CVE-2021-47004: f2fs: fix to avoid touching checkpointed data in get_victim()
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid touching checkpointed data in get_victim()
In CP disabling mode, there are two issues when using LFS or SSR | AT_SSR
mode to select victim:
1. LFS is set to find source section during GC, the victim should have
no checkpointed data, since after GC, section could not be set free for
reuse.
Previously, we only check valid chpt blocks in current segment rather
than section, fix it.
2. SSR | AT_SSR are set to find target segment for writes which can be
fully filled by checkpointed and newly written blocks, we should never
select such segment, otherwise it can cause panic or data corruption
during allocation, potential case is described as below:
a) target segment has 'n' (n < 512) ckpt valid blocks
b) GC migrates 'n' valid blocks to other segment (segment is still
in dirty list)
c) GC migrates '512 - n' blocks to target segment (segment has 'n'
cp_vblocks and '512 - n' vblocks)
d) If GC selects target segment via {AT,}SSR allocator, however there
is no free space in targe segment.
Security readout for executives and security teams
Plain-English summary
This Linux kernel flaw affects F2FS garbage collection in checkpoint-disabling mode. Under specific allocation conditions, the filesystem can select a segment that is not actually reusable, leading to kernel panic or data corruption. Business risk is mainly availability and data integrity on systems that use F2FS, not broad remote compromise.
Executive priority
Treat as a targeted storage reliability issue. It deserves prompt handling where F2FS is used for important data, but the provided sources do not support emergency remote-exploitation prioritization.
Technical view
The issue is in F2FS get_victim() victim selection. In CP disabling mode, LFS could consider only checkpointed blocks in the current segment instead of the whole section, and SSR/AT_SSR could select fully occupied target segments. The resolved behavior avoids touching checkpointed data that cannot be safely reclaimed.
Likely exposure
Exposure appears limited to Linux systems using F2FS, especially configurations involving checkpoint disabling and garbage collection. The source lists Linux kernel affected ranges and stable fix commits, but distro-specific backports are not identified in the bundle.
Exploitation context
The bundle does not cite public exploitation, proof-of-concept activity, or CISA KEV listing. The described impact is panic or data corruption during allocation, suggesting a reliability and integrity issue requiring the vulnerable F2FS condition to be present.
Researcher notes
Key review areas are F2FS garbage collection victim selection, checkpointed block accounting at section versus segment scope, and SSR/AT_SSR target selection. Evidence is limited to the CVE record and kernel stable commits.
Mitigation direction
Update to a vendor kernel containing the referenced F2FS stable fixes.
Check distribution advisories for backported fixes before relying on version numbers alone.
Prioritize systems using F2FS with checkpoint-disabling workflows.
Maintain current backups for affected F2FS storage until remediation is verified.
Avoid unsupported kernel builds missing the referenced stable commits.
Validation and detection
Inventory Linux hosts using F2FS filesystems.
Identify kernel versions and vendor patch levels on those hosts.
Confirm whether kernel source or package changelog includes the referenced fix commits.
Review system logs for F2FS panic, allocation, or corruption symptoms.
Validate backups and filesystem health after updating affected systems.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2021-47004 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.