CVE-2025-38210

In the Linux kernel, the following vulnerability has been resolved:

configfs-tsm-report: Fix NULL dereference of tsm_ops

Unlike sysfs, the lifetime of configfs objects is controlled by userspace. There is no mechanism for the kernel to find and delete all created config-items. Instead, the configfs-tsm-report mechanism has an expectation that tsm_unregister() can happen at any time and cause established config-item access to start failing.

That expectation is not fully satisfied. While tsmreportread(), tsmreport{is,isbin}visible(), and tsmreportmakeitem() safely fail if tsmops have been unregistered, tsmreportprivlevelstore() tsmreportprovidershow() fail to check for ops registration. Add the missing checks for tsm_ops having been removed.

Now, in supporting the ability for tsmunregister() to always succeed, it leaves the problem of what to do with lingering config-items. The expectation is that the admin that arranges for the ->remove() (unbind) of the ${tsmarch}-guest driver is also responsible for deletion of all open config-items. Until that deletion happens, ->probe() (reload / bind) of the ${tsm_arch}-guest driver fails.

This allows for emergency shutdown / revocation of attestation interfaces, and requires coordinated restart.