CVE-2025-38276

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
10/07/2025
Last modified:
10/07/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

fs/dax: Fix "don't skip locked entries when scanning entries"

Commit 6be3e21d25ca ("fs/dax: don't skip locked entries when scanning entries") introduced a new function, wait_entry_unlocked_exclusive(), which waits for the current entry to become unlocked without advancing the XArray iterator state.

Waiting for the entry to become unlocked requires dropping the XArray lock. This requires calling xas_pause() prior to dropping the lock, which leaves the xas in a suitable state for the next iteration. However, this has the side-effect of advancing the xas state to the next index. Normally this isn't an issue because xas_for_each() contains code to detect this state and thus avoid advancing the index a second time on the next loop iteration.

However, both callers of wait_entry_unlocked_exclusive() and the function itself subsequently use the xas state to reload the entry. As xas_pause() updated the state to the next index, this will cause the current entry which is being waited on to be skipped. This caused the following warning to fire intermittently when running xfstest generic/068 on an XFS filesystem with FS DAX enabled:

[ 35.067397] ------------[ cut here ]------------
[ 35.068229] WARNING: CPU: 21 PID: 1640 at mm/truncate.c:89 truncate_folio_batch_exceptionals+0xd8/0x1e0
[ 35.069717] Modules linked in: nd_pmem dax_pmem nd_btt nd_e820 libnvdimm
[ 35.071006] CPU: 21 UID: 0 PID: 1640 Comm: fstest Not tainted 6.15.0-rc7+ #77 PREEMPT(voluntary)
[ 35.072613] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/204
[ 35.074845] RIP: 0010:truncate_folio_batch_exceptionals+0xd8/0x1e0
[ 35.075962] Code: a1 00 00 00 f6 47 0d 20 0f 84 97 00 00 00 4c 63 e8 41 39 c4 7f 0b eb 61 49 83 c5 01 45 39 ec 7e 58 42 f68
[ 35.079522] RSP: 0018:ffffb04e426c7850 EFLAGS: 00010202
[ 35.080359] RAX: 0000000000000000 RBX: ffff9d21e3481908 RCX: ffffb04e426c77f4
[ 35.081477] RDX: ffffb04e426c79e8 RSI: ffffb04e426c79e0 RDI: ffff9d21e34816e8
[ 35.082590] RBP: ffffb04e426c79e0 R08: 0000000000000001 R09: 0000000000000003
[ 35.083733] R10: 0000000000000000 R11: 822b53c0f7a49868 R12: 000000000000001f
[ 35.084850] R13: 0000000000000000 R14: ffffb04e426c78e8 R15: fffffffffffffffe
[ 35.085953] FS: 00007f9134c87740(0000) GS:ffff9d22abba0000(0000) knlGS:0000000000000000
[ 35.087346] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 35.088244] CR2: 00007f9134c86000 CR3: 000000040afff000 CR4: 00000000000006f0
[ 35.089354] Call Trace:
[ 35.089749]
[ 35.090168] truncate_inode_pages_range+0xfc/0x4d0
[ 35.091078] truncate_pagecache+0x47/0x60
[ 35.091735] xfs_setattr_size+0xc7/0x3e0
[ 35.092648] xfs_vn_setattr+0x1ea/0x270
[ 35.093437] notify_change+0x1f4/0x510
[ 35.094219] ? do_truncate+0x97/0xe0
[ 35.094879] do_truncate+0x97/0xe0
[ 35.095640] path_openat+0xabd/0xca0
[ 35.096278] do_filp_open+0xd7/0x190
[ 35.096860] do_sys_openat2+0x8a/0xe0
[ 35.097459] __x64_sys_openat+0x6d/0xa0
[ 35.098076] do_syscall_64+0xbb/0x1d0
[ 35.098647] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 35.099444] RIP: 0033:0x7f9134d81fc1
[ 35.100033] Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d 2a 26 0e 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff5
[ 35.102993] RSP: 002b:00007ffcd41e0d10 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
[ 35.104263] RAX: ffffffffffffffda RBX: 0000000000000242 RCX: 00007f9134d81fc1
[ 35.105452] RDX: 0000000000000242 RSI: 00007ffcd41e1200 RDI: 00000000ffffff9c
[ 35.106663] RBP: 00007ffcd41e1200 R08: 0000000000000000 R09: 0000000000000064
[ 35.107923] R10: 00000000000001a4 R11: 0000000000000202 R12: 0000000000000066
[ 35.109112] R13: 0000000000100000 R14: 0000000000100000 R15: 0000000000000400
[ 35.110357]
[ 35.110769] irq event stamp: 8415587
[ 35.111486] hardirqs last enabled at (8415599): [] __up_console_se
---truncated---

Impact