OESA-2025-1667

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1667
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2025-1667.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2025-1667
Upstream
Published
2025-06-27T13:16:13Z
Modified
2025-08-12T05:47:29.694851Z
Summary
kernel security update
Details

The Linux Kernel, the operating system core itself.

Security Fix(es):

In the Linux kernel, the following vulnerability has been resolved:

btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount

During the unmount path, at close_ctree(), we first stop the cleaner kthread, using kthread_stop() which frees the associated task_struct, and then stop and destroy all the work queues. However after we stopped the cleaner we may still have a worker from the delalloc_workers queue running inode.c:submit_compressed_extents(), which calls btrfs_add_delayed_iput(), which in turn tries to wake up the cleaner kthread - which was already destroyed before, resulting in a use-after-free on the task_struct.

Syzbot reported this with the following stack traces:

BUG: KASAN: slab-use-after-free in __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089
Read of size 8 at addr ffff8880259d2818 by task kworker/u8:3/52

CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.13.0-rc1-syzkaller-00002-gcdd30ebb1b9f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: btrfs-delalloc btrfs_work_helper
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
 class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]
 try_to_wake_up+0xc2/0x1470 kernel/sched/core.c:4205
 submit_compressed_extents+0xdf/0x16e0 fs/btrfs/inode.c:1615
 run_ordered_work fs/btrfs/async-thread.c:288 [inline]
 btrfs_work_helper+0x96f/0xc40 fs/btrfs/async-thread.c:324
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 2:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4104 [inline]
 slab_alloc_node mm/slub.c:4153 [inline]
 kmem_cache_alloc_node_noprof+0x1d9/0x380 mm/slub.c:4205
 alloc_task_struct_node kernel/fork.c:180 [inline]
 dup_task_struct+0x57/0x8c0 kernel/fork.c:1113
 copy_process+0x5d1/0x3d50 kernel/fork.c:2225
 kernel_clone+0x223/0x870 kernel/fork.c:2807
 kernel_thread+0x1bc/0x240 kernel/fork.c:2869
 create_kthread kernel/kthread.c:412 [inline]
 kthreadd+0x60d/0x810 kernel/kthread.c:767
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 24:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2338 [inline]
 slab_free mm/slub.c:4598 [inline]
 kmem_cache_free+0x195/0x410 mm/slub.c:4700
 put_task_struct include/linux/sched/task.h:144 [inline]
 delayed_put_task_struct+0x125/0x300 kernel/exit.c:227
 rcu_do_batch kernel/rcu/tree.c:2567 [inline]
 rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823
 handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:554
 run_ksoftirqd+0xca/0x130 kernel/softirq.c:943

---truncated---(CVE-2024-57896)

In the Linux kernel, the following vulnerability has been resolved:

ext4: ignore xattrs past end

Once inside 'ext4_xattr_inode_dec_ref_all' we should ignore xattrs entries past the 'end' entry.

This fixes the following KASAN reported issue:

==================================================================
BUG: KASAN: slab-use-after-free in ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
Read of size 4 at addr ffff888012c120c4 by task repro/2065

CPU: 1 UID: 0 PID: 2065 Comm: repro Not tainted 6.13.0-rc2+ #11
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x1fd/0x300
 ? tcp_gro_dev_warn+0x260/0x260
 ? _printk+0xc0/0x100
 ? read_lock_is_recursive+0x10/0x10
 ? irq_work_queue+0x72/0xf0
 ? __virt_addr_valid+0x17b/0x4b0
 print_address_description+0x78/0x390
 print_report+0x107/0x1f0
 ? __virt_addr_valid+0x17b/0x4b0
 ? __virt_addr_valid+0x3ff/0x4b0
 ? __phys_addr+0xb5/0x160
 ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
 kasan_report+0xcc/0x100
 ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
 ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
 ? ext4_xattr_delete_inode+0xd30/0xd30
 ? __ext4_journal_ensure_credits+0x5f0/0x5f0
 ? __ext4_journal_ensure_credits+0x2b/0x5f0
 ? inode_update_timestamps+0x410/0x410
 ext4_xattr_delete_inode+0xb64/0xd30
 ? ext4_truncate+0xb70/0xdc0
 ? ext4_expand_extra_isize_ea+0x1d20/0x1d20
 ? __ext4_mark_inode_dirty+0x670/0x670
 ? ext4_journal_check_start+0x16f/0x240
 ? ext4_inode_is_fast_symlink+0x2f2/0x3a0
 ext4_evict_inode+0xc8c/0xff0
 ? ext4_inode_is_fast_symlink+0x3a0/0x3a0
 ? do_raw_spin_unlock+0x53/0x8a0
 ? ext4_inode_is_fast_symlink+0x3a0/0x3a0
 evict+0x4ac/0x950
 ? proc_nr_inodes+0x310/0x310
 ? trace_ext4_drop_inode+0xa2/0x220
 ? _raw_spin_unlock+0x1a/0x30
 ? iput+0x4cb/0x7e0
 do_unlinkat+0x495/0x7c0
 ? try_break_deleg+0x120/0x120
 ? 0xffffffff81000000
 ? __check_object_size+0x15a/0x210
 ? strncpy_from_user+0x13e/0x250
 ? getname_flags+0x1dc/0x530
 __x64_sys_unlinkat+0xc8/0xf0
 do_syscall_64+0x65/0x110
 entry_SYSCALL_64_after_hwframe+0x67/0x6f
RIP: 0033:0x434ffd
Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 8
RSP: 002b:00007ffc50fa7b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000107
RAX: ffffffffffffffda RBX: 00007ffc50fa7e18 RCX: 0000000000434ffd
RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005
RBP: 00007ffc50fa7be0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffc50fa7e08 R14: 00000000004bbf30 R15: 0000000000000001
 </TASK>

