{"id":"CVE-2023-53829","summary":"f2fs: flush inode if atomic file is aborted","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: flush inode if atomic file is aborted\n\nLet's flush the inode being aborted atomic operation to avoid stale dirty\ninode during eviction in this call stack:\n\n  f2fs_mark_inode_dirty_sync+0x22/0x40 [f2fs]\n  f2fs_abort_atomic_write+0xc4/0xf0 [f2fs]\n  f2fs_evict_inode+0x3f/0x690 [f2fs]\n  ? sugov_start+0x140/0x140\n  evict+0xc3/0x1c0\n  evict_inodes+0x17b/0x210\n  generic_shutdown_super+0x32/0x120\n  kill_block_super+0x21/0x50\n  deactivate_locked_super+0x31/0x90\n  cleanup_mnt+0x100/0x160\n  task_work_run+0x59/0x90\n  do_exit+0x33b/0xa50\n  do_group_exit+0x2d/0x80\n  __x64_sys_exit_group+0x14/0x20\n  do_syscall_64+0x3b/0x90\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThis triggers f2fs_bug_on() in f2fs_evict_inode:\n f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE));\n\nThis fixes the syzbot report:\n\nloop0: detected capacity change from 0 to 131072\nF2FS-fs (loop0): invalid crc value\nF2FS-fs (loop0): Found nat_bits in checkpoint\nF2FS-fs (loop0): Mounted with checkpoint version = 48b305e4\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/inode.c:869!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 0 PID: 5014 Comm: syz-executor220 Not tainted 6.4.0-syzkaller-11479-g6cd06ab12d1a #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023\nRIP: 0010:f2fs_evict_inode+0x172d/0x1e00 fs/f2fs/inode.c:869\nCode: ff df 48 c1 ea 03 80 3c 02 00 0f 85 6a 06 00 00 8b 75 40 ba 01 00 00 00 4c 89 e7 e8 6d ce 06 00 e9 aa fc ff ff e8 63 22 e2 fd \u003c0f\u003e 0b e8 5c 22 e2 fd 48 c7 c0 a8 3a 18 8d 48 ba 00 00 00 00 00 fc\nRSP: 0018:ffffc90003a6fa00 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000\nRDX: ffff8880273b8000 RSI: ffffffff83a2bd0d RDI: 0000000000000007\nRBP: ffff888077db91b0 R08: 0000000000000007 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000001 R12: ffff888029a3c000\nR13: ffff888077db9660 R14: ffff888029a3c0b8 R15: ffff888077db9c50\nFS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1909bb9000 CR3: 00000000276a9000 CR4: 0000000000350ef0\nCall Trace:\n \u003cTASK\u003e\n evict+0x2ed/0x6b0 fs/inode.c:665\n dispose_list+0x117/0x1e0 fs/inode.c:698\n evict_inodes+0x345/0x440 fs/inode.c:748\n generic_shutdown_super+0xaf/0x480 fs/super.c:478\n kill_block_super+0x64/0xb0 fs/super.c:1417\n kill_f2fs_super+0x2af/0x3c0 fs/f2fs/super.c:4704\n deactivate_locked_super+0x98/0x160 fs/super.c:330\n deactivate_super+0xb1/0xd0 fs/super.c:361\n cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1254\n task_work_run+0x16f/0x270 kernel/task_work.c:179\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0xa9a/0x29a0 kernel/exit.c:874\n do_group_exit+0xd4/0x2a0 kernel/exit.c:1024\n __do_sys_exit_group kernel/exit.c:1035 [inline]\n __se_sys_exit_group kernel/exit.c:1033 [inline]\n __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1033\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f309be71a09\nCode: Unable to access opcode bytes at 0x7f309be719df.\nRSP: 002b:00007fff171df518 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 00007f309bef7330 RCX: 00007f309be71a09\nRDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001\nRBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007f309bef1e40\nR10: 0000000000010600 R11: 0000000000000246 R12: 00007f309bef7330\nR13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n \u003c/TASK\u003e\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:f2fs_evict_inode+0x172d/0x1e00 fs/f2fs/inode.c:869\nCode: ff df 48 c1 ea 03 80 3c 02 00 0f 85 6a 06 00 00 8b 75 40 ba 01 00 00 00 4c 89 e7 e8 6d ce 06 00 e9 aa fc ff ff e8 63 22 e2 fd \u003c0f\u003e 0b e8 5c 22 e2 fd 48 c7 c0 a8 3a 18 8d 48 ba 00 00 00 00 00 fc\nRSP: 0018:ffffc90003a6fa00 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000\n---truncated---","modified":"2026-04-02T09:45:21.893768Z","published":"2025-12-09T01:29:43.645Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53829.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1c64dbe8fa3552a340bca6d7fa09468c16ed2a85"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a3ab55746612247ce3dcaac6de66f5ffc055b9df"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bfa7853bb47fee0c17030b377c98cf4ede47ba33"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53829.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53829"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"98e4da8ca301e062d79ae168c67e56f3c3de3ce4"},{"fixed":"1c64dbe8fa3552a340bca6d7fa09468c16ed2a85"},{"fixed":"bfa7853bb47fee0c17030b377c98cf4ede47ba33"},{"fixed":"a3ab55746612247ce3dcaac6de66f5ffc055b9df"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53829.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.8.0"},{"fixed":"6.1.54"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.5.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53829.json"}}],"schema_version":"1.7.5"}