)]}'
{
  "commit": "5241cda1d789949bbcddde5d9320a36c610237d4",
  "tree": "194b4a3d4f0fdce606ec8b996c93d72ca1b54d95",
  "parents": [
    "6af0af9e7e03b8e104b310ee4d0c9333a62fe5b9"
  ],
  "author": {
    "name": "Herbert Xu",
    "email": "herbert@gondor.apana.org.au",
    "time": "Sat Apr 25 16:14:29 2026 +0800"
  },
  "committer": {
    "name": "Daniel Velasquez",
    "email": "rdvelasquez@google.com",
    "time": "Tue May 19 15:34:04 2026 -0700"
  },
  "message": "padata: Fix pd UAF once and for all\n\n[ Upstream commit 71203f68c7749609d7fc8ae6ad054bdedeb24f91 ]\n\nThere is a race condition/UAF in padata_reorder that goes back\nto the initial commit.  A reference count is taken at the start\nof the process in padata_do_parallel, and released at the end in\npadata_serial_worker.\n\nThis reference count is (and only is) required for padata_replace\nto function correctly.  If padata_replace is never called then\nthere is no issue.\n\nIn the function padata_reorder which serves as the core of padata,\nas soon as padata is added to queue-\u003eserial.list, and the associated\nspin lock released, that padata may be processed and the reference\ncount on pd would go away.\n\nFix this by getting the next padata before the squeue-\u003eserial lock\nis released.\n\nIn order to make this possible, simplify padata_reorder by only\ncalling it once the next padata arrives.\n\nBUG\u003db/440034137\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed CVE-2025-38584 in the Linux kernel.\n\ncos-patch: security-moderate\nFixes: 16295bec6398 (\"padata: Generic parallelization/serialization interface\")\nChange-Id: I4083200549ddd489346f5ba724411763aab2a660\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\n[ Adjust context of padata_find_next(). Replace\ncpumask_next_wrap(cpu, pd-\u003ecpumask.pcpu) with\ncpumask_next_wrap(cpu, pd-\u003ecpumask.pcpu, -1, false) in padata_reorder() in\nv6.12 according to dc5bb9b769c9 (\"cpumask: deprecate cpumask_next_wrap()\") and\nf954a2d37637 (\"padata: switch padata_find_next() to using cpumask_next_wrap()\")\n. ]\nSigned-off-by: Bin Lan \u003clanbincn@139.com\u003e\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\nSigned-off-by: Kernel CVE Triage Automation \u003ccloud-image-kernel-cve-triage-automation@prod.google.com\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/152303\nReviewed-by: Miri Amarilio \u003cmirilio@google.com\u003e\nReviewed-by: Daniel Velasquez \u003crdvelasquez@google.com\u003e\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "0146daf3443066d8097181a5cdf49e87af24070d",
      "old_mode": 33188,
      "old_path": "include/linux/padata.h",
      "new_id": "b486c7359de2bb64b848e74e4e739b5ff6425431",
      "new_mode": 33188,
      "new_path": "include/linux/padata.h"
    },
    {
      "type": "modify",
      "old_id": "c3810f5bd7156351f9de34fd036df763b195fe73",
      "old_mode": 33188,
      "old_path": "kernel/padata.c",
      "new_id": "e61bdc248551f68d7a368bc6fae51d9ffca5f2dd",
      "new_mode": 33188,
      "new_path": "kernel/padata.c"
    }
  ]
}