Search criteria
13169 vulnerabilities by Linux
CVE-2025-68343 (GCVE-0-2025-68343)
Vulnerability from cvelistv5 – Published: 2025-12-23 13:58 – Updated: 2025-12-23 13:58
VLAI?
Title
can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header
The driver expects to receive a struct gs_host_frame in
gs_usb_receive_bulk_callback().
Use struct_group to describe the header of the struct gs_host_frame and
check that we have at least received the header before accessing any
members of it.
To resubmit the URB, do not dereference the pointer chain
"dev->parent->hf_size_rx" but use "parent->hf_size_rx" instead. Since
"urb->context" contains "parent", it is always defined, while "dev" is not
defined if the URB it too short.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d08e973a77d128b25e01a08c34d89593fdf222da , < 18cbce43363c9f84b90a92d57df341155eee0697
(git)
Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 3433680b759646efcacc64fe36aa2e51ae34b8f0 (git) Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 616eee3e895b8ca0028163fcb1dce5e3e9dea322 (git) Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < f31693dc3a584c0ad3937e857b59dbc1a7ed2b87 (git) Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 6fe9f3279f7d2518439a7962c5870c6e9ecbadcf (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "18cbce43363c9f84b90a92d57df341155eee0697",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "3433680b759646efcacc64fe36aa2e51ae34b8f0",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "616eee3e895b8ca0028163fcb1dce5e3e9dea322",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "f31693dc3a584c0ad3937e857b59dbc1a7ed2b87",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "6fe9f3279f7d2518439a7962c5870c6e9ecbadcf",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header\n\nThe driver expects to receive a struct gs_host_frame in\ngs_usb_receive_bulk_callback().\n\nUse struct_group to describe the header of the struct gs_host_frame and\ncheck that we have at least received the header before accessing any\nmembers of it.\n\nTo resubmit the URB, do not dereference the pointer chain\n\"dev-\u003eparent-\u003ehf_size_rx\" but use \"parent-\u003ehf_size_rx\" instead. Since\n\"urb-\u003econtext\" contains \"parent\", it is always defined, while \"dev\" is not\ndefined if the URB it too short."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:58:28.411Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/18cbce43363c9f84b90a92d57df341155eee0697"
},
{
"url": "https://git.kernel.org/stable/c/3433680b759646efcacc64fe36aa2e51ae34b8f0"
},
{
"url": "https://git.kernel.org/stable/c/616eee3e895b8ca0028163fcb1dce5e3e9dea322"
},
{
"url": "https://git.kernel.org/stable/c/f31693dc3a584c0ad3937e857b59dbc1a7ed2b87"
},
{
"url": "https://git.kernel.org/stable/c/6fe9f3279f7d2518439a7962c5870c6e9ecbadcf"
}
],
"title": "can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68343",
"datePublished": "2025-12-23T13:58:28.411Z",
"dateReserved": "2025-12-16T14:48:05.298Z",
"dateUpdated": "2025-12-23T13:58:28.411Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68342 (GCVE-0-2025-68342)
Vulnerability from cvelistv5 – Published: 2025-12-23 13:58 – Updated: 2025-12-23 13:58
VLAI?
Title
can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data
The URB received in gs_usb_receive_bulk_callback() contains a struct
gs_host_frame. The length of the data after the header depends on the
gs_host_frame hf::flags and the active device features (e.g. time
stamping).
Introduce a new function gs_usb_get_minimum_length() and check that we have
at least received the required amount of data before accessing it. Only
copy the data to that skb that has actually been received.
[mkl: rename gs_usb_get_minimum_length() -> +gs_usb_get_minimum_rx_length()]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d08e973a77d128b25e01a08c34d89593fdf222da , < 4ffac725154cf6a253f5e6aa0c8946232b6a0af5
(git)
Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < ad55004a3cb5b41ef78aa6c09e7bc5a489ba652b (git) Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < fb0c7c77a7ae3a2c3404b7d0173b8739a754b513 (git) Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 395d988f93861101ec89d0dd9e3b876ae9392a5b (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ffac725154cf6a253f5e6aa0c8946232b6a0af5",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "ad55004a3cb5b41ef78aa6c09e7bc5a489ba652b",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "fb0c7c77a7ae3a2c3404b7d0173b8739a754b513",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "395d988f93861101ec89d0dd9e3b876ae9392a5b",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data\n\nThe URB received in gs_usb_receive_bulk_callback() contains a struct\ngs_host_frame. The length of the data after the header depends on the\ngs_host_frame hf::flags and the active device features (e.g. time\nstamping).\n\nIntroduce a new function gs_usb_get_minimum_length() and check that we have\nat least received the required amount of data before accessing it. Only\ncopy the data to that skb that has actually been received.\n\n[mkl: rename gs_usb_get_minimum_length() -\u003e +gs_usb_get_minimum_rx_length()]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:58:27.579Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ffac725154cf6a253f5e6aa0c8946232b6a0af5"
},
{
"url": "https://git.kernel.org/stable/c/ad55004a3cb5b41ef78aa6c09e7bc5a489ba652b"
},
{
"url": "https://git.kernel.org/stable/c/fb0c7c77a7ae3a2c3404b7d0173b8739a754b513"
},
{
"url": "https://git.kernel.org/stable/c/395d988f93861101ec89d0dd9e3b876ae9392a5b"
}
],
"title": "can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68342",
"datePublished": "2025-12-23T13:58:27.579Z",
"dateReserved": "2025-12-16T14:48:05.298Z",
"dateUpdated": "2025-12-23T13:58:27.579Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68341 (GCVE-0-2025-68341)
Vulnerability from cvelistv5 – Published: 2025-12-23 13:58 – Updated: 2025-12-23 13:58
VLAI?
Title
veth: reduce XDP no_direct return section to fix race
Summary
In the Linux kernel, the following vulnerability has been resolved:
veth: reduce XDP no_direct return section to fix race
As explain in commit fa349e396e48 ("veth: Fix race with AF_XDP exposing
old or uninitialized descriptors") for veth there is a chance after
napi_complete_done() that another CPU can manage start another NAPI
instance running veth_pool(). For NAPI this is correctly handled as the
napi_schedule_prep() check will prevent multiple instances from getting
scheduled, but for the remaining code in veth_pool() this can run
concurrent with the newly started NAPI instance.
The problem/race is that xdp_clear_return_frame_no_direct() isn't
designed to be nested.
Prior to commit 401cb7dae813 ("net: Reference bpf_redirect_info via
task_struct on PREEMPT_RT.") the temporary BPF net context
bpf_redirect_info was stored per CPU, where this wasn't an issue. Since
this commit the BPF context is stored in 'current' task_struct. When
running veth in threaded-NAPI mode, then the kthread becomes the storage
area. Now a race exists between two concurrent veth_pool() function calls
one exiting NAPI and one running new NAPI, both using the same BPF net
context.
Race is when another CPU gets within the xdp_set_return_frame_no_direct()
section before exiting veth_pool() calls the clear-function
xdp_clear_return_frame_no_direct().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
401cb7dae8130fd34eb84648e02ab4c506df7d5e , < c1ceabcb347d1b0f7e70a7384ec7eff3847b7628
(git)
Affected: 401cb7dae8130fd34eb84648e02ab4c506df7d5e , < d0bd018ad72a8a598ae709588934135017f8af52 (git) Affected: 401cb7dae8130fd34eb84648e02ab4c506df7d5e , < a14602fcae17a3f1cb8a8521bedf31728f9e7e39 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/veth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c1ceabcb347d1b0f7e70a7384ec7eff3847b7628",
"status": "affected",
"version": "401cb7dae8130fd34eb84648e02ab4c506df7d5e",
"versionType": "git"
},
{
"lessThan": "d0bd018ad72a8a598ae709588934135017f8af52",
"status": "affected",
"version": "401cb7dae8130fd34eb84648e02ab4c506df7d5e",
"versionType": "git"
},
{
"lessThan": "a14602fcae17a3f1cb8a8521bedf31728f9e7e39",
"status": "affected",
"version": "401cb7dae8130fd34eb84648e02ab4c506df7d5e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/veth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nveth: reduce XDP no_direct return section to fix race\n\nAs explain in commit fa349e396e48 (\"veth: Fix race with AF_XDP exposing\nold or uninitialized descriptors\") for veth there is a chance after\nnapi_complete_done() that another CPU can manage start another NAPI\ninstance running veth_pool(). For NAPI this is correctly handled as the\nnapi_schedule_prep() check will prevent multiple instances from getting\nscheduled, but for the remaining code in veth_pool() this can run\nconcurrent with the newly started NAPI instance.\n\nThe problem/race is that xdp_clear_return_frame_no_direct() isn\u0027t\ndesigned to be nested.\n\nPrior to commit 401cb7dae813 (\"net: Reference bpf_redirect_info via\ntask_struct on PREEMPT_RT.\") the temporary BPF net context\nbpf_redirect_info was stored per CPU, where this wasn\u0027t an issue. Since\nthis commit the BPF context is stored in \u0027current\u0027 task_struct. When\nrunning veth in threaded-NAPI mode, then the kthread becomes the storage\narea. Now a race exists between two concurrent veth_pool() function calls\none exiting NAPI and one running new NAPI, both using the same BPF net\ncontext.\n\nRace is when another CPU gets within the xdp_set_return_frame_no_direct()\nsection before exiting veth_pool() calls the clear-function\nxdp_clear_return_frame_no_direct()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:58:26.749Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c1ceabcb347d1b0f7e70a7384ec7eff3847b7628"
},
{
"url": "https://git.kernel.org/stable/c/d0bd018ad72a8a598ae709588934135017f8af52"
},
{
"url": "https://git.kernel.org/stable/c/a14602fcae17a3f1cb8a8521bedf31728f9e7e39"
}
],
"title": "veth: reduce XDP no_direct return section to fix race",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68341",
"datePublished": "2025-12-23T13:58:26.749Z",
"dateReserved": "2025-12-16T14:48:05.298Z",
"dateUpdated": "2025-12-23T13:58:26.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68340 (GCVE-0-2025-68340)
Vulnerability from cvelistv5 – Published: 2025-12-23 13:58 – Updated: 2025-12-23 13:58
VLAI?
Title
team: Move team device type change at the end of team_port_add
Summary
In the Linux kernel, the following vulnerability has been resolved:
team: Move team device type change at the end of team_port_add
Attempting to add a port device that is already up will expectedly fail,
but not before modifying the team device header_ops.
In the case of the syzbot reproducer the gre0 device is
already in state UP when it attempts to add it as a
port device of team0, this fails but before that
header_ops->create of team0 is changed from eth_header to ipgre_header
in the call to team_dev_type_check_change.
Later when we end up in ipgre_header() struct ip_tunnel* points to nonsense
as the private data of the device still holds a struct team.
Example sequence of iproute2 commands to reproduce the hang/BUG():
ip link add dev team0 type team
ip link add dev gre0 type gre
ip link set dev gre0 up
ip link set dev gre0 master team0
ip link set dev team0 up
ping -I team0 1.1.1.1
Move team_dev_type_check_change down where all other checks have passed
as it changes the dev type with no way to restore it in case
one of the checks that follow it fail.
Also make sure to preserve the origial mtu assignment:
- If port_dev is not the same type as dev, dev takes mtu from port_dev
- If port_dev is the same type as dev, port_dev takes mtu from dev
This is done by adding a conditional before the call to dev_set_mtu
to prevent it from assigning port_dev->mtu = dev->mtu and instead
letting team_dev_type_check_change assign dev->mtu = port_dev->mtu.
The conditional is needed because the patch moves the call to
team_dev_type_check_change past dev_set_mtu.
Testing:
- team device driver in-tree selftests
- Add/remove various devices as slaves of team device
- syzbot
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1d76efe1577b4323609b1bcbfafa8b731eda071a , < 4040b5e8963982a00aa821300cb746efc9f2947e
(git)
Affected: 1d76efe1577b4323609b1bcbfafa8b731eda071a , < e3eed4f038214494af62c7d2d64749e5108ce6ca (git) Affected: 1d76efe1577b4323609b1bcbfafa8b731eda071a , < 0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/team/team_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4040b5e8963982a00aa821300cb746efc9f2947e",
"status": "affected",
"version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
"versionType": "git"
},
{
"lessThan": "e3eed4f038214494af62c7d2d64749e5108ce6ca",
"status": "affected",
"version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
"versionType": "git"
},
{
"lessThan": "0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef",
"status": "affected",
"version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/team/team_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: Move team device type change at the end of team_port_add\n\nAttempting to add a port device that is already up will expectedly fail,\nbut not before modifying the team device header_ops.\n\nIn the case of the syzbot reproducer the gre0 device is\nalready in state UP when it attempts to add it as a\nport device of team0, this fails but before that\nheader_ops-\u003ecreate of team0 is changed from eth_header to ipgre_header\nin the call to team_dev_type_check_change.\n\nLater when we end up in ipgre_header() struct ip_tunnel* points to nonsense\nas the private data of the device still holds a struct team.\n\nExample sequence of iproute2 commands to reproduce the hang/BUG():\nip link add dev team0 type team\nip link add dev gre0 type gre\nip link set dev gre0 up\nip link set dev gre0 master team0\nip link set dev team0 up\nping -I team0 1.1.1.1\n\nMove team_dev_type_check_change down where all other checks have passed\nas it changes the dev type with no way to restore it in case\none of the checks that follow it fail.\n\nAlso make sure to preserve the origial mtu assignment:\n - If port_dev is not the same type as dev, dev takes mtu from port_dev\n - If port_dev is the same type as dev, port_dev takes mtu from dev\n\nThis is done by adding a conditional before the call to dev_set_mtu\nto prevent it from assigning port_dev-\u003emtu = dev-\u003emtu and instead\nletting team_dev_type_check_change assign dev-\u003emtu = port_dev-\u003emtu.\nThe conditional is needed because the patch moves the call to\nteam_dev_type_check_change past dev_set_mtu.\n\nTesting:\n - team device driver in-tree selftests\n - Add/remove various devices as slaves of team device\n - syzbot"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:58:25.841Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4040b5e8963982a00aa821300cb746efc9f2947e"
},
{
"url": "https://git.kernel.org/stable/c/e3eed4f038214494af62c7d2d64749e5108ce6ca"
},
{
"url": "https://git.kernel.org/stable/c/0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef"
}
],
"title": "team: Move team device type change at the end of team_port_add",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68340",
"datePublished": "2025-12-23T13:58:25.841Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2025-12-23T13:58:25.841Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68339 (GCVE-0-2025-68339)
Vulnerability from cvelistv5 – Published: 2025-12-23 13:58 – Updated: 2025-12-23 13:58
VLAI?
Title
atm/fore200e: Fix possible data race in fore200e_open()
Summary
In the Linux kernel, the following vulnerability has been resolved:
atm/fore200e: Fix possible data race in fore200e_open()
Protect access to fore200e->available_cell_rate with rate_mtx lock in the
error handling path of fore200e_open() to prevent a data race.
The field fore200e->available_cell_rate is a shared resource used to track
available bandwidth. It is concurrently accessed by fore200e_open(),
fore200e_close(), and fore200e_change_qos().
In fore200e_open(), the lock rate_mtx is correctly held when subtracting
vcc->qos.txtp.max_pcr from available_cell_rate to reserve bandwidth.
