Message-ID: <2025082231-CVE-2025-38626-1e63@gregkh>
Date: Fri, 22 Aug 2025 18:00:35 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38626: f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode

w/ "mode=lfs" mount option, generic/299 will cause system panic as below:

------------[ cut here ]------------
kernel BUG at fs/f2fs/segment.c:2835!
Call Trace:
<TASK>
f2fs_allocate_data_block+0x6f4/0xc50
f2fs_map_blocks+0x970/0x1550
f2fs_iomap_begin+0xb2/0x1e0
iomap_iter+0x1d6/0x430
__iomap_dio_rw+0x208/0x9a0
f2fs_file_write_iter+0x6b3/0xfa0
aio_write+0x15d/0x2e0
io_submit_one+0x55e/0xab0
__x64_sys_io_submit+0xa5/0x230
do_syscall_64+0x84/0x2f0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0010:new_curseg+0x70f/0x720

The root cause of running out of space is: in f2fs_map_blocks(), f2fs may
trigger foreground gc only if it allocates any physical block, it will be
a little bit later when there are multiple threads writing data w/
aio/dio/bufio method in parallel, since we always use OPU in lfs mode, so
f2fs_map_blocks() does block allocations aggressively.

In order to fix this issue, let's give a chance to trigger foreground
gc prior to block allocation in f2fs_map_blocks().

The Linux kernel CVE team has assigned CVE-2025-38626 to this issue.

Affected and fixed versions
===========================
Issue introduced in 4.8 with commit 36abef4e796d382e81a0c2d21ea5327481dd7154 and fixed in 6.6.102 with commit f289690f50a01c3e085d87853392d5b7436a4cee
Issue introduced in 4.8 with commit 36abef4e796d382e81a0c2d21ea5327481dd7154 and fixed in 6.12.42 with commit 82765ce5c7a56f9309ee45328e763610eaf11253
Issue introduced in 4.8 with commit 36abef4e796d382e81a0c2d21ea5327481dd7154 and fixed in 6.15.10 with commit 264ede8a52f18647ed5bb5f2bd9bf54f556ad8f5
Issue introduced in 4.8 with commit 36abef4e796d382e81a0c2d21ea5327481dd7154 and fixed in 6.16.1 with commit 385e64a0744584397b4b52b27c96703516f39968
Issue introduced in 4.8 with commit 36abef4e796d382e81a0c2d21ea5327481dd7154 and fixed in 6.17-rc1 with commit 1005a3ca28e90c7a64fa43023f866b960a60f791
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-38626
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
fs/f2fs/data.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/f289690f50a01c3e085d87853392d5b7436a4cee
https://git.kernel.org/stable/c/82765ce5c7a56f9309ee45328e763610eaf11253
https://git.kernel.org/stable/c/264ede8a52f18647ed5bb5f2bd9bf54f556ad8f5
https://git.kernel.org/stable/c/385e64a0744584397b4b52b27c96703516f39968
https://git.kernel.org/stable/c/1005a3ca28e90c7a64fa43023f866b960a60f791
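
A triage check built from the version list and the "mode=lfs" condition above, as an added example that is not part of the advisory or the kernel tree. The function names are hypothetical, the mount table is a constructed sample in /proc/mounts format, and stable branches with no fix listed above are treated as still affected. It compares upstream version numbers only, so a distribution kernel carrying a backport will still be reported.

```python
import re

# Upstream ranges copied from the advisory's "Affected and fixed versions" list.
INTRODUCED = (4, 8)
FIXED_IN_BRANCH = {(6, 6): 102, (6, 12): 42, (6, 15): 10, (6, 16): 1}
FIXED_MAINLINE = (6, 17)  # fixed in 6.17-rc1, so every 6.17+ release has it


def parse_release(release):
    """Turn a `uname -r` style string into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def upstream_affected(release):
    """True if the upstream release falls in a range the advisory lists."""
    major, minor, patch = parse_release(release)
    branch = (major, minor)
    if branch < INTRODUCED or branch >= FIXED_MAINLINE:
        return False
    fixed_patch = FIXED_IN_BRANCH.get(branch)
    # Assumption: a branch with no listed fix is treated as still affected.
    return fixed_patch is None or patch < fixed_patch


def lfs_mounts(mounts_text):
    """Return mount points of f2fs filesystems mounted with mode=lfs."""
    hits = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "f2fs" and "mode=lfs" in fields[3].split(","):
            hits.append(fields[1])
    return hits


def exposed(release, mounts_text):
    """f2fs mode=lfs mount points on an affected upstream release, else []."""
    return lfs_mounts(mounts_text) if upstream_affected(release) else []

# Constructed sample in /proc/mounts format (not taken from the advisory).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /data f2fs rw,lazytime,background_gc=on,mode=lfs,active_logs=6 0 0
/dev/sdc1 /cache f2fs rw,relatime,mode=adaptive 0 0
"""

if __name__ == "__main__":
    print({r: exposed(r, SAMPLE_MOUNTS) for r in ("6.6.101", "6.6.102", "6.17.0")})
```

On a live host, pass the output of `uname -r` and the contents of /proc/mounts in place of the sample values.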