CVE-2025-68769

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix return value of f2fsrecoverfsync_data()

With below scripts, it will trigger panic in f2fs:

mkfs.f2fs -f /dev/vdd mount /dev/vdd /mnt/f2fs touch /mnt/f2fs/foo sync echo 111 >> /mnt/f2fs/foo f2fsio fsync /mnt/f2fs/foo f2fsio shutdown 2 /mnt/f2fs umount /mnt/f2fs mount -o ro,norecovery /dev/vdd /mnt/f2fs or mount -o ro,disablerollforward /dev/vdd /mnt/f2fs

F2FS-fs (vdd): f2fsrecoverfsyncdata: recovery fsync data, checkonly: 0 F2FS-fs (vdd): Mounted with checkpoint version = 7f5c361f F2FS-fs (vdd): Stopped filesystem due to reason: 0 F2FS-fs (vdd): f2fsrecoverfsyncdata: recovery fsync data, checkonly: 1 Filesystem f2fs gettree() didn't set fc->root, returned 1 ------------[ cut here ]------------ kernel BUG at fs/super.c:1761! Oops: invalid opcode: 0000 [#1] SMP PTI CPU: 3 UID: 0 PID: 722 Comm: mount Not tainted 6.18.0-rc2+ #721 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:vfsgettree.cold+0x18/0x1a Call Trace: <TASK> fcmount+0x13/0xa0 path_mount+0x34e/0xc50 __x64sysmount+0x121/0x150 dosyscall64+0x84/0x800 entrySYSCALL64afterhwframe+0x76/0x7e RIP: 0033:0x7fa6cc126cfe

The root cause is we missed to handle error number returned from f2fsrecoverfsyncdata() when mounting image w/ ro,norecovery or ro,disablerollforward mount option, result in returning a positive error number to vfsget_tree(), fix it.