f2fs: fix to do sanity check on ino and xnid

Summary

CVE: CVE-2025-38347
State: PUBLISHED
Assigner: Linux
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2025-07-10 09:15:29 UTC
Updated: 2026-05-12 13:16:48 UTC
Description:

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to do sanity check on ino and xnid

syzbot reported an f2fs bug as below:

INFO: task syz-executor140:5308 blocked for more than 143 seconds.
      Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor140 state:D stack:24016 pid:5308 tgid:5308 ppid:5306 task_flags:0x400140 flags:0x00000006
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5378 [inline]
 __schedule+0x190e/0x4c90 kernel/sched/core.c:6765
 __schedule_loop kernel/sched/core.c:6842 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6857
 io_schedule+0x8d/0x110 kernel/sched/core.c:7690
 folio_wait_bit_common+0x839/0xee0 mm/filemap.c:1317
 __folio_lock mm/filemap.c:1664 [inline]
 folio_lock include/linux/pagemap.h:1163 [inline]
 __filemap_get_folio+0x147/0xb40 mm/filemap.c:1917
 pagecache_get_page+0x2c/0x130 mm/folio-compat.c:87
 find_get_page_flags include/linux/pagemap.h:842 [inline]
 f2fs_grab_cache_page+0x2b/0x320 fs/f2fs/f2fs.h:2776
 __get_node_page+0x131/0x11b0 fs/f2fs/node.c:1463
 read_xattr_block+0xfb/0x190 fs/f2fs/xattr.c:306
 lookup_all_xattrs fs/f2fs/xattr.c:355 [inline]
 f2fs_getxattr+0x676/0xf70 fs/f2fs/xattr.c:533
 __f2fs_get_acl+0x52/0x870 fs/f2fs/acl.c:179
 f2fs_acl_create fs/f2fs/acl.c:375 [inline]
 f2fs_init_acl+0xd7/0x9b0 fs/f2fs/acl.c:418
 f2fs_init_inode_metadata+0xa0f/0x1050 fs/f2fs/dir.c:539
 f2fs_add_inline_entry+0x448/0x860 fs/f2fs/inline.c:666
 f2fs_add_dentry+0xba/0x1e0 fs/f2fs/dir.c:765
 f2fs_do_add_link+0x28c/0x3a0 fs/f2fs/dir.c:808
 f2fs_add_link fs/f2fs/f2fs.h:3616 [inline]
 f2fs_mknod+0x2e8/0x5b0 fs/f2fs/namei.c:766
 vfs_mknod+0x36d/0x3b0 fs/namei.c:4191
 unix_bind_bsd net/unix/af_unix.c:1286 [inline]
 unix_bind+0x563/0xe30 net/unix/af_unix.c:1379
 __sys_bind_socket net/socket.c:1817 [inline]
 __sys_bind+0x1e4/0x290 net/socket.c:1848
 __do_sys_bind net/socket.c:1853 [inline]
 __se_sys_bind net/socket.c:1851 [inline]
 __x64_sys_bind+0x7a/0x90 net/socket.c:1851
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Let's dump and check the metadata of the corrupted inode; it shows its xattr_nid is the same as its i_ino.

dump.f2fs -i 3 chaseyu.img.raw
i_xattr_nid [0x 3 : 3]

So, during mknod in the corrupted directory, it tries to get and lock the inode page twice, resulting in deadlock.

- f2fs_mknod
- f2fs_add_inline_entry
- f2fs_get_inode_page --- lock dir's inode page
- f2fs_init_acl
- f2fs_acl_create(dir,..)
- __f2fs_get_acl
- f2fs_getxattr
- lookup_all_xattrs
- __get_node_page --- try to lock dir's inode page

In order to fix this, let's add sanity check on ino and xnid.
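The double lock described above, as an added user-space model in C (not the kernel patch and not code from the f2fs project). The struct, the try-lock stand-in and the exact form of the check (xattr nid equal to the inode's own number) are assumptions drawn from the dump output in the description; where the real check sits in the kernel is not shown on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_NID 16
enum outcome { OUT_OK, OUT_SELF_DEADLOCK, OUT_REJECTED };

/* Hypothetical model inode: only the two fields the description names. */
struct model_inode { uint32_t i_ino; uint32_t i_xattr_nid; /* 0 = none */ };

static bool page_locked[MAX_NID];  /* one non-recursive lock per node page */

/* Stand-in for locking a node page; false marks where the kernel task
 * would sleep forever on a page lock it already holds. */
static bool try_lock_node_page(uint32_t nid)
{
    if (nid >= MAX_NID || page_locked[nid])
        return false;
    page_locked[nid] = true;
    return true;
}

/* Assumed form of the check: the xattr nid must not be the inode's own nid. */
static bool xnid_is_sane(const struct model_inode *inode)
{
    return inode->i_xattr_nid != inode->i_ino;
}

/* Models the mknod path in the description's call tree. */
enum outcome model_mknod(const struct model_inode *dir, bool sanity_check)
{
    enum outcome res = OUT_OK;
    if (sanity_check && !xnid_is_sane(dir))
        return OUT_REJECTED;              /* corrupted inode refused up front */
    if (!try_lock_node_page(dir->i_ino))  /* f2fs_get_inode_page step */
        return OUT_SELF_DEADLOCK;
    if (dir->i_xattr_nid != 0 && !try_lock_node_page(dir->i_xattr_nid))
        res = OUT_SELF_DEADLOCK;          /* __get_node_page step, same page */
    else if (dir->i_xattr_nid != 0)
        page_locked[dir->i_xattr_nid] = false;
    page_locked[dir->i_ino] = false;
    return res;
}

int main(void)
{
    struct model_inode bad = { 3, 3 };    /* constructed, matches the dump */
    printf("%d %d\n", model_mknod(&bad, false), model_mknod(&bad, true));
    return 0;
}
```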

Risk And Classification

Primary CVSS: v3.1 5.5 MEDIUM from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem Types: NVD-CWE-noinfo

CVSS v3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High


NVD Known Affected Configurations (CPE 2.3)

Type Vendor Product Version Update Edition Language
Operating System Linux Linux Kernel All All All All

Vendor Declared Affected Products

Source Vendor Product Version Platforms
CNA Linux Linux affected 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 44e904a1ad09e84039058dcbbb1b9ea5b8d7d75d git Not specified
CNA Linux Linux affected 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 ecff54aa20b5b21db82e63e46066b55e43d72e78 git Not specified
CNA Linux Linux affected 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 c4029044cc408b149e63db7dc8617a0783a3f10d git Not specified
CNA Linux Linux affected 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 e98dc1909f3d5bc078ec7a605524f1e3f4c0eb14 git Not specified
CNA Linux Linux affected 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 aaddc6c696bd1bff20eaacfa88579d6eae64d541 git Not specified
CNA Linux Linux affected 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 fed611bd8c7b76b070aa407d0c7558e20d9e1f68 git Not specified
CNA Linux Linux affected 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 5a06d97d5340c00510f24e80e8de821bd3bd9285 git Not specified
CNA Linux Linux affected 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 061cf3a84bde038708eb0f1d065b31b7c2456533 git Not specified
CNA Linux Linux affected 3.8 Not specified
CNA Linux Linux unaffected 3.8 semver Not specified
CNA Linux Linux unaffected 5.4.297 5.4.* semver Not specified
CNA Linux Linux unaffected 5.10.241 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.190 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.149 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.95 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.35 6.12.* semver Not specified
CNA Linux Linux unaffected 6.15.4 6.15.* semver Not specified
CNA Linux Linux unaffected 6.16 * original_commit_for_fix Not specified
ADP Siemens SIMATIC CN 4100 affected V5.0 custom Not specified

References

Reference Source Link Tags
lists.debian.org/debian-lts-announce/2025/10/msg00008.html af854a3a-2127-422b-91ae-364da2661108 lists.debian.org Third Party Advisory
git.kernel.org/stable/c/c4029044cc408b149e63db7dc8617a0783a3f10d 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/e98dc1909f3d5bc078ec7a605524f1e3f4c0eb14 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/5a06d97d5340c00510f24e80e8de821bd3bd9285 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
cert-portal.siemens.com/productcert/html/ssa-032379.html 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e cert-portal.siemens.com
git.kernel.org/stable/c/061cf3a84bde038708eb0f1d065b31b7c2456533 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/fed611bd8c7b76b070aa407d0c7558e20d9e1f68 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/44e904a1ad09e84039058dcbbb1b9ea5b8d7d75d 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
lists.debian.org/debian-lts-announce/2025/10/msg00007.html af854a3a-2127-422b-91ae-364da2661108 lists.debian.org Third Party Advisory
git.kernel.org/stable/c/aaddc6c696bd1bff20eaacfa88579d6eae64d541 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/ecff54aa20b5b21db82e63e46066b55e43d72e78 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis