CVE-2025-38577

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38577
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38577.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38577
Downstream
Related
Published
2025-08-19T17:03:00.534Z
Modified
2025-11-28T02:34:37.590379Z
Summary
f2fs: fix to avoid panic in f2fs_evict_inode
Details

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid panic in f2fs_evict_inode

As syzbot [1] reported as below:

R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffe17473450 R13: 00007f28b1c10854 R14: 000000000000dae5 R15: 00007ffe17474520 </TASK>

---[ end trace 0000000000000000 ]---

BUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62
Read of size 8 at addr ffff88812d962278 by task syz-executor/564

CPU: 1 PID: 564 Comm: syz-executor Tainted: G W 6.1.129-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
<TASK>
__dump_stack+0x21/0x24 lib/dump_stack.c:88
dump_stack_lvl+0xee/0x158 lib/dump_stack.c:106
print_address_description+0x71/0x210 mm/kasan/report.c:316
print_report+0x4a/0x60 mm/kasan/report.c:427
kasan_report+0x122/0x150 mm/kasan/report.c:531
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:351
__list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62
__list_del_entry include/linux/list.h:134 [inline]
list_del_init include/linux/list.h:206 [inline]
f2fs_inode_synced+0xf7/0x2e0 fs/f2fs/super.c:1531
f2fs_update_inode+0x74/0x1c40 fs/f2fs/inode.c:585
f2fs_update_inode_page+0x137/0x170 fs/f2fs/inode.c:703
f2fs_write_inode+0x4ec/0x770 fs/f2fs/inode.c:731
write_inode fs/fs-writeback.c:1460 [inline]
__writeback_single_inode+0x4a0/0xab0 fs/fs-writeback.c:1677
writeback_single_inode+0x221/0x8b0 fs/fs-writeback.c:1733
sync_inode_metadata+0xb6/0x110 fs/fs-writeback.c:2789
f2fs_sync_inode_meta+0x16d/0x2a0 fs/f2fs/checkpoint.c:1159
block_operations fs/f2fs/checkpoint.c:1269 [inline]
f2fs_write_checkpoint+0xca3/0x2100 fs/f2fs/checkpoint.c:1658
kill_f2fs_super+0x231/0x390 fs/f2fs/super.c:4668
deactivate_locked_super+0x98/0x100 fs/super.c:332
deactivate_super+0xaf/0xe0 fs/super.c:363
cleanup_mnt+0x45f/0x4e0 fs/namespace.c:1186
__cleanup_mnt+0x19/0x20 fs/namespace.c:1193
task_work_run+0x1c6/0x230 kernel/task_work.c:203
exit_task_work include/linux/task_work.h:39 [inline]
do_exit+0x9fb/0x2410 kernel/exit.c:871
do_group_exit+0x210/0x2d0 kernel/exit.c:1021
__do_sys_exit_group kernel/exit.c:1032 [inline]
__se_sys_exit_group kernel/exit.c:1030 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1030
x64_sys_call+0x7b4/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f28b1b8e169
Code: Unable to access opcode bytes at 0x7f28b1b8e13f.
RSP: 002b:00007ffe174710a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f28b1c10879 RCX: 00007f28b1b8e169
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 0000000000000002 R08: 00007ffe1746ee47 R09: 00007ffe17472360
R10: 0000000000000009 R11: 0000000000000246 R12: 00007ffe17472360
R13: 00007f28b1c10854 R14: 000000000000dae5 R15: 00007ffe17474520
</TASK>

Allocated by task 569:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
kasan_save_alloc_info+0x25/0x30 mm/kasan/generic.c:505
__kasan_slab_alloc+0x72/0x80 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook+0x4f/0x2c0 mm/slab.h:737
slab_alloc_node mm/slub.c:3398 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc_lru+0x104/0x220 mm/slub.c:3429
alloc_inode_sb include/linux/fs.h:3245 [inline]
f2fs_alloc_inode+0x2d/0x340 fs/f2fs/super.c:1419
alloc_inode fs/inode.c:261 [inline]
iget_locked+0x186/0x880 fs/inode.c:1373
f2fs_iget+0x55/0x4c60 fs/f2fs/inode.c:483
f2fs_lookup+0x366/0xab0 fs/f2fs/namei.c:487
__lookup_slow+0x2a3/0x3d0 fs/namei.c:1690
lookup_slow+0x57/0x70 fs/namei.c:1707
walk_component+0x2e6/0x410 fs/namei ---truncated---

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38577.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0f18b462b2e5aff64b8638e8a47284b907351ef3
Fixed
15df59809c54fbd687cdf27efbd2103a937459be
Fixed
9535e440fe5bc6c5ac7cfb407e53bf788b8bf8d4
Fixed
5cd99d5aa3d39086bdb53eb5c52df16e98b101a0
Fixed
4732ca17c17f5062426cfa982f43593e6b81963b
Fixed
880ef748e78a1eb7df2d8e11a9ef21e98bcaabe5
Fixed
97df495d754116c8c28ac6a4112f831727bde887
Fixed
9bbfe83924946552c4c513099c0e8c83af76311a
Fixed
42f9ea16aea8b49febaa87950a006a1792209f38
Fixed
a509a55f8eecc8970b3980c6f06886bbff0e2f68

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.8.0
Fixed
5.4.297
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.241
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.190
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.148
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.102
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.42
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.15.10
Type
ECOSYSTEM
Events
Introduced
6.16.0
Fixed
6.16.1