Skip to content

chore(deps): [security] #2162

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 27, 2025
Merged

chore(deps): [security] #2162

merged 1 commit into from
Jun 27, 2025

Conversation

red-hat-konflux[bot]
Copy link
Contributor

@red-hat-konflux red-hat-konflux bot commented Jun 10, 2025
edited
Loading

This PR contains the following updates:

Package Update Change
glibc patch 2.28-251.el8_10.16 -> 2.28-251.el8_10.22
glibc-all-langpacks patch 2.28-251.el8_10.16 -> 2.28-251.el8_10.22
glibc-common patch 2.28-251.el8_10.16 -> 2.28-251.el8_10.22
glibc-devel patch 2.28-251.el8_10.16 -> 2.28-251.el8_10.22
glibc-gconv-extra patch 2.28-251.el8_10.16 -> 2.28-251.el8_10.22
glibc-headers patch 2.28-251.el8_10.16 -> 2.28-251.el8_10.22
kernel-headers patch 4.18.0-553.54.1.el8_10 -> 4.18.0-553.58.1.el8_10
libxml2 patch 2.9.7-19.el8_10 -> 2.9.7-20.el8_10
tar patch 2:1.30-9.el8 -> 2:1.30-10.el8_10

glibc: static setuid binary dlopen may incorrectly search LD_LIBRARY_PATH

CVE-2025-4802

More information

Details

A flaw was found in the glibc library. A statically linked setuid binary that calls dlopen(), including internal dlopen() calls after setlocale() or calls to NSS functions such as getaddrinfo(), may incorrectly search LD_LIBRARY_PATH to determine which library to load, allowing a local attacker to load malicious shared libraries, escalate privileges and execute arbitrary code.

Severity

Moderate

References

glibc: buffer overflow in the GNU C Library's assert()

CVE-2025-0395

More information

Details

A flaw was found in the GNU C Library (glibc). A buffer overflow condition via the assert() function may be triggered due to glibc not allocating enough space for the assertion failure message string and size information. In certain conditions, a local attacker can exploit this, potentially leading to an application crash or other undefined behavior.

Severity

Moderate

References

kernel: um: Fix out-of-bounds read in LDT setup

CVE-2022-49395

More information

Details

A vulnerability was found in the Linux kernel's user mode (um) subsystem, specifically within the Local Descriptor Table (LDT) setup functionality. The issue arises from the syscall_stub_data() function misinterpreting the data_count parameter as a byte count rather than a count of longs, leading to an out-of-bounds read. This flaw could expose sensitive kernel memory and cause system instability.

Severity

Moderate

References

kernel: idpf: fix idpf_vc_core_init error path

CVE-2024-53064

More information

Details

In the Linux kernel, the following vulnerability has been resolved:

idpf: fix idpf_vc_core_init error path

In an event where the platform running the device control plane
is rebooted, reset is detected on the driver. It releases
all the resources and waits for the reset to complete. Once the
reset is done, it tries to build the resources back. At this
time if the device control plane is not yet started, then
the driver timeouts on the virtchnl message and retries to
establish the mailbox again.

In the retry flow, mailbox is deinitialized but the mailbox
workqueue is still alive and polling for the mailbox message.
This results in accessing the released control queue leading to
null-ptr-deref. Fix it by unrolling the work queue cancellation
and mailbox deinitialization in the reverse order which they got
initialized.

Severity

Moderate

References

kernel: cifs: fix double free race when mount fails in cifs_get_root()

CVE-2022-48919

More information

Details

In the Linux kernel, the following vulnerability has been resolved:

cifs: fix double free race when mount fails in cifs_get_root()

When cifs_get_root() fails during cifs_smb3_do_mount() we call
deactivate_locked_super() which eventually will call delayed_free() which
will free the context.
In this situation we should not proceed to enter the out: section in
cifs_smb3_do_mount() and free the same resources a second time.

