CVE-2025-40190

In the Linux kernel, the following vulnerability has been resolved:

ext4: guard against EA inode refcount underflow in xattr update

syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA
inode refcount that is already <= 0 and then applies ref_change (often
-1). That lets the refcount underflow and we proceed with a bogus value,
triggering errors like:

  EXT4-fs error: EA inode <n> ref underflow: ref_count=-1 ref_change=-1
  EXT4-fs warning: ea_inode dec ref err=-117

Make the invariant explicit: if the current refcount is non-positive,
treat this as on-disk corruption, emit ext4_error_inode(), and fail the
operation with -EFSCORRUPTED instead of updating the refcount. Delete the
WARN_ONCE() as negative refcounts are now impossible; keep error reporting
in ext4_error_inode().

This prevents the underflow and the follow-on orphan/cleanup churn.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
LinuxCNA
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
References
https://git.kernel.org/stable/c/1cfb3e4ddbdc8e02e637b8852540bd4718bf4814
https://git.kernel.org/stable/c/3d6269028246f4484bfed403c947a114bb583631
https://git.kernel.org/stable/c/440b003f449a4ff2a00b08c8eab9ba5cd28f3943
https://git.kernel.org/stable/c/505e69f76ac497e788f4ea0267826ec7266b40c8
https://git.kernel.org/stable/c/57295e835408d8d425bef58da5253465db3d6888
https://git.kernel.org/stable/c/6b879c4c6bbaab03c0ad2a983953bd1410bb165e
https://git.kernel.org/stable/c/79ea7f3e11effe1bd9e753172981d9029133a278
https://git.kernel.org/stable/c/ea39e712c2f5ae148ee5515798ae03523673e002