 R09: 0000000000000000 [    2.697434] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 [    2.697434] R13: 00005ea9a2c027c0 R14: 00005ea9a2be5608 R15: 00005ea9a2be55f0 [    2.697436]  </TASK> [    2.697436] ---[ end trace ]---  This situation can happen for block devices because when CONFIG_TRANSPARENT_HUGEPAGE is enabled, the maximum logical_block_size is 64 KiB. set_init_blocksize() then sets the block device inode->i_blkbits to 13, which is within this limit.  File I/O does not trigger this problem because for filesystems that do not support the FS_LBS feature, sb_set_blocksize() prevents sb->s_blocksize_bits from being larger than PAGE_SHIFT. During inode allocation, alloc_inode()->inode_init_always() assigns inode->i_blkbits from sb->s_blocksize_bits. Currently, only xfs_fs_type has the FS_LBS flag, and since xfs I/O paths do not reach submit_bh_wbc(), it does not hit the left-shift underflow issue.  [EB: use folio_pos() and consolidate the two shifts by i_blkbits]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40296",
                                "url": "https://ubuntu.com/security/CVE-2025-40296",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/x86: int3472: Fix double free of GPIO device during unregister  regulator_unregister() already frees the associated GPIO device. On ThinkPad X9 (Lunar Lake), this causes a double free issue that leads to random failures when other drivers (typically Intel THC) attempt to allocate interrupts. The root cause is that the reference count of the pinctrl_intel_platform module unexpectedly drops to zero when this driver defers its probe.  This behavior can also be reproduced by unloading the module directly.  Fix the issue by removing the redundant release of the GPIO device during regulator unregistration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40297",
                                "url": "https://ubuntu.com/security/CVE-2025-40297",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: bridge: fix use-after-free due to MST port state bypass  syzbot reported[1] a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its fdbs have been flushed. The port's state has been toggled to disabled so no learning should happen at that time, but if we have MST enabled, it will bypass the port's state, that together with VLAN filtering disabled can lead to fdb learning at a time when it shouldn't happen while the port is being deleted. VLAN filtering must be disabled because we flush the port VLANs when it's being deleted which will stop learning. This fix adds a check for the port's vlan group which is initialized to NULL when the port is getting deleted, that avoids the port state bypass. When MST is enabled there would be a minimal new overhead in the fast-path because the port's vlan group pointer is cache-hot.  [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68320",
                                "url": "https://ubuntu.com/security/CVE-2025-68320",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lan966x: Fix sleeping in atomic context  The following warning was seen when we try to connect using ssh to the device.  BUG: sleeping function called from invalid context at kernel/locking/mutex.c:575 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbear preempt_count: 1, expected: 0 INFO: lockdep is turned off. CPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G        W          6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONE Tainted: [W]=WARN Hardware name: Generic DT based system Call trace:  unwind_backtrace from show_stack+0x10/0x14  show_stack from dump_stack_lvl+0x7c/0xac  dump_stack_lvl from __might_resched+0x16c/0x2b0  __might_resched from __mutex_lock+0x64/0xd34  __mutex_lock from mutex_lock_nested+0x1c/0x24  mutex_lock_nested from lan966x_stats_get+0x5c/0x558  lan966x_stats_get from dev_get_stats+0x40/0x43c  dev_get_stats from dev_seq_printf_stats+0x3c/0x184  dev_seq_printf_stats from dev_seq_show+0x10/0x30  dev_seq_show from seq_read_iter+0x350/0x4ec  seq_read_iter from seq_read+0xfc/0x194  seq_read from proc_reg_read+0xac/0x100  proc_reg_read from vfs_read+0xb0/0x2b0  vfs_read from ksys_read+0x6c/0xec  ksys_read from ret_fast_syscall+0x0/0x1c Exception stack(0xf0b11fa8 to 0xf0b11ff0) 1fa0:                   00000001 00001000 00000008 be9048d8 00001000 00000001 1fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 00000001 1fe0: 0005404c be9048c0 00018684 b6ec2cd8  It seems that we are using a mutex in a atomic context which is wrong. Change the mutex with a spinlock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68169",
                                "url": "https://ubuntu.com/security/CVE-2025-68169",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netpoll: Fix deadlock in memory allocation under spinlock  Fix a AA deadlock in refill_skbs() where memory allocation while holding skb_pool->lock can trigger a recursive lock acquisition attempt.  The deadlock scenario occurs when the system is under severe memory pressure:  1. refill_skbs() acquires skb_pool->lock (spinlock) 2. alloc_skb() is called while holding the lock 3. Memory allocator fails and calls slab_out_of_memory() 4. This triggers printk() for the OOM warning 5. The console output path calls netpoll_send_udp() 6. netpoll_send_udp() attempts to acquire the same skb_pool->lock 7. Deadlock: the lock is already held by the same CPU  Call stack:   refill_skbs()     spin_lock_irqsave(&skb_pool->lock)    <- lock acquired     __alloc_skb()       kmem_cache_alloc_node_noprof()         slab_out_of_memory()           printk()             console_flush_all()               netpoll_send_udp()                 skb_dequeue()                   spin_lock_irqsave(&skb_pool->lock)     <- deadlock attempt  This bug was exposed by commit 248f6571fd4c51 (\"netpoll: Optimize skb refilling on critical path\") which removed refill_skbs() from the critical path (where nested printk was being deferred), letting nested printk being called from inside refill_skbs()  Refactor refill_skbs() to never allocate memory while holding the spinlock.  Another possible solution to fix this problem is protecting the refill_skbs() from nested printks, basically calling printk_deferred_{enter,exit}() in refill_skbs(), then, any nested pr_warn() would be deferred.  I prefer this approach, given I _think_ it might be a good idea to move the alloc_skb() from GFP_ATOMIC to GFP_KERNEL in the future, so, having the alloc_skb() outside of the lock will be necessary step.  
There is a possible TOCTOU issue when checking for the pool length, and queueing the new allocated skb, but, this is not an issue, given that an extra SKB in the pool is harmless and it will be eventually used.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68197",
                                "url": "https://ubuntu.com/security/CVE-2025-68197",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()  With older FW, we may get the ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER for FW trace data type that has not been initialized.  This will result in a crash in bnxt_bs_trace_type_wrap().  Add a guard to check for a valid magic_byte pointer before proceeding.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40330",
                                "url": "https://ubuntu.com/security/CVE-2025-40330",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Shutdown FW DMA in bnxt_shutdown()  The netif_close() call in bnxt_shutdown() only stops packet DMA.  There may be FW DMA for trace logging (recently added) that will continue.  If we kexec to a new kernel, the DMA will corrupt memory in the new kernel.  Add bnxt_hwrm_func_drv_unrgtr() to unregister the driver from the FW. This will stop the FW DMA.  In case the call fails, call pcie_flr() to reset the function and stop the DMA.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68192",
                                "url": "https://ubuntu.com/security/CVE-2025-68192",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup  Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. This can trigger kernel panics on ARM64 when xfrm or other subsystems access the offset due to strict alignment checks.  Initialize the MAC header to prevent such crashes.  This can trigger kernel panics on ARM when running IPsec over the qmimux0 interface.  Example trace:      Internal error: Oops: 000000009600004f [#1] SMP     CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1     Hardware name: LS1028A RDB Board (DT)     pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)     pc : xfrm_input+0xde8/0x1318     lr : xfrm_input+0x61c/0x1318     sp : ffff800080003b20     Call trace:      xfrm_input+0xde8/0x1318      xfrm6_rcv+0x38/0x44      xfrm6_esp_rcv+0x48/0xa8      ip6_protocol_deliver_rcu+0x94/0x4b0      ip6_input_finish+0x44/0x70      ip6_input+0x44/0xc0      ipv6_rcv+0x6c/0x114      __netif_receive_skb_one_core+0x5c/0x8c      __netif_receive_skb+0x18/0x60      process_backlog+0x78/0x17c      __napi_poll+0x38/0x180      net_rx_action+0x168/0x2f0",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40331",
                                "url": "https://ubuntu.com/security/CVE-2025-40331",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: Prevent TOCTOU out-of-bounds write  For the following path not holding the sock lock,    sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()  make sure not to exceed bounds in case the address list has grown between buffer allocation (time-of-check) and write (time-of-use).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68187",
                                "url": "https://ubuntu.com/security/CVE-2025-68187",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: mdio: Check regmap pointer returned by device_node_to_regmap()  The call to device_node_to_regmap() in airoha_mdio_probe() can return an ERR_PTR() if regmap initialization fails. Currently, the driver stores the pointer without validation, which could lead to a crash if it is later dereferenced.  Add an IS_ERR() check and return the corresponding error code to make the probe path more robust.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68167",
                                "url": "https://ubuntu.com/security/CVE-2025-68167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gpiolib: fix invalid pointer access in debugfs  If the memory allocation in gpiolib_seq_start() fails, the s->private field remains uninitialized and is later dereferenced without checking in gpiolib_seq_stop(). Initialize s->private to NULL before calling kzalloc() and check it before dereferencing it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68319",
                                "url": "https://ubuntu.com/security/CVE-2025-68319",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netconsole: Acquire su_mutex before navigating configs hierarchy  There is a race between operations that iterate over the userdata cg_children list and concurrent add/remove of userdata items through configfs. The update_userdata() function iterates over the nt->userdata_group.cg_children list, and count_extradata_entries() also iterates over this same list to count nodes.  Quoting from Documentation/filesystems/configfs.rst: > A subsystem can navigate the cg_children list and the ci_parent pointer > to see the tree created by the subsystem.  This can race with configfs' > management of the hierarchy, so configfs uses the subsystem mutex to > protect modifications.  Whenever a subsystem wants to navigate the > hierarchy, it must do so under the protection of the subsystem > mutex.  Without proper locking, if a userdata item is added or removed concurrently while these functions are iterating, the list can be accessed in an inconsistent state. For example, the list_for_each() loop can reach a node that is being removed from the list by list_del_init() which sets the nodes' .next pointer to point to itself, so the loop will never end (or reach the WARN_ON_ONCE in update_userdata() ).  Fix this by holding the configfs subsystem mutex (su_mutex) during all operations that iterate over cg_children. This includes: - userdatum_value_store() which calls update_userdata() to iterate over   cg_children - All sysdata_*_enabled_store() functions which call   count_extradata_entries() to iterate over cg_children  The su_mutex must be acquired before dynamic_netconsole_mutex to avoid potential lock ordering issues, as configfs operations may already hold su_mutex when calling into our code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40298",
                                "url": "https://ubuntu.com/security/CVE-2025-40298",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: Implement settime64 with -EOPNOTSUPP  ptp_clock_settime() assumes every ptp_clock has implemented settime64(). Stub it with -EOPNOTSUPP to prevent a NULL dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40299",
                                "url": "https://ubuntu.com/security/CVE-2025-40299",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: Implement gettimex64 with -EOPNOTSUPP  gve implemented a ptp_clock for sole use of do_aux_work at this time. ptp_clock_gettime() and ptp_sys_offset() assume every ptp_clock has implemented either gettimex64 or gettime64. Stub gettimex64 and return -EOPNOTSUPP to prevent NULL dereferencing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40301",
                                "url": "https://ubuntu.com/security/CVE-2025-40301",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: validate skb length for unknown CC opcode  In hci_cmd_complete_evt(), if the command complete event has an unknown opcode, we assume the first byte of the remaining skb->data contains the return status. However, parameter data has previously been pulled in hci_event_func(), which may leave the skb empty. If so, using skb->data[0] for the return status uses un-init memory.  The fix is to check skb->len before using skb->data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40358",
                                "url": "https://ubuntu.com/security/CVE-2025-40358",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: stacktrace: Disable KASAN checks for non-current tasks  When unwinding the stack of a task other than current, KASAN would report \"BUG: KASAN: out-of-bounds in walk_stackframe+0x41c/0x460\"  The same issue existed on x86 and was resolved by commit 84936118bdf3 (\"x86/unwind: Disable KASAN checks for non-current tasks\"). The solution can be applied to RISC-V too.  This patch can also solve the issue: https://seclists.org/oss-sec/2025/q4/23  [pjw@kernel.org: clean up checkpatch issues]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68186",
                                "url": "https://ubuntu.com/security/CVE-2025-68186",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up  The function ring_buffer_map_get_reader() is a bit more strict than the other get reader functions, and except for certain situations the rb_get_reader_page() should not return NULL. If it does, it triggers a warning.  This warning was triggering but after looking at why, it was because another acceptable situation was happening and it wasn't checked for.  If the reader catches up to the writer and there's still data to be read on the reader page, then the rb_get_reader_page() will return NULL as there's no new page to get.  In this situation, the reader page should not be updated and no warning should trigger.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68184",
                                "url": "https://ubuntu.com/security/CVE-2025-68184",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/mediatek: Disable AFBC support on Mediatek DRM driver  Commit c410fa9b07c3 (\"drm/mediatek: Add AFBC support to Mediatek DRM driver\") added AFBC support to Mediatek DRM and enabled the 32x8/split/sparse modifier.  However, this is currently broken on Mediatek MT8188 (Genio 700 EVK platform); tested using upstream Kernel and Mesa (v25.2.1), AFBC is used by default since Mesa v25.0.  Kernel trace reports vblank timeouts constantly, and the render is garbled:  ``` [CRTC:62:crtc-0] vblank wait timed out WARNING: CPU: 7 PID: 70 at drivers/gpu/drm/drm_atomic_helper.c:1835 drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c [...] Hardware name: MediaTek Genio-700 EVK (DT) Workqueue: events_unbound commit_work pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c lr : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c sp : ffff80008337bca0 x29: ffff80008337bcd0 x28: 0000000000000061 x27: 0000000000000000 x26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c9dcc000 x23: 0000000000000001 x22: 0000000000000000 x21: ffff0000c66f2f80 x20: ffff0000c0d7d880 x19: 0000000000000000 x18: 000000000000000a x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000000 x14: 0000000000000000 x13: 74756f2064656d69 x12: 742074696177206b x11: 0000000000000058 x10: 0000000000000018 x9 : ffff800082396a70 x8 : 0000000000057fa8 x7 : 0000000000000cce x6 : ffff8000823eea70 x5 : ffff0001fef5f408 x4 : ffff80017ccee000 x3 : ffff0000c12cb480 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c12cb480 Call trace:  drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c (P)  drm_atomic_helper_commit_tail_rpm+0x64/0x80  commit_tail+0xa4/0x1a4  commit_work+0x14/0x20  process_one_work+0x150/0x290  worker_thread+0x2d0/0x3ec  kthread+0x12c/0x210  ret_from_fork+0x10/0x20 ---[ end trace 
0000000000000000 ]--- ```  Until this gets fixed upstream, disable AFBC support on this platform, as it's currently broken with upstream Mesa.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40302",
                                "url": "https://ubuntu.com/security/CVE-2025-40302",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: videobuf2: forbid remove_bufs when legacy fileio is active  vb2_ioctl_remove_bufs() call manipulates queue internal buffer list, potentially overwriting some pointers used by the legacy fileio access mode. Forbid that ioctl when fileio is active to protect internal queue state between subsequent read/write calls.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40303",
                                "url": "https://ubuntu.com/security/CVE-2025-40303",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: ensure no dirty metadata is written back for an fs with errors  [BUG] During development of a minor feature (make sure all btrfs_bio::end_io() is called in task context), I noticed a crash in generic/388, where metadata writes triggered new works after btrfs_stop_all_workers().  It turns out that it can even happen without any code modification, just using RAID5 for metadata and the same workload from generic/388 is going to trigger the use-after-free.  [CAUSE] If btrfs hits an error, the fs is marked as error, no new transaction is allowed thus metadata is in a frozen state.  But there are some metadata modifications before that error, and they are still in the btree inode page cache.  Since there will be no real transaction commit, all those dirty folios are just kept as is in the page cache, and they can not be invalidated by invalidate_inode_pages2() call inside close_ctree(), because they are dirty.  And finally after btrfs_stop_all_workers(), we call iput() on btree inode, which triggers writeback of those dirty metadata.  And if the fs is using RAID56 metadata, this will trigger RMW and queue new works into rmw_workers, which is already stopped, causing warning from queue_work() and use-after-free.  [FIX] Add a special handling for write_one_eb(), that if the fs is already in an error state, immediately mark the bbio as failure, instead of really submitting them.  Then during close_ctree(), iput() will just discard all those dirty tree blocks without really writing them back, thus no more new jobs for already stopped-and-freed workqueues.  The extra discard in write_one_eb() also acts as an extra safenet. E.g. the transaction abort is triggered by some extent/free space tree corruptions, and since extent/free space tree is already corrupted some tree blocks may be allocated where they shouldn't be (overwriting existing tree blocks). 
In that case writing them back will further corrupting the fs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40362",
                                "url": "https://ubuntu.com/security/CVE-2025-40362",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ceph: fix multifs mds auth caps issue  The mds auth caps check should also validate the fsname along with the associated caps. Not doing so would result in applying the mds auth caps of one fs on to the other fs in a multifs ceph cluster. The bug causes multiple issues w.r.t user authentication, following is one such example.  Steps to Reproduce (on vstart cluster): 1. Create two file systems in a cluster, say 'fsname1' and 'fsname2' 2. Authorize read only permission to the user 'client.usr' on fs 'fsname1'     $ceph fs authorize fsname1 client.usr / r 3. Authorize read and write permission to the same user 'client.usr' on fs 'fsname2'     $ceph fs authorize fsname2 client.usr / rw 4. Update the keyring     $ceph auth get client.usr >> ./keyring  With above permissions for the user 'client.usr', following is the expectation.   a. The 'client.usr' should be able to only read the contents      and not allowed to create or delete files on file system 'fsname1'.   b. The 'client.usr' should be able to read/write on file system 'fsname2'.  But, with this bug, the 'client.usr' is allowed to read/write on file system 'fsname1'. See below.  5. Mount the file system 'fsname1' with the user 'client.usr'      $sudo bin/mount.ceph usr@.fsname1=/ /kmnt_fsname1_usr/ 6. Try creating a file on file system 'fsname1' with user 'client.usr'. This    should fail but passes with this bug.      $touch /kmnt_fsname1_usr/file1 7. Mount the file system 'fsname1' with the user 'client.admin' and create a    file.      $sudo bin/mount.ceph admin@.fsname1=/ /kmnt_fsname1_admin      $echo \"data\" > /kmnt_fsname1_admin/admin_file1 8. Try removing an existing file on file system 'fsname1' with the user    'client.usr'. This shouldn't succeed but succeeds with the bug.      
$rm -f /kmnt_fsname1_usr/admin_file1  For more information, please take a look at the corresponding mds/fuse patch and tests added by looking into the tracker mentioned below.  v2: Fix a possible null dereference in doutc v3: Don't store fsname from mdsmap, validate against     ceph_mount_options's fsname and use it v4: Code refactor, better warning message and     fix possible compiler warning  [ Slava.Dubeyko: \"fsname check failed\" -> \"fsname mismatch\" ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40332",
                                "url": "https://ubuntu.com/security/CVE-2025-40332",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Fix mmap write lock not release  If the mmap write lock is taken while draining retry faults, it is not released, because svm_range_restore_pages calls mmap_read_unlock and then returns. This causes a deadlock and system hangs later because the mmap read or write lock cannot be taken.  Downgrading the mmap write lock to a read lock when draining retry faults fixes this bug.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40304",
                                "url": "https://ubuntu.com/security/CVE-2025-40304",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds  Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen edges. Return early if the Y position is off-screen and clip image height to screen boundary. Break from the rendering loop if the X position is off-screen. When clipping image width to fit the screen, update the character count to match the clipped width to prevent buffer size mismatches.  Without the character count update, bit_putcs_aligned and bit_putcs_unaligned receive mismatched parameters where the buffer is allocated for the clipped width but cnt reflects the original larger count, causing out-of-bounds writes.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40305",
                                "url": "https://ubuntu.com/security/CVE-2025-40305",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN  p9_read_work() doesn't set Rworksched and doesn't do schedule_work(m->rq) if list_empty(&m->req_list).  However, if the pipe is full, we need to read more data and this used to work prior to commit aaec5a95d59615 (\"pipe_read: don't wake up the writer if the pipe is still full\").  p9_read_work() does p9_fd_read() -> ... -> anon_pipe_read() which (before the commit above) triggered the unnecessary wakeup. This wakeup calls p9_pollwake() which kicks p9_poll_workfn() -> p9_poll_mux(), p9_poll_mux() will notice EPOLLIN and schedule_work(&m->rq).  This no longer happens after the optimization above, change p9_fd_request() to use p9_poll_mux() instead of only checking for EPOLLOUT.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68318",
                                "url": "https://ubuntu.com/security/CVE-2025-68318",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL  The AXI crossbar of TH1520 has no proper timeout handling, which means gating AXI clocks can easily lead to bus timeout and thus system hang.  Set all AXI clock gates to CLK_IS_CRITICAL. All these clock gates are ungated by default on system reset.  In addition, convert all current CLK_IGNORE_UNUSED usage to CLK_IS_CRITICAL to prevent unwanted clock gating.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40209",
                                "url": "https://ubuntu.com/security/CVE-2025-40209",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation  When btrfs_add_qgroup_relation() is called with invalid qgroup levels (src >= dst), the function returns -EINVAL directly without freeing the preallocated qgroup_list structure passed by the caller. This causes a memory leak because the caller unconditionally sets the pointer to NULL after the call, preventing any cleanup.  The issue occurs because the level validation check happens before the mutex is acquired and before any error handling path that would free the prealloc pointer. On this early return, the cleanup code at the 'out' label (which includes kfree(prealloc)) is never reached.  In btrfs_ioctl_qgroup_assign(), the code pattern is:      prealloc = kzalloc(sizeof(*prealloc), GFP_KERNEL);     ret = btrfs_add_qgroup_relation(trans, sa->src, sa->dst, prealloc);     prealloc = NULL;  // Always set to NULL regardless of return value     ...     kfree(prealloc);  // This becomes kfree(NULL), does nothing  When the level check fails, 'prealloc' is never freed by either the callee or the caller, resulting in a 64-byte memory leak per failed operation. This can be triggered repeatedly by an unprivileged user with access to a writable btrfs mount, potentially exhausting kernel memory.  Fix this by freeing prealloc before the early return, ensuring prealloc is always freed on all error paths.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-21 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68183",
                                "url": "https://ubuntu.com/security/CVE-2025-68183",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr  Currently when both IMA and EVM are in fix mode, the IMA signature will be reset to IMA hash if a program first stores IMA signature in security.ima and then writes/removes some other security xattr for the file.  For example, on Fedora, after booting the kernel with \"ima_appraise=fix evm=fix ima_policy=appraise_tcb\" and installing rpm-plugin-ima, installing/reinstalling a package will not make good reference IMA signature generated. Instead IMA hash is generated,      # getfattr -m - -d -e hex /usr/bin/bash     # file: usr/bin/bash     security.ima=0x0404...  This happens because when setting security.selinux, the IMA_DIGSIG flag that had been set early was cleared. As a result, IMA hash is generated when the file is closed.  Similarly, IMA signature can be cleared on file close after removing security xattr like security.evm or setting/removing ACL.  Prevent replacing the IMA file signature with a file hash, by preventing the IMA_DIGSIG flag from being reset.  
Here's a minimal C reproducer which sets security.selinux as the last step which can also replaced by removing security.evm or setting ACL,      #include <stdio.h>     #include <sys/xattr.h>     #include <fcntl.h>     #include <unistd.h>     #include <string.h>     #include <stdlib.h>      int main() {         const char* file_path = \"/usr/sbin/test_binary\";         const char* hex_string = \"030204d33204490066306402304\";         int length = strlen(hex_string);         char* ima_attr_value;         int fd;          fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);         if (fd == -1) {             perror(\"Error opening file\");             return 1;         }          ima_attr_value = (char*)malloc(length / 2 );         for (int i = 0, j = 0; i < length; i += 2, j++) {             sscanf(hex_string + i, \"%2hhx\", &ima_attr_value[j]);         }          if (fsetxattr(fd, \"security.ima\", ima_attr_value, length/2, 0) == -1) {             perror(\"Error setting extended attribute\");             close(fd);             return 1;         }          const char* selinux_value= \"system_u:object_r:bin_t:s0\";         if (fsetxattr(fd, \"security.selinux\", selinux_value, strlen(selinux_value), 0) == -1) {             perror(\"Error setting extended attribute\");             close(fd);             return 1;         }          close(fd);          return 0;     }",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68173",
                                "url": "https://ubuntu.com/security/CVE-2025-68173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ftrace: Fix softlockup in ftrace_module_enable  A soft lockup was observed when loading amdgpu module. If a module has a lot of traceable functions, multiple calls to kallsyms_lookup can spend too much time in RCU critical section and with disabled preemption, causing kernel panic. This is the same issue that was fixed in commit d0b24b4e91fc (\"ftrace: Prevent RCU stall on PREEMPT_VOLUNTARY kernels\") and commit 42ea22e754ba (\"ftrace: Add cond_resched() to ftrace_graph_set_hash()\").  Fix it the same way by adding cond_resched() in ftrace_module_enable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40306",
                                "url": "https://ubuntu.com/security/CVE-2025-40306",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  orangefs: fix xattr related buffer overflow...  Willy Tarreau <w@1wt.eu> forwarded me a message from Disclosure <disclosure@aisle.com> with the following warning:  > The helper `xattr_key()` uses the pointer variable in the loop condition > rather than dereferencing it. As `key` is incremented, it remains non-NULL > (until it runs into unmapped memory), so the loop does not terminate on > valid C strings and will walk memory indefinitely, consuming CPU or hanging > the thread.  I easily reproduced this with setfattr and getfattr, causing a kernel oops, hung user processes and corrupted orangefs files. Disclosure sent along a diff (not a patch) with a suggested fix, which I based this patch on.  After xattr_key started working right, xfstest generic/069 exposed an xattr related memory leak that lead to OOM. xattr_key returns a hashed key.  When adding xattrs to the orangefs xattr cache, orangefs used hash_add, a kernel hashing macro. hash_add also hashes the key using hash_log which resulted in additions to the xattr cache going to the wrong hash bucket. generic/069 tortures a single file and orangefs does a getattr for the xattr \"security.capability\" every time. Orangefs negative caches on xattrs which includes a kmalloc. Since adds to the xattr cache were going to the wrong bucket, every getattr for \"security.capability\" resulted in another kmalloc, none of which were ever freed.  I changed the two uses of hash_add to hlist_add_head instead and the memory leak ceased and generic/069 quit throwing furniture.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40307",
                                "url": "https://ubuntu.com/security/CVE-2025-40307",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exfat: validate cluster allocation bits of the allocation bitmap  syzbot created an exfat image with cluster bits not set for the allocation bitmap. exfat-fs reads and uses the allocation bitmap without checking this. The problem is that if the start cluster of the allocation bitmap is 6, cluster 6 can be allocated when creating a directory with mkdir. exfat zeros out this cluster in exfat_mkdir, which can delete existing entries. This can reallocate the allocated entries. In addition, the allocation bitmap is also zeroed out, so cluster 6 can be reallocated. This patch adds exfat_test_bitmap_range to validate that clusters used for the allocation bitmap are correctly marked as in-use.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40308",
                                "url": "https://ubuntu.com/security/CVE-2025-40308",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: bcsp: receive data only if registered  Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace:      KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]     RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590     Call Trace:      <TASK>      hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627      tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290      tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706      vfs_ioctl fs/ioctl.c:51 [inline]      __do_sys_ioctl fs/ioctl.c:907 [inline]      __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893      do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]      do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94      entry_SYSCALL_64_after_hwframe+0x77/0x7f  To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40309",
                                "url": "https://ubuntu.com/security/CVE-2025-40309",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: SCO: Fix UAF on sco_conn_free  BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline] BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline] BUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 Write of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352  CPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted 6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci13 hci_cmd_sync_work Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0x191/0x550 mm/kasan/report.c:482  kasan_report+0xc4/0x100 mm/kasan/report.c:595  sco_conn_free net/bluetooth/sco.c:87 [inline]  kref_put include/linux/kref.h:65 [inline]  sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107  sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441  hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]  hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313  hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121  hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147  hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689  hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332  process_one_work kernel/workqueue.c:3236 [inline]  process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319  worker_thread+0xbee/0x1200 kernel/workqueue.c:3400  kthread+0x3c7/0x870 kernel/kthread.c:463  ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 31370:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x70 mm/kasan/common.c:68  poison_kmalloc_redzone 
mm/kasan/common.c:388 [inline]  __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405  kasan_kmalloc include/linux/kasan.h:260 [inline]  __do_kmalloc_node mm/slub.c:4382 [inline]  __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394  kmalloc_noprof include/linux/slab.h:909 [inline]  sk_prot_alloc+0xae/0x220 net/core/sock.c:2239  sk_alloc+0x34/0x5a0 net/core/sock.c:2295  bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151  sco_sock_alloc net/bluetooth/sco.c:562 [inline]  sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593  bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135  __sock_create+0x3ad/0x780 net/socket.c:1589  sock_create net/socket.c:1647 [inline]  __sys_socket_create net/socket.c:1684 [inline]  __sys_socket+0xd5/0x330 net/socket.c:1731  __do_sys_socket net/socket.c:1745 [inline]  __se_sys_socket net/socket.c:1743 [inline]  __x64_sys_socket+0x7a/0x90 net/socket.c:1743  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 31374:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x70 mm/kasan/common.c:68  kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576  poison_slab_object mm/kasan/common.c:243 [inline]  __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275  kasan_slab_free include/linux/kasan.h:233 [inline]  slab_free_hook mm/slub.c:2428 [inline]  slab_free mm/slub.c:4701 [inline]  kfree+0x199/0x3b0 mm/slub.c:4900  sk_prot_free net/core/sock.c:2278 [inline]  __sk_destruct+0x4aa/0x630 net/core/sock.c:2373  sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333  __sock_release net/socket.c:649 [inline]  sock_close+0xb8/0x230 net/socket.c:1439  __fput+0x3d1/0x9e0 fs/file_table.c:468  task_work_run+0x206/0x2a0 kernel/task_work.c:227  get_signal+0x1201/0x1410 kernel/signal.c:2807  arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337  exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40  exit_to_user_mode_prepare 
include/linux/irq-entry-common.h:225 [inline]  s ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68174",
                                "url": "https://ubuntu.com/security/CVE-2025-68174",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  amd/amdkfd: enhance kfd process check in switch partition  current switch partition only check if kfd_processes_table is empty. kfd_prcesses_table entry is deleted in kfd_process_notifier_release, but kfd_process tear down is in kfd_process_wq_release.  consider two processes:  Process A (workqueue) -> kfd_process_wq_release -> Access kfd_node member Process B switch partition -> amdgpu_xcp_pre_partition_switch -> amdgpu_amdkfd_device_fini_sw -> kfd_node tear down.  Process A and B may trigger a race as shown in dmesg log.  This patch is to resolve the race by adding an atomic kfd_process counter kfd_processes_count, it increment as create kfd process, decrement as finish kfd_process_wq_release.  v2: Put kfd_processes_count per kfd_dev, move decrement to kfd_process_destroy_pdds and bug fix. (Philip Yang)  [3966658.307702] divide error: 0000 [#1] SMP NOPTI [3966658.350818]  i10nm_edac [3966658.356318] CPU: 124 PID: 38435 Comm: kworker/124:0 Kdump: loaded Tainted [3966658.356890] Workqueue: kfd_process_wq kfd_process_wq_release [amdgpu] [3966658.362839]  nfit [3966658.366457] RIP: 0010:kfd_get_num_sdma_engines+0x17/0x40 [amdgpu] [3966658.366460] Code: 00 00 e9 ac 81 02 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 0f 1f 44 00 00 48 8b 4f 08 48 8b b7 00 01 00 00 8b 81 58 26 03 00 99 <f7> be b8 01 00 00 80 b9 70 2e 00 00 00 74 0b 83 f8 02 ba 02 00 00 [3966658.380967]  x86_pkg_temp_thermal [3966658.391529] RSP: 0018:ffffc900a0edfdd8 EFLAGS: 00010246 [3966658.391531] RAX: 0000000000000008 RBX: ffff8974e593b800 RCX: ffff888645900000 [3966658.391531] RDX: 0000000000000000 RSI: ffff888129154400 RDI: ffff888129151c00 [3966658.391532] RBP: ffff8883ad79d400 R08: 0000000000000000 R09: ffff8890d2750af4 [3966658.391532] R10: 0000000000000018 R11: 0000000000000018 R12: 0000000000000000 [3966658.391533] R13: ffff8883ad79d400 R14: ffffe87ff662ba00 R15: ffff8974e593b800 
[3966658.391533] FS:  0000000000000000(0000) GS:ffff88fe7f600000(0000) knlGS:0000000000000000 [3966658.391534] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [3966658.391534] CR2: 0000000000d71000 CR3: 000000dd0e970004 CR4: 0000000002770ee0 [3966658.391535] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [3966658.391535] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [3966658.391536] PKRU: 55555554 [3966658.391536] Call Trace: [3966658.391674]  deallocate_sdma_queue+0x38/0xa0 [amdgpu] [3966658.391762]  process_termination_cpsch+0x1ed/0x480 [amdgpu] [3966658.399754]  intel_powerclamp [3966658.402831]  kfd_process_dequeue_from_all_devices+0x5b/0xc0 [amdgpu] [3966658.402908]  kfd_process_wq_release+0x1a/0x1a0 [amdgpu] [3966658.410516]  coretemp [3966658.434016]  process_one_work+0x1ad/0x380 [3966658.434021]  worker_thread+0x49/0x310 [3966658.438963]  kvm_intel [3966658.446041]  ? process_one_work+0x380/0x380 [3966658.446045]  kthread+0x118/0x140 [3966658.446047]  ? 
__kthread_bind_mask+0x60/0x60 [3966658.446050]  ret_from_fork+0x1f/0x30 [3966658.446053] Modules linked in: kpatch_20765354(OEK) [3966658.455310]  kvm [3966658.464534]  mptcp_diag xsk_diag raw_diag unix_diag af_packet_diag netlink_diag udp_diag act_pedit act_mirred act_vlan cls_flower kpatch_21951273(OEK) kpatch_18424469(OEK) kpatch_19749756(OEK) [3966658.473462]  idxd_mdev [3966658.482306]  kpatch_17971294(OEK) sch_ingress xt_conntrack amdgpu(OE) amdxcp(OE) amddrm_buddy(OE) amd_sched(OE) amdttm(OE) amdkcl(OE) intel_ifs iptable_mangle tcm_loop target_core_pscsi tcp_diag target_core_file inet_diag target_core_iblock target_core_user target_core_mod coldpgs kpatch_18383292(OEK) ip6table_nat ip6table_filter ip6_tables ip_set_hash_ipportip ip_set_hash_ipportnet ip_set_hash_ipport ip_set_bitmap_port xt_comment iptable_nat nf_nat iptable_filter ip_tables ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 sn_core_odd(OE) i40e overlay binfmt_misc tun bonding(OE) aisqos(OE) aisqo ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40310",
                                "url": "https://ubuntu.com/security/CVE-2025-40310",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw  There is race in amdgpu_amdkfd_device_fini_sw and interrupt. if amdgpu_amdkfd_device_fini_sw run in b/w kfd_cleanup_nodes and   kfree(kfd), and KGD interrupt generated.  kernel panic log:  BUG: kernel NULL pointer dereference, address: 0000000000000098 amdgpu 0000:c8:00.0: amdgpu: Requesting 4 partitions through PSP  PGD d78c68067 P4D d78c68067  kfd kfd: amdgpu: Allocated 3969056 bytes on gart  PUD 1465b8067 PMD @  Oops: @002 [#1] SMP NOPTI  kfd kfd: amdgpu: Total number of KFD nodes to be created: 4 CPU: 115 PID: @ Comm: swapper/115 Kdump: loaded Tainted: G S W OE K  RIP: 0010:_raw_spin_lock_irqsave+0x12/0x40  Code: 89 e@ 41 5c c3 cc cc cc cc 66 66 2e Of 1f 84 00 00 00 00 00 OF 1f 40 00 Of 1f 44% 00 00 41 54 9c 41 5c fa 31 cO ba 01 00 00 00 <fO> OF b1 17 75 Ba 4c 89 e@ 41 Sc  89 c6 e8 07 38 5d  RSP: 0018: ffffc90@1a6b0e28 EFLAGS: 00010046  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000018 0000000000000001 RSI: ffff8883bb623e00 RDI: 0000000000000098 ffff8883bb000000 RO8: ffff888100055020 ROO: ffff888100055020 0000000000000000 R11: 0000000000000000 R12: 0900000000000002 ffff888F2b97da0@ R14: @000000000000098 R15: ffff8883babdfo00  CS: 010 DS: 0000 ES: 0000 CRO: 0000000080050033  CR2: 0000000000000098 CR3: 0000000e7cae2006 CR4: 0000000002770ce0 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 0000000000000000 DR6: 00000000fffeO7FO DR7: 0000000000000400  PKRU: 55555554  Call Trace:  <IRQ>  kgd2kfd_interrupt+@x6b/0x1f@ [amdgpu]  ? 
amdgpu_fence_process+0xa4/0x150 [amdgpu]  kfd kfd: amdgpu: Node: 0, interrupt_bitmap: 3 YcpxFl Rant tErace  amdgpu_irq_dispatch+0x165/0x210 [amdgpu]  amdgpu_ih_process+0x80/0x100 [amdgpu]  amdgpu: Virtual CRAT table created for GPU  amdgpu_irq_handler+0x1f/@x60 [amdgpu]  __handle_irq_event_percpu+0x3d/0x170  amdgpu: Topology: Add dGPU node [0x74a2:0x1002]  handle_irq_event+0x5a/@xcO  handle_edge_irq+0x93/0x240  kfd kfd: amdgpu: KFD node 1 partition @ size 49148M  asm_call_irq_on_stack+0xf/@x20  </IRQ>  common_interrupt+0xb3/0x130  asm_common_interrupt+0x1le/0x40  5.10.134-010.a1i5000.a18.x86_64 #1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40361",
                                "url": "https://ubuntu.com/security/CVE-2025-40361",
                                "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40311",
                                "url": "https://ubuntu.com/security/CVE-2025-40311",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/habanalabs: support mapping cb with vmalloc-backed coherent memory  When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return addresses from the vmalloc range. If such an address is mapped without VM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the VM_PFNMAP restriction.  Fix this by checking for vmalloc addresses and setting VM_MIXEDMAP in the VMA before mapping. This ensures safe mapping and avoids kernel crashes. The memory is still driver-allocated and cannot be accessed directly by userspace.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68185",
                                "url": "https://ubuntu.com/security/CVE-2025-68185",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing  Theoretically it's an oopsable race, but I don't believe one can manage to hit it on real hardware; might become doable on a KVM, but it still won't be easy to attack.  Anyway, it's easy to deal with - since xdr_encode_hyper() is just a call of put_unaligned_be64(), we can put that under ->d_lock and be done with that.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68176",
                                "url": "https://ubuntu.com/security/CVE-2025-68176",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: cadence: Check for the existence of cdns_pcie::ops before using it  cdns_pcie::ops might not be populated by all the Cadence glue drivers. This is going to be true for the upcoming Sophgo platform which doesn't set the ops.  Hence, add a check to prevent NULL pointer dereference.  [mani: reworded subject and description]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68190",
                                "url": "https://ubuntu.com/security/CVE-2025-68190",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()  kcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws remains NULL while ectx.ws_size is set, leading to a potential NULL pointer dereference in atom_get_src_int() when accessing WS entries.  Return -ENOMEM on allocation failure to avoid the NULL dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68168",
                                "url": "https://ubuntu.com/security/CVE-2025-68168",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  jfs: fix uninitialized waitqueue in transaction manager  The transaction manager initialization in txInit() was not properly initializing TxBlock[0].waitor waitqueue, causing a crash when txEnd(0) is called on read-only filesystems.  When a filesystem is mounted read-only, txBegin() returns tid=0 to indicate no transaction. However, txEnd(0) still gets called and tries to access TxBlock[0].waitor via tid_to_tblock(0), but this waitqueue was never initialized because the initialization loop started at index 1 instead of 0.  This causes a 'non-static key' lockdep warning and system crash:   INFO: trying to register non-static key in txEnd  Fix by ensuring all transaction blocks including TxBlock[0] have their waitqueues properly initialized during txInit().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40312",
                                "url": "https://ubuntu.com/security/CVE-2025-40312",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  jfs: Verify inode mode when loading from disk  The inode mode loaded from corrupted disk can be invalid. Do like what commit 0a9e74051313 (\"isofs: Verify inode mode when loading from disk\") does.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40333",
                                "url": "https://ubuntu.com/security/CVE-2025-40333",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix infinite loop in __insert_extent_tree()  When we get wrong extent info data and look up extent_node in the rb tree, it will cause an infinite loop (CONFIG_F2FS_CHECK_FS=n). Avoid this by returning NULL and printing some kernel messages in that case.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68321",
                                "url": "https://ubuntu.com/security/CVE-2025-68321",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  page_pool: always add GFP_NOWARN for ATOMIC allocations  Driver authors often forget to add GFP_NOWARN for page allocation from the datapath. This is annoying to users as OOMs are a fact of life, and we pretty much expect network Rx to hit page allocation failures during OOM. Make page pool add GFP_NOWARN for ATOMIC allocations by default.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40334",
                                "url": "https://ubuntu.com/security/CVE-2025-40334",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: validate userq buffer virtual address and size  It needs to validate the userq object virtual address to determine whether it resides in a valid vm mapping.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68191",
                                "url": "https://ubuntu.com/security/CVE-2025-68191",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  udp_tunnel: use netdev_warn() instead of netdev_WARN()  netdev_WARN() uses WARN/WARN_ON to print a backtrace along with file and line information. In this case, udp_tunnel_nic_register() returning an error is just a failed operation, not a kernel bug.  udp_tunnel_nic_register() can fail due to a memory allocation failure (kzalloc() or udp_tunnel_nic_alloc()). This is a normal runtime error and not a kernel bug.  Replace netdev_WARN() with netdev_warn() accordingly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68309",
                                "url": "https://ubuntu.com/security/CVE-2025-68309",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI/AER: Fix NULL pointer access by aer_info  The kzalloc(GFP_KERNEL) may return NULL, so all accesses to aer_info->xxx will result in kernel panic. Fix it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40313",
                                "url": "https://ubuntu.com/security/CVE-2025-40313",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ntfs3: pretend $Extend records as regular files  Since commit af153bb63a33 (\"vfs: catch invalid modes in may_open()\") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/ S_IFIFO/S_IFSOCK type, use S_IFREG for $Extend records.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40335",
                                "url": "https://ubuntu.com/security/CVE-2025-40335",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: validate userq input args  This will help on validating the userq input args, and rejecting for the invalid userq request at the IOCTLs first place.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40314",
                                "url": "https://ubuntu.com/security/CVE-2025-40314",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget  In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget structure (pdev->gadget) was freed before its endpoints. The endpoints are linked via the ep_list in the gadget structure. Freeing the gadget first leaves dangling pointers in the endpoint list. When the endpoints are subsequently freed, this results in a use-after-free.  Fix: By separating the usb_del_gadget_udc() operation into distinct \"del\" and \"put\" steps, cdnsp_gadget_free_endpoints() can be executed prior to the final release of the gadget structure with usb_put_gadget().  A patch similar to bb9c74a5bd14(\"usb: dwc3: gadget: Free gadget structure  only after freeing endpoints\").",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40336",
                                "url": "https://ubuntu.com/security/CVE-2025-40336",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gpusvm: fix hmm_pfn_to_map_order() usage  Handle the case where the hmm range partially covers a huge page (like 2M), otherwise we can potentially end up doing something nasty like mapping memory which is outside the range, and maybe not even mapped by the mm. Fix is based on the xe userptr code, which in a future patch will directly use gpusvm, so needs alignment here.  v2:   - Add kernel-doc (Matt B)   - s/fls/ilog2/ (Thomas)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68193",
                                "url": "https://ubuntu.com/security/CVE-2025-68193",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Add devm release action to safely tear down CT  When a buffer object (BO) is allocated with the XE_BO_FLAG_GGTT_INVALIDATE flag, the driver initiates TLB invalidation requests via the CTB mechanism while releasing the BO. However a premature release of the CTB BO can lead to system crashes, as observed in:  Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:h2g_write+0x2f3/0x7c0 [xe] Call Trace:  guc_ct_send_locked+0x8b/0x670 [xe]  xe_guc_ct_send_locked+0x19/0x60 [xe]  send_tlb_invalidation+0xb4/0x460 [xe]  xe_gt_tlb_invalidation_ggtt+0x15e/0x2e0 [xe]  ggtt_invalidate_gt_tlb.part.0+0x16/0x90 [xe]  ggtt_node_remove+0x110/0x140 [xe]  xe_ggtt_node_remove+0x40/0xa0 [xe]  xe_ggtt_remove_bo+0x87/0x250 [xe]  Introduce a devm-managed release action during xe_guc_ct_init() and xe_guc_ct_init_post_hwconfig() to ensure proper CTB disablement before resource deallocation, preventing the use-after-free scenario.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68175",
                                "url": "https://ubuntu.com/security/CVE-2025-68175",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: nxp: imx8-isi: Fix streaming cleanup on release  The current implementation unconditionally calls mxc_isi_video_cleanup_streaming() in mxc_isi_video_release(). This can lead to situations where any release call (like from a simple \"v4l2-ctl -l\") may release a currently streaming queue when called on such a device.  This is reproducible on an i.MX8MP board by streaming from an ISI capture device using gstreamer:  \tgst-launch-1.0 -v v4l2src device=/dev/videoX ! \\ \t    video/x-raw,format=GRAY8,width=1280,height=800,framerate=1/120 ! \\ \t    fakesink  While this stream is running, querying the caps of the same device provokes the error state:  \tv4l2-ctl -l -d /dev/videoX  This results in the following trace:  [  155.452152] ------------[ cut here ]------------ [  155.452163] WARNING: CPU: 0 PID: 1708 at drivers/media/platform/nxp/imx8-isi/imx8-isi-pipe.c:713 mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [  157.004248] Modules linked in: cfg80211 rpmsg_ctrl rpmsg_char rpmsg_tty virtio_rpmsg_bus rpmsg_ns rpmsg_core rfkill nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables mcp251x6 [  157.053499] CPU: 0 UID: 0 PID: 1708 Comm: python3 Not tainted 6.15.4-00114-g1f61ca5cad76 #1 PREEMPT [  157.064369] Hardware name: imx8mp_board_01 (DT) [  157.068205] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [  157.075169] pc : mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [  157.081195] lr : mxc_isi_pipe_irq_handler+0x38/0x1b0 [imx8_isi] [  157.087126] sp : ffff800080003ee0 [  157.090438] x29: ffff800080003ee0 x28: ffff0000c3688000 x27: 0000000000000000 [  157.097580] x26: 0000000000000000 x25: ffff0000c1e7ac00 x24: ffff800081b5ad50 [  157.104723] x23: 00000000000000d1 x22: 0000000000000000 x21: ffff0000c25e4000 [  157.111866] x20: 0000000060000200 x19: ffff80007a0608d0 x18: 0000000000000000 [  157.119008] x17: 
ffff80006a4e3000 x16: ffff800080000000 x15: 0000000000000000 [  157.126146] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [  157.133287] x11: 0000000000000040 x10: ffff0000c01445f0 x9 : ffff80007a053a38 [  157.140425] x8 : ffff0000c04004b8 x7 : 0000000000000000 x6 : 0000000000000000 [  157.147567] x5 : ffff0000c0400490 x4 : ffff80006a4e3000 x3 : ffff0000c25e4000 [  157.154706] x2 : 0000000000000000 x1 : ffff8000825c0014 x0 : 0000000060000200 [  157.161850] Call trace: [  157.164296]  mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] (P) [  157.170319]  __handle_irq_event_percpu+0x58/0x218 [  157.175029]  handle_irq_event+0x54/0xb8 [  157.178867]  handle_fasteoi_irq+0xac/0x248 [  157.182968]  handle_irq_desc+0x48/0x68 [  157.186723]  generic_handle_domain_irq+0x24/0x38 [  157.191346]  gic_handle_irq+0x54/0x120 [  157.195098]  call_on_irq_stack+0x24/0x30 [  157.199027]  do_interrupt_handler+0x88/0x98 [  157.203212]  el0_interrupt+0x44/0xc0 [  157.206792]  __el0_irq_handler_common+0x18/0x28 [  157.211328]  el0t_64_irq_handler+0x10/0x20 [  157.215429]  el0t_64_irq+0x198/0x1a0 [  157.219009] ---[ end trace 0000000000000000 ]---  Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the vb2_ioctl_streamon() and vb2_ioctl_streamoff() helpers, and removal of the manual cleanup from mxc_isi_video_release().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68188",
                                "url": "https://ubuntu.com/security/CVE-2025-68188",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()  Use RCU to avoid a pair of atomic operations and a potential UAF on dst_dev()->flags.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68315",
                                "url": "https://ubuntu.com/security/CVE-2025-68315",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix to detect potential corrupted nid in free_nid_list  As reported, on-disk footer.ino and footer.nid is the same and out-of-range, let's add sanity check on f2fs_alloc_nid() to detect any potential corruption in free_nid_list.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40337",
                                "url": "https://ubuntu.com/security/CVE-2025-40337",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Correctly handle Rx checksum offload errors  The stmmac_rx function would previously set skb->ip_summed to CHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabled and the packet was of a known IP ethertype.  However, this logic failed to check if the hardware had actually reported a checksum error. The hardware status, indicating a header or payload checksum failure, was being ignored at this stage. This could cause corrupt packets to be passed up the network stack as valid.  This patch corrects the logic by checking the `csum_none` status flag, which is set when the hardware reports a checksum error. If this flag is set, skb->ip_summed is now correctly set to CHECKSUM_NONE, ensuring the kernel's network stack will perform its own validation and properly handle the corrupt packet.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40338",
                                "url": "https://ubuntu.com/security/CVE-2025-40338",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Do not share the name pointer between components  By sharing 'name' directly, tearing down components may lead to use-after-free errors. Duplicate the name to avoid that.  At the same time, update the order of operations - since commit cee28113db17 (\"ASoC: dmaengine_pcm: Allow passing component name via config\") the framework does not override component->name if set before invoking the initializer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40339",
                                "url": "https://ubuntu.com/security/CVE-2025-40339",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: fix nullptr err of vm_handle_moved  If a amdgpu_bo_va is fpriv->prt_va, the bo of this one is always NULL. So, such kind of amdgpu_bo_va should be updated separately before amdgpu_vm_handle_moved.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68194",
                                "url": "https://ubuntu.com/security/CVE-2025-68194",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: imon: make send_packet() more robust  syzbot is reporting that imon has three problems which result in hung tasks due to forever holding device lock [1].  First problem is that when usb_rx_callback_intf0() once got -EPROTO error after ictx->dev_present_intf0 became true, usb_rx_callback_intf0() resubmits urb after printk(), and resubmitted urb causes usb_rx_callback_intf0() to again get -EPROTO error. This results in printk() flooding (RCU stalls).  Alan Stern commented [2] that    In theory it's okay to resubmit _if_ the driver has a robust   error-recovery scheme (such as giving up after some fixed limit on the   number of errors or after some fixed time has elapsed, perhaps with a   time delay to prevent a flood of errors).  Most drivers don't bother to   do this; they simply give up right away.  This makes them more   vulnerable to short-term noise interference during USB transfers, but in   reality such interference is quite rare.  There's nothing really wrong   with giving up right away.  but imon has a poor error-recovery scheme which just retries forever; this behavior should be fixed.  Since I'm not sure whether it is safe for imon users to give up upon any error code, this patch takes care of only union of error codes chosen from modules in drivers/media/rc/ directory which handle -EPROTO error (i.e. ir_toy, mceusb and igorplugusb).  Second problem is that when usb_rx_callback_intf0() once got -EPROTO error before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0() always resubmits urb due to commit 8791d63af0cf (\"[media] imon: don't wedge hardware after early callbacks\"). 
Move the ictx->dev_present_intf0 test introduced by commit 6f6b90c9231a (\"[media] imon: don't parse scancodes until intf configured\") to immediately before imon_incoming_packet(), or the first problem explained above happens without printk() flooding (i.e. hung task).  Third problem is that when usb_rx_callback_intf0() is not called for some reason (e.g. flaky hardware; the reproducer for this problem sometimes prevents usb_rx_callback_intf0() from being called), wait_for_completion_interruptible() in send_packet() never returns (i.e. hung task). As a workaround for such situation, change send_packet() to wait for completion with timeout of 10 seconds.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40363",
                                "url": "https://ubuntu.com/security/CVE-2025-40363",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: ipv6: fix field-spanning memcpy warning in AH output  Fix field-spanning memcpy warnings in ah6_output() and ah6_output_done() where extension headers are copied to/from IPv6 address fields, triggering fortify-string warnings about writes beyond the 16-byte address fields.    memcpy: detected field-spanning write (size 40) of single field \"&top_iph->saddr\" at net/ipv6/ah6.c:439 (size 16)   WARNING: CPU: 0 PID: 8838 at net/ipv6/ah6.c:439 ah6_output+0xe7e/0x14e0 net/ipv6/ah6.c:439  The warnings are false positives as the extension headers are intentionally placed after the IPv6 header in memory. Fix by properly copying addresses and extension headers separately, and introduce helper functions to avoid code duplication.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68311",
                                "url": "https://ubuntu.com/security/CVE-2025-68311",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: serial: ip22zilog: Use platform device for probing  After commit 84a9582fd203 (\"serial: core: Start managing serial controllers to enable runtime PM\") serial drivers need to provide a device in struct uart_port.dev otherwise an oops happens. To fix this issue for ip22zilog driver switch driver to a platform driver and setup the serial device in sgi-ip22 code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40340",
                                "url": "https://ubuntu.com/security/CVE-2025-40340",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.  I saw an oops in xe_gem_fault when running the xe-fast-feedback testlist against the realtime kernel without debug options enabled.  The panic happens after core_hotunplug unbind-rebind finishes. Presumably what happens is that a process mmaps, unlocks because of the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left, causing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since there was nothing left to populate, and then oopses in \"mem_type_is_vram(tbo->resource->mem_type)\" because tbo->resource is NULL.  It's convoluted, but fits the data and explains the oops after the test exits.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68196",
                                "url": "https://ubuntu.com/security/CVE-2025-68196",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Cache streams targeting link when performing LT automation  [WHY] Last LT automation update can cause crash by referencing current_state and calling into dc_update_planes_and_stream which may clobber current_state.  [HOW] Cache relevant stream pointers and iterate through them instead of relying on the current_state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68178",
                                "url": "https://ubuntu.com/security/CVE-2025-68178",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  blk-cgroup: fix possible deadlock while configuring policy  Following deadlock can be triggered easily by lockdep:  WARNING: possible circular locking dependency detected 6.17.0-rc3-00124-ga12c2658ced0 #1665 Not tainted ------------------------------------------------------ check/1334 is trying to acquire lock: ff1100011d9d0678 (&q->sysfs_lock){+.+.}-{4:4}, at: blk_unregister_queue+0x53/0x180  but task is already holding lock: ff1100011d9d00e0 (&q->q_usage_counter(queue)#3){++++}-{0:0}, at: del_gendisk+0xba/0x110  which lock already depends on the new lock.  the existing dependency chain (in reverse order) is:  -> #2 (&q->q_usage_counter(queue)#3){++++}-{0:0}:        blk_queue_enter+0x40b/0x470        blkg_conf_prep+0x7b/0x3c0        tg_set_limit+0x10a/0x3e0        cgroup_file_write+0xc6/0x420        kernfs_fop_write_iter+0x189/0x280        vfs_write+0x256/0x490        ksys_write+0x83/0x190        __x64_sys_write+0x21/0x30        x64_sys_call+0x4608/0x4630        do_syscall_64+0xdb/0x6b0        entry_SYSCALL_64_after_hwframe+0x76/0x7e  -> #1 (&q->rq_qos_mutex){+.+.}-{4:4}:        __mutex_lock+0xd8/0xf50        mutex_lock_nested+0x2b/0x40        wbt_init+0x17e/0x280        wbt_enable_default+0xe9/0x140        blk_register_queue+0x1da/0x2e0        __add_disk+0x38c/0x5d0        add_disk_fwnode+0x89/0x250        device_add_disk+0x18/0x30        virtblk_probe+0x13a3/0x1800        virtio_dev_probe+0x389/0x610        really_probe+0x136/0x620        __driver_probe_device+0xb3/0x230        driver_probe_device+0x2f/0xe0        __driver_attach+0x158/0x250        bus_for_each_dev+0xa9/0x130        driver_attach+0x26/0x40        bus_add_driver+0x178/0x3d0        driver_register+0x7d/0x1c0        __register_virtio_driver+0x2c/0x60        virtio_blk_init+0x6f/0xe0        do_one_initcall+0x94/0x540        kernel_init_freeable+0x56a/0x7b0        
kernel_init+0x2b/0x270        ret_from_fork+0x268/0x4c0        ret_from_fork_asm+0x1a/0x30  -> #0 (&q->sysfs_lock){+.+.}-{4:4}:        __lock_acquire+0x1835/0x2940        lock_acquire+0xf9/0x450        __mutex_lock+0xd8/0xf50        mutex_lock_nested+0x2b/0x40        blk_unregister_queue+0x53/0x180        __del_gendisk+0x226/0x690        del_gendisk+0xba/0x110        sd_remove+0x49/0xb0 [sd_mod]        device_remove+0x87/0xb0        device_release_driver_internal+0x11e/0x230        device_release_driver+0x1a/0x30        bus_remove_device+0x14d/0x220        device_del+0x1e1/0x5a0        __scsi_remove_device+0x1ff/0x2f0        scsi_remove_device+0x37/0x60        sdev_store_delete+0x77/0x100        dev_attr_store+0x1f/0x40        sysfs_kf_write+0x65/0x90        kernfs_fop_write_iter+0x189/0x280        vfs_write+0x256/0x490        ksys_write+0x83/0x190        __x64_sys_write+0x21/0x30        x64_sys_call+0x4608/0x4630        do_syscall_64+0xdb/0x6b0        entry_SYSCALL_64_after_hwframe+0x76/0x7e  other info that might help us debug this:  Chain exists of:   &q->sysfs_lock --> &q->rq_qos_mutex --> &q->q_usage_counter(queue)#3   Possible unsafe locking scenario:         CPU0                    CPU1        ----                    ----   lock(&q->q_usage_counter(queue)#3);                                lock(&q->rq_qos_mutex);                                lock(&q->q_usage_counter(queue)#3);   lock(&q->sysfs_lock);  Root cause is that queue_usage_counter is grabbed with rq_qos_mutex held in blkg_conf_prep(), while queue should be freezed before rq_qos_mutex from other context.  The blk_queue_enter() from blkg_conf_prep() is used to protect against policy deactivation, which is already protected with blkcg_mutex, hence convert blk_queue_enter() to blkcg_mutex to fix this problem. Meanwhile, consider that blkcg_mutex is held after queue is freezed from policy deactivation, also convert blkg_alloc() to use GFP_NOIO.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40341",
                                "url": "https://ubuntu.com/security/CVE-2025-40341",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  futex: Don't leak robust_list pointer on exec race  sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access() to check if the calling task is allowed to access another task's robust_list pointer. This check is racy against a concurrent exec() in the target process.  During exec(), a task may transition from a non-privileged binary to a privileged one (e.g., setuid binary) and its credentials/memory mappings may change. If get_robust_list() performs ptrace_may_access() before this transition, it may erroneously allow access to sensitive information after the target becomes privileged.  A racy access allows an attacker to exploit a window during which ptrace_may_access() passes before a target process transitions to a privileged state via exec().  For example, consider a non-privileged task T that is about to execute a setuid-root binary. An attacker task A calls get_robust_list(T) while T is still unprivileged. Since ptrace_may_access() checks permissions based on current credentials, it succeeds. However, if T begins exec immediately afterwards, it becomes privileged and may change its memory mappings. Because get_robust_list() proceeds to access T->robust_list without synchronizing with exec() it may read user-space pointers from a now-privileged process.  This violates the intended post-exec access restrictions and could expose sensitive memory addresses or be used as a primitive in a larger exploit chain. Consequently, the race can lead to unauthorized disclosure of information across privilege boundaries and poses a potential security risk.  Take a read lock on signal->exec_update_lock prior to invoking ptrace_may_access() and accessing the robust_list/compat_robust_list. This ensures that the target task's exec state remains stable during the check, allowing for consistent and synchronized validation of credentials.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40342",
                                "url": "https://ubuntu.com/security/CVE-2025-40342",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvme-fc: use lock accessing port_state and rport state  nvme_fc_unregister_remote removes the remote port on a lport object at any point in time when there is no active association. This races with the reconnect logic, because nvme_fc_create_association is not taking a lock to check the port_state and atomically increase the active count on the rport.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40343",
                                "url": "https://ubuntu.com/security/CVE-2025-40343",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-fc: avoid scheduling association deletion twice  When forcefully shutting down a port via the configfs interface, nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and then nvmet_disable_port(). Both functions will eventually schedule all remaining associations for deletion.  The current implementation checks whether an association is about to be removed, but only after the work item has already been scheduled. As a result, it is possible for the first scheduled work item to free all resources, and then for the same work item to be scheduled again for deletion.  Because the association list is an RCU list, it is not possible to take a lock and remove the list entry directly, so it cannot be looked up again. Instead, a flag (terminating) must be used to determine whether the association is already in the process of being deleted.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68177",
                                "url": "https://ubuntu.com/security/CVE-2025-68177",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq/longhaul: handle NULL policy in longhaul_exit  longhaul_exit() was calling cpufreq_cpu_get(0) without checking for a NULL policy pointer. On some systems, this could lead to a NULL dereference and a kernel warning or panic.  This patch adds a check using unlikely() and returns early if the policy is NULL.  Bugzilla: #219962",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68317",
                                "url": "https://ubuntu.com/security/CVE-2025-68317",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/zctx: check chained notif contexts  Send zc only links ubuf_info for requests coming from the same context. There are some ambiguous syz reports, so let's check the assumption on notification completion.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40315",
                                "url": "https://ubuntu.com/security/CVE-2025-40315",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_fs: Fix epfile null pointer access after ep enable.  A race condition occurs when ffs_func_eps_enable() runs concurrently with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading to a NULL pointer dereference when accessing epfile->ep in ffs_func_eps_enable() after successful usb_ep_enable().  The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and ffs_data_close() functions, and its modification is protected by the spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function is also protected by ffs->eps_lock.  Thus, add NULL pointer handling for ffs->epfiles in the ffs_func_eps_enable() function to fix issues",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40316",
                                "url": "https://ubuntu.com/security/CVE-2025-40316",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/mediatek: Fix device use-after-free on unbind  A recent change fixed device reference leaks when looking up drm platform device driver data during bind() but failed to remove a partial fix which had been added by commit 80805b62ea5b (\"drm/mediatek: Fix kobject put for component sub-drivers\").  This results in a reference imbalance on component bind() failures and on unbind() which could lead to a use-after-free.  Make sure to only drop the references after retrieving the driver data by effectively reverting the previous partial fix.  Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40360",
                                "url": "https://ubuntu.com/security/CVE-2025-40360",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sysfb: Do not dereference NULL pointer in plane reset  The plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not deref that pointer, but forward NULL to the other plane-reset helpers. Clears plane->state to NULL.  v2: - fix typo in commit description (Javier)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68179",
                                "url": "https://ubuntu.com/security/CVE-2025-68179",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP  As reported by Luiz Capitulino enabling HVO on s390 leads to reproducible crashes. The problem is that kernel page tables are modified without flushing corresponding TLB entries.  Even if it looks like the empty flush_tlb_all() implementation on s390 is the problem, it is actually a different problem: on s390 it is not allowed to replace an active/valid page table entry with another valid page table entry without the detour over an invalid entry. A direct replacement may lead to random crashes and/or data corruption.  In order to invalidate an entry special instructions have to be used (e.g. ipte or idte). Alternatively there are also special instructions available which allow to replace a valid entry with a different valid entry (e.g. crdte or cspg).  Given that the HVO code currently does not provide the hooks to allow for an implementation which is compliant with the s390 architecture requirements, disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP again, which is basically a revert of the original patch which enabled it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68310",
                                "url": "https://ubuntu.com/security/CVE-2025-68310",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump  Do not block PCI config accesses through pci_cfg_access_lock() when executing the s390 variant of PCI error recovery: Acquire just device_lock() instead of pci_dev_lock() as powerpc's EEH and generig PCI AER processing do.  During error recovery testing a pair of tasks was reported to be hung:  mlx5_core 0000:00:00.1: mlx5_health_try_recover:338:(pid 5553): health recovery flow aborted, PCI reads still not working INFO: task kmcheck:72 blocked for more than 122 seconds.       Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. task:kmcheck         state:D stack:0     pid:72    tgid:72    ppid:2     flags:0x00000000 Call Trace:  [<000000065256f030>] __schedule+0x2a0/0x590  [<000000065256f356>] schedule+0x36/0xe0  [<000000065256f572>] schedule_preempt_disabled+0x22/0x30  [<0000000652570a94>] __mutex_lock.constprop.0+0x484/0x8a8  [<000003ff800673a4>] mlx5_unload_one+0x34/0x58 [mlx5_core]  [<000003ff8006745c>] mlx5_pci_err_detected+0x94/0x140 [mlx5_core]  [<0000000652556c5a>] zpci_event_attempt_error_recovery+0xf2/0x398  [<0000000651b9184a>] __zpci_event_error+0x23a/0x2c0 INFO: task kworker/u1664:6:1514 blocked for more than 122 seconds.       Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. 
task:kworker/u1664:6 state:D stack:0     pid:1514  tgid:1514  ppid:2     flags:0x00000000 Workqueue: mlx5_health0000:00:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core] Call Trace:  [<000000065256f030>] __schedule+0x2a0/0x590  [<000000065256f356>] schedule+0x36/0xe0  [<0000000652172e28>] pci_wait_cfg+0x80/0xe8  [<0000000652172f94>] pci_cfg_access_lock+0x74/0x88  [<000003ff800916b6>] mlx5_vsc_gw_lock+0x36/0x178 [mlx5_core]  [<000003ff80098824>] mlx5_crdump_collect+0x34/0x1c8 [mlx5_core]  [<000003ff80074b62>] mlx5_fw_fatal_reporter_dump+0x6a/0xe8 [mlx5_core]  [<0000000652512242>] devlink_health_do_dump.part.0+0x82/0x168  [<0000000652513212>] devlink_health_report+0x19a/0x230  [<000003ff80075a12>] mlx5_fw_fatal_reporter_err_work+0xba/0x1b0 [mlx5_core]  No kernel log of the exact same error with an upstream kernel is available - but the very same deadlock situation can be constructed there, too:  - task: kmcheck   mlx5_unload_one() tries to acquire devlink lock while the PCI error   recovery code has set pdev->block_cfg_access by way of   pci_cfg_access_lock() - task: kworker   mlx5_crdump_collect() tries to set block_cfg_access through   pci_cfg_access_lock() while devlink_health_report() had acquired   the devlink lock.  A similar deadlock situation can be reproduced by requesting a crdump with   > devlink health dump show pci/<BDF> reporter fw_fatal  while PCI error recovery is executed on the same <BDF> physical function by mlx5_core's pci_error_handlers. On s390 this can be injected with   > zpcictl --reset-fw <BDF>  Tests with this patch failed to reproduce that second deadlock situation, the devlink command is rejected with \"kernel answers: Permission denied\" - and we get a kernel log message of:  mlx5_core 1ed0:00:00.1: mlx5_crdump_collect:50:(pid 254382): crdump: failed to lock vsc gw err -5  because the config read of VSC_SEMAPHORE is rejected by the underlying hardware.  
Two prior attempts to address this issue have been discussed and ultimately rejected [see link], with the primary argument that s390's implementation of PCI error recovery is imposing restrictions that neither powerpc's EEH nor PCI AER handling need. Tests show that PCI error recovery on s390 is running to completion even without blocking access to PCI config space.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40317",
                                "url": "https://ubuntu.com/security/CVE-2025-40317",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  regmap: slimbus: fix bus_context pointer in regmap init calls  Commit 4e65bda8273c (\"ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()\") revealed the problem in the slimbus regmap. That commit breaks audio playback, for instance, on sdm845 Thundercomm Dragonboard 845c board:   Unable to handle kernel paging request at virtual address ffff8000847cbad4  ...  CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT  Hardware name: Thundercomm Dragonboard 845c (DT)  ...  Call trace:   slim_xfer_msg+0x24/0x1ac [slimbus] (P)   slim_read+0x48/0x74 [slimbus]   regmap_slimbus_read+0x18/0x24 [regmap_slimbus]   _regmap_raw_read+0xe8/0x174   _regmap_bus_read+0x44/0x80   _regmap_read+0x60/0xd8   _regmap_update_bits+0xf4/0x140   _regmap_select_page+0xa8/0x124   _regmap_raw_write_impl+0x3b8/0x65c   _regmap_bus_raw_write+0x60/0x80   _regmap_write+0x58/0xc0   regmap_write+0x4c/0x80   wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x]   snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core]   __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core]   dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core]   dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core]   snd_pcm_hw_params+0x124/0x464 [snd_pcm]   snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm]   snd_pcm_ioctl+0x34/0x4c [snd_pcm]   __arm64_sys_ioctl+0xac/0x104   invoke_syscall+0x48/0x104   el0_svc_common.constprop.0+0x40/0xe0   do_el0_svc+0x1c/0x28   el0_svc+0x34/0xec   el0t_64_sync_handler+0xa0/0xf0   el0t_64_sync+0x198/0x19c  The __devm_regmap_init_slimbus() started to be used instead of __regmap_init_slimbus() after the commit mentioned above and turns out the incorrect bus_context pointer (3rd argument) was used in __devm_regmap_init_slimbus(). It should be just \"slimbus\" (which is equal to &slimbus->dev). Correct it. 
The wcd934x codec seems to be the only or the first user of devm_regmap_init_slimbus() but we should fix it till the point where __devm_regmap_init_slimbus() was introduced therefore two \"Fixes\" tags.  While at this, also correct the same argument in __regmap_init_slimbus().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40359",
                                "url": "https://ubuntu.com/security/CVE-2025-40359",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/x86/intel: Fix KASAN global-out-of-bounds warning  When running \"perf mem record\" command on CWF, the below KASAN global-out-of-bounds warning is seen.    ==================================================================   BUG: KASAN: global-out-of-bounds in cmt_latency_data+0x176/0x1b0   Read of size 4 at addr ffffffffb721d000 by task dtlb/9850    Call Trace:     kasan_report+0xb8/0xf0    cmt_latency_data+0x176/0x1b0    setup_arch_pebs_sample_data+0xf49/0x2560    intel_pmu_drain_arch_pebs+0x577/0xb00    handle_pmi_common+0x6c4/0xc80  The issue is caused by below code in __grt_latency_data(). The code tries to access x86_hybrid_pmu structure which doesn't exist on non-hybrid platform like CWF.          WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big)  So add is_hybrid() check before calling this WARN_ON_ONCE to fix the global-out-of-bounds access issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68181",
                                "url": "https://ubuntu.com/security/CVE-2025-68181",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Remove calls to drm_put_dev()  Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() drm_put_dev()'ing to trigger it to be free'd should be done by devres.  However, drm_put_dev() is still in the probe error and device remove paths. When the driver fails to probe warnings like the following are shown because devres is trying to drm_put_dev() after the driver already did it.  [    5.642230] radeon 0000:01:05.0: probe with driver radeon failed with error -22 [    5.649605] ------------[ cut here ]------------ [    5.649607] refcount_t: underflow; use-after-free. [    5.649620] WARNING: CPU: 0 PID: 357 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110  (cherry picked from commit 3eb8c0b4c091da0a623ade0d3ee7aa4a93df1ea4)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68170",
                                "url": "https://ubuntu.com/security/CVE-2025-68170",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Do not kfree() devres managed rdev  Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() rdev is managed by devres and we shouldn't be calling kfree() on it.  This fixes things exploding if the driver probe fails and devres cleans up the rdev after we already free'd it.  (cherry picked from commit 16c0681617b8a045773d4d87b6140002fa75b03b)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40213",
                                "url": "https://ubuntu.com/security/CVE-2025-40213",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete  There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array.  Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove.  Use DEFINE_FLEX to declare the flexible array right, and don't memcpy outside bounds.  As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free, and also report status on error.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-24 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40318",
                                "url": "https://ubuntu.com/security/CVE-2025-40318",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once  hci_cmd_sync_dequeue_once() does lookup and then cancel the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the same entry, leading to double list_del() and \"UAF\".  Fix this by holding cmd_sync_work_lock across both lookup and cancel, so that the entry cannot be removed concurrently.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68312",
                                "url": "https://ubuntu.com/security/CVE-2025-68312",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: Prevents free active kevent  The root cause of this issue are: 1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0); put the kevent work in global workqueue. However, the kevent has not yet been scheduled when the usbnet device is unregistered. Therefore, executing free_netdev() results in the \"free active object (kevent)\" error reported here.  2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(), if the usbnet device is up, ndo_stop() is executed to cancel the kevent. However, because the device is not up, ndo_stop() is not executed.  The solution to this problem is to cancel the kevent before executing free_netdev().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40344",
                                "url": "https://ubuntu.com/security/CVE-2025-40344",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Disable periods-elapsed work when closing PCM  avs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio stream while period-elapsed work services its IRQs. As the former frees the DAI's private context, these two operations shall be synchronized to avoid slab-use-after-free or worse errors.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68172",
                                "url": "https://ubuntu.com/security/CVE-2025-68172",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: aspeed - fix double free caused by devm  The clock obtained via devm_clk_get_enabled() is automatically managed by devres and will be disabled and freed on driver detach. Manually calling clk_disable_unprepare() in error path and remove function causes double free.  Remove the manual clock cleanup in both aspeed_acry_probe()'s error path and aspeed_acry_remove().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40319",
                                "url": "https://ubuntu.com/security/CVE-2025-40319",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Sync pending IRQ work before freeing ring buffer  Fix a race where irq_work can be queued in bpf_ringbuf_commit() but the ring buffer is freed before the work executes. In the syzbot reproducer, a BPF program attached to sched_switch triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer is freed before this work executes, the irq_work thread may access freed memory. Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work complete before freeing the buffer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68182",
                                "url": "https://ubuntu.com/security/CVE-2025-68182",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: iwlwifi: fix potential use after free in iwl_mld_remove_link()  This code frees \"link\" by calling kfree_rcu(link, rcu_head) and then it dereferences \"link\" to get the \"link->fw_id\".  Save the \"link->fw_id\" first to avoid a potential use after free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68314",
                                "url": "https://ubuntu.com/security/CVE-2025-68314",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm: make sure last_fence is always updated  Update last_fence in the vm-bind path instead of kernel managed path.  last_fence is used to wait for work to finish in vm_bind contexts but not used for kernel managed contexts.  This fixes a bug where last_fence is not waited on context close leading to faults as resources are freed while in use.  Patchwork: https://patchwork.freedesktop.org/patch/680080/",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68189",
                                "url": "https://ubuntu.com/security/CVE-2025-68189",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm: Fix GEM free for imported dma-bufs  Imported dma-bufs also have obj->resv != &obj->_resv.  So we should check both this condition in addition to flags for handling the _NO_SHARE case.  Fixes this splat that was reported with IRIS video playback:      ------------[ cut here ]------------     WARNING: CPU: 3 PID: 2040 at drivers/gpu/drm/msm/msm_gem.c:1127 msm_gem_free_object+0x1f8/0x264 [msm]     CPU: 3 UID: 1000 PID: 2040 Comm: .gnome-shell-wr Not tainted 6.17.0-rc7 #1 PREEMPT     pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)     pc : msm_gem_free_object+0x1f8/0x264 [msm]     lr : msm_gem_free_object+0x138/0x264 [msm]     sp : ffff800092a1bb30     x29: ffff800092a1bb80 x28: ffff800092a1bce8 x27: ffffbc702dbdbe08     x26: 0000000000000008 x25: 0000000000000009 x24: 00000000000000a6     x23: ffff00083c72f850 x22: ffff00083c72f868 x21: ffff00087e69f200     x20: ffff00087e69f330 x19: ffff00084d157ae0 x18: 0000000000000000     x17: 0000000000000000 x16: ffffbc704bd46b80 x15: 0000ffffd0959540     x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000     x11: ffffbc702e6cdb48 x10: 0000000000000000 x9 : 000000000000003f     x8 : ffff800092a1ba90 x7 : 0000000000000000 x6 : 0000000000000020     x5 : ffffbc704bd46c40 x4 : fffffdffe102cf60 x3 : 0000000000400032     x2 : 0000000000020000 x1 : ffff00087e6978e8 x0 : ffff00087e6977e8     Call trace:      msm_gem_free_object+0x1f8/0x264 [msm] (P)      drm_gem_object_free+0x1c/0x30 [drm]      drm_gem_object_handle_put_unlocked+0x138/0x150 [drm]      drm_gem_object_release_handle+0x5c/0xcc [drm]      drm_gem_handle_delete+0x68/0xbc [drm]      drm_gem_close_ioctl+0x34/0x40 [drm]      drm_ioctl_kernel+0xc0/0x130 [drm]      drm_ioctl+0x360/0x4e0 [drm]      __arm64_sys_ioctl+0xac/0x104      invoke_syscall+0x48/0x104      el0_svc_common.constprop.0+0x40/0xe0      
do_el0_svc+0x1c/0x28      el0_svc+0x34/0xec      el0t_64_sync_handler+0xa0/0xe4      el0t_64_sync+0x198/0x19c     ---[ end trace 0000000000000000 ]---     ------------[ cut here ]------------  Patchwork: https://patchwork.freedesktop.org/patch/676273/",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68171",
                                "url": "https://ubuntu.com/security/CVE-2025-68171",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/fpu: Ensure XFD state on signal delivery  Sean reported [1] the following splat when running KVM tests:     WARNING: CPU: 232 PID: 15391 at xfd_validate_state+0x65/0x70    Call Trace:     <TASK>     fpu__clear_user_states+0x9c/0x100     arch_do_signal_or_restart+0x142/0x210     exit_to_user_mode_loop+0x55/0x100     do_syscall_64+0x205/0x2c0     entry_SYSCALL_64_after_hwframe+0x4b/0x53  Chao further identified [2] a reproducible scenario involving signal delivery: a non-AMX task is preempted by an AMX-enabled task which modifies the XFD MSR.  When the non-AMX task resumes and reloads XSTATE with init values, a warning is triggered due to a mismatch between fpstate::xfd and the CPU's current XFD state. fpu__clear_user_states() does not currently re-synchronize the XFD state after such preemption.  Invoke xfd_update_state() which detects and corrects the mismatch if there is a dynamic feature.  This also benefits the sigreturn path, as fpu__restore_sig() may call fpu__clear_user_states() when the sigframe is inaccessible.  [ dhansen: minor changelog munging ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68313",
                                "url": "https://ubuntu.com/security/CVE-2025-68313",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Add RDSEED fix for Zen5  There's an issue with RDSEED's 16-bit and 32-bit register output variants on Zen5 which return a random value of 0 \"at a rate inconsistent with randomness while incorrectly signaling success (CF=1)\". Search the web for AMD-SB-7055 for more detail.  Add a fix glue which checks microcode revisions.    [ bp: Add microcode revisions checking, rewrite. ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40320",
                                "url": "https://ubuntu.com/security/CVE-2025-40320",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix potential cfid UAF in smb2_query_info_compound  When smb2_query_info_compound() retries, a previously allocated cfid may have been freed in the first attempt. Because cfid wasn't reset on replay, later cleanup could act on a stale pointer, leading to a potential use-after-free.  Reinitialize cfid to NULL under the replay label.  Example trace (trimmed):  refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110 [...] RIP: 0010:refcount_warn_saturate+0x9c/0x110 [...] Call Trace:  <TASK>  smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  ? step_into+0x10d/0x690  ? __legitimize_path+0x28/0x60  smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  ? kmem_cache_alloc+0x18a/0x340  ? getname_flags+0x46/0x1e0  cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  statfs_by_dentry+0x67/0x90  vfs_statfs+0x16/0xd0  user_statfs+0x54/0xa0  __do_sys_statfs+0x20/0x50  do_syscall_64+0x58/0x80",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40321",
                                "url": "https://ubuntu.com/security/CVE-2025-40321",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode  Currently, whenever there is a need to transmit an Action frame, the brcmfmac driver always uses the P2P vif to send the \"actframe\" IOVAR to firmware. The P2P interfaces were available when wpa_supplicant is managing the wlan interface.  However, the P2P interfaces are not created/initialized when only hostapd is managing the wlan interface. And if hostapd receives an ANQP Query REQ Action frame even from an un-associated STA, the brcmfmac driver tries to use an uninitialized P2P vif pointer for sending the IOVAR to firmware. This NULL pointer dereferencing triggers a driver crash.   [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual  address 0000000000000000  [...]  [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)  [...]  [ 1417.075653] Call trace:  [ 1417.075662]  brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]  [ 1417.075738]  brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]  [ 1417.075810]  cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211]  [ 1417.076067]  nl80211_tx_mgmt+0x238/0x388 [cfg80211]  [ 1417.076281]  genl_family_rcv_msg_doit+0xe0/0x158  [ 1417.076302]  genl_rcv_msg+0x220/0x2a0  [ 1417.076317]  netlink_rcv_skb+0x68/0x140  [ 1417.076330]  genl_rcv+0x40/0x60  [ 1417.076343]  netlink_unicast+0x330/0x3b8  [ 1417.076357]  netlink_sendmsg+0x19c/0x3f8  [ 1417.076370]  __sock_sendmsg+0x64/0xc0  [ 1417.076391]  ____sys_sendmsg+0x268/0x2a0  [ 1417.076408]  ___sys_sendmsg+0xb8/0x118  [ 1417.076427]  __sys_sendmsg+0x90/0xf8  [ 1417.076445]  __arm64_sys_sendmsg+0x2c/0x40  [ 1417.076465]  invoke_syscall+0x50/0x120  [ 1417.076486]  el0_svc_common.constprop.0+0x48/0xf0  [ 1417.076506]  do_el0_svc+0x24/0x38  [ 1417.076525]  el0_svc+0x30/0x100  [ 1417.076548]  el0t_64_sync_handler+0x100/0x130  [ 1417.076569]  el0t_64_sync+0x190/0x198  [ 
1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)  Fix this, by always using the vif corresponding to the wdev on which the Action frame Transmission request was initiated by the userspace. This way, even if P2P vif is not available, the IOVAR is sent to firmware on AP vif and the ANQP Query RESP Action frame is transmitted without crashing the driver.  Move init_completion() for \"send_af_done\" from brcmf_p2p_create_p2pdev() to brcmf_p2p_attach(). Because the former function would not get executed when only hostapd is managing wlan interface, and it is not safe to do reinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior init_completion().  And in the brcmf_p2p_tx_action_frame() function, the condition check for P2P Presence response frame is not needed, since the wpa_supplicant is properly sending the P2P Presence Response frame on the P2P-GO vif instead of the P2P-Device vif.  [Cc stable]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40322",
                                "url": "https://ubuntu.com/security/CVE-2025-40322",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: bitblit: bound-check glyph index in bit_putcs*  bit_putcs_aligned()/unaligned() derived the glyph pointer from the character value masked by 0xff/0x1ff, which may exceed the actual font's glyph count and read past the end of the built-in font array. Clamp the index to the actual glyph count before computing the address.  This fixes a global out-of-bounds read reported by syzbot.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40211",
                                "url": "https://ubuntu.com/security/CVE-2025-40211",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ACPI: video: Fix use-after-free in acpi_video_switch_brightness()  The switch_brightness_work delayed work accesses device->brightness and device->backlight, freed by acpi_video_dev_unregister_backlight() during device removal.  If the work executes after acpi_video_bus_unregister_backlight() frees these resources, it causes a use-after-free when acpi_video_switch_brightness() dereferences device->brightness or device->backlight.  Fix this by calling cancel_delayed_work_sync() for each device's switch_brightness_work in acpi_video_bus_remove_notify_handler() after removing the notify handler that queues the work. This ensures the work completes before the memory is freed.  [ rjw: Changelog edit ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-21 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40323",
                                "url": "https://ubuntu.com/security/CVE-2025-40323",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Set fb_display[i]->mode to NULL when the mode is released  Recently, we discovered the following issue through syzkaller:  BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0 Read of size 4 at addr ff11000001b3c69c by task syz.xxx ... Call Trace:  <TASK>  dump_stack_lvl+0xab/0xe0  print_address_description.constprop.0+0x2c/0x390  print_report+0xb9/0x280  kasan_report+0xb8/0xf0  fb_mode_is_equal+0x285/0x2f0  fbcon_mode_deleted+0x129/0x180  fb_set_var+0xe7f/0x11d0  do_fb_ioctl+0x6a0/0x750  fb_ioctl+0xe0/0x140  __x64_sys_ioctl+0x193/0x210  do_syscall_64+0x5f/0x9c0  entry_SYSCALL_64_after_hwframe+0x76/0x7e  Based on experimentation and analysis, during framebuffer unregistration, only the memory of fb_info->modelist is freed, without setting the corresponding fb_display[i]->mode to NULL for the freed modes. This leads to UAF issues during subsequent accesses. Here's an example of reproduction steps: 1. With /dev/fb0 already registered in the system, load a kernel module    to register a new device /dev/fb1; 2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP); 3. Switch console from fb to VGA (to allow normal rmmod of the ko); 4. Unload the kernel module, at this point fb1's modelist is freed, leaving    a wild pointer in fb_display[]; 5. Trigger the bug via system calls through fb0 attempting to delete a mode    from fb0.  Add a check in do_unregister_framebuffer(): if the mode to be freed exists in fb_display[], set the corresponding mode pointer to NULL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40210",
                                "url": "https://ubuntu.com/security/CVE-2025-40210",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\"  I've found that pynfs COMP6 now leaves the connection or lease in a strange state, which causes CLOSE9 to hang indefinitely. I've dug into it a little, but I haven't been able to root-cause it yet. However, I bisected to commit 48aab1606fa8 (\"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\").  Tianshuo Han also reports a potential vulnerability when decoding an NFSv4 COMPOUND. An attacker can place an arbitrarily large op count in the COMPOUND header, which results in:  [   51.410584] nfsd: vmalloc error: size 1209533382144, exceeds total pages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO), nodemask=(null),cpuset=/,mems_allowed=0  when NFSD attempts to allocate the COMPOUND op array.  Let's restore the operation-per-COMPOUND limit, but increased to 200 for now.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-21 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40324",
                                "url": "https://ubuntu.com/security/CVE-2025-40324",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Fix crash in nfsd4_read_release()  When tracing is enabled, the trace_nfsd_read_done trace point crashes during the pynfs read.testNoFh test.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40326",
                                "url": "https://ubuntu.com/security/CVE-2025-40326",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define actions for the new time_deleg FATTR4 attributes  NFSv4 clients won't send legitimate GETATTR requests for these new attributes because they are intended to be used only with CB_GETATTR and SETATTR. But NFSD has to do something besides crashing if it ever sees a GETATTR request that queries these attributes.  RFC 8881 Section 18.7.3 states:  > The server MUST return a value for each attribute that the client > requests if the attribute is supported by the server for the > target file system. If the server does not support a particular > attribute on the target file system, then it MUST NOT return the > attribute value and MUST NOT set the attribute bit in the result > bitmap. The server MUST return an error if it supports an > attribute on the target but cannot obtain its value. In that case, > no attribute values will be returned.  Further, RFC 9754 Section 5 states:  > These new attributes are invalid to be used with GETATTR, VERIFY, > and NVERIFY, and they can only be used with CB_GETATTR and SETATTR > by a client holding an appropriate delegation.  Thus there does not appear to be a specific server response mandated by specification. Taking the guidance that querying these attributes via GETATTR is \"invalid\", NFSD will return nfserr_inval, failing the request entirely.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40084",
                                "url": "https://ubuntu.com/security/CVE-2025-40084",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: transport_ipc: validate payload size before reading handle  handle_response() dereferences the payload as a 4-byte handle without verifying that the declared payload size is at least 4 bytes. A malformed or truncated message from ksmbd.mountd can lead to a 4-byte read past the declared payload size. Validate the size before dereferencing.  This is a minimal fix to guard the initial handle read.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40222",
                                "url": "https://ubuntu.com/security/CVE-2025-40222",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: serial: sh-sci: fix RSCI FIFO overrun handling  The receive error handling code is shared between RSCI and all other SCIF port types, but the RSCI overrun_reg is specified as a memory offset, while for other SCIF types it is an enum value used to index into the sci_port_params->regs array, as mentioned above the sci_serial_in() function.  For RSCI, the overrun_reg is CSR (0x48), causing the sci_getreg() call inside the sci_handle_fifo_overrun() function to index outside the bounds of the regs array, which currently has a size of 20, as specified by SCI_NR_REGS.  Because of this, we end up accessing memory outside of RSCI's rsci_port_params structure, which, when interpreted as a plat_sci_reg, happens to have a non-zero size, causing the following WARN when sci_serial_in() is called, as the accidental size does not match the supported register sizes.  The existence of the overrun_reg needs to be checked because SCIx_SH3_SCIF_REGTYPE has overrun_reg set to SCLSR, but SCLSR is not present in the regs array.  Avoid calling sci_getreg() for port types which don't use standard register handling.  Use the ops->read_reg() and ops->write_reg() functions to properly read and write registers for RSCI, and change the type of the status variable to accommodate the 32-bit CSR register.  sci_getreg() and sci_serial_in() are also called with overrun_reg in the sci_mpxed_interrupt() interrupt handler, but that code path is not used for RSCI, as it does not have a muxed interrupt.  
------------[ cut here ]------------ Invalid register access WARNING: CPU: 0 PID: 0 at drivers/tty/serial/sh-sci.c:522 sci_serial_in+0x38/0xac Modules linked in: renesas_usbhs at24 rzt2h_adc industrialio_adc sha256 cfg80211 bluetooth ecdh_generic ecc rfkill fuse drm backlight ipv6 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.17.0-rc1+ #30 PREEMPT Hardware name: Renesas RZ/T2H EVK Board based on r9a09g077m44 (DT) pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : sci_serial_in+0x38/0xac lr : sci_serial_in+0x38/0xac sp : ffff800080003e80 x29: ffff800080003e80 x28: ffff800082195b80 x27: 000000000000000d x26: ffff8000821956d0 x25: 0000000000000000 x24: ffff800082195b80 x23: ffff000180e0d800 x22: 0000000000000010 x21: 0000000000000000 x20: 0000000000000010 x19: ffff000180e72000 x18: 000000000000000a x17: ffff8002bcee7000 x16: ffff800080000000 x15: 0720072007200720 x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720 x11: 0000000000000058 x10: 0000000000000018 x9 : ffff8000821a6a48 x8 : 0000000000057fa8 x7 : 0000000000000406 x6 : ffff8000821fea48 x5 : ffff00033ef88408 x4 : ffff8002bcee7000 x3 : ffff800082195b80 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff800082195b80 Call trace:  sci_serial_in+0x38/0xac (P)  sci_handle_fifo_overrun.isra.0+0x70/0x134  sci_er_interrupt+0x50/0x39c  __handle_irq_event_percpu+0x48/0x140  handle_irq_event+0x44/0xb0  handle_fasteoi_irq+0xf4/0x1a0  handle_irq_desc+0x34/0x58  generic_handle_domain_irq+0x1c/0x28  gic_handle_irq+0x4c/0x140  call_on_irq_stack+0x30/0x48  do_interrupt_handler+0x80/0x84  el1_interrupt+0x34/0x68  el1h_64_irq_handler+0x18/0x24  el1h_64_irq+0x6c/0x70  default_idle_call+0x28/0x58 (P)  do_idle+0x1f8/0x250  cpu_startup_entry+0x34/0x3c  rest_init+0xd8/0xe0  console_on_rootfs+0x0/0x6c  __primary_switched+0x88/0x90 ---[ end trace 0000000000000000 ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40223",
                                "url": "https://ubuntu.com/security/CVE-2025-40223",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  most: usb: Fix use-after-free in hdm_disconnect  hdm_disconnect() calls most_deregister_interface(), which eventually unregisters the MOST interface device with device_unregister(iface->dev). If that drops the last reference, the device core may call release_mdev() immediately while hdm_disconnect() is still executing.  The old code also freed several mdev-owned allocations in hdm_disconnect() and then performed additional put_device() calls. Depending on refcount order, this could lead to use-after-free or double-free when release_mdev() ran (or when unregister paths also performed puts).  Fix by moving the frees of mdev-owned allocations into release_mdev(), so they happen exactly once when the device is truly released, and by dropping the extra put_device() calls in hdm_disconnect() that are redundant after device_unregister() and most_deregister_interface().  This addresses the KASAN slab-use-after-free reported by syzbot in hdm_disconnect(). See report and stack traces in the bug link below.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40106",
                                "url": "https://ubuntu.com/security/CVE-2025-40106",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  comedi: fix divide-by-zero in comedi_buf_munge()  The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path.  Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging.  This prevents potential kernel panics from malformed user commands.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-31 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40224",
                                "url": "https://ubuntu.com/security/CVE-2025-40224",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hwmon: (cgbc-hwmon) Add missing NULL check after devm_kzalloc()  The driver allocates memory for sensor data using devm_kzalloc(), but did not check if the allocation succeeded. In case of memory allocation failure, dereferencing the NULL pointer would lead to a kernel crash.  Add a NULL pointer check and return -ENOMEM to handle allocation failure properly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40225",
                                "url": "https://ubuntu.com/security/CVE-2025-40225",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/panthor: Fix kernel panic on partial unmap of a GPU VA region  This commit address a kernel panic issue that can happen if Userspace tries to partially unmap a GPU virtual region (aka drm_gpuva). The VM_BIND interface allows partial unmapping of a BO.  Panthor driver pre-allocates memory for the new drm_gpuva structures that would be needed for the map/unmap operation, done using drm_gpuvm layer. It expected that only one new drm_gpuva would be needed on umap but a partial unmap can require 2 new drm_gpuva and that's why it ended up doing a NULL pointer dereference causing a kernel panic.  Following dump was seen when partial unmap was exercised.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078  Mem abort info:    ESR = 0x0000000096000046    EC = 0x25: DABT (current EL), IL = 32 bits    SET = 0, FnV = 0    EA = 0, S1PTW = 0    FSC = 0x06: level 2 translation fault  Data abort info:    ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000    CM = 0, WnR = 1, TnD = 0, TagAccess = 0    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0  user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000  [000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000  Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP  <snip>  pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)  pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]  lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor]  sp : ffff800085d43970  x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000  x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000  x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180  x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010  x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c  x14: 312d3d7361203a70 x13: 
303030323d6e656c x12: ffff80008324bf58  x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c  x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7  x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001  x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078  Call trace:   panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]   op_remap_cb.isra.22+0x50/0x80   __drm_gpuvm_sm_unmap+0x10c/0x1c8   drm_gpuvm_sm_unmap+0x40/0x60   panthor_vm_exec_op+0xb4/0x3d0 [panthor]   panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor]   panthor_ioctl_vm_bind+0x160/0x4a0 [panthor]   drm_ioctl_kernel+0xbc/0x138   drm_ioctl+0x240/0x500   __arm64_sys_ioctl+0xb0/0xf8   invoke_syscall+0x4c/0x110   el0_svc_common.constprop.1+0x98/0xf8   do_el0_svc+0x24/0x38   el0_svc+0x40/0xf8   el0t_64_sync_handler+0xa0/0xc8   el0t_64_sync+0x174/0x178",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40226",
                                "url": "https://ubuntu.com/security/CVE-2025-40226",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  firmware: arm_scmi: Account for failed debug initialization  When the SCMI debug subsystem fails to initialize, the related debug root will be missing, and the underlying descriptor will be NULL.  Handle this fault condition in the SCMI debug helpers that maintain metrics counters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40227",
                                "url": "https://ubuntu.com/security/CVE-2025-40227",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs: dealloc commit test ctx always  The damon_ctx for testing online DAMON parameters commit inputs is deallocated only when the test fails.  This means memory is leaked for every successful online DAMON parameters commit.  Fix the leak by always deallocating it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40228",
                                "url": "https://ubuntu.com/security/CVE-2025-40228",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs: catch commit test ctx alloc failure  Patch series \"mm/damon/sysfs: fix commit test damon_ctx [de]allocation\".  DAMON sysfs interface dynamically allocates and uses a damon_ctx object for testing if given inputs for online DAMON parameters update is valid. The object is being used without an allocation failure check, and leaked when the test succeeds.  Fix the two bugs.   This patch (of 2):  The damon_ctx for testing online DAMON parameters commit inputs is used without its allocation failure check.  This could result in an invalid memory access.  Fix it by directly returning an error when the allocation failed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40229",
                                "url": "https://ubuntu.com/security/CVE-2025-40229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/core: fix potential memory leak by cleaning ops_filter in damon_destroy_scheme  Currently, damon_destroy_scheme() only cleans up the filter list but leaves ops_filter untouched, which could lead to memory leaks when a scheme is destroyed.  This patch ensures both filter and ops_filter are properly freed in damon_destroy_scheme(), preventing potential memory leaks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40230",
                                "url": "https://ubuntu.com/security/CVE-2025-40230",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm: prevent poison consumption when splitting THP  When performing memory error injection on a THP (Transparent Huge Page) mapped to userspace on an x86 server, the kernel panics with the following trace.  The expected behavior is to terminate the affected process instead of panicking the kernel, as the x86 Machine Check code can recover from an in-userspace #MC.    mce: [Hardware Error]: CPU 0: Machine Check Exception: f Bank 3: bd80000000070134   mce: [Hardware Error]: RIP 10:<ffffffff8372f8bc> {memchr_inv+0x4c/0xf0}   mce: [Hardware Error]: TSC afff7bbff88a ADDR 1d301b000 MISC 80 PPIN 1e741e77539027db   mce: [Hardware Error]: PROCESSOR 0:d06d0 TIME 1758093249 SOCKET 0 APIC 0 microcode 80000320   mce: [Hardware Error]: Run the above through 'mcelog --ascii'   mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel   Kernel panic - not syncing: Fatal local machine check  The root cause of this panic is that handling a memory failure triggered by an in-userspace #MC necessitates splitting the THP.  The splitting process employs a mechanism, implemented in try_to_map_unused_to_zeropage(), which reads the pages in the THP to identify zero-filled pages.  However, reading the pages in the THP results in a second in-kernel #MC, occurring before the initial memory_failure() completes, ultimately leading to a kernel panic.  See the kernel panic call trace on the two #MCs.    
First Machine Check occurs // [1]     memory_failure()         // [2]       try_to_split_thp_page()         split_huge_page()           split_huge_page_to_list_to_order()             __folio_split()  // [3]               remap_page()                 remove_migration_ptes()                   remove_migration_pte()                     try_to_map_unused_to_zeropage()  // [4]                       memchr_inv()                   // [5]                         Second Machine Check occurs  // [6]                           Kernel panic  [1] Triggered by accessing a hardware-poisoned THP in userspace, which is     typically recoverable by terminating the affected process.  [2] Call folio_set_has_hwpoisoned() before try_to_split_thp_page().  [3] Pass the RMP_USE_SHARED_ZEROPAGE remap flag to remap_page().  [4] Try to map the unused THP to zeropage.  [5] Re-access pages in the hw-poisoned THP in the kernel.  [6] Triggered in-kernel, leading to a panic kernel.  In Step[2], memory_failure() sets the poisoned flag on the page in the THP by TestSetPageHWPoison() before calling try_to_split_thp_page().  As suggested by David Hildenbrand, fix this panic by not accessing to the poisoned page in the THP during zeropage identification, while continuing to scan unaffected pages in the THP for possible zeropage mapping.  This prevents a second in-kernel #MC that would cause kernel panic in Step[4].  Thanks to Andrew Zaborowski for his initial work on fixing this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40231",
                                "url": "https://ubuntu.com/security/CVE-2025-40231",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix lock inversion in vsock_assign_transport()  Syzbot reported a potential lock inversion deadlock between vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.  The issue was introduced by commit 687aa0c5581b (\"vsock: Fix transport_* TOCTOU\") which added vsock_register_mutex locking in vsock_assign_transport() around the transport->release() call, that can call vsock_linger(). vsock_assign_transport() can be called with sk_lock held. vsock_linger() calls sk_wait_event() that temporarily releases and re-acquires sk_lock. During this window, if another thread holds vsock_register_mutex while trying to acquire sk_lock, a circular dependency is created.  Fix this by releasing vsock_register_mutex before calling transport->release() and vsock_deassign_transport(). This is safe because we don't need to hold vsock_register_mutex while releasing the old transport, and we ensure the new transport won't disappear by obtaining a module reference first via try_module_get().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40233",
                                "url": "https://ubuntu.com/security/CVE-2025-40233",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ocfs2: clear extent cache after moving/defragmenting extents  The extent map cache can become stale when extents are moved or defragmented, causing subsequent operations to see outdated extent flags. This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().  The problem occurs when: 1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED 2. ioctl(FITRIM) triggers ocfs2_move_extents() 3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2) 4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent()    which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0) 5. The extent map cache is not invalidated after the move 6. Later write() operations read stale cached flags (0x2) but disk has    updated flags (0x0), causing a mismatch 7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers  Fix by clearing the extent map cache after each extent move/defrag operation in __ocfs2_move_extents_range().  This ensures subsequent operations read fresh extent data from disk.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40235",
                                "url": "https://ubuntu.com/security/CVE-2025-40235",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots()  If fs_info->super_copy or fs_info->super_for_commit allocated failed in btrfs_get_tree_subvol(), then no need to call btrfs_free_fs_info(). Otherwise btrfs_check_leaked_roots() would access NULL pointer because fs_info->allocated_roots had not been initialised.  syzkaller reported the following information:   ------------[ cut here ]------------   BUG: unable to handle page fault for address: fffffffffffffbb0   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   PGD 64c9067 P4D 64c9067 PUD 64cb067 PMD 0   Oops: Oops: 0000 [#1] SMP KASAN PTI   CPU: 0 UID: 0 PID: 1402 Comm: syz.1.35 Not tainted 6.15.8 #4 PREEMPT(lazy)   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...)   RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]   RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]   RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]   RIP: 0010:refcount_read include/linux/refcount.h:170 [inline]   RIP: 0010:btrfs_check_leaked_roots+0x18f/0x2c0 fs/btrfs/disk-io.c:1230   [...]   
Call Trace:    <TASK>    btrfs_free_fs_info+0x310/0x410 fs/btrfs/disk-io.c:1280    btrfs_get_tree_subvol+0x592/0x6b0 fs/btrfs/super.c:2029    btrfs_get_tree+0x63/0x80 fs/btrfs/super.c:2097    vfs_get_tree+0x98/0x320 fs/super.c:1759    do_new_mount+0x357/0x660 fs/namespace.c:3899    path_mount+0x716/0x19c0 fs/namespace.c:4226    do_mount fs/namespace.c:4239 [inline]    __do_sys_mount fs/namespace.c:4450 [inline]    __se_sys_mount fs/namespace.c:4427 [inline]    __x64_sys_mount+0x28c/0x310 fs/namespace.c:4427    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0x92/0x180 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x76/0x7e   RIP: 0033:0x7f032eaffa8d   [...]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40236",
                                "url": "https://ubuntu.com/security/CVE-2025-40236",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: zero unused hash fields  When a GSO tunnel is negotiated, virtio_net_hdr_tnl_from_skb() tries to initialize the tunnel metadata but forgets to zero the unused rxhash fields. This may leak information to the other side. Fix this by zeroing the unused hash fields.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40237",
                                "url": "https://ubuntu.com/security/CVE-2025-40237",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/notify: call exportfs_encode_fid with s_umount  Calling intotify_show_fdinfo() on fd watching an overlayfs inode, while the overlayfs is being unmounted, can lead to dereferencing NULL ptr.  This issue was found by syzkaller.  Race Condition Diagram:  Thread 1                           Thread 2 --------                           --------  generic_shutdown_super()  shrink_dcache_for_umount   sb->s_root = NULL                      |                     |             vfs_read()                     |              inotify_fdinfo()                     |               * inode get from mark *                     |               show_mark_fhandle(m, inode)                     |                exportfs_encode_fid(inode, ..)                     |                 ovl_encode_fh(inode, ..)                     |                  ovl_check_encode_origin(inode)                     |                   * deref i_sb->s_root *                     |                     |                     v  fsnotify_sb_delete(sb)  Which then leads to:  [   32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [   32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [   32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none)  <snip registers, unreliable trace>  [   32.143353] Call Trace: [   32.143732]  ovl_encode_fh+0xd5/0x170 [   32.144031]  exportfs_encode_inode_fh+0x12f/0x300 [   32.144425]  show_mark_fhandle+0xbe/0x1f0 [   32.145805]  inotify_fdinfo+0x226/0x2d0 [   32.146442]  inotify_show_fdinfo+0x1c5/0x350 [   32.147168]  seq_show+0x530/0x6f0 [   32.147449]  seq_read_iter+0x503/0x12a0 [   32.148419]  seq_read+0x31f/0x410 [   32.150714]  vfs_read+0x1f0/0x9e0 [   32.152297]  ksys_read+0x125/0x240  IOW 
ovl_check_encode_origin derefs inode->i_sb->s_root, after it was set to NULL in the unmount path.  Fix it by protecting calling exportfs_encode_fid() from show_mark_fhandle() with s_umount lock.  This form of fix was suggested by Amir in [1].  [1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40238",
                                "url": "https://ubuntu.com/security/CVE-2025-40238",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5: Fix IPsec cleanup over MPV device  When we do mlx5e_detach_netdev() we eventually disable blocking events notifier, among those events are IPsec MPV events from IB to core.  So before disabling those blocking events, make sure to also unregister the devcom device and mark all this device operations as complete, in order to prevent the other device from using invalid netdev during future devcom events which could cause the trace below.  BUG: kernel NULL pointer dereference, address: 0000000000000010 PGD 146427067 P4D 146427067 PUD 146488067 PMD 0 Oops: Oops: 0000 [#1] SMP CPU: 1 UID: 0 PID: 7735 Comm: devlink Tainted: GW 6.12.0-rc6_for_upstream_min_debug_2024_11_08_00_46 #1 Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core] Code: 00 01 48 83 05 23 32 1e 00 01 41 b8 ed ff ff ff e9 60 ff ff ff 48 83 05 00 32 1e 00 01 eb e3 66 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 47 10 48 83 05 5f 32 1e 00 01 48 8b 50 40 48 85 d2 74 05 40 RSP: 0018:ffff88811a5c35f8 EFLAGS: 00010206 RAX: ffff888106e8ab80 RBX: ffff888107d7e200 RCX: ffff88810d6f0a00 RDX: ffff88810d6f0a00 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff88811a17e620 R08: 0000000000000040 R09: 0000000000000000 R10: ffff88811a5c3618 R11: 0000000de85d51bd R12: ffff88811a17e600 R13: ffff88810d6f0a00 R14: 0000000000000000 R15: ffff8881034bda80 FS:  00007f27bdf89180(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000010f159005 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  <TASK>  ? __die+0x20/0x60  ? page_fault_oops+0x150/0x3e0  ? 
exc_page_fault+0x74/0x130  ? asm_exc_page_fault+0x22/0x30  ? mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core]  mlx5e_devcom_event_mpv+0x42/0x60 [mlx5_core]  mlx5_devcom_send_event+0x8c/0x170 [mlx5_core]  blocking_event+0x17b/0x230 [mlx5_core]  notifier_call_chain+0x35/0xa0  blocking_notifier_call_chain+0x3d/0x60  mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]  mlx5_core_mp_event_replay+0x12/0x20 [mlx5_core]  mlx5_ib_bind_slave_port+0x228/0x2c0 [mlx5_ib]  mlx5_ib_stage_init_init+0x664/0x9d0 [mlx5_ib]  ? idr_alloc_cyclic+0x50/0xb0  ? __kmalloc_cache_noprof+0x167/0x340  ? __kmalloc_noprof+0x1a7/0x430  __mlx5_ib_add+0x34/0xd0 [mlx5_ib]  mlx5r_probe+0xe9/0x310 [mlx5_ib]  ? kernfs_add_one+0x107/0x150  ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib]  auxiliary_bus_probe+0x3e/0x90  really_probe+0xc5/0x3a0  ? driver_probe_device+0x90/0x90  __driver_probe_device+0x80/0x160  driver_probe_device+0x1e/0x90  __device_attach_driver+0x7d/0x100  bus_for_each_drv+0x80/0xd0  __device_attach+0xbc/0x1f0  bus_probe_device+0x86/0xa0  device_add+0x62d/0x830  __auxiliary_device_add+0x3b/0xa0  ? auxiliary_device_init+0x41/0x90  add_adev+0xd1/0x150 [mlx5_core]  mlx5_rescan_drivers_locked+0x21c/0x300 [mlx5_core]  esw_mode_change+0x6c/0xc0 [mlx5_core]  mlx5_devlink_eswitch_mode_set+0x21e/0x640 [mlx5_core]  devlink_nl_eswitch_set_doit+0x60/0xe0  genl_family_rcv_msg_doit+0xd0/0x120  genl_rcv_msg+0x180/0x2b0  ? devlink_get_from_attrs_lock+0x170/0x170  ? devlink_nl_eswitch_get_doit+0x290/0x290  ? devlink_nl_pre_doit_port_optional+0x50/0x50  ? genl_family_rcv_msg_dumpit+0xf0/0xf0  netlink_rcv_skb+0x54/0x100  genl_rcv+0x24/0x40  netlink_unicast+0x1fc/0x2d0  netlink_sendmsg+0x1e4/0x410  __sock_sendmsg+0x38/0x60  ? sockfd_lookup_light+0x12/0x60  __sys_sendto+0x105/0x160  ? 
__sys_recvmsg+0x4e/0x90  __x64_sys_sendto+0x20/0x30  do_syscall_64+0x4c/0x100  entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f27bc91b13a Code: bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 fa 96 2c 00 45 89 c9 4c 63 d1 48 63 ff 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40239",
                                "url": "https://ubuntu.com/security/CVE-2025-40239",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: phy: micrel: always set shared->phydev for LAN8814  Currently, during the LAN8814 PTP probe shared->phydev is only set if PTP clock gets actually set, otherwise the function will return before setting it.  This is an issue as shared->phydev is unconditionally being used when IRQ is being handled, especially in lan8814_gpio_process_cap and since it was not set it will cause a NULL pointer exception and crash the kernel.  So, simply always set shared->phydev to avoid the NULL pointer exception.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40240",
                                "url": "https://ubuntu.com/security/CVE-2025-40240",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: avoid NULL dereference when chunk data buffer is missing  chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only.  chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40241",
                                "url": "https://ubuntu.com/security/CVE-2025-40241",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: fix crafted invalid cases for encoded extents  Robert recently reported two corrupted images that can cause system crashes, which are related to the new encoded extents introduced in Linux 6.15:    - The first one [1] has plen != 0 (e.g. plen == 0x2000000) but     (plen & Z_EROFS_EXTENT_PLEN_MASK) == 0. It is used to represent     special extents such as sparse extents (!EROFS_MAP_MAPPED), but     previously only plen == 0 was handled;    - The second one [2] has pa 0xffffffffffdcffed and plen 0xb4000,     then \"cur [0xfffffffffffff000] += bvec.bv_len [0x1000]\" in     \"} while ((cur += bvec.bv_len) < end);\" wraps around, causing an     out-of-bound access of pcl->compressed_bvecs[] in     z_erofs_submit_queue().  EROFS only supports 48-bit physical block     addresses (up to 1EiB for 4k blocks), so add a sanity check to     enforce this.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40242",
                                "url": "https://ubuntu.com/security/CVE-2025-40242",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gfs2: Fix unlikely race in gdlm_put_lock  In gdlm_put_lock(), there is a small window of time in which the DFL_UNMOUNT flag has been set but the lockspace hasn't been released, yet.  In that window, dlm may still call gdlm_ast() and gdlm_bast(). To prevent it from dereferencing freed glock objects, only free the glock if the lockspace has actually been released.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40243",
                                "url": "https://ubuntu.com/security/CVE-2025-40243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()  The syzbot reported issue in hfs_find_set_zero_bits():  ===================================================== BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45  hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45  hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151  hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408  hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353  __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151  block_write_begin fs/buffer.c:2262 [inline]  cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601  hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52  cont_expand_zero fs/buffer.c:2528 [inline]  cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591  hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52  hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494  hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654  notify_change+0x1993/0x1aa0 fs/attr.c:552  do_truncate+0x28f/0x310 fs/open.c:68  do_ftruncate+0x698/0x730 fs/open.c:195  do_sys_ftruncate fs/open.c:210 [inline]  __do_sys_ftruncate fs/open.c:215 [inline]  __se_sys_ftruncate fs/open.c:213 [inline]  __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213  x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Uninit was created at:  slab_post_alloc_hook mm/slub.c:4154 [inline]  slab_alloc_node mm/slub.c:4197 [inline]  __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354  kmalloc_noprof include/linux/slab.h:905 [inline]  hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175  hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337  get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681  get_tree_bdev+0x38/0x50 fs/super.c:1704  hfs_get_tree+0x35/0x40 fs/hfs/super.c:388  
vfs_get_tree+0xb0/0x5c0 fs/super.c:1804  do_new_mount+0x738/0x1610 fs/namespace.c:3902  path_mount+0x6db/0x1e90 fs/namespace.c:4226  do_mount fs/namespace.c:4239 [inline]  __do_sys_mount fs/namespace.c:4450 [inline]  __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427  __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427  x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 =====================================================  The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get():  HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);  This can trigger the reported issue because kmalloc() doesn't clear the allocated memory. If the allocated memory contains only zeros, then everything works fine. But if the allocated memory contains \"garbage\", then it can affect the bitmap operations and trigger the reported issue.  This patch simply replaces kmalloc() with kzalloc() to guarantee the correctness of bitmap operations, because a newly created allocation bitmap should have all available blocks free. Potentially, the read operation that initializes the bitmap might not fill the whole allocated memory, and \"garbage\" in the uninitialized memory would then cause volume corruption and file system driver bugs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40244",
                                "url": "https://ubuntu.com/security/CVE-2025-40244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()  The syzbot reported issue in __hfsplus_ext_cache_extent():  [   70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.195022][ T9350]  __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.195530][ T9350]  hfsplus_file_extend+0x74f/0x1cf0 [   70.195998][ T9350]  hfsplus_get_block+0xe16/0x17b0 [   70.196458][ T9350]  __block_write_begin_int+0x962/0x2ce0 [   70.196959][ T9350]  cont_write_begin+0x1000/0x1950 [   70.197416][ T9350]  hfsplus_write_begin+0x85/0x130 [   70.197873][ T9350]  generic_perform_write+0x3e8/0x1060 [   70.198374][ T9350]  __generic_file_write_iter+0x215/0x460 [   70.198892][ T9350]  generic_file_write_iter+0x109/0x5e0 [   70.199393][ T9350]  vfs_write+0xb0f/0x14e0 [   70.199771][ T9350]  ksys_write+0x23e/0x490 [   70.200149][ T9350]  __x64_sys_write+0x97/0xf0 [   70.200570][ T9350]  x64_sys_call+0x3015/0x3cf0 [   70.201065][ T9350]  do_syscall_64+0xd9/0x1d0 [   70.201506][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [   70.202054][ T9350] [   70.202279][ T9350] Uninit was created at: [   70.202693][ T9350]  __kmalloc_noprof+0x621/0xf80 [   70.203149][ T9350]  hfsplus_find_init+0x8d/0x1d0 [   70.203602][ T9350]  hfsplus_file_extend+0x6ca/0x1cf0 [   70.204087][ T9350]  hfsplus_get_block+0xe16/0x17b0 [   70.204561][ T9350]  __block_write_begin_int+0x962/0x2ce0 [   70.205074][ T9350]  cont_write_begin+0x1000/0x1950 [   70.205547][ T9350]  hfsplus_write_begin+0x85/0x130 [   70.206017][ T9350]  generic_perform_write+0x3e8/0x1060 [   70.206519][ T9350]  __generic_file_write_iter+0x215/0x460 [   70.207042][ T9350]  generic_file_write_iter+0x109/0x5e0 [   70.207552][ T9350]  vfs_write+0xb0f/0x14e0 [   70.207961][ T9350]  ksys_write+0x23e/0x490 [   70.208375][ T9350]  __x64_sys_write+0x97/0xf0 [   70.208810][ T9350]  
x64_sys_call+0x3015/0x3cf0 [   70.209255][ T9350]  do_syscall_64+0xd9/0x1d0 [   70.209680][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [   70.210230][ T9350] [   70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5 [   70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [   70.212115][ T9350] ===================================================== [   70.212734][ T9350] Disabling lock debugging due to kernel taint [   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ... [   70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G    B             6.12.0-rc5 #5 [   70.214679][ T9350] Tainted: [B]=BAD_PAGE [   70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [   70.215999][ T9350] Call Trace: [   70.216309][ T9350]  <TASK> [   70.216585][ T9350]  dump_stack_lvl+0x1fd/0x2b0 [   70.217025][ T9350]  dump_stack+0x1e/0x30 [   70.217421][ T9350]  panic+0x502/0xca0 [   70.217803][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0  [   70.218294][ Message fromT sy9350]  kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...  kernel :[   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [  70.220179][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0 set ... [   70.221254][ T9350]  ? __msan_warning+0x96/0x120 [   70.222066][ T9350]  ? __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.223023][ T9350]  ? hfsplus_file_extend+0x74f/0x1cf0 [   70.224120][ T9350]  ? hfsplus_get_block+0xe16/0x17b0 [   70.224946][ T9350]  ? __block_write_begin_int+0x962/0x2ce0 [   70.225756][ T9350]  ? cont_write_begin+0x1000/0x1950 [   70.226337][ T9350]  ? hfsplus_write_begin+0x85/0x130 [   70.226852][ T9350]  ? generic_perform_write+0x3e8/0x1060 [   70.227405][ T9350]  ? __generic_file_write_iter+0x215/0x460 [   70.227979][ T9350]  ? generic_file_write_iter+0x109/0x5e0 [   70.228540][ T9350]  ? 
vfs_write+0xb0f/0x14e0 [   70.228997][ T9350]  ? ksys_write+0x23e/0x490 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40245",
                                "url": "https://ubuntu.com/security/CVE-2025-40245",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nios2: ensure that memblock.current_limit is set when setting pfn limits  On nios2, with CONFIG_FLATMEM set, the kernel relies on memblock_get_current_limit() to determine the limits of mem_map, in particular for max_low_pfn. Unfortunately, memblock.current_limit is only default initialized to MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading to situations where max_low_pfn can erroneously exceed the value of max_pfn and, thus, the valid range of available DRAM.  This can in turn cause kernel-level paging failures, e.g.:  [   76.900000] Unable to handle kernel paging request at virtual address 20303000 [   76.900000] ea = c0080890, ra = c000462c, cause = 14 [   76.900000] Kernel panic - not syncing: Oops [   76.900000] ---[ end Kernel panic - not syncing: Oops ]---  This patch fixes this by pre-calculating memblock.current_limit based on the upper limits of the available memory ranges via adjust_lowmem_bounds, a simplified version of the equivalent implementation within the arm architecture.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40086",
                                "url": "https://ubuntu.com/security/CVE-2025-40086",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Don't allow evicting of BOs in same VM in array of VM binds  An array of VM binds can potentially evict other buffer objects (BOs) within the same VM under certain conditions, which may lead to NULL pointer dereferences later in the bind pipeline. To prevent this, clear the allow_res_evict flag in the xe_bo_validate call.  v2:  - Invert polarity of no_res_evict (Thomas)  - Add comment in code explaining issue (Thomas)  (cherry picked from commit 8b9ba8d6d95fe75fed6b0480bb03da4b321bea08)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40087",
                                "url": "https://ubuntu.com/security/CVE-2025-40087",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define a proc_layoutcommit for the FlexFiles layout type  Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40088",
                                "url": "https://ubuntu.com/security/CVE-2025-40088",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()  The hfsplus_strcasecmp() logic can trigger the issue:  [  117.317703][ T9855] ================================================================== [  117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490 [  117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855 [  117.319577][ T9855] [  117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full) [  117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [  117.319783][ T9855] Call Trace: [  117.319785][ T9855]  <TASK> [  117.319788][ T9855]  dump_stack_lvl+0x1c1/0x2a0 [  117.319795][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319803][ T9855]  ? __pfx_dump_stack_lvl+0x10/0x10 [  117.319808][ T9855]  ? rcu_is_watching+0x15/0xb0 [  117.319816][ T9855]  ? lock_release+0x4b/0x3e0 [  117.319821][ T9855]  ? __kasan_check_byte+0x12/0x40 [  117.319828][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319835][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319842][ T9855]  print_report+0x17e/0x7e0 [  117.319848][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319855][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319862][ T9855]  ? __phys_addr+0xd3/0x180 [  117.319869][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319876][ T9855]  kasan_report+0x147/0x180 [  117.319882][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319891][ T9855]  hfsplus_strcasecmp+0x1bc/0x490 [  117.319900][ T9855]  ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10 [  117.319906][ T9855]  hfs_find_rec_by_key+0xa9/0x1e0 [  117.319913][ T9855]  __hfsplus_brec_find+0x18e/0x470 [  117.319920][ T9855]  ? __pfx_hfsplus_bnode_find+0x10/0x10 [  117.319926][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319933][ T9855]  ? 