However, if the subsequent call to fore200e_activate_vcin() fails, the
function restores the reserved bandwidth by adding back to
available_cell_rate without holding the lock.
This introduces a race condition because available_cell_rate is a global
device resource shared across all VCCs. If the error path in
fore200e_open() executes concurrently with operations like
fore200e_close() or fore200e_change_qos() on other VCCs, a
read-modify-write race occurs.
Specifically, the error path reads the rate without the lock. If another
CPU acquires the lock and modifies the rate (e.g., releasing bandwidth in
fore200e_close()) between this read and the subsequent write, the error
path will overwrite the concurrent update with a stale value. This results
in incorrect bandwidth accounting.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1b60f42a639999c37da7f1fbfa1ad29cf4cbdd2d
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < bd1415efbab507b9b995918105eef953013449dd (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ed34c70d88e2b8b9bc6c3ede88751186d6c6d5d1 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9917ba597cf95f307778e495f71ff25a5064d167 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 667ac868823224374f819500adc5baa2889c7bc5 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6610361458e7eb6502dd3182f586f91fcc218039 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 82fca3d8a4a34667f01ec2351a607135249c9cff (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/atm/fore200e.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1b60f42a639999c37da7f1fbfa1ad29cf4cbdd2d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bd1415efbab507b9b995918105eef953013449dd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ed34c70d88e2b8b9bc6c3ede88751186d6c6d5d1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9917ba597cf95f307778e495f71ff25a5064d167",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "667ac868823224374f819500adc5baa2889c7bc5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6610361458e7eb6502dd3182f586f91fcc218039",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "82fca3d8a4a34667f01ec2351a607135249c9cff",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/atm/fore200e.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm/fore200e: Fix possible data race in fore200e_open()\n\nProtect access to fore200e-\u003eavailable_cell_rate with rate_mtx lock in the\nerror handling path of fore200e_open() to prevent a data race.\n\nThe field fore200e-\u003eavailable_cell_rate is a shared resource used to track\navailable bandwidth. It is concurrently accessed by fore200e_open(),\nfore200e_close(), and fore200e_change_qos().\n\nIn fore200e_open(), the lock rate_mtx is correctly held when subtracting\nvcc-\u003eqos.txtp.max_pcr from available_cell_rate to reserve bandwidth.\nHowever, if the subsequent call to fore200e_activate_vcin() fails, the\nfunction restores the reserved bandwidth by adding back to\navailable_cell_rate without holding the lock.\n\nThis introduces a race condition because available_cell_rate is a global\ndevice resource shared across all VCCs. If the error path in\nfore200e_open() executes concurrently with operations like\nfore200e_close() or fore200e_change_qos() on other VCCs, a\nread-modify-write race occurs.\n\nSpecifically, the error path reads the rate without the lock. If another\nCPU acquires the lock and modifies the rate (e.g., releasing bandwidth in\nfore200e_close()) between this read and the subsequent write, the error\npath will overwrite the concurrent update with a stale value. This results\nin incorrect bandwidth accounting."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:58:24.955Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b60f42a639999c37da7f1fbfa1ad29cf4cbdd2d"
},
{
"url": "https://git.kernel.org/stable/c/bd1415efbab507b9b995918105eef953013449dd"
},
{
"url": "https://git.kernel.org/stable/c/ed34c70d88e2b8b9bc6c3ede88751186d6c6d5d1"
},
{
"url": "https://git.kernel.org/stable/c/9917ba597cf95f307778e495f71ff25a5064d167"
},
{
"url": "https://git.kernel.org/stable/c/667ac868823224374f819500adc5baa2889c7bc5"
},
{
"url": "https://git.kernel.org/stable/c/6610361458e7eb6502dd3182f586f91fcc218039"
},
{
"url": "https://git.kernel.org/stable/c/82fca3d8a4a34667f01ec2351a607135249c9cff"
}
],
"title": "atm/fore200e: Fix possible data race in fore200e_open()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68339",
"datePublished": "2025-12-23T13:58:24.955Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2025-12-23T13:58:24.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68338 (GCVE-0-2025-68338)
Vulnerability from cvelistv5 – Published: 2025-12-23 13:58 – Updated: 2025-12-23 13:58
VLAI?
Title
net: dsa: microchip: Don't free uninitialized ksz_irq
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: microchip: Don't free uninitialized ksz_irq
If something goes wrong at setup, ksz_irq_free() can be called on
uninitialized ksz_irq (for example when ksz_ptp_irq_setup() fails). It
leads to freeing uninitialized IRQ numbers and/or domains.
Use dsa_switch_for_each_user_port_continue_reverse() in the error path
to iterate only over the fully initialized ports.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
cc13ab18b201ab630f03511060ba289b70052959 , < 9428654c827fa8d38b898135d26d39ee2d544246
(git)
Affected: cc13ab18b201ab630f03511060ba289b70052959 , < 32abbcf4379a0f851d7eb9d4389e7bf5c64bf6c0 (git) Affected: cc13ab18b201ab630f03511060ba289b70052959 , < 25b62cc5b22c45face094ae3e8717258e46d1d19 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/dsa/microchip/ksz_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9428654c827fa8d38b898135d26d39ee2d544246",
"status": "affected",
"version": "cc13ab18b201ab630f03511060ba289b70052959",
"versionType": "git"
},
{
"lessThan": "32abbcf4379a0f851d7eb9d4389e7bf5c64bf6c0",
"status": "affected",
"version": "cc13ab18b201ab630f03511060ba289b70052959",
"versionType": "git"
},
{
"lessThan": "25b62cc5b22c45face094ae3e8717258e46d1d19",
"status": "affected",
"version": "cc13ab18b201ab630f03511060ba289b70052959",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/dsa/microchip/ksz_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: microchip: Don\u0027t free uninitialized ksz_irq\n\nIf something goes wrong at setup, ksz_irq_free() can be called on\nuninitialized ksz_irq (for example when ksz_ptp_irq_setup() fails). It\nleads to freeing uninitialized IRQ numbers and/or domains.\n\nUse dsa_switch_for_each_user_port_continue_reverse() in the error path\nto iterate only over the fully initialized ports."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:58:24.121Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9428654c827fa8d38b898135d26d39ee2d544246"
},
{
"url": "https://git.kernel.org/stable/c/32abbcf4379a0f851d7eb9d4389e7bf5c64bf6c0"
},
{
"url": "https://git.kernel.org/stable/c/25b62cc5b22c45face094ae3e8717258e46d1d19"
}
],
"title": "net: dsa: microchip: Don\u0027t free uninitialized ksz_irq",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68338",
"datePublished": "2025-12-23T13:58:24.121Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2025-12-23T13:58:24.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68337 (GCVE-0-2025-68337)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:14 – Updated: 2025-12-22 16:14
VLAI?
Title
jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted
Summary
In the Linux kernel, the following vulnerability has been resolved:
jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted
There's issue when file system corrupted:
------------[ cut here ]------------
kernel BUG at fs/jbd2/transaction.c:1289!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-next
RIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0
RSP: 0018:ffff888117aafa30 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff88811a86b000 RCX: ffffffff89a63534
RDX: 1ffff110200ec602 RSI: 0000000000000004 RDI: ffff888100763010
RBP: ffff888100763000 R08: 0000000000000001 R09: ffff888100763028
R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88812c432000 R14: ffff88812c608000 R15: ffff888120bfc000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f91d6970c99 CR3: 00000001159c4000 CR4: 00000000000006f0
Call Trace:
<TASK>
__ext4_journal_get_create_access+0x42/0x170
ext4_getblk+0x319/0x6f0
ext4_bread+0x11/0x100
ext4_append+0x1e6/0x4a0
ext4_init_new_dir+0x145/0x1d0
ext4_mkdir+0x326/0x920
vfs_mkdir+0x45c/0x740
do_mkdirat+0x234/0x2f0
__x64_sys_mkdir+0xd6/0x120
do_syscall_64+0x5f/0xfa0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The above issue occurs with us in errors=continue mode when accompanied by
storage failures. There have been many inconsistencies in the file system
data.
In the case of file system data inconsistency, for example, if the block
bitmap of a referenced block is not set, it can lead to the situation where
a block being committed is allocated and used again. As a result, the
following condition will not be satisfied then trigger BUG_ON. Of course,
it is entirely possible to construct a problematic image that can trigger
this BUG_ON through specific operations. In fact, I have constructed such
an image and easily reproduced this issue.
Therefore, J_ASSERT() holds true only under ideal conditions, but it may
not necessarily be satisfied in exceptional scenarios. Using J_ASSERT()
directly in abnormal situations would cause the system to crash, which is
clearly not what we want. So here we directly trigger a JBD abort instead
of immediately invoking BUG_ON.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
470decc613ab2048b619a01028072d932d9086ee , < a2a7f854d154a3e9232fec80782dad951655f52f
(git)
Affected: 470decc613ab2048b619a01028072d932d9086ee , < bf34c72337e40c4670cceeb79b353356933a254b (git) Affected: 470decc613ab2048b619a01028072d932d9086ee , < aa1703f3f706ea0867fb1991dcac709c9ec94cfb (git) Affected: 470decc613ab2048b619a01028072d932d9086ee , < 986835bf4d11032bba4ab8414d18fce038c61bb4 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jbd2/transaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a2a7f854d154a3e9232fec80782dad951655f52f",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
},
{
"lessThan": "bf34c72337e40c4670cceeb79b353356933a254b",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
},
{
"lessThan": "aa1703f3f706ea0867fb1991dcac709c9ec94cfb",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
},
{
"lessThan": "986835bf4d11032bba4ab8414d18fce038c61bb4",
"status": "affected",
"version": "470decc613ab2048b619a01028072d932d9086ee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jbd2/transaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted\n\nThere\u0027s issue when file system corrupted:\n------------[ cut here ]------------\nkernel BUG at fs/jbd2/transaction.c:1289!\nOops: invalid opcode: 0000 [#1] SMP KASAN PTI\nCPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-next\nRIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0\nRSP: 0018:ffff888117aafa30 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: ffff88811a86b000 RCX: ffffffff89a63534\nRDX: 1ffff110200ec602 RSI: 0000000000000004 RDI: ffff888100763010\nRBP: ffff888100763000 R08: 0000000000000001 R09: ffff888100763028\nR10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000\nR13: ffff88812c432000 R14: ffff88812c608000 R15: ffff888120bfc000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f91d6970c99 CR3: 00000001159c4000 CR4: 00000000000006f0\nCall Trace:\n \u003cTASK\u003e\n __ext4_journal_get_create_access+0x42/0x170\n ext4_getblk+0x319/0x6f0\n ext4_bread+0x11/0x100\n ext4_append+0x1e6/0x4a0\n ext4_init_new_dir+0x145/0x1d0\n ext4_mkdir+0x326/0x920\n vfs_mkdir+0x45c/0x740\n do_mkdirat+0x234/0x2f0\n __x64_sys_mkdir+0xd6/0x120\n do_syscall_64+0x5f/0xfa0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe above issue occurs with us in errors=continue mode when accompanied by\nstorage failures. There have been many inconsistencies in the file system\ndata.\nIn the case of file system data inconsistency, for example, if the block\nbitmap of a referenced block is not set, it can lead to the situation where\na block being committed is allocated and used again. As a result, the\nfollowing condition will not be satisfied then trigger BUG_ON. Of course,\nit is entirely possible to construct a problematic image that can trigger\nthis BUG_ON through specific operations. In fact, I have constructed such\nan image and easily reproduced this issue.\nTherefore, J_ASSERT() holds true only under ideal conditions, but it may\nnot necessarily be satisfied in exceptional scenarios. Using J_ASSERT()\ndirectly in abnormal situations would cause the system to crash, which is\nclearly not what we want. So here we directly trigger a JBD abort instead\nof immediately invoking BUG_ON."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T16:14:14.145Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a2a7f854d154a3e9232fec80782dad951655f52f"
},
{
"url": "https://git.kernel.org/stable/c/bf34c72337e40c4670cceeb79b353356933a254b"
},
{
"url": "https://git.kernel.org/stable/c/aa1703f3f706ea0867fb1991dcac709c9ec94cfb"
},
{
"url": "https://git.kernel.org/stable/c/986835bf4d11032bba4ab8414d18fce038c61bb4"
}
],
"title": "jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68337",
"datePublished": "2025-12-22T16:14:14.145Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2025-12-22T16:14:14.145Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68336 (GCVE-0-2025-68336)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:14 – Updated: 2025-12-22 16:14
VLAI?
Title
locking/spinlock/debug: Fix data-race in do_raw_write_lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
locking/spinlock/debug: Fix data-race in do_raw_write_lock
KCSAN reports:
BUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lock
write (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1:
do_raw_write_lock+0x120/0x204
_raw_write_lock_irq
do_exit
call_usermodehelper_exec_async
ret_from_fork
read to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0:
do_raw_write_lock+0x88/0x204
_raw_write_lock_irq
do_exit
call_usermodehelper_exec_async
ret_from_fork
value changed: 0xffffffff -> 0x00000001
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111
Commit 1a365e822372 ("locking/spinlock/debug: Fix various data races") has
adressed most of these races, but seems to be not consistent/not complete.
>From do_raw_write_lock() only debug_write_lock_after() part has been
converted to WRITE_ONCE(), but not debug_write_lock_before() part.
Do it now.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1a365e822372ba24c9da0822bc583894f6f3d821 , < b163a5e8c703201c905d6ec7920ed79d167e8442
(git)
Affected: 1a365e822372ba24c9da0822bc583894f6f3d821 , < 16b3590c0e1e615757dade098c8fbc0d4f040c76 (git) Affected: 1a365e822372ba24c9da0822bc583894f6f3d821 , < 396a9270a7b90886be501611b13aa636f2e8c703 (git) Affected: 1a365e822372ba24c9da0822bc583894f6f3d821 , < c14ecb555c3ee80eeb030a4e46d00e679537f03a (git) Affected: 3106fb78d3579c8e9c9b3040f7f7841981919624 (git) Affected: c0911024ff927ba5c4786b507004cb615be1d776 (git) Affected: 09226e5c38639437565af01e6009a9286a351d04 (git) Affected: c7673f01604fa722b9d7c1e29e17cec1b8ae09c5 (git) Affected: c120c3dbeb76305235c8e557f84d9e2d7d0f5933 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/locking/spinlock_debug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b163a5e8c703201c905d6ec7920ed79d167e8442",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"lessThan": "16b3590c0e1e615757dade098c8fbc0d4f040c76",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"lessThan": "396a9270a7b90886be501611b13aa636f2e8c703",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"lessThan": "c14ecb555c3ee80eeb030a4e46d00e679537f03a",
"status": "affected",
"version": "1a365e822372ba24c9da0822bc583894f6f3d821",
"versionType": "git"
},
{
"status": "affected",
"version": "3106fb78d3579c8e9c9b3040f7f7841981919624",
"versionType": "git"
},
{
"status": "affected",
"version": "c0911024ff927ba5c4786b507004cb615be1d776",
"versionType": "git"
},
{
"status": "affected",
"version": "09226e5c38639437565af01e6009a9286a351d04",
"versionType": "git"
},
{
"status": "affected",
"version": "c7673f01604fa722b9d7c1e29e17cec1b8ae09c5",
"versionType": "git"
},
{
"status": "affected",
"version": "c120c3dbeb76305235c8e557f84d9e2d7d0f5933",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/locking/spinlock_debug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.209",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.209",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.164",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlocking/spinlock/debug: Fix data-race in do_raw_write_lock\n\nKCSAN reports:\n\nBUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lock\n\nwrite (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1:\n do_raw_write_lock+0x120/0x204\n _raw_write_lock_irq\n do_exit\n call_usermodehelper_exec_async\n ret_from_fork\n\nread to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0:\n do_raw_write_lock+0x88/0x204\n _raw_write_lock_irq\n do_exit\n call_usermodehelper_exec_async\n ret_from_fork\n\nvalue changed: 0xffffffff -\u003e 0x00000001\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111\n\nCommit 1a365e822372 (\"locking/spinlock/debug: Fix various data races\") has\nadressed most of these races, but seems to be not consistent/not complete.\n\n\u003eFrom do_raw_write_lock() only debug_write_lock_after() part has been\nconverted to WRITE_ONCE(), but not debug_write_lock_before() part.\nDo it now."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T16:14:13.425Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b163a5e8c703201c905d6ec7920ed79d167e8442"
},
{
"url": "https://git.kernel.org/stable/c/16b3590c0e1e615757dade098c8fbc0d4f040c76"
},
{
"url": "https://git.kernel.org/stable/c/396a9270a7b90886be501611b13aa636f2e8c703"
},
{
"url": "https://git.kernel.org/stable/c/c14ecb555c3ee80eeb030a4e46d00e679537f03a"
}
],
"title": "locking/spinlock/debug: Fix data-race in do_raw_write_lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68336",
"datePublished": "2025-12-22T16:14:13.425Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2025-12-22T16:14:13.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68335 (GCVE-0-2025-68335)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:14 – Updated: 2025-12-22 16:14
VLAI?
