cve/published/2025/CVE-2025-21672.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21672: afs: Fix merge preference rule failure condition

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 afs: Fix merge preference rule failure condition

 syzbot reported a lock held when returning to userspace[1].  This is
 because if argc is less than 0 and the function returns directly, the held
 inode lock is not released.

 Fix this by store the error in ret and jump to done to clean up instead of
 returning directly.

 [dh: Modified Lizhi Xu's original patch to make it honour the error code
 from afs_split_string()]

 [1]
 WARNING: lock held when returning to user space!
 6.13.0-rc3-syzkaller-00209-g499551201b5f #0 Not tainted
 ------------------------------------------------
 syz-executor133/5823 is leaving the kernel with locks still held!
 1 lock held by syz-executor133/5823:
  #0: ffff888071cffc00 (&sb->s_type->i_mutex_key#9){++++}-{4:4}, at: inode_lock include/linux/fs.h:818 [inline]
  #0: ffff888071cffc00 (&sb->s_type->i_mutex_key#9){++++}-{4:4}, at: afs_proc_addr_prefs_write+0x2bb/0x14e0 fs/afs/addr_prefs.c:388

 The Linux kernel CVE team has assigned CVE-2025-21672 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.8 with commit f94f70d39cc2d54079ebae934862198516315db2 and fixed in 6.12.11 with commit 22be1d90a6211c88dd093b25d1f3aa974d0d9f9d
 	Issue introduced in 6.8 with commit f94f70d39cc2d54079ebae934862198516315db2 and fixed in 6.13 with commit 17a4fde81d3a7478d97d15304a6d61094a10c2e3

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21672
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/afs/addr_prefs.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/22be1d90a6211c88dd093b25d1f3aa974d0d9f9d
 	https://git.kernel.org/stable/c/17a4fde81d3a7478d97d15304a6d61094a10c2e3
	From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21672: afs: Fix merge preference rule failure condition

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	afs: Fix merge preference rule failure condition

	syzbot reported a lock held when returning to userspace[1]. This is
	because if argc is less than 0 and the function returns directly, the held
	inode lock is not released.

	Fix this by store the error in ret and jump to done to clean up instead of
	returning directly.

	[dh: Modified Lizhi Xu's original patch to make it honour the error code
	from afs_split_string()]

	[1]
	WARNING: lock held when returning to user space!
	6.13.0-rc3-syzkaller-00209-g499551201b5f #0 Not tainted
	------------------------------------------------
	syz-executor133/5823 is leaving the kernel with locks still held!
	1 lock held by syz-executor133/5823:
	#0: ffff888071cffc00 (&sb->s_type->i_mutex_key#9){++++}-{4:4}, at: inode_lock include/linux/fs.h:818 [inline]
	#0: ffff888071cffc00 (&sb->s_type->i_mutex_key#9){++++}-{4:4}, at: afs_proc_addr_prefs_write+0x2bb/0x14e0 fs/afs/addr_prefs.c:388

	The Linux kernel CVE team has assigned CVE-2025-21672 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.8 with commit f94f70d39cc2d54079ebae934862198516315db2 and fixed in 6.12.11 with commit 22be1d90a6211c88dd093b25d1f3aa974d0d9f9d
	Issue introduced in 6.8 with commit f94f70d39cc2d54079ebae934862198516315db2 and fixed in 6.13 with commit 17a4fde81d3a7478d97d15304a6d61094a10c2e3

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21672
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/afs/addr_prefs.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/22be1d90a6211c88dd093b25d1f3aa974d0d9f9d
	https://git.kernel.org/stable/c/17a4fde81d3a7478d97d15304a6d61094a10c2e3