__pfx___hfsplus_brec_find+0x10/0x10 [  117.319942][ T9855]  hfsplus_brec_find+0x28f/0x510 [  117.319949][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319956][ T9855]  ? __pfx_hfsplus_brec_find+0x10/0x10 [  117.319963][ T9855]  ? __kmalloc_noprof+0x2a9/0x510 [  117.319969][ T9855]  ? hfsplus_find_init+0x8c/0x1d0 [  117.319976][ T9855]  hfsplus_brec_read+0x2b/0x120 [  117.319983][ T9855]  hfsplus_lookup+0x2aa/0x890 [  117.319990][ T9855]  ? __pfx_hfsplus_lookup+0x10/0x10 [  117.320003][ T9855]  ? d_alloc_parallel+0x2f0/0x15e0 [  117.320008][ T9855]  ? __lock_acquire+0xaec/0xd80 [  117.320013][ T9855]  ? __pfx_d_alloc_parallel+0x10/0x10 [  117.320019][ T9855]  ? __raw_spin_lock_init+0x45/0x100 [  117.320026][ T9855]  ? __init_waitqueue_head+0xa9/0x150 [  117.320034][ T9855]  __lookup_slow+0x297/0x3d0 [  117.320039][ T9855]  ? __pfx___lookup_slow+0x10/0x10 [  117.320045][ T9855]  ? down_read+0x1ad/0x2e0 [  117.320055][ T9855]  lookup_slow+0x53/0x70 [  117.320065][ T9855]  walk_component+0x2f0/0x430 [  117.320073][ T9855]  path_lookupat+0x169/0x440 [  117.320081][ T9855]  filename_lookup+0x212/0x590 [  117.320089][ T9855]  ? __pfx_filename_lookup+0x10/0x10 [  117.320098][ T9855]  ? strncpy_from_user+0x150/0x290 [  117.320105][ T9855]  ? getname_flags+0x1e5/0x540 [  117.320112][ T9855]  user_path_at+0x3a/0x60 [  117.320117][ T9855]  __x64_sys_umount+0xee/0x160 [  117.320123][ T9855]  ? __pfx___x64_sys_umount+0x10/0x10 [  117.320129][ T9855]  ? do_syscall_64+0xb7/0x3a0 [  117.320135][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320141][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320145][ T9855]  do_syscall_64+0xf3/0x3a0 [  117.320150][ T9855]  ? 
exc_page_fault+0x9f/0xf0 [  117.320154][ T9855]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320158][ T9855] RIP: 0033:0x7f7dd7908b07 [  117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08 [  117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40162",
                                "url": "https://ubuntu.com/security/CVE-2025-40162",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails  devm_kasprintf() may return NULL on memory allocation failure, but the debug message prints cpus->dai_name before checking it. Move the dev_dbg() call after the NULL check to prevent potential NULL pointer dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40085",
                                "url": "https://ubuntu.com/security/CVE-2025-40085",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card  In try_to_register_card(), the return value of usb_ifnum_to_if() is passed directly to usb_interface_claimed() without a NULL check, which will lead to a NULL pointer dereference when creating an invalid USB audio device. Fix this by adding a check to ensure the interface pointer is valid before passing it to usb_interface_claimed().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40172",
                                "url": "https://ubuntu.com/security/CVE-2025-40172",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()  Currently, if find_and_map_user_pages() takes a DMA xfer request from the user with a length field set to 0, or in a rare case, the host receives QAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size is equal to the requested transaction size, the function will return 0 before allocating an sgt or setting the fields of the dma_xfer struct. In that case, encode_addr_size_pairs() will try to access the sgt which will lead to a general protection fault.  Return an EINVAL in case the user provides a zero-sized ALP, or the device requests continuation after all of the bytes have been transferred.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40177",
                                "url": "https://ubuntu.com/security/CVE-2025-40177",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/qaic: Fix bootlog initialization ordering  As soon as we queue MHI buffers to receive the bootlog from the device, we could be receiving data. Therefore all the resources needed to process that data need to be setup prior to queuing the buffers.  We currently initialize some of the resources after queuing the buffers which creates a race between the probe() and any data that comes back from the device. If the uninitialized resources are accessed, we could see page faults.  Fix the init ordering to close the race.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40163",
                                "url": "https://ubuntu.com/security/CVE-2025-40163",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched/deadline: Stop dl_server before CPU goes offline  IBM CI tool reported kernel warning[1] when running a CPU removal operation through drmgr[2]. i.e \"drmgr -c cpu -r -q 1\"  WARNING: CPU: 0 PID: 0 at kernel/sched/cpudeadline.c:219 cpudl_set+0x58/0x170 NIP [c0000000002b6ed8] cpudl_set+0x58/0x170 LR [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 Call Trace: [c000000002c2f8c0] init_stack+0x78c0/0x8000 (unreliable) [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 [c00000000034df84] __hrtimer_run_queues+0x1a4/0x390 [c00000000034f624] hrtimer_interrupt+0x124/0x300 [c00000000002a230] timer_interrupt+0x140/0x320  Git bisects to: commit 4ae8d9aa9f9d (\"sched/deadline: Fix dl_server getting stuck\")  This happens since: - dl_server hrtimer gets enqueued close to cpu offline, when   kthread_park enqueues a fair task. - CPU goes offline and drmgr removes it from cpu_present_mask. - hrtimer fires and warning is hit.  Fix it by stopping the dl_server before CPU is marked dead.  [1]: https://lore.kernel.org/all/8218e149-7718-4432-9312-f97297c352b9@linux.ibm.com/ [2]: https://github.com/ibm-power-utilities/powerpc-utils/tree/next/src/drmgr  [sshegde: wrote the changelog and tested it]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40174",
                                "url": "https://ubuntu.com/security/CVE-2025-40174",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/mm: Fix SMP ordering in switch_mm_irqs_off()  Stephen noted that it is possible to not have an smp_mb() between the loaded_mm store and the tlb_gen load in switch_mm(), meaning the ordering against flush_tlb_mm_range() goes out the window, and it becomes possible for switch_mm() to not observe a recent tlb_gen update and fail to flush the TLBs.  [ dhansen: merge conflict fixed by Ingo ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40089",
                                "url": "https://ubuntu.com/security/CVE-2025-40089",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cxl/features: Add check for no entries in cxl_feature_info  cxl EDAC calls cxl_feature_info() to get the feature information and if the hardware has no Features support, cxlfs may be passed in as NULL.  [   51.957498] BUG: kernel NULL pointer dereference, address: 0000000000000008 [   51.965571] #PF: supervisor read access in kernel mode [   51.971559] #PF: error_code(0x0000) - not-present page [   51.977542] PGD 17e4f6067 P4D 0 [   51.981384] Oops: Oops: 0000 [#1] SMP NOPTI [   51.986300] CPU: 49 UID: 0 PID: 3782 Comm: systemd-udevd Not tainted 6.17.0dj test+ #64 PREEMPT(voluntary) [   51.997355] Hardware name: <removed> [   52.009790] RIP: 0010:cxl_feature_info+0xa/0x80 [cxl_core]  Add a check for cxlfs before dereferencing it and return -EOPNOTSUPP if there is no cxlfs created due to no hardware support.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40176",
                                "url": "https://ubuntu.com/security/CVE-2025-40176",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tls: wait for pending async decryptions if tls_strp_msg_hold fails  Async decryption calls tls_strp_msg_hold to create a clone of the input skb to hold references to the memory it uses. If we fail to allocate that clone, proceeding with async decryption can lead to various issues (UAF on the skb, writing into userspace memory after the recv() call has returned).  In this case, wait for all pending decryption requests.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40164",
                                "url": "https://ubuntu.com/security/CVE-2025-40164",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: Fix using smp_processor_id() in preemptible code warnings  Syzbot reported the following warning:  BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879 caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary) Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120  check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49  usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331  usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708  usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417  __dev_set_mtu net/core/dev.c:9443 [inline]  netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496  netif_set_mtu+0xb0/0x160 net/core/dev.c:9520  dev_set_mtu+0xae/0x170 net/core/dev_api.c:247  dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572  dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821  sock_do_ioctl+0x19d/0x280 net/socket.c:1204  sock_ioctl+0x42f/0x6a0 net/socket.c:1311  vfs_ioctl fs/ioctl.c:51 [inline]  __do_sys_ioctl fs/ioctl.c:906 [inline]  __se_sys_ioctl fs/ioctl.c:892 [inline]  __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  For historical and portability reasons, netif_rx() is usually run in softirq or interrupt context; this commit therefore adds local_bh_disable/enable() protection in usbnet_resume_rx().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40091",
                                "url": "https://ubuntu.com/security/CVE-2025-40091",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ixgbe: fix too early devlink_free() in ixgbe_remove()  Since ixgbe_adapter is embedded in devlink, calling devlink_free() prematurely in the ixgbe_remove() path can lead to UAF. Move devlink_free() to the end.  KASAN report:   BUG: KASAN: use-after-free in ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]  Read of size 8 at addr ffff0000adf813e0 by task bash/2095  CPU: 1 UID: 0 PID: 2095 Comm: bash Tainted: G S 6.17.0-rc2-tnguy.net-queue+ #1 PREEMPT(full)  [...]  Call trace:   show_stack+0x30/0x90 (C)   dump_stack_lvl+0x9c/0xd0   print_address_description.constprop.0+0x90/0x310   print_report+0x104/0x1f0   kasan_report+0x88/0x180   __asan_report_load8_noabort+0x20/0x30   ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]   ixgbe_clear_interrupt_scheme+0xf8/0x130 [ixgbe]   ixgbe_remove+0x2d0/0x8c0 [ixgbe]   pci_device_remove+0xa0/0x220   device_remove+0xb8/0x170   device_release_driver_internal+0x318/0x490   device_driver_detach+0x40/0x68   unbind_store+0xec/0x118   drv_attr_store+0x64/0xb8   sysfs_kf_write+0xcc/0x138   kernfs_fop_write_iter+0x294/0x440   new_sync_write+0x1fc/0x588   vfs_write+0x480/0x6a0   ksys_write+0xf0/0x1e0   __arm64_sys_write+0x70/0xc0   invoke_syscall.constprop.0+0xcc/0x280   el0_svc_common.constprop.0+0xa8/0x248   do_el0_svc+0x44/0x68   el0_svc+0x54/0x160   el0t_64_sync_handler+0xa0/0xe8   el0t_64_sync+0x1b0/0x1b8",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40175",
                                "url": "https://ubuntu.com/security/CVE-2025-40175",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  idpf: cleanup remaining SKBs in PTP flows  When the driver requests Tx timestamp value, one of the first steps is to clone SKB using skb_get. It increases the reference counter for that SKB to prevent unexpected freeing by another component. However, there may be a case where the index is requested, SKB is assigned and never consumed by PTP flows - for example due to reset during running PTP apps.  Add a check in release timestamping function to verify if the SKB assigned to Tx timestamp latch was freed, and release remaining SKBs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40173",
                                "url": "https://ubuntu.com/security/CVE-2025-40173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ip6_tunnel: Prevent perpetual tunnel growth  Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd (\"net: ip_tunnel: prevent perpetual headroom growth\"), ipv6 tunnel yet increases the headroom without any ceiling.  Reflect ipv4 tunnel headroom adjustment limit on ipv6 version.  Credits to Francesco Ruggeri, who was originally debugging this issue and wrote local Arista-specific patch and a reproducer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40092",
                                "url": "https://ubuntu.com/security/CVE-2025-40092",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ncm: Refactor bind path to use __free()  After a bind/unbind cycle, the ncm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  ncm_bind+0x39c/0x3dc  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40093",
                                "url": "https://ubuntu.com/security/CVE-2025-40093",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ecm: Refactor bind path to use __free()  After a bind/unbind cycle, the ecm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40094",
                                "url": "https://ubuntu.com/security/CVE-2025-40094",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_acm: Refactor bind path to use __free()  After a bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  gs_free_req+0x30/0x44  acm_bind+0x1b8/0x1f4  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40095",
                                "url": "https://ubuntu.com/security/CVE-2025-40095",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_rndis: Refactor bind path to use __free()  After a bind/unbind cycle, the rndis->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40165",
                                "url": "https://ubuntu.com/security/CVE-2025-40165",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: nxp: imx8-isi: m2m: Fix streaming cleanup on release  If streamon/streamoff calls are imbalanced, such as when exiting an application with Ctrl+C when streaming, the m2m usage_count will never reach zero and the ISI channel won't be freed. Besides from that, if the input line width is more than 2K, it will trigger a WARN_ON():  [ 59.222120] ------------[ cut here ]------------ [ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654 [ 59.238569] Modules linked in: ap1302 [ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT [ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT) [ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120 [ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120 [ 59.275047] sp : ffff8000848c3b40 [ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00 [ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001 [ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780 [ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000 [ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c [ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 [ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30 [ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420 [ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000 [ 59.349590] Call trace: [ 59.352025]  mxc_isi_channel_chain+0xa4/0x120 (P) [ 59.356722]  mxc_isi_m2m_streamon+0x160/0x20c [ 
59.361072]  v4l_streamon+0x24/0x30 [ 59.364556]  __video_do_ioctl+0x40c/0x4a0 [ 59.368560]  video_usercopy+0x2bc/0x690 [ 59.372382]  video_ioctl2+0x18/0x24 [ 59.375857]  v4l2_ioctl+0x40/0x60 [ 59.379168]  __arm64_sys_ioctl+0xac/0x104 [ 59.383172]  invoke_syscall+0x48/0x104 [ 59.386916]  el0_svc_common.constprop.0+0xc0/0xe0 [ 59.391613]  do_el0_svc+0x1c/0x28 [ 59.394915]  el0_svc+0x34/0xf4 [ 59.397966]  el0t_64_sync_handler+0xa0/0xe4 [ 59.402143]  el0t_64_sync+0x198/0x19c [ 59.405801] ---[ end trace 0000000000000000 ]---  Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the v4l2_m2m_ioctl_streamon() and v4l2_m2m_ioctl_streamoff() helpers.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40096",
                                "url": "https://ubuntu.com/security/CVE-2025-40096",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies  When adding dependencies with drm_sched_job_add_dependency(), that function consumes the fence reference both on success and failure, so in the latter case the dma_fence_put() on the error path (xarray failed to expand) is a double free.  Interestingly this bug appears to have been present ever since commit ebd5f74255b9 (\"drm/sched: Add dependency tracking\"), since the code back then looked like this:  drm_sched_job_add_implicit_dependencies(): ...        for (i = 0; i < fence_count; i++) {                ret = drm_sched_job_add_dependency(job, fences[i]);                if (ret)                        break;        }         for (; i < fence_count; i++)                dma_fence_put(fences[i]);  Which means for the failing 'i' the dma_fence_put was already a double free. Possibly there were no users at that time, or the test cases were insufficient to hit it.  The bug was then only noticed and fixed after commit 9c2ba265352a (\"drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2\") landed, with its fixup of commit 4eaf02d6076c (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies\").  At that point it was a slightly different flavour of a double free, which commit 963d0b356935 (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder\") noticed and attempted to fix.  But it only moved the double free from happening inside the drm_sched_job_add_dependency(), when releasing the reference not yet obtained, to the caller, when releasing the reference already released by the former in the failure case.  As such it is not easy to identify the right target for the fixes tag so lets keep it simple and just continue the chain.  
While fixing we also improve the comment and explain the reason for taking the reference and not dropping it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40097",
                                "url": "https://ubuntu.com/security/CVE-2025-40097",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda: Fix missing pointer check in hda_component_manager_init function  The __component_match_add function may assign the 'matchptr' pointer the value ERR_PTR(-ENOMEM), which will subsequently be dereferenced.  The call stack leading to the error looks like this:  hda_component_manager_init |-> component_match_add     |-> component_match_add_release         |-> __component_match_add ( ... ,**matchptr, ... )             |-> *matchptr = ERR_PTR(-ENOMEM);       // assign |-> component_master_add_with_match( ...  match)     |-> component_match_realloc(match, match->num); // dereference  Add IS_ERR() check to prevent the crash.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40098",
                                "url": "https://ubuntu.com/security/CVE-2025-40098",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state()  Return value of a function acpi_evaluate_dsm() is dereferenced  without checking for NULL, but it is usually checked for this function.  acpi_evaluate_dsm() may return NULL, when acpi_evaluate_object() returns acpi_status other than ACPI_SUCCESS, so add a check to prevent the crash.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40099",
                                "url": "https://ubuntu.com/security/CVE-2025-40099",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cifs: parse_dfs_referrals: prevent oob on malformed input  Malicious SMB server can send invalid reply to FSCTL_DFS_GET_REFERRALS  - reply smaller than sizeof(struct get_dfs_referral_rsp) - reply with number of referrals smaller than NumberOfReferrals in the header  Processing of such replies will cause oob.  Return -EINVAL error on such replies to prevent oob-s.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40100",
                                "url": "https://ubuntu.com/security/CVE-2025-40100",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: do not assert we found block group item when creating free space tree  Currently, when building a free space tree at populate_free_space_tree(), if we are not using the block group tree feature, we always expect to find block group items (either extent items or a block group item with key type BTRFS_BLOCK_GROUP_ITEM_KEY) when we search the extent tree with btrfs_search_slot_for_read(), so we assert that we found an item. However this expectation is wrong since we can have a new block group created in the current transaction which is still empty and for which we still have not added the block group's item to the extent tree, in which case we do not have any items in the extent tree associated to the block group.  The insertion of a new block group's block group item in the extent tree happens at btrfs_create_pending_block_groups() when it calls the helper insert_block_group_item(). This typically is done when a transaction handle is released, committed or when running delayed refs (either as part of a transaction commit or when serving tickets for space reservation if we are low on free space).  So remove the assertion at populate_free_space_tree() even when the block group tree feature is not enabled and update the comment to mention this case.  Syzbot reported this with the following stack trace:    BTRFS info (device loop3 state M): rebuilding free space tree   assertion failed: ret == 0 :: 0, in fs/btrfs/free-space-tree.c:1115   ------------[ cut here ]------------   kernel BUG at fs/btrfs/free-space-tree.c:1115!   Oops: invalid opcode: 0000 [#1] SMP KASAN PTI   CPU: 1 UID: 0 PID: 6352 Comm: syz.3.25 Not tainted syzkaller #0 PREEMPT(full)   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025   RIP: 0010:populate_free_space_tree+0x700/0x710 fs/btrfs/free-space-tree.c:1115   Code: ff ff e8 d3 (...)   
RSP: 0018:ffffc9000430f780 EFLAGS: 00010246   RAX: 0000000000000043 RBX: ffff88805b709630 RCX: fea61d0e2e79d000   RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000   RBP: ffffc9000430f8b0 R08: ffffc9000430f4a7 R09: 1ffff92000861e94   R10: dffffc0000000000 R11: fffff52000861e95 R12: 0000000000000001   R13: 1ffff92000861f00 R14: dffffc0000000000 R15: 0000000000000000   FS:  00007f424d9fe6c0(0000) GS:ffff888125afc000(0000) knlGS:0000000000000000   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   CR2: 00007fd78ad212c0 CR3: 0000000076d68000 CR4: 00000000003526f0   Call Trace:    <TASK>    btrfs_rebuild_free_space_tree+0x1ba/0x6d0 fs/btrfs/free-space-tree.c:1364    btrfs_start_pre_rw_mount+0x128f/0x1bf0 fs/btrfs/disk-io.c:3062    btrfs_remount_rw fs/btrfs/super.c:1334 [inline]    btrfs_reconfigure+0xaed/0x2160 fs/btrfs/super.c:1559    reconfigure_super+0x227/0x890 fs/super.c:1076    do_remount fs/namespace.c:3279 [inline]    path_mount+0xd1a/0xfe0 fs/namespace.c:4027    do_mount fs/namespace.c:4048 [inline]    __do_sys_mount fs/namespace.c:4236 [inline]    __se_sys_mount+0x313/0x410 fs/namespace.c:4213    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    RIP: 0033:0x7f424e39066a   Code: d8 64 89 02 (...)   RSP: 002b:00007f424d9fde68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5   RAX: ffffffffffffffda RBX: 00007f424d9fdef0 RCX: 00007f424e39066a   RDX: 0000200000000180 RSI: 0000200000000380 RDI: 0000000000000000   RBP: 0000200000000180 R08: 00007f424d9fdef0 R09: 0000000000000020   R10: 0000000000000020 R11: 0000000000000246 R12: 0000200000000380   R13: 00007f424d9fdeb0 R14: 0000000000000000 R15: 00002000000002c0    </TASK>   Modules linked in:   ---[ end trace 0000000000000000 ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40101",
                                "url": "https://ubuntu.com/security/CVE-2025-40101",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST  At the end of btrfs_load_block_group_zone_info() the first thing we do is to ensure that if the mapping type is not a SINGLE one and there is no RAID stripe tree, then we return early with an error.  Doing that, though, prevents the code from running the last calls from this function which are about freeing memory allocated during its run. Hence, in this case, instead of returning early, we set the ret value and fall through the rest of the cleanup code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40167",
                                "url": "https://ubuntu.com/security/CVE-2025-40167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: detect invalid INLINE_DATA + EXTENTS flag combination  syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal.  The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set:      EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:     comm syz.0.17: corrupted extent tree: lblk 0 < prev 66  Investigation revealed that the inode has both flags set:     DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1  This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks  Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes.  Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40102",
                                "url": "https://ubuntu.com/security/CVE-2025-40102",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Prevent access to vCPU events before init  Another day, another syzkaller bug. KVM erroneously allows userspace to pend vCPU events for a vCPU that hasn't been initialized yet, leading to KVM interpreting a bunch of uninitialized garbage for routing / injecting the exception.  In one case the injection code and the hyp disagree on whether the vCPU has a 32bit EL1 and put the vCPU into an illegal mode for AArch64, tripping the BUG() in exception_target_el() during the next injection:    kernel BUG at arch/arm64/kvm/inject_fault.c:40!   Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP   CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT   Hardware name: linux,dummy-virt (DT)   pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)   pc : exception_target_el+0x88/0x8c   lr : pend_serror_exception+0x18/0x13c   sp : ffff800082f03a10   x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000   x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000   x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004   x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000   x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0   x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000   x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000   x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000   x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000   x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20   Call trace:    exception_target_el+0x88/0x8c (P)    kvm_inject_serror_esr+0x40/0x3b4    __kvm_arm_vcpu_set_events+0xf0/0x100    kvm_arch_vcpu_ioctl+0x180/0x9d4    kvm_vcpu_ioctl+0x60c/0x9f4    __arm64_sys_ioctl+0xac/0x104    invoke_syscall+0x48/0x110    el0_svc_common.constprop.0+0x40/0xe0  
  do_el0_svc+0x1c/0x28    el0_svc+0x34/0xf0    el0t_64_sync_handler+0xa0/0xe4    el0t_64_sync+0x198/0x19c   Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000)  Reject the ioctls outright as no sane VMM would call these before KVM_ARM_VCPU_INIT anyway. Even if it did the exception would've been thrown away by the eventual reset of the vCPU's state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40103",
                                "url": "https://ubuntu.com/security/CVE-2025-40103",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: Fix refcount leak for cifs_sb_tlink  Fix three refcount inconsistency issues related to `cifs_sb_tlink`.  Comments for `cifs_sb_tlink` state that `cifs_put_tlink()` needs to be called after successful calls to `cifs_sb_tlink()`. Three calls fail to update refcount accordingly, leading to possible resource leaks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40104",
                                "url": "https://ubuntu.com/security/CVE-2025-40104",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ixgbevf: fix mailbox API compatibility by negotiating supported features  There was backward compatibility in the terms of mailbox API. Various drivers from various OSes supporting 10G adapters from Intel portfolio could easily negotiate mailbox API.  This convention has been broken since introducing API 1.4. Commit 0062e7cc955e (\"ixgbevf: add VF IPsec offload code\") added support for IPSec which is specific only for the kernel ixgbe driver. None of the rest of the Intel 10G PF/VF drivers supports it. And actually lack of support was not included in the IPSec implementation - there were no such code paths. No possibility to negotiate support for the feature was introduced along with introduction of the feature itself.  Commit 339f28964147 (\"ixgbevf: Add support for new mailbox communication between PF and VF\") increasing API version to 1.5 did the same - it introduced code supported specifically by the PF ESX driver. It altered API version for the VF driver in the same time not touching the version defined for the PF ixgbe driver. It led to additional discrepancies, as the code provided within API 1.6 cannot be supported for Linux ixgbe driver as it causes crashes.  The issue was noticed some time ago and mitigated by Jake within the commit d0725312adf5 (\"ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5\"). As a result we have regression for IPsec support and after increasing API to version 1.6 ixgbevf driver stopped to support ESX MBX.  To fix this mess add new mailbox op asking PF driver about supported features. Basing on a response determine whether to set support for IPSec and ESX-specific enhanced mailbox.  New mailbox op, for compatibility purposes, must be added within new API revision, as API version of OOT PF & VF drivers is already increased to 1.6 and doesn't incorporate features negotiate op.  
Features negotiation mechanism gives possibility to be extended with new features when needed in the future.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40166",
                                "url": "https://ubuntu.com/security/CVE-2025-40166",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Check GuC running state before deregistering exec queue  In normal operation, a registered exec queue is disabled and deregistered through the GuC, and freed only after the GuC confirms completion. However, if the driver is forced to unbind while the exec queue is still running, the user may call exec_destroy() after the GuC has already been stopped and CT communication disabled.  In this case, the driver cannot receive a response from the GuC, preventing proper cleanup of exec queue resources. Fix this by directly releasing the resources when GuC is not running.  Here is the failure dmesg log: \" [  468.089581] ---[ end trace 0000000000000000 ]--- [  468.089608] pci 0000:03:00.0: [drm] *ERROR* GT0: GUC ID manager unclean (1/65535) [  468.090558] pci 0000:03:00.0: [drm] GT0:     total 65535 [  468.090562] pci 0000:03:00.0: [drm] GT0:     used 1 [  468.090564] pci 0000:03:00.0: [drm] GT0:     range 1..1 (1) [  468.092716] ------------[ cut here ]------------ [  468.092719] WARNING: CPU: 14 PID: 4775 at drivers/gpu/drm/xe/xe_ttm_vram_mgr.c:298 ttm_vram_mgr_fini+0xf8/0x130 [xe] \"  v2: use xe_uc_fw_is_running() instead of xe_guc_ct_enabled().     As CT may go down and come back during VF migration.  (cherry picked from commit 9b42321a02c50a12b2beb6ae9469606257fbecea)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40105",
                                "url": "https://ubuntu.com/security/CVE-2025-40105",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vfs: Don't leak disconnected dentries on umount  When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb (\"VFS: don't keep disconnected dentries on d_anon\") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitly relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are \"leaked\". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous \"Busy inodes after unmount\" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40019",
                                "url": "https://ubuntu.com/security/CVE-2025-40019",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: essiv - Check ssize for decryption and in-place encryption  Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-24 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40214",
                                "url": "https://ubuntu.com/security/CVE-2025-40214",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  af_unix: Initialise scc_index in unix_add_edge().  Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro.  The repro consists of three stages.    1)     1-a. Create a single cyclic reference with many sockets     1-b. close() all sockets     1-c. Trigger GC    2)     2-a. Pass sk-A to an embryo sk-B     2-b. Pass sk-X to sk-X     2-c. Trigger GC    3)     3-a. accept() the embryo sk-B     3-b. Pass sk-B to sk-C     3-c. close() the in-flight sk-A     3-d. Trigger GC  As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs:    unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START)   unix_sk(sk-X)->vertex->scc_index = 3  Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC.  At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices.  unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight.  3-c decrements sk-A's file refcnt to 1.  Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X:    sk-A -> sk-B (-> sk-C)   sk-X -> sk-X  This is totally fine.  All of them are not yet close()d and should be grouped into different SCCs.  However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead.    unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong!   &&   sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree                                        ^-- 1 in-flight count for sk-B   -> sk-A is dead !?  
The problem is that unix_add_edge() does not initialise scc_index.  Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c.  Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index.  This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.",
                                "cve_priority": "high",
                                "cve_public_date": "2025-12-04 13:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * questing/linux-riscv: 6.17.0-14.14.1 -proposed tracker (LP: #2137845)",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian.riscv/dkms-versions -- update from kernel-versions",
                            "      (main/2026.01.12)",
                            "",
                            "  [ Ubuntu: 6.17.0-14.14 ]",
                            "",
                            "  * questing/linux: 6.17.0-14.14 -proposed tracker (LP: #2137849)",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian.master/dkms-versions -- update from kernel-versions",
                            "      (main/2026.01.12)",
                            "  * ubuntu_kselftests:_net/net:gre_gso.sh failing (LP: #2136820)",
                            "    - SAUCE increase socat timeout in gre_gso.sh",
                            "  * ubuntu_blktrace_smoke_test fails on questing with rust coreutils",
                            "    (LP: #2137698)",
                            "    - SAUCE: Revert \"ext4: fail unaligned direct IO write with EINVAL\"",
                            "  * bareudp.sh in ubuntu_kselftests_net fails because of dash default shell",
                            "    (LP: #2129812)",
                            "    - selftests: net: use BASH for bareudp testing",
                            "  * CVE-2025-40256",
                            "    - xfrm: also call xfrm_state_delete_tunnel at destroy time for states that",
                            "      were never added",
                            "  * Enable PMF on AMD HPT/STX/KRK (LP: #2125022)",
                            "    - platform/x86/amd/pmf: Add support for adjusting PMF PPT and PPT APU",
                            "      thresholds",
                            "    - platform/x86/amd/pmf: Extend custom BIOS inputs for more policies",
                            "    - platform/x86/amd/pmf: Update ta_pmf_action structure member",
                            "    - platform/x86/amd/pmf: Add helper to verify BIOS input notifications are",
                            "      enable/disable",
                            "    - platform/x86/amd/pmf: Add custom BIOS input support for AMD_CPU_ID_PS",
                            "    - platform/x86/amd/pmf: Preserve custom BIOS inputs for evaluating the",
                            "      policies",
                            "    - platform/x86/amd/pmf: Call enact function sooner to process early",
                            "      pending requests",
                            "    - platform/x86/amd/pmf: Add debug logs for pending requests and custom",
                            "      BIOS inputs",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850)",
                            "    - iommufd/selftest: Fix ioctl return value in _test_cmd_trigger_vevents()",
                            "    - drm/mediatek: Add pm_runtime support for GCE power control",
                            "    - drm/i915: Fix conversion between clock ticks and nanoseconds",
                            "    - drm/amdgpu: set default gfx reset masks for gfx6-8",
                            "    - drm/amd/display: Don't stretch non-native images by default in eDP",
                            "    - smb: client: fix refcount leak in smb2_set_path_attr",
                            "    - iommufd: Make vfio_compat's unmap succeed if the range is already empty",
                            "    - futex: Optimize per-cpu reference counting",
                            "    - drm/amd: Fix suspend failure with secure display TA",
                            "    - drm/xe: Move declarations under conditional branch",
                            "    - drm/xe: Do clean shutdown also when using flr",
                            "    - drm/amd/display: Add pixel_clock to amd_pp_display_configuration",
                            "    - drm/amd/pm: Use pm_display_cfg in legacy DPM (v2)",
                            "    - drm/amd/display: Disable fastboot on DCE 6 too",
                            "    - drm/amd/pm: Disable MCLK switching on SI at high pixel clocks",
                            "    - drm/amd: Disable ASPM on SI",
                            "    - arm64: kprobes: check the return value of set_memory_rox()",
                            "    - compiler_types: Move unused static inline functions warning to W=2",
                            "    - riscv: Build loader.bin exclusively for Canaan K210",
                            "    - RISC-V: clear hot-unplugged cores from all task mm_cpumasks to avoid",
                            "      rfence errors",
                            "    - riscv: acpi: avoid errors caused by probing DT devices when ACPI is used",
                            "    - fs: return EOPNOTSUPP from file_setattr/file_getattr syscalls",
                            "    - ASoC: nau8821: Avoid unnecessary blocking in IRQ handler",
                            "    - NFS4: Fix state renewals missing after boot",
                            "    - drm/amdkfd: fix suspend/resume all calls in mes based eviction path",
                            "    - NFS4: Apply delay_retrans to async operations",
                            "    - HID: intel-thc-hid: intel-quickspi: Add ARL PCI Device Id's",
                            "    - HID: quirks: avoid Cooler Master MM712 dongle wakeup bug",
                            "    - ixgbe: handle IXGBE_VF_GET_PF_LINK_STATE mailbox operation",
                            "    - HID: nintendo: Wait longer for initial probe",
                            "    - NFS: check if suid/sgid was cleared after a write as needed",
                            "    - HID: quirks: Add ALWAYS_POLL quirk for VRS R295 steering wheel",
                            "    - io_uring: fix unexpected placement on same size resizing",
                            "    - HID: logitech-hidpp: Add HIDPP_QUIRK_RESET_HI_RES_SCROLL",
                            "    - ASoC: max98090/91: fixed max98091 ALSA widget powering up/down",
                            "    - ALSA: hda/realtek: Fix mute led for HP Omen 17-cb0xxx",
                            "    - ixgbe: handle IXGBE_VF_FEATURES_NEGOTIATE mbox cmd",
                            "    - wifi: ath11k: zero init info->status in wmi_process_mgmt_tx_comp()",
                            "    - selftests: net: local_termination: Wait for interfaces to come up",
                            "    - net: fec: correct rx_bytes statistic for the case SHIFT16 is set",
                            "    - net: phy: micrel: Introduce lanphy_modify_page_reg",
                            "    - net: phy: micrel: Replace hardcoded pages with defines",
                            "    - net: phy: micrel: lan8814 fix reset of the QSGMII interface",
                            "    - rust: Add -fno-isolate-erroneous-paths-dereference to",
                            "      bindgen_skip_c_flags",
                            "    - NFSD: Skip close replay processing if XDR encoding fails",
                            "    - Bluetooth: 6lowpan: fix BDADDR_LE vs ADDR_LE_DEV address type confusion",
                            "    - Bluetooth: 6lowpan: Don't hold spin lock over sleeping functions",
                            "    - Bluetooth: hci_conn: Fix not cleaning up PA_LINK connections",
                            "    - net: dsa: tag_brcm: do not mark link local traffic as offloaded",
                            "    - net/smc: fix mismatch between CLC header and proposal",
                            "    - net/handshake: Fix memory leak in tls_handshake_accept()",
                            "    - net: ethernet: ti: am65-cpsw-qos: fix IET verify/response timeout",
                            "    - net: ethernet: ti: am65-cpsw-qos: fix IET verify retry mechanism",
                            "    - net: mdio: fix resource leak in mdiobus_register_device()",
                            "    - wifi: mac80211: skip rate verification for not captured PSDUs",
                            "    - Bluetooth: hci_event: Fix not handling PA Sync Lost event",
                            "    - net/mlx5e: Fix missing error assignment in mlx5e_xfrm_add_state()",
                            "    - net/mlx5e: Fix maxrate wraparound in threshold between units",
                            "    - net/mlx5e: Fix wraparound in rate limiting for values above 255 Gbps",
                            "    - net/mlx5e: Fix potentially misleading debug message",
                            "    - net/mlx5: Fix typo of MLX5_EQ_DOORBEL_OFFSET",
                            "    - net/mlx5: Store the global doorbell in mlx5_priv",
                            "    - net/mlx5e: Prepare for using different CQ doorbells",
                            "    - net_sched: limit try_bulk_dequeue_skb() batches",
                            "    - wifi: iwlwifi: mvm: fix beacon template/fixed rate",
                            "    - wifi: iwlwifi: mld: always take beacon ies in link grading",
                            "    - virtio-net: fix incorrect flags recording in big mode",
                            "    - hsr: Fix supervision frame sending on HSRv0",
                            "    - hsr: Follow standard for HSRv0 supervision frames",
                            "    - ACPI: CPPC: Detect preferred core availability on online CPUs",
                            "    - ACPI: CPPC: Check _CPC validity for only the online CPUs",
                            "    - ACPI: CPPC: Perform fast check switch only for online CPUs",
                            "    - ACPI: CPPC: Limit perf ctrs in PCC check only to online CPUs",
                            "    - cpufreq: intel_pstate: Check IDA only before MSR_IA32_PERF_CTL writes",
                            "    - Bluetooth: L2CAP: export l2cap_chan_hold for modules",
                            "    - io_uring/rsrc: don't use blk_rq_nr_phys_segments() as number of bvecs",
                            "    - acpi,srat: Fix incorrect device handle check for Generic Initiator",
                            "    - regulator: fixed: fix GPIO descriptor leak on register failure",
                            "    - ASoC: cs4271: Fix regulator leak on probe failure",
                            "    - ASoC: codecs: va-macro: fix resource leak in probe error path",
                            "    - drm/vmwgfx: Restore Guest-Backed only cursor plane support",
                            "    - ASoC: tas2781: fix getting the wrong device number",
                            "    - pnfs: Fix TLS logic in _nfs4_pnfs_v3_ds_connect()",
                            "    - pnfs: Fix TLS logic in _nfs4_pnfs_v4_ds_connect()",
                            "    - pnfs: Set transport security policy to RPC_XPRTSEC_NONE unless using TLS",
                            "    - simplify nfs_atomic_open_v23()",
                            "    - NFSv2/v3: Fix error handling in nfs_atomic_open_v23()",
                            "    - NFS: sysfs: fix leak when nfs_client kobject add fails",
                            "    - NFSv4: Fix an incorrect parameter when calling nfs4_call_sync()",
                            "    - drm/amd/amdgpu: Ensure isp_kernel_buffer_alloc() creates a new BO",
                            "    - acpi/hmat: Fix lockdep warning for hmem_register_resource()",
                            "    - ASoC: rsnd: fix OF node reference leak in rsnd_ssiu_probe()",
                            "    - drm/client: fix MODULE_PARM_DESC string for \"active\"",
                            "    - irqchip/riscv-intc: Add missing free() callback in riscv_intc_domain_ops",
                            "    - lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN",
                            "    - hostfs: Fix only passing host root in boot stage with new mount",
                            "    - afs: Fix dynamic lookup to fail on cell lookup failure",
                            "    - mtd: onenand: Pass correct pointer to IRQ handler",
                            "    - virtio-fs: fix incorrect check for fsvq->kobj",
                            "    - fs/namespace: correctly handle errors returned by grab_requested_mnt_ns",
                            "    - perf header: Write bpf_prog (infos|btfs)_cnt to data file",
                            "    - perf build: Don't fail fast path feature detection when binutils-devel",
                            "      is not available",
                            "    - perf lock: Fix segfault due to missing kernel map",
                            "    - perf test shell lock_contention: Extra debug diagnostics",
                            "    - perf test: Fix lock contention test",
                            "    - arm64: dts: rockchip: Set correct pinctrl for I2S1 8ch TX on odroid-m1",
                            "    - arm64: dts: rockchip: Fix PCIe power enable pin for BigTreeTech CB2 and",
                            "      Pi2",
                            "    - arm64: dts: rockchip: Make RK3588 GPU OPP table naming less generic",
                            "    - ARM: dts: imx6ull-engicam-microgea-rmm: fix report-rate-hz value",
                            "    - ARM: dts: imx51-zii-rdu1: Fix audmux node names",
                            "    - arm64: dts: imx8-ss-img: Avoid gpio0_mipi_csi GPIOs being deferred",
                            "    - arm64: dts: imx8mp-kontron: Fix USB OTG role switching",
                            "    - HID: hid-ntrig: Prevent memory leak in ntrig_report_version()",
                            "    - ARM: dts: BCM53573: Fix address of Luxul XAP-1440's Ethernet PHY",
                            "    - arm64: dts: rockchip: Fix USB power enable pin for BTT CB2 and Pi2",
                            "    - arm64: dts: rockchip: drop reset from rk3576 i2c9 node",
                            "    - pwm: adp5585: Correct mismatched pwm chip info",
                            "    - HID: playstation: Fix memory leak in dualshock4_get_calibration_data()",
                            "    - HID: uclogic: Fix potential memory leak in error path",
                            "    - LoongArch: KVM: Restore guest PMU if it is enabled",
                            "    - LoongArch: KVM: Add delay until timer interrupt injected",
                            "    - LoongArch: KVM: Fix max supported vCPUs set with EIOINTC",
                            "    - KVM: arm64: Make all 32bit ID registers fully writable",
                            "    - KVM: SVM: Mark VMCB_LBR dirty when MSR_IA32_DEBUGCTLMSR is updated",
                            "    - KVM: nSVM: Always recalculate LBR MSR intercepts in svm_update_lbrv()",
                            "    - KVM: nSVM: Fix and simplify LBR virtualization handling with nested",
                            "    - KVM: VMX: Fix check for valid GVA on an EPT violation",
                            "    - nfsd: add missing FATTR4_WORD2_CLONE_BLKSIZE from supported attributes",
                            "    - gcov: add support for GCC 15",
                            "    - kho: warn and exit when unpreserved page wasn't preserved",
                            "    - strparser: Fix signed/unsigned mismatch bug",
                            "    - dma-mapping: benchmark: Restore padding to ensure uABI remained",
                            "      consistent",
                            "    - maple_tree: fix tracepoint string pointers",
                            "    - LoongArch: Consolidate early_ioremap()/ioremap_prot()",
                            "    - LoongArch: Use correct accessor to read FWPC/MWPC",
                            "    - LoongArch: Let {pte,pmd}_modify() record the status of _PAGE_DIRTY",
                            "    - mm/damon/sysfs: change next_update_jiffies to a global variable",
                            "    - selftests/tracing: Run sample events to clear page cache events",
                            "    - wifi: mac80211: reject address change while connecting",
                            "    - mm/huge_memory: preserve PG_has_hwpoisoned if a folio is split to >0",
                            "      order",
                            "    - mm/mm_init: fix hash table order logging in alloc_large_system_hash()",
                            "    - mm/damon/stat: change last_refresh_jiffies to a global variable",
                            "    - mm/kmsan: fix kmsan kmalloc hook when no stack depots are allocated yet",
                            "    - mm/shmem: fix THP allocation and fallback loop",
                            "    - mm/mremap: honour writable bit in mremap pte batching",
                            "    - mm/huge_memory: fix folio split check for anon folios in swapcache",
                            "    - mmc: sdhci-of-dwcmshc: Change DLL_STRBIN_TAPNUM_DEFAULT to 0x4",
                            "    - mmc: pxamci: Simplify pxamci_probe() error handling using devm APIs",
                            "    - mmc: dw_mmc-rockchip: Fix wrong internal phase calculate",
                            "    - ASoC: sdw_utils: fix device reference leak in is_sdca_endpoint_present()",
                            "    - crypto: hisilicon/qm - Fix device reference leak in qm_get_qos_value",
                            "    - smb: client: fix cifs_pick_channel when channel needs reconnect",
                            "    - spi: Try to get ACPI GPIO IRQ earlier",
                            "    - x86/microcode/AMD: Add Zen5 model 0x44, stepping 0x1 minrev",
                            "    - x86/CPU/AMD: Add additional fixed RDSEED microcode revisions",
                            "    - selftests/user_events: fix type cast for write_index packed member in",
                            "      perf_test",
                            "    - gendwarfksyms: Skip files with no exports",
                            "    - ftrace: Fix BPF fexit with livepatch",
                            "    - LoongArch: Consolidate max_pfn & max_low_pfn calculation",
                            "    - LoongArch: Use physical addresses for CSR_MERRENTRY/CSR_TLBRENTRY",
                            "    - EDAC/altera: Handle OCRAM ECC enable after warm reset",
                            "    - EDAC/altera: Use INTTEST register for Ethernet and USB SBE injection",
                            "    - PM: hibernate: Emit an error when image writing fails",
                            "    - PM: hibernate: Use atomic64_t for compressed_size variable",
                            "    - btrfs: zoned: fix conventional zone capacity calculation",
                            "    - btrfs: zoned: fix stripe width calculation",
                            "    - btrfs: scrub: put bio after errors in scrub_raid56_parity_stripe()",
                            "    - btrfs: do not update last_log_commit when logging inode due to a new",
                            "      name",
                            "    - btrfs: release root after error in data_reloc_print_warning_inode()",
                            "    - drm/amdkfd: relax checks for over allocation of save area",
                            "    - drm/amdgpu: disable peer-to-peer access for DCC-enabled GC12 VRAM",
                            "      surfaces",
                            "    - drm/i915/psr: fix pipe to vblank conversion",
                            "    - drm/xe/xe3lpg: Extend Wa_15016589081 for xe3lpg",
                            "    - drm/xe/xe3: Extend wa_14023061436",
                            "    - drm/xe/xe3: Add WA_14024681466 for Xe3_LPG",
                            "    - pmdomain: imx: Fix reference count leak in imx_gpc_remove",
                            "    - pmdomain: samsung: plug potential memleak during probe",
                            "    - pmdomain: samsung: Rework legacy splash-screen handover workaround",
                            "    - selftests: mptcp: connect: fix fallback note due to OoO",
                            "    - selftests: mptcp: join: rm: set backup flag",
                            "    - selftests: mptcp: join: endpoints: longer transfer",
                            "    - selftests: mptcp: connect: trunc: read all recv data",
                            "    - selftests: mptcp: join: userspace: longer transfer",
                            "    - selftests: mptcp: join: properly kill background tasks",
                            "    - mm/huge_memory: do not change split_huge_page*() target order silently",
                            "    - mm/memory: do not populate page table entries beyond i_size",
                            "    - scripts/decode_stacktrace.sh: symbol: avoid trailing whitespaces",
                            "    - scripts/decode_stacktrace.sh: symbol: preserve alignment",
                            "    - scripts/decode_stacktrace.sh: fix build ID and PC source parsing",
                            "    - ASoC: da7213: Convert to DEFINE_RUNTIME_DEV_PM_OPS()",
                            "    - ASoC: da7213: Use component driver suspend/resume",
                            "    - KVM: x86: Rename local \"ecx\" variables to \"msr\" and \"pmc\" as appropriate",
                            "    - KVM: x86: Add support for RDMSR/WRMSRNS w/ immediate on Intel",
                            "    - KVM: VMX: Inject #UD if guest tries to execute SEAMCALL or TDCALL",
                            "    - isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()",
                            "    - net: phy: micrel: Fix lan8814_config_init",
                            "    - Linux 6.17.9",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68204",
                            "    - pmdomain: arm: scmi: Fix genpd leak on provider registration failure",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68203",
                            "    - drm/amdgpu: fix lock warning in amdgpu_userq_fence_driver_process",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40267",
                            "    - io_uring/rw: ensure allocated iovec gets cleared for early failure",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68198",
                            "    - crash: fix crashkernel resource shrink",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68199",
                            "    - codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for",
                            "      slabobj_ext",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40268",
                            "    - cifs: client: fix memory leak in smb3_fs_context_parse_param",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40269",
                            "    - ALSA: usb-audio: Fix potential overflow of PCM transfer buffer",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68205",
                            "    - ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40270",
                            "    - mm, swap: fix potential UAF issue for VMA readahead",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40271",
                            "    - fs/proc: fix uaf in proc_readdir_de()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40272",
                            "    - mm/secretmem: fix use-after-free race in fault handler",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68245",
                            "    - net: netpoll: fix incorrect refcount handling causing incorrect cleanup",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68240",
                            "    - nilfs2: avoid having an active sc_timer before freeing sci",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68241",
                            "    - ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68211",
                            "    - ksm: use range-walk function to jump over holes in",
                            "      scan_get_next_rmap_item",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68246",
                            "    - ksmbd: close accepted socket when per-IP limit rejects connection",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40273",
                            "    - NFSD: free copynotify stateid in nfs4_free_ol_stateid()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40212",
                            "    - nfsd: fix refcount leak in nfsd_set_fh_dentry()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40274",
                            "    - KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68202",
                            "    - sched_ext: Fix unsafe locking in the scx_dump_state()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68239",
                            "    - binfmt_misc: restore write access before closing files opened by",
                            "      open_exec()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68247",
                            "    - posix-timers: Plug potential memory leak in do_timer_create()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68208",
                            "    - bpf: account for current allocated stack depth in",
                            "      widen_imprecise_scalars()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68200",
                            "    - bpf: Add bpf_prog_run_data_pointers()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40275",
                            "    - ALSA: usb-audio: Fix NULL pointer dereference in",
                            "      snd_usb_mixer_controls_badd",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68242",
                            "    - NFS: Fix LTP test failures when timestamps are delegated",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68243",
                            "    - NFS: Check the TLS certificate fields in nfs_match_client()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40276",
                            "    - drm/panthor: Flush shmem writes before mapping buffers CPU-uncached",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40277",
                            "    - drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68206",
                            "    - netfilter: nft_ct: add seqadj extension for natted connections",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68209",
                            "    - mlx5: Fix default values in create CQ",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40278",
                            "    - net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-",
                            "      infoleak",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40279",
                            "    - net: sched: act_connmark: initialize struct tc_ife to fix kernel leak",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40280",
                            "    - tipc: Fix use-after-free in tipc_mon_reinit_self().",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40281",
                            "    - sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40282",
                            "    - Bluetooth: 6lowpan: reset link-local header on ipv6 recv path",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40283",
                            "    - Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40284",
                            "    - Bluetooth: MGMT: cancel mesh send timer when hdev removed",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68210",
                            "    - erofs: avoid infinite loop due to incomplete zstd-compressed data",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40285",
                            "    - smb/server: fix possible refcount leak in smb2_sess_setup()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40286",
                            "    - smb/server: fix possible memory leak in smb2_read()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40287",
                            "    - exfat: fix improper check of dentry.stream.valid_size",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40288",
                            "    - drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40289",
                            "    - drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68201",
                            "    - drm/amdgpu: remove two invalid BUG_ON()s",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68207",
                            "    - drm/xe/guc: Synchronize Dead CT worker with unbind",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68244",
                            "    - drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833)",
                            "    - Revert \"Bluetooth: L2CAP: convert timeouts to secs_to_jiffies()\"",
                            "    - sched_ext: Mark scx_bpf_dsq_move_set_[slice|vtime]() with KF_RCU",
                            "    - net: usb: asix_devices: Check return value of usbnet_get_endpoints",
                            "    - fbdev: atyfb: Check if pll_ops->init_pll failed",
                            "    - ACPI: button: Call input_free_device() on failing input device",
                            "      registration",
                            "    - ACPI: fan: Use platform device for devres-related actions",
                            "    - virtio-net: drop the multi-buffer XDP packet in zerocopy",
                            "    - batman-adv: Release references to inactive interfaces",
                            "    - Bluetooth: rfcomm: fix modem control handling",
                            "    - net: phy: dp83867: Disable EEE support as not implemented",
                            "    - fbdev: pvr2fb: Fix leftover reference to ONCHIP_NR_DMA_CHANNELS",
                            "    - fbdev: valkyriefb: Fix reference count leak in valkyriefb_init",
                            "    - mptcp: drop bogus optimization in __mptcp_check_push()",
                            "    - mptcp: restore window probe",
                            "    - ASoC: qdsp6: q6asm: do not sleep while atomic",
                            "    - ASoC: renesas: rz-ssi: Use proper dma_buffer_pos after resume",
                            "    - s390/pci: Restore IRQ unconditionally for the zPCI device",
                            "    - x86/build: Disable SSE4a",
                            "    - wifi: ath10k: Fix memory leak on unsupported WMI command",
                            "    - wifi: ath11k: Add missing platform IDs for quirk table",
                            "    - wifi: ath12k: free skb during idr cleanup callback",
                            "    - wifi: ath11k: avoid bit operation on key flags",
                            "    - drm/msm/a6xx: Fix GMU firmware parser",
                            "    - ALSA: usb-audio: fix control pipe direction",
                            "    - ASoC: cs-amp-lib-test: Fix missing include of kunit/test-bug.h",
                            "    - wifi: mac80211: reset FILS discovery and unsol probe resp intervals",
                            "    - wifi: mac80211: fix key tailroom accounting leak",
                            "    - wifi: nl80211: call kfree without a NULL check",
                            "    - kunit: test_dev_action: Correctly cast 'priv' pointer to long*",
                            "    - scsi: ufs: core: Initialize value of an attribute returned by uic cmd",
                            "    - scsi: core: Fix the unit attention counter implementation",
                            "    - bpf: Do not audit capability check in do_jit()",
                            "    - nvmet-auth: update sc_c in host response",
                            "    - crypto: s390/phmac - Do not modify the req->nbytes value",
                            "    - ASoC: Intel: avs: Unprepare a stream when XRUN occurs",
                            "    - ASoC: fsl_sai: fix bit order for DSD format",
                            "    - ASoC: fsl_micfil: correct the endian format for DSD",
                            "    - libbpf: Fix powerpc's stack register definition in bpf_tracing.h",
                            "    - ASoC: mediatek: Fix double pm_runtime_disable in remove functions",
                            "    - Bluetooth: ISO: Fix BIS connection dst_type handling",
                            "    - Bluetooth: btmtksdio: Add pmctrl handling for BT closed state during",
                            "      reset",
                            "    - Bluetooth: HCI: Fix tracking of advertisement set/instance 0x00",
                            "    - Bluetooth: ISO: Fix another instance of dst_type handling",
                            "    - Bluetooth: btintel_pcie: Fix event packet loss issue",
                            "    - Bluetooth: hci_conn: Fix connection cleanup with BIG with 2 or more BIS",
                            "    - Bluetooth: hci_core: Fix tracking of periodic advertisement",
                            "    - bpf: Conditionally include dynptr copy kfuncs",
                            "    - drm/msm: Ensure vm is created in VM_BIND ioctl",
                            "    - ALSA: usb-audio: add mono main switch to Presonus S1824c",
                            "    - ALSA: usb-audio: don't log messages meant for 1810c when initializing",
                            "      1824c",
                            "    - ACPI: MRRM: Check revision of MRRM table",
                            "    - drm/etnaviv: fix flush sequence logic",
                            "    - tools: ynl: fix string attribute length to include null terminator",
                            "    - net: hns3: return error code when function fails",
                            "    - sfc: fix potential memory leak in efx_mae_process_mport()",
                            "    - tools: ynl: avoid print_field when there is no reply",
                            "    - dpll: spec: add missing module-name and clock-id to pin-get reply",
                            "    - ASoC: fsl_sai: Fix sync error in consumer mode",
                            "    - ASoC: soc_sdw_utils: remove cs42l43 component_name",
                            "    - drm/amd/pm: fix smu table id bound check issue in smu_cmn_update_table()",
                            "    - drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji",
                            "    - drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland",
                            "    - drm/amdgpu: fix SPDX headers on amdgpu_cper.c/h",
                            "    - drm/amdgpu: fix SPDX header on amd_cper.h",
                            "    - drm/amdgpu: fix SPDX header on irqsrcs_vcn_5_0.h",
                            "    - ACPI: fan: Use ACPI handle when retrieving _FST",
                            "    - block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL",
                            "    - block: make REQ_OP_ZONE_OPEN a write operation",
                            "    - dma-fence: Fix safe access wrapper to call timeline name method",
                            "    - kbuild: align modinfo section for Secureboot Authenticode EDK2 compat",
                            "    - regmap: irq: Correct documentation of wake_invert flag",
                            "    - [Config] Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP for s390x",
                            "    - s390/mm: Fix memory leak in add_marker() when kvrealloc() fails",
                            "    - drm/xe: Do not wake device during a GT reset",
                            "    - drm/sched: avoid killing parent entity on child SIGKILL",
                            "    - drm/sched: Fix race in drm_sched_entity_select_rq()",
                            "    - drm/nouveau: Fix race in nouveau_sched_fini()",
                            "    - drm/i915/dmc: Clear HRR EVT_CTL/HTP to zero on ADL-S",
                            "    - drm/ast: Clear preserved bits from register output value",
                            "    - drm/amd: Check that VPE has reached DPM0 in idle handler",
                            "    - drm/amd/display: Fix incorrect return of vblank enable on unconfigured",
                            "      crtc",
                            "    - drm/amd/display: Don't program BLNDGAM_MEM_PWR_FORCE when CM low-power",
                            "      is disabled on DCN30",
                            "    - drm/amd/display: Add HDR workaround for a specific eDP",
                            "    - mptcp: leverage skb deferral free",
                            "    - mptcp: fix MSG_PEEK stream corruption",
                            "    - cpuidle: governors: menu: Rearrange main loop in menu_select()",
                            "    - cpuidle: governors: menu: Select polling state in some more cases",
                            "    - PM: hibernate: Combine return paths in power_down()",
                            "    - PM: sleep: Allow pm_restrict_gfp_mask() stacking",
                            "    - mfd: kempld: Switch back to earlier ->init() behavior",
                            "    - soc: aspeed: socinfo: Add AST27xx silicon IDs",
                            "    - firmware: qcom: scm: preserve assign_mem() error return value",
                            "    - soc: qcom: smem: Fix endian-unaware access of num_entries",
                            "    - spi: loopback-test: Don't use %pK through printk",
                            "    - spi: spi-qpic-snand: handle 'use_ecc' parameter of",
                            "      qcom_spi_config_cw_read()",
                            "    - soc: ti: pruss: don't use %pK through printk",
                            "    - bpf: Don't use %pK through printk",
                            "    - mmc: sdhci: Disable SD card clock before changing parameters",
                            "    - pinctrl: single: fix bias pull up/down handling in pin_config_set",
                            "    - mmc: host: renesas_sdhi: Fix the actual clock",
                            "    - memstick: Add timeout to prevent indefinite waiting",
                            "    - cpufreq: ti: Add support for AM62D2",
                            "    - bpf: Use tnums for JEQ/JNE is_branch_taken logic",
                            "    - firmware: ti_sci: Enable abort handling of entry to LPM",
                            "    - firewire: ohci: move self_id_complete tracepoint after validating",
                            "      register",
                            "    - irqchip/sifive-plic: Respect mask state when setting affinity",
                            "    - irqchip/loongson-eiointc: Route interrupt parsed from bios table",
                            "    - ACPI: sysfs: Use ACPI_FREE() for freeing an ACPI object",
                            "    - ACPI: video: force native for Lenovo 82K8",
                            "    - libbpf: Fix USDT SIB argument handling causing unrecognized register",
                            "      error",
                            "    - selftests/bpf: Fix bpf_prog_detach2 usage in test_lirc_mode2",
                            "    - arm64: versal-net: Update rtc calibration value",
                            "    - Revert \"UBUNTU: SAUCE: firmware: qcom: scm: Allow QSEECOM on Dell",
                            "      Inspiron 7441 / Latitude 7455\"",
                            "    - firmware: qcom: scm: Allow QSEECOM on Dell Inspiron 7441 / Latitude 7455",
                            "    - kselftest/arm64: tpidr2: Switch to waitpid() over wait4()",
                            "    - arc: Fix __fls() const-foldability via __builtin_clzl()",
                            "    - selftests/bpf: Upon failures, exit with code 1 in test_xsk.sh",
                            "    - irqchip/gic-v2m: Handle Multiple MSI base IRQ Alignment",
                            "    - ACPI: PRM: Skip handlers with NULL handler_address or NULL VA",
                            "    - ACPI: resource: Skip IRQ override on ASUS Vivobook Pro N6506CU",
                            "    - ACPI: scan: Add Intel CVS ACPI HIDs to acpi_ignore_dep_ids[]",
                            "    - thermal: gov_step_wise: Allow cooling level to be reduced earlier",
                            "    - thermal: intel: selftests: workload_hint: Mask unsupported types",
                            "    - power: supply: qcom_battmgr: add OOI chemistry",
                            "    - hwmon: (k10temp) Add thermal support for AMD Family 1Ah-based models",
                            "    - hwmon: (k10temp) Add device ID for Strix Halo",
                            "    - hwmon: (lenovo-ec-sensors) Update P8 supprt",
                            "    - hwmon: (sbtsi_temp) AMD CPU extended temperature range support",
                            "    - pinctrl: renesas: rzg2l: Add suspend/resume support for Schmitt control",
                            "      registers",
                            "    - pinctrl: keembay: release allocated memory in detach path",
                            "    - power: supply: sbs-charger: Support multiple devices",
                            "    - io_uring/rsrc: respect submitter_task in io_register_clone_buffers()",
                            "    - hwmon: sy7636a: add alias",
                            "    - selftests/bpf: Fix incorrect array size calculation",
                            "    - block: check for valid bio while splitting",
                            "    - irqchip/loongson-pch-lpc: Use legacy domain for PCH-LPC IRQ controller",
                            "    - cpufreq: ondemand: Update the efficient idle check for Intel extended",
                            "      Families",
                            "    - arm64: zynqmp: Disable coresight by default",
                            "    - arm64: zynqmp: Revert usb node drive strength and slew rate for zcu106",
                            "    - soc/tegra: fuse: Add Tegra114 nvmem cells and fuse lookups",
                            "    - ARM: tegra: p880: set correct touchscreen clipping",
                            "    - ARM: tegra: transformer-20: add missing magnetometer interrupt",
                            "    - ARM: tegra: transformer-20: fix audio-codec interrupt",
                            "    - firmware: qcom: tzmem: disable sc7180 platform",
                            "    - soc: ti: k3-socinfo: Add information for AM62L SR1.1",
                            "    - mmc: sdhci-msm: Enable tuning for SDR50 mode for SD card",
                            "    - pwm: pca9685: Use bulk write to atomicially update registers",
                            "    - ACPICA: dispatcher: Use acpi_ds_clear_operands() in",
                            "      acpi_ds_call_control_method()",
                            "    - tee: allow a driver to allocate a tee_device without a pool",
                            "    - kunit: Enable PCI on UML without triggering WARN()",
                            "    - selftests/bpf: Fix arena_spin_lock selftest failure",
                            "    - bpf: Do not limit bpf_cgroup_from_id to current's namespace",
                            "    - i3c: mipi-i3c-hci-pci: Add support for Intel Wildcat Lake-U I3C",
                            "    - rust: kunit: allow `cfg` on `test`s",
                            "    - video: backlight: lp855x_bl: Set correct EPROM start for LP8556",
                            "    - i3c: dw: Add shutdown support to dw_i3c_master driver",
                            "    - io_uring/zcrx: check all niovs filled with dma addresses",
                            "    - tools/cpupower: fix error return value in cpupower_write_sysfs()",
                            "    - io_uring/zcrx: account niov arrays to cgroup",
                            "    - pmdomain: apple: Add \"apple,t8103-pmgr-pwrstate\"",
                            "    - power: supply: qcom_battmgr: handle charging state change notifications",
                            "    - bpftool: Fix -Wuninitialized-const-pointer warnings with clang >= 21",
                            "    - cpuidle: Fail cpuidle device registration if there is one already",
                            "    - selftests/bpf: Fix selftest verifier_arena_large failure",
                            "    - selftests: ublk: fix behavior when fio is not installed",
                            "    - spi: rpc-if: Add resume support for RZ/G3E",
                            "    - ACPI: SPCR: Support Precise Baud Rate field",
                            "    - clocksource/drivers/vf-pit: Replace raw_readl/writel to readl/writel",
                            "    - clocksource/drivers/timer-rtl-otto: Work around dying timers",
                            "    - clocksource/drivers/timer-rtl-otto: Do not interfere with interrupts",
                            "    - riscv: bpf: Fix uninitialized symbol 'retval_off'",
                            "    - bpf: Clear pfmemalloc flag when freeing all fragments",
                            "    - selftests: drv-net: Pull data before parsing headers",
                            "    - nvme: Use non zero KATO for persistent discovery connections",
                            "    - uprobe: Do not emulate/sstep original instruction when ip is changed",
                            "    - hwmon: (asus-ec-sensors) increase timeout for locking ACPI mutex",
                            "    - hwmon: (dell-smm) Remove Dell Precision 490 custom config data",
                            "    - hwmon: (dell-smm) Add support for Dell OptiPlex 7040",
                            "    - tools/cpupower: Fix incorrect size in cpuidle_state_disable()",
                            "    - selftests/bpf: Fix flaky bpf_cookie selftest",
                            "    - tools/power turbostat: Fix incorrect sorting of PMT telemetry",
                            "    - tools/power x86_energy_perf_policy: Fix incorrect fopen mode usage",
                            "    - tools/power x86_energy_perf_policy: Enhance HWP enable",
                            "    - tools/power x86_energy_perf_policy: Prefer driver HWP limits",
                            "    - mfd: simple-mfd-i2c: Add compatible strings for Layerscape QIXIS FPGA",
                            "    - mfd: stmpe: Remove IRQ domain upon removal",
                            "    - mfd: stmpe-i2c: Add missing MODULE_LICENSE",
                            "    - mfd: qnap-mcu: Handle errors returned from qnap_mcu_write",
                            "    - mfd: qnap-mcu: Include linux/types.h in qnap-mcu.h shared header",
                            "    - mfd: madera: Work around false-positive -Wininitialized warning",
                            "    - mfd: da9063: Split chip variant reading in two bus transactions",
                            "    - mfd: macsmc: Add \"apple,t8103-smc\" compatible",
                            "    - mfd: core: Increment of_node's refcount before linking it to the",
                            "      platform device",
                            "    - mfd: cs42l43: Move IRQ enable/disable to encompass force suspend",
                            "    - mfd: intel-lpss: Add Intel Wildcat Lake LPSS PCI IDs",
                            "    - drm/xe/ptl: Apply Wa_16026007364",
                            "    - drm/xe/configfs: Enforce canonical device names",
                            "    - drm/amd/display: Update tiled to tiled copy command",
                            "    - drm/amd/display: fix condition for setting timing_adjust_pending",
                            "    - drm/amd/display: ensure committing streams is seamless",
                            "    - drm/amdgpu: add range check for RAS bad page address",
                            "    - drm/amdgpu: Check vcn sram load return value",
                            "    - drm/amd/display: Remove check DPIA HPD status for BW Allocation",
                            "    - drm/amd/display: Increase AUX Intra-Hop Done Max Wait Duration",
                            "    - drm/amd/display: Fix dmub_cmd header alignment",
                            "    - drm/xe/guc: Add more GuC load error status codes",
                            "    - drm/xe/pf: Don't resume device from restart worker",
                            "    - drm/amdgpu: Fix build error when CONFIG_SUSPEND is disabled",
                            "    - drm/amdgpu: Update IPID value for bad page threshold CPER",
                            "    - drm/amdgpu: Avoid rma causes GPU duplicate reset",
                            "    - drm/amdgpu: Effective health check before reset",
                            "    - drm/amd/amdgpu: Release xcp drm memory after unplug",
                            "    - drm/amdgpu: Fix vcn v5.0.1 poison irq call trace",
                            "    - drm/xe: Extend wa_13012615864 to additional Xe2 and Xe3 platforms",
                            "    - drm/amdgpu: Skip poison aca bank from UE channel",
                            "    - drm/amd/display: add more cyan skillfish devices",
                            "    - drm/amdgpu: Initialize jpeg v5_0_1 ras function",
                            "    - drm/amdgpu: skip mgpu fan boost for multi-vf",
                            "    - drm/amd/display: fix dmub access race condition",
                            "    - drm/amd/display: update dpp/disp clock from smu clock table",
                            "    - drm/amd/pm: Use cached metrics data on aldebaran",
                            "    - drm/amd/pm: Use cached metrics data on arcturus",
                            "    - accel/amdxdna: Unify pm and rpm suspend and resume callbacks",
                            "    - drm/amdgpu/jpeg: Hold pg_lock before jpeg poweroff",
                            "    - drm/xe/pf: Program LMTT directory pointer on all GTs within a tile",
                            "    - drm/nouveau: replace snprintf() with scnprintf() in nvkm_snprintbf()",
                            "    - ASoC: tas2781: Add keyword \"init\" in profile section",
                            "    - ASoC: mediatek: Use SND_JACK_AVOUT for HDMI/DP jacks",
                            "    - drm/amd/display: Reset apply_eamless_boot_optimization when dpms_off",
                            "    - drm/amdgpu: add to custom amdgpu_drm_release drm_dev_enter/exit",
                            "    - drm/amd/display: Wait until OTG enable state is cleared",
                            "    - drm/xe: rework PDE PAT index selection",
                            "    - docs: kernel-doc: avoid script crash on ancient Python",
                            "    - drm/sharp-memory: Do not access GEM-DMA vaddr directly",
                            "    - PCI: Disable MSI on RDC PCI to PCIe bridges",
                            "    - drm/nouveau: always set RMDevidCheckIgnore for GSP-RM",
                            "    - drm/panel-edp: Add SHP LQ134Z1 panel for Dell XPS 9345",
                            "    - selftests/net: Replace non-standard __WORDSIZE with sizeof(long) * 8",
                            "    - selftests/net: Ensure assert() triggers in psock_tpacket.c",
                            "    - wifi: rtw89: print just once for unknown C2H events",
                            "    - wifi: rtw88: sdio: use indirect IO for device registers before power-on",
                            "    - wifi: rtw89: add dummy C2H handlers for BCN resend and update done",
                            "    - drm/amdkfd: return -ENOTTY for unsupported IOCTLs",
                            "    - selftests: drv-net: devmem: add / correct the IPv6 support",
                            "    - selftests: drv-net: devmem: flip the direction of Tx tests",
                            "    - media: pci: ivtv: Don't create fake v4l2_fh",
                            "    - media: amphion: Delete v4l2_fh synchronously in .release()",
                            "    - drm/tidss: Use the crtc_* timings when programming the HW",
                            "    - drm/bridge: cdns-dsi: Fix REG_WAKEUP_TIME value",
                            "    - drm/bridge: cdns-dsi: Don't fail on MIPI_DSI_MODE_VIDEO_BURST",
                            "    - drm/tidss: Set crtc modesetting parameters with adjusted mode",
                            "    - drm/tidss: Remove early fb",
                            "    - RDMA/mana_ib: Drain send wrs of GSI QP",
                            "    - media: i2c: Kconfig: Ensure a dependency on HAVE_CLK for",
                            "      VIDEO_CAMERA_SENSOR",
                            "    - PCI/ERR: Update device error_state already after reset",
                            "    - x86/vsyscall: Do not require X86_PF_INSTR to emulate vsyscall",
                            "    - net: stmmac: Check stmmac_hw_setup() in stmmac_resume()",
                            "    - ice: Don't use %pK through printk or tracepoints",
                            "    - thunderbolt: Use is_pciehp instead of is_hotplug_bridge",
                            "    - ASoC: es8323: enable DAPM power widgets for playback DAC and output",
                            "    - powerpc/eeh: Use result of error_detected() in uevent",
                            "    - s390/pci: Use pci_uevent_ers() in PCI recovery",
                            "    - bridge: Redirect to backup port when port is administratively down",
                            "    - selftests: drv-net: wait for carrier",
                            "    - net: phy: mscc: report and configure in-band auto-negotiation for",
                            "      SGMII/QSGMII",
                            "    - scsi: ufs: host: mediatek: Fix auto-hibern8 timer configuration",
                            "    - scsi: ufs: host: mediatek: Fix PWM mode switch issue",
                            "    - scsi: ufs: host: mediatek: Assign power mode userdata before FASTAUTO",
                            "      mode change",
                            "    - scsi: ufs: host: mediatek: Change reset sequence for improved stability",
                            "    - scsi: ufs: host: mediatek: Fix invalid access in vccqx handling",
                            "    - gpu: nova-core: register: allow fields named `offset`",
                            "    - drm/panthor: Serialize GPU cache flush operations",
                            "    - HID: pidff: Use direction fix only for conditional effects",
                            "    - HID: pidff: PERMISSIVE_CONTROL quirk autodetection",
                            "    - drm/bridge: display-connector: don't set OP_DETECT for DisplayPorts",
                            "    - drm/amdkfd: Handle lack of READ permissions in SVM mapping",
                            "    - drm/amdgpu: refactor bad_page_work for corner case handling",
                            "    - hwrng: timeriomem - Use us_to_ktime() where appropriate",
                            "    - iio: adc: spear_adc: mask SPEAR_ADC_STATUS channel and avg sample before",
                            "      setting register",
                            "    - iio: adc: imx93_adc: load calibrated values even calibration failed",
                            "    - usb: gadget: f_ncm: Fix MAC assignment NCM ethernet",
                            "    - ASoC: es8323: remove DAC enablement write from es8323_probe",
                            "    - ASoC: es8323: add proper left/right mixer controls via DAPM",
                            "    - ASoC: codecs: wsa883x: Handle shared reset GPIO for WSA883x speakers",
                            "    - drm/xe: Make page size consistent in loop",
                            "    - wifi: rtw89: wow: remove notify during WoWLAN net-detect",
                            "    - wifi: rtw89: fix BSSID comparison for non-transmitted BSSID",
                            "    - wifi: rtw89: 8851b: rfk: update IQK TIA setting",
                            "    - dm error: mark as DM_TARGET_PASSES_INTEGRITY",
                            "    - char: misc: Make misc_register() reentry for miscdevice who wants",
                            "      dynamic minor",
                            "    - char: misc: Does not request module for miscdevice with dynamic minor",
                            "    - net: When removing nexthops, don't call synchronize_net if it is not",
                            "      necessary",
                            "    - net: Call trace_sock_exceed_buf_limit() for memcg failure with",
                            "      SK_MEM_RECV.",
                            "    - dmaengine: idxd: Add a new IAA device ID for Wildcat Lake family",
                            "      platforms",
                            "    - PCI/P2PDMA: Fix incorrect pointer usage in devm_kfree() call",
                            "    - bnxt_en: Add Hyper-V VF ID",
                            "    - tty: serial: Modify the use of dev_err_probe()",
                            "    - ALSA: usb-audio: Add validation of UAC2/UAC3 effect units",
                            "    - Octeontx2-af: Broadcast XON on all channels",
                            "    - idpf: do not linearize big TSO packets",
                            "    - drm/xe/pcode: Initialize data0 for pcode read routine",
                            "    - drm/panel: ilitek-ili9881c: turn off power-supply when init fails",
                            "    - drm/panel: ilitek-ili9881c: move display_on/_off dcs calls to",
                            "      (un-)prepare",
                            "    - rds: Fix endianness annotation for RDS_MPATH_HASH",
                            "    - net: wangxun: limit tx_max_coalesced_frames_irq",
                            "    - iio: imu: bmi270: Match PNP ID found on newer GPD firmware",
                            "    - media: ipu6: isys: Set embedded data type correctly for metadata formats",
                            "    - rpmsg: char: Export alias for RPMSG ID rpmsg-raw from table",
                            "    - net: ipv4: allow directed broadcast routes to use dst hint",
                            "    - scsi: mpi3mr: Fix device loss during enclosure reboot due to zero link",
                            "      speed",
                            "    - wifi: rtw89: coex: Limit Wi-Fi scan slot cost to avoid A2DP glitch",
                            "    - scsi: mpi3mr: Fix I/O failures during controller reset",
                            "    - scsi: mpi3mr: Fix controller init failure on fault during queue creation",
                            "    - scsi: pm80xx: Fix race condition caused by static variables",
                            "    - extcon: adc-jack: Fix wakeup source leaks on device unbind",
                            "    - extcon: fsa9480: Fix wakeup source leaks on device unbind",
                            "    - extcon: axp288: Fix wakeup source leaks on device unbind",
                            "    - drm/xe: Set GT as wedged before sending wedged uevent",
                            "    - remoteproc: wkup_m3: Use devm_pm_runtime_enable() helper",
                            "    - drm/xe/wcl: Extend L3bank mask workaround",
                            "    - net: phy: fixed_phy: let fixed_phy_unregister free the phy_device",
                            "    - selftests: drv-net: hds: restore hds settings",
                            "    - fuse: zero initialize inode private data",
                            "    - virtio_fs: fix the hash table using in virtio_fs_enqueue_req()",
                            "    - selftests: pci_endpoint: Skip IRQ test if IRQ is out of range.",
                            "    - drm/xe: Ensure GT is in C0 during resumes",
                            "    - misc: pci_endpoint_test: Skip IRQ tests if irq is out of range",
                            "    - drm/amdgpu: Correct the loss of aca bank reg info",
                            "    - drm/amdgpu: Correct the counts of nr_banks and nr_errors",
                            "    - drm/amdkfd: fix vram allocation failure for a special case",
                            "    - drm/amd/display: Support HW cursor 180 rot for any number of pipe splits",
                            "    - drm/amdkfd: Tie UNMAP_LATENCY to queue_preemption",
                            "    - drm/amd/display: wait for otg update pending latch before clock",
                            "      optimization",
                            "    - drm/amd/display: Consider sink max slice width limitation for dsc",
                            "    - drm/amdgpu/vpe: cancel delayed work in hw_fini",
                            "    - drm/xe: Cancel pending TLB inval workers on teardown",
                            "    - net: Prevent RPS table overwrite of active flows",
                            "    - eth: fbnic: Reset hw stats upon PCI error",
                            "    - wifi: iwlwifi: mld: trigger mlo scan only when not in EMLSR",
                            "    - platform/x86/intel-uncore-freq: Fix warning in partitioned system",
                            "    - drm/msm/dpu: Filter modes based on adjusted mode clock",
                            "    - drm/msm: Use of_reserved_mem_region_to_resource() for \"memory-region\"",
                            "    - selftests: drv-net: rss_ctx: fix the queue count check",
                            "    - media: fix uninitialized symbol warnings",
                            "    - media: pci: mgb4: Fix timings comparison in VIDIOC_S_DV_TIMINGS",
                            "    - ASoC: SOF: ipc4-pcm: Add fixup for channels",
                            "    - drm/amdgpu: Notify pmfw bad page threshold exceeded",
                            "    - drm/amd/display: Increase minimum clock for TMDS 420 with pipe splitting",
                            "    - drm/amdgpu: Avoid jpeg v5.0.1 poison irq call trace on sriov guest",
                            "    - drm/amd/display: incorrect conditions for failing dto calculations",
                            "    - drm/amdgpu: Avoid vcn v5.0.1 poison irq call trace on sriov guest",
                            "    - drm/amdgpu: Respect max pixel clock for HDMI and DVI-D (v2)",
                            "    - mips: lantiq: danube: add missing properties to cpu node",
                            "    - mips: lantiq: danube: add model to EASY50712 dts",
                            "    - mips: lantiq: danube: add missing device_type in pci node",
                            "    - mips: lantiq: xway: sysctrl: rename stp clock",
                            "    - mips: lantiq: danube: rename stp node on EASY50712 reference board",
                            "    - inet_diag: annotate data-races in inet_diag_bc_sk()",
                            "    - microchip: lan865x: add ndo_eth_ioctl handler to enable PHY ioctl",
                            "      support",
                            "    - crypto: qat - use kcalloc() in qat_uclo_map_objs_from_mof()",
                            "    - scsi: pm8001: Use int instead of u32 to store error codes",
                            "    - iio: adc: ad7124: do not require mclk",
                            "    - scsi: ufs: exynos: fsd: Gate ref_clk and put UFS device in reset on",
                            "      suspend",
                            "    - media: imx-mipi-csis: Only set clock rate when specified in DT",
                            "    - wifi: iwlwifi: pcie: remember when interrupts are disabled",
                            "    - drm/st7571-i2c: add support for inverted pixel format",
                            "    - ptp: Limit time setting of PTP clocks",
                            "    - dmaengine: sh: setup_xref error handling",
                            "    - dmaengine: mv_xor: match alloc_wc and free_wc",
                            "    - dmaengine: dw-edma: Set status for callback_result",
                            "    - netfilter: nf_tables: all transaction allocations can now sleep",
                            "    - drm/msm/dsi/phy: Toggle back buffer resync after preparing PLL",
                            "    - drm/msm/dsi/phy_7nm: Fix missing initial VCO rate",
                            "    - drm/amdgpu: Allow kfd CRIU with no buffer objects",
                            "    - drm/xe/guc: Increase GuC crash dump buffer size",
                            "    - drm/amd/pm: Increase SMC timeout on SI and warn (v3)",
                            "    - move_mount(2): take sanity checks in 'beneath' case into do_lock_mount()",
                            "    - selftests: drv-net: rss_ctx: make the test pass with few queues",
                            "    - ipv6: Add sanity checks on ipv6_devconf.rpl_seg_enabled",
                            "    - drm/xe: Extend Wa_22021007897 to Xe3 platforms",
                            "    - wifi: mac80211: count reg connection element in the size",
                            "    - drm/panthor: check bo offset alignment in vm bind",
                            "    - drm: panel-backlight-quirks: Make EDID match optional",
                            "    - ixgbe: reduce number of reads when getting OROM data",
                            "    - netlink: specs: fou: change local-v6/peer-v6 check",
                            "    - net: nfc: nci: Increase NCI_DATA_TIMEOUT to 3000 ms",
                            "    - media: adv7180: Add missing lock in suspend callback",
                            "    - media: adv7180: Do not write format to device in set_fmt",
                            "    - media: adv7180: Only validate format in querystd",
                            "    - media: verisilicon: Explicitly disable selection api ioctls for decoders",
                            "    - wifi: mac80211: Fix 6 GHz Band capabilities element advertisement in",
                            "      lower bands",
                            "    - platform/x86: think-lmi: Add extra TC BIOS error messages",
                            "    - platform/x86/intel-uncore-freq: Present unique domain ID per package",
                            "    - ALSA: usb-audio: apply quirk for MOONDROP Quark2",
                            "    - PCI: imx6: Enable the Vaux supply if available",
                            "    - drm/xe/guc: Set upper limit of H2G retries over CTB",
                            "    - net: call cond_resched() less often in __release_sock()",
                            "    - smsc911x: add second read of EEPROM mac when possible corruption seen",
                            "    - drm/xe: improve dma-resv handling for backup object",
                            "    - iommu/amd: Add support to remap/unmap IOMMU buffers for kdump",
                            "    - iommu/amd: Skip enabling command/event buffers for kdump",
                            "    - iommu/amd: Reuse device table for kdump",
                            "    - crypto: ccp: Skip SEV and SNP INIT for kdump boot",
                            "    - iommu/apple-dart: Clear stream error indicator bits for T8110 DARTs",
                            "    - bus: mhi: host: pci_generic: Add support for all Foxconn T99W696 SKU",
                            "      variants",
                            "    - drm/amdgpu: Correct info field of bad page threshold exceed CPER",
                            "    - drm/amd: add more cyan skillfish PCI ids",
                            "    - drm/amdgpu: don't enable SMU on cyan skillfish",
                            "    - drm/amdgpu: add support for cyan skillfish gpu_info",
                            "    - drm/amd/display: Fix pbn_div Calculation Error",
                            "    - drm/amd/display: dont wait for pipe update during medupdate/highirq",
                            "    - drm/amd/pm: refine amdgpu pm sysfs node error code",
                            "    - drm/amd/display: Indicate when custom brightness curves are in use",
                            "    - selftests: ncdevmem: don't retry EFAULT",
                            "    - net: dsa: felix: support phy-mode = \"10g-qxgmii\"",
                            "    - usb: gadget: f_hid: Fix zero length packet transfer",
                            "    - serial: qcom-geni: Add DFS clock mode support to GENI UART driver",
                            "    - serdev: Drop dev_pm_domain_detach() call",
                            "    - tty/vt: Add missing return value for VT_RESIZE in vt_ioctl()",
                            "    - eeprom: at25: support Cypress FRAMs without device ID",
                            "    - drm/msm/adreno: Add speedbins for A663 GPU",
                            "    - drm/msm: Fix 32b size truncation",
                            "    - dt-bindings: display/msm/gmu: Update Adreno 623 bindings",
                            "    - drm/msm: make sure to not queue up recovery more than once",
                            "    - char: Use list_del_init() in misc_deregister() to reinitialize list",
                            "      pointer",
                            "    - drm/msm/adreno: Add speedbin data for A623 GPU",
                            "    - drm/msm/adreno: Add fenced regwrite support",
                            "    - drm/msm/a6xx: Switch to GMU AO counter",
                            "    - idpf: link NAPIs to queues",
                            "    - selftests: net: make the dump test less sensitive to mem accounting",
                            "    - PCI: endpoint: pci-epf-test: Limit PCIe BAR size for fixed BARs",
                            "    - wifi: rtw89: Add USB ID 2001:332a for D-Link AX9U rev. A1",
                            "    - wifi: rtw89: Add USB ID 2001:3327 for D-Link AX18U rev. A1",
                            "    - wifi: iwlwifi: fw: Add ASUS to PPAG and TAS list",
                            "    - drm/xe/i2c: Enable bus mastering",
                            "    - media: ov08x40: Fix the horizontal flip control",
                            "    - media: i2c: og01a1b: Specify monochrome media bus format instead of",
                            "      Bayer",
                            "    - media: qcom: camss: csiphy-3ph: Add CSIPHY 2ph DPHY v2.0.1 init sequence",
                            "    - drm/bridge: write full Audio InfoFrame",
                            "    - drm/xe/guc: Always add CT disable action during second init step",
                            "    - f2fs: fix wrong layout information on 16KB page",
                            "    - selftests: mptcp: join: allow more time to send ADD_ADDR",
                            "    - scsi: ufs: host: mediatek: Enhance recovery on resume failure",
                            "    - scsi: ufs: ufs-qcom: Align programming sequence of Shared ICE for UFS",
                            "      controller v5",
                            "    - scsi: ufs: host: mediatek: Fix unbalanced IRQ enable issue",
                            "    - scsi: ufs: host: mediatek: Enhance recovery on hibernation exit failure",
                            "    - net: phy: marvell: Fix 88e1510 downshift counter errata",
                            "    - scsi: ufs: host: mediatek: Correct system PM flow",
                            "    - scsi: ufs: host: mediatek: Disable auto-hibern8 during power mode",
                            "      changes",
                            "    - scsi: ufs: host: mediatek: Fix adapt issue after PA_Init",
                            "    - wifi: cfg80211: update the time stamps in hidden ssid",
                            "    - wifi: mac80211: Fix HE capabilities element check",
                            "    - fbcon: Use screen info to find primary device",
                            "    - phy: cadence: cdns-dphy: Enable lower resolutions in dphy",
                            "    - Fix access to video_is_primary_device() when compiled without",
                            "      CONFIG_VIDEO",
                            "    - phy: renesas: r8a779f0-ether-serdes: add new step added to latest",
                            "      datasheet",
                            "    - phy: rockchip: phy-rockchip-inno-csidphy: allow writes to grf register 0",
                            "    - drm/msm/registers: Generate _HI/LO builders for reg64",
                            "    - net: sh_eth: Disable WoL if system can not suspend",
                            "    - selftests: net: replace sleeps in fcnal-test with waits",
                            "    - media: redrat3: use int type to store negative error codes",
                            "    - platform/x86/amd/pmf: Fix the custom bios input handling mechanism",
                            "    - selftests: traceroute: Use require_command()",
                            "    - selftests: traceroute: Return correct value on failure",
                            "    - openrisc: Add R_OR1K_32_PCREL relocation type module support",
                            "    - netfilter: nf_reject: don't reply to icmp error messages",
                            "    - x86/kvm: Prefer native qspinlock for dedicated vCPUs irrespective of",
                            "      PV_UNHALT",
                            "    - x86/virt/tdx: Use precalculated TDVPR page physical address",
                            "    - selftests: Disable dad for ipv6 in fcnal-test.sh",
                            "    - eth: 8139too: Make 8139TOO_PIO depend on !NO_IOPORT_MAP",
                            "    - [Config] No longer enable `CONFIG_8139TOO_PIO` for armhf",
                            "    - selftests: Replace sleep with slowwait",
                            "    - net: devmem: expose tcp_recvmsg_locked errors",
                            "    - selftests: net: lib.sh: Don't defer failed commands",
                            "    - HID: asus: add Z13 folio to generic group for multitouch to work",
                            "    - watchdog: s3c2410_wdt: Fix max_timeout being calculated larger",
                            "    - crypto: sun8i-ce - remove channel timeout field",
                            "    - PCI: dwc: Verify the single eDMA IRQ in dw_pcie_edma_irq_verify()",
                            "    - crypto: ccp - Fix incorrect payload size calculation in",
                            "      psp_poulate_hsti()",
                            "    - crypto: caam - double the entropy delay interval for retry",
                            "    - can: rcar_canfd: Update bit rate constants for RZ/G3E and R-Car Gen4",
                            "    - net: mana: Reduce waiting time if HWC not responding",
                            "    - ionic: use int type for err in ionic_get_module_eeprom_by_page",
                            "    - net/cls_cgroup: Fix task_get_classid() during qdisc run",
                            "    - wifi: mt76: mt7921: Add 160MHz beamformee capability for mt7922 device",
                            "    - wifi: mt76: mt7925: add pci restore for hibernate",
                            "    - wifi: mt76: mt7996: Fix mt7996_reverse_frag0_hdr_trans for MLO",
                            "    - wifi: mt76: mt7996: Set def_wcid pointer in mt7996_mac_sta_init_link()",
                            "    - wifi: mt76: mt7996: Temporarily disable EPCS",
                            "    - wifi: mt76: mt7996: support writing MAC TXD for AddBA Request",
                            "    - wifi: mt76: mt76_eeprom_override to int",
                            "    - ALSA: serial-generic: remove shared static buffer",
                            "    - wifi: mt76: mt7996: fix memory leak on mt7996_mcu_sta_key_tlv error",
                            "    - wifi: mt76: mt7996: disable promiscuous mode by default",
                            "    - wifi: mt76: use altx queue for offchannel tx on connac+",
                            "    - wifi: mt76: improve phy reset on hw restart",
                            "    - drm/amdgpu: Use memdup_array_user in amdgpu_cs_wait_fences_ioctl",
                            "    - drm/amdgpu: Release hive reference properly",
                            "    - drm/amd/display: Fix DMCUB loading sequence for DCN3.2",
                            "    - drm/amd/display: Set up pixel encoding for YCBCR422",
                            "    - drm/amd/display: fix dml ms order of operations",
                            "    - drm/amd/display: Don't use non-registered VUPDATE on DCE 6",
                            "    - drm/amd/display: Keep PLL0 running on DCE 6.0 and 6.4",
                            "    - drm/amd/display: Fix DVI-D/HDMI adapters",
                            "    - drm/amd/display: Disable VRR on DCE 6",
                            "    - drm/amd/display/dml2: Guard dml21_map_dc_state_into_dml_display_cfg with",
                            "      DC_FP_START",
                            "    - net: phy: clear EEE runtime state in PHY_HALTED/PHY_ERROR",
                            "    - ethernet: Extend device_get_mac_address() to use NVMEM",
                            "    - scsi: ufs: ufs-qcom: Disable lane clocks during phy hibern8",
                            "    - HID: i2c-hid: Resolve touchpad issues on Dell systems during S4",
                            "    - hinic3: Queue pair endianness improvements",
                            "    - hinic3: Fix missing napi->dev in netif_queue_set_napi",
                            "    - tools: ynl-gen: validate nested arrays",
                            "    - drm/xe/guc: Return an error code if the GuC load fails",
                            "    - drm/amdgpu: reject gang submissions under SRIOV",
                            "    - selftests/Makefile: include $(INSTALL_DEP_TARGETS) in clean target to",
                            "      clean net/lib dependency",
                            "    - scsi: ufs: core: Disable timestamp functionality if not supported",
                            "    - scsi: lpfc: Clean up allocated queues when queue setup mbox commands",
                            "      fail",
                            "    - scsi: lpfc: Decrement ndlp kref after FDISC retries exhausted",
                            "    - scsi: lpfc: Check return status of lpfc_reset_flush_io_context during",
                            "      TGT_RESET",
                            "    - scsi: lpfc: Remove ndlp kref decrement clause for F_Port_Ctrl in",
                            "      lpfc_cleanup",
                            "    - scsi: lpfc: Define size of debugfs entry for xri rebalancing",
                            "    - scsi: lpfc: Ensure PLOGI_ACC is sent prior to PRLI in Point to Point",
                            "      topology",
                            "    - allow finish_no_open(file, ERR_PTR(-E...))",
                            "    - usb: mon: Increase BUFF_MAX to 64 MiB to support multi-MB URBs",
                            "    - usb: xhci: plat: Facilitate using autosuspend for xhci plat devices",
                            "    - wifi: rtw89: disable RTW89_PHYSTS_IE09_FTR_0 for ppdu status",
                            "    - wifi: rtw89: obtain RX path from ppdu status IE00",
                            "    - wifi: rtw89: renew a completion for each H2C command waiting C2H event",
                            "    - usb: xhci-pci: add support for hosts with zero USB3 ports",
                            "    - ipv6: np->rxpmtu race annotation",
                            "    - RDMA/irdma: Update Kconfig",
                            "    - IB/ipoib: Ignore L3 master device",
                            "    - bnxt_en: Add fw log trace support for 5731X/5741X chips",
                            "    - mei: make a local copy of client uuid in connect",
                            "    - ASoC: qcom: sc8280xp: explicitly set S16LE format in",
                            "      sc8280xp_be_hw_params_fixup()",
                            "    - net: phy: clear link parameters on admin link down",
                            "    - net: ethernet: microchip: sparx5: make it selectable for ARCH_LAN969X",
                            "    - bus: mhi: core: Improve mhi_sync_power_up handling for SYS_ERR state",
                            "    - iommu/vt-d: Replace snprintf with scnprintf in dmar_latency_snapshot()",
                            "    - wifi: ath10k: Fix connection after GTK rekeying",
                            "    - iommu/vt-d: Remove LPIG from page group response descriptor",
                            "    - wifi: mac80211: Get the correct interface for non-netdev skb status",
                            "    - wifi: mac80211: Track NAN interface start/stop",
                            "    - net: intel: fm10k: Fix parameter idx set but not used",
                            "    - sparc/module: Add R_SPARC_UA64 relocation handling",
                            "    - sparc64: fix prototypes of reads[bwl]()",
                            "    - vfio: return -ENOTTY for unsupported device feature",
                            "    - ptp_ocp: make ptp_ocp driver compatible with PTP_EXTTS_REQUEST2",
                            "    - crypto: hisilicon/qm - invalidate queues in use",
                            "    - crypto: hisilicon/qm - clear all VF configurations in the hardware",
                            "    - ASoC: ops: improve snd_soc_get_volsw",
                            "    - PCI/PM: Skip resuming to D0 if device is disconnected",
                            "    - selftests: forwarding: Reorder (ar)ping arguments to obey POSIX getopt",
                            "    - remoteproc: qcom: q6v5: Avoid handling handover twice",
                            "    - wifi: ath12k: Increase DP_REO_CMD_RING_SIZE to 256",
                            "    - net: dsa: microchip: Set SPI as bus interface during reset for KSZ8463",
                            "    - bng_en: make bnge_alloc_ring() self-unwind on failure",
                            "    - ALSA: usb-audio: don't apply interface quirk to Presonus S1824c",
                            "    - tcp: Update bind bucket state on port release",
                            "    - ovl: make sure that ovl_create_real() returns a hashed dentry",
                            "    - drm/amd/display: Add missing post flip calls",
                            "    - drm/amd/display: Add AVI infoframe copy in copy_stream_update_to_stream",
                            "    - drm/amd/display: Add fast sync field in ultra sleep more for DMUB",
                            "    - drm/amd/display: Init dispclk from bootup clock for DCN314",
                            "    - drm/amd/display: Fix for test crash due to power gating",
                            "    - drm/amd/display: change dc stream color settings only in atomic commit",
                            "    - NFSv4: handle ERR_GRACE on delegation recalls",
                            "    - NFSv4.1: fix mount hang after CREATE_SESSION failure",
                            "    - net: bridge: Install FDB for bridge MAC on VLAN 0",
                            "    - net: phy: dp83640: improve phydev and driver removal handling",
                            "    - scsi: ufs: core: Change MCQ interrupt enable flow",
                            "    - scsi: libfc: Fix potential buffer overflow in fc_ct_ms_fill()",
                            "    - accel/habanalabs/gaudi2: fix BMON disable configuration",
                            "    - scsi: mpt3sas: Add support for 22.5 Gbps SAS link rate",
                            "    - accel/habanalabs: return ENOMEM if less than requested pages were pinned",
                            "    - accel/habanalabs/gaudi2: read preboot status after recovering from dirty",
                            "      state",
                            "    - ASoC: renesas: msiof: add .symmetric_xxx on snd_soc_dai_driver",
                            "    - ASoC: renesas: msiof: use reset controller",
                            "    - ASoC: renesas: msiof: tidyup DMAC stop timing",
                            "    - ASoC: renesas: msiof: set SIFCTR register",
                            "    - ext4: increase IO priority of fastcommit",
                            "    - drm/amdgpu: Add fallback to pipe reset if KCQ ring reset fails",
                            "    - drm/amdgpu: Fix fence signaling race condition in userqueue",
                            "    - ASoC: stm32: sai: manage context in set_sysclk callback",
                            "    - ASoC: tlv320aic3x: Fix class-D initialization for tlv320aic3007",
                            "    - ACPI: scan: Update honor list for RPMI System MSI",
                            "    - platform/x86: x86-android-tablets: Stop using EPROBE_DEFER",
                            "    - vfio/pci: Fix INTx handling on legacy non-PCI 2.3 devices",
                            "    - vfio/nvgrace-gpu: Add GB300 SKU to the devid table",
                            "    - selftest: net: Fix error message if empty variable",
                            "    - net/mlx5e: Don't query FEC statistics when FEC is disabled",
                            "    - Bluetooth: btintel: Add support for BlazarIW core",
                            "    - net: macb: avoid dealing with endianness in macb_set_hwaddr()",
                            "    - Bluetooth: btusb: Add new VID/PID 13d3/3627 for MT7925",
                            "    - Bluetooth: btintel_pcie: Define hdev->wakeup() callback",
                            "    - Bluetooth: ISO: Don't initiate CIS connections if there are no buffers",
                            "    - Bluetooth: btusb: Check for unexpected bytes when defragmenting HCI",
                            "      frames",
                            "    - Bluetooth: ISO: Use sk_sndtimeo as conn_timeout",
                            "    - Bluetooth: btusb: Add new VID/PID 13d3/3633 for MT7922",
                            "    - net: stmmac: est: Drop frames causing HLBS error",
                            "    - exfat: limit log print for IO error",
                            "    - 6pack: drop redundant locking and refcounting",
                            "    - page_pool: Clamp pool size to max 16K pages",
                            "    - net/mlx5e: Prevent entering switchdev mode with inconsistent netns",
                            "    - ksmbd: use sock_create_kern interface to create kernel socket",
                            "    - smb: client: update cfid->last_access_time in",
                            "      open_cached_dir_by_dentry()",
                            "    - smb: client: transport: avoid reconnects triggered by pending task work",
                            "    - usb: xhci-pci: Fix USB2-only root hub registration",
                            "    - drm/amd/display: Add fallback path for YCBCR422",
                            "    - ACPICA: Update dsmethod.c to get rid of unused variable warning",
                            "    - RDMA/bnxt_re: Fix a potential memory leak in destroy_gsi_sqp",
                            "    - RDMA/irdma: Fix SD index calculation",
                            "    - RDMA/irdma: Remove unused struct irdma_cq fields",
                            "    - RDMA/irdma: Set irdma_cq cq_num field during CQ create",
                            "    - RDMA/uverbs: Fix umem release in UVERBS_METHOD_CQ_CREATE",
                            "    - RDMA/hns: Fix recv CQ and QP cache affinity",
                            "    - RDMA/hns: Fix the modification of max_send_sge",
                            "    - RDMA/hns: Fix wrong WQE data when QP wraps around",
                            "    - btrfs: mark dirty extent range for out of bound prealloc extents",
                            "    - clk: qcom: gcc-ipq6018: rework nss_port5 clock to multiple conf",
                            "    - clk: renesas: rzv2h: Re-assert reset on deassert timeout",
                            "    - clk: samsung: exynos990: Add missing USB clock registers to HSI0",
                            "    - fs/hpfs: Fix error code for new_inode() failure in",
                            "      mkdir/create/mknod/symlink",
                            "    - clocksource: hyper-v: Skip unnecessary checks for the root partition",
                            "    - hyperv: Add missing field to hv_output_map_device_interrupt",
                            "    - um: Fix help message for ssl-non-raw",
                            "    - clk: sunxi-ng: sun6i-rtc: Add A523 specifics",
                            "    - rtc: pcf2127: clear minute/second interrupt",
                            "    - ARM: at91: pm: save and restore ACR during PLL disable/enable",
                            "    - clk: at91: add ACR in all PLL settings",
                            "    - clk: at91: sam9x7: Add peripheral clock id for pmecc",
                            "    - clk: at91: clk-master: Add check for divide by 3",
                            "    - clk: at91: clk-sam9x60-pll: force write to PLL_UPDT register",
                            "    - clk: ti: am33xx: keep WKUP_DEBUGSS_CLKCTRL enabled",
                            "    - clk: scmi: Add duty cycle ops only when duty cycle is supported",
                            "    - clk: clocking-wizard: Fix output clock register offset for Versal",
                            "      platforms",
                            "    - NTB: epf: Allow arbitrary BAR mapping",
                            "    - 9p: fix /sys/fs/9p/caches overwriting itself",
                            "    - cpufreq: tegra186: Initialize all cores to max frequencies",
                            "    - 9p: sysfs_init: don't hardcode error to ENOMEM",
                            "    - scsi: ufs: core: Include UTP error in INT_FATAL_ERRORS",
                            "    - fbdev: core: Fix ubsan warning in pixel_to_pat",
                            "    - ACPI: property: Return present device nodes only on fwnode interface",
                            "    - LoongArch: Handle new atomic instructions for probes",
                            "    - tools bitmap: Add missing asm-generic/bitsperlong.h include",
                            "    - tools: lib: thermal: don't preserve owner in install",
                            "    - tools: lib: thermal: use pkg-config to locate libnl3",
                            "    - ALSA: hda/realtek: Add quirk for ASUS ROG Zephyrus Duo",
                            "    - rtc: zynqmp: Restore alarm functionality after kexec transition",
                            "    - rtc: pcf2127: fix watchdog interrupt mask on pcf2131",
                            "    - net: wwan: t7xx: add support for HP DRMR-H01",
                            "    - kbuild: uapi: Strip comments before size type check",
                            "    - ASoC: meson: aiu-encoder-i2s: fix bit clock polarity",
                            "    - ASoC: rt722: add settings for rt722VB",
                            "    - drm/amdgpu: Report individual reset error",
                            "    - ceph: add checking of wait_for_completion_killable() return value",
                            "    - ceph: fix potential race condition in ceph_ioctl_lazyio()",
                            "    - ceph: refactor wake_up_bit() pattern of calling",
                            "    - x86: uaccess: don't use runtime-const rewriting in modules",
                            "    - rust: condvar: fix broken intra-doc link",
                            "    - rust: devres: fix private intra-doc link",
                            "    - rust: kbuild: workaround `rustdoc` doctests modifier bug",
                            "    - rust: kbuild: treat `build_error` and `rustdoc` as kernel objects",
                            "    - media: uvcvideo: Use heuristic to find stream entity",
                            "    - Revert \"wifi: ath10k: avoid unnecessary wait for service ready message\"",
                            "    - tracing: tprobe-events: Fix to register tracepoint correctly",
                            "    - tracing: tprobe-events: Fix to put tracepoint_user when disable the",
                            "      tprobe",
                            "    - net: libwx: fix device bus LAN ID",
                            "    - scsi: ufs: core: Fix a race condition related to the \"hid\" attribute",
                            "      group",
                            "    - riscv: ptdump: use seq_puts() in pt_dump_seq_puts() macro",
                            "    - Revert \"wifi: ath12k: Fix missing station power save configuration\"",
                            "    - scsi: ufs: core: Revert \"Make HID attributes visible\"",
                            "    - Bluetooth: btrtl: Fix memory leak in rtlbt_parse_firmware_v2()",
                            "    - net: dsa: tag_brcm: legacy: fix untagged rx on unbridged ports for",
                            "      bcm63xx",
                            "    - selftests/net: fix out-of-order delivery of FIN in gro:tcp test",
                            "    - selftests/net: use destination options instead of hop-by-hop",
                            "    - selftests: netdevsim: Fix ethtool-coalesce.sh fail by installing",
                            "      ethtool-common.sh",
                            "    - net: vlan: sync VLAN features with lower device",
                            "    - net: dsa: b53: fix resetting speed and pause on forced link",
                            "    - net: dsa: b53: fix bcm63xx RGMII port link adjustment",
                            "    - net: dsa: b53: fix enabling ip multicast",
                            "    - net: dsa: b53: stop reading ARL entries if search is done",
                            "    - net: dsa: b53: properly bound ARL searches for < 4 ARL bin chips",
                            "    - sctp: Hold RCU read lock while iterating over address list",
                            "    - sctp: Hold sock lock while iterating over address list",
                            "    - net: ionic: add dma_wmb() before ringing TX doorbell",
                            "    - net: ionic: map SKB after pseudo-header checksum prep",
                            "    - octeontx2-pf: Fix devm_kcalloc() error checking",
                            "    - bnxt_en: Fix a possible memory leak in bnxt_ptp_init",
                            "    - bnxt_en: Always provide max entry and entry size in coredump segments",
                            "    - bnxt_en: Fix warning in bnxt_dl_reload_down()",
                            "    - wifi: mac80211_hwsim: Limit destroy_on_close radio removal to netgroup",
                            "    - io_uring: fix types for region size calulation",
                            "    - net/mlx5e: Fix return value in case of module EEPROM read error",
                            "    - net: ti: icssg-prueth: Fix fdb hash size configuration",
                            "    - net/mlx5e: SHAMPO, Fix header mapping for 64K pages",
                            "    - net/mlx5e: SHAMPO, Fix skb size check for 64K pages",
                            "    - net/mlx5e: SHAMPO, Fix header formulas for higher MTUs and 64K pages",
                            "    - net: wan: framer: pef2256: Switch to devm_mfd_add_devices()",
                            "    - net: dsa: microchip: Fix reserved multicast address table programming",
                            "    - net: bridge: fix MST static key usage",
                            "    - selftests/vsock: avoid false-positives when checking dmesg",
                            "    - tracing: Fix memory leaks in create_field_var()",
                            "    - drm/amd/display: Enable mst when it's detected but yet to be initialized",
                            "    - wifi: cfg80211: add an hrtimer based delayed work item",
                            "    - wifi: mac80211: use wiphy_hrtimer_work for ml_reconf_work",
                            "    - wifi: mac80211: use wiphy_hrtimer_work for ttlm_work",
                            "    - wifi: mac80211: use wiphy_hrtimer_work for csa.switch_work",
                            "    - riscv: Fix memory leak in module_frob_arch_sections()",
                            "    - rtc: rx8025: fix incorrect register reference",
                            "    - x86/microcode/AMD: Add more known models to entry sign checking",
                            "    - smb: client: validate change notify buffer before copy",
                            "    - x86/amd_node: Fix AMD root device caching",
                            "    - xfs: fix delalloc write failures in software-provided atomic writes",
                            "    - xfs: fix various problems in xfs_atomic_write_cow_iomap_begin",
                            "    - x86/CPU/AMD: Add missing terminator for zen5_rdseed_microcode",
                            "    - drm: define NVIDIA DRM format modifiers for GB20x",
                            "    - drm/nouveau: Advertise correct modifiers on GB20x",
                            "    - drm/amdgpu/smu: Handle S0ix for vangogh",
                            "    - drm/amdkfd: Don't clear PT after process killed",
                            "    - virtio_net: fix alignment for virtio_net_hdr_v1_hash",
                            "    - lib/crypto: curve25519-hacl64: Fix older clang KASAN workaround for GCC",
                            "    - scsi: ufs: ufs-pci: Fix S0ix/S3 for Intel controllers",
                            "    - scsi: ufs: ufs-pci: Set UFSHCD_QUIRK_PERFORM_LINK_STARTUP_ONCE for Intel",
                            "      ADL",
                            "    - scsi: ufs: core: Add a quirk to suppress link_startup_again",
                            "    - drm/amd/display: update color on atomic commit time",
                            "    - extcon: adc-jack: Cleanup wakeup source only if it was enabled",
                            "    - kunit: Extend kconfig help text for KUNIT_UML_PCI",
                            "    - ALSA: hda/tas2781: Enable init_profile_id for device initialization",
                            "    - ACPI: SPCR: Check for table version when using precise baudrate",
                            "    - kbuild: Strip trailing padding bytes from modules.builtin.modinfo",
                            "    - drm/amdgpu: Fix unintended error log in VCN5_0_0",
                            "    - drm/amd/display: Fix vupdate_offload_work doc",
                            "    - drm/amdgpu: Fix function header names in amdgpu_connectors.c",
                            "    - drm/amdgpu/userq: assign an error code for invalid userq va",
                            "    - drm/msm/dpu: Fix adjusted mode clock check for 3d merge",
                            "    - drm/amd/display: Reject modes with too high pixel clock on DCE6-10",
                            "    - drm/amd/display: use GFP_NOWAIT for allocation in interrupt handler",
                            "    - drm/amd/display: Fix black screen with HDMI outputs",
                            "    - selftests: drv-net: Reload pkt pointer after calling filter_udphdr",
                            "    - dt-bindings: eeprom: at25: use \"size\" for FRAMs without device ID",
                            "    - Linux 6.17.8",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68316",
                            "    - scsi: ufs: core: Fix invalid probe error return value",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40292",
                            "    - virtio-net: fix received length check in big packets",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68180",
                            "    - drm/amd/display: Fix NULL deref in debugfs odm_combine_segments",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40327",
                            "    - perf/core: Fix system hang caused by cpu-clock usage",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40328",
                            "    - smb: client: fix potential UAF in smb2_close_cached_fid()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40291",
                            "    - io_uring: fix regbuf vector size truncation",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68322",
                            "    - parisc: Avoid crash due to unaligned access in unwinder",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40293",
                            "    - iommufd: Don't overflow during division for dirty tracking",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40294",
                            "    - Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40329",
                            "    - drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40295",
                            "    - fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40296",
                            "    - platform/x86: int3472: Fix double free of GPIO device during unregister",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40297",
                            "    - net: bridge: fix use-after-free due to MST port state bypass",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68320",
                            "    - lan966x: Fix sleeping in atomic context",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68169",
                            "    - netpoll: Fix deadlock in memory allocation under spinlock",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68197",
                            "    - bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40330",
                            "    - bnxt_en: Shutdown FW DMA in bnxt_shutdown()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68192",
                            "    - net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40331",
                            "    - sctp: Prevent TOCTOU out-of-bounds write",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68187",
                            "    - net: mdio: Check regmap pointer returned by device_node_to_regmap()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68167",
                            "    - gpiolib: fix invalid pointer access in debugfs",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68319",
                            "    - netconsole: Acquire su_mutex before navigating configs hierarchy",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40298",
                            "    - gve: Implement settime64 with -EOPNOTSUPP",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40299",
                            "    - gve: Implement gettimex64 with -EOPNOTSUPP",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40301",
                            "    - Bluetooth: hci_event: validate skb length for unknown CC opcode",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40358",
                            "    - riscv: stacktrace: Disable KASAN checks for non-current tasks",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68186",
                            "    - ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader",
                            "      catches up",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68184",
                            "    - drm/mediatek: Disable AFBC support on Mediatek DRM driver",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40302",
                            "    - media: videobuf2: forbid remove_bufs when legacy fileio is active",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40303",
                            "    - btrfs: ensure no dirty metadata is written back for an fs with errors",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40362",
                            "    - ceph: fix multifs mds auth caps issue",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40332",
                            "    - drm/amdkfd: Fix mmap write lock not release",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40304",
                            "    - fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40305",
                            "    - 9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68318",
                            "    - clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40209",
                            "    - btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68183",
                            "    - ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68173",
                            "    - ftrace: Fix softlockup in ftrace_module_enable",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40306",
                            "    - orangefs: fix xattr related buffer overflow...",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40307",
                            "    - exfat: validate cluster allocation bits of the allocation bitmap",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40308",
                            "    - Bluetooth: bcsp: receive data only if registered",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40309",
                            "    - Bluetooth: SCO: Fix UAF on sco_conn_free",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68174",
                            "    - amd/amdkfd: enhance kfd process check in switch partition",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40310",
                            "    - amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40361",
                            "    - fs: ext4: change GFP_KERNEL to GFP_NOFS to avoid deadlock",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40311",
                            "    - accel/habanalabs: support mapping cb with vmalloc-backed coherent memory",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68185",
                            "    - nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode",
                            "      dereferencing",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68176",
                            "    - PCI: cadence: Check for the existence of cdns_pcie::ops before using it",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68190",
                            "    - drm/amdgpu/atom: Check kcalloc() for WS buffer in",
                            "      amdgpu_atom_execute_table_locked()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68168",
                            "    - jfs: fix uninitialized waitqueue in transaction manager",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40312",
                            "    - jfs: Verify inode mode when loading from disk",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40333",
                            "    - f2fs: fix infinite loop in __insert_extent_tree()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68321",
                            "    - page_pool: always add GFP_NOWARN for ATOMIC allocations",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40334",
                            "    - drm/amdgpu: validate userq buffer virtual address and size",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68191",
                            "    - udp_tunnel: use netdev_warn() instead of netdev_WARN()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68309",
                            "    - PCI/AER: Fix NULL pointer access by aer_info",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40313",
                            "    - ntfs3: pretend $Extend records as regular files",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40335",
                            "    - drm/amdgpu: validate userq input args",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40314",
                            "    - usb: cdns3: gadget: Use-after-free during failed initialization and exit",
                            "      of cdnsp gadget",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40336",
                            "    - drm/gpusvm: fix hmm_pfn_to_map_order() usage",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68193",
                            "    - drm/xe/guc: Add devm release action to safely tear down CT",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68175",
                            "    - media: nxp: imx8-isi: Fix streaming cleanup on release",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68188",
                            "    - tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68315",
                            "    - f2fs: fix to detect potential corrupted nid in free_nid_list",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40337",
                            "    - net: stmmac: Correctly handle Rx checksum offload errors",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40338",
                            "    - ASoC: Intel: avs: Do not share the name pointer between components",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40339",
                            "    - drm/amdgpu: fix nullptr err of vm_handle_moved",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68194",
                            "    - media: imon: make send_packet() more robust",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40363",
                            "    - net: ipv6: fix field-spanning memcpy warning in AH output",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68311",
                            "    - tty: serial: ip22zilog: Use platform device for probing",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40340",
                            "    - drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68196",
                            "    - drm/amd/display: Cache streams targeting link when performing LT",
                            "      automation",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68178",
                            "    - blk-cgroup: fix possible deadlock while configuring policy",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40341",
                            "    - futex: Don't leak robust_list pointer on exec race",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40342",
                            "    - nvme-fc: use lock accessing port_state and rport state",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40343",
                            "    - nvmet-fc: avoid scheduling association deletion twice",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68177",
                            "    - cpufreq/longhaul: handle NULL policy in longhaul_exit",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68317",
                            "    - io_uring/zctx: check chained notif contexts",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40315",
                            "    - usb: gadget: f_fs: Fix epfile null pointer access after ep enable.",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40316",
                            "    - drm/mediatek: Fix device use-after-free on unbind",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40360",
                            "    - drm/sysfb: Do not dereference NULL pointer in plane reset",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68179",
                            "    - s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68310",
                            "    - s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40317",
                            "    - regmap: slimbus: fix bus_context pointer in regmap init calls",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40359",
                            "    - perf/x86/intel: Fix KASAN global-out-of-bounds warning",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68181",
                            "    - drm/radeon: Remove calls to drm_put_dev()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68170",
                            "    - drm/radeon: Do not kfree() devres managed rdev",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40213",
                            "    - Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40318",
                            "    - Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68312",
                            "    - usbnet: Prevents free active kevent",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40344",
                            "    - ASoC: Intel: avs: Disable periods-elapsed work when closing PCM",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68172",
                            "    - crypto: aspeed - fix double free caused by devm",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40319",
                            "    - bpf: Sync pending IRQ work before freeing ring buffer",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68182",
                            "    - wifi: iwlwifi: fix potential use after free in iwl_mld_remove_link()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68314",
                            "    - drm/msm: make sure last_fence is always updated",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68189",
                            "    - drm/msm: Fix GEM free for imported dma-bufs",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68171",
                            "    - x86/fpu: Ensure XFD state on signal delivery",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68313",
                            "    - x86/CPU/AMD: Add RDSEED fix for Zen5",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40320",
                            "    - smb: client: fix potential cfid UAF in smb2_query_info_compound",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40321",
                            "    - wifi: brcmfmac: fix crash while sending Action Frames in standalone AP",
                            "      Mode",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40322",
                            "    - fbdev: bitblit: bound-check glyph index in bit_putcs*",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40211",
                            "    - ACPI: video: Fix use-after-free in acpi_video_switch_brightness()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40323",
                            "    - fbcon: Set fb_display[i]->mode to NULL when the mode is released",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40210",
                            "    - Revert \"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\"",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40324",
                            "    - NFSD: Fix crash in nfsd4_read_release()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40326",
                            "    - NFSD: Define actions for the new time_deleg FATTR4 attributes",
                            "  * Questing update: v6.17.7 upstream stable release (LP: #2136813)",
                            "    - sched_ext: Move internal type and accessor definitions to ext_internal.h",
                            "    - sched_ext: Put event_stats_cpu in struct scx_sched_pcpu",
                            "    - sched_ext: Sync error_irq_work before freeing scx_sched",
                            "    - timekeeping: Fix aux clocks sysfs initialization loop bound",
                            "    - x86/bugs: Report correct retbleed mitigation status",
                            "    - x86/bugs: Qualify RETBLEED_INTEL_MSG",
                            "    - genirq/chip: Add buslock back in to irq_set_handler()",
                            "    - genirq/manage: Add buslock back in to __disable_irq_nosync()",
                            "    - genirq/manage: Add buslock back in to enable_irq()",
                            "    - audit: record fanotify event regardless of presence of rules",
                            "    - EDAC/ie31200: Add two more Intel Alder Lake-S SoCs for EDAC support",
                            "    - perf/x86/intel: Add ICL_FIXED_0_ADAPTIVE bit into INTEL_FIXED_BITS_MASK",
                            "    - perf: Use current->flags & PF_KTHREAD|PF_USER_WORKER instead of",
                            "      current->mm == NULL",
                            "    - perf: Have get_perf_callchain() return NULL if crosstask and user are",
                            "      set",
                            "    - perf: Skip user unwind if the task is a kernel thread",
                            "    - EDAC: Fix wrong executable file modes for C source files",
                            "    - seccomp: passthrough uprobe systemcall without filtering",
                            "    - sched_ext: Keep bypass on between enable failure and",
                            "      scx_disable_workfn()",
                            "    - x86/bugs: Add attack vector controls for VMSCAPE",
                            "    - x86/bugs: Fix reporting of LFENCE retpoline",
                            "    - EDAC/mc_sysfs: Increase legacy channel support to 16",
                            "    - cpuset: Use new excpus for nocpu error check when enabling root",
                            "      partition",
                            "    - btrfs: abort transaction on specific error places when walking log tree",
                            "    - btrfs: abort transaction in the process_one_buffer() log tree walk",
                            "      callback",
                            "    - btrfs: zoned: return error from btrfs_zone_finish_endio()",
                            "    - btrfs: zoned: refine extent allocator hint selection",
                            "    - btrfs: scrub: replace max_t()/min_t() with clamp() in",
                            "      scrub_throttle_dev_io()",
                            "    - btrfs: always drop log root tree reference in btrfs_replay_log()",
                            "    - btrfs: use level argument in log tree walk callback replay_one_buffer()",
                            "    - btrfs: abort transaction if we fail to update inode in log replay dir",
                            "      fixup",
                            "    - btrfs: tree-checker: add inode extref checks",
                            "    - btrfs: use smp_mb__after_atomic() when forcing COW in",
                            "      create_pending_snapshot()",
                            "    - sched_ext: Make qmap dump operation non-destructive",
                            "    - arch: Add the macro COMPILE_OFFSETS to all the asm-offsets.c",
                            "    - btrfs: tree-checker: fix bounds check in check_inode_extref()",
                            "    - Linux 6.17.7",
                            "  * [UBUNTU 24.04] KVM: s390: improve interrupt cpu for wakeup (LP: #2132317)",
                            "    - KVM: s390: improve interrupt cpu for wakeup",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982)",
                            "    - sched/fair: Block delayed tasks on throttled hierarchy during dequeue",
                            "    - vfio/cdx: update driver to build without CONFIG_GENERIC_MSI_IRQ",
                            "    - expfs: Fix exportfs_can_encode_fh() for EXPORT_FH_FID",
                            "    - cgroup/misc: fix misc_res_type kernel-doc warning",
                            "    - dlm: move to rinfo for all middle conversion cases",
                            "    - exec: Fix incorrect type for ret",
                            "    - s390/pkey: Forward keygenflags to ep11_unwrapkey",
                            "    - hfs: clear offset and space out of valid records in b-tree node",
                            "    - hfs: make proper initalization of struct hfs_find_data",
                            "    - hfs: validate record offset in hfsplus_bmap_alloc",
                            "    - hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()",
                            "    - dlm: check for defined force value in dlm_lockspace_release",
                            "    - hfsplus: return EIO when type of hidden directory mismatch in",
                            "      hfsplus_fill_super()",
                            "    - PCI: Test for bit underflow in pcie_set_readrq()",
                            "    - lkdtm: fortify: Fix potential NULL dereference on kmalloc failure",
                            "    - arm64: sysreg: Correct sign definitions for EIESB and DoubleLock",
                            "    - m68k: bitops: Fix find_*_bit() signatures",
                            "    - powerpc/32: Remove PAGE_KERNEL_TEXT to fix startup failure",
                            "    - riscv: mm: Return intended SATP mode for noXlvl options",
                            "    - riscv: mm: Use mmu-type from FDT to limit SATP mode",
                            "    - riscv: cpufeature: add validation for zfa, zfh and zfhmin",
