CVE-2025-23132 (GCVE-0-2025-23132)
Vulnerability from cvelistv5
Published
2025-04-16 14:13
Modified
2025-05-26 05:19
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: f2fs: quota: fix to avoid warning in dquot_writeback_dquots() F2FS-fs (dm-59): checkpoint=enable has some unwritten data. ------------[ cut here ]------------ WARNING: CPU: 6 PID: 8013 at fs/quota/dquot.c:691 dquot_writeback_dquots+0x2fc/0x308 pc : dquot_writeback_dquots+0x2fc/0x308 lr : f2fs_quota_sync+0xcc/0x1c4 Call trace: dquot_writeback_dquots+0x2fc/0x308 f2fs_quota_sync+0xcc/0x1c4 f2fs_write_checkpoint+0x3d4/0x9b0 f2fs_issue_checkpoint+0x1bc/0x2c0 f2fs_sync_fs+0x54/0x150 f2fs_do_sync_file+0x2f8/0x814 __f2fs_ioctl+0x1960/0x3244 f2fs_ioctl+0x54/0xe0 __arm64_sys_ioctl+0xa8/0xe4 invoke_syscall+0x58/0x114 checkpoint and f2fs_remount may race as below, resulting triggering warning in dquot_writeback_dquots(). atomic write remount - do_remount - down_write(&sb->s_umount); - f2fs_remount - ioctl - f2fs_do_sync_file - f2fs_sync_fs - f2fs_write_checkpoint - block_operations - locked = down_read_trylock(&sbi->sb->s_umount) : fail to lock due to the write lock was held by remount - up_write(&sb->s_umount); - f2fs_quota_sync - dquot_writeback_dquots - WARN_ON_ONCE(!rwsem_is_locked(&sb->s_umount)) : trigger warning because s_umount lock was unlocked by remount If checkpoint comes from mount/umount/remount/freeze/quotactl, caller of checkpoint has already held s_umount lock, calling dquot_writeback_dquots() in the context should be safe. So let's record task to sbi->umount_lock_holder, so that checkpoint can know whether the lock has held in the context or not by checking current w/ it. In addition, in order to not misrepresent caller of checkpoint, we should not allow to trigger async checkpoint for those callers: mount/umount/remount/ freeze/quotactl.
References
Impacted products
Vendor Product Version
Linux Linux Version: af033b2aa8a874fd5737fafe90d159136527b5b4
Version: af033b2aa8a874fd5737fafe90d159136527b5b4
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/checkpoint.c",
            "fs/f2fs/f2fs.h",
            "fs/f2fs/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d7acf0a6c87aa282c86a36dbaa2f92fda88c5884",
              "status": "affected",
              "version": "af033b2aa8a874fd5737fafe90d159136527b5b4",
              "versionType": "git"
            },
            {
              "lessThan": "eb85c2410d6f581e957cd03a644ff6ddbe592af9",
              "status": "affected",
              "version": "af033b2aa8a874fd5737fafe90d159136527b5b4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/checkpoint.c",
            "fs/f2fs/f2fs.h",
            "fs/f2fs/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: quota: fix to avoid warning in dquot_writeback_dquots()\n\nF2FS-fs (dm-59): checkpoint=enable has some unwritten data.\n\n------------[ cut here ]------------\nWARNING: CPU: 6 PID: 8013 at fs/quota/dquot.c:691 dquot_writeback_dquots+0x2fc/0x308\npc : dquot_writeback_dquots+0x2fc/0x308\nlr : f2fs_quota_sync+0xcc/0x1c4\nCall trace:\ndquot_writeback_dquots+0x2fc/0x308\nf2fs_quota_sync+0xcc/0x1c4\nf2fs_write_checkpoint+0x3d4/0x9b0\nf2fs_issue_checkpoint+0x1bc/0x2c0\nf2fs_sync_fs+0x54/0x150\nf2fs_do_sync_file+0x2f8/0x814\n__f2fs_ioctl+0x1960/0x3244\nf2fs_ioctl+0x54/0xe0\n__arm64_sys_ioctl+0xa8/0xe4\ninvoke_syscall+0x58/0x114\n\ncheckpoint and f2fs_remount may race as below, resulting triggering warning\nin dquot_writeback_dquots().