CVE-2025-22123
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-22123
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22123.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-22123
- Downstream
- Published
- 2025-04-16T14:13:07Z
- Modified
- 2025-10-17T23:39:00.645529Z
- Summary
- f2fs: fix to avoid accessing uninitialized curseg
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid accessing uninitialized curseg
syzbot reports a f2fs bug as below:
F2FS-fs (loop3): Stopped filesystem due to reason: 7 kworker/u8:7: attempt to access beyond end of device BUG: unable to handle page fault for address: ffffed1604ea3dfa RIP: 0010:getckptvalidblocks fs/f2fs/segment.h:361 [inline] RIP: 0010:hascursegenoughspace fs/f2fs/segment.h:570 [inline] RIP: 0010:_getsecsrequired fs/f2fs/segment.h:620 [inline] RIP: 0010:hasnotenoughfreesecs fs/f2fs/segment.h:633 [inline] RIP: 0010:hasenoughfreesecs+0x575/0x1660 fs/f2fs/segment.h:649 <TASK> f2fsischeckpointready fs/f2fs/segment.h:671 [inline] f2fswriteinode+0x425/0x540 fs/f2fs/inode.c:791 writeinode fs/fs-writeback.c:1525 [inline] _writebacksingleinode+0x708/0x10d0 fs/fs-writeback.c:1745 writebacksbinodes+0x820/0x1360 fs/fs-writeback.c:1976 wbwriteback+0x413/0xb80 fs/fs-writeback.c:2156 wbdowriteback fs/fs-writeback.c:2303 [inline] wbworkfn+0x410/0x1080 fs/fs-writeback.c:2343 processonework kernel/workqueue.c:3236 [inline] processscheduledworks+0xa66/0x1840 kernel/workqueue.c:3317 workerthread+0x870/0xd30 kernel/workqueue.c:3398 kthread+0x7a9/0x920 kernel/kthread.c:464 retfromfork+0x4b/0x80 arch/x86/kernel/process.c:148 retfromforkasm+0x1a/0x30 arch/x86/entry/entry64.S:244
Commit 8b10d3653735 ("f2fs: introduce FAULTNOSEGMENT") allows to trigger no free segment fault in allocator, then it will update curseg->segno to NULLSEGNO, though, CPERRORFLAG has been set, f2fswrite_inode() missed to check the flag, and access invalid curseg->segno directly in below call path, then resulting in panic:
- f2fswriteinode
- f2fsischeckpointready
- hasenoughfree
- hasnotenoughfreesecs
- getsecsrequired
- hascursegenoughspace
- getckptvalid
- hascursegenoughspace
- getsecsrequired
- f2fsischeckpointready
To avoid this issue, let's: - check CPERRORFLAG flag in prior to f2fsischeckpointready() in f2fswriteinode(). - in hascursegenoughspace(), save curseg->segno into a temp variable, and verify its validation before use.
- f2fswriteinode
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced8b10d3653735e117bc1954ade80d75ad7b46b801Fixedbf49527089ec1ba894c6e587affabbfb2329f52e
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced8b10d3653735e117bc1954ade80d75ad7b46b801Fixed7f90e5d423cd2d4c74b2abb527872f335108637f
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced8b10d3653735e117bc1954ade80d75ad7b46b801Fixed986c50f6bca109c6cf362b4e2babcb85aba958f6
Affected versions
v6.*
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1
v6.8
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
Database specific
vanir_signatures
[
{
"signature_type": "Function",
"id": "CVE-2025-22123-1b2ebe1c",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@986c50f6bca109c6cf362b4e2babcb85aba958f6",
"signature_version": "v1",
"target": {
"function": "f2fs_write_inode",
"file": "fs/f2fs/inode.c"
},
"digest": {
"function_hash": "204697592875829879787454710253492405870",
"length": 427.0
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2025-22123-227fcbff",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bf49527089ec1ba894c6e587affabbfb2329f52e",
"signature_version": "v1",
"target": {
"file": "fs/f2fs/inode.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"66595862133701124659536898199330633509",
"309238412311286554210169759982858065909",
"221837837885988608269513844396456823264"
]
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2025-22123-5cdf609e",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bf49527089ec1ba894c6e587affabbfb2329f52e",
"signature_version": "v1",
"target": {
"file": "fs/f2fs/segment.h"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"237650967250431159537224213433487448853",
"130875306991981559891854191411500065920",
"307633625486823373658101529021390960364",
"286203188378828232575656978557932671842",
"45886600030647123407964551341676964798",
"45778306453875324277029254639782075608",
"179821305238912383895923510908495305720",
