CVE-2025-39885: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-39885 is a vulnerability discovered in the Linux kernel affecting the OCFS2 filesystem. The issue was disclosed on September 23, 2025, and involves a recursive semaphore deadlock in the fiemap call functionality (NVD, Debian Tracker).

The vulnerability occurs when ocfs2fiemap() takes a read lock of the ipallocsem semaphore and calls fiemapfillnextextent() to read the extent list of a running mmap executable. When the user-supplied buffer to hold the fiemap information page faults, it calls ocfs2pagemkwrite() which attempts to take a write lock of the same semaphore. This recursive semaphore condition holds filesystem locks and causes a filesystem hang (NVD).

The vulnerability can cause a filesystem hang in the OCFS2 filesystem when triggered, potentially leading to system unavailability. The issue affects systems using the OCFS2 filesystem and can be triggered through a specially crafted mmap file (NVD).

The fix involves releasing the read semaphore before calling fiemapfillnextextent() in ocfs2fiemap() and ocfs2fiemapinline(). While this creates an unnecessary semaphore lock/unlock on the last extent, it simplifies the error path. Fixed versions are available in Linux kernel 6.12.48-1 for Debian trixie and 6.16.8-1 for Debian sid (Debian Tracker).