Wind River Support Network

Description

In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]jffs2: check that raw node were preallocated before writing summary[EOL][EOL]Syzkaller detected a kernel bug in jffs2_link_node_ref, caused by fault[EOL]injection in jffs2_prealloc_raw_node_refs. jffs2_sum_write_sumnode doesn't[EOL]check return value of jffs2_prealloc_raw_node_refs and simply lets any[EOL]error propagate into jffs2_sum_write_data, which eventually calls[EOL]jffs2_link_node_ref in order to link the summary to an expectedly allocated[EOL]node.[EOL][EOL]kernel BUG at fs/jffs2/nodelist.c:592![EOL]invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI[EOL]CPU: 1 PID: 31277 Comm: syz-executor.7 Not tainted 6.1.128-syzkaller-00139-ge10f83ca10a1 #0[EOL]Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014[EOL]RIP: 0010:jffs2_link_node_ref+0x570/0x690 fs/jffs2/nodelist.c:592[EOL]Call Trace:[EOL] <TASK>[EOL] jffs2_sum_write_data fs/jffs2/summary.c:841 [inline][EOL] jffs2_sum_write_sumnode+0xd1a/0x1da0 fs/jffs2/summary.c:874[EOL] jffs2_do_reserve_space+0xa18/0xd60 fs/jffs2/nodemgmt.c:388[EOL] jffs2_reserve_space+0x55f/0xaa0 fs/jffs2/nodemgmt.c:197[EOL] jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362[EOL] jffs2_write_end+0x726/0x15d0 fs/jffs2/file.c:301[EOL] generic_perform_write+0x314/0x5d0 mm/filemap.c:3856[EOL] __generic_file_write_iter+0x2ae/0x4d0 mm/filemap.c:3973[EOL] generic_file_write_iter+0xe3/0x350 mm/filemap.c:4005[EOL] call_write_iter include/linux/fs.h:2265 [inline][EOL] do_iter_readv_writev+0x20f/0x3c0 fs/read_write.c:735[EOL] do_iter_write+0x186/0x710 fs/read_write.c:861[EOL] vfs_iter_write+0x70/0xa0 fs/read_write.c:902[EOL] iter_file_splice_write+0x73b/0xc90 fs/splice.c:685[EOL] do_splice_from fs/splice.c:763 [inline][EOL] direct_splice_actor+0x10c/0x170 fs/splice.c:950[EOL] splice_direct_to_actor+0x337/0xa10 fs/splice.c:896[EOL] do_splice_direct+0x1a9/0x280 fs/splice.c:1002[EOL] do_sendfile+0xb13/0x12c0 fs/read_write.c:1255[EOL] __do_sys_sendfile64 fs/read_write.c:1323 [inline][EOL] __se_sys_sendfile64 fs/read_write.c:1309 [inline][EOL] __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309[EOL] do_syscall_x64 arch/x86/entry/common.c:51 [inline][EOL] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81[EOL] entry_SYSCALL_64_after_hwframe+0x6e/0xd8[EOL][EOL]Fix this issue by checking return value of jffs2_prealloc_raw_node_refs[EOL]before calling jffs2_sum_write_data.[EOL][EOL]Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

CREATE(Triage):(User=admin) [CVE-2025-38194 (https://nvd.nist.gov/vuln/detail/CVE-2025-38194)