CVE-2025-71237
Published: February 21, 2026Last modified: February 25, 2026
Description
In the Linux kernel, the following vulnerability has been resolved: nilfs2: Fix potential block overflow that cause system hang When a user executes the FITRIM command, an underflow can occur when calculating nblocks if end_block is too small. Since nblocks is of type sector_t, which is u64, a negative nblocks value will become a very large positive integer. This ultimately leads to the block layer function __blkdev_issue_discard() taking an excessively long time to process the bio chain, and the ns_segctor_sem lock remains held for a long period. This prevents other tasks from acquiring the ns_segctor_sem lock, resulting in the hang reported by syzbot in [1]. If the ending block is too small, typically if it is smaller than 4KiB range, depending on the usage of the segment 0, it may be possible to attempt a discard request beyond the device size causing the hang. Exiting successfully and assign the discarded size (0 in this case) to range->len. Although the start and len values in the user input range are too small, a conservative strategy is adopted here to safely ignore them, which is equivalent to a no-op; it will not perform any trimming and will not throw an error. [1] task:segctord state:D stack:28968 pid:6093 tgid:6093 ppid:2 task_flags:0x200040 flags:0x00080000 Call Trace: rwbase_write_lock+0x3dd/0x750 kernel/locking/rwbase_rt.c:272 nilfs_transaction_lock+0x253/0x4c0 fs/nilfs2/segment.c:357 nilfs_segctor_thread_construct fs/nilfs2/segment.c:2569 [inline] nilfs_segctor_thread+0x6ec/0xe00 fs/nilfs2/segment.c:2684 [ryusuke: corrected part of the commit message about the consequences]
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | linux-lts | Fixed (6.1.164-r0) |
| 25 LTS | linux-lts | Fixed (6.12.73-r0) | |
| Stream | linux-lts | Fixed (6.12.74-r0) |
References
- https://git.kernel.org/stable/c/2438982f635e6cc2009be68ba2efb2998727d8d4
- https://git.kernel.org/stable/c/4aa45f841413cca81882602b4042c53502f34cad
- https://git.kernel.org/stable/c/6457d3ee41a4c15082ac49c5aa7fb933b4a043f3
- https://git.kernel.org/stable/c/b8c5ee234bd54f1447c846101fdaef2cf70c2149
- https://git.kernel.org/stable/c/ba18e5f22f26aa4ef78bc3e81f639d1d4f3845e6
- https://git.kernel.org/stable/c/df1e20796c9f3d541cca47fb72e4369ea135642d
- https://git.kernel.org/stable/c/ea2278657ad0d62596589fbe2caf995e189e65e7
- https://git.kernel.org/stable/c/ed527ef0c264e4bed6c7b2a158ddf516b17f5f66