                            "    - drivers/perf: hisi: Relax the event ID check in the framework",
                            "    - s390/mm: Use __GFP_ACCOUNT for user page table allocations",
                            "    - smb: client: queue post_recv_credits_work also if the peer raises the",
                            "      credit target",
                            "    - smb: client: limit the range of info->receive_credit_target",
                            "    - smb: client: make use of ib_wc_status_msg() and skip IB_WC_WR_FLUSH_ERR",
                            "      logging",
                            "    - smb: server: let smb_direct_flush_send_list() invalidate a remote key",
                            "      first",
                            "    - Unbreak 'make tools/*' for user-space targets",
                            "    - platform/mellanox: mlxbf-pmc: add sysfs_attr_init() to count_clock init",
                            "    - cpufreq/amd-pstate: Fix a regression leading to EPP 0 after hibernate",
                            "    - net/mlx5e: Return 1 instead of 0 in invalid case in",
                            "      mlx5e_mpwrq_umr_entry_size()",
                            "    - rtnetlink: Allow deleting FDB entries in user namespace",
                            "    - net: enetc: fix the deadlock of enetc_mdio_lock",
                            "    - net: enetc: correct the value of ENETC_RXB_TRUESIZE",
                            "    - dpaa2-eth: fix the pointer passed to PTR_ALIGN on Tx path",
                            "    - net: phy: realtek: fix rtl8221b-vm-cg name",
                            "    - can: bxcan: bxcan_start_xmit(): use can_dev_dropped_skb() instead of",
                            "      can_dropped_invalid_skb()",
                            "    - can: esd: acc_start_xmit(): use can_dev_dropped_skb() instead of",
                            "      can_dropped_invalid_skb()",
                            "    - can: rockchip-canfd: rkcanfd_start_xmit(): use can_dev_dropped_skb()",
                            "      instead of can_dropped_invalid_skb()",
                            "    - selftests: net: fix server bind failure in sctp_vrf.sh",
                            "    - net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for legacy RQ",
                            "    - net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding",
                            "      RQ",
                            "    - net/smc: fix general protection fault in __smc_diag_dump",
                            "    - net: ethernet: ti: am65-cpts: fix timestamp loss due to race conditions",
                            "    - arm64, mm: avoid always making PTE dirty in pte_mkwrite()",
                            "    - erofs: avoid infinite loops due to corrupted subpage compact indexes",
                            "    - net: hibmcge: select FIXED_PHY",
                            "    - ptp: ocp: Fix typo using index 1 instead of i in SMA initialization loop",
                            "    - net: hsr: prevent creation of HSR device with slaves from another netns",
                            "    - espintcp: use datagram_poll_queue for socket readiness",
                            "    - net: datagram: introduce datagram_poll_queue for custom receive queues",
                            "    - ovpn: use datagram_poll_queue for socket readiness in TCP",
                            "    - net: bonding: fix possible peer notify event loss or dup issue",
                            "    - hung_task: fix warnings caused by unaligned lock pointers",
                            "    - mm: don't spin in add_stack_record when gfp flags don't allow",
                            "    - dma-debug: don't report false positives with",
                            "      DMA_BOUNCE_UNALIGNED_KMALLOC",
                            "    - arch_topology: Fix incorrect error check in",
                            "      topology_parse_cpu_capacity()",
                            "    - riscv: hwprobe: Fix stale vDSO data for late-initialized keys at boot",
                            "    - io_uring/sqpoll: switch away from getrusage() for CPU accounting",
                            "    - io_uring/sqpoll: be smarter on when to update the stime usage",
                            "    - btrfs: send: fix duplicated rmdir operations when using extrefs",
                            "    - btrfs: ref-verify: fix IS_ERR() vs NULL check in btrfs_build_ref_tree()",
                            "    - gpio: pci-idio-16: Define maximum valid register address offset",
                            "    - gpio: 104-idio-16: Define maximum valid register address offset",
                            "    - xfs: fix locking in xchk_nlinks_collect_dir",
                            "    - platform/x86: alienware-wmi-wmax: Add AWCC support to Dell G15 5530",
                            "    - Revert \"cpuidle: menu: Avoid discarding useful information\"",
                            "    - riscv: cpufeature: avoid uninitialized variable in",
                            "      has_thead_homogeneous_vlenb()",
                            "    - rust: device: fix device context of Device::parent()",
                            "    - slab: Avoid race on slab->obj_exts in alloc_slab_obj_exts",
                            "    - slab: Fix obj_ext mistakenly considered NULL due to race condition",
                            "    - smb: client: get rid of d_drop() in cifs_do_rename()",
                            "    - ACPICA: Work around bogus -Wstringop-overread warning since GCC 11",
                            "    - arm64: mte: Do not warn if the page is already tagged in copy_highpage()",
                            "    - can: netlink: can_changelink(): allow disabling of automatic restart",
                            "    - cifs: Fix TCP_Server_Info::credits to be signed",
                            "    - devcoredump: Fix circular locking dependency with devcd->mutex.",
                            "    - hwmon: (pmbus/max34440) Update adpm12160 coeff due to latest FW",
                            "    - MIPS: Malta: Fix keyboard resource preventing i8042 driver from",
                            "      registering",
                            "    - rv: Make rtapp/pagefault monitor depends on CONFIG_MMU",
                            "    - net: bonding: update the slave array for broadcast mode",
                            "    - net: stmmac: dwmac-rk: Fix disabling set_clock_selection",
                            "    - net: usb: rtl8150: Fix frame padding",
                            "    - net: ravb: Enforce descriptor type ordering",
                            "    - net: ravb: Ensure memory write completes before ringing TX doorbell",
                            "    - mptcp: pm: in-kernel: C-flag: handle late ADD_ADDR",
                            "    - selftests: mptcp: join: mark 'flush re-add' as skipped if not supported",
                            "    - selftests: mptcp: join: mark implicit tests as skipped if not supported",
                            "    - selftests: mptcp: join: mark 'delete re-add signal' as skipped if not",
                            "      supported",
                            "    - mm/mremap: correctly account old mapping after MREMAP_DONTUNMAP remap",
                            "    - drm/xe: Check return value of GGTT workqueue allocation",
                            "    - drm/amd/display: increase max link count and fix link->enc NULL pointer",
                            "      access",
                            "    - mm/damon/core: use damos_commit_quota_goal() for new goal commit",
                            "    - mm/damon/core: fix list_add_tail() call on damon_call()",
                            "    - spi: rockchip-sfc: Fix DMA-API usage",
                            "    - firmware: arm_ffa: Add support for IMPDEF value in the memory access",
                            "      descriptor",
                            "    - spi: spi-nxp-fspi: add the support for sample data from DQS pad",
                            "    - spi: spi-nxp-fspi: re-config the clock rate when operation require new",
                            "      clock rate",
                            "    - spi: spi-nxp-fspi: add extra delay after dll locked",
                            "    - spi: spi-nxp-fspi: limit the clock rate for different sample clock",
                            "      source selection",
                            "    - spi: cadence-quadspi: Fix pm_runtime unbalance on dma EPROBE_DEFER",
                            "    - arm64: dts: broadcom: bcm2712: Add default GIC address cells",
                            "    - arm64: dts: broadcom: bcm2712: Define VGIC interrupt",
                            "    - include: trace: Fix inflight count helper on failed initialization",
                            "    - firmware: arm_scmi: Fix premature SCMI_XFER_FLAG_IS_RAW clearing in raw",
                            "      mode",
                            "    - spi: airoha: return an error for continuous mode dirmap creation cases",
                            "    - spi: airoha: add support of dual/quad wires spi modes to exec_op()",
                            "      handler",
                            "    - spi: airoha: switch back to non-dma mode in the case of error",
                            "    - spi: airoha: fix reading/writing of flashes with more than one plane per",
                            "      lun",
                            "    - sysfs: check visibility before changing group attribute ownership",
                            "    - RISC-V: Define pgprot_dmacoherent() for non-coherent devices",
                            "    - RISC-V: Don't print details of CPUs disabled in DT",
                            "    - riscv: hwprobe: avoid uninitialized variable use in hwprobe_arch_id()",
                            "    - hwmon: (pmbus/isl68137) Fix child node reference leak on early return",
                            "    - hwmon: (sht3x) Fix error handling",
                            "    - io_uring: fix incorrect unlikely() usage in io_waitid_prep()",
                            "    - nbd: override creds to kernel when calling sock_{send,recv}msg()",
                            "    - drm/panic: Fix drawing the logo on a small narrow screen",
                            "    - drm/panic: Fix qr_code, ensure vmargin is positive",
                            "    - drm/panic: Fix 24bit pixel crossing page boundaries",
                            "    - of/irq: Convert of_msi_map_id() callers to of_msi_xlate()",
                            "    - of/irq: Add msi-parent check to of_msi_xlate()",
                            "    - block: require LBA dma_alignment when using PI",
                            "    - gpio: ljca: Fix duplicated IRQ mapping",
                            "    - io_uring: correct __must_hold annotation in io_install_fixed_file",
                            "    - sched: Remove never used code in mm_cid_get()",
                            "    - USB: serial: option: add UNISOC UIS7720",
                            "    - USB: serial: option: add Quectel RG255C",
                            "    - USB: serial: option: add Telit FN920C04 ECM compositions",
                            "    - usb/core/quirks: Add Huawei ME906S to wakeup quirk",
                            "    - usb: raw-gadget: do not limit transfer length",
                            "    - xhci: dbc: enable back DbC in resume if it was enabled before suspend",
                            "    - xhci: dbc: fix bogus 1024 byte prefix if ttyDBC read races with stall",
                            "      event",
                            "    - x86/microcode: Fix Entrysign revision check for Zen1/Naples",
                            "    - binder: remove \"invalid inc weak\" check",
                            "    - mei: me: add wildcat lake P DID",
                            "    - objtool/rust: add one more `noreturn` Rust function",
                            "    - nvmem: rcar-efuse: add missing MODULE_DEVICE_TABLE",
                            "    - misc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup",
                            "    - most: usb: hdm_probe: Fix calling put_device() before device",
                            "      initialization",
                            "    - tcpm: switch check for role_sw device with fw_node",
                            "    - dt-bindings: serial: sh-sci: Fix r8a78000 interrupts",
                            "    - dt-bindings: usb: dwc3-imx8mp: dma-range is required only for imx8mp",
                            "    - dt-bindings: usb: qcom,snps-dwc3: Fix bindings for X1E80100",
                            "    - serial: 8250_dw: handle reset control deassert error",
                            "    - serial: 8250_exar: add support for Advantech 2 port card with Device ID",
                            "      0x0018",
                            "    - serial: 8250_mtk: Enable baud clock and manage in runtime PM",
                            "    - serial: sc16is7xx: remove useless enable of enhanced features",
                            "    - staging: gpib: Fix device reference leak in fmh_gpib driver",
                            "    - staging: gpib: Fix no EOI on 1 and 2 byte writes",
                            "    - staging: gpib: Return -EINTR on device clear",
                            "    - staging: gpib: Fix sending clear and trigger events",
                            "    - mm/migrate: remove MIGRATEPAGE_UNMAP",
                            "    - treewide: remove MIGRATEPAGE_SUCCESS",
                            "    - vmw_balloon: indicate success when effectively deflating during",
                            "      migration",
                            "    - xfs: always warn about deprecated mount options",
                            "    - gpio: regmap: Allow to allocate regmap-irq device",
                            "    - gpio: regmap: add the .fixed_direction_output configuration parameter",
                            "    - gpio: idio-16: Define fixed direction of the GPIO lines",
                            "    - Linux 6.17.6",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40084",
                            "    - ksmbd: transport_ipc: validate payload size before reading handle",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40222",
                            "    - tty: serial: sh-sci: fix RSCI FIFO overrun handling",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40223",
                            "    - most: usb: Fix use-after-free in hdm_disconnect",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40106",
                            "    - comedi: fix divide-by-zero in comedi_buf_munge()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40224",
                            "    - hwmon: (cgbc-hwmon) Add missing NULL check after devm_kzalloc()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40225",
                            "    - drm/panthor: Fix kernel panic on partial unmap of a GPU VA region",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40226",
                            "    - firmware: arm_scmi: Account for failed debug initialization",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40227",
                            "    - mm/damon/sysfs: dealloc commit test ctx always",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40228",
                            "    - mm/damon/sysfs: catch commit test ctx alloc failure",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40229",
                            "    - mm/damon/core: fix potential memory leak by cleaning ops_filter in",
                            "      damon_destroy_scheme",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40230",
                            "    - mm: prevent poison consumption when splitting THP",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40231",
                            "    - vsock: fix lock inversion in vsock_assign_transport()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40233",
                            "    - ocfs2: clear extent cache after moving/defragmenting extents",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40235",
                            "    - btrfs: directly free partially initialized fs_info in",
                            "      btrfs_check_leaked_roots()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40236",
                            "    - virtio-net: zero unused hash fields",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40237",
                            "    - fs/notify: call exportfs_encode_fid with s_umount",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40238",
                            "    - net/mlx5: Fix IPsec cleanup over MPV device",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40239",
                            "    - net: phy: micrel: always set shared->phydev for LAN8814",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40240",
                            "    - sctp: avoid NULL dereference when chunk data buffer is missing",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40241",
                            "    - erofs: fix crafted invalid cases for encoded extents",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40242",
                            "    - gfs2: Fix unlikely race in gdlm_put_lock",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40243",
                            "    - hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40244",
                            "    - hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40245",
                            "    - nios2: ensure that memblock.current_limit is set when setting pfn limits",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557)",
                            "    - docs: kdoc: handle the obsolescensce of docutils.ErrorString()",
                            "    - Revert \"fs: make vfs_fileattr_[get|set] return -EOPNOTSUPP\"",
                            "    - PCI: vmd: Override irq_startup()/irq_shutdown() in",
                            "      vmd_init_dev_msi_info()",
                            "    - ata: libata-core: relax checks in ata_read_log_directory()",
                            "    - arm64/sysreg: Fix GIC CDEOI instruction encoding",
                            "    - ixgbevf: fix getting link speed data for E610 devices",
                            "    - rust: cfi: only 64-bit arm and x86 support CFI_CLANG",
                            "    - x86/CPU/AMD: Prevent reset reasons from being retained across reboot",
                            "    - slab: reset slab->obj_ext when freeing and it is OBJEXTS_ALLOC_FAIL",
                            "    - Revert \"io_uring/rw: drop -EOPNOTSUPP check in",
                            "      __io_complete_rw_common()\"",
                            "    - io_uring: protect mem region deregistration",
                            "    - Revert \"drm/amd/display: Only restore backlight after amdgpu_dm_init or",
                            "      dm_resume\"",
                            "    - r8152: add error handling in rtl8152_driver_init",
                            "    - net: usb: lan78xx: Fix lost EEPROM write timeout error(-ETIMEDOUT) in",
                            "      lan78xx_write_raw_eeprom",
                            "    - f2fs: fix wrong block mapping for multi-devices",
                            "    - gve: Check valid ts bit on RX descriptor before hw timestamping",
                            "    - jbd2: ensure that all ongoing I/O complete before freeing blocks",
                            "    - ext4: wait for ongoing I/O to complete before freeing blocks",
                            "    - btrfs: fix clearing of BTRFS_FS_RELOC_RUNNING if relocation already",
                            "      running",
                            "    - btrfs: fix memory leak on duplicated memory in the qgroup assign ioctl",
                            "    - btrfs: only set the device specific options after devices are opened",
                            "    - btrfs: fix incorrect readahead expansion length",
                            "    - can: gs_usb: gs_make_candev(): populate net_device->dev_port",
                            "    - can: gs_usb: increase max interface to U8_MAX",
                            "    - cxl/acpi: Fix setup of memory resource in cxl_acpi_set_cache_size()",
                            "    - ALSA: hda/intel: Add MSI X870E Tomahawk to denylist",
                            "    - ALSA: hda/realtek: Add quirk entry for HP ZBook 17 G6",
                            "    - drm/amdgpu: use atomic functions with memory barriers for vm fault info",
                            "    - drm/amdgpu: fix gfx12 mes packet status return check",
                            "    - drm/xe: Increase global invalidation timeout to 1000us",
                            "    - perf/core: Fix address filter match with backing files",
                            "    - perf/core: Fix MMAP event path names with backing files",
                            "    - perf/core: Fix MMAP2 event device with backing files",
                            "    - drm/amd: Check whether secure display TA loaded successfully",
                            "    - PM: hibernate: Add pm_hibernation_mode_is_suspend()",
                            "    - drm/amd: Fix hybrid sleep",
                            "    - usb: gadget: Store endpoint pointer in usb_request",
                            "    - usb: gadget: Introduce free_usb_request helper",
                            "    - HID: multitouch: fix sticky fingers",
                            "    - dax: skip read lock assertion for read-only filesystems",
                            "    - coredump: fix core_pattern input validation",
                            "    - can: m_can: m_can_plat_remove(): add missing pm_runtime_disable()",
                            "    - can: m_can: m_can_handle_state_errors(): fix CAN state transition to",
                            "      Error Active",
                            "    - can: m_can: m_can_chip_config(): bring up interface in correct state",
                            "    - can: m_can: fix CAN state in system PM",
                            "    - net: mtk: wed: add dma mask limitation and GFP_DMA32 for device with",
                            "      more than 4GB DRAM",
                            "    - net: dlink: handle dma_map_single() failure properly",
                            "    - doc: fix seg6_flowlabel path",
                            "    - can: j1939: add missing calls in NETDEV_UNREGISTER notification handler",
                            "    - dpll: zl3073x: Refactor DPLL initialization",
                            "    - dpll: zl3073x: Handle missing or corrupted flash configuration",
                            "    - r8169: fix packet truncation after S4 resume on RTL8168H/RTL8111H",
                            "    - net: phy: bcm54811: Fix GMII/MII/MII-Lite selection",
                            "    - net: phy: realtek: Avoid PHYCR2 access if PHYCR2 not present",
                            "    - amd-xgbe: Avoid spurious link down messages during interface toggle",
                            "    - Octeontx2-af: Fix missing error code in cgx_probe()",
                            "    - tcp: fix tcp_tso_should_defer() vs large RTT",
                            "    - net: airoha: Take into account out-of-order tx completions in",
                            "      airoha_dev_xmit()",
                            "    - selftests: net: check jq command is supported",
                            "    - net: core: fix lockdep splat on device unregister",
                            "    - ksmbd: fix recursive locking in RPC handle list access",
                            "    - tg3: prevent use of uninitialized remote_adv and local_adv variables",
                            "    - tls: trim encrypted message to match the plaintext on short splice",
                            "    - tls: wait for async encrypt in case of error during latter iterations of",
                            "      sendmsg",
                            "    - tls: always set record_type in tls_process_cmsg",
                            "    - tls: don't rely on tx_work during send()",
                            "    - netdevsim: set the carrier when the device goes up",
                            "    - net: usb: lan78xx: fix use of improperly initialized dev->chipid in",
                            "      lan78xx_reset",
                            "    - drm/panthor: Ensure MCU is disabled on suspend",
                            "    - nvme-multipath: Skip nr_active increments in RETRY disposition",
                            "    - riscv: kprobes: Fix probe address validation",
                            "    - drm/bridge: lt9211: Drop check for last nibble of version register",
                            "    - powerpc/fadump: skip parameter area allocation when fadump is disabled",
                            "    - ASoC: codecs: Fix gain setting ranges for Renesas IDT821034 codec",
                            "    - ASoC: nau8821: Cancel jdet_work before handling jack ejection",
                            "    - ASoC: nau8821: Generalize helper to clear IRQ status",
                            "    - ASoC: nau8821: Consistently clear interrupts before unmasking",
                            "    - ASoC: nau8821: Add DMI quirk to bypass jack debounce circuit",
                            "    - drm/i915/guc: Skip communication warning on reset in progress",
                            "    - drm/i915/frontbuffer: Move bo refcounting",
                            "      intel_frontbuffer_{get,release}()",
                            "    - drm/i915/fb: Fix the set_tiling vs. addfb race, again",
                            "    - drm/amdgpu: add ip offset support for cyan skillfish",
                            "    - drm/amdgpu: add support for cyan skillfish without IP discovery",
                            "    - drm/amdgpu: fix handling of harvesting for ip_discovery firmware",
                            "    - drm/amdgpu: handle wrap around in reemit handling",
                            "    - drm/amdgpu: set an error on all fences from a bad context",
                            "    - drm/amdgpu: drop unused structures in amdgpu_drm.h",
                            "    - drm/amd/powerplay: Fix CIK shutdown temperature",
                            "    - drm/xe: Enable media sampler power gating",
                            "    - drm/draw: fix color truncation in drm_draw_fill24",
                            "    - drm/rockchip: vop2: use correct destination rectangle height check",
                            "    - HID: intel-thc-hid: Intel-quickspi: switch first interrupt from level to",
                            "      edge detection",
                            "    - sched/fair: Fix pelt lost idle time detection",
                            "    - ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings",
                            "    - accel/qaic: Synchronize access to DBC request queue head & tail pointer",
                            "    - nvme-auth: update sc_c in host response",
                            "    - cxl/trace: Subtract to find an hpa_alias0 in cxl_poison events",
                            "    - selftests/bpf: make arg_parsing.c more robust to crashes",
                            "    - blk-mq: fix stale tag depth for shared sched tags in",
                            "      blk_mq_update_nr_requests()",
                            "    - block: Remove elevator_lock usage from blkg_conf frozen operations",
                            "    - HID: hid-input: only ignore 0 battery events for digitizers",
                            "    - HID: multitouch: fix name of Stylus input devices",
                            "    - drm/xe/evict: drop bogus assert",
                            "    - selftests: arg_parsing: Ensure data is flushed to disk before reading.",
                            "    - nvme/tcp: handle tls partially sent records in write_space()",
                            "    - rust: cpufreq: fix formatting",
                            "    - arm64: debug: always unmask interrupts in el0_softstp()",
                            "    - arm64: cputype: Add Neoverse-V3AE definitions",
                            "    - arm64: errata: Apply workarounds for Neoverse-V3AE",
                            "    - xfs: rename the old_crc variable in xlog_recover_process",
                            "    - xfs: fix log CRC mismatches between i386 and other architectures",
                            "    - NFSD: Rework encoding and decoding of nfsd4_deviceid",
                            "    - NFSD: Minor cleanup in layoutcommit processing",
                            "    - NFSD: Implement large extent array support in pNFS",
                            "    - NFSD: Fix last write offset handling in layoutcommit",
                            "    - phy: cdns-dphy: Store hs_clk_rate and return it",
                            "    - phy: cadence: cdns-dphy: Fix PLL lock and O_CMN_READY polling",
                            "    - x86/resctrl: Refactor resctrl_arch_rmid_read()",
                            "    - x86/resctrl: Fix miscount of bandwidth event when reactivating",
                            "      previously unavailable RMID",
                            "    - cxl: Fix match_region_by_range() to use region_res_match_cxl_range()",
                            "    - phy: cadence: cdns-dphy: Update calibration wait time for startup state",
                            "      machine",
                            "    - drm/xe: Use devm_ioremap_wc for VRAM mapping and drop manual unmap",
                            "    - drm/xe: Use dynamic allocation for tile and device VRAM region",
                            "      structures",
                            "    - drm/xe: Move struct xe_vram_region to a dedicated header",
                            "    - drm/xe: Unify the initialization of VRAM regions",
                            "    - drm/xe: Move rebar to be done earlier",
                            "    - PM: hibernate: Fix pm_hibernation_mode_is_suspend() build breakage",
                            "    - drm/xe: Fix an IS_ERR() vs NULL bug in xe_tile_alloc_vram()",
                            "    - Linux 6.17.5",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40086",
                            "    - drm/xe: Don't allow evicting of BOs in same VM in array of VM binds",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40087",
                            "    - NFSD: Define a proc_layoutcommit for the FlexFiles layout type",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40088",
                            "    - hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40162",
                            "    - ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40085",
                            "    - ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40172",
                            "    - accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40177",
                            "    - accel/qaic: Fix bootlog initialization ordering",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40163",
                            "    - sched/deadline: Stop dl_server before CPU goes offline",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40174",
                            "    - x86/mm: Fix SMP ordering in switch_mm_irqs_off()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40089",
                            "    - cxl/features: Add check for no entries in cxl_feature_info",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40176",
                            "    - tls: wait for pending async decryptions if tls_strp_msg_hold fails",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40164",
                            "    - usbnet: Fix using smp_processor_id() in preemptible code warnings",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40091",
                            "    - ixgbe: fix too early devlink_free() in ixgbe_remove()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40175",
                            "    - idpf: cleanup remaining SKBs in PTP flows",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40173",
                            "    - net/ip6_tunnel: Prevent perpetual tunnel growth",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40092",
                            "    - usb: gadget: f_ncm: Refactor bind path to use __free()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40093",
                            "    - usb: gadget: f_ecm: Refactor bind path to use __free()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40094",
                            "    - usb: gadget: f_acm: Refactor bind path to use __free()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40095",
                            "    - usb: gadget: f_rndis: Refactor bind path to use __free()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40165",
                            "    - media: nxp: imx8-isi: m2m: Fix streaming cleanup on release",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40096",
                            "    - drm/sched: Fix potential double free in",
                            "      drm_sched_job_add_resv_dependencies",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40097",
                            "    - ALSA: hda: Fix missing pointer check in hda_component_manager_init",
                            "      function",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40098",
                            "    - ALSA: hda: cs35l41: Fix NULL pointer dereference in",
                            "      cs35l41_get_acpi_mute_state()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40099",
                            "    - cifs: parse_dfs_referrals: prevent oob on malformed input",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40100",
                            "    - btrfs: do not assert we found block group item when creating free space",
                            "      tree",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40101",
                            "    - btrfs: fix memory leaks when rejecting a non SINGLE data profile without",
                            "      an RST",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40167",
                            "    - ext4: detect invalid INLINE_DATA + EXTENTS flag combination",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40102",
                            "    - KVM: arm64: Prevent access to vCPU events before init",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40103",
                            "    - smb: client: Fix refcount leak for cifs_sb_tlink",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40104",
                            "    - ixgbevf: fix mailbox API compatibility by negotiating supported features",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40166",
                            "    - drm/xe/guc: Check GuC running state before deregistering exec queue",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40105",
                            "    - vfs: Don't leak disconnected dentries on umount",
                            "  * The machine didn’t go into suspend and got stuck (LP: #2132095)",
                            "    - platform/x86: alienware-wmi-wmax: Fix NULL pointer dereference in sleep",
                            "      handlers",
                            "  * CAP_PERFMON insufficient to get perf data (LP: #2131046)",
                            "    - SAUCE: perf/core: Allow CAP_PERFMON for paranoid level 4",
                            "  * Poweroff not working consistently after upgrading kernel 6.14.0-17.17 or",
                            "    later (LP: #2115860)",
                            "    - drm/amd: Unify shutdown() callback behavior",
                            "    - drm/amd: Stop exporting amdgpu_device_ip_suspend() outside amdgpu_device",
                            "    - drm/amd: Remove comment about handling errors in",
                            "      amdgpu_device_ip_suspend_phase1()",
                            "    - drm/amd: Don't always set IP block HW status to false",
                            "    - drm/amd: Pass IP suspend errors up to callers",
                            "    - drm/amd: Avoid evicting resources at S5",
                            "  * Re-enable INTEL_SKL_INT3472 for kernels >= 6.16 for Intel IPU camera",
                            "    (LP: #2128792)",
                            "    - Revert \"UBUNTU: [Config] FTBFS: disable INTEL_SKL_INT3472\"",
                            "    - Revert \"UBUNTU: SAUCE: platform/x86: int3472: Add handshake GPIO",
                            "      function\"",
                            "  * Support Samsung S5K3J1 sensor for Intel MIPI camera (LP: #2121852)",
                            "    - SAUCE: media: ipu-bridge: Support s5k3j1 sensor",
                            "  * Questing update: v6.17.4 upstream stable release (LP: #2131259)",
                            "    - fs: always return zero on success from replace_fd()",
                            "    - fscontext: do not consume log entries when returning -EMSGSIZE",
                            "    - btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range()",
                            "    - arm64: map [_text, _stext) virtual address range non-executable+read-",
                            "      only",
                            "    - rseq: Protect event mask against membarrier IPI",
                            "    - statmount: don't call path_put() under namespace semaphore",
                            "    - listmount: don't call path_put() under namespace semaphore",
                            "    - clocksource/drivers/clps711x: Fix resource leaks in error paths",
                            "    - memcg: skip cgroup_file_notify if spinning is not allowed",
                            "    - page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches",
                            "    - PM: runtime: Update kerneldoc return codes",
                            "    - dma-mapping: fix direction in dma_alloc direction traces",
                            "    - cpufreq: Make drivers using CPUFREQ_ETERNAL specify transition latency",
                            "    - nfsd: unregister with rpcbind when deleting a transport",
                            "    - KVM: x86: Add helper to retrieve current value of user return MSR",
                            "    - KVM: SVM: Emulate PERF_CNTR_GLOBAL_STATUS_SET for PerfMonV2",
                            "    - iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE",
                            "    - media: v4l2-subdev: Fix alloc failure check in",
                            "      v4l2_subdev_call_state_try()",
                            "    - asm-generic/io.h: Skip trace helpers if rwmmio events are disabled",
                            "    - clk: npcm: select CONFIG_AUXILIARY_BUS",
                            "    - clk: thead: th1520-ap: describe gate clocks with clk_gate",
                            "    - clk: thead: th1520-ap: fix parent of padctrl0 clock",
                            "    - clk: thead: Correct parent for DPU pixel clocks",
                            "    - clk: renesas: r9a08g045: Add MSTOP for GPIO",
                            "    - perf disasm: Avoid undefined behavior in incrementing NULL",
                            "    - perf test trace_btf_enum: Skip if permissions are insufficient",
                            "    - perf evsel: Avoid container_of on a NULL leader",
                            "    - libperf event: Ensure tracing data is multiple of 8 sized",
                            "    - clk: qcom: common: Fix NULL vs IS_ERR() check in qcom_cc_icc_register()",
                            "    - clk: qcom: Select the intended config in QCS_DISPCC_615",
                            "    - perf parse-events: Handle fake PMUs in CPU terms",
                            "    - clk: at91: peripheral: fix return value",
                            "    - clk: renesas: cpg-mssr: Fix memory leak in cpg_mssr_reserved_init()",
                            "    - perf: Completely remove possibility to override MAX_NR_CPUS",
                            "    - perf drm_pmu: Fix fd_dir leaks in for_each_drm_fdinfo_in_dir()",
                            "    - perf util: Fix compression checks returning -1 as bool",
                            "    - rtc: x1205: Fix Xicor X1205 vendor prefix",
                            "    - rtc: optee: fix memory leak on driver removal",
                            "    - perf arm_spe: Correct setting remote access",
                            "    - perf arm_spe: Correct memory level for remote access",
                            "    - perf vendor events arm64 AmpereOneX: Fix typo - should be",
                            "      l1d_cache_access_prefetches",
                            "    - perf test: AMD IBS swfilt skip kernel tests if paranoia is >1",
                            "    - perf test shell lbr: Avoid failures with perf event paranoia",
                            "    - perf trace: Fix IS_ERR() vs NULL check bug",
                            "    - perf session: Fix handling when buffer exceeds 2 GiB",
                            "    - perf test: Don't leak workload gopipe in PERF_RECORD_*",
                            "    - perf evsel: Fix uniquification when PMU given without suffix",
                            "    - perf test: Avoid uncore_imc/clockticks in uniquification test",
                            "    - perf evsel: Ensure the fallback message is always written to",
                            "    - perf build-id: Ensure snprintf string is empty when size is 0",
                            "    - clk: mediatek: mt8195-infra_ao: Fix parent for infra_ao_hdmi_26m",
                            "    - clk: mediatek: clk-mux: Do not pass flags to",
                            "      clk_mux_determine_rate_flags()",
                            "    - clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate()",
                            "    - clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver",
                            "    - clk: tegra: do not overallocate memory for bpmp clocks",
                            "    - nfsd: fix assignment of ia_ctime.tv_nsec on delegated mtime update",
                            "    - nfsd: ignore ATTR_DELEG when checking ia_valid before notify_change()",
                            "    - vfs: add ATTR_CTIME_SET flag",
                            "    - nfsd: use ATTR_CTIME_SET for delegated ctime updates",
                            "    - nfsd: track original timestamps in nfs4_delegation",
                            "    - nfsd: fix SETATTR updates for delegated timestamps",
                            "    - nfsd: fix timestamp updates in CB_GETATTR",
                            "    - tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64",
                            "    - PM: core: Annotate loops walking device links as _srcu",
                            "    - PM: core: Add two macros for walking device links",
                            "    - PM: sleep: Do not wait on SYNC_STATE_ONLY device links",
                            "    - cpufreq: tegra186: Set target frequency for all cpus in policy",
                            "    - scsi: mvsas: Fix use-after-free bugs in mvs_work_queue",
                            "    - perf bpf-filter: Fix opts declaration on older libbpfs",
                            "    - scsi: ufs: sysfs: Make HID attributes visible",
                            "    - mshv: Handle NEED_RESCHED_LAZY before transferring to guest",
                            "    - perf bpf_counter: Fix handling of cpumap fixing hybrid",
                            "    - ASoC: SOF: ipc4-topology: Correct the minimum host DMA buffer size",
                            "    - ASoC: SOF: ipc4-topology: Account for different ChainDMA host buffer",
                            "      size",
                            "    - ASoC: SOF: Intel: hda-pcm: Place the constraint on period time instead",
                            "      of buffer time",
                            "    - LoongArch: Add cflag -fno-isolate-erroneous-paths-dereference",
                            "    - LoongArch: Fix build error for LTO with LLVM-18",
                            "    - LoongArch: Init acpi_gbl_use_global_lock to false",
                            "    - ASoC: SOF: Intel: Read the LLP via the associated Link DMA channel",
                            "    - net: usb: lan78xx: Fix lost EEPROM read timeout error(-ETIMEDOUT) in",
                            "      lan78xx_read_raw_eeprom",
                            "    - net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter()",
                            "    - drm/xe/hw_engine_group: Fix double write lock release in error path",
                            "    - drm/xe/i2c: Don't rely on d3cold.allowed flag in system PM path",
                            "    - s390/cio: Update purge function to unregister the unused subchannels",
                            "    - drm/vmwgfx: Fix a null-ptr access in the cursor snooper",
                            "    - drm/vmwgfx: Fix Use-after-free in validation",
                            "    - drm/vmwgfx: Fix copy-paste typo in validation",
                            "    - net/sctp: fix a null dereference in sctp_disposition",
                            "      sctp_sf_do_5_1D_ce()",
                            "    - tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().",
                            "    - net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work",
                            "    - selftest: net: ovpn: Fix uninit return values",
                            "    - ice: ice_adapter: release xa entry on adapter allocation failure",
                            "    - net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe",
                            "    - tools build: Align warning options with perf",
                            "    - perf python: split Clang options when invoking Popen",
                            "    - tcp: take care of zero tp->window_clamp in tcp_set_rcvlowat()",
                            "    - mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call",
                            "    - mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes",
                            "    - mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop",
                            "    - mailbox: zynqmp-ipi: Fix SGI cleanup on unbind",
                            "    - bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}",
                            "    - net: mdio: mdio-i2c: Hold the i2c bus lock during smbus transactions",
                            "    - net: sparx5/lan969x: fix flooding configuration on bridge join/leave",
                            "    - net/mlx5: Prevent tunnel mode conflicts between FDB and NIC IPsec tables",
                            "    - net/mlx5e: Prevent tunnel reformat when tunnel mode not allowed",
                            "    - mailbox: mtk-cmdq: Remove pm_runtime APIs from cmdq_mbox_send_data()",
                            "    - drm/amdgpu: Add additional DCE6 SCL registers",
                            "    - drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs",
                            "    - drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6",
                            "    - drm/amd/display: Properly disable scaling on DCE6",
                            "    - drm/amd/display: Disable scaling on DCE6 for now",
                            "    - drm/amdkfd: Fix kfd process ref leaking when userptr unmapping",
                            "    - net: pse-pd: tps23881: Fix current measurement scaling",
                            "    - crypto: skcipher - Fix reqsize handling",
                            "    - netfilter: nft_objref: validate objref and objrefmap expressions",
                            "    - bridge: br_vlan_fill_forward_path_pvid: use br_vlan_group_rcu()",
                            "    - selftests: netfilter: nft_fib.sh: fix spurious test failures",
                            "    - selftests: netfilter: query conntrack state to check for port clash",
                            "      resolution",
                            "    - io_uring/zcrx: increment fallback loop src offset",
                            "    - net: airoha: Fix loopback mode configuration for GDM2 port",
                            "    - cifs: Fix copy_to_iter return value check",
                            "    - smb: client: fix missing timestamp updates after utime(2)",
                            "    - rtc: isl12022: Fix initial enable_irq/disable_irq balance",
                            "    - cifs: Query EA $LXMOD in cifs_query_path_info() for WSL reparse points",
                            "    - tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single",
                            "    - gpio: wcd934x: mark the GPIO controller as sleeping",
                            "    - bpf: Avoid RCU context warning when unpinning htab with internal structs",
                            "    - kbuild: always create intermediate vmlinux.unstripped",
                            "    - kbuild: keep .modinfo section in vmlinux.unstripped",
                            "    - kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux",
                            "    - kbuild: Add '.rel.*' strip pattern for vmlinux",
                            "    - s390: vmlinux.lds.S: Reorder sections",
                            "    - s390/vmlinux.lds.S: Move .vmlinux.info to end of allocatable sections",
                            "    - ACPICA: acpidump: drop ACPI_NONSTRING attribute from file_name",
                            "    - ACPI: property: Fix buffer properties extraction for subnodes",
                            "    - ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT",
                            "    - ACPICA: Debugger: drop ACPI_NONSTRING attribute from name_seg",
                            "    - ACPI: debug: fix signedness issues in read/write helpers",
                            "    - ACPI: battery: Add synchronization between interface updates",
                            "    - arm64: dts: qcom: msm8916: Add missing MDSS reset",
                            "    - arm64: dts: qcom: msm8939: Add missing MDSS reset",
                            "    - arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: qcom: x1e80100-pmics: Disable pm8010",
                            "      by default\"",
                            "    - arm64: dts: qcom: x1e80100-pmics: Disable pm8010 by default",
                            "    - arm64: dts: ti: k3-am62a-main: Fix main padcfg length",
                            "    - arm64: dts: ti: k3-am62p: Fix supported hardware for 1GHz OPP",
                            "    - arm64: kprobes: call set_memory_rox() for kprobe page",
                            "    - arm64: mte: Do not flag the zero page as PG_mte_tagged",
                            "    - ARM: AM33xx: Implement TI advisory 1.0.36 (EMU0/EMU1 pins state on",
                            "      reset)",
                            "    - ARM: OMAP2+: pm33xx-core: ix device node reference leaks in",
                            "      amx3_idle_init",
                            "    - firmware: arm_scmi: quirk: Prevent writes to string constants",
                            "    - perf/arm-cmn: Fix CMN S3 DTM offset",
                            "    - KVM: s390: Fix to clear PTE when discarding a swapped page",
                            "    - KVM: arm64: Fix debug checking for np-guests using huge mappings",
                            "    - KVM: arm64: Fix page leak in user_mem_abort()",
                            "    - x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP",
                            "    - KVM: SVM: Re-load current, not host, TSC_AUX on #VMEXIT from SEV-ES",
                            "      guest",
                            "    - KVM: TDX: Fix uninitialized error code for __tdx_bringup()",
                            "    - dt-bindings: phy: rockchip-inno-csi-dphy: make power-domains non-",
                            "      required",
                            "    - xen: take system_transition_mutex on suspend",
                            "    - xen/events: Cleanup find_virq() return codes",
                            "    - xen/manage: Fix suspend error path",
                            "    - xen/events: Return -EEXIST for bound VIRQs",
                            "    - xen/events: Update virq_to_irq on migration",
                            "    - firmware: exynos-acpm: fix PMIC returned errno",
                            "    - firmware: meson_sm: fix device leak at probe",
                            "    - media: cec: extron-da-hd-4k-plus: drop external-module make commands",
                            "    - media: cx18: Add missing check after DMA map",
                            "    - media: i2c: mt9p031: fix mbus code initialization",
                            "    - media: i2c: mt9v111: fix incorrect type for ret",
                            "    - media: mc: Fix MUST_CONNECT handling for pads with no links",
                            "    - media: pci: ivtv: Add missing check after DMA map",
                            "    - media: pci: mg4b: fix uninitialized iio scan data",
                            "    - media: platform: mtk-mdp3: Add missing MT8188 compatible to comp_dt_ids",
                            "    - media: s5p-mfc: remove an unused/uninitialized variable",
                            "    - media: staging/ipu7: fix isys device runtime PM usage in firmware",
                            "      closing",
                            "    - media: uvcvideo: Avoid variable shadowing in uvc_ctrl_cleanup_fh",
                            "    - media: venus: firmware: Use correct reset sequence for IRIS2",
                            "    - media: venus: pm_helpers: add fallback for the opp-table",
                            "    - media: vivid: fix disappearing <Vendor Command With ID> messages",
                            "    - media: vsp1: Export missing vsp1_isp_free_buffer symbol",
                            "    - media: ti: j721e-csi2rx: Use devm_of_platform_populate",
                            "    - media: ti: j721e-csi2rx: Fix source subdev link creation",
                            "    - media: lirc: Fix error handling in lirc_register()",
                            "    - drm/exynos: exynos7_drm_decon: remove ctx->suspended",
                            "    - drm/panthor: Fix memory leak in panthor_ioctl_group_create()",
                            "    - drm/msm/a6xx: Fix PDC sleep sequence",
                            "    - drm/rcar-du: dsi: Fix 1/2/3 lane support",
                            "    - drm/nouveau: fix bad ret code in nouveau_bo_move_prep",
                            "    - drm/xe/uapi: loosen used tracking restriction",
                            "    - drm/amd/display: Incorrect Mirror Cositing",
                            "    - drm/amd/display: Enable Dynamic DTBCLK Switch",
                            "    - drm/amd/display: Fix unsafe uses of kernel mode FPU",
                            "    - blk-crypto: fix missing blktrace bio split events",
                            "    - btrfs: avoid potential out-of-bounds in btrfs_encode_fh()",
                            "    - bus: mhi: ep: Fix chained transfer handling in read path",
                            "    - bus: mhi: host: Do not use uninitialized 'dev' pointer in",
                            "      mhi_init_irq_setup()",
                            "    - cdx: Fix device node reference leak in cdx_msi_domain_init",
                            "    - clk: qcom: tcsrcc-x1e80100: Set the bi_tcxo as parent to eDP refclk",
                            "    - clk: samsung: exynos990: Use PLL_CON0 for PLL parent muxes",
                            "    - clk: samsung: exynos990: Fix CMU_TOP mux/div bit widths",
                            "    - clk: samsung: exynos990: Replace bogus divs with fixed-factor clocks",
                            "    - copy_sighand: Handle architectures where sizeof(unsigned long) <",
                            "      sizeof(u64)",
                            "    - cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay",
                            "    - cpufreq: intel_pstate: Fix object lifecycle issue in",
                            "      update_qos_request()",
                            "    - crypto: aspeed - Fix dma_unmap_sg() direction",
                            "    - crypto: atmel - Fix dma_unmap_sg() direction",
                            "    - crypto: rockchip - Fix dma_unmap_sg() nents value",
                            "    - eventpoll: Replace rwlock with spinlock",
                            "    - fbdev: Fix logic error in \"offb\" name match",
                            "    - fs/ntfs3: Fix a resource leak bug in wnd_extend()",
                            "    - fs: quota: create dedicated workqueue for quota_release_work",
                            "    - fsnotify: pass correct offset to fsnotify_mmap_perm()",
                            "    - fuse: fix possibly missing fuse_copy_finish() call in fuse_notify()",
                            "    - fuse: fix livelock in synchronous file put from fuseblk workers",
                            "    - gpio: mpfs: fix setting gpio direction to output",
                            "    - i3c: Fix default I2C adapter timeout value",
                            "    - iio/adc/pac1934: fix channel disable configuration",
                            "    - iio: dac: ad5360: use int type to store negative error codes",
                            "    - iio: dac: ad5421: use int type to store negative error codes",
                            "    - iio: frequency: adf4350: Fix prescaler usage.",
                            "    - iio: xilinx-ams: Fix AMS_ALARM_THR_DIRECT_MASK",
                            "    - iio: xilinx-ams: Unmask interrupts after updating alarms",
                            "    - init: handle bootloader identifier in kernel parameters",
                            "    - iio: imu: inv_icm42600: Simplify pm_runtime setup",
                            "    - iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in",
                            "      resume",
                            "    - iio: imu: inv_icm42600: Avoid configuring if already pm_runtime",
                            "      suspended",
                            "    - iommu/vt-d: PRS isn't usable if PDS isn't supported",
                            "    - ipmi: Rework user message limit handling",
                            "    - ipmi:msghandler:Change seq_lock to a mutex",
                            "    - kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in",
                            "      sys_prlimit64() paths",
                            "    - KEYS: trusted_tpm1: Compare HMAC values in constant time",
                            "    - kho: only fill kimage if KHO is finalized",
                            "    - lib/genalloc: fix device leak in of_gen_pool_get()",
                            "    - loop: fix backing file reference leak on validation error",
                            "    - md: fix mssing blktrace bio split events",
                            "    - of: unittest: Fix device reference count leak in",
                            "      of_unittest_pci_node_verify",
                            "    - openat2: don't trigger automounts with RESOLVE_NO_XDEV",
                            "    - padata: Reset next CPU when reorder sequence wraps around",
                            "    - parisc: don't reference obsolete termio struct for TC* constants",
                            "    - parisc: Remove spurious if statement from raw_copy_from_user()",
                            "    - nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk",
                            "    - pinctrl: samsung: Drop unused S3C24xx driver data",
                            "    - PM: EM: Fix late boot with holes in CPU topology",
                            "    - PM: hibernate: Fix hybrid-sleep",
                            "    - PM: hibernate: Restrict GFP mask in power_down()",
                            "    - power: supply: max77976_charger: fix constant current reporting",
                            "    - powerpc/powernv/pci: Fix underflow and leak issue",
                            "    - powerpc/pseries/msi: Fix potential underflow and leak issue",
                            "    - pwm: berlin: Fix wrong register in suspend/resume",
                            "    - pwm: Fix incorrect variable used in error message",
                            "    - Revert \"ipmi: fix msg stack when IPMI is disconnected\"",
                            "    - sched/deadline: Fix race in push_dl_task()",
                            "    - scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()",
                            "    - scsi: sd: Fix build warning in sd_revalidate_disk()",
                            "    - sctp: Fix MAC comparison to be constant-time",
                            "    - smb client: fix bug with newly created file in cached dir",
                            "    - sparc64: fix hugetlb for sun4u",
                            "    - sparc: fix error handling in scan_one_device()",
                            "    - xtensa: simdisk: add input size check in proc_write_simdisk",
                            "    - xsk: Harden userspace-supplied xdp_desc validation",
                            "    - mtd: rawnand: fsmc: Default to autodetect buswidth",
                            "    - mtd: nand: raw: gpmi: fix clocks when CONFIG_PM=N",
                            "    - mmc: core: SPI mode remove cmd7",
                            "    - mmc: mmc_spi: multiple block read remove read crc ack",
                            "    - memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe",
                            "    - memory: stm32_omm: Fix req2ack update test",
                            "    - rtc: interface: Ensure alarm irq is enabled when UIE is enabled",
                            "    - rtc: interface: Fix long-standing race when setting alarm",
                            "    - rseq/selftests: Use weak symbol reference, not definition, to link with",
                            "      glibc",
                            "    - PCI: xilinx-nwl: Fix ECAM programming",
                            "    - PCI: tegra: Convert struct tegra_msi mask_lock into raw spinlock",
                            "    - PCI/sysfs: Ensure devices are powered for config reads",
                            "    - PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV",
                            "    - PCI/ERR: Fix uevent on failure to recover",
                            "    - PCI/AER: Fix missing uevent on recovery when a reset is requested",
                            "    - PCI/AER: Support errors introduced by PCIe r6.0",
                            "    - PCI: Ensure relaxed tail alignment does not increase min_align",
                            "    - PCI: Fix failure detection during resource resize",
                            "    - PCI: j721e: Fix module autoloading",
                            "    - PCI: j721e: Fix programming sequence of \"strap\" settings",
                            "    - PCI: keystone: Use devm_request_irq() to free \"ks-pcie-error-irq\" on",
                            "      exit",
                            "    - PCI: rcar-gen4: Fix PHY initialization",
                            "    - PCI: rcar-host: Drop PMSR spinlock",
                            "    - PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock",
                            "    - PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq()",
                            "    - PCI: tegra194: Handle errors in BPMP response",
                            "    - PCI: tegra194: Reset BARs when running in PCIe endpoint mode",
                            "    - PCI/pwrctrl: Fix device leak at registration",
                            "    - PCI/pwrctrl: Fix device and OF node leak at bus scan",
                            "    - PCI/pwrctrl: Fix device leak at device stop",
                            "    - spi: cadence-quadspi: Flush posted register writes before INDAC access",
                            "    - spi: cadence-quadspi: Flush posted register writes before DAC access",
                            "    - spi: cadence-quadspi: Fix cqspi_setup_flash()",
                            "    - xfs: use deferred intent items for reaping crosslinked blocks",
                            "    - x86/fred: Remove ENDBR64 from FRED entry points",
                            "    - x86/umip: Check that the instruction opcode is at least two bytes",
                            "    - x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT",
                            "      aliases)",
                            "    - mptcp: pm: in-kernel: usable client side with C-flag",
                            "    - mptcp: reset blackhole on success with non-loopback ifaces",
                            "    - selftests: mptcp: join: validate C-flag + def limit",
                            "    - s390/cio/ioasm: Fix __xsch() condition code handling",
                            "    - s390/dasd: enforce dma_alignment to ensure proper buffer validation",
                            "    - s390/dasd: Return BLK_STS_INVAL for EINVAL from do_dasd_request",
                            "    - s390: Add -Wno-pointer-sign to KBUILD_CFLAGS_DECOMPRESSOR",
                            "    - slab: prevent warnings when slab obj_exts vector allocation fails",
                            "    - slab: mark slab->obj_exts allocation failures unconditionally",
                            "    - wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again",
                            "    - wifi: iwlwifi: Fix dentry reference leak in iwl_mld_add_link_debugfs",
                            "    - wifi: rtw89: avoid possible TX wait initialization race",
                            "    - wifi: mt76: mt7925u: Add VID/PID for Netgear A9000",
                            "    - wifi: mt76: mt7921u: Add VID/PID for Netgear A7500",
                            "    - mm/thp: fix MTE tag mismatch when replacing zero-filled subpages",
                            "    - mm/rmap: fix soft-dirty and uffd-wp bit loss when remapping zero-filled",
                            "      mTHP subpage to shared zeropage",
                            "    - mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations",
                            "    - mm/hugetlb: early exit from hugetlb_pages_alloc_boot() when",
                            "      max_huge_pages=0",
                            "    - mm/damon/vaddr: do not repeat pte_offset_map_lock() until success",
                            "    - mm/damon/lru_sort: use param_ctx for damon_attrs staging",
                            "    - nfsd: decouple the xprtsec policy check from check_nfsd_access()",
                            "    - NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul()",
                            "    - nfsd: nfserr_jukebox in nlm_fopen should lead to a retry",
                            "    - media: iris: Call correct power off callback in cleanup path",
                            "    - media: iris: Fix firmware reference leak and unmap memory after load",
                            "    - media: iris: fix module removal if firmware download failed",
                            "    - media: iris: vpu3x: Add MNoC low power handshake during hardware power-",
                            "      off",
                            "    - media: iris: Fix port streaming handling",
                            "    - media: iris: Fix buffer count reporting in internal buffer check",
                            "    - media: iris: Allow substate transition to load resources during output",
                            "      streaming",
                            "    - media: iris: Always destroy internal buffers on firmware release",
                            "      response",
                            "    - media: iris: Simplify session stop logic by relying on vb2 checks",
                            "    - media: iris: Update vbuf flags before v4l2_m2m_buf_done",
                            "    - media: iris: Send dummy buffer address for all codecs during drain",
                            "    - media: iris: Fix missing LAST flag handling during drain",
                            "    - media: iris: Fix format check for CAPTURE plane in try_fmt",
                            "    - media: iris: Allow stop on firmware only if start was issued.",
                            "    - ext4: add ext4_sb_bread_nofail() helper function for",
                            "      ext4_free_branches()",
                            "    - ext4: fail unaligned direct IO write with EINVAL",
                            "    - ext4: verify orphan file size is not too big",
                            "    - ext4: increase i_disksize to offset + len in",
                            "      ext4_update_disksize_before_punch()",
                            "    - ext4: correctly handle queries for metadata mappings",
                            "    - ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()",
                            "    - ext4: fix an off-by-one issue during moving extents",
                            "    - ext4: guard against EA inode refcount underflow in xattr update",
                            "    - ext4: validate ea_ino and size in check_xattrs",
                            "    - ACPICA: Allow to skip Global Lock initialization",
                            "    - ext4: free orphan info with kvfree",
                            "    - ipmi: Fix handling of messages with provided receive message pointer",
                            "    - Squashfs: add additional inode sanity checking",
                            "    - Squashfs: reject negative file sizes in squashfs_read_inode()",
                            "    - mm/ksm: fix incorrect KSM counter handling in mm_struct during fork",
                            "    - media: mc: Clear minor number before put device",
                            "    - arm64: dts: qcom: qcs615: add missing dt property in QUP SEs",
                            "    - ACPI: property: Disregard references in data-only subnode lists",
                            "    - ACPI: property: Add code comments explaining what is going on",
                            "    - ACPI: property: Do not pass NULL handles to acpi_attach_data()",
                            "    - irqchip/sifive-plic: Avoid interrupt ID 0 handling during suspend/resume",
                            "    - copy_file_range: limit size if in compat mode",
                            "    - minixfs: Verify inode mode when loading from disk",
                            "    - pid: Add a judgment for ns null in pid_nr_ns",
                            "    - fs: Add 'initramfs_options' to set initramfs mount options",
                            "    - cramfs: Verify inode mode when loading from disk",
                            "    - nsfs: validate extensible ioctls",
                            "    - mnt_ns_tree_remove(): DTRT if mnt_ns had never been added to mnt_ns_list",
                            "    - writeback: Avoid softlockup when switching many inodes",
                            "    - writeback: Avoid excessively long inode switching times",
                            "    - iomap: error out on file IO when there is no inline_data buffer",
                            "    - pidfs: validate extensible ioctls",
                            "    - mount: handle NULL values in mnt_ns_release()",
                            "    - Linux 6.17.4",
                            "  * Questing update: v6.17.4 upstream stable release (LP: #2131259) // Race",
                            "    condition in perf build causes build failure due to missing unistd_64.h",
                            "    header on arm64 (LP: #2131702)",
                            "    - perf tools: Fix arm64 libjvmti build by generating unistd_64.h",
                            "  * Questing update: v6.17.3 upstream stable release (LP: #2129610)",
                            "    - arch: copy_thread: pass clone_flags as u64",
                            "    - filelock: add FL_RECLAIM to show_fl_flags() macro",
                            "    - init: INITRAMFS_PRESERVE_MTIME should depend on BLK_DEV_INITRD",
                            "    - pid: use ns_capable_noaudit() when determining net sysctl permissions",
                            "    - Fix CC_HAS_ASM_GOTO_OUTPUT on non-x86 architectures",
                            "    - [Config]: Update CC configs for v6.17.3",
                            "    - seccomp: Fix a race with WAIT_KILLABLE_RECV if the tracer replies too",
                            "      fast",
                            "    - kbuild: Add missing $(objtree) prefix to powerpc crtsavres.o artifact",
                            "    - selftests: arm64: Check fread return value in exec_target",
                            "    - selftests: arm64: Fix -Waddress warning in tpidr2 test",
                            "    - kselftest/arm64/gcs: Correctly check return value when disabling GCS",
                            "    - hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()",
                            "    - gfs2: Fix GLF_INVALIDATE_IN_PROGRESS flag clearing in do_xmote",
                            "    - gfs2: Remove space before newline",
                            "    - gfs2: Further sanitize lock_dlm.c",
                            "    - gfs2: Fix LM_FLAG_TRY* logic in add_to_queue",
                            "    - gfs2: Remove duplicate check in do_xmote",
                            "    - gfs2: Get rid of GLF_INVALIDATE_IN_PROGRESS",
                            "    - gfs2: do_xmote cleanup",
                            "    - gfs2: Add proper lockspace locking",
                            "    - powerpc/8xx: Remove left-over instruction and comments in",
                            "      DataStoreTLBMiss handler",
                            "    - powerpc/603: Really copy kernel PGD entries into all PGDIRs",
                            "    - powerpc/ftrace: ensure ftrace record ops are always set for NOPs",
                            "    - powerpc64/modules: correctly iterate over stubs in",
                            "      setup_ftrace_ool_stubs",
                            "    - uprobes: uprobe_warn should use passed task",
                            "    - raid6: riscv: Clean up unused header file inclusion",
                            "    - coresight: trbe: Prevent overflow in PERF_IDX2OFF()",
                            "    - perf: arm_spe: Prevent overflow in PERF_IDX2OFF()",
                            "    - erofs: avoid reading more for fragment maps",
                            "    - smb: client: fix sending the iwrap custom IRD/ORD negotiation messages",
                            "    - smb: server: fix IRD/ORD negotiation with the client",
                            "    - perf/x86/intel: Use early_initcall() to hook bts_init()",
                            "    - perf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error",
                            "    - x86/vdso: Fix output operand size of RDPID",
                            "    - selftests: cgroup: Make test_pids backwards compatible",
                            "    - sched/fair: Get rid of sched_domains_curr_level hack for tl->cpumask()",
                            "    - [Config]: Update CONFIG_SCHED_MC for v6.17.3",
                            "    - lsm: CONFIG_LSM can depend on CONFIG_SECURITY",
                            "    - cpuset: fix failure to enable isolated partition when containing",
                            "      isolcpus",
                            "    - btrfs: return any hit error from extent_writepage_io()",
                            "    - btrfs: fix symbolic link reading when bs > ps",
                            "    - pinctrl: renesas: rzg2l: Fix invalid unsigned return in rzg3s_oen_read()",
                            "    - arm64: dts: renesas: rzg2lc-smarc: Disable CAN-FD channel0",
                            "    - bpf: Tidy verifier bug message",
                            "    - regmap: Remove superfluous check for !config in __regmap_init()",
                            "    - selftests/bpf: Copy test_kmods when installing selftest",
                            "    - rust: cpumask: Mark CpumaskVar as transparent",
                            "    - bpf/selftests: Fix test_tcpnotify_user",
                            "    - bpf: Remove migrate_disable in kprobe_multi_link_prog_run",
                            "    - libbpf: Fix reuse of DEVMAP",
                            "    - tools/nolibc: fix error return value of clock_nanosleep()",
                            "    - ARM: dts: renesas: porter: Fix CAN pin group",
                            "    - leds: max77705: Function return instead of variable assignment",
                            "    - leds: flash: leds-qcom-flash: Update torch current clamp setting",
                            "    - s390/bpf: Do not write tail call counter into helper and kfunc frames",
                            "    - s390/bpf: Write back tail call counter for BPF_PSEUDO_CALL",
                            "    - s390/bpf: Write back tail call counter for BPF_TRAMP_F_CALL_ORIG",
                            "    - cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus()",
                            "    - arm64: dts: renesas: sparrow-hawk: Invert microSD voltage selector on",
                            "      EVTB1",
                            "    - arm64: dts: renesas: sparrow-hawk: Set VDDQ18_25_AVB voltage on EVTB1",
                            "    - libbpf: Export bpf_object__prepare symbol",
                            "    - firmware: arm_scmi: Mark VirtIO ready before registering",
                            "      scmi_virtio_driver",
                            "    - arm64: dts: imx93-kontron: Fix GPIO for panel regulator",
                            "    - arm64: dts: imx93-kontron: Fix USB port assignment",
                            "    - arm64: dts: imx95: Correct the lpuart7 and lpuart8 srcid",
                            "    - bpf: Remove preempt_disable in bpf_try_get_buffers",
                            "    - ACPI: processor: idle: Fix memory leak when register cpuidle device",
                            "      failed",
                            "    - genirq: Add irq_chip_(startup/shutdown)_parent()",
                            "    - PCI/MSI: Add startup/shutdown for per device domains",
                            "    - irqchip/sg2042-msi: Fix broken affinity setting",
                            "    - scripts/misc-check: update export checks for EXPORT_SYMBOL_FOR_MODULES()",
                            "    - soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS",
                            "    - pinctrl: meson-gxl: add missing i2c_d pinmux",
                            "    - blk-mq: check kobject state_in_sysfs before deleting in",
                            "      blk_mq_unregister_hctx",
                            "    - selftests/futex: Remove the -g parameter from futex_priv_hash",
                            "    - ARM: at91: pm: fix MCKx restore routine",
                            "    - arm64: dts: apple: t8103-j457: Fix PCIe ethernet iommu-map",
                            "    - regulator: scmi: Use int type to store negative error codes",
                            "    - selftests/futex: Fix some futex_numa_mpol subtests",
                            "    - tools/nolibc: avoid error in dup2() if old fd equals new fd",
                            "    - selftests/nolibc: fix EXPECT_NZ macro",
                            "    - leds: leds-lp55xx: Use correct address for memory programming",
                            "    - PCI/MSI: Check MSI_FLAG_PCI_MSI_MASK_PARENT in",
                            "      cond_[startup|shutdown]_parent()",
                            "    - block: use int to store blk_stack_limits() return value",
                            "    - ARM: dts: stm32: stm32mp151c-plyaqm: Use correct dai-format property",
                            "    - dt-bindings: vendor-prefixes: Add undocumented vendor prefixes",
                            "    - genirq/test: Fix depth tests on architectures with NOREQUEST by default.",
                            "    - genirq/test: Select IRQ_DOMAIN",
                            "    - genirq/test: Depend on SPARSE_IRQ",
                            "    - genirq/test: Drop CONFIG_GENERIC_IRQ_MIGRATION assumptions",
                            "    - genirq/test: Ensure CPU 1 is online for hotplug test",
                            "    - selftests/bpf: Fix count write in testapp_xdp_metadata_copy()",
                            "    - vdso/datastore: Gate time data behind CONFIG_GENERIC_GETTIMEOFDAY",
                            "    - PM: sleep: core: Clear power.must_resume in noirq suspend error path",
                            "    - blk-mq: fix elevator depth_updated method",
                            "    - vdso: Add struct __kernel_old_timeval forward declaration to gettime.h",
                            "    - ARM: dts: ti: omap: am335x-baltos: Fix ti,en-ck32k-xtal property in DTS",
                            "      to use correct boolean syntax",
                            "    - ARM: dts: ti: omap: omap3-devkit8000-lcd: Fix ti,keep-vref-on property",
                            "      to use correct boolean syntax in DTS",
                            "    - ARM: dts: omap: am335x-cm-t335: Remove unused mcasp num-serializer",
                            "      property",
                            "    - PM / devfreq: mtk-cci: Fix potential error pointer dereference in",
                            "      probe()",
                            "    - power: supply: cw2015: Fix a alignment coding style issue",
                            "    - hwmon: (asus-ec-sensors) Narrow lock for X870E-CREATOR WIFI",
                            "    - pinctrl: renesas: Use int type to store negative error codes",
                            "    - pinctrl: eswin: Fix regulator error check and Kconfig dependency",
                            "    - null_blk: Fix the description of the cache_size module argument",
                            "    - blk-throttle: fix access race during throttle policy activation",
                            "    - selftests: vDSO: Fix -Wunitialized in powerpc VDSO_CALL() wrapper",
                            "    - selftests: vDSO: vdso_test_abi: Correctly skip whole test with missing",
                            "      vDSO",
                            "    - irqchip/gic-v5: Fix loop in gicv5_its_create_itt_two_level() cleanup",
                            "      path",
                            "    - irqchip/gic-v5: Fix error handling in gicv5_its_irq_domain_alloc()",
                            "    - tick: Do not set device to detached state in tick_shutdown()",
                            "    - arm64: dts: mediatek: mt8195: Remove suspend-breaking reset from pcie0",
                            "    - arm64: dts: mediatek: mt8183: Fix out of range pull values",
                            "    - nbd: restrict sockets to TCP and UDP",
                            "    - PM / devfreq: rockchip-dfi: double count on RK3588",
                            "    - firmware: firmware: meson-sm: fix compile-test default",
                            "    - dts: arm: amlogic: fix pwm node for c3",
                            "    - soc: mediatek: mtk-svs: fix device leaks on mt8183 probe failure",
                            "    - soc: mediatek: mtk-svs: fix device leaks on mt8192 probe failure",
                            "    - cpuidle: qcom-spm: fix device and OF node leaks at probe",
                            "    - block: cleanup bio_issue",
                            "    - block: initialize bio issue time in blk_mq_submit_bio()",
                            "    - block: factor out a helper bio_submit_split_bioset()",
                            "    - block: skip unnecessary checks for split bio",
                            "    - block: fix ordering of recursive split IO",
                            "    - blk-mq: remove useless checkings in blk_mq_update_nr_requests()",
                            "    - blk-mq: check invalid nr_requests in queue_requests_store()",
                            "    - blk-mq: convert to serialize updating nr_requests with",
                            "      update_nr_hwq_lock",
                            "    - blk-mq: cleanup shared tags case in blk_mq_update_nr_requests()",
                            "    - blk-mq: split bitmap grow and resize case in blk_mq_update_nr_requests()",
                            "    - blk-mq-sched: add new parameter nr_requests in blk_mq_alloc_sched_tags()",
                            "    - blk-mq: fix potential deadlock while nr_requests grown",
                            "    - arm64: dts: allwinner: a527: cubie-a5e: Add ethernet PHY reset setting",
                            "    - arm64: dts: allwinner: t527: avaota-a1: Add ethernet PHY reset setting",
                            "    - arm64: dts: rockchip: Add RTC on rk3576-evb1-v10",
                            "    - arm64: dts: rockchip: Add WiFi on rk3576-evb1-v10",
                            "    - arm64: dts: rockchip: Fix network on rk3576 evb1 board",
                            "    - arm64: dts: ti: k3-j742s2-mcu-wakeup: Override firmware-name for MCU R5F",
                            "      cores",
                            "    - arm64: dts: ti: k3: Rename rproc reserved-mem nodes to 'memory@addr'",
                            "    - Revert \"arm64: dts: ti: k3-j721e-sk: Fix reversed C6x carveout",
                            "      locations\"",
                            "    - Revert \"arm64: dts: ti: k3-j721e-beagleboneai64: Fix reversed C6x",
                            "      carveout locations\"",
                            "    - arm64: dts: mediatek: mt8188: Change efuse fallback compatible to mt8186",
                            "    - arm64: dts: mediatek: mt8186-tentacruel: Fix touchscreen model",
                            "    - arm64: dts: ti: k3-pinctrl: Fix the bug in existing macros",
                            "    - arm64: dts: renesas: r9a09g047e57-smarc: Fix gpio key's pin control node",
                            "    - arm64: dts: mediatek: mt6331: Fix pmic, regulators, rtc, keys node names",
                            "    - mmc: core: Fix variable shadowing in mmc_route_rpmb_frames()",
                            "    - arm64: dts: mediatek: mt6795-xperia-m5: Fix mmc0 latch-ck value",
                            "    - arm64: dts: mediatek: mt7986a: Fix PCI-Express T-PHY node address",
                            "    - arm64: dts: mediatek: mt8395-kontron-i1200: Fix MT6360 regulator nodes",
                            "    - arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible",
                            "    - arm64: dts: allwinner: a527: cubie-a5e: Add LEDs",
                            "    - arm64: dts: allwinner: a527: cubie-a5e: Drop external 32.768 KHz crystal",
                            "    - arm64: dts: allwinner: t527: avaota-a1: hook up external 32k crystal",
                            "    - arm64: dts: allwinner: t527: orangepi-4a: hook up external 32k crystal",
                            "    - pwm: tiehrpwm: Don't drop runtime PM reference in .free()",
                            "    - pwm: tiehrpwm: Make code comment in .free() more useful",
                            "    - pwm: tiehrpwm: Fix various off-by-one errors in duty-cycle calculation",
                            "    - pwm: tiehrpwm: Fix corner case in clock divisor calculation",
                            "    - ACPICA: Apply ACPI_NONSTRING",
                            "    - ACPICA: Fix largest possible resource descriptor index",
                            "    - riscv, bpf: Sign extend struct ops return values properly",
                            "    - nvme-auth: update bi_directional flag",
                            "    - nvmet-fc: move lsop put work to nvmet_fc_ls_req_op",
                            "    - nvmet-fcloop: call done callback even when remote port is gone",
                            "    - nvme-tcp: send only permitted commands for secure concat",
                            "    - i3c: master: svc: Use manual response for IBI events",
                            "    - i3c: master: svc: Recycle unused IBI slot",
                            "    - block: update validation of atomic writes boundary for stacked devices",
                            "    - block: fix stacking of atomic writes when atomics are not supported",
                            "    - selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported",
                            "    - selftests/kselftest_harness: Add harness-selftest.expected to TEST_FILES",
                            "    - blk-throttle: fix throtl_data leak during disk release",
                            "    - bpf: Explicitly check accesses to bpf_sock_addr",
                            "    - mmc: select REGMAP_MMIO with MMC_LOONGSON2",
                            "    - selftests/futex: Fix futex_wait() for 32bit ARM",
                            "    - selftest/futex: Make the error check more precise for futex_numa_mpol",
                            "    - selftest/futex: Compile also with libnuma < 2.0.16",
                            "    - bpf: dont report verifier bug for missing bpf_scc_visit on speculative",
                            "      path",
                            "    - bpf, arm64: Call bpf_jit_binary_pack_finalize() in bpf_jit_free()",
                            "    - arm64: dts: apple: t600x: Add missing WiFi properties",
                            "    - arm64: dts: apple: t600x: Add bluetooth device nodes",
                            "    - arm64: dts: apple: Add ethernet0 alias for J375 template",
                            "    - selftests: always install UAPI headers to the correct directory",
                            "    - smp: Fix up and expand the smp_call_function_many() kerneldoc",
                            "    - mfd: max77705: max77705_charger: move active discharge setting to mfd",
                            "      parent",
                            "    - power: supply: max77705_charger: refactoring: rename charger to chg",
                            "    - power: supply: max77705_charger: use regfields for config registers",
                            "    - power: supply: max77705_charger: rework interrupts",
                            "    - tools/nolibc: make time_t robust if __kernel_old_time_t is missing in",
                            "      host headers",
                            "    - spi: fix return code when spi device has too many chipselects",
                            "    - clocksource/drivers/timer-tegra186: Avoid 64-bit divide operation",
                            "    - clocksource/drivers/tegra186: Avoid 64-bit division",
                            "    - bpf: Mark kfuncs as __noclone",
                            "    - once: fix race by moving DO_ONCE to separate section",
                            "    - hwmon: (mlxreg-fan) Separate methods of fan setting coming from",
                            "      different subsystems",
                            "    - tools/nolibc: add stdbool.h to nolibc includes",
                            "    - thermal/drivers/qcom: Make LMH select QCOM_SCM",
                            "    - thermal/drivers/qcom/lmh: Add missing IRQ includes",
                            "    - i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD",
                            "    - i2c: spacemit: ensure bus release check runs when wait_bus_idle() fails",
                            "    - i2c: spacemit: remove stop function to avoid bus error",
                            "    - i2c: spacemit: disable SDA glitch fix to avoid restart delay",
                            "    - i2c: spacemit: check SDA instead of SCL after bus reset",
                            "    - i2c: spacemit: ensure SDA is released after bus reset",
                            "    - i2c: designware: Fix clock issue when PM is disabled",
                            "    - i2c: designware: Add disabling clocks when probe fails",
                            "    - libbpf: Fix error when st-prefix_ops and ops from differ btf",
                            "    - bpf: Enforce expected_attach_type for tailcall compatibility",
                            "    - i3c: fix big-endian FIFO transfers",
                            "    - mfd: max77705: Setup the core driver as an interrupt controller",
                            "    - drm/sched: Fix a race in DRM_GPU_SCHED_STAT_NO_HANG test",
                            "    - drm/panel-edp: Add disable to 100ms for MNB601LS1-4",
                            "    - drm/display: bridge-connector: correct CEC bridge pointers in",
                            "      drm_bridge_connector_init",
                            "    - drm/panel-edp: Add 50ms disable delay for four panels",
                            "    - drm/vmwgfx: fix missing assignment to ts",
                            "    - drm/amd/display: Reduce Stack Usage by moving 'audio_output' into",
                            "      'stream_res' v4",
                            "    - drm/panel: novatek-nt35560: Fix invalid return value",
                            "    - drm/amdgpu: fix link error for !PM_SLEEP",
                            "    - drm/amdgpu: Fix jpeg v4.0.3 poison irq call trace on sriov guest",
                            "    - drm/amdgpu: Fix vcn v4.0.3 poison irq call trace on sriov guest",
                            "    - PCI: endpoint: pci-ep-msi: Fix NULL vs IS_ERR() check in",
                            "      pci_epf_write_msi_msg()",
                            "    - PCI: xgene-msi: Return negative -EINVAL in xgene_msi_handler_setup()",
                            "    - drm/radeon/r600_cs: clean up of dead code in r600_cs",
                            "    - f2fs: fix condition in __allow_reserved_blocks()",
                            "    - f2fs: fix to avoid overflow while left shift operation",
                            "    - f2fs: fix to zero data after EOF for compressed file correctly",
                            "    - drm/bridge: it6505: select REGMAP_I2C",
                            "    - wifi: rtw88: Lock rtwdev->mutex before setting the LED",
                            "    - HID: steelseries: refactor probe() and remove()",
                            "    - media: zoran: Remove zoran_fh structure",
                            "    - phy: rockchip: naneng-combphy: Enable U3 OTG port for RK3568",
                            "    - drm/bridge: cdns-dsi: Fix the _atomic_check()",
                            "    - usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup",
                            "    - usb: misc: qcom_eud: Access EUD_MODE_MANAGER2 through secure calls",
                            "    - PCI/pwrctrl: Fix double cleanup on devm_add_action_or_reset() failure",
                            "    - misc: pci_endpoint_test: Fix array underflow in",
                            "      pci_endpoint_test_ioctl()",
                            "    - serial: max310x: Add error checking in probe()",
                            "    - drm/amd/display: Remove redundant semicolons",
                            "    - drm/amd/display: Add NULL pointer checks in dc_stream cursor attribute",
                            "      functions",
                            "    - crypto: keembay - Add missing check after sg_nents_for_len()",
                            "    - hwrng: nomadik - add ARM_AMBA dependency",
                            "    - docs: iio: ad3552r: Fix malformed code-block directive",
                            "    - fwctl/mlx5: Fix memory alloc/free in mlx5ctl_fw_rpc()",
                            "    - scsi: pm80xx: Restore support for expanders",
                            "    - scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod",
                            "    - scsi: libsas: Add dev_parent_is_expander() helper",
                            "    - scsi: pm80xx: Use dev_parent_is_expander() helper",
                            "    - scsi: pm80xx: Add helper function to get the local phy id",
                            "    - scsi: pm80xx: Fix pm8001_abort_task() for chip_8006 when using an",
                            "      expander",
                            "    - mptcp: Fix up subflow's memcg when CONFIG_SOCK_CGROUP_DATA=n.",
                            "    - scsi: myrs: Fix dma_alloc_coherent() error check",
                            "    - f2fs: fix to clear unusable_cap for checkpoint=enable",
                            "    - f2fs: fix to avoid NULL pointer dereference in",
                            "      f2fs_check_quota_consistency()",
                            "    - f2fs: fix to allow removing qf_name",
                            "    - Revert \"UBUNTU: SAUCE: drm/dp: drm_edp_backlight_set_level: do not",
                            "      always send 3-byte commands\"",
                            "    - drm/dp: drm_edp_backlight_set_level: do not always send 3-byte commands",
                            "    - crypto: octeontx2 - Call strscpy() with correct size argument",
                            "    - drm: re-allow no-op changes on non-primary planes in async flips",
                            "    - media: rj54n1cb0c: Fix memleak in rj54n1_probe()",
                            "    - media: staging/ipu7: convert to use pci_alloc_irq_vectors() API",
                            "    - media: staging/ipu7: Don't set name for IPU7 PCI device",
                            "    - media: staging/ipu7: cleanup the MMU correctly in IPU7 driver release",
                            "    - media: i2c: vd55g1: Fix duster register address",
                            "    - drm/panel: Allow powering on panel follower after panel is enabled",
                            "    - HID: i2c-hid: Make elan touch controllers power on after panel is",
                            "      enabled",
                            "    - RDMA/mlx5: Better estimate max_qp_wr to reflect WQE count",
                            "    - RDMA/mlx5: Fix vport loopback forcing for MPV device",
                            "    - wifi: rtw88: Use led->brightness_set_blocking for PCI too",
                            "    - net: phy: introduce phy_id_compare_vendor() PHY ID helper",
                            "    - net: phy: as21xxx: better handle PHY HW reset on soft-reboot",
                            "    - PCI: rcar-host: Pass proper IRQ domain to generic_handle_domain_irq()",
                            "    - fuse: remove unneeded offset assignment when filling write pages",
                            "    - PCI: qcom: Restrict port parsing only to PCIe bridge child nodes",
                            "    - cdx: don't select CONFIG_GENERIC_MSI_IRQ",
                            "    - PCI/ACPI: Fix pci_acpi_preserve_config() memory leak",
                            "    - HID: i2c-hid: Fix test in i2c_hid_core_register_panel_follower()",
                            "    - ALSA: lx_core: use int type to store negative error codes",
                            "    - media: st-delta: avoid excessive stack usage",
                            "    - drm/amdgpu/vcn: Add regdump helper functions",
                            "    - drm/amdgpu/vcn: Hold pg_lock before vcn power off",
                            "    - drm/amdgpu: Check vcn state before profile switch",
                            "    - accel/amdxdna: Use int instead of u32 to store error codes",
                            "    - efi: Explain OVMF acronym in OVMF_DEBUG_LOG help text",
                            "    - net: dst: introduce dst->dev_rcu",
                            "    - ipv6: mcast: Add ip6_mc_find_idev() helper",
                            "    - ipv6: start using dst_dev_rcu()",
                            "    - ipv6: use RCU in ip6_xmit()",
                            "    - ipv6: use RCU in ip6_output()",
                            "    - net: use dst_dev_rcu() in sk_setup_caps()",
                            "    - tcp_metrics: use dst_dev_net_rcu()",
                            "    - ipv4: start using dst_dev_rcu()",
                            "    - crypto: hisilicon/zip - remove unnecessary validation for high-",
                            "      performance mode configurations",
                            "    - crypto: hisilicon - re-enable address prefetch after device resuming",
                            "    - crypto: hisilicon - check the sva module status while enabling or",
                            "      disabling address prefetch",
                            "    - crypto: hisilicon/qm - check whether the input function and PF are on",
                            "      the same device",
                            "    - crypto: hisilicon/qm - request reserved interrupt for virtual function",
                            "    - inet: ping: check sock_net() in ping_get_port() and ping_lookup()",
                            "    - dmaengine: Fix dma_async_tx_descriptor->tx_submit documentation",
                            "    - coresight: trbe: Add ISB after TRBLIMITR write",
                            "    - coresight: Fix missing include for FIELD_GET",
                            "    - coresight: Only register perf symlink for sinks with alloc_buffer",
                            "    - drm/amdgpu: Power up UVD 3 for FW validation (v2)",
                            "    - drm/amd/pm: Disable ULV even if unsupported (v3)",
                            "    - drm/amd/pm: Fix si_upload_smc_data (v3)",
                            "    - drm/amd/pm: Adjust si_upload_smc_data register programming (v3)",
                            "    - drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3)",
                            "    - drm/amd/pm: Disable MCLK switching with non-DC at 120 Hz+ (v2)",
                            "    - drm/amd/pm: Disable SCLK switching on Oland with high pixel clocks (v3)",
                            "    - wifi: mac80211: Make CONNECTION_MONITOR optional for MLO sta",
                            "    - wifi: mwifiex: send world regulatory domain to driver",
                            "    - wifi: brcmfmac: fix 43752 SDIO FWVID incorrectly labelled as Cypress",
                            "      (CYW)",
                            "    - drm/msm: Do not validate SSPP when it is not ready",
                            "    - PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation",
                            "    - wifi: mac80211: consider links for validating SCAN_FLAG_AP in scan",
                            "      request during MLO",
                            "    - PCI: qcom: Add equalization settings for 8.0 GT/s and 32.0 GT/s",
                            "    - tcp: fix __tcp_close() to only send RST when required",
                            "    - fanotify: Validate the return value of mnt_ns_from_dentry() before",
                            "      dereferencing",
                            "    - drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl()",
                            "    - usb: phy: twl6030: Fix incorrect type for ret",
                            "    - usb: gadget: configfs: Correctly set use_os_string at bind",
                            "    - tty: n_gsm: Don't block input queue by waiting MSC",
                            "    - misc: genwqe: Fix incorrect cmd field being reported in error",
                            "    - pps: fix warning in pps_register_cdev when register device fail",
                            "    - drm/msm: Fix obj leak in VM_BIND error path",
                            "    - drm/msm: Fix missing VM_BIND offset/range validation",
                            "    - wifi: iwlwifi: Remove redundant header files",
                            "    - drm/msm/mdp4: stop supporting no-IOMMU configuration",
                            "    - drm/msm: stop supporting no-IOMMU configuration",
                            "    - idpf: fix Rx descriptor ready check barrier in splitq",
                            "    - ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping",
                            "    - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping",
                            "    - ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping",
                            "    - ipv6: snmp: do not use SNMP_MIB_SENTINEL anymore",
                            "    - ipv6: snmp: do not track per idev ICMP6_MIB_RATELIMITHOST",
                            "    - drm/msm: Fix bootup splat with separate_gpu_drm modparam",
                            "    - drm/msm/dpu: fix incorrect type for ret",
                            "    - wifi: mac80211: fix reporting of all valid links in sta_set_sinfo()",
                            "    - fs: ntfs3: Fix integer overflow in run_unpack()",
                            "    - fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist",
                            "    - iio: consumers: Fix handling of negative channel scale in",
                            "      iio_convert_raw_to_processed()",
                            "    - iio: consumers: Fix offset handling in iio_convert_raw_to_processed()",
                            "    - mm/slub: Fix cmp_loc_by_count() to return 0 when counts are equal",
                            "    - tools: ynl: fix undefined variable name",
                            "    - RDMA/mlx5: Fix page size bitmap calculation for KSM mode",
                            "    - netfilter: ipset: Remove unused htable_bits in macro ahash_region",
                            "    - ipvs: Use READ_ONCE/WRITE_ONCE for ipvs->enable",
                            "    - HID: steelseries: Fix STEELSERIES_SRWS1 handling in steelseries_remove()",
                            "    - watchdog: intel_oc_wdt: Do not try to write into const memory",
                            "    - watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the",
                            "      watchdog",
                            "    - PCI: endpoint: pci-epf-test: Fix doorbell test support",
                            "    - drivers/base/node: handle error properly in register_one_node()",
                            "    - RDMA/cm: Rate limit destroy CM ID timeout error message",
                            "    - wifi: mt76: mt7996: Fix mt7996_mcu_sta_ba wcid configuration",
                            "    - wifi: mt76: mt7996: Fix mt7996_mcu_bss_mld_tlv routine",
                            "    - wifi: mt76: fix potential memory leak in mt76_wmac_probe()",
                            "    - wifi: mt76: mt7996: Use proper link_id in link_sta_rc_update callback",
                            "    - wifi: mt76: mt7996: Check phy before init msta_link in",
                            "      mt7996_mac_sta_add_links()",
                            "    - wifi: mt76: mt7996: Fix tx-queues initialization for second phy on",
                            "      mt7996",
                            "    - wifi: mt76: mt7996: Fix RX packets configuration for primary WED device",
                            "    - wifi: mt76: mt7996: Convert mt7996_wed_rro_addr to LE",
                            "    - wifi: mt76: mt7915: fix mt7981 pre-calibration",
                            "    - wifi: mt76: mt7996: remove redundant per-phy mac80211 calls during",
                            "      restart",
                            "    - ASoC: Intel: hda-sdw-bpt: set persistent_buffer false",
                            "    - srcu/tiny: Remove preempt_disable/enable() in srcu_gp_start_if_needed()",
                            "    - drm/amdgpu: Fix allocating extra dwords for rings (v2)",
                            "    - f2fs: fix to update map->m_next_extent correctly in f2fs_map_blocks()",
                            "    - f2fs: fix to truncate first page in error path of f2fs_truncate()",
                            "    - f2fs: fix to avoid migrating empty section",
                            "    - f2fs: fix to mitigate overhead of f2fs_zero_post_eof_page()",
                            "    - RISC-V: KVM: Write hgatp register with valid mode bits",
                            "    - ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on",
                            "      PREEMPT_RT",
                            "    - ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message",
                            "    - scsi: qla2xxx: edif: Fix incorrect sign of error code",
                            "    - scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES()",
                            "    - scsi: qla2xxx: Fix incorrect sign of error code in qla_nvme_xmt_ls_rsp()",
                            "    - HID: hidraw: tighten ioctl command parsing",
                            "    - f2fs: fix zero-sized extent for precache extents",
                            "    - smc: Fix use-after-free in __pnet_find_base_ndev().",
                            "    - smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().",
                            "    - smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().",
                            "    - smc: Use __sk_dst_get() and dst_dev_rcu() in smc_vlan_by_tcpsk().",
                            "    - tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().",
                            "    - mptcp: Call dst_release() in mptcp_active_enable().",
                            "    - mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable().",
                            "    - Revert \"usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems",
                            "      Running\"",
                            "    - RDMA/core: Resolve MAC of next-hop device without ARP support",
                            "    - IB/sa: Fix sa_local_svc_timeout_ms read race",
                            "    - Documentation: trace: historgram-design: Separate sched_waking histogram",
                            "      section heading and the following diagram",
                            "    - ASoC: SOF: ipc4-pcm: Fix incorrect comparison with number of tdm_slots",
                            "    - wifi: ath12k: initialize eirp_power before use",
                            "    - wifi: ath12k: fix overflow warning on num_pwr_levels",
                            "    - wifi: ath12k: fix signal in radiotap for WCN7850",
                            "    - wifi: ath12k: fix HAL_PHYRX_COMMON_USER_INFO handling in monitor mode",
                            "    - wifi: ath12k: fix the fetching of combined rssi",
                            "    - wifi: ath12k: Add fallback for invalid channel number in PHY metadata",
                            "    - wifi: ath12k: fix wrong logging ID used for CE",
                            "    - wifi: ath10k: avoid unnecessary wait for service ready message",
                            "    - iommu/vt-d: debugfs: Fix legacy mode page table dump logic",
                            "    - wifi: mac80211: fix Rx packet handling when pubsta information is not",
                            "      available",
                            "    - ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      UltraSPARC",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      UltraSPARC III",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      Niagara",
                            "    - sparc: fix accurate exception reporting in copy_to_user for Niagara 4",
                            "    - sparc: fix accurate exception reporting in copy_{from,to}_user for M7",
                            "    - vfio/pds: replace bitmap_free with vfree",
                            "    - crypto: comp - Use same definition of context alloc and free ops",
                            "    - crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs",
                            "    - wifi: ath12k: Fix peer lookup in ath12k_dp_mon_rx_deliver_msdu()",
                            "    - rpmsg: qcom_smd: Fix fallback to qcom,ipc parse",
                            "    - remoteproc: qcom_q6v5_mss: support loading MBN file on msm8974",
                            "    - RDMA/rxe: Fix race in do_task() when draining",
                            "    - selftests/mm: fix va_high_addr_switch.sh failure on x86_64",
                            "    - wifi: rtw89: fix leak in rtw89_core_send_nullfunc()",
                            "    - wifi: rtw89: avoid circular locking dependency in ser_state_run()",
                            "    - PCI: tegra194: Fix duplicate PLL disable in",
                            "      pex_ep_event_pex_rst_assert()",
                            "    - remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice",
                            "    - remoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E",
                            "    - wifi: ath12k: Refactor RX TID deletion handling into helper function",
                            "    - wifi: ath12k: Fix flush cache failure during RX queue update",
                            "    - wifi: cfg80211: fix width unit in cfg80211_radio_chandef_valid()",
                            "    - dm vdo: return error on corrupted metadata in start_restoring_volume",
                            "      functions",
                            "    - coresight: fix indentation error in cscfg_remove_owned_csdev_configs()",
                            "    - coresight-etm4x: Conditionally access register TRCEXTINSELR",
                            "    - coresight: tmc: Support atclk",
                            "    - coresight: catu: Support atclk",
                            "    - coresight: etm4x: Support atclk",
                            "    - coresight: Appropriately disable programming clocks",
                            "    - coresight: Appropriately disable trace bus clocks",
                            "    - coresight: Avoid enable programming clock duplicately",
                            "    - coresight: trbe: Return NULL pointer for allocation failures",
                            "    - coresight: tpda: fix the logic to setup the element size",
                            "    - coresight: Fix incorrect handling for return value of devm_kzalloc",
                            "    - NFSv4.1: fix backchannel max_resp_sz verification check",
                            "    - net: ethtool: tsconfig: set command must provide a reply",
                            "    - netfilter: nfnetlink: reset nlh pointer during batch replay",
                            "    - netfilter: nf_conntrack: do not skip entries in /proc/net/nf_conntrack",
                            "    - scsi: ufs: core: Fix data race in CPU latency PM QoS request handling",
                            "    - scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()",
                            "    - usb: vhci-hcd: Prevent suspending virtually attached devices",
                            "    - PCI: rcar-gen4: Add missing 1ms delay after PWR reset assertion",
                            "    - PCI: rcar-gen4: Assure reset occurs before DBI access",
                            "    - PCI: rcar-gen4: Fix inverted break condition in PHY initialization",
                            "    - ASoC: qcom: sc8280xp: use sa8775p/ subdir for QCS9100 / QCS9075",
                            "    - iommu/vt-d: Disallow dirty tracking if incoherent page walk",
                            "    - iommu/selftest: prevent use of uninitialized variable",
                            "    - RDMA/siw: Always report immediate post SQ errors",
                            "    - net: enetc: Fix probing error message typo for the ENETCv4 PF driver",
                            "    - net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast",
                            "    - ptp: Add a upper bound on max_vclocks",
                            "    - vhost: vringh: Fix copy_to_iter return value check",
                            "    - net: macb: remove illusion about TBQPH/RBQPH being per-queue",
                            "    - net: macb: move ring size computation to functions",
                            "    - net: macb: single dma_alloc_coherent() for DMA descriptors",
                            "    - Bluetooth: btintel_pcie: Refactor Device Coredump",
                            "    - Bluetooth: MGMT: Fix not exposing debug UUID on",
                            "      MGMT_OP_READ_EXP_FEATURES_INFO",
                            "    - Bluetooth: ISO: Fix possible UAF on iso_conn_free",
                            "    - Bluetooth: ISO: free rx_skb if not consumed",
                            "    - Bluetooth: ISO: don't leak skb in ISO_CONT RX",
                            "    - Bluetooth: hci_sync: Fix using random address for BIG/PA advertisements",
                            "    - KEYS: X.509: Fix Basic Constraints CA flag parsing",
                            "    - hwrng: ks-sa - fix division by zero in ks_sa_rng_init",
                            "    - cramfs: fix incorrect physical page address calculation",
                            "    - ocfs2: fix double free in user_cluster_connect()",
                            "    - drivers/base/node: fix double free in register_one_node()",
                            "    - f2fs: fix UAF issue in f2fs_merge_page_bio()",
                            "    - mtd: rawnand: atmel: Fix error handling path in",
                            "      atmel_nand_controller_add_nands",
                            "    - PCI: j721e: Fix incorrect error message in probe()",
                            "    - idpf: fix mismatched free function for dma_alloc_coherent",
                            "    - tcp: use skb->len instead of skb->truesize in tcp_can_ingest()",
                            "    - nfp: fix RSS hash key size when RSS is not supported",
                            "    - net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not",
                            "      configurable",
                            "    - net: dlink: handle copy_thresh allocation failure",
                            "    - net/mlx5: Stop polling for command response if interface goes down",
                            "    - net/mlx5: pagealloc: Fix reclaim race during command interface teardown",
                            "    - net/mlx5: fw reset, add reset timeout work",
                            "    - smb: client: fix crypto buffers in non-linear memory",
                            "    - bonding: fix xfrm offload feature setup on active-backup mode",
                            "    - net: enetc: initialize SW PIR and CIR based HW PIR and CIR values",
                            "    - iommufd: Register iommufd mock devices with fwspec",
                            "    - Revert \"net/mlx5e: Update and set Xon/Xoff upon MTU set\"",
                            "    - NFSD: filecache: add STATX_DIOALIGN and STATX_DIO_READ_ALIGN support",
                            "    - nfs/localio: avoid issuing misaligned IO using O_DIRECT",
                            "    - octeontx2-vf: fix bitmap leak",
                            "    - octeontx2-pf: fix bitmap leak",
                            "    - vhost: vringh: Modify the return value check",
                            "    - selftests/bpf: Fix typos and grammar in test sources",
                            "    - selftests/bpf: move get_ksyms and get_addrs to trace_helpers.c",
                            "    - selftests/bpf: Fix realloc size in bpf_get_addrs",
                            "    - bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer",
                            "    - bpf: Reject negative offsets for ALU ops",
                            "    - tpm: Disable TPM2_TCG_HMAC by default",
                            "    - ALSA: hda/hdmi: Add pin fix for HP ProDesk model",
                            "    - ALSA: hda/realtek: Add quirk for HP Spectre 14t-ea100",
                            "    - Squashfs: fix uninit-value in squashfs_get_parent",
                            "    - uio_hv_generic: Let userspace take care of interrupt mask",
                            "    - hisi_acc_vfio_pci: Fix reference leak in hisi_acc_vfio_debug_init",
                            "    - io_uring/waitid: always prune wait queue entry in io_waitid_wait()",
                            "    - io_uring/zcrx: fix overshooting recv limit",
                            "    - ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()",
                            "    - ASoC: SOF: ipc3-topology: Fix multi-core and static pipelines tear down",
                            "    - ASoC: codecs: wcd937x: set the comp soundwire port correctly",
                            "    - ASoC: codecs: wcd937x: make stub functions inline",
                            "    - ASoC: SOF: ipc4-pcm: fix delay calculation when DSP resamples",
                            "    - ASoC: SOF: ipc4-pcm: fix start offset calculation for chain DMA",
                            "    - fs: udf: fix OOB read in lengthAllocDescs handling",
                            "    - net: nfc: nci: Add parameter validation for packet data",
                            "    - mfd: rz-mtu3: Fix MTU5 NFCR register offset",
                            "    - mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag",
                            "    - mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data()",
                            "    - tracing: Fix lock imbalance in s_start() memory allocation failure path",
                            "    - tracing: Fix race condition in kprobe initialization causing NULL",
                            "      pointer dereference",
                            "    - tracing: Fix wakeup tracers on failure of acquiring calltime",
                            "    - tracing: Fix irqoff tracers on failure of acquiring calltime",
                            "    - tracing: Have trace_marker use per-cpu data to read user space",
                            "    - tracing: Fix tracing_mark_raw_write() to use buf and not ubuf",
                            "    - tracing: Stop fortify-string from warning in tracing_mark_raw_write()",
                            "    - dm: fix queue start/stop imbalance under suspend/load/resume races",
                            "    - dm: fix NULL pointer dereference in __dm_suspend()",
                            "    - LoongArch: Automatically disable kaslr if boot from kexec_file",
                            "    - pwm: loongson: Fix LOONGSON_PWM_FREQ_DEFAULT",
                            "    - LoongArch: BPF: Sign-extend struct ops return values properly",
                            "    - LoongArch: BPF: No support of struct argument in trampoline programs",
                            "    - LoongArch: BPF: Don't align trampoline size",
                            "    - LoongArch: BPF: Make trampoline size stable",
                            "    - LoongArch: BPF: Make error handling robust in",
                            "      arch_prepare_bpf_trampoline()",
                            "    - LoongArch: BPF: Remove duplicated bpf_flush_icache()",
                            "    - LoongArch: BPF: No text_poke() for kernel text",
                            "    - LoongArch: BPF: Remove duplicated flags check",
                            "    - LoongArch: BPF: Fix uninitialized symbol 'retval_off'",
                            "    - mm/ksm: fix flag-dropping behavior in ksm_madvise",
                            "    - ksmbd: Fix race condition in RPC handle list access",
                            "    - ksmbd: fix error code overwriting in smb2_get_info_filesystem()",
                            "    - ksmbd: add max ip connections parameter",
                            "    - ext4: fix potential null deref in ext4_mb_init()",
                            "    - ext4: fix checks for orphan inodes",
                            "    - KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid",
                            "    - fbdev: simplefb: Fix use after free in simplefb_detach_genpds()",
                            "    - mm: hugetlb: avoid soft lockup when mprotect to large memory area",
                            "    - selftests/mm: skip soft-dirty tests when CONFIG_MEM_SOFT_DIRTY is",
                            "      disabled",
                            "    - nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()",
                            "    - misc: fastrpc: Save actual DMA size in fastrpc_map structure",
                            "    - misc: fastrpc: Fix fastrpc_map_lookup operation",
                            "    - misc: fastrpc: fix possible map leak in fastrpc_put_args",
                            "    - misc: fastrpc: Skip reference for DMA handles",
                            "    - Input: atmel_mxt_ts - allow reset GPIO to sleep",
                            "    - Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info",
                            "      leak",
                            "    - sunrpc: fix null pointer dereference on zero-length checksum",
                            "    - PCI/AER: Avoid NULL pointer dereference in aer_ratelimit()",
                            "    - remoteproc: pru: Fix potential NULL pointer dereference in",
                            "      pru_rproc_set_ctable()",
                            "    - PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before",
                            "      release",
                            "    - thunderbolt: Fix use-after-free in tb_dp_dprx_work",
                            "    - tee: fix register_shm_helper()",
                            "    - pinctrl: check the return value of pinmux_ops::get_function_name()",
                            "    - bus: fsl-mc: Check return value of platform_get_resource()",
                            "    - net/9p: Fix buffer overflow in USB transport layer",
                            "    - net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock",
                            "    - usb: typec: tipd: Clear interrupts first",
                            "    - arm64: dts: qcom: qcm2290: Disable USB SS bus instances in park mode",
                            "    - usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call",
                            "    - scsi: ufs: core: Fix PM QoS mutex initialization",
                            "    - drm/amdgpu/vcn: Fix double-free of vcn dump buffer",
                            "    - Linux 6.17.3",
                            "  * CVE-2025-40019",
                            "    - crypto: essiv - Check ssize for decryption and in-place encryption",
                            "  * CVE-2025-40214",
                            "    - af_unix: Initialise scc_index in unix_add_edge().",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [SAUCE] Fix selftest/net/rtnetlink.sh for Big Endian",
                            ""
                        ],
                        "package": "linux-riscv",
                        "version": "6.17.0-14.14.1",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2137845,
                            1786013,
                            2137849,
                            1786013,
                            2136820,
                            2137698,
                            2129812,
                            2125022,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136813,
                            2132317,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2132095,
                            2131046,
                            2115860,
                            2128792,
                            2121852,
                            2131259,
                            2131259,
                            2131702,
                            2129610
                        ],
                        "author": "Sarah Emery <sarah.emery@canonical.com>",
                        "date": "Fri, 23 Jan 2026 09:46:46 +0100"
                    }
                ],
                "notes": "linux-riscv-tools-6.17.0-14 version '6.17.0-14.14.1' (source package linux-riscv version '6.17.0-14.14.1') was added. linux-riscv-tools-6.17.0-14 version '6.17.0-14.14.1' has the same source package name, linux-riscv, as removed package linux-headers-6.17.0-12-generic. As such we can use the source package version of the removed package, '6.17.0-12.12.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-tools-6.17.0-14-generic",
                "from_version": {
                    "source_package_name": "linux-riscv",
                    "source_package_version": "6.17.0-12.12.1",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-riscv",
                    "source_package_version": "6.17.0-14.14.1",
                    "version": "6.17.0-14.14.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-40256",
                        "url": "https://ubuntu.com/security/CVE-2025-40256",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added  In commit b441cf3f8c4b (\"xfrm: delete x->tunnel as we delete x\"), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists.  In this situation, ->init_state has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn't go through __xfrm_state_delete, so we don't call xfrm_state_delete_tunnel for those states, and we end up leaking the FB tunnel.  There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrm_migrate, xfrm_state_migrate). A \"proper\" rollback of the init_state work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved.  At some point, the new (not-inserted) state will be destroyed, so call xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states will have their fallback tunnel cleaned up during __xfrm_state_delete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68204",
                        "url": "https://ubuntu.com/security/CVE-2025-68204",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pmdomain: arm: scmi: Fix genpd leak on provider registration failure  If of_genpd_add_provider_onecell() fails during probe, the previously created generic power domains are not removed, leading to a memory leak and potential kernel crash later in genpd_debug_add().  Add proper error handling to unwind the initialized domains before returning from probe to ensure all resources are correctly released on failure.  Example crash trace observed without this fix:    | Unable to handle kernel paging request at virtual address fffffffffffffc70   | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT   | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform   | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)   | pc : genpd_debug_add+0x2c/0x160   | lr : genpd_debug_init+0x74/0x98   | Call trace:   |  genpd_debug_add+0x2c/0x160 (P)   |  genpd_debug_init+0x74/0x98   |  do_one_initcall+0xd0/0x2d8   |  do_initcall_level+0xa0/0x140   |  do_initcalls+0x60/0xa8   |  do_basic_setup+0x28/0x40   |  kernel_init_freeable+0xe8/0x170   |  kernel_init+0x2c/0x140   |  ret_from_fork+0x10/0x20",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68203",
                        "url": "https://ubuntu.com/security/CVE-2025-68203",
                        "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40267",
                        "url": "https://ubuntu.com/security/CVE-2025-40267",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/rw: ensure allocated iovec gets cleared for early failure  A previous commit reused the recyling infrastructure for early cleanup, but this is not enough for the case where our internal caches have overflowed. If this happens, then the allocated iovec can get leaked if the request is also aborted early.  Reinstate the previous forced free of the iovec for that situation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68198",
                        "url": "https://ubuntu.com/security/CVE-2025-68198",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crash: fix crashkernel resource shrink  When crashkernel is configured with a high reservation, shrinking its value below the low crashkernel reservation causes two issues:  1. Invalid crashkernel resource objects 2. Kernel crash if crashkernel shrinking is done twice  For example, with crashkernel=200M,high, the kernel reserves 200MB of high memory and some default low memory (say 256MB).  The reservation appears as:  cat /proc/iomem | grep -i crash af000000-beffffff : Crash kernel 433000000-43f7fffff : Crash kernel  If crashkernel is then shrunk to 50MB (echo 52428800 > /sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved: af000000-beffffff : Crash kernel  Instead, it should show 50MB: af000000-b21fffff : Crash kernel  Further shrinking crashkernel to 40MB causes a kernel crash with the following trace (x86):  BUG: kernel NULL pointer dereference, address: 0000000000000038 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI <snip...> Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2f0 ? search_module_extables+0x19/0x60 ? search_bpf_extables+0x5f/0x80 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? __release_resource+0xd/0xb0 release_resource+0x26/0x40 __crash_shrink_memory+0xe5/0x110 crash_shrink_memory+0x12a/0x190 kexec_crash_size_store+0x41/0x80 kernfs_fop_write_iter+0x141/0x1f0 vfs_write+0x294/0x460 ksys_write+0x6d/0xf0 <snip...>  This happens because __crash_shrink_memory()/kernel/crash_core.c incorrectly updates the crashk_res resource object even when crashk_low_res should be updated.  Fix this by ensuring the correct crashkernel resource object is updated when shrinking crashkernel memory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68199",
                        "url": "https://ubuntu.com/security/CVE-2025-68199",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext  When alloc_slab_obj_exts() fails and then later succeeds in allocating a slab extension vector, it calls handle_failed_objexts_alloc() to mark all objects in the vector as empty.  As a result all objects in this slab (slabA) will have their extensions set to CODETAG_EMPTY.  Later on if this slabA is used to allocate a slabobj_ext vector for another slab (slabB), we end up with the slabB->obj_exts pointing to a slabobj_ext vector that itself has a non-NULL slabobj_ext equal to CODETAG_EMPTY.  When slabB gets freed, free_slab_obj_exts() is called to free slabB->obj_exts vector.   free_slab_obj_exts() calls mark_objexts_empty(slabB->obj_exts) which will generate a warning because it expects slabobj_ext vectors to have a NULL obj_ext, not CODETAG_EMPTY.  Modify mark_objexts_empty() to skip the warning and setting the obj_ext value if it's already set to CODETAG_EMPTY.   To quickly detect this WARN, I modified the code from WARN_ON(slab_exts[offs].ref.ct) to BUG_ON(slab_exts[offs].ref.ct == 1);  We then obtained this message:  [21630.898561] ------------[ cut here ]------------ [21630.898596] kernel BUG at mm/slub.c:2050! 
[21630.898611] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [21630.900372] Modules linked in: squashfs isofs vfio_iommu_type1 vhost_vsock vfio vhost_net vmw_vsock_virtio_transport_common vhost tap vhost_iotlb iommufd vsock binfmt_misc nfsv3 nfs_acl nfs lockd grace netfs tls rds dns_resolver tun brd overlay ntfs3 exfat btrfs blake2b_generic xor xor_neon raid6_pq loop sctp ip6_udp_tunnel udp_tunnel nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables rfkill ip_set sunrpc vfat fat joydev sg sch_fq_codel nfnetlink virtio_gpu sr_mod cdrom drm_client_lib virtio_dma_buf drm_shmem_helper drm_kms_helper drm ghash_ce backlight virtio_net virtio_blk virtio_scsi net_failover virtio_console failover virtio_mmio dm_mirror dm_region_hash dm_log dm_multipath dm_mod fuse i2c_dev virtio_pci virtio_pci_legacy_dev virtio_pci_modern_dev virtio virtio_ring autofs4 aes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject] [21630.909177] CPU: 3 UID: 0 PID: 3787 Comm: kylin-process-m Kdump: loaded Tainted: G        W           6.18.0-rc1+ #74 PREEMPT(voluntary) [21630.910495] Tainted: [W]=WARN [21630.910867] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 [21630.911625] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [21630.912392] pc : __free_slab+0x228/0x250 [21630.912868] lr : __free_slab+0x18c/0x250[21630.913334] sp : ffff8000a02f73e0 [21630.913830] x29: ffff8000a02f73e0 x28: fffffdffc43fc800 x27: ffff0000c0011c40 [21630.914677] x26: ffff0000c000cac0 x25: ffff00010fe5e5f0 x24: ffff000102199b40 [21630.915469] x23: 0000000000000003 x22: 0000000000000003 x21: ffff0000c0011c40 [21630.916259] x20: fffffdffc4086600 x19: fffffdffc43fc800 x18: 0000000000000000 [21630.917048] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [21630.917837] x14: 0000000000000000 x13: 0000000000000000 x12: ffff70001405ee66 
[21630.918640] x11: 1ffff0001405ee65 x10: ffff70001405ee65 x9 : ffff800080a295dc [21630.919442] x8 : ffff8000a02f7330 x7 : 0000000000000000 x6 : 0000000000003000 [21630.920232] x5 : 0000000024924925 x4 : 0000000000000001 x3 : 0000000000000007 [21630.921021] x2 : 0000000000001b40 x1 : 000000000000001f x0 : 0000000000000001 [21630.921810] Call trace: [21630.922130]  __free_slab+0x228/0x250 (P) [21630.922669]  free_slab+0x38/0x118 [21630.923079]  free_to_partial_list+0x1d4/0x340 [21630.923591]  __slab_free+0x24c/0x348 [21630.924024]  ___cache_free+0xf0/0x110 [21630.924468]  qlist_free_all+0x78/0x130 [21630.924922]  kasan_quarantine_reduce+0x11 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40268",
                        "url": "https://ubuntu.com/security/CVE-2025-40268",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cifs: client: fix memory leak in smb3_fs_context_parse_param  The user calls fsconfig twice, but when the program exits, free() only frees ctx->source for the second fsconfig, not the first. Regarding fc->source, there is no code in the fs context related to its memory reclamation.  To fix this memory leak, release the source memory corresponding to ctx or fc before each parsing.  syzbot reported: BUG: memory leak unreferenced object 0xffff888128afa360 (size 96):   backtrace (crc 79c9c7ba):     kstrdup+0x3c/0x80 mm/util.c:84     smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444  BUG: memory leak unreferenced object 0xffff888112c7d900 (size 96):   backtrace (crc 79c9c7ba):     smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629     smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40269",
                        "url": "https://ubuntu.com/security/CVE-2025-40269",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix potential overflow of PCM transfer buffer  The PCM stream data in USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically.  The packet sizes are limited by some factors such as wMaxPacketSize USB descriptor.  OTOH, in the current code, the actually used packet sizes are determined only by the rate and the PPS, which may be bigger than the size limit above.  This results in a buffer overflow, as reported by syzbot.  Basically when the limit is smaller than the calculated packet size, it implies that something is wrong, most likely a weird USB descriptor.  So the best option would be just to return an error at the parameter setup time before doing any further operations.  This patch introduces such a sanity check, and returns -EINVAL when the packet size is greater than maxpacksize.  The comparison with ep->packsize[1] alone should suffice since it's always equal or greater than ep->packsize[0].",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68205",
                        "url": "https://ubuntu.com/security/CVE-2025-68205",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver  After restructuring and splitting the HDMI codec driver code, each HDMI codec driver contains the own build_controls and build_pcms ops. A copy-n-paste error put the wrong entries for nvhdmi-mcp driver; both build_controls and build_pcms are swapped.  Unfortunately both callbacks have the very same form, and the compiler didn't complain it, either.  This resulted in a NULL dereference because the PCM instance hasn't been initialized at calling the build_controls callback.  Fix it by passing the proper entries.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40270",
                        "url": "https://ubuntu.com/security/CVE-2025-40270",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm, swap: fix potential UAF issue for VMA readahead  Since commit 78524b05f1a3 (\"mm, swap: avoid redundant swap device pinning\"), the common helper for allocating and preparing a folio in the swap cache layer no longer tries to get a swap device reference internally, because all callers of __read_swap_cache_async are already holding a swap entry reference.  The repeated swap device pinning isn't needed on the same swap device.  Caller of VMA readahead is also holding a reference to the target entry's swap device, but VMA readahead walks the page table, so it might encounter swap entries from other devices, and call __read_swap_cache_async on another device without holding a reference to it.  So it is possible to cause a UAF when swapoff of device A raced with swapin on device B, and VMA readahead tries to read swap entries from device A.  It's not easy to trigger, but in theory, it could cause real issues.  Make VMA readahead try to get the device reference first if the swap device is a different one from the target entry.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40271",
                        "url": "https://ubuntu.com/security/CVE-2025-40271",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/proc: fix uaf in proc_readdir_de()  Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which may result in uaf access.  We should use RB_CLEAR_NODE() set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access.  We found an uaf issue while using stress-ng testing, need to run testcase getdent and tun in the same time.  The steps of the issue is as follows:  1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current    pde is tun3;  2) in the [time windows] unregister netdevice tun3 and tun2, and erase    them from rbtree.  erase tun3 first, and then erase tun2.  the    pde(tun2) will be released to slab;  3) continue to getdent process, then pde_subdir_next() will return    pde(tun2) which is released, it will case uaf access.  CPU 0                                      |    CPU 1 ------------------------------------------------------------------------- traverse dir /proc/pid/net/dev_snmp6/      |  unregister_netdevice(tun->dev)   //tun3 tun2 sys_getdents64()                           |   iterate_dir()                            |     proc_readdir()                         |       proc_readdir_de()                    |     snmp6_unregister_dev()         pde_get(de);                       |       proc_remove()         read_unlock(&proc_subdir_lock);    |         remove_proc_subtree()                                            |          write_lock(&proc_subdir_lock);         [time window]                      |          rb_erase(&root->subdir_node, &parent->subdir);                                            |          write_unlock(&proc_subdir_lock);         read_lock(&proc_subdir_lock);      |         next = pde_subdir_next(de);        |         pde_put(de);                       |         de = next;    //UAF                |  rbtree of dev_snmp6                         |        
             pde(tun3)                      /    \\                   NULL  pde(tun2)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40272",
                        "url": "https://ubuntu.com/security/CVE-2025-40272",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/secretmem: fix use-after-free race in fault handler  When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping.  If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in adding the folio to the file mapping.  The task that failed undoes the effects of its attempt by (a) freeing the folio again and (b) putting the page back into the direct map.  However, by doing these two operations in this order, the page becomes available to the allocator again before it is placed back in the direct mapping.  If another task attempts to allocate the page between (a) and (b), and the kernel tries to access it via the direct map, it would result in a supervisor not-present page fault.  Fix the ordering to restore the direct map before the folio is freed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68245",
                        "url": "https://ubuntu.com/security/CVE-2025-68245",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: netpoll: fix incorrect refcount handling causing incorrect cleanup  commit efa95b01da18 (\"netpoll: fix use after free\") incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks.  Scenario causing lack of proper cleanup:  1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is    allocated, and refcnt = 1    - Keep in mind that npinfo is shared among all netpoll instances. In      this case, there is just one.  2) Another netpoll is also associated with the same NIC and    npinfo->refcnt += 1.    - Now dev->npinfo->refcnt = 2;    - There is just one npinfo associated to the netdev.  3) When the first netpolls goes to clean up:    - The first cleanup succeeds and clears np->dev->npinfo, ignoring      refcnt.      - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);`    - Set dev->npinfo = NULL, without proper cleanup    - No ->ndo_netpoll_cleanup() is either called  4) Now the second target tries to clean up    - The second cleanup fails because np->dev->npinfo is already NULL.      * In this case, ops->ndo_netpoll_cleanup() was never called, and        the skb pool is not cleaned as well (for the second netpoll        instance)   - This leaks npinfo and skbpool skbs, which is clearly reported by     kmemleak.  Revert commit efa95b01da18 (\"netpoll: fix use after free\") and adds clarifying comments emphasizing that npinfo cleanup should only happen once the refcount reaches zero, ensuring stable and correct netpoll behavior.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68240",
                        "url": "https://ubuntu.com/security/CVE-2025-68240",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: avoid having an active sc_timer before freeing sci  Because kthread_stop did not stop sc_task properly and returned -EINTR, the sc_timer was not properly closed, ultimately causing the problem [1] reported by syzbot when freeing sci due to the sc_timer not being closed.  Because the thread sc_task main function nilfs_segctor_thread() returns 0 when it succeeds, when the return value of kthread_stop() is not 0 in nilfs_segctor_destroy(), we believe that it has not properly closed sc_timer.  We use timer_shutdown_sync() to sync wait for sc_timer to shutdown, and set the value of sc_task to NULL under the protection of lock sc_state_lock, so as to avoid the issue caused by sc_timer not being properly shutdowned.  [1] ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: nilfs_construction_timeout Call trace:  nilfs_segctor_destroy fs/nilfs2/segment.c:2811 [inline]  nilfs_detach_log_writer+0x668/0x8cc fs/nilfs2/segment.c:2877  nilfs_put_super+0x4c/0x12c fs/nilfs2/super.c:509",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68241",
                        "url": "https://ubuntu.com/security/CVE-2025-68241",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe  The sit driver's packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random.  The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exception() can fetch the soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a new dst using a dst_hold(). When the original fnheX is freed via RCU, the dst reference remains permanently leaked.  CPU 0                             CPU 1 __mkroute_output()   find_exception() [fnheX]                                   update_or_create_fnhe()                                     fnhe_remove_oldest() [fnheX]   rt_bind_exception() [bind dst]                                   RCU callback [fnheX freed, dst leak]  This issue manifests as a device reference count leak and a warning in dmesg when unregistering the net device:    unregister_netdevice: waiting for sitX to become free. Usage count = N  Ido Schimmel provided the simple test validation method [1].  The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes(). Since rt_bind_exception() checks this field, setting it to zero prevents the stale fnhe from being reused and bound to a new dst just before it is freed.  
[1] ip netns add ns1 ip -n ns1 link set dev lo up ip -n ns1 address add 192.0.2.1/32 dev lo ip -n ns1 link add name dummy1 up type dummy ip -n ns1 route add 192.0.2.2/32 dev dummy1 ip -n ns1 link add name gretap1 up arp off type gretap \\     local 192.0.2.1 remote 192.0.2.2 ip -n ns1 route add 198.51.0.0/16 dev gretap1 taskset -c 0 ip netns exec ns1 mausezahn gretap1 \\     -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & taskset -c 2 ip netns exec ns1 mausezahn gretap1 \\     -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & sleep 10 ip netns pids ns1 | xargs kill ip netns del ns1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68211",
                        "url": "https://ubuntu.com/security/CVE-2025-68211",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksm: use range-walk function to jump over holes in scan_get_next_rmap_item  Currently, scan_get_next_rmap_item() walks every page address in a VMA to locate mergeable pages.  This becomes highly inefficient when scanning large virtual memory areas that contain mostly unmapped regions, causing ksmd to use large amount of cpu without deduplicating much pages.  This patch replaces the per-address lookup with a range walk using walk_page_range().  The range walker allows KSM to skip over entire unmapped holes in a VMA, avoiding unnecessary lookups.  This problem was previously discussed in [1].  Consider the following test program which creates a 32 TiB mapping in the virtual address space but only populates a single page:  #include <unistd.h> #include <stdio.h> #include <sys/mman.h>  /* 32 TiB */ const size_t size = 32ul * 1024 * 1024 * 1024 * 1024;  int main() {         char *area = mmap(NULL, size, PROT_READ | PROT_WRITE,                           MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1, 0);          if (area == MAP_FAILED) {                 perror(\"mmap() failed\\n\");                 return -1;         }          /* Populate a single page such that we get an anon_vma. */         *area = 0;          /* Enable KSM. */         madvise(area, size, MADV_MERGEABLE);         pause();         return 0; }  $ ./ksm-sparse  & $ echo 1 > /sys/kernel/mm/ksm/run  Without this patch ksmd uses 100% of the cpu for a long time (more then 1 hour in my test machine) scanning all the 32 TiB virtual address space that contain only one mapped page.  This makes ksmd essentially deadlocked not able to deduplicate anything of value.  With this patch ksmd walks only the one mapped page and skips the rest of the 32 TiB virtual address space, making the scan fast using little cpu.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68246",
                        "url": "https://ubuntu.com/security/CVE-2025-68246",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: close accepted socket when per-IP limit rejects connection  When the per-IP connection limit is exceeded in ksmbd_kthread_fn(), the code sets ret = -EAGAIN and continues the accept loop without closing the just-accepted socket. That leaks one socket per rejected attempt from a single IP and enables a trivial remote DoS.  Release client_sk before continuing.  This bug was found with ZeroPath.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40273",
                        "url": "https://ubuntu.com/security/CVE-2025-40273",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: free copynotify stateid in nfs4_free_ol_stateid()  Typically copynotify stateid is freed either when parent's stateid is being close/freed or in nfsd4_laundromat if the stateid hasn't been used in a lease period.  However, in case when the server got an OPEN (which created a parent stateid), followed by a COPY_NOTIFY using that stateid, followed by a client reboot. New client instance while doing CREATE_SESSION would force expire previous state of this client. It leads to the open state being freed thru release_openowner-> nfs4_free_ol_stateid() and it finds that it still has copynotify stateid associated with it. We currently print a warning and is triggerred  WARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd]  This patch, instead, frees the associated copynotify stateid here.  If the parent stateid is freed (without freeing the copynotify stateids associated with it), it leads to the list corruption when laundromat ends up freeing the copynotify state later.  
[ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP [ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink [ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G    B   W           6.17.0-rc7+ #22 PREEMPT(voluntary) [ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN [ 1626.857573] Hardware name: VMware, Inc. 
VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024 [ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd] [ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.861182] sp : ffff8000881d7a40 [ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200 [ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20 [ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8 [ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000 [ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065 [ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3 [ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000 [ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001 [ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000 [ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d [ 1626.868167] Call trace: [ 1626.868382]  __list_del_entry_valid_or_report+0x148/0x200 (P) [ 1626.868876]  _free_cpntf_state_locked+0xd0/0x268 [nfsd] [ 1626.869368]  nfs4_laundromat+0x6f8/0x1058 [nfsd] [ 1626.869813]  laundromat_main+0x24/0x60 [nfsd] [ 1626.870231]  process_one_work+0x584/0x1050 [ 1626.870595]  worker_thread+0x4c4/0xc60 [ 1626.870893]  kthread+0x2f8/0x398 [ 1626.871146]  ret_from_fork+0x10/0x20 [ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000) [ 1626.871892] SMP: stopping secondary CPUs",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40212",
                        "url": "https://ubuntu.com/security/CVE-2025-40212",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfsd: fix refcount leak in nfsd_set_fh_dentry()  nfsd exports a \"pseudo root filesystem\" which is used by NFSv4 to find the various exported filesystems using LOOKUP requests from a known root filehandle.  NFSv3 uses the MOUNT protocol to find those exported filesystems and so is not given access to the pseudo root filesystem.  If a v3 (or v2) client uses a filehandle from that filesystem, nfsd_set_fh_dentry() will report an error, but still stores the export in \"struct svc_fh\" even though it also drops the reference (exp_put()). This means that when fh_put() is called an extra reference will be dropped which can lead to use-after-free and possible denial of service.  Normal NFS usage will not provide a pseudo-root filehandle to a v3 client.  This bug can only be triggered by the client synthesising an incorrect filehandle.  To fix this we move the assignments to the svc_fh later, after all possible error cases have been detected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-24 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40274",
                        "url": "https://ubuntu.com/security/CVE-2025-40274",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying  When unbinding a memslot from a guest_memfd instance, remove the bindings even if the guest_memfd file is dying, i.e. even if its file refcount has gone to zero.  If the memslot is freed before the file is fully released, nullifying the memslot side of the binding in kvm_gmem_release() will write to freed memory, as detected by syzbot+KASAN:    ==================================================================   BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353   Write of size 8 at addr ffff88807befa508 by task syz.0.17/6022    CPU: 0 UID: 0 PID: 6022 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025   Call Trace:    <TASK>    dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120    print_address_description mm/kasan/report.c:378 [inline]    print_report+0xca/0x240 mm/kasan/report.c:482    kasan_report+0x118/0x150 mm/kasan/report.c:595    kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353    __fput+0x44c/0xa70 fs/file_table.c:468    task_work_run+0x1d4/0x260 kernel/task_work.c:227    resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]    exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43    exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]    syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]    syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]    do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100    entry_SYSCALL_64_after_hwframe+0x77/0x7f   RIP: 0033:0x7fbeeff8efc9    </TASK>    Allocated by task 6023:    kasan_save_stack mm/kasan/common.c:56 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:77    poison_kmalloc_redzone mm/kasan/common.c:397 
[inline]    __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414    kasan_kmalloc include/linux/kasan.h:262 [inline]    __kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5758    kmalloc_noprof include/linux/slab.h:957 [inline]    kzalloc_noprof include/linux/slab.h:1094 [inline]    kvm_set_memory_region+0x747/0xb90 virt/kvm/kvm_main.c:2104    kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154    kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:597 [inline]    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    Freed by task 6023:    kasan_save_stack mm/kasan/common.c:56 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:77    kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584    poison_slab_object mm/kasan/common.c:252 [inline]    __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284    kasan_slab_free include/linux/kasan.h:234 [inline]    slab_free_hook mm/slub.c:2533 [inline]    slab_free mm/slub.c:6622 [inline]    kfree+0x19a/0x6d0 mm/slub.c:6829    kvm_set_memory_region+0x9c4/0xb90 virt/kvm/kvm_main.c:2130    kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154    kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:597 [inline]    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f  Deliberately don't acquire filemap invalid lock when the file is dying as the lifecycle of f_mapping is outside the purview of KVM.  
Dereferencing the mapping is *probably* fine, but there's no need to invalidate anything as memslot deletion is responsible for zapping SPTEs, and the only code that can access the dying file is kvm_gmem_release(), whose core code is mutual ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68202",
                        "url": "https://ubuntu.com/security/CVE-2025-68202",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Fix unsafe locking in the scx_dump_state()  For built with CONFIG_PREEMPT_RT=y kernels, the dump_lock will be converted sleepable spinlock and not disable-irq, so the following scenarios occur:  inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. irq_work/0/27 [HC0[0]:SC0[0]:HE1:SE1] takes: (&rq->__lock){?...}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x40 {IN-HARDIRQ-W} state was registered at:    lock_acquire+0x1e1/0x510    _raw_spin_lock_nested+0x42/0x80    raw_spin_rq_lock_nested+0x2b/0x40    sched_tick+0xae/0x7b0    update_process_times+0x14c/0x1b0    tick_periodic+0x62/0x1f0    tick_handle_periodic+0x48/0xf0    timer_interrupt+0x55/0x80    __handle_irq_event_percpu+0x20a/0x5c0    handle_irq_event_percpu+0x18/0xc0    handle_irq_event+0xb5/0x150    handle_level_irq+0x220/0x460    __common_interrupt+0xa2/0x1e0    common_interrupt+0xb0/0xd0    asm_common_interrupt+0x2b/0x40    _raw_spin_unlock_irqrestore+0x45/0x80    __setup_irq+0xc34/0x1a30    request_threaded_irq+0x214/0x2f0    hpet_time_init+0x3e/0x60    x86_late_time_init+0x5b/0xb0    start_kernel+0x308/0x410    x86_64_start_reservations+0x1c/0x30    x86_64_start_kernel+0x96/0xa0    common_startup_64+0x13e/0x148   other info that might help us debug this:  Possible unsafe locking scenario:          CPU0         ----    lock(&rq->__lock);    <Interrupt>      lock(&rq->__lock);    *** DEADLOCK ***   stack backtrace:  CPU: 0 UID: 0 PID: 27 Comm: irq_work/0  Call Trace:   <TASK>   dump_stack_lvl+0x8c/0xd0   dump_stack+0x14/0x20   print_usage_bug+0x42e/0x690   mark_lock.part.44+0x867/0xa70   ? __pfx_mark_lock.part.44+0x10/0x10   ? string_nocheck+0x19c/0x310   ? number+0x739/0x9f0   ? __pfx_string_nocheck+0x10/0x10   ? __pfx_check_pointer+0x10/0x10   ? kvm_sched_clock_read+0x15/0x30   ? sched_clock_noinstr+0xd/0x20   ? local_clock_noinstr+0x1c/0xe0   __lock_acquire+0xc4b/0x62b0   ? 
__pfx_format_decode+0x10/0x10   ? __pfx_string+0x10/0x10   ? __pfx___lock_acquire+0x10/0x10   ? __pfx_vsnprintf+0x10/0x10   lock_acquire+0x1e1/0x510   ? raw_spin_rq_lock_nested+0x2b/0x40   ? __pfx_lock_acquire+0x10/0x10   ? dump_line+0x12e/0x270   ? raw_spin_rq_lock_nested+0x20/0x40   _raw_spin_lock_nested+0x42/0x80   ? raw_spin_rq_lock_nested+0x2b/0x40   raw_spin_rq_lock_nested+0x2b/0x40   scx_dump_state+0x3b3/0x1270   ? finish_task_switch+0x27e/0x840   scx_ops_error_irq_workfn+0x67/0x80   irq_work_single+0x113/0x260   irq_work_run_list.part.3+0x44/0x70   run_irq_workd+0x6b/0x90   ? __pfx_run_irq_workd+0x10/0x10   smpboot_thread_fn+0x529/0x870   ? __pfx_smpboot_thread_fn+0x10/0x10   kthread+0x305/0x3f0   ? __pfx_kthread+0x10/0x10   ret_from_fork+0x40/0x70   ? __pfx_kthread+0x10/0x10   ret_from_fork_asm+0x1a/0x30   </TASK>  This commit therefore use rq_lock_irqsave/irqrestore() to replace rq_lock/unlock() in the scx_dump_state().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68239",
                        "url": "https://ubuntu.com/security/CVE-2025-68239",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  binfmt_misc: restore write access before closing files opened by open_exec()  bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed.  However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write operations on the same file to fail.  Fix this by calling exe_file_allow_write_access() before filp_close() to restore the write permission properly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68247",
                        "url": "https://ubuntu.com/security/CVE-2025-68247",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  posix-timers: Plug potential memory leak in do_timer_create()  When posix timer creation is set to allocate a given timer ID and the access to the user space value faults, the function terminates without freeing the already allocated posix timer structure.  Move the allocation after the user space access to cure that.  [ tglx: Massaged change log ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68208",
                        "url": "https://ubuntu.com/security/CVE-2025-68208",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: account for current allocated stack depth in widen_imprecise_scalars()  The usage pattern for widen_imprecise_scalars() looks as follows:      prev_st = find_prev_entry(env, ...);     queued_st = push_stack(...);     widen_imprecise_scalars(env, prev_st, queued_st);  Where prev_st is an ancestor of the queued_st in the explored states tree. This ancestor is not guaranteed to have the same allocated stack depth as queued_st. E.g. in the following case:      def main():       for i in 1..2:         foo(i)        // same callsite, different param      def foo(i):       if i == 1:         use 128 bytes of stack       iterator based loop  Here, for a second 'foo' call prev_st->allocated_stack is 128, while queued_st->allocated_stack is much smaller. widen_imprecise_scalars() needs to take this into account and avoid accessing bpf_verifier_state->frame[*]->stack out of bounds.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68200",
                        "url": "https://ubuntu.com/security/CVE-2025-68200",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Add bpf_prog_run_data_pointers()  syzbot found that cls_bpf_classify() is able to change tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().  WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline] WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214  struct tc_skb_cb has been added in commit ec624fe740b4 (\"net/sched: Extend qdisc control block with tc control block\"), which added a wrong interaction with db58ba459202 (\"bpf: wire in data and data_end for cls_act_bpf\").  drop_reason was added later.  Add bpf_prog_run_data_pointers() helper to save/restore the net_sched storage colliding with BPF data_meta/data_end.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40275",
                        "url": "https://ubuntu.com/security/CVE-2025-40275",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd  In snd_usb_create_streams(), for UAC version 3 devices, the Interface Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this call fails, a fallback routine attempts to obtain the IAD from the next interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, without performing a NULL check. This can lead to a NULL pointer dereference when usb_ifnum_to_if() fails to find the interface descriptor.  This patch adds a NULL pointer check after calling usb_ifnum_to_if() in snd_usb_mixer_controls_badd() to prevent the dereference.  This issue was discovered by syzkaller, which triggered the bug by sending a crafted USB device descriptor.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68242",
                        "url": "https://ubuntu.com/security/CVE-2025-68242",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS: Fix LTP test failures when timestamps are delegated  The utimes01 and utime06 tests fail when delegated timestamps are enabled, specifically in subtests that modify the atime and mtime fields using the 'nobody' user ID.  The problem can be reproduced as follows:  # echo \"/media *(rw,no_root_squash,sync)\" >> /etc/exports # export -ra # mount -o rw,nfsvers=4.2 127.0.0.1:/media /tmpdir # cd /opt/ltp # ./runltp -d /tmpdir -s utimes01 # ./runltp -d /tmpdir -s utime06  This issue occurs because nfs_setattr does not verify the inode's UID against the caller's fsuid when delegated timestamps are permitted for the inode.  This patch adds the UID check and if it does not match then the request is sent to the server for permission checking.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68243",
                        "url": "https://ubuntu.com/security/CVE-2025-68243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS: Check the TLS certificate fields in nfs_match_client()  If the TLS security policy is of type RPC_XPRTSEC_TLS_X509, then the cert_serial and privkey_serial fields need to match as well since they define the client's identity, as presented to the server.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40276",
                        "url": "https://ubuntu.com/security/CVE-2025-40276",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/panthor: Flush shmem writes before mapping buffers CPU-uncached  The shmem layer zeroes out the new pages using cached mappings, and if we don't CPU-flush we might leave dirty cachelines behind, leading to potential data leaks and/or asynchronous buffer corruption when dirty cachelines are evicted.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40277",
                        "url": "https://ubuntu.com/security/CVE-2025-40277",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE  This data originates from userspace and is used in buffer offset calculations which could potentially overflow causing an out-of-bounds access.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68206",
                        "url": "https://ubuntu.com/security/CVE-2025-68206",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_ct: add seqadj extension for natted connections  Sequence adjustment may be required for FTP traffic with PASV/EPSV modes. due to need to re-write packet payload (IP, port) on the ftp control connection. This can require changes to the TCP length and expected seq / ack_seq.  The easiest way to reproduce this issue is with PASV mode. Example ruleset: table inet ftp_nat {         ct helper ftp_helper {                 type \"ftp\" protocol tcp                 l3proto inet         }          chain prerouting {                 type filter hook prerouting priority 0; policy accept;                 tcp dport 21 ct state new ct helper set \"ftp_helper\"         } } table ip nat {         chain prerouting {                 type nat hook prerouting priority -100; policy accept;                 tcp dport 21 dnat ip prefix to ip daddr map { \t\t\t192.168.100.1 : 192.168.13.2/32 }         }          chain postrouting {                 type nat hook postrouting priority 100 ; policy accept;                 tcp sport 21 snat ip prefix to ip saddr map { \t\t\t192.168.13.2 : 192.168.100.1/32 }         } }  Note that the ftp helper gets assigned *after* the dnat setup.  The inverse (nat after helper assign) is handled by an existing check in nf_nat_setup_info() and will not show the problem.  Topoloy:   +-------------------+     +----------------------------------+  | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |  +-------------------+     +----------------------------------+                                       |                          +-----------------------+                          | Client: 192.168.100.2 |                          +-----------------------+  ftp nat changes do not work as expected in this case: Connected to 192.168.100.1. [..] ftp> epsv EPSV/EPRT on IPv4 off. ftp> ls 227 Entering passive mode (192,168,100,1,209,129). 
421 Service not available, remote server has closed connection.  Kernel logs: Missing nfct_seqadj_ext_add() setup call WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41 [..]  __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]  nf_nat_ftp+0x142/0x280 [nf_nat_ftp]  help+0x4d1/0x880 [nf_conntrack_ftp]  nf_confirm+0x122/0x2e0 [nf_conntrack]  nf_hook_slow+0x3c/0xb0  ..  Fix this by adding the required extension when a conntrack helper is assigned to a connection that has a nat binding.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68209",
                        "url": "https://ubuntu.com/security/CVE-2025-68209",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mlx5: Fix default values in create CQ  Currently, CQs without a completion function are assigned the mlx5_add_cq_to_tasklet function by default. This is problematic since only user CQs created through the mlx5_ib driver are intended to use this function.  Additionally, all CQs that will use doorbells instead of polling for completions must call mlx5_cq_arm. However, the default CQ creation flow leaves a valid value in the CQ's arm_db field, allowing FW to send interrupts to polling-only CQs in certain corner cases.  These two factors would allow a polling-only kernel CQ to be triggered by an EQ interrupt and call a completion function intended only for user CQs, causing a null pointer exception.  Some areas in the driver have prevented this issue with one-off fixes but did not address the root cause.  This patch fixes the described issue by adding defaults to the create CQ flow. It adds a default dummy completion function to protect against null pointer exceptions, and it sets an invalid command sequence number by default in kernel CQs to prevent the FW from sending an interrupt to the CQ until it is armed. User CQs are responsible for their own initialization values.  Callers of mlx5_core_create_cq are responsible for changing the completion function and arming the CQ per their needs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40278",
                        "url": "https://ubuntu.com/security/CVE-2025-40278",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak  Fix a KMSAN kernel-infoleak detected by syzbot.  [net?] KMSAN: kernel-infoleak in __skb_datagram_iter  In tcf_ife_dump(), the variable 'opt' was partially initialized using a designated initializer, while the padding bytes remained uninitialized. Because nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace.  Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to being copied.  This change silences the KMSAN report and prevents potential information leaks from the kernel memory.  This fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures no infoleak.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40279",
                        "url": "https://ubuntu.com/security/CVE-2025-40279",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: act_connmark: initialize struct tc_ife to fix kernel leak  In tcf_connmark_dump(), the variable 'opt' was partially initialized using a designated initializer, while the padding bytes remained uninitialized. Because nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace.  Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to being copied.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40280",
                        "url": "https://ubuntu.com/security/CVE-2025-40280",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tipc: Fix use-after-free in tipc_mon_reinit_self().  syzbot reported use-after-free of tipc_net(net)->monitors[] in tipc_mon_reinit_self(). [0]  The array is protected by RTNL, but tipc_mon_reinit_self() iterates over it without RTNL.  tipc_mon_reinit_self() is called from tipc_net_finalize(), which is always under RTNL except for tipc_net_finalize_work().  Let's hold RTNL in tipc_net_finalize_work().  [0]: BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162 Read of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989  CPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Workqueue: events tipc_net_finalize_work Call Trace:  <TASK>  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0xca/0x240 mm/kasan/report.c:482  kasan_report+0x118/0x150 mm/kasan/report.c:595  __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568  kasan_check_byte include/linux/kasan.h:399 [inline]  lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842  __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]  _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162  rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline]  rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline]  rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244  rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243  write_lock_bh include/linux/rwlock_rt.h:99 [inline]  tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718  tipc_net_finalize+0x115/0x190 net/tipc/net.c:140  process_one_work kernel/workqueue.c:3236 [inline]  
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400  kthread+0x70e/0x8a0 kernel/kthread.c:463  ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 6089:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:388 [inline]  __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405  kasan_kmalloc include/linux/kasan.h:260 [inline]  __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407  kmalloc_noprof include/linux/slab.h:905 [inline]  kzalloc_noprof include/linux/slab.h:1039 [inline]  tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657  tipc_enable_bearer net/tipc/bearer.c:357 [inline]  __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047  __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline]  tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393  tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline]  tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321  genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115  genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]  genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210  netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552  genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219  netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]  netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346  netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896  sock_sendmsg_nosec net/socket.c:714 [inline]  __sock_sendmsg+0x21c/0x270 net/socket.c:729  ____sys_sendmsg+0x508/0x820 net/socket.c:2614  ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668  __sys_sendmsg net/socket.c:2700 [inline]  __do_sys_sendmsg net/socket.c:2705 [inline]  __se_sys_sendmsg net/socket.c:2703 [inline]  __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703  do_syscall_x64 
arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/ ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40281",
                        "url": "https://ubuntu.com/security/CVE-2025-40281",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto  syzbot reported a possible shift-out-of-bounds [1]  Blamed commit added rto_alpha_max and rto_beta_max set to 1000.  It is unclear if some sctp users are setting very large rto_alpha and/or rto_beta.  In order to prevent user regression, perform the test at run time.  Also add READ_ONCE() annotations as sysctl values can change under us.  [1]  UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41 shift exponent 64 is too large for 32-bit type 'unsigned int' CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace:  <TASK>   __dump_stack lib/dump_stack.c:94 [inline]   dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120   ubsan_epilogue lib/ubsan.c:233 [inline]   __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494   sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509   sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502   sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338   sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]   sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40282",
                        "url": "https://ubuntu.com/security/CVE-2025-40282",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: 6lowpan: reset link-local header on ipv6 recv path  Bluetooth 6lowpan.c netdev has header_ops, so it must set link-local header for RX skb, otherwise things crash, eg. with AF_PACKET SOCK_RAW  Add missing skb_reset_mac_header() for uncompressed ipv6 RX path.  For the compressed one, it is done in lowpan_header_decompress().  Log: (BlueZ 6lowpan-tester Client Recv Raw - Success) ------ kernel BUG at net/core/skbuff.c:212! Call Trace: <IRQ> ... packet_rcv (net/packet/af_packet.c:2152) ... <TASK> __local_bh_enable_ip (kernel/softirq.c:407) netif_rx (net/core/dev.c:5648) chan_recv_cb (net/bluetooth/6lowpan.c:294 net/bluetooth/6lowpan.c:359) ------",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40283",
                        "url": "https://ubuntu.com/security/CVE-2025-40283",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF  There is a KASAN: slab-use-after-free read in btusb_disconnect(). Calling \"usb_driver_release_interface(&btusb_driver, data->intf)\" will free the btusb data associated with the interface. The same data is then used later in the function, hence the UAF.  Fix by moving the accesses to btusb data to before the data is free'd.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40284",
                        "url": "https://ubuntu.com/security/CVE-2025-40284",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: cancel mesh send timer when hdev removed  mesh_send_done timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone.  Cancel the timer when MGMT removes the hdev, like other MGMT timers.  Should fix the BUG: sporadically seen by BlueZ test bot (in \"Mesh - Send cancel - 1\" test).  Log: ------ BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0 ... Freed by task 36:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  __kasan_save_free_info+0x3a/0x60  __kasan_slab_free+0x43/0x70  kfree+0x103/0x500  device_release+0x9a/0x210  kobject_put+0x100/0x1e0  vhci_release+0x18b/0x240 ------",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68210",
                        "url": "https://ubuntu.com/security/CVE-2025-68210",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: avoid infinite loop due to incomplete zstd-compressed data  Currently, the decompression logic incorrectly spins if compressed data is truncated in crafted (deliberately corrupted) images.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40285",
                        "url": "https://ubuntu.com/security/CVE-2025-40285",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/server: fix possible refcount leak in smb2_sess_setup()  Reference count of ksmbd_session will leak when the session needs to reconnect. Fix this by adding the missing ksmbd_user_session_put().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40286",
                        "url": "https://ubuntu.com/security/CVE-2025-40286",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/server: fix possible memory leak in smb2_read()  Memory leak occurs when ksmbd_vfs_read() fails. Fix this by adding the missing kvfree().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40287",
                        "url": "https://ubuntu.com/security/CVE-2025-40287",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exfat: fix improper check of dentry.stream.valid_size  We found an infinite loop bug in the exFAT file system that can lead to a Denial-of-Service (DoS) condition. When a dentry in an exFAT filesystem is malformed, the following system calls — SYS_openat, SYS_ftruncate, and SYS_pwrite64 — can cause the kernel to hang.  Root cause analysis shows that the size validation code in exfat_find() does not check whether dentry.stream.valid_size is negative. As a result, the system calls mentioned above can succeed and eventually trigger the DoS issue.  This patch adds a check for negative dentry.stream.valid_size to prevent this vulnerability.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40288",
                        "url": "https://ubuntu.com/security/CVE-2025-40288",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices  Previously, APU platforms (and other scenarios with uninitialized VRAM managers) triggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root cause is not that the `struct ttm_resource_manager *man` pointer itself is NULL, but that `man->bdev` (the backing device pointer within the manager) remains uninitialized (NULL) on APUs—since APUs lack dedicated VRAM and do not fully set up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to acquire `man->bdev->lru_lock`, it dereferences the NULL `man->bdev`, leading to a kernel OOPS.  1. **amdgpu_cs.c**: Extend the existing bandwidth control check in    `amdgpu_cs_get_threshold_for_moves()` to include a check for    `ttm_resource_manager_used()`. If the manager is not used (uninitialized    `bdev`), return 0 for migration thresholds immediately—skipping VRAM-specific    logic that would trigger the NULL dereference.  2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info    reporting to use a conditional: if the manager is used, return the real VRAM    usage; otherwise, return 0. This avoids accessing `man->bdev` when it is    NULL.  3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function)    data write path. Use `ttm_resource_manager_used()` to check validity: if the    manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set    `fb_usage` to 0 (APUs have no discrete framebuffer to report).  This approach is more robust than APU-specific checks because it: - Works for all scenarios where the VRAM manager is uninitialized (not just APUs), - Aligns with TTM's design by using its native helper function, - Preserves correct behavior for discrete GPUs (which have fully initialized   `man->bdev` and pass the `ttm_resource_manager_used()` check).  
v4: use ttm_resource_manager_used(&adev->mman.vram_mgr.manager) instead of checking the adev->gmc.is_app_apu flag (Christian)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40289",
                        "url": "https://ubuntu.com/security/CVE-2025-40289",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM  Otherwise accessing them can cause a crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-06 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68201",
                        "url": "https://ubuntu.com/security/CVE-2025-68201",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: remove two invalid BUG_ON()s  Those can be triggered trivially by userspace.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68207",
                        "url": "https://ubuntu.com/security/CVE-2025-68207",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Synchronize Dead CT worker with unbind  Cancel and wait for any Dead CT worker to complete before continuing with device unbinding. Otherwise the worker will end up using resources freed by the unbind operation.  (cherry picked from commit 492671339114e376aaa38626d637a2751cdef263)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68244",
                        "url": "https://ubuntu.com/security/CVE-2025-68244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD  On completion of i915_vma_pin_ww(), a synchronous variant of dma_fence_work_commit() is called.  When pinning a VMA to GGTT address space on a Cherry View family processor, or on a Broxton generation SoC with VTD enabled, i.e., when stop_machine() is then called from intel_ggtt_bind_vma(), that can potentially lead to lock inversion among reservation_ww and cpu_hotplug locks.  [86.861179] ====================================================== [86.861193] WARNING: possible circular locking dependency detected [86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G     U [86.861226] ------------------------------------------------------ [86.861238] i915_module_loa/1432 is trying to acquire lock: [86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50 [86.861290] but task is already holding lock: [86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915] [86.862233] which lock already depends on the new lock. 
[86.862251] the existing dependency chain (in reverse order) is: [86.862265] -> #5 (reservation_ww_class_mutex){+.+.}-{3:3}: [86.862292]        dma_resv_lockdep+0x19a/0x390 [86.862315]        do_one_initcall+0x60/0x3f0 [86.862334]        kernel_init_freeable+0x3cd/0x680 [86.862353]        kernel_init+0x1b/0x200 [86.862369]        ret_from_fork+0x47/0x70 [86.862383]        ret_from_fork_asm+0x1a/0x30 [86.862399] -> #4 (reservation_ww_class_acquire){+.+.}-{0:0}: [86.862425]        dma_resv_lockdep+0x178/0x390 [86.862440]        do_one_initcall+0x60/0x3f0 [86.862454]        kernel_init_freeable+0x3cd/0x680 [86.862470]        kernel_init+0x1b/0x200 [86.862482]        ret_from_fork+0x47/0x70 [86.862495]        ret_from_fork_asm+0x1a/0x30 [86.862509] -> #3 (&mm->mmap_lock){++++}-{3:3}: [86.862531]        down_read_killable+0x46/0x1e0 [86.862546]        lock_mm_and_find_vma+0xa2/0x280 [86.862561]        do_user_addr_fault+0x266/0x8e0 [86.862578]        exc_page_fault+0x8a/0x2f0 [86.862593]        asm_exc_page_fault+0x27/0x30 [86.862607]        filldir64+0xeb/0x180 [86.862620]        kernfs_fop_readdir+0x118/0x480 [86.862635]        iterate_dir+0xcf/0x2b0 [86.862648]        __x64_sys_getdents64+0x84/0x140 [86.862661]        x64_sys_call+0x1058/0x2660 [86.862675]        do_syscall_64+0x91/0xe90 [86.862689]        entry_SYSCALL_64_after_hwframe+0x76/0x7e [86.862703] -> #2 (&root->kernfs_rwsem){++++}-{3:3}: [86.862725]        down_write+0x3e/0xf0 [86.862738]        kernfs_add_one+0x30/0x3c0 [86.862751]        kernfs_create_dir_ns+0x53/0xb0 [86.862765]        internal_create_group+0x134/0x4c0 [86.862779]        sysfs_create_group+0x13/0x20 [86.862792]        topology_add_dev+0x1d/0x30 [86.862806]        cpuhp_invoke_callback+0x4b5/0x850 [86.862822]        cpuhp_issue_call+0xbf/0x1f0 [86.862836]        __cpuhp_setup_state_cpuslocked+0x111/0x320 [86.862852]        __cpuhp_setup_state+0xb0/0x220 [86.862866]        topology_sysfs_init+0x30/0x50 [86.862879]        
do_one_initcall+0x60/0x3f0 [86.862893]        kernel_init_freeable+0x3cd/0x680 [86.862908]        kernel_init+0x1b/0x200 [86.862921]        ret_from_fork+0x47/0x70 [86.862934]        ret_from_fork_asm+0x1a/0x30 [86.862947] -> #1 (cpuhp_state_mutex){+.+.}-{3:3}: [86.862969]        __mutex_lock+0xaa/0xed0 [86.862982]        mutex_lock_nested+0x1b/0x30 [86.862995]        __cpuhp_setup_state_cpuslocked+0x67/0x320 [86.863012]        __cpuhp_setup_state+0xb0/0x220 [86.863026]        page_alloc_init_cpuhp+0x2d/0x60 [86.863041]        mm_core_init+0x22/0x2d0 [86.863054]        start_kernel+0x576/0xbd0 [86.863068]        x86_64_start_reservations+0x18/0x30 [86.863084]        x86_64_start_kernel+0xbf/0x110 [86.863098]        common_startup_64+0x13e/0x141 [86.863114] -> #0 (cpu_hotplug_lock){++++}-{0:0}: [86.863135]        __lock_acquire+0x16 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68316",
                        "url": "https://ubuntu.com/security/CVE-2025-68316",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: ufs: core: Fix invalid probe error return value  After DME Link Startup, the error return value is set to the MIPI UniPro GenericErrorCode which can be 0 (SUCCESS) or 1 (FAILURE).  Upon failure during driver probe, the error code 1 is propagated back to the driver probe function which must return a negative value to indicate an error, but 1 is not negative, so the probe is considered to be successful even though it failed.  Subsequently, removing the driver results in an oops because it is not in a valid state.  This happens because none of the callers of ufshcd_init() expect a non-negative error code.  Fix the return value and documentation to match actual usage.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40292",
                        "url": "https://ubuntu.com/security/CVE-2025-40292",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: fix received length check in big packets  Since commit 4959aebba8c0 (\"virtio-net: use mtu size as buffer length for big packets\"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi->big_packets_num_skbfrags.  Because the host announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce incorrect length), we need a check in virtio_net receive path. Currently, the check is not adapted to the new change which can lead to NULL page pointer dereference in the below while loop when receiving length that is larger than the allocated one.  This commit fixes the received length check corresponding to the new change.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68180",
                        "url": "https://ubuntu.com/security/CVE-2025-68180",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Fix NULL deref in debugfs odm_combine_segments  When a connector is connected but inactive (e.g., disabled by desktop environments), pipe_ctx->stream_res.tg will be destroyed. Then, reading odm_combine_segments causes kernel NULL pointer dereference.   BUG: kernel NULL pointer dereference, address: 0000000000000000  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  PGD 0 P4D 0  Oops: Oops: 0000 [#1] SMP NOPTI  CPU: 16 UID: 0 PID: 26474 Comm: cat Not tainted 6.17.0+ #2 PREEMPT(lazy) e6a17af9ee6db7c63e9d90dbe5b28ccab67520c6  Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN25WW 03/27/2025  RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]  Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>  RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286  RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8  RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000  RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0  R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08  R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001  FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0  PKRU: 55555554  Call Trace:   <TASK>   seq_read_iter+0x125/0x490   ? __alloc_frozen_pages_noprof+0x18f/0x350   seq_read+0x12c/0x170   full_proxy_read+0x51/0x80   vfs_read+0xbc/0x390   ? __handle_mm_fault+0xa46/0xef0   ? do_syscall_64+0x71/0x900   ksys_read+0x73/0xf0   do_syscall_64+0x71/0x900   ? count_memcg_events+0xc2/0x190   ? handle_mm_fault+0x1d7/0x2d0   ? do_user_addr_fault+0x21a/0x690   ? 
exc_page_fault+0x7e/0x1a0   entry_SYSCALL_64_after_hwframe+0x6c/0x74  RIP: 0033:0x7f44d4031687  Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00>  RSP: 002b:00007ffdb4b5f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000  RAX: ffffffffffffffda RBX: 00007f44d3f9f740 RCX: 00007f44d4031687  RDX: 0000000000040000 RSI: 00007f44d3f5e000 RDI: 0000000000000003  RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000  R10: 0000000000000000 R11: 0000000000000202 R12: 00007f44d3f5e000  R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000040000   </TASK>  Modules linked in: tls tcp_diag inet_diag xt_mark ccm snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device x>   snd_hda_codec_atihdmi snd_hda_codec_realtek_lib lenovo_wmi_helpers think_lmi snd_hda_codec_generic snd_hda_codec_hdmi snd_soc_core kvm snd_compress uvcvideo sn>   platform_profile joydev amd_pmc mousedev mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics loop nfnetlink ip_tables x_tables dm_cryp>  CR2: 0000000000000000  ---[ end trace 0000000000000000 ]---  RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]  Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>  RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286  RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8  RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000  RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0  R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08  R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001  FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000000 CR3: 00000006485c2000 
CR4: 0000000000f50ef0  PKRU: 55555554  Fix this by checking pipe_ctx-> ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40327",
                        "url": "https://ubuntu.com/security/CVE-2025-40327",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/core: Fix system hang caused by cpu-clock usage  cpu-clock usage by the async-profiler tool can trigger a system hang, which got bisected back to the following commit by Octavia Togami:    18dbcbfabfff (\"perf: Fix the POLL_HUP delivery breakage\") causes this issue  The root cause of the hang is that cpu-clock is a special type of SW event which relies on hrtimers. The __perf_event_overflow() callback is invoked from the hrtimer handler for cpu-clock events, and __perf_event_overflow() tries to call cpu_clock_event_stop() to stop the event, which calls hrtimer_cancel() to cancel the hrtimer.  But that's a recursion into the hrtimer code from a hrtimer handler, which (unsurprisingly) deadlocks.  To fix this bug, use hrtimer_try_to_cancel() instead, and set the PERF_HES_STOPPED flag, which causes perf_swevent_hrtimer() to stop the event once it sees the PERF_HES_STOPPED flag.  [ mingo: Fixed the comments and improved the changelog. ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40328",
                        "url": "https://ubuntu.com/security/CVE-2025-40328",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix potential UAF in smb2_close_cached_fid()  find_or_create_cached_dir() could grab a new reference after kref_put() had seen the refcount drop to zero but before cfid_list_lock is acquired in smb2_close_cached_fid(), leading to use-after-free.  Switch to kref_put_lock() so cfid_release() is called with cfid_list_lock held, closing that gap.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40291",
                        "url": "https://ubuntu.com/security/CVE-2025-40291",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring: fix regbuf vector size truncation  There is a report of io_estimate_bvec_size() truncating the calculated number of segments that leads to corruption issues. Check it doesn't overflow \"int\"s used later. Rough but simple, can be improved on top.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68322",
                        "url": "https://ubuntu.com/security/CVE-2025-68322",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  parisc: Avoid crash due to unaligned access in unwinder  Guenter Roeck reported this kernel crash on his emulated B160L machine:  Starting network: udhcpc: started, v1.36.1  Backtrace:   [<104320d4>] unwind_once+0x1c/0x5c   [<10434a00>] walk_stackframe.isra.0+0x74/0xb8   [<10434a6c>] arch_stack_walk+0x28/0x38   [<104e5efc>] stack_trace_save+0x48/0x5c   [<105d1bdc>] set_track_prepare+0x44/0x6c   [<105d9c80>] ___slab_alloc+0xfc4/0x1024   [<105d9d38>] __slab_alloc.isra.0+0x58/0x90   [<105dc80c>] kmem_cache_alloc_noprof+0x2ac/0x4a0   [<105b8e54>] __anon_vma_prepare+0x60/0x280   [<105a823c>] __vmf_anon_prepare+0x68/0x94   [<105a8b34>] do_wp_page+0x8cc/0xf10   [<105aad88>] handle_mm_fault+0x6c0/0xf08   [<10425568>] do_page_fault+0x110/0x440   [<10427938>] handle_interruption+0x184/0x748   [<11178398>] schedule+0x4c/0x190   BUG: spinlock recursion on CPU#0, ifconfig/2420   lock: terminate_lock.2+0x0/0x1c, .magic: dead4ead, .owner: ifconfig/2420, .owner_cpu: 0  While creating the stack trace, the unwinder uses the stack pointer to guess the previous frame to read the previous stack pointer from memory.  The crash happens, because the unwinder tries to read from unaligned memory and as such triggers the unalignment trap handler which then leads to the spinlock recursion and finally to a deadlock.  Fix it by checking the alignment before accessing the memory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40293",
                        "url": "https://ubuntu.com/security/CVE-2025-40293",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iommufd: Don't overflow during division for dirty tracking  If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow to 0 and this triggers divide by 0.  In this case the index should just be 0, so reorganize things to divide by shift and avoid hitting any overflows.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40294",
                        "url": "https://ubuntu.com/security/CVE-2025-40294",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()  In the parse_adv_monitor_pattern() function, the value of the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251). The size of the 'value' array in the mgmt_adv_pattern structure is 31. If the value of 'pattern[i].length' is set in the user space and exceeds 31, the 'patterns[i].value' array can be accessed out of bound when copied.  Increasing the size of the 'value' array in the 'mgmt_adv_pattern' structure will break the userspace. Considering this, and to avoid OOB access revert the limits for 'offset' and 'length' back to the value of HCI_MAX_AD_LENGTH.  Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40329",
                        "url": "https://ubuntu.com/security/CVE-2025-40329",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb  The Mesa issue referenced below pointed out a possible deadlock:  [ 1231.611031]  Possible interrupt unsafe locking scenario:  [ 1231.611033]        CPU0                    CPU1 [ 1231.611034]        ----                    ---- [ 1231.611035]   lock(&xa->xa_lock#17); [ 1231.611038]                                local_irq_disable(); [ 1231.611039]                                lock(&fence->lock); [ 1231.611041]                                lock(&xa->xa_lock#17); [ 1231.611044]   <Interrupt> [ 1231.611045]     lock(&fence->lock); [ 1231.611047]                 *** DEADLOCK ***  In this example, CPU0 would be any function accessing job->dependencies through the xa_* functions that don't disable interrupts (eg: drm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()).  CPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling callback so in an interrupt context. It will deadlock when trying to grab the xa_lock which is already held by CPU0.  Replacing all xa_* usage by their xa_*_irq counterparts would fix this issue, but Christian pointed out another issue: dma_fence_signal takes fence.lock and so does dma_fence_add_callback.    dma_fence_signal() // locks f1.lock   -> drm_sched_entity_kill_jobs_cb()   -> foreach dependencies      -> dma_fence_add_callback() // locks f2.lock  This will deadlock if f1 and f2 share the same spinlock.  To fix both issues, the code iterating on dependencies and re-arming them is moved out to drm_sched_entity_kill_jobs_work().  [phasta: commit message nits]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40295",
                        "url": "https://ubuntu.com/security/CVE-2025-40295",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT  When simulating an nvme device on qemu with both logical_block_size and physical_block_size set to 8 KiB, an error trace appears during partition table reading at boot time. The issue is caused by inode->i_blkbits being larger than PAGE_SHIFT, which leads to a left shift of -1 and triggering a UBSAN warning.  [    2.697306] ------------[ cut here ]------------ [    2.697309] UBSAN: shift-out-of-bounds in fs/crypto/inline_crypt.c:336:37 [    2.697311] shift exponent -1 is negative [    2.697315] CPU: 3 UID: 0 PID: 274 Comm: (udev-worker) Not tainted 6.18.0-rc2+ #34 PREEMPT(voluntary) [    2.697317] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [    2.697320] Call Trace: [    2.697324]  <TASK> [    2.697325]  dump_stack_lvl+0x76/0xa0 [    2.697340]  dump_stack+0x10/0x20 [    2.697342]  __ubsan_handle_shift_out_of_bounds+0x1e3/0x390 [    2.697351]  bh_get_inode_and_lblk_num.cold+0x12/0x94 [    2.697359]  fscrypt_set_bio_crypt_ctx_bh+0x44/0x90 [    2.697365]  submit_bh_wbc+0xb6/0x190 [    2.697370]  block_read_full_folio+0x194/0x270 [    2.697371]  ? __pfx_blkdev_get_block+0x10/0x10 [    2.697375]  ? __pfx_blkdev_read_folio+0x10/0x10 [    2.697377]  blkdev_read_folio+0x18/0x30 [    2.697379]  filemap_read_folio+0x40/0xe0 [    2.697382]  filemap_get_pages+0x5ef/0x7a0 [    2.697385]  ? mmap_region+0x63/0xd0 [    2.697389]  filemap_read+0x11d/0x520 [    2.697392]  blkdev_read_iter+0x7c/0x180 [    2.697393]  vfs_read+0x261/0x390 [    2.697397]  ksys_read+0x71/0xf0 [    2.697398]  __x64_sys_read+0x19/0x30 [    2.697399]  x64_sys_call+0x1e88/0x26a0 [    2.697405]  do_syscall_64+0x80/0x670 [    2.697410]  ? __x64_sys_newfstat+0x15/0x20 [    2.697414]  ? x64_sys_call+0x204a/0x26a0 [    2.697415]  ? 
do_syscall_64+0xb8/0x670 [    2.697417]  ? irqentry_exit_to_user_mode+0x2e/0x2a0 [    2.697420]  ? irqentry_exit+0x43/0x50 [    2.697421]  ? exc_page_fault+0x90/0x1b0 [    2.697422]  entry_SYSCALL_64_after_hwframe+0x76/0x7e [    2.697425] RIP: 0033:0x75054cba4a06 [    2.697426] Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 [    2.697427] RSP: 002b:00007fff973723a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000 [    2.697430] RAX: ffffffffffffffda RBX: 00005ea9a2c02760 RCX: 000075054cba4a06 [    2.697432] RDX: 0000000000002000 RSI: 000075054c190000 RDI: 000000000000001b [    2.697433] RBP: 00007fff973723c0 R08: 0000000000000000 R09: 0000000000000000 [    2.697434] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 [    2.697434] R13: 00005ea9a2c027c0 R14: 00005ea9a2be5608 R15: 00005ea9a2be55f0 [    2.697436]  </TASK> [    2.697436] ---[ end trace ]---  This situation can happen for block devices because when CONFIG_TRANSPARENT_HUGEPAGE is enabled, the maximum logical_block_size is 64 KiB. set_init_blocksize() then sets the block device inode->i_blkbits to 13, which is within this limit.  File I/O does not trigger this problem because for filesystems that do not support the FS_LBS feature, sb_set_blocksize() prevents sb->s_blocksize_bits from being larger than PAGE_SHIFT. During inode allocation, alloc_inode()->inode_init_always() assigns inode->i_blkbits from sb->s_blocksize_bits. Currently, only xfs_fs_type has the FS_LBS flag, and since xfs I/O paths do not reach submit_bh_wbc(), it does not hit the left-shift underflow issue.  [EB: use folio_pos() and consolidate the two shifts by i_blkbits]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40296",
                        "url": "https://ubuntu.com/security/CVE-2025-40296",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/x86: int3472: Fix double free of GPIO device during unregister  regulator_unregister() already frees the associated GPIO device. On ThinkPad X9 (Lunar Lake), this causes a double free issue that leads to random failures when other drivers (typically Intel THC) attempt to allocate interrupts. The root cause is that the reference count of the pinctrl_intel_platform module unexpectedly drops to zero when this driver defers its probe.  This behavior can also be reproduced by unloading the module directly.  Fix the issue by removing the redundant release of the GPIO device during regulator unregistration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40297",
                        "url": "https://ubuntu.com/security/CVE-2025-40297",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: bridge: fix use-after-free due to MST port state bypass  syzbot reported[1] a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its fdbs have been flushed. The port's state has been toggled to disabled so no learning should happen at that time, but if we have MST enabled, it will bypass the port's state, that together with VLAN filtering disabled can lead to fdb learning at a time when it shouldn't happen while the port is being deleted. VLAN filtering must be disabled because we flush the port VLANs when it's being deleted which will stop learning. This fix adds a check for the port's vlan group which is initialized to NULL when the port is getting deleted, that avoids the port state bypass. When MST is enabled there would be a minimal new overhead in the fast-path because the port's vlan group pointer is cache-hot.  [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68320",
                        "url": "https://ubuntu.com/security/CVE-2025-68320",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lan966x: Fix sleeping in atomic context  The following warning was seen when we try to connect using ssh to the device.  BUG: sleeping function called from invalid context at kernel/locking/mutex.c:575 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbear preempt_count: 1, expected: 0 INFO: lockdep is turned off. CPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G        W          6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONE Tainted: [W]=WARN Hardware name: Generic DT based system Call trace:  unwind_backtrace from show_stack+0x10/0x14  show_stack from dump_stack_lvl+0x7c/0xac  dump_stack_lvl from __might_resched+0x16c/0x2b0  __might_resched from __mutex_lock+0x64/0xd34  __mutex_lock from mutex_lock_nested+0x1c/0x24  mutex_lock_nested from lan966x_stats_get+0x5c/0x558  lan966x_stats_get from dev_get_stats+0x40/0x43c  dev_get_stats from dev_seq_printf_stats+0x3c/0x184  dev_seq_printf_stats from dev_seq_show+0x10/0x30  dev_seq_show from seq_read_iter+0x350/0x4ec  seq_read_iter from seq_read+0xfc/0x194  seq_read from proc_reg_read+0xac/0x100  proc_reg_read from vfs_read+0xb0/0x2b0  vfs_read from ksys_read+0x6c/0xec  ksys_read from ret_fast_syscall+0x0/0x1c Exception stack(0xf0b11fa8 to 0xf0b11ff0) 1fa0:                   00000001 00001000 00000008 be9048d8 00001000 00000001 1fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 00000001 1fe0: 0005404c be9048c0 00018684 b6ec2cd8  It seems that we are using a mutex in a atomic context which is wrong. Change the mutex with a spinlock.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68169",
                        "url": "https://ubuntu.com/security/CVE-2025-68169",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netpoll: Fix deadlock in memory allocation under spinlock  Fix a AA deadlock in refill_skbs() where memory allocation while holding skb_pool->lock can trigger a recursive lock acquisition attempt.  The deadlock scenario occurs when the system is under severe memory pressure:  1. refill_skbs() acquires skb_pool->lock (spinlock) 2. alloc_skb() is called while holding the lock 3. Memory allocator fails and calls slab_out_of_memory() 4. This triggers printk() for the OOM warning 5. The console output path calls netpoll_send_udp() 6. netpoll_send_udp() attempts to acquire the same skb_pool->lock 7. Deadlock: the lock is already held by the same CPU  Call stack:   refill_skbs()     spin_lock_irqsave(&skb_pool->lock)    <- lock acquired     __alloc_skb()       kmem_cache_alloc_node_noprof()         slab_out_of_memory()           printk()             console_flush_all()               netpoll_send_udp()                 skb_dequeue()                   spin_lock_irqsave(&skb_pool->lock)     <- deadlock attempt  This bug was exposed by commit 248f6571fd4c51 (\"netpoll: Optimize skb refilling on critical path\") which removed refill_skbs() from the critical path (where nested printk was being deferred), letting nested printk being called from inside refill_skbs()  Refactor refill_skbs() to never allocate memory while holding the spinlock.  Another possible solution to fix this problem is protecting the refill_skbs() from nested printks, basically calling printk_deferred_{enter,exit}() in refill_skbs(), then, any nested pr_warn() would be deferred.  I prefer this approach, given I _think_ it might be a good idea to move the alloc_skb() from GFP_ATOMIC to GFP_KERNEL in the future, so, having the alloc_skb() outside of the lock will be necessary step.  
There is a possible TOCTOU issue when checking for the pool length, and queueing the newly allocated skb, but, this is not an issue, given that an extra SKB in the pool is harmless and it will be eventually used.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68197",
                        "url": "https://ubuntu.com/security/CVE-2025-68197",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()  With older FW, we may get the ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER for FW trace data type that has not been initialized.  This will result in a crash in bnxt_bs_trace_type_wrap().  Add a guard to check for a valid magic_byte pointer before proceeding.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40330",
                        "url": "https://ubuntu.com/security/CVE-2025-40330",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Shutdown FW DMA in bnxt_shutdown()  The netif_close() call in bnxt_shutdown() only stops packet DMA.  There may be FW DMA for trace logging (recently added) that will continue.  If we kexec to a new kernel, the DMA will corrupt memory in the new kernel.  Add bnxt_hwrm_func_drv_unrgtr() to unregister the driver from the FW. This will stop the FW DMA.  In case the call fails, call pcie_flr() to reset the function and stop the DMA.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68192",
                        "url": "https://ubuntu.com/security/CVE-2025-68192",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup  Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. This can trigger kernel panics on ARM64 when xfrm or other subsystems access the offset due to strict alignment checks.  Initialize the MAC header to prevent such crashes.  This can trigger kernel panics on ARM when running IPsec over the qmimux0 interface.  Example trace:      Internal error: Oops: 000000009600004f [#1] SMP     CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1     Hardware name: LS1028A RDB Board (DT)     pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)     pc : xfrm_input+0xde8/0x1318     lr : xfrm_input+0x61c/0x1318     sp : ffff800080003b20     Call trace:      xfrm_input+0xde8/0x1318      xfrm6_rcv+0x38/0x44      xfrm6_esp_rcv+0x48/0xa8      ip6_protocol_deliver_rcu+0x94/0x4b0      ip6_input_finish+0x44/0x70      ip6_input+0x44/0xc0      ipv6_rcv+0x6c/0x114      __netif_receive_skb_one_core+0x5c/0x8c      __netif_receive_skb+0x18/0x60      process_backlog+0x78/0x17c      __napi_poll+0x38/0x180      net_rx_action+0x168/0x2f0",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40331",
                        "url": "https://ubuntu.com/security/CVE-2025-40331",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: Prevent TOCTOU out-of-bounds write  For the following path not holding the sock lock,    sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()  make sure not to exceed bounds in case the address list has grown between buffer allocation (time-of-check) and write (time-of-use).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68187",
                        "url": "https://ubuntu.com/security/CVE-2025-68187",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: mdio: Check regmap pointer returned by device_node_to_regmap()  The call to device_node_to_regmap() in airoha_mdio_probe() can return an ERR_PTR() if regmap initialization fails. Currently, the driver stores the pointer without validation, which could lead to a crash if it is later dereferenced.  Add an IS_ERR() check and return the corresponding error code to make the probe path more robust.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68167",
                        "url": "https://ubuntu.com/security/CVE-2025-68167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gpiolib: fix invalid pointer access in debugfs  If the memory allocation in gpiolib_seq_start() fails, the s->private field remains uninitialized and is later dereferenced without checking in gpiolib_seq_stop(). Initialize s->private to NULL before calling kzalloc() and check it before dereferencing it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68319",
                        "url": "https://ubuntu.com/security/CVE-2025-68319",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netconsole: Acquire su_mutex before navigating configs hierarchy  There is a race between operations that iterate over the userdata cg_children list and concurrent add/remove of userdata items through configfs. The update_userdata() function iterates over the nt->userdata_group.cg_children list, and count_extradata_entries() also iterates over this same list to count nodes.  Quoting from Documentation/filesystems/configfs.rst: > A subsystem can navigate the cg_children list and the ci_parent pointer > to see the tree created by the subsystem.  This can race with configfs' > management of the hierarchy, so configfs uses the subsystem mutex to > protect modifications.  Whenever a subsystem wants to navigate the > hierarchy, it must do so under the protection of the subsystem > mutex.  Without proper locking, if a userdata item is added or removed concurrently while these functions are iterating, the list can be accessed in an inconsistent state. For example, the list_for_each() loop can reach a node that is being removed from the list by list_del_init() which sets the nodes' .next pointer to point to itself, so the loop will never end (or reach the WARN_ON_ONCE in update_userdata() ).  Fix this by holding the configfs subsystem mutex (su_mutex) during all operations that iterate over cg_children. This includes: - userdatum_value_store() which calls update_userdata() to iterate over   cg_children - All sysdata_*_enabled_store() functions which call   count_extradata_entries() to iterate over cg_children  The su_mutex must be acquired before dynamic_netconsole_mutex to avoid potential lock ordering issues, as configfs operations may already hold su_mutex when calling into our code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40298",
                        "url": "https://ubuntu.com/security/CVE-2025-40298",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: Implement settime64 with -EOPNOTSUPP  ptp_clock_settime() assumes every ptp_clock has implemented settime64(). Stub it with -EOPNOTSUPP to prevent a NULL dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40299",
                        "url": "https://ubuntu.com/security/CVE-2025-40299",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: Implement gettimex64 with -EOPNOTSUPP  gve implemented a ptp_clock for sole use of do_aux_work at this time. ptp_clock_gettime() and ptp_sys_offset() assume every ptp_clock has implemented either gettimex64 or gettime64. Stub gettimex64 and return -EOPNOTSUPP to prevent NULL dereferencing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40301",
                        "url": "https://ubuntu.com/security/CVE-2025-40301",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: validate skb length for unknown CC opcode  In hci_cmd_complete_evt(), if the command complete event has an unknown opcode, we assume the first byte of the remaining skb->data contains the return status. However, parameter data has previously been pulled in hci_event_func(), which may leave the skb empty. If so, using skb->data[0] for the return status uses un-init memory.  The fix is to check skb->len before using skb->data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40358",
                        "url": "https://ubuntu.com/security/CVE-2025-40358",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: stacktrace: Disable KASAN checks for non-current tasks  When unwinding the stack of a task other than current, KASAN would report \"BUG: KASAN: out-of-bounds in walk_stackframe+0x41c/0x460\"  The same issue occurred on x86 and has been resolved by commit 84936118bdf3 (\"x86/unwind: Disable KASAN checks for non-current tasks\"). The solution could be applied to RISC-V too.  This patch also can solve the issue: https://seclists.org/oss-sec/2025/q4/23  [pjw@kernel.org: clean up checkpatch issues]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68186",
                        "url": "https://ubuntu.com/security/CVE-2025-68186",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up  The function ring_buffer_map_get_reader() is a bit more strict than the other get reader functions, and except for certain situations the rb_get_reader_page() should not return NULL. If it does, it triggers a warning.  This warning was triggering but after looking at why, it was because another acceptable situation was happening and it wasn't checked for.  If the reader catches up to the writer and there's still data to be read on the reader page, then the rb_get_reader_page() will return NULL as there's no new page to get.  In this situation, the reader page should not be updated and no warning should trigger.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68184",
                        "url": "https://ubuntu.com/security/CVE-2025-68184",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/mediatek: Disable AFBC support on Mediatek DRM driver  Commit c410fa9b07c3 (\"drm/mediatek: Add AFBC support to Mediatek DRM driver\") added AFBC support to Mediatek DRM and enabled the 32x8/split/sparse modifier.  However, this is currently broken on Mediatek MT8188 (Genio 700 EVK platform); tested using upstream Kernel and Mesa (v25.2.1), AFBC is used by default since Mesa v25.0.  Kernel trace reports vblank timeouts constantly, and the render is garbled:  ``` [CRTC:62:crtc-0] vblank wait timed out WARNING: CPU: 7 PID: 70 at drivers/gpu/drm/drm_atomic_helper.c:1835 drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c [...] Hardware name: MediaTek Genio-700 EVK (DT) Workqueue: events_unbound commit_work pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c lr : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c sp : ffff80008337bca0 x29: ffff80008337bcd0 x28: 0000000000000061 x27: 0000000000000000 x26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c9dcc000 x23: 0000000000000001 x22: 0000000000000000 x21: ffff0000c66f2f80 x20: ffff0000c0d7d880 x19: 0000000000000000 x18: 000000000000000a x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000000 x14: 0000000000000000 x13: 74756f2064656d69 x12: 742074696177206b x11: 0000000000000058 x10: 0000000000000018 x9 : ffff800082396a70 x8 : 0000000000057fa8 x7 : 0000000000000cce x6 : ffff8000823eea70 x5 : ffff0001fef5f408 x4 : ffff80017ccee000 x3 : ffff0000c12cb480 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c12cb480 Call trace:  drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c (P)  drm_atomic_helper_commit_tail_rpm+0x64/0x80  commit_tail+0xa4/0x1a4  commit_work+0x14/0x20  process_one_work+0x150/0x290  worker_thread+0x2d0/0x3ec  kthread+0x12c/0x210  ret_from_fork+0x10/0x20 ---[ end trace 0000000000000000 ]--- 
```  Until this gets fixed upstream, disable AFBC support on this platform, as it's currently broken with upstream Mesa.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40302",
                        "url": "https://ubuntu.com/security/CVE-2025-40302",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: videobuf2: forbid remove_bufs when legacy fileio is active  vb2_ioctl_remove_bufs() call manipulates queue internal buffer list, potentially overwriting some pointers used by the legacy fileio access mode. Forbid that ioctl when fileio is active to protect internal queue state between subsequent read/write calls.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40303",
                        "url": "https://ubuntu.com/security/CVE-2025-40303",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: ensure no dirty metadata is written back for an fs with errors  [BUG] During development of a minor feature (make sure all btrfs_bio::end_io() is called in task context), I noticed a crash in generic/388, where metadata writes triggered new works after btrfs_stop_all_workers().  It turns out that it can even happen without any code modification, just using RAID5 for metadata and the same workload from generic/388 is going to trigger the use-after-free.  [CAUSE] If btrfs hits an error, the fs is marked as error, no new transaction is allowed thus metadata is in a frozen state.  But there are some metadata modifications before that error, and they are still in the btree inode page cache.  Since there will be no real transaction commit, all those dirty folios are just kept as is in the page cache, and they can not be invalidated by invalidate_inode_pages2() call inside close_ctree(), because they are dirty.  And finally after btrfs_stop_all_workers(), we call iput() on btree inode, which triggers writeback of those dirty metadata.  And if the fs is using RAID56 metadata, this will trigger RMW and queue new works into rmw_workers, which is already stopped, causing warning from queue_work() and use-after-free.  [FIX] Add a special handling for write_one_eb(), that if the fs is already in an error state, immediately mark the bbio as failure, instead of really submitting them.  Then during close_ctree(), iput() will just discard all those dirty tree blocks without really writing them back, thus no more new jobs for already stopped-and-freed workqueues.  The extra discard in write_one_eb() also acts as an extra safenet. E.g. the transaction abort is triggered by some extent/free space tree corruptions, and since extent/free space tree is already corrupted some tree blocks may be allocated where they shouldn't be (overwriting existing tree blocks). 
In that case writing them back will further corrupt the fs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40362",
                        "url": "https://ubuntu.com/security/CVE-2025-40362",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ceph: fix multifs mds auth caps issue  The mds auth caps check should also validate the fsname along with the associated caps. Not doing so would result in applying the mds auth caps of one fs on to the other fs in a multifs ceph cluster. The bug causes multiple issues w.r.t user authentication, following is one such example.  Steps to Reproduce (on vstart cluster): 1. Create two file systems in a cluster, say 'fsname1' and 'fsname2' 2. Authorize read only permission to the user 'client.usr' on fs 'fsname1'     $ceph fs authorize fsname1 client.usr / r 3. Authorize read and write permission to the same user 'client.usr' on fs 'fsname2'     $ceph fs authorize fsname2 client.usr / rw 4. Update the keyring     $ceph auth get client.usr >> ./keyring  With above permssions for the user 'client.usr', following is the expectation.   a. The 'client.usr' should be able to only read the contents      and not allowed to create or delete files on file system 'fsname1'.   b. The 'client.usr' should be able to read/write on file system 'fsname2'.  But, with this bug, the 'client.usr' is allowed to read/write on file system 'fsname1'. See below.  5. Mount the file system 'fsname1' with the user 'client.usr'      $sudo bin/mount.ceph usr@.fsname1=/ /kmnt_fsname1_usr/ 6. Try creating a file on file system 'fsname1' with user 'client.usr'. This    should fail but passes with this bug.      $touch /kmnt_fsname1_usr/file1 7. Mount the file system 'fsname1' with the user 'client.admin' and create a    file.      $sudo bin/mount.ceph admin@.fsname1=/ /kmnt_fsname1_admin      $echo \"data\" > /kmnt_fsname1_admin/admin_file1 8. Try removing an existing file on file system 'fsname1' with the user    'client.usr'. This shoudn't succeed but succeeds with the bug.      
$rm -f /kmnt_fsname1_usr/admin_file1  For more information, please take a look at the corresponding mds/fuse patch and tests added by looking into the tracker mentioned below.  v2: Fix a possible null dereference in doutc v3: Don't store fsname from mdsmap, validate against     ceph_mount_options's fsname and use it v4: Code refactor, better warning message and     fix possible compiler warning  [ Slava.Dubeyko: \"fsname check failed\" -> \"fsname mismatch\" ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40332",
                        "url": "https://ubuntu.com/security/CVE-2025-40332",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Fix mmap write lock not release  If mmap write lock is taken while draining retry fault, mmap write lock is not released because svm_range_restore_pages calls mmap_read_unlock then returns. This causes deadlock and system hangs later because mmap read or write lock cannot be taken.  Downgrade mmap write lock to read lock if draining retry fault to fix this bug.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40304",
                        "url": "https://ubuntu.com/security/CVE-2025-40304",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds  Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen edges. Return early if the Y position is off-screen and clip image height to screen boundary. Break from the rendering loop if the X position is off-screen. When clipping image width to fit the screen, update the character count to match the clipped width to prevent buffer size mismatches.  Without the character count update, bit_putcs_aligned and bit_putcs_unaligned receive mismatched parameters where the buffer is allocated for the clipped width but cnt reflects the original larger count, causing out-of-bounds writes.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40305",
                        "url": "https://ubuntu.com/security/CVE-2025-40305",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN  p9_read_work() doesn't set Rworksched and doesn't do schedule_work(m->rq) if list_empty(&m->req_list).  However, if the pipe is full, we need to read more data and this used to work prior to commit aaec5a95d59615 (\"pipe_read: don't wake up the writer if the pipe is still full\").  p9_read_work() does p9_fd_read() -> ... -> anon_pipe_read() which (before the commit above) triggered the unnecessary wakeup. This wakeup calls p9_pollwake() which kicks p9_poll_workfn() -> p9_poll_mux(), p9_poll_mux() will notice EPOLLIN and schedule_work(&m->rq).  This no longer happens after the optimization above, change p9_fd_request() to use p9_poll_mux() instead of only checking for EPOLLOUT.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68318",
                        "url": "https://ubuntu.com/security/CVE-2025-68318",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL  The AXI crossbar of TH1520 has no proper timeout handling, which means gating AXI clocks can easily lead to bus timeout and thus system hang.  Set all AXI clock gates to CLK_IS_CRITICAL. All these clock gates are ungated by default on system reset.  In addition, convert all current CLK_IGNORE_UNUSED usage to CLK_IS_CRITICAL to prevent unwanted clock gating.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40209",
                        "url": "https://ubuntu.com/security/CVE-2025-40209",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation  When btrfs_add_qgroup_relation() is called with invalid qgroup levels (src >= dst), the function returns -EINVAL directly without freeing the preallocated qgroup_list structure passed by the caller. This causes a memory leak because the caller unconditionally sets the pointer to NULL after the call, preventing any cleanup.  The issue occurs because the level validation check happens before the mutex is acquired and before any error handling path that would free the prealloc pointer. On this early return, the cleanup code at the 'out' label (which includes kfree(prealloc)) is never reached.  In btrfs_ioctl_qgroup_assign(), the code pattern is:      prealloc = kzalloc(sizeof(*prealloc), GFP_KERNEL);     ret = btrfs_add_qgroup_relation(trans, sa->src, sa->dst, prealloc);     prealloc = NULL;  // Always set to NULL regardless of return value     ...     kfree(prealloc);  // This becomes kfree(NULL), does nothing  When the level check fails, 'prealloc' is never freed by either the callee or the caller, resulting in a 64-byte memory leak per failed operation. This can be triggered repeatedly by an unprivileged user with access to a writable btrfs mount, potentially exhausting kernel memory.  Fix this by freeing prealloc before the early return, ensuring prealloc is always freed on all error paths.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-21 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68183",
                        "url": "https://ubuntu.com/security/CVE-2025-68183",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr  Currently when both IMA and EVM are in fix mode, the IMA signature will be reset to IMA hash if a program first stores IMA signature in security.ima and then writes/removes some other security xattr for the file.  For example, on Fedora, after booting the kernel with \"ima_appraise=fix evm=fix ima_policy=appraise_tcb\" and installing rpm-plugin-ima, installing/reinstalling a package will not make good reference IMA signature generated. Instead IMA hash is generated,      # getfattr -m - -d -e hex /usr/bin/bash     # file: usr/bin/bash     security.ima=0x0404...  This happens because when setting security.selinux, the IMA_DIGSIG flag that had been set early was cleared. As a result, IMA hash is generated when the file is closed.  Similarly, IMA signature can be cleared on file close after removing security xattr like security.evm or setting/removing ACL.  Prevent replacing the IMA file signature with a file hash, by preventing the IMA_DIGSIG flag from being reset.  
Here's a minimal C reproducer which sets security.selinux as the last step which can also replaced by removing security.evm or setting ACL,      #include <stdio.h>     #include <sys/xattr.h>     #include <fcntl.h>     #include <unistd.h>     #include <string.h>     #include <stdlib.h>      int main() {         const char* file_path = \"/usr/sbin/test_binary\";         const char* hex_string = \"030204d33204490066306402304\";         int length = strlen(hex_string);         char* ima_attr_value;         int fd;          fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);         if (fd == -1) {             perror(\"Error opening file\");             return 1;         }          ima_attr_value = (char*)malloc(length / 2 );         for (int i = 0, j = 0; i < length; i += 2, j++) {             sscanf(hex_string + i, \"%2hhx\", &ima_attr_value[j]);         }          if (fsetxattr(fd, \"security.ima\", ima_attr_value, length/2, 0) == -1) {             perror(\"Error setting extended attribute\");             close(fd);             return 1;         }          const char* selinux_value= \"system_u:object_r:bin_t:s0\";         if (fsetxattr(fd, \"security.selinux\", selinux_value, strlen(selinux_value), 0) == -1) {             perror(\"Error setting extended attribute\");             close(fd);             return 1;         }          close(fd);          return 0;     }",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68173",
                        "url": "https://ubuntu.com/security/CVE-2025-68173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ftrace: Fix softlockup in ftrace_module_enable  A soft lockup was observed when loading the amdgpu module. If a module has a lot of traceable functions, multiple calls to kallsyms_lookup can spend too much time in an RCU critical section with preemption disabled, causing a kernel panic. This is the same issue that was fixed in commit d0b24b4e91fc (\"ftrace: Prevent RCU stall on PREEMPT_VOLUNTARY kernels\") and commit 42ea22e754ba (\"ftrace: Add cond_resched() to ftrace_graph_set_hash()\").  Fix it the same way by adding cond_resched() in ftrace_module_enable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40306",
                        "url": "https://ubuntu.com/security/CVE-2025-40306",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  orangefs: fix xattr related buffer overflow...  Willy Tarreau <w@1wt.eu> forwarded me a message from Disclosure <disclosure@aisle.com> with the following warning:  > The helper `xattr_key()` uses the pointer variable in the loop condition > rather than dereferencing it. As `key` is incremented, it remains non-NULL > (until it runs into unmapped memory), so the loop does not terminate on > valid C strings and will walk memory indefinitely, consuming CPU or hanging > the thread.  I easily reproduced this with setfattr and getfattr, causing a kernel oops, hung user processes and corrupted orangefs files. Disclosure sent along a diff (not a patch) with a suggested fix, which I based this patch on.  After xattr_key started working right, xfstest generic/069 exposed an xattr related memory leak that lead to OOM. xattr_key returns a hashed key.  When adding xattrs to the orangefs xattr cache, orangefs used hash_add, a kernel hashing macro. hash_add also hashes the key using hash_log which resulted in additions to the xattr cache going to the wrong hash bucket. generic/069 tortures a single file and orangefs does a getattr for the xattr \"security.capability\" every time. Orangefs negative caches on xattrs which includes a kmalloc. Since adds to the xattr cache were going to the wrong bucket, every getattr for \"security.capability\" resulted in another kmalloc, none of which were ever freed.  I changed the two uses of hash_add to hlist_add_head instead and the memory leak ceased and generic/069 quit throwing furniture.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40307",
                        "url": "https://ubuntu.com/security/CVE-2025-40307",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exfat: validate cluster allocation bits of the allocation bitmap  syzbot created an exfat image with cluster bits not set for the allocation bitmap. exfat-fs reads and uses the allocation bitmap without checking this. The problem is that if the start cluster of the allocation bitmap is 6, cluster 6 can be allocated when creating a directory with mkdir. exfat zeros out this cluster in exfat_mkdir, which can delete existing entries. This can reallocate the allocated entries. In addition, the allocation bitmap is also zeroed out, so cluster 6 can be reallocated. This patch adds exfat_test_bitmap_range to validate that clusters used for the allocation bitmap are correctly marked as in-use.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40308",
                        "url": "https://ubuntu.com/security/CVE-2025-40308",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: bcsp: receive data only if registered  Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace:      KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]     RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590     Call Trace:      <TASK>      hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627      tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290      tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706      vfs_ioctl fs/ioctl.c:51 [inline]      __do_sys_ioctl fs/ioctl.c:907 [inline]      __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893      do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]      do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94      entry_SYSCALL_64_after_hwframe+0x77/0x7f  To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40309",
                        "url": "https://ubuntu.com/security/CVE-2025-40309",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: SCO: Fix UAF on sco_conn_free  BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline] BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline] BUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 Write of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352  CPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted 6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci13 hci_cmd_sync_work Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0x191/0x550 mm/kasan/report.c:482  kasan_report+0xc4/0x100 mm/kasan/report.c:595  sco_conn_free net/bluetooth/sco.c:87 [inline]  kref_put include/linux/kref.h:65 [inline]  sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107  sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441  hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]  hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313  hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121  hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147  hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689  hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332  process_one_work kernel/workqueue.c:3236 [inline]  process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319  worker_thread+0xbee/0x1200 kernel/workqueue.c:3400  kthread+0x3c7/0x870 kernel/kthread.c:463  ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 31370:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x70 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:388 
[inline]  __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405  kasan_kmalloc include/linux/kasan.h:260 [inline]  __do_kmalloc_node mm/slub.c:4382 [inline]  __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394  kmalloc_noprof include/linux/slab.h:909 [inline]  sk_prot_alloc+0xae/0x220 net/core/sock.c:2239  sk_alloc+0x34/0x5a0 net/core/sock.c:2295  bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151  sco_sock_alloc net/bluetooth/sco.c:562 [inline]  sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593  bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135  __sock_create+0x3ad/0x780 net/socket.c:1589  sock_create net/socket.c:1647 [inline]  __sys_socket_create net/socket.c:1684 [inline]  __sys_socket+0xd5/0x330 net/socket.c:1731  __do_sys_socket net/socket.c:1745 [inline]  __se_sys_socket net/socket.c:1743 [inline]  __x64_sys_socket+0x7a/0x90 net/socket.c:1743  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 31374:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x70 mm/kasan/common.c:68  kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576  poison_slab_object mm/kasan/common.c:243 [inline]  __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275  kasan_slab_free include/linux/kasan.h:233 [inline]  slab_free_hook mm/slub.c:2428 [inline]  slab_free mm/slub.c:4701 [inline]  kfree+0x199/0x3b0 mm/slub.c:4900  sk_prot_free net/core/sock.c:2278 [inline]  __sk_destruct+0x4aa/0x630 net/core/sock.c:2373  sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333  __sock_release net/socket.c:649 [inline]  sock_close+0xb8/0x230 net/socket.c:1439  __fput+0x3d1/0x9e0 fs/file_table.c:468  task_work_run+0x206/0x2a0 kernel/task_work.c:227  get_signal+0x1201/0x1410 kernel/signal.c:2807  arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337  exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40  exit_to_user_mode_prepare 
include/linux/irq-entry-common.h:225 [inline]  s ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68174",
                        "url": "https://ubuntu.com/security/CVE-2025-68174",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  amd/amdkfd: enhance kfd process check in switch partition  current switch partition only check if kfd_processes_table is empty. kfd_prcesses_table entry is deleted in kfd_process_notifier_release, but kfd_process tear down is in kfd_process_wq_release.  consider two processes:  Process A (workqueue) -> kfd_process_wq_release -> Access kfd_node member Process B switch partition -> amdgpu_xcp_pre_partition_switch -> amdgpu_amdkfd_device_fini_sw -> kfd_node tear down.  Process A and B may trigger a race as shown in dmesg log.  This patch is to resolve the race by adding an atomic kfd_process counter kfd_processes_count, it increment as create kfd process, decrement as finish kfd_process_wq_release.  v2: Put kfd_processes_count per kfd_dev, move decrement to kfd_process_destroy_pdds and bug fix. (Philip Yang)  [3966658.307702] divide error: 0000 [#1] SMP NOPTI [3966658.350818]  i10nm_edac [3966658.356318] CPU: 124 PID: 38435 Comm: kworker/124:0 Kdump: loaded Tainted [3966658.356890] Workqueue: kfd_process_wq kfd_process_wq_release [amdgpu] [3966658.362839]  nfit [3966658.366457] RIP: 0010:kfd_get_num_sdma_engines+0x17/0x40 [amdgpu] [3966658.366460] Code: 00 00 e9 ac 81 02 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 0f 1f 44 00 00 48 8b 4f 08 48 8b b7 00 01 00 00 8b 81 58 26 03 00 99 <f7> be b8 01 00 00 80 b9 70 2e 00 00 00 74 0b 83 f8 02 ba 02 00 00 [3966658.380967]  x86_pkg_temp_thermal [3966658.391529] RSP: 0018:ffffc900a0edfdd8 EFLAGS: 00010246 [3966658.391531] RAX: 0000000000000008 RBX: ffff8974e593b800 RCX: ffff888645900000 [3966658.391531] RDX: 0000000000000000 RSI: ffff888129154400 RDI: ffff888129151c00 [3966658.391532] RBP: ffff8883ad79d400 R08: 0000000000000000 R09: ffff8890d2750af4 [3966658.391532] R10: 0000000000000018 R11: 0000000000000018 R12: 0000000000000000 [3966658.391533] R13: ffff8883ad79d400 R14: ffffe87ff662ba00 R15: ffff8974e593b800 
[3966658.391533] FS:  0000000000000000(0000) GS:ffff88fe7f600000(0000) knlGS:0000000000000000 [3966658.391534] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [3966658.391534] CR2: 0000000000d71000 CR3: 000000dd0e970004 CR4: 0000000002770ee0 [3966658.391535] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [3966658.391535] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [3966658.391536] PKRU: 55555554 [3966658.391536] Call Trace: [3966658.391674]  deallocate_sdma_queue+0x38/0xa0 [amdgpu] [3966658.391762]  process_termination_cpsch+0x1ed/0x480 [amdgpu] [3966658.399754]  intel_powerclamp [3966658.402831]  kfd_process_dequeue_from_all_devices+0x5b/0xc0 [amdgpu] [3966658.402908]  kfd_process_wq_release+0x1a/0x1a0 [amdgpu] [3966658.410516]  coretemp [3966658.434016]  process_one_work+0x1ad/0x380 [3966658.434021]  worker_thread+0x49/0x310 [3966658.438963]  kvm_intel [3966658.446041]  ? process_one_work+0x380/0x380 [3966658.446045]  kthread+0x118/0x140 [3966658.446047]  ? 
__kthread_bind_mask+0x60/0x60 [3966658.446050]  ret_from_fork+0x1f/0x30 [3966658.446053] Modules linked in: kpatch_20765354(OEK) [3966658.455310]  kvm [3966658.464534]  mptcp_diag xsk_diag raw_diag unix_diag af_packet_diag netlink_diag udp_diag act_pedit act_mirred act_vlan cls_flower kpatch_21951273(OEK) kpatch_18424469(OEK) kpatch_19749756(OEK) [3966658.473462]  idxd_mdev [3966658.482306]  kpatch_17971294(OEK) sch_ingress xt_conntrack amdgpu(OE) amdxcp(OE) amddrm_buddy(OE) amd_sched(OE) amdttm(OE) amdkcl(OE) intel_ifs iptable_mangle tcm_loop target_core_pscsi tcp_diag target_core_file inet_diag target_core_iblock target_core_user target_core_mod coldpgs kpatch_18383292(OEK) ip6table_nat ip6table_filter ip6_tables ip_set_hash_ipportip ip_set_hash_ipportnet ip_set_hash_ipport ip_set_bitmap_port xt_comment iptable_nat nf_nat iptable_filter ip_tables ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 sn_core_odd(OE) i40e overlay binfmt_misc tun bonding(OE) aisqos(OE) aisqo ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40310",
                        "url": "https://ubuntu.com/security/CVE-2025-40310",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw  There is race in amdgpu_amdkfd_device_fini_sw and interrupt. if amdgpu_amdkfd_device_fini_sw run in b/w kfd_cleanup_nodes and   kfree(kfd), and KGD interrupt generated.  kernel panic log:  BUG: kernel NULL pointer dereference, address: 0000000000000098 amdgpu 0000:c8:00.0: amdgpu: Requesting 4 partitions through PSP  PGD d78c68067 P4D d78c68067  kfd kfd: amdgpu: Allocated 3969056 bytes on gart  PUD 1465b8067 PMD @  Oops: @002 [#1] SMP NOPTI  kfd kfd: amdgpu: Total number of KFD nodes to be created: 4 CPU: 115 PID: @ Comm: swapper/115 Kdump: loaded Tainted: G S W OE K  RIP: 0010:_raw_spin_lock_irqsave+0x12/0x40  Code: 89 e@ 41 5c c3 cc cc cc cc 66 66 2e Of 1f 84 00 00 00 00 00 OF 1f 40 00 Of 1f 44% 00 00 41 54 9c 41 5c fa 31 cO ba 01 00 00 00 <fO> OF b1 17 75 Ba 4c 89 e@ 41 Sc  89 c6 e8 07 38 5d  RSP: 0018: ffffc90@1a6b0e28 EFLAGS: 00010046  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000018 0000000000000001 RSI: ffff8883bb623e00 RDI: 0000000000000098 ffff8883bb000000 RO8: ffff888100055020 ROO: ffff888100055020 0000000000000000 R11: 0000000000000000 R12: 0900000000000002 ffff888F2b97da0@ R14: @000000000000098 R15: ffff8883babdfo00  CS: 010 DS: 0000 ES: 0000 CRO: 0000000080050033  CR2: 0000000000000098 CR3: 0000000e7cae2006 CR4: 0000000002770ce0 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 0000000000000000 DR6: 00000000fffeO7FO DR7: 0000000000000400  PKRU: 55555554  Call Trace:  <IRQ>  kgd2kfd_interrupt+@x6b/0x1f@ [amdgpu]  ? 
amdgpu_fence_process+0xa4/0x150 [amdgpu]  kfd kfd: amdgpu: Node: 0, interrupt_bitmap: 3 YcpxFl Rant tErace  amdgpu_irq_dispatch+0x165/0x210 [amdgpu]  amdgpu_ih_process+0x80/0x100 [amdgpu]  amdgpu: Virtual CRAT table created for GPU  amdgpu_irq_handler+0x1f/@x60 [amdgpu]  __handle_irq_event_percpu+0x3d/0x170  amdgpu: Topology: Add dGPU node [0x74a2:0x1002]  handle_irq_event+0x5a/@xcO  handle_edge_irq+0x93/0x240  kfd kfd: amdgpu: KFD node 1 partition @ size 49148M  asm_call_irq_on_stack+0xf/@x20  </IRQ>  common_interrupt+0xb3/0x130  asm_common_interrupt+0x1le/0x40  5.10.134-010.a1i5000.a18.x86_64 #1",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40361",
                        "url": "https://ubuntu.com/security/CVE-2025-40361",
                        "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40311",
                        "url": "https://ubuntu.com/security/CVE-2025-40311",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/habanalabs: support mapping cb with vmalloc-backed coherent memory  When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return addresses from the vmalloc range. If such an address is mapped without VM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the VM_PFNMAP restriction.  Fix this by checking for vmalloc addresses and setting VM_MIXEDMAP in the VMA before mapping. This ensures safe mapping and avoids kernel crashes. The memory is still driver-allocated and cannot be accessed directly by userspace.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68185",
                        "url": "https://ubuntu.com/security/CVE-2025-68185",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing  Theoretically it's an oopsable race, but I don't believe one can manage to hit it on real hardware; might become doable on a KVM, but it still won't be easy to attack.  Anyway, it's easy to deal with - since xdr_encode_hyper() is just a call of put_unaligned_be64(), we can put that under ->d_lock and be done with that.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68176",
                        "url": "https://ubuntu.com/security/CVE-2025-68176",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: cadence: Check for the existence of cdns_pcie::ops before using it  cdns_pcie::ops might not be populated by all the Cadence glue drivers. This is going to be true for the upcoming Sophgo platform which doesn't set the ops.  Hence, add a check to prevent NULL pointer dereference.  [mani: reworded subject and description]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68190",
                        "url": "https://ubuntu.com/security/CVE-2025-68190",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()  kcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws remains NULL while ectx.ws_size is set, leading to a potential NULL pointer dereference in atom_get_src_int() when accessing WS entries.  Return -ENOMEM on allocation failure to avoid the NULL dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68168",
                        "url": "https://ubuntu.com/security/CVE-2025-68168",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  jfs: fix uninitialized waitqueue in transaction manager  The transaction manager initialization in txInit() was not properly initializing TxBlock[0].waitor waitqueue, causing a crash when txEnd(0) is called on read-only filesystems.  When a filesystem is mounted read-only, txBegin() returns tid=0 to indicate no transaction. However, txEnd(0) still gets called and tries to access TxBlock[0].waitor via tid_to_tblock(0), but this waitqueue was never initialized because the initialization loop started at index 1 instead of 0.  This causes a 'non-static key' lockdep warning and system crash:   INFO: trying to register non-static key in txEnd  Fix by ensuring all transaction blocks including TxBlock[0] have their waitqueues properly initialized during txInit().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40312",
                        "url": "https://ubuntu.com/security/CVE-2025-40312",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  jfs: Verify inode mode when loading from disk  The inode mode loaded from corrupted disk can be invalid. Do like what commit 0a9e74051313 (\"isofs: Verify inode mode when loading from disk\") does.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40333",
                        "url": "https://ubuntu.com/security/CVE-2025-40333",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix infinite loop in __insert_extent_tree()  When we get wrong extent info data and look up extent_node in the rb tree, it will cause an infinite loop (CONFIG_F2FS_CHECK_FS=n). Avoid this by returning NULL and printing some kernel messages in that case.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68321",
                        "url": "https://ubuntu.com/security/CVE-2025-68321",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  page_pool: always add GFP_NOWARN for ATOMIC allocations  Driver authors often forget to add GFP_NOWARN for page allocation from the datapath. This is annoying to users as OOMs are a fact of life, and we pretty much expect network Rx to hit page allocation failures during OOM. Make page pool add GFP_NOWARN for ATOMIC allocations by default.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40334",
                        "url": "https://ubuntu.com/security/CVE-2025-40334",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: validate userq buffer virtual address and size  It needs to validate the userq object virtual address to determine whether it resides in a valid vm mapping.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68191",
                        "url": "https://ubuntu.com/security/CVE-2025-68191",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  udp_tunnel: use netdev_warn() instead of netdev_WARN()  netdev_WARN() uses WARN/WARN_ON to print a backtrace along with file and line information. In this case, udp_tunnel_nic_register() returning an error is just a failed operation, not a kernel bug.  udp_tunnel_nic_register() can fail due to a memory allocation failure (kzalloc() or udp_tunnel_nic_alloc()). This is a normal runtime error and not a kernel bug.  Replace netdev_WARN() with netdev_warn() accordingly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68309",
                        "url": "https://ubuntu.com/security/CVE-2025-68309",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI/AER: Fix NULL pointer access by aer_info  The kzalloc(GFP_KERNEL) may return NULL, so all accesses to aer_info->xxx will result in kernel panic. Fix it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40313",
                        "url": "https://ubuntu.com/security/CVE-2025-40313",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ntfs3: pretend $Extend records as regular files  Since commit af153bb63a33 (\"vfs: catch invalid modes in may_open()\") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/ S_IFIFO/S_IFSOCK type, use S_IFREG for $Extend records.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40335",
                        "url": "https://ubuntu.com/security/CVE-2025-40335",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: validate userq input args  This helps validate the userq input args and reject invalid userq requests at the IOCTLs in the first place.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40314",
                        "url": "https://ubuntu.com/security/CVE-2025-40314",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget  In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget structure (pdev->gadget) was freed before its endpoints. The endpoints are linked via the ep_list in the gadget structure. Freeing the gadget first leaves dangling pointers in the endpoint list. When the endpoints are subsequently freed, this results in a use-after-free.  Fix: By separating the usb_del_gadget_udc() operation into distinct \"del\" and \"put\" steps, cdnsp_gadget_free_endpoints() can be executed prior to the final release of the gadget structure with usb_put_gadget().  A patch similar to bb9c74a5bd14(\"usb: dwc3: gadget: Free gadget structure  only after freeing endpoints\").",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40336",
                        "url": "https://ubuntu.com/security/CVE-2025-40336",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gpusvm: fix hmm_pfn_to_map_order() usage  Handle the case where the hmm range partially covers a huge page (like 2M), otherwise we can potentially end up doing something nasty like mapping memory which is outside the range, and maybe not even mapped by the mm. Fix is based on the xe userptr code, which in a future patch will directly use gpusvm, so needs alignment here.  v2:   - Add kernel-doc (Matt B)   - s/fls/ilog2/ (Thomas)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68193",
                        "url": "https://ubuntu.com/security/CVE-2025-68193",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Add devm release action to safely tear down CT  When a buffer object (BO) is allocated with the XE_BO_FLAG_GGTT_INVALIDATE flag, the driver initiates TLB invalidation requests via the CTB mechanism while releasing the BO. However a premature release of the CTB BO can lead to system crashes, as observed in:  Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:h2g_write+0x2f3/0x7c0 [xe] Call Trace:  guc_ct_send_locked+0x8b/0x670 [xe]  xe_guc_ct_send_locked+0x19/0x60 [xe]  send_tlb_invalidation+0xb4/0x460 [xe]  xe_gt_tlb_invalidation_ggtt+0x15e/0x2e0 [xe]  ggtt_invalidate_gt_tlb.part.0+0x16/0x90 [xe]  ggtt_node_remove+0x110/0x140 [xe]  xe_ggtt_node_remove+0x40/0xa0 [xe]  xe_ggtt_remove_bo+0x87/0x250 [xe]  Introduce a devm-managed release action during xe_guc_ct_init() and xe_guc_ct_init_post_hwconfig() to ensure proper CTB disablement before resource deallocation, preventing the use-after-free scenario.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68175",
                        "url": "https://ubuntu.com/security/CVE-2025-68175",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: nxp: imx8-isi: Fix streaming cleanup on release  The current implementation unconditionally calls mxc_isi_video_cleanup_streaming() in mxc_isi_video_release(). This can lead to situations where any release call (like from a simple \"v4l2-ctl -l\") may release a currently streaming queue when called on such a device.  This is reproducible on an i.MX8MP board by streaming from an ISI capture device using gstreamer:  \tgst-launch-1.0 -v v4l2src device=/dev/videoX ! \\ \t    video/x-raw,format=GRAY8,width=1280,height=800,framerate=1/120 ! \\ \t    fakesink  While this stream is running, querying the caps of the same device provokes the error state:  \tv4l2-ctl -l -d /dev/videoX  This results in the following trace:  [  155.452152] ------------[ cut here ]------------ [  155.452163] WARNING: CPU: 0 PID: 1708 at drivers/media/platform/nxp/imx8-isi/imx8-isi-pipe.c:713 mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [  157.004248] Modules linked in: cfg80211 rpmsg_ctrl rpmsg_char rpmsg_tty virtio_rpmsg_bus rpmsg_ns rpmsg_core rfkill nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables mcp251x6 [  157.053499] CPU: 0 UID: 0 PID: 1708 Comm: python3 Not tainted 6.15.4-00114-g1f61ca5cad76 #1 PREEMPT [  157.064369] Hardware name: imx8mp_board_01 (DT) [  157.068205] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [  157.075169] pc : mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [  157.081195] lr : mxc_isi_pipe_irq_handler+0x38/0x1b0 [imx8_isi] [  157.087126] sp : ffff800080003ee0 [  157.090438] x29: ffff800080003ee0 x28: ffff0000c3688000 x27: 0000000000000000 [  157.097580] x26: 0000000000000000 x25: ffff0000c1e7ac00 x24: ffff800081b5ad50 [  157.104723] x23: 00000000000000d1 x22: 0000000000000000 x21: ffff0000c25e4000 [  157.111866] x20: 0000000060000200 x19: ffff80007a0608d0 x18: 0000000000000000 [  157.119008] x17: ffff80006a4e3000 
x16: ffff800080000000 x15: 0000000000000000 [  157.126146] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [  157.133287] x11: 0000000000000040 x10: ffff0000c01445f0 x9 : ffff80007a053a38 [  157.140425] x8 : ffff0000c04004b8 x7 : 0000000000000000 x6 : 0000000000000000 [  157.147567] x5 : ffff0000c0400490 x4 : ffff80006a4e3000 x3 : ffff0000c25e4000 [  157.154706] x2 : 0000000000000000 x1 : ffff8000825c0014 x0 : 0000000060000200 [  157.161850] Call trace: [  157.164296]  mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] (P) [  157.170319]  __handle_irq_event_percpu+0x58/0x218 [  157.175029]  handle_irq_event+0x54/0xb8 [  157.178867]  handle_fasteoi_irq+0xac/0x248 [  157.182968]  handle_irq_desc+0x48/0x68 [  157.186723]  generic_handle_domain_irq+0x24/0x38 [  157.191346]  gic_handle_irq+0x54/0x120 [  157.195098]  call_on_irq_stack+0x24/0x30 [  157.199027]  do_interrupt_handler+0x88/0x98 [  157.203212]  el0_interrupt+0x44/0xc0 [  157.206792]  __el0_irq_handler_common+0x18/0x28 [  157.211328]  el0t_64_irq_handler+0x10/0x20 [  157.215429]  el0t_64_irq+0x198/0x1a0 [  157.219009] ---[ end trace 0000000000000000 ]---  Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the vb2_ioctl_streamon() and vb2_ioctl_streamoff() helpers, and removal of the manual cleanup from mxc_isi_video_release().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68188",
                        "url": "https://ubuntu.com/security/CVE-2025-68188",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()  Use RCU to avoid a pair of atomic operations and a potential UAF on dst_dev()->flags.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68315",
                        "url": "https://ubuntu.com/security/CVE-2025-68315",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix to detect potential corrupted nid in free_nid_list  As reported, on-disk footer.ino and footer.nid is the same and out-of-range, let's add sanity check on f2fs_alloc_nid() to detect any potential corruption in free_nid_list.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40337",
                        "url": "https://ubuntu.com/security/CVE-2025-40337",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Correctly handle Rx checksum offload errors  The stmmac_rx function would previously set skb->ip_summed to CHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabled and the packet was of a known IP ethertype.  However, this logic failed to check if the hardware had actually reported a checksum error. The hardware status, indicating a header or payload checksum failure, was being ignored at this stage. This could cause corrupt packets to be passed up the network stack as valid.  This patch corrects the logic by checking the `csum_none` status flag, which is set when the hardware reports a checksum error. If this flag is set, skb->ip_summed is now correctly set to CHECKSUM_NONE, ensuring the kernel's network stack will perform its own validation and properly handle the corrupt packet.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40338",
                        "url": "https://ubuntu.com/security/CVE-2025-40338",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Do not share the name pointer between components  By sharing 'name' directly, tearing down components may lead to use-after-free errors. Duplicate the name to avoid that.  At the same time, update the order of operations - since commit cee28113db17 (\"ASoC: dmaengine_pcm: Allow passing component name via config\") the framework does not override component->name if set before invoking the initializer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40339",
                        "url": "https://ubuntu.com/security/CVE-2025-40339",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: fix nullptr err of vm_handle_moved  If a amdgpu_bo_va is fpriv->prt_va, the bo of this one is always NULL. So, such kind of amdgpu_bo_va should be updated separately before amdgpu_vm_handle_moved.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68194",
                        "url": "https://ubuntu.com/security/CVE-2025-68194",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: imon: make send_packet() more robust  syzbot is reporting that imon has three problems which result in hung tasks due to forever holding device lock [1].  First problem is that when usb_rx_callback_intf0() once got -EPROTO error after ictx->dev_present_intf0 became true, usb_rx_callback_intf0() resubmits urb after printk(), and resubmitted urb causes usb_rx_callback_intf0() to again get -EPROTO error. This results in printk() flooding (RCU stalls).  Alan Stern commented [2] that    In theory it's okay to resubmit _if_ the driver has a robust   error-recovery scheme (such as giving up after some fixed limit on the   number of errors or after some fixed time has elapsed, perhaps with a   time delay to prevent a flood of errors).  Most drivers don't bother to   do this; they simply give up right away.  This makes them more   vulnerable to short-term noise interference during USB transfers, but in   reality such interference is quite rare.  There's nothing really wrong   with giving up right away.  but imon has a poor error-recovery scheme which just retries forever; this behavior should be fixed.  Since I'm not sure whether it is safe for imon users to give up upon any error code, this patch takes care of only union of error codes chosen from modules in drivers/media/rc/ directory which handle -EPROTO error (i.e. ir_toy, mceusb and igorplugusb).  Second problem is that when usb_rx_callback_intf0() once got -EPROTO error before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0() always resubmits urb due to commit 8791d63af0cf (\"[media] imon: don't wedge hardware after early callbacks\"). 
Move the ictx->dev_present_intf0 test introduced by commit 6f6b90c9231a (\"[media] imon: don't parse scancodes until intf configured\") to immediately before imon_incoming_packet(), or the first problem explained above happens without printk() flooding (i.e. hung task).  Third problem is that when usb_rx_callback_intf0() is not called for some reason (e.g. flaky hardware; the reproducer for this problem sometimes prevents usb_rx_callback_intf0() from being called), wait_for_completion_interruptible() in send_packet() never returns (i.e. hung task). As a workaround for such situation, change send_packet() to wait for completion with timeout of 10 seconds.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40363",
                        "url": "https://ubuntu.com/security/CVE-2025-40363",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: ipv6: fix field-spanning memcpy warning in AH output  Fix field-spanning memcpy warnings in ah6_output() and ah6_output_done() where extension headers are copied to/from IPv6 address fields, triggering fortify-string warnings about writes beyond the 16-byte address fields.    memcpy: detected field-spanning write (size 40) of single field \"&top_iph->saddr\" at net/ipv6/ah6.c:439 (size 16)   WARNING: CPU: 0 PID: 8838 at net/ipv6/ah6.c:439 ah6_output+0xe7e/0x14e0 net/ipv6/ah6.c:439  The warnings are false positives as the extension headers are intentionally placed after the IPv6 header in memory. Fix by properly copying addresses and extension headers separately, and introduce helper functions to avoid code duplication.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68311",
                        "url": "https://ubuntu.com/security/CVE-2025-68311",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: serial: ip22zilog: Use platform device for probing  After commit 84a9582fd203 (\"serial: core: Start managing serial controllers to enable runtime PM\") serial drivers need to provide a device in struct uart_port.dev otherwise an oops happens. To fix this issue for ip22zilog driver switch driver to a platform driver and setup the serial device in sgi-ip22 code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40340",
                        "url": "https://ubuntu.com/security/CVE-2025-40340",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.  I saw an oops in xe_gem_fault when running the xe-fast-feedback testlist against the realtime kernel without debug options enabled.  The panic happens after core_hotunplug unbind-rebind finishes. Presumably what happens is that a process mmaps, unlocks because of the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left, causing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since there was nothing left to populate, and then oopses in \"mem_type_is_vram(tbo->resource->mem_type)\" because tbo->resource is NULL.  It's convoluted, but fits the data and explains the oops after the test exits.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68196",
                        "url": "https://ubuntu.com/security/CVE-2025-68196",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Cache streams targeting link when performing LT automation  [WHY] Last LT automation update can cause crash by referencing current_state and calling into dc_update_planes_and_stream which may clobber current_state.  [HOW] Cache relevant stream pointers and iterate through them instead of relying on the current_state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68178",
                        "url": "https://ubuntu.com/security/CVE-2025-68178",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  blk-cgroup: fix possible deadlock while configuring policy  Following deadlock can be triggered easily by lockdep:  WARNING: possible circular locking dependency detected 6.17.0-rc3-00124-ga12c2658ced0 #1665 Not tainted ------------------------------------------------------ check/1334 is trying to acquire lock: ff1100011d9d0678 (&q->sysfs_lock){+.+.}-{4:4}, at: blk_unregister_queue+0x53/0x180  but task is already holding lock: ff1100011d9d00e0 (&q->q_usage_counter(queue)#3){++++}-{0:0}, at: del_gendisk+0xba/0x110  which lock already depends on the new lock.  the existing dependency chain (in reverse order) is:  -> #2 (&q->q_usage_counter(queue)#3){++++}-{0:0}:        blk_queue_enter+0x40b/0x470        blkg_conf_prep+0x7b/0x3c0        tg_set_limit+0x10a/0x3e0        cgroup_file_write+0xc6/0x420        kernfs_fop_write_iter+0x189/0x280        vfs_write+0x256/0x490        ksys_write+0x83/0x190        __x64_sys_write+0x21/0x30        x64_sys_call+0x4608/0x4630        do_syscall_64+0xdb/0x6b0        entry_SYSCALL_64_after_hwframe+0x76/0x7e  -> #1 (&q->rq_qos_mutex){+.+.}-{4:4}:        __mutex_lock+0xd8/0xf50        mutex_lock_nested+0x2b/0x40        wbt_init+0x17e/0x280        wbt_enable_default+0xe9/0x140        blk_register_queue+0x1da/0x2e0        __add_disk+0x38c/0x5d0        add_disk_fwnode+0x89/0x250        device_add_disk+0x18/0x30        virtblk_probe+0x13a3/0x1800        virtio_dev_probe+0x389/0x610        really_probe+0x136/0x620        __driver_probe_device+0xb3/0x230        driver_probe_device+0x2f/0xe0        __driver_attach+0x158/0x250        bus_for_each_dev+0xa9/0x130        driver_attach+0x26/0x40        bus_add_driver+0x178/0x3d0        driver_register+0x7d/0x1c0        __register_virtio_driver+0x2c/0x60        virtio_blk_init+0x6f/0xe0        do_one_initcall+0x94/0x540        kernel_init_freeable+0x56a/0x7b0        kernel_init+0x2b/0x270    
    ret_from_fork+0x268/0x4c0        ret_from_fork_asm+0x1a/0x30  -> #0 (&q->sysfs_lock){+.+.}-{4:4}:        __lock_acquire+0x1835/0x2940        lock_acquire+0xf9/0x450        __mutex_lock+0xd8/0xf50        mutex_lock_nested+0x2b/0x40        blk_unregister_queue+0x53/0x180        __del_gendisk+0x226/0x690        del_gendisk+0xba/0x110        sd_remove+0x49/0xb0 [sd_mod]        device_remove+0x87/0xb0        device_release_driver_internal+0x11e/0x230        device_release_driver+0x1a/0x30        bus_remove_device+0x14d/0x220        device_del+0x1e1/0x5a0        __scsi_remove_device+0x1ff/0x2f0        scsi_remove_device+0x37/0x60        sdev_store_delete+0x77/0x100        dev_attr_store+0x1f/0x40        sysfs_kf_write+0x65/0x90        kernfs_fop_write_iter+0x189/0x280        vfs_write+0x256/0x490        ksys_write+0x83/0x190        __x64_sys_write+0x21/0x30        x64_sys_call+0x4608/0x4630        do_syscall_64+0xdb/0x6b0        entry_SYSCALL_64_after_hwframe+0x76/0x7e  other info that might help us debug this:  Chain exists of:   &q->sysfs_lock --> &q->rq_qos_mutex --> &q->q_usage_counter(queue)#3   Possible unsafe locking scenario:         CPU0                    CPU1        ----                    ----   lock(&q->q_usage_counter(queue)#3);                                lock(&q->rq_qos_mutex);                                lock(&q->q_usage_counter(queue)#3);   lock(&q->sysfs_lock);  Root cause is that queue_usage_counter is grabbed with rq_qos_mutex held in blkg_conf_prep(), while queue should be freezed before rq_qos_mutex from other context.  The blk_queue_enter() from blkg_conf_prep() is used to protect against policy deactivation, which is already protected with blkcg_mutex, hence convert blk_queue_enter() to blkcg_mutex to fix this problem. Meanwhile, consider that blkcg_mutex is held after queue is freezed from policy deactivation, also convert blkg_alloc() to use GFP_NOIO.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40341",
                        "url": "https://ubuntu.com/security/CVE-2025-40341",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  futex: Don't leak robust_list pointer on exec race  sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access() to check if the calling task is allowed to access another task's robust_list pointer. This check is racy against a concurrent exec() in the target process.  During exec(), a task may transition from a non-privileged binary to a privileged one (e.g., setuid binary) and its credentials/memory mappings may change. If get_robust_list() performs ptrace_may_access() before this transition, it may erroneously allow access to sensitive information after the target becomes privileged.  A racy access allows an attacker to exploit a window during which ptrace_may_access() passes before a target process transitions to a privileged state via exec().  For example, consider a non-privileged task T that is about to execute a setuid-root binary. An attacker task A calls get_robust_list(T) while T is still unprivileged. Since ptrace_may_access() checks permissions based on current credentials, it succeeds. However, if T begins exec immediately afterwards, it becomes privileged and may change its memory mappings. Because get_robust_list() proceeds to access T->robust_list without synchronizing with exec() it may read user-space pointers from a now-privileged process.  This violates the intended post-exec access restrictions and could expose sensitive memory addresses or be used as a primitive in a larger exploit chain. Consequently, the race can lead to unauthorized disclosure of information across privilege boundaries and poses a potential security risk.  Take a read lock on signal->exec_update_lock prior to invoking ptrace_may_access() and accessing the robust_list/compat_robust_list. This ensures that the target task's exec state remains stable during the check, allowing for consistent and synchronized validation of credentials.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40342",
                        "url": "https://ubuntu.com/security/CVE-2025-40342",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvme-fc: use lock accessing port_state and rport state  nvme_fc_unregister_remote removes the remote port on a lport object at any point in time when there is no active association. This races with with the reconnect logic, because nvme_fc_create_association is not taking a lock to check the port_state and atomically increase the active count on the rport.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40343",
                        "url": "https://ubuntu.com/security/CVE-2025-40343",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-fc: avoid scheduling association deletion twice  When forcefully shutting down a port via the configfs interface, nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and then nvmet_disable_port(). Both functions will eventually schedule all remaining associations for deletion.  The current implementation checks whether an association is about to be removed, but only after the work item has already been scheduled. As a result, it is possible for the first scheduled work item to free all resources, and then for the same work item to be scheduled again for deletion.  Because the association list is an RCU list, it is not possible to take a lock and remove the list entry directly, so it cannot be looked up again. Instead, a flag (terminating) must be used to determine whether the association is already in the process of being deleted.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68177",
                        "url": "https://ubuntu.com/security/CVE-2025-68177",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq/longhaul: handle NULL policy in longhaul_exit  longhaul_exit() was calling cpufreq_cpu_get(0) without checking for a NULL policy pointer. On some systems, this could lead to a NULL dereference and a kernel warning or panic.  This patch adds a check using unlikely() and returns early if the policy is NULL.  Bugzilla: #219962",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68317",
                        "url": "https://ubuntu.com/security/CVE-2025-68317",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/zctx: check chained notif contexts  Send zc only links ubuf_info for requests coming from the same context. There are some ambiguous syz reports, so let's check the assumption on notification completion.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40315",
                        "url": "https://ubuntu.com/security/CVE-2025-40315",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_fs: Fix epfile null pointer access after ep enable.  A race condition occurs when ffs_func_eps_enable() runs concurrently with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading to a NULL pointer dereference when accessing epfile->ep in ffs_func_eps_enable() after successful usb_ep_enable().  The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and ffs_data_close() functions, and its modification is protected by the spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function is also protected by ffs->eps_lock.  Thus, add NULL pointer handling for ffs->epfiles in the ffs_func_eps_enable() function to fix issues",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40316",
                        "url": "https://ubuntu.com/security/CVE-2025-40316",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/mediatek: Fix device use-after-free on unbind  A recent change fixed device reference leaks when looking up drm platform device driver data during bind() but failed to remove a partial fix which had been added by commit 80805b62ea5b (\"drm/mediatek: Fix kobject put for component sub-drivers\").  This results in a reference imbalance on component bind() failures and on unbind() which could lead to a user-after-free.  Make sure to only drop the references after retrieving the driver data by effectively reverting the previous partial fix.  Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40360",
                        "url": "https://ubuntu.com/security/CVE-2025-40360",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sysfb: Do not dereference NULL pointer in plane reset  The plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not deref that pointer, but forward NULL to the other plane-reset helpers. Clears plane->state to NULL.  v2: - fix typo in commit description (Javier)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68179",
                        "url": "https://ubuntu.com/security/CVE-2025-68179",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP  As reported by Luiz Capitulino enabling HVO on s390 leads to reproducible crashes. The problem is that kernel page tables are modified without flushing corresponding TLB entries.  Even if it looks like the empty flush_tlb_all() implementation on s390 is the problem, it is actually a different problem: on s390 it is not allowed to replace an active/valid page table entry with another valid page table entry without the detour over an invalid entry. A direct replacement may lead to random crashes and/or data corruption.  In order to invalidate an entry special instructions have to be used (e.g. ipte or idte). Alternatively there are also special instructions available which allow to replace a valid entry with a different valid entry (e.g. crdte or cspg).  Given that the HVO code currently does not provide the hooks to allow for an implementation which is compliant with the s390 architecture requirements, disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP again, which is basically a revert of the original patch which enabled it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68310",
                        "url": "https://ubuntu.com/security/CVE-2025-68310",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump  Do not block PCI config accesses through pci_cfg_access_lock() when executing the s390 variant of PCI error recovery: Acquire just device_lock() instead of pci_dev_lock() as powerpc's EEH and generig PCI AER processing do.  During error recovery testing a pair of tasks was reported to be hung:  mlx5_core 0000:00:00.1: mlx5_health_try_recover:338:(pid 5553): health recovery flow aborted, PCI reads still not working INFO: task kmcheck:72 blocked for more than 122 seconds.       Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. task:kmcheck         state:D stack:0     pid:72    tgid:72    ppid:2     flags:0x00000000 Call Trace:  [<000000065256f030>] __schedule+0x2a0/0x590  [<000000065256f356>] schedule+0x36/0xe0  [<000000065256f572>] schedule_preempt_disabled+0x22/0x30  [<0000000652570a94>] __mutex_lock.constprop.0+0x484/0x8a8  [<000003ff800673a4>] mlx5_unload_one+0x34/0x58 [mlx5_core]  [<000003ff8006745c>] mlx5_pci_err_detected+0x94/0x140 [mlx5_core]  [<0000000652556c5a>] zpci_event_attempt_error_recovery+0xf2/0x398  [<0000000651b9184a>] __zpci_event_error+0x23a/0x2c0 INFO: task kworker/u1664:6:1514 blocked for more than 122 seconds.       Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. 
task:kworker/u1664:6 state:D stack:0     pid:1514  tgid:1514  ppid:2     flags:0x00000000 Workqueue: mlx5_health0000:00:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core] Call Trace:  [<000000065256f030>] __schedule+0x2a0/0x590  [<000000065256f356>] schedule+0x36/0xe0  [<0000000652172e28>] pci_wait_cfg+0x80/0xe8  [<0000000652172f94>] pci_cfg_access_lock+0x74/0x88  [<000003ff800916b6>] mlx5_vsc_gw_lock+0x36/0x178 [mlx5_core]  [<000003ff80098824>] mlx5_crdump_collect+0x34/0x1c8 [mlx5_core]  [<000003ff80074b62>] mlx5_fw_fatal_reporter_dump+0x6a/0xe8 [mlx5_core]  [<0000000652512242>] devlink_health_do_dump.part.0+0x82/0x168  [<0000000652513212>] devlink_health_report+0x19a/0x230  [<000003ff80075a12>] mlx5_fw_fatal_reporter_err_work+0xba/0x1b0 [mlx5_core]  No kernel log of the exact same error with an upstream kernel is available - but the very same deadlock situation can be constructed there, too:  - task: kmcheck   mlx5_unload_one() tries to acquire devlink lock while the PCI error   recovery code has set pdev->block_cfg_access by way of   pci_cfg_access_lock() - task: kworker   mlx5_crdump_collect() tries to set block_cfg_access through   pci_cfg_access_lock() while devlink_health_report() had acquired   the devlink lock.  A similar deadlock situation can be reproduced by requesting a crdump with   > devlink health dump show pci/<BDF> reporter fw_fatal  while PCI error recovery is executed on the same <BDF> physical function by mlx5_core's pci_error_handlers. On s390 this can be injected with   > zpcictl --reset-fw <BDF>  Tests with this patch failed to reproduce that second deadlock situation, the devlink command is rejected with \"kernel answers: Permission denied\" - and we get a kernel log message of:  mlx5_core 1ed0:00:00.1: mlx5_crdump_collect:50:(pid 254382): crdump: failed to lock vsc gw err -5  because the config read of VSC_SEMAPHORE is rejected by the underlying hardware.  
Two prior attempts to address this issue have been discussed and ultimately rejected [see link], with the primary argument that s390's implementation of PCI error recovery is imposing restrictions that neither powerpc's EEH nor PCI AER handling need. Tests show that PCI error recovery on s390 is running to completion even without blocking access to PCI config space.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40317",
                        "url": "https://ubuntu.com/security/CVE-2025-40317",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  regmap: slimbus: fix bus_context pointer in regmap init calls  Commit 4e65bda8273c (\"ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()\") revealed the problem in the slimbus regmap. That commit breaks audio playback, for instance, on sdm845 Thundercomm Dragonboard 845c board:   Unable to handle kernel paging request at virtual address ffff8000847cbad4  ...  CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT  Hardware name: Thundercomm Dragonboard 845c (DT)  ...  Call trace:   slim_xfer_msg+0x24/0x1ac [slimbus] (P)   slim_read+0x48/0x74 [slimbus]   regmap_slimbus_read+0x18/0x24 [regmap_slimbus]   _regmap_raw_read+0xe8/0x174   _regmap_bus_read+0x44/0x80   _regmap_read+0x60/0xd8   _regmap_update_bits+0xf4/0x140   _regmap_select_page+0xa8/0x124   _regmap_raw_write_impl+0x3b8/0x65c   _regmap_bus_raw_write+0x60/0x80   _regmap_write+0x58/0xc0   regmap_write+0x4c/0x80   wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x]   snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core]   __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core]   dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core]   dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core]   snd_pcm_hw_params+0x124/0x464 [snd_pcm]   snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm]   snd_pcm_ioctl+0x34/0x4c [snd_pcm]   __arm64_sys_ioctl+0xac/0x104   invoke_syscall+0x48/0x104   el0_svc_common.constprop.0+0x40/0xe0   do_el0_svc+0x1c/0x28   el0_svc+0x34/0xec   el0t_64_sync_handler+0xa0/0xf0   el0t_64_sync+0x198/0x19c  The __devm_regmap_init_slimbus() started to be used instead of __regmap_init_slimbus() after the commit mentioned above and turns out the incorrect bus_context pointer (3rd argument) was used in __devm_regmap_init_slimbus(). It should be just \"slimbus\" (which is equal to &slimbus->dev). Correct it. 
