CVE-2025-38492— netfs: Fix race between cache write completion and ALL_QUEUED being set
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-38492
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
netfs: Fix race between cache write completion and ALL_QUEUED being set
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: netfs: Fix race between cache write completion and ALL_QUEUED being set When netfslib is issuing subrequests, the subrequests start processing immediately and may complete before we reach the end of the issuing function. At the end of the issuing function we set NETFS_RREQ_ALL_QUEUED to indicate to the collector that we aren't going to issue any more subreqs and that it can do the final notifications and cleanup. Now, this isn't a problem if the request is synchronous (NETFS_RREQ_OFFLOAD_COLLECTION is unset) as the result collection will be done in-thread and we're guaranteed an opportunity to run the collector. However, if the request is asynchronous, collection is primarily triggered by the termination of subrequests queuing it on a workqueue. Now, a race can occur here if the app thread sets ALL_QUEUED after the last subrequest terminates. This can happen most easily with the copy2cache code (as used by Ceph) where, in the collection routine of a read request, an asynchronous write request is spawned to copy data to the cache. Folios are added to the write request as they're unlocked, but there may be a delay before ALL_QUEUED is set as the write subrequests may complete before we get there. If all the write subreqs have finished by the ALL_QUEUED point, no further events happen and the collection never happens, leaving the request hanging. Fix this by queuing the collector after setting ALL_QUEUED. This is a bit heavy-handed and it may be sufficient to do it only if there are no extant subreqs. Also add a tracepoint to cross-reference both requests in a copy-to-request operation and add a trace to the netfs_rreq tracepoint to indicate the setting of ALL_QUEUED.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于缓存写入完成和ALL_QUEUED设置之间的竞争条件。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-38492
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-38492
请登录查看更多情报信息。
Same Patch Batch · Linux · 2025-07-28 · 29 CVEs total
| CVE-2025-38483 | comedi: das16m1: Fix bit shift out of bounds | |
| CVE-2025-38497 | usb: gadget: configfs: Fix OOB read on empty string write | |
| CVE-2025-38496 | dm-bufio: fix sched in atomic context | |
| CVE-2025-38495 | HID: core: ensure the allocated report buffer can contain the reserved report ID | |
| CVE-2025-38494 | HID: core: do not bypass hid_hw_raw_request | |
| CVE-2025-38493 | tracing/osnoise: Fix crash in timerlat_dump_stack() | |
| CVE-2025-38491 | mptcp: make fallback action and fallback decision atomic | |
| CVE-2025-38490 | net: libwx: remove duplicate page_pool_put_full_page() | |
| CVE-2025-38489 | s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again | |
| CVE-2025-38488 | smb: client: fix use-after-free in crypt_message when using async crypto | |
| CVE-2025-38487 | soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled | |
| CVE-2025-38485 | iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush | |
| CVE-2025-38486 | soundwire: Revert "soundwire: qcom: Add set_channel_map api support" | |
| CVE-2025-38484 | iio: backend: fix out-of-bound write | |
| CVE-2025-38468 | net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree | |
| CVE-2025-38482 | comedi: das6402: Fix bit shift out of bounds | |
| CVE-2025-38481 | comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large | |
| CVE-2025-38480 | comedi: Fix use of uninitialized data in insn_rw_emulate_bits() | |
| CVE-2025-38478 | comedi: Fix initialization of data for instructions that write to subdevice | |
| CVE-2025-38477 | net/sched: sch_qfq: Fix race condition on qfq_aggregate |
Showing top 20 of 29 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
Same vendor: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
V. Comments for CVE-2025-38492
No comments yet