CVE-2025-68339

Summary

In the Linux kernel, the following vulnerability has been resolved:

atm/fore200e: Fix possible data race in fore200e_open()

Protect access to fore200e->available_cell_rate with rate_mtx lock in the error handling path of fore200e_open() to prevent a data race.

The field fore200e->available_cell_rate is a shared resource used to track available bandwidth. It is concurrently accessed by fore200e_open(), fore200e_close(), and fore200e_change_qos().

In fore200e_open(), the lock rate_mtx is correctly held when subtracting vcc->qos.txtp.max_pcr from available_cell_rate to reserve bandwidth. However, if the subsequent call to fore200e_activate_vcin() fails, the function restores the reserved bandwidth by adding back to available_cell_rate without holding the lock.

This introduces a race condition because available_cell_rate is a global device resource shared across all VCCs. If the error path in fore200e_open() executes concurrently with operations like fore200e_close() or fore200e_change_qos() on other VCCs, a read-modify-write race occurs.

Specifically, the error path reads the rate without the lock. If another CPU acquires the lock and modifies the rate (e.g., releasing bandwidth in fore200e_close()) between this read and the subsequent write, the error path will overwrite the concurrent update with a stale value. This results in incorrect bandwidth accounting.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 1b60f42a639999c37da7f1fbfa1ad29cf4cbdd2daffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < bd1415efbab507b9b995918105eef953013449ddaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < ed34c70d88e2b8b9bc6c3ede88751186d6c6d5d1affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 9917ba597cf95f307778e495f71ff25a5064d167affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 667ac868823224374f819500adc5baa2889c7bc5affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 6610361458e7eb6502dd3182f586f91fcc218039affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 82fca3d8a4a34667f01ec2351a607135249c9cffaffected
LinuxLinux2.6.12affected
LinuxLinux0 < 2.6.12unaffected
LinuxLinux5.10.247 <= 5.10.*unaffected
LinuxLinux5.15.197 <= 5.15.*unaffected
LinuxLinux6.1.159 <= 6.1.*unaffected
LinuxLinux6.6.119 <= 6.6.*unaffected
LinuxLinux6.12.61 <= 6.12.*unaffected
LinuxLinux6.17.11 <= 6.17.*unaffected
LinuxLinux6.18 <= *unaffected

Weaknesses

References