Acknowledged
Created: Jul 7, 2025
Updated: Jul 8, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]jfs: Fix null-ptr-deref in jfs_ioc_trim[EOL][EOL][ Syzkaller Report ][EOL][EOL]Oops: general protection fault, probably for non-canonical address[EOL]0xdffffc0000000087: 0000 [#1[EOL]KASAN: null-ptr-deref in range [0x0000000000000438-0x000000000000043f][EOL]CPU: 2 UID: 0 PID: 10614 Comm: syz-executor.0 Not tainted[EOL]6.13.0-rc6-gfbfd64d25c7a-dirty #1[EOL]Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014[EOL]Sched_ext: serialise (enabled+all), task: runnable_at=-30ms[EOL]RIP: 0010:jfs_ioc_trim+0x34b/0x8f0[EOL]Code: e7 e8 59 a4 87 fe 4d 8b 24 24 4d 8d bc 24 38 04 00 00 48 8d 93[EOL]90 82 fe ff 4c 89 ff 31 f6[EOL]RSP: 0018:ffffc900055f7cd0 EFLAGS: 00010206[EOL]RAX: 0000000000000087 RBX: 00005866a9e67ff8 RCX: 000000000000000a[EOL]RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001[EOL]RBP: dffffc0000000000 R08: ffff88807c180003 R09: 1ffff1100f830000[EOL]R10: dffffc0000000000 R11: ffffed100f830001 R12: 0000000000000000[EOL]R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000438[EOL]FS: 00007fe520225640(0000) GS:ffff8880b7e80000(0000) knlGS:0000000000000000[EOL]CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[EOL]CR2: 00005593c91b2c88 CR3: 000000014927c000 CR4: 00000000000006f0[EOL]DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000[EOL]DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400[EOL]Call Trace:[EOL]<TASK>[EOL]? __die_body+0x61/0xb0[EOL]? die_addr+0xb1/0xe0[EOL]? exc_general_protection+0x333/0x510[EOL]? asm_exc_general_protection+0x26/0x30[EOL]? jfs_ioc_trim+0x34b/0x8f0[EOL]jfs_ioctl+0x3c8/0x4f0[EOL]? __pfx_jfs_ioctl+0x10/0x10[EOL]? __pfx_jfs_ioctl+0x10/0x10[EOL]__se_sys_ioctl+0x269/0x350[EOL]? __pfx___se_sys_ioctl+0x10/0x10[EOL]? do_syscall_64+0xfb/0x210[EOL]do_syscall_64+0xee/0x210[EOL]? syscall_exit_to_user_mode+0x1e0/0x330[EOL]entry_SYSCALL_64_after_hwframe+0x77/0x7f[EOL]RIP: 0033:0x7fe51f4903ad[EOL]Code: c3 e8 a7 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48[EOL]89 f7 48 89 d6 48 89 ca 4d[EOL]RSP: 002b:00007fe5202250c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010[EOL]RAX: ffffffffffffffda RBX: 00007fe51f5cbf80 RCX: 00007fe51f4903ad[EOL]RDX: 0000000020000680 RSI: 00000000c0185879 RDI: 0000000000000005[EOL]RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000[EOL]R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe520225640[EOL]R13: 000000000000000e R14: 00007fe51f44fca0 R15: 00007fe52021d000[EOL]</TASK>[EOL]Modules linked in:[EOL]---[ end trace 0000000000000000 ]---[EOL]RIP: 0010:jfs_ioc_trim+0x34b/0x8f0[EOL]Code: e7 e8 59 a4 87 fe 4d 8b 24 24 4d 8d bc 24 38 04 00 00 48 8d 93[EOL]90 82 fe ff 4c 89 ff 31 f6[EOL]RSP: 0018:ffffc900055f7cd0 EFLAGS: 00010206[EOL]RAX: 0000000000000087 RBX: 00005866a9e67ff8 RCX: 000000000000000a[EOL]RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001[EOL]RBP: dffffc0000000000 R08: ffff88807c180003 R09: 1ffff1100f830000[EOL]R10: dffffc0000000000 R11: ffffed100f830001 R12: 0000000000000000[EOL]R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000438[EOL]FS: 00007fe520225640(0000) GS:ffff8880b7e80000(0000) knlGS:0000000000000000[EOL]CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[EOL]CR2: 00005593c91b2c88 CR3: 000000014927c000 CR4: 00000000000006f0[EOL]DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000[EOL]DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400[EOL]Kernel panic - not syncing: Fatal exception[EOL][EOL][ Analysis ][EOL][EOL]We believe that we have found a concurrency bug in the `fs/jfs` module[EOL]that results in a null pointer dereference. There is a closely related[EOL]issue which has been fixed:[EOL][EOL]https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d6c1b3599b2feb5c7291f5ac3a36e5fa7cedb234[EOL][EOL]... but, unfortunately, the accepted patch appears to still be[EOL]susceptible to a null pointer dereference under some interleavings.[EOL][EOL]To trigger the bug, we think that `JFS_SBI(ipbmap->i_sb)->bmap` is set[EOL]to NULL in `dbFreeBits` and then dereferenced in `jfs_ioc_trim`. This[EOL]bug manifests quite rarely under normal circumstances, but is[EOL]triggereable from a syz-program.
CREATE(Triage):(User=admin) [CVE-2025-38203 (https://nvd.nist.gov/vuln/detail/CVE-2025-38203)
