CVE-2025-37741

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-37741
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37741.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-37741
Downstream
Related
Published
2025-05-01T12:55:49.947Z
Modified
2025-11-27T02:33:37.801876Z
Summary
jfs: Prevent copying of nlink with value 0 from disk inode
Details

In the Linux kernel, the following vulnerability has been resolved:

jfs: Prevent copying of nlink with value 0 from disk inode

syzbot reported a deadlock in diFree. [1]

When calling "ioctl$LOOP_SET_STATUS64", the offset value passed in is 4, which does not match the mounted loop device, causing the mapping of the mounted loop device to be invalidated.

When creating the directory and creating the inode of the iag in diReadSpecial(), the page of the fixed disk inode (AIT) is read in raw mode in read_metapage(); the metapage data it returns is corrupted, which causes an nlink value of 0 to be assigned to the iag inode when executing copy_from_dinode(), which ultimately causes a deadlock when entering diFree().

To avoid this, first check the nlink value of the dinode before setting the iag inode.

[1] WARNING: possible recursive locking detected

6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 Not tainted

syz-executor301/5309 is trying to acquire lock:
ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889

but task is already holding lock:
ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&(imap->im_aglock[index]));
  lock(&(imap->im_aglock[index]));

 *** DEADLOCK ***

 May be due to missing lock nesting notation

5 locks held by syz-executor301/5309:
 #0: ffff8880422a4420 (sb_writers#9){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 fs/namespace.c:515
 #1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:850 [inline]
 #1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: filename_create+0x260/0x540 fs/namei.c:4026
 #2: ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630
 #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2460 [inline]
 #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
 #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocAG+0x4b7/0x1e50 fs/jfs/jfs_imap.c:1669
 #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2477 [inline]
 #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
 #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocAG+0x869/0x1e50 fs/jfs/jfs_imap.c:1669

stack backtrace:
CPU: 0 UID: 0 PID: 5309 Comm: syz-executor301 Not tainted 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_deadlock_bug+0x483/0x620 kernel/locking/lockdep.c:3037
 check_deadlock kernel/locking/lockdep.c:3089 [inline]
 validate_chain+0x15e2/0x5920 kernel/locking/lockdep.c:3891
 __lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5202
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
 __mutex_lock_common kernel/locking/mutex.c:608 [inline]
 __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
 diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889
 jfs_evict_inode+0x32d/0x440 fs/jfs/inode.c:156
 evict+0x4e8/0x9b0 fs/inode.c:725
 diFreeSpecial fs/jfs/jfs_imap.c:552 [inline]
 duplicateIXtree+0x3c6/0x550 fs/jfs/jfs_imap.c:3022
 diNewIAG fs/jfs/jfs_imap.c:2597 [inline]
 diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
 diAllocAG+0x17dc/0x1e50 fs/jfs/jfs_imap.c:1669
 diAlloc+0x1d2/0x1630 fs/jfs/jfs_imap.c:1590
 ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56
 jfs_mkdir+0x1c5/0xba0 fs/jfs/namei.c:225
 vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257
 do_mkdirat+0x264/0x3a0 fs/namei.c:4280
 __do_sys_mkdirat fs/namei.c:4295 [inline]
 __se_sys_mkdirat fs/namei.c:4293 [inline]
 __x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293
 do_syscall_x64 arch/x86/en ---truncated---

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/cc431b3424123d84bcd7afd4de150b33f117a8ef/cves/2025/37xxx/CVE-2025-37741.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
5b2f26d3fba4e9aac314f8bc0963b3fc28c0e456
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
8b5ce75f8bd3ddf480cc0a240d7ff5cdea0444f9
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
86bfeaa18f9e4615b97f2d613e0fcc4ced196527
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
c9541c2bd0edbdbc5c1148a84d3b48dc8d1b8af2
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
b3c4884b987e5d8d0ec061a4d52653c4f4b9c37e
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
aeb926e605f97857504bdf748f575e40617e2ef9
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
994787341358816d91b2fded288ecb7f129f2b27
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
a2b560815528ae8e266fca6038bb5585d13aaef4
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
b61e69bb1c049cf507e3c654fa3dc1568231bd07

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
5.4.293
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.237
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.181
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.135
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.88
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.24
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.13.12
Type
ECOSYSTEM
Events
Introduced
6.14.0
Fixed
6.14.3