[Thu Feb 10 12:59:06 2022] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0x32/0x60
[Thu Feb 10 12:59:06 2022] Read of size 8 at addr ffff888364f4d110 by task swapper/1/0

[Thu Feb 10 12:59:06 2022] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G OE 5.17.0-rc3+ #​4
[Thu Feb 10 12:59:06 2022] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.0 12/17/2019
[Thu Feb 10 12:59:06 2022] Call Trace:
[Thu Feb 10 12:59:06 2022]
[Thu Feb 10 12:59:06 2022] dump_stack_lvl+0x5d/0x78
[Thu Feb 10 12:59:06 2022] print_address_description.constprop.0+0x24/0x150
[Thu Feb 10 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60
[Thu Feb 10 12:59:06 2022] kasan_report.cold+0x7d/0x117
[Thu Feb 10 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60
[Thu Feb 10 12:59:06 2022] __asan_load8+0x86/0xa0
[Thu Feb 10 12:59:06 2022] rcu_cblist_dequeue+0x32/0x60
[Thu Feb 10 12:59:06 2022] rcu_core+0x547/0xca0
[Thu Feb 10 12:59:06 2022] ? call_rcu+0x3c0/0x3c0
[Thu Feb 10 12:59:06 2022] ? __this_cpu_preempt_check+0x13/0x20
[Thu Feb 10 12:59:06 2022] ? lock_is_held_type+0xea/0x140
[Thu Feb 10 12:59:06 2022] rcu_core_si+0xe/0x10
[Thu Feb 10 12:59:06 2022] __do_softirq+0x1d4/0x67b
[Thu Feb 10 12:59:06 2022] __irq_exit_rcu+0x100/0x150
[Thu Feb 10 12:59:06 2022] irq_exit_rcu+0xe/0x30
[Thu Feb 10 12:59:06 2022] sysvec_hyperv_stimer0+0x9d/0xc0
...
[Thu Feb 10 12:59:07 2022] Freed by task 58179:
[Thu Feb 10 12:59:07 2022] kasan_save_stack+0x26/0x50
[Thu Feb 10 12:59:07 2022] kasan_set_track+0x25/0x30
[Thu Feb 10 12:59:07 2022] kasan_set_free_info+0x24/0x40
[Thu Feb 10 12:59:07 2022] ____kasan_slab_free+0x137/0x170
[Thu Feb 10 12:59:07 2022] __kasan_slab_free+0x12/0x20
[Thu Feb 10 12:59:07 2022] slab_free_freelist_hook+0xb3/0x1d0
[Thu Feb 10 12:59:07 2022] kfree+0xcd/0x520
[Thu Feb 10 12:59:07 2022] cifs_smb3_do_mount+0x149/0xbe0 [cifs]
[Thu Feb 10 12:59:07 2022] smb3_get_tree+0x1a0/0x2e0 [cifs]
[Thu Feb 10 12:59:07 2022] vfs_get_tree+0x52/0x140
[Thu Feb 10 12:59:07 2022] path_mount+0x635/0x10c0
[Thu Feb 10 12:59:07 2022] __x64_sys_mount+0x1bf/0x210
[Thu Feb 10 12:59:07 2022] do_syscall_64+0x5c/0xc0
[Thu Feb 10 12:59:07 2022] entry_SYSCALL_64_after_hwframe+0x44/0xae

[Thu Feb 10 12:59:07 2022] Last potentially related work creation:
[Thu Feb 10 12:59:07 2022] kasan_save_stack+0x26/0x50
[Thu Feb 10 12:59:07 2022] __kasan_record_aux_stack+0xb6/0xc0
[Thu Feb 10 12:59:07 2022] kasan_record_aux_stack_noalloc+0xb/0x10
[Thu Feb 10 12:59:07 2022] call_rcu+0x76/0x3c0
[Thu Feb 10 12:59:07 2022] cifs_umount+0xce/0xe0 [cifs]
[Thu Feb 10 12:59:07 2022] cifs_kill_sb+0xc8/0xe0 [cifs]
[Thu Feb 10 12:59:07 2022] deactivate_locked_super+0x5d/0xd0
[Thu Feb 10 12:59:07 2022] cifs_smb3_do_mount+0xab9/0xbe0 [cifs]
[Thu Feb 10 12:59:07 2022] smb3_get_tree+0x1a0/0x2e0 [cifs]
[Thu Feb 10 12:59:07 2022] vfs_get_tree+0x52/0x140
[Thu Feb 10 12:59:07 2022] path_mount+0x635/0x10c0
[Thu Feb 10 12:59:07 2022] __x64_sys_mount+0x1bf/0x210
[Thu Feb 10 12:59:07 2022] do_syscall_64+0x5c/0xc0
[Thu Feb 10 12:59:07 2022] entry_SYSCALL_64_after_hwframe+0x44/0xae

Severity

Moderate

References

kernel: security/keys: fix slab-out-of-bounds in key_task_permission

CVE-2024-50301

More information

Details

In the Linux kernel, the following vulnerability has been resolved:

security/keys: fix slab-out-of-bounds in key_task_permission

KASAN reports an out of bounds read:
BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36
BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline]
BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410
security/keys/permission.c:54
Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362

CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #​15
Call Trace:
__dump_stack lib/dump_stack.c:82 [inline]
dump_stack+0x107/0x167 lib/dump_stack.c:123
print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400
__kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560
kasan_report+0x3a/0x50 mm/kasan/report.c:585
__kuid_val include/linux/uidgid.h:36 [inline]
uid_eq include/linux/uidgid.h:63 [inline]
key_task_permission+0x394/0x410 security/keys/permission.c:54
search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793

This issue was also reported by syzbot.

