CVE-2025-71105
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2026-01-14
Last updated on: 2026-03-25
Assigner: kernel.org
Description
Description
In the Linux kernel, the following vulnerability has been resolved:
f2fs: use global inline_xattr_slab instead of per-sb slab cache
As Hong Yun reported in mailing list:
loop7: detected capacity change from 0 to 131072
------------[ cut here ]------------
kmem_cache of name 'f2fs_xattr_entry-7:7' already exists
WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline]
WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307
CPU: 0 UID: 0 PID: 24426 Comm: syz.7.1370 Not tainted 6.17.0-rc4 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline]
RIP: 0010:__kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307
Call Trace:
Β __kmem_cache_create include/linux/slab.h:353 [inline]
Β f2fs_kmem_cache_create fs/f2fs/f2fs.h:2943 [inline]
Β f2fs_init_xattr_caches+0xa5/0xe0 fs/f2fs/xattr.c:843
Β f2fs_fill_super+0x1645/0x2620 fs/f2fs/super.c:4918
Β get_tree_bdev_flags+0x1fb/0x260 fs/super.c:1692
Β vfs_get_tree+0x43/0x140 fs/super.c:1815
Β do_new_mount+0x201/0x550 fs/namespace.c:3808
Β do_mount fs/namespace.c:4136 [inline]
Β __do_sys_mount fs/namespace.c:4347 [inline]
Β __se_sys_mount+0x298/0x2f0 fs/namespace.c:4324
Β do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
Β do_syscall_64+0x8e/0x3a0 arch/x86/entry/syscall_64.c:94
Β entry_SYSCALL_64_after_hwframe+0x76/0x7e
The bug can be reproduced w/ below scripts:
- mount /dev/vdb /mnt1
- mount /dev/vdc /mnt2
- umount /mnt1
- mounnt /dev/vdb /mnt1
The reason is if we created two slab caches, named f2fs_xattr_entry-7:3
and f2fs_xattr_entry-7:7, and they have the same slab size. Actually,
slab system will only create one slab cache core structure which has
slab name of "f2fs_xattr_entry-7:3", and two slab caches share the same
structure and cache address.
So, if we destroy f2fs_xattr_entry-7:3 cache w/ cache address, it will
decrease reference count of slab cache, rather than release slab cache
entirely, since there is one more user has referenced the cache.
Then, if we try to create slab cache w/ name "f2fs_xattr_entry-7:3" again,
slab system will find that there is existed cache which has the same name
and trigger the warning.
Let's changes to use global inline_xattr_slab instead of per-sb slab cache
for fixing.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 5.7 |
| linux | linux_kernel | From 5.11 (inc) to 5.15.198 (exc) |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | From 5.16 (inc) to 6.1.160 (exc) |
| linux | linux_kernel | From 6.2 (inc) to 6.6.120 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.64 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.18.3 (exc) |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | From 5.7.1 (inc) to 5.10.248 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70