CVE-2025-71105 (GCVE-0-2025-71105)

Vulnerability from cvelistv5 – Published: 2026-01-14 15:05 – Updated: 2026-01-14 15:05
VLAI?
Title
f2fs: use global inline_xattr_slab instead of per-sb slab cache
Summary
In the Linux kernel, the following vulnerability has been resolved: f2fs: use global inline_xattr_slab instead of per-sb slab cache As Hong Yun reported in mailing list: loop7: detected capacity change from 0 to 131072 ------------[ cut here ]------------ kmem_cache of name 'f2fs_xattr_entry-7:7' already exists WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline] WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307 CPU: 0 UID: 0 PID: 24426 Comm: syz.7.1370 Not tainted 6.17.0-rc4 #1 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline] RIP: 0010:__kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307 Call Trace:  __kmem_cache_create include/linux/slab.h:353 [inline]  f2fs_kmem_cache_create fs/f2fs/f2fs.h:2943 [inline]  f2fs_init_xattr_caches+0xa5/0xe0 fs/f2fs/xattr.c:843  f2fs_fill_super+0x1645/0x2620 fs/f2fs/super.c:4918  get_tree_bdev_flags+0x1fb/0x260 fs/super.c:1692  vfs_get_tree+0x43/0x140 fs/super.c:1815  do_new_mount+0x201/0x550 fs/namespace.c:3808  do_mount fs/namespace.c:4136 [inline]  __do_sys_mount fs/namespace.c:4347 [inline]  __se_sys_mount+0x298/0x2f0 fs/namespace.c:4324  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]  do_syscall_64+0x8e/0x3a0 arch/x86/entry/syscall_64.c:94  entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug can be reproduced w/ below scripts: - mount /dev/vdb /mnt1 - mount /dev/vdc /mnt2 - umount /mnt1 - mounnt /dev/vdb /mnt1 The reason is if we created two slab caches, named f2fs_xattr_entry-7:3 and f2fs_xattr_entry-7:7, and they have the same slab size. Actually, slab system will only create one slab cache core structure which has slab name of "f2fs_xattr_entry-7:3", and two slab caches share the same structure and cache address. So, if we destroy f2fs_xattr_entry-7:3 cache w/ cache address, it will decrease reference count of slab cache, rather than release slab cache entirely, since there is one more user has referenced the cache. Then, if we try to create slab cache w/ name "f2fs_xattr_entry-7:3" again, slab system will find that there is existed cache which has the same name and trigger the warning. Let's changes to use global inline_xattr_slab instead of per-sb slab cache for fixing.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: a999150f4fe3abbb7efd05411fd5b460be699943 , < 72ce19dfed162da6e430467333b2da70471d08a4 (git)
Affected: a999150f4fe3abbb7efd05411fd5b460be699943 , < be4c3a3c6c2304a8fcd14095d18d26f0cc4e222a (git)
Affected: a999150f4fe3abbb7efd05411fd5b460be699943 , < 1eb0b130196bcbc56c5c80c83139fa70c0aa82c5 (git)
Affected: a999150f4fe3abbb7efd05411fd5b460be699943 , < e6d828eae00ec192e18c2ddaa2fd32050a96048a (git)
Affected: a999150f4fe3abbb7efd05411fd5b460be699943 , < 1f27ef42bb0b7c0740c5616ec577ec188b8a1d05 (git)
Create a notification for this product.
