Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/ionic: Fix potential NULL pointer dereference in ionic_query_port<br /> <br /> The function ionic_query_port() calls ib_device_get_netdev() without<br /> checking the return value which could lead to NULL pointer dereference,<br /> Fix it by checking the return value and return -ENODEV if the &amp;#39;ndev&amp;#39; is<br /> NULL.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ethernet: ec_bhf: Fix dma_free_coherent() dma handle<br /> <br /> dma_free_coherent() in error path takes priv-&gt;rx_buf.alloc_len as<br /> the dma handle. This would lead to improper unmapping of the buffer.<br /> <br /> Change the dma handle to priv-&gt;rx_buf.alloc_phys.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback<br /> <br /> After several commits, the slab memory increases. Some drm_crtc_commit<br /> objects are not freed. The atomic_destroy_state callback only put the<br /> framebuffer. Use the __drm_atomic_helper_plane_destroy_state() function<br /> to put all the objects that are no longer needed.<br /> <br /> It has been seen after hours of usage of a graphics application or using<br /> kmemleak:<br /> <br /> unreferenced object 0xc63a6580 (size 64):<br /> comm "egt_basic", pid 171, jiffies 4294940784<br /> hex dump (first 32 bytes):<br /> 40 50 34 c5 01 00 00 00 ff ff ff ff 8c 65 3a c6 @P4..........e:.<br /> 8c 65 3a c6 ff ff ff ff 98 65 3a c6 98 65 3a c6 .e:......e:..e:.<br /> backtrace (crc c25aa925):<br /> kmemleak_alloc+0x34/0x3c<br /> __kmalloc_cache_noprof+0x150/0x1a4<br /> drm_atomic_helper_setup_commit+0x1e8/0x7bc<br /> drm_atomic_helper_commit+0x3c/0x15c<br /> drm_atomic_commit+0xc0/0xf4<br /> drm_atomic_helper_set_config+0x84/0xb8<br /> drm_mode_setcrtc+0x32c/0x810<br /> drm_ioctl+0x20c/0x488<br /> sys_ioctl+0x14c/0xc20<br /> ret_fast_syscall+0x0/0x54

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove()<br /> <br /> In mtk_mdp_probe(), vpu_get_plat_device() increases the reference<br /> count of the returned platform device. Add platform_device_put()<br /> to prevent reference leak.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> md-cluster: fix NULL pointer dereference in process_metadata_update<br /> <br /> The function process_metadata_update() blindly dereferences the &amp;#39;thread&amp;#39;<br /> pointer (acquired via rcu_dereference_protected) within the wait_event()<br /> macro.<br /> <br /> While the code comment states "daemon thread must exist", there is a valid<br /> race condition window during the MD array startup sequence (md_run):<br /> <br /> 1. bitmap_load() is called, which invokes md_cluster_ops-&gt;join().<br /> 2. join() starts the "cluster_recv" thread (recv_daemon).<br /> 3. At this point, recv_daemon is active and processing messages.<br /> 4. However, mddev-&gt;thread (the main MD thread) is not initialized until<br /> later in md_run().<br /> <br /> If a METADATA_UPDATED message is received from a remote node during this<br /> specific window, process_metadata_update() will be called while<br /> mddev-&gt;thread is still NULL, leading to a kernel panic.<br /> <br /> To fix this, we must validate the &amp;#39;thread&amp;#39; pointer. If it is NULL, we<br /> release the held lock (no_new_dev_lockres) and return early, safely<br /> ignoring the update request as the array is not yet fully ready to<br /> process it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ring-buffer: Fix possible dereference of uninitialized pointer<br /> <br /> There is a pointer head_page in rb_meta_validate_events() which is not<br /> initialized at the beginning of a function. This pointer can be dereferenced<br /> if there is a failure during reader page validation. In this case the control<br /> is passed to "invalid" label where the pointer is dereferenced in a loop.<br /> <br /> To fix the issue initialize orig_head and head_page before calling<br /> rb_validate_buffer.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ceph: supply snapshot context in ceph_zero_partial_object()<br /> <br /> The ceph_zero_partial_object function was missing proper snapshot<br /> context for its OSD write operations, which could lead to data<br /> inconsistencies in snapshots.<br /> <br /> Reproducer:<br /> ../src/vstart.sh --new -x --localhost --bluestore<br /> ./bin/ceph auth caps client.fs_a mds &amp;#39;allow rwps fsname=a&amp;#39; mon &amp;#39;allow r fsname=a&amp;#39; osd &amp;#39;allow rw tag cephfs data=a&amp;#39;<br /> mount -t ceph fs_a@.a=/ /mnt/mycephfs/ -o conf=./ceph.conf<br /> dd if=/dev/urandom of=/mnt/mycephfs/foo bs=64K count=1<br /> mkdir /mnt/mycephfs/.snap/snap1<br /> md5sum /mnt/mycephfs/.snap/snap1/foo<br /> fallocate -p -o 0 -l 4096 /mnt/mycephfs/foo<br /> echo 3 &gt; /proc/sys/vm/drop/caches<br /> md5sum /mnt/mycephfs/.snap/snap1/foo # get different md5sum!!

