{"id":"CVE-2025-71105","summary":"f2fs: use global inline_xattr_slab instead of per-sb slab cache","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: use global inline_xattr_slab instead of per-sb slab cache\n\nAs Hong Yun reported in mailing list:\n\nloop7: detected capacity change from 0 to 131072\n------------[ cut here ]------------\nkmem_cache of name 'f2fs_xattr_entry-7:7' already exists\nWARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline]\nWARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307\nCPU: 0 UID: 0 PID: 24426 Comm: syz.7.1370 Not tainted 6.17.0-rc4 #1 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nRIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline]\nRIP: 0010:__kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307\nCall Trace:\n __kmem_cache_create include/linux/slab.h:353 [inline]\n f2fs_kmem_cache_create fs/f2fs/f2fs.h:2943 [inline]\n f2fs_init_xattr_caches+0xa5/0xe0 fs/f2fs/xattr.c:843\n f2fs_fill_super+0x1645/0x2620 fs/f2fs/super.c:4918\n get_tree_bdev_flags+0x1fb/0x260 fs/super.c:1692\n vfs_get_tree+0x43/0x140 fs/super.c:1815\n do_new_mount+0x201/0x550 fs/namespace.c:3808\n do_mount fs/namespace.c:4136 [inline]\n __do_sys_mount fs/namespace.c:4347 [inline]\n __se_sys_mount+0x298/0x2f0 fs/namespace.c:4324\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x8e/0x3a0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe bug can be reproduced w/ below scripts:\n- mount /dev/vdb /mnt1\n- mount /dev/vdc /mnt2\n- umount /mnt1\n- mounnt /dev/vdb /mnt1\n\nThe reason is if we created two slab caches, named f2fs_xattr_entry-7:3\nand f2fs_xattr_entry-7:7, and they have the same slab size. Actually,\nslab system will only create one slab cache core structure which has\nslab name of \"f2fs_xattr_entry-7:3\", and two slab caches share the same\nstructure and cache address.\n\nSo, if we destroy f2fs_xattr_entry-7:3 cache w/ cache address, it will\ndecrease reference count of slab cache, rather than release slab cache\nentirely, since there is one more user has referenced the cache.\n\nThen, if we try to create slab cache w/ name \"f2fs_xattr_entry-7:3\" again,\nslab system will find that there is existed cache which has the same name\nand trigger the warning.\n\nLet's changes to use global inline_xattr_slab instead of per-sb slab cache\nfor fixing.","modified":"2026-03-20T12:46:37.085712Z","published":"2026-01-14T15:05:54.510Z","related":["MGASA-2026-0017","MGASA-2026-0018"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71105.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1eb0b130196bcbc56c5c80c83139fa70c0aa82c5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1f27ef42bb0b7c0740c5616ec577ec188b8a1d05"},{"type":"WEB","url":"https://git.kernel.org/stable/c/474cc3ed37436ddfd63cac8dbffe3b1e219e9100"},{"type":"WEB","url":"https://git.kernel.org/stable/c/72ce19dfed162da6e430467333b2da70471d08a4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/93d30fe19660dec6bf1bd3d5c186c1c737b21aa5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/be4c3a3c6c2304a8fcd14095d18d26f0cc4e222a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e6d828eae00ec192e18c2ddaa2fd32050a96048a"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71105.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-71105"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"a999150f4fe3abbb7efd05411fd5b460be699943"},{"fixed":"93d30fe19660dec6bf1bd3d5c186c1c737b21aa5"},{"fixed":"474cc3ed37436ddfd63cac8dbffe3b1e219e9100"},{"fixed":"72ce19dfed162da6e430467333b2da70471d08a4"},{"fixed":"be4c3a3c6c2304a8fcd14095d18d26f0cc4e222a"},{"fixed":"1eb0b130196bcbc56c5c80c83139fa70c0aa82c5"},{"fixed":"e6d828eae00ec192e18c2ddaa2fd32050a96048a"},{"fixed":"1f27ef42bb0b7c0740c5616ec577ec188b8a1d05"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71105.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.7.0"},{"fixed":"5.10.248"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.198"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.160"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.120"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.64"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71105.json"}}],"schema_version":"1.7.5"}