CVE-2025-71237

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 18/02/2026
Last modified: 23/02/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: Fix potential block overflow that cause system hang

When a user executes the FITRIM command, an underflow can occur when calculating nblocks if end_block is too small. Since nblocks is of type sector_t, which is u64, a negative nblocks value will become a very large positive integer. This ultimately leads to the block layer function __blkdev_issue_discard() taking an excessively long time to process the bio chain, and the ns_segctor_sem lock remains held for a long period. This prevents other tasks from acquiring the ns_segctor_sem lock, resulting in the hang reported by syzbot in [1].

If the ending block is too small, typically if it is smaller than 4KiB range, depending on the usage of the segment 0, it may be possible to attempt a discard request beyond the device size causing the hang.

Exiting successfully and assign the discarded size (0 in this case) to range->len.

Although the start and len values in the user input range are too small, a conservative strategy is adopted here to safely ignore them, which is equivalent to a no-op; it will not perform any trimming and will not throw an error.

[1]
task:segctord state:D stack:28968 pid:6093 tgid:6093 ppid:2 task_flags:0x200040 flags:0x00080000
Call Trace:
rwbase_write_lock+0x3dd/0x750 kernel/locking/rwbase_rt.c:272
nilfs_transaction_lock+0x253/0x4c0 fs/nilfs2/segment.c:357
nilfs_segctor_thread_construct fs/nilfs2/segment.c:2569 [inline]
nilfs_segctor_thread+0x6ec/0xe00 fs/nilfs2/segment.c:2684

[ryusuke: corrected part of the commit message about the consequences]
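The wraparound described above, as an added user-space model that is not the nilfs2 source or the upstream patch: it places an unchecked `nblocks` calculation beside a guarded one that treats a too-small `end_block` as a successful no-op and reports 0 in the range length. The structures, the `first_data` boundary, the function names and the sample geometry are assumptions made for illustration; only `nblocks`, `end_block`, `sector_t` and the range length come from the description.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdio.h>
typedef uint64_t sector_t;                   /* u64, as the description states */
struct trim_range { uint64_t start, len; };  /* byte range passed with FITRIM */
/* Hypothetical geometry: blocks below first_data are assumed never discarded. */
struct fs_geom { unsigned bits; sector_t total, first_data; };

/* Convert the byte range to an inclusive block range, clamped to the device. */
static int to_blocks(const struct fs_geom *g, const struct trim_range *r,
                     sector_t *first, sector_t *end_block)
{
    sector_t len = r->len >> g->bits;
    sector_t start_block = (r->start >> g->bits) +      /* round up, no overflow */
                           ((r->start & ((1ULL << g->bits) - 1)) != 0);
    if (!len || start_block >= g->total)
        return -EINVAL;
    *end_block = (g->total - start_block < len) ? g->total - 1 : start_block + len - 1;
    *first = start_block < g->first_data ? g->first_data : start_block;
    return 0;
}

/* Unchecked: end_block - first + 1 wraps to a huge u64 when end_block < first. */
static sector_t nblocks_unchecked(const struct fs_geom *g, const struct trim_range *r)
{
    sector_t first, end_block;
    return to_blocks(g, r, &first, &end_block) ? 0 : end_block - first + 1;
}

/* Guarded: a range ending below the first eligible block is a successful no-op. */
static int nblocks_checked(const struct fs_geom *g, struct trim_range *r, sector_t *nblocks)
{
    sector_t first, end_block;
    int err = to_blocks(g, r, &first, &end_block);
    *nblocks = (err || end_block < first) ? 0 : end_block - first + 1;
    if (!err && !*nblocks)
        r->len = 0;                          /* report 0 bytes discarded */
    return err;
}

int main(void)
{
    struct fs_geom g = { 12, 1ULL << 20, 8 };  /* constructed: 4 KiB blocks */
    struct trim_range r = { 0, 4096 };         /* constructed: first block only */
    sector_t good, bad = nblocks_unchecked(&g, &r);
    int err = nblocks_checked(&g, &r, &good);
    printf("unchecked=%" PRIu64 " checked=%" PRIu64 " err=%d\n", bad, good, err);
    return 0;
}
```

Any later bound check on the wrapped value has to be written as `nblocks <= total - start`, because `start + nblocks` itself wraps and would pass a naive comparison against the device size.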

Impact