"8846579865180775035762948536132354203",
"260216955171805661259055229001587042481",
"125839475307973332562009424990875621429",
"114069499581655455424084604005756500684"
]
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2025-22123-5d749122",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@986c50f6bca109c6cf362b4e2babcb85aba958f6",
"signature_version": "v1",
"target": {
"function": "has_curseg_enough_space",
"file": "fs/f2fs/segment.h"
},
"digest": {
"function_hash": "270926455195989993717433040081691846442",
"length": 575.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2025-22123-732ab3ab",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bf49527089ec1ba894c6e587affabbfb2329f52e",
"signature_version": "v1",
"target": {
"function": "has_curseg_enough_space",
"file": "fs/f2fs/segment.h"
},
"digest": {
"function_hash": "270926455195989993717433040081691846442",
"length": 575.0
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2025-22123-96c115db",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7f90e5d423cd2d4c74b2abb527872f335108637f",
"signature_version": "v1",
"target": {
"file": "fs/f2fs/inode.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"66595862133701124659536898199330633509",
"309238412311286554210169759982858065909",
"221837837885988608269513844396456823264"
]
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2025-22123-a67bdaeb",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@986c50f6bca109c6cf362b4e2babcb85aba958f6",
"signature_version": "v1",
"target": {
"file": "fs/f2fs/segment.h"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"237650967250431159537224213433487448853",
"130875306991981559891854191411500065920",
"307633625486823373658101529021390960364",
"286203188378828232575656978557932671842",
"45886600030647123407964551341676964798",
"45778306453875324277029254639782075608",
"179821305238912383895923510908495305720",
"8846579865180775035762948536132354203",
"260216955171805661259055229001587042481",
"125839475307973332562009424990875621429",
"114069499581655455424084604005756500684"
]
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2025-22123-a80b2159",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7f90e5d423cd2d4c74b2abb527872f335108637f",
"signature_version": "v1",
"target": {
"function": "f2fs_write_inode",
"file": "fs/f2fs/inode.c"
},
"digest": {
"function_hash": "204697592875829879787454710253492405870",
"length": 427.0
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2025-22123-cf735c7f",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@986c50f6bca109c6cf362b4e2babcb85aba958f6",
"signature_version": "v1",
"target": {
"file": "fs/f2fs/inode.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"66595862133701124659536898199330633509",
"309238412311286554210169759982858065909",
"221837837885988608269513844396456823264"
]
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2025-22123-d67b673e",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7f90e5d423cd2d4c74b2abb527872f335108637f",
"signature_version": "v1",
"target": {
"function": "has_curseg_enough_space",
"file": "fs/f2fs/segment.h"
},
"digest": {
"function_hash": "270926455195989993717433040081691846442",
"length": 575.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2025-22123-fbcffe48",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bf49527089ec1ba894c6e587affabbfb2329f52e",
"signature_version": "v1",
"target": {
"function": "f2fs_write_inode",
"file": "fs/f2fs/inode.c"
},
"digest": {
"function_hash": "204697592875829879787454710253492405870",
"length": 427.0
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2025-22123-fcb513a4",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7f90e5d423cd2d4c74b2abb527872f335108637f",
"signature_version": "v1",
"target": {
"file": "fs/f2fs/segment.h"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"237650967250431159537224213433487448853",
"130875306991981559891854191411500065920",
"307633625486823373658101529021390960364",
"286203188378828232575656978557932671842",
"45886600030647123407964551341676964798",
"45778306453875324277029254639782075608",
"179821305238912383895923510908495305720",
"8846579865180775035762948536132354203",
"260216955171805661259055229001587042481",
"125839475307973332562009424990875621429",
"114069499581655455424084604005756500684"
]
},
"deprecated": false
}
]