CVE-2025-38306

Summary

In the Linux kernel, the following vulnerability has been resolved:

fs/fhandle.c: fix a race in call of has_locked_children()

may_decode_fh() is calling has_locked_children() while holding no locks. That's an oopsable race…

The rest of the callers are safe since they are holding namespace_sem and are guaranteed a positive refcount on the mount in question.

Rename the current has_locked_children() to __has_locked_children(), make it static and switch the fs/namespace.c users to it.

Make has_locked_children() a wrapper for __has_locked_children(), calling the latter under read_seqlock_excl(&mount_lock).

Affected Software

VendorProductVersion RangeStatus
LinuxLinux620c266f394932e5decc4b34683a75dfc59dc2f4 < 6482c3dccbfb8d20e2856ce67c75856859930b3faffected
LinuxLinux620c266f394932e5decc4b34683a75dfc59dc2f4 < 287c7d34eedd37af1272dfb3b6e8656f4f026424affected
LinuxLinux620c266f394932e5decc4b34683a75dfc59dc2f4 < 1f282cdc1d219c4a557f7009e81bc792820d9d9aaffected
LinuxLinux6.11affected
LinuxLinux0 < 6.11unaffected
LinuxLinux6.12.46 <= 6.12.*unaffected
LinuxLinux6.15.3 <= 6.15.*unaffected
LinuxLinux6.16 <= *unaffected

Weaknesses

References