CVE-2025-38048

Severity CVSS v4.0: Pending analysis
Type: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date: 18/06/2025
Last modified: 17/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN

syzbot reports a data-race when accessing the event_triggered, here is the
simplified stack when the issue occurred:

==================================================================
BUG: KCSAN: data-race in virtqueue_disable_cb / virtqueue_enable_cb_delayed

write to 0xffff8881025bc452 of 1 bytes by task 3288 on cpu 0:
virtqueue_enable_cb_delayed+0x42/0x3c0 drivers/virtio/virtio_ring.c:2653
start_xmit+0x230/0x1310 drivers/net/virtio_net.c:3264
__netdev_start_xmit include/linux/netdevice.h:5151 [inline]
netdev_start_xmit include/linux/netdevice.h:5160 [inline]
xmit_one net/core/dev.c:3800 [inline]

read to 0xffff8881025bc452 of 1 bytes by interrupt on cpu 1:
virtqueue_disable_cb_split drivers/virtio/virtio_ring.c:880 [inline]
virtqueue_disable_cb+0x92/0x180 drivers/virtio/virtio_ring.c:2566
skb_xmit_done+0x5f/0x140 drivers/net/virtio_net.c:777
vring_interrupt+0x161/0x190 drivers/virtio/virtio_ring.c:2715
__handle_irq_event_percpu+0x95/0x490 kernel/irq/handle.c:158
handle_irq_event_percpu kernel/irq/handle.c:193 [inline]

value changed: 0x01 -> 0x00
==================================================================

When the data race occurs, the function virtqueue_enable_cb_delayed() sets
event_triggered to false, and virtqueue_disable_cb_split/packed() reads it
as false due to the race condition. Since event_triggered is an unreliable
hint used for optimization, this should only cause the driver to temporarily
suggest that the device not send an interrupt notification when the event
index is used.

Fix this KCSAN reported data-race issue by explicitly tagging the access as
data_racy.

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 5.15.185 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.141 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.93 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.31 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.14.9 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* | | |
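
The following check is an added example, not part of the original record or of the kernel project: it tests a `uname -r` style release string against the upstream version ranges listed above. The function and constant names are assumptions made for illustration, and the Debian entry is not covered because the record gives no version bounds for it.

```python
import re

# Upstream ranges copied from the table above:
# (from_inclusive or None, up_to_exclusive)
AFFECTED_RANGES = [
    (None, (5, 15, 185)),
    ((5, 16, 0), (6, 1, 141)),
    ((6, 2, 0), (6, 6, 93)),
    ((6, 7, 0), (6, 12, 31)),
    ((6, 13, 0), (6, 14, 9)),
]
# Release candidates named individually in the table.
AFFECTED_RCS = {"6.15-rc1", "6.15-rc2", "6.15-rc3"}

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-rc\d+)?")


def parse_release(release):
    """Split a release string into ((major, minor, patch), rc_tag or None).

    Distribution suffixes such as "-37-amd64" are ignored.
    """
    m = _RELEASE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0)), rc


def is_listed_as_affected(release):
    """True if the upstream version number falls in a listed range."""
    version, rc = parse_release(release)
    if rc:
        # -rc builds are matched only against the explicit -rc entries.
        key = f"{version[0]}.{version[1]}{rc}"
        return version[2] == 0 and key in AFFECTED_RCS
    for low, high in AFFECTED_RANGES:
        if (low is None or version >= low) and version < high:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    for sample in ("6.1.140", "6.1.141", "6.15.0-rc2", "6.6.93-1-amd64"):
        print(sample, is_listed_as_affected(sample))
```

A match only means the upstream version number is in a listed range; distribution kernels backport fixes without changing that number, so confirm against the vendor's own advisory.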