CVE-2025-39885

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-39885
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-39885.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-39885
Downstream
Published
2025-09-23T06:15:48Z
Modified
2025-09-24T18:11:24Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix recursive semaphore deadlock in fiemap call

syzbot detected an OCFS2 hang due to a recursive semaphore on an FS_IOC_FIEMAP of the extent list on a specially crafted mmap file.

context_switch kernel/sched/core.c:5357 [inline]
__schedule+0x1798/0x4cc0 kernel/sched/core.c:6961
__schedule_loop kernel/sched/core.c:7043 [inline]
schedule+0x165/0x360 kernel/sched/core.c:7058
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7115
rwsem_down_write_slowpath+0x872/0xfe0 kernel/locking/rwsem.c:1185
__down_write_common kernel/locking/rwsem.c:1317 [inline]
__down_write kernel/locking/rwsem.c:1326 [inline]
down_write+0x1ab/0x1f0 kernel/locking/rwsem.c:1591
ocfs2_page_mkwrite+0x2ff/0xc40 fs/ocfs2/mmap.c:142
do_page_mkwrite+0x14d/0x310 mm/memory.c:3361
wp_page_shared mm/memory.c:3762 [inline]
do_wp_page+0x268d/0x5800 mm/memory.c:3981
handle_pte_fault mm/memory.c:6068 [inline]
__handle_mm_fault+0x1033/0x5440 mm/memory.c:6195
handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364
do_user_addr_fault+0x764/0x1390 arch/x86/mm/fault.c:1387
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0010:copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline]
RIP: 0010:raw_copy_to_user arch/x86/include/asm/uaccess_64.h:147 [inline]
RIP: 0010:_inline_copy_to_user include/linux/uaccess.h:197 [inline]
RIP: 0010:_copy_to_user+0x85/0xb0 lib/usercopy.c:26
Code: e8 00 bc f7 fc 4d 39 fc 72 3d 4d 39 ec 77 38 e8 91 b9 f7 fc 4c 89 f7 89 de e8 47 25 5b fd 0f 01 cb 4c 89 ff 48 89 d9 4c 89 f6 <f3> a4 0f 1f 00 48 89 cb 0f 01 ca 48 89 d8 5b 41 5c 41 5d 41 5e 41
RSP: 0018:ffffc9000403f950 EFLAGS: 00050256
RAX: ffffffff84c7f101 RBX: 0000000000000038 RCX: 0000000000000038
RDX: 0000000000000000 RSI: ffffc9000403f9e0 RDI: 0000200000000060
RBP: ffffc9000403fa90 R08: ffffc9000403fa17 R09: 1ffff92000807f42
R10: dffffc0000000000 R11: fffff52000807f43 R12: 0000200000000098
R13: 00007ffffffff000 R14: ffffc9000403f9e0 R15: 0000200000000060
copy_to_user include/linux/uaccess.h:225 [inline]
fiemap_fill_next_extent+0x1c0/0x390 fs/ioctl.c:145
ocfs2_fiemap+0x888/0xc90 fs/ocfs2/extent_map.c:806
ioctl_fiemap fs/ioctl.c:220 [inline]
do_vfs_ioctl+0x1173/0x1430 fs/ioctl.c:532
__do_sys_ioctl fs/ioctl.c:596 [inline]
__se_sys_ioctl+0x82/0x170 fs/ioctl.c:584
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5f13850fd9
RSP: 002b:00007ffe3b3518b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000200000000000 RCX: 00007f5f13850fd9
RDX: 0000200000000040 RSI: 00000000c020660b RDI: 0000000000000004
RBP: 6165627472616568 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe3b3518f0
R13: 00007ffe3b351b18 R14: 431bde82d7b634db R15: 00007f5f1389a03b

ocfs2_fiemap() takes a read lock of the ip_alloc_sem semaphore (since v2.6.22-527-g7307de80510a) and calls fiemap_fill_next_extent() to read the extent list of this running mmap executable. The user supplied buffer to hold the fiemap information page faults calling ocfs2_page_mkwrite() which will take a write lock (since v2.6.27-38-g00dc417fa3e7) of the same semaphore. This recursive semaphore will hold filesystem locks and causes a hang of the filesystem.

The ip_alloc_sem protects the inode extent list and size. Release the read semaphore before calling fiemap_fill_next_extent() in ocfs2_fiemap() and ocfs2_fiemap_inline(). This does an unnecessary semaphore lock/unlock on the last extent but simplifies the error path.
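The lock sequence described above, as an added user-space model written for this page (it is not the kernel patch and not ocfs2 code): a non-recursive reader/writer semaphore standing in for ip_alloc_sem, a constructed three-entry extent list, and a page_mkwrite() stand-in that needs the write side because the user buffer is a writable mapping of the same file. The kernel's down_write() would sleep forever in this situation; the model's try_down_write() returns -EBUSY instead so the self-deadlock is observable. The "before" function holds the read lock across the copy-out; the "after" function snapshots each extent under the lock and drops it before copying, as the fix does. All names and values are assumptions made for the illustration.

```c
/*
 * Added illustration (not the kernel patch): user-space model of the
 * ip_alloc_sem lock sequence in ocfs2_fiemap().  The rwsem, the extent
 * list and the page-fault hook are all constructed stand-ins.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal non-recursive reader/writer semaphore: a writer may only enter
 * when no reader holds it, even if that reader is the same thread. */
struct rwsem { int readers; int writer; };

static void down_read(struct rwsem *s) { s->readers++; }
static void up_read(struct rwsem *s)   { s->readers--; }

/* Where the kernel's down_write() would block forever, return -EBUSY so
 * the deadlock shows up as a return value rather than a hang. */
static int try_down_write(struct rwsem *s)
{
    if (s->readers || s->writer)
        return -EBUSY;
    s->writer = 1;
    return 0;
}
static void up_write(struct rwsem *s) { s->writer = 0; }

static struct rwsem ip_alloc_sem;   /* models OCFS2_I(inode)->ip_alloc_sem */

/* Constructed extent list standing in for the inode's extent map. */
struct extent { unsigned long logical, physical, len; };
static const struct extent extent_list[] = {
    { 0,      4096,  4096 },
    { 4096,  16384,  8192 },
    { 12288, 65536,  4096 },
};
#define NR_EXTENTS (sizeof extent_list / sizeof extent_list[0])

/* Models ocfs2_page_mkwrite(): the user buffer is a writable mmap of the
 * same file, so the first store into it faults and the fault handler takes
 * ip_alloc_sem for write. */
static int page_mkwrite(void)
{
    int rc = try_down_write(&ip_alloc_sem);
    if (rc)
        return rc;
    up_write(&ip_alloc_sem);
    return 0;
}

/* Models fiemap_fill_next_extent(): copying the extent to user space
 * triggers the page fault above. */
static int fill_next_extent(const struct extent *e, size_t *filled)
{
    int rc = page_mkwrite();
    if (rc)
        return rc;
    (void)e;            /* the copy itself is not modelled */
    (*filled)++;
    return 0;
}

/* Before the fix: read lock held across the copy-out, so the fault's
 * down_write() waits on our own down_read().  Returns -EBUSY here; in the
 * kernel this is the hang in the trace. */
int fiemap_before_fix(size_t *filled)
{
    int rc = 0;
    *filled = 0;
    down_read(&ip_alloc_sem);
    for (size_t i = 0; i < NR_EXTENTS && rc == 0; i++)
        rc = fill_next_extent(&extent_list[i], filled);
    up_read(&ip_alloc_sem);
    return rc;
}

/* After the fix: snapshot the extent under the lock, release, then copy
 * out.  The lock is re-taken per extent, which is the extra lock/unlock on
 * the last extent that the commit message accepts. */
int fiemap_after_fix(size_t *filled)
{
    int rc = 0;
    *filled = 0;
    for (size_t i = 0; i < NR_EXTENTS && rc == 0; i++) {
        struct extent e;
        down_read(&ip_alloc_sem);
        e = extent_list[i];          /* read while the list is stable */
        up_read(&ip_alloc_sem);
        rc = fill_next_extent(&e, filled);
    }
    return rc;
}

int main(void)
{
    size_t n;
    int rc = fiemap_before_fix(&n);
    printf("before fix: rc=%d (%s), extents copied=%zu\n",
           rc, rc == -EBUSY ? "would deadlock" : "ok", n);
    rc = fiemap_after_fix(&n);
    printf("after fix:  rc=%d, extents copied=%zu\n", rc, n);
    return 0;
}
```

The general point the model makes is that any copy to a user buffer can fault back into the filesystem, so no lock that the fault path also needs may be held across copy_to_user(). The cost of the fix, visible in fiemap_after_fix(), is that the extent walk is no longer atomic with respect to ip_alloc_sem: the list may change between iterations, which the commit accepts in exchange for a simpler error path.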

References

Affected packages