CVE-2025-37999 Information

Description

In the Linux kernel the following vulnerability has been resolved:

fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio()

If bio_add_folio() fails (because it is full) erofs_fileio_scan_folio() needs to submit the I/O request via erofs_fileio_rq_submit() and allocate a new I/O request with an empty struct bio. Then it retries the bio_add_folio() call.

However at this point erofs_onlinefolio_split() has already been called which increments folio->private; the retry will call erofs_onlinefolio_split() again but there will never be a matching erofs_onlinefolio_end() call. This leaves the folio locked forever and all waiters will be stuck in folio_wait_bit_common().

This bug has been added by commit ce63cb62d794 (rofs: support unencoded inodes for fileio) but was practically unreachable because there was room for 256 folios in the struct bio - until commit 9f74ae8c9ac9 (rofs: shorten bvecs[] for file-backed mounts) which reduced the array capacity to 16 folios.

It was now trivial to trigger the bug by manually invoking readahead from userspace e.g.:

posix_fadvise(fd 0 st.st_size POSIX_FADV_WILLNEED);

This should be fixed by invoking erofs_onlinefolio_split() only after bio_add_folio() has succeeded. This is safe: asynchronous completions invoking erofs_onlinefolio_end() will not unlock the folio because erofs_fileio_scan_folio() is still holding a reference to be released by erofs_onlinefolio_end() at the end.

Reference

https://git.kernel.org/stable/c/61e0fc3312309867e5a3495329dad0286d2a5703 https://git.kernel.org/stable/c/bbfe756dc3062c1e934f06e5ba39c239aa953b92 https://git.kernel.org/stable/c/c26076197df348c84cc23e5962d61902e072a0f5