CVE-2025-38627

In the Linux kernel, the following vulnerability has been resolved:

f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic

The decompress_io_ctx may be released asynchronously after
I/O completion. If this file is deleted immediately after read,
and the kworker of processing post_read_wq has not been executed yet
due to high workloads, It is possible that the inode(f2fs_inode_info)
is evicted and freed before it is used f2fs_free_dic.

The UAF case as below:
Thread A Thread B
– f2fs_decompress_end_io
– f2fs_put_dic
– queue_work
add free_dic work to post_read_wq
– do_unlink
– iput
– evict
– call_rcu
This file is deleted after read.

Thread C kworker to process post_read_wq
– rcu_do_batch
– f2fs_free_inode
– kmem_cache_free
inode is freed by rcu
– process_scheduled_works
– f2fs_late_free_dic
– f2fs_free_dic
– f2fs_release_decomp_mem
read (dic->inode)->i_compress_algorithm

This patch store compress_algorithm and sbi in dic to avoid inode UAF.

In addition, the previous solution is deprecated in [1] may cause system hang.
[1] https://lore.kernel.org/all/c36ab955-c8db-4a8b-a9d0-f07b5f426c3f@kernel.org

More information : https://git.kernel.org/stable/c/39868685c2a94a70762bc6d77dc81d781d05bff5