CVE-2025-21721

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/02/2025
Last modified:
13/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: handle errors that nilfs_prepare_chunk() may return

Patch series "nilfs2: fix issues with rename operations".

This series fixes BUG_ON check failures reported by syzbot around rename operations, and a minor behavioral issue where the mtime of a child directory changes when it is renamed instead of moved.

This patch (of 2):

The directory manipulation routines nilfs_set_link() and nilfs_delete_entry() rewrite the directory entry in the folio/page previously read by nilfs_find_entry(), so error handling is omitted on the assumption that nilfs_prepare_chunk(), which prepares the buffer for rewriting, will always succeed for these. And if an error is returned, it triggers the legacy BUG_ON() checks in each routine.

This assumption is wrong, as proven by syzbot: the buffer layer called by nilfs_prepare_chunk() may call nilfs_get_block() if necessary, which may fail due to metadata corruption or other reasons. This has been there all along, but improved sanity checks and error handling may have made it more reproducible in fuzzing tests.

Fix this issue by adding missing error paths in nilfs_set_link(), nilfs_delete_entry(), and their caller nilfs_rename().
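The pattern the description refers to, as an added user-space example that is not the nilfs2 source or the upstream patch: a prepare step that can fail, a "before" routine that treats failure as impossible, and an "after" routine plus caller that propagate the error. Every identifier (`dir_chunk`, `model_prepare_chunk`, `set_link_before`, `set_link_after`, `rename_after`, `bug_hits`) and the sample data are assumptions made for illustration.

```c
/* User-space model only, not kernel code; all names and data are hypothetical. */
#include <errno.h>
#include <stdio.h>

struct dir_chunk {
    int  block_mapped;  /* 0 models a block lookup failing on corrupt metadata */
    char name[16];      /* directory entry stored in this chunk */
};
static int bug_hits;    /* counts points where a BUG_ON() would have fired */

/* Prepare step: can fail even for a chunk that an earlier lookup already read. */
static int model_prepare_chunk(const struct dir_chunk *c)
{
    return c->block_mapped ? 0 : -EIO;
}

/* Before: failure is assumed impossible, so the routine has nothing to return. */
static void set_link_before(struct dir_chunk *c, const char *new_name)
{
    if (model_prepare_chunk(c)) {   /* stands in for BUG_ON(err) */
        bug_hits++;
        return;
    }
    snprintf(c->name, sizeof(c->name), "%s", new_name);
}

/* After: the error is returned and the entry is left untouched. */
static int set_link_after(struct dir_chunk *c, const char *new_name)
{
    int err = model_prepare_chunk(c);
    if (!err)
        snprintf(c->name, sizeof(c->name), "%s", new_name);
    return err;
}

/* Caller: stops at the first failing step instead of assuming success. */
static int rename_after(struct dir_chunk *dst, struct dir_chunk *src)
{
    int err = set_link_after(dst, src->name);
    return err ? err : set_link_after(src, "");  /* "" models clearing the old entry */
}

int main(void)
{
    struct dir_chunk bad = { 0, "old" }, src = { 1, "new" };  /* constructed input */
    set_link_before(&bad, "new");
    printf("bug_hits=%d rename=%d\n", bug_hits, rename_after(&bad, &src));
    return 0;
}
```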

Impact