    Linux Linux Affected: 5.7
Unaffected: 0 , < 5.7 (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.64 , ≤ 6.12.* (semver)
Unaffected: 6.18.3 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/f2fs.h",
            "fs/f2fs/super.c",
            "fs/f2fs/xattr.c",
            "fs/f2fs/xattr.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "72ce19dfed162da6e430467333b2da70471d08a4",
              "status": "affected",
              "version": "a999150f4fe3abbb7efd05411fd5b460be699943",
              "versionType": "git"
            },
            {
              "lessThan": "be4c3a3c6c2304a8fcd14095d18d26f0cc4e222a",
              "status": "affected",
              "version": "a999150f4fe3abbb7efd05411fd5b460be699943",
              "versionType": "git"
            },
            {
              "lessThan": "1eb0b130196bcbc56c5c80c83139fa70c0aa82c5",
              "status": "affected",
              "version": "a999150f4fe3abbb7efd05411fd5b460be699943",
              "versionType": "git"
            },
            {
              "lessThan": "e6d828eae00ec192e18c2ddaa2fd32050a96048a",
              "status": "affected",
              "version": "a999150f4fe3abbb7efd05411fd5b460be699943",
              "versionType": "git"
            },
            {
              "lessThan": "1f27ef42bb0b7c0740c5616ec577ec188b8a1d05",
              "status": "affected",
              "version": "a999150f4fe3abbb7efd05411fd5b460be699943",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/f2fs.h",
            "fs/f2fs/super.c",
            "fs/f2fs/xattr.c",
            "fs/f2fs/xattr.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.64",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.3",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: use global inline_xattr_slab instead of per-sb slab cache\n\nAs Hong Yun reported in mailing list:\n\nloop7: detected capacity change from 0 to 131072\n------------[ cut here ]------------\nkmem_cache of name \u0027f2fs_xattr_entry-7:7\u0027 already exists\nWARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline]\nWARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307\nCPU: 0 UID: 0 PID: 24426 Comm: syz.7.1370 Not tainted 6.17.0-rc4 #1 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nRIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline]\nRIP: 0010:__kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307\nCall Trace:\n\u00a0__kmem_cache_create include/linux/slab.h:353 [inline]\n\u00a0f2fs_kmem_cache_create fs/f2fs/f2fs.h:2943 [inline]\n\u00a0f2fs_init_xattr_caches+0xa5/0xe0 fs/f2fs/xattr.c:843\n\u00a0f2fs_fill_super+0x1645/0x2620 fs/f2fs/super.c:4918\n\u00a0get_tree_bdev_flags+0x1fb/0x260 fs/super.c:1692\n\u00a0vfs_get_tree+0x43/0x140 fs/super.c:1815\n\u00a0do_new_mount+0x201/0x550 fs/namespace.c:3808\n\u00a0do_mount fs/namespace.c:4136 [inline]\n\u00a0__do_sys_mount fs/namespace.c:4347 [inline]\n\u00a0__se_sys_mount+0x298/0x2f0 fs/namespace.c:4324\n\u00a0do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n\u00a0do_syscall_64+0x8e/0x3a0 arch/x86/entry/syscall_64.c:94\n\u00a0entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe bug can be reproduced w/ below scripts:\n- mount /dev/vdb /mnt1\n- mount /dev/vdc /mnt2\n- umount /mnt1\n- mounnt /dev/vdb /mnt1\n\nThe reason is if we created two slab caches, named f2fs_xattr_entry-7:3\nand f2fs_xattr_entry-7:7, and they have the same slab size. Actually,\nslab system will only create one slab cache core structure which has\nslab name of \"f2fs_xattr_entry-7:3\", and two slab caches share the same\nstructure and cache address.\n\nSo, if we destroy f2fs_xattr_entry-7:3 cache w/ cache address, it will\ndecrease reference count of slab cache, rather than release slab cache\nentirely, since there is one more user has referenced the cache.\n\nThen, if we try to create slab cache w/ name \"f2fs_xattr_entry-7:3\" again,\nslab system will find that there is existed cache which has the same name\nand trigger the warning.\n\nLet\u0027s changes to use global inline_xattr_slab instead of per-sb slab cache\nfor fixing."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-14T15:05:54.510Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/72ce19dfed162da6e430467333b2da70471d08a4"