Title
comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()
Syzbot identified an issue [1] in pcl818_ai_cancel(), which stems from
the fact that in case of early device detach via pcl818_detach(),
subdevice dev->read_subdev may not have initialized its pointer to
&struct comedi_async as intended. Thus, any such dereferencing of
&s->async->cmd will lead to general protection fault and kernel crash.
Mitigate this problem by removing a call to pcl818_ai_cancel() from
pcl818_detach() altogether. This way, if the subdevice setups its
support for async commands, everything async-related will be
handled via subdevice's own ->cancel() function in
comedi_device_detach_locked() even before pcl818_detach(). If no
support for asynchronous commands is provided, there is no need
to cancel anything either.
[1] Syzbot crash:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762
...
Call Trace:
<TASK>
pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115
comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207
do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline]
comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
...
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
00aba6e7b5653a6607238ecdab7172318059d984 , < 5caa40e7c6a43e08e3574f990865127705c22861
(git)
Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < d948c53dec36dafe182631457597c49c1f1df5ea (git) Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < 877adccfacb32687b90714a27cfb09f444fdfa16 (git) Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < a51f025b5038abd3d22eed2ede4cd46793d89565 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/pcl818.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5caa40e7c6a43e08e3574f990865127705c22861",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "d948c53dec36dafe182631457597c49c1f1df5ea",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "877adccfacb32687b90714a27cfb09f444fdfa16",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "a51f025b5038abd3d22eed2ede4cd46793d89565",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/pcl818.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()\n\nSyzbot identified an issue [1] in pcl818_ai_cancel(), which stems from\nthe fact that in case of early device detach via pcl818_detach(),\nsubdevice dev-\u003eread_subdev may not have initialized its pointer to\n\u0026struct comedi_async as intended. Thus, any such dereferencing of\n\u0026s-\u003easync-\u003ecmd will lead to general protection fault and kernel crash.\n\nMitigate this problem by removing a call to pcl818_ai_cancel() from\npcl818_detach() altogether. This way, if the subdevice setups its\nsupport for async commands, everything async-related will be\nhandled via subdevice\u0027s own -\u003ecancel() function in\ncomedi_device_detach_locked() even before pcl818_detach(). If no\nsupport for asynchronous commands is provided, there is no need\nto cancel anything either.\n\n[1] Syzbot crash:\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\nCPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\nRIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762\n...\nCall Trace:\n \u003cTASK\u003e\n pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115\n comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207\n do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline]\n comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n..."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T16:14:12.614Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5caa40e7c6a43e08e3574f990865127705c22861"
},
{
"url": "https://git.kernel.org/stable/c/d948c53dec36dafe182631457597c49c1f1df5ea"
},
{
"url": "https://git.kernel.org/stable/c/877adccfacb32687b90714a27cfb09f444fdfa16"
},
{
"url": "https://git.kernel.org/stable/c/a51f025b5038abd3d22eed2ede4cd46793d89565"
}
],
"title": "comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68335",
"datePublished": "2025-12-22T16:14:12.614Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2025-12-22T16:14:12.614Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68333 (GCVE-0-2025-68333)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:14 – Updated: 2025-12-22 16:14
VLAI?
Title
sched_ext: Fix possible deadlock in the deferred_irq_workfn()
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched_ext: Fix possible deadlock in the deferred_irq_workfn()
For PREEMPT_RT=y kernels, the deferred_irq_workfn() is executed in
the per-cpu irq_work/* task context and not disable-irq, if the rq
returned by container_of() is current CPU's rq, the following scenarios
may occur:
lock(&rq->__lock);
<Interrupt>
lock(&rq->__lock);
This commit use IRQ_WORK_INIT_HARD() to replace init_irq_work() to
initialize rq->scx.deferred_irq_work, make the deferred_irq_workfn()
is always invoked in hard-irq context.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/sched/ext.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "600b4379b9a7ba41340d652211fb29699da4c629",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a257e974210320ede524f340ffe16bf4bf0dda1e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/sched/ext.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Fix possible deadlock in the deferred_irq_workfn()\n\nFor PREEMPT_RT=y kernels, the deferred_irq_workfn() is executed in\nthe per-cpu irq_work/* task context and not disable-irq, if the rq\nreturned by container_of() is current CPU\u0027s rq, the following scenarios\nmay occur:\n\nlock(\u0026rq-\u003e__lock);\n\u003cInterrupt\u003e\n lock(\u0026rq-\u003e__lock);\n\nThis commit use IRQ_WORK_INIT_HARD() to replace init_irq_work() to\ninitialize rq-\u003escx.deferred_irq_work, make the deferred_irq_workfn()\nis always invoked in hard-irq context."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T16:14:11.081Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/600b4379b9a7ba41340d652211fb29699da4c629"
},
{
"url": "https://git.kernel.org/stable/c/a257e974210320ede524f340ffe16bf4bf0dda1e"
}
],
"title": "sched_ext: Fix possible deadlock in the deferred_irq_workfn()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68333",
"datePublished": "2025-12-22T16:14:11.081Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2025-12-22T16:14:11.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68334 (GCVE-0-2025-68334)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:14 – Updated: 2025-12-22 16:14
VLAI?
Title
platform/x86/amd/pmc: Add support for Van Gogh SoC
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86/amd/pmc: Add support for Van Gogh SoC
The ROG Xbox Ally (non-X) SoC features a similar architecture to the
Steam Deck. While the Steam Deck supports S3 (s2idle causes a crash),
this support was dropped by the Xbox Ally which only S0ix suspend.
Since the handler is missing here, this causes the device to not suspend
and the AMD GPU driver to crash while trying to resume afterwards due to
a power hang.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/amd/pmc/pmc.c",
"drivers/platform/x86/amd/pmc/pmc.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9654c56b111cd1415aca7e77f0c63c109453c409",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "db4a3f0fbedb0398f77b9047e8b8bb2b49f355bb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/amd/pmc/pmc.c",
"drivers/platform/x86/amd/pmc/pmc.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86/amd/pmc: Add support for Van Gogh SoC\n\nThe ROG Xbox Ally (non-X) SoC features a similar architecture to the\nSteam Deck. While the Steam Deck supports S3 (s2idle causes a crash),\nthis support was dropped by the Xbox Ally which only S0ix suspend.\n\nSince the handler is missing here, this causes the device to not suspend\nand the AMD GPU driver to crash while trying to resume afterwards due to\na power hang."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T16:14:11.815Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9654c56b111cd1415aca7e77f0c63c109453c409"
},
{
"url": "https://git.kernel.org/stable/c/db4a3f0fbedb0398f77b9047e8b8bb2b49f355bb"
}
],
"title": "platform/x86/amd/pmc: Add support for Van Gogh SoC",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68334",
"datePublished": "2025-12-22T16:14:11.815Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2025-12-22T16:14:11.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68332 (GCVE-0-2025-68332)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:14 – Updated: 2025-12-22 16:14
VLAI?
Title
comedi: c6xdigio: Fix invalid PNP driver unregistration
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: c6xdigio: Fix invalid PNP driver unregistration
The Comedi low-level driver "c6xdigio" seems to be for a parallel port
connected device. When the Comedi core calls the driver's Comedi
"attach" handler `c6xdigio_attach()` to configure a Comedi to use this
driver, it tries to enable the parallel port PNP resources by
registering a PNP driver with `pnp_register_driver()`, but ignores the
return value. (The `struct pnp_driver` it uses has only the `name` and
`id_table` members filled in.) The driver's Comedi "detach" handler
`c6xdigio_detach()` unconditionally unregisters the PNP driver with
`pnp_unregister_driver()`.
It is possible for `c6xdigio_attach()` to return an error before it
calls `pnp_register_driver()` and it is possible for the call to
`pnp_register_driver()` to return an error (that is ignored). In both
cases, the driver should not be calling `pnp_unregister_driver()` as it
does in `c6xdigio_detach()`. (Note that `c6xdigio_detach()` will be
called by the Comedi core if `c6xdigio_attach()` returns an error, or if
the Comedi core decides to detach the Comedi device from the driver for
some other reason.)
The unconditional call to `pnp_unregister_driver()` without a previous
successful call to `pnp_register_driver()` will cause
`driver_unregister()` to issue a warning "Unexpected driver
unregister!". This was detected by Syzbot [1].
Also, the PNP driver registration and unregistration should be done at
module init and exit time, respectively, not when attaching or detaching
Comedi devices to the driver. (There might be more than one Comedi
device being attached to the driver, although that is unlikely.)
Change the driver to do the PNP driver registration at module init time,
and the unregistration at module exit time. Since `c6xdigio_detach()`
now only calls `comedi_legacy_detach()`, remove the function and change
the Comedi driver "detach" handler to `comedi_legacy_detach`.
-------------------------------------------
[1] Syzbot sample crash report:
Unexpected driver unregister!
WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister drivers/base/driver.c:273 [inline]
WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister+0x90/0xb0 drivers/base/driver.c:270
Modules linked in:
CPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:driver_unregister drivers/base/driver.c:273 [inline]
RIP: 0010:driver_unregister+0x90/0xb0 drivers/base/driver.c:270
Code: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 <0f> 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41
RSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8
RDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000
FS: 000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0
Call Trace:
<TASK>
comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207
comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215
comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011
do_devconfig_ioctl+0x1b1/0x710 drivers/comedi/comedi_fops.c:872
comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2178
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_sys
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2c89e159cd2f386285e9522d6476dd7e801bee22 , < 9fd8c8ad35c8d2390ce5ca2eb523c044bebdc072
(git)
Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 698149d797d0178162f394c55d4ed52aa0e0b7f6 (git) Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 888f7e2847bcb9df8257e656e1e837828942c53b (git) Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 72262330f7b3ad2130e800cecf02adcce3c32c77 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/c6xdigio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9fd8c8ad35c8d2390ce5ca2eb523c044bebdc072",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "698149d797d0178162f394c55d4ed52aa0e0b7f6",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "888f7e2847bcb9df8257e656e1e837828942c53b",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "72262330f7b3ad2130e800cecf02adcce3c32c77",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/c6xdigio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: c6xdigio: Fix invalid PNP driver unregistration\n\nThe Comedi low-level driver \"c6xdigio\" seems to be for a parallel port\nconnected device. When the Comedi core calls the driver\u0027s Comedi\n\"attach\" handler `c6xdigio_attach()` to configure a Comedi to use this\ndriver, it tries to enable the parallel port PNP resources by\nregistering a PNP driver with `pnp_register_driver()`, but ignores the\nreturn value. (The `struct pnp_driver` it uses has only the `name` and\n`id_table` members filled in.) The driver\u0027s Comedi \"detach\" handler\n`c6xdigio_detach()` unconditionally unregisters the PNP driver with\n`pnp_unregister_driver()`.\n\nIt is possible for `c6xdigio_attach()` to return an error before it\ncalls `pnp_register_driver()` and it is possible for the call to\n`pnp_register_driver()` to return an error (that is ignored). In both\ncases, the driver should not be calling `pnp_unregister_driver()` as it\ndoes in `c6xdigio_detach()`. (Note that `c6xdigio_detach()` will be\ncalled by the Comedi core if `c6xdigio_attach()` returns an error, or if\nthe Comedi core decides to detach the Comedi device from the driver for\nsome other reason.)\n\nThe unconditional call to `pnp_unregister_driver()` without a previous\nsuccessful call to `pnp_register_driver()` will cause\n`driver_unregister()` to issue a warning \"Unexpected driver\nunregister!\". This was detected by Syzbot [1].\n\nAlso, the PNP driver registration and unregistration should be done at\nmodule init and exit time, respectively, not when attaching or detaching\nComedi devices to the driver. (There might be more than one Comedi\ndevice being attached to the driver, although that is unlikely.)\n\nChange the driver to do the PNP driver registration at module init time,\nand the unregistration at module exit time. Since `c6xdigio_detach()`\nnow only calls `comedi_legacy_detach()`, remove the function and change\nthe Comedi driver \"detach\" handler to `comedi_legacy_detach`.\n\n-------------------------------------------\n[1] Syzbot sample crash report:\nUnexpected driver unregister!\nWARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister drivers/base/driver.c:273 [inline]\nWARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister+0x90/0xb0 drivers/base/driver.c:270\nModules linked in:\nCPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\nRIP: 0010:driver_unregister drivers/base/driver.c:273 [inline]\nRIP: 0010:driver_unregister+0x90/0xb0 drivers/base/driver.c:270\nCode: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 \u003c0f\u003e 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41\nRSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8\nRDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660\nR13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000\nFS: 000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0\nCall Trace:\n \u003cTASK\u003e\n comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207\n comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215\n comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011\n do_devconfig_ioctl+0x1b1/0x710 drivers/comedi/comedi_fops.c:872\n comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2178\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_sys\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T16:14:10.146Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9fd8c8ad35c8d2390ce5ca2eb523c044bebdc072"
},
{
"url": "https://git.kernel.org/stable/c/698149d797d0178162f394c55d4ed52aa0e0b7f6"
},
{
"url": "https://git.kernel.org/stable/c/888f7e2847bcb9df8257e656e1e837828942c53b"
},
{
"url": "https://git.kernel.org/stable/c/72262330f7b3ad2130e800cecf02adcce3c32c77"
}
],
"title": "comedi: c6xdigio: Fix invalid PNP driver unregistration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68332",
"datePublished": "2025-12-22T16:14:10.146Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2025-12-22T16:14:10.146Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68331 (GCVE-0-2025-68331)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:12 – Updated: 2025-12-22 16:14
VLAI?
