OESA-2025-1318

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1318
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2025-1318.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2025-1318
Upstream
Published
2025-03-21T13:18:36Z
Modified
2025-09-03T06:31:00.713963Z
Summary
kernel security update
Details

The Linux Kernel, the operating system core itself.

Security Fix(es):

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86/mmu: Zap all roots when unmapping gfn range in TDP MMU

Zap both valid and invalid roots when zapping/unmapping a gfn range, as KVM must ensure it holds no references to the freed page after returning from the unmap operation. Most notably, the TDP MMU doesn't zap invalid roots in mmu_notifier callbacks. This leads to use-after-free and other issues if the mmu_notifier runs to completion while an invalid root zapper yields, as KVM fails to honor the requirement that there must be no references to the page after the mmu_notifier returns.

The bug is most easily reproduced by hacking KVM to cause a collision between set_nx_huge_pages() and kvm_mmu_notifier_release(), but the bug exists between kvm_mmu_notifier_invalidate_range_start() and memslot updates as well. Invalidating a root ensures pages aren't accessible by the guest, and KVM won't read or write page data itself, but KVM will trigger e.g. kvm_set_pfn_dirty() when zapping SPTEs, and thus completing a zap of an invalid root after the mmu_notifier returns is fatal.

WARNING: CPU: 24 PID: 1496 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:173 [kvm]
RIP: 0010:kvm_is_zone_device_pfn+0x96/0xa0 [kvm]
Call Trace:
 <TASK>
 kvm_set_pfn_dirty+0xa8/0xe0 [kvm]
 __handle_changed_spte+0x2ab/0x5e0 [kvm]
 __handle_changed_spte+0x2ab/0x5e0 [kvm]
 __handle_changed_spte+0x2ab/0x5e0 [kvm]
 zap_gfn_range+0x1f3/0x310 [kvm]
 kvm_tdp_mmu_zap_invalidated_roots+0x50/0x90 [kvm]
 kvm_mmu_zap_all_fast+0x177/0x1a0 [kvm]
 set_nx_huge_pages+0xb4/0x190 [kvm]
 param_attr_store+0x70/0x100
 module_attr_store+0x19/0x30
 kernfs_fop_write_iter+0x119/0x1b0
 new_sync_write+0x11c/0x1b0
 vfs_write+0x1cc/0x270
 ksys_write+0x5f/0xe0
 do_syscall_64+0x38/0xc0
 entry_SYSCALL_64_after_hwframe+0x44/0xae
 </TASK>

(CVE-2021-47639)

In the Linux kernel, the following vulnerability has been resolved:

ubifs: skip dumping tnc tree when zroot is null

Clearing the slab cache will free all znodes in memory and set c->zroot.znode = NULL; dumping the TNC tree afterwards dereferences c->zroot.znode, which causes a null pointer dereference. (CVE-2024-58058)

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix variable not being completed when function returns

When cmd_alloc_index() fails, cmd_work_handler() needs to complete ent->slotted before returning early. Otherwise the task which issued the command may hang:

mlx5_core 0000:01:00.0: cmd_work_handler:877:(pid 3880418): failed to allocate command entry
INFO: task kworker/13:2:4055883 blocked for more than 120 seconds.
      Not tainted 4.19.90-25.44.v2101.ky10.aarch64 #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
kworker/13:2    D    0 4055883      2 0x00000228
Workqueue: events mlx5e_tx_dim_work [mlx5_core]
Call trace:
 __switch_to+0xe8/0x150
 __schedule+0x2a8/0x9b8
 schedule+0x2c/0x88
 schedule_timeout+0x204/0x478
 wait_for_common+0x154/0x250
 wait_for_completion+0x28/0x38
 cmd_exec+0x7a0/0xa00 [mlx5_core]
 mlx5_cmd_exec+0x54/0x80 [mlx5_core]
 mlx5_core_modify_cq+0x6c/0x80 [mlx5_core]
 mlx5_core_modify_cq_moderation+0xa0/0xb8 [mlx5_core]
 mlx5e_tx_dim_work+0x54/0x68 [mlx5_core]
 process_one_work+0x1b0/0x448
 worker_thread+0x54/0x468
 kthread+0x134/0x138
 ret_from_fork+0x10/0x18

(CVE-2025-21662)

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:22.03-LTS-SP3 / kernel

Package

Name
kernel
Purl
pkg:rpm/openEuler/kernel&distro=openEuler-22.03-LTS-SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0
Unknown introduced version / All previous versions are affected
Fixed
5.10.0-254.0.0.157.oe2203sp3

Ecosystem specific

{
    "src": [
        "kernel-5.10.0-254.0.0.157.oe2203sp3.src.rpm"
    ],
    "x86_64": [
        "kernel-5.10.0-254.0.0.157.oe2203sp3.x86_64.rpm",
        "kernel-debuginfo-5.10.0-254.0.0.157.oe2203sp3.x86_64.rpm",
        "kernel-debugsource-5.10.0-254.0.0.157.oe2203sp3.x86_64.rpm",
        "kernel-devel-5.10.0-254.0.0.157.oe2203sp3.x86_64.rpm",
        "kernel-headers-5.10.0-254.0.0.157.oe2203sp3.x86_64.rpm",
        "kernel-source-5.10.0-254.0.0.157.oe2203sp3.x86_64.rpm",
        "kernel-tools-5.10.0-254.0.0.157.oe2203sp3.x86_64.rpm",
        "kernel-tools-debuginfo-5.10.0-254.0.0.157.oe2203sp3.x86_64.rpm",
        "kernel-tools-devel-5.10.0-254.0.0.157.oe2203sp3.x86_64.rpm",
        "perf-5.10.0-254.0.0.157.oe2203sp3.x86_64.rpm",
        "perf-debuginfo-5.10.0-254.0.0.157.oe2203sp3.x86_64.rpm",
        "python3-perf-5.10.0-254.0.0.157.oe2203sp3.x86_64.rpm",
        "python3-perf-debuginfo-5.10.0-254.0.0.157.oe2203sp3.x86_64.rpm"
    ],
    "aarch64": [
        "kernel-5.10.0-254.0.0.157.oe2203sp3.aarch64.rpm",
        "kernel-debuginfo-5.10.0-254.0.0.157.oe2203sp3.aarch64.rpm",
        "kernel-debugsource-5.10.0-254.0.0.157.oe2203sp3.aarch64.rpm",
        "kernel-devel-5.10.0-254.0.0.157.oe2203sp3.aarch64.rpm",
        "kernel-headers-5.10.0-254.0.0.157.oe2203sp3.aarch64.rpm",
        "kernel-source-5.10.0-254.0.0.157.oe2203sp3.aarch64.rpm",
        "kernel-tools-5.10.0-254.0.0.157.oe2203sp3.aarch64.rpm",
        "kernel-tools-debuginfo-5.10.0-254.0.0.157.oe2203sp3.aarch64.rpm",
        "kernel-tools-devel-5.10.0-254.0.0.157.oe2203sp3.aarch64.rpm",
        "perf-5.10.0-254.0.0.157.oe2203sp3.aarch64.rpm",
        "perf-debuginfo-5.10.0-254.0.0.157.oe2203sp3.aarch64.rpm",
        "python3-perf-5.10.0-254.0.0.157.oe2203sp3.aarch64.rpm",
        "python3-perf-debuginfo-5.10.0-254.0.0.157.oe2203sp3.aarch64.rpm"
    ]
}