CVE-2025-40295

Source
https://cve.org/CVERecord?id=CVE-2025-40295
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40295.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-40295
Downstream
Published
2025-12-08T00:46:18.950Z
Modified
2025-12-08T03:08:52.512795Z
Summary
fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT
Details

In the Linux kernel, the following vulnerability has been resolved:

fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT

When simulating an nvme device on qemu with both logical_block_size and physical_block_size set to 8 KiB, an error trace appears during partition table reading at boot time. The issue is caused by inode->i_blkbits being larger than PAGE_SHIFT, which leads to a left shift of -1 and triggers a UBSAN warning.

[ 2.697306] ------------[ cut here ]------------
[ 2.697309] UBSAN: shift-out-of-bounds in fs/crypto/inline_crypt.c:336:37
[ 2.697311] shift exponent -1 is negative
[ 2.697315] CPU: 3 UID: 0 PID: 274 Comm: (udev-worker) Not tainted 6.18.0-rc2+ #34 PREEMPT(voluntary)
[ 2.697317] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 2.697320] Call Trace:
[ 2.697324]  <TASK>
[ 2.697325]  dump_stack_lvl+0x76/0xa0
[ 2.697340]  dump_stack+0x10/0x20
[ 2.697342]  __ubsan_handle_shift_out_of_bounds+0x1e3/0x390
[ 2.697351]  bh_get_inode_and_lblk_num.cold+0x12/0x94
[ 2.697359]  fscrypt_set_bio_crypt_ctx_bh+0x44/0x90
[ 2.697365]  submit_bh_wbc+0xb6/0x190
[ 2.697370]  block_read_full_folio+0x194/0x270
[ 2.697371]  ? __pfx_blkdev_get_block+0x10/0x10
[ 2.697375]  ? __pfx_blkdev_read_folio+0x10/0x10
[ 2.697377]  blkdev_read_folio+0x18/0x30
[ 2.697379]  filemap_read_folio+0x40/0xe0
[ 2.697382]  filemap_get_pages+0x5ef/0x7a0
[ 2.697385]  ? mmap_region+0x63/0xd0
[ 2.697389]  filemap_read+0x11d/0x520
[ 2.697392]  blkdev_read_iter+0x7c/0x180
[ 2.697393]  vfs_read+0x261/0x390
[ 2.697397]  ksys_read+0x71/0xf0
[ 2.697398]  __x64_sys_read+0x19/0x30
[ 2.697399]  x64_sys_call+0x1e88/0x26a0
[ 2.697405]  do_syscall_64+0x80/0x670
[ 2.697410]  ? __x64_sys_newfstat+0x15/0x20
[ 2.697414]  ? x64_sys_call+0x204a/0x26a0
[ 2.697415]  ? do_syscall_64+0xb8/0x670
[ 2.697417]  ? irqentry_exit_to_user_mode+0x2e/0x2a0
[ 2.697420]  ? irqentry_exit+0x43/0x50
[ 2.697421]  ? exc_page_fault+0x90/0x1b0
[ 2.697422]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 2.697425] RIP: 0033:0x75054cba4a06
[ 2.697426] Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08
[ 2.697427] RSP: 002b:00007fff973723a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000
[ 2.697430] RAX: ffffffffffffffda RBX: 00005ea9a2c02760 RCX: 000075054cba4a06
[ 2.697432] RDX: 0000000000002000 RSI: 000075054c190000 RDI: 000000000000001b
[ 2.697433] RBP: 00007fff973723c0 R08: 0000000000000000 R09: 0000000000000000
[ 2.697434] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[ 2.697434] R13: 00005ea9a2c027c0 R14: 00005ea9a2be5608 R15: 00005ea9a2be55f0
[ 2.697436]  </TASK>
[ 2.697436] ---[ end trace ]---

This situation can happen for block devices because when CONFIG_TRANSPARENT_HUGEPAGE is enabled, the maximum logical_block_size is 64 KiB. set_init_blocksize() then sets the block device inode->i_blkbits to 13, which is within this limit.

File I/O does not trigger this problem because for filesystems that do not support the FS_LBS feature, sb_set_blocksize() prevents sb->s_blocksize_bits from being larger than PAGE_SHIFT. During inode allocation, alloc_inode()->inode_init_always() assigns inode->i_blkbits from sb->s_blocksize_bits. Currently, only xfs_fs_type has the FS_LBS flag, and since xfs I/O paths do not reach submit_bh_wbc(), it does not hit the left-shift underflow issue.

[EB: use folio_pos() and consolidate the two shifts by i_blkbits]
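The arithmetic behind the UBSAN report, as an added illustration that is not the kernel's code and not part of this CVE record: it models the logical-block-number calculation in bh_get_inode_and_lblk_num() in the pre-fix shape the commit describes (a left shift by PAGE_SHIFT minus i_blkbits, which is -1 for 8 KiB blocks on 4 KiB pages) next to the consolidated shape the editor's note points at (folio_pos() plus the buffer's offset, then one right shift by i_blkbits). PAGE_SHIFT, the folio and buffer_head stand-ins, the b_offset field, and the sample (index, offset, blkbits) triples are all constructed here; the real kernel code has more fields and no guard of its own.

```c
/*
 * Added illustration, not kernel code. Models the lblk_num computation that
 * UBSAN flagged: the pre-fix form shifts the folio index left by
 * PAGE_SHIFT - i_blkbits (negative when blocks are larger than pages), the
 * post-fix form derives one byte position and shifts right once.
 * PAGE_SHIFT and the struct stand-ins are constructed for this example.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12u   /* 4 KiB pages, as on the x86-64 VM in the report */

struct folio { uint64_t index; };   /* page-cache index of the folio, in page units */
struct buffer_head {
    struct folio *b_folio;          /* folio backing this buffer */
    unsigned long b_offset;         /* byte offset of the buffer inside the folio (stand-in for bh_offset()) */
};

/* Byte position of the folio within the file; same idea as the kernel's folio_pos(). */
static uint64_t folio_pos(const struct folio *folio)
{
    return folio->index << PAGE_SHIFT;
}

/*
 * Pre-fix shape. A negative shift exponent is undefined behaviour in C, which
 * is exactly what UBSAN reported, so this model refuses to evaluate it and
 * returns false. The kernel code had no such guard.
 */
static bool lblk_num_old(const struct buffer_head *bh, unsigned int blkbits, uint64_t *lblk_num)
{
    int shift = (int)PAGE_SHIFT - (int)blkbits;

    if (shift < 0)   /* i_blkbits > PAGE_SHIFT: e.g. 13 > 12 for 8 KiB blocks */
        return false;
    *lblk_num = (bh->b_folio->index << shift) + (bh->b_offset >> blkbits);
    return true;
}

/* Post-fix shape: one byte position, one right shift. Well defined for any blkbits below 64. */
static uint64_t lblk_num_new(const struct buffer_head *bh, unsigned int blkbits)
{
    return (folio_pos(bh->b_folio) + bh->b_offset) >> blkbits;
}

/* Run both forms for one (index, offset, blkbits) triple; returns whether the old form was evaluable. */
static bool compare(uint64_t index, unsigned long offset, unsigned int blkbits,
                    uint64_t *old_out, uint64_t *new_out)
{
    struct folio folio = { .index = index };
    struct buffer_head bh = { .b_folio = &folio, .b_offset = offset };

    *new_out = lblk_num_new(&bh, blkbits);
    return lblk_num_old(&bh, blkbits, old_out);
}

int main(void)
{
    /* Constructed cases: 1 KiB and 4 KiB blocks (old form fine), then the 8 KiB case from the report. */
    const struct { uint64_t index; unsigned long offset; unsigned int blkbits; } cases[] = {
        { 3, 2048, 10 },   /* 1 KiB blocks: third buffer of folio 3 */
        { 5, 0, 12 },      /* 4 KiB blocks: one block per page */
        { 4, 0, 13 },      /* 8 KiB blocks, i_blkbits > PAGE_SHIFT: the reported configuration */
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        uint64_t old_lblk = 0, new_lblk = 0;
        bool old_ok = compare(cases[i].index, cases[i].offset, cases[i].blkbits,
                              &old_lblk, &new_lblk);

        printf("index=%llu offset=%lu blkbits=%u: new=%llu old=",
               (unsigned long long)cases[i].index, cases[i].offset, cases[i].blkbits,
               (unsigned long long)new_lblk);
        if (old_ok)
            printf("%llu\n", (unsigned long long)old_lblk);
        else
            printf("undefined (shift exponent %d)\n", (int)PAGE_SHIFT - (int)cases[i].blkbits);
    }
    return 0;
}
```

On a live system the configuration the commit describes is visible from userspace: compare /sys/block/<dev>/queue/logical_block_size with the output of getconf PAGESIZE; a block device whose logical block size exceeds the page size is the case in which inode->i_blkbits ends up above PAGE_SHIFT for reads of the raw device, and the UBSAN report above only appears on kernels built with shift-out-of-bounds checking (without it the negative shift silently yields a wrong block number).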

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40295.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
47dd67532303803a87f43195e088b3b4bcf0454d
Fixed
dde026c5d2a5870f97924d5b512adf2b93fb7153
Fixed
1e39da974ce621ed874c6d3aaf65ad14848c9f0d

Affected versions

v6.*
v6.14
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.17
v6.17-rc1
v6.17-rc2
v6.17-rc3
v6.17-rc4
v6.17-rc5
v6.17-rc6
v6.17-rc7
v6.17.1
v6.17.2
v6.17.3
v6.17.4
v6.17.5
v6.17.6
v6.17.7
v6.18-rc1
v6.18-rc2
v6.18-rc3
v6.18-rc4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40295.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.15.0
Fixed
6.17.8

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40295.json"