This bug was fixed in the package linux-hwe-6.14 - 6.14.0-24.24~24.04.3
---------------
linux-hwe-6.14 (6.14.0-24.24~24.04.3) noble; urgency=medium
* noble/linux-hwe-6.14: 6.14.0-24.24~24.04.3 -proposed tracker (LP:
#2116100)
* [UBUNTU 25.04] lszcrypt output shows no cards because ap module has to be
loaded manually (LP: #2116061)
- [Config] s390: Build ap driver into the kernel
* auxiliary intel_ipu6.psys.40: deferred probe pending: (reason unknown)
(LP: #2115083)
- [Packaging] debian.hwe-6.14/dkms-versions -- update from kernel-versions
(main/2025.06.16)
* Don't suggests fdutils package anymore (LP: #2104355)
- [Packaging] Stop suggesting fdutils from linux-image
linux-hwe-6.14 (6.14.0-24.24~24.04.2) noble; urgency=medium
* noble/linux-hwe-6.14: 6.14.0-24.24~24.04.2 -proposed tracker (LP:
#2115477)
* Creating a VXLAN interface with a Fan mapping causes a NULL pointer
dereference caught by ubuntu_fan_smoke_test:sut-scan (LP: #2113992)
- SAUCE: fan: vxlan: parse fan-map from IFLA_VXLAN_FAN_MAP attribute ID
linux-hwe-6.14 (6.14.0-24.24~24.04.1) noble; urgency=medium
* noble/linux-hwe-6.14: 6.14.0-24.24~24.04.1 -proposed tracker (LP:
#2114499)
* Packaging resync (LP: #1786013)
- [Packaging] update variants
- [Packaging] debian.hwe-6.14/dkms-versions -- update from kernel-versions
(main/2025.06.16)
[ Ubuntu: 6.14.0-24.24 ]
* plucky/linux: 6.14.0-24.24 -proposed tracker (LP: #2114501)
* Packaging resync (LP: #1786013)
- [Packaging] update variants
- [Packaging] update annotations scripts
- [Packaging] debian.master/dkms-versions -- update from kernel-versions
(main/2025.06.16)
* Apple spi keyboard/trackpad not working 25.04 (LP: #2107976)
- iommu/vt-d: Restore context entry setup order for aliased devices
* Unexpected system reboot at loading GUI session on some AMD platforms
(LP: #2112462)
- drm/amdgpu/hdp4: use memcfg register to post the write for HDP flush
- drm/amdgpu/hdp5: use memcfg register to post the write for HDP flush
- drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush
- drm/amdgpu/hdp6: use memcfg register to post the write for HDP flush
- drm/amdgpu/hdp7: use memcfg register to post the write for HDP flush
* Fix ARL-U/H suspend issues (LP: #2112469)
- platform/x86/intel/pmc: Remove duplicate enum
- platform/x86:intel/pmc: Make tgl_core_generic_init() static
- platform/x86:intel/pmc: Create generic_core_init() for all platforms
- platform/x86/intel/pmc: Remove simple init functions
- platform/x86/intel/pmc: Add Arrow Lake U/H support to intel_pmc_core
driver
- platform/x86/intel/pmc: Fix Arrow Lake U/H NPU PCI ID
* [UBUNTU 24.04] s390/pci: Fix immediate re-add of PCI function after remove
(LP: #2114174)
- s390/pci: Remove redundant bus removal and disable from
zpci_release_device()
- s390/pci: Prevent self deletion in disable_slot()
- s390/pci: Allow re-add of a reserved but not yet removed device
- s390/pci: Serialize device addition and removal
* [UBUNTU 24.04] s390/pci: Fix immediate re-add of PCI function after remove
(LP: #2114174) // CVE-2025-37946
- s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has
child VFs
* [UBUNTU 24.04] s390/pci: Fix immediate re-add of PCI function after remove
(LP: #2114174) // CVE-2025-37974
- s390/pci: Fix missing check for zpci_create_device() error return
* HW accelerated video playback causes VCN timeout on VCN 4.0.5 (AMD Strix)
(LP: #2112582)
- drm/amdgpu: read back register after written for VCN v4.0.5
* kvmppc_set_passthru_irq_hv: Could not assign IRQ map traces are seen when
pci device is attached to kvm guest when "xive=off" is set (LP: #2109951)
- KVM: PPC: Book3S HV: Fix IRQ map warnings with XICS on pSeries KVM Guest
* System will restart while resuming with SATA HDD or nvme installed with
password set (LP: #2110090)
- PCI: Explicitly put devices into D0 when initializing
* VM boots slowly with large-BAR GPU Passthrough (Root Cause Fix SRU)
(LP: #2111861)
- mm: Provide address mask in struct follow_pfnmap_args
- vfio/type1: Convert all vaddr_get_pfns() callers to use vfio_batch
- vfio/type1: Catch zero from pin_user_pages_remote()
- vfio/type1: Use vfio_batch for vaddr_get_pfns()
- vfio/type1: Use consistent types for page counts
- vfio/type1: Use mapping page mask for pfnmaps
* Plucky update: v6.14.6 upstream stable release (LP: #2113881)
- Revert "rndis_host: Flag RNDIS modems as WWAN devices"
- ALSA: hda/realtek - Add more HP laptops which need mute led fixup
- ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface()
- ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset
- ASoC: renesas: rz-ssi: Use NOIRQ_SYSTEM_SLEEP_PM_OPS()
- btrfs: fix COW handling in run_delalloc_nocow()
- cpufreq: intel_pstate: Unchecked MSR aceess in legacy mode
- drm/fdinfo: Protect against driver unbind
- EDAC/altera: Test the correct error reg offset
- EDAC/altera: Set DDR and SDMMC interrupt mask before registration
- i2c: imx-lpi2c: Fix clock count when probe defers
- pinctrl: airoha: fix wrong PHY LED mapping and PHY2 LED defines
- perf/x86/intel: Only check the group flag for X86 leader
- amd-xgbe: Fix to ensure dependent features are toggled with RX checksum
offload
- mm/memblock: pass size instead of end to memblock_set_node()
- mm/memblock: repeat setting reserved region nid if array is doubled
- mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe
- spi: tegra114: Don't fail set_cs_timing when delays are zero
- tracing: Do not take trace_event_sem in print_event_fields()
- x86/boot/sev: Support memory acceptance in the EFI stub under SVSM
- dm-integrity: fix a warning on invalid table line
- dm: always update the array size in realloc_argv on success
- drm/amdgpu: Fix offset for HDP remap in nbio v7.11
- drm: Select DRM_KMS_HELPER from DRM_DEBUG_DP_MST_TOPOLOGY_REFS
- iommu/arm-smmu-v3: Fix iommu_device_probe bug due to duplicated stream
ids
- iommu/arm-smmu-v3: Fix pgsize_bit for sva domains
- iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57)
- platform/x86/amd: pmc: Require at least 2.5 seconds between HW sleep
cycles
- platform/x86/intel-uncore-freq: Fix missing uncore sysfs during CPU
hotplug
- smb: client: fix zero length for mkdir POSIX create context
- cpufreq: Avoid using inconsistent policy->min and policy->max
- cpufreq: Fix setting policy limits when frequency tables are used
- bcachefs: Remove incorrect __counted_by annotation
- drm/amd/display: Default IPS to RCG_IN_ACTIVE_IPS2_IN_OFF
- ASoC: soc-core: Stop using of_property_read_bool() for non-boolean
properties
- ASoC: cs-amp-lib-test: Don't select SND_SOC_CS_AMP_LIB
- firmware: cs_dsp: tests: Depend on FW_CS_DSP rather then enabling it
- ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence
- Revert "UBUNTU: SAUCE: powerpc64/ftrace: fix module loading without
patchable function entries"
- pinctrl: imx: Return NULL if no group is matched and found
- powerpc/boot: Check for ld-option support
- ASoC: Intel: sof_sdw: Add NULL check in asoc_sdw_rt_dmic_rtd_init()
- iommu/arm-smmu-v3: Add missing S2FWB feature detection
- ALSA: hda/realtek - Enable speaker for HP platform
- drm/i915/pxp: fix undefined reference to
`intel_pxp_gsccs_is_ready_for_sessions'
- wifi: iwlwifi: back off on continuous errors
- wifi: iwlwifi: don't warn if the NIC is gone in resume
- wifi: iwlwifi: fix the check for the SCRATCH register upon resume
- powerpc/boot: Fix dash warning
- xsk: Fix offset calculation in unaligned mode
- net/mlx5e: Use custom tunnel header for vxlan gbp
- net/mlx5: E-Switch, Initialize MAC Address for Default GID
- net/mlx5e: TC, Continue the attr process even if encap entry is invalid
- net/mlx5e: Fix lock order in mlx5e_tx_reporter_ptpsq_unhealthy_recover
- net/mlx5: E-switch, Fix error handling for enabling roce
- accel/ivpu: Correct DCT interrupt handling
- cpufreq: Introduce policy->boost_supported flag
- cpufreq: acpi: Set policy->boost_supported
- cpufreq: ACPI: Re-sync CPU boost state on system resume
- Bluetooth: hci_conn: Fix not setting conn_timeout for Broadcast Receiver
- Bluetooth: hci_conn: Fix not setting timeout for BIG Create Sync
- Bluetooth: btintel_pcie: Avoid redundant buffer allocation
- Bluetooth: btintel_pcie: Add additional to checks to clear TX/RX paths
- Bluetooth: L2CAP: copy RX timestamp to new fragments
- net: mscc: ocelot: delete PVID VLAN when readding it as non-PVID
- octeon_ep_vf: Resolve netdevice usage count issue
- bnxt_en: improve TX timestamping FIFO configuration
- rtase: Modify the condition used to detect overflow in
rtase_calc_time_mitigation
- net: ethernet: mtk-star-emac: rearm interrupts in rx_poll only when
advised
- net: ethernet: mtk_eth_soc: sync mtk_clks_source_name array
- pds_core: make pdsc_auxbus_dev_del() void
- pds_core: specify auxiliary_device to be created
- ice: Don't check device type when checking GNSS presence
- ice: Remove unnecessary ice_is_e8xx() functions
- ice: fix Get Tx Topology AQ command error on E830
- idpf: fix offloads support for encapsulated packets
- scsi: ufs: core: Remove redundant query_complete trace
- drm/xe/guc: Fix capture of steering registers
- pinctrl: qcom: Fix PINGROUP definition for sm8750
- nvme-pci: fix queue unquiesce check on slot_reset
- drm/tests: shmem: Fix memleak
- drm/mipi-dbi: Fix blanking for non-16 bit formats
- net: dlink: Correct endianness handling of led_mode
- net: mdio: mux-meson-gxl: set reversed bit when using internal phy
- idpf: fix potential memory leak on kcalloc() failure
- idpf: protect shutdown from reset
- igc: fix lock order in igc_ptp_reset
- net: dsa: felix: fix broken taprio gate states after clock jump
- net: ipv6: fix UDPv6 GSO segmentation with NAT
- ALSA: hda/realtek: Fix built-mic regression on other ASUS models
- bnxt_en: Fix ethtool selftest output in one of the failure cases
- bnxt_en: Add missing skb_mark_for_recycle() in bnxt_rx_vlan()
- bnxt_en: call pci_alloc_irq_vectors() after bnxt_reserve_rings()
- bnxt_en: Fix coredump logic to free allocated buffer
- bnxt_en: Fix ethtool -d byte order for 32-bit values
- nvme-tcp: fix premature queue removal and I/O failover
- nvme-tcp: select CONFIG_TLS from CONFIG_NVME_TCP_TLS
- nvmet-tcp: select CONFIG_TLS from CONFIG_NVME_TARGET_TCP_TLS
- ASoC: stm32: sai: skip useless iterations on kernel rate loop
- ASoC: stm32: sai: add a check on minimal kernel frequency
- bnxt_en: fix module unload sequence
- net: fec: ERR007885 Workaround for conventional TX
- net: hns3: store rx VLAN tag offload state for VF
- net: hns3: fix an interrupt residual problem
- net: hns3: fixed debugfs tm_qset size
- net: hns3: defer calling ptp_clock_register()
- net: vertexcom: mse102x: Fix possible stuck of SPI interrupt
- net: vertexcom: mse102x: Fix LEN_MASK
- net: vertexcom: mse102x: Add range check for CMD_RTS
- net: vertexcom: mse102x: Fix RX error handling
- accel/ivpu: Abort all jobs after command queue unregister
- accel/ivpu: Add handling of VPU_JSM_STATUS_MVNCI_CONTEXT_VIOLATION_HW
- drm/xe: Invalidate L3 read-only cachelines for geometry streams too
- platform/x86: alienware-wmi-wmax: Add support for Alienware m15 R7
- ublk: add helper of ublk_need_map_io()
- ublk: properly serialize all FETCH_REQs
- ublk: move device reset into ublk_ch_release()
- ublk: improve detection and handling of ublk server exit
- ublk: remove __ublk_quiesce_dev()
- ublk: simplify aborting ublk request
- firmware: arm_ffa: Skip Rx buffer ownership release if not acquired
- arm64: dts: imx95: Correct the range of PCIe app-reg region
- ARM: dts: opos6ul: add ksz8081 phy properties
- arm64: dts: st: Adjust interrupt-controller for stm32mp25 SoCs
- arm64: dts: st: Use 128kB size for aliased GIC400 register access on
stm32mp25 SoCs
- block: introduce zone capacity helper
- btrfs: zoned: skip reporting zone for new block group
- kernel: param: rename locate_module_kobject
- kernel: globalize lookup_or_create_module_kobject()
- drivers: base: handle module_kobject creation
- btrfs: expose per-inode stable writes flag
- btrfs: pass struct btrfs_inode to btrfs_read_locked_inode()
- btrfs: pass struct btrfs_inode to btrfs_iget_locked()
- drm/amd/display: Add scoped mutexes for amdgpu_dm_dhcp
- bcachefs: Change btree_insert_node() assertion to error
- dm: fix copying after src array boundaries
- Linux 6.14.6
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37903
- drm/amd/display: Fix slab-use-after-free in hdcp
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37904
- btrfs: fix the inode leak in btrfs_iget()
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37905
- firmware: arm_scmi: Balance device refcount when destroying devices
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37906
- ublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37907
- accel/ivpu: Fix locking order in ivpu_job_submit
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37908
- mm, slab: clean up slab->obj_exts always
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37933
- octeon_ep: Fix host hang issue during device reboot
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37909
- net: lan743x: Fix memleak issue when GSO enabled
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37910
- ptp: ocp: Fix NULL dereference in Adva board SMA sysfs operations
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37894
- net: use sock_gen_put() when sk_state is TCP_TIME_WAIT
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37934
- ASoC: simple-card-utils: Fix pointer check in
graph_util_parse_link_direction
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37911
- bnxt_en: Fix out-of-bound memcpy() during ethtool -w
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37895
- bnxt_en: Fix error handling path in bnxt_init_chip()
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37935
- net: ethernet: mtk_eth_soc: fix SER panic with 4GB+ RAM
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37891
- ALSA: ump: Fix buffer overflow at UMP SysEx message conversion
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37912
- ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr()
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37913
- net_sched: qfq: Fix double list add in class with netem as child qdisc
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37914
- net_sched: ets: Fix double list add in class with netem as child qdisc
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37915
- net_sched: drr: Fix double list add in class with netem as child qdisc
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37916
- pds_core: remove write-after-free of client_id
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37917
- net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx
poll
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37918
- Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue()
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37919
- ASoC: amd: acp: Fix NULL pointer deref in acp_i2s_set_tdm_slot
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37896
- spi: spi-mem: Add fix to avoid divide error
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37920
- xsk: Fix race condition in AF_XDP generic RX path
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37921
- vxlan: vnifilter: Fix unlocked deletion of default FDB entry
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37897
- wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37898
- powerpc64/ftrace: fix module loading without patchable function entries
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37922
- book3s64/radix : Align section vmemmap start address to PAGE_SIZE
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37923
- tracing: Fix oob write in trace_seq_to_buffer()
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37899
- ksmbd: fix use-after-free in session logoff
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37924
- ksmbd: fix use-after-free in kerberos authentication
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37926
- ksmbd: fix use-after-free in ksmbd_session_rpc_open
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37900
- iommu: Fix two issues in iommu_copy_struct_from_user()
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37927
- iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37928
- dm-bufio: don't schedule in atomic context
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37990
- wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37901
- irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37936
- perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's
value.
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37991
- parisc: Fix double SIGFPE crash
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37929
- arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37930
- drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill()
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37931
- btrfs: adjust subpage bit start based on sectorsize
* Support Sony IMX471 camera sensor for Intel IPU7 platforms (LP: #2107320)
- SAUCE: media: ipu-bridge: Support imx471 sensor
* deadlock on cpu_hotplug_lock in __accept_page() (LP: #2109543)
- mm/page_alloc: fix deadlock on cpu_hotplug_lock in __accept_page()
* Plucky fails to boot on (older) Macs (LP: #2105402)
- SAUCE: hack: efi/libstub: enable t14s boot failure hack only on arm64
* CVE-2025-37798
- sch_htb: make htb_qlen_notify() idempotent
- sch_htb: make htb_deactivate() idempotent
- sch_drr: make drr_qlen_notify() idempotent
- sch_hfsc: make hfsc_qlen_notify() idempotent
- sch_qfq: make qfq_qlen_notify() idempotent
- sch_ets: make est_qlen_notify() idempotent
- selftests/tc-testing: Add a test case for FQ_CODEL with HTB parent
- selftests/tc-testing: Add a test case for FQ_CODEL with QFQ parent
- selftests/tc-testing: Add a test case for FQ_CODEL with HFSC parent
- selftests/tc-testing: Add a test case for FQ_CODEL with DRR parent
- selftests/tc-testing: Add a test case for FQ_CODEL with ETS parent
* CVE-2025-37997
- netfilter: ipset: fix region locking in hash types
* CVE-2025-37890
- net_sched: hfsc: Fix a UAF vulnerability in class with netem as child
qdisc
- sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()
- net_sched: hfsc: Address reentrant enqueue adding class to eltree twice
-- Stefan Bader <[email protected]> Mon, 07 Jul 2025 16:27:57 +0200
** Changed in: linux-hwe-6.14 (Ubuntu Noble)
Status: Fix Committed => Fix Released
--
https://bugs.launchpad.net/bugs/2113992
Title:
Creating a VXLAN interface with a Fan mapping causes a NULL pointer
dereference caught by ubuntu_fan_smoke_test:sut-scan
Status in linux package in Ubuntu:
Invalid
Status in linux-gcp package in Ubuntu:
Invalid
Status in linux-hwe-6.14 package in Ubuntu:
New
Status in linux source package in Noble:
Invalid
Status in linux-gcp source package in Noble:
Invalid
Status in linux-hwe-6.14 source package in Noble:
Fix Released
Status in linux source package in Plucky:
Fix Committed
Status in linux-gcp source package in Plucky:
New
Status in linux-hwe-6.14 source package in Plucky:
Invalid
Bug description:
SRU Justification:
[Impact]
Creating a VXLAN link with a Fan map reliably results in a kernel NULL
pointer dereference.
[ 1035.676861] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 1035.678459] #PF: supervisor read access in kernel mode
[ 1035.679321] #PF: error_code(0x0000) - not-present page
[ 1035.680092] PGD 0 P4D 0
[ 1035.680509] Oops: Oops: 0000 [#1] PREEMPT SMP PTI
[ 1035.681179] CPU: 1 UID: 0 PID: 8470 Comm: ip Not tainted 6.14.0-15-generic #15-Ubuntu
[ 1035.682291] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)/LXD, BIOS unknown 2/2/2022
...
This affects 6.14 kernels only.
[Fix]
Author: Jacob Martin <[email protected]>
Date: Fri Jun 13 10:33:42 2025 -0500
UBUNTU: SAUCE: fan: vxlan: parse fan-map from IFLA_VXLAN_FAN_MAP
attribute ID
BugLink: https://bugs.launchpad.net/bugs/2113992
Before 6c11379b104e ("vxlan: Add an attribute to make VXLAN header
validation configurable"), IFLA_IPTUN_FAN_MAP and IFLA_VXLAN_FAN_MAP
shared the same integer value, allowing them to be used interchangeably
without issue, even though they represented attributes for different
link types. The introduction of IFLA_VXLAN_RESERVED_BITS led to
IFLA_VXLAN_FAN_MAP's integer value being incremented by 1 (33 to 34).
Thus the presence of attribute IFLA_VXLAN_FAN_MAP is checked but parsing
of the fan-map is attempted by accessing IFLA_IPTUN_FAN_MAP, causing a
NULL pointer dereference when creating a VXLAN device with a Fan
mapping.
This is resolved by adjusting the vxlan_parse_fan_map() function to
access the correct IFLA_VXLAN_FAN_MAP attribute instead of
IFLA_IPTUN_FAN_MAP.
Fixes: 9ce64bb8afd8 ("UBUNTU: SAUCE: fan: add VXLAN implementation")
Signed-off-by: Jacob Martin <[email protected]>
[Test Plan]
The NULL pointer dereference can be reproduced 100% of the time with the
following:
# ip link add vxlan0 type vxlan dstport 0 local 192.168.0.1 id 16384000 fan-map 240.0.0.0/8:192.168.0.0/16
Thus, this can be used to easily verify the issue was resolved.
I also ran the ubuntu_fan_smoke_test autotest test after patching the
kernel, and verified that it now passes.
[Where problems could occur]
This change affects the vxlan driver, specifically the code that parses
an optional Ubuntu Fan configuration. Issues could manifest as
misbehavior of the vxlan driver.
-------------- above SRU justification added by ~jacobmartin --------------
SRU cycle 2025.05.19 regression test results showed a kernel panic
caused by test ubuntu_fan_smoke_test:sut-scan for plucky:linux-gcp
6.14.0-1008.8.
The failure was subsequently determined to affect the generic kernel
as well.
[ 1012.062312] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 1012.069603] #PF: supervisor read access in kernel mode
[ 1012.074864] #PF: error_code(0x0000) - not-present page
[ 1012.080097] PGD 0 P4D 0
[ 1012.082728] Oops: Oops: 0000 [#1] SMP NOPTI
[ 1012.087010] CPU: 2 UID: 0 PID: 4687 Comm: ip Not tainted 6.14.0-1008-gcp
#8-Ubuntu
[ 1012.094688] Hardware name: Google Google Compute Engine/Google Compute
Engine, BIOS Google 05/29/2025
[ 1012.104000] RIP: 0010:vxlan_nl2conf+0xa5/0xff0 [vxlan]
[ 1012.109256] Code: 48 85 c0 0f 84 4c 06 00 00 8b 40 04 89 43 04 b8 02 00 00
00 66 89 03 49 83 bc 24 10 01 00 00 00 74 6d 49 8b 84 24 08 01 00 00 <0f> b7 38
8d 57 fc 0f b7 d2 83 fa 03 7e 57 49 81 c2 80 0a 00 00 48
[ 1012.128119] RSP: 0018:ffffa1f802c63380 EFLAGS: 00010286
[ 1012.133439] RAX: 0000000000000000 RBX: ffffa1f802c63418 RCX:
0000000000000000
[ 1012.140668] RDX: ffff95bcce0d2000 RSI: 0000000000000000 RDI:
ffffa1f802c63490
[ 1012.147898] RBP: ffffa1f802c63400 R08: 0000000000000000 R09:
ffffa1f802c63760
[ 1012.155128] R10: ffff95bcce0d2000 R11: 0000000000000000 R12:
ffff95bd2f144a48
[ 1012.162356] R13: ffffa1f802c63760 R14: 00ffffff00000008 R15:
0000000000000000
[ 1012.169588] FS: 00007eb23310c840(0000) GS:ffff95cbbf700000(0000)
knlGS:0000000000000000
[ 1012.177777] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1012.183618] CR2: 0000000000000000 CR3: 000000015b6a3002 CR4:
0000000000370ef0
[ 1012.190850] Call Trace:
[ 1012.193393] <TASK>
[ 1012.195589] ? alloc_netdev_mqs+0x3bc/0x560
[ 1012.199869] ? __kvmalloc_node_noprof+0x5f/0x100
[ 1012.204584] vxlan_newlink+0x58/0xb0 [vxlan]
[ 1012.208971] ? vxlan_newlink+0x58/0xb0 [vxlan]
[ 1012.213515] rtnl_newlink_create+0x118/0x2a0
[ 1012.217884] __rtnl_newlink+0xc4/0x3f0
[ 1012.221730] rtnl_newlink+0x4df/0x960
[ 1012.225513] rtnetlink_rcv_msg+0x22f/0x440
[ 1012.229705] ? srso_alias_return_thunk+0x5/0xfbef5
[ 1012.234590] ? update_io_ticks+0x79/0x80
[ 1012.238620] ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[ 1012.243334] netlink_rcv_skb+0x55/0x100
[ 1012.247270] rtnetlink_rcv+0x15/0x30
[ 1012.250940] netlink_unicast+0x229/0x350
[ 1012.254957] netlink_sendmsg+0x214/0x460
[ 1012.258974] ____sys_sendmsg+0x3b4/0x3f0
[ 1012.262994] ___sys_sendmsg+0x9a/0xf0
[ 1012.266754] __sys_sendmsg+0x8d/0xf0
[ 1012.270426] __x64_sys_sendmsg+0x1d/0x30
[ 1012.274441] x64_sys_call+0x6f9/0x2310
[ 1012.278285] do_syscall_64+0x7e/0x170
[ 1012.282045] ? srso_alias_return_thunk+0x5/0xfbef5
[ 1012.286929] ? filemap_map_pages+0x523/0x5d0
[ 1012.291293] ? __lruvec_stat_mod_folio+0x79/0xd0
[ 1012.296006] ? srso_alias_return_thunk+0x5/0xfbef5
[ 1012.300891] ? srso_alias_return_thunk+0x5/0xfbef5
[ 1012.305778] ? do_read_fault+0xee/0x1e0
[ 1012.309711] ? srso_alias_return_thunk+0x5/0xfbef5
[ 1012.314596] ? do_fault+0x151/0x210
[ 1012.318180] ? srso_alias_return_thunk+0x5/0xfbef5
[ 1012.323065] ? handle_pte_fault+0x97/0x1f0
[ 1012.327260] ? srso_alias_return_thunk+0x5/0xfbef5
[ 1012.332406] ? __handle_mm_fault+0x3d2/0x7a0
[ 1012.336773] ? srso_alias_return_thunk+0x5/0xfbef5
[ 1012.341657] ? rseq_get_rseq_cs+0x22/0x240
[ 1012.345853] ? srso_alias_return_thunk+0x5/0xfbef5
[ 1012.350737] ? rseq_ip_fixup+0x8d/0x1a0
[ 1012.354683] ? srso_alias_return_thunk+0x5/0xfbef5
[ 1012.359568] ? arch_exit_to_user_mode_prepare.isra.0+0xc8/0xd0
[ 1012.365495] ? srso_alias_return_thunk+0x5/0xfbef5
[ 1012.370380] ? irqentry_exit_to_user_mode+0x2d/0x1d0
[ 1012.375441] ? srso_alias_return_thunk+0x5/0xfbef5
[ 1012.380325] ? irqentry_exit+0x21/0x40
[ 1012.384171] ? srso_alias_return_thunk+0x5/0xfbef5
[ 1012.389055] ? exc_page_fault+0x96/0x1a0
[ 1012.393084] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 1012.398230] RIP: 0033:0x7eb23329f2a6
[ 1012.401906] Code: 00 00 48 8b 15 53 1b 17 00 64 89 02 48 c7 c2 ff ff ff ff
48 8b 5d f8 c9 48 89 d0 c3 0f 1f 84 00 00 00 00 00 48 8b 45 10 0f 05 <48> 63 d0
3d 00 f0 ff ff 77 10 48 8b 5d f8 48 89 d0 c9 c3 0f 1f 80
[ 1012.421218] RSP: 002b:00007ffe067eedb0 EFLAGS: 00000202 ORIG_RAX:
000000000000002e
[ 1012.428886] RAX: ffffffffffffffda RBX: 00007eb23310c840 RCX:
00007eb23329f2a6
[ 1012.436223] RDX: 0000000000000000 RSI: 00007ffe067eee40 RDI:
0000000000000003
[ 1012.443452] RBP: 00007ffe067eedc0 R08: 0000000000000000 R09:
0000000000000000
[ 1012.450680] R10: 0000000000000000 R11: 0000000000000202 R12:
0000000000000048
[ 1012.457908] R13: 00005c51e00c1040 R14: 000000000000002c R15:
00007ffe067ef4c8
[ 1012.465141] </TASK>
[ 1012.467419] Modules linked in: vxlan ip6_udp_tunnel udp_tunnel
xt_conntrack nft_chain_nat xt_MASQUERADE nf_nat bridge xfrm_user xfrm_algo
xt_addrtype nft_compat nf_tables overlay binfmt_misc 8021q garp mrp stp llc
nls_iso8859_1 input_leds sch_fq_codel nvme_fabrics efi_pstore dm_multipath
vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock
vmw_vmci dmi_sysfs ip_tables x_tables autofs4 btrfs blake2b_generic raid10
raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq
raid1 raid0 linear polyval_clmulni polyval_generic ghash_clmulni_intel psmouse
sha256_ssse3 sha1_ssse3 gve serio_raw virtio_rng aesni_intel crypto_simd cryptd
[ 1012.527936] CR2: 0000000000000000
[ 1012.531362] ---[ end trace 0000000000000000 ]---
[ 1012.643445] Kernel panic - not syncing: Fatal exception
[ 1012.649071] Kernel Offset: 0x1d000000 from 0xffffffff81000000 (relocation
range: 0xffffffff80000000-0xffffffffbfffffff)
[ 1012.686314] Rebooting in 10 seconds..
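The attribute-ID mismatch described in the [Fix] section above, as an added userspace model in C; it is not the Ubuntu patch or kernel code. The MODEL_* names, the fan-map entry layout and the sample message are constructed for the example; only the values 33 and 34 come from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Attribute IDs as given in the report: both were 33 until
 * IFLA_VXLAN_RESERVED_BITS was added, which moved the VXLAN one to 34.
 * The MODEL_* names are local to this example. */
enum {
    MODEL_IPTUN_FAN_MAP = 33,
    MODEL_VXLAN_FAN_MAP = 34,
    MODEL_ATTR_MAX      = 34
};

/* Minimal stand-in for a netlink attribute header (length, then type). */
struct model_nlattr {
    uint16_t nla_len;   /* header plus payload, in bytes */
    uint16_t nla_type;
};
#define MODEL_HDRLEN sizeof(struct model_nlattr)

/* One fan-map entry; this layout is an assumption made for the example. */
struct model_fan_map {
    uint32_t underlay, underlay_prefix, overlay, overlay_prefix;
};

/* Index the attributes in buf by type, the way a tb[] table is filled.
 * Slots for attributes that are not in the message stay NULL. */
static int model_parse(const unsigned char *tb[], const unsigned char *buf,
                       size_t len)
{
    size_t off = 0;

    memset(tb, 0, sizeof(tb[0]) * (MODEL_ATTR_MAX + 1));
    while (off + MODEL_HDRLEN <= len) {
        struct model_nlattr h;

        memcpy(&h, buf + off, sizeof(h));
        if (h.nla_len < MODEL_HDRLEN || h.nla_len > len - off)
            return -1;                       /* malformed attribute */
        if (h.nla_type <= MODEL_ATTR_MAX)
            tb[h.nla_type] = buf + off;
        off += ((size_t)h.nla_len + 3u) & ~(size_t)3u;  /* 4-byte alignment */
    }
    return 0;
}

/* Count fan-map entries in one attribute. The NULL guard returns -1 where
 * the report describes a NULL pointer dereference; it stands in for the
 * crash so the model can be run safely. */
static int fan_map_entries(const unsigned char *attr)
{
    struct model_nlattr h;

    if (!attr)
        return -1;
    memcpy(&h, attr, sizeof(h));
    return (int)((h.nla_len - MODEL_HDRLEN) / sizeof(struct model_fan_map));
}

/* Before the fix: presence checked under one ID, data read from the other. */
static int vxlan_fan_entries_before_fix(const unsigned char *tb[])
{
    if (!tb[MODEL_VXLAN_FAN_MAP])
        return 0;                            /* no fan-map requested */
    return fan_map_entries(tb[MODEL_IPTUN_FAN_MAP]);
}

/* After the fix: the same ID is used for the check and for the access. */
static int vxlan_fan_entries_after_fix(const unsigned char *tb[])
{
    if (!tb[MODEL_VXLAN_FAN_MAP])
        return 0;
    return fan_map_entries(tb[MODEL_VXLAN_FAN_MAP]);
}

/* Constructed sample: a message carrying one fan-map attribute of `type`
 * (192.168.0.0/16 underlay, 240.0.0.0/8 overlay, as in the test plan). */
static int run_case(uint16_t type, int fixed)
{
    unsigned char msg[MODEL_HDRLEN + sizeof(struct model_fan_map)];
    const unsigned char *tb[MODEL_ATTR_MAX + 1];
    struct model_nlattr h = { (uint16_t)sizeof(msg), type };
    struct model_fan_map m = { 0xC0A80000u, 16, 0xF0000000u, 8 };

    memcpy(msg, &h, sizeof(h));
    memcpy(msg + sizeof(h), &m, sizeof(m));
    if (model_parse(tb, msg, sizeof(msg)) != 0)
        return -2;
    return fixed ? vxlan_fan_entries_after_fix(tb)
                 : vxlan_fan_entries_before_fix(tb);
}

int main(void)
{
    printf("attr 34, before fix: %d\n", run_case(MODEL_VXLAN_FAN_MAP, 0));
    printf("attr 34, after fix:  %d\n", run_case(MODEL_VXLAN_FAN_MAP, 1));
    printf("attr 33, before fix: %d\n", run_case(MODEL_IPTUN_FAN_MAP, 0));
    return 0;
}
```

A result of -1 marks the path on which the table slot that was read is NULL even though the presence check passed.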