CVE-2025-38389 drm/i915/gt: Fix timeline left held on VMA alloc error

In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Fix timeline left held on VMA alloc error The following error has been reported sporadically by CI when a testunbinds the i915 driver on a ring submission platform: [239.330153] ------------[ cut here ]------------ [2...

CVE-2025-38390 firmware: arm_ffa: Fix memory leak by freeing notifier callback node

In the Linux kernel, the following vulnerability has been resolved: firmware: arm_ffa: Fix memory leak by freeing notifier callback node Commit e0573444edbf ("firmware: arm_ffa: Add interfaces to requestnotification callbacks") adds support for notifier callbacks by allocatingand inserting a callba...

CVE-2025-38392 idpf: convert control queue mutex to a spinlock

In the Linux kernel, the following vulnerability has been resolved: idpf: convert control queue mutex to a spinlock With VIRTCHNL2_CAP_MACFILTER enabled, the following warning is generatedon module load: [ 324.701677] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:578[...

CVE-2025-38394 HID: appletb-kbd: fix memory corruption of input_handler_list

In the Linux kernel, the following vulnerability has been resolved: HID: appletb-kbd: fix memory corruption of input_handler_list In appletb_kbd_probe an input handler is initialised and then registeredwith input core through input_register_handler(). When this happens inputcore will add the input ...

CVE-2025-38395 regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods

In the Linux kernel, the following vulnerability has been resolved: regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods drvdata::gpiods is supposed to hold an array of 'gpio_desc' pointers. Butthe memory is allocated for only one pointer. This will lead toout-of-bounds access later in ...

CVE-2025-38397 nvme-multipath: fix suspicious RCU usage warning

In the Linux kernel, the following vulnerability has been resolved: nvme-multipath: fix suspicious RCU usage warning When I run the NVME over TCP test in virtme-ng, I get the following"suspicious RCU usage" warning in nvme_mpath_add_sysfs_link(): '''[ 5.024557][ T44] nvmet: Created nvm controller 1...

CVE-2025-38399 scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port()

In the Linux kernel, the following vulnerability has been resolved: scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() The function core_scsi3_decode_spec_i_port(), in its error code path,unconditionally calls core_scsi3_lunacl_undepend_item() passing thedest_se_deve poin...

CVE-2025-38400 nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails.

In the Linux kernel, the following vulnerability has been resolved: nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails. syzbot reported a warning below [1] following a fault injection innfs_fs_proc_net_init(). [0] When nfs_fs_proc_net_init() fails, /proc/net/rpc/nfs is not removed. L...

CVE-2025-38401 mtk-sd: Prevent memory corruption from DMA map failure

In the Linux kernel, the following vulnerability has been resolved: mtk-sd: Prevent memory corruption from DMA map failure If msdc_prepare_data() fails to map the DMA region, the request isnot prepared for data receiving, but msdc_start_data() proceedsthe DMA with previous setting.Since this will l...

CVE-2025-38402 idpf: return 0 size for RSS key if not supported

In the Linux kernel, the following vulnerability has been resolved: idpf: return 0 size for RSS key if not supported Returning -EOPNOTSUPP from function returning u32 is leading tocast and invalid size value as a result. -EOPNOTSUPP as a size probably will lead to allocation fail. Command: ethtool ...

CVE-2025-38404 usb: typec: displayport: Fix potential deadlock

In the Linux kernel, the following vulnerability has been resolved: usb: typec: displayport: Fix potential deadlock The deadlock can occur due to a recursive lock acquisition ofcros_typec_altmode_data::mutex.The call chain is as follows: cros_typec_altmode_work() acquires the mutex typec_altmode_vd...

CVE-2025-38405 nvmet: fix memory leak of bio integrity

In the Linux kernel, the following vulnerability has been resolved: nvmet: fix memory leak of bio integrity If nvmet receives commands with metadata there is a continuous memoryleak of kmalloc-128 slab or more precisely bio->bi_integrity. Since commit bf4c89fc8797 ("block: don't call bio_uninit ...

