In the Linux kernel, the following vulnerability has been resolved:fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio()If bio_add_folio() fails (because it is full),erofs_fileio_scan_folio() needs to submit the I/O request viaerofs_fileio_rq_submit() and allocate a new I/O request with an empty`struct bio`. Then it retries the bio_add_folio() call.However, at this point, erofs_onlinefolio_split() has already beencalled which increments `folio->private`; the retry will callerofs_onlinefolio_split() again, but there will never be a matchingerofs_onlinefolio_end() call. This leaves the folio locked foreverand all waiters will be stuck in folio_wait_bit_common().This bug has been added by commit ce63cb62d794 ( erofs: supportunencoded inodes for fileio ), but was practically unreachable becausethere was room for 256 folios in the `struct bio` - until commit9f74ae8c9ac9 ( erofs: shorten bvecs[] for file-backed mounts ) whichreduced the array capacity to 16 folios.It was now trivial to trigger the bug by manually invoking readaheadfrom userspace, e.g.: posix_fadvise(fd, 0, st.st_size, POSIX_FADV_WILLNEED);This should be fixed by invoking erofs_onlinefolio_split() only afterbio_add_folio() has succeeded. This is safe: asynchronous completionsinvoking erofs_onlinefolio_end() will not unlock the folio becauseerofs_fileio_scan_folio() is still holding a reference to be releasedby erofs_onlinefolio_end() at the end.
In the Linux kernel, the following vulnerability has been resolved:fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio()If bio_add_folio() fails (because it is full),erofs_fileio_scan_folio() needs to submit the I/O request viaerofs_fileio_rq_submit() and allocate a new I/O request with an empty`struct bio`. Then it retries the bio_add_folio() call.However, at this point, erofs_onlinefolio_split() has already beencalled which increments `folio->private`; the retry will callerofs_onlinefolio_split() again, but there will never be a matchingerofs_onlinefolio_end() call. This leaves the folio locked foreverand all waiters will be stuck in folio_wait_bit_common().This bug has been added by commit ce63cb62d794 ( erofs: supportunencoded inodes for fileio ), but was practically unreachable becausethere was room for 256 folios in the `struct bio` - until commit9f74ae8c9ac9 ( erofs: shorten bvecs[] for file-backed mounts ) whichreduced the array capacity to 16 folios.It was now trivial to trigger the bug by manually invoking readaheadfrom userspace, e.g.: posix_fadvise(fd, 0, st.st_size, POSIX_FADV_WILLNEED);This should be fixed by invoking erofs_onlinefolio_split() only afterbio_add_folio() has succeeded. This is safe: asynchronous completionsinvoking erofs_onlinefolio_end() will not unlock the folio becauseerofs_fileio_scan_folio() is still holding a reference to be releasedby erofs_onlinefolio_end() at the end.
In the Linux kernel, the following vulnerability has been resolved:fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio()If bio_add_folio() fails (because it is full),erofs_fileio_scan_folio() needs to submit the I/O request viaerofs_fileio_rq_submit() and allocate a new I/O request with an empty`struct bio`. Then it retries the bio_add_folio() call.However, at this point, erofs_onlinefolio_split() has already beencalled which increments `folio->private`; the retry will callerofs_onlinefolio_split() again, but there will never be a matchingerofs_onlinefolio_end() call. This leaves the folio locked foreverand all waiters will be stuck in folio_wait_bit_common().This bug has been added by commit ce63cb62d794 ("erofs: supportunencoded inodes for fileio"), but was practically unreachable becausethere was room for 256 folios in the `struct bio` - until commit9f74ae8c9ac9 ("erofs: shorten bvecs[] for file-backed mounts") whichreduced the array capacity to 16 folios.It was now trivial to trigger the bug by manually invoking readaheadfrom userspace, e.g.: posix_fadvise(fd, 0, st.st_size, POSIX_FADV_WILLNEED);This should be fixed by invoking erofs_onlinefolio_split() only afterbio_add_folio() has succeeded. This is safe: asynchronous completionsinvoking erofs_onlinefolio_end() will not unlock the folio becauseerofs_fileio_scan_folio() is still holding a reference to be releasedby erofs_onlinefolio_end() at the end.The Linux kernel CVE team has assigned CVE-2025-37999 to this issue.
