VYPR
Unrated severity · NVD Advisory · Published Jan 13, 2026 · Updated Apr 15, 2026

CVE-2025-68772

Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid updating compression context during writeback

Bai, Shuangpeng <sjb7183@psu.edu> reported a bug as below:

Oops: divide error: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 11441 Comm: syz.0.46 Not tainted 6.17.0 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:f2fs_all_cluster_page_ready+0x106/0x550 fs/f2fs/compress.c:857
Call Trace:
 f2fs_write_cache_pages fs/f2fs/data.c:3078 [inline]
 __f2fs_write_data_pages fs/f2fs/data.c:3290 [inline]
 f2fs_write_data_pages+0x1c19/0x3600 fs/f2fs/data.c:3317
 do_writepages+0x38e/0x640 mm/page-writeback.c:2634
 filemap_fdatawrite_wbc mm/filemap.c:386 [inline]
 __filemap_fdatawrite_range mm/filemap.c:419 [inline]
 file_write_and_wait_range+0x2ba/0x3e0 mm/filemap.c:794
 f2fs_do_sync_file+0x6e6/0x1b00 fs/f2fs/file.c:294
 generic_write_sync include/linux/fs.h:3043 [inline]
 f2fs_file_write_iter+0x76e/0x2700 fs/f2fs/file.c:5259
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x7e9/0xe00 fs/read_write.c:686
 ksys_write+0x19d/0x2d0 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xf7/0x470 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The bug was triggered w/ below race condition:

fsync                                            setattr                     ioctl
- f2fs_do_sync_file
 - file_write_and_wait_range
  - f2fs_write_cache_pages
  : inode is non-compressed
  : cc.cluster_size = F2FS_I(inode)->i_cluster_size = 0
   - tag_pages_for_writeback
                                                 - f2fs_setattr
                                                  - truncate_setsize
                                                   - f2fs_truncate
                                                                             - f2fs_fileattr_set
                                                                              - f2fs_setflags_common
                                                                               - set_compress_context
                                                                               : F2FS_I(inode)->i_cluster_size = 4
                                                                               : set_inode_flag(inode, FI_COMPRESSED_FILE)
   - f2fs_compressed_file
   : return true
   - f2fs_all_cluster_page_ready
   : "pgidx % cc->cluster_size" trigger dividing 0 issue

Let's change as below to fix this issue:
- introduce a new atomic type variable .writeback in structure f2fs_inode_info to track the number of threads which are calling f2fs_write_cache_pages().
- use .i_sem lock to protect .writeback update.
- check .writeback before updating compression context in f2fs_setflags_common() to avoid race w/ ->writepages.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Race condition in Linux kernel f2fs filesystem leads to divide-by-zero crash during writeback when compression context is updated concurrently.

Vulnerability

Details

A race condition exists in the Linux kernel's f2fs filesystem where a divide-by-zero error can occur during writeback. The issue arises when the compression context (cluster size) is changed while a writeback operation is in progress. As described in the CVE, a sequence of fsync, setattr, and ioctl operations can cause f2fs_all_cluster_page_ready to divide by a zero cluster_size, leading to an Oops [1].

Exploitation

To trigger this bug, an attacker needs a carefully timed sequence. One thread enters f2fs_write_cache_pages (for example via fsync) on a file that is not yet compressed, so the compression context it builds snapshots cc.cluster_size = 0 from the inode. While that thread is still tagging pages for writeback, a second thread truncates the file (setattr; compression can only be enabled on a file with no allocated blocks) and then enables compression on it through the file-attribute ioctl path (f2fs_fileattr_set, f2fs_setflags_common, set_compress_context), which sets i_cluster_size to 4 and the FI_COMPRESSED_FILE flag. When the writeback thread resumes, f2fs_compressed_file() now returns true, so it calls f2fs_all_cluster_page_ready() and evaluates pgidx % cc->cluster_size with the stale zero divisor.

Impact

Successful exploitation crashes the kernel (Oops), a denial of service. The trigger is available to a local user who can write to and fsync a file on an f2fs filesystem and change its attributes, including enabling compression on it (which requires the filesystem's compression feature to be enabled). Nothing in the description indicates privilege escalation or memory corruption; the impact is system unavailability.

Mitigation

The fix adds an atomic counter, .writeback, to struct f2fs_inode_info. f2fs_write_cache_pages() increments it on entry and decrements it on exit, with the update protected by the inode's i_sem lock, and f2fs_setflags_common() checks the counter before updating the compression context, so the cluster size cannot change underneath a writeback that has already snapshotted it. The patch is available in Linux kernel stable branches and should be applied to affected systems.
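To make the race and the guard concrete, here is a single-threaded userspace replay of the interleaving from the commit message. It is an added example, not kernel code: struct inode_info, struct compress_ctx, the i_sem stubs and the function names are hypothetical stand-ins for the f2fs counterparts named above, the model returns -1 where the kernel would execute "pgidx % 0", and the -EBUSY return from the guarded setflags path is this model's choice (the page does not state which errno upstream uses).

```c
/* Model of the f2fs writeback/setflags race and the writeback-counter guard.
 * Added example; names are stand-ins for the f2fs functions in the trace. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define FI_COMPRESSED_FILE 0x1u

struct inode_info {
    unsigned int flags;          /* FI_* flags; only FI_COMPRESSED_FILE matters here */
    unsigned int i_cluster_size; /* 0 while the inode is non-compressed */
    int writeback;               /* threads inside write_cache_pages (the fix's counter) */
    bool i_sem;                  /* stand-in for the i_sem lock guarding the fields above */
};

/* Per-writeback compression context: a one-time snapshot of the cluster size. */
struct compress_ctx {
    unsigned int cluster_size;
};

static void i_sem_lock(struct inode_info *fi)   { fi->i_sem = true; }
static void i_sem_unlock(struct inode_info *fi) { fi->i_sem = false; }

static bool compressed_file(const struct inode_info *fi)
{
    return (fi->flags & FI_COMPRESSED_FILE) != 0;
}

/* Writeback entry. Both versions snapshot cluster_size exactly once. */
static void write_cache_pages_begin(struct inode_info *fi, struct compress_ctx *cc, bool patched)
{
    if (patched) {                 /* fix: announce the writeback before snapshotting */
        i_sem_lock(fi);
        fi->writeback++;
        i_sem_unlock(fi);
    }
    cc->cluster_size = fi->i_cluster_size;
}

static void write_cache_pages_end(struct inode_info *fi, bool patched)
{
    if (patched) {
        i_sem_lock(fi);
        fi->writeback--;
        i_sem_unlock(fi);
    }
}

/* The divide site (f2fs_all_cluster_page_ready in the Oops). Returns -1 where
 * the kernel would compute "pgidx % 0", so the model stays well defined. */
static int all_cluster_page_ready(const struct inode_info *fi,
                                  const struct compress_ctx *cc, unsigned long pgidx)
{
    if (!compressed_file(fi))
        return 1;                  /* non-compressed inode: cc is never consulted */
    if (cc->cluster_size == 0)
        return -1;                 /* stale snapshot taken while non-compressed */
    return (pgidx % cc->cluster_size) == 0;
}

/* Enabling compression via setflags. The patched path refuses while any
 * writeback holds a snapshot. -EBUSY is a modelling choice, not from the page. */
static int setflags_enable_compress(struct inode_info *fi, bool patched)
{
    i_sem_lock(fi);
    if (patched && fi->writeback) {
        i_sem_unlock(fi);
        return -EBUSY;
    }
    fi->i_cluster_size = 4;        /* set_compress_context() */
    fi->flags |= FI_COMPRESSED_FILE;
    i_sem_unlock(fi);
    return 0;
}

/* Replays the interleaving from the commit message on a fresh, non-compressed
 * inode and returns all_cluster_page_ready()'s result; *setflags_rc receives
 * the racing ioctl's return value. */
static int replay_race(bool patched, int *setflags_rc)
{
    struct inode_info fi = { 0 };
    struct compress_ctx cc;
    int ready;

    write_cache_pages_begin(&fi, &cc, patched);             /* fsync thread: cc.cluster_size = 0 */
    *setflags_rc = setflags_enable_compress(&fi, patched);  /* ioctl thread races in */
    ready = all_cluster_page_ready(&fi, &cc, 7);            /* fsync thread continues */
    write_cache_pages_end(&fi, patched);
    return ready;
}

int main(void)
{
    int rc;
    int r = replay_race(false, &rc);
    printf("unpatched: setflags=%d ready=%d%s\n", rc, r, r < 0 ? " (would divide by zero)" : "");
    r = replay_race(true, &rc);
    printf("patched:   setflags=%d ready=%d\n", rc, r);
    return 0;
}
```

The point the replay makes is that the divisor is a snapshot, not a live read: locking around set_compress_context alone would not help, because the writeback thread already copied i_clu_size = 0 before the ioctl ran. The counter turns that snapshot into something the setflags path can see and refuse to invalidate.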

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)