CVE-2025-38581

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-38581
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38581.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38581
Downstream
Related
Published
2025-08-19T17:03:03.718Z
Modified
2026-03-12T02:15:56.303494Z
Summary
crypto: ccp - Fix crash when rebind ccp device for ccp.ko
Details

In the Linux kernel, the following vulnerability has been resolved:

crypto: ccp - Fix crash when rebind ccp device for ccp.ko

When CONFIGCRYPTODEVCCPDEBUGFS is enabled, rebinding the ccp device causes the following crash:

$ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/unbind $ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/bind

[ 204.976930] BUG: kernel NULL pointer dereference, address: 0000000000000098 [ 204.978026] #PF: supervisor write access in kernel mode [ 204.979126] #PF: errorcode(0x0002) - not-present page [ 204.980226] PGD 0 P4D 0 [ 204.981317] Oops: Oops: 0002 [#1] SMP NOPTI ... [ 204.997852] Call Trace: [ 204.999074] <TASK> [ 205.000297] startcreating+0x9f/0x1c0 [ 205.001533] debugfscreatedir+0x1f/0x170 [ 205.002769] ? srsoreturnthunk+0x5/0x5f [ 205.004000] ccp5debugfssetup+0x87/0x170 [ccp] [ 205.005241] ccp5init+0x8b2/0x960 [ccp] [ 205.006469] ccpdevinit+0xd4/0x150 [ccp] [ 205.007709] spinit+0x5f/0x80 [ccp] [ 205.008942] sppciprobe+0x283/0x2e0 [ccp] [ 205.010165] ? srsoreturnthunk+0x5/0x5f [ 205.011376] localpciprobe+0x4f/0xb0 [ 205.012584] pcideviceprobe+0xdb/0x230 [ 205.013810] really_probe+0xed/0x380 [ 205.015024] __driverprobedevice+0x7e/0x160 [ 205.016240] devicedriverattach+0x2f/0x60 [ 205.017457] bindstore+0x7c/0xb0 [ 205.018663] drvattrstore+0x28/0x40 [ 205.019868] sysfskfwrite+0x5f/0x70 [ 205.021065] kernfsfopwriteiter+0x145/0x1d0 [ 205.022267] vfswrite+0x308/0x440 [ 205.023453] ksyswrite+0x6d/0xe0 [ 205.024616] __x64syswrite+0x1e/0x30 [ 205.025778] x64syscall+0x16ba/0x2150 [ 205.026942] dosyscall64+0x56/0x1e0 [ 205.028108] entrySYSCALL64afterhwframe+0x76/0x7e [ 205.029276] RIP: 0033:0x7fbc36f10104 [ 205.030420] Code: 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8d 05 e1 08 2e 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 f3 c3 66 90 41 54 55 49 89 d4 53 48 89 f5

This patch sets ccpdebugfsdir to NULL after destroying it in ccp5debugfsdestroy, allowing the directory dentry to be recreated when rebinding the ccp device.

Tested on AMD Ryzen 7 1700X.

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38581.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3cdbe346ed3f380eae1cb3e9febfe703e7d8a7b0
Fixed
a25ab6dfa0ce323ec308966988be6b675eb9d3e5
Fixed
ce63a83925964ab7564bd216bd92b80bc365492e
Fixed
20c0ed8dd65834e6bab464f54cd6ff68659bacb9
Fixed
2d4060f05e74dbee884ba723f6afd9282befc3c5
Fixed
db111468531777cac8b4beb6515a88a54b0c4a74
Fixed
9dea08eac4f6d6fbbae59992978252e2edab995d
Fixed
6eadf50c1d894cb34f3237064063207460946040
Fixed
64ec9a7e7a6398b172ab6feba60e952163a1c3d5
Fixed
181698af38d3f93381229ad89c09b5bd0496661a

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38581.json"