CVE-2025-37999

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio()<br /> <br /> If bio_add_folio() fails (because it is full),<br /> erofs_fileio_scan_folio() needs to submit the I/O request via<br /> erofs_fileio_rq_submit() and allocate a new I/O request with an empty<br /> `struct bio`. Then it retries the bio_add_folio() call.<br /> <br /> However, at this point, erofs_onlinefolio_split() has already been<br /> called which increments `folio-&gt;private`; the retry will call<br /> erofs_onlinefolio_split() again, but there will never be a matching<br /> erofs_onlinefolio_end() call. This leaves the folio locked forever<br /> and all waiters will be stuck in folio_wait_bit_common().<br /> <br /> This bug has been added by commit ce63cb62d794 ("erofs: support<br /> unencoded inodes for fileio"), but was practically unreachable because<br /> there was room for 256 folios in the `struct bio` - until commit<br /> 9f74ae8c9ac9 ("erofs: shorten bvecs[] for file-backed mounts") which<br /> reduced the array capacity to 16 folios.<br /> <br /> It was now trivial to trigger the bug by manually invoking readahead<br /> from userspace, e.g.:<br /> <br /> posix_fadvise(fd, 0, st.st_size, POSIX_FADV_WILLNEED);<br /> <br /> This should be fixed by invoking erofs_onlinefolio_split() only after<br /> bio_add_folio() has succeeded. This is safe: asynchronous completions<br /> invoking erofs_onlinefolio_end() will not unlock the folio because<br /> erofs_fileio_scan_folio() is still holding a reference to be released<br /> by erofs_onlinefolio_end() at the end.