CVE-2025-23132

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 16/04/2025
Last modified: 04/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: quota: fix to avoid warning in dquot_writeback_dquots()

F2FS-fs (dm-59): checkpoint=enable has some unwritten data.

------------[ cut here ]------------
WARNING: CPU: 6 PID: 8013 at fs/quota/dquot.c:691 dquot_writeback_dquots+0x2fc/0x308
pc : dquot_writeback_dquots+0x2fc/0x308
lr : f2fs_quota_sync+0xcc/0x1c4
Call trace:
dquot_writeback_dquots+0x2fc/0x308
f2fs_quota_sync+0xcc/0x1c4
f2fs_write_checkpoint+0x3d4/0x9b0
f2fs_issue_checkpoint+0x1bc/0x2c0
f2fs_sync_fs+0x54/0x150
f2fs_do_sync_file+0x2f8/0x814
__f2fs_ioctl+0x1960/0x3244
f2fs_ioctl+0x54/0xe0
__arm64_sys_ioctl+0xa8/0xe4
invoke_syscall+0x58/0x114

checkpoint and f2fs_remount may race as below, resulting triggering warning
in dquot_writeback_dquots().

atomic write                                    remount
                                                - do_remount
                                                 - down_write(&sb->s_umount);
                                                  - f2fs_remount
- ioctl
 - f2fs_do_sync_file
  - f2fs_sync_fs
   - f2fs_write_checkpoint
    - block_operations
     - locked = down_read_trylock(&sbi->sb->s_umount)
       : fail to lock due to the write lock was held by remount
                                                 - up_write(&sb->s_umount);
     - f2fs_quota_sync
      - dquot_writeback_dquots
       - WARN_ON_ONCE(!rwsem_is_locked(&sb->s_umount))
       : trigger warning because s_umount lock was unlocked by remount

If checkpoint comes from mount/umount/remount/freeze/quotactl, caller of
checkpoint has already held s_umount lock, calling dquot_writeback_dquots()
in the context should be safe.

So let's record task to sbi->umount_lock_holder, so that checkpoint can
know whether the lock has held in the context or not by checking current
w/ it.

In addition, in order to not misrepresent caller of checkpoint, we should
not allow to trigger async checkpoint for those callers: mount/umount/remount/
freeze/quotactl.

Vulnerable products and versions

CPE                                            From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   4.20 (including)  6.14.2 (excluding)