CVE-2025-68769
Description
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix return value of f2fs_recover_fsync_data()
With below scripts, it will trigger panic in f2fs:
mkfs.f2fs -f /dev/vdd mount /dev/vdd /mnt/f2fs touch /mnt/f2fs/foo sync echo 111 >> /mnt/f2fs/foo f2fs_io fsync /mnt/f2fs/foo f2fs_io shutdown 2 /mnt/f2fs umount /mnt/f2fs mount -o ro,norecovery /dev/vdd /mnt/f2fs or mount -o ro,disable_roll_forward /dev/vdd /mnt/f2fs
F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 0 F2FS-fs (vdd): Mounted with checkpoint version = 7f5c361f F2FS-fs (vdd): Stopped filesystem due to reason: 0 F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 1 Filesystem f2fs get_tree() didn't set fc->root, returned 1 ------------[ cut here ]------------ kernel BUG at fs/super.c:1761! Oops: invalid opcode: 0000 [#1] SMP PTI CPU: 3 UID: 0 PID: 722 Comm: mount Not tainted 6.18.0-rc2+ #721 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:vfs_get_tree.cold+0x18/0x1a Call Trace:
fc_mount+0x13/0xa0 path_mount+0x34e/0xc50 __x64_sys_mount+0x121/0x150 do_syscall_64+0x84/0x800 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fa6cc126cfe
The root cause is we missed to handle error number returned from f2fs_recover_fsync_data() when mounting image w/ ro,norecovery or ro,disable_roll_forward mount option, result in returning a positive error number to vfs_get_tree(), fix it.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Failure to handle error return from f2fs_recover_fsync_data() causes kernel panic on mount with ro,norecovery or ro,disable_roll_forward.
Vulnerability
In the Linux kernel's f2fs filesystem, the function f2fs_recover_fsync_data() can return a positive error number (instead of negative or zero) when the filesystem is mounted with -o ro,norecovery or -o ro,disable_roll_forward options. This occurs because the error handling path misses to convert the internal error to a proper negative errno. Consequently, vfs_get_tree() receives a positive value and triggers a kernel BUG at fs/super.c:1761, leading to a system crash.
Exploitation
The vulnerability is triggered by mounting a crafted or manipulated f2fs filesystem image with the specific read-only options. An attacker with the ability to mount a filesystem (e.g., via physical access or a malicious storage device) can cause a denial-of-service by crashing the kernel. No authentication or special privileges are required beyond mount capability.
Impact
Successful exploitation results in a kernel panic, causing a denial-of-service. The system becomes unavailable until reboot. The vulnerability affects Linux kernels prior to the fix, which was included in stable updates.
Mitigation
The fix is included in the Linux kernel stable branches. Users should update to the latest stable kernel version that contains the commit addressing this issue. There is no known workaround other than avoiding the vulnerable mount options if the kernel is unpatched.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- git.kernel.org/stable/c/01fba45deaddcce0d0b01c411435d1acf6feab7bnvd
- git.kernel.org/stable/c/0de4977a1eeafe9d77701e3c031a1bcdba389243nvd
- git.kernel.org/stable/c/4560db9678a2c5952b6205fbca468c6805c2ba2anvd
- git.kernel.org/stable/c/473550e715654ad7612aa490d583cb7c25fe2ff3nvd
- git.kernel.org/stable/c/9bc246018aaa3b46a7710428d0a2196c229f9d49nvd
- git.kernel.org/stable/c/a4c67d96f92eefcfa5596a08f069e77b743c5865nvd
- git.kernel.org/stable/c/e6ac31abd30e9fd2ef5f0819ce7f3f932be3b725nvd
News mentions
0No linked articles in our index yet.