CVE-2023-54124
Description
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to drop all dirty pages during umount() if cp_error is set
xfstest generic/361 reports a bug as below:
    f2fs_bug_on(sbi, sbi->fsync_node_num);

    kernel BUG at fs/f2fs/super.c:1627!
    RIP: 0010:f2fs_put_super+0x3a8/0x3b0
    Call Trace:
     generic_shutdown_super+0x8c/0x1b0
     kill_block_super+0x2b/0x60
     kill_f2fs_super+0x87/0x110
     deactivate_locked_super+0x39/0x80
     deactivate_super+0x46/0x50
     cleanup_mnt+0x109/0x170
     __cleanup_mnt+0x16/0x20
     task_work_run+0x65/0xa0
     exit_to_user_mode_prepare+0x175/0x190
     syscall_exit_to_user_mode+0x25/0x50
     do_syscall_64+0x4c/0x90
     entry_SYSCALL_64_after_hwframe+0x72/0xdc
During umount(), if cp_error is set, f2fs_wait_on_all_pages() should not stop waiting for all F2FS_WB_CP_DATA pages to be written back; otherwise, fsync_node_num can be non-zero after f2fs_wait_on_all_pages(), causing this bug.
In this case, to avoid deadloop in f2fs_wait_on_all_pages(), it needs to drop all dirty pages rather than redirtying them.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A kernel panic in f2fs during unmount occurs when cp_error is set, because dirty pages are not properly dropped, leaving fsync_node_num non-zero.
Vulnerability
Description
In the Linux kernel's f2fs filesystem, a bug was found where during unmount (umount) if the checkpoint error (cp_error) flag is set, the function f2fs_wait_on_all_pages() does not correctly handle all F2FS_WB_CP_DATA pages. This leads to a kernel BUG at f2fs_put_super because fsync_node_num remains non-zero after waiting for page writeback, as reported by xfstest generic/361 [1][2].
Exploitation
An attacker with local access and the ability to trigger a checkpoint error on an f2fs filesystem (e.g., through a storage device failure or by corrupting the filesystem metadata) can cause the system to panic during unmount. No special privileges beyond the ability to mount and unmount the filesystem are required, but the attack surface is limited to scenarios where the filesystem is in an error state.
Impact
Successful exploitation results in a kernel panic (BUG_ON), leading to a denial of service (system crash) when the filesystem is unmounted. This can disrupt system availability and potentially cause data loss if the filesystem is not cleanly unmounted.
Mitigation
The fix, committed in the Linux kernel stable tree, ensures that when cp_error is set, all dirty pages are dropped instead of being redirtied, preventing the deadloop and the subsequent BUG. Users should apply the kernel patch referenced in the commit IDs [1][2] to resolve the issue.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/4ceedc2f8bdffb82e40b7d1bb912304f8e157cb1 (nvd)
- git.kernel.org/stable/c/7741ddc882a0c806a6508ba8203c55a779db7a21 (nvd)
- git.kernel.org/stable/c/82c3d6e9db41cbd3af1d4f90bdb441740b5fad10 (nvd)
- git.kernel.org/stable/c/92575f05a32dafb16348bfa5e62478118a9be069 (nvd)
- git.kernel.org/stable/c/ad87bd313f70b51e48019d5ce2d02d73152356b3 (nvd)
- git.kernel.org/stable/c/c9b3649a934d131151111354bcbb638076f03a30 (nvd)
- git.kernel.org/stable/c/d8f4ad5f3979dbd8e6251259562f12472717883a (nvd)