Title
usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer
When a UAS device is unplugged during data transfer, there is
a probability of a system panic occurring. The root cause is
an access to an invalid memory address during URB callback handling.
Specifically, this happens when the dma_direct_unmap_sg() function
is called within the usb_hcd_unmap_urb_for_dma() interface, but the
sg->dma_address field is 0 and the sg data structure has already been
freed.
The SCSI driver sends transfer commands by invoking uas_queuecommand_lck()
in uas.c, using the uas_submit_urbs() function to submit requests to USB.
Within the uas_submit_urbs() implementation, three URBs (sense_urb,
data_urb, and cmd_urb) are sequentially submitted. Device removal may
occur at any point during uas_submit_urbs execution, which may result
in URB submission failure. However, some URBs might have been successfully
submitted before the failure, and uas_submit_urbs will return the -ENODEV
error code in this case. The current error handling directly calls
scsi_done(). In the SCSI driver, this eventually triggers scsi_complete()
to invoke scsi_end_request() for releasing the sgtable. The successfully
submitted URBs, when being unlinked to giveback, call
usb_hcd_unmap_urb_for_dma() in hcd.c, leading to exceptions during sg
unmapping operations since the sg data structure has already been freed.
This patch modifies the error condition check in the uas_submit_urbs()
function. When a UAS device is removed but one or more URBs have already
been successfully submitted to USB, it avoids immediately invoking
scsi_done() and save the cmnd to devinfo->cmnd array. If the successfully
submitted URBs is completed before devinfo->resetting being set, then
the scsi_done() function will be called within uas_try_complete() after
all pending URB operations are finalized. Otherwise, the scsi_done()
function will be called within uas_zap_pending(), which is executed after
usb_kill_anchored_urbs().
The error handling only takes effect when uas_queuecommand_lck() calls
uas_submit_urbs() and returns the error value -ENODEV . In this case,
the device is disconnected, and the flow proceeds to uas_disconnect(),
where uas_zap_pending() is invoked to call uas_try_complete().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < 6289fc489e94c9beb6be2b502ccc263663733d72
(git)
Affected: eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < 66ac05e7b0d6bbd1bee9fcf729e20fd4cce86d17 (git) Affected: eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < 75f8e2643085db4f7e136fc6b368eb114dd80a64 (git) Affected: eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < e3a55221f4de080cb7a91ba10f01c4f708603f8d (git) Affected: eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < 2b90a8131c83f6f2be69397d2b7d14d217d95d2f (git) Affected: eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < 426edbfc88b22601ea34a441a469092e7b301c52 (git) Affected: eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < 26d56a9fcb2014b99e654127960aa0a48a391e3c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/storage/uas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6289fc489e94c9beb6be2b502ccc263663733d72",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
},
{
"lessThan": "66ac05e7b0d6bbd1bee9fcf729e20fd4cce86d17",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
},
{
"lessThan": "75f8e2643085db4f7e136fc6b368eb114dd80a64",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
},
{
"lessThan": "e3a55221f4de080cb7a91ba10f01c4f708603f8d",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
},
{
"lessThan": "2b90a8131c83f6f2be69397d2b7d14d217d95d2f",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
},
{
"lessThan": "426edbfc88b22601ea34a441a469092e7b301c52",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
},
{
"lessThan": "26d56a9fcb2014b99e654127960aa0a48a391e3c",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/storage/uas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer\n\nWhen a UAS device is unplugged during data transfer, there is\na probability of a system panic occurring. The root cause is\nan access to an invalid memory address during URB callback handling.\nSpecifically, this happens when the dma_direct_unmap_sg() function\nis called within the usb_hcd_unmap_urb_for_dma() interface, but the\nsg-\u003edma_address field is 0 and the sg data structure has already been\nfreed.\n\nThe SCSI driver sends transfer commands by invoking uas_queuecommand_lck()\nin uas.c, using the uas_submit_urbs() function to submit requests to USB.\nWithin the uas_submit_urbs() implementation, three URBs (sense_urb,\ndata_urb, and cmd_urb) are sequentially submitted. Device removal may\noccur at any point during uas_submit_urbs execution, which may result\nin URB submission failure. However, some URBs might have been successfully\nsubmitted before the failure, and uas_submit_urbs will return the -ENODEV\nerror code in this case. The current error handling directly calls\nscsi_done(). In the SCSI driver, this eventually triggers scsi_complete()\nto invoke scsi_end_request() for releasing the sgtable. The successfully\nsubmitted URBs, when being unlinked to giveback, call\nusb_hcd_unmap_urb_for_dma() in hcd.c, leading to exceptions during sg\nunmapping operations since the sg data structure has already been freed.\n\nThis patch modifies the error condition check in the uas_submit_urbs()\nfunction. When a UAS device is removed but one or more URBs have already\nbeen successfully submitted to USB, it avoids immediately invoking\nscsi_done() and save the cmnd to devinfo-\u003ecmnd array. If the successfully\nsubmitted URBs is completed before devinfo-\u003eresetting being set, then\nthe scsi_done() function will be called within uas_try_complete() after\nall pending URB operations are finalized. Otherwise, the scsi_done()\nfunction will be called within uas_zap_pending(), which is executed after\nusb_kill_anchored_urbs().\n\nThe error handling only takes effect when uas_queuecommand_lck() calls\nuas_submit_urbs() and returns the error value -ENODEV . In this case,\nthe device is disconnected, and the flow proceeds to uas_disconnect(),\nwhere uas_zap_pending() is invoked to call uas_try_complete()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T16:14:09.243Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6289fc489e94c9beb6be2b502ccc263663733d72"
},
{
"url": "https://git.kernel.org/stable/c/66ac05e7b0d6bbd1bee9fcf729e20fd4cce86d17"
},
{
"url": "https://git.kernel.org/stable/c/75f8e2643085db4f7e136fc6b368eb114dd80a64"
},
{
"url": "https://git.kernel.org/stable/c/e3a55221f4de080cb7a91ba10f01c4f708603f8d"
},
{
"url": "https://git.kernel.org/stable/c/2b90a8131c83f6f2be69397d2b7d14d217d95d2f"
},
{
"url": "https://git.kernel.org/stable/c/426edbfc88b22601ea34a441a469092e7b301c52"
},
{
"url": "https://git.kernel.org/stable/c/26d56a9fcb2014b99e654127960aa0a48a391e3c"
}
],
"title": "usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68331",
"datePublished": "2025-12-22T16:12:24.607Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2025-12-22T16:14:09.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68329 (GCVE-0-2025-68329)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:12 – Updated: 2025-12-22 16:14
VLAI?
Title
tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs
When a VMA is split (e.g., by partial munmap or MAP_FIXED), the kernel
calls vm_ops->close on each portion. For trace buffer mappings, this
results in ring_buffer_unmap() being called multiple times while
ring_buffer_map() was only called once.
This causes ring_buffer_unmap() to return -ENODEV on subsequent calls
because user_mapped is already 0, triggering a WARN_ON.
Trace buffer mappings cannot support partial mappings because the ring
buffer structure requires the complete buffer including the meta page.
Fix this by adding a may_split callback that returns -EINVAL to prevent
VMA splits entirely.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64 , < 922fdd0b755a84f9933b3ca195f60092b6bb88ee
(git)
Affected: cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64 , < 45053c12c45f0fb8ef6ab95118dd928d2fec0255 (git) Affected: cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64 , < b042fdf18e89a347177a49e795d8e5184778b5b6 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "922fdd0b755a84f9933b3ca195f60092b6bb88ee",
"status": "affected",
"version": "cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64",
"versionType": "git"
},
{
"lessThan": "45053c12c45f0fb8ef6ab95118dd928d2fec0255",
"status": "affected",
"version": "cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64",
"versionType": "git"
},
{
"lessThan": "b042fdf18e89a347177a49e795d8e5184778b5b6",
"status": "affected",
"version": "cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs\n\nWhen a VMA is split (e.g., by partial munmap or MAP_FIXED), the kernel\ncalls vm_ops-\u003eclose on each portion. For trace buffer mappings, this\nresults in ring_buffer_unmap() being called multiple times while\nring_buffer_map() was only called once.\n\nThis causes ring_buffer_unmap() to return -ENODEV on subsequent calls\nbecause user_mapped is already 0, triggering a WARN_ON.\n\nTrace buffer mappings cannot support partial mappings because the ring\nbuffer structure requires the complete buffer including the meta page.\n\nFix this by adding a may_split callback that returns -EINVAL to prevent\nVMA splits entirely."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T16:14:06.466Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/922fdd0b755a84f9933b3ca195f60092b6bb88ee"
},
{
"url": "https://git.kernel.org/stable/c/45053c12c45f0fb8ef6ab95118dd928d2fec0255"
},
{
"url": "https://git.kernel.org/stable/c/b042fdf18e89a347177a49e795d8e5184778b5b6"
}
],
"title": "tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68329",
"datePublished": "2025-12-22T16:12:23.133Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2025-12-22T16:14:06.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68330 (GCVE-0-2025-68330)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:12 – Updated: 2025-12-22 16:14
VLAI?
Title
iio: accel: bmc150: Fix irq assumption regression
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: accel: bmc150: Fix irq assumption regression
The code in bmc150-accel-core.c unconditionally calls
bmc150_accel_set_interrupt() in the iio_buffer_setup_ops,
such as on the runtime PM resume path giving a kernel
splat like this if the device has no interrupts:
Unable to handle kernel NULL pointer dereference at virtual
address 00000001 when read
PC is at bmc150_accel_set_interrupt+0x98/0x194
LR is at __pm_runtime_resume+0x5c/0x64
(...)
Call trace:
bmc150_accel_set_interrupt from bmc150_accel_buffer_postenable+0x40/0x108
bmc150_accel_buffer_postenable from __iio_update_buffers+0xbe0/0xcbc
__iio_update_buffers from enable_store+0x84/0xc8
enable_store from kernfs_fop_write_iter+0x154/0x1b4
This bug seems to have been in the driver since the beginning,
but it only manifests recently, I do not know why.
Store the IRQ number in the state struct, as this is a common
pattern in other drivers, then use this to determine if we have
IRQ support or not.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < aad9d048a3211c48ec02efa405bf462856feb862
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c891f504bb66604c822e7985e093cf39b97fdeb0 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < cdd4a9e98004bd7c7488311951fa6dbae38b2b80 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 65ad4ed983fd9ee0259d86391d6a53f78203918c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 93eaa5ddc5fc4f50ac396afad8ce261102ebd4f3 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3aa385a9c75c09b59dcab2ff76423439d23673ab (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/accel/bmc150-accel-core.c",
"drivers/iio/accel/bmc150-accel.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aad9d048a3211c48ec02efa405bf462856feb862",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c891f504bb66604c822e7985e093cf39b97fdeb0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cdd4a9e98004bd7c7488311951fa6dbae38b2b80",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "65ad4ed983fd9ee0259d86391d6a53f78203918c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "93eaa5ddc5fc4f50ac396afad8ce261102ebd4f3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3aa385a9c75c09b59dcab2ff76423439d23673ab",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/accel/bmc150-accel-core.c",
"drivers/iio/accel/bmc150-accel.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: accel: bmc150: Fix irq assumption regression\n\nThe code in bmc150-accel-core.c unconditionally calls\nbmc150_accel_set_interrupt() in the iio_buffer_setup_ops,\nsuch as on the runtime PM resume path giving a kernel\nsplat like this if the device has no interrupts:\n\nUnable to handle kernel NULL pointer dereference at virtual\n address 00000001 when read\n\nPC is at bmc150_accel_set_interrupt+0x98/0x194\nLR is at __pm_runtime_resume+0x5c/0x64\n(...)\nCall trace:\nbmc150_accel_set_interrupt from bmc150_accel_buffer_postenable+0x40/0x108\nbmc150_accel_buffer_postenable from __iio_update_buffers+0xbe0/0xcbc\n__iio_update_buffers from enable_store+0x84/0xc8\nenable_store from kernfs_fop_write_iter+0x154/0x1b4\n\nThis bug seems to have been in the driver since the beginning,\nbut it only manifests recently, I do not know why.\n\nStore the IRQ number in the state struct, as this is a common\npattern in other drivers, then use this to determine if we have\nIRQ support or not."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T16:14:07.891Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aad9d048a3211c48ec02efa405bf462856feb862"
},
{
"url": "https://git.kernel.org/stable/c/c891f504bb66604c822e7985e093cf39b97fdeb0"
},
{
"url": "https://git.kernel.org/stable/c/cdd4a9e98004bd7c7488311951fa6dbae38b2b80"
},
{
"url": "https://git.kernel.org/stable/c/65ad4ed983fd9ee0259d86391d6a53f78203918c"
},
{
"url": "https://git.kernel.org/stable/c/93eaa5ddc5fc4f50ac396afad8ce261102ebd4f3"
},
{
"url": "https://git.kernel.org/stable/c/3aa385a9c75c09b59dcab2ff76423439d23673ab"
}
],
"title": "iio: accel: bmc150: Fix irq assumption regression",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68330",
"datePublished": "2025-12-22T16:12:23.864Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2025-12-22T16:14:07.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68328 (GCVE-0-2025-68328)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:12 – Updated: 2025-12-22 16:14
VLAI?
Title
firmware: stratix10-svc: fix bug in saving controller data
Summary
In the Linux kernel, the following vulnerability has been resolved:
firmware: stratix10-svc: fix bug in saving controller data
Fix the incorrect usage of platform_set_drvdata and dev_set_drvdata. They
both are of the same data and overrides each other. This resulted in the
rmmod of the svc driver to fail and throw a kernel panic for kthread_stop
and fifo free.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b5dc75c915cdaebab9b9875022e45638d6b14a7e , < 9d0a330abd9e49bcebf6307aac185081bde49a43
(git)
Affected: b5dc75c915cdaebab9b9875022e45638d6b14a7e , < 354fb03002da0970d337f0d3edbeb46cc4fa6f41 (git) Affected: b5dc75c915cdaebab9b9875022e45638d6b14a7e , < b359df793f609b1efce31dadfe6883ec73852619 (git) Affected: b5dc75c915cdaebab9b9875022e45638d6b14a7e , < 71796c91ee8e33faf4434a9e210b5063c28ea907 (git) Affected: b5dc75c915cdaebab9b9875022e45638d6b14a7e , < 60ab1851614e6007344042b66da6e31d1cc26cb3 (git) Affected: b5dc75c915cdaebab9b9875022e45638d6b14a7e , < bd226fa02ed6db6fce0fae010802f0950fd14fb9 (git) Affected: b5dc75c915cdaebab9b9875022e45638d6b14a7e , < d0fcf70c680e4d1669fcb3a8632f41400b9a73c2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/stratix10-svc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9d0a330abd9e49bcebf6307aac185081bde49a43",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
},
{
"lessThan": "354fb03002da0970d337f0d3edbeb46cc4fa6f41",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
},
{
"lessThan": "b359df793f609b1efce31dadfe6883ec73852619",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
},
{
"lessThan": "71796c91ee8e33faf4434a9e210b5063c28ea907",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
},
{
"lessThan": "60ab1851614e6007344042b66da6e31d1cc26cb3",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
},
{
"lessThan": "bd226fa02ed6db6fce0fae010802f0950fd14fb9",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
},
{
"lessThan": "d0fcf70c680e4d1669fcb3a8632f41400b9a73c2",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/stratix10-svc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: stratix10-svc: fix bug in saving controller data\n\nFix the incorrect usage of platform_set_drvdata and dev_set_drvdata. They\nboth are of the same data and overrides each other. This resulted in the\nrmmod of the svc driver to fail and throw a kernel panic for kthread_stop\nand fifo free."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T16:14:00.130Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9d0a330abd9e49bcebf6307aac185081bde49a43"
},
{
"url": "https://git.kernel.org/stable/c/354fb03002da0970d337f0d3edbeb46cc4fa6f41"
},
{
"url": "https://git.kernel.org/stable/c/b359df793f609b1efce31dadfe6883ec73852619"
},
{
"url": "https://git.kernel.org/stable/c/71796c91ee8e33faf4434a9e210b5063c28ea907"
},
{
"url": "https://git.kernel.org/stable/c/60ab1851614e6007344042b66da6e31d1cc26cb3"
},
{
"url": "https://git.kernel.org/stable/c/bd226fa02ed6db6fce0fae010802f0950fd14fb9"
},
{
"url": "https://git.kernel.org/stable/c/d0fcf70c680e4d1669fcb3a8632f41400b9a73c2"
}
],
"title": "firmware: stratix10-svc: fix bug in saving controller data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68328",
"datePublished": "2025-12-22T16:12:22.218Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2025-12-22T16:14:00.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68327 (GCVE-0-2025-68327)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:12 – Updated: 2025-12-22 16:13
VLAI?
