CVE-2025-38220

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-38220

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38220.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-38220

Downstream

BELL-CVE-2025-38220

UBUNTU-CVE-2025-38220

Published

2025-07-04T14:15:30Z

Modified

2025-07-10T17:08:24.888713Z

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

ext4: only dirty folios when data journaling regular files

fstest generic/388 occasionally reproduces a crash that looks as follows:

BUG: kernel NULL pointer dereference, address: 0000000000000000 ... Call Trace: <TASK> ext4blockzeropagerange+0x30c/0x380 [ext4] ext4truncate+0x436/0x440 [ext4] ext4processorphan+0x5d/0x110 [ext4] ext4orphancleanup+0x124/0x4f0 [ext4] ext4fillsuper+0x262d/0x3110 [ext4] gettreebdevflags+0x132/0x1d0 vfsgettree+0x26/0xd0 vfscmdcreate+0x59/0xe0 _dosysfsconfig+0x4ed/0x6b0 dosyscall_64+0x82/0x170 ...

This occurs when processing a symlink inode from the orphan list. The partial block zeroing code in the truncate path calls ext4dirtyjournalleddata() -> foliomarkdirty(). The latter calls mapping->aops->dirtyfolio(), but symlink inodes are not assigned an aops vector in ext4, hence the crash.

To avoid this problem, update the ext4dirtyjournalleddata() helper to only mark the folio dirty on regular files (for which aops is assigned). This also matches the journaling logic in the ext4symlink() creation path, where ext4handledirtymetadata() is called directly.

References

Affected packages

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.12.35-1

Affected versions

6.*

6.1.27-1

6.1.37-1

6.1.38-1

6.1.38-2~bpo11+1

6.1.38-2

6.1.38-3

6.1.38-4~bpo11+1

6.1.38-4

6.1.52-1

6.1.55-1~bpo11+1

6.1.55-1

6.1.64-1

6.1.66-1

6.1.67-1

6.1.69-1~bpo11+1

6.1.69-1

6.1.76-1~bpo11+1

6.1.76-1

6.1.82-1

6.1.85-1

6.1.90-1~bpo11+1

6.1.90-1

6.1.94-1~bpo11+1

6.1.94-1

6.1.98-1

6.1.99-1

6.1.106-1

6.1.106-2

6.1.106-3

6.1.112-1

6.1.115-1

6.1.119-1

6.1.123-1

6.1.124-1

6.1.128-1

6.1.129-1

6.1.133-1

6.1.135-1

6.1.137-1

6.1.139-1

6.1.140-1

6.3.1-1~exp1

6.3.2-1~exp1

6.3.4-1~exp1

6.3.5-1~exp1

6.3.7-1~bpo12+1

6.3.7-1

6.3.11-1

6.4~rc6-1~exp1

6.4~rc7-1~exp1

6.4.1-1~exp1

6.4.4-1~bpo12+1

6.4.4-1

6.4.4-2

6.4.4-3~bpo12+1

6.4.4-3

6.4.11-1

6.4.13-1

6.5~rc4-1~exp1

6.5~rc6-1~exp1

6.5~rc7-1~exp1

6.5.1-1~exp1

6.5.3-1~bpo12+1

6.5.3-1

6.5.6-1

6.5.8-1

6.5.10-1~bpo12+1

6.5.10-1

6.5.13-1

6.6.3-1~exp1

6.6.4-1~exp1

6.6.7-1~exp1

6.6.8-1

6.6.9-1

6.6.11-1

6.6.13-1~bpo12+1

6.6.13-1

6.6.15-1

6.6.15-2

6.7-1~exp1

6.7.1-1~exp1

6.7.4-1~exp1

6.7.7-1

6.7.9-1

6.7.9-2

6.7.12-1~bpo12+1

6.7.12-1

6.8.9-1

6.8.11-1

6.8.12-1~bpo12+1

6.8.12-1

6.9.2-1~exp1

6.9.7-1~bpo12+1

6.9.7-1

6.9.8-1

6.9.9-1

6.9.10-1~bpo12+1

6.9.10-1

6.9.11-1

6.9.12-1

6.10-1~exp1

6.10.1-1~exp1

6.10.3-1

6.10.4-1

6.10.6-1~bpo12+1

6.10.6-1

6.10.7-1

6.10.9-1

6.10.11-1~bpo12+1

6.10.11-1

6.10.12-1

6.11~rc4-1~exp1

6.11~rc5-1~exp1

6.11-1~exp1

6.11.2-1

6.11.4-1

6.11.5-1~bpo12+1

6.11.5-1

6.11.6-1

6.11.7-1

6.11.9-1

6.11.10-1~bpo12+1

6.11.10-1

6.12~rc6-1~exp1

6.12.3-1

6.12.5-1

6.12.6-1

6.12.8-1

6.12.9-1~bpo12+1

6.12.9-1

6.12.9-1+alpha

6.12.10-1

6.12.11-1

6.12.11-1+alpha

6.12.11-1+alpha.1

6.12.12-1~bpo12+1

6.12.12-1

6.12.13-1

6.12.15-1

6.12.16-1

6.12.17-1

6.12.19-1

6.12.20-1

6.12.21-1

6.12.22-1~bpo12+1

6.12.22-1

6.12.25-1

6.12.27-1~bpo12+1

6.12.27-1

6.12.29-1

6.12.30-1~bpo12+1

6.12.30-1

6.12.31-1

6.12.32-1~bpo12+1

6.12.32-1

6.12.33-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}