CVE-2025-38595

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xen: fix UAF in dmabuf_exp_from_pages()<br /> <br /> [dma_buf_fd() fixes; no preferences regarding the tree it goes through -<br /> up to xen folks]<br /> <br /> As soon as we&amp;#39;d inserted a file reference into descriptor table, another<br /> thread could close it. That&amp;#39;s fine for the case when all we are doing is<br /> returning that descriptor to userland (it&amp;#39;s a race, but it&amp;#39;s a userland<br /> race and there&amp;#39;s nothing the kernel can do about it). However, if we<br /> follow fd_install() with any kind of access to objects that would be<br /> destroyed on close (be it the struct file itself or anything destroyed<br /> by its -&gt;release()), we have a UAF.<br /> <br /> dma_buf_fd() is a combination of reserving a descriptor and fd_install().<br /> gntdev dmabuf_exp_from_pages() calls it and then proceeds to access the<br /> objects destroyed on close - starting with gntdev_dmabuf itself.<br /> <br /> Fix that by doing reserving descriptor before anything else and do<br /> fd_install() only when everything had been set up.