Title
usb: renesas_usbhs: Fix synchronous external abort on unbind
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: renesas_usbhs: Fix synchronous external abort on unbind
A synchronous external abort occurs on the Renesas RZ/G3S SoC if unbind is
executed after the configuration sequence described above:
modprobe usb_f_ecm
modprobe libcomposite
modprobe configfs
cd /sys/kernel/config/usb_gadget
mkdir -p g1
cd g1
echo "0x1d6b" > idVendor
echo "0x0104" > idProduct
mkdir -p strings/0x409
echo "0123456789" > strings/0x409/serialnumber
echo "Renesas." > strings/0x409/manufacturer
echo "Ethernet Gadget" > strings/0x409/product
mkdir -p functions/ecm.usb0
mkdir -p configs/c.1
mkdir -p configs/c.1/strings/0x409
echo "ECM" > configs/c.1/strings/0x409/configuration
if [ ! -L configs/c.1/ecm.usb0 ]; then
ln -s functions/ecm.usb0 configs/c.1
fi
echo 11e20000.usb > UDC
echo 11e20000.usb > /sys/bus/platform/drivers/renesas_usbhs/unbind
The displayed trace is as follows:
Internal error: synchronous external abort: 0000000096000010 [#1] SMP
CPU: 0 UID: 0 PID: 188 Comm: sh Tainted: G M 6.17.0-rc7-next-20250922-00010-g41050493b2bd #55 PREEMPT
Tainted: [M]=MACHINE_CHECK
Hardware name: Renesas SMARC EVK version 2 based on r9a08g045s33 (DT)
pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs]
lr : usbhsg_update_pullup+0x3c/0x68 [renesas_usbhs]
sp : ffff8000838b3920
x29: ffff8000838b3920 x28: ffff00000d585780 x27: 0000000000000000
x26: 0000000000000000 x25: 0000000000000000 x24: ffff00000c3e3810
x23: ffff00000d5e5c80 x22: ffff00000d5e5d40 x21: 0000000000000000
x20: 0000000000000000 x19: ffff00000d5e5c80 x18: 0000000000000020
x17: 2e30303230316531 x16: 312d7968703a7968 x15: 3d454d414e5f4344
x14: 000000000000002c x13: 0000000000000000 x12: 0000000000000000
x11: ffff00000f358f38 x10: ffff00000f358db0 x9 : ffff00000b41f418
x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d
x5 : 8080808000000000 x4 : 000000004b5ccb9d x3 : 0000000000000000
x2 : 0000000000000000 x1 : ffff800083790000 x0 : ffff00000d5e5c80
Call trace:
usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] (P)
usbhsg_pullup+0x4c/0x7c [renesas_usbhs]
usb_gadget_disconnect_locked+0x48/0xd4
gadget_unbind_driver+0x44/0x114
device_remove+0x4c/0x80
device_release_driver_internal+0x1c8/0x224
device_release_driver+0x18/0x24
bus_remove_device+0xcc/0x10c
device_del+0x14c/0x404
usb_del_gadget+0x88/0xc0
usb_del_gadget_udc+0x18/0x30
usbhs_mod_gadget_remove+0x24/0x44 [renesas_usbhs]
usbhs_mod_remove+0x20/0x30 [renesas_usbhs]
usbhs_remove+0x98/0xdc [renesas_usbhs]
platform_remove+0x20/0x30
device_remove+0x4c/0x80
device_release_driver_internal+0x1c8/0x224
device_driver_detach+0x18/0x24
unbind_store+0xb4/0xb8
drv_attr_store+0x24/0x38
sysfs_kf_write+0x7c/0x94
kernfs_fop_write_iter+0x128/0x1b8
vfs_write+0x2ac/0x350
ksys_write+0x68/0xfc
__arm64_sys_write+0x1c/0x28
invoke_syscall+0x48/0x110
el0_svc_common.constprop.0+0xc0/0xe0
do_el0_svc+0x1c/0x28
el0_svc+0x34/0xf0
el0t_64_sync_handler+0xa0/0xe4
el0t_64_sync+0x198/0x19c
Code: 7100003f 1a9f07e1 531c6c22 f9400001 (79400021)
---[ end trace 0000000000000000 ]---
note: sh[188] exited with irqs disabled
note: sh[188] exited with preempt_count 1
The issue occurs because usbhs_sys_function_pullup(), which accesses the IP
registers, is executed after the USBHS clocks have been disabled. The
problem is reproducible on the Renesas RZ/G3S SoC starting with the
addition of module stop in the clock enable/disable APIs. With module stop
functionality enabled, a bus error is expected if a master accesses a
module whose clock has been stopped and module stop activated.
Disable the IP clocks at the end of remove.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 , < fd1a7bf3a8cac13f6d2d52d8c7570ba41621db9a
(git)
Affected: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 , < cd5e86e34c66a831b5cb9b720ad411a006962cc8 (git) Affected: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 , < 230b1bc1310edcd5c1b71dcd6b77ccba43139cb5 (git) Affected: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 , < 9d86bc8b188a77c8d6f7252280ec2bd24ad6fbc1 (git) Affected: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 , < 26838f147aeaa8f820ff799d72815fba5e209bd9 (git) Affected: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 , < aa658a6d5ac21c7cde54c6d015f2d4daff32e02d (git) Affected: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 , < eb9ac779830b2235847b72cb15cf07c7e3333c5e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/renesas_usbhs/common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fd1a7bf3a8cac13f6d2d52d8c7570ba41621db9a",
"status": "affected",
"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
"versionType": "git"
},
{
"lessThan": "cd5e86e34c66a831b5cb9b720ad411a006962cc8",
"status": "affected",
"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
"versionType": "git"
},
{
"lessThan": "230b1bc1310edcd5c1b71dcd6b77ccba43139cb5",
"status": "affected",
"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
"versionType": "git"
},
{
"lessThan": "9d86bc8b188a77c8d6f7252280ec2bd24ad6fbc1",
"status": "affected",
"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
"versionType": "git"
},
{
"lessThan": "26838f147aeaa8f820ff799d72815fba5e209bd9",
"status": "affected",
"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
"versionType": "git"
},
{
"lessThan": "aa658a6d5ac21c7cde54c6d015f2d4daff32e02d",
"status": "affected",
"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
"versionType": "git"
},
{
"lessThan": "eb9ac779830b2235847b72cb15cf07c7e3333c5e",
"status": "affected",
"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/renesas_usbhs/common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: renesas_usbhs: Fix synchronous external abort on unbind\n\nA synchronous external abort occurs on the Renesas RZ/G3S SoC if unbind is\nexecuted after the configuration sequence described above:\n\nmodprobe usb_f_ecm\nmodprobe libcomposite\nmodprobe configfs\ncd /sys/kernel/config/usb_gadget\nmkdir -p g1\ncd g1\necho \"0x1d6b\" \u003e idVendor\necho \"0x0104\" \u003e idProduct\nmkdir -p strings/0x409\necho \"0123456789\" \u003e strings/0x409/serialnumber\necho \"Renesas.\" \u003e strings/0x409/manufacturer\necho \"Ethernet Gadget\" \u003e strings/0x409/product\nmkdir -p functions/ecm.usb0\nmkdir -p configs/c.1\nmkdir -p configs/c.1/strings/0x409\necho \"ECM\" \u003e configs/c.1/strings/0x409/configuration\n\nif [ ! -L configs/c.1/ecm.usb0 ]; then\n ln -s functions/ecm.usb0 configs/c.1\nfi\n\necho 11e20000.usb \u003e UDC\necho 11e20000.usb \u003e /sys/bus/platform/drivers/renesas_usbhs/unbind\n\nThe displayed trace is as follows:\n\n Internal error: synchronous external abort: 0000000096000010 [#1] SMP\n CPU: 0 UID: 0 PID: 188 Comm: sh Tainted: G M 6.17.0-rc7-next-20250922-00010-g41050493b2bd #55 PREEMPT\n Tainted: [M]=MACHINE_CHECK\n Hardware name: Renesas SMARC EVK version 2 based on r9a08g045s33 (DT)\n pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs]\n lr : usbhsg_update_pullup+0x3c/0x68 [renesas_usbhs]\n sp : ffff8000838b3920\n x29: ffff8000838b3920 x28: ffff00000d585780 x27: 0000000000000000\n x26: 0000000000000000 x25: 0000000000000000 x24: ffff00000c3e3810\n x23: ffff00000d5e5c80 x22: ffff00000d5e5d40 x21: 0000000000000000\n x20: 0000000000000000 x19: ffff00000d5e5c80 x18: 0000000000000020\n x17: 2e30303230316531 x16: 312d7968703a7968 x15: 3d454d414e5f4344\n x14: 000000000000002c x13: 0000000000000000 x12: 0000000000000000\n x11: ffff00000f358f38 x10: ffff00000f358db0 x9 : ffff00000b41f418\n x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d\n x5 : 8080808000000000 x4 : 000000004b5ccb9d x3 : 0000000000000000\n x2 : 0000000000000000 x1 : ffff800083790000 x0 : ffff00000d5e5c80\n Call trace:\n usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] (P)\n usbhsg_pullup+0x4c/0x7c [renesas_usbhs]\n usb_gadget_disconnect_locked+0x48/0xd4\n gadget_unbind_driver+0x44/0x114\n device_remove+0x4c/0x80\n device_release_driver_internal+0x1c8/0x224\n device_release_driver+0x18/0x24\n bus_remove_device+0xcc/0x10c\n device_del+0x14c/0x404\n usb_del_gadget+0x88/0xc0\n usb_del_gadget_udc+0x18/0x30\n usbhs_mod_gadget_remove+0x24/0x44 [renesas_usbhs]\n usbhs_mod_remove+0x20/0x30 [renesas_usbhs]\n usbhs_remove+0x98/0xdc [renesas_usbhs]\n platform_remove+0x20/0x30\n device_remove+0x4c/0x80\n device_release_driver_internal+0x1c8/0x224\n device_driver_detach+0x18/0x24\n unbind_store+0xb4/0xb8\n drv_attr_store+0x24/0x38\n sysfs_kf_write+0x7c/0x94\n kernfs_fop_write_iter+0x128/0x1b8\n vfs_write+0x2ac/0x350\n ksys_write+0x68/0xfc\n __arm64_sys_write+0x1c/0x28\n invoke_syscall+0x48/0x110\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x34/0xf0\n el0t_64_sync_handler+0xa0/0xe4\n el0t_64_sync+0x198/0x19c\n Code: 7100003f 1a9f07e1 531c6c22 f9400001 (79400021)\n ---[ end trace 0000000000000000 ]---\n note: sh[188] exited with irqs disabled\n note: sh[188] exited with preempt_count 1\n\nThe issue occurs because usbhs_sys_function_pullup(), which accesses the IP\nregisters, is executed after the USBHS clocks have been disabled. The\nproblem is reproducible on the Renesas RZ/G3S SoC starting with the\naddition of module stop in the clock enable/disable APIs. With module stop\nfunctionality enabled, a bus error is expected if a master accesses a\nmodule whose clock has been stopped and module stop activated.\n\nDisable the IP clocks at the end of remove."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T16:13:58.409Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fd1a7bf3a8cac13f6d2d52d8c7570ba41621db9a"
},
{
"url": "https://git.kernel.org/stable/c/cd5e86e34c66a831b5cb9b720ad411a006962cc8"
},
{
"url": "https://git.kernel.org/stable/c/230b1bc1310edcd5c1b71dcd6b77ccba43139cb5"
},
{
"url": "https://git.kernel.org/stable/c/9d86bc8b188a77c8d6f7252280ec2bd24ad6fbc1"
},
{
"url": "https://git.kernel.org/stable/c/26838f147aeaa8f820ff799d72815fba5e209bd9"
},
{
"url": "https://git.kernel.org/stable/c/aa658a6d5ac21c7cde54c6d015f2d4daff32e02d"
},
{
"url": "https://git.kernel.org/stable/c/eb9ac779830b2235847b72cb15cf07c7e3333c5e"
}
],
"title": "usb: renesas_usbhs: Fix synchronous external abort on unbind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68327",
"datePublished": "2025-12-22T16:12:21.402Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2025-12-22T16:13:58.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68326 (GCVE-0-2025-68326)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:12 – Updated: 2025-12-22 16:13
VLAI?
Title
drm/xe/guc: Fix stack_depot usage
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/guc: Fix stack_depot usage
Add missing stack_depot_init() call when CONFIG_DRM_XE_DEBUG_GUC is
enabled to fix the following call stack:
[] BUG: kernel NULL pointer dereference, address: 0000000000000000
[] Workqueue: drm_sched_run_job_work [gpu_sched]
[] RIP: 0010:stack_depot_save_flags+0x172/0x870
[] Call Trace:
[] <TASK>
[] fast_req_track+0x58/0xb0 [xe]
(cherry picked from commit 64fdf496a6929a0a194387d2bb5efaf5da2b542f)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_guc_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1966838d1c82149cbf4a652322d26a6e5aae9c4e",
"status": "affected",
"version": "16b7e65d299d56442879405ac85800877fa51355",
"versionType": "git"
},
{
"lessThan": "0e234632e39bd21dd28ffc9ba3ae8eec4deb949c",
"status": "affected",
"version": "16b7e65d299d56442879405ac85800877fa51355",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_guc_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/guc: Fix stack_depot usage\n\nAdd missing stack_depot_init() call when CONFIG_DRM_XE_DEBUG_GUC is\nenabled to fix the following call stack:\n\n\t[] BUG: kernel NULL pointer dereference, address: 0000000000000000\n\t[] Workqueue: drm_sched_run_job_work [gpu_sched]\n\t[] RIP: 0010:stack_depot_save_flags+0x172/0x870\n\t[] Call Trace:\n\t[] \u003cTASK\u003e\n\t[] fast_req_track+0x58/0xb0 [xe]\n\n(cherry picked from commit 64fdf496a6929a0a194387d2bb5efaf5da2b542f)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T16:13:56.845Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1966838d1c82149cbf4a652322d26a6e5aae9c4e"
},
{
"url": "https://git.kernel.org/stable/c/0e234632e39bd21dd28ffc9ba3ae8eec4deb949c"
}
],
"title": "drm/xe/guc: Fix stack_depot usage",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68326",
"datePublished": "2025-12-22T16:12:15.664Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2025-12-22T16:13:56.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68325 (GCVE-0-2025-68325)
Vulnerability from cvelistv5 – Published: 2025-12-18 15:02 – Updated: 2025-12-18 15:02
VLAI?
