In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix crypto buffers in non-linear memory

The crypto API, through the scatterlist API, expects input buffers to be in linear memory. We handle this with the cifs_sg_set_buf() helper, which converts vmalloc'd memory to its corresponding pages. However, when we allocate our aead_request buffer (@creq in smb2ops.c::crypt_message()), we do so with kvzalloc(), which possibly puts aead_request->ctx in the vmalloc area. The AEAD algorithm then uses ->ctx for its private/internal data and operations, and calls sg_set_buf() on such data in a few places.

This works fine as long as @creq falls into the kmalloc zone (small requests) or the vmalloc'd memory is still within linear range. Tasks' stacks are vmalloc'd by default (CONFIG_VMAP_STACK=y), so too many tasks will push the base stacks' addresses to a point where virt_addr_valid(buf) fails, and sg_set_buf() hits BUG() when that happens. In practice: too many parallel reads and writes on an encrypted mount will trigger this bug.

To fix this, always allocate @creq with kmalloc() instead. Also drop the @sensitive_size variable/arguments since kfree_sensitive() doesn't need it.

Backtrace:
[ 945.272081] ------------[ cut here ]------------
[ 945.272774] kernel BUG at include/linux/scatterlist.h:209!
[ 945.273520] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI
[ 945.274412] CPU: 7 UID: 0 PID: 56 Comm: kworker/u33:0 Kdump: loaded Not tainted 6.15.0-lku-11779-g8e9d6efccdd7-dirty #1 PREEMPT(voluntary)
[ 945.275736] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014
[ 945.276877] Workqueue: writeback wb_workfn (flush-cifs-2)
[ 945.277457] RIP: 0010:crypto_gcm_init_common+0x1f9/0x220
[ 945.278018] Code: b0 00 00 00 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 48 c7 c0 00 00 00 80 48 2b 05 5c 58 e5 00 e9 58 ff ff ff <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 48 c7 04 24 01 00 00 00 48 8b
[ 945.279992] RSP: 0018:ffffc90000a27360 EFLAGS: 00010246
[ 945.280578] RAX: 0000000000000000 RBX: ffffc90001d85060 RCX: 0000000000000030
[ 945.281376] RDX: 0000000000080000 RSI: 0000000000000000 RDI: ffffc90081d85070
[ 945.282145] RBP: ffffc90001d85010 R08: ffffc90001d85000 R09: 0000000000000000
[ 945.282898] R10: ffffc90001d85090 R11: 0000000000001000 R12: ffffc90001d85070
[ 945.283656] R13: ffff888113522948 R14: ffffc90001d85060 R15: ffffc90001d85010
[ 945.284407] FS: 0000000000000000(0000) GS:ffff8882e66cf000(0000) knlGS:0000000000000000
[ 945.285262] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 945.285884] CR2: 00007fa7ffdd31f4 CR3: 000000010540d000 CR4: 0000000000350ef0
[ 945.286683] Call Trace:
[ 945.286952] <TASK>
[ 945.287184] ? crypt_message+0x33f/0xad0 [cifs]
[ 945.287719] crypto_gcm_encrypt+0x36/0xe0
[ 945.288152] crypt_message+0x54a/0xad0 [cifs]
[ 945.288724] smb3_init_transform_rq+0x277/0x300 [cifs]
[ 945.289300] smb_send_rqst+0xa3/0x160 [cifs]
[ 945.289944] cifs_call_async+0x178/0x340 [cifs]
[ 945.290514] ? __pfx_smb2_writev_callback+0x10/0x10 [cifs]
[ 945.291177] smb2_async_writev+0x3e3/0x670 [cifs]
[ 945.291759] ? find_held_lock+0x32/0x90
[ 945.292212] ? netfs_advance_write+0xf2/0x310
[ 945.292723] netfs_advance_write+0xf2/0x310
[ 945.293210] netfs_write_folio+0x346/0xcc0
[ 945.293689] ? __pfx__raw_spin_unlock_irq+0x10/0x10
[ 945.294250] netfs_writepages+0x117/0x460
[ 945.294724] do_writepages+0xbe/0x170
[ 945.295152] ? find_held_lock+0x32/0x90
[ 945.295600] ? kvm_sched_clock_read+0x11/0x20
[ 945.296103] __writeback_single_inode+0x56/0x4b0
[ 945.296643] writeback_sb_inodes+0x229/0x550
[ 945.297140] __writeback_inodes_wb+0x4c/0xe0
[ 945.297642] wb_writeback+0x2f1/0x3f0
[ 945.298069] wb_workfn+0x300/0x490
[ 945.298472] process_one_work+0x1fe/0x590
[ 945.298949] worker_thread+0x1ce/0x3c0
[ 945.299397] ? __pfx_worker_thread+0x10/0x10
[ 945.299900] kthr ---truncated---
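To make the allocator choice concrete, the following is an added user-space C model of the mechanism the description above explains; it is not kernel code and not the fix itself. It emulates a linear-map arena in which virt_addr_valid() holds, a separately allocated "vmalloc" region in which it does not, a kvzalloc() that falls back to vmalloc when kmalloc fails (modelled as a fixed size threshold, a constructed simplification), and an sg_set_buf() that returns -1 where the kernel's CONFIG_DEBUG_SG check does BUG_ON(!virt_addr_valid(buf)). Every model_* name, the arena size and the threshold are assumptions made for this illustration; the model also treats every vmalloc address as non-linear, whereas the real virt_addr_valid() is a pfn check that some vmalloc addresses happen to pass until the vmalloc base has moved, which is why the kernel bug only shows up under load.

```c
/*
 * User-space model of "crypto buffers in non-linear memory" (constructed example,
 * not Linux kernel code). Everything prefixed model_ is a stand-in for the
 * kernel helper of the same name.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096u
/* Constructed threshold: in this model kmalloc "fails" above 8 pages, which
 * stands in for the allocation failures that make kvmalloc fall back to vmalloc. */
#define MODEL_KMALLOC_MAX (8u * MODEL_PAGE_SIZE)

/* The model's linear map: one static arena handed out bump-style. */
static unsigned char linear_arena[64 * MODEL_PAGE_SIZE];
static size_t linear_used;

/* virt_addr_valid(): true only for addresses inside the linear map. */
static bool model_virt_addr_valid(const void *p)
{
    const unsigned char *c = p;
    return c >= linear_arena && c < linear_arena + sizeof linear_arena;
}

/* kmalloc(): always linear memory; NULL when the request cannot be served. */
static void *model_kmalloc(size_t size)
{
    if (size > MODEL_KMALLOC_MAX || linear_used + size > sizeof linear_arena)
        return NULL;
    void *p = linear_arena + linear_used;
    linear_used += (size + 63) & ~(size_t)63;   /* 64-byte slab-style alignment */
    return p;
}

/* vmalloc(): memory outside the arena, i.e. non-linear in this model. */
static void *model_vmalloc(size_t size) { return malloc(size); }

/* kvzalloc(): try kmalloc first, fall back to vmalloc, then zero the result. */
static void *model_kvzalloc(size_t size)
{
    void *p = model_kmalloc(size);
    if (!p)
        p = model_vmalloc(size);
    if (p)
        memset(p, 0, size);
    return p;
}

/* kvfree(): arena memory is never returned in this bump model; only the
 * vmalloc'd fallback goes back to free(). */
static void model_kvfree(void *p)
{
    if (p && !model_virt_addr_valid(p))
        free(p);
}

/* sg_set_buf(): the kernel does BUG_ON(!virt_addr_valid(buf)) under
 * CONFIG_DEBUG_SG; the model reports -1 instead of crashing. */
static int model_sg_set_buf(const void *buf)
{
    return model_virt_addr_valid(buf) ? 0 : -1;
}

/* aead_request followed by the algorithm's private context (->ctx), parts of
 * which the AEAD implementation hands to sg_set_buf(). */
struct model_aead_request {
    unsigned char hdr[64];   /* request bookkeeping */
    unsigned char ctx[];     /* AEAD private data */
};

/*
 * Returns 0 when the AEAD's internal sg_set_buf() on ->ctx succeeds, -1 when
 * it would have hit BUG(), and -2 when the allocation itself failed (the
 * kernel would return -ENOMEM). use_kvzalloc selects the pre-fix allocator.
 */
static int model_crypt_message(size_t ctx_size, bool use_kvzalloc)
{
    size_t total = sizeof(struct model_aead_request) + ctx_size;
    struct model_aead_request *creq =
        use_kvzalloc ? model_kvzalloc(total) : model_kmalloc(total);
    if (!creq)
        return -2;
    int rc = model_sg_set_buf(creq->ctx);
    model_kvfree(creq);
    return rc;
}

int main(void)
{
    size_t small = 256, large = 16 * MODEL_PAGE_SIZE;
    printf("small request: kvzalloc=%d kmalloc=%d\n",
           model_crypt_message(small, true), model_crypt_message(small, false));
    printf("large request: kvzalloc=%d kmalloc=%d\n",
           model_crypt_message(large, true), model_crypt_message(large, false));
    return 0;
}
```

The small request succeeds either way, which is the "works fine as long as @creq falls into the kmalloc zone" case. For the large request the kvzalloc() path hands the crypto code memory that fails the linear-map check (the BUG() in the backtrace), while the kmalloc() path fails cleanly with an allocation error; trading a possible -ENOMEM for a guaranteed-linear buffer is exactly the choice the fix makes.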