VYPR
Unrated severity · NVD Advisory · Published Nov 12, 2025 · Updated Apr 15, 2026

CVE-2025-40138

Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid NULL pointer dereference in f2fs_check_quota_consistency()

syzbot reported a f2fs bug as below:

Oops: gen[ 107.736417][ T5848] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 UID: 0 PID: 5848 Comm: syz-executor263 Tainted: G W 6.17.0-rc1-syzkaller-00014-g0e39a731820a #0 PREEMPT_{RT,(full)}
RIP: 0010:strcmp+0x3c/0xc0 lib/string.c:284
Call Trace:
 f2fs_check_quota_consistency fs/f2fs/super.c:1188 [inline]
 f2fs_check_opt_consistency+0x1378/0x2c10 fs/f2fs/super.c:1436
 __f2fs_remount fs/f2fs/super.c:2653 [inline]
 f2fs_reconfigure+0x482/0x1770 fs/f2fs/super.c:5297
 reconfigure_super+0x224/0x890 fs/super.c:1077
 do_remount fs/namespace.c:3314 [inline]
 path_mount+0xd18/0xfe0 fs/namespace.c:4112
 do_mount fs/namespace.c:4133 [inline]
 __do_sys_mount fs/namespace.c:4344 [inline]
 __se_sys_mount+0x317/0x410 fs/namespace.c:4321
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The direct reason is f2fs_check_quota_consistency() may suffer null-ptr-deref issue in strcmp().

The bug can be reproduced with the script below:

mkfs.f2fs -f /dev/vdb
mount -t f2fs -o usrquota /dev/vdb /mnt/f2fs
quotacheck -uc /mnt/f2fs/
umount /mnt/f2fs
mount -t f2fs -o usrjquota=aquota.user,jqfmt=vfsold /dev/vdb /mnt/f2fs
mount -t f2fs -o remount,usrjquota=,jqfmt=vfsold /dev/vdb /mnt/f2fs
umount /mnt/f2fs

So, before comparing old_qname and new_qname, we need to check whether they are both valid pointers; fix it.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A NULL pointer dereference in Linux kernel's f2fs filesystem quota consistency check leads to a crash during remount with manipulated quota options.

In the Linux kernel, CVE-2025-40138 is a null pointer dereference vulnerability in the f2fs filesystem's quota consistency check. The bug resides in the function f2fs_check_quota_consistency(), which compares old and new quota file names using strcmp() without verifying that the pointers are valid. As described in the vulnerability report, this was discovered during fuzzing (syzbot) and can crash the system with an Oops (general protection fault) [1].

Exploitation

Attackers with the ability to remount an f2fs filesystem can trigger this vulnerability by following a specific sequence of operations: mount with usrquota, run quotacheck, unmount, mount with a quota file name (usrjquota=aquota.user) and format (jqfmt=vfsold), then remount with the quota file name set to empty (usrjquota=). This leaves old_qname as a valid pointer and new_qname as NULL, causing strcmp to dereference NULL [1].

Impact

Successful exploitation results in a NULL pointer dereference that causes a kernel crash (denial of service). The vulnerability is reachable locally via the mount/remount operations without requiring special privileges beyond filesystem ownership.

Mitigation

The fix, introduced by commit 3f3458852bbfe79c60f2412b8b04677b96688b6e, adds a NULL check for both old_qname and new_qname before the strcmp() call. The patch is included in Linux kernel stable branches; users are advised to update their kernels to versions containing this fix.
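The NULL-safe comparison described above, as an added C illustration modelled on the description (not the kernel's own code): the struct, the MAXQUOTAS value, the function names and the reject-on-change rule are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAXQUOTAS 3 /* assumption: user, group and project quota slots */
/* Hypothetical stand-in for the in-memory mount options: one journaled
 * quota file name per quota type, NULL when none is configured. */
struct qopts {
    const char *qf_names[MAXQUOTAS];
};

/* NULL-safe "did the name change?" test. The pre-fix code called
 * strcmp(old_qname, new_qname) unconditionally; "usrjquota=" on remount
 * leaves one side NULL, which is the null-ptr-deref in the report above. */
static bool qname_changed(const char *old_qname, const char *new_qname)
{
    if (!old_qname || !new_qname)
        return old_qname != new_qname; /* present on one side only */
    return strcmp(old_qname, new_qname) != 0;
}

/* Returns -1 (reject the remount) when quota is turned on and a journaled
 * quota file name would change, 0 otherwise. Models the check's intent, not
 * the kernel's exact control flow. */
static int check_quota_consistency(const struct qopts *old_opts,
                                   const struct qopts *new_opts,
                                   bool quota_turnon)
{
    for (int i = 0; i < MAXQUOTAS; i++) {
        if (quota_turnon &&
            qname_changed(old_opts->qf_names[i], new_opts->qf_names[i])) {
            fprintf(stderr, "quota type %d: journaled quota name change rejected\n", i);
            return -1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed state matching the reproducer: usrjquota=aquota.user was
     * mounted, then a remount passes usrjquota= (cleared, so NULL). */
    struct qopts mounted = { { "aquota.user", NULL, NULL } };
    struct qopts remount = { { NULL, NULL, NULL } };
    int rc = check_quota_consistency(&mounted, &remount, true);
    printf("remount %s (rc=%d)\n", rc ? "rejected" : "accepted", rc);
    return 0;
}
```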

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