The wcd934x codec seems to be the only or the first user of devm_regmap_init_slimbus() but we should fix it till the point where __devm_regmap_init_slimbus() was introduced therefore two \"Fixes\" tags.  While at this, also correct the same argument in __regmap_init_slimbus().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40359",
                        "url": "https://ubuntu.com/security/CVE-2025-40359",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/x86/intel: Fix KASAN global-out-of-bounds warning  When running \"perf mem record\" command on CWF, the below KASAN global-out-of-bounds warning is seen.    ==================================================================   BUG: KASAN: global-out-of-bounds in cmt_latency_data+0x176/0x1b0   Read of size 4 at addr ffffffffb721d000 by task dtlb/9850    Call Trace:     kasan_report+0xb8/0xf0    cmt_latency_data+0x176/0x1b0    setup_arch_pebs_sample_data+0xf49/0x2560    intel_pmu_drain_arch_pebs+0x577/0xb00    handle_pmi_common+0x6c4/0xc80  The issue is caused by below code in __grt_latency_data(). The code tries to access x86_hybrid_pmu structure which doesn't exist on non-hybrid platform like CWF.          WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big)  So add is_hybrid() check before calling this WARN_ON_ONCE to fix the global-out-of-bounds access issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68181",
                        "url": "https://ubuntu.com/security/CVE-2025-68181",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Remove calls to drm_put_dev()  Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() drm_put_dev()'ing to trigger it to be free'd should be done by devres.  However, drm_put_dev() is still in the probe error and device remove paths. When the driver fails to probe warnings like the following are shown because devres is trying to drm_put_dev() after the driver already did it.  [    5.642230] radeon 0000:01:05.0: probe with driver radeon failed with error -22 [    5.649605] ------------[ cut here ]------------ [    5.649607] refcount_t: underflow; use-after-free. [    5.649620] WARNING: CPU: 0 PID: 357 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110  (cherry picked from commit 3eb8c0b4c091da0a623ade0d3ee7aa4a93df1ea4)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68170",
                        "url": "https://ubuntu.com/security/CVE-2025-68170",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Do not kfree() devres managed rdev  Since the allocation of the driver's main structure was changed to devm_drm_dev_alloc(), rdev is managed by devres and we shouldn't be calling kfree() on it.  This fixes things exploding if the driver probe fails and devres cleans up the rdev after we already free'd it.  (cherry picked from commit 16c0681617b8a045773d4d87b6140002fa75b03b)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40213",
                        "url": "https://ubuntu.com/security/CVE-2025-40213",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete  There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array.  Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove.  Use DEFINE_FLEX to declare the flexible array right, and don't memcpy outside bounds.  As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free, and also report status on error.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-24 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40318",
                        "url": "https://ubuntu.com/security/CVE-2025-40318",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once  hci_cmd_sync_dequeue_once() does lookup and then cancel the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the same entry, leading to double list_del() and \"UAF\".  Fix this by holding cmd_sync_work_lock across both lookup and cancel, so that the entry cannot be removed concurrently.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68312",
                        "url": "https://ubuntu.com/security/CVE-2025-68312",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: Prevents free active kevent  The root causes of this issue are: 1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0); puts the kevent work in the global workqueue. However, the kevent has not yet been scheduled when the usbnet device is unregistered. Therefore, executing free_netdev() results in the \"free active object (kevent)\" error reported here.  2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(), if the usbnet device is up, ndo_stop() is executed to cancel the kevent. However, because the device is not up, ndo_stop() is not executed.  The solution to this problem is to cancel the kevent before executing free_netdev().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40344",
                        "url": "https://ubuntu.com/security/CVE-2025-40344",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Disable periods-elapsed work when closing PCM  avs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio stream while period-elapsed work services its IRQs. As the former frees the DAI's private context, these two operations shall be synchronized to avoid slab-use-after-free or worse errors.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-09 16:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68172",
                        "url": "https://ubuntu.com/security/CVE-2025-68172",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: aspeed - fix double free caused by devm  The clock obtained via devm_clk_get_enabled() is automatically managed by devres and will be disabled and freed on driver detach. Manually calling clk_disable_unprepare() in error path and remove function causes double free.  Remove the manual clock cleanup in both aspeed_acry_probe()'s error path and aspeed_acry_remove().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40319",
                        "url": "https://ubuntu.com/security/CVE-2025-40319",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Sync pending IRQ work before freeing ring buffer  Fix a race where irq_work can be queued in bpf_ringbuf_commit() but the ring buffer is freed before the work executes. In the syzbot reproducer, a BPF program attached to sched_switch triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer is freed before this work executes, the irq_work thread may access freed memory. Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work complete before freeing the buffer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68182",
                        "url": "https://ubuntu.com/security/CVE-2025-68182",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: iwlwifi: fix potential use after free in iwl_mld_remove_link()  This code frees \"link\" by calling kfree_rcu(link, rcu_head) and then it dereferences \"link\" to get the \"link->fw_id\".  Save the \"link->fw_id\" first to avoid a potential use after free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68314",
                        "url": "https://ubuntu.com/security/CVE-2025-68314",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm: make sure last_fence is always updated  Update last_fence in the vm-bind path instead of kernel managed path.  last_fence is used to wait for work to finish in vm_bind contexts but not used for kernel managed contexts.  This fixes a bug where last_fence is not waited on context close leading to faults as resources are freed while in use.  Patchwork: https://patchwork.freedesktop.org/patch/680080/",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68189",
                        "url": "https://ubuntu.com/security/CVE-2025-68189",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm: Fix GEM free for imported dma-bufs  Imported dma-bufs also have obj->resv != &obj->_resv.  So we should check both this condition in addition to flags for handling the _NO_SHARE case.  Fixes this splat that was reported with IRIS video playback:      ------------[ cut here ]------------     WARNING: CPU: 3 PID: 2040 at drivers/gpu/drm/msm/msm_gem.c:1127 msm_gem_free_object+0x1f8/0x264 [msm]     CPU: 3 UID: 1000 PID: 2040 Comm: .gnome-shell-wr Not tainted 6.17.0-rc7 #1 PREEMPT     pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)     pc : msm_gem_free_object+0x1f8/0x264 [msm]     lr : msm_gem_free_object+0x138/0x264 [msm]     sp : ffff800092a1bb30     x29: ffff800092a1bb80 x28: ffff800092a1bce8 x27: ffffbc702dbdbe08     x26: 0000000000000008 x25: 0000000000000009 x24: 00000000000000a6     x23: ffff00083c72f850 x22: ffff00083c72f868 x21: ffff00087e69f200     x20: ffff00087e69f330 x19: ffff00084d157ae0 x18: 0000000000000000     x17: 0000000000000000 x16: ffffbc704bd46b80 x15: 0000ffffd0959540     x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000     x11: ffffbc702e6cdb48 x10: 0000000000000000 x9 : 000000000000003f     x8 : ffff800092a1ba90 x7 : 0000000000000000 x6 : 0000000000000020     x5 : ffffbc704bd46c40 x4 : fffffdffe102cf60 x3 : 0000000000400032     x2 : 0000000000020000 x1 : ffff00087e6978e8 x0 : ffff00087e6977e8     Call trace:      msm_gem_free_object+0x1f8/0x264 [msm] (P)      drm_gem_object_free+0x1c/0x30 [drm]      drm_gem_object_handle_put_unlocked+0x138/0x150 [drm]      drm_gem_object_release_handle+0x5c/0xcc [drm]      drm_gem_handle_delete+0x68/0xbc [drm]      drm_gem_close_ioctl+0x34/0x40 [drm]      drm_ioctl_kernel+0xc0/0x130 [drm]      drm_ioctl+0x360/0x4e0 [drm]      __arm64_sys_ioctl+0xac/0x104      invoke_syscall+0x48/0x104      el0_svc_common.constprop.0+0x40/0xe0      do_el0_svc+0x1c/0x28      
el0_svc+0x34/0xec      el0t_64_sync_handler+0xa0/0xe4      el0t_64_sync+0x198/0x19c     ---[ end trace 0000000000000000 ]---     ------------[ cut here ]------------  Patchwork: https://patchwork.freedesktop.org/patch/676273/",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68171",
                        "url": "https://ubuntu.com/security/CVE-2025-68171",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/fpu: Ensure XFD state on signal delivery  Sean reported [1] the following splat when running KVM tests:     WARNING: CPU: 232 PID: 15391 at xfd_validate_state+0x65/0x70    Call Trace:     <TASK>     fpu__clear_user_states+0x9c/0x100     arch_do_signal_or_restart+0x142/0x210     exit_to_user_mode_loop+0x55/0x100     do_syscall_64+0x205/0x2c0     entry_SYSCALL_64_after_hwframe+0x4b/0x53  Chao further identified [2] a reproducible scenario involving signal delivery: a non-AMX task is preempted by an AMX-enabled task which modifies the XFD MSR.  When the non-AMX task resumes and reloads XSTATE with init values, a warning is triggered due to a mismatch between fpstate::xfd and the CPU's current XFD state. fpu__clear_user_states() does not currently re-synchronize the XFD state after such preemption.  Invoke xfd_update_state() which detects and corrects the mismatch if there is a dynamic feature.  This also benefits the sigreturn path, as fpu__restore_sig() may call fpu__clear_user_states() when the sigframe is inaccessible.  [ dhansen: minor changelog munging ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68313",
                        "url": "https://ubuntu.com/security/CVE-2025-68313",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Add RDSEED fix for Zen5  There's an issue with RDSEED's 16-bit and 32-bit register output variants on Zen5 which return a random value of 0 \"at a rate inconsistent with randomness while incorrectly signaling success (CF=1)\". Search the web for AMD-SB-7055 for more detail.  Add a fix glue which checks microcode revisions.    [ bp: Add microcode revisions checking, rewrite. ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-16 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40320",
                        "url": "https://ubuntu.com/security/CVE-2025-40320",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix potential cfid UAF in smb2_query_info_compound  When smb2_query_info_compound() retries, a previously allocated cfid may have been freed in the first attempt. Because cfid wasn't reset on replay, later cleanup could act on a stale pointer, leading to a potential use-after-free.  Reinitialize cfid to NULL under the replay label.  Example trace (trimmed):  refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110 [...] RIP: 0010:refcount_warn_saturate+0x9c/0x110 [...] Call Trace:  <TASK>  smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  ? step_into+0x10d/0x690  ? __legitimize_path+0x28/0x60  smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  ? kmem_cache_alloc+0x18a/0x340  ? getname_flags+0x46/0x1e0  cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  statfs_by_dentry+0x67/0x90  vfs_statfs+0x16/0xd0  user_statfs+0x54/0xa0  __do_sys_statfs+0x20/0x50  do_syscall_64+0x58/0x80",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40321",
                        "url": "https://ubuntu.com/security/CVE-2025-40321",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode  Currently, whenever there is a need to transmit an Action frame, the brcmfmac driver always uses the P2P vif to send the \"actframe\" IOVAR to firmware. The P2P interfaces were available when wpa_supplicant is managing the wlan interface.  However, the P2P interfaces are not created/initialized when only hostapd is managing the wlan interface. And if hostapd receives an ANQP Query REQ Action frame even from an un-associated STA, the brcmfmac driver tries to use an uninitialized P2P vif pointer for sending the IOVAR to firmware. This NULL pointer dereferencing triggers a driver crash.   [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual  address 0000000000000000  [...]  [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)  [...]  [ 1417.075653] Call trace:  [ 1417.075662]  brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]  [ 1417.075738]  brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]  [ 1417.075810]  cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211]  [ 1417.076067]  nl80211_tx_mgmt+0x238/0x388 [cfg80211]  [ 1417.076281]  genl_family_rcv_msg_doit+0xe0/0x158  [ 1417.076302]  genl_rcv_msg+0x220/0x2a0  [ 1417.076317]  netlink_rcv_skb+0x68/0x140  [ 1417.076330]  genl_rcv+0x40/0x60  [ 1417.076343]  netlink_unicast+0x330/0x3b8  [ 1417.076357]  netlink_sendmsg+0x19c/0x3f8  [ 1417.076370]  __sock_sendmsg+0x64/0xc0  [ 1417.076391]  ____sys_sendmsg+0x268/0x2a0  [ 1417.076408]  ___sys_sendmsg+0xb8/0x118  [ 1417.076427]  __sys_sendmsg+0x90/0xf8  [ 1417.076445]  __arm64_sys_sendmsg+0x2c/0x40  [ 1417.076465]  invoke_syscall+0x50/0x120  [ 1417.076486]  el0_svc_common.constprop.0+0x48/0xf0  [ 1417.076506]  do_el0_svc+0x24/0x38  [ 1417.076525]  el0_svc+0x30/0x100  [ 1417.076548]  el0t_64_sync_handler+0x100/0x130  [ 1417.076569]  el0t_64_sync+0x190/0x198  [ 
1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)  Fix this, by always using the vif corresponding to the wdev on which the Action frame Transmission request was initiated by the userspace. This way, even if P2P vif is not available, the IOVAR is sent to firmware on AP vif and the ANQP Query RESP Action frame is transmitted without crashing the driver.  Move init_completion() for \"send_af_done\" from brcmf_p2p_create_p2pdev() to brcmf_p2p_attach(). Because the former function would not get executed when only hostapd is managing wlan interface, and it is not safe to do reinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior init_completion().  And in the brcmf_p2p_tx_action_frame() function, the condition check for P2P Presence response frame is not needed, since the wpa_supplicant is properly sending the P2P Presence Response frame on the P2P-GO vif instead of the P2P-Device vif.  [Cc stable]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40322",
                        "url": "https://ubuntu.com/security/CVE-2025-40322",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: bitblit: bound-check glyph index in bit_putcs*  bit_putcs_aligned()/unaligned() derived the glyph pointer from the character value masked by 0xff/0x1ff, which may exceed the actual font's glyph count and read past the end of the built-in font array. Clamp the index to the actual glyph count before computing the address.  This fixes a global out-of-bounds read reported by syzbot.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40211",
                        "url": "https://ubuntu.com/security/CVE-2025-40211",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ACPI: video: Fix use-after-free in acpi_video_switch_brightness()  The switch_brightness_work delayed work accesses device->brightness and device->backlight, freed by acpi_video_dev_unregister_backlight() during device removal.  If the work executes after acpi_video_bus_unregister_backlight() frees these resources, it causes a use-after-free when acpi_video_switch_brightness() dereferences device->brightness or device->backlight.  Fix this by calling cancel_delayed_work_sync() for each device's switch_brightness_work in acpi_video_bus_remove_notify_handler() after removing the notify handler that queues the work. This ensures the work completes before the memory is freed.  [ rjw: Changelog edit ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-21 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40323",
                        "url": "https://ubuntu.com/security/CVE-2025-40323",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Set fb_display[i]->mode to NULL when the mode is released  Recently, we discovered the following issue through syzkaller:  BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0 Read of size 4 at addr ff11000001b3c69c by task syz.xxx ... Call Trace:  <TASK>  dump_stack_lvl+0xab/0xe0  print_address_description.constprop.0+0x2c/0x390  print_report+0xb9/0x280  kasan_report+0xb8/0xf0  fb_mode_is_equal+0x285/0x2f0  fbcon_mode_deleted+0x129/0x180  fb_set_var+0xe7f/0x11d0  do_fb_ioctl+0x6a0/0x750  fb_ioctl+0xe0/0x140  __x64_sys_ioctl+0x193/0x210  do_syscall_64+0x5f/0x9c0  entry_SYSCALL_64_after_hwframe+0x76/0x7e  Based on experimentation and analysis, during framebuffer unregistration, only the memory of fb_info->modelist is freed, without setting the corresponding fb_display[i]->mode to NULL for the freed modes. This leads to UAF issues during subsequent accesses. Here's an example of reproduction steps: 1. With /dev/fb0 already registered in the system, load a kernel module    to register a new device /dev/fb1; 2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP); 3. Switch console from fb to VGA (to allow normal rmmod of the ko); 4. Unload the kernel module, at this point fb1's modelist is freed, leaving    a wild pointer in fb_display[]; 5. Trigger the bug via system calls through fb0 attempting to delete a mode    from fb0.  Add a check in do_unregister_framebuffer(): if the mode to be freed exists in fb_display[], set the corresponding mode pointer to NULL.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40210",
                        "url": "https://ubuntu.com/security/CVE-2025-40210",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\"  I've found that pynfs COMP6 now leaves the connection or lease in a strange state, which causes CLOSE9 to hang indefinitely. I've dug into it a little, but I haven't been able to root-cause it yet. However, I bisected to commit 48aab1606fa8 (\"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\").  Tianshuo Han also reports a potential vulnerability when decoding an NFSv4 COMPOUND. An attacker can place an arbitrarily large op count in the COMPOUND header, which results in:  [   51.410584] nfsd: vmalloc error: size 1209533382144, exceeds total pages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO), nodemask=(null),cpuset=/,mems_allowed=0  when NFSD attempts to allocate the COMPOUND op array.  Let's restore the operation-per-COMPOUND limit, but increased to 200 for now.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-21 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40324",
                        "url": "https://ubuntu.com/security/CVE-2025-40324",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Fix crash in nfsd4_read_release()  When tracing is enabled, the trace_nfsd_read_done trace point crashes during the pynfs read.testNoFh test.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40326",
                        "url": "https://ubuntu.com/security/CVE-2025-40326",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define actions for the new time_deleg FATTR4 attributes  NFSv4 clients won't send legitimate GETATTR requests for these new attributes because they are intended to be used only with CB_GETATTR and SETATTR. But NFSD has to do something besides crashing if it ever sees a GETATTR request that queries these attributes.  RFC 8881 Section 18.7.3 states:  > The server MUST return a value for each attribute that the client > requests if the attribute is supported by the server for the > target file system. If the server does not support a particular > attribute on the target file system, then it MUST NOT return the > attribute value and MUST NOT set the attribute bit in the result > bitmap. The server MUST return an error if it supports an > attribute on the target but cannot obtain its value. In that case, > no attribute values will be returned.  Further, RFC 9754 Section 5 states:  > These new attributes are invalid to be used with GETATTR, VERIFY, > and NVERIFY, and they can only be used with CB_GETATTR and SETATTR > by a client holding an appropriate delegation.  Thus there does not appear to be a specific server response mandated by specification. Taking the guidance that querying these attributes via GETATTR is \"invalid\", NFSD will return nfserr_inval, failing the request entirely.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40084",
                        "url": "https://ubuntu.com/security/CVE-2025-40084",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: transport_ipc: validate payload size before reading handle  handle_response() dereferences the payload as a 4-byte handle without verifying that the declared payload size is at least 4 bytes. A malformed or truncated message from ksmbd.mountd can lead to a 4-byte read past the declared payload size. Validate the size before dereferencing.  This is a minimal fix to guard the initial handle read.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40222",
                        "url": "https://ubuntu.com/security/CVE-2025-40222",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: serial: sh-sci: fix RSCI FIFO overrun handling  The receive error handling code is shared between RSCI and all other SCIF port types, but the RSCI overrun_reg is specified as a memory offset, while for other SCIF types it is an enum value used to index into the sci_port_params->regs array, as mentioned above the sci_serial_in() function.  For RSCI, the overrun_reg is CSR (0x48), causing the sci_getreg() call inside the sci_handle_fifo_overrun() function to index outside the bounds of the regs array, which currently has a size of 20, as specified by SCI_NR_REGS.  Because of this, we end up accessing memory outside of RSCI's rsci_port_params structure, which, when interpreted as a plat_sci_reg, happens to have a non-zero size, causing the following WARN when sci_serial_in() is called, as the accidental size does not match the supported register sizes.  The existence of the overrun_reg needs to be checked because SCIx_SH3_SCIF_REGTYPE has overrun_reg set to SCLSR, but SCLSR is not present in the regs array.  Avoid calling sci_getreg() for port types which don't use standard register handling.  Use the ops->read_reg() and ops->write_reg() functions to properly read and write registers for RSCI, and change the type of the status variable to accommodate the 32-bit CSR register.  sci_getreg() and sci_serial_in() are also called with overrun_reg in the sci_mpxed_interrupt() interrupt handler, but that code path is not used for RSCI, as it does not have a muxed interrupt.  
------------[ cut here ]------------ Invalid register access WARNING: CPU: 0 PID: 0 at drivers/tty/serial/sh-sci.c:522 sci_serial_in+0x38/0xac Modules linked in: renesas_usbhs at24 rzt2h_adc industrialio_adc sha256 cfg80211 bluetooth ecdh_generic ecc rfkill fuse drm backlight ipv6 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.17.0-rc1+ #30 PREEMPT Hardware name: Renesas RZ/T2H EVK Board based on r9a09g077m44 (DT) pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : sci_serial_in+0x38/0xac lr : sci_serial_in+0x38/0xac sp : ffff800080003e80 x29: ffff800080003e80 x28: ffff800082195b80 x27: 000000000000000d x26: ffff8000821956d0 x25: 0000000000000000 x24: ffff800082195b80 x23: ffff000180e0d800 x22: 0000000000000010 x21: 0000000000000000 x20: 0000000000000010 x19: ffff000180e72000 x18: 000000000000000a x17: ffff8002bcee7000 x16: ffff800080000000 x15: 0720072007200720 x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720 x11: 0000000000000058 x10: 0000000000000018 x9 : ffff8000821a6a48 x8 : 0000000000057fa8 x7 : 0000000000000406 x6 : ffff8000821fea48 x5 : ffff00033ef88408 x4 : ffff8002bcee7000 x3 : ffff800082195b80 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff800082195b80 Call trace:  sci_serial_in+0x38/0xac (P)  sci_handle_fifo_overrun.isra.0+0x70/0x134  sci_er_interrupt+0x50/0x39c  __handle_irq_event_percpu+0x48/0x140  handle_irq_event+0x44/0xb0  handle_fasteoi_irq+0xf4/0x1a0  handle_irq_desc+0x34/0x58  generic_handle_domain_irq+0x1c/0x28  gic_handle_irq+0x4c/0x140  call_on_irq_stack+0x30/0x48  do_interrupt_handler+0x80/0x84  el1_interrupt+0x34/0x68  el1h_64_irq_handler+0x18/0x24  el1h_64_irq+0x6c/0x70  default_idle_call+0x28/0x58 (P)  do_idle+0x1f8/0x250  cpu_startup_entry+0x34/0x3c  rest_init+0xd8/0xe0  console_on_rootfs+0x0/0x6c  __primary_switched+0x88/0x90 ---[ end trace 0000000000000000 ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40223",
                        "url": "https://ubuntu.com/security/CVE-2025-40223",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  most: usb: Fix use-after-free in hdm_disconnect  hdm_disconnect() calls most_deregister_interface(), which eventually unregisters the MOST interface device with device_unregister(iface->dev). If that drops the last reference, the device core may call release_mdev() immediately while hdm_disconnect() is still executing.  The old code also freed several mdev-owned allocations in hdm_disconnect() and then performed additional put_device() calls. Depending on refcount order, this could lead to use-after-free or double-free when release_mdev() ran (or when unregister paths also performed puts).  Fix by moving the frees of mdev-owned allocations into release_mdev(), so they happen exactly once when the device is truly released, and by dropping the extra put_device() calls in hdm_disconnect() that are redundant after device_unregister() and most_deregister_interface().  This addresses the KASAN slab-use-after-free reported by syzbot in hdm_disconnect(). See report and stack traces in the bug link below.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40106",
                        "url": "https://ubuntu.com/security/CVE-2025-40106",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  comedi: fix divide-by-zero in comedi_buf_munge()  The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path.  Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging.  This prevents potential kernel panics from malformed user commands.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-31 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40224",
                        "url": "https://ubuntu.com/security/CVE-2025-40224",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hwmon: (cgbc-hwmon) Add missing NULL check after devm_kzalloc()  The driver allocates memory for sensor data using devm_kzalloc(), but did not check if the allocation succeeded. In case of memory allocation failure, dereferencing the NULL pointer would lead to a kernel crash.  Add a NULL pointer check and return -ENOMEM to handle allocation failure properly.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40225",
                        "url": "https://ubuntu.com/security/CVE-2025-40225",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/panthor: Fix kernel panic on partial unmap of a GPU VA region  This commit address a kernel panic issue that can happen if Userspace tries to partially unmap a GPU virtual region (aka drm_gpuva). The VM_BIND interface allows partial unmapping of a BO.  Panthor driver pre-allocates memory for the new drm_gpuva structures that would be needed for the map/unmap operation, done using drm_gpuvm layer. It expected that only one new drm_gpuva would be needed on umap but a partial unmap can require 2 new drm_gpuva and that's why it ended up doing a NULL pointer dereference causing a kernel panic.  Following dump was seen when partial unmap was exercised.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078  Mem abort info:    ESR = 0x0000000096000046    EC = 0x25: DABT (current EL), IL = 32 bits    SET = 0, FnV = 0    EA = 0, S1PTW = 0    FSC = 0x06: level 2 translation fault  Data abort info:    ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000    CM = 0, WnR = 1, TnD = 0, TagAccess = 0    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0  user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000  [000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000  Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP  <snip>  pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)  pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]  lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor]  sp : ffff800085d43970  x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000  x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000  x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180  x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010  x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c  x14: 312d3d7361203a70 x13: 303030323d6e656c x12: 
ffff80008324bf58  x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c  x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7  x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001  x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078  Call trace:   panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]   op_remap_cb.isra.22+0x50/0x80   __drm_gpuvm_sm_unmap+0x10c/0x1c8   drm_gpuvm_sm_unmap+0x40/0x60   panthor_vm_exec_op+0xb4/0x3d0 [panthor]   panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor]   panthor_ioctl_vm_bind+0x160/0x4a0 [panthor]   drm_ioctl_kernel+0xbc/0x138   drm_ioctl+0x240/0x500   __arm64_sys_ioctl+0xb0/0xf8   invoke_syscall+0x4c/0x110   el0_svc_common.constprop.1+0x98/0xf8   do_el0_svc+0x24/0x38   el0_svc+0x40/0xf8   el0t_64_sync_handler+0xa0/0xc8   el0t_64_sync+0x174/0x178",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40226",
                        "url": "https://ubuntu.com/security/CVE-2025-40226",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  firmware: arm_scmi: Account for failed debug initialization  When the SCMI debug subsystem fails to initialize, the related debug root will be missing, and the underlying descriptor will be NULL.  Handle this fault condition in the SCMI debug helpers that maintain metrics counters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40227",
                        "url": "https://ubuntu.com/security/CVE-2025-40227",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs: dealloc commit test ctx always  The damon_ctx for testing online DAMON parameters commit inputs is deallocated only when the test fails.  This means memory is leaked for every successful online DAMON parameters commit.  Fix the leak by always deallocating it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40228",
                        "url": "https://ubuntu.com/security/CVE-2025-40228",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs: catch commit test ctx alloc failure  Patch series \"mm/damon/sysfs: fix commit test damon_ctx [de]allocation\".  DAMON sysfs interface dynamically allocates and uses a damon_ctx object for testing if given inputs for online DAMON parameters update is valid. The object is being used without an allocation failure check, and leaked when the test succeeds.  Fix the two bugs.   This patch (of 2):  The damon_ctx for testing online DAMON parameters commit inputs is used without its allocation failure check.  This could result in an invalid memory access.  Fix it by directly returning an error when the allocation failed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40229",
                        "url": "https://ubuntu.com/security/CVE-2025-40229",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/core: fix potential memory leak by cleaning ops_filter in damon_destroy_scheme  Currently, damon_destroy_scheme() only cleans up the filter list but leaves ops_filter untouched, which could lead to memory leaks when a scheme is destroyed.  This patch ensures both filter and ops_filter are properly freed in damon_destroy_scheme(), preventing potential memory leaks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40230",
                        "url": "https://ubuntu.com/security/CVE-2025-40230",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm: prevent poison consumption when splitting THP  When performing memory error injection on a THP (Transparent Huge Page) mapped to userspace on an x86 server, the kernel panics with the following trace.  The expected behavior is to terminate the affected process instead of panicking the kernel, as the x86 Machine Check code can recover from an in-userspace #MC.    mce: [Hardware Error]: CPU 0: Machine Check Exception: f Bank 3: bd80000000070134   mce: [Hardware Error]: RIP 10:<ffffffff8372f8bc> {memchr_inv+0x4c/0xf0}   mce: [Hardware Error]: TSC afff7bbff88a ADDR 1d301b000 MISC 80 PPIN 1e741e77539027db   mce: [Hardware Error]: PROCESSOR 0:d06d0 TIME 1758093249 SOCKET 0 APIC 0 microcode 80000320   mce: [Hardware Error]: Run the above through 'mcelog --ascii'   mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel   Kernel panic - not syncing: Fatal local machine check  The root cause of this panic is that handling a memory failure triggered by an in-userspace #MC necessitates splitting the THP.  The splitting process employs a mechanism, implemented in try_to_map_unused_to_zeropage(), which reads the pages in the THP to identify zero-filled pages.  However, reading the pages in the THP results in a second in-kernel #MC, occurring before the initial memory_failure() completes, ultimately leading to a kernel panic.  See the kernel panic call trace on the two #MCs.    
First Machine Check occurs // [1]     memory_failure()         // [2]       try_to_split_thp_page()         split_huge_page()           split_huge_page_to_list_to_order()             __folio_split()  // [3]               remap_page()                 remove_migration_ptes()                   remove_migration_pte()                     try_to_map_unused_to_zeropage()  // [4]                       memchr_inv()                   // [5]                         Second Machine Check occurs  // [6]                           Kernel panic  [1] Triggered by accessing a hardware-poisoned THP in userspace, which is     typically recoverable by terminating the affected process.  [2] Call folio_set_has_hwpoisoned() before try_to_split_thp_page().  [3] Pass the RMP_USE_SHARED_ZEROPAGE remap flag to remap_page().  [4] Try to map the unused THP to zeropage.  [5] Re-access pages in the hw-poisoned THP in the kernel.  [6] Triggered in-kernel, leading to a panic kernel.  In Step[2], memory_failure() sets the poisoned flag on the page in the THP by TestSetPageHWPoison() before calling try_to_split_thp_page().  As suggested by David Hildenbrand, fix this panic by not accessing to the poisoned page in the THP during zeropage identification, while continuing to scan unaffected pages in the THP for possible zeropage mapping.  This prevents a second in-kernel #MC that would cause kernel panic in Step[4].  Thanks to Andrew Zaborowski for his initial work on fixing this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40231",
                        "url": "https://ubuntu.com/security/CVE-2025-40231",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix lock inversion in vsock_assign_transport()  Syzbot reported a potential lock inversion deadlock between vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.  The issue was introduced by commit 687aa0c5581b (\"vsock: Fix transport_* TOCTOU\") which added vsock_register_mutex locking in vsock_assign_transport() around the transport->release() call, that can call vsock_linger(). vsock_assign_transport() can be called with sk_lock held. vsock_linger() calls sk_wait_event() that temporarily releases and re-acquires sk_lock. During this window, if another thread holds vsock_register_mutex while trying to acquire sk_lock, a circular dependency is created.  Fix this by releasing vsock_register_mutex before calling transport->release() and vsock_deassign_transport(). This is safe because we don't need to hold vsock_register_mutex while releasing the old transport, and we ensure the new transport won't disappear by obtaining a module reference first via try_module_get().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40233",
                        "url": "https://ubuntu.com/security/CVE-2025-40233",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ocfs2: clear extent cache after moving/defragmenting extents  The extent map cache can become stale when extents are moved or defragmented, causing subsequent operations to see outdated extent flags. This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().  The problem occurs when: 1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED 2. ioctl(FITRIM) triggers ocfs2_move_extents() 3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2) 4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent()    which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0) 5. The extent map cache is not invalidated after the move 6. Later write() operations read stale cached flags (0x2) but disk has    updated flags (0x0), causing a mismatch 7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers  Fix by clearing the extent map cache after each extent move/defrag operation in __ocfs2_move_extents_range().  This ensures subsequent operations read fresh extent data from disk.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40235",
                        "url": "https://ubuntu.com/security/CVE-2025-40235",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots()  If fs_info->super_copy or fs_info->super_for_commit allocated failed in btrfs_get_tree_subvol(), then no need to call btrfs_free_fs_info(). Otherwise btrfs_check_leaked_roots() would access NULL pointer because fs_info->allocated_roots had not been initialised.  syzkaller reported the following information:   ------------[ cut here ]------------   BUG: unable to handle page fault for address: fffffffffffffbb0   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   PGD 64c9067 P4D 64c9067 PUD 64cb067 PMD 0   Oops: Oops: 0000 [#1] SMP KASAN PTI   CPU: 0 UID: 0 PID: 1402 Comm: syz.1.35 Not tainted 6.15.8 #4 PREEMPT(lazy)   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...)   RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]   RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]   RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]   RIP: 0010:refcount_read include/linux/refcount.h:170 [inline]   RIP: 0010:btrfs_check_leaked_roots+0x18f/0x2c0 fs/btrfs/disk-io.c:1230   [...]   
Call Trace:    <TASK>    btrfs_free_fs_info+0x310/0x410 fs/btrfs/disk-io.c:1280    btrfs_get_tree_subvol+0x592/0x6b0 fs/btrfs/super.c:2029    btrfs_get_tree+0x63/0x80 fs/btrfs/super.c:2097    vfs_get_tree+0x98/0x320 fs/super.c:1759    do_new_mount+0x357/0x660 fs/namespace.c:3899    path_mount+0x716/0x19c0 fs/namespace.c:4226    do_mount fs/namespace.c:4239 [inline]    __do_sys_mount fs/namespace.c:4450 [inline]    __se_sys_mount fs/namespace.c:4427 [inline]    __x64_sys_mount+0x28c/0x310 fs/namespace.c:4427    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0x92/0x180 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x76/0x7e   RIP: 0033:0x7f032eaffa8d   [...]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40236",
                        "url": "https://ubuntu.com/security/CVE-2025-40236",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: zero unused hash fields  When GSO tunnel is negotiated virtio_net_hdr_tnl_from_skb() tries to initialize the tunnel metadata but forgets to zero unused rxhash fields. This may leak information to the other side. Fix this by zeroing the unused hash fields.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40237",
                        "url": "https://ubuntu.com/security/CVE-2025-40237",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/notify: call exportfs_encode_fid with s_umount  Calling intotify_show_fdinfo() on fd watching an overlayfs inode, while the overlayfs is being unmounted, can lead to dereferencing NULL ptr.  This issue was found by syzkaller.  Race Condition Diagram:  Thread 1                           Thread 2 --------                           --------  generic_shutdown_super()  shrink_dcache_for_umount   sb->s_root = NULL                      |                     |             vfs_read()                     |              inotify_fdinfo()                     |               * inode get from mark *                     |               show_mark_fhandle(m, inode)                     |                exportfs_encode_fid(inode, ..)                     |                 ovl_encode_fh(inode, ..)                     |                  ovl_check_encode_origin(inode)                     |                   * deref i_sb->s_root *                     |                     |                     v  fsnotify_sb_delete(sb)  Which then leads to:  [   32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [   32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [   32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none)  <snip registers, unreliable trace>  [   32.143353] Call Trace: [   32.143732]  ovl_encode_fh+0xd5/0x170 [   32.144031]  exportfs_encode_inode_fh+0x12f/0x300 [   32.144425]  show_mark_fhandle+0xbe/0x1f0 [   32.145805]  inotify_fdinfo+0x226/0x2d0 [   32.146442]  inotify_show_fdinfo+0x1c5/0x350 [   32.147168]  seq_show+0x530/0x6f0 [   32.147449]  seq_read_iter+0x503/0x12a0 [   32.148419]  seq_read+0x31f/0x410 [   32.150714]  vfs_read+0x1f0/0x9e0 [   32.152297]  ksys_read+0x125/0x240  IOW ovl_check_encode_origin 
derefs inode->i_sb->s_root, after it was set to NULL in the unmount path.  Fix it by protecting calling exportfs_encode_fid() from show_mark_fhandle() with s_umount lock.  This form of fix was suggested by Amir in [1].  [1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40238",
                        "url": "https://ubuntu.com/security/CVE-2025-40238",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5: Fix IPsec cleanup over MPV device  When we do mlx5e_detach_netdev() we eventually disable blocking events notifier, among those events are IPsec MPV events from IB to core.  So before disabling those blocking events, make sure to also unregister the devcom device and mark all this device operations as complete, in order to prevent the other device from using invalid netdev during future devcom events which could cause the trace below.  BUG: kernel NULL pointer dereference, address: 0000000000000010 PGD 146427067 P4D 146427067 PUD 146488067 PMD 0 Oops: Oops: 0000 [#1] SMP CPU: 1 UID: 0 PID: 7735 Comm: devlink Tainted: GW 6.12.0-rc6_for_upstream_min_debug_2024_11_08_00_46 #1 Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core] Code: 00 01 48 83 05 23 32 1e 00 01 41 b8 ed ff ff ff e9 60 ff ff ff 48 83 05 00 32 1e 00 01 eb e3 66 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 47 10 48 83 05 5f 32 1e 00 01 48 8b 50 40 48 85 d2 74 05 40 RSP: 0018:ffff88811a5c35f8 EFLAGS: 00010206 RAX: ffff888106e8ab80 RBX: ffff888107d7e200 RCX: ffff88810d6f0a00 RDX: ffff88810d6f0a00 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff88811a17e620 R08: 0000000000000040 R09: 0000000000000000 R10: ffff88811a5c3618 R11: 0000000de85d51bd R12: ffff88811a17e600 R13: ffff88810d6f0a00 R14: 0000000000000000 R15: ffff8881034bda80 FS:  00007f27bdf89180(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000010f159005 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  <TASK>  ? __die+0x20/0x60  ? page_fault_oops+0x150/0x3e0  ? exc_page_fault+0x74/0x130  ? 
asm_exc_page_fault+0x22/0x30  ? mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core]  mlx5e_devcom_event_mpv+0x42/0x60 [mlx5_core]  mlx5_devcom_send_event+0x8c/0x170 [mlx5_core]  blocking_event+0x17b/0x230 [mlx5_core]  notifier_call_chain+0x35/0xa0  blocking_notifier_call_chain+0x3d/0x60  mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]  mlx5_core_mp_event_replay+0x12/0x20 [mlx5_core]  mlx5_ib_bind_slave_port+0x228/0x2c0 [mlx5_ib]  mlx5_ib_stage_init_init+0x664/0x9d0 [mlx5_ib]  ? idr_alloc_cyclic+0x50/0xb0  ? __kmalloc_cache_noprof+0x167/0x340  ? __kmalloc_noprof+0x1a7/0x430  __mlx5_ib_add+0x34/0xd0 [mlx5_ib]  mlx5r_probe+0xe9/0x310 [mlx5_ib]  ? kernfs_add_one+0x107/0x150  ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib]  auxiliary_bus_probe+0x3e/0x90  really_probe+0xc5/0x3a0  ? driver_probe_device+0x90/0x90  __driver_probe_device+0x80/0x160  driver_probe_device+0x1e/0x90  __device_attach_driver+0x7d/0x100  bus_for_each_drv+0x80/0xd0  __device_attach+0xbc/0x1f0  bus_probe_device+0x86/0xa0  device_add+0x62d/0x830  __auxiliary_device_add+0x3b/0xa0  ? auxiliary_device_init+0x41/0x90  add_adev+0xd1/0x150 [mlx5_core]  mlx5_rescan_drivers_locked+0x21c/0x300 [mlx5_core]  esw_mode_change+0x6c/0xc0 [mlx5_core]  mlx5_devlink_eswitch_mode_set+0x21e/0x640 [mlx5_core]  devlink_nl_eswitch_set_doit+0x60/0xe0  genl_family_rcv_msg_doit+0xd0/0x120  genl_rcv_msg+0x180/0x2b0  ? devlink_get_from_attrs_lock+0x170/0x170  ? devlink_nl_eswitch_get_doit+0x290/0x290  ? devlink_nl_pre_doit_port_optional+0x50/0x50  ? genl_family_rcv_msg_dumpit+0xf0/0xf0  netlink_rcv_skb+0x54/0x100  genl_rcv+0x24/0x40  netlink_unicast+0x1fc/0x2d0  netlink_sendmsg+0x1e4/0x410  __sock_sendmsg+0x38/0x60  ? sockfd_lookup_light+0x12/0x60  __sys_sendto+0x105/0x160  ? 
__sys_recvmsg+0x4e/0x90  __x64_sys_sendto+0x20/0x30  do_syscall_64+0x4c/0x100  entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f27bc91b13a Code: bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 fa 96 2c 00 45 89 c9 4c 63 d1 48 63 ff 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40239",
                        "url": "https://ubuntu.com/security/CVE-2025-40239",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: phy: micrel: always set shared->phydev for LAN8814  Currently, during the LAN8814 PTP probe shared->phydev is only set if PTP clock gets actually set, otherwise the function will return before setting it.  This is an issue as shared->phydev is unconditionally being used when IRQ is being handled, especially in lan8814_gpio_process_cap and since it was not set it will cause a NULL pointer exception and crash the kernel.  So, simply always set shared->phydev to avoid the NULL pointer exception.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40240",
                        "url": "https://ubuntu.com/security/CVE-2025-40240",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: avoid NULL dereference when chunk data buffer is missing  chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only.  chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40241",
                        "url": "https://ubuntu.com/security/CVE-2025-40241",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: fix crafted invalid cases for encoded extents  Robert recently reported two corrupted images that can cause system crashes, which are related to the new encoded extents introduced in Linux 6.15:    - The first one [1] has plen != 0 (e.g. plen == 0x2000000) but     (plen & Z_EROFS_EXTENT_PLEN_MASK) == 0. It is used to represent     special extents such as sparse extents (!EROFS_MAP_MAPPED), but     previously only plen == 0 was handled;    - The second one [2] has pa 0xffffffffffdcffed and plen 0xb4000,     then \"cur [0xfffffffffffff000] += bvec.bv_len [0x1000]\" in     \"} while ((cur += bvec.bv_len) < end);\" wraps around, causing an     out-of-bound access of pcl->compressed_bvecs[] in     z_erofs_submit_queue().  EROFS only supports 48-bit physical block     addresses (up to 1EiB for 4k blocks), so add a sanity check to     enforce this.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40242",
                        "url": "https://ubuntu.com/security/CVE-2025-40242",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gfs2: Fix unlikely race in gdlm_put_lock  In gdlm_put_lock(), there is a small window of time in which the DFL_UNMOUNT flag has been set but the lockspace hasn't been released, yet.  In that window, dlm may still call gdlm_ast() and gdlm_bast(). To prevent it from dereferencing freed glock objects, only free the glock if the lockspace has actually been released.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40243",
                        "url": "https://ubuntu.com/security/CVE-2025-40243",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()  The syzbot reported issue in hfs_find_set_zero_bits():  ===================================================== BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45  hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45  hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151  hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408  hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353  __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151  block_write_begin fs/buffer.c:2262 [inline]  cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601  hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52  cont_expand_zero fs/buffer.c:2528 [inline]  cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591  hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52  hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494  hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654  notify_change+0x1993/0x1aa0 fs/attr.c:552  do_truncate+0x28f/0x310 fs/open.c:68  do_ftruncate+0x698/0x730 fs/open.c:195  do_sys_ftruncate fs/open.c:210 [inline]  __do_sys_ftruncate fs/open.c:215 [inline]  __se_sys_ftruncate fs/open.c:213 [inline]  __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213  x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Uninit was created at:  slab_post_alloc_hook mm/slub.c:4154 [inline]  slab_alloc_node mm/slub.c:4197 [inline]  __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354  kmalloc_noprof include/linux/slab.h:905 [inline]  hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175  hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337  get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681  get_tree_bdev+0x38/0x50 fs/super.c:1704  hfs_get_tree+0x35/0x40 fs/hfs/super.c:388  vfs_get_tree+0xb0/0x5c0 
fs/super.c:1804  do_new_mount+0x738/0x1610 fs/namespace.c:3902  path_mount+0x6db/0x1e90 fs/namespace.c:4226  do_mount fs/namespace.c:4239 [inline]  __do_sys_mount fs/namespace.c:4450 [inline]  __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427  __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427  x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 =====================================================  The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get():  HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);  Finally, it can trigger the reported issue because kmalloc() doesn't clear the allocated memory. If allocated memory contains only zeros, then everything will work pretty fine. But if the allocated memory contains the \"garbage\", then it can affect the bitmap operations and it triggers the reported issue.  This patch simply exchanges the kmalloc() on kzalloc() with the goal to guarantee the correctness of bitmap operations. Because, newly created allocation bitmap should have all available blocks free. Potentially, initialization bitmap's read operation could not fill the whole allocated memory and \"garbage\" in the not initialized memory will be the reason of volume coruptions and file system driver bugs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40244",
                        "url": "https://ubuntu.com/security/CVE-2025-40244",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()  The syzbot reported issue in __hfsplus_ext_cache_extent():  [   70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.195022][ T9350]  __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.195530][ T9350]  hfsplus_file_extend+0x74f/0x1cf0 [   70.195998][ T9350]  hfsplus_get_block+0xe16/0x17b0 [   70.196458][ T9350]  __block_write_begin_int+0x962/0x2ce0 [   70.196959][ T9350]  cont_write_begin+0x1000/0x1950 [   70.197416][ T9350]  hfsplus_write_begin+0x85/0x130 [   70.197873][ T9350]  generic_perform_write+0x3e8/0x1060 [   70.198374][ T9350]  __generic_file_write_iter+0x215/0x460 [   70.198892][ T9350]  generic_file_write_iter+0x109/0x5e0 [   70.199393][ T9350]  vfs_write+0xb0f/0x14e0 [   70.199771][ T9350]  ksys_write+0x23e/0x490 [   70.200149][ T9350]  __x64_sys_write+0x97/0xf0 [   70.200570][ T9350]  x64_sys_call+0x3015/0x3cf0 [   70.201065][ T9350]  do_syscall_64+0xd9/0x1d0 [   70.201506][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [   70.202054][ T9350] [   70.202279][ T9350] Uninit was created at: [   70.202693][ T9350]  __kmalloc_noprof+0x621/0xf80 [   70.203149][ T9350]  hfsplus_find_init+0x8d/0x1d0 [   70.203602][ T9350]  hfsplus_file_extend+0x6ca/0x1cf0 [   70.204087][ T9350]  hfsplus_get_block+0xe16/0x17b0 [   70.204561][ T9350]  __block_write_begin_int+0x962/0x2ce0 [   70.205074][ T9350]  cont_write_begin+0x1000/0x1950 [   70.205547][ T9350]  hfsplus_write_begin+0x85/0x130 [   70.206017][ T9350]  generic_perform_write+0x3e8/0x1060 [   70.206519][ T9350]  __generic_file_write_iter+0x215/0x460 [   70.207042][ T9350]  generic_file_write_iter+0x109/0x5e0 [   70.207552][ T9350]  vfs_write+0xb0f/0x14e0 [   70.207961][ T9350]  ksys_write+0x23e/0x490 [   70.208375][ T9350]  __x64_sys_write+0x97/0xf0 [   70.208810][ T9350]  
x64_sys_call+0x3015/0x3cf0 [   70.209255][ T9350]  do_syscall_64+0xd9/0x1d0 [   70.209680][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [   70.210230][ T9350] [   70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5 [   70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [   70.212115][ T9350] ===================================================== [   70.212734][ T9350] Disabling lock debugging due to kernel taint [   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ... [   70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G    B             6.12.0-rc5 #5 [   70.214679][ T9350] Tainted: [B]=BAD_PAGE [   70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [   70.215999][ T9350] Call Trace: [   70.216309][ T9350]  <TASK> [   70.216585][ T9350]  dump_stack_lvl+0x1fd/0x2b0 [   70.217025][ T9350]  dump_stack+0x1e/0x30 [   70.217421][ T9350]  panic+0x502/0xca0 [   70.217803][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0  [   70.218294][ Message fromT sy9350]  kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...  kernel :[   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [  70.220179][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0 set ... [   70.221254][ T9350]  ? __msan_warning+0x96/0x120 [   70.222066][ T9350]  ? __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.223023][ T9350]  ? hfsplus_file_extend+0x74f/0x1cf0 [   70.224120][ T9350]  ? hfsplus_get_block+0xe16/0x17b0 [   70.224946][ T9350]  ? __block_write_begin_int+0x962/0x2ce0 [   70.225756][ T9350]  ? cont_write_begin+0x1000/0x1950 [   70.226337][ T9350]  ? hfsplus_write_begin+0x85/0x130 [   70.226852][ T9350]  ? generic_perform_write+0x3e8/0x1060 [   70.227405][ T9350]  ? __generic_file_write_iter+0x215/0x460 [   70.227979][ T9350]  ? generic_file_write_iter+0x109/0x5e0 [   70.228540][ T9350]  ? 
vfs_write+0xb0f/0x14e0 [   70.228997][ T9350]  ? ksys_write+0x23e/0x490 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40245",
                        "url": "https://ubuntu.com/security/CVE-2025-40245",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nios2: ensure that memblock.current_limit is set when setting pfn limits  On nios2, with CONFIG_FLATMEM set, the kernel relies on memblock_get_current_limit() to determine the limits of mem_map, in particular for max_low_pfn. Unfortunately, memblock.current_limit is only default initialized to MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading to situations where max_low_pfn can erroneously exceed the value of max_pfn and, thus, the valid range of available DRAM.  This can in turn cause kernel-level paging failures, e.g.:  [   76.900000] Unable to handle kernel paging request at virtual address 20303000 [   76.900000] ea = c0080890, ra = c000462c, cause = 14 [   76.900000] Kernel panic - not syncing: Oops [   76.900000] ---[ end Kernel panic - not syncing: Oops ]---  This patch fixes this by pre-calculating memblock.current_limit based on the upper limits of the available memory ranges via adjust_lowmem_bounds, a simplified version of the equivalent implementation within the arm architecture.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40086",
                        "url": "https://ubuntu.com/security/CVE-2025-40086",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Don't allow evicting of BOs in same VM in array of VM binds  An array of VM binds can potentially evict other buffer objects (BOs) within the same VM under certain conditions, which may lead to NULL pointer dereferences later in the bind pipeline. To prevent this, clear the allow_res_evict flag in the xe_bo_validate call.  v2:  - Invert polarity of no_res_evict (Thomas)  - Add comment in code explaining issue (Thomas)  (cherry picked from commit 8b9ba8d6d95fe75fed6b0480bb03da4b321bea08)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40087",
                        "url": "https://ubuntu.com/security/CVE-2025-40087",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define a proc_layoutcommit for the FlexFiles layout type  Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40088",
                        "url": "https://ubuntu.com/security/CVE-2025-40088",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()  The hfsplus_strcasecmp() logic can trigger the issue:  [  117.317703][ T9855] ================================================================== [  117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490 [  117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855 [  117.319577][ T9855] [  117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full) [  117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [  117.319783][ T9855] Call Trace: [  117.319785][ T9855]  <TASK> [  117.319788][ T9855]  dump_stack_lvl+0x1c1/0x2a0 [  117.319795][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319803][ T9855]  ? __pfx_dump_stack_lvl+0x10/0x10 [  117.319808][ T9855]  ? rcu_is_watching+0x15/0xb0 [  117.319816][ T9855]  ? lock_release+0x4b/0x3e0 [  117.319821][ T9855]  ? __kasan_check_byte+0x12/0x40 [  117.319828][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319835][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319842][ T9855]  print_report+0x17e/0x7e0 [  117.319848][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319855][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319862][ T9855]  ? __phys_addr+0xd3/0x180 [  117.319869][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319876][ T9855]  kasan_report+0x147/0x180 [  117.319882][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319891][ T9855]  hfsplus_strcasecmp+0x1bc/0x490 [  117.319900][ T9855]  ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10 [  117.319906][ T9855]  hfs_find_rec_by_key+0xa9/0x1e0 [  117.319913][ T9855]  __hfsplus_brec_find+0x18e/0x470 [  117.319920][ T9855]  ? __pfx_hfsplus_bnode_find+0x10/0x10 [  117.319926][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319933][ T9855]  ? 
__pfx___hfsplus_brec_find+0x10/0x10 [  117.319942][ T9855]  hfsplus_brec_find+0x28f/0x510 [  117.319949][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319956][ T9855]  ? __pfx_hfsplus_brec_find+0x10/0x10 [  117.319963][ T9855]  ? __kmalloc_noprof+0x2a9/0x510 [  117.319969][ T9855]  ? hfsplus_find_init+0x8c/0x1d0 [  117.319976][ T9855]  hfsplus_brec_read+0x2b/0x120 [  117.319983][ T9855]  hfsplus_lookup+0x2aa/0x890 [  117.319990][ T9855]  ? __pfx_hfsplus_lookup+0x10/0x10 [  117.320003][ T9855]  ? d_alloc_parallel+0x2f0/0x15e0 [  117.320008][ T9855]  ? __lock_acquire+0xaec/0xd80 [  117.320013][ T9855]  ? __pfx_d_alloc_parallel+0x10/0x10 [  117.320019][ T9855]  ? __raw_spin_lock_init+0x45/0x100 [  117.320026][ T9855]  ? __init_waitqueue_head+0xa9/0x150 [  117.320034][ T9855]  __lookup_slow+0x297/0x3d0 [  117.320039][ T9855]  ? __pfx___lookup_slow+0x10/0x10 [  117.320045][ T9855]  ? down_read+0x1ad/0x2e0 [  117.320055][ T9855]  lookup_slow+0x53/0x70 [  117.320065][ T9855]  walk_component+0x2f0/0x430 [  117.320073][ T9855]  path_lookupat+0x169/0x440 [  117.320081][ T9855]  filename_lookup+0x212/0x590 [  117.320089][ T9855]  ? __pfx_filename_lookup+0x10/0x10 [  117.320098][ T9855]  ? strncpy_from_user+0x150/0x290 [  117.320105][ T9855]  ? getname_flags+0x1e5/0x540 [  117.320112][ T9855]  user_path_at+0x3a/0x60 [  117.320117][ T9855]  __x64_sys_umount+0xee/0x160 [  117.320123][ T9855]  ? __pfx___x64_sys_umount+0x10/0x10 [  117.320129][ T9855]  ? do_syscall_64+0xb7/0x3a0 [  117.320135][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320141][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320145][ T9855]  do_syscall_64+0xf3/0x3a0 [  117.320150][ T9855]  ? 
exc_page_fault+0x9f/0xf0 [  117.320154][ T9855]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320158][ T9855] RIP: 0033:0x7f7dd7908b07 [  117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08 [  117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 ---truncated---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40162",
                        "url": "https://ubuntu.com/security/CVE-2025-40162",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails  devm_kasprintf() may return NULL on memory allocation failure, but the debug message prints cpus->dai_name before checking it. Move the dev_dbg() call after the NULL check to prevent potential NULL pointer dereference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40085",
                        "url": "https://ubuntu.com/security/CVE-2025-40085",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card  In try_to_register_card(), the return value of usb_ifnum_to_if() is passed directly to usb_interface_claimed() without a NULL check, which will lead to a NULL pointer dereference when creating an invalid USB audio device. Fix this by adding a check to ensure the interface pointer is valid before passing it to usb_interface_claimed().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-29 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40172",
                        "url": "https://ubuntu.com/security/CVE-2025-40172",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()  Currently, if find_and_map_user_pages() takes a DMA xfer request from the user with a length field set to 0, or in a rare case, the host receives QAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size is equal to the requested transaction size, the function will return 0 before allocating an sgt or setting the fields of the dma_xfer struct. In that case, encode_addr_size_pairs() will try to access the sgt which will lead to a general protection fault.  Return an EINVAL in case the user provides a zero-sized ALP, or the device requests continuation after all of the bytes have been transferred.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40177",
                        "url": "https://ubuntu.com/security/CVE-2025-40177",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/qaic: Fix bootlog initialization ordering  As soon as we queue MHI buffers to receive the bootlog from the device, we could be receiving data. Therefore all the resources needed to process that data need to be setup prior to queuing the buffers.  We currently initialize some of the resources after queuing the buffers which creates a race between the probe() and any data that comes back from the device. If the uninitialized resources are accessed, we could see page faults.  Fix the init ordering to close the race.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40163",
                        "url": "https://ubuntu.com/security/CVE-2025-40163",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched/deadline: Stop dl_server before CPU goes offline  IBM CI tool reported kernel warning[1] when running a CPU removal operation through drmgr[2]. i.e \"drmgr -c cpu -r -q 1\"  WARNING: CPU: 0 PID: 0 at kernel/sched/cpudeadline.c:219 cpudl_set+0x58/0x170 NIP [c0000000002b6ed8] cpudl_set+0x58/0x170 LR [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 Call Trace: [c000000002c2f8c0] init_stack+0x78c0/0x8000 (unreliable) [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 [c00000000034df84] __hrtimer_run_queues+0x1a4/0x390 [c00000000034f624] hrtimer_interrupt+0x124/0x300 [c00000000002a230] timer_interrupt+0x140/0x320  Git bisects to: commit 4ae8d9aa9f9d (\"sched/deadline: Fix dl_server getting stuck\")  This happens since: - dl_server hrtimer gets enqueued close to cpu offline, when   kthread_park enqueues a fair task. - CPU goes offline and drmgr removes it from cpu_present_mask. - hrtimer fires and warning is hit.  Fix it by stopping the dl_server before CPU is marked dead.  [1]: https://lore.kernel.org/all/8218e149-7718-4432-9312-f97297c352b9@linux.ibm.com/ [2]: https://github.com/ibm-power-utilities/powerpc-utils/tree/next/src/drmgr  [sshegde: wrote the changelog and tested it]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40174",
                        "url": "https://ubuntu.com/security/CVE-2025-40174",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/mm: Fix SMP ordering in switch_mm_irqs_off()  Stephen noted that it is possible to not have an smp_mb() between the loaded_mm store and the tlb_gen load in switch_mm(), meaning the ordering against flush_tlb_mm_range() goes out the window, and it becomes possible for switch_mm() to not observe a recent tlb_gen update and fail to flush the TLBs.  [ dhansen: merge conflict fixed by Ingo ]",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40089",
                        "url": "https://ubuntu.com/security/CVE-2025-40089",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cxl/features: Add check for no entries in cxl_feature_info  cxl EDAC calls cxl_feature_info() to get the feature information and if the hardware has no Features support, cxlfs may be passed in as NULL.  [   51.957498] BUG: kernel NULL pointer dereference, address: 0000000000000008 [   51.965571] #PF: supervisor read access in kernel mode [   51.971559] #PF: error_code(0x0000) - not-present page [   51.977542] PGD 17e4f6067 P4D 0 [   51.981384] Oops: Oops: 0000 [#1] SMP NOPTI [   51.986300] CPU: 49 UID: 0 PID: 3782 Comm: systemd-udevd Not tainted 6.17.0dj test+ #64 PREEMPT(voluntary) [   51.997355] Hardware name: <removed> [   52.009790] RIP: 0010:cxl_feature_info+0xa/0x80 [cxl_core]  Add a check for cxlfs before dereferencing it and return -EOPNOTSUPP if there is no cxlfs created due to no hardware support.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40176",
                        "url": "https://ubuntu.com/security/CVE-2025-40176",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tls: wait for pending async decryptions if tls_strp_msg_hold fails  Async decryption calls tls_strp_msg_hold to create a clone of the input skb to hold references to the memory it uses. If we fail to allocate that clone, proceeding with async decryption can lead to various issues (UAF on the skb, writing into userspace memory after the recv() call has returned).  In this case, wait for all pending decryption requests.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40164",
                        "url": "https://ubuntu.com/security/CVE-2025-40164",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: Fix using smp_processor_id() in preemptible code warnings  Syzbot reported the following warning:  BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879 caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary) Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120  check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49  usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331  usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708  usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417  __dev_set_mtu net/core/dev.c:9443 [inline]  netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496  netif_set_mtu+0xb0/0x160 net/core/dev.c:9520  dev_set_mtu+0xae/0x170 net/core/dev_api.c:247  dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572  dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821  sock_do_ioctl+0x19d/0x280 net/socket.c:1204  sock_ioctl+0x42f/0x6a0 net/socket.c:1311  vfs_ioctl fs/ioctl.c:51 [inline]  __do_sys_ioctl fs/ioctl.c:906 [inline]  __se_sys_ioctl fs/ioctl.c:892 [inline]  __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  For historical and portability reasons, the netif_rx() is usually run in the softirq or interrupt context, this commit therefore add local_bh_disable/enable() protection in the usbnet_resume_rx().",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40091",
                        "url": "https://ubuntu.com/security/CVE-2025-40091",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ixgbe: fix too early devlink_free() in ixgbe_remove()  Since ixgbe_adapter is embedded in devlink, calling devlink_free() prematurely in the ixgbe_remove() path can lead to UAF. Move devlink_free() to the end.  KASAN report:   BUG: KASAN: use-after-free in ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]  Read of size 8 at addr ffff0000adf813e0 by task bash/2095  CPU: 1 UID: 0 PID: 2095 Comm: bash Tainted: G S 6.17.0-rc2-tnguy.net-queue+ #1 PREEMPT(full)  [...]  Call trace:   show_stack+0x30/0x90 (C)   dump_stack_lvl+0x9c/0xd0   print_address_description.constprop.0+0x90/0x310   print_report+0x104/0x1f0   kasan_report+0x88/0x180   __asan_report_load8_noabort+0x20/0x30   ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]   ixgbe_clear_interrupt_scheme+0xf8/0x130 [ixgbe]   ixgbe_remove+0x2d0/0x8c0 [ixgbe]   pci_device_remove+0xa0/0x220   device_remove+0xb8/0x170   device_release_driver_internal+0x318/0x490   device_driver_detach+0x40/0x68   unbind_store+0xec/0x118   drv_attr_store+0x64/0xb8   sysfs_kf_write+0xcc/0x138   kernfs_fop_write_iter+0x294/0x440   new_sync_write+0x1fc/0x588   vfs_write+0x480/0x6a0   ksys_write+0xf0/0x1e0   __arm64_sys_write+0x70/0xc0   invoke_syscall.constprop.0+0xcc/0x280   el0_svc_common.constprop.0+0xa8/0x248   do_el0_svc+0x44/0x68   el0_svc+0x54/0x160   el0t_64_sync_handler+0xa0/0xe8   el0t_64_sync+0x1b0/0x1b8",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40175",
                        "url": "https://ubuntu.com/security/CVE-2025-40175",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  idpf: cleanup remaining SKBs in PTP flows  When the driver requests Tx timestamp value, one of the first steps is to clone SKB using skb_get. It increases the reference counter for that SKB to prevent unexpected freeing by another component. However, there may be a case where the index is requested, SKB is assigned and never consumed by PTP flows - for example due to reset during running PTP apps.  Add a check in release timestamping function to verify if the SKB assigned to Tx timestamp latch was freed, and release remaining SKBs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40173",
                        "url": "https://ubuntu.com/security/CVE-2025-40173",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ip6_tunnel: Prevent perpetual tunnel growth  Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd (\"net: ip_tunnel: prevent perpetual headroom growth\"), ipv6 tunnel yet increases the headroom without any ceiling.  Reflect ipv4 tunnel headroom adjustment limit on ipv6 version.  Credits to Francesco Ruggeri, who was originally debugging this issue and wrote local Arista-specific patch and a reproducer.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40092",
                        "url": "https://ubuntu.com/security/CVE-2025-40092",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ncm: Refactor bind path to use __free()  After an bind/unbind cycle, the ncm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  ncm_bind+0x39c/0x3dc  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40093",
                        "url": "https://ubuntu.com/security/CVE-2025-40093",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ecm: Refactor bind path to use __free()  After an bind/unbind cycle, the ecm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40094",
                        "url": "https://ubuntu.com/security/CVE-2025-40094",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_acm: Refactor bind path to use __free()  After an bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  gs_free_req+0x30/0x44  acm_bind+0x1b8/0x1f4  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40095",
                        "url": "https://ubuntu.com/security/CVE-2025-40095",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_rndis: Refactor bind path to use __free()  After an bind/unbind cycle, the rndis->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40165",
                        "url": "https://ubuntu.com/security/CVE-2025-40165",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: nxp: imx8-isi: m2m: Fix streaming cleanup on release  If streamon/streamoff calls are imbalanced, such as when exiting an application with Ctrl+C when streaming, the m2m usage_count will never reach zero and the ISI channel won't be freed. Besides from that, if the input line width is more than 2K, it will trigger a WARN_ON():  [ 59.222120] ------------[ cut here ]------------ [ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654 [ 59.238569] Modules linked in: ap1302 [ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT [ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT) [ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120 [ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120 [ 59.275047] sp : ffff8000848c3b40 [ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00 [ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001 [ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780 [ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000 [ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c [ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 [ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30 [ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420 [ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000 [ 59.349590] Call trace: [ 59.352025]  mxc_isi_channel_chain+0xa4/0x120 (P) [ 59.356722]  mxc_isi_m2m_streamon+0x160/0x20c [ 59.361072]  
v4l_streamon+0x24/0x30 [ 59.364556]  __video_do_ioctl+0x40c/0x4a0 [ 59.368560]  video_usercopy+0x2bc/0x690 [ 59.372382]  video_ioctl2+0x18/0x24 [ 59.375857]  v4l2_ioctl+0x40/0x60 [ 59.379168]  __arm64_sys_ioctl+0xac/0x104 [ 59.383172]  invoke_syscall+0x48/0x104 [ 59.386916]  el0_svc_common.constprop.0+0xc0/0xe0 [ 59.391613]  do_el0_svc+0x1c/0x28 [ 59.394915]  el0_svc+0x34/0xf4 [ 59.397966]  el0t_64_sync_handler+0xa0/0xe4 [ 59.402143]  el0t_64_sync+0x198/0x19c [ 59.405801] ---[ end trace 0000000000000000 ]---  Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the v4l2_m2m_ioctl_streamon() and v4l2_m2m_ioctl_streamoff() helpers.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40096",
                        "url": "https://ubuntu.com/security/CVE-2025-40096",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies  When adding dependencies with drm_sched_job_add_dependency(), that function consumes the fence reference both on success and failure, so in the latter case the dma_fence_put() on the error path (xarray failed to expand) is a double free.  Interestingly this bug appears to have been present ever since commit ebd5f74255b9 (\"drm/sched: Add dependency tracking\"), since the code back then looked like this:  drm_sched_job_add_implicit_dependencies(): ...        for (i = 0; i < fence_count; i++) {                ret = drm_sched_job_add_dependency(job, fences[i]);                if (ret)                        break;        }         for (; i < fence_count; i++)                dma_fence_put(fences[i]);  Which means for the failing 'i' the dma_fence_put was already a double free. Possibly there were no users at that time, or the test cases were insufficient to hit it.  The bug was then only noticed and fixed after commit 9c2ba265352a (\"drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2\") landed, with its fixup of commit 4eaf02d6076c (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies\").  At that point it was a slightly different flavour of a double free, which commit 963d0b356935 (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder\") noticed and attempted to fix.  But it only moved the double free from happening inside the drm_sched_job_add_dependency(), when releasing the reference not yet obtained, to the caller, when releasing the reference already released by the former in the failure case.  As such it is not easy to identify the right target for the fixes tag so lets keep it simple and just continue the chain.  While fixing we also improve the comment and explain the reason for taking the reference and not dropping it.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40097",
                        "url": "https://ubuntu.com/security/CVE-2025-40097",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda: Fix missing pointer check in hda_component_manager_init function  The __component_match_add function may assign the 'matchptr' pointer the value ERR_PTR(-ENOMEM), which will subsequently be dereferenced.  The call stack leading to the error looks like this:  hda_component_manager_init |-> component_match_add     |-> component_match_add_release         |-> __component_match_add ( ... ,**matchptr, ... )             |-> *matchptr = ERR_PTR(-ENOMEM);       // assign |-> component_master_add_with_match( ...  match)     |-> component_match_realloc(match, match->num); // dereference  Add IS_ERR() check to prevent the crash.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40098",
                        "url": "https://ubuntu.com/security/CVE-2025-40098",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state()  Return value of a function acpi_evaluate_dsm() is dereferenced  without checking for NULL, but it is usually checked for this function.  acpi_evaluate_dsm() may return NULL, when acpi_evaluate_object() returns acpi_status other than ACPI_SUCCESS, so add a check to prevent the crash.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40099",
                        "url": "https://ubuntu.com/security/CVE-2025-40099",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cifs: parse_dfs_referrals: prevent oob on malformed input  Malicious SMB server can send invalid reply to FSCTL_DFS_GET_REFERRALS  - reply smaller than sizeof(struct get_dfs_referral_rsp) - reply with number of referrals smaller than NumberOfReferrals in the header  Processing of such replies will cause oob.  Return -EINVAL error on such replies to prevent oob-s.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40100",
                        "url": "https://ubuntu.com/security/CVE-2025-40100",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: do not assert we found block group item when creating free space tree  Currently, when building a free space tree at populate_free_space_tree(), if we are not using the block group tree feature, we always expect to find block group items (either extent items or a block group item with key type BTRFS_BLOCK_GROUP_ITEM_KEY) when we search the extent tree with btrfs_search_slot_for_read(), so we assert that we found an item. However this expectation is wrong since we can have a new block group created in the current transaction which is still empty and for which we still have not added the block group's item to the extent tree, in which case we do not have any items in the extent tree associated to the block group.  The insertion of a new block group's block group item in the extent tree happens at btrfs_create_pending_block_groups() when it calls the helper insert_block_group_item(). This typically is done when a transaction handle is released, committed or when running delayed refs (either as part of a transaction commit or when serving tickets for space reservation if we are low on free space).  So remove the assertion at populate_free_space_tree() even when the block group tree feature is not enabled and update the comment to mention this case.  Syzbot reported this with the following stack trace:    BTRFS info (device loop3 state M): rebuilding free space tree   assertion failed: ret == 0 :: 0, in fs/btrfs/free-space-tree.c:1115   ------------[ cut here ]------------   kernel BUG at fs/btrfs/free-space-tree.c:1115!   Oops: invalid opcode: 0000 [#1] SMP KASAN PTI   CPU: 1 UID: 0 PID: 6352 Comm: syz.3.25 Not tainted syzkaller #0 PREEMPT(full)   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025   RIP: 0010:populate_free_space_tree+0x700/0x710 fs/btrfs/free-space-tree.c:1115   Code: ff ff e8 d3 (...)   
RSP: 0018:ffffc9000430f780 EFLAGS: 00010246   RAX: 0000000000000043 RBX: ffff88805b709630 RCX: fea61d0e2e79d000   RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000   RBP: ffffc9000430f8b0 R08: ffffc9000430f4a7 R09: 1ffff92000861e94   R10: dffffc0000000000 R11: fffff52000861e95 R12: 0000000000000001   R13: 1ffff92000861f00 R14: dffffc0000000000 R15: 0000000000000000   FS:  00007f424d9fe6c0(0000) GS:ffff888125afc000(0000) knlGS:0000000000000000   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   CR2: 00007fd78ad212c0 CR3: 0000000076d68000 CR4: 00000000003526f0   Call Trace:    <TASK>    btrfs_rebuild_free_space_tree+0x1ba/0x6d0 fs/btrfs/free-space-tree.c:1364    btrfs_start_pre_rw_mount+0x128f/0x1bf0 fs/btrfs/disk-io.c:3062    btrfs_remount_rw fs/btrfs/super.c:1334 [inline]    btrfs_reconfigure+0xaed/0x2160 fs/btrfs/super.c:1559    reconfigure_super+0x227/0x890 fs/super.c:1076    do_remount fs/namespace.c:3279 [inline]    path_mount+0xd1a/0xfe0 fs/namespace.c:4027    do_mount fs/namespace.c:4048 [inline]    __do_sys_mount fs/namespace.c:4236 [inline]    __se_sys_mount+0x313/0x410 fs/namespace.c:4213    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    RIP: 0033:0x7f424e39066a   Code: d8 64 89 02 (...)   RSP: 002b:00007f424d9fde68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5   RAX: ffffffffffffffda RBX: 00007f424d9fdef0 RCX: 00007f424e39066a   RDX: 0000200000000180 RSI: 0000200000000380 RDI: 0000000000000000   RBP: 0000200000000180 R08: 00007f424d9fdef0 R09: 0000000000000020   R10: 0000000000000020 R11: 0000000000000246 R12: 0000200000000380   R13: 00007f424d9fdeb0 R14: 0000000000000000 R15: 00002000000002c0    </TASK>   Modules linked in:   ---[ end trace 0000000000000000 ]---",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40101",
                        "url": "https://ubuntu.com/security/CVE-2025-40101",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST  At the end of btrfs_load_block_group_zone_info() the first thing we do is to ensure that if the mapping type is not a SINGLE one and there is no RAID stripe tree, then we return early with an error.  Doing that, though, prevents the code from running the last calls from this function which are about freeing memory allocated during its run. Hence, in this case, instead of returning early, we set the ret value and fall through the rest of the cleanup code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40167",
                        "url": "https://ubuntu.com/security/CVE-2025-40167",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: detect invalid INLINE_DATA + EXTENTS flag combination  syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal.  The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set:      EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:     comm syz.0.17: corrupted extent tree: lblk 0 < prev 66  Investigation revealed that the inode has both flags set:     DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1  This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks  Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes.  Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40102",
                        "url": "https://ubuntu.com/security/CVE-2025-40102",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Prevent access to vCPU events before init  Another day, another syzkaller bug. KVM erroneously allows userspace to pend vCPU events for a vCPU that hasn't been initialized yet, leading to KVM interpreting a bunch of uninitialized garbage for routing / injecting the exception.  In one case the injection code and the hyp disagree on whether the vCPU has a 32bit EL1 and put the vCPU into an illegal mode for AArch64, tripping the BUG() in exception_target_el() during the next injection:    kernel BUG at arch/arm64/kvm/inject_fault.c:40!   Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP   CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT   Hardware name: linux,dummy-virt (DT)   pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)   pc : exception_target_el+0x88/0x8c   lr : pend_serror_exception+0x18/0x13c   sp : ffff800082f03a10   x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000   x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000   x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004   x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000   x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0   x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000   x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000   x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000   x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000   x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20   Call trace:    exception_target_el+0x88/0x8c (P)    kvm_inject_serror_esr+0x40/0x3b4    __kvm_arm_vcpu_set_events+0xf0/0x100    kvm_arch_vcpu_ioctl+0x180/0x9d4    kvm_vcpu_ioctl+0x60c/0x9f4    __arm64_sys_ioctl+0xac/0x104    invoke_syscall+0x48/0x110    el0_svc_common.constprop.0+0x40/0xe0    
do_el0_svc+0x1c/0x28    el0_svc+0x34/0xf0    el0t_64_sync_handler+0xa0/0xe4    el0t_64_sync+0x198/0x19c   Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000)  Reject the ioctls outright as no sane VMM would call these before KVM_ARM_VCPU_INIT anyway. Even if it did the exception would've been thrown away by the eventual reset of the vCPU's state.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40103",
                        "url": "https://ubuntu.com/security/CVE-2025-40103",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: Fix refcount leak for cifs_sb_tlink  Fix three refcount inconsistency issues related to `cifs_sb_tlink`.  Comments for `cifs_sb_tlink` state that `cifs_put_tlink()` needs to be called after successful calls to `cifs_sb_tlink()`. Three calls fail to update refcount accordingly, leading to possible resource leaks.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40104",
                        "url": "https://ubuntu.com/security/CVE-2025-40104",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ixgbevf: fix mailbox API compatibility by negotiating supported features  There was backward compatibility in the terms of mailbox API. Various drivers from various OSes supporting 10G adapters from Intel portfolio could easily negotiate mailbox API.  This convention has been broken since introducing API 1.4. Commit 0062e7cc955e (\"ixgbevf: add VF IPsec offload code\") added support for IPSec which is specific only for the kernel ixgbe driver. None of the rest of the Intel 10G PF/VF drivers supports it. And actually lack of support was not included in the IPSec implementation - there were no such code paths. No possibility to negotiate support for the feature was introduced along with introduction of the feature itself.  Commit 339f28964147 (\"ixgbevf: Add support for new mailbox communication between PF and VF\") increasing API version to 1.5 did the same - it introduced code supported specifically by the PF ESX driver. It altered API version for the VF driver in the same time not touching the version defined for the PF ixgbe driver. It led to additional discrepancies, as the code provided within API 1.6 cannot be supported for Linux ixgbe driver as it causes crashes.  The issue was noticed some time ago and mitigated by Jake within the commit d0725312adf5 (\"ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5\"). As a result we have regression for IPsec support and after increasing API to version 1.6 ixgbevf driver stopped to support ESX MBX.  To fix this mess add new mailbox op asking PF driver about supported features. Basing on a response determine whether to set support for IPSec and ESX-specific enhanced mailbox.  New mailbox op, for compatibility purposes, must be added within new API revision, as API version of OOT PF & VF drivers is already increased to 1.6 and doesn't incorporate features negotiate op.  
Features negotiation mechanism gives possibility to be extended with new features when needed in the future.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40166",
                        "url": "https://ubuntu.com/security/CVE-2025-40166",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Check GuC running state before deregistering exec queue  In normal operation, a registered exec queue is disabled and deregistered through the GuC, and freed only after the GuC confirms completion. However, if the driver is forced to unbind while the exec queue is still running, the user may call exec_destroy() after the GuC has already been stopped and CT communication disabled.  In this case, the driver cannot receive a response from the GuC, preventing proper cleanup of exec queue resources. Fix this by directly releasing the resources when GuC is not running.  Here is the failure dmesg log: \" [  468.089581] ---[ end trace 0000000000000000 ]--- [  468.089608] pci 0000:03:00.0: [drm] *ERROR* GT0: GUC ID manager unclean (1/65535) [  468.090558] pci 0000:03:00.0: [drm] GT0:     total 65535 [  468.090562] pci 0000:03:00.0: [drm] GT0:     used 1 [  468.090564] pci 0000:03:00.0: [drm] GT0:     range 1..1 (1) [  468.092716] ------------[ cut here ]------------ [  468.092719] WARNING: CPU: 14 PID: 4775 at drivers/gpu/drm/xe/xe_ttm_vram_mgr.c:298 ttm_vram_mgr_fini+0xf8/0x130 [xe] \"  v2: use xe_uc_fw_is_running() instead of xe_guc_ct_enabled().     As CT may go down and come back during VF migration.  (cherry picked from commit 9b42321a02c50a12b2beb6ae9469606257fbecea)",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-12 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40105",
                        "url": "https://ubuntu.com/security/CVE-2025-40105",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vfs: Don't leak disconnected dentries on umount  When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb (\"VFS: don't keep disconnected dentries on d_anon\") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitly relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are \"leaked\". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous \"Busy inodes after unmount\" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-30 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40019",
                        "url": "https://ubuntu.com/security/CVE-2025-40019",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: essiv - Check ssize for decryption and in-place encryption  Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-24 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40214",
                        "url": "https://ubuntu.com/security/CVE-2025-40214",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  af_unix: Initialise scc_index in unix_add_edge().  Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro.  The repro consists of three stages.    1)     1-a. Create a single cyclic reference with many sockets     1-b. close() all sockets     1-c. Trigger GC    2)     2-a. Pass sk-A to an embryo sk-B     2-b. Pass sk-X to sk-X     2-c. Trigger GC    3)     3-a. accept() the embryo sk-B     3-b. Pass sk-B to sk-C     3-c. close() the in-flight sk-A     3-d. Trigger GC  As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs:    unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START)   unix_sk(sk-X)->vertex->scc_index = 3  Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC.  At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices.  unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight.  3-c decrements sk-A's file refcnt to 1.  Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X:    sk-A -> sk-B (-> sk-C)   sk-X -> sk-X  This is totally fine.  All of them are not yet close()d and should be grouped into different SCCs.  However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead.    unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong!   &&   sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree                                        ^-- 1 in-flight count for sk-B   -> sk-A is dead !?  
The problem is that unix_add_edge() does not initialise scc_index.  Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c.  Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index.  This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.",
                        "cve_priority": "high",
                        "cve_public_date": "2025-12-04 13:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2137845,
                    1786013,
                    2137849,
                    1786013,
                    2136820,
                    2137698,
                    2129812,
                    2125022,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136850,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136833,
                    2136813,
                    2132317,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2134982,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2133557,
                    2132095,
                    2131046,
                    2115860,
                    2128792,
                    2121852,
                    2131259,
                    2131259,
                    2131702,
                    2129610
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-40256",
                                "url": "https://ubuntu.com/security/CVE-2025-40256",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added  In commit b441cf3f8c4b (\"xfrm: delete x->tunnel as we delete x\"), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists.  In this situation, ->init_state has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn't go through __xfrm_state_delete, so we don't call xfrm_state_delete_tunnel for those states, and we end up leaking the FB tunnel.  There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrm_migrate, xfrm_state_migrate). A \"proper\" rollback of the init_state work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved.  At some point, the new (not-inserted) state will be destroyed, so call xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states will have their fallback tunnel cleaned up during __xfrm_state_delete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68204",
                                "url": "https://ubuntu.com/security/CVE-2025-68204",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  pmdomain: arm: scmi: Fix genpd leak on provider registration failure  If of_genpd_add_provider_onecell() fails during probe, the previously created generic power domains are not removed, leading to a memory leak and potential kernel crash later in genpd_debug_add().  Add proper error handling to unwind the initialized domains before returning from probe to ensure all resources are correctly released on failure.  Example crash trace observed without this fix:    | Unable to handle kernel paging request at virtual address fffffffffffffc70   | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT   | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform   | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)   | pc : genpd_debug_add+0x2c/0x160   | lr : genpd_debug_init+0x74/0x98   | Call trace:   |  genpd_debug_add+0x2c/0x160 (P)   |  genpd_debug_init+0x74/0x98   |  do_one_initcall+0xd0/0x2d8   |  do_initcall_level+0xa0/0x140   |  do_initcalls+0x60/0xa8   |  do_basic_setup+0x28/0x40   |  kernel_init_freeable+0xe8/0x170   |  kernel_init+0x2c/0x140   |  ret_from_fork+0x10/0x20",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68203",
                                "url": "https://ubuntu.com/security/CVE-2025-68203",
                                "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40267",
                                "url": "https://ubuntu.com/security/CVE-2025-40267",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/rw: ensure allocated iovec gets cleared for early failure  A previous commit reused the recyling infrastructure for early cleanup, but this is not enough for the case where our internal caches have overflowed. If this happens, then the allocated iovec can get leaked if the request is also aborted early.  Reinstate the previous forced free of the iovec for that situation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68198",
                                "url": "https://ubuntu.com/security/CVE-2025-68198",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crash: fix crashkernel resource shrink  When crashkernel is configured with a high reservation, shrinking its value below the low crashkernel reservation causes two issues:  1. Invalid crashkernel resource objects 2. Kernel crash if crashkernel shrinking is done twice  For example, with crashkernel=200M,high, the kernel reserves 200MB of high memory and some default low memory (say 256MB).  The reservation appears as:  cat /proc/iomem | grep -i crash af000000-beffffff : Crash kernel 433000000-43f7fffff : Crash kernel  If crashkernel is then shrunk to 50MB (echo 52428800 > /sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved: af000000-beffffff : Crash kernel  Instead, it should show 50MB: af000000-b21fffff : Crash kernel  Further shrinking crashkernel to 40MB causes a kernel crash with the following trace (x86):  BUG: kernel NULL pointer dereference, address: 0000000000000038 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI <snip...> Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2f0 ? search_module_extables+0x19/0x60 ? search_bpf_extables+0x5f/0x80 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? __release_resource+0xd/0xb0 release_resource+0x26/0x40 __crash_shrink_memory+0xe5/0x110 crash_shrink_memory+0x12a/0x190 kexec_crash_size_store+0x41/0x80 kernfs_fop_write_iter+0x141/0x1f0 vfs_write+0x294/0x460 ksys_write+0x6d/0xf0 <snip...>  This happens because __crash_shrink_memory()/kernel/crash_core.c incorrectly updates the crashk_res resource object even when crashk_low_res should be updated.  Fix this by ensuring the correct crashkernel resource object is updated when shrinking crashkernel memory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68199",
                                "url": "https://ubuntu.com/security/CVE-2025-68199",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext  When alloc_slab_obj_exts() fails and then later succeeds in allocating a slab extension vector, it calls handle_failed_objexts_alloc() to mark all objects in the vector as empty.  As a result all objects in this slab (slabA) will have their extensions set to CODETAG_EMPTY.  Later on if this slabA is used to allocate a slabobj_ext vector for another slab (slabB), we end up with the slabB->obj_exts pointing to a slabobj_ext vector that itself has a non-NULL slabobj_ext equal to CODETAG_EMPTY.  When slabB gets freed, free_slab_obj_exts() is called to free slabB->obj_exts vector.   free_slab_obj_exts() calls mark_objexts_empty(slabB->obj_exts) which will generate a warning because it expects slabobj_ext vectors to have a NULL obj_ext, not CODETAG_EMPTY.  Modify mark_objexts_empty() to skip the warning and setting the obj_ext value if it's already set to CODETAG_EMPTY.   To quickly detect this WARN, I modified the code from WARN_ON(slab_exts[offs].ref.ct) to BUG_ON(slab_exts[offs].ref.ct == 1);  We then obtained this message:  [21630.898561] ------------[ cut here ]------------ [21630.898596] kernel BUG at mm/slub.c:2050! 
[21630.898611] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [21630.900372] Modules linked in: squashfs isofs vfio_iommu_type1 vhost_vsock vfio vhost_net vmw_vsock_virtio_transport_common vhost tap vhost_iotlb iommufd vsock binfmt_misc nfsv3 nfs_acl nfs lockd grace netfs tls rds dns_resolver tun brd overlay ntfs3 exfat btrfs blake2b_generic xor xor_neon raid6_pq loop sctp ip6_udp_tunnel udp_tunnel nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables rfkill ip_set sunrpc vfat fat joydev sg sch_fq_codel nfnetlink virtio_gpu sr_mod cdrom drm_client_lib virtio_dma_buf drm_shmem_helper drm_kms_helper drm ghash_ce backlight virtio_net virtio_blk virtio_scsi net_failover virtio_console failover virtio_mmio dm_mirror dm_region_hash dm_log dm_multipath dm_mod fuse i2c_dev virtio_pci virtio_pci_legacy_dev virtio_pci_modern_dev virtio virtio_ring autofs4 aes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject] [21630.909177] CPU: 3 UID: 0 PID: 3787 Comm: kylin-process-m Kdump: loaded Tainted: G        W           6.18.0-rc1+ #74 PREEMPT(voluntary) [21630.910495] Tainted: [W]=WARN [21630.910867] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 [21630.911625] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [21630.912392] pc : __free_slab+0x228/0x250 [21630.912868] lr : __free_slab+0x18c/0x250[21630.913334] sp : ffff8000a02f73e0 [21630.913830] x29: ffff8000a02f73e0 x28: fffffdffc43fc800 x27: ffff0000c0011c40 [21630.914677] x26: ffff0000c000cac0 x25: ffff00010fe5e5f0 x24: ffff000102199b40 [21630.915469] x23: 0000000000000003 x22: 0000000000000003 x21: ffff0000c0011c40 [21630.916259] x20: fffffdffc4086600 x19: fffffdffc43fc800 x18: 0000000000000000 [21630.917048] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [21630.917837] x14: 0000000000000000 x13: 0000000000000000 x12: ffff70001405ee66 
[21630.918640] x11: 1ffff0001405ee65 x10: ffff70001405ee65 x9 : ffff800080a295dc [21630.919442] x8 : ffff8000a02f7330 x7 : 0000000000000000 x6 : 0000000000003000 [21630.920232] x5 : 0000000024924925 x4 : 0000000000000001 x3 : 0000000000000007 [21630.921021] x2 : 0000000000001b40 x1 : 000000000000001f x0 : 0000000000000001 [21630.921810] Call trace: [21630.922130]  __free_slab+0x228/0x250 (P) [21630.922669]  free_slab+0x38/0x118 [21630.923079]  free_to_partial_list+0x1d4/0x340 [21630.923591]  __slab_free+0x24c/0x348 [21630.924024]  ___cache_free+0xf0/0x110 [21630.924468]  qlist_free_all+0x78/0x130 [21630.924922]  kasan_quarantine_reduce+0x11 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40268",
                                "url": "https://ubuntu.com/security/CVE-2025-40268",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cifs: client: fix memory leak in smb3_fs_context_parse_param  The user calls fsconfig twice, but when the program exits, free() only frees ctx->source for the second fsconfig, not the first. Regarding fc->source, there is no code in the fs context related to its memory reclamation.  To fix this memory leak, release the source memory corresponding to ctx or fc before each parsing.  syzbot reported: BUG: memory leak unreferenced object 0xffff888128afa360 (size 96):   backtrace (crc 79c9c7ba):     kstrdup+0x3c/0x80 mm/util.c:84     smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444  BUG: memory leak unreferenced object 0xffff888112c7d900 (size 96):   backtrace (crc 79c9c7ba):     smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629     smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40269",
                                "url": "https://ubuntu.com/security/CVE-2025-40269",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix potential overflow of PCM transfer buffer  The PCM stream data in USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically.  The packet sizes are limited by some factors such as wMaxPacketSize USB descriptor.  OTOH, in the current code, the actually used packet sizes are determined only by the rate and the PPS, which may be bigger than the size limit above.  This results in a buffer overflow, as reported by syzbot.  Basically when the limit is smaller than the calculated packet size, it implies that something is wrong, most likely a weird USB descriptor.  So the best option would be just to return an error at the parameter setup time before doing any further operations.  This patch introduces such a sanity check, and returns -EINVAL when the packet size is greater than maxpacksize.  The comparison with ep->packsize[1] alone should suffice since it's always equal or greater than ep->packsize[0].",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68205",
                                "url": "https://ubuntu.com/security/CVE-2025-68205",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver  After restructuring and splitting the HDMI codec driver code, each HDMI codec driver contains the own build_controls and build_pcms ops. A copy-n-paste error put the wrong entries for nvhdmi-mcp driver; both build_controls and build_pcms are swapped.  Unfortunately both callbacks have the very same form, and the compiler didn't complain it, either.  This resulted in a NULL dereference because the PCM instance hasn't been initialized at calling the build_controls callback.  Fix it by passing the proper entries.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40270",
                                "url": "https://ubuntu.com/security/CVE-2025-40270",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm, swap: fix potential UAF issue for VMA readahead  Since commit 78524b05f1a3 (\"mm, swap: avoid redundant swap device pinning\"), the common helper for allocating and preparing a folio in the swap cache layer no longer tries to get a swap device reference internally, because all callers of __read_swap_cache_async are already holding a swap entry reference.  The repeated swap device pinning isn't needed on the same swap device.  Caller of VMA readahead is also holding a reference to the target entry's swap device, but VMA readahead walks the page table, so it might encounter swap entries from other devices, and call __read_swap_cache_async on another device without holding a reference to it.  So it is possible to cause a UAF when swapoff of device A raced with swapin on device B, and VMA readahead tries to read swap entries from device A.  It's not easy to trigger, but in theory, it could cause real issues.  Make VMA readahead try to get the device reference first if the swap device is a different one from the target entry.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40271",
                                "url": "https://ubuntu.com/security/CVE-2025-40271",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/proc: fix uaf in proc_readdir_de()  Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which may result in uaf access.  We should use RB_CLEAR_NODE() set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access.  We found an uaf issue while using stress-ng testing, need to run testcase getdent and tun in the same time.  The steps of the issue is as follows:  1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current    pde is tun3;  2) in the [time windows] unregister netdevice tun3 and tun2, and erase    them from rbtree.  erase tun3 first, and then erase tun2.  the    pde(tun2) will be released to slab;  3) continue to getdent process, then pde_subdir_next() will return    pde(tun2) which is released, it will case uaf access.  CPU 0                                      |    CPU 1 ------------------------------------------------------------------------- traverse dir /proc/pid/net/dev_snmp6/      |  unregister_netdevice(tun->dev)   //tun3 tun2 sys_getdents64()                           |   iterate_dir()                            |     proc_readdir()                         |       proc_readdir_de()                    |     snmp6_unregister_dev()         pde_get(de);                       |       proc_remove()         read_unlock(&proc_subdir_lock);    |         remove_proc_subtree()                                            |          write_lock(&proc_subdir_lock);         [time window]                      |          rb_erase(&root->subdir_node, &parent->subdir);                                            |          write_unlock(&proc_subdir_lock);         read_lock(&proc_subdir_lock);      |         next = pde_subdir_next(de);        |         pde_put(de);                       |         de = next;    //UAF                |  rbtree of dev_snmp6                         
|                     pde(tun3)                      /    \\                   NULL  pde(tun2)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40272",
                                "url": "https://ubuntu.com/security/CVE-2025-40272",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/secretmem: fix use-after-free race in fault handler  When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping.  If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in adding the folio to the file mapping.  The task that failed undoes the effects of its attempt by (a) freeing the folio again and (b) putting the page back into the direct map.  However, by doing these two operations in this order, the page becomes available to the allocator again before it is placed back in the direct mapping.  If another task attempts to allocate the page between (a) and (b), and the kernel tries to access it via the direct map, it would result in a supervisor not-present page fault.  Fix the ordering to restore the direct map before the folio is freed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68245",
                                "url": "https://ubuntu.com/security/CVE-2025-68245",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: netpoll: fix incorrect refcount handling causing incorrect cleanup  commit efa95b01da18 (\"netpoll: fix use after free\") incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks.  Scenario causing lack of proper cleanup:  1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is    allocated, and refcnt = 1    - Keep in mind that npinfo is shared among all netpoll instances. In      this case, there is just one.  2) Another netpoll is also associated with the same NIC and    npinfo->refcnt += 1.    - Now dev->npinfo->refcnt = 2;    - There is just one npinfo associated to the netdev.  3) When the first netpolls goes to clean up:    - The first cleanup succeeds and clears np->dev->npinfo, ignoring      refcnt.      - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);`    - Set dev->npinfo = NULL, without proper cleanup    - No ->ndo_netpoll_cleanup() is either called  4) Now the second target tries to clean up    - The second cleanup fails because np->dev->npinfo is already NULL.      * In this case, ops->ndo_netpoll_cleanup() was never called, and        the skb pool is not cleaned as well (for the second netpoll        instance)   - This leaks npinfo and skbpool skbs, which is clearly reported by     kmemleak.  Revert commit efa95b01da18 (\"netpoll: fix use after free\") and adds clarifying comments emphasizing that npinfo cleanup should only happen once the refcount reaches zero, ensuring stable and correct netpoll behavior.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68240",
                                "url": "https://ubuntu.com/security/CVE-2025-68240",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nilfs2: avoid having an active sc_timer before freeing sci  Because kthread_stop did not stop sc_task properly and returned -EINTR, the sc_timer was not properly closed, ultimately causing the problem [1] reported by syzbot when freeing sci due to the sc_timer not being closed.  Because the thread sc_task main function nilfs_segctor_thread() returns 0 when it succeeds, when the return value of kthread_stop() is not 0 in nilfs_segctor_destroy(), we believe that it has not properly closed sc_timer.  We use timer_shutdown_sync() to sync wait for sc_timer to shutdown, and set the value of sc_task to NULL under the protection of lock sc_state_lock, so as to avoid the issue caused by sc_timer not being properly shutdowned.  [1] ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: nilfs_construction_timeout Call trace:  nilfs_segctor_destroy fs/nilfs2/segment.c:2811 [inline]  nilfs_detach_log_writer+0x668/0x8cc fs/nilfs2/segment.c:2877  nilfs_put_super+0x4c/0x12c fs/nilfs2/super.c:509",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68241",
                                "url": "https://ubuntu.com/security/CVE-2025-68241",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe  The sit driver's packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random.  The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exception() can fetch the soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a new dst using a dst_hold(). When the original fnheX is freed via RCU, the dst reference remains permanently leaked.  CPU 0                             CPU 1 __mkroute_output()   find_exception() [fnheX]                                   update_or_create_fnhe()                                     fnhe_remove_oldest() [fnheX]   rt_bind_exception() [bind dst]                                   RCU callback [fnheX freed, dst leak]  This issue manifests as a device reference count leak and a warning in dmesg when unregistering the net device:    unregister_netdevice: waiting for sitX to become free. Usage count = N  Ido Schimmel provided the simple test validation method [1].  The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes(). Since rt_bind_exception() checks this field, setting it to zero prevents the stale fnhe from being reused and bound to a new dst just before it is freed.  
[1] ip netns add ns1 ip -n ns1 link set dev lo up ip -n ns1 address add 192.0.2.1/32 dev lo ip -n ns1 link add name dummy1 up type dummy ip -n ns1 route add 192.0.2.2/32 dev dummy1 ip -n ns1 link add name gretap1 up arp off type gretap \\     local 192.0.2.1 remote 192.0.2.2 ip -n ns1 route add 198.51.0.0/16 dev gretap1 taskset -c 0 ip netns exec ns1 mausezahn gretap1 \\     -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & taskset -c 2 ip netns exec ns1 mausezahn gretap1 \\     -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & sleep 10 ip netns pids ns1 | xargs kill ip netns del ns1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68211",
                                "url": "https://ubuntu.com/security/CVE-2025-68211",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksm: use range-walk function to jump over holes in scan_get_next_rmap_item  Currently, scan_get_next_rmap_item() walks every page address in a VMA to locate mergeable pages.  This becomes highly inefficient when scanning large virtual memory areas that contain mostly unmapped regions, causing ksmd to use large amount of cpu without deduplicating much pages.  This patch replaces the per-address lookup with a range walk using walk_page_range().  The range walker allows KSM to skip over entire unmapped holes in a VMA, avoiding unnecessary lookups.  This problem was previously discussed in [1].  Consider the following test program which creates a 32 TiB mapping in the virtual address space but only populates a single page:  #include <unistd.h> #include <stdio.h> #include <sys/mman.h>  /* 32 TiB */ const size_t size = 32ul * 1024 * 1024 * 1024 * 1024;  int main() {         char *area = mmap(NULL, size, PROT_READ | PROT_WRITE,                           MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1, 0);          if (area == MAP_FAILED) {                 perror(\"mmap() failed\\n\");                 return -1;         }          /* Populate a single page such that we get an anon_vma. */         *area = 0;          /* Enable KSM. */         madvise(area, size, MADV_MERGEABLE);         pause();         return 0; }  $ ./ksm-sparse  & $ echo 1 > /sys/kernel/mm/ksm/run  Without this patch ksmd uses 100% of the cpu for a long time (more then 1 hour in my test machine) scanning all the 32 TiB virtual address space that contain only one mapped page.  This makes ksmd essentially deadlocked not able to deduplicate anything of value.  With this patch ksmd walks only the one mapped page and skips the rest of the 32 TiB virtual address space, making the scan fast using little cpu.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68246",
                                "url": "https://ubuntu.com/security/CVE-2025-68246",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: close accepted socket when per-IP limit rejects connection  When the per-IP connection limit is exceeded in ksmbd_kthread_fn(), the code sets ret = -EAGAIN and continues the accept loop without closing the just-accepted socket. That leaks one socket per rejected attempt from a single IP and enables a trivial remote DoS.  Release client_sk before continuing.  This bug was found with ZeroPath.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40273",
                                "url": "https://ubuntu.com/security/CVE-2025-40273",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: free copynotify stateid in nfs4_free_ol_stateid()  Typically copynotify stateid is freed either when parent's stateid is being close/freed or in nfsd4_laundromat if the stateid hasn't been used in a lease period.  However, in case when the server got an OPEN (which created a parent stateid), followed by a COPY_NOTIFY using that stateid, followed by a client reboot. New client instance while doing CREATE_SESSION would force expire previous state of this client. It leads to the open state being freed thru release_openowner-> nfs4_free_ol_stateid() and it finds that it still has copynotify stateid associated with it. We currently print a warning and is triggerred  WARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd]  This patch, instead, frees the associated copynotify stateid here.  If the parent stateid is freed (without freeing the copynotify stateids associated with it), it leads to the list corruption when laundromat ends up freeing the copynotify state later.  
[ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP [ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink [ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G    B   W           6.17.0-rc7+ #22 PREEMPT(voluntary) [ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN [ 1626.857573] Hardware name: VMware, Inc. 
VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024 [ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd] [ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.861182] sp : ffff8000881d7a40 [ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200 [ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20 [ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8 [ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000 [ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065 [ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3 [ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000 [ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001 [ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000 [ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d [ 1626.868167] Call trace: [ 1626.868382]  __list_del_entry_valid_or_report+0x148/0x200 (P) [ 1626.868876]  _free_cpntf_state_locked+0xd0/0x268 [nfsd] [ 1626.869368]  nfs4_laundromat+0x6f8/0x1058 [nfsd] [ 1626.869813]  laundromat_main+0x24/0x60 [nfsd] [ 1626.870231]  process_one_work+0x584/0x1050 [ 1626.870595]  worker_thread+0x4c4/0xc60 [ 1626.870893]  kthread+0x2f8/0x398 [ 1626.871146]  ret_from_fork+0x10/0x20 [ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000) [ 1626.871892] SMP: stopping secondary CPUs",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40212",
                                "url": "https://ubuntu.com/security/CVE-2025-40212",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfsd: fix refcount leak in nfsd_set_fh_dentry()  nfsd exports a \"pseudo root filesystem\" which is used by NFSv4 to find the various exported filesystems using LOOKUP requests from a known root filehandle.  NFSv3 uses the MOUNT protocol to find those exported filesystems and so is not given access to the pseudo root filesystem.  If a v3 (or v2) client uses a filehandle from that filesystem, nfsd_set_fh_dentry() will report an error, but still stores the export in \"struct svc_fh\" even though it also drops the reference (exp_put()). This means that when fh_put() is called an extra reference will be dropped which can lead to use-after-free and possible denial of service.  Normal NFS usage will not provide a pseudo-root filehandle to a v3 client.  This bug can only be triggered by the client synthesising an incorrect filehandle.  To fix this we move the assignments to the svc_fh later, after all possible error cases have been detected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-24 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40274",
                                "url": "https://ubuntu.com/security/CVE-2025-40274",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying  When unbinding a memslot from a guest_memfd instance, remove the bindings even if the guest_memfd file is dying, i.e. even if its file refcount has gone to zero.  If the memslot is freed before the file is fully released, nullifying the memslot side of the binding in kvm_gmem_release() will write to freed memory, as detected by syzbot+KASAN:    ==================================================================   BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353   Write of size 8 at addr ffff88807befa508 by task syz.0.17/6022    CPU: 0 UID: 0 PID: 6022 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025   Call Trace:    <TASK>    dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120    print_address_description mm/kasan/report.c:378 [inline]    print_report+0xca/0x240 mm/kasan/report.c:482    kasan_report+0x118/0x150 mm/kasan/report.c:595    kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353    __fput+0x44c/0xa70 fs/file_table.c:468    task_work_run+0x1d4/0x260 kernel/task_work.c:227    resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]    exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43    exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]    syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]    syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]    do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100    entry_SYSCALL_64_after_hwframe+0x77/0x7f   RIP: 0033:0x7fbeeff8efc9    </TASK>    Allocated by task 6023:    kasan_save_stack mm/kasan/common.c:56 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:77    poison_kmalloc_redzone mm/kasan/common.c:397 
[inline]    __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414    kasan_kmalloc include/linux/kasan.h:262 [inline]    __kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5758    kmalloc_noprof include/linux/slab.h:957 [inline]    kzalloc_noprof include/linux/slab.h:1094 [inline]    kvm_set_memory_region+0x747/0xb90 virt/kvm/kvm_main.c:2104    kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154    kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:597 [inline]    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    Freed by task 6023:    kasan_save_stack mm/kasan/common.c:56 [inline]    kasan_save_track+0x3e/0x80 mm/kasan/common.c:77    kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584    poison_slab_object mm/kasan/common.c:252 [inline]    __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284    kasan_slab_free include/linux/kasan.h:234 [inline]    slab_free_hook mm/slub.c:2533 [inline]    slab_free mm/slub.c:6622 [inline]    kfree+0x19a/0x6d0 mm/slub.c:6829    kvm_set_memory_region+0x9c4/0xb90 virt/kvm/kvm_main.c:2130    kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154    kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201    vfs_ioctl fs/ioctl.c:51 [inline]    __do_sys_ioctl fs/ioctl.c:597 [inline]    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f  Deliberately don't acquire filemap invalid lock when the file is dying as the lifecycle of f_mapping is outside the purview of KVM.  
Dereferencing the mapping is *probably* fine, but there's no need to invalidate anything as memslot deletion is responsible for zapping SPTEs, and the only code that can access the dying file is kvm_gmem_release(), whose core code is mutual ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68202",
                                "url": "https://ubuntu.com/security/CVE-2025-68202",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched_ext: Fix unsafe locking in the scx_dump_state()  For built with CONFIG_PREEMPT_RT=y kernels, the dump_lock will be converted sleepable spinlock and not disable-irq, so the following scenarios occur:  inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. irq_work/0/27 [HC0[0]:SC0[0]:HE1:SE1] takes: (&rq->__lock){?...}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x40 {IN-HARDIRQ-W} state was registered at:    lock_acquire+0x1e1/0x510    _raw_spin_lock_nested+0x42/0x80    raw_spin_rq_lock_nested+0x2b/0x40    sched_tick+0xae/0x7b0    update_process_times+0x14c/0x1b0    tick_periodic+0x62/0x1f0    tick_handle_periodic+0x48/0xf0    timer_interrupt+0x55/0x80    __handle_irq_event_percpu+0x20a/0x5c0    handle_irq_event_percpu+0x18/0xc0    handle_irq_event+0xb5/0x150    handle_level_irq+0x220/0x460    __common_interrupt+0xa2/0x1e0    common_interrupt+0xb0/0xd0    asm_common_interrupt+0x2b/0x40    _raw_spin_unlock_irqrestore+0x45/0x80    __setup_irq+0xc34/0x1a30    request_threaded_irq+0x214/0x2f0    hpet_time_init+0x3e/0x60    x86_late_time_init+0x5b/0xb0    start_kernel+0x308/0x410    x86_64_start_reservations+0x1c/0x30    x86_64_start_kernel+0x96/0xa0    common_startup_64+0x13e/0x148   other info that might help us debug this:  Possible unsafe locking scenario:          CPU0         ----    lock(&rq->__lock);    <Interrupt>      lock(&rq->__lock);    *** DEADLOCK ***   stack backtrace:  CPU: 0 UID: 0 PID: 27 Comm: irq_work/0  Call Trace:   <TASK>   dump_stack_lvl+0x8c/0xd0   dump_stack+0x14/0x20   print_usage_bug+0x42e/0x690   mark_lock.part.44+0x867/0xa70   ? __pfx_mark_lock.part.44+0x10/0x10   ? string_nocheck+0x19c/0x310   ? number+0x739/0x9f0   ? __pfx_string_nocheck+0x10/0x10   ? __pfx_check_pointer+0x10/0x10   ? kvm_sched_clock_read+0x15/0x30   ? sched_clock_noinstr+0xd/0x20   ? local_clock_noinstr+0x1c/0xe0   __lock_acquire+0xc4b/0x62b0   ? 
__pfx_format_decode+0x10/0x10   ? __pfx_string+0x10/0x10   ? __pfx___lock_acquire+0x10/0x10   ? __pfx_vsnprintf+0x10/0x10   lock_acquire+0x1e1/0x510   ? raw_spin_rq_lock_nested+0x2b/0x40   ? __pfx_lock_acquire+0x10/0x10   ? dump_line+0x12e/0x270   ? raw_spin_rq_lock_nested+0x20/0x40   _raw_spin_lock_nested+0x42/0x80   ? raw_spin_rq_lock_nested+0x2b/0x40   raw_spin_rq_lock_nested+0x2b/0x40   scx_dump_state+0x3b3/0x1270   ? finish_task_switch+0x27e/0x840   scx_ops_error_irq_workfn+0x67/0x80   irq_work_single+0x113/0x260   irq_work_run_list.part.3+0x44/0x70   run_irq_workd+0x6b/0x90   ? __pfx_run_irq_workd+0x10/0x10   smpboot_thread_fn+0x529/0x870   ? __pfx_smpboot_thread_fn+0x10/0x10   kthread+0x305/0x3f0   ? __pfx_kthread+0x10/0x10   ret_from_fork+0x40/0x70   ? __pfx_kthread+0x10/0x10   ret_from_fork_asm+0x1a/0x30   </TASK>  This commit therefore uses rq_lock_irqsave/irqrestore() to replace rq_lock/unlock() in scx_dump_state().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68239",
                                "url": "https://ubuntu.com/security/CVE-2025-68239",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  binfmt_misc: restore write access before closing files opened by open_exec()  bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed.  However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write operations on the same file to fail.  Fix this by calling exe_file_allow_write_access() before filp_close() to restore the write permission properly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68247",
                                "url": "https://ubuntu.com/security/CVE-2025-68247",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  posix-timers: Plug potential memory leak in do_timer_create()  When posix timer creation is set to allocate a given timer ID and the access to the user space value faults, the function terminates without freeing the already allocated posix timer structure.  Move the allocation after the user space access to cure that.  [ tglx: Massaged change log ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68208",
                                "url": "https://ubuntu.com/security/CVE-2025-68208",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: account for current allocated stack depth in widen_imprecise_scalars()  The usage pattern for widen_imprecise_scalars() looks as follows:      prev_st = find_prev_entry(env, ...);     queued_st = push_stack(...);     widen_imprecise_scalars(env, prev_st, queued_st);  Where prev_st is an ancestor of the queued_st in the explored states tree. This ancestor is not guaranteed to have same allocated stack depth as queued_st. E.g. in the following case:      def main():       for i in 1..2:         foo(i)        // same callsite, differnt param      def foo(i):       if i == 1:         use 128 bytes of stack       iterator based loop  Here, for a second 'foo' call prev_st->allocated_stack is 128, while queued_st->allocated_stack is much smaller. widen_imprecise_scalars() needs to take this into account and avoid accessing bpf_verifier_state->frame[*]->stack out of bounds.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68200",
                                "url": "https://ubuntu.com/security/CVE-2025-68200",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Add bpf_prog_run_data_pointers()  syzbot found that cls_bpf_classify() is able to change tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop().  WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline] WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214  struct tc_skb_cb has been added in commit ec624fe740b4 (\"net/sched: Extend qdisc control block with tc control block\"), which added a wrong interaction with db58ba459202 (\"bpf: wire in data and data_end for cls_act_bpf\").  drop_reason was added later.  Add bpf_prog_run_data_pointers() helper to save/restore the net_sched storage colliding with BPF data_meta/data_end.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40275",
                                "url": "https://ubuntu.com/security/CVE-2025-40275",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd  In snd_usb_create_streams(), for UAC version 3 devices, the Interface Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this call fails, a fallback routine attempts to obtain the IAD from the next interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, without performing a NULL check. This can lead to a NULL pointer dereference when usb_ifnum_to_if() fails to find the interface descriptor.  This patch adds a NULL pointer check after calling usb_ifnum_to_if() in snd_usb_mixer_controls_badd() to prevent the dereference.  This issue was discovered by syzkaller, which triggered the bug by sending a crafted USB device descriptor.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68242",
                                "url": "https://ubuntu.com/security/CVE-2025-68242",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS: Fix LTP test failures when timestamps are delegated  The utimes01 and utime06 tests fail when delegated timestamps are enabled, specifically in subtests that modify the atime and mtime fields using the 'nobody' user ID.  The problem can be reproduced as follow:  # echo \"/media *(rw,no_root_squash,sync)\" >> /etc/exports # export -ra # mount -o rw,nfsvers=4.2 127.0.0.1:/media /tmpdir # cd /opt/ltp # ./runltp -d /tmpdir -s utimes01 # ./runltp -d /tmpdir -s utime06  This issue occurs because nfs_setattr does not verify the inode's UID against the caller's fsuid when delegated timestamps are permitted for the inode.  This patch adds the UID check and if it does not match then the request is sent to the server for permission checking.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68243",
                                "url": "https://ubuntu.com/security/CVE-2025-68243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFS: Check the TLS certificate fields in nfs_match_client()  If the TLS security policy is of type RPC_XPRTSEC_TLS_X509, then the cert_serial and privkey_serial fields need to match as well since they define the client's identity, as presented to the server.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40276",
                                "url": "https://ubuntu.com/security/CVE-2025-40276",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/panthor: Flush shmem writes before mapping buffers CPU-uncached  The shmem layer zeroes out the new pages using cached mappings, and if we don't CPU-flush we might leave dirty cachelines behind, leading to potential data leaks and/or asynchronous buffer corruption when dirty cachelines are evicted.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40277",
                                "url": "https://ubuntu.com/security/CVE-2025-40277",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE  This data originates from userspace and is used in buffer offset calculations which could potentially overflow causing an out-of-bounds access.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68206",
                                "url": "https://ubuntu.com/security/CVE-2025-68206",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nft_ct: add seqadj extension for natted connections  Sequence adjustment may be required for FTP traffic with PASV/EPSV modes. due to need to re-write packet payload (IP, port) on the ftp control connection. This can require changes to the TCP length and expected seq / ack_seq.  The easiest way to reproduce this issue is with PASV mode. Example ruleset: table inet ftp_nat {         ct helper ftp_helper {                 type \"ftp\" protocol tcp                 l3proto inet         }          chain prerouting {                 type filter hook prerouting priority 0; policy accept;                 tcp dport 21 ct state new ct helper set \"ftp_helper\"         } } table ip nat {         chain prerouting {                 type nat hook prerouting priority -100; policy accept;                 tcp dport 21 dnat ip prefix to ip daddr map { \t\t\t192.168.100.1 : 192.168.13.2/32 }         }          chain postrouting {                 type nat hook postrouting priority 100 ; policy accept;                 tcp sport 21 snat ip prefix to ip saddr map { \t\t\t192.168.13.2 : 192.168.100.1/32 }         } }  Note that the ftp helper gets assigned *after* the dnat setup.  The inverse (nat after helper assign) is handled by an existing check in nf_nat_setup_info() and will not show the problem.  Topoloy:   +-------------------+     +----------------------------------+  | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |  +-------------------+     +----------------------------------+                                       |                          +-----------------------+                          | Client: 192.168.100.2 |                          +-----------------------+  ftp nat changes do not work as expected in this case: Connected to 192.168.100.1. [..] ftp> epsv EPSV/EPRT on IPv4 off. 
ftp> ls 227 Entering passive mode (192,168,100,1,209,129). 421 Service not available, remote server has closed connection.  Kernel logs: Missing nfct_seqadj_ext_add() setup call WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41 [..]  __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]  nf_nat_ftp+0x142/0x280 [nf_nat_ftp]  help+0x4d1/0x880 [nf_conntrack_ftp]  nf_confirm+0x122/0x2e0 [nf_conntrack]  nf_hook_slow+0x3c/0xb0  ..  Fix this by adding the required extension when a conntrack helper is assigned to a connection that has a nat binding.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68209",
                                "url": "https://ubuntu.com/security/CVE-2025-68209",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mlx5: Fix default values in create CQ  Currently, CQs without a completion function are assigned the mlx5_add_cq_to_tasklet function by default. This is problematic since only user CQs created through the mlx5_ib driver are intended to use this function.  Additionally, all CQs that will use doorbells instead of polling for completions must call mlx5_cq_arm. However, the default CQ creation flow leaves a valid value in the CQ's arm_db field, allowing FW to send interrupts to polling-only CQs in certain corner cases.  These two factors would allow a polling-only kernel CQ to be triggered by an EQ interrupt and call a completion function intended only for user CQs, causing a null pointer exception.  Some areas in the driver have prevented this issue with one-off fixes but did not address the root cause.  This patch fixes the described issue by adding defaults to the create CQ flow. It adds a default dummy completion function to protect against null pointer exceptions, and it sets an invalid command sequence number by default in kernel CQs to prevent the FW from sending an interrupt to the CQ until it is armed. User CQs are responsible for their own initialization values.  Callers of mlx5_core_create_cq are responsible for changing the completion function and arming the CQ per their needs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40278",
                                "url": "https://ubuntu.com/security/CVE-2025-40278",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak  Fix a KMSAN kernel-infoleak detected  by the syzbot .  [net?] KMSAN: kernel-infoleak in __skb_datagram_iter  In tcf_ife_dump(), the variable 'opt' was partially initialized using a designatied initializer. While the padding bytes are reamined uninitialized. nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace.  Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to beign copied.  This change silences the KMSAN report and prevents potential information leaks from the kernel memory.  This fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures no infoleak.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40279",
                                "url": "https://ubuntu.com/security/CVE-2025-40279",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: sched: act_connmark: initialize struct tc_ife to fix kernel leak  In tcf_connmark_dump(), the variable 'opt' was partially initialized using a designatied initializer. While the padding bytes are reamined uninitialized. nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace.  Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to beign copied.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40280",
                                "url": "https://ubuntu.com/security/CVE-2025-40280",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tipc: Fix use-after-free in tipc_mon_reinit_self().  syzbot reported use-after-free of tipc_net(net)->monitors[] in tipc_mon_reinit_self(). [0]  The array is protected by RTNL, but tipc_mon_reinit_self() iterates over it without RTNL.  tipc_mon_reinit_self() is called from tipc_net_finalize(), which is always under RTNL except for tipc_net_finalize_work().  Let's hold RTNL in tipc_net_finalize_work().  [0]: BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162 Read of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989  CPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Workqueue: events tipc_net_finalize_work Call Trace:  <TASK>  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0xca/0x240 mm/kasan/report.c:482  kasan_report+0x118/0x150 mm/kasan/report.c:595  __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568  kasan_check_byte include/linux/kasan.h:399 [inline]  lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842  __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]  _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162  rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline]  rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline]  rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244  rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243  write_lock_bh include/linux/rwlock_rt.h:99 [inline]  tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718  tipc_net_finalize+0x115/0x190 net/tipc/net.c:140  process_one_work kernel/workqueue.c:3236 [inline]  
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400  kthread+0x70e/0x8a0 kernel/kthread.c:463  ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 6089:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x3e/0x80 mm/kasan/common.c:68  poison_kmalloc_redzone mm/kasan/common.c:388 [inline]  __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405  kasan_kmalloc include/linux/kasan.h:260 [inline]  __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407  kmalloc_noprof include/linux/slab.h:905 [inline]  kzalloc_noprof include/linux/slab.h:1039 [inline]  tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657  tipc_enable_bearer net/tipc/bearer.c:357 [inline]  __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047  __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline]  tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393  tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline]  tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321  genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115  genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]  genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210  netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552  genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219  netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]  netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346  netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896  sock_sendmsg_nosec net/socket.c:714 [inline]  __sock_sendmsg+0x21c/0x270 net/socket.c:729  ____sys_sendmsg+0x508/0x820 net/socket.c:2614  ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668  __sys_sendmsg net/socket.c:2700 [inline]  __do_sys_sendmsg net/socket.c:2705 [inline]  __se_sys_sendmsg net/socket.c:2703 [inline]  __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703  do_syscall_x64 
arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xfa/0x3b0 arch/ ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40281",
                                "url": "https://ubuntu.com/security/CVE-2025-40281",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto  syzbot reported a possible shift-out-of-bounds [1]  Blamed commit added rto_alpha_max and rto_beta_max set to 1000.  It is unclear if some sctp users are setting very large rto_alpha and/or rto_beta.  In order to prevent user regression, perform the test at run time.  Also add READ_ONCE() annotations as sysctl values can change under us.  [1]  UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41 shift exponent 64 is too large for 32-bit type 'unsigned int' CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace:  <TASK>   __dump_stack lib/dump_stack.c:94 [inline]   dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120   ubsan_epilogue lib/ubsan.c:233 [inline]   __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494   sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509   sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502   sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338   sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]   sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40282",
                                "url": "https://ubuntu.com/security/CVE-2025-40282",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: 6lowpan: reset link-local header on ipv6 recv path  Bluetooth 6lowpan.c netdev has header_ops, so it must set link-local header for RX skb, otherwise things crash, eg. with AF_PACKET SOCK_RAW  Add missing skb_reset_mac_header() for uncompressed ipv6 RX path.  For the compressed one, it is done in lowpan_header_decompress().  Log: (BlueZ 6lowpan-tester Client Recv Raw - Success) ------ kernel BUG at net/core/skbuff.c:212! Call Trace: <IRQ> ... packet_rcv (net/packet/af_packet.c:2152) ... <TASK> __local_bh_enable_ip (kernel/softirq.c:407) netif_rx (net/core/dev.c:5648) chan_recv_cb (net/bluetooth/6lowpan.c:294 net/bluetooth/6lowpan.c:359) ------",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40283",
                                "url": "https://ubuntu.com/security/CVE-2025-40283",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF  There is a KASAN: slab-use-after-free read in btusb_disconnect(). Calling \"usb_driver_release_interface(&btusb_driver, data->intf)\" will free the btusb data associated with the interface. The same data is then used later in the function, hence the UAF.  Fix by moving the accesses to btusb data to before the data is free'd.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40284",
                                "url": "https://ubuntu.com/security/CVE-2025-40284",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: cancel mesh send timer when hdev removed  mesh_send_done timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone.  Cancel the timer when MGMT removes the hdev, like other MGMT timers.  Should fix the BUG: sporadically seen by BlueZ test bot (in \"Mesh - Send cancel - 1\" test).  Log: ------ BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0 ... Freed by task 36:  kasan_save_stack+0x24/0x50  kasan_save_track+0x14/0x30  __kasan_save_free_info+0x3a/0x60  __kasan_slab_free+0x43/0x70  kfree+0x103/0x500  device_release+0x9a/0x210  kobject_put+0x100/0x1e0  vhci_release+0x18b/0x240 ------",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68210",
                                "url": "https://ubuntu.com/security/CVE-2025-68210",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: avoid infinite loop due to incomplete zstd-compressed data  Currently, the decompression logic incorrectly spins if compressed data is truncated in crafted (deliberately corrupted) images.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40285",
                                "url": "https://ubuntu.com/security/CVE-2025-40285",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/server: fix possible refcount leak in smb2_sess_setup()  Reference count of ksmbd_session will leak when the session needs to reconnect. Fix this by adding the missing ksmbd_user_session_put().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40286",
                                "url": "https://ubuntu.com/security/CVE-2025-40286",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb/server: fix possible memory leak in smb2_read()  Memory leak occurs when ksmbd_vfs_read() fails. Fix this by adding the missing kvfree().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40287",
                                "url": "https://ubuntu.com/security/CVE-2025-40287",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exfat: fix improper check of dentry.stream.valid_size  We found an infinite loop bug in the exFAT file system that can lead to a Denial-of-Service (DoS) condition. When a dentry in an exFAT filesystem is malformed, the following system calls — SYS_openat, SYS_ftruncate, and SYS_pwrite64 — can cause the kernel to hang.  Root cause analysis shows that the size validation code in exfat_find() does not check whether dentry.stream.valid_size is negative. As a result, the system calls mentioned above can succeed and eventually trigger the DoS issue.  This patch adds a check for negative dentry.stream.valid_size to prevent this vulnerability.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40288",
                                "url": "https://ubuntu.com/security/CVE-2025-40288",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices  Previously, APU platforms (and other scenarios with uninitialized VRAM managers) triggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root cause is not that the `struct ttm_resource_manager *man` pointer itself is NULL, but that `man->bdev` (the backing device pointer within the manager) remains uninitialized (NULL) on APUs—since APUs lack dedicated VRAM and do not fully set up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to acquire `man->bdev->lru_lock`, it dereferences the NULL `man->bdev`, leading to a kernel OOPS.  1. **amdgpu_cs.c**: Extend the existing bandwidth control check in    `amdgpu_cs_get_threshold_for_moves()` to include a check for    `ttm_resource_manager_used()`. If the manager is not used (uninitialized    `bdev`), return 0 for migration thresholds immediately—skipping VRAM-specific    logic that would trigger the NULL dereference.  2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info    reporting to use a conditional: if the manager is used, return the real VRAM    usage; otherwise, return 0. This avoids accessing `man->bdev` when it is    NULL.  3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function)    data write path. Use `ttm_resource_manager_used()` to check validity: if the    manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set    `fb_usage` to 0 (APUs have no discrete framebuffer to report).  
This approach is more robust than APU-specific checks because it: - Works for all scenarios where the VRAM manager is uninitialized (not just APUs), - Aligns with TTM's design by using its native helper function, - Preserves correct behavior for discrete GPUs (which have fully initialized   `man->bdev` and pass the `ttm_resource_manager_used()` check).  v4: use ttm_resource_manager_used(&adev->mman.vram_mgr.manager) instead of checking the adev->gmc.is_app_apu flag (Christian)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40289",
                                "url": "https://ubuntu.com/security/CVE-2025-40289",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM  Otherwise accessing them can cause a crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-06 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68201",
                                "url": "https://ubuntu.com/security/CVE-2025-68201",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: remove two invalid BUG_ON()s  Those can be triggered trivially by userspace.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68207",
                                "url": "https://ubuntu.com/security/CVE-2025-68207",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Synchronize Dead CT worker with unbind  Cancel and wait for any Dead CT worker to complete before continuing with device unbinding. Else the worker will end up using resources freed by the unbind operation.  (cherry picked from commit 492671339114e376aaa38626d637a2751cdef263)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68244",
                                "url": "https://ubuntu.com/security/CVE-2025-68244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD  On completion of i915_vma_pin_ww(), a synchronous variant of dma_fence_work_commit() is called.  When pinning a VMA to GGTT address space on a Cherry View family processor, or on a Broxton generation SoC with VTD enabled, i.e., when stop_machine() is then called from intel_ggtt_bind_vma(), that can potentially lead to lock inversion among reservation_ww and cpu_hotplug locks.  [86.861179] ====================================================== [86.861193] WARNING: possible circular locking dependency detected [86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G     U [86.861226] ------------------------------------------------------ [86.861238] i915_module_loa/1432 is trying to acquire lock: [86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50 [86.861290] but task is already holding lock: [86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915] [86.862233] which lock already depends on the new lock. 
