CVE-2025-38691

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pNFS: Fix uninited ptr deref in block/scsi layout<br /> <br /> The error occurs on the third attempt to encode extents. When function<br /> ext_tree_prepare_commit() reallocates a larger buffer to retry encoding<br /> extents, the "layoutupdate_pages" page array is initialized only after the<br /> retry loop. But ext_tree_free_commitdata() is called on every iteration<br /> and tries to put pages in the array, thus dereferencing uninitialized<br /> pointers.<br /> <br /> An additional problem is that there is no limit on the maximum possible<br /> buffer_size. When there are too many extents, the client may create a<br /> layoutcommit that is larger than the maximum possible RPC size accepted<br /> by the server.<br /> <br /> During testing, we observed two typical scenarios. First, one memory page<br /> for extents is enough when we work with small files, append data to the<br /> end of the file, or preallocate extents before writing. But when we fill<br /> a new large file without preallocating, the number of extents can be huge,<br /> and counting the number of written extents in ext_tree_encode_commit()<br /> does not help much. Since this number increases even more between<br /> unlocking and locking of ext_tree, the reallocated buffer may not be<br /> large enough again and again.