It can be reproduced by following these steps(more details [1]):

  1. Obtain more than 32 inputs that have similar hashes, which ends with the
    pattern '0xxxxxxxe6'.
  2. Reboot and add the keys obtained in step 1.

The reproducer demonstrates how this issue happened:

  1. In the search_nested_keyrings function, when it iterates through the
    slots in a node(below tag ascend_to_node), if the slot pointer is meta
    and node->back_pointer != NULL(it means a root), it will proceed to
    descend_to_node. However, there is an exception. If node is the root,
    and one of the slots points to a shortcut, it will be treated as a
    keyring.

  2. Whether the ptr is keyring decided by keyring_ptr_is_keyring function.
    However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as
    ASSOC_ARRAY_PTR_SUBTYPE_MASK.

  3. When 32 keys with the similar hashes are added to the tree, the ROOT
    has keys with hashes that are not similar (e.g. slot 0) and it splits
    NODE A without using a shortcut. When NODE A is filled with keys that
    all hashes are xxe6, the keys are similar, NODE A will split with a
    shortcut. Finally, it forms the tree as shown below, where slot 6 points
    to a shortcut.

                   NODE A
       +------>+---+

    ROOT | | 0 | xxe6
    +---+ | +---+
    xxxx | 0 | shortcut : : xxe6
    +---+ | +---+
    xxe6 : : | | | xxe6
    +---+ | +---+
    | 6 |---+ : : xxe6
    +---+ +---+
    xxe6 : : | f | xxe6
    +---+ +---+
    xxe6 | f |
    +---+

  4. As mentioned above, If a slot(slot 6) of the root points to a shortcut,
    it may be mistakenly transferred to a key*, leading to a read
    out-of-bounds read.

To fix this issue, one should jump to descend_to_node if the ptr is a
shortcut, regardless of whether the node is root or not.

[1] https://lore.kernel.org/linux-kernel/1cfa878e-8c7b-4570-8606-21daf5e13ce7@​huaweicloud.com/

[jarkko: tweaked the commit message a bit to have an appropriate closes
tag.]

Severity

Moderate

References

kernel: ndisc: use RCU protection in ndisc_alloc_skb()

CVE-2025-21764

More information

Details

A vulnerability was found in the Linux kernel's IPv6 Neighbor Discovery (NDISC) subsystem, which manages network neighbor information. The issue arises from improper synchronization mechanisms when allocating socket buffers (sk_buff) in the ndisc_alloc_skb() function. Specifically, the function can be called without holding the necessary Read-Copy-Update (RCU) or Routing Netlink (RTNL) locks, leading to a potential use-after-free (UAF) condition. This flaw allows an attacker with local access and low privileges to exploit the race condition, potentially causing system instability or crashes.

Severity

Moderate

References

kernel: can: bcm: Fix UAF in bcm_proc_show()

CVE-2023-52922

More information

Details

In the Linux kernel, the following vulnerability has been resolved:

can: bcm: Fix UAF in bcm_proc_show()

BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80
Read of size 8 at addr ffff888155846230 by task cat/7862

CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #​230
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:

dump_stack_lvl+0xd5/0x150
print_report+0xc1/0x5e0
kasan_report+0xba/0xf0
bcm_proc_show+0x969/0xa80
seq_read_iter+0x4f6/0x1260
seq_read+0x165/0x210
proc_reg_read+0x227/0x300
vfs_read+0x1d5/0x8d0
ksys_read+0x11e/0x240
do_syscall_64+0x35/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Allocated by task 7846:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
__kasan_kmalloc+0x9e/0xa0
bcm_sendmsg+0x264b/0x44e0
sock_sendmsg+0xda/0x180
____sys_sendmsg+0x735/0x920
___sys_sendmsg+0x11d/0x1b0
__sys_sendmsg+0xfa/0x1d0
do_syscall_64+0x35/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 7846:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_save_free_info+0x27/0x40
____kasan_slab_free+0x161/0x1c0
slab_free_freelist_hook+0x119/0x220
__kmem_cache_free+0xb4/0x2e0
rcu_core+0x809/0x1bd0

bcm_op is freed before procfs entry be removed in bcm_release(),
this lead to bcm_proc_show() may read the freed bcm_op.