\n\natomic write                                    remount\n                                                - do_remount\n                                                 - down_write(\u0026sb-\u003es_umount);\n                                                  - f2fs_remount\n- ioctl\n - f2fs_do_sync_file\n  - f2fs_sync_fs\n   - f2fs_write_checkpoint\n    - block_operations\n     - locked = down_read_trylock(\u0026sbi-\u003esb-\u003es_umount)\n       : fail to lock due to the write lock was held by remount\n                                                 - up_write(\u0026sb-\u003es_umount);\n     - f2fs_quota_sync\n      - dquot_writeback_dquots\n       - WARN_ON_ONCE(!rwsem_is_locked(\u0026sb-\u003es_umount))\n       : trigger warning because s_umount lock was unlocked by remount\n\nIf checkpoint comes from mount/umount/remount/freeze/quotactl, caller of\ncheckpoint has already held s_umount lock, calling dquot_writeback_dquots()\nin the context should be safe.\n\nSo let\u0027s record task to sbi-\u003eumount_lock_holder, so that checkpoint can\nknow whether the lock has held in the context or not by checking current\nw/ it.\n\nIn addition, in order to not misrepresent caller of checkpoint, we should\nnot allow to trigger async checkpoint for those callers: mount/umount/remount/\nfreeze/quotactl."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:19:10.216Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d7acf0a6c87aa282c86a36dbaa2f92fda88c5884"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb85c2410d6f581e957cd03a644ff6ddbe592af9"
        }
      ],
      "title": "f2fs: quota: fix to avoid warning in dquot_writeback_dquots()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-23132",
    "datePublished": "2025-04-16T14:13:13.697Z",
    "dateReserved": "2025-01-11T14:28:41.511Z",
    "dateUpdated": "2025-05-26T05:19:10.216Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-23132\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-04-16T15:16:07.630\",\"lastModified\":\"2025-11-04T17:01:21.487\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: quota: fix to avoid warning in dquot_writeback_dquots()\\n\\nF2FS-fs (dm-59): checkpoint=enable has some unwritten data.\\n\\n------------[ cut here ]------------\\nWARNING: CPU: 6 PID: 8013 at fs/quota/dquot.c:691 dquot_writeback_dquots+0x2fc/0x308\\npc : dquot_writeback_dquots+0x2fc/0x308\\nlr : f2fs_quota_sync+0xcc/0x1c4\\nCall trace:\\ndquot_writeback_dquots+0x2fc/0x308\\nf2fs_quota_sync+0xcc/0x1c4\\nf2fs_write_checkpoint+0x3d4/0x9b0\\nf2fs_issue_checkpoint+0x1bc/0x2c0\\nf2fs_sync_fs+0x54/0x150\\nf2fs_do_sync_file+0x2f8/0x814\\n__f2fs_ioctl+0x1960/0x3244\\nf2fs_ioctl+0x54/0xe0\\n__arm64_sys_ioctl+0xa8/0xe4\\ninvoke_syscall+0x58/0x114\\n\\ncheckpoint and f2fs_remount may race as below, resulting triggering warning\\nin dquot_writeback_dquots().