Title
net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop
In cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen
and backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes
that the parent qdisc will enqueue the current packet. However, this
assumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent
qdisc stops enqueuing current packet, leaving the tree qlen/backlog
accounting inconsistent. This mismatch can lead to a NULL dereference
(e.g., when the parent Qdisc is qfq_qdisc).
This patch computes the qlen/backlog delta in a more robust way by
observing the difference before and after the series of cake_drop()
calls, and then compensates the qdisc tree accounting if cake_enqueue()
returns NET_XMIT_CN.
To ensure correct compensation when ACK thinning is enabled, a new
variable is introduced to keep qlen unchanged.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ff57186b2cc39766672c4c0332323933e5faaa88 , < 0b6216f9b3d1c33c76f74511026e5de5385ee520
(git)
Affected: 15de71d06a400f7fdc15bf377a2552b0ec437cf5 , < 529c284cc2815c8350860e9a31722050fe7117cb (git) Affected: 15de71d06a400f7fdc15bf377a2552b0ec437cf5 , < 3ed6c458530a547ed0c9ea0b02b19bab620be88b (git) Affected: 15de71d06a400f7fdc15bf377a2552b0ec437cf5 , < 9fefc78f7f02d71810776fdeb119a05a946a27cc (git) Affected: 7689ab22de36f8db19095f6bdf11f28cfde92f5c (git) Affected: de04ddd2980b48caa8d7e24a7db2742917a8b280 (git) Affected: 0dacfc5372e314d1219f03e64dde3ab495a5a25e (git) Affected: 710866fc0a64eafcb8bacd91bcb1329eb7e5035f (git) Affected: aa12ee1c1bd260943fd6ab556d8635811c332eeb (git) Affected: 62d591dde4defb1333d202410609c4ddeae060b3 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_cake.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0b6216f9b3d1c33c76f74511026e5de5385ee520",
"status": "affected",
"version": "ff57186b2cc39766672c4c0332323933e5faaa88",
"versionType": "git"
},
{
"lessThan": "529c284cc2815c8350860e9a31722050fe7117cb",
"status": "affected",
"version": "15de71d06a400f7fdc15bf377a2552b0ec437cf5",
"versionType": "git"
},
{
"lessThan": "3ed6c458530a547ed0c9ea0b02b19bab620be88b",
"status": "affected",
"version": "15de71d06a400f7fdc15bf377a2552b0ec437cf5",
"versionType": "git"
},
{
"lessThan": "9fefc78f7f02d71810776fdeb119a05a946a27cc",
"status": "affected",
"version": "15de71d06a400f7fdc15bf377a2552b0ec437cf5",
"versionType": "git"
},
{
"status": "affected",
"version": "7689ab22de36f8db19095f6bdf11f28cfde92f5c",
"versionType": "git"
},
{
"status": "affected",
"version": "de04ddd2980b48caa8d7e24a7db2742917a8b280",
"versionType": "git"
},
{
"status": "affected",
"version": "0dacfc5372e314d1219f03e64dde3ab495a5a25e",
"versionType": "git"
},
{
"status": "affected",
"version": "710866fc0a64eafcb8bacd91bcb1329eb7e5035f",
"versionType": "git"
},
{
"status": "affected",
"version": "aa12ee1c1bd260943fd6ab556d8635811c332eeb",
"versionType": "git"
},
{
"status": "affected",
"version": "62d591dde4defb1333d202410609c4ddeae060b3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_cake.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.12.44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.297",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_cake: Fix incorrect qlen reduction in cake_drop\n\nIn cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen\nand backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes\nthat the parent qdisc will enqueue the current packet. However, this\nassumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent\nqdisc stops enqueuing current packet, leaving the tree qlen/backlog\naccounting inconsistent. This mismatch can lead to a NULL dereference\n(e.g., when the parent Qdisc is qfq_qdisc).\n\nThis patch computes the qlen/backlog delta in a more robust way by\nobserving the difference before and after the series of cake_drop()\ncalls, and then compensates the qdisc tree accounting if cake_enqueue()\nreturns NET_XMIT_CN.\n\nTo ensure correct compensation when ACK thinning is enabled, a new\nvariable is introduced to keep qlen unchanged."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T15:02:50.214Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0b6216f9b3d1c33c76f74511026e5de5385ee520"
},
{
"url": "https://git.kernel.org/stable/c/529c284cc2815c8350860e9a31722050fe7117cb"
},
{
"url": "https://git.kernel.org/stable/c/3ed6c458530a547ed0c9ea0b02b19bab620be88b"
},
{
"url": "https://git.kernel.org/stable/c/9fefc78f7f02d71810776fdeb119a05a946a27cc"
}
],
"title": "net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68325",
"datePublished": "2025-12-18T15:02:50.214Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2025-12-18T15:02:50.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68324 (GCVE-0-2025-68324)
Vulnerability from cvelistv5 – Published: 2025-12-18 15:02 – Updated: 2025-12-18 15:02
VLAI?
Title
scsi: imm: Fix use-after-free bug caused by unfinished delayed work
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: imm: Fix use-after-free bug caused by unfinished delayed work
The delayed work item 'imm_tq' is initialized in imm_attach() and
scheduled via imm_queuecommand() for processing SCSI commands. When the
IMM parallel port SCSI host adapter is detached through imm_detach(),
the imm_struct device instance is deallocated.
However, the delayed work might still be pending or executing
when imm_detach() is called, leading to use-after-free bugs
when the work function imm_interrupt() accesses the already
freed imm_struct memory.
The race condition can occur as follows:
CPU 0(detach thread) | CPU 1
| imm_queuecommand()
| imm_queuecommand_lck()
imm_detach() | schedule_delayed_work()
kfree(dev) //FREE | imm_interrupt()
| dev = container_of(...) //USE
dev-> //USE
Add disable_delayed_work_sync() in imm_detach() to guarantee proper
cancellation of the delayed work item before imm_struct is deallocated.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 31ab2aad7a7b7501e904a09bf361e44671f66092
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 48dd41fa2d6c6a0c50e714deeba06ffe7f91961b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9e434426cc23ad5e2aad649327b59aea00294b13 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ab58153ec64fa3fc9aea09ca09dc9322e0b54a7c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/imm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "31ab2aad7a7b7501e904a09bf361e44671f66092",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "48dd41fa2d6c6a0c50e714deeba06ffe7f91961b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9e434426cc23ad5e2aad649327b59aea00294b13",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ab58153ec64fa3fc9aea09ca09dc9322e0b54a7c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/imm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: imm: Fix use-after-free bug caused by unfinished delayed work\n\nThe delayed work item \u0027imm_tq\u0027 is initialized in imm_attach() and\nscheduled via imm_queuecommand() for processing SCSI commands. When the\nIMM parallel port SCSI host adapter is detached through imm_detach(),\nthe imm_struct device instance is deallocated.\n\nHowever, the delayed work might still be pending or executing\nwhen imm_detach() is called, leading to use-after-free bugs\nwhen the work function imm_interrupt() accesses the already\nfreed imm_struct memory.\n\nThe race condition can occur as follows:\n\nCPU 0(detach thread) | CPU 1\n | imm_queuecommand()\n | imm_queuecommand_lck()\nimm_detach() | schedule_delayed_work()\n kfree(dev) //FREE | imm_interrupt()\n | dev = container_of(...) //USE\n dev-\u003e //USE\n\nAdd disable_delayed_work_sync() in imm_detach() to guarantee proper\ncancellation of the delayed work item before imm_struct is deallocated."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T15:02:49.230Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/31ab2aad7a7b7501e904a09bf361e44671f66092"
},
{
"url": "https://git.kernel.org/stable/c/48dd41fa2d6c6a0c50e714deeba06ffe7f91961b"
},
{
"url": "https://git.kernel.org/stable/c/9e434426cc23ad5e2aad649327b59aea00294b13"
},
{
"url": "https://git.kernel.org/stable/c/ab58153ec64fa3fc9aea09ca09dc9322e0b54a7c"
}
],
"title": "scsi: imm: Fix use-after-free bug caused by unfinished delayed work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68324",
"datePublished": "2025-12-18T15:02:49.230Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2025-12-18T15:02:49.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68323 (GCVE-0-2025-68323)
Vulnerability from cvelistv5 – Published: 2025-12-18 15:02 – Updated: 2025-12-18 15:02
VLAI?
Title
usb: typec: ucsi: fix use-after-free caused by uec->work
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: ucsi: fix use-after-free caused by uec->work
The delayed work uec->work is scheduled in gaokun_ucsi_probe()
but never properly canceled in gaokun_ucsi_remove(). This creates
use-after-free scenarios where the ucsi and gaokun_ucsi structure
are freed after ucsi_destroy() completes execution, while the
gaokun_ucsi_register_worker() might be either currently executing
or still pending in the work queue. The already-freed gaokun_ucsi
or ucsi structure may then be accessed.
Furthermore, the race window is 3 seconds, which is sufficiently
long to make this bug easily reproducible. The following is the
trace captured by KASAN:
==================================================================
BUG: KASAN: slab-use-after-free in __run_timers+0x5ec/0x630
Write of size 8 at addr ffff00000ec28cc8 by task swapper/0/0
...
Call trace:
show_stack+0x18/0x24 (C)
dump_stack_lvl+0x78/0x90
print_report+0x114/0x580
kasan_report+0xa4/0xf0
__asan_report_store8_noabort+0x20/0x2c
__run_timers+0x5ec/0x630
run_timer_softirq+0xe8/0x1cc
handle_softirqs+0x294/0x720
__do_softirq+0x14/0x20
____do_softirq+0x10/0x1c
call_on_irq_stack+0x30/0x48
do_softirq_own_stack+0x1c/0x28
__irq_exit_rcu+0x27c/0x364
irq_exit_rcu+0x10/0x1c
el1_interrupt+0x40/0x60
el1h_64_irq_handler+0x18/0x24
el1h_64_irq+0x6c/0x70
arch_local_irq_enable+0x4/0x8 (P)
do_idle+0x334/0x458
cpu_startup_entry+0x60/0x70
rest_init+0x158/0x174
start_kernel+0x2f8/0x394
__primary_switched+0x8c/0x94
Allocated by task 72 on cpu 0 at 27.510341s:
kasan_save_stack+0x2c/0x54
kasan_save_track+0x24/0x5c
kasan_save_alloc_info+0x40/0x54
__kasan_kmalloc+0xa0/0xb8
__kmalloc_node_track_caller_noprof+0x1c0/0x588
devm_kmalloc+0x7c/0x1c8
gaokun_ucsi_probe+0xa0/0x840 auxiliary_bus_probe+0x94/0xf8
really_probe+0x17c/0x5b8
__driver_probe_device+0x158/0x2c4
driver_probe_device+0x10c/0x264
__device_attach_driver+0x168/0x2d0
bus_for_each_drv+0x100/0x188
__device_attach+0x174/0x368
device_initial_probe+0x14/0x20
bus_probe_device+0x120/0x150
device_add+0xb3c/0x10fc
__auxiliary_device_add+0x88/0x130
...
Freed by task 73 on cpu 1 at 28.910627s:
kasan_save_stack+0x2c/0x54
kasan_save_track+0x24/0x5c
__kasan_save_free_info+0x4c/0x74
__kasan_slab_free+0x60/0x8c
kfree+0xd4/0x410
devres_release_all+0x140/0x1f0
device_unbind_cleanup+0x20/0x190
device_release_driver_internal+0x344/0x460
device_release_driver+0x18/0x24
bus_remove_device+0x198/0x274
device_del+0x310/0xa84
...