        },
        {
          "url": "https://git.kernel.org/stable/c/be4c3a3c6c2304a8fcd14095d18d26f0cc4e222a"
        },
        {
          "url": "https://git.kernel.org/stable/c/1eb0b130196bcbc56c5c80c83139fa70c0aa82c5"
        },
        {
          "url": "https://git.kernel.org/stable/c/e6d828eae00ec192e18c2ddaa2fd32050a96048a"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f27ef42bb0b7c0740c5616ec577ec188b8a1d05"
        }
      ],
      "title": "f2fs: use global inline_xattr_slab instead of per-sb slab cache",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-71105",
    "datePublished": "2026-01-14T15:05:54.510Z",
    "dateReserved": "2026-01-13T15:30:19.651Z",
    "dateUpdated": "2026-01-14T15:05:54.510Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-71105\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-01-14T15:15:59.533\",\"lastModified\":\"2026-01-14T16:25:12.057\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nf2fs: use global inline_xattr_slab instead of per-sb slab cache\\n\\nAs Hong Yun reported in mailing list:\\n\\nloop7: detected capacity change from 0 to 131072\\n------------[ cut here ]------------\\nkmem_cache of name \u0027f2fs_xattr_entry-7:7\u0027 already exists\\nWARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline]\\nWARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307\\nCPU: 0 UID: 0 PID: 24426 Comm: syz.7.1370 Not tainted 6.17.0-rc4 #1 PREEMPT(full)\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\\nRIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline]\\nRIP: 0010:__kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307\\nCall Trace:\\n\u00a0__kmem_cache_create include/linux/slab.h:353 [inline]\\n\u00a0f2fs_kmem_cache_create fs/f2fs/f2fs.h:2943 [inline]\\n\u00a0f2fs_init_xattr_caches+0xa5/0xe0 fs/f2fs/xattr.c:843\\n\u00a0f2fs_fill_super+0x1645/0x2620 fs/f2fs/super.c:4918\\n\u00a0get_tree_bdev_flags+0x1fb/0x260 fs/super.c:1692\\n\u00a0vfs_get_tree+0x43/0x140 fs/super.c:1815\\n\u00a0do_new_mount+0x201/0x550 fs/namespace.c:3808\\n\u00a0do_mount fs/namespace.c:4136 [inline]\\n\u00a0__do_sys_mount fs/namespace.c:4347 [inline]\\n\u00a0__se_sys_mount+0x298/0x2f0 fs/namespace.c:4324\\n\u00a0do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\\n\u00a0do_syscall_64+0x8e/0x3a0 arch/x86/entry/syscall_64.c:94\\n\u00a0entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n\\nThe bug can be reproduced w/ below scripts:\\n- mount /dev/vdb /mnt1\\n- mount /dev/vdc /mnt2\\n- umount /mnt1\\n- mounnt /dev/vdb /mnt1\\n\\nThe reason is if we created two slab caches, named f2fs_xattr_entry-7:3\\nand f2fs_xattr_entry-7:7, and they have the same slab size. Actually,\\nslab system will only create one slab cache core structure which has\\nslab name of \\\"f2fs_xattr_entry-7:3\\\", and two slab caches share the same\\nstructure and cache address.\\n\\nSo, if we destroy f2fs_xattr_entry-7:3 cache w/ cache address, it will\\ndecrease reference count of slab cache, rather than release slab cache\\nentirely, since there is one more user has referenced the cache.\\n\\nThen, if we try to create slab cache w/ name \\\"f2fs_xattr_entry-7:3\\\" again,\\nslab system will find that there is existed cache which has the same name\\nand trigger the warning.\\n\\nLet\u0027s changes to use global inline_xattr_slab instead of per-sb slab cache\\nfor fixing.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1eb0b130196bcbc56c5c80c83139fa70c0aa82c5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/1f27ef42bb0b7c0740c5616ec577ec188b8a1d05\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/72ce19dfed162da6e430467333b2da70471d08a4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/be4c3a3c6c2304a8fcd14095d18d26f0cc4e222a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e6d828eae00ec192e18c2ddaa2fd32050a96048a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.