Severity

Important

References

kernel: ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices

CVE-2024-53197

More information

Details

A vulnerability was found in the Linux kernel's USB Audio driver. This flaw allows an attacker with physical access to the system to use a malicious USB device to gain additional access. This is possible by manipulating system memory, potentially escalating privileges, or executing arbitrary code.

Severity

Important

References

kernel: HID: core: zero-initialize the report buffer

CVE-2024-50302

More information

Details

A vulnerability was found in the Linux kernel's driver for Human Interface Devices. This flaw allows an attacker to use a malicious input device to read information from the report buffer. This could be used to leak kernel memory, enabling the exploitation of additional vulnerabilities.

Severity

Important

References

kernel: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array

CVE-2025-21785

More information

Details

In the Linux kernel, the following vulnerability has been resolved:

arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array

The loop that detects/populates cache information already has a bounds
check on the array size but does not account for cache levels with
separate data/instructions cache. Fix this by incrementing the index
for any populated leaf (instead of any populated level).

Severity

Important

References

kernel: ALSA: usb-audio: Fix out of bounds reads when finding clock sources

CVE-2024-53150

More information

Details

A vulnerability was found in the Linux kernel's USB Audio driver. This flaw can allow an attacker with physical access to the system to use a malicious USB device to gain additional access. This is possible by reading arbitrary system memory.

Severity

Important

References

kernel: cifs: fix potential double free during failed mount

CVE-2022-49541

More information

Details

In the Linux kernel, the following vulnerability has been resolved:

cifs: fix potential double free during failed mount

RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2088799

Severity

Important

References

kernel: nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu()

CVE-2025-21927

More information

Details

In the Linux kernel, the following vulnerability has been resolved:

nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu()

nvme_tcp_recv_pdu() doesn't check the validity of the header length.
When header digests are enabled, a target might send a packet with an
invalid header length (e.g. 255), causing nvme_tcp_verify_hdgst()
to access memory outside the allocated area and cause memory corruptions
by overwriting it with the calculated digest.

Fix this by rejecting packets with an unexpected header length.

Severity

Important

References

kernel: netfilter: ipset: add missing range check in bitmap_ip_uadt

CVE-2024-53141

More information

Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ipset: add missing range check in bitmap_ip_uadt

When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,
the values of ip and ip_to are slightly swapped. Therefore, the range check
for ip should be done later, but this part is missing and it seems that the
vulnerability occurs.

So we should add missing range checks and remove unnecessary range checks.

Severity

Important

References

kernel: vsock: Keep the binding until socket destruction

CVE-2025-21756

More information

Details

A flaw was found in the Linux kernel's virtual socket protocol network driver, where an improperly timed socket unbinding could result in a use-after-free issue. This flaw allows an attacker who can create and destroy arbitrary connections on virtual connections to read or modify system memory, potentially leading to an escalation of privileges or the compromise of sensitive data.

Severity

Important

References

kernel: tipc: fix use-after-free Read in tipc_named_reinit

CVE-2022-49696

More information

Details

A vulnerability was found in the Linux kernel's Transparent Inter-Process Communication (TIPC) subsystem, allowing a use-after-free condition during the cleanup process. This issue arises when the kernel's work queue mechanism does not properly synchronize the destruction of TIPC namespaces with the completion of pending work items.

Specifically, the function responsible for canceling pending work (cancel_work_sync()) ensures that a particular work item (tipc_net_finalize_work) is completed before the namespace is destroyed. However, it does not guarantee that this work item is the last one queued, leading to the possibility of accessing freed memory if additional work is enqueued afterward.

Severity

Moderate

References

kernel: mt76: fix use-after-free by removing a non-RCU wcid pointer

CVE-2022-49328

More information

Details

A vulnerability was found in the Linux kernel's mt76 wi-fi driver. A concurrency bug causes the mtxq TX queue to maintain a raw pointer to a wcid structure (mtxq->wcid) that might be freed by the time it is accessed. This issue can lead to a use-after-free scenario, leading to system instability, memory corruption, and potentially arbitrary code execution.

Severity

Moderate

References

podman: buildah: Container breakout by using --jobs=2 and a race condition when building a malicious Containerfile

CVE-2024-11218

More information

Details

A vulnerability was found in podman build and buildah. This issue occurs in a container breakout by using --jobs=2 and a race condition when building a malicious Containerfile. SELinux might mitigate it, but even with SELinux on, it still allows the enumeration of files and directories on the host.

