{"id":63913,"date":"2025-05-29T19:32:45","date_gmt":"2025-05-29T16:02:45","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2025-37999-erofs-linux-kernel-file-system-lockup-vulnerability\/"},"modified":"2025-05-29T19:32:45","modified_gmt":"2025-05-29T16:02:45","slug":"cve-2025-37999-erofs-linux-kernel-file-system-lockup-vulnerability","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2025-37999-erofs-linux-kernel-file-system-lockup-vulnerability\/","title":{"rendered":"CVE-2025-37999 &#8211; &#8220;Erofs Linux Kernel File System Lockup Vulnerability&#8221;"},"content":{"rendered":"<p><strong>CVE ID : <\/strong>CVE-2025-37999<br \/>\n<br \/>\n<strong>Published : <\/strong> May 29, 2025, 2:15 p.m.<br \/>\n<br \/>\n<strong>Description : <\/strong>In the Linux kernel, the following vulnerability has been resolved:<\/p>\n<p>fs\/erofs\/fileio: call erofs_onlinefolio_split() after bio_add_folio()<\/p>\n<p>If bio_add_folio() fails (because it is full),<br \/>\nerofs_fileio_scan_folio() needs to submit the I\/O request via<br \/>\nerofs_fileio_rq_submit() and allocate a new I\/O request with an empty<br \/>\n`struct bio`.  Then it retries the bio_add_folio() call.<\/p>\n<p>However, at this point, erofs_onlinefolio_split() has already been<br \/>\ncalled which increments `folio-&gt;private`; the retry will call<br \/>\nerofs_onlinefolio_split() again, but there will never be a matching<br \/>\nerofs_onlinefolio_end() call.  
This leaves the folio locked forever<br \/>\nand all waiters will be stuck in folio_wait_bit_common().<\/p>\n<p>This bug has been added by commit ce63cb62d794 (&#8220;erofs: support<br \/>\nunencoded inodes for fileio&#8221;), but was practically unreachable because<br \/>\nthere was room for 256 folios in the `struct bio` &#8211; until commit<br \/>\n9f74ae8c9ac9 (&#8220;erofs: shorten bvecs[] for file-backed mounts&#8221;) which<br \/>\nreduced the array capacity to 16 folios.<\/p>\n<p>It was now trivial to trigger the bug by manually invoking readahead<br \/>\nfrom userspace, e.g.:<\/p>\n<p> posix_fadvise(fd, 0, st.st_size, POSIX_FADV_WILLNEED);<\/p>\n<p>This should be fixed by invoking erofs_onlinefolio_split() only after<br \/>\nbio_add_folio() has succeeded.  This is safe: asynchronous completions<br \/>\ninvoking erofs_onlinefolio_end() will not unlock the folio because<br \/>\nerofs_fileio_scan_folio() is still holding a reference to be released<br \/>\nby erofs_onlinefolio_end() at the end.<br \/>\n<br \/>\n<strong>Severity:<\/strong> 0.0 | NA<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID : CVE-2025-37999 Published : May 29, 2025, 2:15 p.m. 
Description : In the Linux kernel, the following vulnerability has been resolved: fs\/erofs\/fileio: call erofs_onlinefolio_split() after bio_add_folio() If bio_add_folio() fails (because it is full), erofs_fileio_scan_folio() needs to submit the I\/O request via erofs_fileio_rq_submit() and allocate a new I\/O request with &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-63913","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/63913","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=63913"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/63913\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=63913"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=63913"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=63913"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}