1.7 KiB
CVE-2025-38282
Description
In the Linux kernel, the following vulnerability has been resolved:kernfs: Relax constraint in draining guardThe active reference lifecycle provides the break/unbreak mechanism butthe active reference is not truly active after unbreak -- callers don'tuse it afterwards but it's important for proper pairing of kn->activecounting. Assuming this mechanism is in place, the WARN check inkernfs_should_drain_open_files() is too sensitive -- it may transientlycatch those (rightful) callers betweenkernfs_unbreak_active_protection() and kernfs_put_active() as found out by ChenRidong: kernfs_remove_by_name_ns kernfs_get_active // active=1 __kernfs_remove // active=0x80000002 kernfs_drain ... wait_event //waiting (active == 0x80000001) kernfs_break_active_protection // active = 0x80000001 // continue kernfs_unbreak_active_protection // active = 0x80000002 ... kernfs_should_drain_open_files // warning occurs kernfs_put_activeTo avoid the false positives (mind panic_on_warn) remove the check altogether.(This is meant as quick fix, I think active reference break/unbreak may besimplified with larger rework.)
POC
Reference
No PoCs from references.