CVE-2025-39783
published 2025-09-11CVE-2025-39783: In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Fix configfs group list head handling Doing a list_del() on the epf_group…
high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: Fix configfs group list head handling
Doing a list_del() on the epf_group field of struct pci_epf_driver in
pci_epf_remove_cfs() is not correct as this field is a list head, not
a list entry. This list_del() call triggers a KASAN warning when an
endpoint function driver which has a configfs attribute group is torn
down:
BUG: KASAN: slab-use-after-free in pci_epf_remove_cfs+0x17c/0x198
Write of size 8 at addr ffff00010f4a0d80 by task rmmod/319
CPU: 3 UID: 0 PID: 319 Comm: rmmod Not tainted 6.16.0-rc2 #1 NONE
Hardware name: Radxa ROCK 5B (DT)
Call trace:
show_stack+0x2c/0x84 (C)
dump_stack_lvl+0x70/0x98
print_report+0x17c/0x538
kasan_report+0xb8/0x190
__asan_report_store8_noabort+0x20/0x2c
pci_epf_remove_cfs+0x17c/0x198
pci_epf_unregister_driver+0x18/0x30
nvmet_pci_epf_cleanup_module+0x24/0x30 [nvmet_pci_epf]
__arm64_sys_delete_module+0x264/0x424
invoke_syscall+0x70/0x260
el0_svc_common.constprop.0+0xac/0x230
do_el0_svc+0x40/0x58
el0_svc+0x48/0xdc
el0t_64_sync_handler+0x10c/0x138
el0t_64_sync+0x198/0x19c
...
Remove this incorrect list_del() call from pci_epf_remove_cfs().
Affected
36 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= ef1433f717a2c63747a519d86965d73ff9bd08b3 < 80ea6e6904fb2ba4ccb5d909579988466ec65358 | 80ea6e6904fb2ba4ccb5d909579988466ec65358 |
| linux | linux | >= ef1433f717a2c63747a519d86965d73ff9bd08b3 < d5aecddc3452371d9da82cdbb0c715812524b54b | d5aecddc3452371d9da82cdbb0c715812524b54b |
| linux | linux | >= ef1433f717a2c63747a519d86965d73ff9bd08b3 < dc4ffbd571716ff3b171418fb03abe80e720a7b1 | dc4ffbd571716ff3b171418fb03abe80e720a7b1 |
| linux | linux | >= ef1433f717a2c63747a519d86965d73ff9bd08b3 < 409af8b9f7b4f23cd0464e71c6cd6fe13c076ae2 | 409af8b9f7b4f23cd0464e71c6cd6fe13c076ae2 |
| linux | linux | >= ef1433f717a2c63747a519d86965d73ff9bd08b3 < 0758862386f114d9ab1e23181461bd1e2e9ec4c6 | 0758862386f114d9ab1e23181461bd1e2e9ec4c6 |
| linux | linux | >= ef1433f717a2c63747a519d86965d73ff9bd08b3 < 6cf65505523224cab1449d726d2ce8180c2941ee | 6cf65505523224cab1449d726d2ce8180c2941ee |
| linux | linux | >= ef1433f717a2c63747a519d86965d73ff9bd08b3 < a302bd89db35d8b7e279de4d2b41c16c7f191069 | a302bd89db35d8b7e279de4d2b41c16c7f191069 |
| linux | linux | >= ef1433f717a2c63747a519d86965d73ff9bd08b3 < d79123d79a8154b4318529b7b2ff7e15806f480b | d79123d79a8154b4318529b7b2ff7e15806f480b |
| linux | linux_kernel | >= 0 < 5.10.244-1 | 5.10.244-1 |
| linux | linux_kernel | >= 0 < 6.1.153-1 | 6.1.153-1 |
| linux | linux_kernel | >= 0 < 6.12.48-1 | 6.12.48-1 |
| linux | linux_kernel | >= 0 < 6.16.5-1 | 6.16.5-1 |
| linux | linux_kernel | >= 0 < 5.15.0-163.173 | 5.15.0-163.173 |
| linux | linux_kernel | >= 0 < 6.8.0-100.100 | 6.8.0-100.100 |
| linux | linux_kernel | >= 4.18 < 5.4.297 | 5.4.297 |
| linux | linux_kernel | >= 5.11 < 5.15.190 | 5.15.190 |
| linux | linux_kernel | >= 5.16 < 6.1.149 | 6.1.149 |
| linux | linux_kernel | >= 5.5 < 5.10.241 | 5.10.241 |
| linux | linux_kernel | >= 6.13 < 6.16.4 | 6.16.4 |
| linux | linux_kernel | >= 6.2 < 6.6.103 | 6.6.103 |
| linux | linux_kernel | >= 6.7 < 6.12.44 | 6.12.44 |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv7.8HIGH