CVE-2025-71069

In the Linux kernel, the following vulnerability has been resolved:

f2fs: invalidate dentry cache on failed whiteout creation

F2FS can mount filesystems with corrupted directory depth values that get runtime-clamped to MAXDIRHASHDEPTH. When RENAMEWHITEOUT operations are performed on such directories, f2fsrename performs directory modifications (updating target entry and deleting source entry) before attempting to add the whiteout entry via f2fsadd_link.

If f2fsaddlink fails due to the corrupted directory structure, the function returns an error to VFS, but the partial directory modifications have already been committed to disk. VFS assumes the entire rename operation failed and does not update the dentry cache, leaving stale mappings.

In the error path, VFS does not call dmove() to update the dentry cache. This results in newdentry still pointing to the old inode (newinode) which has already had its inlink decremented to zero. The stale cache causes subsequent operations to incorrectly reference the freed inode.

This causes subsequent operations to use cached dentry information that no longer matches the on-disk state. When a second rename targets the same entry, VFS attempts to decrement inlink on the stale inode, which may already have inlink=0, triggering a WARNING in drop_nlink().

Example sequence: 1. First rename (RENAMEWHITEOUT): file2 → file1 - f2fs updates file1 entry on disk (points to inode 8) - f2fs deletes file2 entry on disk - f2fsaddlink(whiteout) fails (corrupted directory) - Returns error to VFS - VFS does not call dmove() due to error - VFS cache still has: file1 → inode 7 (stale!) - inode 7 has i_nlink=0 (already decremented)

2. Second rename: file3 → file1
   • VFS uses stale cache: file1 → inode 7
   • Tries to dropnlink on inode 7 (inlink already 0)
   • WARNING in drop_nlink()

Fix this by explicitly invalidating olddentry and newdentry when f2fsaddlink fails during whiteout creation. This forces VFS to refresh from disk on subsequent operations, ensuring cache consistency even when the rename partially succeeds.

Reproducer: 1. Mount F2FS image with corrupted icurrentdepth 2. renameat2(file2, file1, RENAMEWHITEOUT) 3. renameat2(file3, file1, 0) 4. System triggers WARNING in dropnlink()