CVE-2025-38722

Summary

In the Linux kernel, the following vulnerability has been resolved:

habanalabs: fix UAF in export_dmabuf()

As soon as we'd inserted a file reference into descriptor table, another thread could close it. That's fine for the case when all we are doing is returning that descriptor to userland (it's a race, but it's a userland race and there's nothing the kernel can do about it). However, if we follow fd_install() with any kind of access to objects that would be destroyed on close (be it the struct file itself or anything destroyed by its ->release()), we have a UAF.

dma_buf_fd() is a combination of reserving a descriptor and fd_install(). habanalabs export_dmabuf() calls it and then proceeds to access the objects destroyed on close. In particular, it grabs an extra reference to another struct file that will be dropped as part of ->release() for ours; that "will be" is actually "might have already been".

Fix that by reserving descriptor before anything else and do fd_install() only when everything had been set up. As a side benefit, we no longer have the failure exit with file already created, but reference to underlying file (as well as ->dmabuf_export_cnt, etc.) not grabbed yet; unlike dma_buf_fd(), fd_install() can't fail.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxdb1a8dd916aac986871f6b873a3aefad906f383a < c07886761fd6251db6938d4e747002e3d150d231affected
LinuxLinuxdb1a8dd916aac986871f6b873a3aefad906f383a < 40deceb38f9db759772d1c289c28fd2a543f57fcaffected
LinuxLinuxdb1a8dd916aac986871f6b873a3aefad906f383a < 55c232d7e0241f1d5120b595e7a9de24c75ed3d8affected
LinuxLinuxdb1a8dd916aac986871f6b873a3aefad906f383a < 33927f3d0ecdcff06326d6e4edb6166aed42811caffected
LinuxLinux5.16affected
LinuxLinux0 < 5.16unaffected
LinuxLinux6.12.43 <= 6.12.*unaffected
LinuxLinux6.15.11 <= 6.15.*unaffected
LinuxLinux6.16.2 <= 6.16.*unaffected
LinuxLinux6.17 <= *unaffected

Weaknesses

References