CVE-2025-68240
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/12/2025
Last modified:
16/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

nilfs2: avoid having an active sc_timer before freeing sci

Because kthread_stop did not stop sc_task properly and returned -EINTR,
the sc_timer was not properly closed, ultimately causing the problem [1]
reported by syzbot when freeing sci due to the sc_timer not being closed.

Because the thread sc_task main function nilfs_segctor_thread() returns 0
when it succeeds, when the return value of kthread_stop() is not 0 in
nilfs_segctor_destroy(), we believe that it has not properly closed
sc_timer.

We use timer_shutdown_sync() to sync wait for sc_timer to shut down, and
set the value of sc_task to NULL under the protection of lock
sc_state_lock, so as to avoid the issue caused by sc_timer not being
properly shut down.

[1]
ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: nilfs_construction_timeout
Call trace:
nilfs_segctor_destroy fs/nilfs2/segment.c:2811 [inline]
nilfs_detach_log_writer+0x668/0x8cc fs/nilfs2/segment.c:2877
nilfs_put_super+0x4c/0x12c fs/nilfs2/super.c:509
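
Added example, not kernel code and not part of the original advisory: a single-threaded userspace C model of the teardown ordering the description outlines, showing why a nonzero kthread_stop() result has to trigger an explicit timer shutdown before the object is freed. All names (model_sci, model_kthread_stop, destroy_unchecked, destroy_checked) are hypothetical, and the model assumes the thread's own exit path is what normally shuts the timer down.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Userspace model only; every name here is hypothetical, not kernel code. */
struct model_sci {
    bool timer_active;  /* stands in for an armed sc_timer */
    bool thread_ran;    /* did the sc_task thread function ever start? */
    void *task;         /* stands in for sc_task */
};

/* Like kthread_stop(): the thread's return value, or -EINTR if it never ran. */
static int model_kthread_stop(struct model_sci *sci)
{
    if (!sci->thread_ran)
        return -EINTR;
    sci->timer_active = false;  /* assumed: the thread exit path shuts the timer down */
    return 0;
}

/* Like the ODEBUG check in [1]: freeing an object with an active timer is a bug. */
static bool model_free_is_safe(const struct model_sci *sci)
{
    return !sci->timer_active;
}

/* Teardown that ignores the stop result: the timer can still be armed at free. */
bool destroy_unchecked(struct model_sci *sci)
{
    if (sci->task)
        (void)model_kthread_stop(sci);
    return model_free_is_safe(sci);
}

/* Teardown as described: a nonzero result means the timer must be shut down here. */
bool destroy_checked(struct model_sci *sci)
{
    if (sci->task && model_kthread_stop(sci) != 0) {
        sci->task = NULL;          /* per the description, done under sc_state_lock */
        sci->timer_active = false; /* stands in for timer_shutdown_sync() */
    }
    return model_free_is_safe(sci);
}

int main(void)
{
    int t; struct model_sci a = { true, false, &t }, b = a;
    return (!destroy_unchecked(&a) && destroy_checked(&b)) ? 0 : 1;
}
```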



