CVE-2025-40150
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid migrating empty section
It reports a bug from device w/ zufs:
F2FS-fs (dm-64): Inconsistent segment (173822) type [1, 0] in SSA and SIT F2FS-fs (dm-64): Stopped filesystem due to reason: 4
Thread A Thread B
- f2fs_expand_inode_data
- f2fs_allocate_pinning_section
- f2fs_gc_range
- do_garbage_collect w/ segno #x - writepage - f2fs_allocate_data_block - new_curseg - allocate segno #x
The root cause is: fallocate on pinning file may race w/ block allocation as above, result in do_garbage_collect() from fallocate() may migrate segment which is just allocated by a log, the log will update segment type in its in-memory structure, however GC will get segment type from on-disk SSA block, once segment type changes by log, we can detect such inconsistency, then shutdown filesystem.
In this case, on-disk SSA shows type of segno #173822 is 1 (SUM_TYPE_NODE), however segno #173822 was just allocated as data type segment, so in-memory SIT shows type of segno #173822 is 0 (SUM_TYPE_DATA).
Change as below to fix this issue:
- check whether current section is empty before gc
- add sanity checks on do_garbage_collect() to avoid any race case, result in migrating segment used by log.
- btw, it fixes misc issue in printed logs: "SSA and SIT" -> "SIT and SSA".
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 40d76c393cca83938b11eb7ca8983aa3cd0ed69b < db489778e6f2a4034c2cd26fadda2796eba24dcd | affected |
| Linux | Linux | 9703d69d9d153bb230711d0d577454552aeb13d4 < 25d2dc669f2a7e48b335d1cb07139f2ffc9fe5df | affected |
| Linux | Linux | 9703d69d9d153bb230711d0d577454552aeb13d4 < eec1589be36fcf7440755703e4faeee2c01e360b | affected |
| Linux | Linux | 9703d69d9d153bb230711d0d577454552aeb13d4 < d625a2b08c089397d3a03bff13fa8645e4ec7a01 | affected |
| Linux | Linux | 6.6.33 < 6.6.130 | affected |
| Linux | Linux | 6.9 | affected |
| Linux | Linux | 0 < 6.9 | unaffected |
| Linux | Linux | 6.6.130 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.78 <= 6.12.* | unaffected |
| Linux | Linux | 6.17.3 <= 6.17.* | unaffected |
| Linux | Linux | 6.18 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/db489778e6f2a4034c2cd26fadda2796eba24dcd
- https://git.kernel.org/stable/c/25d2dc669f2a7e48b335d1cb07139f2ffc9fe5df
- https://git.kernel.org/stable/c/eec1589be36fcf7440755703e4faeee2c01e360b
- https://git.kernel.org/stable/c/d625a2b08c089397d3a03bff13fa8645e4ec7a01
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.