cve/published/2025/CVE-2025-21811.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21811: nilfs2: protect access to buffers with no active references

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 nilfs2: protect access to buffers with no active references

 nilfs_lookup_dirty_data_buffers(), which iterates through the buffers
 attached to dirty data folios/pages, accesses the attached buffers without
 locking the folios/pages.

 For data cache, nilfs_clear_folio_dirty() may be called asynchronously
 when the file system degenerates to read only, so
 nilfs_lookup_dirty_data_buffers() still has the potential to cause use
 after free issues when buffers lose the protection of their dirty state
 midway due to this asynchronous clearing and are unintentionally freed by
 try_to_free_buffers().

 Eliminate this race issue by adjusting the lock section in this function.

 The Linux kernel CVE team has assigned CVE-2025-21811 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.10 with commit 8c26c4e2694a163d525976e804d81cd955bbb40c and fixed in 5.4.291 with commit e1fc4a90a90ea8514246c45435662531975937d9
 	Issue introduced in 3.10 with commit 8c26c4e2694a163d525976e804d81cd955bbb40c and fixed in 5.10.235 with commit 72cf688d0ce7e642b12ddc9b2a42524737ec1b4a
 	Issue introduced in 3.10 with commit 8c26c4e2694a163d525976e804d81cd955bbb40c and fixed in 5.15.179 with commit d8ff250e085a4c4cdda4ad1cdd234ed110393143
 	Issue introduced in 3.10 with commit 8c26c4e2694a163d525976e804d81cd955bbb40c and fixed in 6.1.129 with commit 58c27fa7a610b6e8d44e6220e7dbddfbaccaf439
 	Issue introduced in 3.10 with commit 8c26c4e2694a163d525976e804d81cd955bbb40c and fixed in 6.6.76 with commit 8e1b9201c9a24638cf09c6e1c9f224157328010b
 	Issue introduced in 3.10 with commit 8c26c4e2694a163d525976e804d81cd955bbb40c and fixed in 6.12.13 with commit 4b08d23d7d1917bef4fbee8ad81372f49b006656
 	Issue introduced in 3.10 with commit 8c26c4e2694a163d525976e804d81cd955bbb40c and fixed in 6.13.2 with commit c437dfac9f7a5a46ac2a5e6d6acd3059e9f68188
 	Issue introduced in 3.10 with commit 8c26c4e2694a163d525976e804d81cd955bbb40c and fixed in 6.14 with commit 367a9bffabe08c04f6d725032cce3d891b2b9e1a

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21811
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/nilfs2/segment.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e1fc4a90a90ea8514246c45435662531975937d9
 	https://git.kernel.org/stable/c/72cf688d0ce7e642b12ddc9b2a42524737ec1b4a
 	https://git.kernel.org/stable/c/d8ff250e085a4c4cdda4ad1cdd234ed110393143
 	https://git.kernel.org/stable/c/58c27fa7a610b6e8d44e6220e7dbddfbaccaf439
 	https://git.kernel.org/stable/c/8e1b9201c9a24638cf09c6e1c9f224157328010b
 	https://git.kernel.org/stable/c/4b08d23d7d1917bef4fbee8ad81372f49b006656
 	https://git.kernel.org/stable/c/c437dfac9f7a5a46ac2a5e6d6acd3059e9f68188
 	https://git.kernel.org/stable/c/367a9bffabe08c04f6d725032cce3d891b2b9e1a
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21811: nilfs2: protect access to buffers with no active references

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	nilfs2: protect access to buffers with no active references

	nilfs_lookup_dirty_data_buffers(), which iterates through the buffers
	attached to dirty data folios/pages, accesses the attached buffers without
	locking the folios/pages.

	For data cache, nilfs_clear_folio_dirty() may be called asynchronously
	when the file system degenerates to read only, so
	nilfs_lookup_dirty_data_buffers() still has the potential to cause use
	after free issues when buffers lose the protection of their dirty state
	midway due to this asynchronous clearing and are unintentionally freed by
	try_to_free_buffers().

	Eliminate this race issue by adjusting the lock section in this function.

	The Linux kernel CVE team has assigned CVE-2025-21811 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.10 with commit 8c26c4e2694a163d525976e804d81cd955bbb40c and fixed in 5.4.291 with commit e1fc4a90a90ea8514246c45435662531975937d9
	Issue introduced in 3.10 with commit 8c26c4e2694a163d525976e804d81cd955bbb40c and fixed in 5.10.235 with commit 72cf688d0ce7e642b12ddc9b2a42524737ec1b4a
	Issue introduced in 3.10 with commit 8c26c4e2694a163d525976e804d81cd955bbb40c and fixed in 5.15.179 with commit d8ff250e085a4c4cdda4ad1cdd234ed110393143
	Issue introduced in 3.10 with commit 8c26c4e2694a163d525976e804d81cd955bbb40c and fixed in 6.1.129 with commit 58c27fa7a610b6e8d44e6220e7dbddfbaccaf439
	Issue introduced in 3.10 with commit 8c26c4e2694a163d525976e804d81cd955bbb40c and fixed in 6.6.76 with commit 8e1b9201c9a24638cf09c6e1c9f224157328010b
	Issue introduced in 3.10 with commit 8c26c4e2694a163d525976e804d81cd955bbb40c and fixed in 6.12.13 with commit 4b08d23d7d1917bef4fbee8ad81372f49b006656
	Issue introduced in 3.10 with commit 8c26c4e2694a163d525976e804d81cd955bbb40c and fixed in 6.13.2 with commit c437dfac9f7a5a46ac2a5e6d6acd3059e9f68188
	Issue introduced in 3.10 with commit 8c26c4e2694a163d525976e804d81cd955bbb40c and fixed in 6.14 with commit 367a9bffabe08c04f6d725032cce3d891b2b9e1a

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21811
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/nilfs2/segment.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e1fc4a90a90ea8514246c45435662531975937d9
	https://git.kernel.org/stable/c/72cf688d0ce7e642b12ddc9b2a42524737ec1b4a
	https://git.kernel.org/stable/c/d8ff250e085a4c4cdda4ad1cdd234ed110393143
	https://git.kernel.org/stable/c/58c27fa7a610b6e8d44e6220e7dbddfbaccaf439
	https://git.kernel.org/stable/c/8e1b9201c9a24638cf09c6e1c9f224157328010b
	https://git.kernel.org/stable/c/4b08d23d7d1917bef4fbee8ad81372f49b006656
	https://git.kernel.org/stable/c/c437dfac9f7a5a46ac2a5e6d6acd3059e9f68188
	https://git.kernel.org/stable/c/367a9bffabe08c04f6d725032cce3d891b2b9e1a