CVE-2025-22036

In the Linux kernel, the following vulnerability has been resolved:

exfat: fix random stack corruption after get_block

When getblock is called with a bufferhead allocated on the stack, such as dompagereadpage, stack corruption due to buffer_head UAF may occur in the following race condition situation.

 <CPU 0>                      <CPU 1>

mpagereadfolio <<bh on stack>> dompagereadpage exfatgetblock bh_read __bhread getbh(bh) submitbh waitonbuffer ... endbufferreadsync __endbufferreadnotouch unlockbuffer <<keep going>> ... ... ... ... <<bh is not valid out of mpagereadfolio>> . . anotherfunction <<variable A on stack>> putbh(bh) atomicdec(bh->bcount) * stack corruption here *

This patch returns -EAGAIN if a folio does not have buffers when bhread needs to be called. By doing this, the caller can fallback to functions like blockreadfullfolio(), create a bufferhead in the folio, and then call getblock again.

Let's do not call bhread() with on-stack bufferhead.