In the Linux kernel, the following vulnerability has been resolved:

fs/notify: call exportfs_encode_fid with s_umount

Calling inotify_show_fdinfo() on an fd watching an overlayfs inode, while the overlayfs is being unmounted, can lead to dereferencing a NULL ptr. This issue was found by syzkaller.

Race Condition Diagram:

Thread 1                            Thread 2
--------                            --------
generic_shutdown_super()
  shrink_dcache_for_umount
    sb->s_root = NULL
          |                         vfs_read()
          |                           inotify_fdinfo()
          |                            * inode get from mark *
          |                            show_mark_fhandle(m, inode)
          |                             exportfs_encode_fid(inode, ..)
          |                              ovl_encode_fh(inode, ..)
          |                               ovl_check_encode_origin(inode)
          |                                * deref i_sb->s_root *
          |
          v
fsnotify_sb_delete(sb)

Which then leads to:

[   32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
[   32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
[   32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none)
<snip registers, unreliable trace>
[   32.143353] Call Trace:
[   32.143732]  ovl_encode_fh+0xd5/0x170
[   32.144031]  exportfs_encode_inode_fh+0x12f/0x300
[   32.144425]  show_mark_fhandle+0xbe/0x1f0
[   32.145805]  inotify_fdinfo+0x226/0x2d0
[   32.146442]  inotify_show_fdinfo+0x1c5/0x350
[   32.147168]  seq_show+0x530/0x6f0
[   32.147449]  seq_read_iter+0x503/0x12a0
[   32.148419]  seq_read+0x31f/0x410
[   32.150714]  vfs_read+0x1f0/0x9e0
[   32.152297]  ksys_read+0x125/0x240

IOW, ovl_check_encode_origin() derefs inode->i_sb->s_root after it was set to NULL in the unmount path.

Fix it by protecting the call to exportfs_encode_fid() from show_mark_fhandle() with the s_umount lock. This form of fix was suggested by Amir in [1].

[1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/