\\n\\natomic write                                    remount\\n                                                - do_remount\\n                                                 - down_write(\u0026sb-\u003es_umount);\\n                                                  - f2fs_remount\\n- ioctl\\n - f2fs_do_sync_file\\n  - f2fs_sync_fs\\n   - f2fs_write_checkpoint\\n    - block_operations\\n     - locked = down_read_trylock(\u0026sbi-\u003esb-\u003es_umount)\\n       : fail to lock due to the write lock was held by remount\\n                                                 - up_write(\u0026sb-\u003es_umount);\\n     - f2fs_quota_sync\\n      - dquot_writeback_dquots\\n       - WARN_ON_ONCE(!rwsem_is_locked(\u0026sb-\u003es_umount))\\n       : trigger warning because s_umount lock was unlocked by remount\\n\\nIf checkpoint comes from mount/umount/remount/freeze/quotactl, caller of\\ncheckpoint has already held s_umount lock, calling dquot_writeback_dquots()\\nin the context should be safe.\\n\\nSo let\u0027s record task to sbi-\u003eumount_lock_holder, so that checkpoint can\\nknow whether the lock has held in the context or not by checking current\\nw/ it.\\n\\nIn addition, in order to not misrepresent caller of checkpoint, we should\\nnot allow to trigger async checkpoint for those callers: mount/umount/remount/\\nfreeze/quotactl.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: f2fs: cuota: correcci\u00f3n para evitar advertencias en dquot_writeback_dquots() F2FS-fs (dm-59): checkpoint=enable tiene algunos datos no escritos. ------------[ cortar aqu\u00ed ]------------ ADVERTENCIA: CPU: 6 PID: 8013 en fs/quota/dquot.c:691 dquot_writeback_dquots+0x2fc/0x308 pc : dquot_writeback_dquots+0x2fc/0x308 lr : f2fs_quota_sync+0xcc/0x1c4 Rastreo de llamadas: dquot_writeback_dquots+0x2fc/0x308 f2fs_quota_sync+0xcc/0x1c4 f2fs_write_checkpoint+0x3d4/0x9b0 f2fs_issue_checkpoint+0x1bc/0x2c0 f2fs_sync_fs+0x54/0x150 f2fs_do_sync_file+0x2f8/0x814 __f2fs_ioctl+0x1960/0x3244 f2fs_ioctl+0x54/0xe0 __arm64_sys_ioctl+0xa8/0xe4 evolve_syscall+0x58/0x114 el punto de control y f2fs_remount pueden competir como se muestra a continuaci\u00f3n, lo que activa una advertencia en dquot_writeback_dquots(). remot de escritura at\u00f3mica - do_remount - down_write(\u0026amp;sb-\u0026gt;s_umount); - f2fs_remount - ioctl - f2fs_do_sync_file - f2fs_sync_fs - f2fs_write_checkpoint - block_operations - locking = down_read_trylock(\u0026amp;sbi-\u0026gt;sb-\u0026gt;s_umount) : no se pudo bloquear debido a que el bloqueo de escritura fue mantenido por el remot - up_write(\u0026amp;sb-\u0026gt;s_umount); - f2fs_quota_sync - dquot_writeback_dquots - WARN_ON_ONCE(!rwsem_is_locked(\u0026amp;sb-\u0026gt;s_umount)) : activa una advertencia porque el bloqueo s_umount se desbloque\u00f3 al volver a montar Si el punto de control proviene de mount/umount/remount/freeze/quotactl, el llamador del punto de control ya ha mantenido el bloqueo s_umount, llamar a dquot_writeback_dquots() en el contexto deber\u00eda ser seguro. As\u00ed que grabemos la tarea en sbi-\u0026gt;umount_lock_holder, para que el punto de control pueda saber si el bloqueo se ha mantenido en el contexto o no al verificar la corriente con \u00e9l. Adem\u00e1s, para no tergiversar la llamada del punto de control, no deber\u00edamos permitir que se active el punto de control as\u00edncrono para esos llamadores: mount/umount/remount/freeze/quotactl.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.20\",\"versionEndExcluding\":\"6.14.2\",\"matchCriteriaId\":\"0B6A4F63-7CAB-44BC-9A23-0264D67B5F15\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/d7acf0a6c87aa282c86a36dbaa2f92fda88c5884\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/eb85c2410d6f581e957cd03a644ff6ddbe592af9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.