CVE-2025-37925

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> jfs: reject on-disk inodes of an unsupported type<br /> <br /> Syzbot has reported the following BUG:<br /> <br /> kernel BUG at fs/inode.c:668!<br /> Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI<br /> CPU: 3 UID: 0 PID: 139 Comm: jfsCommit Not tainted 6.12.0-rc4-syzkaller-00085-g4e46774408d9 #0<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014<br /> RIP: 0010:clear_inode+0x168/0x190<br /> Code: 4c 89 f7 e8 ba fe e5 ff e9 61 ff ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 7c c1 4c 89 f7 e8 90 ff e5 ff eb b7<br /> 0b e8 01 5d 7f ff 90 0f 0b e8 f9 5c 7f ff 90 0f 0b e8 f1 5c 7f<br /> RSP: 0018:ffffc900027dfae8 EFLAGS: 00010093<br /> RAX: ffffffff82157a87 RBX: 0000000000000001 RCX: ffff888104d4b980<br /> RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000<br /> RBP: ffffc900027dfc90 R08: ffffffff82157977 R09: fffff520004fbf38<br /> R10: dffffc0000000000 R11: fffff520004fbf38 R12: dffffc0000000000<br /> R13: ffff88811315bc00 R14: ffff88811315bda8 R15: ffff88811315bb80<br /> FS: 0000000000000000(0000) GS:ffff888135f00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00005565222e0578 CR3: 0000000026ef0000 CR4: 00000000000006f0<br /> Call Trace:<br /> <br /> ? __die_body+0x5f/0xb0<br /> ? die+0x9e/0xc0<br /> ? do_trap+0x15a/0x3a0<br /> ? clear_inode+0x168/0x190<br /> ? do_error_trap+0x1dc/0x2c0<br /> ? clear_inode+0x168/0x190<br /> ? __pfx_do_error_trap+0x10/0x10<br /> ? report_bug+0x3cd/0x500<br /> ? handle_invalid_op+0x34/0x40<br /> ? clear_inode+0x168/0x190<br /> ? exc_invalid_op+0x38/0x50<br /> ? asm_exc_invalid_op+0x1a/0x20<br /> ? clear_inode+0x57/0x190<br /> ? clear_inode+0x167/0x190<br /> ? clear_inode+0x168/0x190<br /> ? clear_inode+0x167/0x190<br /> jfs_evict_inode+0xb5/0x440<br /> ? __pfx_jfs_evict_inode+0x10/0x10<br /> evict+0x4ea/0x9b0<br /> ? __pfx_evict+0x10/0x10<br /> ? iput+0x713/0xa50<br /> txUpdateMap+0x931/0xb10<br /> ? __pfx_txUpdateMap+0x10/0x10<br /> jfs_lazycommit+0x49a/0xb80<br /> ? _raw_spin_unlock_irqrestore+0x8f/0x140<br /> ? lockdep_hardirqs_on+0x99/0x150<br /> ? __pfx_jfs_lazycommit+0x10/0x10<br /> ? __pfx_default_wake_function+0x10/0x10<br /> ? __kthread_parkme+0x169/0x1d0<br /> ? __pfx_jfs_lazycommit+0x10/0x10<br /> kthread+0x2f2/0x390<br /> ? __pfx_jfs_lazycommit+0x10/0x10<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x4d/0x80<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> <br /> This happens when &amp;#39;clear_inode()&amp;#39; makes an attempt to finalize an underlying<br /> JFS inode of unknown type. According to JFS layout description from<br /> https://jfs.sourceforge.net/project/pub/jfslayout.pdf, inode types from 5 to<br /> 15 are reserved for future extensions and should not be encountered on a valid<br /> filesystem. So add an extra check for valid inode type in &amp;#39;copy_from_dinode()&amp;#39;.