cve/published/2025/CVE-2025-37741.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-37741: jfs: Prevent copying of nlink with value 0 from disk inode

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 jfs: Prevent copying of nlink with value 0 from disk inode

 syzbot report a deadlock in diFree. [1]

 When calling "ioctl$LOOP_SET_STATUS64", the offset value passed in is 4,
 which does not match the mounted loop device, causing the mapping of the
 mounted loop device to be invalidated.

 When creating the directory and creating the inode of iag in diReadSpecial(),
 read the page of fixed disk inode (AIT) in raw mode in read_metapage(), the
 metapage data it returns is corrupted, which causes the nlink value of 0 to be
 assigned to the iag inode when executing copy_from_dinode(), which ultimately
 causes a deadlock when entering diFree().

 To avoid this, first check the nlink value of dinode before setting iag inode.

 [1]
 WARNING: possible recursive locking detected
 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 Not tainted
 --------------------------------------------
 syz-executor301/5309 is trying to acquire lock:
 ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889

 but task is already holding lock:
 ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630

 other info that might help us debug this:
  Possible unsafe locking scenario:

        CPU0
        ----
   lock(&(imap->im_aglock[index]));
   lock(&(imap->im_aglock[index]));

  *** DEADLOCK ***

  May be due to missing lock nesting notation

 5 locks held by syz-executor301/5309:
  #0: ffff8880422a4420 (sb_writers#9){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 fs/namespace.c:515
  #1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:850 [inline]
  #1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: filename_create+0x260/0x540 fs/namei.c:4026
  #2: ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630
  #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2460 [inline]
  #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
  #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocAG+0x4b7/0x1e50 fs/jfs/jfs_imap.c:1669
  #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2477 [inline]
  #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
  #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocAG+0x869/0x1e50 fs/jfs/jfs_imap.c:1669

 stack backtrace:
 CPU: 0 UID: 0 PID: 5309 Comm: syz-executor301 Not tainted 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:94 [inline]
  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
  print_deadlock_bug+0x483/0x620 kernel/locking/lockdep.c:3037
  check_deadlock kernel/locking/lockdep.c:3089 [inline]
  validate_chain+0x15e2/0x5920 kernel/locking/lockdep.c:3891
  __lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5202
  lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
  __mutex_lock_common kernel/locking/mutex.c:608 [inline]
  __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
  diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889
  jfs_evict_inode+0x32d/0x440 fs/jfs/inode.c:156
  evict+0x4e8/0x9b0 fs/inode.c:725
  diFreeSpecial fs/jfs/jfs_imap.c:552 [inline]
  duplicateIXtree+0x3c6/0x550 fs/jfs/jfs_imap.c:3022
  diNewIAG fs/jfs/jfs_imap.c:2597 [inline]
  diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
  diAllocAG+0x17dc/0x1e50 fs/jfs/jfs_imap.c:1669
  diAlloc+0x1d2/0x1630 fs/jfs/jfs_imap.c:1590
  ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56
  jfs_mkdir+0x1c5/0xba0 fs/jfs/namei.c:225
  vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257
  do_mkdirat+0x264/0x3a0 fs/namei.c:4280
  __do_sys_mkdirat fs/namei.c:4295 [inline]
  __se_sys_mkdirat fs/namei.c:4293 [inline]
  __x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 The Linux kernel CVE team has assigned CVE-2025-37741 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.4.293 with commit 5b2f26d3fba4e9aac314f8bc0963b3fc28c0e456
 	Fixed in 5.10.237 with commit 8b5ce75f8bd3ddf480cc0a240d7ff5cdea0444f9
 	Fixed in 5.15.181 with commit 86bfeaa18f9e4615b97f2d613e0fcc4ced196527
 	Fixed in 6.1.135 with commit c9541c2bd0edbdbc5c1148a84d3b48dc8d1b8af2
 	Fixed in 6.6.88 with commit b3c4884b987e5d8d0ec061a4d52653c4f4b9c37e
 	Fixed in 6.12.24 with commit aeb926e605f97857504bdf748f575e40617e2ef9
 	Fixed in 6.13.12 with commit 994787341358816d91b2fded288ecb7f129f2b27
 	Fixed in 6.14.3 with commit a2b560815528ae8e266fca6038bb5585d13aaef4
 	Fixed in 6.15 with commit b61e69bb1c049cf507e3c654fa3dc1568231bd07

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-37741
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/jfs/jfs_imap.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5b2f26d3fba4e9aac314f8bc0963b3fc28c0e456
 	https://git.kernel.org/stable/c/8b5ce75f8bd3ddf480cc0a240d7ff5cdea0444f9
 	https://git.kernel.org/stable/c/86bfeaa18f9e4615b97f2d613e0fcc4ced196527
 	https://git.kernel.org/stable/c/c9541c2bd0edbdbc5c1148a84d3b48dc8d1b8af2
 	https://git.kernel.org/stable/c/b3c4884b987e5d8d0ec061a4d52653c4f4b9c37e
 	https://git.kernel.org/stable/c/aeb926e605f97857504bdf748f575e40617e2ef9
 	https://git.kernel.org/stable/c/994787341358816d91b2fded288ecb7f129f2b27
 	https://git.kernel.org/stable/c/a2b560815528ae8e266fca6038bb5585d13aaef4
 	https://git.kernel.org/stable/c/b61e69bb1c049cf507e3c654fa3dc1568231bd07
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-37741: jfs: Prevent copying of nlink with value 0 from disk inode

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	jfs: Prevent copying of nlink with value 0 from disk inode

	syzbot report a deadlock in diFree. [1]

	When calling "ioctl$LOOP_SET_STATUS64", the offset value passed in is 4,
	which does not match the mounted loop device, causing the mapping of the
	mounted loop device to be invalidated.

	When creating the directory and creating the inode of iag in diReadSpecial(),
	read the page of fixed disk inode (AIT) in raw mode in read_metapage(), the
	metapage data it returns is corrupted, which causes the nlink value of 0 to be
	assigned to the iag inode when executing copy_from_dinode(), which ultimately
	causes a deadlock when entering diFree().

	To avoid this, first check the nlink value of dinode before setting iag inode.

	[1]
	WARNING: possible recursive locking detected
	6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 Not tainted
	--------------------------------------------
	syz-executor301/5309 is trying to acquire lock:
	ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889

	but task is already holding lock:
	ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630

	other info that might help us debug this:
	Possible unsafe locking scenario:

	CPU0
	----
	lock(&(imap->im_aglock[index]));
	lock(&(imap->im_aglock[index]));

	* DEADLOCK *

	May be due to missing lock nesting notation

	5 locks held by syz-executor301/5309:
	#0: ffff8880422a4420 (sb_writers#9){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 fs/namespace.c:515
	#1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:850 [inline]
	#1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: filename_create+0x260/0x540 fs/namei.c:4026
	#2: ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630
	#3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2460 [inline]
	#3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
	#3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocAG+0x4b7/0x1e50 fs/jfs/jfs_imap.c:1669
	#4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2477 [inline]
	#4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
	#4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocAG+0x869/0x1e50 fs/jfs/jfs_imap.c:1669

	stack backtrace:
	CPU: 0 UID: 0 PID: 5309 Comm: syz-executor301 Not tainted 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0
	Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:94 [inline]
	dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
	print_deadlock_bug+0x483/0x620 kernel/locking/lockdep.c:3037
	check_deadlock kernel/locking/lockdep.c:3089 [inline]
	validate_chain+0x15e2/0x5920 kernel/locking/lockdep.c:3891
	__lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5202
	lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
	__mutex_lock_common kernel/locking/mutex.c:608 [inline]
	__mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
	diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889
	jfs_evict_inode+0x32d/0x440 fs/jfs/inode.c:156
	evict+0x4e8/0x9b0 fs/inode.c:725
	diFreeSpecial fs/jfs/jfs_imap.c:552 [inline]
	duplicateIXtree+0x3c6/0x550 fs/jfs/jfs_imap.c:3022
	diNewIAG fs/jfs/jfs_imap.c:2597 [inline]
	diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
	diAllocAG+0x17dc/0x1e50 fs/jfs/jfs_imap.c:1669
	diAlloc+0x1d2/0x1630 fs/jfs/jfs_imap.c:1590
	ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56
	jfs_mkdir+0x1c5/0xba0 fs/jfs/namei.c:225
	vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257
	do_mkdirat+0x264/0x3a0 fs/namei.c:4280
	__do_sys_mkdirat fs/namei.c:4295 [inline]
	__se_sys_mkdirat fs/namei.c:4293 [inline]
	__x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	The Linux kernel CVE team has assigned CVE-2025-37741 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.4.293 with commit 5b2f26d3fba4e9aac314f8bc0963b3fc28c0e456
	Fixed in 5.10.237 with commit 8b5ce75f8bd3ddf480cc0a240d7ff5cdea0444f9
	Fixed in 5.15.181 with commit 86bfeaa18f9e4615b97f2d613e0fcc4ced196527
	Fixed in 6.1.135 with commit c9541c2bd0edbdbc5c1148a84d3b48dc8d1b8af2
	Fixed in 6.6.88 with commit b3c4884b987e5d8d0ec061a4d52653c4f4b9c37e
	Fixed in 6.12.24 with commit aeb926e605f97857504bdf748f575e40617e2ef9
	Fixed in 6.13.12 with commit 994787341358816d91b2fded288ecb7f129f2b27
	Fixed in 6.14.3 with commit a2b560815528ae8e266fca6038bb5585d13aaef4
	Fixed in 6.15 with commit b61e69bb1c049cf507e3c654fa3dc1568231bd07

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-37741
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/jfs/jfs_imap.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5b2f26d3fba4e9aac314f8bc0963b3fc28c0e456
	https://git.kernel.org/stable/c/8b5ce75f8bd3ddf480cc0a240d7ff5cdea0444f9
	https://git.kernel.org/stable/c/86bfeaa18f9e4615b97f2d613e0fcc4ced196527
	https://git.kernel.org/stable/c/c9541c2bd0edbdbc5c1148a84d3b48dc8d1b8af2
	https://git.kernel.org/stable/c/b3c4884b987e5d8d0ec061a4d52653c4f4b9c37e
	https://git.kernel.org/stable/c/aeb926e605f97857504bdf748f575e40617e2ef9
	https://git.kernel.org/stable/c/994787341358816d91b2fded288ecb7f129f2b27
	https://git.kernel.org/stable/c/a2b560815528ae8e266fca6038bb5585d13aaef4
	https://git.kernel.org/stable/c/b61e69bb1c049cf507e3c654fa3dc1568231bd07