CVE-2025-38584

There is a race condition/UAF in padatareorder that goes back to the initial commit. A reference count is taken at the start of the process in padatadoparallel, and released at the end in padataserial_worker.

This reference count is (and only is) required for padatareplace to function correctly. If padatareplace is never called then there is no issue.

In the function padata_reorder which serves as the core of padata, as soon as padata is added to queue->serial.list, and the associated spin lock released, that padata may be processed and the reference count on pd would go away.

Fix this by getting the next padata before the squeue->serial lock is released.

In order to make this possible, simplify padata_reorder by only calling it once the next padata arrives.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38584.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

16295bec6398a3eedc9377e1af6ff4c71b98c300

Fixed

f231d5d001ec75f5886c02d496a4c79edc383d45

Fixed

dbe3e911a59bda6de96e7cae387ff882c2c177fa

Fixed

cdf79bd2e1ecb3cc75631c73d8f4149be6019a52

Fixed

71203f68c7749609d7fc8ae6ad054bdedeb24f91

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38584.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.6.34

Fixed

6.12.86

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.15.10

Type: ECOSYSTEM
Events: Introduced

6.16.0

Fixed

6.16.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38584.json"