CVE-2025-68339

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> atm/fore200e: Fix possible data race in fore200e_open()<br /> <br /> Protect access to fore200e-&gt;available_cell_rate with rate_mtx lock in the<br /> error handling path of fore200e_open() to prevent a data race.<br /> <br /> The field fore200e-&gt;available_cell_rate is a shared resource used to track<br /> available bandwidth. It is concurrently accessed by fore200e_open(),<br /> fore200e_close(), and fore200e_change_qos().<br /> <br /> In fore200e_open(), the lock rate_mtx is correctly held when subtracting<br /> vcc-&gt;qos.txtp.max_pcr from available_cell_rate to reserve bandwidth.<br /> However, if the subsequent call to fore200e_activate_vcin() fails, the<br /> function restores the reserved bandwidth by adding back to<br /> available_cell_rate without holding the lock.<br /> <br /> This introduces a race condition because available_cell_rate is a global<br /> device resource shared across all VCCs. If the error path in<br /> fore200e_open() executes concurrently with operations like<br /> fore200e_close() or fore200e_change_qos() on other VCCs, a<br /> read-modify-write race occurs.<br /> <br /> Specifically, the error path reads the rate without the lock. If another<br /> CPU acquires the lock and modifies the rate (e.g., releasing bandwidth in<br /> fore200e_close()) between this read and the subsequent write, the error<br /> path will overwrite the concurrent update with a stale value. This results<br /> in incorrect bandwidth accounting.