CVE-2025-71107

Summary

In the Linux kernel, the following vulnerability has been resolved:

f2fs: ensure node page reads complete before f2fs_put_super() finishes

Xfstests generic/335, generic/336 sometimes crash with the following message:

F2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1 ————[ cut here ]———— kernel BUG at fs/f2fs/super.c:1939! Oops: invalid opcode: 0000 [#1] SMP NOPTI CPU: 1 UID: 0 PID: 609351 Comm: umount Tainted: G W 6.17.0-rc5-xfstests-g9dd1835ecda5 #1 PREEMPT(none) Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:f2fs_put_super+0x3b3/0x3c0 Call Trace: <TASK> generic_shutdown_super+0x7e/0x190 kill_block_super+0x1a/0x40 kill_f2fs_super+0x9d/0x190 deactivate_locked_super+0x30/0xb0 cleanup_mnt+0xba/0x150 task_work_run+0x5c/0xa0 exit_to_user_mode_loop+0xb7/0xc0 do_syscall_64+0x1ae/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> —[ end trace 0000000000000000 ]—

It appears that sometimes it is possible that f2fs_put_super() is called before all node page reads are completed. Adding a call to f2fs_wait_on_all_pages() for F2FS_RD_NODE fixes the problem.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux20872584b8c0b006c007da9588a272c9e28d2e18 < c3031cf2b61f1508662fc95ef9ad505cb0882a5faffected
LinuxLinux20872584b8c0b006c007da9588a272c9e28d2e18 < 3b15d5f12935e9e25f9a571e680716bc9ee61025affected
LinuxLinux20872584b8c0b006c007da9588a272c9e28d2e18 < 0b36fae23621a09e772c8adf918b9011158f8511affected
LinuxLinux20872584b8c0b006c007da9588a272c9e28d2e18 < 297baa4aa263ff8f5b3d246ee16a660d76aa82c4affected
LinuxLinux0e2577074b459bba7f4016f4d725ede37d48bb22affected
LinuxLinux6.4.16 < 6.5affected
LinuxLinux6.5affected
LinuxLinux0 < 6.5unaffected
LinuxLinux6.6.120 <= 6.6.*unaffected
LinuxLinux6.12.64 <= 6.12.*unaffected
LinuxLinux6.18.3 <= 6.18.*unaffected
LinuxLinux6.19 <= *unaffected

Weaknesses

References