{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40137","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.171Z","datePublished":"2025-11-12T10:23:23.624Z","dateUpdated":"2026-05-11T21:43:28.448Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:43:28.448Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to truncate first page in error path of f2fs_truncate()\n\nsyzbot reports a bug as below:\n\nloop0: detected capacity change from 0 to 40427\nF2FS-fs (loop0): Wrong SSA boundary, start(3584) end(4096) blocks(3072)\nF2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock\nF2FS-fs (loop0): invalid crc value\nF2FS-fs (loop0): f2fs_convert_inline_folio: corrupted inline inode ino=3, i_addr[0]:0x1601, run fsck to fix.\n------------[ cut here ]------------\nkernel BUG at fs/inode.c:753!\nRIP: 0010:clear_inode+0x169/0x190 fs/inode.c:753\nCall Trace:\n <TASK>\n evict+0x504/0x9c0 fs/inode.c:810\n f2fs_fill_super+0x5612/0x6fa0 fs/f2fs/super.c:5047\n get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1692\n vfs_get_tree+0x8f/0x2b0 fs/super.c:1815\n do_new_mount+0x2a2/0x9e0 fs/namespace.c:3808\n do_mount fs/namespace.c:4136 [inline]\n __do_sys_mount fs/namespace.c:4347 [inline]\n __se_sys_mount+0x317/0x410 fs/namespace.c:4324\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nDuring f2fs_evict_inode(), clear_inode() detects that we missed to truncate\nall page cache before destorying inode, that is because in below path, we\nwill create page #0 in cache, but missed to drop it in error path, let's fix\nit.\n\n- evict\n - f2fs_evict_inode\n  - f2fs_truncate\n   - f2fs_convert_inline_inode\n    - f2fs_grab_cache_folio\n    : create page #0 in cache\n    - f2fs_convert_inline_folio\n    : sanity check failed, return -EFSCORRUPTED\n  - clear_inode detects that inode->i_data.nrpages is not zero"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/f2fs/file.c"],"versions":[{"version":"92dffd01790a5219d234fc83c3ba854f4490b7f4","lessThan":"83a8e4efea022506a0e049e7206bdf8be9f78148","status":"affected","versionType":"git"},{"version":"92dffd01790a5219d234fc83c3ba854f4490b7f4","lessThan":"a7b7ebdd7045a36454b3e388a2ecf50344fad9e6","status":"affected","versionType":"git"},{"version":"92dffd01790a5219d234fc83c3ba854f4490b7f4","lessThan":"3b0c8908faa18cded84d64822882a830ab1f4d26","status":"affected","versionType":"git"},{"version":"92dffd01790a5219d234fc83c3ba854f4490b7f4","lessThan":"9251a9e6e871cb03c4714a18efa8f5d4a8818450","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/f2fs/file.c"],"versions":[{"version":"3.19","status":"affected"},{"version":"0","lessThan":"3.19","status":"unaffected","versionType":"semver"},{"version":"6.6.112","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.53","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.3","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.19","versionEndExcluding":"6.6.112"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.19","versionEndExcluding":"6.12.53"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.19","versionEndExcluding":"6.17.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.19","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/83a8e4efea022506a0e049e7206bdf8be9f78148"},{"url":"https://git.kernel.org/stable/c/a7b7ebdd7045a36454b3e388a2ecf50344fad9e6"},{"url":"https://git.kernel.org/stable/c/3b0c8908faa18cded84d64822882a830ab1f4d26"},{"url":"https://git.kernel.org/stable/c/9251a9e6e871cb03c4714a18efa8f5d4a8818450"}],"title":"f2fs: fix to truncate first page in error path of f2fs_truncate()","x_generator":{"engine":"bippy-1.2.0"}}}}