CVE-2025-68240
Description
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: avoid having an active sc_timer before freeing sci
Because kthread_stop did not stop sc_task properly and returned -EINTR, the sc_timer was not properly closed, ultimately causing the problem [1] reported by syzbot when freeing sci due to the sc_timer not being closed.
Because the thread sc_task main function nilfs_segctor_thread() returns 0 when it succeeds, when the return value of kthread_stop() is not 0 in nilfs_segctor_destroy(), we believe that it has not properly closed sc_timer.
We use timer_shutdown_sync() to synchronously wait for sc_timer to shut down, and set the value of sc_task to NULL under the protection of lock sc_state_lock, so as to avoid the issue caused by sc_timer not being properly shut down.
[1]
ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: nilfs_construction_timeout
Call trace:
nilfs_segctor_destroy fs/nilfs2/segment.c:2811 [inline]
nilfs_detach_log_writer+0x668/0x8cc fs/nilfs2/segment.c:2877
nilfs_put_super+0x4c/0x12c fs/nilfs2/super.c:509
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Fix in nilfs2 ensures sc_timer is properly shutdown before freeing sci, preventing a use-after-free vulnerability.
Vulnerability
Overview
In the Linux kernel's nilfs2 filesystem, a race condition exists in the log writer thread teardown. The sc_timer (segment construction timer) can remain active after the segmentor thread (sc_task) has stopped, because kthread_stop() may return -EINTR if the thread exits prematurely. This leads to the timer being freed while still active, triggering a debug object warning and potentially a use-after-free condition [1].
Exploitation and Impact
An attacker with the ability to mount and unmount a nilfs2 filesystem (or trigger the log writer detach) can exploit this race. The bug manifests as an active timer that is destroyed without being shut down, resulting in kernel memory corruption. Successful exploitation could lead to a denial-of-service (system crash) or, under certain conditions, arbitrary code execution with kernel privileges [1].
Mitigation
A patch from the Linux kernel stable tree addresses the issue by using timer_shutdown_sync() to synchronously shut down the timer before freeing the structure. Additionally, the sc_task pointer is set to NULL under the protection of sc_state_lock to prevent race conditions. Users should apply the patch from commit 9a6b60cb147d53968753a34805211d2e5e08c027 [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions (3)
No linked articles in our index yet.