{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40150","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.175Z","datePublished":"2025-11-12T10:23:27.399Z","dateUpdated":"2026-05-11T21:43:42.259Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:43:42.259Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid migrating empty section\n\nIt reports a bug from device w/ zufs:\n\nF2FS-fs (dm-64): Inconsistent segment (173822) type [1, 0] in SSA and SIT\nF2FS-fs (dm-64): Stopped filesystem due to reason: 4\n\nThread A\t\t\t\tThread B\n- f2fs_expand_inode_data\n - f2fs_allocate_pinning_section\n  - f2fs_gc_range\n   - do_garbage_collect w/ segno #x\n\t\t\t\t\t- writepage\n\t\t\t\t\t - f2fs_allocate_data_block\n\t\t\t\t\t  - new_curseg\n\t\t\t\t\t   - allocate segno #x\n\nThe root cause is: fallocate on pinning file may race w/ block allocation\nas above, result in do_garbage_collect() from fallocate() may migrate\nsegment which is just allocated by a log, the log will update segment type\nin its in-memory structure, however GC will get segment type from on-disk\nSSA block, once segment type changes by log, we can detect such\ninconsistency, then shutdown filesystem.\n\nIn this case, on-disk SSA shows type of segno #173822 is 1 (SUM_TYPE_NODE),\nhowever segno #173822 was just allocated as data type segment, so in-memory\nSIT shows type of segno #173822 is 0 (SUM_TYPE_DATA).\n\nChange as below to fix this issue:\n- check whether current section is empty before gc\n- add sanity checks on do_garbage_collect() to avoid any race case, result\nin migrating segment used by log.\n- btw, it fixes misc issue in printed logs: \"SSA and SIT\" -> \"SIT and SSA\"."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/f2fs/gc.c"],"versions":[{"version":"40d76c393cca83938b11eb7ca8983aa3cd0ed69b","lessThan":"db489778e6f2a4034c2cd26fadda2796eba24dcd","status":"affected","versionType":"git"},{"version":"9703d69d9d153bb230711d0d577454552aeb13d4","lessThan":"25d2dc669f2a7e48b335d1cb07139f2ffc9fe5df","status":"affected","versionType":"git"},{"version":"9703d69d9d153bb230711d0d577454552aeb13d4","lessThan":"eec1589be36fcf7440755703e4faeee2c01e360b","status":"affected","versionType":"git"},{"version":"9703d69d9d153bb230711d0d577454552aeb13d4","lessThan":"d625a2b08c089397d3a03bff13fa8645e4ec7a01","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/f2fs/gc.c"],"versions":[{"version":"6.9","status":"affected"},{"version":"0","lessThan":"6.9","status":"unaffected","versionType":"semver"},{"version":"6.6.130","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.78","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.3","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.33","versionEndExcluding":"6.6.130"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.9","versionEndExcluding":"6.12.78"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.9","versionEndExcluding":"6.17.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.9","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/db489778e6f2a4034c2cd26fadda2796eba24dcd"},{"url":"https://git.kernel.org/stable/c/25d2dc669f2a7e48b335d1cb07139f2ffc9fe5df"},{"url":"https://git.kernel.org/stable/c/eec1589be36fcf7440755703e4faeee2c01e360b"},{"url":"https://git.kernel.org/stable/c/d625a2b08c089397d3a03bff13fa8645e4ec7a01"}],"title":"f2fs: fix to avoid migrating empty section","x_generator":{"engine":"bippy-1.2.0"}}}}