CVE-2025-38578

Source: https://cve.org/CVERecord?id=CVE-2025-38578
Import Source: https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38578.json
JSON Data: https://api.test.osv.dev/v1/vulns/CVE-2025-38578
Published: 2025-08-19T17:03:01.483Z
Modified: 2026-05-28T03:53:49.714712932Z
Summary
f2fs: fix to avoid UAF in f2fs_sync_inode_meta()
Details

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid UAF in f2fs_sync_inode_meta()

syzbot reported a UAF issue as below: [1] [2]

[1] https://syzkaller.appspot.com/text?tag=CrashReport&x=16594c60580000

==================================================================
BUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62
Read of size 8 at addr ffff888100567dc8 by task kworker/u4:0/8

CPU: 1 PID: 8 Comm: kworker/u4:0 Tainted: G W 6.1.129-syzkaller-00017-g642656a36791 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: writeback wb_workfn (flush-7:0)
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:316 [inline]
print_report+0x158/0x4e0 mm/kasan/report.c:427
kasan_report+0x13c/0x170 mm/kasan/report.c:531
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:351
__list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62
__list_del_entry include/linux/list.h:134 [inline]
list_del_init include/linux/list.h:206 [inline]
f2fs_inode_synced+0x100/0x2e0 fs/f2fs/super.c:1553
f2fs_update_inode+0x72/0x1c40 fs/f2fs/inode.c:588
f2fs_update_inode_page+0x135/0x170 fs/f2fs/inode.c:706
f2fs_write_inode+0x416/0x790 fs/f2fs/inode.c:734
write_inode fs/fs-writeback.c:1460 [inline]
__writeback_single_inode+0x4cf/0xb80 fs/fs-writeback.c:1677
writeback_sb_inodes+0xb32/0x1910 fs/fs-writeback.c:1903
__writeback_inodes_wb+0x118/0x3f0 fs/fs-writeback.c:1974
wb_writeback+0x3da/0xa00 fs/fs-writeback.c:2081
wb_check_background_flush fs/fs-writeback.c:2151 [inline]
wb_do_writeback fs/fs-writeback.c:2239 [inline]
wb_workfn+0xbba/0x1030 fs/fs-writeback.c:2266
process_one_work+0x73d/0xcb0 kernel/workqueue.c:2299
worker_thread+0xa60/0x1260 kernel/workqueue.c:2446
kthread+0x26d/0x300 kernel/kthread.c:386
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
</TASK>

Allocated by task 298:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:333
kasan_slab_alloc include/linux/kasan.h:202 [inline]
slab_post_alloc_hook+0x53/0x2c0 mm/slab.h:768
slab_alloc_node mm/slub.c:3421 [inline]
slab_alloc mm/slub.c:3431 [inline]
__kmem_cache_alloc_lru mm/slub.c:3438 [inline]
kmem_cache_alloc_lru+0x102/0x270 mm/slub.c:3454
alloc_inode_sb include/linux/fs.h:3255 [inline]
f2fs_alloc_inode+0x2d/0x350 fs/f2fs/super.c:1437
alloc_inode fs/inode.c:261 [inline]
iget_locked+0x18c/0x7e0 fs/inode.c:1373
f2fs_iget+0x55/0x4ca0 fs/f2fs/inode.c:486
f2fs_lookup+0x3c1/0xb50 fs/f2fs/namei.c:484
__lookup_slow+0x2b9/0x3e0 fs/namei.c:1689
lookup_slow+0x5a/0x80 fs/namei.c:1706
walk_component+0x2e7/0x410 fs/namei.c:1997
lookup_last fs/namei.c:2454 [inline]
path_lookupat+0x16d/0x450 fs/namei.c:2478
filename_lookup+0x251/0x600 fs/namei.c:2507
vfs_statx+0x107/0x4b0 fs/stat.c:229
vfs_fstatat fs/stat.c:267 [inline]
vfs_lstat include/linux/fs.h:3434 [inline]
__do_sys_newlstat fs/stat.c:423 [inline]
__se_sys_newlstat+0xda/0x7c0 fs/stat.c:417
__x64_sys_newlstat+0x5b/0x70 fs/stat.c:417
x64_sys_call+0x52/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:7
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0x80 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2

Freed by task 0:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:516
____kasan_slab_free+0x131/0x180 mm/kasan/common.c:241
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:249
kasan_slab_free include/linux/kasan.h:178 [inline]
slab_free_hook mm/slub.c:1745 [inline]
slab_free_freelist_hook mm/slub.c:1771 [inline]
slab_free mm/slub.c:3686 [inline]
kmem_cache_free+0x ---truncated---

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38578.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
Introduced: 0f18b462b2e5aff64b8638e8a47284b907351ef3
Fixed: 37e78cad7e9e025e63bb35bc200f44637b009bb1
Fixed: 4dcd830c420f2190ae32f03626039fde7b57b2ad
Fixed: 1edf68272b8cba2b2817ef1488ecb9f0f84cb6a0
Fixed: 917ae5e280bc263f56c83fba0d0f0be2c4828083
Fixed: 3d37cadaac1a8e108e576297aab9125b24ea2dfe
Fixed: dea243f58a8391e76f42ad5eb59ff210519ee772
Fixed: a4b0cc9e0bba7525a29f37714e88df12a47997a2
Fixed: 6cac47af39b2b8edbb41d47c3bd9c332f83e9932
Fixed: 7c30d79930132466f5be7d0b57add14d1a016bda

Database specific
source: "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38578.json"

Linux / Kernel

Package name: Kernel

Affected ranges

Type: ECOSYSTEM (one range per stable series)
Introduced 4.8.0, Fixed 5.4.297
Introduced 5.5.0, Fixed 5.10.241
Introduced 5.11.0, Fixed 5.15.190
Introduced 5.16.0, Fixed 6.1.148
Introduced 6.2.0, Fixed 6.6.102
Introduced 6.7.0, Fixed 6.12.42
Introduced 6.13.0, Fixed 6.15.10
Introduced 6.16.0, Fixed 6.16.1

Database specific
source: "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38578.json"