CVE-2025-40237

Summary

In the Linux kernel, the following vulnerability has been resolved:

fs/notify: call exportfs_encode_fid with s_umount

Calling intotify_show_fdinfo() on fd watching an overlayfs inode, while the overlayfs is being unmounted, can lead to dereferencing NULL ptr.

This issue was found by syzkaller.

Race Condition Diagram:

Thread 1 Thread 2


generic_shutdown_super() shrink_dcache_for_umount sb->s_root = NULL

                |
                |             vfs_read()
                |              inotify_fdinfo()
                |               * inode get from mark *
                |               show_mark_fhandle(m, inode)
                |                exportfs_encode_fid(inode, ..)
                |                 ovl_encode_fh(inode, ..)
                |                  ovl_check_encode_origin(inode)
                |                   * deref i_sb->s_root *
                |
                |
                v

fsnotify_sb_delete(sb)

Which then leads to:

[ 32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [ 32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none)

<snip registers, unreliable trace>

[ 32.143353] Call Trace: [ 32.143732] ovl_encode_fh+0xd5/0x170 [ 32.144031] exportfs_encode_inode_fh+0x12f/0x300 [ 32.144425] show_mark_fhandle+0xbe/0x1f0 [ 32.145805] inotify_fdinfo+0x226/0x2d0 [ 32.146442] inotify_show_fdinfo+0x1c5/0x350 [ 32.147168] seq_show+0x530/0x6f0 [ 32.147449] seq_read_iter+0x503/0x12a0 [ 32.148419] seq_read+0x31f/0x410 [ 32.150714] vfs_read+0x1f0/0x9e0 [ 32.152297] ksys_read+0x125/0x240

IOW ovl_check_encode_origin derefs inode->i_sb->s_root, after it was set to NULL in the unmount path.

Fix it by protecting calling exportfs_encode_fid() from show_mark_fhandle() with s_umount lock.

This form of fix was suggested by Amir in 1.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxa1a541fbfa7e97c1100144db34b57553d7164ce5 < 950b604384fd75d62e860bec7135b2b62eb4d508affected
LinuxLinuxf0c0ac84de17c37e6e84da65fb920f91dada55ad < bc1c6b803e14ea2b8f7e33b7164013f666ceb656affected
LinuxLinux3c7c90274ae339e1ad443c9be1c67a20b80b9c76 < 3f307a9f7a7a2822e38ac451b73e2244e7279496affected
LinuxLinuxc45beebfde34aa71afbc48b2c54cdda623515037 < d1894bc542becb0fda61e7e513b09523cab44030affected
LinuxLinuxc45beebfde34aa71afbc48b2c54cdda623515037 < a7c4bb43bfdc2b9f06ee9d036028ed13a83df42aaffected
LinuxLinux6.6.72 < 6.6.73affected
LinuxLinux6.6.74 < 6.6.115affected
LinuxLinux6.12.10 < 6.12.56affected
LinuxLinux6.13affected
LinuxLinux0 < 6.13unaffected
LinuxLinux6.6.73 <= 6.6.*unaffected
LinuxLinux6.6.115 <= 6.6.*unaffected
LinuxLinux6.12.56 <= 6.12.*unaffected
LinuxLinux6.17.6 <= 6.17.*unaffected
LinuxLinux6.18 <= *unaffected

Weaknesses

References