CVE-2025-23130 in Linuxinfo

Summary

by MITRE • 04/16/2025

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid panic once fallocation fails for pinfile

syzbot reports a f2fs bug as below:

------------[ cut here ]------------
kernel BUG at fs/f2fs/segment.c:2746!
CPU: 0 UID: 0 PID: 5323 Comm: syz.0.0 Not tainted 6.13.0-rc2-syzkaller-00018-g7cb1b4663150 #0
RIP: 0010:get_new_segment fs/f2fs/segment.c:2746 [inline]
RIP: 0010:new_curseg+0x1f52/0x1f70 fs/f2fs/segment.c:2876
Call Trace:
 <TASK>
 __allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3210
 f2fs_allocate_new_section fs/f2fs/segment.c:3224 [inline]
 f2fs_allocate_pinning_section+0xfa/0x4e0 fs/f2fs/segment.c:3238
 f2fs_expand_inode_data+0x696/0xca0 fs/f2fs/file.c:1830
 f2fs_fallocate+0x537/0xa10 fs/f2fs/file.c:1940
 vfs_fallocate+0x569/0x6e0 fs/open.c:327
 do_vfs_ioctl+0x258c/0x2e40 fs/ioctl.c:885
 __do_sys_ioctl fs/ioctl.c:904 [inline]
 __se_sys_ioctl+0x80/0x170 fs/ioctl.c:892
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Concurrent pinfile allocation may run out of free sections, resulting in a panic in get_new_segment(); let's expand pin_sem lock coverage to include f2fs_gc(), so that we can make sure to reclaim enough free space for the following allocation.

In addition, make the changes below to enhance error path handling:
- call f2fs_bug_on() only in the non-pinfile allocation path in get_new_segment().
- call reset_curseg_fields() to reset all fields of curseg in new_curseg().


Analysis

by VulDB Data Team • 02/15/2026

CVE-2025-23130 affects the f2fs (Flash-Friendly File System) implementation in the Linux kernel, specifically the segment allocator in fs/f2fs/segment.c. When several fallocate() calls on pinned files run concurrently, the volume can run out of free sections between the point where one caller decides whether garbage collection is needed and the point where it actually takes a section; the allocation then fails inside get_new_segment(), which at the time treated an empty free-section map as an impossible state and hit f2fs_bug_on(), crashing the kernel (kernel BUG at fs/f2fs/segment.c:2746). This is exhaustion of on-disk free sections, not a memory-allocation failure. The syzbot report shows the full path: an ioctl that forwards to vfs_fallocate() enters f2fs_fallocate(), f2fs_expand_inode_data() and f2fs_allocate_pinning_section(), which goes through new_curseg() into get_new_segment(), where the BUG fires.

The root cause is insufficient lock coverage. Before the fix, the garbage-collection step that makes room for a pinned allocation (f2fs_gc()) ran outside the pin_sem lock, while the section allocation itself ran under it. Two pinfile allocators could therefore both observe enough free sections, or both run GC, after which the first consumed the last free section under the lock and the second, also under the lock, found none. The allocator's error branch assumed this could not happen and called f2fs_bug_on(), turning a recoverable out-of-space condition into a kernel panic. VulDB classifies the weakness as CWE-362 (race condition); in practice it is a time-of-check to time-of-use gap across a lock boundary in file-system segment management, not a memory-safety bug. The impact is denial of service: the crash sits on a hot path of the file system and takes the whole machine down, but nothing on this page points to memory corruption or to a code-execution primitive.

The operational impact is loss of availability. A kernel BUG halts the whole machine, not just the offending process, so any dirty data still in the page cache is lost and the host needs a reboot, manual or via a watchdog. f2fs is used mainly on flash-backed storage in Android and other embedded devices, so the population of affected systems is large, but the trigger is specific: a local process must be able to mark a file as pinned and then grow it with fallocate (or the ioctl that forwards to vfs_fallocate()) on an f2fs volume, and the crash needs two such allocations to race for the last free section, which is what syzbot's concurrent fuzzing produced. The path is shared with ordinary preallocation, so a legitimate workload that pins and preallocates files (pinning keeps a file's blocks in place so that GC does not relocate them) can hit it with no attacker involved. In ATT&CK terms the only impact this page supports is endpoint denial of service; nothing here indicates that the crash state can be leveraged for anything further. The low EPSS score and the absence of a KEV entry are consistent with that.

The fix has three parts, all visible in the commit message. First, pin_sem is held across f2fs_gc() as well as the allocation, so a pinfile allocator that decides it must reclaim space does so without another pinfile allocator consuming the reclaimed sections in between; the reclaim and the allocation become one critical section, which removes the race. Second, get_new_segment() calls f2fs_bug_on() only on the non-pinfile path, so a pinfile allocation that still finds no free section returns an error to fallocate instead of asserting; a full volume is a legitimate outcome for the pinfile path and must not be treated as a violated kernel invariant. Third, new_curseg() calls reset_curseg_fields() so that every field of the current segment is reset when an allocation is abandoned, leaving no stale curseg state for the next allocation to trip over. To check whether a system is fixed, confirm that the running kernel carries the commit titled "f2fs: fix to avoid panic once fallocation fails for pinfile" (stable and distribution kernels list it under CVE-2025-23130 in their changelogs); the page lists no workaround, so updating the kernel is the remediation.
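The race from the root-cause paragraph and the two-part fix from the paragraph above, as an added example in C that is not kernel code and not part of this page's original content. It is a deterministic user-space model: two tasks each try to take one pinned section from a volume that has one free section and one section GC could still reclaim. Only the names f2fs_gc, get_new_segment and pin_sem are borrowed from f2fs; struct sb, the OP_* program, the one-section threshold standing in for has_not_enough_free_secs(), and run_scenario() are this example's own assumptions, and nothing here touches a real f2fs volume.

```c
/* Added example, not kernel code: a deterministic model of the pinfile
 * allocation race. All names except the borrowed f2fs ones are invented. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define PANIC (-1000)  /* f2fs_bug_on() fired: the kernel is gone */
#define NTASKS 2
#define NOPS 4

struct sb {
	int free_secs;     /* free sections on the volume (modelled) */
	int reclaimable;   /* sections f2fs_gc() could still free (modelled) */
	int pin_sem_owner; /* modelled pin_sem: -1 when free, else task id */
};

enum op { OP_LOCK, OP_CHECK, OP_ALLOC, OP_UNLOCK };

/* Before the fix: free-space check and f2fs_gc() run outside pin_sem. */
static const enum op buggy_prog[NOPS] = { OP_CHECK, OP_LOCK, OP_ALLOC, OP_UNLOCK };
/* After the fix: pin_sem covers the check and f2fs_gc() as well. */
static const enum op fixed_prog[NOPS] = { OP_LOCK, OP_CHECK, OP_ALLOC, OP_UNLOCK };

/* Foreground GC: reclaim one section if anything reclaimable is left. */
static void f2fs_gc(struct sb *sb)
{
	if (sb->reclaimable > 0) {
		sb->reclaimable--;
		sb->free_secs++;
	}
}

/* Failure branch of get_new_segment(): the old code asserted unconditionally;
 * the fixed code asserts only off the pinfile path and hands the pinfile
 * caller an error instead (-ENOSPC is this model's choice of errno). */
static int get_new_segment(struct sb *sb, bool pinning, bool fixed_bug_on)
{
	if (sb->free_secs == 0)
		return (fixed_bug_on && pinning) ? -ENOSPC : PANIC;
	sb->free_secs--;
	return 0;
}

/* Round-robin scheduler: each task advances one op per round; a task that
 * cannot take pin_sem retries next round. Returns PANIC, the worst errno
 * seen, or 0 when every task got its section. */
static int simulate(struct sb *sb, bool fixed_locking, bool fixed_bug_on)
{
	const enum op *prog = fixed_locking ? fixed_prog : buggy_prog;
	int pc[NTASKS] = { 0 }, worst = 0;

	for (;;) {
		bool all_done = true;
		for (int i = 0; i < NTASKS; i++) {
			int ret;
			if (pc[i] >= NOPS)
				continue;
			all_done = false;
			switch (prog[pc[i]]) {
			case OP_LOCK:
				if (sb->pin_sem_owner != -1)
					continue; /* blocked on pin_sem */
				sb->pin_sem_owner = i;
				break;
			case OP_CHECK:
				if (sb->free_secs < 1) /* has_not_enough_free_secs() */
					f2fs_gc(sb);
				break;
			case OP_ALLOC:
				ret = get_new_segment(sb, true, fixed_bug_on);
				if (ret == PANIC)
					return PANIC;
				if (ret < 0)
					worst = ret;
				break;
			case OP_UNLOCK:
				sb->pin_sem_owner = -1;
				break;
			}
			pc[i]++;
		}
		if (all_done)
			return worst;
	}
}

/* Two concurrent pinfile allocations on a volume with free_secs free
 * sections and reclaimable sections that GC could still recover. */
static int run_scenario(bool fixed_locking, bool fixed_bug_on,
			int free_secs, int reclaimable)
{
	struct sb sb = { free_secs, reclaimable, -1 };
	return simulate(&sb, fixed_locking, fixed_bug_on);
}

int main(void)
{
	printf("old locking, old BUG_ON     : %d (PANIC is %d)\n",
	       run_scenario(false, false, 1, 1), PANIC);
	printf("old locking, fixed BUG_ON   : %d (-ENOSPC is %d)\n",
	       run_scenario(false, true, 1, 1), -ENOSPC);
	printf("fixed locking, fixed BUG_ON : %d\n", run_scenario(true, true, 1, 1));
	return 0;
}
```

With the old locking both tasks pass the free-space check while one section is still free, the first takes it under pin_sem and the second hits the empty map: the old assertion panics, the fixed assertion returns an error. With the lock extended over the check and GC, the second task sees the volume empty only after the first has released the lock, runs GC, reclaims the spare section and succeeds; when nothing is reclaimable it gets the error instead of a panic, which is the reason the commit changes both the locking and the f2fs_bug_on() condition.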

Responsible

Linux

Reservation

01/11/2025

Disclosure

04/16/2025

Moderation

accepted

CPE

ready

EPSS

0.00154

KEV

no

Activities

very low

Sources
