CVE-2025-37925

In the Linux kernel, the following vulnerability has been resolved:

jfs: reject on-disk inodes of an unsupported type

Syzbot has reported the following BUG:

kernel BUG at fs/inode.c:668! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 3 UID: 0 PID: 139 Comm: jfsCommit Not tainted 6.12.0-rc4-syzkaller-00085-g4e46774408d9 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 RIP: 0010:clear_inode+0x168/0x190 Code: 4c 89 f7 e8 ba fe e5 ff e9 61 ff ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 7c c1 4c 89 f7 e8 90 ff e5 ff eb b7 0b e8 01 5d 7f ff 90 0f 0b e8 f9 5c 7f ff 90 0f 0b e8 f1 5c 7f RSP: 0018:ffffc900027dfae8 EFLAGS: 00010093 RAX: ffffffff82157a87 RBX: 0000000000000001 RCX: ffff888104d4b980 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffffc900027dfc90 R08: ffffffff82157977 R09: fffff520004fbf38 R10: dffffc0000000000 R11: fffff520004fbf38 R12: dffffc0000000000 R13: ffff88811315bc00 R14: ffff88811315bda8 R15: ffff88811315bb80 FS: 0000000000000000(0000) GS:ffff888135f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005565222e0578 CR3: 0000000026ef0000 CR4: 00000000000006f0 Call Trace: <TASK> ? __diebody+0x5f/0xb0 ? die+0x9e/0xc0 ? dotrap+0x15a/0x3a0 ? clearinode+0x168/0x190 ? doerrortrap+0x1dc/0x2c0 ? clearinode+0x168/0x190 ? __pfxdoerrortrap+0x10/0x10 ? reportbug+0x3cd/0x500 ? handleinvalidop+0x34/0x40 ? clearinode+0x168/0x190 ? excinvalidop+0x38/0x50 ? asmexcinvalidop+0x1a/0x20 ? clearinode+0x57/0x190 ? clearinode+0x167/0x190 ? clearinode+0x168/0x190 ? clearinode+0x167/0x190 jfsevictinode+0xb5/0x440 ? __pfxjfsevict_inode+0x10/0x10 evict+0x4ea/0x9b0 ? __pfx_evict+0x10/0x10 ? iput+0x713/0xa50 txUpdateMap+0x931/0xb10 ? __pfxtxUpdateMap+0x10/0x10 jfslazycommit+0x49a/0xb80 ? rawspinunlockirqrestore+0x8f/0x140 ? lockdephardirqson+0x99/0x150 ? __pfxjfslazycommit+0x10/0x10 ? __pfxdefaultwake_function+0x10/0x10 ? __kthread_parkme+0x169/0x1d0 ? __pfxjfslazycommit+0x10/0x10 kthread+0x2f2/0x390 ? __pfxjfslazycommit+0x10/0x10 ? __pfxkthread+0x10/0x10 retfrom_fork+0x4d/0x80 ? __pfxkthread+0x10/0x10 retfromforkasm+0x1a/0x30 </TASK>

This happens when 'clearinode()' makes an attempt to finalize an underlying JFS inode of unknown type. According to JFS layout description from https://jfs.sourceforge.net/project/pub/jfslayout.pdf, inode types from 5 to 15 are reserved for future extensions and should not be encountered on a valid filesystem. So add an extra check for valid inode type in 'copyfrom_dinode()'.