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mailbox: mchp-ipc-sbi: fix out-of-bounds access in mchp_ipc_get_cluster_aggr_irq()<br /> <br /> The cluster_cfg array is dynamically allocated to hold per-CPU<br /> configuration structures, with its size based on the number of online<br /> CPUs. Previously, this array was indexed using hartid, which may be<br /> non-contiguous or exceed the bounds of the array, leading to<br /> out-of-bounds access.<br /> Switch to using cpuid as the index, as it is guaranteed to be within<br /> the valid range provided by for_each_online_cpu().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: ufs: core: Flush exception handling work when RPM level is zero<br /> <br /> Ensure that the exception event handling work is explicitly flushed during<br /> suspend when the runtime power management level is set to UFS_PM_LVL_0.<br /> <br /> When the RPM level is zero, the device power mode and link state both<br /> remain active. Previously, the UFS core driver bypassed flushing exception<br /> event handling jobs in this configuration. This created a race condition<br /> where the driver could attempt to access the host controller to handle an<br /> exception after the system had already entered a deep power-down state,<br /> resulting in a system crash.<br /> <br /> Explicitly flush this work and disable auto BKOPs before the suspend<br /> callback proceeds. This guarantees that pending exception tasks complete<br /> and prevents illegal hardware access during the power-down sequence.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: mana: Fix double destroy_workqueue on service rescan PCI path<br /> <br /> While testing corner cases in the driver, a use-after-free crash<br /> was found on the service rescan PCI path.<br /> <br /> When mana_serv_reset() calls mana_gd_suspend(), mana_gd_cleanup()<br /> destroys gc-&gt;service_wq. If the subsequent mana_gd_resume() fails<br /> with -ETIMEDOUT or -EPROTO, the code falls through to<br /> mana_serv_rescan() which triggers pci_stop_and_remove_bus_device().<br /> This invokes the PCI .remove callback (mana_gd_remove), which calls<br /> mana_gd_cleanup() a second time, attempting to destroy the already-<br /> freed workqueue. Fix this by NULL-checking gc-&gt;service_wq in<br /> mana_gd_cleanup() and setting it to NULL after destruction.<br /> <br /> Call stack of issue for reference:<br /> [Sat Feb 21 18:53:48 2026] Call Trace:<br /> [Sat Feb 21 18:53:48 2026] <br /> [Sat Feb 21 18:53:48 2026] mana_gd_cleanup+0x33/0x70 [mana]<br /> [Sat Feb 21 18:53:48 2026] mana_gd_remove+0x3a/0xc0 [mana]<br /> [Sat Feb 21 18:53:48 2026] pci_device_remove+0x41/0xb0<br /> [Sat Feb 21 18:53:48 2026] device_remove+0x46/0x70<br /> [Sat Feb 21 18:53:48 2026] device_release_driver_internal+0x1e3/0x250<br /> [Sat Feb 21 18:53:48 2026] device_release_driver+0x12/0x20<br /> [Sat Feb 21 18:53:48 2026] pci_stop_bus_device+0x6a/0x90<br /> [Sat Feb 21 18:53:48 2026] pci_stop_and_remove_bus_device+0x13/0x30<br /> [Sat Feb 21 18:53:48 2026] mana_do_service+0x180/0x290 [mana]<br /> [Sat Feb 21 18:53:48 2026] mana_serv_func+0x24/0x50 [mana]<br /> [Sat Feb 21 18:53:48 2026] process_one_work+0x190/0x3d0<br /> [Sat Feb 21 18:53:48 2026] worker_thread+0x16e/0x2e0<br /> [Sat Feb 21 18:53:48 2026] kthread+0xf7/0x130<br /> [Sat Feb 21 18:53:48 2026] ? __pfx_worker_thread+0x10/0x10<br /> [Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10<br /> [Sat Feb 21 18:53:48 2026] ret_from_fork+0x269/0x350<br /> [Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10<br /> [Sat Feb 21 18:53:48 2026] ret_from_fork_asm+0x1a/0x30<br /> [Sat Feb 21 18:53:48 2026]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> arm64: Add support for TSV110 Spectre-BHB mitigation<br /> <br /> The TSV110 processor is vulnerable to the Spectre-BHB (Branch History<br /> Buffer) attack, which can be exploited to leak information through<br /> branch prediction side channels. This commit adds the MIDR of TSV110<br /> to the list for software mitigation.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gfs2: fiemap page fault fix<br /> <br /> In gfs2_fiemap(), we are calling iomap_fiemap() while holding the inode<br /> glock. This can lead to recursive glock taking if the fiemap buffer is<br /> memory mapped to the same inode and accessing it triggers a page fault.<br /> <br /> Fix by disabling page faults for iomap_fiemap() and faulting in the<br /> buffer by hand if necessary.<br /> <br /> Fixes xfstest generic/742.