ghsa-7qr6-vjfq-429r
Vulnerability from github
Published
2025-05-29 15:31
Modified
2025-05-29 15:31
Details

In the Linux kernel, the following vulnerability has been resolved:

fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio()

If bio_add_folio() fails (because it is full), erofs_fileio_scan_folio() needs to submit the I/O request via erofs_fileio_rq_submit() and allocate a new I/O request with an empty struct bio. Then it retries the bio_add_folio() call.

However, at this point, erofs_onlinefolio_split() has already been called which increments folio->private; the retry will call erofs_onlinefolio_split() again, but there will never be a matching erofs_onlinefolio_end() call. This leaves the folio locked forever and all waiters will be stuck in folio_wait_bit_common().

This bug has been added by commit ce63cb62d794 ("erofs: support unencoded inodes for fileio"), but was practically unreachable because there was room for 256 folios in the struct bio - until commit 9f74ae8c9ac9 ("erofs: shorten bvecs[] for file-backed mounts") which reduced the array capacity to 16 folios.

It was now trivial to trigger the bug by manually invoking readahead from userspace, e.g.:

posix_fadvise(fd, 0, st.st_size, POSIX_FADV_WILLNEED);

This should be fixed by invoking erofs_onlinefolio_split() only after bio_add_folio() has succeeded. This is safe: asynchronous completions invoking erofs_onlinefolio_end() will not unlock the folio because erofs_fileio_scan_folio() is still holding a reference to be released by erofs_onlinefolio_end() at the end.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-37999"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-29T14:15:36Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio()\n\nIf bio_add_folio() fails (because it is full),\nerofs_fileio_scan_folio() needs to submit the I/O request via\nerofs_fileio_rq_submit() and allocate a new I/O request with an empty\n`struct bio`.  Then it retries the bio_add_folio() call.\n\nHowever, at this point, erofs_onlinefolio_split() has already been\ncalled which increments `folio-\u003eprivate`; the retry will call\nerofs_onlinefolio_split() again, but there will never be a matching\nerofs_onlinefolio_end() call.  This leaves the folio locked forever\nand all waiters will be stuck in folio_wait_bit_common().\n\nThis bug has been added by commit ce63cb62d794 (\"erofs: support\nunencoded inodes for fileio\"), but was practically unreachable because\nthere was room for 256 folios in the `struct bio` - until commit\n9f74ae8c9ac9 (\"erofs: shorten bvecs[] for file-backed mounts\") which\nreduced the array capacity to 16 folios.\n\nIt was now trivial to trigger the bug by manually invoking readahead\nfrom userspace, e.g.:\n\n posix_fadvise(fd, 0, st.st_size, POSIX_FADV_WILLNEED);\n\nThis should be fixed by invoking erofs_onlinefolio_split() only after\nbio_add_folio() has succeeded.  This is safe: asynchronous completions\ninvoking erofs_onlinefolio_end() will not unlock the folio because\nerofs_fileio_scan_folio() is still holding a reference to be released\nby erofs_onlinefolio_end() at the end.",
  "id": "GHSA-7qr6-vjfq-429r",
  "modified": "2025-05-29T15:31:09Z",
  "published": "2025-05-29T15:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37999"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/61e0fc3312309867e5a3495329dad0286d2a5703"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bbfe756dc3062c1e934f06e5ba39c239aa953b92"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c26076197df348c84cc23e5962d61902e072a0f5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.