CVE-2025-68367

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 24/12/2025
Last modified: 19/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse

The following warning appears when running syzkaller, and this issue also exists in the mainline code.

------------[ cut here ]------------
list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100.
WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130
Modules linked in:
CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted 6.6.0+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:__list_add_valid_or_report+0xf7/0x130
RSP: 0018:ff1100010dfb7b78 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffffffa57eee18 RCX: ffffffff97fc9817
RDX: 0000000000040000 RSI: ffa0000002383000 RDI: 0000000000000001
RBP: ffffffffa57eee28 R08: 0000000000000001 R09: ffe21c0021bf6f2c
R10: 0000000000000001 R11: 6464615f7473696c R12: ffffffffa5e63100
R13: ffffffffa57eee28 R14: ffffffffa57eee28 R15: ff1100010dfb7d48
FS: 00007fb14398b640(0000) GS:ff11000119600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000010d096005 CR4: 0000000000773ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 80000000
Call Trace:
input_register_handler+0xb3/0x210
mac_hid_start_emulation+0x1c5/0x290
mac_hid_toggle_emumouse+0x20a/0x240
proc_sys_call_handler+0x4c2/0x6e0
new_sync_write+0x1b1/0x2d0
vfs_write+0x709/0x950
ksys_write+0x12a/0x250
do_syscall_64+0x5a/0x110
entry_SYSCALL_64_after_hwframe+0x78/0xe2

The WARNING occurs when two processes concurrently write to the mac-hid emulation sysctl, causing a race condition in mac_hid_toggle_emumouse(). Both processes read old_val=0, then both try to register the input handler, leading to a double list_add of the same handler.

CPU0                                 CPU1
-------------------------            -------------------------
vfs_write() //write 1                vfs_write() //write 1
  proc_sys_write()                     proc_sys_write()
    mac_hid_toggle_emumouse()            mac_hid_toggle_emumouse()
      old_val = *valp // old_val=0
                                           old_val = *valp // old_val=0
      mutex_lock_killable()
      proc_dointvec() // *valp=1
      mac_hid_start_emulation()
        input_register_handler()
      mutex_unlock()
                                           mutex_lock_killable()
                                           proc_dointvec()
                                           mac_hid_start_emulation()
                                             input_register_handler() //Trigger Warning
                                           mutex_unlock()

Fix this by moving the old_val read inside the mutex lock region.
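
The interleaving in the diagram can be checked exhaustively with a small userspace model. This is an added example, not kernel code and not part of the commit: `emumouse`, `linked`, `locked_region` and `racy_schedules` are hypothetical names, the comparison against old_val is inferred from the description, and the stop path is assumed to unregister the handler.

```c
#include <stdio.h>

/* Userspace model, not kernel code (names are hypothetical). emumouse stands
 * for *valp; linked records whether the handler is already on the list. */
static int emumouse, linked, double_adds;

/* Body of the mutex-protected region; the mutex makes it atomic per writer. */
static void locked_region(int old_val, int new_val)
{
    emumouse = new_val;          /* proc_dointvec() stores the write */
    if (emumouse == old_val)
        return;                  /* no change seen, nothing to do */
    if (emumouse && linked)
        double_adds++;           /* start path: the "list_add double add" */
    linked = emumouse;           /* start links; stop assumed to unlink */
}

/* Run every schedule of two writers that each write 1; return how many hit a
 * double add. Each writer takes an unlocked step, then the locked region.
 * read_in_lock=0 samples old_val in the unlocked step, 1 inside the lock. */
int racy_schedules(int read_in_lock, int *total)
{
    int bad = 0;
    *total = 0;
    for (int mask = 0; mask < 16; mask++) {   /* bit i: writer in slot i */
        int ones = (mask & 1) + ((mask >> 1) & 1) + ((mask >> 2) & 1) + (mask >> 3);
        if (ones != 2)
            continue;                         /* two steps per writer */
        int old_val[2] = {0, 0}, step[2] = {0, 0};
        emumouse = linked = double_adds = 0;
        for (int slot = 0; slot < 4; slot++) {
            int w = (mask >> slot) & 1;
            if (step[w]++ == 0)
                old_val[w] = emumouse;        /* unlocked read of *valp */
            else
                locked_region(read_in_lock ? emumouse : old_val[w], 1);
        }
        (*total)++;
        bad += double_adds > 0;
    }
    return bad;
}

int main(void)
{
    int total, before = racy_schedules(0, &total), after = racy_schedules(1, &total);
    printf("double-add schedules: %d of %d before fix, %d after\n", before, total, after);
    return 0;
}
```

In this model the unlocked read produces a double add in every schedule where both writers sample old_val before either enters the locked region, and in none once the read happens under the lock.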

Impact