{ "threat_severity" : "Moderate", "public_date" : "2025-04-16T00:00:00Z", "bugzilla" : { "description" : "kernel: f2fs: quota: fix to avoid warning in dquot_writeback_dquots()", "id" : "2360191", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2360191" }, "cvss3" : { "cvss3_base_score" : "4.7", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-362", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nf2fs: quota: fix to avoid warning in dquot_writeback_dquots()\nF2FS-fs (dm-59): checkpoint=enable has some unwritten data.\n------------[ cut here ]------------\nWARNING: CPU: 6 PID: 8013 at fs/quota/dquot.c:691 dquot_writeback_dquots+0x2fc/0x308\npc : dquot_writeback_dquots+0x2fc/0x308\nlr : f2fs_quota_sync+0xcc/0x1c4\nCall trace:\ndquot_writeback_dquots+0x2fc/0x308\nf2fs_quota_sync+0xcc/0x1c4\nf2fs_write_checkpoint+0x3d4/0x9b0\nf2fs_issue_checkpoint+0x1bc/0x2c0\nf2fs_sync_fs+0x54/0x150\nf2fs_do_sync_file+0x2f8/0x814\n__f2fs_ioctl+0x1960/0x3244\nf2fs_ioctl+0x54/0xe0\n__arm64_sys_ioctl+0xa8/0xe4\ninvoke_syscall+0x58/0x114\ncheckpoint and f2fs_remount may race as below, resulting triggering warning\nin dquot_writeback_dquots().\natomic write remount\n- do_remount\n- down_write(&sb->s_umount);\n- f2fs_remount\n- ioctl\n- f2fs_do_sync_file\n- f2fs_sync_fs\n- f2fs_write_checkpoint\n- block_operations\n- locked = down_read_trylock(&sbi->sb->s_umount)\n: fail to lock due to the write lock was held by remount\n- up_write(&sb->s_umount);\n- f2fs_quota_sync\n- dquot_writeback_dquots\n- WARN_ON_ONCE(!rwsem_is_locked(&sb->s_umount))\n: trigger warning because s_umount lock was unlocked by remount\nIf checkpoint comes from mount/umount/remount/freeze/quotactl, caller of\ncheckpoint has already held s_umount lock, calling dquot_writeback_dquots()\nin the context should be safe.\nSo let's record task to sbi->umount_lock_holder, so that checkpoint can\nknow whether the lock has held in the context or not by checking current\nw/ it.\nIn addition, in order to not misrepresent caller of checkpoint, we should\nnot allow to trigger async checkpoint for those callers: mount/umount/remount/\nfreeze/quotactl." ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-23132\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-23132\nhttps://lore.kernel.org/linux-cve-announce/2025041631-CVE-2025-23132-cbf9@gregkh/T" ], "name" : "CVE-2025-23132", "csaw" : false }