The buggy address belongs to the object at ffff00000ec28c00
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 200 bytes inside of
freed 512-byte region
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ec28
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)
page_type: f5(slab)
raw: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000
head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 03fffe0000000002 fffffdffc03b0a01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff00000ec28b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff00000ec28c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff00000ec28c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff00000ec28d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff00000ec28d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
================================================================
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
00327d7f2c8c512c9b168daae02c8b989f79ec71 , < d8ac85c76a4279979b917d4b2f9c6b07d9783003
(git)
Affected: 00327d7f2c8c512c9b168daae02c8b989f79ec71 , < a880ef71a1c8da266b88491213c37893e2126489 (git) Affected: 00327d7f2c8c512c9b168daae02c8b989f79ec71 , < 2b7a0f47aaf2439d517ba0a6b29c66a535302154 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d8ac85c76a4279979b917d4b2f9c6b07d9783003",
"status": "affected",
"version": "00327d7f2c8c512c9b168daae02c8b989f79ec71",
"versionType": "git"
},
{
"lessThan": "a880ef71a1c8da266b88491213c37893e2126489",
"status": "affected",
"version": "00327d7f2c8c512c9b168daae02c8b989f79ec71",
"versionType": "git"
},
{
"lessThan": "2b7a0f47aaf2439d517ba0a6b29c66a535302154",
"status": "affected",
"version": "00327d7f2c8c512c9b168daae02c8b989f79ec71",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/ucsi/ucsi_huawei_gaokun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: fix use-after-free caused by uec-\u003ework\n\nThe delayed work uec-\u003ework is scheduled in gaokun_ucsi_probe()\nbut never properly canceled in gaokun_ucsi_remove(). This creates\nuse-after-free scenarios where the ucsi and gaokun_ucsi structure\nare freed after ucsi_destroy() completes execution, while the\ngaokun_ucsi_register_worker() might be either currently executing\nor still pending in the work queue. The already-freed gaokun_ucsi\nor ucsi structure may then be accessed.\n\nFurthermore, the race window is 3 seconds, which is sufficiently\nlong to make this bug easily reproducible. The following is the\ntrace captured by KASAN:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in __run_timers+0x5ec/0x630\nWrite of size 8 at addr ffff00000ec28cc8 by task swapper/0/0\n...\nCall trace:\n show_stack+0x18/0x24 (C)\n dump_stack_lvl+0x78/0x90\n print_report+0x114/0x580\n kasan_report+0xa4/0xf0\n __asan_report_store8_noabort+0x20/0x2c\n __run_timers+0x5ec/0x630\n run_timer_softirq+0xe8/0x1cc\n handle_softirqs+0x294/0x720\n __do_softirq+0x14/0x20\n ____do_softirq+0x10/0x1c\n call_on_irq_stack+0x30/0x48\n do_softirq_own_stack+0x1c/0x28\n __irq_exit_rcu+0x27c/0x364\n irq_exit_rcu+0x10/0x1c\n el1_interrupt+0x40/0x60\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x6c/0x70\n arch_local_irq_enable+0x4/0x8 (P)\n do_idle+0x334/0x458\n cpu_startup_entry+0x60/0x70\n rest_init+0x158/0x174\n start_kernel+0x2f8/0x394\n __primary_switched+0x8c/0x94\n\nAllocated by task 72 on cpu 0 at 27.510341s:\n kasan_save_stack+0x2c/0x54\n kasan_save_track+0x24/0x5c\n kasan_save_alloc_info+0x40/0x54\n __kasan_kmalloc+0xa0/0xb8\n __kmalloc_node_track_caller_noprof+0x1c0/0x588\n devm_kmalloc+0x7c/0x1c8\n gaokun_ucsi_probe+0xa0/0x840 auxiliary_bus_probe+0x94/0xf8\n really_probe+0x17c/0x5b8\n __driver_probe_device+0x158/0x2c4\n driver_probe_device+0x10c/0x264\n __device_attach_driver+0x168/0x2d0\n bus_for_each_drv+0x100/0x188\n __device_attach+0x174/0x368\n device_initial_probe+0x14/0x20\n bus_probe_device+0x120/0x150\n device_add+0xb3c/0x10fc\n __auxiliary_device_add+0x88/0x130\n...\n\nFreed by task 73 on cpu 1 at 28.910627s:\n kasan_save_stack+0x2c/0x54\n kasan_save_track+0x24/0x5c\n __kasan_save_free_info+0x4c/0x74\n __kasan_slab_free+0x60/0x8c\n kfree+0xd4/0x410\n devres_release_all+0x140/0x1f0\n device_unbind_cleanup+0x20/0x190\n device_release_driver_internal+0x344/0x460\n device_release_driver+0x18/0x24\n bus_remove_device+0x198/0x274\n device_del+0x310/0xa84\n...\n\nThe buggy address belongs to the object at ffff00000ec28c00\n which belongs to the cache kmalloc-512 of size 512\nThe buggy address is located 200 bytes inside of\n freed 512-byte region\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ec28\nhead: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\nflags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff)\npage_type: f5(slab)\nraw: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000\nraw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000\nhead: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000\nhead: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000\nhead: 03fffe0000000002 fffffdffc03b0a01 00000000ffffffff 00000000ffffffff\nhead: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff00000ec28b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ffff00000ec28c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\u003effff00000ec28c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff00000ec28d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff00000ec28d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n================================================================\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T15:02:48.403Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d8ac85c76a4279979b917d4b2f9c6b07d9783003"
},
{
"url": "https://git.kernel.org/stable/c/a880ef71a1c8da266b88491213c37893e2126489"
},
{
"url": "https://git.kernel.org/stable/c/2b7a0f47aaf2439d517ba0a6b29c66a535302154"
}
],
"title": "usb: typec: ucsi: fix use-after-free caused by uec-\u003ework",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68323",
"datePublished": "2025-12-18T15:02:48.403Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2025-12-18T15:02:48.403Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68321 (GCVE-0-2025-68321)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:44 – Updated: 2025-12-16 15:44
VLAI?
Title
page_pool: always add GFP_NOWARN for ATOMIC allocations
Summary
In the Linux kernel, the following vulnerability has been resolved:
page_pool: always add GFP_NOWARN for ATOMIC allocations
Driver authors often forget to add GFP_NOWARN for page allocation
from the datapath. This is annoying to users as OOMs are a fact
of life, and we pretty much expect network Rx to hit page allocation
failures during OOM. Make page pool add GFP_NOWARN for ATOMIC allocations
by default.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0ec2cd5c58793d0c622797cd5fbe26634b357210
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9835a0fd59a1df5ec0740fdab6d50db68e0f10de (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7613c06ffa89c1e2266fb532e23ef7dfdf269d73 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3671a0775952026228ae44e096eb144bca75f8dc (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ab48dc0e23eb714b3f233f8e8f6deed7df2051f5 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f3b52167a0cb23b27414452fbc1278da2ee884fc (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/page_pool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0ec2cd5c58793d0c622797cd5fbe26634b357210",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9835a0fd59a1df5ec0740fdab6d50db68e0f10de",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7613c06ffa89c1e2266fb532e23ef7dfdf269d73",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3671a0775952026228ae44e096eb144bca75f8dc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ab48dc0e23eb714b3f233f8e8f6deed7df2051f5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f3b52167a0cb23b27414452fbc1278da2ee884fc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/page_pool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npage_pool: always add GFP_NOWARN for ATOMIC allocations\n\nDriver authors often forget to add GFP_NOWARN for page allocation\nfrom the datapath. This is annoying to users as OOMs are a fact\nof life, and we pretty much expect network Rx to hit page allocation\nfailures during OOM. Make page pool add GFP_NOWARN for ATOMIC allocations\nby default."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:44:19.066Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0ec2cd5c58793d0c622797cd5fbe26634b357210"
},
{
"url": "https://git.kernel.org/stable/c/9835a0fd59a1df5ec0740fdab6d50db68e0f10de"
},
{
"url": "https://git.kernel.org/stable/c/7613c06ffa89c1e2266fb532e23ef7dfdf269d73"
},
{
"url": "https://git.kernel.org/stable/c/3671a0775952026228ae44e096eb144bca75f8dc"
},
{
"url": "https://git.kernel.org/stable/c/ab48dc0e23eb714b3f233f8e8f6deed7df2051f5"
},
{
"url": "https://git.kernel.org/stable/c/f3b52167a0cb23b27414452fbc1278da2ee884fc"
}
],
"title": "page_pool: always add GFP_NOWARN for ATOMIC allocations",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68321",
"datePublished": "2025-12-16T15:44:19.066Z",
"dateReserved": "2025-12-16T14:48:05.295Z",
"dateUpdated": "2025-12-16T15:44:19.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68322 (GCVE-0-2025-68322)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:44 – Updated: 2025-12-16 15:44
VLAI?
Title
parisc: Avoid crash due to unaligned access in unwinder
Summary
In the Linux kernel, the following vulnerability has been resolved:
parisc: Avoid crash due to unaligned access in unwinder
Guenter Roeck reported this kernel crash on his emulated B160L machine:
Starting network: udhcpc: started, v1.36.1
Backtrace:
[<104320d4>] unwind_once+0x1c/0x5c
[<10434a00>] walk_stackframe.isra.0+0x74/0xb8
[<10434a6c>] arch_stack_walk+0x28/0x38
[<104e5efc>] stack_trace_save+0x48/0x5c
[<105d1bdc>] set_track_prepare+0x44/0x6c
[<105d9c80>] ___slab_alloc+0xfc4/0x1024
[<105d9d38>] __slab_alloc.isra.0+0x58/0x90
[<105dc80c>] kmem_cache_alloc_noprof+0x2ac/0x4a0
[<105b8e54>] __anon_vma_prepare+0x60/0x280
[<105a823c>] __vmf_anon_prepare+0x68/0x94
[<105a8b34>] do_wp_page+0x8cc/0xf10
[<105aad88>] handle_mm_fault+0x6c0/0xf08
[<10425568>] do_page_fault+0x110/0x440
[<10427938>] handle_interruption+0x184/0x748
[<11178398>] schedule+0x4c/0x190
BUG: spinlock recursion on CPU#0, ifconfig/2420
lock: terminate_lock.2+0x0/0x1c, .magic: dead4ead, .owner: ifconfig/2420, .owner_cpu: 0
While creating the stack trace, the unwinder uses the stack pointer to guess
the previous frame to read the previous stack pointer from memory. The crash
happens, because the unwinder tries to read from unaligned memory and as such
triggers the unalignment trap handler which then leads to the spinlock
recursion and finally to a deadlock.
Fix it by checking the alignment before accessing the memory.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9ac1f44723f26881b9fe7e69c7bc25397b879155
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 009270208f76456c2cefcd565da263b90bb2eadb (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fd9f30d1038ee1624baa17a6ff11effe5f7617cb (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/parisc/kernel/unwind.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9ac1f44723f26881b9fe7e69c7bc25397b879155",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "009270208f76456c2cefcd565da263b90bb2eadb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fd9f30d1038ee1624baa17a6ff11effe5f7617cb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/parisc/kernel/unwind.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Avoid crash due to unaligned access in unwinder\n\nGuenter Roeck reported this kernel crash on his emulated B160L machine:\n\nStarting network: udhcpc: started, v1.36.1\n Backtrace:\n [\u003c104320d4\u003e] unwind_once+0x1c/0x5c\n [\u003c10434a00\u003e] walk_stackframe.isra.0+0x74/0xb8\n [\u003c10434a6c\u003e] arch_stack_walk+0x28/0x38\n [\u003c104e5efc\u003e] stack_trace_save+0x48/0x5c\n [\u003c105d1bdc\u003e] set_track_prepare+0x44/0x6c\n [\u003c105d9c80\u003e] ___slab_alloc+0xfc4/0x1024\n [\u003c105d9d38\u003e] __slab_alloc.isra.0+0x58/0x90\n [\u003c105dc80c\u003e] kmem_cache_alloc_noprof+0x2ac/0x4a0\n [\u003c105b8e54\u003e] __anon_vma_prepare+0x60/0x280\n [\u003c105a823c\u003e] __vmf_anon_prepare+0x68/0x94\n [\u003c105a8b34\u003e] do_wp_page+0x8cc/0xf10\n [\u003c105aad88\u003e] handle_mm_fault+0x6c0/0xf08\n [\u003c10425568\u003e] do_page_fault+0x110/0x440\n [\u003c10427938\u003e] handle_interruption+0x184/0x748\n [\u003c11178398\u003e] schedule+0x4c/0x190\n BUG: spinlock recursion on CPU#0, ifconfig/2420\n lock: terminate_lock.2+0x0/0x1c, .magic: dead4ead, .owner: ifconfig/2420, .owner_cpu: 0\n\nWhile creating the stack trace, the unwinder uses the stack pointer to guess\nthe previous frame to read the previous stack pointer from memory. The crash\nhappens, because the unwinder tries to read from unaligned memory and as such\ntriggers the unalignment trap handler which then leads to the spinlock\nrecursion and finally to a deadlock.\n\nFix it by checking the alignment before accessing the memory."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:44:19.850Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9ac1f44723f26881b9fe7e69c7bc25397b879155"
},
{
"url": "https://git.kernel.org/stable/c/009270208f76456c2cefcd565da263b90bb2eadb"
},
{
"url": "https://git.kernel.org/stable/c/fd9f30d1038ee1624baa17a6ff11effe5f7617cb"
}
],
"title": "parisc: Avoid crash due to unaligned access in unwinder",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68322",
"datePublished": "2025-12-16T15:44:19.850Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2025-12-16T15:44:19.850Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68320 (GCVE-0-2025-68320)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:44 – Updated: 2025-12-16 15:44
VLAI?
Title
lan966x: Fix sleeping in atomic context
Summary
In the Linux kernel, the following vulnerability has been resolved:
lan966x: Fix sleeping in atomic context
The following warning was seen when we try to connect using ssh to the device.
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:575
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbear
preempt_count: 1, expected: 0
INFO: lockdep is turned off.
CPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G W 6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONE
Tainted: [W]=WARN
Hardware name: Generic DT based system
Call trace:
unwind_backtrace from show_stack+0x10/0x14
show_stack from dump_stack_lvl+0x7c/0xac
dump_stack_lvl from __might_resched+0x16c/0x2b0
__might_resched from __mutex_lock+0x64/0xd34
__mutex_lock from mutex_lock_nested+0x1c/0x24
mutex_lock_nested from lan966x_stats_get+0x5c/0x558
lan966x_stats_get from dev_get_stats+0x40/0x43c
dev_get_stats from dev_seq_printf_stats+0x3c/0x184
dev_seq_printf_stats from dev_seq_show+0x10/0x30
dev_seq_show from seq_read_iter+0x350/0x4ec
seq_read_iter from seq_read+0xfc/0x194
seq_read from proc_reg_read+0xac/0x100
proc_reg_read from vfs_read+0xb0/0x2b0
vfs_read from ksys_read+0x6c/0xec
ksys_read from ret_fast_syscall+0x0/0x1c
Exception stack(0xf0b11fa8 to 0xf0b11ff0)
1fa0: 00000001 00001000 00000008 be9048d8 00001000 00000001
1fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 00000001
1fe0: 0005404c be9048c0 00018684 b6ec2cd8
It seems that we are using a mutex in a atomic context which is wrong.
Change the mutex with a spinlock.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
12c2d0a5b8e2a1afc8c7738e19a0d1dd7f3d4007 , < 5a5d2f7727752b64d13263eacd9f8d08a322e662
(git)
Affected: 12c2d0a5b8e2a1afc8c7738e19a0d1dd7f3d4007 , < c8ab03aa5bd9fd8bfe5d9552d8605826759fdd4d (git) Affected: 12c2d0a5b8e2a1afc8c7738e19a0d1dd7f3d4007 , < 3ac743c60ec502163c435712d527eeced8d83348 (git) Affected: 12c2d0a5b8e2a1afc8c7738e19a0d1dd7f3d4007 , < 0216721ce71252f60d89af49c8dff613358058d3 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/microchip/lan966x/lan966x_ethtool.c",
"drivers/net/ethernet/microchip/lan966x/lan966x_main.c",
"drivers/net/ethernet/microchip/lan966x/lan966x_main.h",
"drivers/net/ethernet/microchip/lan966x/lan966x_vcap_impl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5a5d2f7727752b64d13263eacd9f8d08a322e662",
"status": "affected",
"version": "12c2d0a5b8e2a1afc8c7738e19a0d1dd7f3d4007",
"versionType": "git"
},
{
"lessThan": "c8ab03aa5bd9fd8bfe5d9552d8605826759fdd4d",
"status": "affected",
"version": "12c2d0a5b8e2a1afc8c7738e19a0d1dd7f3d4007",
"versionType": "git"
},
{
"lessThan": "3ac743c60ec502163c435712d527eeced8d83348",
"status": "affected",
"version": "12c2d0a5b8e2a1afc8c7738e19a0d1dd7f3d4007",
"versionType": "git"
},
{
"lessThan": "0216721ce71252f60d89af49c8dff613358058d3",
"status": "affected",
"version": "12c2d0a5b8e2a1afc8c7738e19a0d1dd7f3d4007",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/microchip/lan966x/lan966x_ethtool.c",
"drivers/net/ethernet/microchip/lan966x/lan966x_main.c",
"drivers/net/ethernet/microchip/lan966x/lan966x_main.h",
"drivers/net/ethernet/microchip/lan966x/lan966x_vcap_impl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlan966x: Fix sleeping in atomic context\n\nThe following warning was seen when we try to connect using ssh to the device.\n\nBUG: sleeping function called from invalid context at kernel/locking/mutex.c:575\nin_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbear\npreempt_count: 1, expected: 0\nINFO: lockdep is turned off.\nCPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G W 6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONE\nTainted: [W]=WARN\nHardware name: Generic DT based system\nCall trace:\n unwind_backtrace from show_stack+0x10/0x14\n show_stack from dump_stack_lvl+0x7c/0xac\n dump_stack_lvl from __might_resched+0x16c/0x2b0\n __might_resched from __mutex_lock+0x64/0xd34\n __mutex_lock from mutex_lock_nested+0x1c/0x24\n mutex_lock_nested from lan966x_stats_get+0x5c/0x558\n lan966x_stats_get from dev_get_stats+0x40/0x43c\n dev_get_stats from dev_seq_printf_stats+0x3c/0x184\n dev_seq_printf_stats from dev_seq_show+0x10/0x30\n dev_seq_show from seq_read_iter+0x350/0x4ec\n seq_read_iter from seq_read+0xfc/0x194\n seq_read from proc_reg_read+0xac/0x100\n proc_reg_read from vfs_read+0xb0/0x2b0\n vfs_read from ksys_read+0x6c/0xec\n ksys_read from ret_fast_syscall+0x0/0x1c\nException stack(0xf0b11fa8 to 0xf0b11ff0)\n1fa0: 00000001 00001000 00000008 be9048d8 00001000 00000001\n1fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 00000001\n1fe0: 0005404c be9048c0 00018684 b6ec2cd8\n\nIt seems that we are using a mutex in a atomic context which is wrong.\nChange the mutex with a spinlock."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:44:18.217Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a5d2f7727752b64d13263eacd9f8d08a322e662"
},
{
"url": "https://git.kernel.org/stable/c/c8ab03aa5bd9fd8bfe5d9552d8605826759fdd4d"
},
{
"url": "https://git.kernel.org/stable/c/3ac743c60ec502163c435712d527eeced8d83348"
},
{
"url": "https://git.kernel.org/stable/c/0216721ce71252f60d89af49c8dff613358058d3"
}
],
"title": "lan966x: Fix sleeping in atomic context",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68320",
"datePublished": "2025-12-16T15:44:18.217Z",
"dateReserved": "2025-12-16T14:48:05.295Z",
"dateUpdated": "2025-12-16T15:44:18.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68319 (GCVE-0-2025-68319)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:39 – Updated: 2025-12-16 15:39
VLAI?
