CVE-2025-68299
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 16/12/2025
Last modified: 16/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

afs: Fix delayed allocation of a cell's anonymous key

The allocation of a cell's anonymous key is done in a background thread
along with other cell setup such as doing a DNS upcall. In the reported
bug, this is triggered by afs_parse_source() parsing the device name given
to mount() and calling afs_lookup_cell() with the name of the cell.

The normal key lookup then tries to use the key description on the
anonymous authentication key as the reference for request_key() - but it
may not yet be set and so an oops can happen.

This has been made more likely to happen by the fix for dynamic lookup
failure.

Fix this by firstly allocating a reference name and attaching it to the
afs_cell record when the record is created. It can share the memory
allocation with the cell name (unfortunately it can't just overlap the cell
name by prepending it with "afs@" as the cell name already has a '.'
prepended for other purposes). This reference name is then passed to
request_key().

Secondly, the anon key is now allocated on demand at the point a key is
requested in afs_request_key() if it is not already allocated. A mutex is
used to prevent multiple allocation for a cell.

Thirdly, make afs_request_key_rcu() return NULL if the anonymous key isn't
yet allocated (if we need it) and then the caller can return -ECHILD to
drop out of RCU-mode and afs_request_key() can be called.

Note that the anonymous key is kind of necessary to make the key lookup
cache work as that doesn't currently cache a negative lookup, but it's
probably worth some investigation to see if NULL can be used instead.
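
The three parts of the fix described above, as a userspace C model added here for illustration; it is not the kernel patch or any kernel code. All `model_*` names, the pthread mutex, the `__atomic` builtins, the `"afs@<cell>"` layout of the reference name and the one-byte allocation standing in for a key object are assumptions.

```c
/* Userspace model of the fix (constructed; not kernel code, names hypothetical). */
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
#include <string.h>
struct model_cell {
    pthread_mutex_t lock; /* prevents multiple anon-key allocations */
    void *anon_key;       /* NULL until the first blocking request */
    char *key_desc;       /* "afs@<cell>", points into buf */
    char buf[];           /* ".<cell>\0afs@<cell>\0" in one allocation */
};

/* Part 1: the reference name exists as soon as the record does. */
struct model_cell *model_cell_alloc(const char *cell)
{
    size_t n = strlen(cell);
    struct model_cell *c = calloc(1, sizeof(*c) + (1 + n + 1) + (4 + n + 1));
    if (!c) return NULL;
    pthread_mutex_init(&c->lock, NULL);
    c->buf[0] = '.';                      /* cell name keeps its '.' prefix */
    memcpy(c->buf + 1, cell, n + 1);
    c->key_desc = c->buf + 1 + n + 1;     /* separate copy, no overlap */
    memcpy(c->key_desc, "afs@", 4);
    memcpy(c->key_desc + 4, cell, n + 1);
    return c;
}

/* Part 2: blocking path allocates the anonymous key on demand, once. */
const void *model_request_key(struct model_cell *c)
{
    pthread_mutex_lock(&c->lock);
    if (!c->anon_key)   /* calloc stands in for allocating a key object */
        __atomic_store_n(&c->anon_key, calloc(1, 1), __ATOMIC_RELEASE);
    pthread_mutex_unlock(&c->lock);
    return c->anon_key;
}

/* Part 3: non-blocking path never allocates; NULL means "not ready yet". */
const void *model_request_key_nonblock(struct model_cell *c)
{
    return __atomic_load_n(&c->anon_key, __ATOMIC_ACQUIRE);
}

/* Caller: -ECHILD tells it to leave non-blocking mode and retry. */
int model_lookup(struct model_cell *c, int nonblock, const void **key)
{
    *key = nonblock ? model_request_key_nonblock(c) : model_request_key(c);
    return *key ? 0 : (nonblock ? -ECHILD : -ENOMEM);
}
```

The reference name is valid from record creation, so a lookup that arrives before any key exists has a usable description and gets `-ECHILD` instead of dereferencing an unset pointer.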