[86.862251] the existing dependency chain (in reverse order) is: [86.862265] -> #5 (reservation_ww_class_mutex){+.+.}-{3:3}: [86.862292]        dma_resv_lockdep+0x19a/0x390 [86.862315]        do_one_initcall+0x60/0x3f0 [86.862334]        kernel_init_freeable+0x3cd/0x680 [86.862353]        kernel_init+0x1b/0x200 [86.862369]        ret_from_fork+0x47/0x70 [86.862383]        ret_from_fork_asm+0x1a/0x30 [86.862399] -> #4 (reservation_ww_class_acquire){+.+.}-{0:0}: [86.862425]        dma_resv_lockdep+0x178/0x390 [86.862440]        do_one_initcall+0x60/0x3f0 [86.862454]        kernel_init_freeable+0x3cd/0x680 [86.862470]        kernel_init+0x1b/0x200 [86.862482]        ret_from_fork+0x47/0x70 [86.862495]        ret_from_fork_asm+0x1a/0x30 [86.862509] -> #3 (&mm->mmap_lock){++++}-{3:3}: [86.862531]        down_read_killable+0x46/0x1e0 [86.862546]        lock_mm_and_find_vma+0xa2/0x280 [86.862561]        do_user_addr_fault+0x266/0x8e0 [86.862578]        exc_page_fault+0x8a/0x2f0 [86.862593]        asm_exc_page_fault+0x27/0x30 [86.862607]        filldir64+0xeb/0x180 [86.862620]        kernfs_fop_readdir+0x118/0x480 [86.862635]        iterate_dir+0xcf/0x2b0 [86.862648]        __x64_sys_getdents64+0x84/0x140 [86.862661]        x64_sys_call+0x1058/0x2660 [86.862675]        do_syscall_64+0x91/0xe90 [86.862689]        entry_SYSCALL_64_after_hwframe+0x76/0x7e [86.862703] -> #2 (&root->kernfs_rwsem){++++}-{3:3}: [86.862725]        down_write+0x3e/0xf0 [86.862738]        kernfs_add_one+0x30/0x3c0 [86.862751]        kernfs_create_dir_ns+0x53/0xb0 [86.862765]        internal_create_group+0x134/0x4c0 [86.862779]        sysfs_create_group+0x13/0x20 [86.862792]        topology_add_dev+0x1d/0x30 [86.862806]        cpuhp_invoke_callback+0x4b5/0x850 [86.862822]        cpuhp_issue_call+0xbf/0x1f0 [86.862836]        __cpuhp_setup_state_cpuslocked+0x111/0x320 [86.862852]        __cpuhp_setup_state+0xb0/0x220 [86.862866]        topology_sysfs_init+0x30/0x50 [86.862879]        
do_one_initcall+0x60/0x3f0 [86.862893]        kernel_init_freeable+0x3cd/0x680 [86.862908]        kernel_init+0x1b/0x200 [86.862921]        ret_from_fork+0x47/0x70 [86.862934]        ret_from_fork_asm+0x1a/0x30 [86.862947] -> #1 (cpuhp_state_mutex){+.+.}-{3:3}: [86.862969]        __mutex_lock+0xaa/0xed0 [86.862982]        mutex_lock_nested+0x1b/0x30 [86.862995]        __cpuhp_setup_state_cpuslocked+0x67/0x320 [86.863012]        __cpuhp_setup_state+0xb0/0x220 [86.863026]        page_alloc_init_cpuhp+0x2d/0x60 [86.863041]        mm_core_init+0x22/0x2d0 [86.863054]        start_kernel+0x576/0xbd0 [86.863068]        x86_64_start_reservations+0x18/0x30 [86.863084]        x86_64_start_kernel+0xbf/0x110 [86.863098]        common_startup_64+0x13e/0x141 [86.863114] -> #0 (cpu_hotplug_lock){++++}-{0:0}: [86.863135]        __lock_acquire+0x16 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68316",
                                "url": "https://ubuntu.com/security/CVE-2025-68316",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: ufs: core: Fix invalid probe error return value  After DME Link Startup, the error return value is set to the MIPI UniPro GenericErrorCode which can be 0 (SUCCESS) or 1 (FAILURE).  Upon failure during driver probe, the error code 1 is propagated back to the driver probe function which must return a negative value to indicate an error, but 1 is not negative, so the probe is considered to be successful even though it failed.  Subsequently, removing the driver results in an oops because it is not in a valid state.  This happens because none of the callers of ufshcd_init() expect a non-negative error code.  Fix the return value and documentation to match actual usage.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40292",
                                "url": "https://ubuntu.com/security/CVE-2025-40292",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: fix received length check in big packets  Since commit 4959aebba8c0 (\"virtio-net: use mtu size as buffer length for big packets\"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi->big_packets_num_skbfrags.  Because the host announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce incorrect length), we need a check in virtio_net receive path. Currently, the check is not adapted to the new change which can lead to NULL page pointer dereference in the below while loop when receiving length that is larger than the allocated one.  This commit fixes the received length check corresponding to the new change.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68180",
                                "url": "https://ubuntu.com/security/CVE-2025-68180",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Fix NULL deref in debugfs odm_combine_segments  When a connector is connected but inactive (e.g., disabled by desktop environments), pipe_ctx->stream_res.tg will be destroyed. Then, reading odm_combine_segments causes kernel NULL pointer dereference.   BUG: kernel NULL pointer dereference, address: 0000000000000000  #PF: supervisor read access in kernel mode  #PF: error_code(0x0000) - not-present page  PGD 0 P4D 0  Oops: Oops: 0000 [#1] SMP NOPTI  CPU: 16 UID: 0 PID: 26474 Comm: cat Not tainted 6.17.0+ #2 PREEMPT(lazy) e6a17af9ee6db7c63e9d90dbe5b28ccab67520c6  Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN25WW 03/27/2025  RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]  Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>  RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286  RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8  RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000  RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0  R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08  R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001  FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0  PKRU: 55555554  Call Trace:   <TASK>   seq_read_iter+0x125/0x490   ? __alloc_frozen_pages_noprof+0x18f/0x350   seq_read+0x12c/0x170   full_proxy_read+0x51/0x80   vfs_read+0xbc/0x390   ? __handle_mm_fault+0xa46/0xef0   ? do_syscall_64+0x71/0x900   ksys_read+0x73/0xf0   do_syscall_64+0x71/0x900   ? count_memcg_events+0xc2/0x190   ? handle_mm_fault+0x1d7/0x2d0   ? do_user_addr_fault+0x21a/0x690   ? 
exc_page_fault+0x7e/0x1a0   entry_SYSCALL_64_after_hwframe+0x6c/0x74  RIP: 0033:0x7f44d4031687  Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00>  RSP: 002b:00007ffdb4b5f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000  RAX: ffffffffffffffda RBX: 00007f44d3f9f740 RCX: 00007f44d4031687  RDX: 0000000000040000 RSI: 00007f44d3f5e000 RDI: 0000000000000003  RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000  R10: 0000000000000000 R11: 0000000000000202 R12: 00007f44d3f5e000  R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000040000   </TASK>  Modules linked in: tls tcp_diag inet_diag xt_mark ccm snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device x>   snd_hda_codec_atihdmi snd_hda_codec_realtek_lib lenovo_wmi_helpers think_lmi snd_hda_codec_generic snd_hda_codec_hdmi snd_soc_core kvm snd_compress uvcvideo sn>   platform_profile joydev amd_pmc mousedev mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics loop nfnetlink ip_tables x_tables dm_cryp>  CR2: 0000000000000000  ---[ end trace 0000000000000000 ]---  RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]  Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>  RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286  RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8  RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000  RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0  R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08  R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001  FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  CR2: 0000000000000000 CR3: 00000006485c2000 
CR4: 0000000000f50ef0  PKRU: 55555554  Fix this by checking pipe_ctx-> ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40327",
                                "url": "https://ubuntu.com/security/CVE-2025-40327",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/core: Fix system hang caused by cpu-clock usage  cpu-clock usage by the async-profiler tool can trigger a system hang, which got bisected back to the following commit by Octavia Togami:    18dbcbfabfff (\"perf: Fix the POLL_HUP delivery breakage\") causes this issue  The root cause of the hang is that cpu-clock is a special type of SW event which relies on hrtimers. The __perf_event_overflow() callback is invoked from the hrtimer handler for cpu-clock events, and __perf_event_overflow() tries to call cpu_clock_event_stop() to stop the event, which calls hrtimer_cancel() to cancel the hrtimer.  But that's a recursion into the hrtimer code from a hrtimer handler, which (unsurprisingly) deadlocks.  To fix this bug, use hrtimer_try_to_cancel() instead, and set the PERF_HES_STOPPED flag, which causes perf_swevent_hrtimer() to stop the event once it sees the PERF_HES_STOPPED flag.  [ mingo: Fixed the comments and improved the changelog. ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40328",
                                "url": "https://ubuntu.com/security/CVE-2025-40328",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix potential UAF in smb2_close_cached_fid()  find_or_create_cached_dir() could grab a new reference after kref_put() had seen the refcount drop to zero but before cfid_list_lock is acquired in smb2_close_cached_fid(), leading to use-after-free.  Switch to kref_put_lock() so cfid_release() is called with cfid_list_lock held, closing that gap.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40291",
                                "url": "https://ubuntu.com/security/CVE-2025-40291",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring: fix regbuf vector size truncation  There is a report of io_estimate_bvec_size() truncating the calculated number of segments that leads to corruption issues. Check it doesn't overflow \"int\"s used later. Rough but simple, can be improved on top.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68322",
                                "url": "https://ubuntu.com/security/CVE-2025-68322",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  parisc: Avoid crash due to unaligned access in unwinder  Guenter Roeck reported this kernel crash on his emulated B160L machine:  Starting network: udhcpc: started, v1.36.1  Backtrace:   [<104320d4>] unwind_once+0x1c/0x5c   [<10434a00>] walk_stackframe.isra.0+0x74/0xb8   [<10434a6c>] arch_stack_walk+0x28/0x38   [<104e5efc>] stack_trace_save+0x48/0x5c   [<105d1bdc>] set_track_prepare+0x44/0x6c   [<105d9c80>] ___slab_alloc+0xfc4/0x1024   [<105d9d38>] __slab_alloc.isra.0+0x58/0x90   [<105dc80c>] kmem_cache_alloc_noprof+0x2ac/0x4a0   [<105b8e54>] __anon_vma_prepare+0x60/0x280   [<105a823c>] __vmf_anon_prepare+0x68/0x94   [<105a8b34>] do_wp_page+0x8cc/0xf10   [<105aad88>] handle_mm_fault+0x6c0/0xf08   [<10425568>] do_page_fault+0x110/0x440   [<10427938>] handle_interruption+0x184/0x748   [<11178398>] schedule+0x4c/0x190   BUG: spinlock recursion on CPU#0, ifconfig/2420   lock: terminate_lock.2+0x0/0x1c, .magic: dead4ead, .owner: ifconfig/2420, .owner_cpu: 0  While creating the stack trace, the unwinder uses the stack pointer to guess the previous frame to read the previous stack pointer from memory.  The crash happens, because the unwinder tries to read from unaligned memory and as such triggers the unalignment trap handler which then leads to the spinlock recursion and finally to a deadlock.  Fix it by checking the alignment before accessing the memory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40293",
                                "url": "https://ubuntu.com/security/CVE-2025-40293",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  iommufd: Don't overflow during division for dirty tracking  If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow to 0 and this triggers divide by 0.  In this case the index should just be 0, so reorganize things to divide by shift and avoid hitting any overflows.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40294",
                                "url": "https://ubuntu.com/security/CVE-2025-40294",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()  In the parse_adv_monitor_pattern() function, the value of the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251). The size of the 'value' array in the mgmt_adv_pattern structure is 31. If the value of 'pattern[i].length' is set in the user space and exceeds 31, the 'patterns[i].value' array can be accessed out of bound when copied.  Increasing the size of the 'value' array in the 'mgmt_adv_pattern' structure will break the userspace. Considering this, and to avoid OOB access revert the limits for 'offset' and 'length' back to the value of HCI_MAX_AD_LENGTH.  Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40329",
                                "url": "https://ubuntu.com/security/CVE-2025-40329",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb  The Mesa issue referenced below pointed out a possible deadlock:  [ 1231.611031]  Possible interrupt unsafe locking scenario:  [ 1231.611033]        CPU0                    CPU1 [ 1231.611034]        ----                    ---- [ 1231.611035]   lock(&xa->xa_lock#17); [ 1231.611038]                                local_irq_disable(); [ 1231.611039]                                lock(&fence->lock); [ 1231.611041]                                lock(&xa->xa_lock#17); [ 1231.611044]   <Interrupt> [ 1231.611045]     lock(&fence->lock); [ 1231.611047]                 *** DEADLOCK ***  In this example, CPU0 would be any function accessing job->dependencies through the xa_* functions that don't disable interrupts (eg: drm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()).  CPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling callback so in an interrupt context. It will deadlock when trying to grab the xa_lock which is already held by CPU0.  Replacing all xa_* usage by their xa_*_irq counterparts would fix this issue, but Christian pointed out another issue: dma_fence_signal takes fence.lock and so does dma_fence_add_callback.    dma_fence_signal() // locks f1.lock   -> drm_sched_entity_kill_jobs_cb()   -> foreach dependencies      -> dma_fence_add_callback() // locks f2.lock  This will deadlock if f1 and f2 share the same spinlock.  To fix both issues, the code iterating on dependencies and re-arming them is moved out to drm_sched_entity_kill_jobs_work().  [phasta: commit message nits]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40295",
                                "url": "https://ubuntu.com/security/CVE-2025-40295",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT  When simulating an nvme device on qemu with both logical_block_size and physical_block_size set to 8 KiB, an error trace appears during partition table reading at boot time. The issue is caused by inode->i_blkbits being larger than PAGE_SHIFT, which leads to a left shift of -1 and triggering a UBSAN warning.  [    2.697306] ------------[ cut here ]------------ [    2.697309] UBSAN: shift-out-of-bounds in fs/crypto/inline_crypt.c:336:37 [    2.697311] shift exponent -1 is negative [    2.697315] CPU: 3 UID: 0 PID: 274 Comm: (udev-worker) Not tainted 6.18.0-rc2+ #34 PREEMPT(voluntary) [    2.697317] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [    2.697320] Call Trace: [    2.697324]  <TASK> [    2.697325]  dump_stack_lvl+0x76/0xa0 [    2.697340]  dump_stack+0x10/0x20 [    2.697342]  __ubsan_handle_shift_out_of_bounds+0x1e3/0x390 [    2.697351]  bh_get_inode_and_lblk_num.cold+0x12/0x94 [    2.697359]  fscrypt_set_bio_crypt_ctx_bh+0x44/0x90 [    2.697365]  submit_bh_wbc+0xb6/0x190 [    2.697370]  block_read_full_folio+0x194/0x270 [    2.697371]  ? __pfx_blkdev_get_block+0x10/0x10 [    2.697375]  ? __pfx_blkdev_read_folio+0x10/0x10 [    2.697377]  blkdev_read_folio+0x18/0x30 [    2.697379]  filemap_read_folio+0x40/0xe0 [    2.697382]  filemap_get_pages+0x5ef/0x7a0 [    2.697385]  ? mmap_region+0x63/0xd0 [    2.697389]  filemap_read+0x11d/0x520 [    2.697392]  blkdev_read_iter+0x7c/0x180 [    2.697393]  vfs_read+0x261/0x390 [    2.697397]  ksys_read+0x71/0xf0 [    2.697398]  __x64_sys_read+0x19/0x30 [    2.697399]  x64_sys_call+0x1e88/0x26a0 [    2.697405]  do_syscall_64+0x80/0x670 [    2.697410]  ? __x64_sys_newfstat+0x15/0x20 [    2.697414]  ? x64_sys_call+0x204a/0x26a0 [    2.697415]  ? 
do_syscall_64+0xb8/0x670 [    2.697417]  ? irqentry_exit_to_user_mode+0x2e/0x2a0 [    2.697420]  ? irqentry_exit+0x43/0x50 [    2.697421]  ? exc_page_fault+0x90/0x1b0 [    2.697422]  entry_SYSCALL_64_after_hwframe+0x76/0x7e [    2.697425] RIP: 0033:0x75054cba4a06 [    2.697426] Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 [    2.697427] RSP: 002b:00007fff973723a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000 [    2.697430] RAX: ffffffffffffffda RBX: 00005ea9a2c02760 RCX: 000075054cba4a06 [    2.697432] RDX: 0000000000002000 RSI: 000075054c190000 RDI: 000000000000001b [    2.697433] RBP: 00007fff973723c0 R08: 0000000000000000 R09: 0000000000000000 [    2.697434] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 [    2.697434] R13: 00005ea9a2c027c0 R14: 00005ea9a2be5608 R15: 00005ea9a2be55f0 [    2.697436]  </TASK> [    2.697436] ---[ end trace ]---  This situation can happen for block devices because when CONFIG_TRANSPARENT_HUGEPAGE is enabled, the maximum logical_block_size is 64 KiB. set_init_blocksize() then sets the block device inode->i_blkbits to 13, which is within this limit.  File I/O does not trigger this problem because for filesystems that do not support the FS_LBS feature, sb_set_blocksize() prevents sb->s_blocksize_bits from being larger than PAGE_SHIFT. During inode allocation, alloc_inode()->inode_init_always() assigns inode->i_blkbits from sb->s_blocksize_bits. Currently, only xfs_fs_type has the FS_LBS flag, and since xfs I/O paths do not reach submit_bh_wbc(), it does not hit the left-shift underflow issue.  [EB: use folio_pos() and consolidate the two shifts by i_blkbits]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40296",
                                "url": "https://ubuntu.com/security/CVE-2025-40296",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  platform/x86: int3472: Fix double free of GPIO device during unregister  regulator_unregister() already frees the associated GPIO device. On ThinkPad X9 (Lunar Lake), this causes a double free issue that leads to random failures when other drivers (typically Intel THC) attempt to allocate interrupts. The root cause is that the reference count of the pinctrl_intel_platform module unexpectedly drops to zero when this driver defers its probe.  This behavior can also be reproduced by unloading the module directly.  Fix the issue by removing the redundant release of the GPIO device during regulator unregistration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40297",
                                "url": "https://ubuntu.com/security/CVE-2025-40297",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: bridge: fix use-after-free due to MST port state bypass  syzbot reported[1] a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its fdbs have been flushed. The port's state has been toggled to disabled so no learning should happen at that time, but if we have MST enabled, it will bypass the port's state, that together with VLAN filtering disabled can lead to fdb learning at a time when it shouldn't happen while the port is being deleted. VLAN filtering must be disabled because we flush the port VLANs when it's being deleted which will stop learning. This fix adds a check for the port's vlan group which is initialized to NULL when the port is getting deleted, that avoids the port state bypass. When MST is enabled there would be a minimal new overhead in the fast-path because the port's vlan group pointer is cache-hot.  [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68320",
                                "url": "https://ubuntu.com/security/CVE-2025-68320",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  lan966x: Fix sleeping in atomic context  The following warning was seen when we try to connect using ssh to the device.  BUG: sleeping function called from invalid context at kernel/locking/mutex.c:575 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbear preempt_count: 1, expected: 0 INFO: lockdep is turned off. CPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G        W          6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONE Tainted: [W]=WARN Hardware name: Generic DT based system Call trace:  unwind_backtrace from show_stack+0x10/0x14  show_stack from dump_stack_lvl+0x7c/0xac  dump_stack_lvl from __might_resched+0x16c/0x2b0  __might_resched from __mutex_lock+0x64/0xd34  __mutex_lock from mutex_lock_nested+0x1c/0x24  mutex_lock_nested from lan966x_stats_get+0x5c/0x558  lan966x_stats_get from dev_get_stats+0x40/0x43c  dev_get_stats from dev_seq_printf_stats+0x3c/0x184  dev_seq_printf_stats from dev_seq_show+0x10/0x30  dev_seq_show from seq_read_iter+0x350/0x4ec  seq_read_iter from seq_read+0xfc/0x194  seq_read from proc_reg_read+0xac/0x100  proc_reg_read from vfs_read+0xb0/0x2b0  vfs_read from ksys_read+0x6c/0xec  ksys_read from ret_fast_syscall+0x0/0x1c Exception stack(0xf0b11fa8 to 0xf0b11ff0) 1fa0:                   00000001 00001000 00000008 be9048d8 00001000 00000001 1fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 00000001 1fe0: 0005404c be9048c0 00018684 b6ec2cd8  It seems that we are using a mutex in a atomic context which is wrong. Change the mutex with a spinlock.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68169",
                                "url": "https://ubuntu.com/security/CVE-2025-68169",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netpoll: Fix deadlock in memory allocation under spinlock  Fix a AA deadlock in refill_skbs() where memory allocation while holding skb_pool->lock can trigger a recursive lock acquisition attempt.  The deadlock scenario occurs when the system is under severe memory pressure:  1. refill_skbs() acquires skb_pool->lock (spinlock) 2. alloc_skb() is called while holding the lock 3. Memory allocator fails and calls slab_out_of_memory() 4. This triggers printk() for the OOM warning 5. The console output path calls netpoll_send_udp() 6. netpoll_send_udp() attempts to acquire the same skb_pool->lock 7. Deadlock: the lock is already held by the same CPU  Call stack:   refill_skbs()     spin_lock_irqsave(&skb_pool->lock)    <- lock acquired     __alloc_skb()       kmem_cache_alloc_node_noprof()         slab_out_of_memory()           printk()             console_flush_all()               netpoll_send_udp()                 skb_dequeue()                   spin_lock_irqsave(&skb_pool->lock)     <- deadlock attempt  This bug was exposed by commit 248f6571fd4c51 (\"netpoll: Optimize skb refilling on critical path\") which removed refill_skbs() from the critical path (where nested printk was being deferred), letting nested printk being called from inside refill_skbs()  Refactor refill_skbs() to never allocate memory while holding the spinlock.  Another possible solution to fix this problem is protecting the refill_skbs() from nested printks, basically calling printk_deferred_{enter,exit}() in refill_skbs(), then, any nested pr_warn() would be deferred.  I prefer this approach, given I _think_ it might be a good idea to move the alloc_skb() from GFP_ATOMIC to GFP_KERNEL in the future, so, having the alloc_skb() outside of the lock will be necessary step.  
There is a possible TOCTOU issue when checking for the pool length, and queueing the new allocated skb, but, this is not an issue, given that an extra SKB in the pool is harmless and it will be eventually used.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68197",
                                "url": "https://ubuntu.com/security/CVE-2025-68197",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()  With older FW, we may get the ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER for FW trace data type that has not been initialized.  This will result in a crash in bnxt_bs_trace_type_wrap().  Add a guard to check for a valid magic_byte pointer before proceeding.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40330",
                                "url": "https://ubuntu.com/security/CVE-2025-40330",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bnxt_en: Shutdown FW DMA in bnxt_shutdown()  The netif_close() call in bnxt_shutdown() only stops packet DMA.  There may be FW DMA for trace logging (recently added) that will continue.  If we kexec to a new kernel, the DMA will corrupt memory in the new kernel.  Add bnxt_hwrm_func_drv_unrgtr() to unregister the driver from the FW. This will stop the FW DMA.  In case the call fails, call pcie_flr() to reset the function and stop the DMA.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68192",
                                "url": "https://ubuntu.com/security/CVE-2025-68192",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup  Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. This can trigger kernel panics on ARM64 when xfrm or other subsystems access the offset due to strict alignment checks.  Initialize the MAC header to prevent such crashes.  This can trigger kernel panics on ARM when running IPsec over the qmimux0 interface.  Example trace:      Internal error: Oops: 000000009600004f [#1] SMP     CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1     Hardware name: LS1028A RDB Board (DT)     pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)     pc : xfrm_input+0xde8/0x1318     lr : xfrm_input+0x61c/0x1318     sp : ffff800080003b20     Call trace:      xfrm_input+0xde8/0x1318      xfrm6_rcv+0x38/0x44      xfrm6_esp_rcv+0x48/0xa8      ip6_protocol_deliver_rcu+0x94/0x4b0      ip6_input_finish+0x44/0x70      ip6_input+0x44/0xc0      ipv6_rcv+0x6c/0x114      __netif_receive_skb_one_core+0x5c/0x8c      __netif_receive_skb+0x18/0x60      process_backlog+0x78/0x17c      __napi_poll+0x38/0x180      net_rx_action+0x168/0x2f0",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40331",
                                "url": "https://ubuntu.com/security/CVE-2025-40331",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: Prevent TOCTOU out-of-bounds write  For the following path not holding the sock lock,    sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()  make sure not to exceed bounds in case the address list has grown between buffer allocation (time-of-check) and write (time-of-use).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68187",
                                "url": "https://ubuntu.com/security/CVE-2025-68187",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: mdio: Check regmap pointer returned by device_node_to_regmap()  The call to device_node_to_regmap() in airoha_mdio_probe() can return an ERR_PTR() if regmap initialization fails. Currently, the driver stores the pointer without validation, which could lead to a crash if it is later dereferenced.  Add an IS_ERR() check and return the corresponding error code to make the probe path more robust.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68167",
                                "url": "https://ubuntu.com/security/CVE-2025-68167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gpiolib: fix invalid pointer access in debugfs  If the memory allocation in gpiolib_seq_start() fails, the s->private field remains uninitialized and is later dereferenced without checking in gpiolib_seq_stop(). Initialize s->private to NULL before calling kzalloc() and check it before dereferencing it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68319",
                                "url": "https://ubuntu.com/security/CVE-2025-68319",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netconsole: Acquire su_mutex before navigating configs hierarchy  There is a race between operations that iterate over the userdata cg_children list and concurrent add/remove of userdata items through configfs. The update_userdata() function iterates over the nt->userdata_group.cg_children list, and count_extradata_entries() also iterates over this same list to count nodes.  Quoting from Documentation/filesystems/configfs.rst: > A subsystem can navigate the cg_children list and the ci_parent pointer > to see the tree created by the subsystem.  This can race with configfs' > management of the hierarchy, so configfs uses the subsystem mutex to > protect modifications.  Whenever a subsystem wants to navigate the > hierarchy, it must do so under the protection of the subsystem > mutex.  Without proper locking, if a userdata item is added or removed concurrently while these functions are iterating, the list can be accessed in an inconsistent state. For example, the list_for_each() loop can reach a node that is being removed from the list by list_del_init() which sets the nodes' .next pointer to point to itself, so the loop will never end (or reach the WARN_ON_ONCE in update_userdata() ).  Fix this by holding the configfs subsystem mutex (su_mutex) during all operations that iterate over cg_children. This includes: - userdatum_value_store() which calls update_userdata() to iterate over   cg_children - All sysdata_*_enabled_store() functions which call   count_extradata_entries() to iterate over cg_children  The su_mutex must be acquired before dynamic_netconsole_mutex to avoid potential lock ordering issues, as configfs operations may already hold su_mutex when calling into our code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40298",
                                "url": "https://ubuntu.com/security/CVE-2025-40298",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: Implement settime64 with -EOPNOTSUPP  ptp_clock_settime() assumes every ptp_clock has implemented settime64(). Stub it with -EOPNOTSUPP to prevent a NULL dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40299",
                                "url": "https://ubuntu.com/security/CVE-2025-40299",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gve: Implement gettimex64 with -EOPNOTSUPP  gve implemented a ptp_clock for sole use of do_aux_work at this time. ptp_clock_gettime() and ptp_sys_offset() assume every ptp_clock has implemented either gettimex64 or gettime64. Stub gettimex64 and return -EOPNOTSUPP to prevent NULL dereferencing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40301",
                                "url": "https://ubuntu.com/security/CVE-2025-40301",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_event: validate skb length for unknown CC opcode  In hci_cmd_complete_evt(), if the command complete event has an unknown opcode, we assume the first byte of the remaining skb->data contains the return status. However, parameter data has previously been pulled in hci_event_func(), which may leave the skb empty. If so, using skb->data[0] for the return status uses un-init memory.  The fix is to check skb->len before using skb->data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40358",
                                "url": "https://ubuntu.com/security/CVE-2025-40358",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  riscv: stacktrace: Disable KASAN checks for non-current tasks  When unwinding the stack of a task other than current, KASAN would report \"BUG: KASAN: out-of-bounds in walk_stackframe+0x41c/0x460\"  The same issue existed on x86 and was resolved by commit 84936118bdf3 (\"x86/unwind: Disable KASAN checks for non-current tasks\"). The same solution can be applied to RISC-V.  This patch can also solve the issue: https://seclists.org/oss-sec/2025/q4/23  [pjw@kernel.org: clean up checkpatch issues]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68186",
                                "url": "https://ubuntu.com/security/CVE-2025-68186",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up  The function ring_buffer_map_get_reader() is a bit more strict than the other get reader functions, and except for certain situations the rb_get_reader_page() should not return NULL. If it does, it triggers a warning.  This warning was triggering but after looking at why, it was because another acceptable situation was happening and it wasn't checked for.  If the reader catches up to the writer and there's still data to be read on the reader page, then the rb_get_reader_page() will return NULL as there's no new page to get.  In this situation, the reader page should not be updated and no warning should trigger.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68184",
                                "url": "https://ubuntu.com/security/CVE-2025-68184",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/mediatek: Disable AFBC support on Mediatek DRM driver  Commit c410fa9b07c3 (\"drm/mediatek: Add AFBC support to Mediatek DRM driver\") added AFBC support to Mediatek DRM and enabled the 32x8/split/sparse modifier.  However, this is currently broken on Mediatek MT8188 (Genio 700 EVK platform); tested using upstream Kernel and Mesa (v25.2.1), AFBC is used by default since Mesa v25.0.  Kernel trace reports vblank timeouts constantly, and the render is garbled:  ``` [CRTC:62:crtc-0] vblank wait timed out WARNING: CPU: 7 PID: 70 at drivers/gpu/drm/drm_atomic_helper.c:1835 drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c [...] Hardware name: MediaTek Genio-700 EVK (DT) Workqueue: events_unbound commit_work pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c lr : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c sp : ffff80008337bca0 x29: ffff80008337bcd0 x28: 0000000000000061 x27: 0000000000000000 x26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c9dcc000 x23: 0000000000000001 x22: 0000000000000000 x21: ffff0000c66f2f80 x20: ffff0000c0d7d880 x19: 0000000000000000 x18: 000000000000000a x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000000 x14: 0000000000000000 x13: 74756f2064656d69 x12: 742074696177206b x11: 0000000000000058 x10: 0000000000000018 x9 : ffff800082396a70 x8 : 0000000000057fa8 x7 : 0000000000000cce x6 : ffff8000823eea70 x5 : ffff0001fef5f408 x4 : ffff80017ccee000 x3 : ffff0000c12cb480 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c12cb480 Call trace:  drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c (P)  drm_atomic_helper_commit_tail_rpm+0x64/0x80  commit_tail+0xa4/0x1a4  commit_work+0x14/0x20  process_one_work+0x150/0x290  worker_thread+0x2d0/0x3ec  kthread+0x12c/0x210  ret_from_fork+0x10/0x20 ---[ end trace 
0000000000000000 ]--- ```  Until this gets fixed upstream, disable AFBC support on this platform, as it's currently broken with upstream Mesa.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40302",
                                "url": "https://ubuntu.com/security/CVE-2025-40302",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: videobuf2: forbid remove_bufs when legacy fileio is active  vb2_ioctl_remove_bufs() call manipulates queue internal buffer list, potentially overwriting some pointers used by the legacy fileio access mode. Forbid that ioctl when fileio is active to protect internal queue state between subsequent read/write calls.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40303",
                                "url": "https://ubuntu.com/security/CVE-2025-40303",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: ensure no dirty metadata is written back for an fs with errors  [BUG] During development of a minor feature (make sure all btrfs_bio::end_io() is called in task context), I noticed a crash in generic/388, where metadata writes triggered new works after btrfs_stop_all_workers().  It turns out that it can even happen without any code modification, just using RAID5 for metadata and the same workload from generic/388 is going to trigger the use-after-free.  [CAUSE] If btrfs hits an error, the fs is marked as error, no new transaction is allowed thus metadata is in a frozen state.  But there are some metadata modifications before that error, and they are still in the btree inode page cache.  Since there will be no real transaction commit, all those dirty folios are just kept as is in the page cache, and they can not be invalidated by invalidate_inode_pages2() call inside close_ctree(), because they are dirty.  And finally after btrfs_stop_all_workers(), we call iput() on btree inode, which triggers writeback of those dirty metadata.  And if the fs is using RAID56 metadata, this will trigger RMW and queue new works into rmw_workers, which is already stopped, causing warning from queue_work() and use-after-free.  [FIX] Add a special handling for write_one_eb(), that if the fs is already in an error state, immediately mark the bbio as failure, instead of really submitting them.  Then during close_ctree(), iput() will just discard all those dirty tree blocks without really writing them back, thus no more new jobs for already stopped-and-freed workqueues.  The extra discard in write_one_eb() also acts as an extra safenet. E.g. the transaction abort is triggered by some extent/free space tree corruptions, and since extent/free space tree is already corrupted some tree blocks may be allocated where they shouldn't be (overwriting existing tree blocks). 
In that case writing them back will further corrupting the fs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40362",
                                "url": "https://ubuntu.com/security/CVE-2025-40362",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ceph: fix multifs mds auth caps issue  The mds auth caps check should also validate the fsname along with the associated caps. Not doing so would result in applying the mds auth caps of one fs on to the other fs in a multifs ceph cluster. The bug causes multiple issues w.r.t user authentication, following is one such example.  Steps to Reproduce (on vstart cluster): 1. Create two file systems in a cluster, say 'fsname1' and 'fsname2' 2. Authorize read only permission to the user 'client.usr' on fs 'fsname1'     $ceph fs authorize fsname1 client.usr / r 3. Authorize read and write permission to the same user 'client.usr' on fs 'fsname2'     $ceph fs authorize fsname2 client.usr / rw 4. Update the keyring     $ceph auth get client.usr >> ./keyring  With above permssions for the user 'client.usr', following is the expectation.   a. The 'client.usr' should be able to only read the contents      and not allowed to create or delete files on file system 'fsname1'.   b. The 'client.usr' should be able to read/write on file system 'fsname2'.  But, with this bug, the 'client.usr' is allowed to read/write on file system 'fsname1'. See below.  5. Mount the file system 'fsname1' with the user 'client.usr'      $sudo bin/mount.ceph usr@.fsname1=/ /kmnt_fsname1_usr/ 6. Try creating a file on file system 'fsname1' with user 'client.usr'. This    should fail but passes with this bug.      $touch /kmnt_fsname1_usr/file1 7. Mount the file system 'fsname1' with the user 'client.admin' and create a    file.      $sudo bin/mount.ceph admin@.fsname1=/ /kmnt_fsname1_admin      $echo \"data\" > /kmnt_fsname1_admin/admin_file1 8. Try removing an existing file on file system 'fsname1' with the user    'client.usr'. This shoudn't succeed but succeeds with the bug.      
$rm -f /kmnt_fsname1_usr/admin_file1  For more information, please take a look at the corresponding mds/fuse patch and tests added by looking into the tracker mentioned below.  v2: Fix a possible null dereference in doutc v3: Don't store fsname from mdsmap, validate against     ceph_mount_options's fsname and use it v4: Code refactor, better warning message and     fix possible compiler warning  [ Slava.Dubeyko: \"fsname check failed\" -> \"fsname mismatch\" ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40332",
                                "url": "https://ubuntu.com/security/CVE-2025-40332",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdkfd: Fix mmap write lock not release  If the mmap write lock is taken while draining retry fault, the mmap write lock is not released because svm_range_restore_pages calls mmap_read_unlock and then returns. This causes a deadlock and system hangs later because the mmap read or write lock cannot be taken.  Fix this bug by downgrading the mmap write lock to a read lock if draining retry fault.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40304",
                                "url": "https://ubuntu.com/security/CVE-2025-40304",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds  Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen edges. Return early if the Y position is off-screen and clip image height to screen boundary. Break from the rendering loop if the X position is off-screen. When clipping image width to fit the screen, update the character count to match the clipped width to prevent buffer size mismatches.  Without the character count update, bit_putcs_aligned and bit_putcs_unaligned receive mismatched parameters where the buffer is allocated for the clipped width but cnt reflects the original larger count, causing out-of-bounds writes.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40305",
                                "url": "https://ubuntu.com/security/CVE-2025-40305",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN  p9_read_work() doesn't set Rworksched and doesn't do schedule_work(m->rq) if list_empty(&m->req_list).  However, if the pipe is full, we need to read more data and this used to work prior to commit aaec5a95d59615 (\"pipe_read: don't wake up the writer if the pipe is still full\").  p9_read_work() does p9_fd_read() -> ... -> anon_pipe_read() which (before the commit above) triggered the unnecessary wakeup. This wakeup calls p9_pollwake() which kicks p9_poll_workfn() -> p9_poll_mux(), p9_poll_mux() will notice EPOLLIN and schedule_work(&m->rq).  This no longer happens after the optimization above, change p9_fd_request() to use p9_poll_mux() instead of only checking for EPOLLOUT.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68318",
                                "url": "https://ubuntu.com/security/CVE-2025-68318",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL  The AXI crossbar of TH1520 has no proper timeout handling, which means gating AXI clocks can easily lead to bus timeout and thus system hang.  Set all AXI clock gates to CLK_IS_CRITICAL. All these clock gates are ungated by default on system reset.  In addition, convert all current CLK_IGNORE_UNUSED usage to CLK_IS_CRITICAL to prevent unwanted clock gating.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40209",
                                "url": "https://ubuntu.com/security/CVE-2025-40209",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation  When btrfs_add_qgroup_relation() is called with invalid qgroup levels (src >= dst), the function returns -EINVAL directly without freeing the preallocated qgroup_list structure passed by the caller. This causes a memory leak because the caller unconditionally sets the pointer to NULL after the call, preventing any cleanup.  The issue occurs because the level validation check happens before the mutex is acquired and before any error handling path that would free the prealloc pointer. On this early return, the cleanup code at the 'out' label (which includes kfree(prealloc)) is never reached.  In btrfs_ioctl_qgroup_assign(), the code pattern is:      prealloc = kzalloc(sizeof(*prealloc), GFP_KERNEL);     ret = btrfs_add_qgroup_relation(trans, sa->src, sa->dst, prealloc);     prealloc = NULL;  // Always set to NULL regardless of return value     ...     kfree(prealloc);  // This becomes kfree(NULL), does nothing  When the level check fails, 'prealloc' is never freed by either the callee or the caller, resulting in a 64-byte memory leak per failed operation. This can be triggered repeatedly by an unprivileged user with access to a writable btrfs mount, potentially exhausting kernel memory.  Fix this by freeing prealloc before the early return, ensuring prealloc is always freed on all error paths.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-21 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68183",
                                "url": "https://ubuntu.com/security/CVE-2025-68183",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr  Currently when both IMA and EVM are in fix mode, the IMA signature will be reset to IMA hash if a program first stores IMA signature in security.ima and then writes/removes some other security xattr for the file.  For example, on Fedora, after booting the kernel with \"ima_appraise=fix evm=fix ima_policy=appraise_tcb\" and installing rpm-plugin-ima, installing/reinstalling a package will not make good reference IMA signature generated. Instead IMA hash is generated,      # getfattr -m - -d -e hex /usr/bin/bash     # file: usr/bin/bash     security.ima=0x0404...  This happens because when setting security.selinux, the IMA_DIGSIG flag that had been set early was cleared. As a result, IMA hash is generated when the file is closed.  Similarly, IMA signature can be cleared on file close after removing security xattr like security.evm or setting/removing ACL.  Prevent replacing the IMA file signature with a file hash, by preventing the IMA_DIGSIG flag from being reset.  
Here's a minimal C reproducer which sets security.selinux as the last step which can also replaced by removing security.evm or setting ACL,      #include <stdio.h>     #include <sys/xattr.h>     #include <fcntl.h>     #include <unistd.h>     #include <string.h>     #include <stdlib.h>      int main() {         const char* file_path = \"/usr/sbin/test_binary\";         const char* hex_string = \"030204d33204490066306402304\";         int length = strlen(hex_string);         char* ima_attr_value;         int fd;          fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);         if (fd == -1) {             perror(\"Error opening file\");             return 1;         }          ima_attr_value = (char*)malloc(length / 2 );         for (int i = 0, j = 0; i < length; i += 2, j++) {             sscanf(hex_string + i, \"%2hhx\", &ima_attr_value[j]);         }          if (fsetxattr(fd, \"security.ima\", ima_attr_value, length/2, 0) == -1) {             perror(\"Error setting extended attribute\");             close(fd);             return 1;         }          const char* selinux_value= \"system_u:object_r:bin_t:s0\";         if (fsetxattr(fd, \"security.selinux\", selinux_value, strlen(selinux_value), 0) == -1) {             perror(\"Error setting extended attribute\");             close(fd);             return 1;         }          close(fd);          return 0;     }",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68173",
                                "url": "https://ubuntu.com/security/CVE-2025-68173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ftrace: Fix softlockup in ftrace_module_enable  A soft lockup was observed when loading amdgpu module. If a module has a lot of traceable functions, multiple calls to kallsyms_lookup can spend too much time in RCU critical section and with disabled preemption, causing kernel panic. This is the same issue that was fixed in commit d0b24b4e91fc (\"ftrace: Prevent RCU stall on PREEMPT_VOLUNTARY kernels\") and commit 42ea22e754ba (\"ftrace: Add cond_resched() to ftrace_graph_set_hash()\").  Fix it the same way by adding cond_resched() in ftrace_module_enable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40306",
                                "url": "https://ubuntu.com/security/CVE-2025-40306",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  orangefs: fix xattr related buffer overflow...  Willy Tarreau <w@1wt.eu> forwarded me a message from Disclosure <disclosure@aisle.com> with the following warning:  > The helper `xattr_key()` uses the pointer variable in the loop condition > rather than dereferencing it. As `key` is incremented, it remains non-NULL > (until it runs into unmapped memory), so the loop does not terminate on > valid C strings and will walk memory indefinitely, consuming CPU or hanging > the thread.  I easily reproduced this with setfattr and getfattr, causing a kernel oops, hung user processes and corrupted orangefs files. Disclosure sent along a diff (not a patch) with a suggested fix, which I based this patch on.  After xattr_key started working right, xfstest generic/069 exposed an xattr related memory leak that lead to OOM. xattr_key returns a hashed key.  When adding xattrs to the orangefs xattr cache, orangefs used hash_add, a kernel hashing macro. hash_add also hashes the key using hash_log which resulted in additions to the xattr cache going to the wrong hash bucket. generic/069 tortures a single file and orangefs does a getattr for the xattr \"security.capability\" every time. Orangefs negative caches on xattrs which includes a kmalloc. Since adds to the xattr cache were going to the wrong bucket, every getattr for \"security.capability\" resulted in another kmalloc, none of which were ever freed.  I changed the two uses of hash_add to hlist_add_head instead and the memory leak ceased and generic/069 quit throwing furniture.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40307",
                                "url": "https://ubuntu.com/security/CVE-2025-40307",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  exfat: validate cluster allocation bits of the allocation bitmap  syzbot created an exfat image with cluster bits not set for the allocation bitmap. exfat-fs reads and uses the allocation bitmap without checking this. The problem is that if the start cluster of the allocation bitmap is 6, cluster 6 can be allocated when creating a directory with mkdir. exfat zeros out this cluster in exfat_mkdir, which can delete existing entries. This can reallocate the allocated entries. In addition, the allocation bitmap is also zeroed out, so cluster 6 can be reallocated. This patch adds exfat_test_bitmap_range to validate that clusters used for the allocation bitmap are correctly marked as in-use.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40308",
                                "url": "https://ubuntu.com/security/CVE-2025-40308",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: bcsp: receive data only if registered  Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace:      KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]     RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590     Call Trace:      <TASK>      hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627      tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290      tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706      vfs_ioctl fs/ioctl.c:51 [inline]      __do_sys_ioctl fs/ioctl.c:907 [inline]      __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893      do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]      do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94      entry_SYSCALL_64_after_hwframe+0x77/0x7f  To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40309",
                                "url": "https://ubuntu.com/security/CVE-2025-40309",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: SCO: Fix UAF on sco_conn_free  BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline] BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline] BUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 Write of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352  CPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted 6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci13 hci_cmd_sync_work Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120  print_address_description mm/kasan/report.c:378 [inline]  print_report+0x191/0x550 mm/kasan/report.c:482  kasan_report+0xc4/0x100 mm/kasan/report.c:595  sco_conn_free net/bluetooth/sco.c:87 [inline]  kref_put include/linux/kref.h:65 [inline]  sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107  sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441  hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]  hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313  hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121  hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147  hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689  hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332  process_one_work kernel/workqueue.c:3236 [inline]  process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319  worker_thread+0xbee/0x1200 kernel/workqueue.c:3400  kthread+0x3c7/0x870 kernel/kthread.c:463  ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245  </TASK>  Allocated by task 31370:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x70 mm/kasan/common.c:68  poison_kmalloc_redzone 
mm/kasan/common.c:388 [inline]  __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405  kasan_kmalloc include/linux/kasan.h:260 [inline]  __do_kmalloc_node mm/slub.c:4382 [inline]  __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394  kmalloc_noprof include/linux/slab.h:909 [inline]  sk_prot_alloc+0xae/0x220 net/core/sock.c:2239  sk_alloc+0x34/0x5a0 net/core/sock.c:2295  bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151  sco_sock_alloc net/bluetooth/sco.c:562 [inline]  sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593  bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135  __sock_create+0x3ad/0x780 net/socket.c:1589  sock_create net/socket.c:1647 [inline]  __sys_socket_create net/socket.c:1684 [inline]  __sys_socket+0xd5/0x330 net/socket.c:1731  __do_sys_socket net/socket.c:1745 [inline]  __se_sys_socket net/socket.c:1743 [inline]  __x64_sys_socket+0x7a/0x90 net/socket.c:1743  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Freed by task 31374:  kasan_save_stack mm/kasan/common.c:47 [inline]  kasan_save_track+0x30/0x70 mm/kasan/common.c:68  kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576  poison_slab_object mm/kasan/common.c:243 [inline]  __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275  kasan_slab_free include/linux/kasan.h:233 [inline]  slab_free_hook mm/slub.c:2428 [inline]  slab_free mm/slub.c:4701 [inline]  kfree+0x199/0x3b0 mm/slub.c:4900  sk_prot_free net/core/sock.c:2278 [inline]  __sk_destruct+0x4aa/0x630 net/core/sock.c:2373  sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333  __sock_release net/socket.c:649 [inline]  sock_close+0xb8/0x230 net/socket.c:1439  __fput+0x3d1/0x9e0 fs/file_table.c:468  task_work_run+0x206/0x2a0 kernel/task_work.c:227  get_signal+0x1201/0x1410 kernel/signal.c:2807  arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337  exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40  exit_to_user_mode_prepare 
include/linux/irq-entry-common.h:225 [inline]  s ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68174",
                                "url": "https://ubuntu.com/security/CVE-2025-68174",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  amd/amdkfd: enhance kfd process check in switch partition  current switch partition only check if kfd_processes_table is empty. kfd_prcesses_table entry is deleted in kfd_process_notifier_release, but kfd_process tear down is in kfd_process_wq_release.  consider two processes:  Process A (workqueue) -> kfd_process_wq_release -> Access kfd_node member Process B switch partition -> amdgpu_xcp_pre_partition_switch -> amdgpu_amdkfd_device_fini_sw -> kfd_node tear down.  Process A and B may trigger a race as shown in dmesg log.  This patch is to resolve the race by adding an atomic kfd_process counter kfd_processes_count, it increment as create kfd process, decrement as finish kfd_process_wq_release.  v2: Put kfd_processes_count per kfd_dev, move decrement to kfd_process_destroy_pdds and bug fix. (Philip Yang)  [3966658.307702] divide error: 0000 [#1] SMP NOPTI [3966658.350818]  i10nm_edac [3966658.356318] CPU: 124 PID: 38435 Comm: kworker/124:0 Kdump: loaded Tainted [3966658.356890] Workqueue: kfd_process_wq kfd_process_wq_release [amdgpu] [3966658.362839]  nfit [3966658.366457] RIP: 0010:kfd_get_num_sdma_engines+0x17/0x40 [amdgpu] [3966658.366460] Code: 00 00 e9 ac 81 02 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 0f 1f 44 00 00 48 8b 4f 08 48 8b b7 00 01 00 00 8b 81 58 26 03 00 99 <f7> be b8 01 00 00 80 b9 70 2e 00 00 00 74 0b 83 f8 02 ba 02 00 00 [3966658.380967]  x86_pkg_temp_thermal [3966658.391529] RSP: 0018:ffffc900a0edfdd8 EFLAGS: 00010246 [3966658.391531] RAX: 0000000000000008 RBX: ffff8974e593b800 RCX: ffff888645900000 [3966658.391531] RDX: 0000000000000000 RSI: ffff888129154400 RDI: ffff888129151c00 [3966658.391532] RBP: ffff8883ad79d400 R08: 0000000000000000 R09: ffff8890d2750af4 [3966658.391532] R10: 0000000000000018 R11: 0000000000000018 R12: 0000000000000000 [3966658.391533] R13: ffff8883ad79d400 R14: ffffe87ff662ba00 R15: ffff8974e593b800 
[3966658.391533] FS:  0000000000000000(0000) GS:ffff88fe7f600000(0000) knlGS:0000000000000000 [3966658.391534] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [3966658.391534] CR2: 0000000000d71000 CR3: 000000dd0e970004 CR4: 0000000002770ee0 [3966658.391535] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [3966658.391535] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [3966658.391536] PKRU: 55555554 [3966658.391536] Call Trace: [3966658.391674]  deallocate_sdma_queue+0x38/0xa0 [amdgpu] [3966658.391762]  process_termination_cpsch+0x1ed/0x480 [amdgpu] [3966658.399754]  intel_powerclamp [3966658.402831]  kfd_process_dequeue_from_all_devices+0x5b/0xc0 [amdgpu] [3966658.402908]  kfd_process_wq_release+0x1a/0x1a0 [amdgpu] [3966658.410516]  coretemp [3966658.434016]  process_one_work+0x1ad/0x380 [3966658.434021]  worker_thread+0x49/0x310 [3966658.438963]  kvm_intel [3966658.446041]  ? process_one_work+0x380/0x380 [3966658.446045]  kthread+0x118/0x140 [3966658.446047]  ? 
__kthread_bind_mask+0x60/0x60 [3966658.446050]  ret_from_fork+0x1f/0x30 [3966658.446053] Modules linked in: kpatch_20765354(OEK) [3966658.455310]  kvm [3966658.464534]  mptcp_diag xsk_diag raw_diag unix_diag af_packet_diag netlink_diag udp_diag act_pedit act_mirred act_vlan cls_flower kpatch_21951273(OEK) kpatch_18424469(OEK) kpatch_19749756(OEK) [3966658.473462]  idxd_mdev [3966658.482306]  kpatch_17971294(OEK) sch_ingress xt_conntrack amdgpu(OE) amdxcp(OE) amddrm_buddy(OE) amd_sched(OE) amdttm(OE) amdkcl(OE) intel_ifs iptable_mangle tcm_loop target_core_pscsi tcp_diag target_core_file inet_diag target_core_iblock target_core_user target_core_mod coldpgs kpatch_18383292(OEK) ip6table_nat ip6table_filter ip6_tables ip_set_hash_ipportip ip_set_hash_ipportnet ip_set_hash_ipport ip_set_bitmap_port xt_comment iptable_nat nf_nat iptable_filter ip_tables ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 sn_core_odd(OE) i40e overlay binfmt_misc tun bonding(OE) aisqos(OE) aisqo ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40310",
                                "url": "https://ubuntu.com/security/CVE-2025-40310",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw  There is race in amdgpu_amdkfd_device_fini_sw and interrupt. if amdgpu_amdkfd_device_fini_sw run in b/w kfd_cleanup_nodes and   kfree(kfd), and KGD interrupt generated.  kernel panic log:  BUG: kernel NULL pointer dereference, address: 0000000000000098 amdgpu 0000:c8:00.0: amdgpu: Requesting 4 partitions through PSP  PGD d78c68067 P4D d78c68067  kfd kfd: amdgpu: Allocated 3969056 bytes on gart  PUD 1465b8067 PMD @  Oops: @002 [#1] SMP NOPTI  kfd kfd: amdgpu: Total number of KFD nodes to be created: 4 CPU: 115 PID: @ Comm: swapper/115 Kdump: loaded Tainted: G S W OE K  RIP: 0010:_raw_spin_lock_irqsave+0x12/0x40  Code: 89 e@ 41 5c c3 cc cc cc cc 66 66 2e Of 1f 84 00 00 00 00 00 OF 1f 40 00 Of 1f 44% 00 00 41 54 9c 41 5c fa 31 cO ba 01 00 00 00 <fO> OF b1 17 75 Ba 4c 89 e@ 41 Sc  89 c6 e8 07 38 5d  RSP: 0018: ffffc90@1a6b0e28 EFLAGS: 00010046  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000018 0000000000000001 RSI: ffff8883bb623e00 RDI: 0000000000000098 ffff8883bb000000 RO8: ffff888100055020 ROO: ffff888100055020 0000000000000000 R11: 0000000000000000 R12: 0900000000000002 ffff888F2b97da0@ R14: @000000000000098 R15: ffff8883babdfo00  CS: 010 DS: 0000 ES: 0000 CRO: 0000000080050033  CR2: 0000000000000098 CR3: 0000000e7cae2006 CR4: 0000000002770ce0 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 0000000000000000 DR6: 00000000fffeO7FO DR7: 0000000000000400  PKRU: 55555554  Call Trace:  <IRQ>  kgd2kfd_interrupt+@x6b/0x1f@ [amdgpu]  ? 
amdgpu_fence_process+0xa4/0x150 [amdgpu]  kfd kfd: amdgpu: Node: 0, interrupt_bitmap: 3 YcpxFl Rant tErace  amdgpu_irq_dispatch+0x165/0x210 [amdgpu]  amdgpu_ih_process+0x80/0x100 [amdgpu]  amdgpu: Virtual CRAT table created for GPU  amdgpu_irq_handler+0x1f/@x60 [amdgpu]  __handle_irq_event_percpu+0x3d/0x170  amdgpu: Topology: Add dGPU node [0x74a2:0x1002]  handle_irq_event+0x5a/@xcO  handle_edge_irq+0x93/0x240  kfd kfd: amdgpu: KFD node 1 partition @ size 49148M  asm_call_irq_on_stack+0xf/@x20  </IRQ>  common_interrupt+0xb3/0x130  asm_common_interrupt+0x1le/0x40  5.10.134-010.a1i5000.a18.x86_64 #1",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40361",
                                "url": "https://ubuntu.com/security/CVE-2025-40361",
                                "cve_description": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40311",
                                "url": "https://ubuntu.com/security/CVE-2025-40311",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/habanalabs: support mapping cb with vmalloc-backed coherent memory  When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return addresses from the vmalloc range. If such an address is mapped without VM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the VM_PFNMAP restriction.  Fix this by checking for vmalloc addresses and setting VM_MIXEDMAP in the VMA before mapping. This ensures safe mapping and avoids kernel crashes. The memory is still driver-allocated and cannot be accessed directly by userspace.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68185",
                                "url": "https://ubuntu.com/security/CVE-2025-68185",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing  Theoretically it's an oopsable race, but I don't believe one can manage to hit it on real hardware; might become doable on a KVM, but it still won't be easy to attack.  Anyway, it's easy to deal with - since xdr_encode_hyper() is just a call of put_unaligned_be64(), we can put that under ->d_lock and be done with that.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68176",
                                "url": "https://ubuntu.com/security/CVE-2025-68176",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI: cadence: Check for the existence of cdns_pcie::ops before using it  cdns_pcie::ops might not be populated by all the Cadence glue drivers. This is going to be true for the upcoming Sophgo platform which doesn't set the ops.  Hence, add a check to prevent NULL pointer dereference.  [mani: reworded subject and description]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68190",
                                "url": "https://ubuntu.com/security/CVE-2025-68190",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()  kcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws remains NULL while ectx.ws_size is set, leading to a potential NULL pointer dereference in atom_get_src_int() when accessing WS entries.  Return -ENOMEM on allocation failure to avoid the NULL dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68168",
                                "url": "https://ubuntu.com/security/CVE-2025-68168",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  jfs: fix uninitialized waitqueue in transaction manager  The transaction manager initialization in txInit() was not properly initializing TxBlock[0].waitor waitqueue, causing a crash when txEnd(0) is called on read-only filesystems.  When a filesystem is mounted read-only, txBegin() returns tid=0 to indicate no transaction. However, txEnd(0) still gets called and tries to access TxBlock[0].waitor via tid_to_tblock(0), but this waitqueue was never initialized because the initialization loop started at index 1 instead of 0.  This causes a 'non-static key' lockdep warning and system crash:   INFO: trying to register non-static key in txEnd  Fix by ensuring all transaction blocks including TxBlock[0] have their waitqueues properly initialized during txInit().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40312",
                                "url": "https://ubuntu.com/security/CVE-2025-40312",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  jfs: Verify inode mode when loading from disk  The inode mode loaded from corrupted disk can be invalid. Do like what commit 0a9e74051313 (\"isofs: Verify inode mode when loading from disk\") does.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40333",
                                "url": "https://ubuntu.com/security/CVE-2025-40333",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix infinite loop in __insert_extent_tree()  When we get wrong extent info data, and look up extent_node in rb tree, it will cause infinite loop (CONFIG_F2FS_CHECK_FS=n). Avoid this by returning NULL and printing some kernel messages in that case.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68321",
                                "url": "https://ubuntu.com/security/CVE-2025-68321",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  page_pool: always add GFP_NOWARN for ATOMIC allocations  Driver authors often forget to add GFP_NOWARN for page allocation from the datapath. This is annoying to users as OOMs are a fact of life, and we pretty much expect network Rx to hit page allocation failures during OOM. Make page pool add GFP_NOWARN for ATOMIC allocations by default.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40334",
                                "url": "https://ubuntu.com/security/CVE-2025-40334",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: validate userq buffer virtual address and size  It needs to validate the userq object virtual address to determine whether it resides in a valid vm mapping.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68191",
                                "url": "https://ubuntu.com/security/CVE-2025-68191",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  udp_tunnel: use netdev_warn() instead of netdev_WARN()  netdev_WARN() uses WARN/WARN_ON to print a backtrace along with file and line information. In this case, udp_tunnel_nic_register() returning an error is just a failed operation, not a kernel bug.  udp_tunnel_nic_register() can fail due to a memory allocation failure (kzalloc() or udp_tunnel_nic_alloc()). This is a normal runtime error and not a kernel bug.  Replace netdev_WARN() with netdev_warn() accordingly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68309",
                                "url": "https://ubuntu.com/security/CVE-2025-68309",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  PCI/AER: Fix NULL pointer access by aer_info  The kzalloc(GFP_KERNEL) may return NULL, so all accesses to aer_info->xxx will result in kernel panic. Fix it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40313",
                                "url": "https://ubuntu.com/security/CVE-2025-40313",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ntfs3: pretend $Extend records as regular files  Since commit af153bb63a33 (\"vfs: catch invalid modes in may_open()\") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/ S_IFIFO/S_IFSOCK type, use S_IFREG for $Extend records.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40335",
                                "url": "https://ubuntu.com/security/CVE-2025-40335",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: validate userq input args  This will help on validating the userq input args, and rejecting for the invalid userq request at the IOCTLs first place.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40314",
                                "url": "https://ubuntu.com/security/CVE-2025-40314",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget  In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget structure (pdev->gadget) was freed before its endpoints. The endpoints are linked via the ep_list in the gadget structure. Freeing the gadget first leaves dangling pointers in the endpoint list. When the endpoints are subsequently freed, this results in a use-after-free.  Fix: By separating the usb_del_gadget_udc() operation into distinct \"del\" and \"put\" steps, cdnsp_gadget_free_endpoints() can be executed prior to the final release of the gadget structure with usb_put_gadget().  A patch similar to bb9c74a5bd14(\"usb: dwc3: gadget: Free gadget structure  only after freeing endpoints\").",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40336",
                                "url": "https://ubuntu.com/security/CVE-2025-40336",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/gpusvm: fix hmm_pfn_to_map_order() usage  Handle the case where the hmm range partially covers a huge page (like 2M), otherwise we can potentially end up doing something nasty like mapping memory which is outside the range, and maybe not even mapped by the mm. Fix is based on the xe userptr code, which in a future patch will directly use gpusvm, so needs alignment here.  v2:   - Add kernel-doc (Matt B)   - s/fls/ilog2/ (Thomas)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68193",
                                "url": "https://ubuntu.com/security/CVE-2025-68193",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Add devm release action to safely tear down CT  When a buffer object (BO) is allocated with the XE_BO_FLAG_GGTT_INVALIDATE flag, the driver initiates TLB invalidation requests via the CTB mechanism while releasing the BO. However a premature release of the CTB BO can lead to system crashes, as observed in:  Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:h2g_write+0x2f3/0x7c0 [xe] Call Trace:  guc_ct_send_locked+0x8b/0x670 [xe]  xe_guc_ct_send_locked+0x19/0x60 [xe]  send_tlb_invalidation+0xb4/0x460 [xe]  xe_gt_tlb_invalidation_ggtt+0x15e/0x2e0 [xe]  ggtt_invalidate_gt_tlb.part.0+0x16/0x90 [xe]  ggtt_node_remove+0x110/0x140 [xe]  xe_ggtt_node_remove+0x40/0xa0 [xe]  xe_ggtt_remove_bo+0x87/0x250 [xe]  Introduce a devm-managed release action during xe_guc_ct_init() and xe_guc_ct_init_post_hwconfig() to ensure proper CTB disablement before resource deallocation, preventing the use-after-free scenario.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68175",
                                "url": "https://ubuntu.com/security/CVE-2025-68175",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: nxp: imx8-isi: Fix streaming cleanup on release  The current implementation unconditionally calls mxc_isi_video_cleanup_streaming() in mxc_isi_video_release(). This can lead to situations where any release call (like from a simple \"v4l2-ctl -l\") may release a currently streaming queue when called on such a device.  This is reproducible on an i.MX8MP board by streaming from an ISI capture device using gstreamer:  \tgst-launch-1.0 -v v4l2src device=/dev/videoX ! \\ \t    video/x-raw,format=GRAY8,width=1280,height=800,framerate=1/120 ! \\ \t    fakesink  While this stream is running, querying the caps of the same device provokes the error state:  \tv4l2-ctl -l -d /dev/videoX  This results in the following trace:  [  155.452152] ------------[ cut here ]------------ [  155.452163] WARNING: CPU: 0 PID: 1708 at drivers/media/platform/nxp/imx8-isi/imx8-isi-pipe.c:713 mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [  157.004248] Modules linked in: cfg80211 rpmsg_ctrl rpmsg_char rpmsg_tty virtio_rpmsg_bus rpmsg_ns rpmsg_core rfkill nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables mcp251x6 [  157.053499] CPU: 0 UID: 0 PID: 1708 Comm: python3 Not tainted 6.15.4-00114-g1f61ca5cad76 #1 PREEMPT [  157.064369] Hardware name: imx8mp_board_01 (DT) [  157.068205] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [  157.075169] pc : mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [  157.081195] lr : mxc_isi_pipe_irq_handler+0x38/0x1b0 [imx8_isi] [  157.087126] sp : ffff800080003ee0 [  157.090438] x29: ffff800080003ee0 x28: ffff0000c3688000 x27: 0000000000000000 [  157.097580] x26: 0000000000000000 x25: ffff0000c1e7ac00 x24: ffff800081b5ad50 [  157.104723] x23: 00000000000000d1 x22: 0000000000000000 x21: ffff0000c25e4000 [  157.111866] x20: 0000000060000200 x19: ffff80007a0608d0 x18: 0000000000000000 [  157.119008] x17: 
ffff80006a4e3000 x16: ffff800080000000 x15: 0000000000000000 [  157.126146] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [  157.133287] x11: 0000000000000040 x10: ffff0000c01445f0 x9 : ffff80007a053a38 [  157.140425] x8 : ffff0000c04004b8 x7 : 0000000000000000 x6 : 0000000000000000 [  157.147567] x5 : ffff0000c0400490 x4 : ffff80006a4e3000 x3 : ffff0000c25e4000 [  157.154706] x2 : 0000000000000000 x1 : ffff8000825c0014 x0 : 0000000060000200 [  157.161850] Call trace: [  157.164296]  mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] (P) [  157.170319]  __handle_irq_event_percpu+0x58/0x218 [  157.175029]  handle_irq_event+0x54/0xb8 [  157.178867]  handle_fasteoi_irq+0xac/0x248 [  157.182968]  handle_irq_desc+0x48/0x68 [  157.186723]  generic_handle_domain_irq+0x24/0x38 [  157.191346]  gic_handle_irq+0x54/0x120 [  157.195098]  call_on_irq_stack+0x24/0x30 [  157.199027]  do_interrupt_handler+0x88/0x98 [  157.203212]  el0_interrupt+0x44/0xc0 [  157.206792]  __el0_irq_handler_common+0x18/0x28 [  157.211328]  el0t_64_irq_handler+0x10/0x20 [  157.215429]  el0t_64_irq+0x198/0x1a0 [  157.219009] ---[ end trace 0000000000000000 ]---  Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the vb2_ioctl_streamon() and vb2_ioctl_streamoff() helpers, and removal of the manual cleanup from mxc_isi_video_release().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68188",
                                "url": "https://ubuntu.com/security/CVE-2025-68188",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()  Use RCU to avoid a pair of atomic operations and a potential UAF on dst_dev()->flags.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68315",
                                "url": "https://ubuntu.com/security/CVE-2025-68315",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix to detect potential corrupted nid in free_nid_list  As reported, on-disk footer.ino and footer.nid is the same and out-of-range, let's add sanity check on f2fs_alloc_nid() to detect any potential corruption in free_nid_list.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40337",
                                "url": "https://ubuntu.com/security/CVE-2025-40337",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: stmmac: Correctly handle Rx checksum offload errors  The stmmac_rx function would previously set skb->ip_summed to CHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabled and the packet was of a known IP ethertype.  However, this logic failed to check if the hardware had actually reported a checksum error. The hardware status, indicating a header or payload checksum failure, was being ignored at this stage. This could cause corrupt packets to be passed up the network stack as valid.  This patch corrects the logic by checking the `csum_none` status flag, which is set when the hardware reports a checksum error. If this flag is set, skb->ip_summed is now correctly set to CHECKSUM_NONE, ensuring the kernel's network stack will perform its own validation and properly handle the corrupt packet.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40338",
                                "url": "https://ubuntu.com/security/CVE-2025-40338",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Do not share the name pointer between components  By sharing 'name' directly, tearing down components may lead to use-after-free errors. Duplicate the name to avoid that.  At the same time, update the order of operations - since commit cee28113db17 (\"ASoC: dmaengine_pcm: Allow passing component name via config\") the framework does not override component->name if set before invoking the initializer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40339",
                                "url": "https://ubuntu.com/security/CVE-2025-40339",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: fix nullptr err of vm_handle_moved  If an amdgpu_bo_va is fpriv->prt_va, the bo of this one is always NULL. So, such kind of amdgpu_bo_va should be updated separately before amdgpu_vm_handle_moved.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68194",
                                "url": "https://ubuntu.com/security/CVE-2025-68194",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: imon: make send_packet() more robust  syzbot is reporting that imon has three problems which result in hung tasks due to forever holding device lock [1].  First problem is that when usb_rx_callback_intf0() once got -EPROTO error after ictx->dev_present_intf0 became true, usb_rx_callback_intf0() resubmits urb after printk(), and resubmitted urb causes usb_rx_callback_intf0() to again get -EPROTO error. This results in printk() flooding (RCU stalls).  Alan Stern commented [2] that    In theory it's okay to resubmit _if_ the driver has a robust   error-recovery scheme (such as giving up after some fixed limit on the   number of errors or after some fixed time has elapsed, perhaps with a   time delay to prevent a flood of errors).  Most drivers don't bother to   do this; they simply give up right away.  This makes them more   vulnerable to short-term noise interference during USB transfers, but in   reality such interference is quite rare.  There's nothing really wrong   with giving up right away.  but imon has a poor error-recovery scheme which just retries forever; this behavior should be fixed.  Since I'm not sure whether it is safe for imon users to give up upon any error code, this patch takes care of only union of error codes chosen from modules in drivers/media/rc/ directory which handle -EPROTO error (i.e. ir_toy, mceusb and igorplugusb).  Second problem is that when usb_rx_callback_intf0() once got -EPROTO error before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0() always resubmits urb due to commit 8791d63af0cf (\"[media] imon: don't wedge hardware after early callbacks\"). 
Move the ictx->dev_present_intf0 test introduced by commit 6f6b90c9231a (\"[media] imon: don't parse scancodes until intf configured\") to immediately before imon_incoming_packet(), or the first problem explained above happens without printk() flooding (i.e. hung task).  Third problem is that when usb_rx_callback_intf0() is not called for some reason (e.g. flaky hardware; the reproducer for this problem sometimes prevents usb_rx_callback_intf0() from being called), wait_for_completion_interruptible() in send_packet() never returns (i.e. hung task). As a workaround for such situation, change send_packet() to wait for completion with timeout of 10 seconds.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40363",
                                "url": "https://ubuntu.com/security/CVE-2025-40363",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: ipv6: fix field-spanning memcpy warning in AH output  Fix field-spanning memcpy warnings in ah6_output() and ah6_output_done() where extension headers are copied to/from IPv6 address fields, triggering fortify-string warnings about writes beyond the 16-byte address fields.    memcpy: detected field-spanning write (size 40) of single field \"&top_iph->saddr\" at net/ipv6/ah6.c:439 (size 16)   WARNING: CPU: 0 PID: 8838 at net/ipv6/ah6.c:439 ah6_output+0xe7e/0x14e0 net/ipv6/ah6.c:439  The warnings are false positives as the extension headers are intentionally placed after the IPv6 header in memory. Fix by properly copying addresses and extension headers separately, and introduce helper functions to avoid code duplication.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68311",
                                "url": "https://ubuntu.com/security/CVE-2025-68311",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: serial: ip22zilog: Use platform device for probing  After commit 84a9582fd203 (\"serial: core: Start managing serial controllers to enable runtime PM\") serial drivers need to provide a device in struct uart_port.dev otherwise an oops happens. To fix this issue for ip22zilog driver switch driver to a platform driver and setup the serial device in sgi-ip22 code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40340",
                                "url": "https://ubuntu.com/security/CVE-2025-40340",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.  I saw an oops in xe_gem_fault when running the xe-fast-feedback testlist against the realtime kernel without debug options enabled.  The panic happens after core_hotunplug unbind-rebind finishes. Presumably what happens is that a process mmaps, unlocks because of the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left, causing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since there was nothing left to populate, and then oopses in \"mem_type_is_vram(tbo->resource->mem_type)\" because tbo->resource is NULL.  It's convoluted, but fits the data and explains the oops after the test exits.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68196",
                                "url": "https://ubuntu.com/security/CVE-2025-68196",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amd/display: Cache streams targeting link when performing LT automation  [WHY] Last LT automation update can cause crash by referencing current_state and calling into dc_update_planes_and_stream which may clobber current_state.  [HOW] Cache relevant stream pointers and iterate through them instead of relying on the current_state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68178",
                                "url": "https://ubuntu.com/security/CVE-2025-68178",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  blk-cgroup: fix possible deadlock while configuring policy  Following deadlock can be triggered easily by lockdep:  WARNING: possible circular locking dependency detected 6.17.0-rc3-00124-ga12c2658ced0 #1665 Not tainted ------------------------------------------------------ check/1334 is trying to acquire lock: ff1100011d9d0678 (&q->sysfs_lock){+.+.}-{4:4}, at: blk_unregister_queue+0x53/0x180  but task is already holding lock: ff1100011d9d00e0 (&q->q_usage_counter(queue)#3){++++}-{0:0}, at: del_gendisk+0xba/0x110  which lock already depends on the new lock.  the existing dependency chain (in reverse order) is:  -> #2 (&q->q_usage_counter(queue)#3){++++}-{0:0}:        blk_queue_enter+0x40b/0x470        blkg_conf_prep+0x7b/0x3c0        tg_set_limit+0x10a/0x3e0        cgroup_file_write+0xc6/0x420        kernfs_fop_write_iter+0x189/0x280        vfs_write+0x256/0x490        ksys_write+0x83/0x190        __x64_sys_write+0x21/0x30        x64_sys_call+0x4608/0x4630        do_syscall_64+0xdb/0x6b0        entry_SYSCALL_64_after_hwframe+0x76/0x7e  -> #1 (&q->rq_qos_mutex){+.+.}-{4:4}:        __mutex_lock+0xd8/0xf50        mutex_lock_nested+0x2b/0x40        wbt_init+0x17e/0x280        wbt_enable_default+0xe9/0x140        blk_register_queue+0x1da/0x2e0        __add_disk+0x38c/0x5d0        add_disk_fwnode+0x89/0x250        device_add_disk+0x18/0x30        virtblk_probe+0x13a3/0x1800        virtio_dev_probe+0x389/0x610        really_probe+0x136/0x620        __driver_probe_device+0xb3/0x230        driver_probe_device+0x2f/0xe0        __driver_attach+0x158/0x250        bus_for_each_dev+0xa9/0x130        driver_attach+0x26/0x40        bus_add_driver+0x178/0x3d0        driver_register+0x7d/0x1c0        __register_virtio_driver+0x2c/0x60        virtio_blk_init+0x6f/0xe0        do_one_initcall+0x94/0x540        kernel_init_freeable+0x56a/0x7b0        
kernel_init+0x2b/0x270        ret_from_fork+0x268/0x4c0        ret_from_fork_asm+0x1a/0x30  -> #0 (&q->sysfs_lock){+.+.}-{4:4}:        __lock_acquire+0x1835/0x2940        lock_acquire+0xf9/0x450        __mutex_lock+0xd8/0xf50        mutex_lock_nested+0x2b/0x40        blk_unregister_queue+0x53/0x180        __del_gendisk+0x226/0x690        del_gendisk+0xba/0x110        sd_remove+0x49/0xb0 [sd_mod]        device_remove+0x87/0xb0        device_release_driver_internal+0x11e/0x230        device_release_driver+0x1a/0x30        bus_remove_device+0x14d/0x220        device_del+0x1e1/0x5a0        __scsi_remove_device+0x1ff/0x2f0        scsi_remove_device+0x37/0x60        sdev_store_delete+0x77/0x100        dev_attr_store+0x1f/0x40        sysfs_kf_write+0x65/0x90        kernfs_fop_write_iter+0x189/0x280        vfs_write+0x256/0x490        ksys_write+0x83/0x190        __x64_sys_write+0x21/0x30        x64_sys_call+0x4608/0x4630        do_syscall_64+0xdb/0x6b0        entry_SYSCALL_64_after_hwframe+0x76/0x7e  other info that might help us debug this:  Chain exists of:   &q->sysfs_lock --> &q->rq_qos_mutex --> &q->q_usage_counter(queue)#3   Possible unsafe locking scenario:         CPU0                    CPU1        ----                    ----   lock(&q->q_usage_counter(queue)#3);                                lock(&q->rq_qos_mutex);                                lock(&q->q_usage_counter(queue)#3);   lock(&q->sysfs_lock);  Root cause is that queue_usage_counter is grabbed with rq_qos_mutex held in blkg_conf_prep(), while queue should be freezed before rq_qos_mutex from other context.  The blk_queue_enter() from blkg_conf_prep() is used to protect against policy deactivation, which is already protected with blkcg_mutex, hence convert blk_queue_enter() to blkcg_mutex to fix this problem. Meanwhile, consider that blkcg_mutex is held after queue is freezed from policy deactivation, also convert blkg_alloc() to use GFP_NOIO.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40341",
                                "url": "https://ubuntu.com/security/CVE-2025-40341",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  futex: Don't leak robust_list pointer on exec race  sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access() to check if the calling task is allowed to access another task's robust_list pointer. This check is racy against a concurrent exec() in the target process.  During exec(), a task may transition from a non-privileged binary to a privileged one (e.g., setuid binary) and its credentials/memory mappings may change. If get_robust_list() performs ptrace_may_access() before this transition, it may erroneously allow access to sensitive information after the target becomes privileged.  A racy access allows an attacker to exploit a window during which ptrace_may_access() passes before a target process transitions to a privileged state via exec().  For example, consider a non-privileged task T that is about to execute a setuid-root binary. An attacker task A calls get_robust_list(T) while T is still unprivileged. Since ptrace_may_access() checks permissions based on current credentials, it succeeds. However, if T begins exec immediately afterwards, it becomes privileged and may change its memory mappings. Because get_robust_list() proceeds to access T->robust_list without synchronizing with exec() it may read user-space pointers from a now-privileged process.  This violates the intended post-exec access restrictions and could expose sensitive memory addresses or be used as a primitive in a larger exploit chain. Consequently, the race can lead to unauthorized disclosure of information across privilege boundaries and poses a potential security risk.  Take a read lock on signal->exec_update_lock prior to invoking ptrace_may_access() and accessing the robust_list/compat_robust_list. This ensures that the target task's exec state remains stable during the check, allowing for consistent and synchronized validation of credentials.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40342",
                                "url": "https://ubuntu.com/security/CVE-2025-40342",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvme-fc: use lock accessing port_state and rport state  nvme_fc_unregister_remote removes the remote port on a lport object at any point in time when there is no active association. This races with the reconnect logic, because nvme_fc_create_association is not taking a lock to check the port_state and atomically increase the active count on the rport.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40343",
                                "url": "https://ubuntu.com/security/CVE-2025-40343",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-fc: avoid scheduling association deletion twice  When forcefully shutting down a port via the configfs interface, nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and then nvmet_disable_port(). Both functions will eventually schedule all remaining associations for deletion.  The current implementation checks whether an association is about to be removed, but only after the work item has already been scheduled. As a result, it is possible for the first scheduled work item to free all resources, and then for the same work item to be scheduled again for deletion.  Because the association list is an RCU list, it is not possible to take a lock and remove the list entry directly, so it cannot be looked up again. Instead, a flag (terminating) must be used to determine whether the association is already in the process of being deleted.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68177",
                                "url": "https://ubuntu.com/security/CVE-2025-68177",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cpufreq/longhaul: handle NULL policy in longhaul_exit  longhaul_exit() was calling cpufreq_cpu_get(0) without checking for a NULL policy pointer. On some systems, this could lead to a NULL dereference and a kernel warning or panic.  This patch adds a check using unlikely() and returns early if the policy is NULL.  Bugzilla: #219962",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68317",
                                "url": "https://ubuntu.com/security/CVE-2025-68317",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  io_uring/zctx: check chained notif contexts  Send zc only links ubuf_info for requests coming from the same context. There are some ambiguous syz reports, so let's check the assumption on notification completion.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40315",
                                "url": "https://ubuntu.com/security/CVE-2025-40315",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_fs: Fix epfile null pointer access after ep enable.  A race condition occurs when ffs_func_eps_enable() runs concurrently with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading to a NULL pointer dereference when accessing epfile->ep in ffs_func_eps_enable() after successful usb_ep_enable().  The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and ffs_data_close() functions, and its modification is protected by the spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function is also protected by ffs->eps_lock.  Thus, add NULL pointer handling for ffs->epfiles in the ffs_func_eps_enable() function to fix issues",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40316",
                                "url": "https://ubuntu.com/security/CVE-2025-40316",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/mediatek: Fix device use-after-free on unbind  A recent change fixed device reference leaks when looking up drm platform device driver data during bind() but failed to remove a partial fix which had been added by commit 80805b62ea5b (\"drm/mediatek: Fix kobject put for component sub-drivers\").  This results in a reference imbalance on component bind() failures and on unbind() which could lead to a use-after-free.  Make sure to only drop the references after retrieving the driver data by effectively reverting the previous partial fix.  Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40360",
                                "url": "https://ubuntu.com/security/CVE-2025-40360",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sysfb: Do not dereference NULL pointer in plane reset  The plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not deref that pointer, but forward NULL to the other plane-reset helpers. Clears plane->state to NULL.  v2: - fix typo in commit description (Javier)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68179",
                                "url": "https://ubuntu.com/security/CVE-2025-68179",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP  As reported by Luiz Capitulino enabling HVO on s390 leads to reproducible crashes. The problem is that kernel page tables are modified without flushing corresponding TLB entries.  Even if it looks like the empty flush_tlb_all() implementation on s390 is the problem, it is actually a different problem: on s390 it is not allowed to replace an active/valid page table entry with another valid page table entry without the detour over an invalid entry. A direct replacement may lead to random crashes and/or data corruption.  In order to invalidate an entry special instructions have to be used (e.g. ipte or idte). Alternatively there are also special instructions available which allow to replace a valid entry with a different valid entry (e.g. crdte or cspg).  Given that the HVO code currently does not provide the hooks to allow for an implementation which is compliant with the s390 architecture requirements, disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP again, which is basically a revert of the original patch which enabled it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68310",
                                "url": "https://ubuntu.com/security/CVE-2025-68310",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump  Do not block PCI config accesses through pci_cfg_access_lock() when executing the s390 variant of PCI error recovery: Acquire just device_lock() instead of pci_dev_lock() as powerpc's EEH and generig PCI AER processing do.  During error recovery testing a pair of tasks was reported to be hung:  mlx5_core 0000:00:00.1: mlx5_health_try_recover:338:(pid 5553): health recovery flow aborted, PCI reads still not working INFO: task kmcheck:72 blocked for more than 122 seconds.       Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. task:kmcheck         state:D stack:0     pid:72    tgid:72    ppid:2     flags:0x00000000 Call Trace:  [<000000065256f030>] __schedule+0x2a0/0x590  [<000000065256f356>] schedule+0x36/0xe0  [<000000065256f572>] schedule_preempt_disabled+0x22/0x30  [<0000000652570a94>] __mutex_lock.constprop.0+0x484/0x8a8  [<000003ff800673a4>] mlx5_unload_one+0x34/0x58 [mlx5_core]  [<000003ff8006745c>] mlx5_pci_err_detected+0x94/0x140 [mlx5_core]  [<0000000652556c5a>] zpci_event_attempt_error_recovery+0xf2/0x398  [<0000000651b9184a>] __zpci_event_error+0x23a/0x2c0 INFO: task kworker/u1664:6:1514 blocked for more than 122 seconds.       Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message. 
task:kworker/u1664:6 state:D stack:0     pid:1514  tgid:1514  ppid:2     flags:0x00000000 Workqueue: mlx5_health0000:00:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core] Call Trace:  [<000000065256f030>] __schedule+0x2a0/0x590  [<000000065256f356>] schedule+0x36/0xe0  [<0000000652172e28>] pci_wait_cfg+0x80/0xe8  [<0000000652172f94>] pci_cfg_access_lock+0x74/0x88  [<000003ff800916b6>] mlx5_vsc_gw_lock+0x36/0x178 [mlx5_core]  [<000003ff80098824>] mlx5_crdump_collect+0x34/0x1c8 [mlx5_core]  [<000003ff80074b62>] mlx5_fw_fatal_reporter_dump+0x6a/0xe8 [mlx5_core]  [<0000000652512242>] devlink_health_do_dump.part.0+0x82/0x168  [<0000000652513212>] devlink_health_report+0x19a/0x230  [<000003ff80075a12>] mlx5_fw_fatal_reporter_err_work+0xba/0x1b0 [mlx5_core]  No kernel log of the exact same error with an upstream kernel is available - but the very same deadlock situation can be constructed there, too:  - task: kmcheck   mlx5_unload_one() tries to acquire devlink lock while the PCI error   recovery code has set pdev->block_cfg_access by way of   pci_cfg_access_lock() - task: kworker   mlx5_crdump_collect() tries to set block_cfg_access through   pci_cfg_access_lock() while devlink_health_report() had acquired   the devlink lock.  A similar deadlock situation can be reproduced by requesting a crdump with   > devlink health dump show pci/<BDF> reporter fw_fatal  while PCI error recovery is executed on the same <BDF> physical function by mlx5_core's pci_error_handlers. On s390 this can be injected with   > zpcictl --reset-fw <BDF>  Tests with this patch failed to reproduce that second deadlock situation, the devlink command is rejected with \"kernel answers: Permission denied\" - and we get a kernel log message of:  mlx5_core 1ed0:00:00.1: mlx5_crdump_collect:50:(pid 254382): crdump: failed to lock vsc gw err -5  because the config read of VSC_SEMAPHORE is rejected by the underlying hardware.  
Two prior attempts to address this issue have been discussed and ultimately rejected [see link], with the primary argument that s390's implementation of PCI error recovery is imposing restrictions that neither powerpc's EEH nor PCI AER handling need. Tests show that PCI error recovery on s390 is running to completion even without blocking access to PCI config space.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40317",
                                "url": "https://ubuntu.com/security/CVE-2025-40317",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  regmap: slimbus: fix bus_context pointer in regmap init calls  Commit 4e65bda8273c (\"ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()\") revealed the problem in the slimbus regmap. That commit breaks audio playback, for instance, on sdm845 Thundercomm Dragonboard 845c board:   Unable to handle kernel paging request at virtual address ffff8000847cbad4  ...  CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT  Hardware name: Thundercomm Dragonboard 845c (DT)  ...  Call trace:   slim_xfer_msg+0x24/0x1ac [slimbus] (P)   slim_read+0x48/0x74 [slimbus]   regmap_slimbus_read+0x18/0x24 [regmap_slimbus]   _regmap_raw_read+0xe8/0x174   _regmap_bus_read+0x44/0x80   _regmap_read+0x60/0xd8   _regmap_update_bits+0xf4/0x140   _regmap_select_page+0xa8/0x124   _regmap_raw_write_impl+0x3b8/0x65c   _regmap_bus_raw_write+0x60/0x80   _regmap_write+0x58/0xc0   regmap_write+0x4c/0x80   wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x]   snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core]   __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core]   dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core]   dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core]   snd_pcm_hw_params+0x124/0x464 [snd_pcm]   snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm]   snd_pcm_ioctl+0x34/0x4c [snd_pcm]   __arm64_sys_ioctl+0xac/0x104   invoke_syscall+0x48/0x104   el0_svc_common.constprop.0+0x40/0xe0   do_el0_svc+0x1c/0x28   el0_svc+0x34/0xec   el0t_64_sync_handler+0xa0/0xf0   el0t_64_sync+0x198/0x19c  The __devm_regmap_init_slimbus() started to be used instead of __regmap_init_slimbus() after the commit mentioned above and turns out the incorrect bus_context pointer (3rd argument) was used in __devm_regmap_init_slimbus(). It should be just \"slimbus\" (which is equal to &slimbus->dev). Correct it. 
The wcd934x codec seems to be the only or the first user of devm_regmap_init_slimbus() but we should fix it till the point where __devm_regmap_init_slimbus() was introduced therefore two \"Fixes\" tags.  While at this, also correct the same argument in __regmap_init_slimbus().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40359",
                                "url": "https://ubuntu.com/security/CVE-2025-40359",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  perf/x86/intel: Fix KASAN global-out-of-bounds warning  When running \"perf mem record\" command on CWF, the below KASAN global-out-of-bounds warning is seen.    ==================================================================   BUG: KASAN: global-out-of-bounds in cmt_latency_data+0x176/0x1b0   Read of size 4 at addr ffffffffb721d000 by task dtlb/9850    Call Trace:     kasan_report+0xb8/0xf0    cmt_latency_data+0x176/0x1b0    setup_arch_pebs_sample_data+0xf49/0x2560    intel_pmu_drain_arch_pebs+0x577/0xb00    handle_pmi_common+0x6c4/0xc80  The issue is caused by below code in __grt_latency_data(). The code tries to access x86_hybrid_pmu structure which doesn't exist on non-hybrid platform like CWF.          WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big)  So add is_hybrid() check before calling this WARN_ON_ONCE to fix the global-out-of-bounds access issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68181",
                                "url": "https://ubuntu.com/security/CVE-2025-68181",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Remove calls to drm_put_dev()  Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() drm_put_dev()'ing to trigger it to be free'd should be done by devres.  However, drm_put_dev() is still in the probe error and device remove paths. When the driver fails to probe warnings like the following are shown because devres is trying to drm_put_dev() after the driver already did it.  [    5.642230] radeon 0000:01:05.0: probe with driver radeon failed with error -22 [    5.649605] ------------[ cut here ]------------ [    5.649607] refcount_t: underflow; use-after-free. [    5.649620] WARNING: CPU: 0 PID: 357 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110  (cherry picked from commit 3eb8c0b4c091da0a623ade0d3ee7aa4a93df1ea4)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68170",
                                "url": "https://ubuntu.com/security/CVE-2025-68170",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/radeon: Do not kfree() devres managed rdev  Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() rdev is managed by devres and we shouldn't be calling kfree() on it.  This fixes things exploding if the driver probe fails and devres cleans up the rdev after we already free'd it.  (cherry picked from commit 16c0681617b8a045773d4d87b6140002fa75b03b)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40213",
                                "url": "https://ubuntu.com/security/CVE-2025-40213",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete  There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array.  Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove.  Use DEFINE_FLEX to declare the flexible array right, and don't memcpy outside bounds.  As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free, and also report status on error.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-24 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40318",
                                "url": "https://ubuntu.com/security/CVE-2025-40318",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once  hci_cmd_sync_dequeue_once() does lookup and then cancel the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the same entry, leading to double list_del() and \"UAF\".  Fix this by holding cmd_sync_work_lock across both lookup and cancel, so that the entry cannot be removed concurrently.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68312",
                                "url": "https://ubuntu.com/security/CVE-2025-68312",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: Prevents free active kevent  The root cause of this issue are: 1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0); put the kevent work in global workqueue. However, the kevent has not yet been scheduled when the usbnet device is unregistered. Therefore, executing free_netdev() results in the \"free active object (kevent)\" error reported here.  2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(), if the usbnet device is up, ndo_stop() is executed to cancel the kevent. However, because the device is not up, ndo_stop() is not executed.  The solution to this problem is to cancel the kevent before executing free_netdev().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40344",
                                "url": "https://ubuntu.com/security/CVE-2025-40344",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: Intel: avs: Disable periods-elapsed work when closing PCM  avs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio stream while period-elapsed work services its IRQs. As the former frees the DAI's private context, these two operations shall be synchronized to avoid slab-use-after-free or worse errors.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-09 16:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68172",
                                "url": "https://ubuntu.com/security/CVE-2025-68172",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: aspeed - fix double free caused by devm  The clock obtained via devm_clk_get_enabled() is automatically managed by devres and will be disabled and freed on driver detach. Manually calling clk_disable_unprepare() in error path and remove function causes double free.  Remove the manual clock cleanup in both aspeed_acry_probe()'s error path and aspeed_acry_remove().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40319",
                                "url": "https://ubuntu.com/security/CVE-2025-40319",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  bpf: Sync pending IRQ work before freeing ring buffer  Fix a race where irq_work can be queued in bpf_ringbuf_commit() but the ring buffer is freed before the work executes. In the syzbot reproducer, a BPF program attached to sched_switch triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer is freed before this work executes, the irq_work thread may accesses freed memory. Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work complete before freeing the buffer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68182",
                                "url": "https://ubuntu.com/security/CVE-2025-68182",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: iwlwifi: fix potential use after free in iwl_mld_remove_link()  This code frees \"link\" by calling kfree_rcu(link, rcu_head) and then it dereferences \"link\" to get the \"link->fw_id\".  Save the \"link->fw_id\" first to avoid a potential use after free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68314",
                                "url": "https://ubuntu.com/security/CVE-2025-68314",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm: make sure last_fence is always updated  Update last_fence in the vm-bind path instead of kernel managed path.  last_fence is used to wait for work to finish in vm_bind contexts but not used for kernel managed contexts.  This fixes a bug where last_fence is not waited on context close leading to faults as resources are freed while in use.  Patchwork: https://patchwork.freedesktop.org/patch/680080/",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68189",
                                "url": "https://ubuntu.com/security/CVE-2025-68189",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/msm: Fix GEM free for imported dma-bufs  Imported dma-bufs also have obj->resv != &obj->_resv.  So we should check both this condition in addition to flags for handling the _NO_SHARE case.  Fixes this splat that was reported with IRIS video playback:      ------------[ cut here ]------------     WARNING: CPU: 3 PID: 2040 at drivers/gpu/drm/msm/msm_gem.c:1127 msm_gem_free_object+0x1f8/0x264 [msm]     CPU: 3 UID: 1000 PID: 2040 Comm: .gnome-shell-wr Not tainted 6.17.0-rc7 #1 PREEMPT     pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)     pc : msm_gem_free_object+0x1f8/0x264 [msm]     lr : msm_gem_free_object+0x138/0x264 [msm]     sp : ffff800092a1bb30     x29: ffff800092a1bb80 x28: ffff800092a1bce8 x27: ffffbc702dbdbe08     x26: 0000000000000008 x25: 0000000000000009 x24: 00000000000000a6     x23: ffff00083c72f850 x22: ffff00083c72f868 x21: ffff00087e69f200     x20: ffff00087e69f330 x19: ffff00084d157ae0 x18: 0000000000000000     x17: 0000000000000000 x16: ffffbc704bd46b80 x15: 0000ffffd0959540     x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000     x11: ffffbc702e6cdb48 x10: 0000000000000000 x9 : 000000000000003f     x8 : ffff800092a1ba90 x7 : 0000000000000000 x6 : 0000000000000020     x5 : ffffbc704bd46c40 x4 : fffffdffe102cf60 x3 : 0000000000400032     x2 : 0000000000020000 x1 : ffff00087e6978e8 x0 : ffff00087e6977e8     Call trace:      msm_gem_free_object+0x1f8/0x264 [msm] (P)      drm_gem_object_free+0x1c/0x30 [drm]      drm_gem_object_handle_put_unlocked+0x138/0x150 [drm]      drm_gem_object_release_handle+0x5c/0xcc [drm]      drm_gem_handle_delete+0x68/0xbc [drm]      drm_gem_close_ioctl+0x34/0x40 [drm]      drm_ioctl_kernel+0xc0/0x130 [drm]      drm_ioctl+0x360/0x4e0 [drm]      __arm64_sys_ioctl+0xac/0x104      invoke_syscall+0x48/0x104      el0_svc_common.constprop.0+0x40/0xe0      
do_el0_svc+0x1c/0x28      el0_svc+0x34/0xec      el0t_64_sync_handler+0xa0/0xe4      el0t_64_sync+0x198/0x19c     ---[ end trace 0000000000000000 ]---     ------------[ cut here ]------------  Patchwork: https://patchwork.freedesktop.org/patch/676273/",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68171",
                                "url": "https://ubuntu.com/security/CVE-2025-68171",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/fpu: Ensure XFD state on signal delivery  Sean reported [1] the following splat when running KVM tests:     WARNING: CPU: 232 PID: 15391 at xfd_validate_state+0x65/0x70    Call Trace:     <TASK>     fpu__clear_user_states+0x9c/0x100     arch_do_signal_or_restart+0x142/0x210     exit_to_user_mode_loop+0x55/0x100     do_syscall_64+0x205/0x2c0     entry_SYSCALL_64_after_hwframe+0x4b/0x53  Chao further identified [2] a reproducible scenario involving signal delivery: a non-AMX task is preempted by an AMX-enabled task which modifies the XFD MSR.  When the non-AMX task resumes and reloads XSTATE with init values, a warning is triggered due to a mismatch between fpstate::xfd and the CPU's current XFD state. fpu__clear_user_states() does not currently re-synchronize the XFD state after such preemption.  Invoke xfd_update_state() which detects and corrects the mismatch if there is a dynamic feature.  This also benefits the sigreturn path, as fpu__restore_sig() may call fpu__clear_user_states() when the sigframe is inaccessible.  [ dhansen: minor changelog munging ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68313",
                                "url": "https://ubuntu.com/security/CVE-2025-68313",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/CPU/AMD: Add RDSEED fix for Zen5  There's an issue with RDSEED's 16-bit and 32-bit register output variants on Zen5 which return a random value of 0 \"at a rate inconsistent with randomness while incorrectly signaling success (CF=1)\". Search the web for AMD-SB-7055 for more detail.  Add a fix glue which checks microcode revisions.    [ bp: Add microcode revisions checking, rewrite. ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-16 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40320",
                                "url": "https://ubuntu.com/security/CVE-2025-40320",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: fix potential cfid UAF in smb2_query_info_compound  When smb2_query_info_compound() retries, a previously allocated cfid may have been freed in the first attempt. Because cfid wasn't reset on replay, later cleanup could act on a stale pointer, leading to a potential use-after-free.  Reinitialize cfid to NULL under the replay label.  Example trace (trimmed):  refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110 [...] RIP: 0010:refcount_warn_saturate+0x9c/0x110 [...] Call Trace:  <TASK>  smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  ? step_into+0x10d/0x690  ? __legitimize_path+0x28/0x60  smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  ? kmem_cache_alloc+0x18a/0x340  ? getname_flags+0x46/0x1e0  cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]  statfs_by_dentry+0x67/0x90  vfs_statfs+0x16/0xd0  user_statfs+0x54/0xa0  __do_sys_statfs+0x20/0x50  do_syscall_64+0x58/0x80",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40321",
                                "url": "https://ubuntu.com/security/CVE-2025-40321",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode  Currently, whenever there is a need to transmit an Action frame, the brcmfmac driver always uses the P2P vif to send the \"actframe\" IOVAR to firmware. The P2P interfaces were available when wpa_supplicant is managing the wlan interface.  However, the P2P interfaces are not created/initialized when only hostapd is managing the wlan interface. And if hostapd receives an ANQP Query REQ Action frame even from an un-associated STA, the brcmfmac driver tries to use an uninitialized P2P vif pointer for sending the IOVAR to firmware. This NULL pointer dereferencing triggers a driver crash.   [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual  address 0000000000000000  [...]  [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)  [...]  [ 1417.075653] Call trace:  [ 1417.075662]  brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]  [ 1417.075738]  brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]  [ 1417.075810]  cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211]  [ 1417.076067]  nl80211_tx_mgmt+0x238/0x388 [cfg80211]  [ 1417.076281]  genl_family_rcv_msg_doit+0xe0/0x158  [ 1417.076302]  genl_rcv_msg+0x220/0x2a0  [ 1417.076317]  netlink_rcv_skb+0x68/0x140  [ 1417.076330]  genl_rcv+0x40/0x60  [ 1417.076343]  netlink_unicast+0x330/0x3b8  [ 1417.076357]  netlink_sendmsg+0x19c/0x3f8  [ 1417.076370]  __sock_sendmsg+0x64/0xc0  [ 1417.076391]  ____sys_sendmsg+0x268/0x2a0  [ 1417.076408]  ___sys_sendmsg+0xb8/0x118  [ 1417.076427]  __sys_sendmsg+0x90/0xf8  [ 1417.076445]  __arm64_sys_sendmsg+0x2c/0x40  [ 1417.076465]  invoke_syscall+0x50/0x120  [ 1417.076486]  el0_svc_common.constprop.0+0x48/0xf0  [ 1417.076506]  do_el0_svc+0x24/0x38  [ 1417.076525]  el0_svc+0x30/0x100  [ 1417.076548]  el0t_64_sync_handler+0x100/0x130  [ 1417.076569]  el0t_64_sync+0x190/0x198  [ 
1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)  Fix this, by always using the vif corresponding to the wdev on which the Action frame Transmission request was initiated by the userspace. This way, even if P2P vif is not available, the IOVAR is sent to firmware on AP vif and the ANQP Query RESP Action frame is transmitted without crashing the driver.  Move init_completion() for \"send_af_done\" from brcmf_p2p_create_p2pdev() to brcmf_p2p_attach(). Because the former function would not get executed when only hostapd is managing wlan interface, and it is not safe to do reinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior init_completion().  And in the brcmf_p2p_tx_action_frame() function, the condition check for P2P Presence response frame is not needed, since the wpa_supplicant is properly sending the P2P Presense Response frame on the P2P-GO vif instead of the P2P-Device vif.  [Cc stable]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40322",
                                "url": "https://ubuntu.com/security/CVE-2025-40322",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbdev: bitblit: bound-check glyph index in bit_putcs*  bit_putcs_aligned()/unaligned() derived the glyph pointer from the character value masked by 0xff/0x1ff, which may exceed the actual font's glyph count and read past the end of the built-in font array. Clamp the index to the actual glyph count before computing the address.  This fixes a global out-of-bounds read reported by syzbot.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40211",
                                "url": "https://ubuntu.com/security/CVE-2025-40211",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ACPI: video: Fix use-after-free in acpi_video_switch_brightness()  The switch_brightness_work delayed work accesses device->brightness and device->backlight, freed by acpi_video_dev_unregister_backlight() during device removal.  If the work executes after acpi_video_bus_unregister_backlight() frees these resources, it causes a use-after-free when acpi_video_switch_brightness() dereferences device->brightness or device->backlight.  Fix this by calling cancel_delayed_work_sync() for each device's switch_brightness_work in acpi_video_bus_remove_notify_handler() after removing the notify handler that queues the work. This ensures the work completes before the memory is freed.  [ rjw: Changelog edit ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-21 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40323",
                                "url": "https://ubuntu.com/security/CVE-2025-40323",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fbcon: Set fb_display[i]->mode to NULL when the mode is released  Recently, we discovered the following issue through syzkaller:  BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0 Read of size 4 at addr ff11000001b3c69c by task syz.xxx ... Call Trace:  <TASK>  dump_stack_lvl+0xab/0xe0  print_address_description.constprop.0+0x2c/0x390  print_report+0xb9/0x280  kasan_report+0xb8/0xf0  fb_mode_is_equal+0x285/0x2f0  fbcon_mode_deleted+0x129/0x180  fb_set_var+0xe7f/0x11d0  do_fb_ioctl+0x6a0/0x750  fb_ioctl+0xe0/0x140  __x64_sys_ioctl+0x193/0x210  do_syscall_64+0x5f/0x9c0  entry_SYSCALL_64_after_hwframe+0x76/0x7e  Based on experimentation and analysis, during framebuffer unregistration, only the memory of fb_info->modelist is freed, without setting the corresponding fb_display[i]->mode to NULL for the freed modes. This leads to UAF issues during subsequent accesses. Here's an example of reproduction steps: 1. With /dev/fb0 already registered in the system, load a kernel module    to register a new device /dev/fb1; 2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP); 3. Switch console from fb to VGA (to allow normal rmmod of the ko); 4. Unload the kernel module, at this point fb1's modelist is freed, leaving    a wild pointer in fb_display[]; 5. Trigger the bug via system calls through fb0 attempting to delete a mode    from fb0.  Add a check in do_unregister_framebuffer(): if the mode to be freed exists in fb_display[], set the corresponding mode pointer to NULL.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40210",
                                "url": "https://ubuntu.com/security/CVE-2025-40210",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  Revert \"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\"  I've found that pynfs COMP6 now leaves the connection or lease in a strange state, which causes CLOSE9 to hang indefinitely. I've dug into it a little, but I haven't been able to root-cause it yet. However, I bisected to commit 48aab1606fa8 (\"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\").  Tianshuo Han also reports a potential vulnerability when decoding an NFSv4 COMPOUND. An attacker can place an arbitrarily large op count in the COMPOUND header, which results in:  [   51.410584] nfsd: vmalloc error: size 1209533382144, exceeds total pages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO), nodemask=(null),cpuset=/,mems_allowed=0  when NFSD attempts to allocate the COMPOUND op array.  Let's restore the operation-per-COMPOUND limit, but increased to 200 for now.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-21 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40324",
                                "url": "https://ubuntu.com/security/CVE-2025-40324",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Fix crash in nfsd4_read_release()  When tracing is enabled, the trace_nfsd_read_done trace point crashes during the pynfs read.testNoFh test.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40326",
                                "url": "https://ubuntu.com/security/CVE-2025-40326",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define actions for the new time_deleg FATTR4 attributes  NFSv4 clients won't send legitimate GETATTR requests for these new attributes because they are intended to be used only with CB_GETATTR and SETATTR. But NFSD has to do something besides crashing if it ever sees a GETATTR request that queries these attributes.  RFC 8881 Section 18.7.3 states:  > The server MUST return a value for each attribute that the client > requests if the attribute is supported by the server for the > target file system. If the server does not support a particular > attribute on the target file system, then it MUST NOT return the > attribute value and MUST NOT set the attribute bit in the result > bitmap. The server MUST return an error if it supports an > attribute on the target but cannot obtain its value. In that case, > no attribute values will be returned.  Further, RFC 9754 Section 5 states:  > These new attributes are invalid to be used with GETATTR, VERIFY, > and NVERIFY, and they can only be used with CB_GETATTR and SETATTR > by a client holding an appropriate delegation.  Thus there does not appear to be a specific server response mandated by specification. Taking the guidance that querying these attributes via GETATTR is \"invalid\", NFSD will return nfserr_inval, failing the request entirely.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40084",
                                "url": "https://ubuntu.com/security/CVE-2025-40084",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ksmbd: transport_ipc: validate payload size before reading handle  handle_response() dereferences the payload as a 4-byte handle without verifying that the declared payload size is at least 4 bytes. A malformed or truncated message from ksmbd.mountd can lead to a 4-byte read past the declared payload size. Validate the size before dereferencing.  This is a minimal fix to guard the initial handle read.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40222",
                                "url": "https://ubuntu.com/security/CVE-2025-40222",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tty: serial: sh-sci: fix RSCI FIFO overrun handling  The receive error handling code is shared between RSCI and all other SCIF port types, but the RSCI overrun_reg is specified as a memory offset, while for other SCIF types it is an enum value used to index into the sci_port_params->regs array, as mentioned above the sci_serial_in() function.  For RSCI, the overrun_reg is CSR (0x48), causing the sci_getreg() call inside the sci_handle_fifo_overrun() function to index outside the bounds of the regs array, which currently has a size of 20, as specified by SCI_NR_REGS.  Because of this, we end up accessing memory outside of RSCI's rsci_port_params structure, which, when interpreted as a plat_sci_reg, happens to have a non-zero size, causing the following WARN when sci_serial_in() is called, as the accidental size does not match the supported register sizes.  The existence of the overrun_reg needs to be checked because SCIx_SH3_SCIF_REGTYPE has overrun_reg set to SCLSR, but SCLSR is not present in the regs array.  Avoid calling sci_getreg() for port types which don't use standard register handling.  Use the ops->read_reg() and ops->write_reg() functions to properly read and write registers for RSCI, and change the type of the status variable to accommodate the 32-bit CSR register.  sci_getreg() and sci_serial_in() are also called with overrun_reg in the sci_mpxed_interrupt() interrupt handler, but that code path is not used for RSCI, as it does not have a muxed interrupt.  
------------[ cut here ]------------ Invalid register access WARNING: CPU: 0 PID: 0 at drivers/tty/serial/sh-sci.c:522 sci_serial_in+0x38/0xac Modules linked in: renesas_usbhs at24 rzt2h_adc industrialio_adc sha256 cfg80211 bluetooth ecdh_generic ecc rfkill fuse drm backlight ipv6 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.17.0-rc1+ #30 PREEMPT Hardware name: Renesas RZ/T2H EVK Board based on r9a09g077m44 (DT) pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : sci_serial_in+0x38/0xac lr : sci_serial_in+0x38/0xac sp : ffff800080003e80 x29: ffff800080003e80 x28: ffff800082195b80 x27: 000000000000000d x26: ffff8000821956d0 x25: 0000000000000000 x24: ffff800082195b80 x23: ffff000180e0d800 x22: 0000000000000010 x21: 0000000000000000 x20: 0000000000000010 x19: ffff000180e72000 x18: 000000000000000a x17: ffff8002bcee7000 x16: ffff800080000000 x15: 0720072007200720 x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720 x11: 0000000000000058 x10: 0000000000000018 x9 : ffff8000821a6a48 x8 : 0000000000057fa8 x7 : 0000000000000406 x6 : ffff8000821fea48 x5 : ffff00033ef88408 x4 : ffff8002bcee7000 x3 : ffff800082195b80 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff800082195b80 Call trace:  sci_serial_in+0x38/0xac (P)  sci_handle_fifo_overrun.isra.0+0x70/0x134  sci_er_interrupt+0x50/0x39c  __handle_irq_event_percpu+0x48/0x140  handle_irq_event+0x44/0xb0  handle_fasteoi_irq+0xf4/0x1a0  handle_irq_desc+0x34/0x58  generic_handle_domain_irq+0x1c/0x28  gic_handle_irq+0x4c/0x140  call_on_irq_stack+0x30/0x48  do_interrupt_handler+0x80/0x84  el1_interrupt+0x34/0x68  el1h_64_irq_handler+0x18/0x24  el1h_64_irq+0x6c/0x70  default_idle_call+0x28/0x58 (P)  do_idle+0x1f8/0x250  cpu_startup_entry+0x34/0x3c  rest_init+0xd8/0xe0  console_on_rootfs+0x0/0x6c  __primary_switched+0x88/0x90 ---[ end trace 0000000000000000 ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40223",
                                "url": "https://ubuntu.com/security/CVE-2025-40223",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  most: usb: Fix use-after-free in hdm_disconnect  hdm_disconnect() calls most_deregister_interface(), which eventually unregisters the MOST interface device with device_unregister(iface->dev). If that drops the last reference, the device core may call release_mdev() immediately while hdm_disconnect() is still executing.  The old code also freed several mdev-owned allocations in hdm_disconnect() and then performed additional put_device() calls. Depending on refcount order, this could lead to use-after-free or double-free when release_mdev() ran (or when unregister paths also performed puts).  Fix by moving the frees of mdev-owned allocations into release_mdev(), so they happen exactly once when the device is truly released, and by dropping the extra put_device() calls in hdm_disconnect() that are redundant after device_unregister() and most_deregister_interface().  This addresses the KASAN slab-use-after-free reported by syzbot in hdm_disconnect(). See report and stack traces in the bug link below.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40106",
                                "url": "https://ubuntu.com/security/CVE-2025-40106",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  comedi: fix divide-by-zero in comedi_buf_munge()  The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path.  Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging.  This prevents potential kernel panics from malformed user commands.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-31 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40224",
                                "url": "https://ubuntu.com/security/CVE-2025-40224",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hwmon: (cgbc-hwmon) Add missing NULL check after devm_kzalloc()  The driver allocates memory for sensor data using devm_kzalloc(), but did not check if the allocation succeeded. In case of memory allocation failure, dereferencing the NULL pointer would lead to a kernel crash.  Add a NULL pointer check and return -ENOMEM to handle allocation failure properly.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40225",
                                "url": "https://ubuntu.com/security/CVE-2025-40225",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/panthor: Fix kernel panic on partial unmap of a GPU VA region  This commit address a kernel panic issue that can happen if Userspace tries to partially unmap a GPU virtual region (aka drm_gpuva). The VM_BIND interface allows partial unmapping of a BO.  Panthor driver pre-allocates memory for the new drm_gpuva structures that would be needed for the map/unmap operation, done using drm_gpuvm layer. It expected that only one new drm_gpuva would be needed on umap but a partial unmap can require 2 new drm_gpuva and that's why it ended up doing a NULL pointer dereference causing a kernel panic.  Following dump was seen when partial unmap was exercised.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078  Mem abort info:    ESR = 0x0000000096000046    EC = 0x25: DABT (current EL), IL = 32 bits    SET = 0, FnV = 0    EA = 0, S1PTW = 0    FSC = 0x06: level 2 translation fault  Data abort info:    ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000    CM = 0, WnR = 1, TnD = 0, TagAccess = 0    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0  user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000  [000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000  Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP  <snip>  pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)  pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]  lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor]  sp : ffff800085d43970  x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000  x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000  x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180  x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010  x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c  x14: 312d3d7361203a70 x13: 
303030323d6e656c x12: ffff80008324bf58  x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c  x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7  x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001  x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078  Call trace:   panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]   op_remap_cb.isra.22+0x50/0x80   __drm_gpuvm_sm_unmap+0x10c/0x1c8   drm_gpuvm_sm_unmap+0x40/0x60   panthor_vm_exec_op+0xb4/0x3d0 [panthor]   panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor]   panthor_ioctl_vm_bind+0x160/0x4a0 [panthor]   drm_ioctl_kernel+0xbc/0x138   drm_ioctl+0x240/0x500   __arm64_sys_ioctl+0xb0/0xf8   invoke_syscall+0x4c/0x110   el0_svc_common.constprop.1+0x98/0xf8   do_el0_svc+0x24/0x38   el0_svc+0x40/0xf8   el0t_64_sync_handler+0xa0/0xc8   el0t_64_sync+0x174/0x178",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40226",
                                "url": "https://ubuntu.com/security/CVE-2025-40226",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  firmware: arm_scmi: Account for failed debug initialization  When the SCMI debug subsystem fails to initialize, the related debug root will be missing, and the underlying descriptor will be NULL.  Handle this fault condition in the SCMI debug helpers that maintain metrics counters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40227",
                                "url": "https://ubuntu.com/security/CVE-2025-40227",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs: dealloc commit test ctx always  The damon_ctx for testing online DAMON parameters commit inputs is deallocated only when the test fails.  This means memory is leaked for every successful online DAMON parameters commit.  Fix the leak by always deallocating it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40228",
                                "url": "https://ubuntu.com/security/CVE-2025-40228",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/sysfs: catch commit test ctx alloc failure  Patch series \"mm/damon/sysfs: fix commit test damon_ctx [de]allocation\".  DAMON sysfs interface dynamically allocates and uses a damon_ctx object for testing if given inputs for online DAMON parameters update is valid. The object is being used without an allocation failure check, and leaked when the test succeeds.  Fix the two bugs.   This patch (of 2):  The damon_ctx for testing online DAMON parameters commit inputs is used without its allocation failure check.  This could result in an invalid memory access.  Fix it by directly returning an error when the allocation failed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40229",
                                "url": "https://ubuntu.com/security/CVE-2025-40229",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm/damon/core: fix potential memory leak by cleaning ops_filter in damon_destroy_scheme  Currently, damon_destroy_scheme() only cleans up the filter list but leaves ops_filter untouched, which could lead to memory leaks when a scheme is destroyed.  This patch ensures both filter and ops_filter are properly freed in damon_destroy_scheme(), preventing potential memory leaks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40230",
                                "url": "https://ubuntu.com/security/CVE-2025-40230",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mm: prevent poison consumption when splitting THP  When performing memory error injection on a THP (Transparent Huge Page) mapped to userspace on an x86 server, the kernel panics with the following trace.  The expected behavior is to terminate the affected process instead of panicking the kernel, as the x86 Machine Check code can recover from an in-userspace #MC.    mce: [Hardware Error]: CPU 0: Machine Check Exception: f Bank 3: bd80000000070134   mce: [Hardware Error]: RIP 10:<ffffffff8372f8bc> {memchr_inv+0x4c/0xf0}   mce: [Hardware Error]: TSC afff7bbff88a ADDR 1d301b000 MISC 80 PPIN 1e741e77539027db   mce: [Hardware Error]: PROCESSOR 0:d06d0 TIME 1758093249 SOCKET 0 APIC 0 microcode 80000320   mce: [Hardware Error]: Run the above through 'mcelog --ascii'   mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel   Kernel panic - not syncing: Fatal local machine check  The root cause of this panic is that handling a memory failure triggered by an in-userspace #MC necessitates splitting the THP.  The splitting process employs a mechanism, implemented in try_to_map_unused_to_zeropage(), which reads the pages in the THP to identify zero-filled pages.  However, reading the pages in the THP results in a second in-kernel #MC, occurring before the initial memory_failure() completes, ultimately leading to a kernel panic.  See the kernel panic call trace on the two #MCs.    
First Machine Check occurs // [1]     memory_failure()         // [2]       try_to_split_thp_page()         split_huge_page()           split_huge_page_to_list_to_order()             __folio_split()  // [3]               remap_page()                 remove_migration_ptes()                   remove_migration_pte()                     try_to_map_unused_to_zeropage()  // [4]                       memchr_inv()                   // [5]                         Second Machine Check occurs  // [6]                           Kernel panic  [1] Triggered by accessing a hardware-poisoned THP in userspace, which is     typically recoverable by terminating the affected process.  [2] Call folio_set_has_hwpoisoned() before try_to_split_thp_page().  [3] Pass the RMP_USE_SHARED_ZEROPAGE remap flag to remap_page().  [4] Try to map the unused THP to zeropage.  [5] Re-access pages in the hw-poisoned THP in the kernel.  [6] Triggered in-kernel, leading to a panic kernel.  In Step[2], memory_failure() sets the poisoned flag on the page in the THP by TestSetPageHWPoison() before calling try_to_split_thp_page().  As suggested by David Hildenbrand, fix this panic by not accessing to the poisoned page in the THP during zeropage identification, while continuing to scan unaffected pages in the THP for possible zeropage mapping.  This prevents a second in-kernel #MC that would cause kernel panic in Step[4].  Thanks to Andrew Zaborowski for his initial work on fixing this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40231",
                                "url": "https://ubuntu.com/security/CVE-2025-40231",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vsock: fix lock inversion in vsock_assign_transport()  Syzbot reported a potential lock inversion deadlock between vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.  The issue was introduced by commit 687aa0c5581b (\"vsock: Fix transport_* TOCTOU\") which added vsock_register_mutex locking in vsock_assign_transport() around the transport->release() call, that can call vsock_linger(). vsock_assign_transport() can be called with sk_lock held. vsock_linger() calls sk_wait_event() that temporarily releases and re-acquires sk_lock. During this window, if another thread holds vsock_register_mutex while trying to acquire sk_lock, a circular dependency is created.  Fix this by releasing vsock_register_mutex before calling transport->release() and vsock_deassign_transport(). This is safe because we don't need to hold vsock_register_mutex while releasing the old transport, and we ensure the new transport won't disappear by obtaining a module reference first via try_module_get().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40233",
                                "url": "https://ubuntu.com/security/CVE-2025-40233",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ocfs2: clear extent cache after moving/defragmenting extents  The extent map cache can become stale when extents are moved or defragmented, causing subsequent operations to see outdated extent flags. This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().  The problem occurs when: 1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED 2. ioctl(FITRIM) triggers ocfs2_move_extents() 3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2) 4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent()    which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0) 5. The extent map cache is not invalidated after the move 6. Later write() operations read stale cached flags (0x2) but disk has    updated flags (0x0), causing a mismatch 7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers  Fix by clearing the extent map cache after each extent move/defrag operation in __ocfs2_move_extents_range().  This ensures subsequent operations read fresh extent data from disk.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40235",
                                "url": "https://ubuntu.com/security/CVE-2025-40235",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots()  If fs_info->super_copy or fs_info->super_for_commit allocated failed in btrfs_get_tree_subvol(), then no need to call btrfs_free_fs_info(). Otherwise btrfs_check_leaked_roots() would access NULL pointer because fs_info->allocated_roots had not been initialised.  syzkaller reported the following information:   ------------[ cut here ]------------   BUG: unable to handle page fault for address: fffffffffffffbb0   #PF: supervisor read access in kernel mode   #PF: error_code(0x0000) - not-present page   PGD 64c9067 P4D 64c9067 PUD 64cb067 PMD 0   Oops: Oops: 0000 [#1] SMP KASAN PTI   CPU: 0 UID: 0 PID: 1402 Comm: syz.1.35 Not tainted 6.15.8 #4 PREEMPT(lazy)   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...)   RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]   RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]   RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]   RIP: 0010:refcount_read include/linux/refcount.h:170 [inline]   RIP: 0010:btrfs_check_leaked_roots+0x18f/0x2c0 fs/btrfs/disk-io.c:1230   [...]   
Call Trace:    <TASK>    btrfs_free_fs_info+0x310/0x410 fs/btrfs/disk-io.c:1280    btrfs_get_tree_subvol+0x592/0x6b0 fs/btrfs/super.c:2029    btrfs_get_tree+0x63/0x80 fs/btrfs/super.c:2097    vfs_get_tree+0x98/0x320 fs/super.c:1759    do_new_mount+0x357/0x660 fs/namespace.c:3899    path_mount+0x716/0x19c0 fs/namespace.c:4226    do_mount fs/namespace.c:4239 [inline]    __do_sys_mount fs/namespace.c:4450 [inline]    __se_sys_mount fs/namespace.c:4427 [inline]    __x64_sys_mount+0x28c/0x310 fs/namespace.c:4427    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0x92/0x180 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x76/0x7e   RIP: 0033:0x7f032eaffa8d   [...]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40236",
                                "url": "https://ubuntu.com/security/CVE-2025-40236",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  virtio-net: zero unused hash fields  When a GSO tunnel is negotiated, virtio_net_hdr_tnl_from_skb() tries to initialize the tunnel metadata but forgets to zero the unused rxhash fields. This may leak information to the other side. Fix this by zeroing the unused hash fields.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40237",
                                "url": "https://ubuntu.com/security/CVE-2025-40237",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  fs/notify: call exportfs_encode_fid with s_umount  Calling inotify_show_fdinfo() on an fd watching an overlayfs inode, while the overlayfs is being unmounted, can lead to dereferencing a NULL pointer.  This issue was found by syzkaller.  Race Condition Diagram:  Thread 1                           Thread 2 --------                           --------  generic_shutdown_super()  shrink_dcache_for_umount   sb->s_root = NULL                      |                     |             vfs_read()                     |              inotify_fdinfo()                     |               * inode get from mark *                     |               show_mark_fhandle(m, inode)                     |                exportfs_encode_fid(inode, ..)                     |                 ovl_encode_fh(inode, ..)                     |                  ovl_check_encode_origin(inode)                     |                   * deref i_sb->s_root *                     |                     |                     v  fsnotify_sb_delete(sb)  Which then leads to:  [   32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [   32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [   32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none)  <snip registers, unreliable trace>  [   32.143353] Call Trace: [   32.143732]  ovl_encode_fh+0xd5/0x170 [   32.144031]  exportfs_encode_inode_fh+0x12f/0x300 [   32.144425]  show_mark_fhandle+0xbe/0x1f0 [   32.145805]  inotify_fdinfo+0x226/0x2d0 [   32.146442]  inotify_show_fdinfo+0x1c5/0x350 [   32.147168]  seq_show+0x530/0x6f0 [   32.147449]  seq_read_iter+0x503/0x12a0 [   32.148419]  seq_read+0x31f/0x410 [   32.150714]  vfs_read+0x1f0/0x9e0 [   32.152297]  ksys_read+0x125/0x240  IOW 
ovl_check_encode_origin derefs inode->i_sb->s_root, after it was set to NULL in the unmount path.  Fix it by protecting calling exportfs_encode_fid() from show_mark_fhandle() with s_umount lock.  This form of fix was suggested by Amir in [1].  [1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40238",
                                "url": "https://ubuntu.com/security/CVE-2025-40238",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/mlx5: Fix IPsec cleanup over MPV device  When we do mlx5e_detach_netdev() we eventually disable blocking events notifier, among those events are IPsec MPV events from IB to core.  So before disabling those blocking events, make sure to also unregister the devcom device and mark all this device operations as complete, in order to prevent the other device from using invalid netdev during future devcom events which could cause the trace below.  BUG: kernel NULL pointer dereference, address: 0000000000000010 PGD 146427067 P4D 146427067 PUD 146488067 PMD 0 Oops: Oops: 0000 [#1] SMP CPU: 1 UID: 0 PID: 7735 Comm: devlink Tainted: GW 6.12.0-rc6_for_upstream_min_debug_2024_11_08_00_46 #1 Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core] Code: 00 01 48 83 05 23 32 1e 00 01 41 b8 ed ff ff ff e9 60 ff ff ff 48 83 05 00 32 1e 00 01 eb e3 66 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 47 10 48 83 05 5f 32 1e 00 01 48 8b 50 40 48 85 d2 74 05 40 RSP: 0018:ffff88811a5c35f8 EFLAGS: 00010206 RAX: ffff888106e8ab80 RBX: ffff888107d7e200 RCX: ffff88810d6f0a00 RDX: ffff88810d6f0a00 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff88811a17e620 R08: 0000000000000040 R09: 0000000000000000 R10: ffff88811a5c3618 R11: 0000000de85d51bd R12: ffff88811a17e600 R13: ffff88810d6f0a00 R14: 0000000000000000 R15: ffff8881034bda80 FS:  00007f27bdf89180(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000010f159005 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  <TASK>  ? __die+0x20/0x60  ? page_fault_oops+0x150/0x3e0  ? 
exc_page_fault+0x74/0x130  ? asm_exc_page_fault+0x22/0x30  ? mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core]  mlx5e_devcom_event_mpv+0x42/0x60 [mlx5_core]  mlx5_devcom_send_event+0x8c/0x170 [mlx5_core]  blocking_event+0x17b/0x230 [mlx5_core]  notifier_call_chain+0x35/0xa0  blocking_notifier_call_chain+0x3d/0x60  mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]  mlx5_core_mp_event_replay+0x12/0x20 [mlx5_core]  mlx5_ib_bind_slave_port+0x228/0x2c0 [mlx5_ib]  mlx5_ib_stage_init_init+0x664/0x9d0 [mlx5_ib]  ? idr_alloc_cyclic+0x50/0xb0  ? __kmalloc_cache_noprof+0x167/0x340  ? __kmalloc_noprof+0x1a7/0x430  __mlx5_ib_add+0x34/0xd0 [mlx5_ib]  mlx5r_probe+0xe9/0x310 [mlx5_ib]  ? kernfs_add_one+0x107/0x150  ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib]  auxiliary_bus_probe+0x3e/0x90  really_probe+0xc5/0x3a0  ? driver_probe_device+0x90/0x90  __driver_probe_device+0x80/0x160  driver_probe_device+0x1e/0x90  __device_attach_driver+0x7d/0x100  bus_for_each_drv+0x80/0xd0  __device_attach+0xbc/0x1f0  bus_probe_device+0x86/0xa0  device_add+0x62d/0x830  __auxiliary_device_add+0x3b/0xa0  ? auxiliary_device_init+0x41/0x90  add_adev+0xd1/0x150 [mlx5_core]  mlx5_rescan_drivers_locked+0x21c/0x300 [mlx5_core]  esw_mode_change+0x6c/0xc0 [mlx5_core]  mlx5_devlink_eswitch_mode_set+0x21e/0x640 [mlx5_core]  devlink_nl_eswitch_set_doit+0x60/0xe0  genl_family_rcv_msg_doit+0xd0/0x120  genl_rcv_msg+0x180/0x2b0  ? devlink_get_from_attrs_lock+0x170/0x170  ? devlink_nl_eswitch_get_doit+0x290/0x290  ? devlink_nl_pre_doit_port_optional+0x50/0x50  ? genl_family_rcv_msg_dumpit+0xf0/0xf0  netlink_rcv_skb+0x54/0x100  genl_rcv+0x24/0x40  netlink_unicast+0x1fc/0x2d0  netlink_sendmsg+0x1e4/0x410  __sock_sendmsg+0x38/0x60  ? sockfd_lookup_light+0x12/0x60  __sys_sendto+0x105/0x160  ? 
