In the Linux kernel, the following vulnerability has been resolved:
jbd2: fix data-race and null-ptr-deref in jbd2journaldirty_metadata()
Since handle->htransaction may be a NULL pointer, so we should change it to call ishandle_aborted(handle) first before dereferencing it.
And the following data-race was reported in my fuzzer:
================================================================== BUG: KCSAN: data-race in jbd2journaldirtymetadata / jbd2journaldirtymetadata
write to 0xffff888011024104 of 4 bytes by task 10881 on cpu 1: jbd2journaldirtymetadata+0x2a5/0x770 fs/jbd2/transaction.c:1556 _ext4handledirtymetadata+0xe7/0x4b0 fs/ext4/ext4jbd2.c:358 ext4doupdateinode fs/ext4/inode.c:5220 [inline] ext4markilocdirty+0x32c/0xd50 fs/ext4/inode.c:5869 _ext4markinodedirty+0xe1/0x450 fs/ext4/inode.c:6074 ext4dirtyinode+0x98/0xc0 fs/ext4/inode.c:6103 ....
read to 0xffff888011024104 of 4 bytes by task 10880 on cpu 0: jbd2journaldirtymetadata+0xf2/0x770 fs/jbd2/transaction.c:1512 _ext4handledirtymetadata+0xe7/0x4b0 fs/ext4/ext4jbd2.c:358 ext4doupdateinode fs/ext4/inode.c:5220 [inline] ext4markilocdirty+0x32c/0xd50 fs/ext4/inode.c:5869 _ext4markinodedirty+0xe1/0x450 fs/ext4/inode.c:6074 ext4dirtyinode+0x98/0xc0 fs/ext4/inode.c:6103 ....
This issue is caused by missing data-race annotation for jh->b_modified. Therefore, the missing annotation needs to be added.
[
{
"digest": {
"line_hashes": [
"231224694226331733280331075266354153279",
"256495132197657548380248529060046877960",
"9761181448363055865219548000199811890",
"149445041383658714860957466072618638574",
"199484902928894406787912892483757611274",
"324451981095990616871000588639307991479",
"76103660558282633717425645488518415796",
"280525561445359126537028928974545447919",
"301677903097073176734471963413332728769",
"66668950306002547579367214251619748626",
"107478032996867919318295317397267155904"
],
"threshold": 0.9
},
"id": "CVE-2025-38337-030badf2",
"target": {
"file": "fs/jbd2/transaction.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@43d5e3bb5f1dcd91e30238ea0b59a5f77063f84e",
"signature_type": "Line"
},
{
"digest": {
"function_hash": "11476434480569757163641445182684280938",
"length": 3092.0
},
"id": "CVE-2025-38337-0a085fe6",
"target": {
"function": "jbd2_journal_dirty_metadata",
"file": "fs/jbd2/transaction.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ec669e5bf409f16e464bfad75f0ba039a45de29a",
"signature_type": "Function"
},
{
"digest": {
"function_hash": "11476434480569757163641445182684280938",
"length": 3092.0
},
"id": "CVE-2025-38337-0cc426ba",
"target": {
"function": "jbd2_journal_dirty_metadata",
"file": "fs/jbd2/transaction.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@43d5e3bb5f1dcd91e30238ea0b59a5f77063f84e",
"signature_type": "Function"
},
{
"digest": {
"function_hash": "11476434480569757163641445182684280938",
"length": 3092.0
},
"id": "CVE-2025-38337-26521598",
"target": {
"function": "jbd2_journal_dirty_metadata",
"file": "fs/jbd2/transaction.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a377996d714afb8d4d5f4906336f78510039da29",
"signature_type": "Function"
},
{
"digest": {
"line_hashes": [
"231224694226331733280331075266354153279",
"256495132197657548380248529060046877960",
"9761181448363055865219548000199811890",
"149445041383658714860957466072618638574",
"199484902928894406787912892483757611274",
"324451981095990616871000588639307991479",
"76103660558282633717425645488518415796",
"280525561445359126537028928974545447919",
"301677903097073176734471963413332728769",
"66668950306002547579367214251619748626",
"107478032996867919318295317397267155904"
],
"threshold": 0.9
},
"id": "CVE-2025-38337-2a7a6068",
"target": {
"file": "fs/jbd2/transaction.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ec669e5bf409f16e464bfad75f0ba039a45de29a",
"signature_type": "Line"
},
{
"digest": {
"function_hash": "289199807912902060251506908694682905585",
"length": 2965.0
},
"id": "CVE-2025-38337-43323a88",
"target": {
"function": "jbd2_journal_dirty_metadata",
"file": "fs/jbd2/transaction.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5c1a34ff5b0bfdfd2f9343aa9b08d25df618bac5",
"signature_type": "Function"
},
{
"digest": {
"function_hash": "11476434480569757163641445182684280938",
"length": 3092.0
},
"id": "CVE-2025-38337-6d563b09",
"target": {
"function": "jbd2_journal_dirty_metadata",
"file": "fs/jbd2/transaction.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f78b38af3540b4875147b7b884ee11a27b3dbf4c",
"signature_type": "Function"
},
{
"digest": {
"line_hashes": [
"199484902928894406787912892483757611274",
"291648640610320562457972279686445664746",
"167272599809082359079101764985652303798",
"59655621511626091589908680461428612239",
"301677903097073176734471963413332728769",
"128771334248913159131461115093858261398",
"239200019572480371861416254484752906198"
],
"threshold": 0.9
