Security Vulnerabilities
In the Linux kernel, the following vulnerability has been resolved:
Revert "drm/gem-dma: Use dma_buf from GEM object instance"
This reverts commit e8afa1557f4f963c9a511bd2c6074a941c308685.
The dma_buf field in struct drm_gem_object is not stable over the
object instance's lifetime. The field becomes NULL when user space
releases the final GEM handle on the buffer object. This resulted
in a NULL-pointer deref.
Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on
GEM handles for framebuffers") and commit f6bfc9afc751 ("drm/framebuffer:
Acquire internal references on GEM handles") only solved the problem
partially. They especially don't work for buffer objects without a DRM
framebuffer associated.
Hence, this revert to going back to using .import_attach->dmabuf.
v3:
- cc stable
CVSS Score
5.5
EPSS Score
0.0
Published
2025-08-22
In the Linux kernel, the following vulnerability has been resolved:
Revert "drm/gem-framebuffer: Use dma_buf from GEM object instance"
This reverts commit cce16fcd7446dcff7480cd9d2b6417075ed81065.
The dma_buf field in struct drm_gem_object is not stable over the
object instance's lifetime. The field becomes NULL when user space
releases the final GEM handle on the buffer object. This resulted
in a NULL-pointer deref.
Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on
GEM handles for framebuffers") and commit f6bfc9afc751 ("drm/framebuffer:
Acquire internal references on GEM handles") only solved the problem
partially. They especially don't work for buffer objects without a DRM
framebuffer associated.
Hence, this revert to going back to using .import_attach->dmabuf.
v3:
- cc stable
CVSS Score
5.5
EPSS Score
0.0
Published
2025-08-22
In the Linux kernel, the following vulnerability has been resolved:
gfs2: No more self recovery
When a node withdraws and it turns out that it is the only node that has
the filesystem mounted, gfs2 currently tries to replay the local journal
to bring the filesystem back into a consistent state. Not only is that
a very bad idea, it has also never worked because gfs2_recover_func()
will refuse to do anything during a withdraw.
However, before even getting to this point, gfs2_recover_func()
dereferences sdp->sd_jdesc->jd_inode. This was a use-after-free before
commit 04133b607a78 ("gfs2: Prevent double iput for journal on error")
and is a NULL pointer dereference since then.
Simply get rid of self recovery to fix that.
CVSS Score
5.5
EPSS Score
0.0
Published
2025-08-22
In the Linux kernel, the following vulnerability has been resolved:
[ceph] parse_longname(): strrchr() expects NUL-terminated string
... and parse_longname() is not guaranteed that. That's the reason
why it uses kmemdup_nul() to build the argument for kstrtou64();
the problem is, kstrtou64() is not the only thing that need it.
Just get a NUL-terminated copy of the entire thing and be done
with that...
CVSS Score
5.5
EPSS Score
0.0
Published
2025-08-22
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: alienware-wmi-wmax: Fix `dmi_system_id` array
Add missing empty member to `awcc_dmi_table`.
CVSS Score
5.5
EPSS Score
0.0
Published
2025-08-22
In the Linux kernel, the following vulnerability has been resolved:
ASoC: mediatek: mt8365-dai-i2s: pass correct size to mt8365_dai_set_priv
Given mt8365_dai_set_priv allocate priv_size space to copy priv_data which
means we should pass mt8365_i2s_priv[i] or "struct mtk_afe_i2s_priv"
instead of afe_priv which has the size of "struct mt8365_afe_private".
Otherwise the KASAN complains about.
[ 59.389765] BUG: KASAN: global-out-of-bounds in mt8365_dai_set_priv+0xc8/0x168 [snd_soc_mt8365_pcm]
...
[ 59.394789] Call trace:
[ 59.395167] dump_backtrace+0xa0/0x128
[ 59.395733] show_stack+0x20/0x38
[ 59.396238] dump_stack_lvl+0xe8/0x148
[ 59.396806] print_report+0x37c/0x5e0
[ 59.397358] kasan_report+0xac/0xf8
[ 59.397885] kasan_check_range+0xe8/0x190
[ 59.398485] asan_memcpy+0x3c/0x98
[ 59.399022] mt8365_dai_set_priv+0xc8/0x168 [snd_soc_mt8365_pcm]
[ 59.399928] mt8365_dai_i2s_register+0x1e8/0x2b0 [snd_soc_mt8365_pcm]
[ 59.400893] mt8365_afe_pcm_dev_probe+0x4d0/0xdf0 [snd_soc_mt8365_pcm]
[ 59.401873] platform_probe+0xcc/0x228
[ 59.402442] really_probe+0x340/0x9e8
[ 59.402992] driver_probe_device+0x16c/0x3f8
[ 59.403638] driver_probe_device+0x64/0x1d8
[ 59.404256] driver_attach+0x1dc/0x4c8
[ 59.404840] bus_for_each_dev+0x100/0x190
[ 59.405442] driver_attach+0x44/0x68
[ 59.405980] bus_add_driver+0x23c/0x500
[ 59.406550] driver_register+0xf8/0x3d0
[ 59.407122] platform_driver_register+0x68/0x98
[ 59.407810] mt8365_afe_pcm_driver_init+0x2c/0xff8 [snd_soc_mt8365_pcm]
CVSS Score
7.8
EPSS Score
0.0
Published
2025-08-22
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: canaan: k230: Fix order of DT parse and pinctrl register
Move DT parse before pinctrl register. This ensures that device tree
parsing is done before calling devm_pinctrl_register() to prevent using
uninitialized pin resources.
CVSS Score
5.5
EPSS Score
0.0
Published
2025-08-22
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: canaan: k230: add NULL check in DT parse
Add a NULL check for the return value of of_get_property() when
retrieving the "pinmux" property in the group parser. This avoids
a potential NULL pointer dereference if the property is missing
from the device tree node.
Also fix a typo ("sintenel") in the device ID match table comment,
correcting it to "sentinel".
CVSS Score
5.5
EPSS Score
0.0
Published
2025-08-22
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: Fix error code in iwl_op_mode_dvm_start()
Preserve the error code if iwl_setup_deferred_work() fails. The current
code returns ERR_PTR(0) (which is NULL) on this path. I believe the
missing error code potentially leads to a use after free involving
debugfs.
CVSS Score
7.8
EPSS Score
0.0
Published
2025-08-22
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw89: mcc: prevent shift wrapping in rtw89_core_mlsr_switch()
The "link_id" value comes from the user via debugfs. If it's larger
than BITS_PER_LONG then that would result in shift wrapping and
potentially an out of bounds access later. In fact, we can limit it
to IEEE80211_MLD_MAX_NUM_LINKS (15).
Fortunately, only root can write to debugfs files so the security
impact is minimal.
CVSS Score
7.1
EPSS Score
0.0
Published
2025-08-22