Severity

Important

References

kernel: ALSA: usb-audio: Fix out of bounds reads when finding clock sources

CVE-2024-53150

More information

Details

A vulnerability was found in the Linux kernel's USB Audio driver. This flaw can allow an attacker with physical access to the system to use a malicious USB device to gain additional access. This is possible by reading arbitrary system memory.

Severity

Moderate

References

kernel: vsock: Keep the binding until socket destruction

CVE-2025-21756

More information

Details

A flaw was found in the Linux kernel's virtual socket protocol network driver, where an improperly timed socket unbinding could result in a use-after-free issue. This flaw allows an attacker who can create and destroy arbitrary connections on virtual connections to read or modify system memory, potentially leading to an escalation of privileges or the compromise of sensitive data.

Severity

Moderate

References

kernel: mm: call the security_mmap_file() LSM hook in remap_file_pages()

CVE-2024-47745

More information

Details

A flaw was found in the remap_file_pages function in mm/mmap.c in the Linux kernel, where it does not properly restrict execute access. This vulnerability allows local users to bypass intended SELinux W^X policy restrictions.

Severity

Moderate

References

kernel: veth: Fix use after free in XDP_REDIRECT

CVE-2023-53107

More information

Details

A use-after-free vulnerability has been identified within the veth_convert_skb_to_xdp_buff() function of the Linux kernel's veth driver. The flaw stems from improper memory management during packet headroom expansion for XDP (eXpress Data Path). Specifically, when the pskb_expand_head() function allocates new memory via kmalloc to increase the packet headroom to meet the XDP_PACKET_HEADROOM requirement, a subsequent call to consume_skb() can prematurely free this memory while the AF_XDP subsystem is still actively processing the packet. This premature deallocation leads to a use-after-free condition. Successful exploitation of this vulnerability could result in memory corruption, denial of service, and overall system instability.

Severity

Important

References

kernel: nvme-fc: do not wait in vain when unloading module

CVE-2024-26846

More information

Details

In the Linux kernel, the following vulnerability has been resolved:

nvme-fc: do not wait in vain when unloading module

The module exit path has race between deleting all controllers and
freeing 'left over IDs'. To prevent double free a synchronization
between nvme_delete_ctrl and ida_destroy has been added by the initial
commit.

There is some logic around trying to prevent from hanging forever in
wait_for_completion, though it does not handling all cases. E.g.
blktests is able to reproduce the situation where the module unload
hangs forever.

If we completely rely on the cleanup code executed from the
nvme_delete_ctrl path, all IDs will be freed eventually. This makes
calling ida_destroy unnecessary. We only have to ensure that all
nvme_delete_ctrl code has been executed before we leave
nvme_fc_exit_module. This is done by flushing the nvme_delete_wq
workqueue.

While at it, remove the unused nvme_fc_wq workqueue too.

Severity

Moderate

References

kernel: mm/swap: fix race when skipping swapcache

CVE-2024-26759

More information

Details

In the Linux kernel, the following vulnerability has been resolved:

mm/swap: fix race when skipping swapcache

When skipping swapcache for SWP_SYNCHRONOUS_IO, if two or more threads
swapin the same entry at the same time, they get different pages (A, B).
Before one thread (T0) finishes the swapin and installs page (A) to the
PTE, another thread (T1) could finish swapin of page (B), swap_free the
entry, then swap out the possibly modified page reusing the same entry.
It breaks the pte_same check in (T0) because PTE value is unchanged,
causing ABA problem. Thread (T0) will install a stalled page (A) into the
PTE and cause data corruption.

One possible callstack is like this:

CPU0 CPU1

do_swap_page() do_swap_page() with same entry


swap_read_folio() <- read to page A swap_read_folio() <- read to page B

... set_pte_at()
swap_free() <- entry is free
<write to page B, now page A stalled>

pte_same() <- Check pass, PTE seems
unchanged, but page A
is stalled!
swap_free() <- page B content lost!
set_pte_at() <- staled page A installed!

And besides, for ZRAM, swap_free() allows the swap device to discard the
entry content, so even if page (B) is not modified, if swap_read_folio()
on CPU0 happens later than swap_free() on CPU1, it may also cause data
loss.

To fix this, reuse swapcache_prepare which will pin the swap entry using
the cache flag, and allow only one thread to swap it in, also prevent any
parallel code from putting the entry in the cache. Release the pin after
PT unlocked.

