CVE-2025-39713

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()<br /> <br /> In the interrupt handler rain_interrupt(), the buffer full check on<br /> rain-&gt;buf_len is performed before acquiring rain-&gt;buf_lock. This<br /> creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as<br /> rain-&gt;buf_len is concurrently accessed and modified in the work<br /> handler rain_irq_work_handler() under the same lock.<br /> <br /> Multiple interrupt invocations can race, with each reading buf_len<br /> before it becomes full and then proceeding. This can lead to both<br /> interrupts attempting to write to the buffer, incrementing buf_len<br /> beyond its capacity (DATA_SIZE) and causing a buffer overflow.<br /> <br /> Fix this bug by moving the spin_lock() to before the buffer full<br /> check. This ensures that the check and the subsequent buffer modification<br /> are performed atomically, preventing the race condition. An corresponding<br /> spin_unlock() is added to the overflow path to correctly release the<br /> lock.<br /> <br /> This possible bug was found by an experimental static analysis tool<br /> developed by our team.