CVE-2025-40150

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
12/11/2025
Last modified:
12/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid migrating empty section

It reports a bug from device w/ zufs:

F2FS-fs (dm-64): Inconsistent segment (173822) type [1, 0] in SSA and SIT
F2FS-fs (dm-64): Stopped filesystem due to reason: 4

Thread A                                  Thread B
- f2fs_expand_inode_data
 - f2fs_allocate_pinning_section
  - f2fs_gc_range
   - do_garbage_collect w/ segno #x
                                          - writepage
                                           - f2fs_allocate_data_block
                                            - new_curseg
                                             - allocate segno #x

The root cause is: fallocate on pinning file may race w/ block allocation
as above, result in do_garbage_collect() from fallocate() may migrate
segment which is just allocated by a log, the log will update segment type
in its in-memory structure, however GC will get segment type from on-disk
SSA block, once segment type changes by log, we can detect such
inconsistency, then shutdown filesystem.

In this case, on-disk SSA shows type of segno #173822 is 1 (SUM_TYPE_NODE),
however segno #173822 was just allocated as data type segment, so in-memory
SIT shows type of segno #173822 is 0 (SUM_TYPE_DATA).

Change as below to fix this issue:
- check whether current section is empty before gc
- add sanity checks on do_garbage_collect() to avoid any race case, result
  in migrating segment used by log.
- btw, it fixes misc issue in printed logs: "SSA and SIT" -> "SIT and SSA".
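The following is an added userspace model of the race and of the two checks the commit describes; it is illustrative code written for this page, not f2fs source. It assumes a toy filesystem with eight segments, two segments per section, one data log and one node log, a segment number 2 standing in for #173822, and a `patched` flag that switches the two new checks on. The kernel's EFSCORRUPTED is represented by EUCLEAN, which is what the kernel maps it to; everything else (struct names, helper names, return codes) is an assumption of the model.

```c
/* Added model of CVE-2025-40150 (f2fs GC vs. log allocation race).
 * Not f2fs code; all names, sizes and return codes are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#ifndef EUCLEAN
#define EUCLEAN 117
#endif
#define EFSCORRUPTED EUCLEAN      /* kernel defines EFSCORRUPTED as EUCLEAN */

#define NR_SEGS      8            /* toy geometry (assumption) */
#define SEGS_PER_SEC 2
#define SUM_TYPE_DATA 0           /* values match the commit message */
#define SUM_TYPE_NODE 1
#define CURSEG_DATA  0            /* one data log and one node log (assumption) */
#define CURSEG_NODE  1
#define NR_CURSEG    2
#define NULL_SEGNO   ((unsigned)-1)

struct segment {
    int sit_type;                 /* in-memory SIT type, updated by the log */
    int ssa_type;                 /* on-disk SSA summary type, lags behind */
    unsigned valid_blocks;
};

struct fs {
    struct segment seg[NR_SEGS];
    unsigned curseg[NR_CURSEG];   /* segment currently owned by each log */
};

static void fs_init(struct fs *fs)
{
    memset(fs, 0, sizeof(*fs));
    for (int i = 0; i < NR_CURSEG; i++)
        fs->curseg[i] = NULL_SEGNO;
}

/* Thread B side: new_curseg() claims a free segment and updates the
 * in-memory type; the on-disk SSA block is deliberately left stale. */
static void log_allocate(struct fs *fs, int log, unsigned segno, int type)
{
    fs->curseg[log] = segno;
    fs->seg[segno].sit_type = type;
}

static bool is_curseg(const struct fs *fs, unsigned segno)
{
    for (int i = 0; i < NR_CURSEG; i++)
        if (fs->curseg[i] == segno)
            return true;
    return false;
}

static bool section_is_empty(const struct fs *fs, unsigned secno)
{
    for (unsigned i = 0; i < SEGS_PER_SEC; i++)
        if (fs->seg[secno * SEGS_PER_SEC + i].valid_blocks)
            return false;
    return true;
}

/* Thread A side: migrate every segment of a section. The unpatched path
 * reads the type from SSA and trips over the log's SIT update; the patched
 * path refuses to touch a segment a log owns. */
static int do_garbage_collect(struct fs *fs, unsigned secno, bool patched)
{
    for (unsigned i = 0; i < SEGS_PER_SEC; i++) {
        unsigned segno = secno * SEGS_PER_SEC + i;
        struct segment *s = &fs->seg[segno];

        if (patched && is_curseg(fs, segno))
            return -EBUSY;        /* sanity check from the fix: skip, no shutdown */
        if (s->sit_type != s->ssa_type)
            return -EFSCORRUPTED; /* "Inconsistent segment ... in SIT and SSA" */
        s->valid_blocks = 0;      /* blocks migrated, segment freed */
    }
    return 0;
}

/* Replays the interleaving from the commit message. With the fix the empty
 * section is skipped up front; if the section is not empty, the log wins the
 * race after that check and the curseg check inside GC catches it. */
static int replay(bool patched, bool sibling_in_use)
{
    struct fs fs;
    const unsigned segno = 2, secno = segno / SEGS_PER_SEC; /* stands in for #173822 */

    fs_init(&fs);
    fs.seg[segno].ssa_type = SUM_TYPE_NODE;   /* stale: segment last held node blocks */
    fs.seg[segno].sit_type = SUM_TYPE_NODE;
    if (sibling_in_use)
        fs.seg[secno * SEGS_PER_SEC + 1].valid_blocks = 1;

    if (patched && section_is_empty(&fs, secno))
        return 0;                             /* f2fs_gc_range: nothing to migrate */
    log_allocate(&fs, CURSEG_DATA, segno, SUM_TYPE_DATA); /* thread B interleaves */
    return do_garbage_collect(&fs, secno, patched);
}

int main(void)
{
    printf("unpatched, empty section : %d\n", replay(false, false));
    printf("patched,   empty section : %d\n", replay(true, false));
    printf("unpatched, sibling in use: %d\n", replay(false, true));
    printf("patched,   sibling in use: %d\n", replay(true, true));
    return 0;
}
```

Run as-is, the two unpatched cases return -EFSCORRUPTED, which is the point at which the real filesystem logs the inconsistency and stops; the patched cases either skip the empty section (0) or back off from the log-owned segment (-EBUSY) instead of shutting down.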

Impact