{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-39885", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.145Z", "datePublished": "2025-09-23T06:00:52.584Z", "dateUpdated": "2025-09-23T06:00:52.584Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-09-23T06:00:52.584Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix recursive semaphore deadlock in fiemap call\n\nsyzbot detected a OCFS2 hang due to a recursive semaphore on a\nFS_IOC_FIEMAP of the extent list on a specially crafted mmap file.\n\ncontext_switch kernel/sched/core.c:5357 [inline]\n __schedule+0x1798/0x4cc0 kernel/sched/core.c:6961\n __schedule_loop kernel/sched/core.c:7043 [inline]\n schedule+0x165/0x360 kernel/sched/core.c:7058\n schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7115\n rwsem_down_write_slowpath+0x872/0xfe0 kernel/locking/rwsem.c:1185\n __down_write_common kernel/locking/rwsem.c:1317 [inline]\n __down_write kernel/locking/rwsem.c:1326 [inline]\n down_write+0x1ab/0x1f0 kernel/locking/rwsem.c:1591\n ocfs2_page_mkwrite+0x2ff/0xc40 fs/ocfs2/mmap.c:142\n do_page_mkwrite+0x14d/0x310 mm/memory.c:3361\n wp_page_shared mm/memory.c:3762 [inline]\n do_wp_page+0x268d/0x5800 mm/memory.c:3981\n handle_pte_fault mm/memory.c:6068 [inline]\n __handle_mm_fault+0x1033/0x5440 mm/memory.c:6195\n handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364\n do_user_addr_fault+0x764/0x1390 arch/x86/mm/fault.c:1387\n handle_page_fault arch/x86/mm/fault.c:1476 [inline]\n exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532\n asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623\nRIP: 0010:copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline]\nRIP: 0010:raw_copy_to_user arch/x86/include/asm/uaccess_64.h:147 [inline]\nRIP: 0010:_inline_copy_to_user include/linux/uaccess.h:197 [inline]\nRIP: 0010:_copy_to_user+0x85/0xb0 lib/usercopy.c:26\nCode: e8 00 bc f7 fc 4d 39 fc 72 3d 4d 39 ec 77 38 e8 91 b9 f7 fc 4c 89\nf7 89 de e8 47 25 5b fd 0f 01 cb 4c 89 ff 48 89 d9 4c 89 f6 <f3> a4 0f\n1f 00 48 89 cb 0f 01 ca 48 89 d8 5b 41 5c 41 5d 41 5e 41\nRSP: 0018:ffffc9000403f950 EFLAGS: 00050256\nRAX: ffffffff84c7f101 RBX: 0000000000000038 RCX: 0000000000000038\nRDX: 0000000000000000 RSI: ffffc9000403f9e0 RDI: 0000200000000060\nRBP: ffffc9000403fa90 R08: ffffc9000403fa17 R09: 1ffff92000807f42\nR10: dffffc0000000000 R11: fffff52000807f43 R12: 0000200000000098\nR13: 00007ffffffff000 R14: ffffc9000403f9e0 R15: 0000200000000060\n copy_to_user include/linux/uaccess.h:225 [inline]\n fiemap_fill_next_extent+0x1c0/0x390 fs/ioctl.c:145\n ocfs2_fiemap+0x888/0xc90 fs/ocfs2/extent_map.c:806\n ioctl_fiemap fs/ioctl.c:220 [inline]\n do_vfs_ioctl+0x1173/0x1430 fs/ioctl.c:532\n __do_sys_ioctl fs/ioctl.c:596 [inline]\n __se_sys_ioctl+0x82/0x170 fs/ioctl.c:584\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f5f13850fd9\nRSP: 002b:00007ffe3b3518b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 0000200000000000 RCX: 00007f5f13850fd9\nRDX: 0000200000000040 RSI: 00000000c020660b RDI: 0000000000000004\nRBP: 6165627472616568 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe3b3518f0\nR13: 00007ffe3b351b18 R14: 431bde82d7b634db R15: 00007f5f1389a03b\n\nocfs2_fiemap() takes a read lock of the ip_alloc_sem semaphore (since\nv2.6.22-527-g7307de80510a) and calls fiemap_fill_next_extent() to read the\nextent list of this running mmap executable. The user supplied buffer to\nhold the fiemap information page faults calling ocfs2_page_mkwrite() which\nwill take a write lock (since v2.6.27-38-g00dc417fa3e7) of the same\nsemaphore. This recursive semaphore will hold filesystem locks and causes\na hang of the fileystem.