| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025111253-CVE-2025-40125-cb33@gregkh> Date: Wed, 12 Nov 2025 19:24:01 +0900 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-40125: blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx In __blk_mq_update_nr_hw_queues() the return value of blk_mq_sysfs_register_hctxs() is not checked. If sysfs creation for hctx fails, later changing the number of hw_queues or removing disk will trigger the following warning: kernfs: can not remove 'nr_tags', no directory WARNING: CPU: 2 PID: 637 at fs/kernfs/dir.c:1707 kernfs_remove_by_name_ns+0x13f/0x160 Call Trace: remove_files.isra.1+0x38/0xb0 sysfs_remove_group+0x4d/0x100 sysfs_remove_groups+0x31/0x60 __kobject_del+0x23/0xf0 kobject_del+0x17/0x40 blk_mq_unregister_hctx+0x5d/0x80 blk_mq_sysfs_unregister_hctxs+0x94/0xd0 blk_mq_update_nr_hw_queues+0x124/0x760 nullb_update_nr_hw_queues+0x71/0xf0 [null_blk] nullb_device_submit_queues_store+0x92/0x120 [null_blk] kobjct_del() was called unconditionally even if sysfs creation failed. Fix it by checkig the kobject creation statusbefore deleting it. The Linux kernel CVE team has assigned CVE-2025-40125 to this issue. Affected and fixed versions =========================== Issue introduced in 4.20 with commit 477e19dedc9d3e1f4443a1d4ae00572a988120ea and fixed in 5.4.301 with commit a8c53553f1833cc2d14175d2d72cf37193a01898 Issue introduced in 4.20 with commit 477e19dedc9d3e1f4443a1d4ae00572a988120ea and fixed in 5.10.246 with commit cc14ea21c4e658814d737ed4dedde6cd626a15ad Issue introduced in 4.20 with commit 477e19dedc9d3e1f4443a1d4ae00572a988120ea and fixed in 5.15.195 with commit 4b97e99b87a773d52699521d40864f3ec888e9a6 Issue introduced in 4.20 with commit 477e19dedc9d3e1f4443a1d4ae00572a988120ea and fixed in 6.1.156 with commit 6e7dadc5763c48eb3b9b91265a21f312599ebb2c Issue introduced in 4.20 with commit 477e19dedc9d3e1f4443a1d4ae00572a988120ea and fixed in 6.6.112 with commit 06c4826b1d900611096e4621e93133db57e13911 Issue introduced in 4.20 with commit 477e19dedc9d3e1f4443a1d4ae00572a988120ea and fixed in 6.12.53 with commit babc634e9fe2803962dba98a07587e835dbc0731 Issue introduced in 4.20 with commit 477e19dedc9d3e1f4443a1d4ae00572a988120ea and fixed in 6.17.3 with commit d5ddd76ee52bdc16e9f8b1e7791291e785dab032 Issue introduced in 4.20 with commit 477e19dedc9d3e1f4443a1d4ae00572a988120ea and fixed in 6.18-rc1 with commit 4c7ef92f6d4d08a27d676e4c348f4e2922cab3ed Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-40125 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: block/blk-mq-sysfs.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/a8c53553f1833cc2d14175d2d72cf37193a01898 https://git.kernel.org/stable/c/cc14ea21c4e658814d737ed4dedde6cd626a15ad https://git.kernel.org/stable/c/4b97e99b87a773d52699521d40864f3ec888e9a6 https://git.kernel.org/stable/c/6e7dadc5763c48eb3b9b91265a21f312599ebb2c https://git.kernel.org/stable/c/06c4826b1d900611096e4621e93133db57e13911 https://git.kernel.org/stable/c/babc634e9fe2803962dba98a07587e835dbc0731 https://git.kernel.org/stable/c/d5ddd76ee52bdc16e9f8b1e7791291e785dab032 https://git.kernel.org/stable/c/4c7ef92f6d4d08a27d676e4c348f4e2922cab3ed
Powered by blists - more mailing lists