VYPR
Unrated severity · NVD Advisory · Published Nov 12, 2025 · Updated Apr 15, 2026

CVE-2025-40150


Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid migrating empty section

It reports a bug from device w/ zufs:

F2FS-fs (dm-64): Inconsistent segment (173822) type [1, 0] in SSA and SIT
F2FS-fs (dm-64): Stopped filesystem due to reason: 4

Thread A                                  Thread B
- f2fs_expand_inode_data
 - f2fs_allocate_pinning_section
  - f2fs_gc_range
   - do_garbage_collect w/ segno #x
                                          - writepage
                                           - f2fs_allocate_data_block
                                            - new_curseg
                                             - allocate segno #x

The root cause is: fallocate on a pinning file may race w/ block allocation as above, resulting in do_garbage_collect() from fallocate() migrating a segment which was just allocated by a log. The log will update the segment type in its in-memory structure, however GC will get the segment type from the on-disk SSA block; once the segment type is changed by the log, we can detect such an inconsistency, then shut down the filesystem.

In this case, on-disk SSA shows type of segno #173822 is 1 (SUM_TYPE_NODE), however segno #173822 was just allocated as data type segment, so in-memory SIT shows type of segno #173822 is 0 (SUM_TYPE_DATA).

Change as below to fix this issue:
- check whether the current section is empty before gc
- add sanity checks on do_garbage_collect() to avoid any race case resulting in migrating a segment used by a log.
- btw, it fixes a misc issue in printed logs: "SSA and SIT" -> "SIT and SSA".

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Race condition in f2fs between fallocate and block allocation leads to inconsistent segment types, causing filesystem shutdown.

Vulnerability

Description

CVE-2025-40150 is a race condition in the Linux kernel's f2fs filesystem. The bug occurs when fallocate() on a pinned file, which triggers garbage collection via f2fs_gc_range(), races with a concurrent block allocation (writepage -> f2fs_allocate_data_block -> new_curseg). This can cause garbage collection to migrate a segment that was just allocated by a log, leading to an inconsistency between the on-disk SSA (Segment Summary Area) and in-memory SIT (Segment Information Table) segment types [1][2].

Exploitation

An attacker with local access and the ability to trigger fallocate on pinned files while concurrent writes are occurring can exploit this race. No special permissions beyond file write access are required, but the race window is narrow. The vulnerability is inherent in the kernel's f2fs implementation and does not require network access.

Impact

Successful exploitation can cause the kernel to detect inconsistent segment types (e.g., on-disk SSA shows type 1 for node, in-memory SIT shows type 0 for data) and shut down the filesystem to prevent further corruption. This results in a denial of service (DoS), making the filesystem unavailable until manual repair is performed.

Mitigation

The fix includes checking whether the current section is empty before performing garbage collection, and adding sanity checks in do_garbage_collect() to prevent migrating segments in use by logs [1][2]. Linux kernel stable branches have received patches; users should update their kernels to versions containing commit d625a2b08c0893 or eec1589be36fcf [1][2].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
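As an added example, not code from the kernel or from this advisory, the following C toy model replays the interleaving from the description and shows how the two checks named in the Mitigation section (skip an empty section, refuse a segment held by a log) keep the race from reaching the SIT/SSA type comparison that stops the filesystem. The segment fields, enum values and check order are assumptions for illustration, not f2fs's actual data structures.

```c
#include <stdbool.h>

/* Toy model (added example, not f2fs code) of the SIT/SSA type race
 * described above.  All names, constants and checks are assumptions. */
#define SUM_TYPE_DATA 0
#define SUM_TYPE_NODE 1

struct seg {
    int sit_type;      /* in-memory type: updated as soon as a log takes it */
    int ssa_type;      /* on-disk summary type: updated only at writeback */
    int valid_blocks;  /* 0 means the section is empty */
    bool is_curseg;    /* segment currently owned by an active log */
};

enum gc_result { GC_MIGRATED, GC_SKIPPED_EMPTY, GC_SKIPPED_CURSEG, GC_INCONSISTENT };

/* Thread B: new_curseg() hands the segment to a log.  The in-memory SIT
 * type changes immediately; the on-disk SSA still carries the old type. */
static void log_allocate_segment(struct seg *s, int type) {
    s->sit_type = type;
    s->is_curseg = true;
}

/* Thread A: do_garbage_collect() on one segment.  With `hardened` the
 * fix's checks run first: an empty section or a segment held by a log is
 * never migrated, so the race can no longer reach the type comparison. */
enum gc_result do_garbage_collect(const struct seg *s, bool hardened) {
    if (hardened) {
        if (s->valid_blocks == 0) return GC_SKIPPED_EMPTY;
        if (s->is_curseg) return GC_SKIPPED_CURSEG;
    }
    /* Pre-fix behaviour: the type read from on-disk SSA must match the
     * in-memory SIT; a mismatch stops the filesystem (the log lines above). */
    if (s->sit_type != s->ssa_type) return GC_INCONSISTENT;
    return GC_MIGRATED;
}

/* Replays the reported interleaving: the segment last held node blocks
 * (SSA says NODE), was freed, and is taken by a data log while GC from
 * fallocate() still has it as a candidate.  valid_blocks_at_gc models how
 * much the log has already written into it by the time GC looks. */
enum gc_result replay_race(bool hardened, int valid_blocks_at_gc) {
    struct seg s = { SUM_TYPE_NODE, SUM_TYPE_NODE, 0, false };
    log_allocate_segment(&s, SUM_TYPE_DATA); /* Thread B wins the race */
    s.valid_blocks = valid_blocks_at_gc;
    return do_garbage_collect(&s, hardened);
}
```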


Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