\n\nThe ip_alloc_sem protects the inode extent list and size. Release the\nread semphore before calling fiemap_fill_next_extent() in ocfs2_fiemap()\nand ocfs2_fiemap_inline(). This does an unnecessary semaphore lock/unlock\non the last extent but simplifies the error path."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ocfs2/extent_map.c"], "versions": [{"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1", "lessThan": "36054554772f95d090eb45793faf6aa3c0254b02", "status": "affected", "versionType": "git"}, {"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1", "lessThan": "0709bc11b942870fc0a7be150e42aea42321093a", "status": "affected", "versionType": "git"}, {"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1", "lessThan": "1d3c96547ee2ddeaddf8f19a3ef99ea06cc8115e", "status": "affected", "versionType": "git"}, {"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1", "lessThan": "9efcb7a8b97310efed995397941a292cf89fa94f", "status": "affected", "versionType": "git"}, {"version": "00dc417fa3e763345b34ccb6034d72de76eea0a1", "lessThan": "04100f775c2ea501927f508f17ad824ad1f23c8d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ocfs2/extent_map.c"], "versions": [{"version": "2.6.28", "status": "affected"}, {"version": "0", "lessThan": "2.6.28", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.153", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.107", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.48", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.8", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17-rc6", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.28", "versionEndExcluding": "6.1.153"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.28", "versionEndExcluding": "6.6.107"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.28", "versionEndExcluding": "6.12.48"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.28", "versionEndExcluding": "6.16.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.28", "versionEndExcluding": "6.17-rc6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/36054554772f95d090eb45793faf6aa3c0254b02"}, {"url": "https://git.kernel.org/stable/c/0709bc11b942870fc0a7be150e42aea42321093a"}, {"url": "https://git.kernel.org/stable/c/1d3c96547ee2ddeaddf8f19a3ef99ea06cc8115e"}, {"url": "https://git.kernel.org/stable/c/9efcb7a8b97310efed995397941a292cf89fa94f"}, {"url": "https://git.kernel.org/stable/c/04100f775c2ea501927f508f17ad824ad1f23c8d"}], "title": "ocfs2: fix recursive semaphore deadlock in fiemap call", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix recursive semaphore deadlock in fiemap call\n\nsyzbot detected a OCFS2 hang due to a recursive semaphore on a\nFS_IOC_FIEMAP of the extent list on a specially crafted mmap file.\n\ncontext_switch kernel/sched/core.c:5357 [inline]\n __schedule+0x1798/0x4cc0 kernel/sched/core.c:6961\n __schedule_loop kernel/sched/core.c:7043 [inline]\n schedule+0x165/0x360 kernel/sched/core.c:7058\n schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7115\n rwsem_down_write_slowpath+0x872/0xfe0 kernel/locking/rwsem.c:1185\n __down_write_common kernel/locking/rwsem.c:1317 [inline]\n __down_write kernel/locking/rwsem.c:1326 [inline]\n down_write+0x1ab/0x1f0 kernel/locking/rwsem.c:1591\n ocfs2_page_mkwrite+0x2ff/0xc40 fs/ocfs2/mmap.c:142\n do_page_mkwrite+0x14d/0x310 mm/memory.c:3361\n wp_page_shared mm/memory.c:3762 [inline]\n do_wp_page+0x268d/0x5800 