CVE-2025-22002

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-22002
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22002.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-22002
Downstream
Published
2025-04-03T07:19:04.875Z
Modified
2025-11-14T23:48:38.488048Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
netfs: Call `invalidate_cache` only if implemented
Details

In the Linux kernel, the following vulnerability has been resolved:

netfs: Call invalidate_cache only if implemented

Many filesystems such as NFS and Ceph do not implement the invalidate_cache method. On those filesystems, if writing to the cache (NETFS_WRITE_TO_CACHE) fails for some reason, the kernel crashes like this:

BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor instruction fetch in kernel mode #PF: errorcode(0x0010) - not-present page PGD 0 P4D 0 Oops: Oops: 0010 [#1] SMP PTI CPU: 9 UID: 0 PID: 3380 Comm: kworker/u193:11 Not tainted 6.13.3-cm4all1-hp #437 Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 10/17/2018 Workqueue: eventsunbound netfswritecollectionworker RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffff9b86e2ca7dc0 EFLAGS: 00010202 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 7fffffffffffffff RDX: 0000000000000001 RSI: ffff89259d576a18 RDI: ffff89259d576900 RBP: ffff89259d5769b0 R08: ffff9b86e2ca7d28 R09: 0000000000000002 R10: ffff89258ceaca80 R11: 0000000000000001 R12: 0000000000000020 R13: ffff893d158b9338 R14: ffff89259d576900 R15: ffff89259d5769b0 FS: 0000000000000000(0000) GS:ffff893c9fa40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 000000054442e003 CR4: 00000000001706f0 Call Trace: <TASK> ? _die+0x1f/0x60 ? pagefaultoops+0x15c/0x460 ? trytowakeup+0x2d2/0x530 ? excpagefault+0x5e/0x100 ? asmexcpagefault+0x22/0x30 netfswritecollectionworker+0xe9f/0x12b0 ? xspollcheckreadable+0x3f/0x80 ? xsstreamdatareceiveworkfn+0x8d/0x110 processonework+0x134/0x2d0 workerthread+0x299/0x3a0 ? _pfxworkerthread+0x10/0x10 kthread+0xba/0xe0 ? _pfxkthread+0x10/0x10 retfromfork+0x30/0x50 ? _pfxkthread+0x10/0x10 retfromfork_asm+0x1a/0x30 </TASK> Modules linked in: CR2: 0000000000000000

This patch adds the missing NULL check.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0e0f2dfe880fb19e4b15a7ca468623eb0b4ba586
Fixed
0def1a40c3e76a468f8f66aa572caed44ec37277
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0e0f2dfe880fb19e4b15a7ca468623eb0b4ba586
Fixed
c2d5d14a7bcbb045d0cd0095cefe95f2a4b91159
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0e0f2dfe880fb19e4b15a7ca468623eb0b4ba586
Fixed
344b7ef248f420ed4ba3a3539cb0a0fc18df9a6c

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.13.1
v6.13.2
v6.13.3
v6.13.4
v6.13.5
v6.13.6
v6.13.7
v6.13.8
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures

[
    {
        "digest": {
            "function_hash": "115306432762890404643323271335466821323",
            "length": 1905.0
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-22002-1527e31d",
        "target": {
            "file": "fs/netfs/write_collect.c",
            "function": "netfs_write_collection_worker"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@344b7ef248f420ed4ba3a3539cb0a0fc18df9a6c",
        "signature_type": "Function"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "253190829739632914664865289836521131834",
                "233548909284131472544954919250929679408",
                "277492700711973610917846258234791585369",
                "337216038527819590157744702742209505891"
            ]
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-22002-449c3c58",
        "target": {
            "file": "fs/netfs/write_collect.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0def1a40c3e76a468f8f66aa572caed44ec37277",
        "signature_type": "Line"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "253190829739632914664865289836521131834",
                "233548909284131472544954919250929679408",
                "277492700711973610917846258234791585369",
                "337216038527819590157744702742209505891"
            ]
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-22002-46de6582",
        "target": {
            "file": "fs/netfs/write_collect.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@344b7ef248f420ed4ba3a3539cb0a0fc18df9a6c",
        "signature_type": "Line"
    },
    {
        "digest": {
            "function_hash": "115306432762890404643323271335466821323",
            "length": 1905.0
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-22002-58d5c0c9",
        "target": {
            "file": "fs/netfs/write_collect.c",
            "function": "netfs_write_collection_worker"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0def1a40c3e76a468f8f66aa572caed44ec37277",
        "signature_type": "Function"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "253190829739632914664865289836521131834",
                "233548909284131472544954919250929679408",
                "277492700711973610917846258234791585369",
                "337216038527819590157744702742209505891"
            ]
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-22002-5baf966f",
        "target": {
            "file": "fs/netfs/write_collect.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c2d5d14a7bcbb045d0cd0095cefe95f2a4b91159",
        "signature_type": "Line"
    },
    {
        "digest": {
            "function_hash": "115306432762890404643323271335466821323",
            "length": 1905.0
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-22002-6866c9e3",
        "target": {
            "file": "fs/netfs/write_collect.c",
            "function": "netfs_write_collection_worker"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c2d5d14a7bcbb045d0cd0095cefe95f2a4b91159",
        "signature_type": "Function"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.8.0
Fixed
6.12.21
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.13.9