CVE-2025-40137
Description
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to truncate first page in error path of f2fs_truncate()
syzbot reports a bug as below:
loop0: detected capacity change from 0 to 40427
F2FS-fs (loop0): Wrong SSA boundary, start(3584) end(4096) blocks(3072)
F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
F2FS-fs (loop0): invalid crc value
F2FS-fs (loop0): f2fs_convert_inline_folio: corrupted inline inode ino=3, i_addr[0]:0x1601, run fsck to fix.
------------[ cut here ]------------
kernel BUG at fs/inode.c:753!
RIP: 0010:clear_inode+0x169/0x190 fs/inode.c:753
Call Trace:
 evict+0x504/0x9c0 fs/inode.c:810
 f2fs_fill_super+0x5612/0x6fa0 fs/f2fs/super.c:5047
 get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1692
 vfs_get_tree+0x8f/0x2b0 fs/super.c:1815
 do_new_mount+0x2a2/0x9e0 fs/namespace.c:3808
 do_mount fs/namespace.c:4136 [inline]
 __do_sys_mount fs/namespace.c:4347 [inline]
 __se_sys_mount+0x317/0x410 fs/namespace.c:4324
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
During f2fs_evict_inode(), clear_inode() detects that we missed to truncate all page cache before destroying inode, that is because in below path, we will create page #0 in cache, but missed to drop it in error path, let's fix it.
- evict
  - f2fs_evict_inode
    - f2fs_truncate
      - f2fs_convert_inline_inode
        - f2fs_grab_cache_folio : create page #0 in cache
        - f2fs_convert_inline_folio : sanity check failed, return -EFSCORRUPTED
- clear_inode detects that inode->i_data.nrpages is not zero
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's f2fs filesystem, a bug in f2fs_truncate() fails to drop a cached page on error, causing a kernel BUG during inode eviction.
Vulnerability
Overview
In the Linux kernel's f2fs filesystem, a flaw in the error handling path of f2fs_truncate() can lead to a kernel BUG. The issue occurs when f2fs_convert_inline_inode() creates page #0 in the page cache via f2fs_grab_cache_folio(), but the subsequent f2fs_convert_inline_folio() sanity check fails (e.g., due to filesystem corruption) and the function returns an error without dropping the newly created page. This leaves the inode's page cache non-empty.
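The call path in the commit message and the overview above describe the same defect: a page grabbed into the cache is not dropped when the conversion's sanity check fails, so eviction later finds nrpages != 0. The following user-space model is an added example, not kernel or f2fs code; the toy_inode struct and the helper names are stand-ins for the f2fs/VFS functions named above, and the corruption flag is constructed input.

```c
#include <stdbool.h>

/* Toy inode: nrpages mirrors inode->i_data.nrpages (pages still cached);
 * the flag is constructed input that makes the inline sanity check fail. */
struct toy_inode {
    int nrpages;
    bool inline_data_corrupted;
};
#define EFSCORRUPTED 117 /* kernel: EFSCORRUPTED == EUCLEAN (117 on Linux) */

/* Stand-in for f2fs_grab_cache_folio(): page #0 enters the cache. */
static void grab_cache_page0(struct toy_inode *inode)
{
    inode->nrpages++;
}

/* Stand-in for dropping page #0 again on the error path. */
static void truncate_page0(struct toy_inode *inode)
{
    if (inode->nrpages > 0)
        inode->nrpages--;
}

/* Stand-in for f2fs_convert_inline_folio(): fails on a corrupted inode. */
static int convert_inline_folio(const struct toy_inode *inode)
{
    return inode->inline_data_corrupted ? -EFSCORRUPTED : 0;
}

/* Buggy shape: the error is returned with page #0 still cached. */
int convert_inline_inode_buggy(struct toy_inode *inode)
{
    grab_cache_page0(inode);
    return convert_inline_folio(inode);
}

/* Fixed shape: truncate page #0 before propagating the error. */
int convert_inline_inode_fixed(struct toy_inode *inode)
{
    grab_cache_page0(inode);
    int err = convert_inline_folio(inode);
    if (err)
        truncate_page0(inode);
    return err;
}

/* Stand-in for clear_inode()'s BUG_ON(inode->i_data.nrpages). */
bool evict_would_bug(const struct toy_inode *inode)
{
    return inode->nrpages != 0;
}
```

On a corrupted inode the buggy shape leaves one cached page behind (eviction would BUG), while the fixed shape returns the same error with an empty cache; on a healthy inode the fixed shape still keeps the converted page.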
Exploitation
Conditions
An attacker would need to trigger filesystem corruption that causes the sanity check in f2fs_convert_inline_folio() to fail. This could be achieved by mounting a crafted or corrupted f2fs image. The attack requires local access to mount a filesystem, but no special privileges beyond the ability to mount a block device.
Impact
When the inode is later evicted (e.g., during unmount or memory pressure), clear_inode() in fs/inode.c detects that the page cache was not fully truncated and triggers a kernel BUG (at fs/inode.c:753). This results in a kernel panic, leading to a denial of service (system crash). The bug was reported by syzbot, indicating it can be triggered by fuzzing.
Mitigation
The fix has been applied to the Linux kernel stable tree in commit 9251a9e6e871cb03c4714a18efa8f5d4a8818450 [1]. Users of affected stable kernel series should update to a version containing this commit. No workaround is available other than avoiding mounting untrusted f2fs images.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (1)
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.