CVE-2025-39731

Source
https://cve.org/CVERecord?id=CVE-2025-39731
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39731.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-39731
Downstream
Published
2025-09-07T15:16:20.023Z
Modified
2026-05-18T05:57:29.162868064Z
Summary
f2fs: vm_unmap_ram() may be called from an invalid context
Details

In the Linux kernel, the following vulnerability has been resolved:

f2fs: vm_unmap_ram() may be called from an invalid context

When testing F2FS with xfstests using UFS backed virtual disks the kernel complains sometimes that f2fs_release_decomp_mem() calls vm_unmap_ram() from an invalid context. Example trace from f2fs/007 test:

f2fs/007 5s ... [12:59:38][ 8.902525] run fstests f2fs/007
[ 11.468026] BUG: sleeping function called from invalid context at mm/vmalloc.c:2978
[ 11.471849] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 68, name: irq/22-ufshcd
[ 11.475357] preempt_count: 1, expected: 0
[ 11.476970] RCU nest depth: 0, expected: 0
[ 11.478531] CPU: 0 UID: 0 PID: 68 Comm: irq/22-ufshcd Tainted: G W 6.16.0-rc5-xfstests-ufs-g40f92e79b0aa #9 PREEMPT(none)
[ 11.478535] Tainted: [W]=WARN
[ 11.478536] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 11.478537] Call Trace:
[ 11.478543] <TASK>
[ 11.478545] dump_stack_lvl+0x4e/0x70
[ 11.478554] __might_resched.cold+0xaf/0xbe
[ 11.478557] vm_unmap_ram+0x21/0xb0
[ 11.478560] f2fs_release_decomp_mem+0x59/0x80
[ 11.478563] f2fs_free_dic+0x18/0x1a0
[ 11.478565] f2fs_finish_read_bio+0xd7/0x290
[ 11.478570] blk_update_request+0xec/0x3b0
[ 11.478574] ? sbitmap_queue_clear+0x3b/0x60
[ 11.478576] scsi_end_request+0x27/0x1a0
[ 11.478582] scsi_io_completion+0x40/0x300
[ 11.478583] ufshcd_mcq_poll_cqe_lock+0xa3/0xe0
[ 11.478588] ufshcd_sl_intr+0x194/0x1f0
[ 11.478592] ufshcd_threaded_intr+0x68/0xb0
[ 11.478594] ? __pfx_irq_thread_fn+0x10/0x10
[ 11.478599] irq_thread_fn+0x20/0x60
[ 11.478602] ? __pfx_irq_thread_fn+0x10/0x10
[ 11.478603] irq_thread+0xb9/0x180
[ 11.478605] ? __pfx_irq_thread_dtor+0x10/0x10
[ 11.478607] ? __pfx_irq_thread+0x10/0x10
[ 11.478609] kthread+0x10a/0x230
[ 11.478614] ? __pfx_kthread+0x10/0x10
[ 11.478615] ret_from_fork+0x7e/0xd0
[ 11.478619] ? __pfx_kthread+0x10/0x10
[ 11.478621] ret_from_fork_asm+0x1a/0x30
[ 11.478623] </TASK>

This patch modifies in_task() check inside f2fs_read_end_io() to also check if interrupts are disabled. This ensures that pages are unmapped asynchronously in an interrupt handler.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39731.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bff139b49d9f70c1ac5384aac94554846aa834de
Fixed
eb69e69a5ae6c8350957893b5f68bd55b1565fb2
Fixed
1023836d1b9465593c8746f97d608da32958785f
Fixed
0fe7976b62546f1e95eebfe9879925e9aa22b7a8
Fixed
411e00f44e2e1a7fdb526013b25a7f0ed22a0947
Fixed
18eea36f4f460ead3750ed4afe5496f7ce55f99e
Fixed
08a7efc5b02a0620ae16aa9584060e980a69cb55

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39731.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.1.148
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.102
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.42
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.15.10
Type
ECOSYSTEM
Events
Introduced
6.16.0
Fixed
6.16.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39731.json"