ALAS2KERNEL-5.15-2025-073


Amazon Linux 2 Security Advisory: ALAS2KERNEL-5.15-2025-073
Advisory Released Date: 2025-06-09
Advisory Updated Date: 2025-06-09
Severity: Important

Issue Overview:

In the Linux kernel, the following vulnerability has been resolved:

scsi: target: Fix WRITE_SAME No Data Buffer crash

In newer version of the SBC specs, we have a NDOB bit that indicates there
is no data buffer that gets written out. If this bit is set using commands
like "sg_write_same --ndob" we will crash in target_core_iblock/file's
execute_write_same handlers when we go to access the se_cmd->t_data_sg
because its NULL.

This patch adds a check for the NDOB bit in the common WRITE SAME code
because we don't support it. And, it adds a check for zero SG elements in
each handler in case the initiator tries to send a normal WRITE SAME with
no data buffer. (CVE-2022-21546)

In the Linux kernel, the following vulnerability has been resolved:

drm/i915/gt: Cleanup partial engine discovery failures (CVE-2022-48893)

In the Linux kernel, the following vulnerability has been resolved:

cifs: Fix UAF in cifs_demultiplex_thread() (CVE-2023-52572)

In the Linux kernel, the following vulnerability has been resolved:

bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers (CVE-2023-52621)

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix use-after-free bug in cifs_debug_data_proc_show() (CVE-2023-52752)

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix potential deadlock when releasing mids (CVE-2023-52757)

In the Linux kernel, the following vulnerability has been resolved:

fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats (CVE-2024-26686)

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_mirred: don't override retval if we already lost the skb (CVE-2024-26739)

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix potential UAF in cifs_dump_full_key() (CVE-2024-35866)

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix potential UAF in cifs_stats_proc_show() (CVE-2024-35867)

In the Linux kernel, the following vulnerability has been resolved:

blk-iocost: do not WARN if iocg was already offlined (CVE-2024-36908)

In the Linux kernel, the following vulnerability has been resolved:

of: module: add buffer overflow check in of_modalias() (CVE-2024-38541)

In the Linux kernel, the following vulnerability has been resolved:

smb/server: fix potential null-ptr-deref of lease_ctx_info in smb2_open() (CVE-2024-46742)

In the Linux kernel, the following vulnerability has been resolved:

net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup (CVE-2024-46784)

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix UAF in async decryption (CVE-2024-50047)

In the Linux kernel, the following vulnerability has been resolved:

net: fix crash when config small gso_max_size/gso_ipv4_max_size (CVE-2024-50258)

In the Linux kernel, the following vulnerability has been resolved:

filemap: Fix bounds checking in filemap_read() (CVE-2024-50272)

In the Linux kernel, the following vulnerability has been resolved:

dm cache: fix flushing uninitialized delayed_work on cache_ctr error (CVE-2024-50280)

In the Linux kernel, the following vulnerability has been resolved:

sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers (CVE-2024-53128)

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath10k: avoid NULL pointer error during sdio remove (CVE-2024-56599)

In the Linux kernel, the following vulnerability has been resolved:

ipv6: release nexthop on device removal

The CI is hitting some aperiodic hangup at device removal time in the
pmtu.sh self-test:

unregister_netdevice: waiting for veth_A-R1 to become free. Usage count = 6
ref_tracker: veth_A-R1@ffff888013df15d8 has 1/5 users at
dst_init+0x84/0x4a0
dst_alloc+0x97/0x150
ip6_dst_alloc+0x23/0x90
ip6_rt_pcpu_alloc+0x1e6/0x520
ip6_pol_route+0x56f/0x840
fib6_rule_lookup+0x334/0x630
ip6_route_output_flags+0x259/0x480
ip6_dst_lookup_tail.constprop.0+0x5c2/0x940
ip6_dst_lookup_flow+0x88/0x190
udp_tunnel6_dst_lookup+0x2a7/0x4c0
vxlan_xmit_one+0xbde/0x4a50 [vxlan]
vxlan_xmit+0x9ad/0xf20 [vxlan]
dev_hard_start_xmit+0x10e/0x360
__dev_queue_xmit+0xf95/0x18c0
arp_solicit+0x4a2/0xe00
neigh_probe+0xaa/0xf0

While the first suspect is the dst_cache, explicitly tracking the dst
owing the last device reference via probes proved such dst is held by
the nexthop in the originating fib6_info.

