CVE-2025-40128

Source
https://cve.org/CVERecord?id=CVE-2025-40128
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40128.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-40128
Downstream
Withdrawn
2026-01-12T22:22:10.883906Z
Published
2025-11-12T10:23:21Z
Modified
2026-01-12T22:22:10.883906Z
Summary
btrfs: fix symbolic link reading when bs > ps
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix symbolic link reading when bs > ps

[BUG DURING BS > PS TEST]

When running the following script on a btrfs whose block size is larger than page size, e.g. 8K block size and 4K page size, it will trigger a kernel BUG:

    # mkfs.btrfs -s 8k $dev
    # mount $dev $mnt
    # mkdir $mnt/dir
    # ln -s dir $mnt/link
    # ls $mnt/link

The call trace looks like this:

    BTRFS warning (device dm-2): support for block size 8192 with page size 4096 is experimental, some features may be missing
    BTRFS info (device dm-2): checking UUID tree
    BTRFS info (device dm-2): enabling ssd optimizations
    BTRFS info (device dm-2): enabling free space tree
    ------------[ cut here ]------------
    kernel BUG at /home/adam/linux/include/linux/highmem.h:275!
    Oops: invalid opcode: 0000 [#1] SMP
    CPU: 8 UID: 0 PID: 667 Comm: ls Tainted: G OE 6.17.0-rc4-custom+ #283 PREEMPT(full)
    Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022
    RIP: 0010:zero_user_segments.constprop.0+0xdc/0xe0 [btrfs]
    Call Trace:
     <TASK>
     btrfs_get_extent.cold+0x85/0x101 [btrfs 7453c70c03e631c8d8bfdd4264fa62d3e238da6f]
     btrfs_do_readpage+0x244/0x750 [btrfs 7453c70c03e631c8d8bfdd4264fa62d3e238da6f]
     btrfs_read_folio+0x9c/0x100 [btrfs 7453c70c03e631c8d8bfdd4264fa62d3e238da6f]
     filemap_read_folio+0x37/0xe0
     do_read_cache_folio+0x94/0x3e0
     __page_get_link.isra.0+0x20/0x90
     page_get_link+0x16/0x40
     step_into+0x69b/0x830
     path_lookupat+0xa7/0x170
     filename_lookup+0xf7/0x200
     ? set_ptes.isra.0+0x36/0x70
     vfs_statx+0x7a/0x160
     do_statx+0x63/0xa0
     __x64_sys_statx+0x90/0xe0
     do_syscall_64+0x82/0xae0
     entry_SYSCALL_64_after_hwframe+0x4b/0x53
     </TASK>

Please note bs > ps support is still under development and the enablement patch is not even in the btrfs development branch.

[CAUSE]

Btrfs reuses its data folio read path to handle symbolic links, as the symbolic link target is stored as an inline data extent.

But for newly created inodes, btrfs only sets the minimal order if the target inode is a regular file.

Thus for the above newly created symbolic link, it doesn't properly respect the minimal folio order, and triggered the above crash.

[FIX]

Call btrfs_set_inode_mapping_order() unconditionally inside btrfs_create_new_inode().

For symbolic links this will fix the crash as now the folio will meet the minimal order.

For regular files this brings no change.

For directory/bdev/char and all the other types of inodes, they won't go through the data read path, thus no effect either.
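
A defender-side exposure check built from this record, as an added example that is not part of the kernel commit or the OSV entry: it flags a host only when the kernel falls in the listed Linux / Kernel range (introduced 6.17.0, fixed 6.17.3) and a btrfs block size exceeds the page size. The function names are hypothetical, the sample inputs are constructed, and reading the block size from /sys/fs/btrfs/<fsid>/sectorsize is an assumption about the host.

```shell
#!/bin/sh
# Added example: exposure check for CVE-2025-40128 (not kernel or OSV code).
# A host is exposed only if BOTH hold: kernel in [6.17.0, 6.17.3) and a btrfs
# filesystem whose block size (sectorsize) is larger than the page size.

# in_affected_range VERSION: true if 6.17.0 <= VERSION < 6.17.3.
# Assumes upstream version strings; distro backports are not detected.
in_affected_range() {
    v=${1%%[-+]*}                       # drop suffixes like "-rc4-custom+"
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    case $rest in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%[!0-9]*}             # keep only the leading patch number
    case "$major$minor${patch:=0}" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -eq 6 ] && [ "$minor" -eq 17 ] && [ "$patch" -lt 3 ]
}

# verdict VERSION SECTORSIZE PAGESIZE: prints one classification line.
verdict() {
    if [ "$2" -le "$3" ]; then echo "not-affected: bs <= ps"
    elif in_affected_range "$1"; then echo "affected"
    else echo "not-affected: kernel outside 6.17.0-6.17.2"
    fi
}

# scan_host: classify every mounted btrfs on this machine (hypothetical helper).
scan_host() {
    ps=$(getconf PAGESIZE); kver=$(uname -r)
    for f in /sys/fs/btrfs/*/sectorsize; do
        [ -r "$f" ] || continue         # no btrfs mounted: glob stays literal
        fsid=${f#/sys/fs/btrfs/}; fsid=${fsid%/sectorsize}
        echo "$fsid: $(verdict "$kver" "$(cat "$f")" "$ps")"
    done
}

# Constructed samples: "kernel sectorsize pagesize"
for s in "6.17.0-rc4-custom+ 8192 4096" "6.17.2 4096 4096" "6.17.3 8192 4096"; do
    set -- $s; echo "$s -> $(verdict "$1" "$2" "$3")"
done
```

Call scan_host on a real machine to classify its mounted btrfs filesystems; vendor kernels that backport the fix need the vendor's advisory rather than this version comparison.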

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
cc38d178ff33543cdb0bd58cfbb9a7c41372ff75
Fixed
3ea252a5c48dd3a4e1f7d0c53d3b0f7b648becc9
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
cc38d178ff33543cdb0bd58cfbb9a7c41372ff75
Fixed
67378b754608a3524d125bfa5744508a49fe48be

Affected versions

v6.*
v6.16
v6.17
v6.17-rc1
v6.17-rc2
v6.17-rc3
v6.17-rc4
v6.17-rc5
v6.17-rc6
v6.17-rc7
v6.17.1
v6.17.2

Database specific

vanir_signatures
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40128.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.17.0
Fixed
6.17.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40128.json"