{"id":"CVE-2025-40138","summary":"f2fs: fix to avoid NULL pointer dereference in f2fs_check_quota_consistency()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid NULL pointer dereference in f2fs_check_quota_consistency()\n\nsyzbot reported a f2fs bug as below:\n\nOops: gen[  107.736417][ T5848] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 1 UID: 0 PID: 5848 Comm: syz-executor263 Tainted: G        W           6.17.0-rc1-syzkaller-00014-g0e39a731820a #0 PREEMPT_{RT,(full)}\nRIP: 0010:strcmp+0x3c/0xc0 lib/string.c:284\nCall Trace:\n \u003cTASK\u003e\n f2fs_check_quota_consistency fs/f2fs/super.c:1188 [inline]\n f2fs_check_opt_consistency+0x1378/0x2c10 fs/f2fs/super.c:1436\n __f2fs_remount fs/f2fs/super.c:2653 [inline]\n f2fs_reconfigure+0x482/0x1770 fs/f2fs/super.c:5297\n reconfigure_super+0x224/0x890 fs/super.c:1077\n do_remount fs/namespace.c:3314 [inline]\n path_mount+0xd18/0xfe0 fs/namespace.c:4112\n do_mount fs/namespace.c:4133 [inline]\n __do_sys_mount fs/namespace.c:4344 [inline]\n __se_sys_mount+0x317/0x410 fs/namespace.c:4321\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe direct reason is f2fs_check_quota_consistency() may suffer null-ptr-deref\nissue in strcmp().\n\nThe bug can be reproduced w/ below scripts:\nmkfs.f2fs -f /dev/vdb\nmount -t f2fs -o usrquota /dev/vdb /mnt/f2fs\nquotacheck -uc /mnt/f2fs/\numount /mnt/f2fs\nmount -t f2fs -o usrjquota=aquota.user,jqfmt=vfsold /dev/vdb /mnt/f2fs\nmount -t f2fs -o remount,usrjquota=,jqfmt=vfsold /dev/vdb /mnt/f2fs\numount /mnt/f2fs\n\nSo, before old_qname and new_qname comparison, we need to check whether\nthey are all valid pointers, fix it.","modified":"2026-03-20T12:43:11.578836Z","published":"2025-11-12T10:23:23.912Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40138.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/3f3458852bbfe79c60f2412b8b04677b96688b6e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/930a9a6ee8e7ffa20af4bffbfc2bbd21d83bf81c"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40138.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40138"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d185351325237da688de006a2c579e82ea97bdfe"},{"fixed":"3f3458852bbfe79c60f2412b8b04677b96688b6e"},{"fixed":"930a9a6ee8e7ffa20af4bffbfc2bbd21d83bf81c"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40138.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.17.0"},{"fixed":"6.17.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40138.json"}}],"schema_version":"1.7.5"}