CVE-2025-37999
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio()
If bio_add_folio() fails (because it is full),
erofs_fileio_scan_folio() needs to submit the I/O request via
erofs_fileio_rq_submit() and allocate a new I/O request with an empty
struct bio. Then it retries the bio_add_folio() call.
However, at this point, erofs_onlinefolio_split() has already been
called which increments folio->private; the retry will call
erofs_onlinefolio_split() again, but there will never be a matching
erofs_onlinefolio_end() call. This leaves the folio locked forever
and all waiters will be stuck in folio_wait_bit_common().
This bug has been added by commit ce63cb62d794 ("erofs: support
unencoded inodes for fileio"), but was practically unreachable because
there was room for 256 folios in the struct bio - until commit
9f74ae8c9ac9 ("erofs: shorten bvecs[] for file-backed mounts") which
reduced the array capacity to 16 folios.
It was now trivial to trigger the bug by manually invoking readahead from userspace, e.g.:
posix_fadvise(fd, 0, st.st_size, POSIX_FADV_WILLNEED);
This should be fixed by invoking erofs_onlinefolio_split() only after bio_add_folio() has succeeded. This is safe: asynchronous completions invoking erofs_onlinefolio_end() will not unlock the folio because erofs_fileio_scan_folio() is still holding a reference to be released by erofs_onlinefolio_end() at the end.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | ce63cb62d794c98c7631c2296fa845f2a8d0a4a1 < 61e0fc3312309867e5a3495329dad0286d2a5703 | affected |
| Linux | Linux | ce63cb62d794c98c7631c2296fa845f2a8d0a4a1 < c26076197df348c84cc23e5962d61902e072a0f5 | affected |
| Linux | Linux | ce63cb62d794c98c7631c2296fa845f2a8d0a4a1 < bbfe756dc3062c1e934f06e5ba39c239aa953b92 | affected |
| Linux | Linux | 6.12 | affected |
| Linux | Linux | 0 < 6.12 | unaffected |
| Linux | Linux | 6.12.29 <= 6.12.* | unaffected |
| Linux | Linux | 6.14.7 <= 6.14.* | unaffected |
| Linux | Linux | 6.15 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/61e0fc3312309867e5a3495329dad0286d2a5703
- https://git.kernel.org/stable/c/c26076197df348c84cc23e5962d61902e072a0f5
- https://git.kernel.org/stable/c/bbfe756dc3062c1e934f06e5ba39c239aa953b92
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.