Updated: 2025-12-28 03:41:48.10417
Description:
In the Linux kernel, the following vulnerability has been resolved: jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() Since handle->h_transaction may be a NULL pointer, so we should change it to call is_handle_aborted(handle) first before dereferencing it. And the following data-race was reported in my fuzzer: ================================================================== BUG: KCSAN: data-race in jbd2_journal_dirty_metadata / jbd2_journal_dirty_metadata write to 0xffff888011024104 of 4 bytes by task 10881 on cpu 1: jbd2_journal_dirty_metadata+0x2a5/0x770 fs/jbd2/transaction.c:1556 __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358 ext4_do_update_inode fs/ext4/inode.c:5220 [inline] ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869 __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074 ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103 .... read to 0xffff888011024104 of 4 bytes by task 10880 on cpu 0: jbd2_journal_dirty_metadata+0xf2/0x770 fs/jbd2/transaction.c:1512 __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358 ext4_do_update_inode fs/ext4/inode.c:5220 [inline] ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869 __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074 ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103 .... value changed: 0x00000000 -> 0x00000001 ================================================================== This issue is caused by missing data-race annotation for jh->b_modified. Therefore, the missing annotation needs to be added.
| Links | NIST | CIRCL | RHEL | Ubuntu |
| Severity | Score | |
|---|---|---|
| CVSS Version 2.x | 0.0 | |
| CVSS Version 3.x | MEDIUM | 5.5 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | kernel | 5.14.0 | 5.5 | MEDIUM | Needs Triage | 2025-12-28 08:08:01 | ||
| CentOS 8.4 ELS | kernel | 4.18.0 | 5.5 | MEDIUM | Ignored | 2026-01-17 01:06:30 | This flaw is a local-only, timing‑sensitive race in ext4’s jbd2 that can lead to a NULL‑pointe... | |
| CentOS 8.5 ELS | kernel | 4.18.0 | 5.5 | MEDIUM | Ignored | 2026-01-17 01:06:31 | This flaw is a local-only, timing‑sensitive race in ext4’s jbd2 that can lead to a NULL‑pointe... | |
| CentOS Stream 8 ELS | kernel | 4.18.0 | 5.5 | MEDIUM | Ignored | 2026-01-17 01:06:28 | This flaw is a local-only, timing‑sensitive race in ext4’s jbd2 that can lead to a NULL‑pointe... | |
| Oracle Linux 7 ELS | kernel-uek | 5.4.17 | 5.5 | MEDIUM | Released | CLSA-2025:1757963029 | 2025-09-16 11:19:42 | |
| TuxCare 9.6 ESU | kernel | 5.14.0 | 5.5 | MEDIUM | Needs Triage | 2025-12-28 08:08:00 | ||
| Ubuntu 16.04 ELS | linux-hwe | 4.15.0 | 5.5 | MEDIUM | Ignored | 2026-01-17 01:18:52 | This flaw is a local-only, timing‑sensitive race in ext4’s jbd2 that can lead to a NULL‑pointe... | |
| Ubuntu 16.04 ELS | linux | 4.4.0 | 5.5 | MEDIUM | Ignored | 2026-01-17 01:14:12 | This flaw is a local-only, timing‑sensitive race in ext4’s jbd2 that can lead to a NULL‑pointe... | |
| Ubuntu 18.04 ELS | linux | 4.15.0 | 5.5 | MEDIUM | Ignored | 2026-01-17 01:14:13 | This flaw is a local-only, timing‑sensitive race in ext4’s jbd2 that can lead to a NULL‑pointe... | |
| Ubuntu 20.04 ELS | linux | 5.4.0 | 5.5 | MEDIUM | Ignored | 2026-01-17 01:14:12 | This flaw is a local-only, timing‑sensitive race in ext4’s jbd2 that can lead to a NULL‑pointe... |