VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 24, 2025· Updated Apr 15, 2026

CVE-2023-54068

CVE-2023-54068

Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: compress: fix to call f2fs_wait_on_page_writeback() in f2fs_write_raw_pages()

BUG_ON() will be triggered when writing files concurrently, because the same page is writtenback multiple times.

1597 void folio_end_writeback(struct folio *folio) 1598 { ...... 1618 if (!__folio_end_writeback(folio)) 1619 BUG(); ...... 1625 }

kernel BUG at mm/filemap.c:1619! Call Trace:

f2fs_write_end_io+0x1a0/0x370 blk_update_request+0x6c/0x410 blk_mq_end_request+0x15/0x130 blk_complete_reqs+0x3c/0x50 __do_softirq+0xb8/0x29b ? sort_range+0x20/0x20 run_ksoftirqd+0x19/0x20 smpboot_thread_fn+0x10b/0x1d0 kthread+0xde/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30

Below is the concurrency scenario:

[Process A] [Process B] [Process C] f2fs_write_raw_pages() - redirty_page_for_writepage() - unlock page() f2fs_do_write_data_page() - lock_page() - clear_page_dirty_for_io() - set_page_writeback() [1st writeback] ..... - unlock page()

generic_perform_write() - f2fs_write_begin() - wait_for_stable_page()

  • f2fs_write_end()
  • set_page_dirty()
  • lock_page()
  • f2fs_do_write_data_page()
  • set_page_writeback() [2st writeback]

This problem was introduced by the previous commit 7377e853967b ("f2fs: compress: fix potential deadlock of compress file"). All pagelocks were released in f2fs_write_raw_pages(), but whether the page was in the writeback state was ignored in the subsequent writing process. Let's fix it by waiting for the page to writeback before writing.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A race condition in the Linux kernel's f2fs compressed file write path can trigger a kernel BUG due to multiple writeback being started on a page already under writeback.

Vulnerability

Description

A race condition exists in the Linux kernel's f2fs filesystem when handling compressed file writes. In the function f2fs_write_raw_pages(), a previous commit (7377e853967b) released all page locks to avoid a deadlock, but failed to check whether a page was already under writeback before starting a new writeback. This can lead to set_page_writeback() being called on a page that is already in the writeback state, causing a kernel BUG in folio_end_writeback() at mm/filemap.c:1619` when the page completes writeback and the kernel detects the double writeback [1].

Exploitation

Scenario

The vulnerability can be triggered by concurrent write operations on compressed files. As described in the CVE description, three processes can race: Process A redirties and unlocks a page, Process B starts the first writeback and unlocks the page, and Process C dirties the page again. When Process A re-locks the page and attempts to write it again, it calls set_page_writeback() a second time without waiting for the first writeback to complete. This race requires local access to the filesystem and the ability to perform concurrent writes on compressed files, but no special privileges beyond normal file write permissions [1].

Impact

If successfully exploited, this race condition causes a kernel BUG, resulting in a system crash (denial of service). The kernel panics with a BUG at mm/filemap.c:1619 with the message "kernel BUG at mm/filemap.c:1619!". This can lead to system instability or a complete system hang, requiring a reboot to recover. There is no evidence of privilege escalation or data corruption beyond the immediate crash [1].

Mitigation

The fix is to call f2fs_wait_on_page_writeback() in f2fs_write_raw_pages() before starting a new writeback, ensuring that any previous writeback on the same page completes first. The patch has been applied to the Linux kernel stable tree in commit 9940877c4fe752923a53f0f7372f2f152b6eccf0 [1]. Users should update their kernel to include this fix or apply the patch if using a custom kernel. No workaround is available other than avoiding concurrent writes to compressed files, which is not practical.

References
  1. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

6
a8226a45b2a9
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
169134da419c
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
6604df2a9d07
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
9940877c4fe7
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
ad31eed06c3b
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
babedcbac164
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.