CVE-2025-38276

{"id": "CVE-2025-38276", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-07-10T08:15:25.887", "references": [{"url": "https://git.kernel.org/stable/c/61009dd2252ab4391d44a240e891f1e04c00b9ca", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dd59137bfe70cf3646021b4721e430213b9c71bd", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-667"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/dax: Fix \"don't skip locked entries when scanning entries\"\n\nCommit 6be3e21d25ca (\"fs/dax: don't skip locked entries when scanning\nentries\") introduced a new function, wait_entry_unlocked_exclusive(),\nwhich waits for the current entry to become unlocked without advancing\nthe XArray iterator state.\n\nWaiting for the entry to become unlocked requires dropping the XArray\nlock. This requires calling xas_pause() prior to dropping the lock\nwhich leaves the xas in a suitable state for the next iteration. However\nthis has the side-effect of advancing the xas state to the next index.\nNormally this isn't an issue because xas_for_each() contains code to\ndetect this state and thus avoid advancing the index a second time on\nthe next loop iteration.\n\nHowever both callers of and wait_entry_unlocked_exclusive() itself\nsubsequently use the xas state to reload the entry. As xas_pause()\nupdated the state to the next index this will cause the current entry\nwhich is being waited on to be skipped. This caused the following\nwarning to fire intermittently when running xftest generic/068 on an XFS\nfilesystem with FS DAX enabled:\n\n[ 35.067397] ------------[ cut here ]------------\n[ 35.068229] WARNING: CPU: 21 PID: 1640 at mm/truncate.c:89 truncate_folio_batch_exceptionals+0xd8/0x1e0\n[ 35.069717] Modules linked in: nd_pmem dax_pmem nd_btt nd_e820 libnvdimm\n[ 35.071006] CPU: 21 UID: 0 PID: 1640 Comm: fstest Not tainted 6.15.0-rc7+ #77 PREEMPT(voluntary)\n[ 35.072613] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/204\n[ 35.074845] RIP: 0010:truncate_folio_batch_exceptionals+0xd8/0x1e0\n[ 35.075962] Code: a1 00 00 00 f6 47 0d 20 0f 84 97 00 00 00 4c 63 e8 41 39 c4 7f 0b eb 61 49 83 c5 01 45 39 ec 7e 58 42 f68\n[ 35.079522] RSP: 0018:ffffb04e426c7850 EFLAGS: 00010202\n[ 35.080359] RAX: 0000000000000000 RBX: ffff9d21e3481908 RCX: ffffb04e426c77f4\n[ 35.081477] RDX: ffffb04e426c79e8 RSI: ffffb04e426c79e0 RDI: ffff9d21e34816e8\n[ 35.082590] RBP: ffffb04e426c79e0 R08: 0000000000000001 R09: 0000000000000003\n[ 35.083733] R10: 0000000000000000 R11: 822b53c0f7a49868 R12: 000000000000001f\n[ 35.084850] R13: 0000000000000000 R14: ffffb04e426c78e8 R15: fffffffffffffffe\n[ 35.085953] FS: 00007f9134c87740(0000) GS:ffff9d22abba0000(0000) knlGS:0000000000000000\n[ 35.087346] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 35.088244] CR2: 00007f9134c86000 CR3: 000000040afff000 CR4: 00000000000006f0\n[ 35.089354] Call Trace:\n[ 35.089749] <TASK>\n[ 35.090168] truncate_inode_pages_range+0xfc/0x4d0\n[ 35.091078] truncate_pagecache+0x47/0x60\n[ 35.091735] xfs_setattr_size+0xc7/0x3e0\n[ 35.092648] xfs_vn_setattr+0x1ea/0x270\n[ 35.093437] notify_change+0x1f4/0x510\n[ 35.094219] ? do_truncate+0x97/0xe0\n[ 35.094879] do_truncate+0x97/0xe0\n[ 35.095640] path_openat+0xabd/0xca0\n[ 35.096278] do_filp_open+0xd7/0x190\n[ 35.096860] do_sys_openat2+0x8a/0xe0\n[ 35.097459] __x64_sys_openat+0x6d/0xa0\n[ 35.098076] do_syscall_64+0xbb/0x1d0\n[ 35.098647] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 35.099444] RIP: 0033:0x7f9134d81fc1\n[ 35.100033] Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d 2a 26 0e 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff5\n[ 35.102993] RSP: 002b:00007ffcd41e0d10 EFLAGS: 00000202 ORIG_RAX: 0000000000000101\n[ 35.104263] RAX: ffffffffffffffda RBX: 0000000000000242 RCX: 00007f9134d81fc1\n[ 35.105452] RDX: 0000000000000242 RSI: 00007ffcd41e1200 RDI: 00000000ffffff9c\n[ 35.106663] RBP: 00007ffcd41e1200 R08: 0000000000000000 R09: 0000000000000064\n[ 35.107923] R10: 00000000000001a4 R11: 0000000000000202 R12: 0000000000000066\n[ 35.109112] R13: 0000000000100000 R14: 0000000000100000 R15: 0000000000000400\n[ 35.110357] </TASK>\n[ 35.110769] irq event stamp: 8415587\n[ 35.111486] hardirqs last enabled at (8415599): [<ffffffff8d74b562>] __up_console_se\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: