CVE-2025-23154

Source
https://cve.org/CVERecord?id=CVE-2025-23154
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-23154.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-23154
Published
2025-05-01T12:55:40.923Z
Modified
2026-03-12T20:51:39.803152Z
Summary
io_uring/net: fix io_req_post_cqe abuse by send bundle
Details

In the Linux kernel, the following vulnerability has been resolved:

io_uring/net: fix io_req_post_cqe abuse by send bundle

[ 114.987980][ T5313] WARNING: CPU: 6 PID: 5313 at io_uring/io_uring.c:872 io_req_post_cqe+0x12e/0x4f0
[ 114.991597][ T5313] RIP: 0010:io_req_post_cqe+0x12e/0x4f0
[ 115.001880][ T5313] Call Trace:
[ 115.002222][ T5313] <TASK>
[ 115.007813][ T5313] io_send+0x4fe/0x10f0
[ 115.009317][ T5313] io_issue_sqe+0x1a6/0x1740
[ 115.012094][ T5313] io_wq_submit_work+0x38b/0xed0
[ 115.013223][ T5313] io_worker_handle_work+0x62a/0x1600
[ 115.013876][ T5313] io_wq_worker+0x34f/0xdf0

As the comment states, io_req_post_cqe() should only be used by multishot requests, i.e. REQ_F_APOLL_MULTISHOT, which bundled sends are not. Add a flag signifying whether a request wants to post multiple CQEs. Eventually REQ_F_APOLL_MULTISHOT should imply the new flag, but that's left out for simplicity.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/23xxx/CVE-2025-23154.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a05d1f625c7aa681d8816bc0f10089289ad07aad
Fixed
b7c6d081c19a5e11bbd77bb97a62cff2b6b21cb5
Fixed
7888c9fc0b2d3636f2e821ed1ad3c6920fa8e378
Fixed
9aa804e6b9696998308095fb9d335046a71550f1
Fixed
6889ae1b4df1579bcdffef023e2ea9a982565dff

Affected versions

v6.*
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.13.1
v6.13.10
v6.13.11
v6.13.2
v6.13.3
v6.13.4
v6.13.5
v6.13.6
v6.13.7
v6.13.8
v6.13.9
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1
v6.14.2
v6.9
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-23154.json"