Title
netconsole: Acquire su_mutex before navigating configs hierarchy
Summary
In the Linux kernel, the following vulnerability has been resolved:
netconsole: Acquire su_mutex before navigating configs hierarchy
There is a race between operations that iterate over the userdata
cg_children list and concurrent add/remove of userdata items through
configfs. The update_userdata() function iterates over the
nt->userdata_group.cg_children list, and count_extradata_entries() also
iterates over this same list to count nodes.
Quoting from Documentation/filesystems/configfs.rst:
> A subsystem can navigate the cg_children list and the ci_parent pointer
> to see the tree created by the subsystem. This can race with configfs'
> management of the hierarchy, so configfs uses the subsystem mutex to
> protect modifications. Whenever a subsystem wants to navigate the
> hierarchy, it must do so under the protection of the subsystem
> mutex.
Without proper locking, if a userdata item is added or removed
concurrently while these functions are iterating, the list can be
accessed in an inconsistent state. For example, the list_for_each() loop
can reach a node that is being removed from the list by list_del_init()
which sets the nodes' .next pointer to point to itself, so the loop will
never end (or reach the WARN_ON_ONCE in update_userdata() ).
Fix this by holding the configfs subsystem mutex (su_mutex) during all
operations that iterate over cg_children.
This includes:
- userdatum_value_store() which calls update_userdata() to iterate over
cg_children
- All sysdata_*_enabled_store() functions which call
count_extradata_entries() to iterate over cg_children
The su_mutex must be acquired before dynamic_netconsole_mutex to avoid
potential lock ordering issues, as configfs operations may already hold
su_mutex when calling into our code.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/netconsole.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ff70aa7e8cf05745fdba7258952a8bedf33ea336",
"status": "affected",
"version": "df03f830d099f0811281a222aefdd9d400fa0b72",
"versionType": "git"
},
{
"lessThan": "d7d2fcf7ae31471b4e08b7e448b8fd0ec2e06a1b",
"status": "affected",
"version": "df03f830d099f0811281a222aefdd9d400fa0b72",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/netconsole.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetconsole: Acquire su_mutex before navigating configs hierarchy\n\nThere is a race between operations that iterate over the userdata\ncg_children list and concurrent add/remove of userdata items through\nconfigfs. The update_userdata() function iterates over the\nnt-\u003euserdata_group.cg_children list, and count_extradata_entries() also\niterates over this same list to count nodes.\n\nQuoting from Documentation/filesystems/configfs.rst:\n\u003e A subsystem can navigate the cg_children list and the ci_parent pointer\n\u003e to see the tree created by the subsystem. This can race with configfs\u0027\n\u003e management of the hierarchy, so configfs uses the subsystem mutex to\n\u003e protect modifications. Whenever a subsystem wants to navigate the\n\u003e hierarchy, it must do so under the protection of the subsystem\n\u003e mutex.\n\nWithout proper locking, if a userdata item is added or removed\nconcurrently while these functions are iterating, the list can be\naccessed in an inconsistent state. For example, the list_for_each() loop\ncan reach a node that is being removed from the list by list_del_init()\nwhich sets the nodes\u0027 .next pointer to point to itself, so the loop will\nnever end (or reach the WARN_ON_ONCE in update_userdata() ).\n\nFix this by holding the configfs subsystem mutex (su_mutex) during all\noperations that iterate over cg_children.\nThis includes:\n- userdatum_value_store() which calls update_userdata() to iterate over\n cg_children\n- All sysdata_*_enabled_store() functions which call\n count_extradata_entries() to iterate over cg_children\n\nThe su_mutex must be acquired before dynamic_netconsole_mutex to avoid\npotential lock ordering issues, as configfs operations may already hold\nsu_mutex when calling into our code."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:39:48.903Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ff70aa7e8cf05745fdba7258952a8bedf33ea336"
},
{
"url": "https://git.kernel.org/stable/c/d7d2fcf7ae31471b4e08b7e448b8fd0ec2e06a1b"
}
],
"title": "netconsole: Acquire su_mutex before navigating configs hierarchy",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68319",
"datePublished": "2025-12-16T15:39:48.903Z",
"dateReserved": "2025-12-16T14:48:05.295Z",
"dateUpdated": "2025-12-16T15:39:48.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68317 (GCVE-0-2025-68317)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:39 – Updated: 2025-12-16 15:39
VLAI?
Title
io_uring/zctx: check chained notif contexts
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/zctx: check chained notif contexts
Send zc only links ubuf_info for requests coming from the same context.
There are some ambiguous syz reports, so let's check the assumption on
notification completion.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < aaafd17d3f4be2c15539359a5b4bfa00237f687f
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d664a3ce3a604231a0b144c152a3755d03b18b60 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ab3ea6eac5f45669b091309f592c4ea324003053 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/notif.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aaafd17d3f4be2c15539359a5b4bfa00237f687f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d664a3ce3a604231a0b144c152a3755d03b18b60",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ab3ea6eac5f45669b091309f592c4ea324003053",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/notif.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/zctx: check chained notif contexts\n\nSend zc only links ubuf_info for requests coming from the same context.\nThere are some ambiguous syz reports, so let\u0027s check the assumption on\nnotification completion."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:39:47.159Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aaafd17d3f4be2c15539359a5b4bfa00237f687f"
},
{
"url": "https://git.kernel.org/stable/c/d664a3ce3a604231a0b144c152a3755d03b18b60"
},
{
"url": "https://git.kernel.org/stable/c/ab3ea6eac5f45669b091309f592c4ea324003053"
}
],
"title": "io_uring/zctx: check chained notif contexts",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68317",
"datePublished": "2025-12-16T15:39:47.159Z",
"dateReserved": "2025-12-16T14:48:05.295Z",
"dateUpdated": "2025-12-16T15:39:47.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68318 (GCVE-0-2025-68318)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:39 – Updated: 2025-12-16 15:39
VLAI?
Title
clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL
The AXI crossbar of TH1520 has no proper timeout handling, which means
gating AXI clocks can easily lead to bus timeout and thus system hang.
Set all AXI clock gates to CLK_IS_CRITICAL. All these clock gates are
ungated by default on system reset.
In addition, convert all current CLK_IGNORE_UNUSED usage to
CLK_IS_CRITICAL to prevent unwanted clock gating.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/thead/clk-th1520-ap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bdec5e01fc2f3114d1fb1daeb1000911d783c4ae",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c567bc5fc68c4388c00e11fc65fd14fe86b52070",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/thead/clk-th1520-ap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL\n\nThe AXI crossbar of TH1520 has no proper timeout handling, which means\ngating AXI clocks can easily lead to bus timeout and thus system hang.\n\nSet all AXI clock gates to CLK_IS_CRITICAL. All these clock gates are\nungated by default on system reset.\n\nIn addition, convert all current CLK_IGNORE_UNUSED usage to\nCLK_IS_CRITICAL to prevent unwanted clock gating."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:39:47.965Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bdec5e01fc2f3114d1fb1daeb1000911d783c4ae"
},
{
"url": "https://git.kernel.org/stable/c/c567bc5fc68c4388c00e11fc65fd14fe86b52070"
}
],
"title": "clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68318",
"datePublished": "2025-12-16T15:39:47.965Z",
"dateReserved": "2025-12-16T14:48:05.295Z",
"dateUpdated": "2025-12-16T15:39:47.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68316 (GCVE-0-2025-68316)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:39 – Updated: 2025-12-16 15:39
VLAI?
Title
scsi: ufs: core: Fix invalid probe error return value
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: core: Fix invalid probe error return value
After DME Link Startup, the error return value is set to the MIPI UniPro
GenericErrorCode which can be 0 (SUCCESS) or 1 (FAILURE). Upon failure
during driver probe, the error code 1 is propagated back to the driver
probe function which must return a negative value to indicate an error,
but 1 is not negative, so the probe is considered to be successful even
though it failed. Subsequently, removing the driver results in an oops
because it is not in a valid state.
This happens because none of the callers of ufshcd_init() expect a
non-negative error code.
Fix the return value and documentation to match actual usage.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/ufs/core/ufshcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "df96dbe1af7f6591c09f862f1226d3619b07e1b6",
"status": "affected",
"version": "69f5eb78d4b0cc978fe83dd2bfea1b67547290bf",
"versionType": "git"
},
{
"lessThan": "a2b32bc1d9e359a9f90d0de6af16699facb10935",
"status": "affected",
"version": "69f5eb78d4b0cc978fe83dd2bfea1b67547290bf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/ufs/core/ufshcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix invalid probe error return value\n\nAfter DME Link Startup, the error return value is set to the MIPI UniPro\nGenericErrorCode which can be 0 (SUCCESS) or 1 (FAILURE). Upon failure\nduring driver probe, the error code 1 is propagated back to the driver\nprobe function which must return a negative value to indicate an error,\nbut 1 is not negative, so the probe is considered to be successful even\nthough it failed. Subsequently, removing the driver results in an oops\nbecause it is not in a valid state.\n\nThis happens because none of the callers of ufshcd_init() expect a\nnon-negative error code.\n\nFix the return value and documentation to match actual usage."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:39:46.434Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/df96dbe1af7f6591c09f862f1226d3619b07e1b6"
},
{
"url": "https://git.kernel.org/stable/c/a2b32bc1d9e359a9f90d0de6af16699facb10935"
}
],
"title": "scsi: ufs: core: Fix invalid probe error return value",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68316",
"datePublished": "2025-12-16T15:39:46.434Z",
"dateReserved": "2025-12-16T14:48:05.295Z",
"dateUpdated": "2025-12-16T15:39:46.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68315 (GCVE-0-2025-68315)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:39 – Updated: 2025-12-20 08:52
VLAI?
Title
f2fs: fix to detect potential corrupted nid in free_nid_list
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to detect potential corrupted nid in free_nid_list
As reported, on-disk footer.ino and footer.nid is the same and
out-of-range, let's add sanity check on f2fs_alloc_nid() to detect
any potential corruption in free_nid_list.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 6b9525596a83cd5b7bbc2c7bd5f9ad9cf5ad60fa
(git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < adbcb34f03abb89e681a5907c4c3ce4bf224991d (git) Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 8fc6056dcf79937c46c97fa4996cda65956437a9 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/node.c",
"include/linux/f2fs_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6b9525596a83cd5b7bbc2c7bd5f9ad9cf5ad60fa",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
},
{
"lessThan": "adbcb34f03abb89e681a5907c4c3ce4bf224991d",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
},
{
"lessThan": "8fc6056dcf79937c46c97fa4996cda65956437a9",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/node.c",
"include/linux/f2fs_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to detect potential corrupted nid in free_nid_list\n\nAs reported, on-disk footer.ino and footer.nid is the same and\nout-of-range, let\u0027s add sanity check on f2fs_alloc_nid() to detect\nany potential corruption in free_nid_list."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:21.439Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6b9525596a83cd5b7bbc2c7bd5f9ad9cf5ad60fa"
},
{
"url": "https://git.kernel.org/stable/c/adbcb34f03abb89e681a5907c4c3ce4bf224991d"
},
{
"url": "https://git.kernel.org/stable/c/8fc6056dcf79937c46c97fa4996cda65956437a9"
}
],
"title": "f2fs: fix to detect potential corrupted nid in free_nid_list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68315",
"datePublished": "2025-12-16T15:39:45.716Z",
"dateReserved": "2025-12-16T14:48:05.295Z",
"dateUpdated": "2025-12-20T08:52:21.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68314 (GCVE-0-2025-68314)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:39 – Updated: 2025-12-16 15:39
VLAI?
Title
drm/msm: make sure last_fence is always updated
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm: make sure last_fence is always updated
Update last_fence in the vm-bind path instead of kernel managed path.
last_fence is used to wait for work to finish in vm_bind contexts but not
used for kernel managed contexts.
This fixes a bug where last_fence is not waited on context close leading
to faults as resources are freed while in use.
Patchwork: https://patchwork.freedesktop.org/patch/680080/
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_gem_submit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8ee817ceafba266d9c6f3a09babd2ac7441d9a2b",
"status": "affected",
"version": "92395af63a9958615edfa9d4ef1ea72c92a00410",
"versionType": "git"
},
{
"lessThan": "86404a9e3013d814a772ac407573be5d3cd4ee0d",
"status": "affected",
"version": "92395af63a9958615edfa9d4ef1ea72c92a00410",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_gem_submit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: make sure last_fence is always updated\n\nUpdate last_fence in the vm-bind path instead of kernel managed path.\n\nlast_fence is used to wait for work to finish in vm_bind contexts but not\nused for kernel managed contexts.\n\nThis fixes a bug where last_fence is not waited on context close leading\nto faults as resources are freed while in use.\n\nPatchwork: https://patchwork.freedesktop.org/patch/680080/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:39:44.791Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8ee817ceafba266d9c6f3a09babd2ac7441d9a2b"
},
{
"url": "https://git.kernel.org/stable/c/86404a9e3013d814a772ac407573be5d3cd4ee0d"
}
],
"title": "drm/msm: make sure last_fence is always updated",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68314",
"datePublished": "2025-12-16T15:39:44.791Z",
"dateReserved": "2025-12-16T14:48:05.295Z",
"dateUpdated": "2025-12-16T15:39:44.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}