CVE-2025-37806

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/ntfs3: Keep write operations atomic<br /> <br /> syzbot reported a NULL pointer dereference in __generic_file_write_iter. [1]<br /> <br /> Before the write operation is completed, the user executes ioctl[2] to clear<br /> the compress flag of the file, which causes the is_compressed() judgment to<br /> return 0, further causing the program to enter the wrong process and call the<br /> wrong ops ntfs_aops_cmpr, which triggers the null pointer dereference of<br /> write_begin.<br /> <br /> Use inode lock to synchronize ioctl and write to avoid this case.<br /> <br /> [1]<br /> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000<br /> Mem abort info:<br /> ESR = 0x0000000086000006<br /> EC = 0x21: IABT (current EL), IL = 32 bits<br /> SET = 0, FnV = 0<br /> EA = 0, S1PTW = 0<br /> FSC = 0x06: level 2 translation fault<br /> user pgtable: 4k pages, 48-bit VAs, pgdp=000000011896d000<br /> [0000000000000000] pgd=0800000118b44403, p4d=0800000118b44403, pud=0800000117517403, pmd=0000000000000000<br /> Internal error: Oops: 0000000086000006 [#1] PREEMPT SMP<br /> Modules linked in:<br /> CPU: 0 UID: 0 PID: 6427 Comm: syz-executor347 Not tainted 6.13.0-rc3-syzkaller-g573067a5a685 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024<br /> pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : 0x0<br /> lr : generic_perform_write+0x29c/0x868 mm/filemap.c:4055<br /> sp : ffff80009d4978a0<br /> x29: ffff80009d4979c0 x28: dfff800000000000 x27: ffff80009d497bc8<br /> x26: 0000000000000000 x25: ffff80009d497960 x24: ffff80008ba71c68<br /> x23: 0000000000000000 x22: ffff0000c655dac0 x21: 0000000000001000<br /> x20: 000000000000000c x19: 1ffff00013a92f2c x18: ffff0000e183aa1c<br /> x17: 0004060000000014 x16: ffff800083275834 x15: 0000000000000001<br /> x14: 0000000000000000 x13: 0000000000000001 x12: ffff0000c655dac0<br /> x11: 0000000000ff0100 x10: 0000000000ff0100 x9 : 0000000000000000<br /> x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000<br /> x5 : ffff80009d497980 x4 : ffff80009d497960 x3 : 0000000000001000<br /> x2 : 0000000000000000 x1 : ffff0000e183a928 x0 : ffff0000d60b0fc0<br /> Call trace:<br /> 0x0 (P)<br /> __generic_file_write_iter+0xfc/0x204 mm/filemap.c:4156<br /> ntfs_file_write_iter+0x54c/0x630 fs/ntfs3/file.c:1267<br /> new_sync_write fs/read_write.c:586 [inline]<br /> vfs_write+0x920/0xcf4 fs/read_write.c:679<br /> ksys_write+0x15c/0x26c fs/read_write.c:731<br /> __do_sys_write fs/read_write.c:742 [inline]<br /> __se_sys_write fs/read_write.c:739 [inline]<br /> __arm64_sys_write+0x7c/0x90 fs/read_write.c:739<br /> __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]<br /> invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49<br /> el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132<br /> do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151<br /> el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744<br /> el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762<br /> <br /> [2]<br /> ioctl$FS_IOC_SETFLAGS(r0, 0x40086602, &amp;(0x7f00000000c0)=0x20)