CVE-2025-68261

Summary

In the Linux kernel, the following vulnerability has been resolved:

ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock()

Fix a race between inline data destruction and block mapping.

The function ext4_destroy_inline_data_nolock() changes the inode data layout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS. At the same time, another thread may execute ext4_map_blocks(), which tests EXT4_INODE_EXTENTS to decide whether to call ext4_ext_map_blocks() or ext4_ind_map_blocks().

Without i_data_sem protection, ext4_ind_map_blocks() may receive inode with EXT4_INODE_EXTENTS flag and triggering assert.

kernel BUG at fs/ext4/indirect.c:546! EXT4-fs (loop2): unmounting filesystem. invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:ext4_ind_map_blocks.cold+0x2b/0x5a fs/ext4/indirect.c:546

Call Trace: <TASK> ext4_map_blocks+0xb9b/0x16f0 fs/ext4/inode.c:681 _ext4_get_block+0x242/0x590 fs/ext4/inode.c:822 ext4_block_write_begin+0x48b/0x12c0 fs/ext4/inode.c:1124 ext4_write_begin+0x598/0xef0 fs/ext4/inode.c:1255 ext4_da_write_begin+0x21e/0x9c0 fs/ext4/inode.c:3000 generic_perform_write+0x259/0x5d0 mm/filemap.c:3846 ext4_buffered_write_iter+0x15b/0x470 fs/ext4/file.c:285 ext4_file_write_iter+0x8e0/0x17f0 fs/ext4/file.c:679 call_write_iter include/linux/fs.h:2271 [inline] do_iter_readv_writev+0x212/0x3c0 fs/read_write.c:735 do_iter_write+0x186/0x710 fs/read_write.c:861 vfs_iter_write+0x70/0xa0 fs/read_write.c:902 iter_file_splice_write+0x73b/0xc90 fs/splice.c:685 do_splice_from fs/splice.c:763 [inline] direct_splice_actor+0x10f/0x170 fs/splice.c:950 splice_direct_to_actor+0x33a/0xa10 fs/splice.c:896 do_splice_direct+0x1a9/0x280 fs/splice.c:1002 do_sendfile+0xb13/0x12c0 fs/read_write.c:1255 __do_sys_sendfile64 fs/read_write.c:1323 [inline] __se_sys_sendfile64 fs/read_write.c:1309 [inline] __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxc755e251357a0cee0679081f08c3f4ba797a8009 < b322bac9f01d03190b5abc52be5d9dd9f22a2b41affected
LinuxLinuxc755e251357a0cee0679081f08c3f4ba797a8009 < 61e03dc3794ebf77a706b85e5a36c9c6d70be6deaffected
LinuxLinuxc755e251357a0cee0679081f08c3f4ba797a8009 < 5b266cf6851ce72b11b067fe02adf5a8687104adaffected
LinuxLinuxc755e251357a0cee0679081f08c3f4ba797a8009 < 144c48da33a01d92995aeccd8208eb47d2a8e659affected
LinuxLinuxc755e251357a0cee0679081f08c3f4ba797a8009 < 22a76b0861ae61a299c8e126c1aca8c4fda820fdaffected
LinuxLinuxc755e251357a0cee0679081f08c3f4ba797a8009 < ba8aeff294ac7ff6dfe293663d815c54c5ee218caffected
LinuxLinuxc755e251357a0cee0679081f08c3f4ba797a8009 < 5cad18e527ba8a9ca5463cc170073eeb5a4826f4affected
LinuxLinuxc755e251357a0cee0679081f08c3f4ba797a8009 < 0cd8feea8777f8d9b9a862b89c688b049a5c8475affected
LinuxLinux3e96c3fdcfccb321a9e1623f78cc71b44593e965affected
LinuxLinux5781ac24bbd998ebb1ff30143bb06244d847af48affected
LinuxLinux9b06cce3ca4d60d442c39bfa7c058b71b1cee6c2affected
LinuxLinuxda1e40237f8f3516581b534c484c236a79ccfd14affected
LinuxLinux7cf6b709b6412afd1d93b2c4b37163c3602e3b95affected
LinuxLinux3.16.44 < 3.17affected
LinuxLinux3.18.107 < 3.19affected
LinuxLinux4.4.129 < 4.5affected
LinuxLinux4.9.14 < 4.10affected
LinuxLinux4.10.2 < 4.11affected
LinuxLinux4.11affected
LinuxLinux0 < 4.11unaffected
LinuxLinux5.10.248 <= 5.10.*unaffected
LinuxLinux5.15.198 <= 5.15.*unaffected
LinuxLinux6.1.160 <= 6.1.*unaffected
LinuxLinux6.6.120 <= 6.6.*unaffected
LinuxLinux6.12.62 <= 6.12.*unaffected
LinuxLinux6.17.12 <= 6.17.*unaffected
LinuxLinux6.18.1 <= 6.18.*unaffected
LinuxLinux6.19 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References