Home

Description

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid updating compression context during writeback Bai, Shuangpeng <sjb7183@psu.edu> reported a bug as below: Oops: divide error: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 11441 Comm: syz.0.46 Not tainted 6.17.0 #1 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:f2fs_all_cluster_page_ready+0x106/0x550 fs/f2fs/compress.c:857 Call Trace: <TASK> f2fs_write_cache_pages fs/f2fs/data.c:3078 [inline] __f2fs_write_data_pages fs/f2fs/data.c:3290 [inline] f2fs_write_data_pages+0x1c19/0x3600 fs/f2fs/data.c:3317 do_writepages+0x38e/0x640 mm/page-writeback.c:2634 filemap_fdatawrite_wbc mm/filemap.c:386 [inline] __filemap_fdatawrite_range mm/filemap.c:419 [inline] file_write_and_wait_range+0x2ba/0x3e0 mm/filemap.c:794 f2fs_do_sync_file+0x6e6/0x1b00 fs/f2fs/file.c:294 generic_write_sync include/linux/fs.h:3043 [inline] f2fs_file_write_iter+0x76e/0x2700 fs/f2fs/file.c:5259 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x7e9/0xe00 fs/read_write.c:686 ksys_write+0x19d/0x2d0 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf7/0x470 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The bug was triggered w/ below race condition: fsync setattr ioctl - f2fs_do_sync_file - file_write_and_wait_range - f2fs_write_cache_pages : inode is non-compressed : cc.cluster_size = F2FS_I(inode)->i_cluster_size = 0 - tag_pages_for_writeback - f2fs_setattr - truncate_setsize - f2fs_truncate - f2fs_fileattr_set - f2fs_setflags_common - set_compress_context : F2FS_I(inode)->i_cluster_size = 4 : set_inode_flag(inode, FI_COMPRESSED_FILE) - f2fs_compressed_file : return true - f2fs_all_cluster_page_ready : "pgidx % cc->cluster_size" trigger dividing 0 issue Let's change as below to fix this issue: - introduce a new atomic type variable .writeback in structure f2fs_inode_info to track the number of threads which calling f2fs_write_cache_pages(). - use .i_sem lock to protect .writeback update. - check .writeback before update compression context in f2fs_setflags_common() to avoid race w/ ->writepages.

PUBLISHED Reserved 2025-12-24 | Published 2026-01-13 | Updated 2026-02-09 | Assigner Linux

Product status

Default status
unaffected

4c8ff7095bef64fc47e996a938f7d57f9e077da3 (git) before ad26bfbc085c939b5dca77ff8c14798c06d151c4
affected

4c8ff7095bef64fc47e996a938f7d57f9e077da3 (git) before bcd0086ee5a2e88c1224ff2ec1e4a43c83efe5a0
affected

4c8ff7095bef64fc47e996a938f7d57f9e077da3 (git) before 0bf1a02494c7eb5bd43445de4c83c8592e02c4bf
affected

4c8ff7095bef64fc47e996a938f7d57f9e077da3 (git) before 0df713a9c082a474c8b0bcf670edc8e98461d5a0
affected

4c8ff7095bef64fc47e996a938f7d57f9e077da3 (git) before 10b591e7fb7cdc8c1e53e9c000dc0ef7069aaa76
affected

Default status
affected

5.6
affected

Any version before 5.6
unaffected

6.1.160 (semver)
unaffected

6.6.120 (semver)
unaffected

6.12.64 (semver)
unaffected

6.18.3 (semver)
unaffected

6.19 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/ad26bfbc085c939b5dca77ff8c14798c06d151c4

git.kernel.org/...c/bcd0086ee5a2e88c1224ff2ec1e4a43c83efe5a0

git.kernel.org/...c/0bf1a02494c7eb5bd43445de4c83c8592e02c4bf

git.kernel.org/...c/0df713a9c082a474c8b0bcf670edc8e98461d5a0

git.kernel.org/...c/10b591e7fb7cdc8c1e53e9c000dc0ef7069aaa76

cve.org (CVE-2025-68772)

nvd.nist.gov (CVE-2025-68772)

Download JSON