CVE-2025-21722

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: do not force clear folio if buffer is referenced

Patch series "nilfs2: protect busy buffer heads from being force-cleared".

This series fixes the buffer head state inconsistency issues reported by syzbot that occurs when the filesystem is corrupted and falls back to read-only, and the associated buffer head use-after-free issue.

This patch (of 2):

Syzbot has reported that after nilfs2 detects filesystem corruption and falls back to read-only, inconsistencies in the buffer state may occur.

One of the inconsistencies is that when nilfs2 calls markbufferdirty() to set a data or metadata buffer as dirty, but it detects that the buffer is not in the uptodate state:

WARNING: CPU: 0 PID: 6049 at fs/buffer.c:1177 markbufferdirty+0x2e5/0x520 fs/buffer.c:1177 ... Call Trace: <TASK> nilfspalloccommitallocentry+0x4b/0x160 fs/nilfs2/alloc.c:598 nilfsifilecreateinode+0x1dd/0x3a0 fs/nilfs2/ifile.c:73 nilfsnewinode+0x254/0x830 fs/nilfs2/inode.c:344 nilfsmkdir+0x10d/0x340 fs/nilfs2/namei.c:218 vfsmkdir+0x2f9/0x4f0 fs/namei.c:4257 domkdirat+0x264/0x3a0 fs/namei.c:4280 _dosysmkdirat fs/namei.c:4295 [inline] _sesysmkdirat fs/namei.c:4293 [inline] _x64sysmkdirat+0x87/0xa0 fs/namei.c:4293 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xf3/0x230 arch/x86/entry/common.c:83 entrySYSCALL64after_hwframe+0x77/0x7f

The other is when nilfsbtreepropagate(), which propagates the dirty state to the ancestor nodes of a b-tree that point to a dirty buffer, detects that the origin buffer is not dirty, even though it should be:

WARNING: CPU: 0 PID: 5245 at fs/nilfs2/btree.c:2089 nilfsbtreepropagate+0xc79/0xdf0 fs/nilfs2/btree.c:2089 ... Call Trace: <TASK> nilfsbmappropagate+0x75/0x120 fs/nilfs2/bmap.c:345 nilfscollectfiledata+0x4d/0xd0 fs/nilfs2/segment.c:587 nilfssegctorapplybuffers+0x184/0x340 fs/nilfs2/segment.c:1006 nilfssegctorscanfile+0x28c/0xa50 fs/nilfs2/segment.c:1045 nilfssegctorcollectblocks fs/nilfs2/segment.c:1216 [inline] nilfssegctorcollect fs/nilfs2/segment.c:1540 [inline] nilfssegctordoconstruct+0x1c28/0x6b90 fs/nilfs2/segment.c:2115 nilfssegctorconstruct+0x181/0x6b0 fs/nilfs2/segment.c:2479 nilfssegctorthreadconstruct fs/nilfs2/segment.c:2587 [inline] nilfssegctorthread+0x69e/0xe80 fs/nilfs2/segment.c:2701 kthread+0x2f0/0x390 kernel/kthread.c:389 retfromfork+0x4b/0x80 arch/x86/kernel/process.c:147 retfromforkasm+0x1a/0x30 arch/x86/entry/entry64.S:244 </TASK>

Both of these issues are caused by the callbacks that handle the page/folio write requests, forcibly clear various states, including the working state of the buffers they hold, at unexpected times when they detect read-only fallback.

Fix these issues by checking if the buffer is referenced before clearing the page/folio state, and skipping the clear if it is.