{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-39879", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.144Z", "datePublished": "2025-09-23T06:00:49.377Z", "dateUpdated": "2025-09-23T06:00:49.377Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-09-23T06:00:49.377Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: always call ceph_shift_unused_folios_left()\n\nThe function ceph_process_folio_batch() sets folio_batch entries to\nNULL, which is an illegal state. Before folio_batch_release() crashes\ndue to this API violation, the function ceph_shift_unused_folios_left()\nis supposed to remove those NULLs from the array.\n\nHowever, since commit ce80b76dd327 (\"ceph: introduce\nceph_process_folio_batch() method\"), this shifting doesn't happen\nanymore because the \"for\" loop got moved to ceph_process_folio_batch(),\nand now the `i` variable that remains in ceph_writepages_start()\ndoesn't get incremented anymore, making the shifting effectively\nunreachable much of the time.\n\nLater, commit 1551ec61dc55 (\"ceph: introduce ceph_submit_write()\nmethod\") added more preconditions for doing the shift, replacing the\n`i` check (with something that is still just as broken):\n\n- if ceph_process_folio_batch() fails, shifting never happens\n\n- if ceph_move_dirty_page_in_page_array() was never called (because\n ceph_process_folio_batch() has returned early for some of various\n reasons), shifting never happens\n\n- if `processed_in_fbatch` is zero (because ceph_process_folio_batch()\n has returned early for some of the reasons mentioned above or\n because ceph_move_dirty_page_in_page_array() has failed), shifting\n never happens\n\nSince those two commits, any problem in ceph_process_folio_batch()\ncould crash the kernel, e.g. this way:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000034\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0002 [#1] SMP NOPTI\n CPU: 172 UID: 0 PID: 2342707 Comm: kworker/u778:8 Not tainted 6.15.10-cm4all1-es #714 NONE\n Hardware name: Dell Inc. PowerEdge R7615/0G9DHV, BIOS 1.6.10 12/08/2023\n Workqueue: writeback wb_workfn (flush-ceph-1)\n RIP: 0010:folios_put_refs+0x85/0x140\n Code: 83 c5 01 39 e8 7e 76 48 63 c5 49 8b 5c c4 08 b8 01 00 00 00 4d 85 ed 74 05 41 8b 44 ad 00 48 8b 15 b0 >\n RSP: 0018:ffffb880af8db778 EFLAGS: 00010207\n RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000003\n RDX: ffffe377cc3b0000 RSI: 0000000000000000 RDI: ffffb880af8db8c0\n RBP: 0000000000000000 R08: 000000000000007d R09: 000000000102b86f\n R10: 0000000000000001 R11: 00000000000000ac R12: ffffb880af8db8c0\n R13: 0000000000000000 R14: 0000000000000000 R15: ffff9bd262c97000\n FS: 0000000000000000(0000) GS:ffff9c8efc303000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000034 CR3: 0000000160958004 CR4: 0000000000770ef0\n PKRU: 55555554\n Call Trace:\n <TASK>\n ceph_writepages_start+0xeb9/0x1410\n\nThe crash can be reproduced easily by changing the\nceph_check_page_before_write() return value to `-E2BIG`.\n\n(Interestingly, the crash happens only if `huge_zero_folio` has\nalready been allocated; without `huge_zero_folio`,\nis_huge_zero_folio(NULL) returns true and folios_put_refs() skips NULL\nentries instead of dereferencing them. That makes reproducing the bug\nsomewhat unreliable. See\nhttps://lore.kernel.org/20250826231626.218675-1-max.kellermann@ionos.com\nfor a discussion of this detail.)\n\nMy suggestion is to move the ceph_shift_unused_folios_left() to right\nafter ceph_process_folio_batch() to ensure it always gets called to\nfix up the illegal folio_batch state."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ceph/addr.c"], "versions": [{"version": "ce80b76dd32764cc914975777e058d4fae4f0ea0", "lessThan": "289b6615cf553d98509a9b273195d9936da1cfb2", "status": "affected", "versionType": "git"}, {"version": "ce80b76dd32764cc914975777e058d4fae4f0ea0", "lessThan": "cce7c15faaac79b532a07ed6ab8332280ad83762", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ceph/addr.c"], "versions": [{"version": "6.15", "status": "affected"}, {"version": "0", "lessThan": "6.15", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.8", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17-rc6", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.16.