CVE-2025-22121

Severity CVSS v4.0:
Pending analysis
Type:
CWE-125 Out-of-bounds Read
Publication date:
16/04/2025
Last modified:
19/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()

There's an issue as follows:
BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790
Read of size 4 at addr ffff88807b003000 by task syz-executor.0/15172

CPU: 3 PID: 15172 Comm: syz-executor.0
Call Trace:
__dump_stack lib/dump_stack.c:82 [inline]
dump_stack+0xbe/0xfd lib/dump_stack.c:123
print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400
__kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560
kasan_report+0x3a/0x50 mm/kasan/report.c:585
ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137
ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896
ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323
evict+0x39f/0x880 fs/inode.c:622
iput_final fs/inode.c:1746 [inline]
iput fs/inode.c:1772 [inline]
iput+0x525/0x6c0 fs/inode.c:1758
ext4_orphan_cleanup fs/ext4/super.c:3298 [inline]
ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300
mount_bdev+0x355/0x410 fs/super.c:1446
legacy_get_tree+0xfe/0x220 fs/fs_context.c:611
vfs_get_tree+0x8d/0x2f0 fs/super.c:1576
do_new_mount fs/namespace.c:2983 [inline]
path_mount+0x119a/0x1ad0 fs/namespace.c:3316
do_mount+0xfc/0x110 fs/namespace.c:3329
__do_sys_mount fs/namespace.c:3540 [inline]
__se_sys_mount+0x219/0x2e0 fs/namespace.c:3514
do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x67/0xd1

Memory state around the buggy address:
ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

The above issue happens because ext4_xattr_delete_inode() doesn't check whether the xattr is valid if the xattr is in the inode.
To solve the above issue, call xattr_check_inode() to check if the xattr is valid in the inode. In fact, we can directly verify in ext4_iget_extra_inode(), so that there is no divergent verification.
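The commit message above names the bug (walking an in-inode xattr entry chain that was never validated) and the fix (validating it once, at inode load time, before any consumer walks it). The following is an added C example and is not code from this page or from the ext4 tree: it reproduces the on-disk entry layout and the EXT4_XATTR_LEN/EXT4_XATTR_NEXT/IS_LAST_ENTRY helpers from fs/ext4/xattr.h, an unchecked walker that models the pre-fix ext4_xattr_inode_dec_ref_all() loop, and a simplified user-space model of the bounds check that xattr_check_inode() / ext4_xattr_check_entries() perform. The in-inode area it walks is constructed in memory (not a real filesystem image); the names naive_dec_ref_all, check_ibody_entries, build_ibody, run_case, IBODY_LEN and BACKING_LEN are this example's own; a little-endian host is assumed; and the magic check that ext4_iget_extra_inode() performs before calling the validator is not modelled.

```c
#include <stdint.h>
#include <string.h>

/* Entry layout and helper macros as in fs/ext4/xattr.h. Disk fields are
 * little-endian; this example assumes a little-endian host. */
struct ext4_xattr_entry {
    uint8_t  e_name_len;
    uint8_t  e_name_index;
    uint16_t e_value_offs;   /* in-inode value offset, relative to the first entry */
    uint32_t e_value_inum;   /* non-zero: the value lives in a separate EA inode */
    uint32_t e_value_size;
    uint32_t e_hash;
    char     e_name[];
};
#define EXT4_XATTR_MAGIC   0xEA020000U
#define EXT4_XATTR_ROUND   3
#define EXT4_XATTR_LEN(n)  (((n) + EXT4_XATTR_ROUND + sizeof(struct ext4_xattr_entry)) & ~(size_t)EXT4_XATTR_ROUND)
#define EXT4_XATTR_SIZE(s) (((s) + EXT4_XATTR_ROUND) & ~(uint32_t)EXT4_XATTR_ROUND)
#define EXT4_XATTR_NEXT(e) ((const struct ext4_xattr_entry *)((const char *)(e) + EXT4_XATTR_LEN((e)->e_name_len)))
#define IS_LAST_ENTRY(e)   (*(const uint32_t *)(e) == 0)

#define IBODY_LEN   64     /* constructed in-inode xattr area, 4-byte magic header included (example's own) */
#define BACKING_LEN 256    /* memory that happens to follow it in this model (example's own) */
int last_released, last_overrun;   /* what the unchecked walk did in the latest run_case() */

/* Unchecked walk modelling the pre-fix ext4_xattr_inode_dec_ref_all(): trusts the chain
 * and runs until a zero terminator. Returns how many EA-inode refs it would drop; sets
 * *overrun once a read lands outside [first, end). hard_end is where KASAN would stop it. */
static int naive_dec_ref_all(const char *first, const char *end, const char *hard_end, int *overrun)
{
    const struct ext4_xattr_entry *e = (const struct ext4_xattr_entry *)first;
    int released = 0;
    for (*overrun = 0;; e = EXT4_XATTR_NEXT(e)) {
        if ((const char *)e + sizeof(uint32_t) > hard_end) { *overrun = 1; break; }
        if (IS_LAST_ENTRY(e)) break;
        if ((const char *)e >= end) *overrun = 1;   /* the out-of-bound read of the CVE */
        if (e->e_value_inum != 0) released++;       /* a garbage inum would hit a random inode */
    }
    return released;
}

/* Simplified model of the check the fix runs first (xattr_check_inode() ->
 * ext4_xattr_check_entries()): every entry, the terminator and every in-inode value
 * must lie inside [first, end). Returns 0 if sane, -1 where the kernel returns -EFSCORRUPTED. */
static int check_ibody_entries(const char *first, const char *end)
{
    const struct ext4_xattr_entry *e = (const struct ext4_xattr_entry *)first;
    const char *names_end, *value;
    uint32_t size;
    /* Pass 1: the entry chain, including its 4-byte terminator, must fit. */
    for (;; e = EXT4_XATTR_NEXT(e)) {
        if ((const char *)e + sizeof(uint32_t) > end) return -1;  /* terminator out of bounds */
        if (IS_LAST_ENTRY(e)) break;
        if ((const char *)EXT4_XATTR_NEXT(e) >= end) return -1;   /* entry sticks out of the area */
        for (unsigned i = 0; i < e->e_name_len; i++)
            if (e->e_name[i] == '\0') return -1;                  /* NUL inside a name */
    }
    names_end = (const char *)e + sizeof(uint32_t);
    /* Pass 2: in-inode values must not overlap the names or extend past end; the
     * padded size is checked too, since the rounding can overflow to 0. */
    for (e = (const struct ext4_xattr_entry *)first; !IS_LAST_ENTRY(e); e = EXT4_XATTR_NEXT(e)) {
        size = e->e_value_size;
        if (size == 0 || e->e_value_inum != 0) continue;          /* empty, or stored in an EA inode */
        if (e->e_value_offs > (size_t)(end - first)) return -1;
        value = first + e->e_value_offs;
        if (value < names_end || size > (size_t)(end - value) ||
            EXT4_XATTR_SIZE(size) > (size_t)(end - value)) return -1;
    }
    return 0;
}

/* Constructed in-inode area (not real on-disk data): magic, one "user.x" entry with its
 * 4-byte value at the end, zero terminator. corrupt=1 inflates the name length so that
 * EXT4_XATTR_NEXT() points past the area. */
static void build_ibody(char *area, int corrupt)
{
    struct ext4_xattr_entry *e = (struct ext4_xattr_entry *)(area + sizeof(uint32_t));
    uint32_t magic = EXT4_XATTR_MAGIC;
    memset(area, 0, IBODY_LEN);
    memcpy(area, &magic, sizeof magic);
    e->e_name_len   = corrupt ? 200 : 1;   /* 200 -> EXT4_XATTR_LEN() = 216, "next" entry at +220 */
    e->e_name_index = 1;                   /* EXT4_XATTR_INDEX_USER */
    e->e_value_offs = 56;                  /* first entry is at +4, so the value sits at +60 */
    e->e_value_size = 4;
    e->e_name[0]    = 'x';
    memcpy(area + 60, "abcd", 4);
}

/* Runs the unchecked walk, then the validator, over one constructed area; returns the verdict. */
int run_case(int corrupt)
{
    static _Alignas(uint32_t) char backing[BACKING_LEN];   /* entries must stay 4-byte aligned */
    const char *first = backing + sizeof(uint32_t), *end = backing + IBODY_LEN;
    memset(backing, 0x41, BACKING_LEN);       /* 'A's stand in for whatever follows the inode */
    build_ibody(backing, corrupt);
    last_released = naive_dec_ref_all(first, end, backing + BACKING_LEN, &last_overrun);
    return check_ibody_entries(first, end);
}
```

run_case(1) shows the pre-fix behaviour: the unchecked walk steps to an "entry" 156 bytes past the 64-byte area and would decrement the refcount of whatever inode number it finds there, which is the out-of-bounds read KASAN reported above; check_ibody_entries() rejects the same area at its first entry because the computed successor lies outside the area. The point of the fix is where that check runs: doing it once in ext4_iget_extra_inode() means every later consumer, ext4_xattr_delete_inode() included, only ever walks entries that have already been validated.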

Vulnerable products and versions

CPE                                             From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    4.13 (including)  6.14.2 (excluding)