CVE-2025-68772 (GCVE-0-2025-68772)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-01-13 15:28
VLAI?
Title
f2fs: fix to avoid updating compression context during writeback
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid updating compression context during writeback
Bai, Shuangpeng <sjb7183@psu.edu> reported a bug as below:
Oops: divide error: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 11441 Comm: syz.0.46 Not tainted 6.17.0 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:f2fs_all_cluster_page_ready+0x106/0x550 fs/f2fs/compress.c:857
Call Trace:
<TASK>
f2fs_write_cache_pages fs/f2fs/data.c:3078 [inline]
__f2fs_write_data_pages fs/f2fs/data.c:3290 [inline]
f2fs_write_data_pages+0x1c19/0x3600 fs/f2fs/data.c:3317
do_writepages+0x38e/0x640 mm/page-writeback.c:2634
filemap_fdatawrite_wbc mm/filemap.c:386 [inline]
__filemap_fdatawrite_range mm/filemap.c:419 [inline]
file_write_and_wait_range+0x2ba/0x3e0 mm/filemap.c:794
f2fs_do_sync_file+0x6e6/0x1b00 fs/f2fs/file.c:294
generic_write_sync include/linux/fs.h:3043 [inline]
f2fs_file_write_iter+0x76e/0x2700 fs/f2fs/file.c:5259
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x7e9/0xe00 fs/read_write.c:686
ksys_write+0x19d/0x2d0 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf7/0x470 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The bug was triggered w/ below race condition:
fsync setattr ioctl
- f2fs_do_sync_file
- file_write_and_wait_range
- f2fs_write_cache_pages
: inode is non-compressed
: cc.cluster_size =
F2FS_I(inode)->i_cluster_size = 0
- tag_pages_for_writeback
- f2fs_setattr
- truncate_setsize
- f2fs_truncate
- f2fs_fileattr_set
- f2fs_setflags_common
- set_compress_context
: F2FS_I(inode)->i_cluster_size = 4
: set_inode_flag(inode, FI_COMPRESSED_FILE)
- f2fs_compressed_file
: return true
- f2fs_all_cluster_page_ready
: "pgidx % cc->cluster_size" trigger dividing 0 issue
Let's change as below to fix this issue:
- introduce a new atomic type variable .writeback in structure f2fs_inode_info
to track the number of threads which calling f2fs_write_cache_pages().
- use .i_sem lock to protect .writeback update.
- check .writeback before update compression context in f2fs_setflags_common()
to avoid race w/ ->writepages.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4c8ff7095bef64fc47e996a938f7d57f9e077da3 , < ad26bfbc085c939b5dca77ff8c14798c06d151c4
(git)
Affected: 4c8ff7095bef64fc47e996a938f7d57f9e077da3 , < bcd0086ee5a2e88c1224ff2ec1e4a43c83efe5a0 (git) Affected: 4c8ff7095bef64fc47e996a938f7d57f9e077da3 , < 0bf1a02494c7eb5bd43445de4c83c8592e02c4bf (git) Affected: 4c8ff7095bef64fc47e996a938f7d57f9e077da3 , < 0df713a9c082a474c8b0bcf670edc8e98461d5a0 (git) Affected: 4c8ff7095bef64fc47e996a938f7d57f9e077da3 , < 10b591e7fb7cdc8c1e53e9c000dc0ef7069aaa76 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/data.c",
"fs/f2fs/f2fs.h",
"fs/f2fs/file.c",
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ad26bfbc085c939b5dca77ff8c14798c06d151c4",
"status": "affected",
"version": "4c8ff7095bef64fc47e996a938f7d57f9e077da3",
"versionType": "git"
},
{
"lessThan": "bcd0086ee5a2e88c1224ff2ec1e4a43c83efe5a0",
"status": "affected",
"version": "4c8ff7095bef64fc47e996a938f7d57f9e077da3",
"versionType": "git"
},
{
"lessThan": "0bf1a02494c7eb5bd43445de4c83c8592e02c4bf",
"status": "affected",
"version": "4c8ff7095bef64fc47e996a938f7d57f9e077da3",
"versionType": "git"
},
{
"lessThan": "0df713a9c082a474c8b0bcf670edc8e98461d5a0",
"status": "affected",
"version": "4c8ff7095bef64fc47e996a938f7d57f9e077da3",
"versionType": "git"
},
{
"lessThan": "10b591e7fb7cdc8c1e53e9c000dc0ef7069aaa76",
"status": "affected",
"version": "4c8ff7095bef64fc47e996a938f7d57f9e077da3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/data.c",
"fs/f2fs/f2fs.h",
"fs/f2fs/file.c",
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid updating compression context during writeback\n\nBai, Shuangpeng \u003csjb7183@psu.edu\u003e reported a bug as below:\n\nOops: divide error: 0000 [#1] SMP KASAN PTI\nCPU: 0 UID: 0 PID: 11441 Comm: syz.0.46 Not tainted 6.17.0 #1 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:f2fs_all_cluster_page_ready+0x106/0x550 fs/f2fs/compress.c:857\nCall Trace:\n \u003cTASK\u003e\n f2fs_write_cache_pages fs/f2fs/data.c:3078 [inline]\n __f2fs_write_data_pages fs/f2fs/data.c:3290 [inline]\n f2fs_write_data_pages+0x1c19/0x3600 fs/f2fs/data.c:3317\n do_writepages+0x38e/0x640 mm/page-writeback.c:2634\n filemap_fdatawrite_wbc mm/filemap.c:386 [inline]\n __filemap_fdatawrite_range mm/filemap.c:419 [inline]\n file_write_and_wait_range+0x2ba/0x3e0 mm/filemap.c:794\n f2fs_do_sync_file+0x6e6/0x1b00 fs/f2fs/file.c:294\n generic_write_sync include/linux/fs.h:3043 [inline]\n f2fs_file_write_iter+0x76e/0x2700 fs/f2fs/file.c:5259\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x7e9/0xe00 fs/read_write.c:686\n ksys_write+0x19d/0x2d0 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xf7/0x470 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe bug was triggered w/ below race condition:\n\nfsync\t\t\t\tsetattr\t\t\tioctl\n- f2fs_do_sync_file\n - file_write_and_wait_range\n - f2fs_write_cache_pages\n : inode is non-compressed\n : cc.cluster_size =\n F2FS_I(inode)-\u003ei_cluster_size = 0\n - tag_pages_for_writeback\n\t\t\t\t- f2fs_setattr\n\t\t\t\t - truncate_setsize\n\t\t\t\t - f2fs_truncate\n\t\t\t\t\t\t\t- f2fs_fileattr_set\n\t\t\t\t\t\t\t - f2fs_setflags_common\n\t\t\t\t\t\t\t - set_compress_context\n\t\t\t\t\t\t\t : F2FS_I(inode)-\u003ei_cluster_size = 4\n\t\t\t\t\t\t\t : set_inode_flag(inode, FI_COMPRESSED_FILE)\n - f2fs_compressed_file\n : return true\n - f2fs_all_cluster_page_ready\n : \"pgidx % cc-\u003ecluster_size\" trigger dividing 0 issue\n\nLet\u0027s change as below to fix this issue:\n- introduce a new atomic type variable .writeback in structure f2fs_inode_info\nto track the number of threads which calling f2fs_write_cache_pages().\n- use .i_sem lock to protect .writeback update.\n- check .writeback before update compression context in f2fs_setflags_common()\nto avoid race w/ -\u003ewritepages."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:28:49.924Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ad26bfbc085c939b5dca77ff8c14798c06d151c4"
},
{
"url": "https://git.kernel.org/stable/c/bcd0086ee5a2e88c1224ff2ec1e4a43c83efe5a0"
},
{
"url": "https://git.kernel.org/stable/c/0bf1a02494c7eb5bd43445de4c83c8592e02c4bf"
},
{
"url": "https://git.kernel.org/stable/c/0df713a9c082a474c8b0bcf670edc8e98461d5a0"
},
{
"url": "https://git.kernel.org/stable/c/10b591e7fb7cdc8c1e53e9c000dc0ef7069aaa76"
}
],
"title": "f2fs: fix to avoid updating compression context during writeback",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68772",
