CVE-2025-21643

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-21643
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21643.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-21643
Downstream
Related
Published
2025-01-19T10:17:59Z
Modified
2025-10-17T21:16:01.900816Z
Summary
netfs: Fix kernel async DIO
Details

In the Linux kernel, the following vulnerability has been resolved:

netfs: Fix kernel async DIO

Netfslib needs to be able to handle kernel-initiated asynchronous DIO that is supplied with a biovec[] array. Currently, because of the async flag, this gets passed to netfsextractuseriter() which throws a warning and fails because it only handles IOVEC and UBUF iterators. This can be triggered through a combination of cifs and a loopback blockdev with something like:

    mount //my/cifs/share /foo
    dd if=/dev/zero of=/foo/m0 bs=4K count=1K
    losetup --sector-size 4096 --direct-io=on /dev/loop2046 /foo/m0
    echo hello >/dev/loop2046

This causes the following to appear in syslog:

    WARNING: CPU: 2 PID: 109 at fs/netfs/iterator.c:50 netfs_extract_user_iter+0x170/0x250 [netfs]

and the write to fail.

Fix this by removing the check in netfsunbufferedwriteiterlocked() that causes async kernel DIO writes to be handled as userspace writes. Note that this change relies on the kernel caller maintaining the existence of the biovec array (or kvec[] or folioqueue) until the op is complete.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
153a9961b551101cd38e94e26cd92fbfd198b19b
Fixed
9f3a265836844eda30bf34c2584b8011fd4f0f49
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
153a9961b551101cd38e94e26cd92fbfd198b19b
Fixed
3f6bc9e3ab9b127171d39f9ac6eca1abb693b731

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.2
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.8.0
Fixed
6.12.10