PT-2026-43810 · Linux · Linux

Published: 2026-05-27 · Updated: 2026-05-27 · CVE-2026-45943

Severity: None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
erofs: fix inline data read failure for ztailpacking pclusters
Compressed folios for ztailpacking pclusters must be valid before adding these pclusters to I/O chains. Otherwise, z_erofs_decompress_pcluster() may assume they are already valid and then trigger a NULL pointer dereference.
It is somewhat hard to reproduce because the inline data is in the same block as the tail of the compressed indexes, which are usually read just before. However, it may still happen if a fatal signal arrives while read_mapping_folio() is running, as shown below:
    erofs: (device dm-1): z_erofs_pcluster_begin: failed to get inline data -4
    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
    ...
    pc : z_erofs_decompress_queue+0x4c8/0xa14
    lr : z_erofs_decompress_queue+0x160/0xa14
    sp : ffffffc08b3eb3a0
    x29: ffffffc08b3eb570 x28: ffffffc08b3eb418 x27: 0000000000001000
    x26: ffffff8086ebdbb8 x25: ffffff8086ebdbb8 x24: 0000000000000001
    x23: 0000000000000008 x22: 00000000fffffffb x21: dead000000000700
    x20: 00000000000015e7 x19: ffffff808babb400 x18: ffffffc089edc098
    x17: 00000000c006287d x16: 00000000c006287d x15: 0000000000000004
    x14: ffffff80ba8f8000 x13: 0000000000000004 x12: 00000006589a77c9
    x11: 0000000000000015 x10: 0000000000000000 x9 : 0000000000000000
    x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f
    x5 : 0000000000000040 x4 : ffffffffffffffe0 x3 : 0000000000000020
    x2 : 0000000000000008 x1 : 0000000000000000 x0 : 0000000000000000
    Call trace:
     z_erofs_decompress_queue+0x4c8/0xa14
     z_erofs_runqueue+0x908/0x97c
     z_erofs_read_folio+0x128/0x228
     filemap_read_folio+0x68/0x128
     filemap_get_pages+0x44c/0x8b4
     filemap_read+0x12c/0x5b8
     generic_file_read_iter+0x4c/0x15c
     do_iter_readv_writev+0x188/0x1e0
     vfs_iter_read+0xac/0x1a4
     backing_file_read_iter+0x170/0x34c
     ovl_read_iter+0xf0/0x140
     vfs_read+0x28c/0x344
     ksys_read+0x80/0xf0
     __arm64_sys_read+0x24/0x34
     invoke_syscall+0x60/0x114
     el0_svc_common+0x88/0xe4
     do_el0_svc+0x24/0x30
     el0_svc+0x40/0xa8
     el0t_64_sync_handler+0x70/0xbc
     el0t_64_sync+0x1bc/0x1c0
Fix this by reading the inline data before allocating and adding the pclusters to the I/O chains.
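
The ordering problem described above, as an added user-space model in C (not the kernel patch and not code from this page): begin_before_fix queues the pcluster and then reads the inline data, while begin_after_fix reads first and queues only on success. All struct and function names are hypothetical stand-ins; the -EINTR return corresponds to the -4 in the log line.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified user-space model; every name here is hypothetical. */
struct pcluster {
    const char *inline_folio;  /* compressed data of a ztailpacking pcluster */
    struct pcluster *next;     /* link in the I/O chain */
};
struct io_chain { struct pcluster *head; };
/* Stand-in for read_mapping_folio(): fails with -EINTR on a fatal signal. */
static const char *read_inline(int fatal_signal, int *err) {
    *err = fatal_signal ? -EINTR : 0;
    return fatal_signal ? NULL : "constructed-inline-bytes";
}
static void chain_add(struct io_chain *c, struct pcluster *p) {
    p->next = c->head;
    c->head = p;
}
/* Pre-fix order: queue first, so a failed read leaves p on the chain. */
static int begin_before_fix(struct io_chain *c, struct pcluster *p, int sig) {
    int err;
    chain_add(c, p);
    p->inline_folio = read_inline(sig, &err);
    return err;
}
/* Fixed order: read first; only a pcluster with valid data is queued. */
static int begin_after_fix(struct io_chain *c, struct pcluster *p, int sig) {
    int err;
    p->inline_folio = read_inline(sig, &err);
    if (!err)
        chain_add(c, p);
    return err;
}
/* Queued pclusters a decompressor would reach without compressed data. */
static int count_invalid(const struct io_chain *c) {
    int n = 0;
    for (const struct pcluster *p = c->head; p; p = p->next)
        n += (p->inline_folio == NULL);
    return n;
}

int main(void) {
    struct io_chain a = {0}, b = {0};
    struct pcluster p1 = {0}, p2 = {0};
    begin_before_fix(&a, &p1, 1);   /* fatal signal during the read */
    begin_after_fix(&b, &p2, 1);
    printf("invalid queued: before=%d after=%d\n", count_invalid(&a), count_invalid(&b));
    return 0;
}
```

In the pre-fix ordering the caller still gets the error back, but the chain already holds an entry whose data pointer is NULL, which is the state the decompression path then trips over.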

Related Identifiers

CVE-2026-45943

Affected Products

Linux