In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]coresight: prevent deactivate active config while enabling the config[EOL][EOL]While enable active config via cscfg_csdev_enable_active_config(),[EOL]active config could be deactivated via configfs' sysfs interface.[EOL]This could make UAF issue in below scenario:[EOL][EOL]CPU0 CPU1[EOL](sysfs enable) load module[EOL] cscfg_load_config_sets()[EOL] activate config. // sysfs[EOL] (sys_active_cnt == 1)[EOL]...[EOL]cscfg_csdev_enable_active_config()[EOL]lock(csdev->cscfg_csdev_lock)[EOL]// here load config activate by CPU1[EOL]unlock(csdev->cscfg_csdev_lock)[EOL][EOL] deactivate config // sysfs[EOL] (sys_activec_cnt == 0)[EOL] cscfg_unload_config_sets()[EOL] unload module[EOL][EOL]// access to config_desc which freed[EOL]// while unloading module.[EOL]cscfg_csdev_enable_config[EOL][EOL]To address this, use cscfg_config_desc's active_cnt as a reference count[EOL] which will be holded when[EOL] - activate the config.[EOL] - enable the activated config.[EOL]and put the module reference when config_active_cnt == 0. CREATE(Triage):(User=lchen-cn) [CVE-2025-38131 (https://nvd.nist.gov/vuln/detail/CVE-2025-38131)