},
"id": "CVE-2025-38337-81ba5422",
"target": {
"file": "fs/jbd2/transaction.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5c1a34ff5b0bfdfd2f9343aa9b08d25df618bac5",
"signature_type": "Line"
},
{
"digest": {
"line_hashes": [
"231224694226331733280331075266354153279",
"256495132197657548380248529060046877960",
"9761181448363055865219548000199811890",
"149445041383658714860957466072618638574",
"199484902928894406787912892483757611274",
"324451981095990616871000588639307991479",
"76103660558282633717425645488518415796",
"280525561445359126537028928974545447919",
"301677903097073176734471963413332728769",
"66668950306002547579367214251619748626",
"107478032996867919318295317397267155904"
],
"threshold": 0.9
},
"id": "CVE-2025-38337-8b58f81a",
"target": {
"file": "fs/jbd2/transaction.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@23361b479f2700c00960d3ae9cdc8ededa762d47",
"signature_type": "Line"
},
{
"digest": {
"function_hash": "11476434480569757163641445182684280938",
"length": 3092.0
},
"id": "CVE-2025-38337-9c48dbae",
"target": {
"function": "jbd2_journal_dirty_metadata",
"file": "fs/jbd2/transaction.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2e7c64d7a92c031d016f11c8e8cb05131ab7b75a",
"signature_type": "Function"
},
{
"digest": {
"line_hashes": [
"231224694226331733280331075266354153279",
"256495132197657548380248529060046877960",
"9761181448363055865219548000199811890",
"149445041383658714860957466072618638574",
"199484902928894406787912892483757611274",
"324451981095990616871000588639307991479",
"76103660558282633717425645488518415796",
"280525561445359126537028928974545447919",
"301677903097073176734471963413332728769",
"66668950306002547579367214251619748626",
"107478032996867919318295317397267155904"
],
"threshold": 0.9
},
"id": "CVE-2025-38337-bc8f2bd7",
"target": {
"file": "fs/jbd2/transaction.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f78b38af3540b4875147b7b884ee11a27b3dbf4c",
"signature_type": "Line"
},
{
"digest": {
"line_hashes": [
"231224694226331733280331075266354153279",
"256495132197657548380248529060046877960",
"9761181448363055865219548000199811890",
"149445041383658714860957466072618638574",
"199484902928894406787912892483757611274",
"324451981095990616871000588639307991479",
"76103660558282633717425645488518415796",
"280525561445359126537028928974545447919",
"301677903097073176734471963413332728769",
"66668950306002547579367214251619748626",
"107478032996867919318295317397267155904"
],
"threshold": 0.9
},
"id": "CVE-2025-38337-be2e4be7",
"target": {
"file": "fs/jbd2/transaction.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2e7c64d7a92c031d016f11c8e8cb05131ab7b75a",
"signature_type": "Line"
},
{
"digest": {
"line_hashes": [
"231224694226331733280331075266354153279",
"256495132197657548380248529060046877960",
"9761181448363055865219548000199811890",
"149445041383658714860957466072618638574",
"199484902928894406787912892483757611274",
"324451981095990616871000588639307991479",
"76103660558282633717425645488518415796",
"280525561445359126537028928974545447919",
"301677903097073176734471963413332728769",
"66668950306002547579367214251619748626",
"107478032996867919318295317397267155904"
],
"threshold": 0.9
},
"id": "CVE-2025-38337-cb1682c4",
"target": {
"file": "fs/jbd2/transaction.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@af98b0157adf6504fade79b3e6cb260c4ff68e37",
"signature_type": "Line"
},
{
"digest": {
"function_hash": "11476434480569757163641445182684280938",
"length": 3092.0
},
"id": "CVE-2025-38337-cf079997",
"target": {
"function": "jbd2_journal_dirty_metadata",
"file": "fs/jbd2/transaction.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@af98b0157adf6504fade79b3e6cb260c4ff68e37",
"signature_type": "Function"
},
{
"digest": {
"line_hashes": [
"231224694226331733280331075266354153279",
"256495132197657548380248529060046877960",
"9761181448363055865219548000199811890",
"149445041383658714860957466072618638574",
"199484902928894406787912892483757611274",
"324451981095990616871000588639307991479",
"76103660558282633717425645488518415796",
"280525561445359126537028928974545447919",
"301677903097073176734471963413332728769",
"66668950306002547579367214251619748626",
"107478032996867919318295317397267155904"
],
"threshold": 0.9
},
"id": "CVE-2025-38337-ddbc2902",
"target": {
"file": "fs/jbd2/transaction.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a377996d714afb8d4d5f4906336f78510039da29",
"signature_type": "Line"
},
{
"digest": {
"function_hash": "11476434480569757163641445182684280938",
"length": 3092.0
},
"id": "CVE-2025-38337-f3ca30ab",
"target": {
"function": "jbd2_journal_dirty_metadata",
"file": "fs/jbd2/transaction.c"
},
"signature_version": "v1",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@23361b479f2700c00960d3ae9cdc8ededa762d47",
"signature_type": "Function"
}
]