{"id":"CVE-2025-21999","summary":"proc: fix UAF in proc_get_inode()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nproc: fix UAF in proc_get_inode()\n\nFix race between rmmod and /proc/XXX's inode instantiation.\n\nThe bug is that pde-\u003eproc_ops don't belong to /proc, it belongs to a\nmodule, therefore dereferencing it after /proc entry has been registered\nis a bug unless use_pde/unuse_pde() pair has been used.\n\nuse_pde/unuse_pde can be avoided (2 atomic ops!) because pde-\u003eproc_ops\nnever changes so information necessary for inode instantiation can be\nsaved _before_ proc_register() in PDE itself and used later, avoiding\npde-\u003eproc_ops-\u003e...  dereference.\n\n      rmmod                         lookup\nsys_delete_module\n                         proc_lookup_de\n\t\t\t   pde_get(de);\n\t\t\t   proc_get_inode(dir-\u003ei_sb, de);\n  mod-\u003eexit()\n    proc_remove\n      remove_proc_subtree\n       proc_entry_rundown(de);\n  free_module(mod);\n\n                               if (S_ISREG(inode-\u003ei_mode))\n\t                         if (de-\u003eproc_ops-\u003eproc_read_iter)\n                           --\u003e As module is already freed, will trigger UAF\n\nBUG: unable to handle page fault for address: fffffbfff80a702b\nPGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0\nOops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nRIP: 0010:proc_get_inode+0x302/0x6e0\nRSP: 0018:ffff88811c837998 EFLAGS: 00010a06\nRAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007\nRDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158\nRBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20\nR10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0\nR13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001\nFS:  00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n proc_lookup_de+0x11f/0x2e0\n __lookup_slow+0x188/0x350\n walk_component+0x2ab/0x4f0\n path_lookupat+0x120/0x660\n filename_lookup+0x1ce/0x560\n vfs_statx+0xac/0x150\n __do_sys_newstat+0x96/0x110\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n[adobriyan@gmail.com: don't do 2 atomic ops on the common path]","modified":"2026-04-03T13:14:36.658639Z","published":"2025-04-03T07:19:03.040Z","related":["ALSA-2025:9080","MGASA-2025-0142","MGASA-2025-0146","SUSE-SU-2025:01614-1","SUSE-SU-2025:01707-1","SUSE-SU-2025:01918-1","SUSE-SU-2025:01919-1","SUSE-SU-2025:01951-1","SUSE-SU-2025:01964-1","SUSE-SU-2025:01966-1","SUSE-SU-2025:01967-1","SUSE-SU-2025:01982-1","SUSE-SU-2025:01995-1","SUSE-SU-2025:02173-1","SUSE-SU-2025:02262-1","SUSE-SU-2025:03097-1","SUSE-SU-2025:03100-1","SUSE-SU-2025:03108-1","SUSE-SU-2025:03109-1","SUSE-SU-2025:03111-1","SUSE-SU-2025:03123-1","SUSE-SU-2025:03124-1","SUSE-SU-2025:03126-1","SUSE-SU-2025:03129-1","SUSE-SU-2025:03130-1","SUSE-SU-2025:03133-1","SUSE-SU-2025:03148-1","SUSE-SU-2025:03153-1","SUSE-SU-2025:03156-1","SUSE-SU-2025:03160-1","SUSE-SU-2025:03165-1","SUSE-SU-2025:03175-1","SUSE-SU-2025:03179-1","SUSE-SU-2025:03180-1","SUSE-SU-2025:03181-1","SUSE-SU-2025:03184-1","SUSE-SU-2025:03185-1","SUSE-SU-2025:03186-1","SUSE-SU-2025:03190-1","SUSE-SU-2025:03191-1","SUSE-SU-2025:03194-1","SUSE-SU-2025:03207-1","SUSE-SU-2025:03208-1","SUSE-SU-2025:03209-1","SUSE-SU-2025:03210-1","SUSE-SU-2025:03212-1","SUSE-SU-2025:03215-1","SUSE-SU-2025:03217-1","SUSE-SU-2025:03223-1","SUSE-SU-2025:03226-1","SUSE-SU-2025:03235-1","SUSE-SU-2025:20343-1","SUSE-SU-2025:20344-1","SUSE-SU-2025:20354-1","SUSE-SU-2025:20355-1","SUSE-SU-2025:20698-1","SUSE-SU-2025:20699-1","SUSE-SU-2025:20700-1","SUSE-SU-2025:20703-1","SUSE-SU-2025:20704-1","SUSE-SU-2025:20705-1","SUSE-SU-2025:20706-1","SUSE-SU-2025:20707-1","SUSE-SU-2025:20711-1","SUSE-SU-2025:20712-1","SUSE-SU-2025:20714-1","SUSE-SU-2025:20761-1","SUSE-SU-2025:20763-1","SUSE-SU-2025:20766-1","SUSE-SU-2025:20767-1","SUSE-SU-2025:20775-1","SUSE-SU-2025:20776-1","SUSE-SU-2025:20777-1","SUSE-SU-2025:20778-1","SUSE-SU-2025:20782-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21999.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/4b0b8445b6fd41e6f62ac90547a0ea9d348de3fa"},{"type":"WEB","url":"https://git.kernel.org/stable/c/63b53198aff2e4e6c5866a4ff73c7891f958ffa4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/64dc7c68e040251d9ec6e989acb69f8f6ae4a10b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/654b33ada4ab5e926cd9c570196fefa7bec7c1df"},{"type":"WEB","url":"https://git.kernel.org/stable/c/966f331403dc3ed04ff64eaf3930cf1267965e53"},{"type":"WEB","url":"https://git.kernel.org/stable/c/eda279586e571b05dff44d48e05f8977ad05855d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ede3e8ac90ae106f0b29cd759aadebc1568f1308"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21999.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21999"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"97a32539b9568bb653683349e5a76d02ff3c3e2c"},{"fixed":"eda279586e571b05dff44d48e05f8977ad05855d"},{"fixed":"4b0b8445b6fd41e6f62ac90547a0ea9d348de3fa"},{"fixed":"966f331403dc3ed04ff64eaf3930cf1267965e53"},{"fixed":"63b53198aff2e4e6c5866a4ff73c7891f958ffa4"},{"fixed":"ede3e8ac90ae106f0b29cd759aadebc1568f1308"},{"fixed":"64dc7c68e040251d9ec6e989acb69f8f6ae4a10b"},{"fixed":"654b33ada4ab5e926cd9c570196fefa7bec7c1df"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21999.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}