CVE-2025-40054

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-40054
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40054.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-40054
Downstream
Related
Published
2025-10-28T11:48:29.073Z
Modified
2026-04-02T12:48:15.844664Z
Summary
f2fs: fix UAF issue in f2fs_merge_page_bio()
Details

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix UAF issue in f2fsmergepage_bio()

As JY reported in bugzilla [1],

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 pc : [0xffffffe51d249484] f2fsiscpguaranteed+0x70/0x98 lr : [0xffffffe51d24adbc] f2fsmergepagebio+0x520/0x6d4 CPU: 3 UID: 0 PID: 6790 Comm: kworker/u16:3 Tainted: P B W OE 6.12.30-android16-5-maybe-dirty-4k #1 5f7701c9cbf727d1eebe77c89bbbeb3371e895e5 Tainted: [P]=PROPRIETARYMODULE, [B]=BADPAGE, [W]=WARN, [O]=OOTMODULE, [E]=UNSIGNEDMODULE Workqueue: writeback wbworkfn (flush-254:49) Call trace: f2fsiscpguaranteed+0x70/0x98 f2fsinplacewritedata+0x174/0x2f4 f2fsdowritedatapage+0x214/0x81c f2fswritesingledatapage+0x28c/0x764 f2fswritedatapages+0x78c/0xce4 do_writepages+0xe8/0x2fc __writebacksingleinode+0x4c/0x4b4 writebacksbinodes+0x314/0x540 _writebackinodeswb+0xa4/0xf4 wbwriteback+0x160/0x448 wbworkfn+0x2f0/0x5dc processscheduledworks+0x1c8/0x458 workerthread+0x334/0x3f0 kthread+0x118/0x1ac retfromfork+0x10/0x20

[1] https://bugzilla.kernel.org/show_bug.cgi?id=220575

The panic was caused by UAF issue w/ below race condition:

kworker - writepages - f2fswritecachepages - f2fswritesingledatapage - f2fsdowritedatapage - f2fsinplacewritedata - f2fsmergepagebio - addinupage : cache page #1 into bio & cache bio in io->biolist - f2fswritesingledatapage - f2fsdowritedatapage - f2fsinplacewritedata - f2fsmergepagebio - addinupage : cache page #2 into bio which is linked in io->biolist write - f2fswritebegin : write page #1 - f2fsfoliowaitwriteback - f2fssubmitmergedipuwrite - f2fssubmitwrite_bio : submit bio which inclues page #1 and #2

                    software IRQ
                    - f2fs_write_end_io
                     - fscrypt_free_bounce_page
                     : freed bounced page which belongs to page #2
  - inc_page_count( , WB_DATA_TYPE(data_folio), false)
  : data_folio points to fio->encrypted_page
    the bounced page can be freed before
    accessing it in f2fs_is_cp_guarantee()

It can reproduce w/ below testcase: Run below script in shell #1: for ((i=1;i>0;i++)) do xfs_io -f /mnt/f2fs/enc/file \ -c "pwrite 0 32k" -c "fdatasync"

Run below script in shell #2: for ((i=1;i>0;i++)) do xfs_io -f /mnt/f2fs/enc/file \ -c "pwrite 0 32k" -c "fdatasync"

So, in f2fsmergepagebio(), let's avoid using fio->encryptedpage after commit page into internal ipu cache.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40054.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0b20fcec8651569935a10afe03fedc0b812d044e
Fixed
01118321e0c8a5f3ece57d0d377bfc92d83cd210
Fixed
edf7e9040fc52c922db947f9c6c36f07377c52ea

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40054.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
6.17.3

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40054.json"