CVE-2025-71069
Description
In the Linux kernel, the following vulnerability has been resolved:
f2fs: invalidate dentry cache on failed whiteout creation
F2FS can mount filesystems with corrupted directory depth values that get runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT operations are performed on such directories, f2fs_rename performs directory modifications (updating target entry and deleting source entry) before attempting to add the whiteout entry via f2fs_add_link.
If f2fs_add_link fails due to the corrupted directory structure, the function returns an error to VFS, but the partial directory modifications have already been committed to disk. VFS assumes the entire rename operation failed and does not update the dentry cache, leaving stale mappings.
In the error path, VFS does not call d_move() to update the dentry cache. This results in new_dentry still pointing to the old inode (new_inode) which has already had its i_nlink decremented to zero. The stale cache causes subsequent operations to incorrectly reference the freed inode.
This causes subsequent operations to use cached dentry information that no longer matches the on-disk state. When a second rename targets the same entry, VFS attempts to decrement i_nlink on the stale inode, which may already have i_nlink=0, triggering a WARNING in drop_nlink().
Example sequence: 1. First rename (RENAME_WHITEOUT): file2 → file1 - f2fs updates file1 entry on disk (points to inode 8) - f2fs deletes file2 entry on disk - f2fs_add_link(whiteout) fails (corrupted directory) - Returns error to VFS - VFS does not call d_move() due to error - VFS cache still has: file1 → inode 7 (stale!) - inode 7 has i_nlink=0 (already decremented)
2. Second rename: file3 → file1 - VFS uses stale cache: file1 → inode 7 - Tries to drop_nlink on inode 7 (i_nlink already 0) - WARNING in drop_nlink()
Fix this by explicitly invalidating old_dentry and new_dentry when f2fs_add_link fails during whiteout creation. This forces VFS to refresh from disk on subsequent operations, ensuring cache consistency even when the rename partially succeeds.
Reproducer: 1. Mount F2FS image with corrupted i_current_depth 2. renameat2(file2, file1, RENAME_WHITEOUT) 3. renameat2(file3, file1, 0) 4. System triggers WARNING in drop_nlink()
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
F2FS rename-with-whiteout can leave stale dentries and corrupt inodes when directory structure is corrupted, leading to kernel-wide.
Root
Cause
CVE-2025-71069 describes a race in the Linux kernel's F2FS filesystem where a failed whiteout creation during rename can corrupt the dentry cache. When f2fs_rename performs a RENAME_WHITEOUT operation on a directory with a corrupted depth value (clamped to MAX_DIR_HASH_DEPTH), the function modifies directory entries (updating target, deleting source) *before* calling f2fs_add_link for the whiteout. If f2fs_add_link fails due to the corrupted structure, the partial disk modifications remain committed, but VFS treats the entire rename as failed and does not call d_move(), leaving the dentry cache stale dentry cache mappings intact [CVE description].
Exploitation and
Attack Surface
No authentication or special privileges are needed beyond the ability to trigger a rename with whiteout on a mounted F2FS volume that has a corrupted directory depth value. The attack surface is local; an unprivileged user could exploit this by crafting a filesystem image with the required corruption and mounting it, then performing a sequence of rename operations. The stale dentry cache means that a subsequent rename targeting the same name will use the old dentry that still references a freed inode (its i_nlink already decremented to zero). This leads to drop_nlink() being called on an inode with i_nlink == 0, triggering a kernel WARNING and potentially leading to further inode corruption [1][2][3][4].
Impact
The impact is a denial-of-service (kernel WARNING) and possible data corruption on the F2FS filesystem. An attacker who can trigger this scenario could cause a system crash or destabilize the filesystem state. There is no indication of privilege escalation or remote exploitation.
Mitigation
The fix, committed to the Linux kernel stable branches, explicitly invalidates old_dentry and new_dentry and new_dentry in the error path when f2fs_add_link fails during whiteout creation [1]. This forces VFS to reload the dentry from disk on subsequent accesses, preventing the stale reference the correct inode, and avoid the stale state. Users should apply the relevant stable kernel patch (4 commits: d33f89b34aa3, c89845fae250, 64587ab4d1f16, 0dde30753c1e`) or update to a kernel version containing the fix [1][2][3][4]. No workaround is available; patching is required.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- git.kernel.org/stable/c/0dde30753c1e8648665dbe069d814e540ce2fd37nvd
- git.kernel.org/stable/c/3d65e27e57aaa9d66709fda4cbfb62a87c04a3f5nvd
- git.kernel.org/stable/c/3d95ed8cf980fdfa67a3ab9491357521ae576168nvd
- git.kernel.org/stable/c/64587ab4d1f16fc94f70e04fa87b2e3f69f8a7bbnvd
- git.kernel.org/stable/c/7f2bae0c881aa1e0a6318756df692cc13df2cc83nvd
- git.kernel.org/stable/c/c89845fae250efdd59c1d4ec60e9e1c652cee4b6nvd
- git.kernel.org/stable/c/d33f89b34aa313f50f9a512d58dd288999f246b0nvd
News mentions
0No linked articles in our index yet.