CVE-2025-38337
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata()
Since handle->h_transaction may be a NULL pointer, so we should change it to call is_handle_aborted(handle) first before dereferencing it.
And the following data-race was reported in my fuzzer:
================================================================== BUG: KCSAN: data-race in jbd2_journal_dirty_metadata / jbd2_journal_dirty_metadata
write to 0xffff888011024104 of 4 bytes by task 10881 on cpu 1: jbd2_journal_dirty_metadata+0x2a5/0x770 fs/jbd2/transaction.c:1556 __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358 ext4_do_update_inode fs/ext4/inode.c:5220 [inline] ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869 __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074 ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103 ….
read to 0xffff888011024104 of 4 bytes by task 10880 on cpu 0: jbd2_journal_dirty_metadata+0xf2/0x770 fs/jbd2/transaction.c:1512 __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358 ext4_do_update_inode fs/ext4/inode.c:5220 [inline] ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869 __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074 ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103 ….
value changed: 0x00000000 -> 0x00000001
This issue is caused by missing data-race annotation for jh->b_modified. Therefore, the missing annotation needs to be added.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 6e06ae88edae77379bef7c0cb7d3c2dd88676867 < 5c1a34ff5b0bfdfd2f9343aa9b08d25df618bac5 | affected |
| Linux | Linux | 6e06ae88edae77379bef7c0cb7d3c2dd88676867 < ec669e5bf409f16e464bfad75f0ba039a45de29a | affected |
| Linux | Linux | 6e06ae88edae77379bef7c0cb7d3c2dd88676867 < 43d5e3bb5f1dcd91e30238ea0b59a5f77063f84e | affected |
| Linux | Linux | 6e06ae88edae77379bef7c0cb7d3c2dd88676867 < 23361b479f2700c00960d3ae9cdc8ededa762d47 | affected |
| Linux | Linux | 6e06ae88edae77379bef7c0cb7d3c2dd88676867 < 2e7c64d7a92c031d016f11c8e8cb05131ab7b75a | affected |
| Linux | Linux | 6e06ae88edae77379bef7c0cb7d3c2dd88676867 < f78b38af3540b4875147b7b884ee11a27b3dbf4c | affected |
| Linux | Linux | 6e06ae88edae77379bef7c0cb7d3c2dd88676867 < a377996d714afb8d4d5f4906336f78510039da29 | affected |
| Linux | Linux | 6e06ae88edae77379bef7c0cb7d3c2dd88676867 < af98b0157adf6504fade79b3e6cb260c4ff68e37 | affected |
| Linux | Linux | 4.3 | affected |
| Linux | Linux | 0 < 4.3 | unaffected |
| Linux | Linux | 5.4.295 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.239 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.186 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.142 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.95 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.35 <= 6.12.* | unaffected |
| Linux | Linux | 6.15.4 <= 6.15.* | unaffected |
| Linux | Linux | 6.16 <= * | unaffected |
Weaknesses
ADP Enrichment
CVE Program Container
Additional References
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
References
- https://git.kernel.org/stable/c/5c1a34ff5b0bfdfd2f9343aa9b08d25df618bac5
- https://git.kernel.org/stable/c/ec669e5bf409f16e464bfad75f0ba039a45de29a
- https://git.kernel.org/stable/c/43d5e3bb5f1dcd91e30238ea0b59a5f77063f84e
- https://git.kernel.org/stable/c/23361b479f2700c00960d3ae9cdc8ededa762d47
- https://git.kernel.org/stable/c/2e7c64d7a92c031d016f11c8e8cb05131ab7b75a
- https://git.kernel.org/stable/c/f78b38af3540b4875147b7b884ee11a27b3dbf4c
- https://git.kernel.org/stable/c/a377996d714afb8d4d5f4906336f78510039da29
- https://git.kernel.org/stable/c/af98b0157adf6504fade79b3e6cb260c4ff68e37
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.