| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2026011324-CVE-2025-71069-33d4@gregkh> Date: Tue, 13 Jan 2026 16:31:27 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-71069: f2fs: invalidate dentry cache on failed whiteout creation From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: f2fs: invalidate dentry cache on failed whiteout creation F2FS can mount filesystems with corrupted directory depth values that get runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT operations are performed on such directories, f2fs_rename performs directory modifications (updating target entry and deleting source entry) before attempting to add the whiteout entry via f2fs_add_link. If f2fs_add_link fails due to the corrupted directory structure, the function returns an error to VFS, but the partial directory modifications have already been committed to disk. VFS assumes the entire rename operation failed and does not update the dentry cache, leaving stale mappings. In the error path, VFS does not call d_move() to update the dentry cache. This results in new_dentry still pointing to the old inode (new_inode) which has already had its i_nlink decremented to zero. The stale cache causes subsequent operations to incorrectly reference the freed inode. This causes subsequent operations to use cached dentry information that no longer matches the on-disk state. When a second rename targets the same entry, VFS attempts to decrement i_nlink on the stale inode, which may already have i_nlink=0, triggering a WARNING in drop_nlink(). Example sequence: 1. First rename (RENAME_WHITEOUT): file2 → file1 - f2fs updates file1 entry on disk (points to inode 8) - f2fs deletes file2 entry on disk - f2fs_add_link(whiteout) fails (corrupted directory) - Returns error to VFS - VFS does not call d_move() due to error - VFS cache still has: file1 → inode 7 (stale!) - inode 7 has i_nlink=0 (already decremented) 2. Second rename: file3 → file1 - VFS uses stale cache: file1 → inode 7 - Tries to drop_nlink on inode 7 (i_nlink already 0) - WARNING in drop_nlink() Fix this by explicitly invalidating old_dentry and new_dentry when f2fs_add_link fails during whiteout creation. This forces VFS to refresh from disk on subsequent operations, ensuring cache consistency even when the rename partially succeeds. Reproducer: 1. Mount F2FS image with corrupted i_current_depth 2. renameat2(file2, file1, RENAME_WHITEOUT) 3. renameat2(file3, file1, 0) 4. System triggers WARNING in drop_nlink() The Linux kernel CVE team has assigned CVE-2025-71069 to this issue. Affected and fixed versions =========================== Issue introduced in 4.2 with commit 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 and fixed in 6.1.160 with commit 64587ab4d1f16fc94f70e04fa87b2e3f69f8a7bb Issue introduced in 4.2 with commit 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 and fixed in 6.6.120 with commit 3d65e27e57aaa9d66709fda4cbfb62a87c04a3f5 Issue introduced in 4.2 with commit 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 and fixed in 6.12.64 with commit c89845fae250efdd59c1d4ec60e9e1c652cee4b6 Issue introduced in 4.2 with commit 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 and fixed in 6.18.3 with commit 0dde30753c1e8648665dbe069d814e540ce2fd37 Issue introduced in 4.2 with commit 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 and fixed in 6.19-rc1 with commit d33f89b34aa313f50f9a512d58dd288999f246b0 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-71069 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/f2fs/namei.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/64587ab4d1f16fc94f70e04fa87b2e3f69f8a7bb https://git.kernel.org/stable/c/3d65e27e57aaa9d66709fda4cbfb62a87c04a3f5 https://git.kernel.org/stable/c/c89845fae250efdd59c1d4ec60e9e1c652cee4b6 https://git.kernel.org/stable/c/0dde30753c1e8648665dbe069d814e540ce2fd37 https://git.kernel.org/stable/c/d33f89b34aa313f50f9a512d58dd288999f246b0
Powered by blists - more mailing lists