mm/memory.c:3981\n handle_pte_fault mm/memory.c:6068 [inline]\n __handle_mm_fault+0x1033/0x5440 mm/memory.c:6195\n handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364\n do_user_addr_fault+0x764/0x1390 arch/x86/mm/fault.c:1387\n handle_page_fault arch/x86/mm/fault.c:1476 [inline]\n exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532\n asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623\nRIP: 0010:copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline]\nRIP: 0010:raw_copy_to_user arch/x86/include/asm/uaccess_64.h:147 [inline]\nRIP: 0010:_inline_copy_to_user include/linux/uaccess.h:197 [inline]\nRIP: 0010:_copy_to_user+0x85/0xb0 lib/usercopy.c:26\nCode: e8 00 bc f7 fc 4d 39 fc 72 3d 4d 39 ec 77 38 e8 91 b9 f7 fc 4c 89\nf7 89 de e8 47 25 5b fd 0f 01 cb 4c 89 ff 48 89 d9 4c 89 f6 <f3> a4 0f\n1f 00 48 89 cb 0f 01 ca 48 89 d8 5b 41 5c 41 5d 41 5e 41\nRSP: 0018:ffffc9000403f950 EFLAGS: 00050256\nRAX: ffffffff84c7f101 RBX: 0000000000000038 RCX: 0000000000000038\nRDX: 0000000000000000 RSI: ffffc9000403f9e0 RDI: 0000200000000060\nRBP: ffffc9000403fa90 R08: ffffc9000403fa17 R09: 1ffff92000807f42\nR10: dffffc0000000000 R11: fffff52000807f43 R12: 0000200000000098\nR13: 00007ffffffff000 R14: ffffc9000403f9e0 R15: 0000200000000060\n copy_to_user include/linux/uaccess.h:225 [inline]\n fiemap_fill_next_extent+0x1c0/0x390 fs/ioctl.c:145\n ocfs2_fiemap+0x888/0xc90 fs/ocfs2/extent_map.c:806\n ioctl_fiemap fs/ioctl.c:220 [inline]\n do_vfs_ioctl+0x1173/0x1430 fs/ioctl.c:532\n __do_sys_ioctl fs/ioctl.c:596 [inline]\n __se_sys_ioctl+0x82/0x170 fs/ioctl.c:584\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f5f13850fd9\nRSP: 002b:00007ffe3b3518b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 0000200000000000 RCX: 00007f5f13850fd9\nRDX: 0000200000000040 RSI: 00000000c020660b RDI: 0000000000000004\nRBP: 6165627472616568 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe3b3518f0\nR13: 00007ffe3b351b18 R14: 431bde82d7b634db R15: 00007f5f1389a03b\n\nocfs2_fiemap() takes a read lock of the ip_alloc_sem semaphore (since\nv2.6.22-527-g7307de80510a) and calls fiemap_fill_next_extent() to read the\nextent list of this running mmap executable. The user supplied buffer to\nhold the fiemap information page faults calling ocfs2_page_mkwrite() which\nwill take a write lock (since v2.6.27-38-g00dc417fa3e7) of the same\nsemaphore. This recursive semaphore will hold filesystem locks and causes\na hang of the fileystem.\n\nThe ip_alloc_sem protects the inode extent list and size. Release the\nread semphore before calling fiemap_fill_next_extent() in ocfs2_fiemap()\nand ocfs2_fiemap_inline(). This does an unnecessary semaphore lock/unlock\non the last extent but simplifies the error path."}], "id": "CVE-2025-39885", "lastModified": "2025-09-23T06:15:48.370", "metrics": {}, "published": "2025-09-23T06:15:48.370", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/04100f775c2ea501927f508f17ad824ad1f23c8d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0709bc11b942870fc0a7be150e42aea42321093a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1d3c96547ee2ddeaddf8f19a3ef99ea06cc8115e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/36054554772f95d090eb45793faf6aa3c0254b02"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9efcb7a8b97310efed995397941a292cf89fa94f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"created": "2025-09-23T16:03:07.797008+00:00", "updated": "2025-09-23T16:03:07.797080+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}