CVE-2025-40249

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 04/12/2025
Last modified: 04/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

gpio: cdev: make sure the cdev fd is still active before emitting events

With the final call to fput() on a file descriptor, the release action may be deferred and scheduled on a work queue. The reference count of that descriptor is still zero and it must not be used. It's possible that a GPIO change, we want to notify the user-space about, happens AFTER the reference count on the file descriptor associated with the character device went down to zero but BEFORE the .release() callback was called from the workqueue and so BEFORE we unregistered from the notifier.

Using the regular get_file() routine in this situation triggers the following warning:

struct file::f_count incremented from zero; use-after-free condition present!

So use the get_file_active() variant that will return NULL on file descriptors that have been or are being released.
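
The difference between the two routines, as an added example that is not code from the kernel patch or from this advisory: a userspace C model of the window between the final fput() and the deferred .release(), using C11 atomics. The model_* names and struct model_file are hypothetical stand-ins for the kernel's struct file, get_file(), get_file_active() and fput().

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model (assumption): stands in for the kernel's struct file. */
struct model_file {
    atomic_long f_count;  /* 0 = final fput() done, .release() still pending */
    int warned;           /* set when a reference is taken from zero */
};

/* Models get_file(): unconditional increment; records the from-zero case. */
static struct model_file *model_get_file(struct model_file *f)
{
    if (atomic_fetch_add(&f->f_count, 1) == 0)
        f->warned = 1;
    return f;
}

/* Models get_file_active(): take a reference only while the count is non-zero. */
static struct model_file *model_get_file_active(struct model_file *f)
{
    long old = atomic_load(&f->f_count);
    while (old != 0)
        if (atomic_compare_exchange_weak(&f->f_count, &old, old + 1))
            return f;
    return NULL;
}

static void model_fput(struct model_file *f) { atomic_fetch_sub(&f->f_count, 1); }

/* Notifier path; returns true if an event was emitted to the fd. */
static bool model_emit_event(struct model_file *f, bool use_active)
{
    struct model_file *ref = use_active ? model_get_file_active(f) : model_get_file(f);
    if (!ref)
        return false;     /* fd is being released: skip it */
    model_fput(ref);      /* event would be queued before dropping the reference */
    return true;
}

int main(void)
{
    struct model_file f = { 1, 0 };
    model_fput(&f);       /* last user reference dropped, release deferred */
    bool active = model_emit_event(&f, true);
    bool plain = model_emit_event(&f, false);
    printf("active=%d plain=%d warned=%d\n", active, plain, f.warned);
    return 0;
}
```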

Impact