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.17-rc6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/289b6615cf553d98509a9b273195d9936da1cfb2"}, {"url": "https://git.kernel.org/stable/c/cce7c15faaac79b532a07ed6ab8332280ad83762"}], "title": "ceph: always call ceph_shift_unused_folios_left()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: always call ceph_shift_unused_folios_left()\n\nThe function ceph_process_folio_batch() sets folio_batch entries to\nNULL, which is an illegal state. Before folio_batch_release() crashes\ndue to this API violation, the function ceph_shift_unused_folios_left()\nis supposed to remove those NULLs from the array.\n\nHowever, since commit ce80b76dd327 (\"ceph: introduce\nceph_process_folio_batch() method\"), this shifting doesn't happen\nanymore because the \"for\" loop got moved to ceph_process_folio_batch(),\nand now the `i` variable that remains in ceph_writepages_start()\ndoesn't get incremented anymore, making the shifting effectively\nunreachable much of the time.\n\nLater, commit 1551ec61dc55 (\"ceph: introduce ceph_submit_write()\nmethod\") added more preconditions for doing the shift, replacing the\n`i` check (with something that is still just as broken):\n\n- if ceph_process_folio_batch() fails, shifting never happens\n\n- if ceph_move_dirty_page_in_page_array() was never called (because\n ceph_process_folio_batch() has returned early for some of various\n reasons), shifting never happens\n\n- if `processed_in_fbatch` is zero (because ceph_process_folio_batch()\n has returned early for some of the reasons mentioned above or\n because ceph_move_dirty_page_in_page_array() has failed), shifting\n never happens\n\nSince those two commits, any problem in ceph_process_folio_batch()\ncould crash the kernel, e.g. this way:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000034\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0002 [#1] SMP NOPTI\n CPU: 172 UID: 0 PID: 2342707 Comm: kworker/u778:8 Not tainted 6.15.10-cm4all1-es #714 NONE\n Hardware name: Dell Inc. PowerEdge R7615/0G9DHV, BIOS 1.6.10 12/08/2023\n Workqueue: writeback wb_workfn (flush-ceph-1)\n RIP: 0010:folios_put_refs+0x85/0x140\n Code: 83 c5 01 39 e8 7e 76 48 63 c5 49 8b 5c c4 08 b8 01 00 00 00 4d 85 ed 74 05 41 8b 44 ad 00 48 8b 15 b0 >\n RSP: 0018:ffffb880af8db778 EFLAGS: 00010207\n RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000003\n RDX: ffffe377cc3b0000 RSI: 0000000000000000 RDI: ffffb880af8db8c0\n RBP: 0000000000000000 R08: 000000000000007d R09: 000000000102b86f\n R10: 0000000000000001 R11: 00000000000000ac R12: ffffb880af8db8c0\n R13: 0000000000000000 R14: 0000000000000000 R15: ffff9bd262c97000\n FS: 0000000000000000(0000) GS:ffff9c8efc303000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000034 CR3: 0000000160958004 CR4: 0000000000770ef0\n PKRU: 55555554\n Call Trace:\n <TASK>\n ceph_writepages_start+0xeb9/0x1410\n\nThe crash can be reproduced easily by changing the\nceph_check_page_before_write() return value to `-E2BIG`.\n\n(Interestingly, the crash happens only if `huge_zero_folio` has\nalready been allocated; without `huge_zero_folio`,\nis_huge_zero_folio(NULL) returns true and folios_put_refs() skips NULL\nentries instead of dereferencing them. That makes reproducing the bug\nsomewhat unreliable. See\nhttps://lore.kernel.org/20250826231626.218675-1-max.kellermann@ionos.com\nfor a discussion of this detail.)\n\nMy suggestion is to move the ceph_shift_unused_folios_left() to right\nafter ceph_process_folio_batch() to ensure it always gets called to\nfix up the illegal folio_batch state."}], "id": "CVE-2025-39879", "lastModified": "2025-09-23T06:15:47.523", "metrics": {}, "published": "2025-09-23T06:15:47.523", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/289b6615cf553d98509a9b273195d9936da1cfb2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cce7c15faaac79b532a07ed6ab8332280ad83762"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"created": "2025-09-23T16:03:17.511668+00:00", "updated": "2025-09-23T16:03:17.511730+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}