{"id":"AZL-66521","summary":"CVE-2025-38578 affecting package kernel for versions less than 6.6.104.2-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid UAF in f2fs_sync_inode_meta()\n\nsyzbot reported an UAF issue as below: [1] [2]\n\n[1] https://syzkaller.appspot.com/text?tag=CrashReport&x=16594c60580000\n\n==================================================================\nBUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62\nRead of size 8 at addr ffff888100567dc8 by task kworker/u4:0/8\n\nCPU: 1 PID: 8 Comm: kworker/u4:0 Tainted: G        W          6.1.129-syzkaller-00017-g642656a36791 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025\nWorkqueue: writeback wb_workfn (flush-7:0)\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:316 [inline]\n print_report+0x158/0x4e0 mm/kasan/report.c:427\n kasan_report+0x13c/0x170 mm/kasan/report.c:531\n __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:351\n __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62\n __list_del_entry include/linux/list.h:134 [inline]\n list_del_init include/linux/list.h:206 [inline]\n f2fs_inode_synced+0x100/0x2e0 fs/f2fs/super.c:1553\n f2fs_update_inode+0x72/0x1c40 fs/f2fs/inode.c:588\n f2fs_update_inode_page+0x135/0x170 fs/f2fs/inode.c:706\n f2fs_write_inode+0x416/0x790 fs/f2fs/inode.c:734\n write_inode fs/fs-writeback.c:1460 [inline]\n __writeback_single_inode+0x4cf/0xb80 fs/fs-writeback.c:1677\n writeback_sb_inodes+0xb32/0x1910 fs/fs-writeback.c:1903\n __writeback_inodes_wb+0x118/0x3f0 fs/fs-writeback.c:1974\n wb_writeback+0x3da/0xa00 fs/fs-writeback.c:2081\n wb_check_background_flush fs/fs-writeback.c:2151 [inline]\n wb_do_writeback fs/fs-writeback.c:2239 [inline]\n wb_workfn+0xbba/0x1030 fs/fs-writeback.c:2266\n process_one_work+0x73d/0xcb0 kernel/workqueue.c:2299\n worker_thread+0xa60/0x1260 kernel/workqueue.c:2446\n kthread+0x26d/0x300 kernel/kthread.c:386\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295\n \u003c/TASK\u003e\n\nAllocated by task 298:\n kasan_save_stack mm/kasan/common.c:45 [inline]\n kasan_set_track+0x4b/0x70 mm/kasan/common.c:52\n kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505\n __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:333\n kasan_slab_alloc include/linux/kasan.h:202 [inline]\n slab_post_alloc_hook+0x53/0x2c0 mm/slab.h:768\n slab_alloc_node mm/slub.c:3421 [inline]\n slab_alloc mm/slub.c:3431 [inline]\n __kmem_cache_alloc_lru mm/slub.c:3438 [inline]\n kmem_cache_alloc_lru+0x102/0x270 mm/slub.c:3454\n alloc_inode_sb include/linux/fs.h:3255 [inline]\n f2fs_alloc_inode+0x2d/0x350 fs/f2fs/super.c:1437\n alloc_inode fs/inode.c:261 [inline]\n iget_locked+0x18c/0x7e0 fs/inode.c:1373\n f2fs_iget+0x55/0x4ca0 fs/f2fs/inode.c:486\n f2fs_lookup+0x3c1/0xb50 fs/f2fs/namei.c:484\n __lookup_slow+0x2b9/0x3e0 fs/namei.c:1689\n lookup_slow+0x5a/0x80 fs/namei.c:1706\n walk_component+0x2e7/0x410 fs/namei.c:1997\n lookup_last fs/namei.c:2454 [inline]\n path_lookupat+0x16d/0x450 fs/namei.c:2478\n filename_lookup+0x251/0x600 fs/namei.c:2507\n vfs_statx+0x107/0x4b0 fs/stat.c:229\n vfs_fstatat fs/stat.c:267 [inline]\n vfs_lstat include/linux/fs.h:3434 [inline]\n __do_sys_newlstat fs/stat.c:423 [inline]\n __se_sys_newlstat+0xda/0x7c0 fs/stat.c:417\n __x64_sys_newlstat+0x5b/0x70 fs/stat.c:417\n x64_sys_call+0x52/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:7\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x3b/0x80 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x68/0xd2\n\nFreed by task 0:\n kasan_save_stack mm/kasan/common.c:45 [inline]\n kasan_set_track+0x4b/0x70 mm/kasan/common.c:52\n kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:516\n ____kasan_slab_free+0x131/0x180 mm/kasan/common.c:241\n __kasan_slab_free+0x11/0x20 mm/kasan/common.c:249\n kasan_slab_free include/linux/kasan.h:178 [inline]\n slab_free_hook mm/slub.c:1745 [inline]\n slab_free_freelist_hook mm/slub.c:1771 [inline]\n slab_free mm/slub.c:3686 [inline]\n kmem_cache_free+0x\n---truncated---","modified":"2026-04-01T05:20:59.620026Z","published":"2025-08-19T17:15:34Z","upstream":["CVE-2025-38578"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38578"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.104.2-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-66521.json"}}],"schema_version":"1.7.5"}