CVE-2025-37741

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/05/2025
Last modified:
04/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

jfs: Prevent copying of nlink with value 0 from disk inode

syzbot reports a deadlock in diFree. [1]

When calling "ioctl$LOOP_SET_STATUS64", the offset value passed in is 4,
which does not match the mounted loop device, causing the mapping of the
mounted loop device to be invalidated.

When creating the directory and creating the inode of iag in diReadSpecial(),
read the page of fixed disk inode (AIT) in raw mode in read_metapage(), the
metapage data it returns is corrupted, which causes the nlink value of 0 to be
assigned to the iag inode when executing copy_from_dinode(), which ultimately
causes a deadlock when entering diFree().

To avoid this, first check the nlink value of dinode before setting iag inode.

[1]
WARNING: possible recursive locking detected
6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 Not tainted
--------------------------------------------
syz-executor301/5309 is trying to acquire lock:
ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889

but task is already holding lock:
ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630

other info that might help us debug this:
Possible unsafe locking scenario:

CPU0
----
lock(&(imap->im_aglock[index]));
lock(&(imap->im_aglock[index]));

*** DEADLOCK ***

May be due to missing lock nesting notation

5 locks held by syz-executor301/5309:
#0: ffff8880422a4420 (sb_writers#9){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 fs/namespace.c:515
#1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:850 [inline]
#1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: filename_create+0x260/0x540 fs/namei.c:4026
#2: ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630
#3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2460 [inline]
#3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
#3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocAG+0x4b7/0x1e50 fs/jfs/jfs_imap.c:1669
#4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2477 [inline]
#4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
#4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocAG+0x869/0x1e50 fs/jfs/jfs_imap.c:1669

stack backtrace:
CPU: 0 UID: 0 PID: 5309 Comm: syz-executor301 Not tainted 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:

__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_deadlock_bug+0x483/0x620 kernel/locking/lockdep.c:3037
check_deadlock kernel/locking/lockdep.c:3089 [inline]
validate_chain+0x15e2/0x5920 kernel/locking/lockdep.c:3891
__lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5202
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
__mutex_lock_common kernel/locking/mutex.c:608 [inline]
__mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889
jfs_evict_inode+0x32d/0x440 fs/jfs/inode.c:156
evict+0x4e8/0x9b0 fs/inode.c:725
diFreeSpecial fs/jfs/jfs_imap.c:552 [inline]
duplicateIXtree+0x3c6/0x550 fs/jfs/jfs_imap.c:3022
diNewIAG fs/jfs/jfs_imap.c:2597 [inline]
diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
diAllocAG+0x17dc/0x1e50 fs/jfs/jfs_imap.c:1669
diAlloc+0x1d2/0x1630 fs/jfs/jfs_imap.c:1590
ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56
jfs_mkdir+0x1c5/0xba0 fs/jfs/namei.c:225
vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257
do_mkdirat+0x264/0x3a0 fs/namei.c:4280
__do_sys_mkdirat fs/namei.c:4295 [inline]
__se_sys_mkdirat fs/namei.c:4293 [inline]
__x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293
do_syscall_x64 arch/x86/en
---truncated---
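A stand-alone C model of the check the commit describes, added here as an illustration and not the kernel's own code: the blind copy from the on-disk inode beside the checked version, both run against a constructed disk record whose nlink is 0 (the corrupted AIT page case). The struct layouts, the function names and the -EIO return value are simplifying assumptions, not the real fs/jfs definitions.

```c
#include <errno.h>
#include <stdint.h>

/* Hypothetical, simplified model of a JFS on-disk inode (dinode). Only the
 * fields needed for the nlink check are modelled; the real structure in
 * fs/jfs/jfs_dinode.h carries many more. */
struct dinode {
    uint32_t di_number;
    uint32_t di_nlink;   /* link count as stored on disk; 0 means "unlinked" */
};

/* Simplified in-memory inode. */
struct inode {
    uint32_t i_ino;
    uint32_t i_nlink;
};

/* Pre-fix behaviour (model): copy every field blindly. A corrupted metapage
 * with di_nlink == 0 produces a live inode that already looks unlinked, so
 * evicting it re-enters the free path (diFree) while the allocator still
 * holds im_aglock, which is the recursive lock lockdep reported above. */
static void copy_from_dinode_unchecked(const struct dinode *dip, struct inode *ip)
{
    ip->i_ino = dip->di_number;
    ip->i_nlink = dip->di_nlink;
}

/* Post-fix behaviour (model): refuse to build an inode from a disk record
 * that claims nlink == 0 and report it as corrupted metadata. Returning -EIO
 * is an assumption of this model, chosen to match common kernel practice. */
static int copy_from_dinode_checked(const struct dinode *dip, struct inode *ip)
{
    if (dip->di_nlink == 0)
        return -EIO;
    ip->i_ino = dip->di_number;
    ip->i_nlink = dip->di_nlink;
    return 0;
}

/* Constructed sample records: a corrupted one (nlink 0) and a sane one. */
static const struct dinode corrupted_dinode = { .di_number = 2, .di_nlink = 0 };
static const struct dinode sane_dinode      = { .di_number = 2, .di_nlink = 1 };
```

The checked variant stops the bad record at the copy boundary, so no inode with a zero link count is ever handed to the VFS eviction path.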

Vulnerable products and versions

CPE                                                From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*                          5.4.293 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.5 (including)    5.10.237 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.11 (including)   5.15.181 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.16 (including)   6.1.135 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.2 (including)    6.6.88 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.7 (including)    6.12.24 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.13 (including)   6.13.12 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.14 (including)   6.14.3 (excluding)
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*