CVE-2025-21722

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nilfs2: do not force clear folio if buffer is referenced<br /> <br /> Patch series "nilfs2: protect busy buffer heads from being force-cleared".<br /> <br /> This series fixes the buffer head state inconsistency issues reported by<br /> syzbot that occurs when the filesystem is corrupted and falls back to<br /> read-only, and the associated buffer head use-after-free issue.<br /> <br /> <br /> This patch (of 2):<br /> <br /> Syzbot has reported that after nilfs2 detects filesystem corruption and<br /> falls back to read-only, inconsistencies in the buffer state may occur.<br /> <br /> One of the inconsistencies is that when nilfs2 calls mark_buffer_dirty()<br /> to set a data or metadata buffer as dirty, but it detects that the buffer<br /> is not in the uptodate state:<br /> <br /> WARNING: CPU: 0 PID: 6049 at fs/buffer.c:1177 mark_buffer_dirty+0x2e5/0x520<br /> fs/buffer.c:1177<br /> ...<br /> Call Trace:<br /> <br /> nilfs_palloc_commit_alloc_entry+0x4b/0x160 fs/nilfs2/alloc.c:598<br /> nilfs_ifile_create_inode+0x1dd/0x3a0 fs/nilfs2/ifile.c:73<br /> nilfs_new_inode+0x254/0x830 fs/nilfs2/inode.c:344<br /> nilfs_mkdir+0x10d/0x340 fs/nilfs2/namei.c:218<br /> vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257<br /> do_mkdirat+0x264/0x3a0 fs/namei.c:4280<br /> __do_sys_mkdirat fs/namei.c:4295 [inline]<br /> __se_sys_mkdirat fs/namei.c:4293 [inline]<br /> __x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> The other is when nilfs_btree_propagate(), which propagates the dirty<br /> state to the ancestor nodes of a b-tree that point to a dirty buffer,<br /> detects that the origin buffer is not dirty, even though it should be:<br /> <br /> WARNING: CPU: 0 PID: 5245 at fs/nilfs2/btree.c:2089<br /> nilfs_btree_propagate+0xc79/0xdf0 fs/nilfs2/btree.c:2089<br /> ...<br /> Call Trace:<br /> <br /> nilfs_bmap_propagate+0x75/0x120 fs/nilfs2/bmap.c:345<br /> nilfs_collect_file_data+0x4d/0xd0 fs/nilfs2/segment.c:587<br /> nilfs_segctor_apply_buffers+0x184/0x340 fs/nilfs2/segment.c:1006<br /> nilfs_segctor_scan_file+0x28c/0xa50 fs/nilfs2/segment.c:1045<br /> nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1216 [inline]<br /> nilfs_segctor_collect fs/nilfs2/segment.c:1540 [inline]<br /> nilfs_segctor_do_construct+0x1c28/0x6b90 fs/nilfs2/segment.c:2115<br /> nilfs_segctor_construct+0x181/0x6b0 fs/nilfs2/segment.c:2479<br /> nilfs_segctor_thread_construct fs/nilfs2/segment.c:2587 [inline]<br /> nilfs_segctor_thread+0x69e/0xe80 fs/nilfs2/segment.c:2701<br /> kthread+0x2f0/0x390 kernel/kthread.c:389<br /> ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147<br /> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244<br /> <br /> <br /> Both of these issues are caused by the callbacks that handle the<br /> page/folio write requests, forcibly clear various states, including the<br /> working state of the buffers they hold, at unexpected times when they<br /> detect read-only fallback.<br /> <br /> Fix these issues by checking if the buffer is referenced before clearing<br /> the page/folio state, and skipping the clear if it is.