CVE-2025-21896

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date (dd/mm/yyyy): 01/04/2025
Last modified (dd/mm/yyyy): 31/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

fuse: revert back to __readahead_folio() for readahead

In commit 3eab9d7bc2f4 ("fuse: convert readahead to use folios"), the logic was converted to using the new folio readahead code, which drops the reference on the folio once it is locked, using an inferred reference on the folio. Previously we held a reference on the folio for the entire duration of the readpages call.

This is fine. However, in the case of splice pipe responses, where we will remove the old folio and splice in the new folio (see fuse_try_move_page()), we assume that there is a reference held on the folio for ap->folios, which is no longer the case.

To fix this, revert back to __readahead_folio(), which allows us to hold the reference on the folio for the duration of readpages until either we drop the reference ourselves in fuse_readpages_end() or the reference is dropped after it's replaced in the page cache in the splice case. This will fix the UAF bug that was reported.

Vulnerable products and versions

CPE                                                  From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         6.13 (including)    6.13.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*    (exact version)     -
cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*    (exact version)     -
cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*    (exact version)     -
cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*    (exact version)     -
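The ranges in the table above are the only affected-version data this page carries. The following shell function, added here as an example and not part of the advisory or of the kernel project, turns them into a check that can be pointed at a `uname -r` string. It assumes that a version compare against the listed ranges is only a first pass: distributions backport fixes without changing the upstream version number, so an "affected" result still needs confirming against the vendor's changelog. The sample version strings at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the advisory or the kernel project): classify a
# kernel release string against the version ranges listed on this page:
#   6.13 (including) up to 6.13.6 (excluding), and 6.14-rc1 through 6.14-rc4.
# Assumption: a version compare is only a first pass. Distributions backport
# fixes without bumping the upstream version, so confirm an "affected" result
# against the vendor's changelog before acting on it.

cve_2025_21896_affected() {
    # $1: release string in `uname -r` form ("6.13.4-arch1-1", "6.14.0-rc3")
    # or tag form ("6.14-rc2"). Exit status 0 = listed as affected, 1 = not.
    ver=$1
    # Leading dotted numeric part, then whatever suffix follows it.
    num=$(printf '%s' "$ver" | sed 's/^\([0-9.]*\).*/\1/')
    rest=${ver#"$num"}

    # Release-candidate number, if the suffix starts with -rcN.
    rc=''
    case $rest in
        -rc[0-9]*) rc=${rest#-rc}; rc=${rc%%[!0-9]*} ;;
    esac

    # Split major.minor.patch; missing components default to 0.
    major=${num%%.*}
    r1=${num#*.}
    if [ "$r1" = "$num" ]; then
        minor=0; patch=0
    else
        minor=${r1%%.*}
        r2=${r1#*.}
        if [ "$r2" = "$r1" ]; then patch=0; else patch=${r2%%.*}; fi
    fi
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}

    [ "$major" -eq 6 ] || return 1
    if [ -z "$rc" ]; then
        # Stable series: 6.13 (including) up to 6.13.6 (excluding).
        [ "$minor" -eq 13 ] && [ "$patch" -lt 6 ]
    else
        # Mainline release candidates 6.14-rc1 through 6.14-rc4.
        [ "$minor" -eq 14 ] && [ "$rc" -ge 1 ] && [ "$rc" -le 4 ]
    fi
}

# Constructed sample inputs for the demonstration.
for v in 6.13 6.13.5-arch1-1 6.13.6 6.14.0-rc3 6.14-rc5 6.14 6.12.20 5.15.0-1051-aws; do
    if cve_2025_21896_affected "$v"; then
        echo "$v: listed as affected"
    else
        echo "$v: not listed"
    fi
done
```

To check the running kernel, call `cve_2025_21896_affected "$(uname -r)"`; on a distribution kernel, treat a hit as a prompt to look up the vendor's advisory rather than as a verdict, and note that the page lists 6.13 stable and the 6.14 release candidates only, so a 6.14 final or later is reported as not listed.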