CVE-2025-71107 Overview
A race condition vulnerability exists in the Linux kernel's f2fs (Flash-Friendly File System) implementation where the f2fs_put_super() function can complete before all node page reads are finished. This timing issue causes a filesystem reference count leak during unmount operations, resulting in kernel BUG crashes that can lead to system instability and denial of service conditions.
Critical Impact
Systems using f2fs filesystems may experience kernel crashes during unmount operations, causing denial of service and potential data corruption risks.
Affected Products
- Linux kernel with f2fs filesystem support
- Systems running kernel version 6.17.0-rc5 and potentially earlier versions
- Storage devices using f2fs (commonly flash storage, SSDs, and mobile devices)
Discovery Timeline
- 2026-01-14 - CVE CVE-2025-71107 published to NVD
- 2026-01-14 - Last updated in NVD database
Technical Details for CVE-2025-71107
Vulnerability Analysis
The vulnerability resides in the f2fs filesystem's superblock cleanup routine during unmount operations. When a filesystem is being unmounted, the kernel calls f2fs_put_super() to release resources and clean up internal structures. However, a race condition exists where this function can complete before all pending node page read operations have finished.
The crash manifests when f2fs_put_super() reaches line 1939 in fs/f2fs/super.c, detecting that a filesystem reference count leak has occurred. Specifically, the kernel identifies a type 9 reference with a count of 1 that should have been released. This triggers a kernel BUG assertion, causing an invalid opcode exception and system crash.
The call trace shows the crash occurring through the standard superblock shutdown path: generic_shutdown_super() → kill_block_super() → kill_f2fs_super() → deactivate_locked_super(), ultimately triggered during the cleanup_mnt() routine when processing task work during syscall exit.
Root Cause
The root cause is a missing synchronization point in the unmount path for pending F2FS_RD_NODE page reads. The f2fs filesystem allows asynchronous node page reads for performance optimization, but the f2fs_put_super() function did not wait for all these reads to complete before proceeding with resource cleanup.
Without proper synchronization, if node page reads are still in flight when the superblock is being torn down, the reference counts associated with these pending operations are not properly decremented, resulting in the leaked reference that triggers the BUG assertion.
Attack Vector
This vulnerability is primarily triggered through normal filesystem operations during unmount scenarios. The race condition can be reproduced using filesystem stress tests such as xfstests generic/335 and generic/336, which perform concurrent filesystem operations including mounting and unmounting.
While this vulnerability requires local access and is triggered through legitimate filesystem operations rather than malicious input, an attacker with local access could potentially craft scenarios to repeatedly trigger the race condition, causing system instability or denial of service.
The fix involves adding a call to f2fs_wait_on_all_pages() with the F2FS_RD_NODE flag before completing f2fs_put_super(), ensuring all pending node page reads complete before resource cleanup proceeds.
Detection Methods for CVE-2025-71107
Indicators of Compromise
- Kernel log messages containing "detect filesystem reference count leak during umount, type: 9"
- System crashes with kernel BUG at fs/f2fs/super.c:1939
- Invalid opcode exceptions (Oops: invalid opcode: 0000) during unmount operations
- Stack traces showing f2fs_put_super in the call chain during crashes
Detection Strategies
- Monitor kernel logs for f2fs-related BUG assertions and filesystem reference leak warnings
- Implement automated monitoring for systems using f2fs filesystems to detect abnormal unmount failures
- Run xfstests generic/335 and generic/336 on test systems to verify vulnerability status
- Monitor for unexpected system reboots or crashes correlated with filesystem unmount operations
Monitoring Recommendations
- Enable kernel crash dump collection to capture diagnostic information when the BUG is triggered
- Configure syslog monitoring for patterns matching "F2FS-fs.*reference count leak"
- Monitor system stability metrics for systems heavily utilizing f2fs filesystems
- Implement alerting for kernel oops events containing f2fs-related stack traces
How to Mitigate CVE-2025-71107
Immediate Actions Required
- Apply the kernel patches from the stable kernel git repository to affected systems
- Schedule maintenance windows for kernel updates on systems using f2fs filesystems
- Consider temporarily switching to alternative filesystems for critical systems if patching is delayed
- Minimize unnecessary mount/unmount operations on f2fs filesystems until patched
Patch Information
The vulnerability has been resolved in the Linux kernel through multiple commits available in the stable kernel repository:
- Kernel Git Commit 0b36fae23621
- Kernel Git Commit 297baa4aa263
- Kernel Git Commit 3b15d5f12935
- Kernel Git Commit c3031cf2b61f
The fix adds a synchronization call to f2fs_wait_on_all_pages() for F2FS_RD_NODE operations, ensuring all pending node page reads complete before f2fs_put_super() finishes.
Workarounds
- Reduce filesystem activity before unmounting f2fs volumes to minimize the chance of triggering the race condition
- Implement a delay or sync operation before unmount commands to allow pending I/O to complete
- For critical systems, consider migrating data to ext4 or other filesystems until the kernel is patched
- Avoid running concurrent stress tests or heavy I/O workloads during unmount operations
# Sync filesystems and wait before unmount to reduce race condition likelihood
sync
sleep 2
umount /mount/point
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
