CVE-2025-68339

Source
https://cve.org/CVERecord?id=CVE-2025-68339
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68339.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-68339
Published
2025-12-23T13:58:24.955Z
Modified
2026-03-13T04:04:09.857906Z
Summary
atm/fore200e: Fix possible data race in fore200e_open()
Details

In the Linux kernel, the following vulnerability has been resolved:

atm/fore200e: Fix possible data race in fore200e_open()

Protect access to fore200e->available_cell_rate with rate_mtx lock in the error handling path of fore200e_open() to prevent a data race.

The field fore200e->available_cell_rate is a shared resource used to track available bandwidth. It is concurrently accessed by fore200e_open(), fore200e_close(), and fore200e_change_qos().

In fore200e_open(), the lock rate_mtx is correctly held when subtracting vcc->qos.txtp.max_pcr from available_cell_rate to reserve bandwidth. However, if the subsequent call to fore200e_activate_vcin() fails, the function restores the reserved bandwidth by adding back to available_cell_rate without holding the lock.

This introduces a race condition because available_cell_rate is a global device resource shared across all VCCs. If the error path in fore200e_open() executes concurrently with operations like fore200e_close() or fore200e_change_qos() on other VCCs, a read-modify-write race occurs.

Specifically, the error path reads the rate without the lock. If another CPU acquires the lock and modifies the rate (e.g., releasing bandwidth in fore200e_close()) between this read and the subsequent write, the error path will overwrite the concurrent update with a stale value. This results in incorrect bandwidth accounting.
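The lost update described above can be replayed deterministically in userspace. This is an added example, not the driver's code or the upstream patch: the struct, the boolean stand-in for rate_mtx, the helper names and the rate values are all constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only; field names mirror the advisory, values are constructed. */
struct dev {
    unsigned long available_cell_rate; /* shared by every VCC on the device */
    bool rate_mtx_held;                /* stand-in for the rate_mtx mutex */
    unsigned long pending_release;     /* close() on another VCC waiting to run */
};

/* "Other CPU": a fore200e_close()-style release. It needs rate_mtx, so it
 * only makes progress while the mutex is free; otherwise it stays pending. */
static void other_cpu_close(struct dev *d)
{
    if (d->rate_mtx_held || d->pending_release == 0)
        return;
    d->available_cell_rate += d->pending_release;
    d->pending_release = 0;
}

/* Error path of open() after activation failed: give max_pcr back.
 * locked=false models the unprotected read-modify-write, locked=true the fix.
 * The other CPU gets a chance to run between the read and the write. */
static void open_error_path(struct dev *d, unsigned long max_pcr, bool locked)
{
    if (locked) d->rate_mtx_held = true;
    unsigned long seen = d->available_cell_rate;  /* read */
    other_cpu_close(d);                           /* concurrent close() tries to run */
    d->available_cell_rate = seen + max_pcr;      /* modify and write back */
    if (locked) d->rate_mtx_held = false;
    other_cpu_close(d);                           /* a blocked close() proceeds now */
}

/* Link rate 1000: VCC A holds 300 and is closing; VCC B reserved 200 in
 * open() and its activation then failed. Correct final value is 1000. */
static unsigned long replay(bool locked)
{
    struct dev d = { .available_cell_rate = 1000 - 300 - 200, .pending_release = 300 };
    open_error_path(&d, 200, locked);
    return d.available_cell_rate;
}

int main(void)
{
    printf("unlocked error path: %lu\n", replay(false));
    printf("locked error path:   %lu\n", replay(true));
    return 0;
}
```

In the unlocked replay the 300 released by the closing VCC is overwritten by the stale value, so that bandwidth stays unavailable until the accounting is reset.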

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68339.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
1b60f42a639999c37da7f1fbfa1ad29cf4cbdd2d
Fixed
bd1415efbab507b9b995918105eef953013449dd
Fixed
ed34c70d88e2b8b9bc6c3ede88751186d6c6d5d1
Fixed
9917ba597cf95f307778e495f71ff25a5064d167
Fixed
667ac868823224374f819500adc5baa2889c7bc5
Fixed
6610361458e7eb6502dd3182f586f91fcc218039
Fixed
82fca3d8a4a34667f01ec2351a607135249c9cff

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68339.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.12
Fixed
5.10.247
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.197
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.159
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.119
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.61
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.17.11

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68339.json"