CVE-2025-71072

Summary

In the Linux kernel, the following vulnerability has been resolved:

shmem: fix recovery on rename failures

maple_tree insertions can fail if we are seriously short on memory; simple_offset_rename() does not recover well if it runs into that. The same goes for simple_offset_rename_exchange().

Moreover, shmem_whiteout() expects that if it succeeds, the caller will progress to d_move(), i.e. that shmem_rename2() won't fail past the successful call of shmem_whiteout().

Not hard to fix, fortunately - mtree_store() can't fail if the index we are trying to store into is already present in the tree as a singleton.

For simple_offset_rename_exchange() that's enough - we just need to be careful about the order of operations.

For simple_offset_rename() solution is to preinsert the target into the tree for new_dir; the rest can be done without any potentially failing operations.

That preinsertion has to be done in shmem_rename2() rather than in simple_offset_rename() itself - otherwise we'd need to deal with the possibility of failure after successful shmem_whiteout().

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxa2e459555c5f9da3e619b7e47a63f98574dc75f1 < 4b0fe71fb3965d0db83cdfc2f4fe0b3227d70113affected
LinuxLinuxa2e459555c5f9da3e619b7e47a63f98574dc75f1 < 4642686699a46718d7f2fb5acd1e9d866a9d9ccaaffected
LinuxLinuxa2e459555c5f9da3e619b7e47a63f98574dc75f1 < e1b4c6a58304fd490124cc2b454d80edc786665caffected
LinuxLinux6.6affected
LinuxLinux0 < 6.6unaffected
LinuxLinux6.12.64 <= 6.12.*unaffected
LinuxLinux6.18.3 <= 6.18.*unaffected
LinuxLinux6.19 <= *unaffected

Weaknesses

References