cve/published/2025/CVE-2025-23130.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-23130: f2fs: fix to avoid panic once fallocation fails for pinfile

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 f2fs: fix to avoid panic once fallocation fails for pinfile

 syzbot reports a f2fs bug as below:

 ------------[ cut here ]------------
 kernel BUG at fs/f2fs/segment.c:2746!
 CPU: 0 UID: 0 PID: 5323 Comm: syz.0.0 Not tainted 6.13.0-rc2-syzkaller-00018-g7cb1b4663150 #0
 RIP: 0010:get_new_segment fs/f2fs/segment.c:2746 [inline]
 RIP: 0010:new_curseg+0x1f52/0x1f70 fs/f2fs/segment.c:2876
 Call Trace:
  <TASK>
  __allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3210
  f2fs_allocate_new_section fs/f2fs/segment.c:3224 [inline]
  f2fs_allocate_pinning_section+0xfa/0x4e0 fs/f2fs/segment.c:3238
  f2fs_expand_inode_data+0x696/0xca0 fs/f2fs/file.c:1830
  f2fs_fallocate+0x537/0xa10 fs/f2fs/file.c:1940
  vfs_fallocate+0x569/0x6e0 fs/open.c:327
  do_vfs_ioctl+0x258c/0x2e40 fs/ioctl.c:885
  __do_sys_ioctl fs/ioctl.c:904 [inline]
  __se_sys_ioctl+0x80/0x170 fs/ioctl.c:892
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 Concurrent pinfile allocation may run out of free section, result in
 panic in get_new_segment(), let's expand pin_sem lock coverage to
 include f2fs_gc(), so that we can make sure to reclaim enough free
 space for following allocation.

 In addition, do below changes to enhance error path handling:
 - call f2fs_bug_on() only in non-pinfile allocation path in
 get_new_segment().
 - call reset_curseg_fields() to reset all fields of curseg in
 new_curseg()

 The Linux kernel CVE team has assigned CVE-2025-23130 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.5 with commit f5a53edcf01eae21dc3ef1845515229e8459e5cc and fixed in 6.14.2 with commit 9392862608d081a8346a3b841f862d732fce954b
 	Issue introduced in 5.5 with commit f5a53edcf01eae21dc3ef1845515229e8459e5cc and fixed in 6.15 with commit 48ea8b200414ac69ea96f4c231f5c7ef1fbeffef

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-23130
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/f2fs/file.c
 	fs/f2fs/segment.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/9392862608d081a8346a3b841f862d732fce954b
 	https://git.kernel.org/stable/c/48ea8b200414ac69ea96f4c231f5c7ef1fbeffef
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-23130: f2fs: fix to avoid panic once fallocation fails for pinfile

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	f2fs: fix to avoid panic once fallocation fails for pinfile

	syzbot reports a f2fs bug as below:

	------------[ cut here ]------------
	kernel BUG at fs/f2fs/segment.c:2746!
	CPU: 0 UID: 0 PID: 5323 Comm: syz.0.0 Not tainted 6.13.0-rc2-syzkaller-00018-g7cb1b4663150 #0
	RIP: 0010:get_new_segment fs/f2fs/segment.c:2746 [inline]
	RIP: 0010:new_curseg+0x1f52/0x1f70 fs/f2fs/segment.c:2876
	Call Trace:
	<TASK>
	__allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3210
	f2fs_allocate_new_section fs/f2fs/segment.c:3224 [inline]
	f2fs_allocate_pinning_section+0xfa/0x4e0 fs/f2fs/segment.c:3238
	f2fs_expand_inode_data+0x696/0xca0 fs/f2fs/file.c:1830
	f2fs_fallocate+0x537/0xa10 fs/f2fs/file.c:1940
	vfs_fallocate+0x569/0x6e0 fs/open.c:327
	do_vfs_ioctl+0x258c/0x2e40 fs/ioctl.c:885
	__do_sys_ioctl fs/ioctl.c:904 [inline]
	__se_sys_ioctl+0x80/0x170 fs/ioctl.c:892
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	Concurrent pinfile allocation may run out of free section, result in
	panic in get_new_segment(), let's expand pin_sem lock coverage to
	include f2fs_gc(), so that we can make sure to reclaim enough free
	space for following allocation.

	In addition, do below changes to enhance error path handling:
	- call f2fs_bug_on() only in non-pinfile allocation path in
	get_new_segment().
	- call reset_curseg_fields() to reset all fields of curseg in
	new_curseg()

	The Linux kernel CVE team has assigned CVE-2025-23130 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.5 with commit f5a53edcf01eae21dc3ef1845515229e8459e5cc and fixed in 6.14.2 with commit 9392862608d081a8346a3b841f862d732fce954b
	Issue introduced in 5.5 with commit f5a53edcf01eae21dc3ef1845515229e8459e5cc and fixed in 6.15 with commit 48ea8b200414ac69ea96f4c231f5c7ef1fbeffef

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-23130
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/f2fs/file.c
	fs/f2fs/segment.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/9392862608d081a8346a3b841f862d732fce954b
	https://git.kernel.org/stable/c/48ea8b200414ac69ea96f4c231f5c7ef1fbeffef