In the Linux kernel, the following vulnerability has been resolved:
f2fs: vm_unmap_ram() may be called from an invalid context
When testing F2FS with xfstests using UFS backed virtual disks the kernel complains sometimes that f2fs_release_decomp_mem() calls vm_unmap_ram() from an invalid context. Example trace from f2fs/007 test:
f2fs/007 5s ... [12:59:38][ 8.902525] run fstests f2fs/007
[ 11.468026] BUG: sleeping function called from invalid context at mm/vmalloc.c:2978
[ 11.471849] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 68, name: irq/22-ufshcd
[ 11.475357] preempt_count: 1, expected: 0
[ 11.476970] RCU nest depth: 0, expected: 0
[ 11.478531] CPU: 0 UID: 0 PID: 68 Comm: irq/22-ufshcd Tainted: G W 6.16.0-rc5-xfstests-ufs-g40f92e79b0aa #9 PREEMPT(none)
[ 11.478535] Tainted: [W]=WARN
[ 11.478536] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 11.478537] Call Trace:
[ 11.478543] <TASK>
[ 11.478545] dump_stack_lvl+0x4e/0x70
[ 11.478554] __might_resched.cold+0xaf/0xbe
[ 11.478557] vm_unmap_ram+0x21/0xb0
[ 11.478560] f2fs_release_decomp_mem+0x59/0x80
[ 11.478563] f2fs_free_dic+0x18/0x1a0
[ 11.478565] f2fs_finish_read_bio+0xd7/0x290
[ 11.478570] blk_update_request+0xec/0x3b0
[ 11.478574] ? sbitmap_queue_clear+0x3b/0x60
[ 11.478576] scsi_end_request+0x27/0x1a0
[ 11.478582] scsi_io_completion+0x40/0x300
[ 11.478583] ufshcd_mcq_poll_cqe_lock+0xa3/0xe0
[ 11.478588] ufshcd_sl_intr+0x194/0x1f0
[ 11.478592] ufshcd_threaded_intr+0x68/0xb0
[ 11.478594] ? __pfx_irq_thread_fn+0x10/0x10
[ 11.478599] irq_thread_fn+0x20/0x60
[ 11.478602] ? __pfx_irq_thread_fn+0x10/0x10
[ 11.478603] irq_thread+0xb9/0x180
[ 11.478605] ? __pfx_irq_thread_dtor+0x10/0x10
[ 11.478607] ? __pfx_irq_thread+0x10/0x10
[ 11.478609] kthread+0x10a/0x230
[ 11.478614] ? __pfx_kthread+0x10/0x10
[ 11.478615] ret_from_fork+0x7e/0xd0
[ 11.478619] ? __pfx_kthread+0x10/0x10
[ 11.478621] ret_from_fork_asm+0x1a/0x30
[ 11.478623] </TASK>
This patch modifies in_task() check inside f2fs_read_end_io() to also check if interrupts are disabled. This ensures that pages are unmapped asynchronously in an interrupt handler.
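A log-triage helper for the trace above, added here as an example and not part of the kernel patch or this record: it splits dmesg output into "sleeping function called from invalid context" reports and flags those where vm_unmap_ram is reached from f2fs_release_decomp_mem with interrupts disabled. The names parse_splats and matches_f2fs_vm_unmap and the second sample report are constructed for illustration.

```python
import re

# Constructed sample: the first report is abridged from the trace quoted above;
# the second is an invented, unrelated report used as a negative case.
SAMPLE_LOG = """\
[ 11.468026] BUG: sleeping function called from invalid context at mm/vmalloc.c:2978
[ 11.471849] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 68, name: irq/22-ufshcd
[ 11.478543] <TASK>
[ 11.478557] vm_unmap_ram+0x21/0xb0
[ 11.478560] f2fs_release_decomp_mem+0x59/0x80
[ 11.478565] f2fs_finish_read_bio+0xd7/0x290
[ 11.478574] ? sbitmap_queue_clear+0x3b/0x60
[ 11.478623] </TASK>
[ 20.000001] BUG: sleeping function called from invalid context at kernel/example.c:10
[ 20.000002] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 7, name: example
[ 20.000003] example_helper+0x10/0x20
"""

STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")
BUG = re.compile(r"BUG: sleeping function called from invalid context at (\S+)")
CTX = re.compile(r"in_atomic\(\): (\d+), irqs_disabled\(\): (\d+).*name: (.+)$")
FRAME = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse_splats(log):
    """Split a dmesg dump into one dict per 'sleeping function' report."""
    splats, cur = [], None
    for raw in log.splitlines():
        line = STAMP.sub("", raw).strip()
        if m := BUG.search(line):
            cur = {"where": m.group(1), "atomic": None, "irqs_off": None,
                   "task": None, "frames": []}
            splats.append(cur)
        elif cur is None:
            continue
        elif m := CTX.search(line):
            cur["atomic"], cur["irqs_off"] = m.group(1) == "1", m.group(2) == "1"
            cur["task"] = m.group(3)
        elif (m := FRAME.match(line)) and not m.group(1):  # skip unreliable '?' frames
            cur["frames"].append(m.group(2))
        elif line == "</TASK>":
            cur = None
    return splats

def matches_f2fs_vm_unmap(splat):
    """True if vm_unmap_ram is called from f2fs_release_decomp_mem with IRQs off."""
    f = splat["frames"]
    return bool(splat["irqs_off"]) and any(
        a == "vm_unmap_ram" and b == "f2fs_release_decomp_mem"
        for a, b in zip(f, f[1:]))
```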
[
{
"digest": {
"function_hash": "59871453502745570491088102168931012922",
"length": 699.0
},
"id": "CVE-2025-39731-3e3809f8",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@eb69e69a5ae6c8350957893b5f68bd55b1565fb2",
"signature_version": "v1",
"target": {
"file": "fs/f2fs/data.c",
"function": "f2fs_read_end_io"
},
"deprecated": false
},
{
"digest": {
"function_hash": "109515047232253195541813661922694077505",
"length": 656.0
},
"id": "CVE-2025-39731-4730a7da",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0fe7976b62546f1e95eebfe9879925e9aa22b7a8",
"signature_version": "v1",
"target": {
"file": "fs/f2fs/data.c",
"function": "f2fs_read_end_io"
},
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"261515558199973159195178094042134063955",
"326600585697990492261824358012341348205",
"158482618636200701837842209974467894107",
"171524257816607767875134121880133387525"
]
},
"id": "CVE-2025-39731-6395ba97",
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@08a7efc5b02a0620ae16aa9584060e980a69cb55",
"signature_version": "v1",
"target": {
"file": "fs/f2fs/data.c"
},
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"217464312338158085613323054459753603919",
"114102700901369847566109481978498590942",
"279132230052002580723618047698491172253",
"152903864619907504515538391714281980515"
]
},
"id": "CVE-2025-39731-7e1c27ef",
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@eb69e69a5ae6c8350957893b5f68bd55b1565fb2",
"signature_version": "v1",
"target": {
"file": "fs/f2fs/data.c"
},
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"217464312338158085613323054459753603919",
"207879793268935425449022313652213351464",
"158482618636200701837842209974467894107",
"171524257816607767875134121880133387525"
]
},
"id": "CVE-2025-39731-a0f775a9",
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0fe7976b62546f1e95eebfe9879925e9aa22b7a8",
"signature_version": "v1",
"target": {
"file": "fs/f2fs/data.c"
},
"deprecated": false
},
{
"digest": {
"function_hash": "96212656298928620002834135625525356934",
"length": 670.0
},
"id": "CVE-2025-39731-db8ab03e",
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@08a7efc5b02a0620ae16aa9584060e980a69cb55",
"signature_version": "v1",
"target": {
"file": "fs/f2fs/data.c",
"function": "f2fs_read_end_io"
},
"deprecated": false
}
]