{"id":"CVE-2025-38627","summary":"f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic\n\nThe decompress_io_ctx may be released asynchronously after\nI/O completion. If this file is deleted immediately after read,\nand the kworker of processing post_read_wq has not been executed yet\ndue to high workloads, It is possible that the inode(f2fs_inode_info)\nis evicted and freed before it is used f2fs_free_dic.\n\n    The UAF case as below:\n    Thread A                                      Thread B\n    - f2fs_decompress_end_io\n     - f2fs_put_dic\n      - queue_work\n        add free_dic work to post_read_wq\n                                                   - do_unlink\n                                                    - iput\n                                                     - evict\n                                                      - call_rcu\n    This file is deleted after read.\n\n    Thread C                                 kworker to process post_read_wq\n    - rcu_do_batch\n     - f2fs_free_inode\n      - kmem_cache_free\n     inode is freed by rcu\n                                             - process_scheduled_works\n                                              - f2fs_late_free_dic\n                                               - f2fs_free_dic\n                                                - f2fs_release_decomp_mem\n                                      read (dic-\u003einode)-\u003ei_compress_algorithm\n\nThis patch store compress_algorithm and sbi in dic to avoid inode UAF.\n\nIn addition, the previous solution is deprecated in [1] may cause system hang.\n[1] https://lore.kernel.org/all/c36ab955-c8db-4a8b-a9d0-f07b5f426c3f@kernel.org","modified":"2026-04-02T12:48:03.346551Z","published":"2025-08-22T16:00:35.856Z","related":["CGA-2523-8g49-hfj7"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38627.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/39868685c2a94a70762bc6d77dc81d781d05bff5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5d604d40cd3232b09cb339941ef958e49283ed0a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8fae5b6addd5f6895e03797b56e3c7b9f9cd15c9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cc81768212cdc509e5a986274db7bc24d18cde19"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38627.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38627"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"bff139b49d9f70c1ac5384aac94554846aa834de"},{"fixed":"5d604d40cd3232b09cb339941ef958e49283ed0a"},{"fixed":"cc81768212cdc509e5a986274db7bc24d18cde19"},{"fixed":"8fae5b6addd5f6895e03797b56e3c7b9f9cd15c9"},{"fixed":"39868685c2a94a70762bc6d77dc81d781d05bff5"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38627.json"}}],"schema_version":"1.7.5"}