Racers just loop and wait since it's a rare and very short event. A
schedule_timeout_uninterruptible(1) call is added to avoid repeated page
faults wasting too much CPU, causing livelock or adding too much noise to
perf statistics. A similar livelock issue was described in commit
029c4628b2eb ("mm: swap: get rid of livelock in swapin readahead")

Reproducer:

This race issue can be triggered easily using a well constructed
reproducer and patched brd (with a delay in read path) [1]:

With latest 6.8 mainline, race caused data loss can be observed easily:
$ gcc -g -lpthread test-thread-swap-race.c && ./a.out
Polulating 32MB of memory region...
Keep swapping out...
Starting round 0...
Spawning 65536 workers...
32746 workers spawned, wait for done...
Round 0: Error on 0x5aa00, expected 32746, got 32743, 3 data loss!
Round 0: Error on 0x395200, expected 32746, got 32743, 3 data loss!
Round 0: Error on 0x3fd000, expected 32746, got 32737, 9 data loss!
Round 0 Failed, 15 data loss!

This reproducer spawns multiple threads sharing the same memory region
using a small swap device. Every two threads updates mapped pages one by
one in opposite direction trying to create a race, with one dedicated
thread keep swapping out the data out using madvise.

The reproducer created a reproduce rate of about once every 5 minutes, so
the race should be totally possible in production.

After this patch, I ran the reproducer for over a few hundred rounds and
no data loss observed.

Performance overhead is minimal, microbenchmark swapin 10G from 32G
zram:

Before: 10934698 us
After: 11157121 us
Cached: 13155355 us (Dropping SWP_SYNCHRONOUS_IO flag)

[kasong@tencent.com: v4]

Severity

Moderate

References

kernel: tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets

CVE-2024-36905

More information

Details

In the Linux kernel, the following vulnerability has been resolved:

tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets

TCP_SYN_RECV state is really special, it is only used by
cross-syn connections, mostly used by fuzzers.

In the following crash [1], syzbot managed to trigger a divide
by zero in tcp_rcv_space_adjust()

A socket makes the following state transitions,
without ever calling tcp_init_transfer(),
meaning tcp_init_buffer_space() is also not called.

     TCP_CLOSE

connect()
TCP_SYN_SENT
TCP_SYN_RECV
shutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN)
TCP_FIN_WAIT1

To fix this issue, change tcp_shutdown() to not
perform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition,
which makes no sense anyway.

When tcp_rcv_state_process() later changes socket state
from TCP_SYN_RECV to TCP_ESTABLISH, then look at
sk->sk_shutdown to finally enter TCP_FIN_WAIT1 state,
and send a FIN packet from a sane socket state.

This means tcp_send_fin() can now be called from BH
context, and must use GFP_ATOMIC allocations.

[1]
divide error: 0000 [#​1] PREEMPT SMP KASAN NOPTI
CPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #​0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767
Code: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48
RSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246
RAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7
R10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30
R13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da
FS: 00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0
Call Trace:

tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513
tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578
inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680
sock_recvmsg_nosec net/socket.c:1046 [inline]
sock_recvmsg+0x109/0x280 net/socket.c:1068
____sys_recvmsg+0x1db/0x470 net/socket.c:2803
___sys_recvmsg net/socket.c:2845 [inline]
do_recvmmsg+0x474/0xae0 net/socket.c:2939
__sys_recvmmsg net/socket.c:3018 [inline]
__do_sys_recvmmsg net/socket.c:3041 [inline]
__se_sys_recvmmsg net/socket.c:3034 [inline]
__x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7faeb6363db9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9
RDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c
R10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001

Severity

Moderate

References

kernel: net: avoid potential underflow in qdisc_pkt_len_init() with UFO

CVE-2024-49949

More information

Details

In the Linux kernel, the following vulnerability has been resolved:

net: avoid potential underflow in qdisc_pkt_len_init() with UFO

After commit 7c6d2ecbda83 ("net: be more gentle about silly gso
requests coming from user") virtio_net_hdr_to_skb() had sanity check
to detect malicious attempts from user space to cook a bad GSO packet.

Then commit cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count
transport header in UFO") while fixing one issue, allowed user space
to cook a GSO packet with the following characteristic :

IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28.