__sys_recvmsg+0x4e/0x90  __x64_sys_sendto+0x20/0x30  do_syscall_64+0x4c/0x100  entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f27bc91b13a Code: bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 fa 96 2c 00 45 89 c9 4c 63 d1 48 63 ff 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40239",
                                "url": "https://ubuntu.com/security/CVE-2025-40239",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net: phy: micrel: always set shared->phydev for LAN8814  Currently, during the LAN8814 PTP probe shared->phydev is only set if PTP clock gets actually set, otherwise the function will return before setting it.  This is an issue as shared->phydev is unconditionally being used when IRQ is being handled, especially in lan8814_gpio_process_cap and since it was not set it will cause a NULL pointer exception and crash the kernel.  So, simply always set shared->phydev to avoid the NULL pointer exception.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40240",
                                "url": "https://ubuntu.com/security/CVE-2025-40240",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sctp: avoid NULL dereference when chunk data buffer is missing  chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only.  chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40241",
                                "url": "https://ubuntu.com/security/CVE-2025-40241",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  erofs: fix crafted invalid cases for encoded extents  Robert recently reported two corrupted images that can cause system crashes, which are related to the new encoded extents introduced in Linux 6.15:    - The first one [1] has plen != 0 (e.g. plen == 0x2000000) but     (plen & Z_EROFS_EXTENT_PLEN_MASK) == 0. It is used to represent     special extents such as sparse extents (!EROFS_MAP_MAPPED), but     previously only plen == 0 was handled;    - The second one [2] has pa 0xffffffffffdcffed and plen 0xb4000,     then \"cur [0xfffffffffffff000] += bvec.bv_len [0x1000]\" in     \"} while ((cur += bvec.bv_len) < end);\" wraps around, causing an     out-of-bound access of pcl->compressed_bvecs[] in     z_erofs_submit_queue().  EROFS only supports 48-bit physical block     addresses (up to 1EiB for 4k blocks), so add a sanity check to     enforce this.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40242",
                                "url": "https://ubuntu.com/security/CVE-2025-40242",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  gfs2: Fix unlikely race in gdlm_put_lock  In gdlm_put_lock(), there is a small window of time in which the DFL_UNMOUNT flag has been set but the lockspace hasn't been released, yet.  In that window, dlm may still call gdlm_ast() and gdlm_bast(). To prevent it from dereferencing freed glock objects, only free the glock if the lockspace has actually been released.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40243",
                                "url": "https://ubuntu.com/security/CVE-2025-40243",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()  The syzbot reported issue in hfs_find_set_zero_bits():  ===================================================== BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45  hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45  hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151  hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408  hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353  __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151  block_write_begin fs/buffer.c:2262 [inline]  cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601  hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52  cont_expand_zero fs/buffer.c:2528 [inline]  cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591  hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52  hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494  hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654  notify_change+0x1993/0x1aa0 fs/attr.c:552  do_truncate+0x28f/0x310 fs/open.c:68  do_ftruncate+0x698/0x730 fs/open.c:195  do_sys_ftruncate fs/open.c:210 [inline]  __do_sys_ftruncate fs/open.c:215 [inline]  __se_sys_ftruncate fs/open.c:213 [inline]  __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213  x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  Uninit was created at:  slab_post_alloc_hook mm/slub.c:4154 [inline]  slab_alloc_node mm/slub.c:4197 [inline]  __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354  kmalloc_noprof include/linux/slab.h:905 [inline]  hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175  hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337  get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681  get_tree_bdev+0x38/0x50 fs/super.c:1704  hfs_get_tree+0x35/0x40 fs/hfs/super.c:388  
vfs_get_tree+0xb0/0x5c0 fs/super.c:1804  do_new_mount+0x738/0x1610 fs/namespace.c:3902  path_mount+0x6db/0x1e90 fs/namespace.c:4226  do_mount fs/namespace.c:4239 [inline]  __do_sys_mount fs/namespace.c:4450 [inline]  __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427  __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427  x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 =====================================================  The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get():  HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);  Finally, it can trigger the reported issue because kmalloc() doesn't clear the allocated memory. If allocated memory contains only zeros, then everything will work pretty fine. But if the allocated memory contains the \"garbage\", then it can affect the bitmap operations and it triggers the reported issue.  This patch simply replaces kmalloc() with kzalloc() with the goal to guarantee the correctness of bitmap operations. Because, newly created allocation bitmap should have all available blocks free. Potentially, initialization bitmap's read operation could not fill the whole allocated memory and \"garbage\" in the not initialized memory will be the reason of volume corruptions and file system driver bugs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40244",
                                "url": "https://ubuntu.com/security/CVE-2025-40244",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()  The syzbot reported issue in __hfsplus_ext_cache_extent():  [   70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.195022][ T9350]  __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.195530][ T9350]  hfsplus_file_extend+0x74f/0x1cf0 [   70.195998][ T9350]  hfsplus_get_block+0xe16/0x17b0 [   70.196458][ T9350]  __block_write_begin_int+0x962/0x2ce0 [   70.196959][ T9350]  cont_write_begin+0x1000/0x1950 [   70.197416][ T9350]  hfsplus_write_begin+0x85/0x130 [   70.197873][ T9350]  generic_perform_write+0x3e8/0x1060 [   70.198374][ T9350]  __generic_file_write_iter+0x215/0x460 [   70.198892][ T9350]  generic_file_write_iter+0x109/0x5e0 [   70.199393][ T9350]  vfs_write+0xb0f/0x14e0 [   70.199771][ T9350]  ksys_write+0x23e/0x490 [   70.200149][ T9350]  __x64_sys_write+0x97/0xf0 [   70.200570][ T9350]  x64_sys_call+0x3015/0x3cf0 [   70.201065][ T9350]  do_syscall_64+0xd9/0x1d0 [   70.201506][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [   70.202054][ T9350] [   70.202279][ T9350] Uninit was created at: [   70.202693][ T9350]  __kmalloc_noprof+0x621/0xf80 [   70.203149][ T9350]  hfsplus_find_init+0x8d/0x1d0 [   70.203602][ T9350]  hfsplus_file_extend+0x6ca/0x1cf0 [   70.204087][ T9350]  hfsplus_get_block+0xe16/0x17b0 [   70.204561][ T9350]  __block_write_begin_int+0x962/0x2ce0 [   70.205074][ T9350]  cont_write_begin+0x1000/0x1950 [   70.205547][ T9350]  hfsplus_write_begin+0x85/0x130 [   70.206017][ T9350]  generic_perform_write+0x3e8/0x1060 [   70.206519][ T9350]  __generic_file_write_iter+0x215/0x460 [   70.207042][ T9350]  generic_file_write_iter+0x109/0x5e0 [   70.207552][ T9350]  vfs_write+0xb0f/0x14e0 [   70.207961][ T9350]  ksys_write+0x23e/0x490 [   70.208375][ T9350]  __x64_sys_write+0x97/0xf0 [   70.208810][ T9350]  
x64_sys_call+0x3015/0x3cf0 [   70.209255][ T9350]  do_syscall_64+0xd9/0x1d0 [   70.209680][ T9350]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [   70.210230][ T9350] [   70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5 [   70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [   70.212115][ T9350] ===================================================== [   70.212734][ T9350] Disabling lock debugging due to kernel taint [   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ... [   70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G    B             6.12.0-rc5 #5 [   70.214679][ T9350] Tainted: [B]=BAD_PAGE [   70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [   70.215999][ T9350] Call Trace: [   70.216309][ T9350]  <TASK> [   70.216585][ T9350]  dump_stack_lvl+0x1fd/0x2b0 [   70.217025][ T9350]  dump_stack+0x1e/0x30 [   70.217421][ T9350]  panic+0x502/0xca0 [   70.217803][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0  [   70.218294][ Message fromT sy9350]  kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...  kernel :[   70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [  70.220179][ T9350]  ? kmsan_get_metadata+0x13e/0x1c0 set ... [   70.221254][ T9350]  ? __msan_warning+0x96/0x120 [   70.222066][ T9350]  ? __hfsplus_ext_cache_extent+0x7d0/0x990 [   70.223023][ T9350]  ? hfsplus_file_extend+0x74f/0x1cf0 [   70.224120][ T9350]  ? hfsplus_get_block+0xe16/0x17b0 [   70.224946][ T9350]  ? __block_write_begin_int+0x962/0x2ce0 [   70.225756][ T9350]  ? cont_write_begin+0x1000/0x1950 [   70.226337][ T9350]  ? hfsplus_write_begin+0x85/0x130 [   70.226852][ T9350]  ? generic_perform_write+0x3e8/0x1060 [   70.227405][ T9350]  ? __generic_file_write_iter+0x215/0x460 [   70.227979][ T9350]  ? generic_file_write_iter+0x109/0x5e0 [   70.228540][ T9350]  ? 
vfs_write+0xb0f/0x14e0 [   70.228997][ T9350]  ? ksys_write+0x23e/0x490 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40245",
                                "url": "https://ubuntu.com/security/CVE-2025-40245",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nios2: ensure that memblock.current_limit is set when setting pfn limits  On nios2, with CONFIG_FLATMEM set, the kernel relies on memblock_get_current_limit() to determine the limits of mem_map, in particular for max_low_pfn. Unfortunately, memblock.current_limit is only default initialized to MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading to situations where max_low_pfn can erroneously exceed the value of max_pfn and, thus, the valid range of available DRAM.  This can in turn cause kernel-level paging failures, e.g.:  [   76.900000] Unable to handle kernel paging request at virtual address 20303000 [   76.900000] ea = c0080890, ra = c000462c, cause = 14 [   76.900000] Kernel panic - not syncing: Oops [   76.900000] ---[ end Kernel panic - not syncing: Oops ]---  This patch fixes this by pre-calculating memblock.current_limit based on the upper limits of the available memory ranges via adjust_lowmem_bounds, a simplified version of the equivalent implementation within the arm architecture.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40086",
                                "url": "https://ubuntu.com/security/CVE-2025-40086",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe: Don't allow evicting of BOs in same VM in array of VM binds  An array of VM binds can potentially evict other buffer objects (BOs) within the same VM under certain conditions, which may lead to NULL pointer dereferences later in the bind pipeline. To prevent this, clear the allow_res_evict flag in the xe_bo_validate call.  v2:  - Invert polarity of no_res_evict (Thomas)  - Add comment in code explaining issue (Thomas)  (cherry picked from commit 8b9ba8d6d95fe75fed6b0480bb03da4b321bea08)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40087",
                                "url": "https://ubuntu.com/security/CVE-2025-40087",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  NFSD: Define a proc_layoutcommit for the FlexFiles layout type  Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40088",
                                "url": "https://ubuntu.com/security/CVE-2025-40088",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()  The hfsplus_strcasecmp() logic can trigger the issue:  [  117.317703][ T9855] ================================================================== [  117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490 [  117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855 [  117.319577][ T9855] [  117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full) [  117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [  117.319783][ T9855] Call Trace: [  117.319785][ T9855]  <TASK> [  117.319788][ T9855]  dump_stack_lvl+0x1c1/0x2a0 [  117.319795][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319803][ T9855]  ? __pfx_dump_stack_lvl+0x10/0x10 [  117.319808][ T9855]  ? rcu_is_watching+0x15/0xb0 [  117.319816][ T9855]  ? lock_release+0x4b/0x3e0 [  117.319821][ T9855]  ? __kasan_check_byte+0x12/0x40 [  117.319828][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319835][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319842][ T9855]  print_report+0x17e/0x7e0 [  117.319848][ T9855]  ? __virt_addr_valid+0x1c8/0x5c0 [  117.319855][ T9855]  ? __virt_addr_valid+0x4a5/0x5c0 [  117.319862][ T9855]  ? __phys_addr+0xd3/0x180 [  117.319869][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319876][ T9855]  kasan_report+0x147/0x180 [  117.319882][ T9855]  ? hfsplus_strcasecmp+0x1bc/0x490 [  117.319891][ T9855]  hfsplus_strcasecmp+0x1bc/0x490 [  117.319900][ T9855]  ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10 [  117.319906][ T9855]  hfs_find_rec_by_key+0xa9/0x1e0 [  117.319913][ T9855]  __hfsplus_brec_find+0x18e/0x470 [  117.319920][ T9855]  ? __pfx_hfsplus_bnode_find+0x10/0x10 [  117.319926][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319933][ T9855]  ? 
__pfx___hfsplus_brec_find+0x10/0x10 [  117.319942][ T9855]  hfsplus_brec_find+0x28f/0x510 [  117.319949][ T9855]  ? __pfx_hfs_find_rec_by_key+0x10/0x10 [  117.319956][ T9855]  ? __pfx_hfsplus_brec_find+0x10/0x10 [  117.319963][ T9855]  ? __kmalloc_noprof+0x2a9/0x510 [  117.319969][ T9855]  ? hfsplus_find_init+0x8c/0x1d0 [  117.319976][ T9855]  hfsplus_brec_read+0x2b/0x120 [  117.319983][ T9855]  hfsplus_lookup+0x2aa/0x890 [  117.319990][ T9855]  ? __pfx_hfsplus_lookup+0x10/0x10 [  117.320003][ T9855]  ? d_alloc_parallel+0x2f0/0x15e0 [  117.320008][ T9855]  ? __lock_acquire+0xaec/0xd80 [  117.320013][ T9855]  ? __pfx_d_alloc_parallel+0x10/0x10 [  117.320019][ T9855]  ? __raw_spin_lock_init+0x45/0x100 [  117.320026][ T9855]  ? __init_waitqueue_head+0xa9/0x150 [  117.320034][ T9855]  __lookup_slow+0x297/0x3d0 [  117.320039][ T9855]  ? __pfx___lookup_slow+0x10/0x10 [  117.320045][ T9855]  ? down_read+0x1ad/0x2e0 [  117.320055][ T9855]  lookup_slow+0x53/0x70 [  117.320065][ T9855]  walk_component+0x2f0/0x430 [  117.320073][ T9855]  path_lookupat+0x169/0x440 [  117.320081][ T9855]  filename_lookup+0x212/0x590 [  117.320089][ T9855]  ? __pfx_filename_lookup+0x10/0x10 [  117.320098][ T9855]  ? strncpy_from_user+0x150/0x290 [  117.320105][ T9855]  ? getname_flags+0x1e5/0x540 [  117.320112][ T9855]  user_path_at+0x3a/0x60 [  117.320117][ T9855]  __x64_sys_umount+0xee/0x160 [  117.320123][ T9855]  ? __pfx___x64_sys_umount+0x10/0x10 [  117.320129][ T9855]  ? do_syscall_64+0xb7/0x3a0 [  117.320135][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320141][ T9855]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320145][ T9855]  do_syscall_64+0xf3/0x3a0 [  117.320150][ T9855]  ? 
exc_page_fault+0x9f/0xf0 [  117.320154][ T9855]  entry_SYSCALL_64_after_hwframe+0x77/0x7f [  117.320158][ T9855] RIP: 0033:0x7f7dd7908b07 [  117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08 [  117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 ---truncated---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40162",
                                "url": "https://ubuntu.com/security/CVE-2025-40162",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails  devm_kasprintf() may return NULL on memory allocation failure, but the debug message prints cpus->dai_name before checking it. Move the dev_dbg() call after the NULL check to prevent potential NULL pointer dereference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40085",
                                "url": "https://ubuntu.com/security/CVE-2025-40085",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card  In try_to_register_card(), the return value of usb_ifnum_to_if() is passed directly to usb_interface_claimed() without a NULL check, which will lead to a NULL pointer dereference when creating an invalid USB audio device. Fix this by adding a check to ensure the interface pointer is valid before passing it to usb_interface_claimed().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-29 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40172",
                                "url": "https://ubuntu.com/security/CVE-2025-40172",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()  Currently, if find_and_map_user_pages() takes a DMA xfer request from the user with a length field set to 0, or in a rare case, the host receives QAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_size is equal to the requested transaction size, the function will return 0 before allocating an sgt or setting the fields of the dma_xfer struct. In that case, encode_addr_size_pairs() will try to access the sgt which will lead to a general protection fault.  Return an EINVAL in case the user provides a zero-sized ALP, or the device requests continuation after all of the bytes have been transferred.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40177",
                                "url": "https://ubuntu.com/security/CVE-2025-40177",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  accel/qaic: Fix bootlog initialization ordering  As soon as we queue MHI buffers to receive the bootlog from the device, we could be receiving data. Therefore all the resources needed to process that data need to be setup prior to queuing the buffers.  We currently initialize some of the resources after queuing the buffers which creates a race between the probe() and any data that comes back from the device. If the uninitialized resources are accessed, we could see page faults.  Fix the init ordering to close the race.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40163",
                                "url": "https://ubuntu.com/security/CVE-2025-40163",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  sched/deadline: Stop dl_server before CPU goes offline  IBM CI tool reported kernel warning[1] when running a CPU removal operation through drmgr[2]. i.e \"drmgr -c cpu -r -q 1\"  WARNING: CPU: 0 PID: 0 at kernel/sched/cpudeadline.c:219 cpudl_set+0x58/0x170 NIP [c0000000002b6ed8] cpudl_set+0x58/0x170 LR [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 Call Trace: [c000000002c2f8c0] init_stack+0x78c0/0x8000 (unreliable) [c0000000002b7cb8] dl_server_timer+0x168/0x2a0 [c00000000034df84] __hrtimer_run_queues+0x1a4/0x390 [c00000000034f624] hrtimer_interrupt+0x124/0x300 [c00000000002a230] timer_interrupt+0x140/0x320  Git bisects to: commit 4ae8d9aa9f9d (\"sched/deadline: Fix dl_server getting stuck\")  This happens since: - dl_server hrtimer gets enqueued close to cpu offline, when   kthread_park enqueues a fair task. - CPU goes offline and drmgr removes it from cpu_present_mask. - hrtimer fires and warning is hit.  Fix it by stopping the dl_server before CPU is marked dead.  [1]: https://lore.kernel.org/all/8218e149-7718-4432-9312-f97297c352b9@linux.ibm.com/ [2]: https://github.com/ibm-power-utilities/powerpc-utils/tree/next/src/drmgr  [sshegde: wrote the changelog and tested it]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40174",
                                "url": "https://ubuntu.com/security/CVE-2025-40174",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  x86/mm: Fix SMP ordering in switch_mm_irqs_off()  Stephen noted that it is possible to not have an smp_mb() between the loaded_mm store and the tlb_gen load in switch_mm(), meaning the ordering against flush_tlb_mm_range() goes out the window, and it becomes possible for switch_mm() to not observe a recent tlb_gen update and fail to flush the TLBs.  [ dhansen: merge conflict fixed by Ingo ]",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40089",
                                "url": "https://ubuntu.com/security/CVE-2025-40089",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cxl/features: Add check for no entries in cxl_feature_info  cxl EDAC calls cxl_feature_info() to get the feature information and if the hardware has no Features support, cxlfs may be passed in as NULL.  [   51.957498] BUG: kernel NULL pointer dereference, address: 0000000000000008 [   51.965571] #PF: supervisor read access in kernel mode [   51.971559] #PF: error_code(0x0000) - not-present page [   51.977542] PGD 17e4f6067 P4D 0 [   51.981384] Oops: Oops: 0000 [#1] SMP NOPTI [   51.986300] CPU: 49 UID: 0 PID: 3782 Comm: systemd-udevd Not tainted 6.17.0dj test+ #64 PREEMPT(voluntary) [   51.997355] Hardware name: <removed> [   52.009790] RIP: 0010:cxl_feature_info+0xa/0x80 [cxl_core]  Add a check for cxlfs before dereferencing it and return -EOPNOTSUPP if there is no cxlfs created due to no hardware support.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40176",
                                "url": "https://ubuntu.com/security/CVE-2025-40176",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tls: wait for pending async decryptions if tls_strp_msg_hold fails  Async decryption calls tls_strp_msg_hold to create a clone of the input skb to hold references to the memory it uses. If we fail to allocate that clone, proceeding with async decryption can lead to various issues (UAF on the skb, writing into userspace memory after the recv() call has returned).  In this case, wait for all pending decryption requests.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40164",
                                "url": "https://ubuntu.com/security/CVE-2025-40164",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usbnet: Fix using smp_processor_id() in preemptible code warnings  Syzbot reported the following warning:  BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879 caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary) Call Trace:  <TASK>  __dump_stack lib/dump_stack.c:94 [inline]  dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120  check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49  usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331  usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708  usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417  __dev_set_mtu net/core/dev.c:9443 [inline]  netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496  netif_set_mtu+0xb0/0x160 net/core/dev.c:9520  dev_set_mtu+0xae/0x170 net/core/dev_api.c:247  dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572  dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821  sock_do_ioctl+0x19d/0x280 net/socket.c:1204  sock_ioctl+0x42f/0x6a0 net/socket.c:1311  vfs_ioctl fs/ioctl.c:51 [inline]  __do_sys_ioctl fs/ioctl.c:906 [inline]  __se_sys_ioctl fs/ioctl.c:892 [inline]  __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x77/0x7f  For historical and portability reasons, netif_rx() is usually run in softirq or interrupt context; this commit therefore adds local_bh_disable/enable() protection in usbnet_resume_rx().",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40091",
                                "url": "https://ubuntu.com/security/CVE-2025-40091",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ixgbe: fix too early devlink_free() in ixgbe_remove()  Since ixgbe_adapter is embedded in devlink, calling devlink_free() prematurely in the ixgbe_remove() path can lead to UAF. Move devlink_free() to the end.  KASAN report:   BUG: KASAN: use-after-free in ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]  Read of size 8 at addr ffff0000adf813e0 by task bash/2095  CPU: 1 UID: 0 PID: 2095 Comm: bash Tainted: G S 6.17.0-rc2-tnguy.net-queue+ #1 PREEMPT(full)  [...]  Call trace:   show_stack+0x30/0x90 (C)   dump_stack_lvl+0x9c/0xd0   print_address_description.constprop.0+0x90/0x310   print_report+0x104/0x1f0   kasan_report+0x88/0x180   __asan_report_load8_noabort+0x20/0x30   ixgbe_reset_interrupt_capability+0x140/0x180 [ixgbe]   ixgbe_clear_interrupt_scheme+0xf8/0x130 [ixgbe]   ixgbe_remove+0x2d0/0x8c0 [ixgbe]   pci_device_remove+0xa0/0x220   device_remove+0xb8/0x170   device_release_driver_internal+0x318/0x490   device_driver_detach+0x40/0x68   unbind_store+0xec/0x118   drv_attr_store+0x64/0xb8   sysfs_kf_write+0xcc/0x138   kernfs_fop_write_iter+0x294/0x440   new_sync_write+0x1fc/0x588   vfs_write+0x480/0x6a0   ksys_write+0xf0/0x1e0   __arm64_sys_write+0x70/0xc0   invoke_syscall.constprop.0+0xcc/0x280   el0_svc_common.constprop.0+0xa8/0x248   do_el0_svc+0x44/0x68   el0_svc+0x54/0x160   el0t_64_sync_handler+0xa0/0xe8   el0t_64_sync+0x1b0/0x1b8",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40175",
                                "url": "https://ubuntu.com/security/CVE-2025-40175",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  idpf: cleanup remaining SKBs in PTP flows  When the driver requests Tx timestamp value, one of the first steps is to clone SKB using skb_get. It increases the reference counter for that SKB to prevent unexpected freeing by another component. However, there may be a case where the index is requested, SKB is assigned and never consumed by PTP flows - for example due to reset during running PTP apps.  Add a check in release timestamping function to verify if the SKB assigned to Tx timestamp latch was freed, and release remaining SKBs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40173",
                                "url": "https://ubuntu.com/security/CVE-2025-40173",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  net/ip6_tunnel: Prevent perpetual tunnel growth  Similarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too. While ipv4 tunnel headroom adjustment growth was limited in commit 5ae1e9922bbd (\"net: ip_tunnel: prevent perpetual headroom growth\"), ipv6 tunnel yet increases the headroom without any ceiling.  Reflect ipv4 tunnel headroom adjustment limit on ipv6 version.  Credits to Francesco Ruggeri, who was originally debugging this issue and wrote local Arista-specific patch and a reproducer.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40092",
                                "url": "https://ubuntu.com/security/CVE-2025-40092",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ncm: Refactor bind path to use __free()  After an bind/unbind cycle, the ncm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  ncm_bind+0x39c/0x3dc  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40093",
                                "url": "https://ubuntu.com/security/CVE-2025-40093",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_ecm: Refactor bind path to use __free()  After a bind/unbind cycle, the ecm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40094",
                                "url": "https://ubuntu.com/security/CVE-2025-40094",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_acm: Refactor bind path to use __free()  After an bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace:  usb_ep_free_request+0x2c/0xec  gs_free_req+0x30/0x44  acm_bind+0x1b8/0x1f4  usb_add_function+0xcc/0x1f0  configfs_composite_bind+0x468/0x588  gadget_bind_driver+0x104/0x270  really_probe+0x190/0x374  __driver_probe_device+0xa0/0x12c  driver_probe_device+0x3c/0x218  __device_attach_driver+0x14c/0x188  bus_for_each_drv+0x10c/0x168  __device_attach+0xfc/0x198  device_initial_probe+0x14/0x24  bus_probe_device+0x94/0x11c  device_add+0x268/0x48c  usb_add_gadget+0x198/0x28c  dwc3_gadget_init+0x700/0x858  __dwc3_set_mode+0x3cc/0x664  process_scheduled_works+0x1d8/0x488  worker_thread+0x244/0x334  kthread+0x114/0x1bc  ret_from_fork+0x10/0x20",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40095",
                                "url": "https://ubuntu.com/security/CVE-2025-40095",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  usb: gadget: f_rndis: Refactor bind path to use __free()  After a bind/unbind cycle, the rndis->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.  Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40165",
                                "url": "https://ubuntu.com/security/CVE-2025-40165",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: nxp: imx8-isi: m2m: Fix streaming cleanup on release  If streamon/streamoff calls are imbalanced, such as when exiting an application with Ctrl+C when streaming, the m2m usage_count will never reach zero and the ISI channel won't be freed. Besides from that, if the input line width is more than 2K, it will trigger a WARN_ON():  [ 59.222120] ------------[ cut here ]------------ [ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654 [ 59.238569] Modules linked in: ap1302 [ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT [ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT) [ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120 [ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120 [ 59.275047] sp : ffff8000848c3b40 [ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00 [ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001 [ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780 [ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000 [ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c [ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 [ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30 [ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420 [ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000 [ 59.349590] Call trace: [ 59.352025]  mxc_isi_channel_chain+0xa4/0x120 (P) [ 59.356722]  mxc_isi_m2m_streamon+0x160/0x20c [ 
59.361072]  v4l_streamon+0x24/0x30 [ 59.364556]  __video_do_ioctl+0x40c/0x4a0 [ 59.368560]  video_usercopy+0x2bc/0x690 [ 59.372382]  video_ioctl2+0x18/0x24 [ 59.375857]  v4l2_ioctl+0x40/0x60 [ 59.379168]  __arm64_sys_ioctl+0xac/0x104 [ 59.383172]  invoke_syscall+0x48/0x104 [ 59.386916]  el0_svc_common.constprop.0+0xc0/0xe0 [ 59.391613]  do_el0_svc+0x1c/0x28 [ 59.394915]  el0_svc+0x34/0xf4 [ 59.397966]  el0t_64_sync_handler+0xa0/0xe4 [ 59.402143]  el0t_64_sync+0x198/0x19c [ 59.405801] ---[ end trace 0000000000000000 ]---  Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the v4l2_m2m_ioctl_streamon() and v4l2_m2m_ioctl_streamoff() helpers.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40096",
                                "url": "https://ubuntu.com/security/CVE-2025-40096",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies  When adding dependencies with drm_sched_job_add_dependency(), that function consumes the fence reference both on success and failure, so in the latter case the dma_fence_put() on the error path (xarray failed to expand) is a double free.  Interestingly this bug appears to have been present ever since commit ebd5f74255b9 (\"drm/sched: Add dependency tracking\"), since the code back then looked like this:  drm_sched_job_add_implicit_dependencies(): ...        for (i = 0; i < fence_count; i++) {                ret = drm_sched_job_add_dependency(job, fences[i]);                if (ret)                        break;        }         for (; i < fence_count; i++)                dma_fence_put(fences[i]);  Which means for the failing 'i' the dma_fence_put was already a double free. Possibly there were no users at that time, or the test cases were insufficient to hit it.  The bug was then only noticed and fixed after commit 9c2ba265352a (\"drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2\") landed, with its fixup of commit 4eaf02d6076c (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies\").  At that point it was a slightly different flavour of a double free, which commit 963d0b356935 (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder\") noticed and attempted to fix.  But it only moved the double free from happening inside the drm_sched_job_add_dependency(), when releasing the reference not yet obtained, to the caller, when releasing the reference already released by the former in the failure case.  As such it is not easy to identify the right target for the fixes tag so lets keep it simple and just continue the chain.  
While fixing we also improve the comment and explain the reason for taking the reference and not dropping it.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40097",
                                "url": "https://ubuntu.com/security/CVE-2025-40097",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda: Fix missing pointer check in hda_component_manager_init function  The __component_match_add function may assign the 'matchptr' pointer the value ERR_PTR(-ENOMEM), which will subsequently be dereferenced.  The call stack leading to the error looks like this:  hda_component_manager_init |-> component_match_add     |-> component_match_add_release         |-> __component_match_add ( ... ,**matchptr, ... )             |-> *matchptr = ERR_PTR(-ENOMEM);       // assign |-> component_master_add_with_match( ...  match)     |-> component_match_realloc(match, match->num); // dereference  Add IS_ERR() check to prevent the crash.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40098",
                                "url": "https://ubuntu.com/security/CVE-2025-40098",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state()  Return value of a function acpi_evaluate_dsm() is dereferenced  without checking for NULL, but it is usually checked for this function.  acpi_evaluate_dsm() may return NULL, when acpi_evaluate_object() returns acpi_status other than ACPI_SUCCESS, so add a check to prevent the crash.  Found by Linux Verification Center (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40099",
                                "url": "https://ubuntu.com/security/CVE-2025-40099",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  cifs: parse_dfs_referrals: prevent oob on malformed input  Malicious SMB server can send invalid reply to FSCTL_DFS_GET_REFERRALS  - reply smaller than sizeof(struct get_dfs_referral_rsp) - reply with number of referrals smaller than NumberOfReferrals in the header  Processing of such replies will cause oob.  Return -EINVAL error on such replies to prevent oob-s.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40100",
                                "url": "https://ubuntu.com/security/CVE-2025-40100",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: do not assert we found block group item when creating free space tree  Currently, when building a free space tree at populate_free_space_tree(), if we are not using the block group tree feature, we always expect to find block group items (either extent items or a block group item with key type BTRFS_BLOCK_GROUP_ITEM_KEY) when we search the extent tree with btrfs_search_slot_for_read(), so we assert that we found an item. However this expectation is wrong since we can have a new block group created in the current transaction which is still empty and for which we still have not added the block group's item to the extent tree, in which case we do not have any items in the extent tree associated to the block group.  The insertion of a new block group's block group item in the extent tree happens at btrfs_create_pending_block_groups() when it calls the helper insert_block_group_item(). This typically is done when a transaction handle is released, committed or when running delayed refs (either as part of a transaction commit or when serving tickets for space reservation if we are low on free space).  So remove the assertion at populate_free_space_tree() even when the block group tree feature is not enabled and update the comment to mention this case.  Syzbot reported this with the following stack trace:    BTRFS info (device loop3 state M): rebuilding free space tree   assertion failed: ret == 0 :: 0, in fs/btrfs/free-space-tree.c:1115   ------------[ cut here ]------------   kernel BUG at fs/btrfs/free-space-tree.c:1115!   Oops: invalid opcode: 0000 [#1] SMP KASAN PTI   CPU: 1 UID: 0 PID: 6352 Comm: syz.3.25 Not tainted syzkaller #0 PREEMPT(full)   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025   RIP: 0010:populate_free_space_tree+0x700/0x710 fs/btrfs/free-space-tree.c:1115   Code: ff ff e8 d3 (...)   
RSP: 0018:ffffc9000430f780 EFLAGS: 00010246   RAX: 0000000000000043 RBX: ffff88805b709630 RCX: fea61d0e2e79d000   RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000   RBP: ffffc9000430f8b0 R08: ffffc9000430f4a7 R09: 1ffff92000861e94   R10: dffffc0000000000 R11: fffff52000861e95 R12: 0000000000000001   R13: 1ffff92000861f00 R14: dffffc0000000000 R15: 0000000000000000   FS:  00007f424d9fe6c0(0000) GS:ffff888125afc000(0000) knlGS:0000000000000000   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033   CR2: 00007fd78ad212c0 CR3: 0000000076d68000 CR4: 00000000003526f0   Call Trace:    <TASK>    btrfs_rebuild_free_space_tree+0x1ba/0x6d0 fs/btrfs/free-space-tree.c:1364    btrfs_start_pre_rw_mount+0x128f/0x1bf0 fs/btrfs/disk-io.c:3062    btrfs_remount_rw fs/btrfs/super.c:1334 [inline]    btrfs_reconfigure+0xaed/0x2160 fs/btrfs/super.c:1559    reconfigure_super+0x227/0x890 fs/super.c:1076    do_remount fs/namespace.c:3279 [inline]    path_mount+0xd1a/0xfe0 fs/namespace.c:4027    do_mount fs/namespace.c:4048 [inline]    __do_sys_mount fs/namespace.c:4236 [inline]    __se_sys_mount+0x313/0x410 fs/namespace.c:4213    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]    do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94    entry_SYSCALL_64_after_hwframe+0x77/0x7f    RIP: 0033:0x7f424e39066a   Code: d8 64 89 02 (...)   RSP: 002b:00007f424d9fde68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5   RAX: ffffffffffffffda RBX: 00007f424d9fdef0 RCX: 00007f424e39066a   RDX: 0000200000000180 RSI: 0000200000000380 RDI: 0000000000000000   RBP: 0000200000000180 R08: 00007f424d9fdef0 R09: 0000000000000020   R10: 0000000000000020 R11: 0000000000000246 R12: 0000200000000380   R13: 00007f424d9fdeb0 R14: 0000000000000000 R15: 00002000000002c0    </TASK>   Modules linked in:   ---[ end trace 0000000000000000 ]---",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40101",
                                "url": "https://ubuntu.com/security/CVE-2025-40101",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  btrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST  At the end of btrfs_load_block_group_zone_info() the first thing we do is to ensure that if the mapping type is not a SINGLE one and there is no RAID stripe tree, then we return early with an error.  Doing that, though, prevents the code from running the last calls from this function which are about freeing memory allocated during its run. Hence, in this case, instead of returning early, we set the ret value and fall through the rest of the cleanup code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40167",
                                "url": "https://ubuntu.com/security/CVE-2025-40167",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ext4: detect invalid INLINE_DATA + EXTENTS flag combination  syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal.  The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set:      EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:     comm syz.0.17: corrupted extent tree: lblk 0 < prev 66  Investigation revealed that the inode has both flags set:     DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1  This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks  Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes.  Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40102",
                                "url": "https://ubuntu.com/security/CVE-2025-40102",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  KVM: arm64: Prevent access to vCPU events before init  Another day, another syzkaller bug. KVM erroneously allows userspace to pend vCPU events for a vCPU that hasn't been initialized yet, leading to KVM interpreting a bunch of uninitialized garbage for routing / injecting the exception.  In one case the injection code and the hyp disagree on whether the vCPU has a 32bit EL1 and put the vCPU into an illegal mode for AArch64, tripping the BUG() in exception_target_el() during the next injection:    kernel BUG at arch/arm64/kvm/inject_fault.c:40!   Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP   CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT   Hardware name: linux,dummy-virt (DT)   pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)   pc : exception_target_el+0x88/0x8c   lr : pend_serror_exception+0x18/0x13c   sp : ffff800082f03a10   x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000   x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000   x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004   x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000   x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0   x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000   x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000   x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000   x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000   x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20   Call trace:    exception_target_el+0x88/0x8c (P)    kvm_inject_serror_esr+0x40/0x3b4    __kvm_arm_vcpu_set_events+0xf0/0x100    kvm_arch_vcpu_ioctl+0x180/0x9d4    kvm_vcpu_ioctl+0x60c/0x9f4    __arm64_sys_ioctl+0xac/0x104    invoke_syscall+0x48/0x110    el0_svc_common.constprop.0+0x40/0xe0  
  do_el0_svc+0x1c/0x28    el0_svc+0x34/0xf0    el0t_64_sync_handler+0xa0/0xe4    el0t_64_sync+0x198/0x19c   Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000)  Reject the ioctls outright as no sane VMM would call these before KVM_ARM_VCPU_INIT anyway. Even if it did the exception would've been thrown away by the eventual reset of the vCPU's state.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40103",
                                "url": "https://ubuntu.com/security/CVE-2025-40103",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  smb: client: Fix refcount leak for cifs_sb_tlink  Fix three refcount inconsistency issues related to `cifs_sb_tlink`.  Comments for `cifs_sb_tlink` state that `cifs_put_tlink()` needs to be called after successful calls to `cifs_sb_tlink()`. Three calls fail to update refcount accordingly, leading to possible resource leaks.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40104",
                                "url": "https://ubuntu.com/security/CVE-2025-40104",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ixgbevf: fix mailbox API compatibility by negotiating supported features  There was backward compatibility in the terms of mailbox API. Various drivers from various OSes supporting 10G adapters from Intel portfolio could easily negotiate mailbox API.  This convention has been broken since introducing API 1.4. Commit 0062e7cc955e (\"ixgbevf: add VF IPsec offload code\") added support for IPSec which is specific only for the kernel ixgbe driver. None of the rest of the Intel 10G PF/VF drivers supports it. And actually lack of support was not included in the IPSec implementation - there were no such code paths. No possibility to negotiate support for the feature was introduced along with introduction of the feature itself.  Commit 339f28964147 (\"ixgbevf: Add support for new mailbox communication between PF and VF\") increasing API version to 1.5 did the same - it introduced code supported specifically by the PF ESX driver. It altered API version for the VF driver in the same time not touching the version defined for the PF ixgbe driver. It led to additional discrepancies, as the code provided within API 1.6 cannot be supported for Linux ixgbe driver as it causes crashes.  The issue was noticed some time ago and mitigated by Jake within the commit d0725312adf5 (\"ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5\"). As a result we have regression for IPsec support and after increasing API to version 1.6 ixgbevf driver stopped to support ESX MBX.  To fix this mess add new mailbox op asking PF driver about supported features. Basing on a response determine whether to set support for IPSec and ESX-specific enhanced mailbox.  New mailbox op, for compatibility purposes, must be added within new API revision, as API version of OOT PF & VF drivers is already increased to 1.6 and doesn't incorporate features negotiate op.  
Features negotiation mechanism gives possibility to be extended with new features when needed in the future.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40166",
                                "url": "https://ubuntu.com/security/CVE-2025-40166",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/xe/guc: Check GuC running state before deregistering exec queue  In normal operation, a registered exec queue is disabled and deregistered through the GuC, and freed only after the GuC confirms completion. However, if the driver is forced to unbind while the exec queue is still running, the user may call exec_destroy() after the GuC has already been stopped and CT communication disabled.  In this case, the driver cannot receive a response from the GuC, preventing proper cleanup of exec queue resources. Fix this by directly releasing the resources when GuC is not running.  Here is the failure dmesg log: \" [  468.089581] ---[ end trace 0000000000000000 ]--- [  468.089608] pci 0000:03:00.0: [drm] *ERROR* GT0: GUC ID manager unclean (1/65535) [  468.090558] pci 0000:03:00.0: [drm] GT0:     total 65535 [  468.090562] pci 0000:03:00.0: [drm] GT0:     used 1 [  468.090564] pci 0000:03:00.0: [drm] GT0:     range 1..1 (1) [  468.092716] ------------[ cut here ]------------ [  468.092719] WARNING: CPU: 14 PID: 4775 at drivers/gpu/drm/xe/xe_ttm_vram_mgr.c:298 ttm_vram_mgr_fini+0xf8/0x130 [xe] \"  v2: use xe_uc_fw_is_running() instead of xe_guc_ct_enabled().     As CT may go down and come back during VF migration.  (cherry picked from commit 9b42321a02c50a12b2beb6ae9469606257fbecea)",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-12 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40105",
                                "url": "https://ubuntu.com/security/CVE-2025-40105",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  vfs: Don't leak disconnected dentries on umount  When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb (\"VFS: don't keep disconnected dentries on d_anon\") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitly relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are \"leaked\". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous \"Busy inodes after unmount\" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-30 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40019",
                                "url": "https://ubuntu.com/security/CVE-2025-40019",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: essiv - Check ssize for decryption and in-place encryption  Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-24 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40214",
                                "url": "https://ubuntu.com/security/CVE-2025-40214",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  af_unix: Initialise scc_index in unix_add_edge().  Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro.  The repro consists of three stages.    1)     1-a. Create a single cyclic reference with many sockets     1-b. close() all sockets     1-c. Trigger GC    2)     2-a. Pass sk-A to an embryo sk-B     2-b. Pass sk-X to sk-X     2-c. Trigger GC    3)     3-a. accept() the embryo sk-B     3-b. Pass sk-B to sk-C     3-c. close() the in-flight sk-A     3-d. Trigger GC  As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs:    unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START)   unix_sk(sk-X)->vertex->scc_index = 3  Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC.  At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices.  unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight.  3-c decrements sk-A's file refcnt to 1.  Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X:    sk-A -> sk-B (-> sk-C)   sk-X -> sk-X  This is totally fine.  All of them are not yet close()d and should be grouped into different SCCs.  However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead.    unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong!   &&   sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree                                        ^-- 1 in-flight count for sk-B   -> sk-A is dead !?  
The problem is that unix_add_edge() does not initialise scc_index.  Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c.  Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index.  This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.",
                                "cve_priority": "high",
                                "cve_public_date": "2025-12-04 13:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * questing/linux-riscv: 6.17.0-14.14.1 -proposed tracker (LP: #2137845)",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian.riscv/dkms-versions -- update from kernel-versions",
                            "      (main/2026.01.12)",
                            "",
                            "  [ Ubuntu: 6.17.0-14.14 ]",
                            "",
                            "  * questing/linux: 6.17.0-14.14 -proposed tracker (LP: #2137849)",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian.master/dkms-versions -- update from kernel-versions",
                            "      (main/2026.01.12)",
                            "  * ubuntu_kselftests:_net/net:gre_gso.sh failing (LP: #2136820)",
                            "    - SAUCE increase socat timeout in gre_gso.sh",
                            "  * ubuntu_blktrace_smoke_test fails on questing with rust coreutils",
                            "    (LP: #2137698)",
                            "    - SAUCE: Revert \"ext4: fail unaligned direct IO write with EINVAL\"",
                            "  * bareudp.sh in ubuntu_kselftests_net fails because of dash default shell",
                            "    (LP: #2129812)",
                            "    - selftests: net: use BASH for bareudp testing",
                            "  * CVE-2025-40256",
                            "    - xfrm: also call xfrm_state_delete_tunnel at destroy time for states that",
                            "      were never added",
                            "  * Enable PMF on AMD HPT/STX/KRK (LP: #2125022)",
                            "    - platform/x86/amd/pmf: Add support for adjusting PMF PPT and PPT APU",
                            "      thresholds",
                            "    - platform/x86/amd/pmf: Extend custom BIOS inputs for more policies",
                            "    - platform/x86/amd/pmf: Update ta_pmf_action structure member",
                            "    - platform/x86/amd/pmf: Add helper to verify BIOS input notifications are",
                            "      enable/disable",
                            "    - platform/x86/amd/pmf: Add custom BIOS input support for AMD_CPU_ID_PS",
                            "    - platform/x86/amd/pmf: Preserve custom BIOS inputs for evaluating the",
                            "      policies",
                            "    - platform/x86/amd/pmf: Call enact function sooner to process early",
                            "      pending requests",
                            "    - platform/x86/amd/pmf: Add debug logs for pending requests and custom",
                            "      BIOS inputs",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850)",
                            "    - iommufd/selftest: Fix ioctl return value in _test_cmd_trigger_vevents()",
                            "    - drm/mediatek: Add pm_runtime support for GCE power control",
                            "    - drm/i915: Fix conversion between clock ticks and nanoseconds",
                            "    - drm/amdgpu: set default gfx reset masks for gfx6-8",
                            "    - drm/amd/display: Don't stretch non-native images by default in eDP",
                            "    - smb: client: fix refcount leak in smb2_set_path_attr",
                            "    - iommufd: Make vfio_compat's unmap succeed if the range is already empty",
                            "    - futex: Optimize per-cpu reference counting",
                            "    - drm/amd: Fix suspend failure with secure display TA",
                            "    - drm/xe: Move declarations under conditional branch",
                            "    - drm/xe: Do clean shutdown also when using flr",
                            "    - drm/amd/display: Add pixel_clock to amd_pp_display_configuration",
                            "    - drm/amd/pm: Use pm_display_cfg in legacy DPM (v2)",
                            "    - drm/amd/display: Disable fastboot on DCE 6 too",
                            "    - drm/amd/pm: Disable MCLK switching on SI at high pixel clocks",
                            "    - drm/amd: Disable ASPM on SI",
                            "    - arm64: kprobes: check the return value of set_memory_rox()",
                            "    - compiler_types: Move unused static inline functions warning to W=2",
                            "    - riscv: Build loader.bin exclusively for Canaan K210",
                            "    - RISC-V: clear hot-unplugged cores from all task mm_cpumasks to avoid",
                            "      rfence errors",
                            "    - riscv: acpi: avoid errors caused by probing DT devices when ACPI is used",
                            "    - fs: return EOPNOTSUPP from file_setattr/file_getattr syscalls",
                            "    - ASoC: nau8821: Avoid unnecessary blocking in IRQ handler",
                            "    - NFS4: Fix state renewals missing after boot",
                            "    - drm/amdkfd: fix suspend/resume all calls in mes based eviction path",
                            "    - NFS4: Apply delay_retrans to async operations",
                            "    - HID: intel-thc-hid: intel-quickspi: Add ARL PCI Device Id's",
                            "    - HID: quirks: avoid Cooler Master MM712 dongle wakeup bug",
                            "    - ixgbe: handle IXGBE_VF_GET_PF_LINK_STATE mailbox operation",
                            "    - HID: nintendo: Wait longer for initial probe",
                            "    - NFS: check if suid/sgid was cleared after a write as needed",
                            "    - HID: quirks: Add ALWAYS_POLL quirk for VRS R295 steering wheel",
                            "    - io_uring: fix unexpected placement on same size resizing",
                            "    - HID: logitech-hidpp: Add HIDPP_QUIRK_RESET_HI_RES_SCROLL",
                            "    - ASoC: max98090/91: fixed max98091 ALSA widget powering up/down",
                            "    - ALSA: hda/realtek: Fix mute led for HP Omen 17-cb0xxx",
                            "    - ixgbe: handle IXGBE_VF_FEATURES_NEGOTIATE mbox cmd",
                            "    - wifi: ath11k: zero init info->status in wmi_process_mgmt_tx_comp()",
                            "    - selftests: net: local_termination: Wait for interfaces to come up",
                            "    - net: fec: correct rx_bytes statistic for the case SHIFT16 is set",
                            "    - net: phy: micrel: Introduce lanphy_modify_page_reg",
                            "    - net: phy: micrel: Replace hardcoded pages with defines",
                            "    - net: phy: micrel: lan8814 fix reset of the QSGMII interface",
                            "    - rust: Add -fno-isolate-erroneous-paths-dereference to",
                            "      bindgen_skip_c_flags",
                            "    - NFSD: Skip close replay processing if XDR encoding fails",
                            "    - Bluetooth: 6lowpan: fix BDADDR_LE vs ADDR_LE_DEV address type confusion",
                            "    - Bluetooth: 6lowpan: Don't hold spin lock over sleeping functions",
                            "    - Bluetooth: hci_conn: Fix not cleaning up PA_LINK connections",
                            "    - net: dsa: tag_brcm: do not mark link local traffic as offloaded",
                            "    - net/smc: fix mismatch between CLC header and proposal",
                            "    - net/handshake: Fix memory leak in tls_handshake_accept()",
                            "    - net: ethernet: ti: am65-cpsw-qos: fix IET verify/response timeout",
                            "    - net: ethernet: ti: am65-cpsw-qos: fix IET verify retry mechanism",
                            "    - net: mdio: fix resource leak in mdiobus_register_device()",
                            "    - wifi: mac80211: skip rate verification for not captured PSDUs",
                            "    - Bluetooth: hci_event: Fix not handling PA Sync Lost event",
                            "    - net/mlx5e: Fix missing error assignment in mlx5e_xfrm_add_state()",
                            "    - net/mlx5e: Fix maxrate wraparound in threshold between units",
                            "    - net/mlx5e: Fix wraparound in rate limiting for values above 255 Gbps",
                            "    - net/mlx5e: Fix potentially misleading debug message",
                            "    - net/mlx5: Fix typo of MLX5_EQ_DOORBEL_OFFSET",
                            "    - net/mlx5: Store the global doorbell in mlx5_priv",
                            "    - net/mlx5e: Prepare for using different CQ doorbells",
                            "    - net_sched: limit try_bulk_dequeue_skb() batches",
                            "    - wifi: iwlwifi: mvm: fix beacon template/fixed rate",
                            "    - wifi: iwlwifi: mld: always take beacon ies in link grading",
                            "    - virtio-net: fix incorrect flags recording in big mode",
                            "    - hsr: Fix supervision frame sending on HSRv0",
                            "    - hsr: Follow standard for HSRv0 supervision frames",
                            "    - ACPI: CPPC: Detect preferred core availability on online CPUs",
                            "    - ACPI: CPPC: Check _CPC validity for only the online CPUs",
                            "    - ACPI: CPPC: Perform fast check switch only for online CPUs",
                            "    - ACPI: CPPC: Limit perf ctrs in PCC check only to online CPUs",
                            "    - cpufreq: intel_pstate: Check IDA only before MSR_IA32_PERF_CTL writes",
                            "    - Bluetooth: L2CAP: export l2cap_chan_hold for modules",
                            "    - io_uring/rsrc: don't use blk_rq_nr_phys_segments() as number of bvecs",
                            "    - acpi,srat: Fix incorrect device handle check for Generic Initiator",
                            "    - regulator: fixed: fix GPIO descriptor leak on register failure",
                            "    - ASoC: cs4271: Fix regulator leak on probe failure",
                            "    - ASoC: codecs: va-macro: fix resource leak in probe error path",
                            "    - drm/vmwgfx: Restore Guest-Backed only cursor plane support",
                            "    - ASoC: tas2781: fix getting the wrong device number",
                            "    - pnfs: Fix TLS logic in _nfs4_pnfs_v3_ds_connect()",
                            "    - pnfs: Fix TLS logic in _nfs4_pnfs_v4_ds_connect()",
                            "    - pnfs: Set transport security policy to RPC_XPRTSEC_NONE unless using TLS",
                            "    - simplify nfs_atomic_open_v23()",
                            "    - NFSv2/v3: Fix error handling in nfs_atomic_open_v23()",
                            "    - NFS: sysfs: fix leak when nfs_client kobject add fails",
                            "    - NFSv4: Fix an incorrect parameter when calling nfs4_call_sync()",
                            "    - drm/amd/amdgpu: Ensure isp_kernel_buffer_alloc() creates a new BO",
                            "    - acpi/hmat: Fix lockdep warning for hmem_register_resource()",
                            "    - ASoC: rsnd: fix OF node reference leak in rsnd_ssiu_probe()",
                            "    - drm/client: fix MODULE_PARM_DESC string for \"active\"",
                            "    - irqchip/riscv-intc: Add missing free() callback in riscv_intc_domain_ops",
                            "    - lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN",
                            "    - hostfs: Fix only passing host root in boot stage with new mount",
                            "    - afs: Fix dynamic lookup to fail on cell lookup failure",
                            "    - mtd: onenand: Pass correct pointer to IRQ handler",
                            "    - virtio-fs: fix incorrect check for fsvq->kobj",
                            "    - fs/namespace: correctly handle errors returned by grab_requested_mnt_ns",
                            "    - perf header: Write bpf_prog (infos|btfs)_cnt to data file",
                            "    - perf build: Don't fail fast path feature detection when binutils-devel",
                            "      is not available",
                            "    - perf lock: Fix segfault due to missing kernel map",
                            "    - perf test shell lock_contention: Extra debug diagnostics",
                            "    - perf test: Fix lock contention test",
                            "    - arm64: dts: rockchip: Set correct pinctrl for I2S1 8ch TX on odroid-m1",
                            "    - arm64: dts: rockchip: Fix PCIe power enable pin for BigTreeTech CB2 and",
                            "      Pi2",
                            "    - arm64: dts: rockchip: Make RK3588 GPU OPP table naming less generic",
                            "    - ARM: dts: imx6ull-engicam-microgea-rmm: fix report-rate-hz value",
                            "    - ARM: dts: imx51-zii-rdu1: Fix audmux node names",
                            "    - arm64: dts: imx8-ss-img: Avoid gpio0_mipi_csi GPIOs being deferred",
                            "    - arm64: dts: imx8mp-kontron: Fix USB OTG role switching",
                            "    - HID: hid-ntrig: Prevent memory leak in ntrig_report_version()",
                            "    - ARM: dts: BCM53573: Fix address of Luxul XAP-1440's Ethernet PHY",
                            "    - arm64: dts: rockchip: Fix USB power enable pin for BTT CB2 and Pi2",
                            "    - arm64: dts: rockchip: drop reset from rk3576 i2c9 node",
                            "    - pwm: adp5585: Correct mismatched pwm chip info",
                            "    - HID: playstation: Fix memory leak in dualshock4_get_calibration_data()",
                            "    - HID: uclogic: Fix potential memory leak in error path",
                            "    - LoongArch: KVM: Restore guest PMU if it is enabled",
                            "    - LoongArch: KVM: Add delay until timer interrupt injected",
                            "    - LoongArch: KVM: Fix max supported vCPUs set with EIOINTC",
                            "    - KVM: arm64: Make all 32bit ID registers fully writable",
                            "    - KVM: SVM: Mark VMCB_LBR dirty when MSR_IA32_DEBUGCTLMSR is updated",
                            "    - KVM: nSVM: Always recalculate LBR MSR intercepts in svm_update_lbrv()",
                            "    - KVM: nSVM: Fix and simplify LBR virtualization handling with nested",
                            "    - KVM: VMX: Fix check for valid GVA on an EPT violation",
                            "    - nfsd: add missing FATTR4_WORD2_CLONE_BLKSIZE from supported attributes",
                            "    - gcov: add support for GCC 15",
                            "    - kho: warn and exit when unpreserved page wasn't preserved",
                            "    - strparser: Fix signed/unsigned mismatch bug",
                            "    - dma-mapping: benchmark: Restore padding to ensure uABI remained",
                            "      consistent",
                            "    - maple_tree: fix tracepoint string pointers",
                            "    - LoongArch: Consolidate early_ioremap()/ioremap_prot()",
                            "    - LoongArch: Use correct accessor to read FWPC/MWPC",
                            "    - LoongArch: Let {pte,pmd}_modify() record the status of _PAGE_DIRTY",
                            "    - mm/damon/sysfs: change next_update_jiffies to a global variable",
                            "    - selftests/tracing: Run sample events to clear page cache events",
                            "    - wifi: mac80211: reject address change while connecting",
                            "    - mm/huge_memory: preserve PG_has_hwpoisoned if a folio is split to >0",
                            "      order",
                            "    - mm/mm_init: fix hash table order logging in alloc_large_system_hash()",
                            "    - mm/damon/stat: change last_refresh_jiffies to a global variable",
                            "    - mm/kmsan: fix kmsan kmalloc hook when no stack depots are allocated yet",
                            "    - mm/shmem: fix THP allocation and fallback loop",
                            "    - mm/mremap: honour writable bit in mremap pte batching",
                            "    - mm/huge_memory: fix folio split check for anon folios in swapcache",
                            "    - mmc: sdhci-of-dwcmshc: Change DLL_STRBIN_TAPNUM_DEFAULT to 0x4",
                            "    - mmc: pxamci: Simplify pxamci_probe() error handling using devm APIs",
                            "    - mmc: dw_mmc-rockchip: Fix wrong internal phase calculate",
                            "    - ASoC: sdw_utils: fix device reference leak in is_sdca_endpoint_present()",
                            "    - crypto: hisilicon/qm - Fix device reference leak in qm_get_qos_value",
                            "    - smb: client: fix cifs_pick_channel when channel needs reconnect",
                            "    - spi: Try to get ACPI GPIO IRQ earlier",
                            "    - x86/microcode/AMD: Add Zen5 model 0x44, stepping 0x1 minrev",
                            "    - x86/CPU/AMD: Add additional fixed RDSEED microcode revisions",
                            "    - selftests/user_events: fix type cast for write_index packed member in",
                            "      perf_test",
                            "    - gendwarfksyms: Skip files with no exports",
                            "    - ftrace: Fix BPF fexit with livepatch",
                            "    - LoongArch: Consolidate max_pfn & max_low_pfn calculation",
                            "    - LoongArch: Use physical addresses for CSR_MERRENTRY/CSR_TLBRENTRY",
                            "    - EDAC/altera: Handle OCRAM ECC enable after warm reset",
                            "    - EDAC/altera: Use INTTEST register for Ethernet and USB SBE injection",
                            "    - PM: hibernate: Emit an error when image writing fails",
                            "    - PM: hibernate: Use atomic64_t for compressed_size variable",
                            "    - btrfs: zoned: fix conventional zone capacity calculation",
                            "    - btrfs: zoned: fix stripe width calculation",
                            "    - btrfs: scrub: put bio after errors in scrub_raid56_parity_stripe()",
                            "    - btrfs: do not update last_log_commit when logging inode due to a new",
                            "      name",
                            "    - btrfs: release root after error in data_reloc_print_warning_inode()",
                            "    - drm/amdkfd: relax checks for over allocation of save area",
                            "    - drm/amdgpu: disable peer-to-peer access for DCC-enabled GC12 VRAM",
                            "      surfaces",
                            "    - drm/i915/psr: fix pipe to vblank conversion",
                            "    - drm/xe/xe3lpg: Extend Wa_15016589081 for xe3lpg",
                            "    - drm/xe/xe3: Extend wa_14023061436",
                            "    - drm/xe/xe3: Add WA_14024681466 for Xe3_LPG",
                            "    - pmdomain: imx: Fix reference count leak in imx_gpc_remove",
                            "    - pmdomain: samsung: plug potential memleak during probe",
                            "    - pmdomain: samsung: Rework legacy splash-screen handover workaround",
                            "    - selftests: mptcp: connect: fix fallback note due to OoO",
                            "    - selftests: mptcp: join: rm: set backup flag",
                            "    - selftests: mptcp: join: endpoints: longer transfer",
                            "    - selftests: mptcp: connect: trunc: read all recv data",
                            "    - selftests: mptcp: join: userspace: longer transfer",
                            "    - selftests: mptcp: join: properly kill background tasks",
                            "    - mm/huge_memory: do not change split_huge_page*() target order silently",
                            "    - mm/memory: do not populate page table entries beyond i_size",
                            "    - scripts/decode_stacktrace.sh: symbol: avoid trailing whitespaces",
                            "    - scripts/decode_stacktrace.sh: symbol: preserve alignment",
                            "    - scripts/decode_stacktrace.sh: fix build ID and PC source parsing",
                            "    - ASoC: da7213: Convert to DEFINE_RUNTIME_DEV_PM_OPS()",
                            "    - ASoC: da7213: Use component driver suspend/resume",
                            "    - KVM: x86: Rename local \"ecx\" variables to \"msr\" and \"pmc\" as appropriate",
                            "    - KVM: x86: Add support for RDMSR/WRMSRNS w/ immediate on Intel",
                            "    - KVM: VMX: Inject #UD if guest tries to execute SEAMCALL or TDCALL",
                            "    - isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()",
                            "    - net: phy: micrel: Fix lan8814_config_init",
                            "    - Linux 6.17.9",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68204",
                            "    - pmdomain: arm: scmi: Fix genpd leak on provider registration failure",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68203",
                            "    - drm/amdgpu: fix lock warning in amdgpu_userq_fence_driver_process",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40267",
                            "    - io_uring/rw: ensure allocated iovec gets cleared for early failure",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68198",
                            "    - crash: fix crashkernel resource shrink",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68199",
                            "    - codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for",
                            "      slabobj_ext",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40268",
                            "    - cifs: client: fix memory leak in smb3_fs_context_parse_param",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40269",
                            "    - ALSA: usb-audio: Fix potential overflow of PCM transfer buffer",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68205",
                            "    - ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40270",
                            "    - mm, swap: fix potential UAF issue for VMA readahead",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40271",
                            "    - fs/proc: fix uaf in proc_readdir_de()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40272",
                            "    - mm/secretmem: fix use-after-free race in fault handler",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68245",
                            "    - net: netpoll: fix incorrect refcount handling causing incorrect cleanup",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68240",
                            "    - nilfs2: avoid having an active sc_timer before freeing sci",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68241",
                            "    - ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68211",
                            "    - ksm: use range-walk function to jump over holes in",
                            "      scan_get_next_rmap_item",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68246",
                            "    - ksmbd: close accepted socket when per-IP limit rejects connection",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40273",
                            "    - NFSD: free copynotify stateid in nfs4_free_ol_stateid()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40212",
                            "    - nfsd: fix refcount leak in nfsd_set_fh_dentry()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40274",
                            "    - KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68202",
                            "    - sched_ext: Fix unsafe locking in the scx_dump_state()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68239",
                            "    - binfmt_misc: restore write access before closing files opened by",
                            "      open_exec()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68247",
                            "    - posix-timers: Plug potential memory leak in do_timer_create()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68208",
                            "    - bpf: account for current allocated stack depth in",
                            "      widen_imprecise_scalars()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68200",
                            "    - bpf: Add bpf_prog_run_data_pointers()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40275",
                            "    - ALSA: usb-audio: Fix NULL pointer dereference in",
                            "      snd_usb_mixer_controls_badd",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68242",
                            "    - NFS: Fix LTP test failures when timestamps are delegated",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68243",
                            "    - NFS: Check the TLS certificate fields in nfs_match_client()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40276",
                            "    - drm/panthor: Flush shmem writes before mapping buffers CPU-uncached",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40277",
                            "    - drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68206",
                            "    - netfilter: nft_ct: add seqadj extension for natted connections",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68209",
                            "    - mlx5: Fix default values in create CQ",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40278",
                            "    - net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-",
                            "      infoleak",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40279",
                            "    - net: sched: act_connmark: initialize struct tc_ife to fix kernel leak",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40280",
                            "    - tipc: Fix use-after-free in tipc_mon_reinit_self().",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40281",
                            "    - sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40282",
                            "    - Bluetooth: 6lowpan: reset link-local header on ipv6 recv path",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40283",
                            "    - Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40284",
                            "    - Bluetooth: MGMT: cancel mesh send timer when hdev removed",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68210",
                            "    - erofs: avoid infinite loop due to incomplete zstd-compressed data",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40285",
                            "    - smb/server: fix possible refcount leak in smb2_sess_setup()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40286",
                            "    - smb/server: fix possible memory leak in smb2_read()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40287",
                            "    - exfat: fix improper check of dentry.stream.valid_size",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40288",
                            "    - drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-40289",
                            "    - drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68201",
                            "    - drm/amdgpu: remove two invalid BUG_ON()s",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68207",
                            "    - drm/xe/guc: Synchronize Dead CT worker with unbind",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136850) //",
                            "    CVE-2025-68244",
                            "    - drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833)",
                            "    - Revert \"Bluetooth: L2CAP: convert timeouts to secs_to_jiffies()\"",
                            "    - sched_ext: Mark scx_bpf_dsq_move_set_[slice|vtime]() with KF_RCU",
                            "    - net: usb: asix_devices: Check return value of usbnet_get_endpoints",
                            "    - fbdev: atyfb: Check if pll_ops->init_pll failed",
                            "    - ACPI: button: Call input_free_device() on failing input device",
                            "      registration",
                            "    - ACPI: fan: Use platform device for devres-related actions",
                            "    - virtio-net: drop the multi-buffer XDP packet in zerocopy",
                            "    - batman-adv: Release references to inactive interfaces",
                            "    - Bluetooth: rfcomm: fix modem control handling",
                            "    - net: phy: dp83867: Disable EEE support as not implemented",
                            "    - fbdev: pvr2fb: Fix leftover reference to ONCHIP_NR_DMA_CHANNELS",
                            "    - fbdev: valkyriefb: Fix reference count leak in valkyriefb_init",
                            "    - mptcp: drop bogus optimization in __mptcp_check_push()",
                            "    - mptcp: restore window probe",
                            "    - ASoC: qdsp6: q6asm: do not sleep while atomic",
                            "    - ASoC: renesas: rz-ssi: Use proper dma_buffer_pos after resume",
                            "    - s390/pci: Restore IRQ unconditionally for the zPCI device",
                            "    - x86/build: Disable SSE4a",
                            "    - wifi: ath10k: Fix memory leak on unsupported WMI command",
                            "    - wifi: ath11k: Add missing platform IDs for quirk table",
                            "    - wifi: ath12k: free skb during idr cleanup callback",
                            "    - wifi: ath11k: avoid bit operation on key flags",
                            "    - drm/msm/a6xx: Fix GMU firmware parser",
                            "    - ALSA: usb-audio: fix control pipe direction",
                            "    - ASoC: cs-amp-lib-test: Fix missing include of kunit/test-bug.h",
                            "    - wifi: mac80211: reset FILS discovery and unsol probe resp intervals",
                            "    - wifi: mac80211: fix key tailroom accounting leak",
                            "    - wifi: nl80211: call kfree without a NULL check",
                            "    - kunit: test_dev_action: Correctly cast 'priv' pointer to long*",
                            "    - scsi: ufs: core: Initialize value of an attribute returned by uic cmd",
                            "    - scsi: core: Fix the unit attention counter implementation",
                            "    - bpf: Do not audit capability check in do_jit()",
                            "    - nvmet-auth: update sc_c in host response",
                            "    - crypto: s390/phmac - Do not modify the req->nbytes value",
                            "    - ASoC: Intel: avs: Unprepare a stream when XRUN occurs",
                            "    - ASoC: fsl_sai: fix bit order for DSD format",
                            "    - ASoC: fsl_micfil: correct the endian format for DSD",
                            "    - libbpf: Fix powerpc's stack register definition in bpf_tracing.h",
                            "    - ASoC: mediatek: Fix double pm_runtime_disable in remove functions",
                            "    - Bluetooth: ISO: Fix BIS connection dst_type handling",
                            "    - Bluetooth: btmtksdio: Add pmctrl handling for BT closed state during",
                            "      reset",
                            "    - Bluetooth: HCI: Fix tracking of advertisement set/instance 0x00",
                            "    - Bluetooth: ISO: Fix another instance of dst_type handling",
                            "    - Bluetooth: btintel_pcie: Fix event packet loss issue",
                            "    - Bluetooth: hci_conn: Fix connection cleanup with BIG with 2 or more BIS",
                            "    - Bluetooth: hci_core: Fix tracking of periodic advertisement",
                            "    - bpf: Conditionally include dynptr copy kfuncs",
                            "    - drm/msm: Ensure vm is created in VM_BIND ioctl",
                            "    - ALSA: usb-audio: add mono main switch to Presonus S1824c",
                            "    - ALSA: usb-audio: don't log messages meant for 1810c when initializing",
                            "      1824c",
                            "    - ACPI: MRRM: Check revision of MRRM table",
                            "    - drm/etnaviv: fix flush sequence logic",
                            "    - tools: ynl: fix string attribute length to include null terminator",
                            "    - net: hns3: return error code when function fails",
                            "    - sfc: fix potential memory leak in efx_mae_process_mport()",
                            "    - tools: ynl: avoid print_field when there is no reply",
                            "    - dpll: spec: add missing module-name and clock-id to pin-get reply",
                            "    - ASoC: fsl_sai: Fix sync error in consumer mode",
                            "    - ASoC: soc_sdw_utils: remove cs42l43 component_name",
                            "    - drm/amd/pm: fix smu table id bound check issue in smu_cmn_update_table()",
                            "    - drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji",
                            "    - drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland",
                            "    - drm/amdgpu: fix SPDX headers on amdgpu_cper.c/h",
                            "    - drm/amdgpu: fix SPDX header on amd_cper.h",
                            "    - drm/amdgpu: fix SPDX header on irqsrcs_vcn_5_0.h",
                            "    - ACPI: fan: Use ACPI handle when retrieving _FST",
                            "    - block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL",
                            "    - block: make REQ_OP_ZONE_OPEN a write operation",
                            "    - dma-fence: Fix safe access wrapper to call timeline name method",
                            "    - kbuild: align modinfo section for Secureboot Authenticode EDK2 compat",
                            "    - regmap: irq: Correct documentation of wake_invert flag",
                            "    - [Config] Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP for s390x",
                            "    - s390/mm: Fix memory leak in add_marker() when kvrealloc() fails",
                            "    - drm/xe: Do not wake device during a GT reset",
                            "    - drm/sched: avoid killing parent entity on child SIGKILL",
                            "    - drm/sched: Fix race in drm_sched_entity_select_rq()",
                            "    - drm/nouveau: Fix race in nouveau_sched_fini()",
                            "    - drm/i915/dmc: Clear HRR EVT_CTL/HTP to zero on ADL-S",
                            "    - drm/ast: Clear preserved bits from register output value",
                            "    - drm/amd: Check that VPE has reached DPM0 in idle handler",
                            "    - drm/amd/display: Fix incorrect return of vblank enable on unconfigured",
                            "      crtc",
                            "    - drm/amd/display: Don't program BLNDGAM_MEM_PWR_FORCE when CM low-power",
                            "      is disabled on DCN30",
                            "    - drm/amd/display: Add HDR workaround for a specific eDP",
                            "    - mptcp: leverage skb deferral free",
                            "    - mptcp: fix MSG_PEEK stream corruption",
                            "    - cpuidle: governors: menu: Rearrange main loop in menu_select()",
                            "    - cpuidle: governors: menu: Select polling state in some more cases",
                            "    - PM: hibernate: Combine return paths in power_down()",
                            "    - PM: sleep: Allow pm_restrict_gfp_mask() stacking",
                            "    - mfd: kempld: Switch back to earlier ->init() behavior",
                            "    - soc: aspeed: socinfo: Add AST27xx silicon IDs",
                            "    - firmware: qcom: scm: preserve assign_mem() error return value",
                            "    - soc: qcom: smem: Fix endian-unaware access of num_entries",
                            "    - spi: loopback-test: Don't use %pK through printk",
                            "    - spi: spi-qpic-snand: handle 'use_ecc' parameter of",
                            "      qcom_spi_config_cw_read()",
                            "    - soc: ti: pruss: don't use %pK through printk",
                            "    - bpf: Don't use %pK through printk",
                            "    - mmc: sdhci: Disable SD card clock before changing parameters",
                            "    - pinctrl: single: fix bias pull up/down handling in pin_config_set",
                            "    - mmc: host: renesas_sdhi: Fix the actual clock",
                            "    - memstick: Add timeout to prevent indefinite waiting",
                            "    - cpufreq: ti: Add support for AM62D2",
                            "    - bpf: Use tnums for JEQ/JNE is_branch_taken logic",
                            "    - firmware: ti_sci: Enable abort handling of entry to LPM",
                            "    - firewire: ohci: move self_id_complete tracepoint after validating",
                            "      register",
                            "    - irqchip/sifive-plic: Respect mask state when setting affinity",
                            "    - irqchip/loongson-eiointc: Route interrupt parsed from bios table",
                            "    - ACPI: sysfs: Use ACPI_FREE() for freeing an ACPI object",
                            "    - ACPI: video: force native for Lenovo 82K8",
                            "    - libbpf: Fix USDT SIB argument handling causing unrecognized register",
                            "      error",
                            "    - selftests/bpf: Fix bpf_prog_detach2 usage in test_lirc_mode2",
                            "    - arm64: versal-net: Update rtc calibration value",
                            "    - Revert \"UBUNTU: SAUCE: firmware: qcom: scm: Allow QSEECOM on Dell",
                            "      Inspiron 7441 / Latitude 7455\"",
                            "    - firmware: qcom: scm: Allow QSEECOM on Dell Inspiron 7441 / Latitude 7455",
                            "    - kselftest/arm64: tpidr2: Switch to waitpid() over wait4()",
                            "    - arc: Fix __fls() const-foldability via __builtin_clzl()",
                            "    - selftests/bpf: Upon failures, exit with code 1 in test_xsk.sh",
                            "    - irqchip/gic-v2m: Handle Multiple MSI base IRQ Alignment",
                            "    - ACPI: PRM: Skip handlers with NULL handler_address or NULL VA",
                            "    - ACPI: resource: Skip IRQ override on ASUS Vivobook Pro N6506CU",
                            "    - ACPI: scan: Add Intel CVS ACPI HIDs to acpi_ignore_dep_ids[]",
                            "    - thermal: gov_step_wise: Allow cooling level to be reduced earlier",
                            "    - thermal: intel: selftests: workload_hint: Mask unsupported types",
                            "    - power: supply: qcom_battmgr: add OOI chemistry",
                            "    - hwmon: (k10temp) Add thermal support for AMD Family 1Ah-based models",
                            "    - hwmon: (k10temp) Add device ID for Strix Halo",
                            "    - hwmon: (lenovo-ec-sensors) Update P8 supprt",
                            "    - hwmon: (sbtsi_temp) AMD CPU extended temperature range support",
                            "    - pinctrl: renesas: rzg2l: Add suspend/resume support for Schmitt control",
                            "      registers",
                            "    - pinctrl: keembay: release allocated memory in detach path",
                            "    - power: supply: sbs-charger: Support multiple devices",
                            "    - io_uring/rsrc: respect submitter_task in io_register_clone_buffers()",
                            "    - hwmon: sy7636a: add alias",
                            "    - selftests/bpf: Fix incorrect array size calculation",
                            "    - block: check for valid bio while splitting",
                            "    - irqchip/loongson-pch-lpc: Use legacy domain for PCH-LPC IRQ controller",
                            "    - cpufreq: ondemand: Update the efficient idle check for Intel extended",
                            "      Families",
                            "    - arm64: zynqmp: Disable coresight by default",
                            "    - arm64: zynqmp: Revert usb node drive strength and slew rate for zcu106",
                            "    - soc/tegra: fuse: Add Tegra114 nvmem cells and fuse lookups",
                            "    - ARM: tegra: p880: set correct touchscreen clipping",
                            "    - ARM: tegra: transformer-20: add missing magnetometer interrupt",
                            "    - ARM: tegra: transformer-20: fix audio-codec interrupt",
                            "    - firmware: qcom: tzmem: disable sc7180 platform",
                            "    - soc: ti: k3-socinfo: Add information for AM62L SR1.1",
                            "    - mmc: sdhci-msm: Enable tuning for SDR50 mode for SD card",
                            "    - pwm: pca9685: Use bulk write to atomicially update registers",
                            "    - ACPICA: dispatcher: Use acpi_ds_clear_operands() in",
                            "      acpi_ds_call_control_method()",
                            "    - tee: allow a driver to allocate a tee_device without a pool",
                            "    - kunit: Enable PCI on UML without triggering WARN()",
                            "    - selftests/bpf: Fix arena_spin_lock selftest failure",
                            "    - bpf: Do not limit bpf_cgroup_from_id to current's namespace",
                            "    - i3c: mipi-i3c-hci-pci: Add support for Intel Wildcat Lake-U I3C",
                            "    - rust: kunit: allow `cfg` on `test`s",
                            "    - video: backlight: lp855x_bl: Set correct EPROM start for LP8556",
                            "    - i3c: dw: Add shutdown support to dw_i3c_master driver",
                            "    - io_uring/zcrx: check all niovs filled with dma addresses",
                            "    - tools/cpupower: fix error return value in cpupower_write_sysfs()",
                            "    - io_uring/zcrx: account niov arrays to cgroup",
                            "    - pmdomain: apple: Add \"apple,t8103-pmgr-pwrstate\"",
                            "    - power: supply: qcom_battmgr: handle charging state change notifications",
                            "    - bpftool: Fix -Wuninitialized-const-pointer warnings with clang >= 21",
                            "    - cpuidle: Fail cpuidle device registration if there is one already",
                            "    - selftests/bpf: Fix selftest verifier_arena_large failure",
                            "    - selftests: ublk: fix behavior when fio is not installed",
                            "    - spi: rpc-if: Add resume support for RZ/G3E",
                            "    - ACPI: SPCR: Support Precise Baud Rate field",
                            "    - clocksource/drivers/vf-pit: Replace raw_readl/writel to readl/writel",
                            "    - clocksource/drivers/timer-rtl-otto: Work around dying timers",
                            "    - clocksource/drivers/timer-rtl-otto: Do not interfere with interrupts",
                            "    - riscv: bpf: Fix uninitialized symbol 'retval_off'",
                            "    - bpf: Clear pfmemalloc flag when freeing all fragments",
                            "    - selftests: drv-net: Pull data before parsing headers",
                            "    - nvme: Use non zero KATO for persistent discovery connections",
                            "    - uprobe: Do not emulate/sstep original instruction when ip is changed",
                            "    - hwmon: (asus-ec-sensors) increase timeout for locking ACPI mutex",
                            "    - hwmon: (dell-smm) Remove Dell Precision 490 custom config data",
                            "    - hwmon: (dell-smm) Add support for Dell OptiPlex 7040",
                            "    - tools/cpupower: Fix incorrect size in cpuidle_state_disable()",
                            "    - selftests/bpf: Fix flaky bpf_cookie selftest",
                            "    - tools/power turbostat: Fix incorrect sorting of PMT telemetry",
                            "    - tools/power x86_energy_perf_policy: Fix incorrect fopen mode usage",
                            "    - tools/power x86_energy_perf_policy: Enhance HWP enable",
                            "    - tools/power x86_energy_perf_policy: Prefer driver HWP limits",
                            "    - mfd: simple-mfd-i2c: Add compatible strings for Layerscape QIXIS FPGA",
                            "    - mfd: stmpe: Remove IRQ domain upon removal",
                            "    - mfd: stmpe-i2c: Add missing MODULE_LICENSE",
                            "    - mfd: qnap-mcu: Handle errors returned from qnap_mcu_write",
                            "    - mfd: qnap-mcu: Include linux/types.h in qnap-mcu.h shared header",
                            "    - mfd: madera: Work around false-positive -Wininitialized warning",
                            "    - mfd: da9063: Split chip variant reading in two bus transactions",
                            "    - mfd: macsmc: Add \"apple,t8103-smc\" compatible",
                            "    - mfd: core: Increment of_node's refcount before linking it to the",
                            "      platform device",
                            "    - mfd: cs42l43: Move IRQ enable/disable to encompass force suspend",
                            "    - mfd: intel-lpss: Add Intel Wildcat Lake LPSS PCI IDs",
                            "    - drm/xe/ptl: Apply Wa_16026007364",
                            "    - drm/xe/configfs: Enforce canonical device names",
                            "    - drm/amd/display: Update tiled to tiled copy command",
                            "    - drm/amd/display: fix condition for setting timing_adjust_pending",
                            "    - drm/amd/display: ensure committing streams is seamless",
                            "    - drm/amdgpu: add range check for RAS bad page address",
                            "    - drm/amdgpu: Check vcn sram load return value",
                            "    - drm/amd/display: Remove check DPIA HPD status for BW Allocation",
                            "    - drm/amd/display: Increase AUX Intra-Hop Done Max Wait Duration",
                            "    - drm/amd/display: Fix dmub_cmd header alignment",
                            "    - drm/xe/guc: Add more GuC load error status codes",
                            "    - drm/xe/pf: Don't resume device from restart worker",
                            "    - drm/amdgpu: Fix build error when CONFIG_SUSPEND is disabled",
                            "    - drm/amdgpu: Update IPID value for bad page threshold CPER",
                            "    - drm/amdgpu: Avoid rma causes GPU duplicate reset",
                            "    - drm/amdgpu: Effective health check before reset",
                            "    - drm/amd/amdgpu: Release xcp drm memory after unplug",
                            "    - drm/amdgpu: Fix vcn v5.0.1 poison irq call trace",
                            "    - drm/xe: Extend wa_13012615864 to additional Xe2 and Xe3 platforms",
                            "    - drm/amdgpu: Skip poison aca bank from UE channel",
                            "    - drm/amd/display: add more cyan skillfish devices",
                            "    - drm/amdgpu: Initialize jpeg v5_0_1 ras function",
                            "    - drm/amdgpu: skip mgpu fan boost for multi-vf",
                            "    - drm/amd/display: fix dmub access race condition",
                            "    - drm/amd/display: update dpp/disp clock from smu clock table",
                            "    - drm/amd/pm: Use cached metrics data on aldebaran",
                            "    - drm/amd/pm: Use cached metrics data on arcturus",
                            "    - accel/amdxdna: Unify pm and rpm suspend and resume callbacks",
                            "    - drm/amdgpu/jpeg: Hold pg_lock before jpeg poweroff",
                            "    - drm/xe/pf: Program LMTT directory pointer on all GTs within a tile",
                            "    - drm/nouveau: replace snprintf() with scnprintf() in nvkm_snprintbf()",
                            "    - ASoC: tas2781: Add keyword \"init\" in profile section",
                            "    - ASoC: mediatek: Use SND_JACK_AVOUT for HDMI/DP jacks",
                            "    - drm/amd/display: Reset apply_eamless_boot_optimization when dpms_off",
                            "    - drm/amdgpu: add to custom amdgpu_drm_release drm_dev_enter/exit",
                            "    - drm/amd/display: Wait until OTG enable state is cleared",
                            "    - drm/xe: rework PDE PAT index selection",
                            "    - docs: kernel-doc: avoid script crash on ancient Python",
                            "    - drm/sharp-memory: Do not access GEM-DMA vaddr directly",
                            "    - PCI: Disable MSI on RDC PCI to PCIe bridges",
                            "    - drm/nouveau: always set RMDevidCheckIgnore for GSP-RM",
                            "    - drm/panel-edp: Add SHP LQ134Z1 panel for Dell XPS 9345",
                            "    - selftests/net: Replace non-standard __WORDSIZE with sizeof(long) * 8",
                            "    - selftests/net: Ensure assert() triggers in psock_tpacket.c",
                            "    - wifi: rtw89: print just once for unknown C2H events",
                            "    - wifi: rtw88: sdio: use indirect IO for device registers before power-on",
                            "    - wifi: rtw89: add dummy C2H handlers for BCN resend and update done",
                            "    - drm/amdkfd: return -ENOTTY for unsupported IOCTLs",
                            "    - selftests: drv-net: devmem: add / correct the IPv6 support",
                            "    - selftests: drv-net: devmem: flip the direction of Tx tests",
                            "    - media: pci: ivtv: Don't create fake v4l2_fh",
                            "    - media: amphion: Delete v4l2_fh synchronously in .release()",
                            "    - drm/tidss: Use the crtc_* timings when programming the HW",
                            "    - drm/bridge: cdns-dsi: Fix REG_WAKEUP_TIME value",
                            "    - drm/bridge: cdns-dsi: Don't fail on MIPI_DSI_MODE_VIDEO_BURST",
                            "    - drm/tidss: Set crtc modesetting parameters with adjusted mode",
                            "    - drm/tidss: Remove early fb",
                            "    - RDMA/mana_ib: Drain send wrs of GSI QP",
                            "    - media: i2c: Kconfig: Ensure a dependency on HAVE_CLK for",
                            "      VIDEO_CAMERA_SENSOR",
                            "    - PCI/ERR: Update device error_state already after reset",
                            "    - x86/vsyscall: Do not require X86_PF_INSTR to emulate vsyscall",
                            "    - net: stmmac: Check stmmac_hw_setup() in stmmac_resume()",
                            "    - ice: Don't use %pK through printk or tracepoints",
                            "    - thunderbolt: Use is_pciehp instead of is_hotplug_bridge",
                            "    - ASoC: es8323: enable DAPM power widgets for playback DAC and output",
                            "    - powerpc/eeh: Use result of error_detected() in uevent",
                            "    - s390/pci: Use pci_uevent_ers() in PCI recovery",
                            "    - bridge: Redirect to backup port when port is administratively down",
                            "    - selftests: drv-net: wait for carrier",
                            "    - net: phy: mscc: report and configure in-band auto-negotiation for",
                            "      SGMII/QSGMII",
                            "    - scsi: ufs: host: mediatek: Fix auto-hibern8 timer configuration",
                            "    - scsi: ufs: host: mediatek: Fix PWM mode switch issue",
                            "    - scsi: ufs: host: mediatek: Assign power mode userdata before FASTAUTO",
                            "      mode change",
                            "    - scsi: ufs: host: mediatek: Change reset sequence for improved stability",
                            "    - scsi: ufs: host: mediatek: Fix invalid access in vccqx handling",
                            "    - gpu: nova-core: register: allow fields named `offset`",
                            "    - drm/panthor: Serialize GPU cache flush operations",
                            "    - HID: pidff: Use direction fix only for conditional effects",
                            "    - HID: pidff: PERMISSIVE_CONTROL quirk autodetection",
                            "    - drm/bridge: display-connector: don't set OP_DETECT for DisplayPorts",
                            "    - drm/amdkfd: Handle lack of READ permissions in SVM mapping",
                            "    - drm/amdgpu: refactor bad_page_work for corner case handling",
                            "    - hwrng: timeriomem - Use us_to_ktime() where appropriate",
                            "    - iio: adc: spear_adc: mask SPEAR_ADC_STATUS channel and avg sample before",
                            "      setting register",
                            "    - iio: adc: imx93_adc: load calibrated values even calibration failed",
                            "    - usb: gadget: f_ncm: Fix MAC assignment NCM ethernet",
                            "    - ASoC: es8323: remove DAC enablement write from es8323_probe",
                            "    - ASoC: es8323: add proper left/right mixer controls via DAPM",
                            "    - ASoC: codecs: wsa883x: Handle shared reset GPIO for WSA883x speakers",
                            "    - drm/xe: Make page size consistent in loop",
                            "    - wifi: rtw89: wow: remove notify during WoWLAN net-detect",
                            "    - wifi: rtw89: fix BSSID comparison for non-transmitted BSSID",
                            "    - wifi: rtw89: 8851b: rfk: update IQK TIA setting",
                            "    - dm error: mark as DM_TARGET_PASSES_INTEGRITY",
                            "    - char: misc: Make misc_register() reentry for miscdevice who wants",
                            "      dynamic minor",
                            "    - char: misc: Does not request module for miscdevice with dynamic minor",
                            "    - net: When removing nexthops, don't call synchronize_net if it is not",
                            "      necessary",
                            "    - net: Call trace_sock_exceed_buf_limit() for memcg failure with",
                            "      SK_MEM_RECV.",
                            "    - dmaengine: idxd: Add a new IAA device ID for Wildcat Lake family",
                            "      platforms",
                            "    - PCI/P2PDMA: Fix incorrect pointer usage in devm_kfree() call",
                            "    - bnxt_en: Add Hyper-V VF ID",
                            "    - tty: serial: Modify the use of dev_err_probe()",
                            "    - ALSA: usb-audio: Add validation of UAC2/UAC3 effect units",
                            "    - Octeontx2-af: Broadcast XON on all channels",
                            "    - idpf: do not linearize big TSO packets",
                            "    - drm/xe/pcode: Initialize data0 for pcode read routine",
                            "    - drm/panel: ilitek-ili9881c: turn off power-supply when init fails",
                            "    - drm/panel: ilitek-ili9881c: move display_on/_off dcs calls to",
                            "      (un-)prepare",
                            "    - rds: Fix endianness annotation for RDS_MPATH_HASH",
                            "    - net: wangxun: limit tx_max_coalesced_frames_irq",
                            "    - iio: imu: bmi270: Match PNP ID found on newer GPD firmware",
                            "    - media: ipu6: isys: Set embedded data type correctly for metadata formats",
                            "    - rpmsg: char: Export alias for RPMSG ID rpmsg-raw from table",
                            "    - net: ipv4: allow directed broadcast routes to use dst hint",
                            "    - scsi: mpi3mr: Fix device loss during enclosure reboot due to zero link",
                            "      speed",
                            "    - wifi: rtw89: coex: Limit Wi-Fi scan slot cost to avoid A2DP glitch",
                            "    - scsi: mpi3mr: Fix I/O failures during controller reset",
                            "    - scsi: mpi3mr: Fix controller init failure on fault during queue creation",
                            "    - scsi: pm80xx: Fix race condition caused by static variables",
                            "    - extcon: adc-jack: Fix wakeup source leaks on device unbind",
                            "    - extcon: fsa9480: Fix wakeup source leaks on device unbind",
                            "    - extcon: axp288: Fix wakeup source leaks on device unbind",
                            "    - drm/xe: Set GT as wedged before sending wedged uevent",
                            "    - remoteproc: wkup_m3: Use devm_pm_runtime_enable() helper",
                            "    - drm/xe/wcl: Extend L3bank mask workaround",
                            "    - net: phy: fixed_phy: let fixed_phy_unregister free the phy_device",
                            "    - selftests: drv-net: hds: restore hds settings",
                            "    - fuse: zero initialize inode private data",
                            "    - virtio_fs: fix the hash table using in virtio_fs_enqueue_req()",
                            "    - selftests: pci_endpoint: Skip IRQ test if IRQ is out of range.",
                            "    - drm/xe: Ensure GT is in C0 during resumes",
                            "    - misc: pci_endpoint_test: Skip IRQ tests if irq is out of range",
                            "    - drm/amdgpu: Correct the loss of aca bank reg info",
                            "    - drm/amdgpu: Correct the counts of nr_banks and nr_errors",
                            "    - drm/amdkfd: fix vram allocation failure for a special case",
                            "    - drm/amd/display: Support HW cursor 180 rot for any number of pipe splits",
                            "    - drm/amdkfd: Tie UNMAP_LATENCY to queue_preemption",
                            "    - drm/amd/display: wait for otg update pending latch before clock",
                            "      optimization",
                            "    - drm/amd/display: Consider sink max slice width limitation for dsc",
                            "    - drm/amdgpu/vpe: cancel delayed work in hw_fini",
                            "    - drm/xe: Cancel pending TLB inval workers on teardown",
                            "    - net: Prevent RPS table overwrite of active flows",
                            "    - eth: fbnic: Reset hw stats upon PCI error",
                            "    - wifi: iwlwifi: mld: trigger mlo scan only when not in EMLSR",
                            "    - platform/x86/intel-uncore-freq: Fix warning in partitioned system",
                            "    - drm/msm/dpu: Filter modes based on adjusted mode clock",
                            "    - drm/msm: Use of_reserved_mem_region_to_resource() for \"memory-region\"",
                            "    - selftests: drv-net: rss_ctx: fix the queue count check",
                            "    - media: fix uninitialized symbol warnings",
                            "    - media: pci: mgb4: Fix timings comparison in VIDIOC_S_DV_TIMINGS",
                            "    - ASoC: SOF: ipc4-pcm: Add fixup for channels",
                            "    - drm/amdgpu: Notify pmfw bad page threshold exceeded",
                            "    - drm/amd/display: Increase minimum clock for TMDS 420 with pipe splitting",
                            "    - drm/amdgpu: Avoid jpeg v5.0.1 poison irq call trace on sriov guest",
                            "    - drm/amd/display: incorrect conditions for failing dto calculations",
                            "    - drm/amdgpu: Avoid vcn v5.0.1 poison irq call trace on sriov guest",
                            "    - drm/amdgpu: Respect max pixel clock for HDMI and DVI-D (v2)",
                            "    - mips: lantiq: danube: add missing properties to cpu node",
                            "    - mips: lantiq: danube: add model to EASY50712 dts",
                            "    - mips: lantiq: danube: add missing device_type in pci node",
                            "    - mips: lantiq: xway: sysctrl: rename stp clock",
                            "    - mips: lantiq: danube: rename stp node on EASY50712 reference board",
                            "    - inet_diag: annotate data-races in inet_diag_bc_sk()",
                            "    - microchip: lan865x: add ndo_eth_ioctl handler to enable PHY ioctl",
                            "      support",
                            "    - crypto: qat - use kcalloc() in qat_uclo_map_objs_from_mof()",
                            "    - scsi: pm8001: Use int instead of u32 to store error codes",
                            "    - iio: adc: ad7124: do not require mclk",
                            "    - scsi: ufs: exynos: fsd: Gate ref_clk and put UFS device in reset on",
                            "      suspend",
                            "    - media: imx-mipi-csis: Only set clock rate when specified in DT",
                            "    - wifi: iwlwifi: pcie: remember when interrupts are disabled",
                            "    - drm/st7571-i2c: add support for inverted pixel format",
                            "    - ptp: Limit time setting of PTP clocks",
                            "    - dmaengine: sh: setup_xref error handling",
                            "    - dmaengine: mv_xor: match alloc_wc and free_wc",
                            "    - dmaengine: dw-edma: Set status for callback_result",
                            "    - netfilter: nf_tables: all transaction allocations can now sleep",
                            "    - drm/msm/dsi/phy: Toggle back buffer resync after preparing PLL",
                            "    - drm/msm/dsi/phy_7nm: Fix missing initial VCO rate",
                            "    - drm/amdgpu: Allow kfd CRIU with no buffer objects",
                            "    - drm/xe/guc: Increase GuC crash dump buffer size",
                            "    - drm/amd/pm: Increase SMC timeout on SI and warn (v3)",
                            "    - move_mount(2): take sanity checks in 'beneath' case into do_lock_mount()",
                            "    - selftests: drv-net: rss_ctx: make the test pass with few queues",
                            "    - ipv6: Add sanity checks on ipv6_devconf.rpl_seg_enabled",
                            "    - drm/xe: Extend Wa_22021007897 to Xe3 platforms",
                            "    - wifi: mac80211: count reg connection element in the size",
                            "    - drm/panthor: check bo offset alignment in vm bind",
                            "    - drm: panel-backlight-quirks: Make EDID match optional",
                            "    - ixgbe: reduce number of reads when getting OROM data",
                            "    - netlink: specs: fou: change local-v6/peer-v6 check",
                            "    - net: nfc: nci: Increase NCI_DATA_TIMEOUT to 3000 ms",
                            "    - media: adv7180: Add missing lock in suspend callback",
                            "    - media: adv7180: Do not write format to device in set_fmt",
                            "    - media: adv7180: Only validate format in querystd",
                            "    - media: verisilicon: Explicitly disable selection api ioctls for decoders",
                            "    - wifi: mac80211: Fix 6 GHz Band capabilities element advertisement in",
                            "      lower bands",
                            "    - platform/x86: think-lmi: Add extra TC BIOS error messages",
                            "    - platform/x86/intel-uncore-freq: Present unique domain ID per package",
                            "    - ALSA: usb-audio: apply quirk for MOONDROP Quark2",
                            "    - PCI: imx6: Enable the Vaux supply if available",
                            "    - drm/xe/guc: Set upper limit of H2G retries over CTB",
                            "    - net: call cond_resched() less often in __release_sock()",
                            "    - smsc911x: add second read of EEPROM mac when possible corruption seen",
                            "    - drm/xe: improve dma-resv handling for backup object",
                            "    - iommu/amd: Add support to remap/unmap IOMMU buffers for kdump",
                            "    - iommu/amd: Skip enabling command/event buffers for kdump",
                            "    - iommu/amd: Reuse device table for kdump",
                            "    - crypto: ccp: Skip SEV and SNP INIT for kdump boot",
                            "    - iommu/apple-dart: Clear stream error indicator bits for T8110 DARTs",
                            "    - bus: mhi: host: pci_generic: Add support for all Foxconn T99W696 SKU",
                            "      variants",
                            "    - drm/amdgpu: Correct info field of bad page threshold exceed CPER",
                            "    - drm/amd: add more cyan skillfish PCI ids",
                            "    - drm/amdgpu: don't enable SMU on cyan skillfish",
                            "    - drm/amdgpu: add support for cyan skillfish gpu_info",
                            "    - drm/amd/display: Fix pbn_div Calculation Error",
                            "    - drm/amd/display: dont wait for pipe update during medupdate/highirq",
                            "    - drm/amd/pm: refine amdgpu pm sysfs node error code",
                            "    - drm/amd/display: Indicate when custom brightness curves are in use",
                            "    - selftests: ncdevmem: don't retry EFAULT",
                            "    - net: dsa: felix: support phy-mode = \"10g-qxgmii\"",
                            "    - usb: gadget: f_hid: Fix zero length packet transfer",
                            "    - serial: qcom-geni: Add DFS clock mode support to GENI UART driver",
                            "    - serdev: Drop dev_pm_domain_detach() call",
                            "    - tty/vt: Add missing return value for VT_RESIZE in vt_ioctl()",
                            "    - eeprom: at25: support Cypress FRAMs without device ID",
                            "    - drm/msm/adreno: Add speedbins for A663 GPU",
                            "    - drm/msm: Fix 32b size truncation",
                            "    - dt-bindings: display/msm/gmu: Update Adreno 623 bindings",
                            "    - drm/msm: make sure to not queue up recovery more than once",
                            "    - char: Use list_del_init() in misc_deregister() to reinitialize list",
                            "      pointer",
                            "    - drm/msm/adreno: Add speedbin data for A623 GPU",
                            "    - drm/msm/adreno: Add fenced regwrite support",
                            "    - drm/msm/a6xx: Switch to GMU AO counter",
                            "    - idpf: link NAPIs to queues",
                            "    - selftests: net: make the dump test less sensitive to mem accounting",
                            "    - PCI: endpoint: pci-epf-test: Limit PCIe BAR size for fixed BARs",
                            "    - wifi: rtw89: Add USB ID 2001:332a for D-Link AX9U rev. A1",
                            "    - wifi: rtw89: Add USB ID 2001:3327 for D-Link AX18U rev. A1",
                            "    - wifi: iwlwifi: fw: Add ASUS to PPAG and TAS list",
                            "    - drm/xe/i2c: Enable bus mastering",
                            "    - media: ov08x40: Fix the horizontal flip control",
                            "    - media: i2c: og01a1b: Specify monochrome media bus format instead of",
                            "      Bayer",
                            "    - media: qcom: camss: csiphy-3ph: Add CSIPHY 2ph DPHY v2.0.1 init sequence",
                            "    - drm/bridge: write full Audio InfoFrame",
                            "    - drm/xe/guc: Always add CT disable action during second init step",
                            "    - f2fs: fix wrong layout information on 16KB page",
                            "    - selftests: mptcp: join: allow more time to send ADD_ADDR",
                            "    - scsi: ufs: host: mediatek: Enhance recovery on resume failure",
                            "    - scsi: ufs: ufs-qcom: Align programming sequence of Shared ICE for UFS",
                            "      controller v5",
                            "    - scsi: ufs: host: mediatek: Fix unbalanced IRQ enable issue",
                            "    - scsi: ufs: host: mediatek: Enhance recovery on hibernation exit failure",
                            "    - net: phy: marvell: Fix 88e1510 downshift counter errata",
                            "    - scsi: ufs: host: mediatek: Correct system PM flow",
                            "    - scsi: ufs: host: mediatek: Disable auto-hibern8 during power mode",
                            "      changes",
                            "    - scsi: ufs: host: mediatek: Fix adapt issue after PA_Init",
                            "    - wifi: cfg80211: update the time stamps in hidden ssid",
                            "    - wifi: mac80211: Fix HE capabilities element check",
                            "    - fbcon: Use screen info to find primary device",
                            "    - phy: cadence: cdns-dphy: Enable lower resolutions in dphy",
                            "    - Fix access to video_is_primary_device() when compiled without",
                            "      CONFIG_VIDEO",
                            "    - phy: renesas: r8a779f0-ether-serdes: add new step added to latest",
                            "      datasheet",
                            "    - phy: rockchip: phy-rockchip-inno-csidphy: allow writes to grf register 0",
                            "    - drm/msm/registers: Generate _HI/LO builders for reg64",
                            "    - net: sh_eth: Disable WoL if system can not suspend",
                            "    - selftests: net: replace sleeps in fcnal-test with waits",
                            "    - media: redrat3: use int type to store negative error codes",
                            "    - platform/x86/amd/pmf: Fix the custom bios input handling mechanism",
                            "    - selftests: traceroute: Use require_command()",
                            "    - selftests: traceroute: Return correct value on failure",
                            "    - openrisc: Add R_OR1K_32_PCREL relocation type module support",
                            "    - netfilter: nf_reject: don't reply to icmp error messages",
                            "    - x86/kvm: Prefer native qspinlock for dedicated vCPUs irrespective of",
                            "      PV_UNHALT",
                            "    - x86/virt/tdx: Use precalculated TDVPR page physical address",
                            "    - selftests: Disable dad for ipv6 in fcnal-test.sh",
                            "    - eth: 8139too: Make 8139TOO_PIO depend on !NO_IOPORT_MAP",
                            "    - [Config] No longer enable `CONFIG_8139TOO_PIO` for armhf",
                            "    - selftests: Replace sleep with slowwait",
                            "    - net: devmem: expose tcp_recvmsg_locked errors",
                            "    - selftests: net: lib.sh: Don't defer failed commands",
                            "    - HID: asus: add Z13 folio to generic group for multitouch to work",
                            "    - watchdog: s3c2410_wdt: Fix max_timeout being calculated larger",
                            "    - crypto: sun8i-ce - remove channel timeout field",
                            "    - PCI: dwc: Verify the single eDMA IRQ in dw_pcie_edma_irq_verify()",
                            "    - crypto: ccp - Fix incorrect payload size calculation in",
                            "      psp_poulate_hsti()",
                            "    - crypto: caam - double the entropy delay interval for retry",
                            "    - can: rcar_canfd: Update bit rate constants for RZ/G3E and R-Car Gen4",
                            "    - net: mana: Reduce waiting time if HWC not responding",
                            "    - ionic: use int type for err in ionic_get_module_eeprom_by_page",
                            "    - net/cls_cgroup: Fix task_get_classid() during qdisc run",
                            "    - wifi: mt76: mt7921: Add 160MHz beamformee capability for mt7922 device",
                            "    - wifi: mt76: mt7925: add pci restore for hibernate",
                            "    - wifi: mt76: mt7996: Fix mt7996_reverse_frag0_hdr_trans for MLO",
                            "    - wifi: mt76: mt7996: Set def_wcid pointer in mt7996_mac_sta_init_link()",
                            "    - wifi: mt76: mt7996: Temporarily disable EPCS",
                            "    - wifi: mt76: mt7996: support writing MAC TXD for AddBA Request",
                            "    - wifi: mt76: mt76_eeprom_override to int",
                            "    - ALSA: serial-generic: remove shared static buffer",
                            "    - wifi: mt76: mt7996: fix memory leak on mt7996_mcu_sta_key_tlv error",
                            "    - wifi: mt76: mt7996: disable promiscuous mode by default",
                            "    - wifi: mt76: use altx queue for offchannel tx on connac+",
                            "    - wifi: mt76: improve phy reset on hw restart",
                            "    - drm/amdgpu: Use memdup_array_user in amdgpu_cs_wait_fences_ioctl",
                            "    - drm/amdgpu: Release hive reference properly",
                            "    - drm/amd/display: Fix DMCUB loading sequence for DCN3.2",
                            "    - drm/amd/display: Set up pixel encoding for YCBCR422",
                            "    - drm/amd/display: fix dml ms order of operations",
                            "    - drm/amd/display: Don't use non-registered VUPDATE on DCE 6",
                            "    - drm/amd/display: Keep PLL0 running on DCE 6.0 and 6.4",
                            "    - drm/amd/display: Fix DVI-D/HDMI adapters",
                            "    - drm/amd/display: Disable VRR on DCE 6",
                            "    - drm/amd/display/dml2: Guard dml21_map_dc_state_into_dml_display_cfg with",
                            "      DC_FP_START",
                            "    - net: phy: clear EEE runtime state in PHY_HALTED/PHY_ERROR",
                            "    - ethernet: Extend device_get_mac_address() to use NVMEM",
                            "    - scsi: ufs: ufs-qcom: Disable lane clocks during phy hibern8",
                            "    - HID: i2c-hid: Resolve touchpad issues on Dell systems during S4",
                            "    - hinic3: Queue pair endianness improvements",
                            "    - hinic3: Fix missing napi->dev in netif_queue_set_napi",
                            "    - tools: ynl-gen: validate nested arrays",
                            "    - drm/xe/guc: Return an error code if the GuC load fails",
                            "    - drm/amdgpu: reject gang submissions under SRIOV",
                            "    - selftests/Makefile: include $(INSTALL_DEP_TARGETS) in clean target to",
                            "      clean net/lib dependency",
                            "    - scsi: ufs: core: Disable timestamp functionality if not supported",
                            "    - scsi: lpfc: Clean up allocated queues when queue setup mbox commands",
                            "      fail",
                            "    - scsi: lpfc: Decrement ndlp kref after FDISC retries exhausted",
                            "    - scsi: lpfc: Check return status of lpfc_reset_flush_io_context during",
                            "      TGT_RESET",
                            "    - scsi: lpfc: Remove ndlp kref decrement clause for F_Port_Ctrl in",
                            "      lpfc_cleanup",
                            "    - scsi: lpfc: Define size of debugfs entry for xri rebalancing",
                            "    - scsi: lpfc: Ensure PLOGI_ACC is sent prior to PRLI in Point to Point",
                            "      topology",
                            "    - allow finish_no_open(file, ERR_PTR(-E...))",
                            "    - usb: mon: Increase BUFF_MAX to 64 MiB to support multi-MB URBs",
                            "    - usb: xhci: plat: Facilitate using autosuspend for xhci plat devices",
                            "    - wifi: rtw89: disable RTW89_PHYSTS_IE09_FTR_0 for ppdu status",
                            "    - wifi: rtw89: obtain RX path from ppdu status IE00",
                            "    - wifi: rtw89: renew a completion for each H2C command waiting C2H event",
                            "    - usb: xhci-pci: add support for hosts with zero USB3 ports",
                            "    - ipv6: np->rxpmtu race annotation",
                            "    - RDMA/irdma: Update Kconfig",
                            "    - IB/ipoib: Ignore L3 master device",
                            "    - bnxt_en: Add fw log trace support for 5731X/5741X chips",
                            "    - mei: make a local copy of client uuid in connect",
                            "    - ASoC: qcom: sc8280xp: explicitly set S16LE format in",
                            "      sc8280xp_be_hw_params_fixup()",
                            "    - net: phy: clear link parameters on admin link down",
                            "    - net: ethernet: microchip: sparx5: make it selectable for ARCH_LAN969X",
                            "    - bus: mhi: core: Improve mhi_sync_power_up handling for SYS_ERR state",
                            "    - iommu/vt-d: Replace snprintf with scnprintf in dmar_latency_snapshot()",
                            "    - wifi: ath10k: Fix connection after GTK rekeying",
                            "    - iommu/vt-d: Remove LPIG from page group response descriptor",
                            "    - wifi: mac80211: Get the correct interface for non-netdev skb status",
                            "    - wifi: mac80211: Track NAN interface start/stop",
                            "    - net: intel: fm10k: Fix parameter idx set but not used",
                            "    - sparc/module: Add R_SPARC_UA64 relocation handling",
                            "    - sparc64: fix prototypes of reads[bwl]()",
                            "    - vfio: return -ENOTTY for unsupported device feature",
                            "    - ptp_ocp: make ptp_ocp driver compatible with PTP_EXTTS_REQUEST2",
                            "    - crypto: hisilicon/qm - invalidate queues in use",
                            "    - crypto: hisilicon/qm - clear all VF configurations in the hardware",
                            "    - ASoC: ops: improve snd_soc_get_volsw",
                            "    - PCI/PM: Skip resuming to D0 if device is disconnected",
                            "    - selftests: forwarding: Reorder (ar)ping arguments to obey POSIX getopt",
                            "    - remoteproc: qcom: q6v5: Avoid handling handover twice",
                            "    - wifi: ath12k: Increase DP_REO_CMD_RING_SIZE to 256",
                            "    - net: dsa: microchip: Set SPI as bus interface during reset for KSZ8463",
                            "    - bng_en: make bnge_alloc_ring() self-unwind on failure",
                            "    - ALSA: usb-audio: don't apply interface quirk to Presonus S1824c",
                            "    - tcp: Update bind bucket state on port release",
                            "    - ovl: make sure that ovl_create_real() returns a hashed dentry",
                            "    - drm/amd/display: Add missing post flip calls",
                            "    - drm/amd/display: Add AVI infoframe copy in copy_stream_update_to_stream",
                            "    - drm/amd/display: Add fast sync field in ultra sleep more for DMUB",
                            "    - drm/amd/display: Init dispclk from bootup clock for DCN314",
                            "    - drm/amd/display: Fix for test crash due to power gating",
                            "    - drm/amd/display: change dc stream color settings only in atomic commit",
                            "    - NFSv4: handle ERR_GRACE on delegation recalls",
                            "    - NFSv4.1: fix mount hang after CREATE_SESSION failure",
                            "    - net: bridge: Install FDB for bridge MAC on VLAN 0",
                            "    - net: phy: dp83640: improve phydev and driver removal handling",
                            "    - scsi: ufs: core: Change MCQ interrupt enable flow",
                            "    - scsi: libfc: Fix potential buffer overflow in fc_ct_ms_fill()",
                            "    - accel/habanalabs/gaudi2: fix BMON disable configuration",
                            "    - scsi: mpt3sas: Add support for 22.5 Gbps SAS link rate",
                            "    - accel/habanalabs: return ENOMEM if less than requested pages were pinned",
                            "    - accel/habanalabs/gaudi2: read preboot status after recovering from dirty",
                            "      state",
                            "    - ASoC: renesas: msiof: add .symmetric_xxx on snd_soc_dai_driver",
                            "    - ASoC: renesas: msiof: use reset controller",
                            "    - ASoC: renesas: msiof: tidyup DMAC stop timing",
                            "    - ASoC: renesas: msiof: set SIFCTR register",
                            "    - ext4: increase IO priority of fastcommit",
                            "    - drm/amdgpu: Add fallback to pipe reset if KCQ ring reset fails",
                            "    - drm/amdgpu: Fix fence signaling race condition in userqueue",
                            "    - ASoC: stm32: sai: manage context in set_sysclk callback",
                            "    - ASoC: tlv320aic3x: Fix class-D initialization for tlv320aic3007",
                            "    - ACPI: scan: Update honor list for RPMI System MSI",
                            "    - platform/x86: x86-android-tablets: Stop using EPROBE_DEFER",
                            "    - vfio/pci: Fix INTx handling on legacy non-PCI 2.3 devices",
                            "    - vfio/nvgrace-gpu: Add GB300 SKU to the devid table",
                            "    - selftest: net: Fix error message if empty variable",
                            "    - net/mlx5e: Don't query FEC statistics when FEC is disabled",
                            "    - Bluetooth: btintel: Add support for BlazarIW core",
                            "    - net: macb: avoid dealing with endianness in macb_set_hwaddr()",
                            "    - Bluetooth: btusb: Add new VID/PID 13d3/3627 for MT7925",
                            "    - Bluetooth: btintel_pcie: Define hdev->wakeup() callback",
                            "    - Bluetooth: ISO: Don't initiate CIS connections if there are no buffers",
                            "    - Bluetooth: btusb: Check for unexpected bytes when defragmenting HCI",
                            "      frames",
                            "    - Bluetooth: ISO: Use sk_sndtimeo as conn_timeout",
                            "    - Bluetooth: btusb: Add new VID/PID 13d3/3633 for MT7922",
                            "    - net: stmmac: est: Drop frames causing HLBS error",
                            "    - exfat: limit log print for IO error",
                            "    - 6pack: drop redundant locking and refcounting",
                            "    - page_pool: Clamp pool size to max 16K pages",
                            "    - net/mlx5e: Prevent entering switchdev mode with inconsistent netns",
                            "    - ksmbd: use sock_create_kern interface to create kernel socket",
                            "    - smb: client: update cfid->last_access_time in",
                            "      open_cached_dir_by_dentry()",
                            "    - smb: client: transport: avoid reconnects triggered by pending task work",
                            "    - usb: xhci-pci: Fix USB2-only root hub registration",
                            "    - drm/amd/display: Add fallback path for YCBCR422",
                            "    - ACPICA: Update dsmethod.c to get rid of unused variable warning",
                            "    - RDMA/bnxt_re: Fix a potential memory leak in destroy_gsi_sqp",
                            "    - RDMA/irdma: Fix SD index calculation",
                            "    - RDMA/irdma: Remove unused struct irdma_cq fields",
                            "    - RDMA/irdma: Set irdma_cq cq_num field during CQ create",
                            "    - RDMA/uverbs: Fix umem release in UVERBS_METHOD_CQ_CREATE",
                            "    - RDMA/hns: Fix recv CQ and QP cache affinity",
                            "    - RDMA/hns: Fix the modification of max_send_sge",
                            "    - RDMA/hns: Fix wrong WQE data when QP wraps around",
                            "    - btrfs: mark dirty extent range for out of bound prealloc extents",
                            "    - clk: qcom: gcc-ipq6018: rework nss_port5 clock to multiple conf",
                            "    - clk: renesas: rzv2h: Re-assert reset on deassert timeout",
                            "    - clk: samsung: exynos990: Add missing USB clock registers to HSI0",
                            "    - fs/hpfs: Fix error code for new_inode() failure in",
                            "      mkdir/create/mknod/symlink",
                            "    - clocksource: hyper-v: Skip unnecessary checks for the root partition",
                            "    - hyperv: Add missing field to hv_output_map_device_interrupt",
                            "    - um: Fix help message for ssl-non-raw",
                            "    - clk: sunxi-ng: sun6i-rtc: Add A523 specifics",
                            "    - rtc: pcf2127: clear minute/second interrupt",
                            "    - ARM: at91: pm: save and restore ACR during PLL disable/enable",
                            "    - clk: at91: add ACR in all PLL settings",
                            "    - clk: at91: sam9x7: Add peripheral clock id for pmecc",
                            "    - clk: at91: clk-master: Add check for divide by 3",
                            "    - clk: at91: clk-sam9x60-pll: force write to PLL_UPDT register",
                            "    - clk: ti: am33xx: keep WKUP_DEBUGSS_CLKCTRL enabled",
                            "    - clk: scmi: Add duty cycle ops only when duty cycle is supported",
                            "    - clk: clocking-wizard: Fix output clock register offset for Versal",
                            "      platforms",
                            "    - NTB: epf: Allow arbitrary BAR mapping",
                            "    - 9p: fix /sys/fs/9p/caches overwriting itself",
                            "    - cpufreq: tegra186: Initialize all cores to max frequencies",
                            "    - 9p: sysfs_init: don't hardcode error to ENOMEM",
                            "    - scsi: ufs: core: Include UTP error in INT_FATAL_ERRORS",
                            "    - fbdev: core: Fix ubsan warning in pixel_to_pat",
                            "    - ACPI: property: Return present device nodes only on fwnode interface",
                            "    - LoongArch: Handle new atomic instructions for probes",
                            "    - tools bitmap: Add missing asm-generic/bitsperlong.h include",
                            "    - tools: lib: thermal: don't preserve owner in install",
                            "    - tools: lib: thermal: use pkg-config to locate libnl3",
                            "    - ALSA: hda/realtek: Add quirk for ASUS ROG Zephyrus Duo",
                            "    - rtc: zynqmp: Restore alarm functionality after kexec transition",
                            "    - rtc: pcf2127: fix watchdog interrupt mask on pcf2131",
                            "    - net: wwan: t7xx: add support for HP DRMR-H01",
                            "    - kbuild: uapi: Strip comments before size type check",
                            "    - ASoC: meson: aiu-encoder-i2s: fix bit clock polarity",
                            "    - ASoC: rt722: add settings for rt722VB",
                            "    - drm/amdgpu: Report individual reset error",
                            "    - ceph: add checking of wait_for_completion_killable() return value",
                            "    - ceph: fix potential race condition in ceph_ioctl_lazyio()",
                            "    - ceph: refactor wake_up_bit() pattern of calling",
                            "    - x86: uaccess: don't use runtime-const rewriting in modules",
                            "    - rust: condvar: fix broken intra-doc link",
                            "    - rust: devres: fix private intra-doc link",
                            "    - rust: kbuild: workaround `rustdoc` doctests modifier bug",
                            "    - rust: kbuild: treat `build_error` and `rustdoc` as kernel objects",
                            "    - media: uvcvideo: Use heuristic to find stream entity",
                            "    - Revert \"wifi: ath10k: avoid unnecessary wait for service ready message\"",
                            "    - tracing: tprobe-events: Fix to register tracepoint correctly",
                            "    - tracing: tprobe-events: Fix to put tracepoint_user when disable the",
                            "      tprobe",
                            "    - net: libwx: fix device bus LAN ID",
                            "    - scsi: ufs: core: Fix a race condition related to the \"hid\" attribute",
                            "      group",
                            "    - riscv: ptdump: use seq_puts() in pt_dump_seq_puts() macro",
                            "    - Revert \"wifi: ath12k: Fix missing station power save configuration\"",
                            "    - scsi: ufs: core: Revert \"Make HID attributes visible\"",
                            "    - Bluetooth: btrtl: Fix memory leak in rtlbt_parse_firmware_v2()",
                            "    - net: dsa: tag_brcm: legacy: fix untagged rx on unbridged ports for",
                            "      bcm63xx",
                            "    - selftests/net: fix out-of-order delivery of FIN in gro:tcp test",
                            "    - selftests/net: use destination options instead of hop-by-hop",
                            "    - selftests: netdevsim: Fix ethtool-coalesce.sh fail by installing",
                            "      ethtool-common.sh",
                            "    - net: vlan: sync VLAN features with lower device",
                            "    - net: dsa: b53: fix resetting speed and pause on forced link",
                            "    - net: dsa: b53: fix bcm63xx RGMII port link adjustment",
                            "    - net: dsa: b53: fix enabling ip multicast",
                            "    - net: dsa: b53: stop reading ARL entries if search is done",
                            "    - net: dsa: b53: properly bound ARL searches for < 4 ARL bin chips",
                            "    - sctp: Hold RCU read lock while iterating over address list",
                            "    - sctp: Hold sock lock while iterating over address list",
                            "    - net: ionic: add dma_wmb() before ringing TX doorbell",
                            "    - net: ionic: map SKB after pseudo-header checksum prep",
                            "    - octeontx2-pf: Fix devm_kcalloc() error checking",
                            "    - bnxt_en: Fix a possible memory leak in bnxt_ptp_init",
                            "    - bnxt_en: Always provide max entry and entry size in coredump segments",
                            "    - bnxt_en: Fix warning in bnxt_dl_reload_down()",
                            "    - wifi: mac80211_hwsim: Limit destroy_on_close radio removal to netgroup",
                            "    - io_uring: fix types for region size calulation",
                            "    - net/mlx5e: Fix return value in case of module EEPROM read error",
                            "    - net: ti: icssg-prueth: Fix fdb hash size configuration",
                            "    - net/mlx5e: SHAMPO, Fix header mapping for 64K pages",
                            "    - net/mlx5e: SHAMPO, Fix skb size check for 64K pages",
                            "    - net/mlx5e: SHAMPO, Fix header formulas for higher MTUs and 64K pages",
                            "    - net: wan: framer: pef2256: Switch to devm_mfd_add_devices()",
                            "    - net: dsa: microchip: Fix reserved multicast address table programming",
                            "    - net: bridge: fix MST static key usage",
                            "    - selftests/vsock: avoid false-positives when checking dmesg",
                            "    - tracing: Fix memory leaks in create_field_var()",
                            "    - drm/amd/display: Enable mst when it's detected but yet to be initialized",
                            "    - wifi: cfg80211: add an hrtimer based delayed work item",
                            "    - wifi: mac80211: use wiphy_hrtimer_work for ml_reconf_work",
                            "    - wifi: mac80211: use wiphy_hrtimer_work for ttlm_work",
                            "    - wifi: mac80211: use wiphy_hrtimer_work for csa.switch_work",
                            "    - riscv: Fix memory leak in module_frob_arch_sections()",
                            "    - rtc: rx8025: fix incorrect register reference",
                            "    - x86/microcode/AMD: Add more known models to entry sign checking",
                            "    - smb: client: validate change notify buffer before copy",
                            "    - x86/amd_node: Fix AMD root device caching",
                            "    - xfs: fix delalloc write failures in software-provided atomic writes",
                            "    - xfs: fix various problems in xfs_atomic_write_cow_iomap_begin",
                            "    - x86/CPU/AMD: Add missing terminator for zen5_rdseed_microcode",
                            "    - drm: define NVIDIA DRM format modifiers for GB20x",
                            "    - drm/nouveau: Advertise correct modifiers on GB20x",
                            "    - drm/amdgpu/smu: Handle S0ix for vangogh",
                            "    - drm/amdkfd: Don't clear PT after process killed",
                            "    - virtio_net: fix alignment for virtio_net_hdr_v1_hash",
                            "    - lib/crypto: curve25519-hacl64: Fix older clang KASAN workaround for GCC",
                            "    - scsi: ufs: ufs-pci: Fix S0ix/S3 for Intel controllers",
                            "    - scsi: ufs: ufs-pci: Set UFSHCD_QUIRK_PERFORM_LINK_STARTUP_ONCE for Intel",
                            "      ADL",
                            "    - scsi: ufs: core: Add a quirk to suppress link_startup_again",
                            "    - drm/amd/display: update color on atomic commit time",
                            "    - extcon: adc-jack: Cleanup wakeup source only if it was enabled",
                            "    - kunit: Extend kconfig help text for KUNIT_UML_PCI",
                            "    - ALSA: hda/tas2781: Enable init_profile_id for device initialization",
                            "    - ACPI: SPCR: Check for table version when using precise baudrate",
                            "    - kbuild: Strip trailing padding bytes from modules.builtin.modinfo",
                            "    - drm/amdgpu: Fix unintended error log in VCN5_0_0",
                            "    - drm/amd/display: Fix vupdate_offload_work doc",
                            "    - drm/amdgpu: Fix function header names in amdgpu_connectors.c",
                            "    - drm/amdgpu/userq: assign an error code for invalid userq va",
                            "    - drm/msm/dpu: Fix adjusted mode clock check for 3d merge",
                            "    - drm/amd/display: Reject modes with too high pixel clock on DCE6-10",
                            "    - drm/amd/display: use GFP_NOWAIT for allocation in interrupt handler",
                            "    - drm/amd/display: Fix black screen with HDMI outputs",
                            "    - selftests: drv-net: Reload pkt pointer after calling filter_udphdr",
                            "    - dt-bindings: eeprom: at25: use \"size\" for FRAMs without device ID",
                            "    - Linux 6.17.8",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68316",
                            "    - scsi: ufs: core: Fix invalid probe error return value",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40292",
                            "    - virtio-net: fix received length check in big packets",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68180",
                            "    - drm/amd/display: Fix NULL deref in debugfs odm_combine_segments",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40327",
                            "    - perf/core: Fix system hang caused by cpu-clock usage",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40328",
                            "    - smb: client: fix potential UAF in smb2_close_cached_fid()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40291",
                            "    - io_uring: fix regbuf vector size truncation",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68322",
                            "    - parisc: Avoid crash due to unaligned access in unwinder",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40293",
                            "    - iommufd: Don't overflow during division for dirty tracking",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40294",
                            "    - Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40329",
                            "    - drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40295",
                            "    - fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40296",
                            "    - platform/x86: int3472: Fix double free of GPIO device during unregister",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40297",
                            "    - net: bridge: fix use-after-free due to MST port state bypass",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68320",
                            "    - lan966x: Fix sleeping in atomic context",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68169",
                            "    - netpoll: Fix deadlock in memory allocation under spinlock",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68197",
                            "    - bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40330",
                            "    - bnxt_en: Shutdown FW DMA in bnxt_shutdown()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68192",
                            "    - net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40331",
                            "    - sctp: Prevent TOCTOU out-of-bounds write",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68187",
                            "    - net: mdio: Check regmap pointer returned by device_node_to_regmap()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68167",
                            "    - gpiolib: fix invalid pointer access in debugfs",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68319",
