iomap: avoid potential null folio->mapping deref during error reporting

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

iomap: avoid potential null folio->mapping deref during error reporting

When a buffered read fails, iomap_finish_folio_read() reports the error
with fserror_report_io(folio->mapping->host, ...). This is called after
ifs->read_bytes_pending has been decremented by the bytes attempted to
be read.

For a folio split across multiple read completions, the folio is only
guaranteed to stay locked while read_bytes_pending > 0. Once
iomap_finish_folio_read() decrements read_bytes_pending, another
in-flight read can complete and end the read on the folio, which unlocks
it. This allows truncate logic to run and detach the folio (set
folio->mapping to NULL). The error reporting path then can dereference a
NULL folio->mapping. As reported by Sam Sun, this is the race that can
occur:

CPU0: failed completion CPU1: final completion CPU2: truncate
----------------------- ---------------------- --------------
read_bytes_pending -= len
finished = false
/* preempted before
fserror_report_io() */
read_bytes_pending -= len
finished = true
folio_end_read()
truncate clears
folio->mapping
fserror_report_io(
folio->mapping->host, ...)
^ NULL deref

Fix this by reporting the error first before decrementing
ifs->read_bytes_pending.

Basic Information

ID CVE-2026-53165

Source Linux

Published Jun 25, 2026 at 08:38

Modified Jun 28, 2026 at 06:39

Affected Product

Vendor Linux

Product Linux

Version a9d573ee88af980f14fdadb5c12bbf6a195fb3f1

Affected Versions Linux Linux a9d573ee88af980f14fdadb5c12bbf6a195fb3f1
Linux Linux a9d573ee88af980f14fdadb5c12bbf6a195fb3f1
Linux Linux 7.0

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niomap: avoid potential null folio->mapping deref during error reporting\n\nWhen a buffered read fails, iomap_finish_folio_read() reports the error\nwith fserror_report_io(folio->mapping->host, ...). This is called after\nifs->read_bytes_pending has been decremented by the bytes attempted to\nbe read.\n\nFor a folio split across multiple read completions, the folio is only\nguaranteed to stay locked while read_bytes_pending > 0. Once\niomap_finish_folio_read() decrements read_bytes_pending, another\nin-flight read can complete and end the read on the folio, which unlocks\nit. This allows truncate logic to run and detach the folio (set\nfolio->mapping to NULL). The error reporting path then can dereference a\nNULL folio->mapping. As reported by Sam Sun, this is the race that can\noccur:\n\nCPU0: failed completion      CPU1: final completion     CPU2: truncate\n-----------------------      ----------------------     --------------\nread_bytes_pending -= len\nfinished = false\n/* preempted before\n   fserror_report_io() */\n\t\t\t     read_bytes_pending -= len\n\t\t\t     finished = true\n\t\t\t     folio_end_read()\n\t\t\t\t\t\t\ttruncate clears\n\t\t\t\t\t\t\tfolio->mapping\nfserror_report_io(\n  folio->mapping->host, ...)\n\t      ^ NULL deref\n\nFix this by reporting the error first before decrementing\nifs->read_bytes_pending.",
    "published": "2026-06-25T08:38:45.445Z",
    "modified": "2026-06-28T06:39:40.470Z",
    "type": "cve",
    "title": "iomap: avoid potential null folio->mapping deref during error reporting",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/1ad453817a4077230d1ba88eb0868f05f824449a\nhttps://git.kernel.org/stable/c/2eea7f44b9c8b42fd7d3a1a87c06a7cd1b99c327",
    "id": "CVE-2026-53165",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux a9d573ee88af980f14fdadb5c12bbf6a195fb3f1\nLinux Linux a9d573ee88af980f14fdadb5c12bbf6a195fb3f1\nLinux Linux 7.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "a9d573ee88af980f14fdadb5c12bbf6a195fb3f1",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

iomap: avoid potential null folio->mapping deref during error reporting_CVE-2026-53165

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply