{"id":"CVE-2025-38194","summary":"jffs2: check that raw node were preallocated before writing summary","details":"In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: check that raw node were preallocated before writing summary\n\nSyzkaller detected a kernel bug in jffs2_link_node_ref, caused by fault\ninjection in jffs2_prealloc_raw_node_refs. jffs2_sum_write_sumnode doesn't\ncheck return value of jffs2_prealloc_raw_node_refs and simply lets any\nerror propagate into jffs2_sum_write_data, which eventually calls\njffs2_link_node_ref in order to link the summary to an expectedly allocated\nnode.\n\nkernel BUG at fs/jffs2/nodelist.c:592!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 1 PID: 31277 Comm: syz-executor.7 Not tainted 6.1.128-syzkaller-00139-ge10f83ca10a1 #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:jffs2_link_node_ref+0x570/0x690 fs/jffs2/nodelist.c:592\nCall Trace:\n \u003cTASK\u003e\n jffs2_sum_write_data fs/jffs2/summary.c:841 [inline]\n jffs2_sum_write_sumnode+0xd1a/0x1da0 fs/jffs2/summary.c:874\n jffs2_do_reserve_space+0xa18/0xd60 fs/jffs2/nodemgmt.c:388\n jffs2_reserve_space+0x55f/0xaa0 fs/jffs2/nodemgmt.c:197\n jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362\n jffs2_write_end+0x726/0x15d0 fs/jffs2/file.c:301\n generic_perform_write+0x314/0x5d0 mm/filemap.c:3856\n __generic_file_write_iter+0x2ae/0x4d0 mm/filemap.c:3973\n generic_file_write_iter+0xe3/0x350 mm/filemap.c:4005\n call_write_iter include/linux/fs.h:2265 [inline]\n do_iter_readv_writev+0x20f/0x3c0 fs/read_write.c:735\n do_iter_write+0x186/0x710 fs/read_write.c:861\n vfs_iter_write+0x70/0xa0 fs/read_write.c:902\n iter_file_splice_write+0x73b/0xc90 fs/splice.c:685\n do_splice_from fs/splice.c:763 [inline]\n direct_splice_actor+0x10c/0x170 fs/splice.c:950\n splice_direct_to_actor+0x337/0xa10 fs/splice.c:896\n do_splice_direct+0x1a9/0x280 fs/splice.c:1002\n do_sendfile+0xb13/0x12c0 fs/read_write.c:1255\n __do_sys_sendfile64 fs/read_write.c:1323 [inline]\n __se_sys_sendfile64 fs/read_write.c:1309 [inline]\n __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nFix this issue by checking return value of jffs2_prealloc_raw_node_refs\nbefore calling jffs2_sum_write_data.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.","modified":"2026-04-16T04:32:27.095667383Z","published":"2025-07-04T13:37:17.922Z","related":["SUSE-SU-2025:02853-1","SUSE-SU-2025:02923-1","SUSE-SU-2025:02969-1","SUSE-SU-2025:02996-1","SUSE-SU-2025:02997-1","SUSE-SU-2025:03011-1","SUSE-SU-2025:03023-1","SUSE-SU-2025:20577-1","SUSE-SU-2025:20586-1","SUSE-SU-2025:20601-1","SUSE-SU-2025:20602-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38194.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/337f80f3d546e131c7aa90b61d8cde051ae858c7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/346cfb9d19ea7feb6fb57917b21c4797fb444dab"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3f46644a5131a4793fc95c32a7d0a769745b06e7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4adee34098a6ee86a54bf3ec885eab620c126a6b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8ce46dc5b10b0b6f67663202a4921b0e11ad7367"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c0edcdb4fc106d69a2d1a0ce4868193511c389f3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/da12ef7e19048dc5714032c2db587a215852b200"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ec9e6f22bce433b260ea226de127ec68042849b0"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38194.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38194"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"2f785402f39b96a077b6e62bf26164bfb8e0c980"},{"fixed":"337f80f3d546e131c7aa90b61d8cde051ae858c7"},{"fixed":"8ce46dc5b10b0b6f67663202a4921b0e11ad7367"},{"fixed":"4adee34098a6ee86a54bf3ec885eab620c126a6b"},{"fixed":"c0edcdb4fc106d69a2d1a0ce4868193511c389f3"},{"fixed":"3f46644a5131a4793fc95c32a7d0a769745b06e7"},{"fixed":"da12ef7e19048dc5714032c2db587a215852b200"},{"fixed":"346cfb9d19ea7feb6fb57917b21c4797fb444dab"},{"fixed":"ec9e6f22bce433b260ea226de127ec68042849b0"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38194.json"}}],"schema_version":"1.7.5"}