fkie_cve-2025-40150
Vulnerability from fkie_nvd
Published
2025-11-12 11:15
Modified
2025-11-12 16:19
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid migrating empty section
It reports a bug from device w/ zufs:
F2FS-fs (dm-64): Inconsistent segment (173822) type [1, 0] in SSA and SIT
F2FS-fs (dm-64): Stopped filesystem due to reason: 4
Thread A                                Thread B
- f2fs_expand_inode_data
 - f2fs_allocate_pinning_section
  - f2fs_gc_range
   - do_garbage_collect w/ segno #x
                                        - writepage
                                         - f2fs_allocate_data_block
                                          - new_curseg
                                           - allocate segno #x
The root cause is: fallocate on pinning file may race w/ block allocation
as above, result in do_garbage_collect() from fallocate() may migrate
segment which is just allocated by a log, the log will update segment type
in its in-memory structure, however GC will get segment type from on-disk
SSA block, once segment type changes by log, we can detect such
inconsistency, then shutdown filesystem.
In this case, on-disk SSA shows type of segno #173822 is 1 (SUM_TYPE_NODE),
however segno #173822 was just allocated as data type segment, so in-memory
SIT shows type of segno #173822 is 0 (SUM_TYPE_DATA).
Change as below to fix this issue:
- check whether current section is empty before gc
- add sanity checks on do_garbage_collect() to avoid any race case, result in migrating segment used by log.
- btw, it fixes misc issue in printed logs: "SSA and SIT" -> "SIT and SSA".
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid migrating empty section\n\nIt reports a bug from device w/ zufs:\n\nF2FS-fs (dm-64): Inconsistent segment (173822) type [1, 0] in SSA and SIT\nF2FS-fs (dm-64): Stopped filesystem due to reason: 4\n\nThread A\t\t\t\tThread B\n- f2fs_expand_inode_data\n - f2fs_allocate_pinning_section\n - f2fs_gc_range\n - do_garbage_collect w/ segno #x\n\t\t\t\t\t- writepage\n\t\t\t\t\t - f2fs_allocate_data_block\n\t\t\t\t\t - new_curseg\n\t\t\t\t\t - allocate segno #x\n\nThe root cause is: fallocate on pinning file may race w/ block allocation\nas above, result in do_garbage_collect() from fallocate() may migrate\nsegment which is just allocated by a log, the log will update segment type\nin its in-memory structure, however GC will get segment type from on-disk\nSSA block, once segment type changes by log, we can detect such\ninconsistency, then shutdown filesystem.\n\nIn this case, on-disk SSA shows type of segno #173822 is 1 (SUM_TYPE_NODE),\nhowever segno #173822 was just allocated as data type segment, so in-memory\nSIT shows type of segno #173822 is 0 (SUM_TYPE_DATA).\n\nChange as below to fix this issue:\n- check whether current section is empty before gc\n- add sanity checks on do_garbage_collect() to avoid any race case, result\nin migrating segment used by log.\n- btw, it fixes misc issue in printed logs: \"SSA and SIT\" -\u003e \"SIT and SSA\"."
}
],
"id": "CVE-2025-40150",
"lastModified": "2025-11-12T16:19:12.850",
"metrics": {},
"published": "2025-11-12T11:15:44.923",
"references": [
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/d625a2b08c089397d3a03bff13fa8645e4ec7a01"
},
{
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"url": "https://git.kernel.org/stable/c/eec1589be36fcf7440755703e4faeee2c01e360b"
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Awaiting Analysis"
}