The buggy address belongs to the object at ffff888012c12000
 which belongs to the cache filp of size 360
The buggy address is located 196 bytes inside of
 freed 360-byte region [ffff888012c12000, ffff888012c12168)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12c12
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x40(head|node=0|zone=0)
page_type: f5(slab)
raw: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004
raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004
head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 0000000000000001 ffffea00004b0481 ffffffffffffffff 0000000000000000
head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888012c11f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888012c12000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888012c12080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff888012c12100: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
 ffff888012c12180: fc fc fc fc fc fc fc fc fc
---truncated---(CVE-2025-37738)

In the Linux kernel, the following vulnerability has been resolved:

objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds()

If dib8000_set_dds()'s call to dib8000_read32() returns zero, the result is a divide-by-zero. Prevent that from happening.

Fixes the following warning with an UBSAN kernel:

drivers/media/dvb-frontends/dib8000.o: warning: objtool: dib8000_tune() falls through to next function dib8096p_cfg_DibRx()(CVE-2025-37937)

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:22.03-LTS-SP3 / kernel

Package

Name
kernel
Purl
pkg:rpm/openEuler/kernel&distro=openEuler-22.03-LTS-SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.0-269.0.0.171.oe2203sp3

Ecosystem specific

{
    "src": [
        "kernel-5.10.0-269.0.0.171.oe2203sp3.src.rpm"
    ],
    "x86_64": [
        "kernel-5.10.0-269.0.0.171.oe2203sp3.x86_64.rpm",
        "kernel-debuginfo-5.10.0-269.0.0.171.oe2203sp3.x86_64.rpm",
        "kernel-debugsource-5.10.0-269.0.0.171.oe2203sp3.x86_64.rpm",
        "kernel-devel-5.10.0-269.0.0.171.oe2203sp3.x86_64.rpm",
        "kernel-headers-5.10.0-269.0.0.171.oe2203sp3.x86_64.rpm",
        "kernel-source-5.10.0-269.0.0.171.oe2203sp3.x86_64.rpm",
        "kernel-tools-5.10.0-269.0.0.171.oe2203sp3.x86_64.rpm",
        "kernel-tools-debuginfo-5.10.0-269.0.0.171.oe2203sp3.x86_64.rpm",
        "kernel-tools-devel-5.10.0-269.0.0.171.oe2203sp3.x86_64.rpm",
        "perf-5.10.0-269.0.0.171.oe2203sp3.x86_64.rpm",
        "perf-debuginfo-5.10.0-269.0.0.171.oe2203sp3.x86_64.rpm",
        "python3-perf-5.10.0-269.0.0.171.oe2203sp3.x86_64.rpm",
        "python3-perf-debuginfo-5.10.0-269.0.0.171.oe2203sp3.x86_64.rpm"
    ],
    "aarch64": [
        "kernel-5.10.0-269.0.0.171.oe2203sp3.aarch64.rpm",
        "kernel-debuginfo-5.10.0-269.0.0.171.oe2203sp3.aarch64.rpm",
        "kernel-debugsource-5.10.0-269.0.0.171.oe2203sp3.aarch64.rpm",
        "kernel-devel-5.10.0-269.0.0.171.oe2203sp3.aarch64.rpm",
        "kernel-headers-5.10.0-269.0.0.171.oe2203sp3.aarch64.rpm",
        "kernel-source-5.10.0-269.0.0.171.oe2203sp3.aarch64.rpm",
        "kernel-tools-5.10.0-269.0.0.171.oe2203sp3.aarch64.rpm",
        "kernel-tools-debuginfo-5.10.0-269.0.0.171.oe2203sp3.aarch64.rpm",
        "kernel-tools-devel-5.10.0-269.0.0.171.oe2203sp3.aarch64.rpm",
        "perf-5.10.0-269.0.0.171.oe2203sp3.aarch64.rpm",
        "perf-debuginfo-5.10.0-269.0.0.171.oe2203sp3.aarch64.rpm",
        "python3-perf-5.10.0-269.0.0.171.oe2203sp3.aarch64.rpm",
        "python3-perf-debuginfo-5.10.0-269.0.0.171.oe2203sp3.aarch64.rpm"
    ]
}