CVE-2025-40190

syzkaller found a path where ext4xattrinodeupdateref() reads an EA inode refcount that is already <= 0 and then applies ref_change (often -1). That lets the refcount underflow and we proceed with a bogus value, triggering errors like:

EXT4-fs error: EA inode <n> ref underflow: refcount=-1 refchange=-1 EXT4-fs warning: ea_inode dec ref err=-117

Make the invariant explicit: if the current refcount is non-positive, treat this as on-disk corruption, emit ext4errorinode(), and fail the operation with -EFSCORRUPTED instead of updating the refcount. Delete the WARNONCE() as negative refcounts are now impossible; keep error reporting in ext4error_inode().

This prevents the underflow and the follow-on orphan/cleanup churn.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40190.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.4.301

Type: ECOSYSTEM
Events: Introduced

5.5.0

Fixed

5.10.246

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.195

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

6.1.157

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.113

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.54

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.17.4

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40190.json"