CVE-2025-40150

Source
https://cve.org/CVERecord?id=CVE-2025-40150
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40150.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-40150
Downstream
Published
2025-11-12T10:23:27.399Z
Modified
2026-05-18T05:58:07.564215690Z
Summary
f2fs: fix to avoid migrating empty section
Details

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid migrating empty section

It reports a bug from device w/ zufs:

F2FS-fs (dm-64): Inconsistent segment (173822) type [1, 0] in SSA and SIT
F2FS-fs (dm-64): Stopped filesystem due to reason: 4

Thread A                                Thread B
- f2fs_expand_inode_data
 - f2fs_allocate_pinning_section
  - f2fs_gc_range
   - do_garbage_collect w/ segno #x
                                        - writepage
                                         - f2fs_allocate_data_block
                                          - new_curseg
                                           - allocate segno #x

The root cause is: fallocate on pinning file may race w/ block allocation as above, result in do_garbage_collect() from fallocate() may migrate segment which is just allocated by a log, the log will update segment type in its in-memory structure, however GC will get segment type from on-disk SSA block, once segment type changes by log, we can detect such inconsistency, then shutdown filesystem.

In this case, on-disk SSA shows type of segno #173822 is 1 (SUM_TYPE_NODE), however segno #173822 was just allocated as data type segment, so in-memory SIT shows type of segno #173822 is 0 (SUM_TYPE_DATA).

Change as below to fix this issue:
- check whether current section is empty before gc
- add sanity checks on do_garbage_collect() to avoid any race case, result in migrating segment used by log.
- btw, it fixes misc issue in printed logs: "SSA and SIT" -> "SIT and SSA".

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40150.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
40d76c393cca83938b11eb7ca8983aa3cd0ed69b
Fixed
db489778e6f2a4034c2cd26fadda2796eba24dcd
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9703d69d9d153bb230711d0d577454552aeb13d4
Fixed
25d2dc669f2a7e48b335d1cb07139f2ffc9fe5df
Fixed
eec1589be36fcf7440755703e4faeee2c01e360b
Fixed
d625a2b08c089397d3a03bff13fa8645e4ec7a01

Affected versions

v6.*
v6.6.100
v6.6.101
v6.6.102
v6.6.103
v6.6.104
v6.6.105
v6.6.106
v6.6.107
v6.6.108
v6.6.109
v6.6.110
v6.6.111
v6.6.112
v6.6.113
v6.6.114
v6.6.115
v6.6.116
v6.6.117
v6.6.118
v6.6.119
v6.6.120
v6.6.121
v6.6.122
v6.6.123
v6.6.124
v6.6.125
v6.6.126
v6.6.127
v6.6.128
v6.6.129
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.55
v6.6.56
v6.6.57
v6.6.58
v6.6.59
v6.6.60
v6.6.61
v6.6.62
v6.6.63
v6.6.64
v6.6.65
v6.6.66
v6.6.67
v6.6.68
v6.6.69
v6.6.70
v6.6.71
v6.6.72
v6.6.73
v6.6.74
v6.6.75
v6.6.76
v6.6.77
v6.6.78
v6.6.79
v6.6.80
v6.6.81
v6.6.82
v6.6.83
v6.6.84
v6.6.85
v6.6.86
v6.6.87
v6.6.88
v6.6.89
v6.6.90
v6.6.91
v6.6.92
v6.6.93
v6.6.94
v6.6.95
v6.6.96
v6.6.97
v6.6.98
v6.6.99

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40150.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.6.130
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.78
Type
ECOSYSTEM
Events
Introduced
6.9.0
Fixed
6.17.3

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40150.json"