In the Linux kernel, the following vulnerability has been resolved:

exfat: fix random stack corruption after get_block

When get_block is called with a buffer_head allocated on the stack, such as do_mpage_readpage, stack corruption due to buffer_head UAF may occur in the following race condition situation.

     <CPU 0>                          <CPU 1>
mpage_read_folio
  <<bh on stack>>
  do_mpage_readpage
    exfat_get_block
      bh_read
        __bh_read
          get_bh(bh)
          submit_bh
          wait_on_buffer
                                  ...
                                  end_buffer_read_sync
                                    __end_buffer_read_notouch
                                      unlock_buffer
          <<keep going>>
        ...
      ...
    ...
  ...
<<bh is not valid out of mpage_read_folio>>
   .
   .
another_function
  <<variable A on stack>>
                                      put_bh(bh)
                                        atomic_dec(bh->b_count)
  * stack corruption here *

This patch returns -EAGAIN if a folio does not have buffers when bh_read needs to be called. By doing this, the caller can fall back to functions like block_read_full_folio(), create a buffer_head in the folio, and then call get_block again.

Let's not call bh_read() with an on-stack buffer_head.
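
The control flow of the fix, as an added userspace model that is not the kernel patch or exfat code: get_block refuses a synchronous read when the folio has no buffers, and the caller retries with a heap-backed buffer. All model_* names and the needs_read flag are hypothetical; only the -EAGAIN contract and the function roles come from the description above.

```c
/* Userspace model, constructed for illustration; not kernel code. */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

struct model_bh { int b_count; int uptodate; };   /* stand-in for buffer_head */
struct model_folio { struct model_bh *buffers; }; /* NULL: no buffers attached */

static int sync_reads; /* number of synchronous reads issued */

/* Stand-in for bh_read(). In the kernel the final put_bh() runs in the I/O
 * completion path, possibly on another CPU after the waiter has resumed, so
 * bh must outlive the waiter's stack frame. */
static void model_bh_read(struct model_bh *bh)
{
    bh->b_count++;      /* get_bh() */
    sync_reads++;       /* submit_bh() + wait_on_buffer() */
    bh->uptodate = 1;
    bh->b_count--;      /* put_bh(), done by the completion side */
}

/* Stand-in for a get_block callback; needs_read means a bh_read() is required. */
static int model_get_block(struct model_folio *folio, struct model_bh *bh_result,
                           int needs_read)
{
    if (!needs_read)
        return 0;               /* mapping only, no I/O on bh_result */
    if (!folio->buffers)
        return -EAGAIN;         /* bh_result may live on the caller's stack */
    model_bh_read(bh_result);
    return 0;
}

/* Stand-in for the mpage-style caller with its on-stack buffer head. */
static int model_read_folio(struct model_folio *folio, int needs_read)
{
    struct model_bh map_bh = {0, 0};
    int err = model_get_block(folio, &map_bh, needs_read);

    if (err != -EAGAIN)
        return err;
    /* Fallback in the role of block_read_full_folio(): attach a heap-backed
     * buffer to the folio, then call get_block again with that buffer. */
    folio->buffers = calloc(1, sizeof(*folio->buffers));
    if (!folio->buffers)
        return -ENOMEM;
    return model_get_block(folio, folio->buffers, needs_read);
}
```

In the model the on-stack map_bh never reaches model_bh_read(); only the buffer owned by the folio does, which is the lifetime property the fix restores.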