Bug 2389472 (CVE-2025-38580) - CVE-2025-38580 kernel: ext4: fix inode use after free in ext4_end_io_rsv_work()
Summary: CVE-2025-38580 kernel: ext4: fix inode use after free in ext4_end_io_rsv_work()
Keywords:
Status: NEW
Alias: CVE-2025-38580
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-08-19 18:02 UTC by OSIDB Bzimport
Modified: 2025-08-20 17:34 UTC (History)
CC List: 0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-08-19 18:02:37 UTC
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix inode use after free in ext4_end_io_rsv_work()

In ext4_io_end_defer_completion(), check if io_end->list_vec is empty to
avoid adding an io_end that requires no conversion to the
i_rsv_conversion_list, which in turn prevents starting an unnecessary
worker. An ext4_emergency_state() check is also added to avoid attempting
to abort the journal in an emergency state.

Additionally, ext4_put_io_end_defer() is refactored to call
ext4_io_end_defer_completion() directly instead of being open-coded.
This also prevents starting an unnecessary worker when EXT4_IO_END_FAILED
is set but data_err=abort is not enabled.

This ensures that the check in ext4_put_io_end_defer() is consistent with
the check in ext4_end_bio(). Otherwise, we might add an io_end to the
i_rsv_conversion_list and then call ext4_finish_bio(), after which the
inode could be freed before ext4_end_io_rsv_work() is called, triggering
a use-after-free issue.
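The following is an added, user-space illustration of the deferral decision the description above talks about; it is not the kernel patch and not Red Hat's or the ext4 maintainers' code. It models an io_end as a struct with a flag word and a `list_vec` length, the superblock as two booleans standing in for the data_err=abort mount option and ext4_emergency_state(), and the inode as two counters. The names `io_end_needs_defer`, `io_end_needs_defer_legacy`, `put_io_end_defer`, `inode_release`, `scenario_failed_io_no_conversion` and the `IO_END_FAILED` constant are all hypothetical; the "legacy" predicate reproduces only what the message states, namely that a failed io_end used to be queued even when data_err=abort was not enabled. The scenario counts how many queued io_ends still reference the inode at the moment it is released, which is the dangling reference a later worker run would dereference.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative user-space model, not kernel code. */

#define IO_END_FAILED 0x1u  /* hypothetical stand-in for EXT4_IO_END_FAILED */

struct sb_state {
    bool data_err_abort;    /* models the data_err=abort mount option */
    bool emergency;         /* models ext4_emergency_state() */
};

struct io_end {
    unsigned int flags;
    size_t list_vec_len;    /* 0 means no unwritten extents to convert */
};

struct inode_model {
    int pending_rsv_work;   /* io_ends queued on i_rsv_conversion_list */
    int completed_inline;   /* io_ends finished without starting a worker */
};

/* Deferral predicate as the fix describes it: queue a worker only when
 * there is conversion work, or a journal abort that can actually be done. */
bool io_end_needs_defer(const struct io_end *io, const struct sb_state *sb)
{
    if (io->list_vec_len > 0)
        return true;
    if ((io->flags & IO_END_FAILED) && sb->data_err_abort && !sb->emergency)
        return true;
    return false;
}

/* Pre-fix behaviour as the message describes it: a failed io_end was queued
 * even when data_err=abort was off, so the worker had nothing to do. */
bool io_end_needs_defer_legacy(const struct io_end *io)
{
    return io->list_vec_len > 0 || (io->flags & IO_END_FAILED) != 0;
}

/* Either hands the io_end to the inode's deferred list or completes it now. */
void put_io_end_defer(struct inode_model *inode, const struct io_end *io,
                      const struct sb_state *sb, bool fixed)
{
    bool defer = fixed ? io_end_needs_defer(io, sb)
                       : io_end_needs_defer_legacy(io);
    if (defer)
        inode->pending_rsv_work++;
    else
        inode->completed_inline++;
}

/* Number of queued io_ends still pointing at the inode when it is released.
 * Any nonzero value is the dangling reference a later worker run would use. */
int inode_release(const struct inode_model *inode)
{
    return inode->pending_rsv_work;
}

/* Constructed scenario: a failed write with no unwritten extents, on a
 * filesystem mounted without data_err=abort and not in emergency state. */
int scenario_failed_io_no_conversion(bool fixed)
{
    struct sb_state sb = { .data_err_abort = false, .emergency = false };
    struct io_end io = { .flags = IO_END_FAILED, .list_vec_len = 0 };
    struct inode_model inode = { 0, 0 };

    put_io_end_defer(&inode, &io, &sb, fixed);
    return inode_release(&inode);
}

int main(void)
{
    printf("legacy: %d io_end(s) still queued at inode release\n",
           scenario_failed_io_no_conversion(false));
    printf("fixed:  %d io_end(s) still queued at inode release\n",
           scenario_failed_io_no_conversion(true));
    return 0;
}
```

The point of the model is the consistency argument in the description: whatever predicate decides to queue an io_end must be the same one that decides whether the inode may go away, otherwise an entry with no work sits on the list after the inode is gone.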