CVE-2025-38407 riscv: cpu_ops_sbi: Use static array for boot_data

In the Linux kernel, the following vulnerability has been resolved: riscv: cpu_ops_sbi: Use static array for boot_data Since commit 6b9f29b81b15 ("riscv: Enable pcpu page first chunkallocator"), if NUMA is enabled, the page percpu allocator may be usedon very sparse configurations, or when requeste...

CVE-2025-38411 netfs: Fix double put of request

In the Linux kernel, the following vulnerability has been resolved: netfs: Fix double put of request If a netfs request finishes during the pause loop, it will have the refthat belongs to the IN_PROGRESS flag removed at that point - however, if itthen goes to the final wait loop, that will also put...

CVE-2025-38413 virtio-net: xsk: rx: fix the frame's length check

In the Linux kernel, the following vulnerability has been resolved: virtio-net: xsk: rx: fix the frame's length check When calling buf_to_xdp, the len argument is the frame data's lengthwithout virtio header's length (vi->hdr_len). We check that len with xsk_pool_get_rx_frame_size() + vi->hdr...

CVE-2025-38414 wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850 GCC_GCC_PCIE_HOT_RST is wrongly defined for WCN7850, causing kernel crashon some specific platforms. Since this register is divergent for WCN7850 and QCN9274, move it to...

CVE-2025-38416 NFC: nci: uart: Set tty->disc_data only in success path

In the Linux kernel, the following vulnerability has been resolved: NFC: nci: uart: Set tty->disc_data only in success path Setting tty->disc_data before opening the NCI device means we need toclean it up on error paths. This also opens some short window if devicestarts sending data, even bef...

CVE-2025-38417 ice: fix eswitch code memory leak in reset scenario

In the Linux kernel, the following vulnerability has been resolved: ice: fix eswitch code memory leak in reset scenario Add simple eswitch mode checker in attaching VF procedure and allocaterequired port representor memory structures only in switchdev mode.The reset flows triggers VF (if present) d...

CVE-2025-38418 remoteproc: core: Release rproc->clean_table after rproc_attach() fails

In the Linux kernel, the following vulnerability has been resolved: remoteproc: core: Release rproc->clean_table after rproc_attach() fails When rproc->state = RPROC_DETACHED is attached to remote processorthrough rproc_attach(), if rproc_handle_resources() returns failure,then the clean tabl...

CVE-2025-38419 remoteproc: core: Cleanup acquired resources when rproc_handle_resources() fails in rproc_attach()

In the Linux kernel, the following vulnerability has been resolved: remoteproc: core: Cleanup acquired resources when rproc_handle_resources() fails in rproc_attach() When rproc->state = RPROC_DETACHED and rproc_attach() is usedto attach to the remote processor, if rproc_handle_resources()return...

CVE-2025-38422 net: lan743x: Modify the EEPROM and OTP size for PCI1xxxx devices

In the Linux kernel, the following vulnerability has been resolved: net: lan743x: Modify the EEPROM and OTP size for PCI1xxxx devices Maximum OTP and EEPROM size for hearthstone PCI1xxxx devices are 8 Kband 64 Kb respectively. Adjust max size definitions and return correctEEPROM length based on dev...

CVE-2025-38423 ASoC: codecs: wcd9375: Fix double free of regulator supplies

In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd9375: Fix double free of regulator supplies Driver gets regulator supplies in probe path withdevm_regulator_bulk_get(), so should not call regulator_bulk_free() inerror and remove paths to avoid double free.

CVE-2025-38424 perf: Fix sample vs do_exit()

In the Linux kernel, the following vulnerability has been resolved: perf: Fix sample vs do_exit() Baisheng Gao reported an ARM64 crash, which Mark decoded as being asynchronous external abort -- most likely due to trying to accessMMIO in bad ways. The crash further shows perf trying to do a user st...

CVE-2025-38425 i2c: tegra: check msg length in SMBUS block read

In the Linux kernel, the following vulnerability has been resolved: i2c: tegra: check msg length in SMBUS block read For SMBUS block read, do not continue to read if the message lengthpassed from the device is '0' or greater than the maximum allowed bytes.

CVE-2025-38428 Input: ims-pcu - check record size in ims_pcu_flash_firmware()

In the Linux kernel, the following vulnerability has been resolved: Input: ims-pcu - check record size in ims_pcu_flash_firmware() The "len" variable comes from the firmware and we generally dotrust firmware, but it's always better to double check. If the "len"is too large it could result in memory...