fs/dax: Correcci\u00f3n del problema \"no omitir entradas bloqueadas al escanear entradas\". El commit 6be3e21d25ca (\"fs/dax: no omitir entradas bloqueadas al escanear entradas\") introdujo una nueva funci\u00f3n, wait_entry_unlocked_exclusive(), que espera a que la entrada actual se desbloquee sin avanzar el estado del iterador de XArray. Esperar a que la entrada se desbloquee requiere liberar el bloqueo de XArray. Esto requiere llamar a xas_pause() antes de liberar el bloqueo, lo que deja el xas en un estado adecuado para la siguiente iteraci\u00f3n. Sin embargo, esto tiene el efecto secundario de avanzar el estado de xas al siguiente \u00edndice. Normalmente, esto no supone un problema, ya que xas_for_each() contiene c\u00f3digo para detectar este estado y, por lo tanto, evitar avanzar el \u00edndice una segunda vez en la siguiente iteraci\u00f3n del bucle. No obstante, tanto los que llaman a wait_entry_unlocked_exclusive() como la propia funci\u00f3n wait_entry_unlocked_exclusive() utilizan posteriormente el estado de xas para recargar la entrada. Como xas_pause() actualiza el estado al pr\u00f3ximo \u00edndice, esto provocar\u00e1 que se omita la entrada actual que se est\u00e1 esperando. Esto provoc\u00f3 que la siguiente advertencia se disparara de forma intermitente al ejecutar xftest generic/068 en un sistema de archivos XFS con FS DAX habilitado: [ 35.067397] ------------[ cortar aqu\u00ed ]------------ [ 35.068229] ADVERTENCIA: CPU: 21 PID: 1640 at mm/truncate.c:89 truncate_folio_batch_exceptionals+0xd8/0x1e0 [ 35.069717] Modules linked in: nd_pmem dax_pmem nd_btt nd_e820 libnvdimm [ 35.071006] CPU: 21 UID: 0 PID: 1640 Comm: fstest Not tainted 6.15.0-rc7+ #77 PREEMPT(voluntary) [ 35.072613] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/204 [ 35.074845] RIP: 0010:truncate_folio_batch_exceptionals+0xd8/0x1e0 [ 35.075962] Code: a1 00 00 00 f6 47 0d 20 0f 84 97 00 00 00 4c 63 e8 41 39 c4 7f 0b eb 61 49 83 c5 01 45 39 ec 7e 58 42 f68 [ 35.079522] RSP: 0018:ffffb04e426c7850 EFLAGS: 00010202 [ 35.080359] RAX: 0000000000000000 RBX: ffff9d21e3481908 RCX: ffffb04e426c77f4 [ 35.081477] RDX: ffffb04e426c79e8 RSI: ffffb04e426c79e0 RDI: ffff9d21e34816e8 [ 35.082590] RBP: ffffb04e426c79e0 R08: 0000000000000001 R09: 0000000000000003 [ 35.083733] R10: 0000000000000000 R11: 822b53c0f7a49868 R12: 000000000000001f [ 35.084850] R13: 0000000000000000 R14: ffffb04e426c78e8 R15: fffffffffffffffe [ 35.085953] FS: 00007f9134c87740(0000) GS:ffff9d22abba0000(0000) knlGS:0000000000000000 [ 35.087346] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 35.088244] CR2: 00007f9134c86000 CR3: 000000040afff000 CR4: 00000000000006f0 [ 35.089354] Call Trace: [ 35.089749] [ 35.090168] truncate_inode_pages_range+0xfc/0x4d0 [ 35.091078] truncate_pagecache+0x47/0x60 [ 35.091735] xfs_setattr_size+0xc7/0x3e0 [ 35.092648] xfs_vn_setattr+0x1ea/0x270 [ 35.093437] notify_change+0x1f4/0x510 [ 35.094219] ? do_truncate+0x97/0xe0 [ 35.094879] do_truncate+0x97/0xe0 [ 35.095640] path_openat+0xabd/0xca0 [ 35.096278] do_filp_open+0xd7/0x190 [ 35.096860] do_sys_openat2+0x8a/0xe0 [ 35.097459] __x64_sys_openat+0x6d/0xa0 [ 35.098076] do_syscall_64+0xbb/0x1d0 [ 35.098647] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 35.099444] RIP: 0033:0x7f9134d81fc1 [ 35.100033] Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d 2a 26 0e 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff5 [ 35.102993] RSP: 002b:00007ffcd41e0d10 EFLAGS: 00000202 ORIG_RAX: 0000000000000101 [ 35.104263] RAX: ffffffffffffffda RBX: 0000000000000242 RCX: 00007f9134d81fc1 [ 35.105452] RDX: 0000000000000242 RSI: 00007ffcd41e1200 RDI: 00000000ffffff9c [ 35.106663] RBP: 00007ffcd41e1200 R08: 0000000000000000 R09: 0000000000000064 [ 35.107923] R10: 00000000000001a4 R11: 0000000000000202 R12: 0000000000000066 [ 35.109112] R13: 0000000000100000 R14: 0000000000100000 R15: 0000000000000400 [ 35.110357] [ 35.110769] irq event stamp: 8415587 [ 35.111486] hardirqs last enabled at (8415599): [] ---truncado---"}], "lastModified": "2025-11-19T22:04:06.150", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "658B94DB-A94A-4588-94DD-614A72725C45", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.15"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}