"datePublished": "2026-01-13T15:28:49.924Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-01-13T15:28:49.924Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-68772\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-01-13T16:15:56.707\",\"lastModified\":\"2026-01-13T16:15:56.707\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: fix to avoid updating compression context during writeback\\n\\nBai, Shuangpeng \u003csjb7183@psu.edu\u003e reported a bug as below:\\n\\nOops: divide error: 0000 [#1] SMP KASAN PTI\\nCPU: 0 UID: 0 PID: 11441 Comm: syz.0.46 Not tainted 6.17.0 #1 PREEMPT(full)\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\\nRIP: 0010:f2fs_all_cluster_page_ready+0x106/0x550 fs/f2fs/compress.c:857\\nCall Trace:\\n \u003cTASK\u003e\\n f2fs_write_cache_pages fs/f2fs/data.c:3078 [inline]\\n __f2fs_write_data_pages fs/f2fs/data.c:3290 [inline]\\n f2fs_write_data_pages+0x1c19/0x3600 fs/f2fs/data.c:3317\\n do_writepages+0x38e/0x640 mm/page-writeback.c:2634\\n filemap_fdatawrite_wbc mm/filemap.c:386 [inline]\\n __filemap_fdatawrite_range mm/filemap.c:419 [inline]\\n file_write_and_wait_range+0x2ba/0x3e0 mm/filemap.c:794\\n f2fs_do_sync_file+0x6e6/0x1b00 fs/f2fs/file.c:294\\n generic_write_sync include/linux/fs.h:3043 [inline]\\n f2fs_file_write_iter+0x76e/0x2700 fs/f2fs/file.c:5259\\n new_sync_write fs/read_write.c:593 [inline]\\n vfs_write+0x7e9/0xe00 fs/read_write.c:686\\n ksys_write+0x19d/0x2d0 fs/read_write.c:738\\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\\n do_syscall_64+0xf7/0x470 arch/x86/entry/syscall_64.c:94\\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\nThe bug was triggered w/ below race condition:\\n\\nfsync\\t\\t\\t\\tsetattr\\t\\t\\tioctl\\n- f2fs_do_sync_file\\n - file_write_and_wait_range\\n - f2fs_write_cache_pages\\n : inode is non-compressed\\n : cc.cluster_size =\\n F2FS_I(inode)-\u003ei_cluster_size = 0\\n - tag_pages_for_writeback\\n\\t\\t\\t\\t- f2fs_setattr\\n\\t\\t\\t\\t - truncate_setsize\\n\\t\\t\\t\\t - f2fs_truncate\\n\\t\\t\\t\\t\\t\\t\\t- f2fs_fileattr_set\\n\\t\\t\\t\\t\\t\\t\\t - f2fs_setflags_common\\n\\t\\t\\t\\t\\t\\t\\t - set_compress_context\\n\\t\\t\\t\\t\\t\\t\\t : F2FS_I(inode)-\u003ei_cluster_size = 4\\n\\t\\t\\t\\t\\t\\t\\t : set_inode_flag(inode, FI_COMPRESSED_FILE)\\n - f2fs_compressed_file\\n : return true\\n - f2fs_all_cluster_page_ready\\n : \\\"pgidx % cc-\u003ecluster_size\\\" trigger dividing 0 issue\\n\\nLet\u0027s change as below to fix this issue:\\n- introduce a new atomic type variable .writeback in structure f2fs_inode_info\\nto track the number of threads which calling f2fs_write_cache_pages().\\n- use .i_sem lock to protect .writeback update.\\n- check .writeback before update compression context in f2fs_setflags_common()\\nto avoid race w/ -\u003ewritepages.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0bf1a02494c7eb5bd43445de4c83c8592e02c4bf\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/0df713a9c082a474c8b0bcf670edc8e98461d5a0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/10b591e7fb7cdc8c1e53e9c000dc0ef7069aaa76\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ad26bfbc085c939b5dca77ff8c14798c06d151c4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bcd0086ee5a2e88c1224ff2ec1e4a43c83efe5a0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…