CVE-2025-38429 bus: mhi: ep: Update read pointer only after buffer is written

In the Linux kernel, the following vulnerability has been resolved: bus: mhi: ep: Update read pointer only after buffer is written Inside mhi_ep_ring_add_element, the read pointer (rd_offset) is updatedbefore the buffer is written, potentially causing race conditions wherethe host sees an updated r...

CVE-2025-38430 nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request

In the Linux kernel, the following vulnerability has been resolved: nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request If the request being processed is not a v4 compound request, thenexamining the cstate can have undefined results. This patch adds a check that the rpc procedure ...

CVE-2025-38431 smb: client: fix regression with native SMB symlinks

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix regression with native SMB symlinks Some users and customers reported that their backup/copy tools startedto fail when the directory being copied contained symlink targets thatthe client couldn't parse - even when ...

CVE-2025-38432 net: netpoll: Initialize UDP checksum field before checksumming

In the Linux kernel, the following vulnerability has been resolved: net: netpoll: Initialize UDP checksum field before checksumming commit f1fce08e63fe ("netpoll: Eliminate redundant assignment") removedthe initialization of the UDP checksum, which was wrong and brokenetpoll IPv6 transmission due t...

CVE-2025-38433 riscv: fix runtime constant support for nommu kernels

In the Linux kernel, the following vulnerability has been resolved: riscv: fix runtime constant support for nommu kernels the __runtime_fixup_32 function does not handle the case where val iszero correctly (as might occur when patching a nommu kernel and referringto a physical address below the 4Gi...

CVE-2025-38434 Revert "riscv: Define TASK_SIZE_MAX for __access_ok()"

In the Linux kernel, the following vulnerability has been resolved: Revert "riscv: Define TASK_SIZE_MAX for __access_ok()" This reverts commit ad5643cf2f69 ("riscv: Define TASK_SIZE_MAX for__access_ok()"). This commit changes TASK_SIZE_MAX to be LONG_MAX to optimize access_ok(),because the previous...

CVE-2025-38435 riscv: vector: Fix context save/restore with xtheadvector

In the Linux kernel, the following vulnerability has been resolved: riscv: vector: Fix context save/restore with xtheadvector Previously only v0-v7 were correctly saved/restored,and the context of v8-v31 are damanged.Correctly save/restore v8-v31 to avoid breaking userspace.

CVE-2025-38437 ksmbd: fix potential use-after-free in oplock/lease break ack

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potential use-after-free in oplock/lease break ack If ksmbd_iov_pin_rsp return error, use-after-free can happen byaccessing opinfo->state and opinfo_put and ksmbd_fd_put couldcalled twice.

CVE-2025-38438 ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak.

In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak. sof_pdata->tplg_filename can have address allocated by kstrdup()and can be overwritten. Memory leak was detected with kmemleak: unreferenced object 0xffff88812391ff60 (...

CVE-2025-38439 bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT

In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT When transmitting an XDP_REDIRECT packet, call dma_unmap_len_set()with the proper length instead of 0. This bug triggers this warningon a system with IOMMU enabled: WARNING: CPU...

CVE-2025-38440 net/mlx5e: Fix race between DIM disable and net_dim()

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix race between DIM disable and net_dim() There's a race between disabling DIM and NAPI callbacks using the dimpointer on the RQ or SQ. If NAPI checks the DIM state bit and sees it still set, it assumesrq->dim or sq-...

CVE-2025-38441 netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto()

In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() syzbot found a potential access to uninit-value in nf_flow_pppoe_proto() Blamed commit forgot the Ethernet header. BUG: KMSAN: uninit-value in nf_flow_offlo...

CVE-2025-38442 block: reject bs > ps block devices when THP is disabled

In the Linux kernel, the following vulnerability has been resolved: block: reject bs > ps block devices when THP is disabled If THP is disabled and when a block device with logical block size >page size is present, the following null ptr deref panic happens duringboot: [ [13.2 mK AOSAN: null-...

CVE-2025-38443 nbd: fix uaf in nbd_genl_connect() error path

In the Linux kernel, the following vulnerability has been resolved: nbd: fix uaf in nbd_genl_connect() error path There is a use-after-free issue in nbd: block nbd6: Receive control failed (result -104)block nbd6: shutting down sockets BUG: KASAN: slab-use-after-free in recv_work+0x694/0xa80 driver...

CVE-2025-38444 raid10: cleanup memleak at raid10_make_request

In the Linux kernel, the following vulnerability has been resolved: raid10: cleanup memleak at raid10_make_request If raid10_read_request or raid10_write_request registers a newrequest and the REQ_NOWAIT flag is set, the code does notfree the malloc from the mempool. unreferenced object 0xffff88848...

CVE-2025-38445 md/raid1: Fix stack memory use after return in raid1_reshape

In the Linux kernel, the following vulnerability has been resolved: md/raid1: Fix stack memory use after return in raid1_reshape In the raid1_reshape function, newpool isallocated on the stack and assigned to conf->r1bio_pool.This results in conf->r1bio_pool.wait.head pointingto a stack addre...

CVE-2025-38446 clk: imx: Fix an out-of-bounds access in dispmix_csr_clk_dev_data

In the Linux kernel, the following vulnerability has been resolved: clk: imx: Fix an out-of-bounds access in dispmix_csr_clk_dev_data When num_parents is 4, __clk_register() occurs an out-of-boundswhen accessing parent_names member. Use ARRAY_SIZE() instead ofhardcode number here. BUG: KASAN: globa...

CVE-2025-38447 mm/rmap: fix potential out-of-bounds page table access during batched unmap

In the Linux kernel, the following vulnerability has been resolved: mm/rmap: fix potential out-of-bounds page table access during batched unmap As pointed out by David[1], the batched unmap logic intry_to_unmap_one() may read past the end of a PTE table when a largefolio's PTE mappings are not full...

CVE-2025-38448 usb: gadget: u_serial: Fix race condition in TTY wakeup

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Fix race condition in TTY wakeup A race condition occurs when gs_start_io() calls either gs_start_rx() orgs_start_tx(), as those functions briefly drop the port_lock forusb_ep_queue(). This allows gs_close() ...

CVE-2025-38449 drm/gem: Acquire references on GEM handles for framebuffers

In the Linux kernel, the following vulnerability has been resolved: drm/gem: Acquire references on GEM handles for framebuffers A GEM handle can be released while the GEM buffer object is attachedto a DRM framebuffer. This leads to the release of the dma-buf backingthe buffer object, if any. [1] Tr...

CVE-2025-38450 wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload()

In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload() Add a NULL check for msta->vif before accessing its members to preventa kernel panic in AP mode deployment. This also fix the issue reportedi...

CVE-2025-38451 md/md-bitmap: fix GPF in bitmap_get_stats()

In the Linux kernel, the following vulnerability has been resolved: md/md-bitmap: fix GPF in bitmap_get_stats() The commit message of commit 6ec1f0239485 ("md/md-bitmap: fix statscollection for external bitmaps") states: Remove the external bitmap check as the statistics should be available regardl...

CVE-2025-38452 net: ethernet: rtsn: Fix a null pointer dereference in rtsn_probe()

In the Linux kernel, the following vulnerability has been resolved: net: ethernet: rtsn: Fix a null pointer dereference in rtsn_probe() Add check for the return value of rcar_gen4_ptp_alloc()to prevent potential null pointer dereference.

CVE-2025-38453 io_uring/msg_ring: ensure io_kiocb freeing is deferred for RCU

In the Linux kernel, the following vulnerability has been resolved: io_uring/msg_ring: ensure io_kiocb freeing is deferred for RCU syzbot reports that defer/local task_work adding via msg_ring can hita request that has been freed: CPU: 1 UID: 0 PID: 19356 Comm: iou-wrk-19354 Not tainted 6.16.0-rc4-...

CVE-2025-38454 ALSA: ad1816a: Fix potential NULL pointer deref in snd_card_ad1816a_pnp()

In the Linux kernel, the following vulnerability has been resolved: ALSA: ad1816a: Fix potential NULL pointer deref in snd_card_ad1816a_pnp() Use pr_warn() instead of dev_warn() when 'pdev' is NULL to avoid apotential NULL pointer dereference.