When this packet arrives in qdisc_pkt_len_init(), we end up
with hdr_len = 28 (IPv4 header + UDP header), matching skb->len

Then the following sets gso_segs to 0 :

gso_segs = DIV_ROUND_UP(skb->len - hdr_len,
shinfo->gso_size);

Then later we set qdisc_skb_cb(skb)->pkt_len to back to zero :/

qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len;

This leads to the following crash in fq_codel [1]

qdisc_pkt_len_init() is best effort, we only want an estimation
of the bytes sent on the wire, not crashing the kernel.

This patch is fixing this particular issue, a following one
adds more sanity checks for another potential bug.

[1]
[ 70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 70.724561] #PF: supervisor read access in kernel mode
[ 70.724561] #PF: error_code(0x0000) - not-present page
[ 70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0
[ 70.724561] Oops: Oops: 0000 [#​1] SMP NOPTI
[ 70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #​991
[ 70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel
[ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49
All code

0: 24 08 and $0x8,%al
2: 49 c1 e1 06 shl $0x6,%r9
6: 44 89 7c 24 18 mov %r15d,0x18(%rsp)
b: 45 31 ed xor %r13d,%r13d
e: 45 31 c0 xor %r8d,%r8d
11: 31 ff xor %edi,%edi
13: 89 44 24 14 mov %eax,0x14(%rsp)
17: 4c 03 8b 90 01 00 00 add 0x190(%rbx),%r9
1e: eb 04 jmp 0x24
20: 39 ca cmp %ecx,%edx
22: 73 37 jae 0x5b
24: 4d 8b 39 mov (%r9),%r15
27: 83 c7 01 add $0x1,%edi
2a:* 49 8b 17 mov (%r15),%rdx <-- trapping instruction
2d: 49 89 11 mov %rdx,(%r9)
30: 41 8b 57 28 mov 0x28(%r15),%edx
34: 45 8b 5f 34 mov 0x34(%r15),%r11d
38: 49 c7 07 00 00 00 00 movq $0x0,(%r15)
3f: 49 rex.WB

Code starting with the faulting instruction

0: 49 8b 17 mov (%r15),%rdx
3: 49 89 11 mov %rdx,(%r9)
6: 41 8b 57 28 mov 0x28(%r15),%edx
a: 45 8b 5f 34 mov 0x34(%r15),%r11d
e: 49 c7 07 00 00 00 00 movq $0x0,(%r15)
15: 49 rex.WB
[ 70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202
[ 70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000
[ 70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
[ 70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000
[ 70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58
[ 70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000
[ 70.724561] FS: 000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000
[ 70.724561] CS: 0010 DS: 0000 ES: 0000 C
---truncated---

Severity

Moderate

References

kernel: drm/vmwgfx: Unmap the surface before resetting it on a plane state

CVE-2023-52648

More information

Details

In the Linux kernel, the following vulnerability has been resolved:

drm/vmwgfx: Unmap the surface before resetting it on a plane state

Switch to a new plane state requires unreferencing of all held surfaces.
In the work required for mob cursors the mapped surfaces started being
cached but the variable indicating whether the surface is currently
mapped was not being reset. This leads to crashes as the duplicated
state, incorrectly, indicates the that surface is mapped even when
no surface is present. That's because after unreferencing the surface
it's perfectly possible for the plane to be backed by a bo instead of a
surface.

Reset the surface mapped flag when unreferencing the plane state surface
to fix null derefs in cleanup. Fixes crashes in KDE KWin 6.0 on Wayland:

Oops: 0000 [#​1] PREEMPT SMP PTI
CPU: 4 PID: 2533 Comm: kwin_wayland Not tainted 6.7.0-rc3-vmwgfx #​2
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
RIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]
Code: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c0 e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f>
RSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff969d84cdcb00 RCX: 0000000000000027
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff969e75f21600
RBP: ffff969d4143dc50 R08: 0000000000000000 R09: ffffb6b98216f920
R10: 0000000000000003 R11: ffff969e7feb3b10 R12: 0000000000000000
R13: 0000000000000000 R14: 000000000000027b R15: ffff969d49c9fc00
FS: 00007f1e8f1b4180(0000) GS:ffff969e75f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000028 CR3: 0000000104006004 CR4: 00000000003706f0
Call Trace:

? __die+0x23/0x70
? page_fault_oops+0x171/0x4e0
? exc_page_fault+0x7f/0x180
? asm_exc_page_fault+0x26/0x30
? vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]
drm_atomic_helper_cleanup_planes+0x9b/0xc0
commit_tail+0xd1/0x130
drm_atomic_helper_commit+0x11a/0x140
drm_atomic_commit+0x97/0xd0
? __pfx___drm_printfn_info+0x10/0x10
drm_atomic_helper_update_plane+0xf5/0x160
drm_mode_cursor_universal+0x10e/0x270
drm_mode_cursor_common+0x102/0x230
? __pfx_drm_mode_cursor2_ioctl+0x10/0x10
drm_ioctl_kernel+0xb2/0x110
drm_ioctl+0x26d/0x4b0
? __pfx_drm_mode_cursor2_ioctl+0x10/0x10
? __pfx_drm_ioctl+0x10/0x10
vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
__x64_sys_ioctl+0x94/0xd0
do_syscall_64+0x61/0xe0
? __x64_sys_ioctl+0xaf/0xd0
? syscall_exit_to_user_mode+0x2b/0x40
? do_syscall_64+0x70/0xe0
? __x64_sys_ioctl+0xaf/0xd0
? syscall_exit_to_user_mode+0x2b/0x40
? do_syscall_64+0x70/0xe0
? exc_page_fault+0x7f/0x180
entry_SYSCALL_64_after_hwframe+0x6e/0x76
RIP: 0033:0x7f1e93f279ed
Code: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff f>
RSP: 002b:00007ffca0faf600 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000055db876ed2c0 RCX: 00007f1e93f279ed
RDX: 00007ffca0faf6c0 RSI: 00000000c02464bb RDI: 0000000000000015
RBP: 00007ffca0faf650 R08: 000055db87184010 R09: 0000000000000007
R10: 000055db886471a0 R11: 0000000000000246 R12: 00007ffca0faf6c0
R13: 00000000c02464bb R14: 0000000000000015 R15: 00007ffca0faf790

Modules linked in: snd_seq_dummy snd_hrtimer nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_ine>
CR2: 0000000000000028
---[ end trace 0000000000000000 ]---
RIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]
Code: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c0 e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f>
RSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff969d84cdcb00 RCX: 0000000000000027
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff969e75f21600
RBP: ffff969d4143
---truncated---

Severity

Moderate

References

kernel: dyndbg: fix old BUG_ON in >control parser

CVE-2024-35947

More information

Details

In the Linux kernel, the following vulnerability has been resolved:

dyndbg: fix old BUG_ON in >control parser

Fix a BUG_ON from 2009. Even if it looks "unreachable" (I didn't
really look), lets make sure by removing it, doing pr_err and return
-EINVAL instead.

Severity

Moderate

References

kernel: kobject_uevent: Fix OOB access within zap_modalias_env()

CVE-2024-42292

More information

Details

In the Linux kernel, the following vulnerability has been resolved:

kobject_uevent: Fix OOB access within zap_modalias_env()

zap_modalias_env() wrongly calculates size of memory block to move, so
will cause OOB memory access issue if variable MODALIAS is not the last
one within its @​env parameter, fixed by correcting size to memmove.

Severity

Moderate

References

@red-hat-konflux red-hat-konflux bot requested a review from a team as a code owner June 10, 2025 21:06
@codecov-commenter
Copy link

codecov-commenter commented Jun 10, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 28.83%. Comparing base (62b7586) to head (6966140).

✅ All tests successful. No failed tests found.

Additional details and impacted files 
@@              Coverage Diff              @@
##           release-3.22    #2162   +/-   ##
=============================================
  Coverage         28.83%   28.83%           
=============================================
  Files                96       96           
  Lines              5799     5799           
  Branches           2551     2551           
=============================================
  Hits               1672     1672           
  Misses             3408     3408           
  Partials            719      719
Flag Coverage Δ
collector-unit-tests 28.83% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/release-3.22/rpm-updates branch 14 times, most recently from 9c2cb92 to d3dd284 Compare June 17, 2025 22:26
@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/release-3.22/rpm-updates branch 9 times, most recently from 7dd1776 to 5021e15 Compare June 25, 2025 10:28
@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/release-3.22/rpm-updates branch 2 times, most recently from bb2e815 to 34fbe08 Compare June 26, 2025 16:42
@red-hat-konflux
chore(deps): [security]
6966140 
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux bot force-pushed the konflux/mintmaker/release-3.22/rpm-updates branch from 34fbe08 to 6966140 Compare June 26, 2025 21:20
@tommartensen tommartensen merged commit 8713367 into release-3.22 Jun 27, 2025
83 of 86 checks passed
@tommartensen tommartensen deleted the konflux/mintmaker/release-3.22/rpm-updates branch June 27, 2025 07:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tommartensen tommartensen tommartensen approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@codecov-commenter @tommartensen