ghsa-6mfc-3rhj-8xmq
Vulnerability from github
Published
2025-07-03 09:30
Modified
2025-07-03 09:30
Details

In the Linux kernel, the following vulnerability has been resolved:

f2fs: zone: fix to avoid inconsistence in between SIT and SSA

w/ below testcase, it will cause inconsistence in between SIT and SSA.

create_null_blk 512 2 1024 1024 mkfs.f2fs -m /dev/nullb0 mount /dev/nullb0 /mnt/f2fs/ touch /mnt/f2fs/file f2fs_io pinfile set /mnt/f2fs/file fallocate -l 4GiB /mnt/f2fs/file

F2FS-fs (nullb0): Inconsistent segment (0) type [1, 0] in SSA and SIT CPU: 5 UID: 0 PID: 2398 Comm: fallocate Tainted: G O 6.13.0-rc1 #84 Tainted: [O]=OOT_MODULE Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 Call Trace: dump_stack_lvl+0xb3/0xd0 dump_stack+0x14/0x20 f2fs_handle_critical_error+0x18c/0x220 [f2fs] f2fs_stop_checkpoint+0x38/0x50 [f2fs] do_garbage_collect+0x674/0x6e0 [f2fs] f2fs_gc_range+0x12b/0x230 [f2fs] f2fs_allocate_pinning_section+0x5c/0x150 [f2fs] f2fs_expand_inode_data+0x1cc/0x3c0 [f2fs] f2fs_fallocate+0x3c3/0x410 [f2fs] vfs_fallocate+0x15f/0x4b0 __x64_sys_fallocate+0x4a/0x80 x64_sys_call+0x15e8/0x1b80 do_syscall_64+0x68/0x130 entry_SYSCALL_64_after_hwframe+0x67/0x6f RIP: 0033:0x7f9dba5197ca F2FS-fs (nullb0): Stopped filesystem due to reason: 4

The reason is f2fs_gc_range() may try to migrate block in curseg, however, its SSA block is not uptodate due to the last summary block data is still in cache of curseg.

In this patch, we add a condition in f2fs_gc_range() to check whether section is opened or not, and skip block migration for opened section.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-38164"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-03T09:15:31Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: zone: fix to avoid inconsistence in between SIT and SSA\n\nw/ below testcase, it will cause inconsistence in between SIT and SSA.\n\ncreate_null_blk 512 2 1024 1024\nmkfs.f2fs -m /dev/nullb0\nmount /dev/nullb0 /mnt/f2fs/\ntouch /mnt/f2fs/file\nf2fs_io pinfile set /mnt/f2fs/file\nfallocate -l 4GiB /mnt/f2fs/file\n\nF2FS-fs (nullb0): Inconsistent segment (0) type [1, 0] in SSA and SIT\nCPU: 5 UID: 0 PID: 2398 Comm: fallocate Tainted: G           O       6.13.0-rc1 #84\nTainted: [O]=OOT_MODULE\nHardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xb3/0xd0\n dump_stack+0x14/0x20\n f2fs_handle_critical_error+0x18c/0x220 [f2fs]\n f2fs_stop_checkpoint+0x38/0x50 [f2fs]\n do_garbage_collect+0x674/0x6e0 [f2fs]\n f2fs_gc_range+0x12b/0x230 [f2fs]\n f2fs_allocate_pinning_section+0x5c/0x150 [f2fs]\n f2fs_expand_inode_data+0x1cc/0x3c0 [f2fs]\n f2fs_fallocate+0x3c3/0x410 [f2fs]\n vfs_fallocate+0x15f/0x4b0\n __x64_sys_fallocate+0x4a/0x80\n x64_sys_call+0x15e8/0x1b80\n do_syscall_64+0x68/0x130\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x7f9dba5197ca\nF2FS-fs (nullb0): Stopped filesystem due to reason: 4\n\nThe reason is f2fs_gc_range() may try to migrate block in curseg, however,\nits SSA block is not uptodate due to the last summary block data is still\nin cache of curseg.\n\nIn this patch, we add a condition in f2fs_gc_range() to check whether\nsection is opened or not, and skip block migration for opened section.",
  "id": "GHSA-6mfc-3rhj-8xmq",
  "modified": "2025-07-03T09:30:35Z",
  "published": "2025-07-03T09:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38164"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/44a51592ac657d8e422585414d7ec17a5b50fb0e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/773704c1ef96a8b70d0d186ab725f50548de82c4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8d9431b0d11a5030aa1ce477defee455b3821701"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.