CVE-2025-71105

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
14/01/2026
Last modified:
14/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: use global inline_xattr_slab instead of per-sb slab cache

As Hong Yun reported in the mailing list:

loop7: detected capacity change from 0 to 131072
------------[ cut here ]------------
kmem_cache of name 'f2fs_xattr_entry-7:7' already exists
WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline]
WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307
CPU: 0 UID: 0 PID: 24426 Comm: syz.7.1370 Not tainted 6.17.0-rc4 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline]
RIP: 0010:__kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307
Call Trace:
 __kmem_cache_create include/linux/slab.h:353 [inline]
 f2fs_kmem_cache_create fs/f2fs/f2fs.h:2943 [inline]
 f2fs_init_xattr_caches+0xa5/0xe0 fs/f2fs/xattr.c:843
 f2fs_fill_super+0x1645/0x2620 fs/f2fs/super.c:4918
 get_tree_bdev_flags+0x1fb/0x260 fs/super.c:1692
 vfs_get_tree+0x43/0x140 fs/super.c:1815
 do_new_mount+0x201/0x550 fs/namespace.c:3808
 do_mount fs/namespace.c:4136 [inline]
 __do_sys_mount fs/namespace.c:4347 [inline]
 __se_sys_mount+0x298/0x2f0 fs/namespace.c:4324
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x8e/0x3a0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

The bug can be reproduced w/ the scripts below:
- mount /dev/vdb /mnt1
- mount /dev/vdc /mnt2
- umount /mnt1
- mount /dev/vdb /mnt1

The reason is that if we create two slab caches, named f2fs_xattr_entry-7:3 and f2fs_xattr_entry-7:7, and they have the same slab size, the slab system will actually only create one slab cache core structure, which has the slab name "f2fs_xattr_entry-7:3", and the two slab caches share the same structure and cache address.

So, if we destroy the f2fs_xattr_entry-7:3 cache w/ the cache address, it will decrease the reference count of the slab cache, rather than release the slab cache entirely, since one more user has referenced the cache.

Then, if we try to create a slab cache w/ the name "f2fs_xattr_entry-7:3" again, the slab system will find that there is an existing cache which has the same name and trigger the warning.

Let's change to use a global inline_xattr_slab instead of a per-sb slab cache to fix this.
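The aliasing sequence described above, as an added model written for this page (not kernel code and not the f2fs patch): a toy slab registry that merges same-size caches into one struct under the first name, refcounts destroys, and warns on a duplicate name, replayed against the per-superblock naming scheme and against a single cache created once at init. The cache names, the 64-byte object size and the function names are assumptions.

```c
/* Constructed model of slab-cache merging and the name sanity check; not kernel code. */
#include <string.h>
#define MAX_CACHES 8
#define OBJ_SIZE 64                /* assumed object size; only equality matters */

struct cache { char name[32]; size_t size; int refcount; int live; };
static struct cache caches[MAX_CACHES];
static int warnings;               /* "kmem_cache of name ... already exists" hits */

/* Model of kmem_cache_create(): a duplicate live name is the WARNING from the
 * report; otherwise merge into a live cache of the same object size (sharing its
 * struct and keeping the FIRST name), else allocate a fresh struct. */
static struct cache *cache_create(const char *name, size_t size)
{
    struct cache *c;
    for (c = caches; c < caches + MAX_CACHES; c++)
        if (c->live && strcmp(c->name, name) == 0) { warnings++; return NULL; }
    for (c = caches; c < caches + MAX_CACHES; c++)
        if (c->live && c->size == size) { c->refcount++; return c; }   /* alias */
    for (c = caches; c < caches + MAX_CACHES; c++)
        if (!c->live) {
            memset(c, 0, sizeof *c);
            strncpy(c->name, name, sizeof c->name - 1);
            c->size = size; c->refcount = 1; c->live = 1;
            return c;
        }
    return NULL;                   /* registry full */
}

/* Model of kmem_cache_destroy(): only the last reference frees the struct,
 * so the struct (and its original name) survives an earlier destroy. */
static void cache_destroy(struct cache *c)
{
    if (c && --c->refcount == 0) c->live = 0;
}

/* Replay mount /dev/vdb, mount /dev/vdc, umount /mnt1, mount /dev/vdb.
 * per_sb != 0: pre-fix naming, one cache per superblock keyed by device.
 * per_sb == 0: fixed scheme, one global cache created at module init;
 * mounts and umounts neither create nor destroy anything. */
int replay_mounts(int per_sb)
{
    struct cache *vdb;
    memset(caches, 0, sizeof caches); warnings = 0;
    if (!per_sb) { cache_create("f2fs_inline_xattr", OBJ_SIZE); return warnings; }
    vdb = cache_create("f2fs_xattr_entry-7:3", OBJ_SIZE);   /* mount /dev/vdb */
    cache_create("f2fs_xattr_entry-7:7", OBJ_SIZE);         /* mount /dev/vdc: aliased onto 7:3 */
    cache_destroy(vdb);                 /* umount /mnt1: refcount 2 -> 1, name "7:3" stays */
    cache_create("f2fs_xattr_entry-7:3", OBJ_SIZE);         /* mount /dev/vdb again: WARNING */
    return warnings;                    /* 1 with per-sb caches, 0 with the global cache */
}
```

The returned warning count is the only observable; the per-sb replay yields 1 because the merged struct still carries the first superblock's name after that superblock's destroy.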

Impact