Similar to commit f5b51fe804ec ("ipv6: route: purge exception on
removal"), we need to explicitly release the originating fib info when
disconnecting a to-be-removed device from a live ipv6 dst: move the
fib6_info cleanup into ip6_dst_ifdown().

Tested running:

./pmtu.sh cleanup_ipv6_exception

in a tight loop for more than 400 iterations with no spat, running an
unpatched kernel I observed a splat every ~10 iterations. (CVE-2024-56751)

In the Linux kernel, the following vulnerability has been resolved:

bpf: avoid holding freeze_mutex during mmap operation (CVE-2025-21853)

In the Linux kernel, the following vulnerability has been resolved:

nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu() (CVE-2025-21927)

In the Linux kernel, the following vulnerability has been resolved:

net_sched: ets: Fix double list add in class with netem as child qdisc (CVE-2025-37914)


Affected Packages:

kernel


Note:

This advisory is applicable to Amazon Linux 2 - Kernel-5.15 Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update kernel to update your system.
System reboot is required in order to complete this update.

New Packages:
aarch64:
    kernel-5.15.184-125.190.amzn2.aarch64
    kernel-headers-5.15.184-125.190.amzn2.aarch64
    kernel-debuginfo-common-aarch64-5.15.184-125.190.amzn2.aarch64
    perf-5.15.184-125.190.amzn2.aarch64
    perf-debuginfo-5.15.184-125.190.amzn2.aarch64
    python-perf-5.15.184-125.190.amzn2.aarch64
    python-perf-debuginfo-5.15.184-125.190.amzn2.aarch64
    kernel-tools-5.15.184-125.190.amzn2.aarch64
    kernel-tools-devel-5.15.184-125.190.amzn2.aarch64
    kernel-tools-debuginfo-5.15.184-125.190.amzn2.aarch64
    bpftool-5.15.184-125.190.amzn2.aarch64
    bpftool-debuginfo-5.15.184-125.190.amzn2.aarch64
    kernel-devel-5.15.184-125.190.amzn2.aarch64
    kernel-debuginfo-5.15.184-125.190.amzn2.aarch64
    kernel-livepatch-5.15.184-125.190-1.0-0.amzn2.aarch64

i686:
    kernel-headers-5.15.184-125.190.amzn2.i686

src:
    kernel-5.15.184-125.190.amzn2.src

x86_64:
    kernel-5.15.184-125.190.amzn2.x86_64
    kernel-headers-5.15.184-125.190.amzn2.x86_64
    kernel-debuginfo-common-x86_64-5.15.184-125.190.amzn2.x86_64
    perf-5.15.184-125.190.amzn2.x86_64
    perf-debuginfo-5.15.184-125.190.amzn2.x86_64
    python-perf-5.15.184-125.190.amzn2.x86_64
    python-perf-debuginfo-5.15.184-125.190.amzn2.x86_64
    kernel-tools-5.15.184-125.190.amzn2.x86_64
    kernel-tools-devel-5.15.184-125.190.amzn2.x86_64
    kernel-tools-debuginfo-5.15.184-125.190.amzn2.x86_64
    bpftool-5.15.184-125.190.amzn2.x86_64
    bpftool-debuginfo-5.15.184-125.190.amzn2.x86_64
    kernel-devel-5.15.184-125.190.amzn2.x86_64
    kernel-debuginfo-5.15.184-125.190.amzn2.x86_64
    kernel-livepatch-5.15.184-125.190-1.0-0.amzn2.x86_64