NAK/cmt: Re: [SRU][P/N/J][PATCH v4 0/2] CVE-2025-38584

[Paolo Pisati]

On Tue, Oct 14, 2025 at 10:26:28AM -0400, Alice C. Munduruca wrote:
> v4 -> Fixed tag added in previous series.
> v3 -> Added followup patch to remove irrelevant comment and added a CVE tag.
> v2 -> Reworked structure to match flat hierarchy standard.
> 
> [ Impact ]
> 
> Despite previous attempts to fix this bug, a UAF still occurs in certain
> situations within padata. In order to fix it for good, the previous queueing
> system is completely removed and logic is rewritten to be safe.
> 
> [ Fix ]
> 
> plucky: backported from upstream, writing over a minor change with `cpumask_next_wrap`.
> noble: redid backport from same provenance due to context changes.
> jammy: cleanly applied plucky fix.
> 
> [ Tests ]
> 
> Compile, boot, and stress-ng (cpu) tested.
> 
> [ Where problems could occur ]
> 
> Given that padata has had this UAF for a while, there is not really a risk of
> regression, so much as not having fixed the problem. The fact that changes to the
> original patch are minor minimizes this risk.
> 
> Herbert Xu (2):
>   padata: Fix pd UAF once and for all
>   padata: Remove comment for reorder_work
> 
>  include/linux/padata.h |   4 --
>  kernel/padata.c        | 132 ++++++++++++-----------------------------
>  2 files changed, 37 insertions(+), 99 deletions(-)

Thanks for you patches Alice, but they are all missing the BugLink (please add
it to every patch).

Other than that, it seems ok to me.
-- 
bye,
p.