Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71065

CVE-2025-71065: Linux Kernel Race Condition Vulnerability

CVE-2025-71065 is a race condition vulnerability in the Linux kernel f2fs filesystem that can cause deadlock scenarios. This article covers the technical details, affected versions, impact, and mitigation strategies.

Updated:

CVE-2025-71065 Overview

CVE-2025-71065 is a deadlock vulnerability in the Linux kernel's F2FS (Flash-Friendly File System) implementation. The flaw involves a circular locking dependency among four locks: fs_reclaim, sb_internal, &sbi->cp_rwsem, and the error recording rwsem. Concurrent execution of kswapd, iput, an ioctl for atomic write commit, and a file open path can establish a lock ordering chain that triggers a deadlock. The issue was reported by Jiaming Zhang and syzbot. A patch series has been merged into the mainline and stable kernel trees to restructure the locking and prevent the unsafe lock acquisition order.

Critical Impact

Concurrent filesystem operations on F2FS volumes can stall the system through a kernel-level deadlock, leading to denial of service on affected hosts.

Affected Products

  • Linux kernel with F2FS filesystem support (mainline branches prior to the fix commits)
  • Stable kernel branches prior to backported patches 6c3bab5c6261, 86a85a7b622e, 8bd6dff8b801, and ca8b201f2854
  • Linux distributions shipping vulnerable kernel versions with F2FS enabled

Discovery Timeline

  • Vulnerability reported by Jiaming Zhang and syzbot
  • 2026-01-13 - CVE-2025-71065 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-71065

Vulnerability Analysis

The vulnerability is a classic ABBA-style circular lock dependency [CWE-833] involving four kernel locks in F2FS. Lockdep detected a chain where &sbi->cp_rwsem depends on fs_reclaim, which depends on sb_internal#2. When two CPUs acquire these locks in opposing orders, the kernel cannot make forward progress.

The call paths that converge into the deadlock include kswapd performing shrinker-driven inode eviction, iput triggering f2fs_evict_inode followed by f2fs_truncate_blocks and f2fs_lock_op, an ioctl calling f2fs_ioc_commit_atomic_write that takes f2fs_lock_op before invoking f2fs_handle_error and f2fs_record_errors, and an open-path do_truncate that reaches f2fs_getxattr and ultimately calls fs_reclaim_acquire inside f2fs_commit_super.

The report does not indicate memory corruption or privilege escalation potential. Impact is limited to kernel hangs and denial of service on hosts mounting F2FS volumes.

Root Cause

The root cause is an unsafe lock acquisition order in F2FS error handling paths. The function f2fs_record_errors acquired an internal rwsem and then issued f2fs_commit_super, which calls read_mapping_folio and triggers fs_reclaim_acquire. Combined with the existing order between cp_rwsem, sb_internal, and fs_reclaim acquired in eviction and truncation paths, this introduced a circular dependency detectable by lockdep.

Attack Vector

Triggering the deadlock requires concurrent filesystem activity on an F2FS-mounted volume, including atomic write commits via ioctl, file open with truncation, inode eviction under memory pressure, and reclaim activity by kswapd. A local user with the ability to issue filesystem operations on an F2FS volume could induce the conditions. No network reachability is involved. The vulnerability manifests as a kernel deadlock rather than code execution; see the upstream patch commits for the precise locking changes that resolve the chain.

Detection Methods for CVE-2025-71065

Indicators of Compromise

  • Kernel log entries from lockdep reporting possible circular locking dependency detected involving cp_rwsem, fs_reclaim, and sb_internal on F2FS-backed mounts.
  • Hung task warnings referencing f2fs_evict_inode, f2fs_do_truncate_blocks, f2fs_lock_op, or f2fs_record_errors in stack traces.
  • kswapd0 processes stuck in D state alongside F2FS worker threads.

Detection Strategies

  • Monitor dmesg and /var/log/kern.log for lockdep splats and INFO: task ... blocked for more than N seconds messages on F2FS hosts.
  • Inspect /proc/<pid>/stack for tasks blocked in down_read or down_write calls inside F2FS code paths.
  • Track kernel version inventory and flag hosts running F2FS on unpatched kernels prior to the fix commits.

Monitoring Recommendations

  • Forward kernel logs and hung-task telemetry to a centralized log platform for correlation across the fleet.
  • Alert on repeated kswapd stalls or filesystem I/O latency spikes on F2FS volumes.
  • Track patch deployment status against the four upstream commits referenced in the NVD entry.

How to Mitigate CVE-2025-71065

Immediate Actions Required

  • Identify all systems mounting F2FS filesystems and inventory their kernel versions.
  • Schedule kernel upgrades to a release that includes the upstream fix commits.
  • For workloads that do not require F2FS, switch to an alternate filesystem until patches are applied.

Patch Information

The fix is distributed across four upstream commits that restructure the F2FS locking and error-recording paths to break the circular dependency. See Kernel Git Commit Patch ca8b201f, Kernel Git Commit Fix 86a85a7b, Kernel Git Commit Change 8bd6dff8, and Kernel Git Commit Update 6c3bab5c. Apply the patched kernel package from your distribution and reboot affected hosts.

Workarounds

  • Avoid mounting F2FS volumes on systems running unpatched kernels where deadlocks have been observed.
  • Reduce memory pressure on F2FS hosts to lower the likelihood of kswapd-driven shrinker activity intersecting with atomic write commits.
  • Disable userland tooling that issues F2FS_IOC_COMMIT_ATOMIC_WRITE until the kernel patch is applied.
bash
# Configuration example: identify F2FS mounts and current kernel
uname -r
mount | grep -w f2fs
# After installing the patched kernel package, reboot to load the fix
sudo reboot

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.