                            "    - netconsole: Acquire su_mutex before navigating configs hierarchy",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40298",
                            "    - gve: Implement settime64 with -EOPNOTSUPP",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40299",
                            "    - gve: Implement gettimex64 with -EOPNOTSUPP",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40301",
                            "    - Bluetooth: hci_event: validate skb length for unknown CC opcode",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40358",
                            "    - riscv: stacktrace: Disable KASAN checks for non-current tasks",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68186",
                            "    - ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader",
                            "      catches up",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68184",
                            "    - drm/mediatek: Disable AFBC support on Mediatek DRM driver",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40302",
                            "    - media: videobuf2: forbid remove_bufs when legacy fileio is active",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40303",
                            "    - btrfs: ensure no dirty metadata is written back for an fs with errors",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40362",
                            "    - ceph: fix multifs mds auth caps issue",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40332",
                            "    - drm/amdkfd: Fix mmap write lock not release",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40304",
                            "    - fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40305",
                            "    - 9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68318",
                            "    - clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40209",
                            "    - btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68183",
                            "    - ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68173",
                            "    - ftrace: Fix softlockup in ftrace_module_enable",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40306",
                            "    - orangefs: fix xattr related buffer overflow...",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40307",
                            "    - exfat: validate cluster allocation bits of the allocation bitmap",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40308",
                            "    - Bluetooth: bcsp: receive data only if registered",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40309",
                            "    - Bluetooth: SCO: Fix UAF on sco_conn_free",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68174",
                            "    - amd/amdkfd: enhance kfd process check in switch partition",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40310",
                            "    - amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40361",
                            "    - fs: ext4: change GFP_KERNEL to GFP_NOFS to avoid deadlock",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40311",
                            "    - accel/habanalabs: support mapping cb with vmalloc-backed coherent memory",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68185",
                            "    - nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode",
                            "      dereferencing",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68176",
                            "    - PCI: cadence: Check for the existence of cdns_pcie::ops before using it",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68190",
                            "    - drm/amdgpu/atom: Check kcalloc() for WS buffer in",
                            "      amdgpu_atom_execute_table_locked()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68168",
                            "    - jfs: fix uninitialized waitqueue in transaction manager",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40312",
                            "    - jfs: Verify inode mode when loading from disk",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40333",
                            "    - f2fs: fix infinite loop in __insert_extent_tree()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68321",
                            "    - page_pool: always add GFP_NOWARN for ATOMIC allocations",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40334",
                            "    - drm/amdgpu: validate userq buffer virtual address and size",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68191",
                            "    - udp_tunnel: use netdev_warn() instead of netdev_WARN()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68309",
                            "    - PCI/AER: Fix NULL pointer access by aer_info",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40313",
                            "    - ntfs3: pretend $Extend records as regular files",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40335",
                            "    - drm/amdgpu: validate userq input args",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40314",
                            "    - usb: cdns3: gadget: Use-after-free during failed initialization and exit",
                            "      of cdnsp gadget",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40336",
                            "    - drm/gpusvm: fix hmm_pfn_to_map_order() usage",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68193",
                            "    - drm/xe/guc: Add devm release action to safely tear down CT",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68175",
                            "    - media: nxp: imx8-isi: Fix streaming cleanup on release",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68188",
                            "    - tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68315",
                            "    - f2fs: fix to detect potential corrupted nid in free_nid_list",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40337",
                            "    - net: stmmac: Correctly handle Rx checksum offload errors",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40338",
                            "    - ASoC: Intel: avs: Do not share the name pointer between components",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40339",
                            "    - drm/amdgpu: fix nullptr err of vm_handle_moved",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68194",
                            "    - media: imon: make send_packet() more robust",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40363",
                            "    - net: ipv6: fix field-spanning memcpy warning in AH output",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68311",
                            "    - tty: serial: ip22zilog: Use platform device for probing",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40340",
                            "    - drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68196",
                            "    - drm/amd/display: Cache streams targeting link when performing LT",
                            "      automation",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68178",
                            "    - blk-cgroup: fix possible deadlock while configuring policy",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40341",
                            "    - futex: Don't leak robust_list pointer on exec race",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40342",
                            "    - nvme-fc: use lock accessing port_state and rport state",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40343",
                            "    - nvmet-fc: avoid scheduling association deletion twice",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68177",
                            "    - cpufreq/longhaul: handle NULL policy in longhaul_exit",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68317",
                            "    - io_uring/zctx: check chained notif contexts",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40315",
                            "    - usb: gadget: f_fs: Fix epfile null pointer access after ep enable.",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40316",
                            "    - drm/mediatek: Fix device use-after-free on unbind",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40360",
                            "    - drm/sysfb: Do not dereference NULL pointer in plane reset",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68179",
                            "    - s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68310",
                            "    - s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40317",
                            "    - regmap: slimbus: fix bus_context pointer in regmap init calls",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40359",
                            "    - perf/x86/intel: Fix KASAN global-out-of-bounds warning",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68181",
                            "    - drm/radeon: Remove calls to drm_put_dev()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68170",
                            "    - drm/radeon: Do not kfree() devres managed rdev",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40213",
                            "    - Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40318",
                            "    - Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68312",
                            "    - usbnet: Prevents free active kevent",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40344",
                            "    - ASoC: Intel: avs: Disable periods-elapsed work when closing PCM",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68172",
                            "    - crypto: aspeed - fix double free caused by devm",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40319",
                            "    - bpf: Sync pending IRQ work before freeing ring buffer",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68182",
                            "    - wifi: iwlwifi: fix potential use after free in iwl_mld_remove_link()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68314",
                            "    - drm/msm: make sure last_fence is always updated",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68189",
                            "    - drm/msm: Fix GEM free for imported dma-bufs",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68171",
                            "    - x86/fpu: Ensure XFD state on signal delivery",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-68313",
                            "    - x86/CPU/AMD: Add RDSEED fix for Zen5",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40320",
                            "    - smb: client: fix potential cfid UAF in smb2_query_info_compound",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40321",
                            "    - wifi: brcmfmac: fix crash while sending Action Frames in standalone AP",
                            "      Mode",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40322",
                            "    - fbdev: bitblit: bound-check glyph index in bit_putcs*",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40211",
                            "    - ACPI: video: Fix use-after-free in acpi_video_switch_brightness()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40323",
                            "    - fbcon: Set fb_display[i]->mode to NULL when the mode is released",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40210",
                            "    - Revert \"NFSD: Remove the cap on number of operations per NFSv4 COMPOUND\"",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40324",
                            "    - NFSD: Fix crash in nfsd4_read_release()",
                            "  * Questing update: v6.17.8 upstream stable release (LP: #2136833) //",
                            "    CVE-2025-40326",
                            "    - NFSD: Define actions for the new time_deleg FATTR4 attributes",
                            "  * Questing update: v6.17.7 upstream stable release (LP: #2136813)",
                            "    - sched_ext: Move internal type and accessor definitions to ext_internal.h",
                            "    - sched_ext: Put event_stats_cpu in struct scx_sched_pcpu",
                            "    - sched_ext: Sync error_irq_work before freeing scx_sched",
                            "    - timekeeping: Fix aux clocks sysfs initialization loop bound",
                            "    - x86/bugs: Report correct retbleed mitigation status",
                            "    - x86/bugs: Qualify RETBLEED_INTEL_MSG",
                            "    - genirq/chip: Add buslock back in to irq_set_handler()",
                            "    - genirq/manage: Add buslock back in to __disable_irq_nosync()",
                            "    - genirq/manage: Add buslock back in to enable_irq()",
                            "    - audit: record fanotify event regardless of presence of rules",
                            "    - EDAC/ie31200: Add two more Intel Alder Lake-S SoCs for EDAC support",
                            "    - perf/x86/intel: Add ICL_FIXED_0_ADAPTIVE bit into INTEL_FIXED_BITS_MASK",
                            "    - perf: Use current->flags & PF_KTHREAD|PF_USER_WORKER instead of",
                            "      current->mm == NULL",
                            "    - perf: Have get_perf_callchain() return NULL if crosstask and user are",
                            "      set",
                            "    - perf: Skip user unwind if the task is a kernel thread",
                            "    - EDAC: Fix wrong executable file modes for C source files",
                            "    - seccomp: passthrough uprobe systemcall without filtering",
                            "    - sched_ext: Keep bypass on between enable failure and",
                            "      scx_disable_workfn()",
                            "    - x86/bugs: Add attack vector controls for VMSCAPE",
                            "    - x86/bugs: Fix reporting of LFENCE retpoline",
                            "    - EDAC/mc_sysfs: Increase legacy channel support to 16",
                            "    - cpuset: Use new excpus for nocpu error check when enabling root",
                            "      partition",
                            "    - btrfs: abort transaction on specific error places when walking log tree",
                            "    - btrfs: abort transaction in the process_one_buffer() log tree walk",
                            "      callback",
                            "    - btrfs: zoned: return error from btrfs_zone_finish_endio()",
                            "    - btrfs: zoned: refine extent allocator hint selection",
                            "    - btrfs: scrub: replace max_t()/min_t() with clamp() in",
                            "      scrub_throttle_dev_io()",
                            "    - btrfs: always drop log root tree reference in btrfs_replay_log()",
                            "    - btrfs: use level argument in log tree walk callback replay_one_buffer()",
                            "    - btrfs: abort transaction if we fail to update inode in log replay dir",
                            "      fixup",
                            "    - btrfs: tree-checker: add inode extref checks",
                            "    - btrfs: use smp_mb__after_atomic() when forcing COW in",
                            "      create_pending_snapshot()",
                            "    - sched_ext: Make qmap dump operation non-destructive",
                            "    - arch: Add the macro COMPILE_OFFSETS to all the asm-offsets.c",
                            "    - btrfs: tree-checker: fix bounds check in check_inode_extref()",
                            "    - Linux 6.17.7",
                            "  * [UBUNTU 24.04] KVM: s390: improve interrupt cpu for wakeup (LP: #2132317)",
                            "    - KVM: s390: improve interrupt cpu for wakeup",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982)",
                            "    - sched/fair: Block delayed tasks on throttled hierarchy during dequeue",
                            "    - vfio/cdx: update driver to build without CONFIG_GENERIC_MSI_IRQ",
                            "    - expfs: Fix exportfs_can_encode_fh() for EXPORT_FH_FID",
                            "    - cgroup/misc: fix misc_res_type kernel-doc warning",
                            "    - dlm: move to rinfo for all middle conversion cases",
                            "    - exec: Fix incorrect type for ret",
                            "    - s390/pkey: Forward keygenflags to ep11_unwrapkey",
                            "    - hfs: clear offset and space out of valid records in b-tree node",
                            "    - hfs: make proper initalization of struct hfs_find_data",
                            "    - hfs: validate record offset in hfsplus_bmap_alloc",
                            "    - hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()",
                            "    - dlm: check for defined force value in dlm_lockspace_release",
                            "    - hfsplus: return EIO when type of hidden directory mismatch in",
                            "      hfsplus_fill_super()",
                            "    - PCI: Test for bit underflow in pcie_set_readrq()",
                            "    - lkdtm: fortify: Fix potential NULL dereference on kmalloc failure",
                            "    - arm64: sysreg: Correct sign definitions for EIESB and DoubleLock",
                            "    - m68k: bitops: Fix find_*_bit() signatures",
                            "    - powerpc/32: Remove PAGE_KERNEL_TEXT to fix startup failure",
                            "    - riscv: mm: Return intended SATP mode for noXlvl options",
                            "    - riscv: mm: Use mmu-type from FDT to limit SATP mode",
                            "    - riscv: cpufeature: add validation for zfa, zfh and zfhmin",
                            "    - drivers/perf: hisi: Relax the event ID check in the framework",
                            "    - s390/mm: Use __GFP_ACCOUNT for user page table allocations",
                            "    - smb: client: queue post_recv_credits_work also if the peer raises the",
                            "      credit target",
                            "    - smb: client: limit the range of info->receive_credit_target",
                            "    - smb: client: make use of ib_wc_status_msg() and skip IB_WC_WR_FLUSH_ERR",
                            "      logging",
                            "    - smb: server: let smb_direct_flush_send_list() invalidate a remote key",
                            "      first",
                            "    - Unbreak 'make tools/*' for user-space targets",
                            "    - platform/mellanox: mlxbf-pmc: add sysfs_attr_init() to count_clock init",
                            "    - cpufreq/amd-pstate: Fix a regression leading to EPP 0 after hibernate",
                            "    - net/mlx5e: Return 1 instead of 0 in invalid case in",
                            "      mlx5e_mpwrq_umr_entry_size()",
                            "    - rtnetlink: Allow deleting FDB entries in user namespace",
                            "    - net: enetc: fix the deadlock of enetc_mdio_lock",
                            "    - net: enetc: correct the value of ENETC_RXB_TRUESIZE",
                            "    - dpaa2-eth: fix the pointer passed to PTR_ALIGN on Tx path",
                            "    - net: phy: realtek: fix rtl8221b-vm-cg name",
                            "    - can: bxcan: bxcan_start_xmit(): use can_dev_dropped_skb() instead of",
                            "      can_dropped_invalid_skb()",
                            "    - can: esd: acc_start_xmit(): use can_dev_dropped_skb() instead of",
                            "      can_dropped_invalid_skb()",
                            "    - can: rockchip-canfd: rkcanfd_start_xmit(): use can_dev_dropped_skb()",
                            "      instead of can_dropped_invalid_skb()",
                            "    - selftests: net: fix server bind failure in sctp_vrf.sh",
                            "    - net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for legacy RQ",
                            "    - net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding",
                            "      RQ",
                            "    - net/smc: fix general protection fault in __smc_diag_dump",
                            "    - net: ethernet: ti: am65-cpts: fix timestamp loss due to race conditions",
                            "    - arm64, mm: avoid always making PTE dirty in pte_mkwrite()",
                            "    - erofs: avoid infinite loops due to corrupted subpage compact indexes",
                            "    - net: hibmcge: select FIXED_PHY",
                            "    - ptp: ocp: Fix typo using index 1 instead of i in SMA initialization loop",
                            "    - net: hsr: prevent creation of HSR device with slaves from another netns",
                            "    - espintcp: use datagram_poll_queue for socket readiness",
                            "    - net: datagram: introduce datagram_poll_queue for custom receive queues",
                            "    - ovpn: use datagram_poll_queue for socket readiness in TCP",
                            "    - net: bonding: fix possible peer notify event loss or dup issue",
                            "    - hung_task: fix warnings caused by unaligned lock pointers",
                            "    - mm: don't spin in add_stack_record when gfp flags don't allow",
                            "    - dma-debug: don't report false positives with",
                            "      DMA_BOUNCE_UNALIGNED_KMALLOC",
                            "    - arch_topology: Fix incorrect error check in",
                            "      topology_parse_cpu_capacity()",
                            "    - riscv: hwprobe: Fix stale vDSO data for late-initialized keys at boot",
                            "    - io_uring/sqpoll: switch away from getrusage() for CPU accounting",
                            "    - io_uring/sqpoll: be smarter on when to update the stime usage",
                            "    - btrfs: send: fix duplicated rmdir operations when using extrefs",
                            "    - btrfs: ref-verify: fix IS_ERR() vs NULL check in btrfs_build_ref_tree()",
                            "    - gpio: pci-idio-16: Define maximum valid register address offset",
                            "    - gpio: 104-idio-16: Define maximum valid register address offset",
                            "    - xfs: fix locking in xchk_nlinks_collect_dir",
                            "    - platform/x86: alienware-wmi-wmax: Add AWCC support to Dell G15 5530",
                            "    - Revert \"cpuidle: menu: Avoid discarding useful information\"",
                            "    - riscv: cpufeature: avoid uninitialized variable in",
                            "      has_thead_homogeneous_vlenb()",
                            "    - rust: device: fix device context of Device::parent()",
                            "    - slab: Avoid race on slab->obj_exts in alloc_slab_obj_exts",
                            "    - slab: Fix obj_ext mistakenly considered NULL due to race condition",
                            "    - smb: client: get rid of d_drop() in cifs_do_rename()",
                            "    - ACPICA: Work around bogus -Wstringop-overread warning since GCC 11",
                            "    - arm64: mte: Do not warn if the page is already tagged in copy_highpage()",
                            "    - can: netlink: can_changelink(): allow disabling of automatic restart",
                            "    - cifs: Fix TCP_Server_Info::credits to be signed",
                            "    - devcoredump: Fix circular locking dependency with devcd->mutex.",
                            "    - hwmon: (pmbus/max34440) Update adpm12160 coeff due to latest FW",
                            "    - MIPS: Malta: Fix keyboard resource preventing i8042 driver from",
                            "      registering",
                            "    - rv: Make rtapp/pagefault monitor depends on CONFIG_MMU",
                            "    - net: bonding: update the slave array for broadcast mode",
                            "    - net: stmmac: dwmac-rk: Fix disabling set_clock_selection",
                            "    - net: usb: rtl8150: Fix frame padding",
                            "    - net: ravb: Enforce descriptor type ordering",
                            "    - net: ravb: Ensure memory write completes before ringing TX doorbell",
                            "    - mptcp: pm: in-kernel: C-flag: handle late ADD_ADDR",
                            "    - selftests: mptcp: join: mark 'flush re-add' as skipped if not supported",
                            "    - selftests: mptcp: join: mark implicit tests as skipped if not supported",
                            "    - selftests: mptcp: join: mark 'delete re-add signal' as skipped if not",
                            "      supported",
                            "    - mm/mremap: correctly account old mapping after MREMAP_DONTUNMAP remap",
                            "    - drm/xe: Check return value of GGTT workqueue allocation",
                            "    - drm/amd/display: increase max link count and fix link->enc NULL pointer",
                            "      access",
                            "    - mm/damon/core: use damos_commit_quota_goal() for new goal commit",
                            "    - mm/damon/core: fix list_add_tail() call on damon_call()",
                            "    - spi: rockchip-sfc: Fix DMA-API usage",
                            "    - firmware: arm_ffa: Add support for IMPDEF value in the memory access",
                            "      descriptor",
                            "    - spi: spi-nxp-fspi: add the support for sample data from DQS pad",
                            "    - spi: spi-nxp-fspi: re-config the clock rate when operation require new",
                            "      clock rate",
                            "    - spi: spi-nxp-fspi: add extra delay after dll locked",
                            "    - spi: spi-nxp-fspi: limit the clock rate for different sample clock",
                            "      source selection",
                            "    - spi: cadence-quadspi: Fix pm_runtime unbalance on dma EPROBE_DEFER",
                            "    - arm64: dts: broadcom: bcm2712: Add default GIC address cells",
                            "    - arm64: dts: broadcom: bcm2712: Define VGIC interrupt",
                            "    - include: trace: Fix inflight count helper on failed initialization",
                            "    - firmware: arm_scmi: Fix premature SCMI_XFER_FLAG_IS_RAW clearing in raw",
                            "      mode",
                            "    - spi: airoha: return an error for continuous mode dirmap creation cases",
                            "    - spi: airoha: add support of dual/quad wires spi modes to exec_op()",
                            "      handler",
                            "    - spi: airoha: switch back to non-dma mode in the case of error",
                            "    - spi: airoha: fix reading/writing of flashes with more than one plane per",
                            "      lun",
                            "    - sysfs: check visibility before changing group attribute ownership",
                            "    - RISC-V: Define pgprot_dmacoherent() for non-coherent devices",
                            "    - RISC-V: Don't print details of CPUs disabled in DT",
                            "    - riscv: hwprobe: avoid uninitialized variable use in hwprobe_arch_id()",
                            "    - hwmon: (pmbus/isl68137) Fix child node reference leak on early return",
                            "    - hwmon: (sht3x) Fix error handling",
                            "    - io_uring: fix incorrect unlikely() usage in io_waitid_prep()",
                            "    - nbd: override creds to kernel when calling sock_{send,recv}msg()",
                            "    - drm/panic: Fix drawing the logo on a small narrow screen",
                            "    - drm/panic: Fix qr_code, ensure vmargin is positive",
                            "    - drm/panic: Fix 24bit pixel crossing page boundaries",
                            "    - of/irq: Convert of_msi_map_id() callers to of_msi_xlate()",
                            "    - of/irq: Add msi-parent check to of_msi_xlate()",
                            "    - block: require LBA dma_alignment when using PI",
                            "    - gpio: ljca: Fix duplicated IRQ mapping",
                            "    - io_uring: correct __must_hold annotation in io_install_fixed_file",
                            "    - sched: Remove never used code in mm_cid_get()",
                            "    - USB: serial: option: add UNISOC UIS7720",
                            "    - USB: serial: option: add Quectel RG255C",
                            "    - USB: serial: option: add Telit FN920C04 ECM compositions",
                            "    - usb/core/quirks: Add Huawei ME906S to wakeup quirk",
                            "    - usb: raw-gadget: do not limit transfer length",
                            "    - xhci: dbc: enable back DbC in resume if it was enabled before suspend",
                            "    - xhci: dbc: fix bogus 1024 byte prefix if ttyDBC read races with stall",
                            "      event",
                            "    - x86/microcode: Fix Entrysign revision check for Zen1/Naples",
                            "    - binder: remove \"invalid inc weak\" check",
                            "    - mei: me: add wildcat lake P DID",
                            "    - objtool/rust: add one more `noreturn` Rust function",
                            "    - nvmem: rcar-efuse: add missing MODULE_DEVICE_TABLE",
                            "    - misc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup",
                            "    - most: usb: hdm_probe: Fix calling put_device() before device",
                            "      initialization",
                            "    - tcpm: switch check for role_sw device with fw_node",
                            "    - dt-bindings: serial: sh-sci: Fix r8a78000 interrupts",
                            "    - dt-bindings: usb: dwc3-imx8mp: dma-range is required only for imx8mp",
                            "    - dt-bindings: usb: qcom,snps-dwc3: Fix bindings for X1E80100",
                            "    - serial: 8250_dw: handle reset control deassert error",
                            "    - serial: 8250_exar: add support for Advantech 2 port card with Device ID",
                            "      0x0018",
                            "    - serial: 8250_mtk: Enable baud clock and manage in runtime PM",
                            "    - serial: sc16is7xx: remove useless enable of enhanced features",
                            "    - staging: gpib: Fix device reference leak in fmh_gpib driver",
                            "    - staging: gpib: Fix no EOI on 1 and 2 byte writes",
                            "    - staging: gpib: Return -EINTR on device clear",
                            "    - staging: gpib: Fix sending clear and trigger events",
                            "    - mm/migrate: remove MIGRATEPAGE_UNMAP",
                            "    - treewide: remove MIGRATEPAGE_SUCCESS",
                            "    - vmw_balloon: indicate success when effectively deflating during",
                            "      migration",
                            "    - xfs: always warn about deprecated mount options",
                            "    - gpio: regmap: Allow to allocate regmap-irq device",
                            "    - gpio: regmap: add the .fixed_direction_output configuration parameter",
                            "    - gpio: idio-16: Define fixed direction of the GPIO lines",
                            "    - Linux 6.17.6",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40084",
                            "    - ksmbd: transport_ipc: validate payload size before reading handle",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40222",
                            "    - tty: serial: sh-sci: fix RSCI FIFO overrun handling",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40223",
                            "    - most: usb: Fix use-after-free in hdm_disconnect",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40106",
                            "    - comedi: fix divide-by-zero in comedi_buf_munge()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40224",
                            "    - hwmon: (cgbc-hwmon) Add missing NULL check after devm_kzalloc()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40225",
                            "    - drm/panthor: Fix kernel panic on partial unmap of a GPU VA region",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40226",
                            "    - firmware: arm_scmi: Account for failed debug initialization",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40227",
                            "    - mm/damon/sysfs: dealloc commit test ctx always",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40228",
                            "    - mm/damon/sysfs: catch commit test ctx alloc failure",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40229",
                            "    - mm/damon/core: fix potential memory leak by cleaning ops_filter in",
                            "      damon_destroy_scheme",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40230",
                            "    - mm: prevent poison consumption when splitting THP",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40231",
                            "    - vsock: fix lock inversion in vsock_assign_transport()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40233",
                            "    - ocfs2: clear extent cache after moving/defragmenting extents",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40235",
                            "    - btrfs: directly free partially initialized fs_info in",
                            "      btrfs_check_leaked_roots()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40236",
                            "    - virtio-net: zero unused hash fields",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40237",
                            "    - fs/notify: call exportfs_encode_fid with s_umount",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40238",
                            "    - net/mlx5: Fix IPsec cleanup over MPV device",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40239",
                            "    - net: phy: micrel: always set shared->phydev for LAN8814",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40240",
                            "    - sctp: avoid NULL dereference when chunk data buffer is missing",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40241",
                            "    - erofs: fix crafted invalid cases for encoded extents",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40242",
                            "    - gfs2: Fix unlikely race in gdlm_put_lock",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40243",
                            "    - hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40244",
                            "    - hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()",
                            "  * Questing update: v6.17.6 upstream stable release (LP: #2134982) //",
                            "    CVE-2025-40245",
                            "    - nios2: ensure that memblock.current_limit is set when setting pfn limits",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557)",
                            "    - docs: kdoc: handle the obsolescensce of docutils.ErrorString()",
                            "    - Revert \"fs: make vfs_fileattr_[get|set] return -EOPNOTSUPP\"",
                            "    - PCI: vmd: Override irq_startup()/irq_shutdown() in",
                            "      vmd_init_dev_msi_info()",
                            "    - ata: libata-core: relax checks in ata_read_log_directory()",
                            "    - arm64/sysreg: Fix GIC CDEOI instruction encoding",
                            "    - ixgbevf: fix getting link speed data for E610 devices",
                            "    - rust: cfi: only 64-bit arm and x86 support CFI_CLANG",
                            "    - x86/CPU/AMD: Prevent reset reasons from being retained across reboot",
                            "    - slab: reset slab->obj_ext when freeing and it is OBJEXTS_ALLOC_FAIL",
                            "    - Revert \"io_uring/rw: drop -EOPNOTSUPP check in",
                            "      __io_complete_rw_common()\"",
                            "    - io_uring: protect mem region deregistration",
                            "    - Revert \"drm/amd/display: Only restore backlight after amdgpu_dm_init or",
                            "      dm_resume\"",
                            "    - r8152: add error handling in rtl8152_driver_init",
                            "    - net: usb: lan78xx: Fix lost EEPROM write timeout error(-ETIMEDOUT) in",
                            "      lan78xx_write_raw_eeprom",
                            "    - f2fs: fix wrong block mapping for multi-devices",
                            "    - gve: Check valid ts bit on RX descriptor before hw timestamping",
                            "    - jbd2: ensure that all ongoing I/O complete before freeing blocks",
                            "    - ext4: wait for ongoing I/O to complete before freeing blocks",
                            "    - btrfs: fix clearing of BTRFS_FS_RELOC_RUNNING if relocation already",
                            "      running",
                            "    - btrfs: fix memory leak on duplicated memory in the qgroup assign ioctl",
                            "    - btrfs: only set the device specific options after devices are opened",
                            "    - btrfs: fix incorrect readahead expansion length",
                            "    - can: gs_usb: gs_make_candev(): populate net_device->dev_port",
                            "    - can: gs_usb: increase max interface to U8_MAX",
                            "    - cxl/acpi: Fix setup of memory resource in cxl_acpi_set_cache_size()",
                            "    - ALSA: hda/intel: Add MSI X870E Tomahawk to denylist",
                            "    - ALSA: hda/realtek: Add quirk entry for HP ZBook 17 G6",
                            "    - drm/amdgpu: use atomic functions with memory barriers for vm fault info",
                            "    - drm/amdgpu: fix gfx12 mes packet status return check",
                            "    - drm/xe: Increase global invalidation timeout to 1000us",
                            "    - perf/core: Fix address filter match with backing files",
                            "    - perf/core: Fix MMAP event path names with backing files",
                            "    - perf/core: Fix MMAP2 event device with backing files",
                            "    - drm/amd: Check whether secure display TA loaded successfully",
                            "    - PM: hibernate: Add pm_hibernation_mode_is_suspend()",
                            "    - drm/amd: Fix hybrid sleep",
                            "    - usb: gadget: Store endpoint pointer in usb_request",
                            "    - usb: gadget: Introduce free_usb_request helper",
                            "    - HID: multitouch: fix sticky fingers",
                            "    - dax: skip read lock assertion for read-only filesystems",
                            "    - coredump: fix core_pattern input validation",
                            "    - can: m_can: m_can_plat_remove(): add missing pm_runtime_disable()",
                            "    - can: m_can: m_can_handle_state_errors(): fix CAN state transition to",
                            "      Error Active",
                            "    - can: m_can: m_can_chip_config(): bring up interface in correct state",
                            "    - can: m_can: fix CAN state in system PM",
                            "    - net: mtk: wed: add dma mask limitation and GFP_DMA32 for device with",
                            "      more than 4GB DRAM",
                            "    - net: dlink: handle dma_map_single() failure properly",
                            "    - doc: fix seg6_flowlabel path",
                            "    - can: j1939: add missing calls in NETDEV_UNREGISTER notification handler",
                            "    - dpll: zl3073x: Refactor DPLL initialization",
                            "    - dpll: zl3073x: Handle missing or corrupted flash configuration",
                            "    - r8169: fix packet truncation after S4 resume on RTL8168H/RTL8111H",
                            "    - net: phy: bcm54811: Fix GMII/MII/MII-Lite selection",
                            "    - net: phy: realtek: Avoid PHYCR2 access if PHYCR2 not present",
                            "    - amd-xgbe: Avoid spurious link down messages during interface toggle",
                            "    - Octeontx2-af: Fix missing error code in cgx_probe()",
                            "    - tcp: fix tcp_tso_should_defer() vs large RTT",
                            "    - net: airoha: Take into account out-of-order tx completions in",
                            "      airoha_dev_xmit()",
                            "    - selftests: net: check jq command is supported",
                            "    - net: core: fix lockdep splat on device unregister",
                            "    - ksmbd: fix recursive locking in RPC handle list access",
                            "    - tg3: prevent use of uninitialized remote_adv and local_adv variables",
                            "    - tls: trim encrypted message to match the plaintext on short splice",
                            "    - tls: wait for async encrypt in case of error during latter iterations of",
                            "      sendmsg",
                            "    - tls: always set record_type in tls_process_cmsg",
                            "    - tls: don't rely on tx_work during send()",
                            "    - netdevsim: set the carrier when the device goes up",
                            "    - net: usb: lan78xx: fix use of improperly initialized dev->chipid in",
                            "      lan78xx_reset",
                            "    - drm/panthor: Ensure MCU is disabled on suspend",
                            "    - nvme-multipath: Skip nr_active increments in RETRY disposition",
                            "    - riscv: kprobes: Fix probe address validation",
                            "    - drm/bridge: lt9211: Drop check for last nibble of version register",
                            "    - powerpc/fadump: skip parameter area allocation when fadump is disabled",
                            "    - ASoC: codecs: Fix gain setting ranges for Renesas IDT821034 codec",
                            "    - ASoC: nau8821: Cancel jdet_work before handling jack ejection",
                            "    - ASoC: nau8821: Generalize helper to clear IRQ status",
                            "    - ASoC: nau8821: Consistently clear interrupts before unmasking",
                            "    - ASoC: nau8821: Add DMI quirk to bypass jack debounce circuit",
                            "    - drm/i915/guc: Skip communication warning on reset in progress",
                            "    - drm/i915/frontbuffer: Move bo refcounting",
                            "      intel_frontbuffer_{get,release}()",
                            "    - drm/i915/fb: Fix the set_tiling vs. addfb race, again",
                            "    - drm/amdgpu: add ip offset support for cyan skillfish",
                            "    - drm/amdgpu: add support for cyan skillfish without IP discovery",
                            "    - drm/amdgpu: fix handling of harvesting for ip_discovery firmware",
                            "    - drm/amdgpu: handle wrap around in reemit handling",
                            "    - drm/amdgpu: set an error on all fences from a bad context",
                            "    - drm/amdgpu: drop unused structures in amdgpu_drm.h",
                            "    - drm/amd/powerplay: Fix CIK shutdown temperature",
                            "    - drm/xe: Enable media sampler power gating",
                            "    - drm/draw: fix color truncation in drm_draw_fill24",
                            "    - drm/rockchip: vop2: use correct destination rectangle height check",
                            "    - HID: intel-thc-hid: Intel-quickspi: switch first interrupt from level to",
                            "      edge detection",
                            "    - sched/fair: Fix pelt lost idle time detection",
                            "    - ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings",
                            "    - accel/qaic: Synchronize access to DBC request queue head & tail pointer",
                            "    - nvme-auth: update sc_c in host response",
                            "    - cxl/trace: Subtract to find an hpa_alias0 in cxl_poison events",
                            "    - selftests/bpf: make arg_parsing.c more robust to crashes",
                            "    - blk-mq: fix stale tag depth for shared sched tags in",
                            "      blk_mq_update_nr_requests()",
                            "    - block: Remove elevator_lock usage from blkg_conf frozen operations",
                            "    - HID: hid-input: only ignore 0 battery events for digitizers",
                            "    - HID: multitouch: fix name of Stylus input devices",
                            "    - drm/xe/evict: drop bogus assert",
                            "    - selftests: arg_parsing: Ensure data is flushed to disk before reading.",
                            "    - nvme/tcp: handle tls partially sent records in write_space()",
                            "    - rust: cpufreq: fix formatting",
                            "    - arm64: debug: always unmask interrupts in el0_softstp()",
                            "    - arm64: cputype: Add Neoverse-V3AE definitions",
                            "    - arm64: errata: Apply workarounds for Neoverse-V3AE",
                            "    - xfs: rename the old_crc variable in xlog_recover_process",
                            "    - xfs: fix log CRC mismatches between i386 and other architectures",
                            "    - NFSD: Rework encoding and decoding of nfsd4_deviceid",
                            "    - NFSD: Minor cleanup in layoutcommit processing",
                            "    - NFSD: Implement large extent array support in pNFS",
                            "    - NFSD: Fix last write offset handling in layoutcommit",
                            "    - phy: cdns-dphy: Store hs_clk_rate and return it",
                            "    - phy: cadence: cdns-dphy: Fix PLL lock and O_CMN_READY polling",
                            "    - x86/resctrl: Refactor resctrl_arch_rmid_read()",
                            "    - x86/resctrl: Fix miscount of bandwidth event when reactivating",
                            "      previously unavailable RMID",
                            "    - cxl: Fix match_region_by_range() to use region_res_match_cxl_range()",
                            "    - phy: cadence: cdns-dphy: Update calibration wait time for startup state",
                            "      machine",
                            "    - drm/xe: Use devm_ioremap_wc for VRAM mapping and drop manual unmap",
                            "    - drm/xe: Use dynamic allocation for tile and device VRAM region",
                            "      structures",
                            "    - drm/xe: Move struct xe_vram_region to a dedicated header",
                            "    - drm/xe: Unify the initialization of VRAM regions",
                            "    - drm/xe: Move rebar to be done earlier",
                            "    - PM: hibernate: Fix pm_hibernation_mode_is_suspend() build breakage",
                            "    - drm/xe: Fix an IS_ERR() vs NULL bug in xe_tile_alloc_vram()",
                            "    - Linux 6.17.5",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40086",
                            "    - drm/xe: Don't allow evicting of BOs in same VM in array of VM binds",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40087",
                            "    - NFSD: Define a proc_layoutcommit for the FlexFiles layout type",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40088",
                            "    - hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40162",
                            "    - ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40085",
                            "    - ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40172",
                            "    - accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40177",
                            "    - accel/qaic: Fix bootlog initialization ordering",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40163",
                            "    - sched/deadline: Stop dl_server before CPU goes offline",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40174",
                            "    - x86/mm: Fix SMP ordering in switch_mm_irqs_off()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40089",
                            "    - cxl/features: Add check for no entries in cxl_feature_info",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40176",
                            "    - tls: wait for pending async decryptions if tls_strp_msg_hold fails",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40164",
                            "    - usbnet: Fix using smp_processor_id() in preemptible code warnings",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40091",
                            "    - ixgbe: fix too early devlink_free() in ixgbe_remove()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40175",
                            "    - idpf: cleanup remaining SKBs in PTP flows",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40173",
                            "    - net/ip6_tunnel: Prevent perpetual tunnel growth",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40092",
                            "    - usb: gadget: f_ncm: Refactor bind path to use __free()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40093",
                            "    - usb: gadget: f_ecm: Refactor bind path to use __free()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40094",
                            "    - usb: gadget: f_acm: Refactor bind path to use __free()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40095",
                            "    - usb: gadget: f_rndis: Refactor bind path to use __free()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40165",
                            "    - media: nxp: imx8-isi: m2m: Fix streaming cleanup on release",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40096",
                            "    - drm/sched: Fix potential double free in",
                            "      drm_sched_job_add_resv_dependencies",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40097",
                            "    - ALSA: hda: Fix missing pointer check in hda_component_manager_init",
                            "      function",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40098",
                            "    - ALSA: hda: cs35l41: Fix NULL pointer dereference in",
                            "      cs35l41_get_acpi_mute_state()",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40099",
                            "    - cifs: parse_dfs_referrals: prevent oob on malformed input",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40100",
                            "    - btrfs: do not assert we found block group item when creating free space",
                            "      tree",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40101",
                            "    - btrfs: fix memory leaks when rejecting a non SINGLE data profile without",
                            "      an RST",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40167",
                            "    - ext4: detect invalid INLINE_DATA + EXTENTS flag combination",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40102",
                            "    - KVM: arm64: Prevent access to vCPU events before init",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40103",
                            "    - smb: client: Fix refcount leak for cifs_sb_tlink",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40104",
                            "    - ixgbevf: fix mailbox API compatibility by negotiating supported features",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40166",
                            "    - drm/xe/guc: Check GuC running state before deregistering exec queue",
                            "  * Questing update: v6.17.5 upstream stable release (LP: #2133557) //",
                            "    CVE-2025-40105",
                            "    - vfs: Don't leak disconnected dentries on umount",
                            "  * The machine didn’t go into suspend and got stuck (LP: #2132095)",
                            "    - platform/x86: alienware-wmi-wmax: Fix NULL pointer dereference in sleep",
                            "      handlers",
                            "  * CAP_PERFMON insufficient to get perf data (LP: #2131046)",
                            "    - SAUCE: perf/core: Allow CAP_PERFMON for paranoid level 4",
                            "  * Poweroff not working consistently after upgrading kernel 6.14.0-17.17 or",
                            "    later (LP: #2115860)",
                            "    - drm/amd: Unify shutdown() callback behavior",
                            "    - drm/amd: Stop exporting amdgpu_device_ip_suspend() outside amdgpu_device",
                            "    - drm/amd: Remove comment about handling errors in",
                            "      amdgpu_device_ip_suspend_phase1()",
                            "    - drm/amd: Don't always set IP block HW status to false",
                            "    - drm/amd: Pass IP suspend errors up to callers",
                            "    - drm/amd: Avoid evicting resources at S5",
                            "  * Re-enable INTEL_SKL_INT3472 for kernels >= 6.16 for Intel IPU camera",
                            "    (LP: #2128792)",
                            "    - Revert \"UBUNTU: [Config] FTBFS: disable INTEL_SKL_INT3472\"",
                            "    - Revert \"UBUNTU: SAUCE: platform/x86: int3472: Add handshake GPIO",
                            "      function\"",
                            "  * Support Samsung S5K3J1 sensor for Intel MIPI camera (LP: #2121852)",
                            "    - SAUCE: media: ipu-bridge: Support s5k3j1 sensor",
                            "  * Questing update: v6.17.4 upstream stable release (LP: #2131259)",
                            "    - fs: always return zero on success from replace_fd()",
                            "    - fscontext: do not consume log entries when returning -EMSGSIZE",
                            "    - btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range()",
                            "    - arm64: map [_text, _stext) virtual address range non-executable+read-",
                            "      only",
                            "    - rseq: Protect event mask against membarrier IPI",
                            "    - statmount: don't call path_put() under namespace semaphore",
                            "    - listmount: don't call path_put() under namespace semaphore",
                            "    - clocksource/drivers/clps711x: Fix resource leaks in error paths",
                            "    - memcg: skip cgroup_file_notify if spinning is not allowed",
                            "    - page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches",
                            "    - PM: runtime: Update kerneldoc return codes",
                            "    - dma-mapping: fix direction in dma_alloc direction traces",
                            "    - cpufreq: Make drivers using CPUFREQ_ETERNAL specify transition latency",
                            "    - nfsd: unregister with rpcbind when deleting a transport",
                            "    - KVM: x86: Add helper to retrieve current value of user return MSR",
                            "    - KVM: SVM: Emulate PERF_CNTR_GLOBAL_STATUS_SET for PerfMonV2",
                            "    - iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE",
                            "    - media: v4l2-subdev: Fix alloc failure check in",
                            "      v4l2_subdev_call_state_try()",
                            "    - asm-generic/io.h: Skip trace helpers if rwmmio events are disabled",
                            "    - clk: npcm: select CONFIG_AUXILIARY_BUS",
                            "    - clk: thead: th1520-ap: describe gate clocks with clk_gate",
                            "    - clk: thead: th1520-ap: fix parent of padctrl0 clock",
                            "    - clk: thead: Correct parent for DPU pixel clocks",
                            "    - clk: renesas: r9a08g045: Add MSTOP for GPIO",
                            "    - perf disasm: Avoid undefined behavior in incrementing NULL",
                            "    - perf test trace_btf_enum: Skip if permissions are insufficient",
                            "    - perf evsel: Avoid container_of on a NULL leader",
                            "    - libperf event: Ensure tracing data is multiple of 8 sized",
                            "    - clk: qcom: common: Fix NULL vs IS_ERR() check in qcom_cc_icc_register()",
                            "    - clk: qcom: Select the intended config in QCS_DISPCC_615",
                            "    - perf parse-events: Handle fake PMUs in CPU terms",
                            "    - clk: at91: peripheral: fix return value",
                            "    - clk: renesas: cpg-mssr: Fix memory leak in cpg_mssr_reserved_init()",
                            "    - perf: Completely remove possibility to override MAX_NR_CPUS",
                            "    - perf drm_pmu: Fix fd_dir leaks in for_each_drm_fdinfo_in_dir()",
                            "    - perf util: Fix compression checks returning -1 as bool",
                            "    - rtc: x1205: Fix Xicor X1205 vendor prefix",
                            "    - rtc: optee: fix memory leak on driver removal",
                            "    - perf arm_spe: Correct setting remote access",
                            "    - perf arm_spe: Correct memory level for remote access",
                            "    - perf vendor events arm64 AmpereOneX: Fix typo - should be",
                            "      l1d_cache_access_prefetches",
                            "    - perf test: AMD IBS swfilt skip kernel tests if paranoia is >1",
                            "    - perf test shell lbr: Avoid failures with perf event paranoia",
                            "    - perf trace: Fix IS_ERR() vs NULL check bug",
                            "    - perf session: Fix handling when buffer exceeds 2 GiB",
                            "    - perf test: Don't leak workload gopipe in PERF_RECORD_*",
                            "    - perf evsel: Fix uniquification when PMU given without suffix",
                            "    - perf test: Avoid uncore_imc/clockticks in uniquification test",
                            "    - perf evsel: Ensure the fallback message is always written to",
                            "    - perf build-id: Ensure snprintf string is empty when size is 0",
                            "    - clk: mediatek: mt8195-infra_ao: Fix parent for infra_ao_hdmi_26m",
                            "    - clk: mediatek: clk-mux: Do not pass flags to",
                            "      clk_mux_determine_rate_flags()",
                            "    - clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate()",
                            "    - clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver",
                            "    - clk: tegra: do not overallocate memory for bpmp clocks",
                            "    - nfsd: fix assignment of ia_ctime.tv_nsec on delegated mtime update",
                            "    - nfsd: ignore ATTR_DELEG when checking ia_valid before notify_change()",
                            "    - vfs: add ATTR_CTIME_SET flag",
                            "    - nfsd: use ATTR_CTIME_SET for delegated ctime updates",
                            "    - nfsd: track original timestamps in nfs4_delegation",
                            "    - nfsd: fix SETATTR updates for delegated timestamps",
                            "    - nfsd: fix timestamp updates in CB_GETATTR",
                            "    - tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64",
                            "    - PM: core: Annotate loops walking device links as _srcu",
                            "    - PM: core: Add two macros for walking device links",
                            "    - PM: sleep: Do not wait on SYNC_STATE_ONLY device links",
                            "    - cpufreq: tegra186: Set target frequency for all cpus in policy",
                            "    - scsi: mvsas: Fix use-after-free bugs in mvs_work_queue",
                            "    - perf bpf-filter: Fix opts declaration on older libbpfs",
                            "    - scsi: ufs: sysfs: Make HID attributes visible",
                            "    - mshv: Handle NEED_RESCHED_LAZY before transferring to guest",
                            "    - perf bpf_counter: Fix handling of cpumap fixing hybrid",
                            "    - ASoC: SOF: ipc4-topology: Correct the minimum host DMA buffer size",
                            "    - ASoC: SOF: ipc4-topology: Account for different ChainDMA host buffer",
                            "      size",
                            "    - ASoC: SOF: Intel: hda-pcm: Place the constraint on period time instead",
                            "      of buffer time",
                            "    - LoongArch: Add cflag -fno-isolate-erroneous-paths-dereference",
                            "    - LoongArch: Fix build error for LTO with LLVM-18",
                            "    - LoongArch: Init acpi_gbl_use_global_lock to false",
                            "    - ASoC: SOF: Intel: Read the LLP via the associated Link DMA channel",
                            "    - net: usb: lan78xx: Fix lost EEPROM read timeout error(-ETIMEDOUT) in",
                            "      lan78xx_read_raw_eeprom",
                            "    - net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter()",
                            "    - drm/xe/hw_engine_group: Fix double write lock release in error path",
                            "    - drm/xe/i2c: Don't rely on d3cold.allowed flag in system PM path",
                            "    - s390/cio: Update purge function to unregister the unused subchannels",
                            "    - drm/vmwgfx: Fix a null-ptr access in the cursor snooper",
                            "    - drm/vmwgfx: Fix Use-after-free in validation",
                            "    - drm/vmwgfx: Fix copy-paste typo in validation",
                            "    - net/sctp: fix a null dereference in sctp_disposition",
                            "      sctp_sf_do_5_1D_ce()",
                            "    - tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().",
                            "    - net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work",
                            "    - selftest: net: ovpn: Fix uninit return values",
                            "    - ice: ice_adapter: release xa entry on adapter allocation failure",
                            "    - net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe",
                            "    - tools build: Align warning options with perf",
                            "    - perf python: split Clang options when invoking Popen",
                            "    - tcp: take care of zero tp->window_clamp in tcp_set_rcvlowat()",
                            "    - mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call",
                            "    - mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes",
                            "    - mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop",
                            "    - mailbox: zynqmp-ipi: Fix SGI cleanup on unbind",
                            "    - bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}",
                            "    - net: mdio: mdio-i2c: Hold the i2c bus lock during smbus transactions",
                            "    - net: sparx5/lan969x: fix flooding configuration on bridge join/leave",
                            "    - net/mlx5: Prevent tunnel mode conflicts between FDB and NIC IPsec tables",
                            "    - net/mlx5e: Prevent tunnel reformat when tunnel mode not allowed",
                            "    - mailbox: mtk-cmdq: Remove pm_runtime APIs from cmdq_mbox_send_data()",
                            "    - drm/amdgpu: Add additional DCE6 SCL registers",
                            "    - drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs",
                            "    - drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6",
                            "    - drm/amd/display: Properly disable scaling on DCE6",
                            "    - drm/amd/display: Disable scaling on DCE6 for now",
                            "    - drm/amdkfd: Fix kfd process ref leaking when userptr unmapping",
                            "    - net: pse-pd: tps23881: Fix current measurement scaling",
                            "    - crypto: skcipher - Fix reqsize handling",
                            "    - netfilter: nft_objref: validate objref and objrefmap expressions",
                            "    - bridge: br_vlan_fill_forward_path_pvid: use br_vlan_group_rcu()",
                            "    - selftests: netfilter: nft_fib.sh: fix spurious test failures",
                            "    - selftests: netfilter: query conntrack state to check for port clash",
                            "      resolution",
                            "    - io_uring/zcrx: increment fallback loop src offset",
                            "    - net: airoha: Fix loopback mode configuration for GDM2 port",
                            "    - cifs: Fix copy_to_iter return value check",
                            "    - smb: client: fix missing timestamp updates after utime(2)",
                            "    - rtc: isl12022: Fix initial enable_irq/disable_irq balance",
                            "    - cifs: Query EA $LXMOD in cifs_query_path_info() for WSL reparse points",
                            "    - tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single",
                            "    - gpio: wcd934x: mark the GPIO controller as sleeping",
                            "    - bpf: Avoid RCU context warning when unpinning htab with internal structs",
                            "    - kbuild: always create intermediate vmlinux.unstripped",
                            "    - kbuild: keep .modinfo section in vmlinux.unstripped",
                            "    - kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux",
                            "    - kbuild: Add '.rel.*' strip pattern for vmlinux",
                            "    - s390: vmlinux.lds.S: Reorder sections",
                            "    - s390/vmlinux.lds.S: Move .vmlinux.info to end of allocatable sections",
                            "    - ACPICA: acpidump: drop ACPI_NONSTRING attribute from file_name",
                            "    - ACPI: property: Fix buffer properties extraction for subnodes",
                            "    - ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT",
                            "    - ACPICA: Debugger: drop ACPI_NONSTRING attribute from name_seg",
                            "    - ACPI: debug: fix signedness issues in read/write helpers",
                            "    - ACPI: battery: Add synchronization between interface updates",
                            "    - arm64: dts: qcom: msm8916: Add missing MDSS reset",
                            "    - arm64: dts: qcom: msm8939: Add missing MDSS reset",
                            "    - arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees",
                            "    - Revert \"UBUNTU: SAUCE: arm64: dts: qcom: x1e80100-pmics: Disable pm8010",
                            "      by default\"",
                            "    - arm64: dts: qcom: x1e80100-pmics: Disable pm8010 by default",
                            "    - arm64: dts: ti: k3-am62a-main: Fix main padcfg length",
                            "    - arm64: dts: ti: k3-am62p: Fix supported hardware for 1GHz OPP",
                            "    - arm64: kprobes: call set_memory_rox() for kprobe page",
                            "    - arm64: mte: Do not flag the zero page as PG_mte_tagged",
                            "    - ARM: AM33xx: Implement TI advisory 1.0.36 (EMU0/EMU1 pins state on",
                            "      reset)",
                            "    - ARM: OMAP2+: pm33xx-core: ix device node reference leaks in",
                            "      amx3_idle_init",
                            "    - firmware: arm_scmi: quirk: Prevent writes to string constants",
                            "    - perf/arm-cmn: Fix CMN S3 DTM offset",
                            "    - KVM: s390: Fix to clear PTE when discarding a swapped page",
                            "    - KVM: arm64: Fix debug checking for np-guests using huge mappings",
                            "    - KVM: arm64: Fix page leak in user_mem_abort()",
                            "    - x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP",
                            "    - KVM: SVM: Re-load current, not host, TSC_AUX on #VMEXIT from SEV-ES",
                            "      guest",
                            "    - KVM: TDX: Fix uninitialized error code for __tdx_bringup()",
                            "    - dt-bindings: phy: rockchip-inno-csi-dphy: make power-domains non-",
                            "      required",
                            "    - xen: take system_transition_mutex on suspend",
                            "    - xen/events: Cleanup find_virq() return codes",
                            "    - xen/manage: Fix suspend error path",
                            "    - xen/events: Return -EEXIST for bound VIRQs",
                            "    - xen/events: Update virq_to_irq on migration",
                            "    - firmware: exynos-acpm: fix PMIC returned errno",
                            "    - firmware: meson_sm: fix device leak at probe",
                            "    - media: cec: extron-da-hd-4k-plus: drop external-module make commands",
                            "    - media: cx18: Add missing check after DMA map",
                            "    - media: i2c: mt9p031: fix mbus code initialization",
                            "    - media: i2c: mt9v111: fix incorrect type for ret",
                            "    - media: mc: Fix MUST_CONNECT handling for pads with no links",
                            "    - media: pci: ivtv: Add missing check after DMA map",
                            "    - media: pci: mg4b: fix uninitialized iio scan data",
                            "    - media: platform: mtk-mdp3: Add missing MT8188 compatible to comp_dt_ids",
                            "    - media: s5p-mfc: remove an unused/uninitialized variable",
                            "    - media: staging/ipu7: fix isys device runtime PM usage in firmware",
                            "      closing",
                            "    - media: uvcvideo: Avoid variable shadowing in uvc_ctrl_cleanup_fh",
                            "    - media: venus: firmware: Use correct reset sequence for IRIS2",
                            "    - media: venus: pm_helpers: add fallback for the opp-table",
                            "    - media: vivid: fix disappearing <Vendor Command With ID> messages",
                            "    - media: vsp1: Export missing vsp1_isp_free_buffer symbol",
                            "    - media: ti: j721e-csi2rx: Use devm_of_platform_populate",
                            "    - media: ti: j721e-csi2rx: Fix source subdev link creation",
                            "    - media: lirc: Fix error handling in lirc_register()",
                            "    - drm/exynos: exynos7_drm_decon: remove ctx->suspended",
                            "    - drm/panthor: Fix memory leak in panthor_ioctl_group_create()",
                            "    - drm/msm/a6xx: Fix PDC sleep sequence",
                            "    - drm/rcar-du: dsi: Fix 1/2/3 lane support",
                            "    - drm/nouveau: fix bad ret code in nouveau_bo_move_prep",
                            "    - drm/xe/uapi: loosen used tracking restriction",
                            "    - drm/amd/display: Incorrect Mirror Cositing",
                            "    - drm/amd/display: Enable Dynamic DTBCLK Switch",
                            "    - drm/amd/display: Fix unsafe uses of kernel mode FPU",
                            "    - blk-crypto: fix missing blktrace bio split events",
                            "    - btrfs: avoid potential out-of-bounds in btrfs_encode_fh()",
                            "    - bus: mhi: ep: Fix chained transfer handling in read path",
                            "    - bus: mhi: host: Do not use uninitialized 'dev' pointer in",
                            "      mhi_init_irq_setup()",
                            "    - cdx: Fix device node reference leak in cdx_msi_domain_init",
                            "    - clk: qcom: tcsrcc-x1e80100: Set the bi_tcxo as parent to eDP refclk",
                            "    - clk: samsung: exynos990: Use PLL_CON0 for PLL parent muxes",
                            "    - clk: samsung: exynos990: Fix CMU_TOP mux/div bit widths",
                            "    - clk: samsung: exynos990: Replace bogus divs with fixed-factor clocks",
                            "    - copy_sighand: Handle architectures where sizeof(unsigned long) <",
                            "      sizeof(u64)",
                            "    - cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay",
                            "    - cpufreq: intel_pstate: Fix object lifecycle issue in",
                            "      update_qos_request()",
                            "    - crypto: aspeed - Fix dma_unmap_sg() direction",
                            "    - crypto: atmel - Fix dma_unmap_sg() direction",
                            "    - crypto: rockchip - Fix dma_unmap_sg() nents value",
                            "    - eventpoll: Replace rwlock with spinlock",
                            "    - fbdev: Fix logic error in \"offb\" name match",
                            "    - fs/ntfs3: Fix a resource leak bug in wnd_extend()",
                            "    - fs: quota: create dedicated workqueue for quota_release_work",
                            "    - fsnotify: pass correct offset to fsnotify_mmap_perm()",
                            "    - fuse: fix possibly missing fuse_copy_finish() call in fuse_notify()",
                            "    - fuse: fix livelock in synchronous file put from fuseblk workers",
                            "    - gpio: mpfs: fix setting gpio direction to output",
                            "    - i3c: Fix default I2C adapter timeout value",
                            "    - iio/adc/pac1934: fix channel disable configuration",
                            "    - iio: dac: ad5360: use int type to store negative error codes",
                            "    - iio: dac: ad5421: use int type to store negative error codes",
                            "    - iio: frequency: adf4350: Fix prescaler usage.",
                            "    - iio: xilinx-ams: Fix AMS_ALARM_THR_DIRECT_MASK",
                            "    - iio: xilinx-ams: Unmask interrupts after updating alarms",
                            "    - init: handle bootloader identifier in kernel parameters",
                            "    - iio: imu: inv_icm42600: Simplify pm_runtime setup",
                            "    - iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in",
                            "      resume",
                            "    - iio: imu: inv_icm42600: Avoid configuring if already pm_runtime",
                            "      suspended",
                            "    - iommu/vt-d: PRS isn't usable if PDS isn't supported",
                            "    - ipmi: Rework user message limit handling",
                            "    - ipmi:msghandler:Change seq_lock to a mutex",
                            "    - kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in",
                            "      sys_prlimit64() paths",
                            "    - KEYS: trusted_tpm1: Compare HMAC values in constant time",
                            "    - kho: only fill kimage if KHO is finalized",
                            "    - lib/genalloc: fix device leak in of_gen_pool_get()",
                            "    - loop: fix backing file reference leak on validation error",
                            "    - md: fix mssing blktrace bio split events",
                            "    - of: unittest: Fix device reference count leak in",
                            "      of_unittest_pci_node_verify",
                            "    - openat2: don't trigger automounts with RESOLVE_NO_XDEV",
                            "    - padata: Reset next CPU when reorder sequence wraps around",
                            "    - parisc: don't reference obsolete termio struct for TC* constants",
                            "    - parisc: Remove spurious if statement from raw_copy_from_user()",
                            "    - nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk",
                            "    - pinctrl: samsung: Drop unused S3C24xx driver data",
                            "    - PM: EM: Fix late boot with holes in CPU topology",
                            "    - PM: hibernate: Fix hybrid-sleep",
                            "    - PM: hibernate: Restrict GFP mask in power_down()",
                            "    - power: supply: max77976_charger: fix constant current reporting",
                            "    - powerpc/powernv/pci: Fix underflow and leak issue",
                            "    - powerpc/pseries/msi: Fix potential underflow and leak issue",
                            "    - pwm: berlin: Fix wrong register in suspend/resume",
                            "    - pwm: Fix incorrect variable used in error message",
                            "    - Revert \"ipmi: fix msg stack when IPMI is disconnected\"",
                            "    - sched/deadline: Fix race in push_dl_task()",
                            "    - scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()",
                            "    - scsi: sd: Fix build warning in sd_revalidate_disk()",
                            "    - sctp: Fix MAC comparison to be constant-time",
                            "    - smb client: fix bug with newly created file in cached dir",
                            "    - sparc64: fix hugetlb for sun4u",
                            "    - sparc: fix error handling in scan_one_device()",
                            "    - xtensa: simdisk: add input size check in proc_write_simdisk",
                            "    - xsk: Harden userspace-supplied xdp_desc validation",
                            "    - mtd: rawnand: fsmc: Default to autodetect buswidth",
                            "    - mtd: nand: raw: gpmi: fix clocks when CONFIG_PM=N",
                            "    - mmc: core: SPI mode remove cmd7",
                            "    - mmc: mmc_spi: multiple block read remove read crc ack",
                            "    - memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe",
                            "    - memory: stm32_omm: Fix req2ack update test",
                            "    - rtc: interface: Ensure alarm irq is enabled when UIE is enabled",
                            "    - rtc: interface: Fix long-standing race when setting alarm",
                            "    - rseq/selftests: Use weak symbol reference, not definition, to link with",
                            "      glibc",
                            "    - PCI: xilinx-nwl: Fix ECAM programming",
                            "    - PCI: tegra: Convert struct tegra_msi mask_lock into raw spinlock",
                            "    - PCI/sysfs: Ensure devices are powered for config reads",
                            "    - PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV",
                            "    - PCI/ERR: Fix uevent on failure to recover",
                            "    - PCI/AER: Fix missing uevent on recovery when a reset is requested",
                            "    - PCI/AER: Support errors introduced by PCIe r6.0",
                            "    - PCI: Ensure relaxed tail alignment does not increase min_align",
                            "    - PCI: Fix failure detection during resource resize",
                            "    - PCI: j721e: Fix module autoloading",
                            "    - PCI: j721e: Fix programming sequence of \"strap\" settings",
                            "    - PCI: keystone: Use devm_request_irq() to free \"ks-pcie-error-irq\" on",
                            "      exit",
                            "    - PCI: rcar-gen4: Fix PHY initialization",
                            "    - PCI: rcar-host: Drop PMSR spinlock",
                            "    - PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock",
                            "    - PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq()",
                            "    - PCI: tegra194: Handle errors in BPMP response",
                            "    - PCI: tegra194: Reset BARs when running in PCIe endpoint mode",
                            "    - PCI/pwrctrl: Fix device leak at registration",
                            "    - PCI/pwrctrl: Fix device and OF node leak at bus scan",
                            "    - PCI/pwrctrl: Fix device leak at device stop",
                            "    - spi: cadence-quadspi: Flush posted register writes before INDAC access",
                            "    - spi: cadence-quadspi: Flush posted register writes before DAC access",
                            "    - spi: cadence-quadspi: Fix cqspi_setup_flash()",
                            "    - xfs: use deferred intent items for reaping crosslinked blocks",
                            "    - x86/fred: Remove ENDBR64 from FRED entry points",
                            "    - x86/umip: Check that the instruction opcode is at least two bytes",
                            "    - x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT",
                            "      aliases)",
                            "    - mptcp: pm: in-kernel: usable client side with C-flag",
                            "    - mptcp: reset blackhole on success with non-loopback ifaces",
                            "    - selftests: mptcp: join: validate C-flag + def limit",
                            "    - s390/cio/ioasm: Fix __xsch() condition code handling",
                            "    - s390/dasd: enforce dma_alignment to ensure proper buffer validation",
                            "    - s390/dasd: Return BLK_STS_INVAL for EINVAL from do_dasd_request",
                            "    - s390: Add -Wno-pointer-sign to KBUILD_CFLAGS_DECOMPRESSOR",
                            "    - slab: prevent warnings when slab obj_exts vector allocation fails",
                            "    - slab: mark slab->obj_exts allocation failures unconditionally",
                            "    - wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again",
                            "    - wifi: iwlwifi: Fix dentry reference leak in iwl_mld_add_link_debugfs",
                            "    - wifi: rtw89: avoid possible TX wait initialization race",
                            "    - wifi: mt76: mt7925u: Add VID/PID for Netgear A9000",
                            "    - wifi: mt76: mt7921u: Add VID/PID for Netgear A7500",
                            "    - mm/thp: fix MTE tag mismatch when replacing zero-filled subpages",
                            "    - mm/rmap: fix soft-dirty and uffd-wp bit loss when remapping zero-filled",
                            "      mTHP subpage to shared zeropage",
                            "    - mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations",
                            "    - mm/hugetlb: early exit from hugetlb_pages_alloc_boot() when",
                            "      max_huge_pages=0",
                            "    - mm/damon/vaddr: do not repeat pte_offset_map_lock() until success",
                            "    - mm/damon/lru_sort: use param_ctx for damon_attrs staging",
                            "    - nfsd: decouple the xprtsec policy check from check_nfsd_access()",
                            "    - NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul()",
                            "    - nfsd: nfserr_jukebox in nlm_fopen should lead to a retry",
                            "    - media: iris: Call correct power off callback in cleanup path",
                            "    - media: iris: Fix firmware reference leak and unmap memory after load",
                            "    - media: iris: fix module removal if firmware download failed",
                            "    - media: iris: vpu3x: Add MNoC low power handshake during hardware power-",
                            "      off",
                            "    - media: iris: Fix port streaming handling",
                            "    - media: iris: Fix buffer count reporting in internal buffer check",
                            "    - media: iris: Allow substate transition to load resources during output",
                            "      streaming",
                            "    - media: iris: Always destroy internal buffers on firmware release",
                            "      response",
                            "    - media: iris: Simplify session stop logic by relying on vb2 checks",
                            "    - media: iris: Update vbuf flags before v4l2_m2m_buf_done",
                            "    - media: iris: Send dummy buffer address for all codecs during drain",
                            "    - media: iris: Fix missing LAST flag handling during drain",
                            "    - media: iris: Fix format check for CAPTURE plane in try_fmt",
                            "    - media: iris: Allow stop on firmware only if start was issued.",
                            "    - ext4: add ext4_sb_bread_nofail() helper function for",
                            "      ext4_free_branches()",
                            "    - ext4: fail unaligned direct IO write with EINVAL",
                            "    - ext4: verify orphan file size is not too big",
                            "    - ext4: increase i_disksize to offset + len in",
                            "      ext4_update_disksize_before_punch()",
                            "    - ext4: correctly handle queries for metadata mappings",
                            "    - ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()",
                            "    - ext4: fix an off-by-one issue during moving extents",
                            "    - ext4: guard against EA inode refcount underflow in xattr update",
                            "    - ext4: validate ea_ino and size in check_xattrs",
                            "    - ACPICA: Allow to skip Global Lock initialization",
                            "    - ext4: free orphan info with kvfree",
                            "    - ipmi: Fix handling of messages with provided receive message pointer",
                            "    - Squashfs: add additional inode sanity checking",
                            "    - Squashfs: reject negative file sizes in squashfs_read_inode()",
                            "    - mm/ksm: fix incorrect KSM counter handling in mm_struct during fork",
                            "    - media: mc: Clear minor number before put device",
                            "    - arm64: dts: qcom: qcs615: add missing dt property in QUP SEs",
                            "    - ACPI: property: Disregard references in data-only subnode lists",
                            "    - ACPI: property: Add code comments explaining what is going on",
                            "    - ACPI: property: Do not pass NULL handles to acpi_attach_data()",
                            "    - irqchip/sifive-plic: Avoid interrupt ID 0 handling during suspend/resume",
                            "    - copy_file_range: limit size if in compat mode",
                            "    - minixfs: Verify inode mode when loading from disk",
                            "    - pid: Add a judgment for ns null in pid_nr_ns",
                            "    - fs: Add 'initramfs_options' to set initramfs mount options",
                            "    - cramfs: Verify inode mode when loading from disk",
                            "    - nsfs: validate extensible ioctls",
                            "    - mnt_ns_tree_remove(): DTRT if mnt_ns had never been added to mnt_ns_list",
                            "    - writeback: Avoid softlockup when switching many inodes",
                            "    - writeback: Avoid excessively long inode switching times",
                            "    - iomap: error out on file IO when there is no inline_data buffer",
                            "    - pidfs: validate extensible ioctls",
                            "    - mount: handle NULL values in mnt_ns_release()",
                            "    - Linux 6.17.4",
                            "  * Questing update: v6.17.4 upstream stable release (LP: #2131259) // Race",
                            "    condition in perf build causes build failure due to missing unistd_64.h",
                            "    header on arm64 (LP: #2131702)",
                            "    - perf tools: Fix arm64 libjvmti build by generating unistd_64.h",
                            "  * Questing update: v6.17.3 upstream stable release (LP: #2129610)",
                            "    - arch: copy_thread: pass clone_flags as u64",
                            "    - filelock: add FL_RECLAIM to show_fl_flags() macro",
                            "    - init: INITRAMFS_PRESERVE_MTIME should depend on BLK_DEV_INITRD",
                            "    - pid: use ns_capable_noaudit() when determining net sysctl permissions",
                            "    - Fix CC_HAS_ASM_GOTO_OUTPUT on non-x86 architectures",
                            "    - [Config]: Update CC configs for v6.17.3",
                            "    - seccomp: Fix a race with WAIT_KILLABLE_RECV if the tracer replies too",
                            "      fast",
                            "    - kbuild: Add missing $(objtree) prefix to powerpc crtsavres.o artifact",
                            "    - selftests: arm64: Check fread return value in exec_target",
                            "    - selftests: arm64: Fix -Waddress warning in tpidr2 test",
                            "    - kselftest/arm64/gcs: Correctly check return value when disabling GCS",
                            "    - hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()",
                            "    - gfs2: Fix GLF_INVALIDATE_IN_PROGRESS flag clearing in do_xmote",
                            "    - gfs2: Remove space before newline",
                            "    - gfs2: Further sanitize lock_dlm.c",
                            "    - gfs2: Fix LM_FLAG_TRY* logic in add_to_queue",
                            "    - gfs2: Remove duplicate check in do_xmote",
                            "    - gfs2: Get rid of GLF_INVALIDATE_IN_PROGRESS",
                            "    - gfs2: do_xmote cleanup",
                            "    - gfs2: Add proper lockspace locking",
                            "    - powerpc/8xx: Remove left-over instruction and comments in",
                            "      DataStoreTLBMiss handler",
                            "    - powerpc/603: Really copy kernel PGD entries into all PGDIRs",
                            "    - powerpc/ftrace: ensure ftrace record ops are always set for NOPs",
                            "    - powerpc64/modules: correctly iterate over stubs in",
                            "      setup_ftrace_ool_stubs",
                            "    - uprobes: uprobe_warn should use passed task",
                            "    - raid6: riscv: Clean up unused header file inclusion",
                            "    - coresight: trbe: Prevent overflow in PERF_IDX2OFF()",
                            "    - perf: arm_spe: Prevent overflow in PERF_IDX2OFF()",
                            "    - erofs: avoid reading more for fragment maps",
                            "    - smb: client: fix sending the iwrap custom IRD/ORD negotiation messages",
                            "    - smb: server: fix IRD/ORD negotiation with the client",
                            "    - perf/x86/intel: Use early_initcall() to hook bts_init()",
                            "    - perf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error",
                            "    - x86/vdso: Fix output operand size of RDPID",
                            "    - selftests: cgroup: Make test_pids backwards compatible",
                            "    - sched/fair: Get rid of sched_domains_curr_level hack for tl->cpumask()",
                            "    - [Config]: Update CONFIG_SCHED_MC for v6.17.3",
                            "    - lsm: CONFIG_LSM can depend on CONFIG_SECURITY",
                            "    - cpuset: fix failure to enable isolated partition when containing",
                            "      isolcpus",
                            "    - btrfs: return any hit error from extent_writepage_io()",
                            "    - btrfs: fix symbolic link reading when bs > ps",
                            "    - pinctrl: renesas: rzg2l: Fix invalid unsigned return in rzg3s_oen_read()",
                            "    - arm64: dts: renesas: rzg2lc-smarc: Disable CAN-FD channel0",
                            "    - bpf: Tidy verifier bug message",
                            "    - regmap: Remove superfluous check for !config in __regmap_init()",
                            "    - selftests/bpf: Copy test_kmods when installing selftest",
                            "    - rust: cpumask: Mark CpumaskVar as transparent",
                            "    - bpf/selftests: Fix test_tcpnotify_user",
                            "    - bpf: Remove migrate_disable in kprobe_multi_link_prog_run",
                            "    - libbpf: Fix reuse of DEVMAP",
                            "    - tools/nolibc: fix error return value of clock_nanosleep()",
                            "    - ARM: dts: renesas: porter: Fix CAN pin group",
                            "    - leds: max77705: Function return instead of variable assignment",
                            "    - leds: flash: leds-qcom-flash: Update torch current clamp setting",
                            "    - s390/bpf: Do not write tail call counter into helper and kfunc frames",
                            "    - s390/bpf: Write back tail call counter for BPF_PSEUDO_CALL",
                            "    - s390/bpf: Write back tail call counter for BPF_TRAMP_F_CALL_ORIG",
                            "    - cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus()",
                            "    - arm64: dts: renesas: sparrow-hawk: Invert microSD voltage selector on",
                            "      EVTB1",
                            "    - arm64: dts: renesas: sparrow-hawk: Set VDDQ18_25_AVB voltage on EVTB1",
                            "    - libbpf: Export bpf_object__prepare symbol",
                            "    - firmware: arm_scmi: Mark VirtIO ready before registering",
                            "      scmi_virtio_driver",
                            "    - arm64: dts: imx93-kontron: Fix GPIO for panel regulator",
                            "    - arm64: dts: imx93-kontron: Fix USB port assignment",
                            "    - arm64: dts: imx95: Correct the lpuart7 and lpuart8 srcid",
                            "    - bpf: Remove preempt_disable in bpf_try_get_buffers",
                            "    - ACPI: processor: idle: Fix memory leak when register cpuidle device",
                            "      failed",
                            "    - genirq: Add irq_chip_(startup/shutdown)_parent()",
                            "    - PCI/MSI: Add startup/shutdown for per device domains",
                            "    - irqchip/sg2042-msi: Fix broken affinity setting",
                            "    - scripts/misc-check: update export checks for EXPORT_SYMBOL_FOR_MODULES()",
                            "    - soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS",
                            "    - pinctrl: meson-gxl: add missing i2c_d pinmux",
                            "    - blk-mq: check kobject state_in_sysfs before deleting in",
                            "      blk_mq_unregister_hctx",
                            "    - selftests/futex: Remove the -g parameter from futex_priv_hash",
                            "    - ARM: at91: pm: fix MCKx restore routine",
                            "    - arm64: dts: apple: t8103-j457: Fix PCIe ethernet iommu-map",
                            "    - regulator: scmi: Use int type to store negative error codes",
                            "    - selftests/futex: Fix some futex_numa_mpol subtests",
                            "    - tools/nolibc: avoid error in dup2() if old fd equals new fd",
                            "    - selftests/nolibc: fix EXPECT_NZ macro",
                            "    - leds: leds-lp55xx: Use correct address for memory programming",
                            "    - PCI/MSI: Check MSI_FLAG_PCI_MSI_MASK_PARENT in",
                            "      cond_[startup|shutdown]_parent()",
                            "    - block: use int to store blk_stack_limits() return value",
                            "    - ARM: dts: stm32: stm32mp151c-plyaqm: Use correct dai-format property",
                            "    - dt-bindings: vendor-prefixes: Add undocumented vendor prefixes",
                            "    - genirq/test: Fix depth tests on architectures with NOREQUEST by default.",
                            "    - genirq/test: Select IRQ_DOMAIN",
                            "    - genirq/test: Depend on SPARSE_IRQ",
                            "    - genirq/test: Drop CONFIG_GENERIC_IRQ_MIGRATION assumptions",
                            "    - genirq/test: Ensure CPU 1 is online for hotplug test",
                            "    - selftests/bpf: Fix count write in testapp_xdp_metadata_copy()",
                            "    - vdso/datastore: Gate time data behind CONFIG_GENERIC_GETTIMEOFDAY",
                            "    - PM: sleep: core: Clear power.must_resume in noirq suspend error path",
                            "    - blk-mq: fix elevator depth_updated method",
                            "    - vdso: Add struct __kernel_old_timeval forward declaration to gettime.h",
                            "    - ARM: dts: ti: omap: am335x-baltos: Fix ti,en-ck32k-xtal property in DTS",
                            "      to use correct boolean syntax",
                            "    - ARM: dts: ti: omap: omap3-devkit8000-lcd: Fix ti,keep-vref-on property",
                            "      to use correct boolean syntax in DTS",
                            "    - ARM: dts: omap: am335x-cm-t335: Remove unused mcasp num-serializer",
                            "      property",
                            "    - PM / devfreq: mtk-cci: Fix potential error pointer dereference in",
                            "      probe()",
                            "    - power: supply: cw2015: Fix a alignment coding style issue",
                            "    - hwmon: (asus-ec-sensors) Narrow lock for X870E-CREATOR WIFI",
                            "    - pinctrl: renesas: Use int type to store negative error codes",
                            "    - pinctrl: eswin: Fix regulator error check and Kconfig dependency",
                            "    - null_blk: Fix the description of the cache_size module argument",
                            "    - blk-throttle: fix access race during throttle policy activation",
                            "    - selftests: vDSO: Fix -Wunitialized in powerpc VDSO_CALL() wrapper",
                            "    - selftests: vDSO: vdso_test_abi: Correctly skip whole test with missing",
                            "      vDSO",
                            "    - irqchip/gic-v5: Fix loop in gicv5_its_create_itt_two_level() cleanup",
                            "      path",
                            "    - irqchip/gic-v5: Fix error handling in gicv5_its_irq_domain_alloc()",
                            "    - tick: Do not set device to detached state in tick_shutdown()",
                            "    - arm64: dts: mediatek: mt8195: Remove suspend-breaking reset from pcie0",
                            "    - arm64: dts: mediatek: mt8183: Fix out of range pull values",
                            "    - nbd: restrict sockets to TCP and UDP",
                            "    - PM / devfreq: rockchip-dfi: double count on RK3588",
                            "    - firmware: firmware: meson-sm: fix compile-test default",
                            "    - dts: arm: amlogic: fix pwm node for c3",
                            "    - soc: mediatek: mtk-svs: fix device leaks on mt8183 probe failure",
                            "    - soc: mediatek: mtk-svs: fix device leaks on mt8192 probe failure",
                            "    - cpuidle: qcom-spm: fix device and OF node leaks at probe",
                            "    - block: cleanup bio_issue",
                            "    - block: initialize bio issue time in blk_mq_submit_bio()",
                            "    - block: factor out a helper bio_submit_split_bioset()",
                            "    - block: skip unnecessary checks for split bio",
                            "    - block: fix ordering of recursive split IO",
                            "    - blk-mq: remove useless checkings in blk_mq_update_nr_requests()",
                            "    - blk-mq: check invalid nr_requests in queue_requests_store()",
                            "    - blk-mq: convert to serialize updating nr_requests with",
                            "      update_nr_hwq_lock",
                            "    - blk-mq: cleanup shared tags case in blk_mq_update_nr_requests()",
                            "    - blk-mq: split bitmap grow and resize case in blk_mq_update_nr_requests()",
                            "    - blk-mq-sched: add new parameter nr_requests in blk_mq_alloc_sched_tags()",
                            "    - blk-mq: fix potential deadlock while nr_requests grown",
                            "    - arm64: dts: allwinner: a527: cubie-a5e: Add ethernet PHY reset setting",
                            "    - arm64: dts: allwinner: t527: avaota-a1: Add ethernet PHY reset setting",
                            "    - arm64: dts: rockchip: Add RTC on rk3576-evb1-v10",
                            "    - arm64: dts: rockchip: Add WiFi on rk3576-evb1-v10",
                            "    - arm64: dts: rockchip: Fix network on rk3576 evb1 board",
                            "    - arm64: dts: ti: k3-j742s2-mcu-wakeup: Override firmware-name for MCU R5F",
                            "      cores",
                            "    - arm64: dts: ti: k3: Rename rproc reserved-mem nodes to 'memory@addr'",
                            "    - Revert \"arm64: dts: ti: k3-j721e-sk: Fix reversed C6x carveout",
                            "      locations\"",
                            "    - Revert \"arm64: dts: ti: k3-j721e-beagleboneai64: Fix reversed C6x",
                            "      carveout locations\"",
                            "    - arm64: dts: mediatek: mt8188: Change efuse fallback compatible to mt8186",
                            "    - arm64: dts: mediatek: mt8186-tentacruel: Fix touchscreen model",
                            "    - arm64: dts: ti: k3-pinctrl: Fix the bug in existing macros",
                            "    - arm64: dts: renesas: r9a09g047e57-smarc: Fix gpio key's pin control node",
                            "    - arm64: dts: mediatek: mt6331: Fix pmic, regulators, rtc, keys node names",
                            "    - mmc: core: Fix variable shadowing in mmc_route_rpmb_frames()",
                            "    - arm64: dts: mediatek: mt6795-xperia-m5: Fix mmc0 latch-ck value",
                            "    - arm64: dts: mediatek: mt7986a: Fix PCI-Express T-PHY node address",
                            "    - arm64: dts: mediatek: mt8395-kontron-i1200: Fix MT6360 regulator nodes",
                            "    - arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible",
                            "    - arm64: dts: allwinner: a527: cubie-a5e: Add LEDs",
                            "    - arm64: dts: allwinner: a527: cubie-a5e: Drop external 32.768 KHz crystal",
                            "    - arm64: dts: allwinner: t527: avaota-a1: hook up external 32k crystal",
                            "    - arm64: dts: allwinner: t527: orangepi-4a: hook up external 32k crystal",
                            "    - pwm: tiehrpwm: Don't drop runtime PM reference in .free()",
                            "    - pwm: tiehrpwm: Make code comment in .free() more useful",
                            "    - pwm: tiehrpwm: Fix various off-by-one errors in duty-cycle calculation",
                            "    - pwm: tiehrpwm: Fix corner case in clock divisor calculation",
                            "    - ACPICA: Apply ACPI_NONSTRING",
                            "    - ACPICA: Fix largest possible resource descriptor index",
                            "    - riscv, bpf: Sign extend struct ops return values properly",
                            "    - nvme-auth: update bi_directional flag",
                            "    - nvmet-fc: move lsop put work to nvmet_fc_ls_req_op",
                            "    - nvmet-fcloop: call done callback even when remote port is gone",
                            "    - nvme-tcp: send only permitted commands for secure concat",
                            "    - i3c: master: svc: Use manual response for IBI events",
                            "    - i3c: master: svc: Recycle unused IBI slot",
                            "    - block: update validation of atomic writes boundary for stacked devices",
                            "    - block: fix stacking of atomic writes when atomics are not supported",
                            "    - selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported",
                            "    - selftests/kselftest_harness: Add harness-selftest.expected to TEST_FILES",
                            "    - blk-throttle: fix throtl_data leak during disk release",
                            "    - bpf: Explicitly check accesses to bpf_sock_addr",
                            "    - mmc: select REGMAP_MMIO with MMC_LOONGSON2",
                            "    - selftests/futex: Fix futex_wait() for 32bit ARM",
                            "    - selftest/futex: Make the error check more precise for futex_numa_mpol",
                            "    - selftest/futex: Compile also with libnuma < 2.0.16",
                            "    - bpf: dont report verifier bug for missing bpf_scc_visit on speculative",
                            "      path",
                            "    - bpf, arm64: Call bpf_jit_binary_pack_finalize() in bpf_jit_free()",
                            "    - arm64: dts: apple: t600x: Add missing WiFi properties",
                            "    - arm64: dts: apple: t600x: Add bluetooth device nodes",
                            "    - arm64: dts: apple: Add ethernet0 alias for J375 template",
                            "    - selftests: always install UAPI headers to the correct directory",
                            "    - smp: Fix up and expand the smp_call_function_many() kerneldoc",
                            "    - mfd: max77705: max77705_charger: move active discharge setting to mfd",
                            "      parent",
                            "    - power: supply: max77705_charger: refactoring: rename charger to chg",
                            "    - power: supply: max77705_charger: use regfields for config registers",
                            "    - power: supply: max77705_charger: rework interrupts",
                            "    - tools/nolibc: make time_t robust if __kernel_old_time_t is missing in",
                            "      host headers",
                            "    - spi: fix return code when spi device has too many chipselects",
                            "    - clocksource/drivers/timer-tegra186: Avoid 64-bit divide operation",
                            "    - clocksource/drivers/tegra186: Avoid 64-bit division",
                            "    - bpf: Mark kfuncs as __noclone",
                            "    - once: fix race by moving DO_ONCE to separate section",
                            "    - hwmon: (mlxreg-fan) Separate methods of fan setting coming from",
                            "      different subsystems",
                            "    - tools/nolibc: add stdbool.h to nolibc includes",
                            "    - thermal/drivers/qcom: Make LMH select QCOM_SCM",
                            "    - thermal/drivers/qcom/lmh: Add missing IRQ includes",
                            "    - i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD",
                            "    - i2c: spacemit: ensure bus release check runs when wait_bus_idle() fails",
                            "    - i2c: spacemit: remove stop function to avoid bus error",
                            "    - i2c: spacemit: disable SDA glitch fix to avoid restart delay",
                            "    - i2c: spacemit: check SDA instead of SCL after bus reset",
                            "    - i2c: spacemit: ensure SDA is released after bus reset",
                            "    - i2c: designware: Fix clock issue when PM is disabled",
                            "    - i2c: designware: Add disabling clocks when probe fails",
                            "    - libbpf: Fix error when st-prefix_ops and ops from differ btf",
                            "    - bpf: Enforce expected_attach_type for tailcall compatibility",
                            "    - i3c: fix big-endian FIFO transfers",
                            "    - mfd: max77705: Setup the core driver as an interrupt controller",
                            "    - drm/sched: Fix a race in DRM_GPU_SCHED_STAT_NO_HANG test",
                            "    - drm/panel-edp: Add disable to 100ms for MNB601LS1-4",
                            "    - drm/display: bridge-connector: correct CEC bridge pointers in",
                            "      drm_bridge_connector_init",
                            "    - drm/panel-edp: Add 50ms disable delay for four panels",
                            "    - drm/vmwgfx: fix missing assignment to ts",
                            "    - drm/amd/display: Reduce Stack Usage by moving 'audio_output' into",
                            "      'stream_res' v4",
                            "    - drm/panel: novatek-nt35560: Fix invalid return value",
                            "    - drm/amdgpu: fix link error for !PM_SLEEP",
                            "    - drm/amdgpu: Fix jpeg v4.0.3 poison irq call trace on sriov guest",
                            "    - drm/amdgpu: Fix vcn v4.0.3 poison irq call trace on sriov guest",
                            "    - PCI: endpoint: pci-ep-msi: Fix NULL vs IS_ERR() check in",
                            "      pci_epf_write_msi_msg()",
                            "    - PCI: xgene-msi: Return negative -EINVAL in xgene_msi_handler_setup()",
                            "    - drm/radeon/r600_cs: clean up of dead code in r600_cs",
                            "    - f2fs: fix condition in __allow_reserved_blocks()",
                            "    - f2fs: fix to avoid overflow while left shift operation",
                            "    - f2fs: fix to zero data after EOF for compressed file correctly",
                            "    - drm/bridge: it6505: select REGMAP_I2C",
                            "    - wifi: rtw88: Lock rtwdev->mutex before setting the LED",
                            "    - HID: steelseries: refactor probe() and remove()",
                            "    - media: zoran: Remove zoran_fh structure",
                            "    - phy: rockchip: naneng-combphy: Enable U3 OTG port for RK3568",
                            "    - drm/bridge: cdns-dsi: Fix the _atomic_check()",
                            "    - usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup",
                            "    - usb: misc: qcom_eud: Access EUD_MODE_MANAGER2 through secure calls",
                            "    - PCI/pwrctrl: Fix double cleanup on devm_add_action_or_reset() failure",
                            "    - misc: pci_endpoint_test: Fix array underflow in",
                            "      pci_endpoint_test_ioctl()",
                            "    - serial: max310x: Add error checking in probe()",
                            "    - drm/amd/display: Remove redundant semicolons",
                            "    - drm/amd/display: Add NULL pointer checks in dc_stream cursor attribute",
                            "      functions",
                            "    - crypto: keembay - Add missing check after sg_nents_for_len()",
                            "    - hwrng: nomadik - add ARM_AMBA dependency",
                            "    - docs: iio: ad3552r: Fix malformed code-block directive",
                            "    - fwctl/mlx5: Fix memory alloc/free in mlx5ctl_fw_rpc()",
                            "    - scsi: pm80xx: Restore support for expanders",
                            "    - scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod",
                            "    - scsi: libsas: Add dev_parent_is_expander() helper",
                            "    - scsi: pm80xx: Use dev_parent_is_expander() helper",
                            "    - scsi: pm80xx: Add helper function to get the local phy id",
                            "    - scsi: pm80xx: Fix pm8001_abort_task() for chip_8006 when using an",
                            "      expander",
                            "    - mptcp: Fix up subflow's memcg when CONFIG_SOCK_CGROUP_DATA=n.",
                            "    - scsi: myrs: Fix dma_alloc_coherent() error check",
                            "    - f2fs: fix to clear unusable_cap for checkpoint=enable",
                            "    - f2fs: fix to avoid NULL pointer dereference in",
                            "      f2fs_check_quota_consistency()",
                            "    - f2fs: fix to allow removing qf_name",
                            "    - Revert \"UBUNTU: SAUCE: drm/dp: drm_edp_backlight_set_level: do not",
                            "      always send 3-byte commands\"",
                            "    - drm/dp: drm_edp_backlight_set_level: do not always send 3-byte commands",
                            "    - crypto: octeontx2 - Call strscpy() with correct size argument",
                            "    - drm: re-allow no-op changes on non-primary planes in async flips",
                            "    - media: rj54n1cb0c: Fix memleak in rj54n1_probe()",
                            "    - media: staging/ipu7: convert to use pci_alloc_irq_vectors() API",
                            "    - media: staging/ipu7: Don't set name for IPU7 PCI device",
                            "    - media: staging/ipu7: cleanup the MMU correctly in IPU7 driver release",
                            "    - media: i2c: vd55g1: Fix duster register address",
                            "    - drm/panel: Allow powering on panel follower after panel is enabled",
                            "    - HID: i2c-hid: Make elan touch controllers power on after panel is",
                            "      enabled",
                            "    - RDMA/mlx5: Better estimate max_qp_wr to reflect WQE count",
                            "    - RDMA/mlx5: Fix vport loopback forcing for MPV device",
                            "    - wifi: rtw88: Use led->brightness_set_blocking for PCI too",
                            "    - net: phy: introduce phy_id_compare_vendor() PHY ID helper",
                            "    - net: phy: as21xxx: better handle PHY HW reset on soft-reboot",
                            "    - PCI: rcar-host: Pass proper IRQ domain to generic_handle_domain_irq()",
                            "    - fuse: remove unneeded offset assignment when filling write pages",
                            "    - PCI: qcom: Restrict port parsing only to PCIe bridge child nodes",
                            "    - cdx: don't select CONFIG_GENERIC_MSI_IRQ",
                            "    - PCI/ACPI: Fix pci_acpi_preserve_config() memory leak",
                            "    - HID: i2c-hid: Fix test in i2c_hid_core_register_panel_follower()",
                            "    - ALSA: lx_core: use int type to store negative error codes",
                            "    - media: st-delta: avoid excessive stack usage",
                            "    - drm/amdgpu/vcn: Add regdump helper functions",
                            "    - drm/amdgpu/vcn: Hold pg_lock before vcn power off",
                            "    - drm/amdgpu: Check vcn state before profile switch",
                            "    - accel/amdxdna: Use int instead of u32 to store error codes",
                            "    - efi: Explain OVMF acronym in OVMF_DEBUG_LOG help text",
                            "    - net: dst: introduce dst->dev_rcu",
                            "    - ipv6: mcast: Add ip6_mc_find_idev() helper",
                            "    - ipv6: start using dst_dev_rcu()",
                            "    - ipv6: use RCU in ip6_xmit()",
                            "    - ipv6: use RCU in ip6_output()",
                            "    - net: use dst_dev_rcu() in sk_setup_caps()",
                            "    - tcp_metrics: use dst_dev_net_rcu()",
                            "    - ipv4: start using dst_dev_rcu()",
                            "    - crypto: hisilicon/zip - remove unnecessary validation for high-",
                            "      performance mode configurations",
                            "    - crypto: hisilicon - re-enable address prefetch after device resuming",
                            "    - crypto: hisilicon - check the sva module status while enabling or",
                            "      disabling address prefetch",
                            "    - crypto: hisilicon/qm - check whether the input function and PF are on",
                            "      the same device",
                            "    - crypto: hisilicon/qm - request reserved interrupt for virtual function",
                            "    - inet: ping: check sock_net() in ping_get_port() and ping_lookup()",
                            "    - dmaengine: Fix dma_async_tx_descriptor->tx_submit documentation",
                            "    - coresight: trbe: Add ISB after TRBLIMITR write",
                            "    - coresight: Fix missing include for FIELD_GET",
                            "    - coresight: Only register perf symlink for sinks with alloc_buffer",
                            "    - drm/amdgpu: Power up UVD 3 for FW validation (v2)",
                            "    - drm/amd/pm: Disable ULV even if unsupported (v3)",
                            "    - drm/amd/pm: Fix si_upload_smc_data (v3)",
                            "    - drm/amd/pm: Adjust si_upload_smc_data register programming (v3)",
                            "    - drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3)",
                            "    - drm/amd/pm: Disable MCLK switching with non-DC at 120 Hz+ (v2)",
                            "    - drm/amd/pm: Disable SCLK switching on Oland with high pixel clocks (v3)",
                            "    - wifi: mac80211: Make CONNECTION_MONITOR optional for MLO sta",
                            "    - wifi: mwifiex: send world regulatory domain to driver",
                            "    - wifi: brcmfmac: fix 43752 SDIO FWVID incorrectly labelled as Cypress",
                            "      (CYW)",
                            "    - drm/msm: Do not validate SSPP when it is not ready",
                            "    - PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation",
                            "    - wifi: mac80211: consider links for validating SCAN_FLAG_AP in scan",
                            "      request during MLO",
                            "    - PCI: qcom: Add equalization settings for 8.0 GT/s and 32.0 GT/s",
                            "    - tcp: fix __tcp_close() to only send RST when required",
                            "    - fanotify: Validate the return value of mnt_ns_from_dentry() before",
                            "      dereferencing",
                            "    - drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl()",
                            "    - usb: phy: twl6030: Fix incorrect type for ret",
                            "    - usb: gadget: configfs: Correctly set use_os_string at bind",
                            "    - tty: n_gsm: Don't block input queue by waiting MSC",
                            "    - misc: genwqe: Fix incorrect cmd field being reported in error",
                            "    - pps: fix warning in pps_register_cdev when register device fail",
                            "    - drm/msm: Fix obj leak in VM_BIND error path",
                            "    - drm/msm: Fix missing VM_BIND offset/range validation",
                            "    - wifi: iwlwifi: Remove redundant header files",
                            "    - drm/msm/mdp4: stop supporting no-IOMMU configuration",
                            "    - drm/msm: stop supporting no-IOMMU configuration",
                            "    - idpf: fix Rx descriptor ready check barrier in splitq",
                            "    - ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping",
                            "    - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping",
                            "    - ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping",
                            "    - ipv6: snmp: do not use SNMP_MIB_SENTINEL anymore",
                            "    - ipv6: snmp: do not track per idev ICMP6_MIB_RATELIMITHOST",
                            "    - drm/msm: Fix bootup splat with separate_gpu_drm modparam",
                            "    - drm/msm/dpu: fix incorrect type for ret",
                            "    - wifi: mac80211: fix reporting of all valid links in sta_set_sinfo()",
                            "    - fs: ntfs3: Fix integer overflow in run_unpack()",
                            "    - fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist",
                            "    - iio: consumers: Fix handling of negative channel scale in",
                            "      iio_convert_raw_to_processed()",
                            "    - iio: consumers: Fix offset handling in iio_convert_raw_to_processed()",
                            "    - mm/slub: Fix cmp_loc_by_count() to return 0 when counts are equal",
                            "    - tools: ynl: fix undefined variable name",
                            "    - RDMA/mlx5: Fix page size bitmap calculation for KSM mode",
                            "    - netfilter: ipset: Remove unused htable_bits in macro ahash_region",
                            "    - ipvs: Use READ_ONCE/WRITE_ONCE for ipvs->enable",
                            "    - HID: steelseries: Fix STEELSERIES_SRWS1 handling in steelseries_remove()",
                            "    - watchdog: intel_oc_wdt: Do not try to write into const memory",
                            "    - watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the",
                            "      watchdog",
                            "    - PCI: endpoint: pci-epf-test: Fix doorbell test support",
                            "    - drivers/base/node: handle error properly in register_one_node()",
                            "    - RDMA/cm: Rate limit destroy CM ID timeout error message",
                            "    - wifi: mt76: mt7996: Fix mt7996_mcu_sta_ba wcid configuration",
                            "    - wifi: mt76: mt7996: Fix mt7996_mcu_bss_mld_tlv routine",
                            "    - wifi: mt76: fix potential memory leak in mt76_wmac_probe()",
                            "    - wifi: mt76: mt7996: Use proper link_id in link_sta_rc_update callback",
                            "    - wifi: mt76: mt7996: Check phy before init msta_link in",
                            "      mt7996_mac_sta_add_links()",
                            "    - wifi: mt76: mt7996: Fix tx-queues initialization for second phy on",
                            "      mt7996",
                            "    - wifi: mt76: mt7996: Fix RX packets configuration for primary WED device",
                            "    - wifi: mt76: mt7996: Convert mt7996_wed_rro_addr to LE",
                            "    - wifi: mt76: mt7915: fix mt7981 pre-calibration",
                            "    - wifi: mt76: mt7996: remove redundant per-phy mac80211 calls during",
                            "      restart",
                            "    - ASoC: Intel: hda-sdw-bpt: set persistent_buffer false",
                            "    - srcu/tiny: Remove preempt_disable/enable() in srcu_gp_start_if_needed()",
                            "    - drm/amdgpu: Fix allocating extra dwords for rings (v2)",
                            "    - f2fs: fix to update map->m_next_extent correctly in f2fs_map_blocks()",
                            "    - f2fs: fix to truncate first page in error path of f2fs_truncate()",
                            "    - f2fs: fix to avoid migrating empty section",
                            "    - f2fs: fix to mitigate overhead of f2fs_zero_post_eof_page()",
                            "    - RISC-V: KVM: Write hgatp register with valid mode bits",
                            "    - ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on",
                            "      PREEMPT_RT",
                            "    - ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message",
                            "    - scsi: qla2xxx: edif: Fix incorrect sign of error code",
                            "    - scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES()",
                            "    - scsi: qla2xxx: Fix incorrect sign of error code in qla_nvme_xmt_ls_rsp()",
                            "    - HID: hidraw: tighten ioctl command parsing",
                            "    - f2fs: fix zero-sized extent for precache extents",
                            "    - smc: Fix use-after-free in __pnet_find_base_ndev().",
                            "    - smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().",
                            "    - smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().",
                            "    - smc: Use __sk_dst_get() and dst_dev_rcu() in smc_vlan_by_tcpsk().",
                            "    - tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().",
                            "    - mptcp: Call dst_release() in mptcp_active_enable().",
                            "    - mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable().",
                            "    - Revert \"usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems",
                            "      Running\"",
                            "    - RDMA/core: Resolve MAC of next-hop device without ARP support",
                            "    - IB/sa: Fix sa_local_svc_timeout_ms read race",
                            "    - Documentation: trace: historgram-design: Separate sched_waking histogram",
                            "      section heading and the following diagram",
                            "    - ASoC: SOF: ipc4-pcm: Fix incorrect comparison with number of tdm_slots",
                            "    - wifi: ath12k: initialize eirp_power before use",
                            "    - wifi: ath12k: fix overflow warning on num_pwr_levels",
                            "    - wifi: ath12k: fix signal in radiotap for WCN7850",
                            "    - wifi: ath12k: fix HAL_PHYRX_COMMON_USER_INFO handling in monitor mode",
                            "    - wifi: ath12k: fix the fetching of combined rssi",
                            "    - wifi: ath12k: Add fallback for invalid channel number in PHY metadata",
                            "    - wifi: ath12k: fix wrong logging ID used for CE",
                            "    - wifi: ath10k: avoid unnecessary wait for service ready message",
                            "    - iommu/vt-d: debugfs: Fix legacy mode page table dump logic",
                            "    - wifi: mac80211: fix Rx packet handling when pubsta information is not",
                            "      available",
                            "    - ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      UltraSPARC",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      UltraSPARC III",
                            "    - sparc: fix accurate exception reporting in copy_{from_to}_user for",
                            "      Niagara",
                            "    - sparc: fix accurate exception reporting in copy_to_user for Niagara 4",
                            "    - sparc: fix accurate exception reporting in copy_{from,to}_user for M7",
                            "    - vfio/pds: replace bitmap_free with vfree",
                            "    - crypto: comp - Use same definition of context alloc and free ops",
                            "    - crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs",
                            "    - wifi: ath12k: Fix peer lookup in ath12k_dp_mon_rx_deliver_msdu()",
                            "    - rpmsg: qcom_smd: Fix fallback to qcom,ipc parse",
                            "    - remoteproc: qcom_q6v5_mss: support loading MBN file on msm8974",
                            "    - RDMA/rxe: Fix race in do_task() when draining",
                            "    - selftests/mm: fix va_high_addr_switch.sh failure on x86_64",
                            "    - wifi: rtw89: fix leak in rtw89_core_send_nullfunc()",
                            "    - wifi: rtw89: avoid circular locking dependency in ser_state_run()",
                            "    - PCI: tegra194: Fix duplicate PLL disable in",
                            "      pex_ep_event_pex_rst_assert()",
                            "    - remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice",
                            "    - remoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E",
                            "    - wifi: ath12k: Refactor RX TID deletion handling into helper function",
                            "    - wifi: ath12k: Fix flush cache failure during RX queue update",
                            "    - wifi: cfg80211: fix width unit in cfg80211_radio_chandef_valid()",
                            "    - dm vdo: return error on corrupted metadata in start_restoring_volume",
                            "      functions",
                            "    - coresight: fix indentation error in cscfg_remove_owned_csdev_configs()",
                            "    - coresight-etm4x: Conditionally access register TRCEXTINSELR",
                            "    - coresight: tmc: Support atclk",
                            "    - coresight: catu: Support atclk",
                            "    - coresight: etm4x: Support atclk",
                            "    - coresight: Appropriately disable programming clocks",
                            "    - coresight: Appropriately disable trace bus clocks",
                            "    - coresight: Avoid enable programming clock duplicately",
                            "    - coresight: trbe: Return NULL pointer for allocation failures",
                            "    - coresight: tpda: fix the logic to setup the element size",
                            "    - coresight: Fix incorrect handling for return value of devm_kzalloc",
                            "    - NFSv4.1: fix backchannel max_resp_sz verification check",
                            "    - net: ethtool: tsconfig: set command must provide a reply",
                            "    - netfilter: nfnetlink: reset nlh pointer during batch replay",
                            "    - netfilter: nf_conntrack: do not skip entries in /proc/net/nf_conntrack",
                            "    - scsi: ufs: core: Fix data race in CPU latency PM QoS request handling",
                            "    - scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()",
                            "    - usb: vhci-hcd: Prevent suspending virtually attached devices",
                            "    - PCI: rcar-gen4: Add missing 1ms delay after PWR reset assertion",
                            "    - PCI: rcar-gen4: Assure reset occurs before DBI access",
                            "    - PCI: rcar-gen4: Fix inverted break condition in PHY initialization",
                            "    - ASoC: qcom: sc8280xp: use sa8775p/ subdir for QCS9100 / QCS9075",
                            "    - iommu/vt-d: Disallow dirty tracking if incoherent page walk",
                            "    - iommu/selftest: prevent use of uninitialized variable",
                            "    - RDMA/siw: Always report immediate post SQ errors",
                            "    - net: enetc: Fix probing error message typo for the ENETCv4 PF driver",
                            "    - net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast",
                            "    - ptp: Add a upper bound on max_vclocks",
                            "    - vhost: vringh: Fix copy_to_iter return value check",
                            "    - net: macb: remove illusion about TBQPH/RBQPH being per-queue",
                            "    - net: macb: move ring size computation to functions",
                            "    - net: macb: single dma_alloc_coherent() for DMA descriptors",
                            "    - Bluetooth: btintel_pcie: Refactor Device Coredump",
                            "    - Bluetooth: MGMT: Fix not exposing debug UUID on",
                            "      MGMT_OP_READ_EXP_FEATURES_INFO",
                            "    - Bluetooth: ISO: Fix possible UAF on iso_conn_free",
                            "    - Bluetooth: ISO: free rx_skb if not consumed",
                            "    - Bluetooth: ISO: don't leak skb in ISO_CONT RX",
                            "    - Bluetooth: hci_sync: Fix using random address for BIG/PA advertisements",
                            "    - KEYS: X.509: Fix Basic Constraints CA flag parsing",
                            "    - hwrng: ks-sa - fix division by zero in ks_sa_rng_init",
                            "    - cramfs: fix incorrect physical page address calculation",
                            "    - ocfs2: fix double free in user_cluster_connect()",
                            "    - drivers/base/node: fix double free in register_one_node()",
                            "    - f2fs: fix UAF issue in f2fs_merge_page_bio()",
                            "    - mtd: rawnand: atmel: Fix error handling path in",
                            "      atmel_nand_controller_add_nands",
                            "    - PCI: j721e: Fix incorrect error message in probe()",
                            "    - idpf: fix mismatched free function for dma_alloc_coherent",
                            "    - tcp: use skb->len instead of skb->truesize in tcp_can_ingest()",
                            "    - nfp: fix RSS hash key size when RSS is not supported",
                            "    - net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not",
                            "      configurable",
                            "    - net: dlink: handle copy_thresh allocation failure",
                            "    - net/mlx5: Stop polling for command response if interface goes down",
                            "    - net/mlx5: pagealloc: Fix reclaim race during command interface teardown",
                            "    - net/mlx5: fw reset, add reset timeout work",
                            "    - smb: client: fix crypto buffers in non-linear memory",
                            "    - bonding: fix xfrm offload feature setup on active-backup mode",
                            "    - net: enetc: initialize SW PIR and CIR based HW PIR and CIR values",
                            "    - iommufd: Register iommufd mock devices with fwspec",
                            "    - Revert \"net/mlx5e: Update and set Xon/Xoff upon MTU set\"",
                            "    - NFSD: filecache: add STATX_DIOALIGN and STATX_DIO_READ_ALIGN support",
                            "    - nfs/localio: avoid issuing misaligned IO using O_DIRECT",
                            "    - octeontx2-vf: fix bitmap leak",
                            "    - octeontx2-pf: fix bitmap leak",
                            "    - vhost: vringh: Modify the return value check",
                            "    - selftests/bpf: Fix typos and grammar in test sources",
                            "    - selftests/bpf: move get_ksyms and get_addrs to trace_helpers.c",
                            "    - selftests/bpf: Fix realloc size in bpf_get_addrs",
                            "    - bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer",
                            "    - bpf: Reject negative offsets for ALU ops",
                            "    - tpm: Disable TPM2_TCG_HMAC by default",
                            "    - ALSA: hda/hdmi: Add pin fix for HP ProDesk model",
                            "    - ALSA: hda/realtek: Add quirk for HP Spectre 14t-ea100",
                            "    - Squashfs: fix uninit-value in squashfs_get_parent",
                            "    - uio_hv_generic: Let userspace take care of interrupt mask",
                            "    - hisi_acc_vfio_pci: Fix reference leak in hisi_acc_vfio_debug_init",
                            "    - io_uring/waitid: always prune wait queue entry in io_waitid_wait()",
                            "    - io_uring/zcrx: fix overshooting recv limit",
                            "    - ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()",
                            "    - ASoC: SOF: ipc3-topology: Fix multi-core and static pipelines tear down",
                            "    - ASoC: codecs: wcd937x: set the comp soundwire port correctly",
                            "    - ASoC: codecs: wcd937x: make stub functions inline",
                            "    - ASoC: SOF: ipc4-pcm: fix delay calculation when DSP resamples",
                            "    - ASoC: SOF: ipc4-pcm: fix start offset calculation for chain DMA",
                            "    - fs: udf: fix OOB read in lengthAllocDescs handling",
                            "    - net: nfc: nci: Add parameter validation for packet data",
                            "    - mfd: rz-mtu3: Fix MTU5 NFCR register offset",
                            "    - mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag",
                            "    - mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data()",
                            "    - tracing: Fix lock imbalance in s_start() memory allocation failure path",
                            "    - tracing: Fix race condition in kprobe initialization causing NULL",
                            "      pointer dereference",
                            "    - tracing: Fix wakeup tracers on failure of acquiring calltime",
                            "    - tracing: Fix irqoff tracers on failure of acquiring calltime",
                            "    - tracing: Have trace_marker use per-cpu data to read user space",
                            "    - tracing: Fix tracing_mark_raw_write() to use buf and not ubuf",
                            "    - tracing: Stop fortify-string from warning in tracing_mark_raw_write()",
                            "    - dm: fix queue start/stop imbalance under suspend/load/resume races",
                            "    - dm: fix NULL pointer dereference in __dm_suspend()",
                            "    - LoongArch: Automatically disable kaslr if boot from kexec_file",
                            "    - pwm: loongson: Fix LOONGSON_PWM_FREQ_DEFAULT",
                            "    - LoongArch: BPF: Sign-extend struct ops return values properly",
                            "    - LoongArch: BPF: No support of struct argument in trampoline programs",
                            "    - LoongArch: BPF: Don't align trampoline size",
                            "    - LoongArch: BPF: Make trampoline size stable",
                            "    - LoongArch: BPF: Make error handling robust in",
                            "      arch_prepare_bpf_trampoline()",
                            "    - LoongArch: BPF: Remove duplicated bpf_flush_icache()",
                            "    - LoongArch: BPF: No text_poke() for kernel text",
                            "    - LoongArch: BPF: Remove duplicated flags check",
                            "    - LoongArch: BPF: Fix uninitialized symbol 'retval_off'",
                            "    - mm/ksm: fix flag-dropping behavior in ksm_madvise",
                            "    - ksmbd: Fix race condition in RPC handle list access",
                            "    - ksmbd: fix error code overwriting in smb2_get_info_filesystem()",
                            "    - ksmbd: add max ip connections parameter",
                            "    - ext4: fix potential null deref in ext4_mb_init()",
                            "    - ext4: fix checks for orphan inodes",
                            "    - KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid",
                            "    - fbdev: simplefb: Fix use after free in simplefb_detach_genpds()",
                            "    - mm: hugetlb: avoid soft lockup when mprotect to large memory area",
                            "    - selftests/mm: skip soft-dirty tests when CONFIG_MEM_SOFT_DIRTY is",
                            "      disabled",
                            "    - nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()",
                            "    - misc: fastrpc: Save actual DMA size in fastrpc_map structure",
                            "    - misc: fastrpc: Fix fastrpc_map_lookup operation",
                            "    - misc: fastrpc: fix possible map leak in fastrpc_put_args",
                            "    - misc: fastrpc: Skip reference for DMA handles",
                            "    - Input: atmel_mxt_ts - allow reset GPIO to sleep",
                            "    - Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info",
                            "      leak",
                            "    - sunrpc: fix null pointer dereference on zero-length checksum",
                            "    - PCI/AER: Avoid NULL pointer dereference in aer_ratelimit()",
                            "    - remoteproc: pru: Fix potential NULL pointer dereference in",
                            "      pru_rproc_set_ctable()",
                            "    - PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before",
                            "      release",
                            "    - thunderbolt: Fix use-after-free in tb_dp_dprx_work",
                            "    - tee: fix register_shm_helper()",
                            "    - pinctrl: check the return value of pinmux_ops::get_function_name()",
                            "    - bus: fsl-mc: Check return value of platform_get_resource()",
                            "    - net/9p: Fix buffer overflow in USB transport layer",
                            "    - net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock",
                            "    - usb: typec: tipd: Clear interrupts first",
                            "    - arm64: dts: qcom: qcm2290: Disable USB SS bus instances in park mode",
                            "    - usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call",
                            "    - scsi: ufs: core: Fix PM QoS mutex initialization",
                            "    - drm/amdgpu/vcn: Fix double-free of vcn dump buffer",
                            "    - Linux 6.17.3",
                            "  * CVE-2025-40019",
                            "    - crypto: essiv - Check ssize for decryption and in-place encryption",
                            "  * CVE-2025-40214",
                            "    - af_unix: Initialise scc_index in unix_add_edge().",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [SAUCE] Fix selftest/net/rtnetlink.sh for Big Endian",
                            ""
                        ],
                        "package": "linux-riscv",
                        "version": "6.17.0-14.14.1",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2137845,
                            1786013,
                            2137849,
                            1786013,
                            2136820,
                            2137698,
                            2129812,
                            2125022,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136850,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136833,
                            2136813,
                            2132317,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2134982,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2133557,
                            2132095,
                            2131046,
                            2115860,
                            2128792,
                            2121852,
                            2131259,
                            2131259,
                            2131702,
                            2129610
                        ],
                        "author": "Sarah Emery <sarah.emery@canonical.com>",
                        "date": "Fri, 23 Jan 2026 09:46:46 +0100"
                    }
                ],
                "notes": "linux-tools-6.17.0-14-generic version '6.17.0-14.14.1' (source package linux-riscv version '6.17.0-14.14.1') was added. linux-tools-6.17.0-14-generic version '6.17.0-14.14.1' has the same source package name, linux-riscv, as removed package linux-headers-6.17.0-12-generic. As such we can use the source package version of the removed package, '6.17.0-12.12.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "removed": {
        "deb": [
            {
                "name": "linux-headers-6.17.0-12-generic",
                "from_version": {
                    "source_package_name": "linux-riscv",
                    "source_package_version": "6.17.0-12.12.1",
                    "version": "6.17.0-12.12.1"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-6.17.0-12-generic",
                "from_version": {
                    "source_package_name": "linux-riscv",
                    "source_package_version": "6.17.0-12.12.1",
                    "version": "6.17.0-12.12.1"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-6.17.0-12-generic",
                "from_version": {
                    "source_package_name": "linux-riscv",
                    "source_package_version": "6.17.0-12.12.1",
                    "version": "6.17.0-12.12.1"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-riscv-headers-6.17.0-12",
                "from_version": {
                    "source_package_name": "linux-riscv",
                    "source_package_version": "6.17.0-12.12.1",
                    "version": "6.17.0-12.12.1"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-riscv-tools-6.17.0-12",
                "from_version": {
                    "source_package_name": "linux-riscv",
                    "source_package_version": "6.17.0-12.12.1",
                    "version": "6.17.0-12.12.1"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-tools-6.17.0-12-generic",
                "from_version": {
                    "source_package_name": "linux-riscv",
                    "source_package_version": "6.17.0-12.12.1",
                    "version": "6.17.0-12.12.1"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 25.10 questing image from daily image serial 20260209 to 20260212",
    "from_series": "questing",
    "to_series": "questing",
    "from_serial": "20260209",
    "to_serial": "20260212",
    "from_manifest_filename": "daily_manifest.previous",
    "to_manifest_filename": "manifest.current"
}