CVE-2025-21915

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 01/04/2025
Last modified: 19/08/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

cdx: Fix possible UAF error in driver_override_show()

Fixed a possible UAF problem in driver_override_show() in drivers/cdx/cdx.c

This function driver_override_show() is part of DEVICE_ATTR_RW, which includes both driver_override_show() and driver_override_store(). These functions can be executed concurrently in sysfs.

The driver_override_store() function uses driver_set_override() to update the driver_override value, and driver_set_override() internally locks the device (device_lock(dev)). If driver_override_show() reads cdx_dev->driver_override without locking, it could potentially access a freed pointer if driver_override_store() frees the string concurrently. This could lead to printing a kernel address, which is a security risk since DEVICE_ATTR can be read by all users.

Additionally, a similar pattern is used in drivers/amba/bus.c, as well as many other bus drivers, where device_lock() is taken in the show function, and it has been working without issues.

This potential bug was detected by our experimental static analysis tool, which analyzes locking APIs and paired functions to identify data races and atomicity violations.
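The locking pattern described above, as an added userspace model (not the kernel patch and not code from this advisory): a pthread mutex stands in for device_lock(dev), and `model_dev`, `model_store`, `model_show_unlocked`, `model_show_locked` and `stress_locked` are hypothetical names. It races a writer that keeps freeing and replacing the string against readers that take the same lock, and counts reads that return anything other than one of the two stored values.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model (assumption): the mutex stands in for device_lock(dev). */
struct model_dev { pthread_mutex_t lock; char *driver_override; };
/* Shape of driver_override_store(): replace and free the string under the lock. */
int model_store(struct model_dev *d, const char *s) {
    char *fresh = strdup(s);
    if (!fresh) return -1;
    pthread_mutex_lock(&d->lock);
    free(d->driver_override);
    d->driver_override = fresh;
    pthread_mutex_unlock(&d->lock);
    return 0;
}
/* Pre-fix shape of show: no lock, so a concurrent store can free the string
 * between the pointer load and the copy. Shown for contrast, never called. */
int model_show_unlocked(struct model_dev *d, char *buf, size_t n) {
    return snprintf(buf, n, "%s\n", d->driver_override ? d->driver_override : "");
}
/* Post-fix shape: hold the writer's lock across the whole read. */
int model_show_locked(struct model_dev *d, char *buf, size_t n) {
    pthread_mutex_lock(&d->lock);
    int len = snprintf(buf, n, "%s\n", d->driver_override ? d->driver_override : "");
    pthread_mutex_unlock(&d->lock);
    return len;
}
/* Writer thread: keeps swapping between two constructed driver names. */
static void *writer(void *arg) {
    for (int i = 0; i < 20000; i++)
        model_store(arg, (i & 1) ? "drv-a" : "drv-b");
    return NULL;
}
/* Race the writer against locked reads; returns how many reads were invalid. */
int stress_locked(int reads) {
    struct model_dev d = { PTHREAD_MUTEX_INITIALIZER, NULL };
    pthread_t t; char buf[32]; int bad = 0;
    if (model_store(&d, "drv-a") || pthread_create(&t, NULL, writer, &d)) return -1;
    for (int i = 0; i < reads; i++) {
        model_show_locked(&d, buf, sizeof buf);
        bad += strcmp(buf, "drv-a\n") && strcmp(buf, "drv-b\n");
    }
    pthread_join(t, NULL);
    free(d.driver_override);
    return bad;
}
int main(void) { printf("invalid reads: %d\n", stress_locked(20000)); return 0; }
```

Building this model with a thread or address sanitizer and pointing the reader loop at `model_show_unlocked` instead is a quick way to see the tooling flag the unlocked read.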

Vulnerable products and versions

| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.4 (including) | 6.6.83 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.19 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.13.7 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:* | | |