CVE-2025-38627

Severity (CVSS v4.0): Pending analysis
Type: CWE-416 Use After Free
Publication date: 22/08/2025
Last modified: 01/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic

The decompress_io_ctx may be released asynchronously after
I/O completion. If this file is deleted immediately after read,
and the kworker processing post_read_wq has not been executed yet
due to high workloads, it is possible that the inode (f2fs_inode_info)
is evicted and freed before it is used in f2fs_free_dic.

The UAF case is as below:

Thread A                               Thread B
- f2fs_decompress_end_io
 - f2fs_put_dic
  - queue_work
    add free_dic work to post_read_wq
                                       - do_unlink
                                        - iput
                                         - evict
                                          - call_rcu
                                       This file is deleted after read.

Thread C                               kworker to process post_read_wq
- rcu_do_batch
 - f2fs_free_inode
  - kmem_cache_free
    inode is freed by rcu
                                       - process_scheduled_works
                                        - f2fs_late_free_dic
                                         - f2fs_free_dic
                                          - f2fs_release_decomp_mem
                                            read (dic->inode)->i_compress_algorithm

This patch stores compress_algorithm and sbi in dic to avoid the inode UAF.

In addition, the previous solution, which is deprecated in [1], may cause a system hang.
[1] https://lore.kernel.org/all/c36ab955-c8db-4a8b-a9d0-f07b5f426c3f@kernel.org
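The ordering above, as an added user-space model that is not kernel code: a deferred "free dic" step runs after the inode it borrowed has been evicted. The inode is poisoned instead of really freed so the program stays well-defined; struct and function names are simplified stand-ins for the f2fs structures, and the fixed design copies compress_algorithm and sbi into the dic as the patch describes.

```c
#include <string.h>

#define POISON 0xff   /* models a recycled slab object after RCU free */

struct sbi { int id; };                 /* stand-in for struct f2fs_sb_info */

struct inode_info {                     /* stand-in for struct f2fs_inode_info */
    unsigned char i_compress_algorithm;
    struct sbi *sbi;
};

/* Before the fix: the dic only borrows a pointer to the inode. */
struct dic_old { struct inode_info *inode; };

/* After the fix: the dic owns copies of what f2fs_free_dic needs. */
struct dic_new { unsigned char compress_algorithm; struct sbi *sbi; };

/* Thread B: do_unlink -> iput -> evict -> call_rcu; the RCU callback frees
 * the inode. Modelled by poisoning it rather than freeing it. */
static void evict_inode(struct inode_info *inode)
{
    memset(inode, POISON, sizeof(*inode));
}

/* Thread C, old path: f2fs_free_dic reads through dic->inode (dangling). */
static int free_dic_old(const struct dic_old *dic)
{
    return dic->inode->i_compress_algorithm;
}

/* Thread C, fixed path: no inode dereference at all. */
static int free_dic_new(const struct dic_new *dic)
{
    return dic->compress_algorithm;
}

/* Drives both designs through the same race: read completes, the file is
 * unlinked and evicted, then the deferred free_dic work finally runs.
 * Returns 1 only if the old design observes poison (0xff) while the
 * fixed design still sees the original algorithm value (2). */
int race_model(void)
{
    struct sbi sb = { .id = 1 };
    struct inode_info inode = { .i_compress_algorithm = 2, .sbi = &sb };
    struct dic_old old = { .inode = &inode };
    struct dic_new fixed = { .compress_algorithm = inode.i_compress_algorithm,
                             .sbi = inode.sbi };   /* snapshot at dic creation */

    evict_inode(&inode);                    /* Thread B wins the race */
    return free_dic_old(&old) == POISON && free_dic_new(&fixed) == 2;
}
```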

Vulnerable products and versions

CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
From: 6.0 (including)
Up to: 6.16.1 (excluding)