CVE-2025-22123

F2FS-fs (loop3): Stopped filesystem due to reason: 7 kworker/u8:7: attempt to access beyond end of device BUG: unable to handle page fault for address: ffffed1604ea3dfa RIP: 0010:getckptvalidblocks fs/f2fs/segment.h:361 [inline] RIP: 0010:hascursegenoughspace fs/f2fs/segment.h:570 [inline] RIP: 0010:_getsecsrequired fs/f2fs/segment.h:620 [inline] RIP: 0010:hasnotenoughfreesecs fs/f2fs/segment.h:633 [inline] RIP: 0010:hasenoughfreesecs+0x575/0x1660 fs/f2fs/segment.h:649 <TASK> f2fsischeckpointready fs/f2fs/segment.h:671 [inline] f2fswriteinode+0x425/0x540 fs/f2fs/inode.c:791 writeinode fs/fs-writeback.c:1525 [inline] _writebacksingleinode+0x708/0x10d0 fs/fs-writeback.c:1745 writebacksbinodes+0x820/0x1360 fs/fs-writeback.c:1976 wbwriteback+0x413/0xb80 fs/fs-writeback.c:2156 wbdowriteback fs/fs-writeback.c:2303 [inline] wbworkfn+0x410/0x1080 fs/fs-writeback.c:2343 processonework kernel/workqueue.c:3236 [inline] processscheduledworks+0xa66/0x1840 kernel/workqueue.c:3317 workerthread+0x870/0xd30 kernel/workqueue.c:3398 kthread+0x7a9/0x920 kernel/kthread.c:464 retfromfork+0x4b/0x80 arch/x86/kernel/process.c:148 retfromforkasm+0x1a/0x30 arch/x86/entry/entry64.S:244

Commit 8b10d3653735 ("f2fs: introduce FAULTNOSEGMENT") allows to trigger no free segment fault in allocator, then it will update curseg->segno to NULLSEGNO, though, CPERRORFLAG has been set, f2fswrite_inode() missed to check the flag, and access invalid curseg->segno directly in below call path, then resulting in panic:

f2fswriteinode
- f2fsischeckpointready
  - hasenoughfreesecs
    - hasnotenoughfreesecs
      - getsecsrequired
        
        hascursegenoughspace
        
        getckptvalidblocks : access invalid curseg->segno

To avoid this issue, let's: - check CPERRORFLAG flag in prior to f2fsischeckpointready() in f2fswriteinode(). - in hascursegenoughspace(), save curseg->segno into a temp variable, and verify its validation before use.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

8b10d3653735e117bc1954ade80d75ad7b46b801

Fixed

bf49527089ec1ba894c6e587affabbfb2329f52e

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

8b10d3653735e117bc1954ade80d75ad7b46b801

Fixed

7f90e5d423cd2d4c74b2abb527872f335108637f

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

8b10d3653735e117bc1954ade80d75ad7b46b801

Fixed

986c50f6bca109c6cf362b4e2babcb85aba958f6

Affected versions

v6.*

v6.10

v6.10-rc1

v6.10-rc2

v6.10-rc3

v6.10-rc4

v6.10-rc5

v6.10-rc6

v6.10-rc7

v6.11

v6.11-rc1

v6.11-rc2

v6.11-rc3

v6.11-rc4

v6.11-rc5

v6.11-rc6

v6.11-rc7

v6.12

v6.12-rc1

v6.12-rc2

v6.12-rc3

v6.12-rc4

v6.12-rc5

v6.12-rc6

v6.12-rc7

v6.12.1

v6.12.10

v6.12.11

v6.12.12

v6.12.13

v6.12.14

v6.12.15

v6.12.16

v6.12.17

v6.12.18

v6.12.19

v6.12.2

v6.12.20

v6.12.21

v6.12.22

v6.12.23

v6.12.24

v6.12.25

v6.12.26

v6.12.27

v6.12.28

v6.12.29

v6.12.3

v6.12.30

v6.12.31

v6.12.32

v6.12.4

v6.12.5

v6.12.6

v6.12.7

v6.12.8

v6.12.9

v6.13

v6.13-rc1

v6.13-rc2

v6.13-rc3

v6.13-rc4

v6.13-rc5

v6.13-rc6

v6.13-rc7

v6.14

v6.14-rc1

v6.14-rc2

v6.14-rc3

v6.14-rc4

v6.14-rc5

v6.14-rc6

v6.14-rc7

v6.14.1

v6.8

v6.8-rc4

v6.8-rc5

v6.8-rc6

v6.8-rc7

v6.9

v6.9-rc1

v6.9-rc2

v6.9-rc3

v6.9-rc4

v6.9-rc5

v6.9-rc6

v6.9-rc7

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.9.0

Fixed

6.12.33

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.14.2