{"id":"CVE-2025-40128","summary":"btrfs: fix symbolic link reading when bs \u003e ps","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix symbolic link reading when bs \u003e ps\n\n[BUG DURING BS \u003e PS TEST]\nWhen running the following script on a btrfs whose block size is larger\nthan page size, e.g. 8K block size and 4K page size, it will trigger a\nkernel BUG:\n\n  # mkfs.btrfs -s 8k $dev\n  # mount $dev $mnt\n  # mkdir $mnt/dir\n  # ln -s dir $mnt/link\n  # ls $mnt/link\n\nThe call trace looks like this:\n\n  BTRFS warning (device dm-2): support for block size 8192 with page size 4096 is experimental, some features may be missing\n  BTRFS info (device dm-2): checking UUID tree\n  BTRFS info (device dm-2): enabling ssd optimizations\n  BTRFS info (device dm-2): enabling free space tree\n  ------------[ cut here ]------------\n  kernel BUG at /home/adam/linux/include/linux/highmem.h:275!\n  Oops: invalid opcode: 0000 [#1] SMP\n  CPU: 8 UID: 0 PID: 667 Comm: ls Tainted: G           OE       6.17.0-rc4-custom+ #283 PREEMPT(full)\n  Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022\n  RIP: 0010:zero_user_segments.constprop.0+0xdc/0xe0 [btrfs]\n  Call Trace:\n   \u003cTASK\u003e\n   btrfs_get_extent.cold+0x85/0x101 [btrfs 7453c70c03e631c8d8bfdd4264fa62d3e238da6f]\n   btrfs_do_readpage+0x244/0x750 [btrfs 7453c70c03e631c8d8bfdd4264fa62d3e238da6f]\n   btrfs_read_folio+0x9c/0x100 [btrfs 7453c70c03e631c8d8bfdd4264fa62d3e238da6f]\n   filemap_read_folio+0x37/0xe0\n   do_read_cache_folio+0x94/0x3e0\n   __page_get_link.isra.0+0x20/0x90\n   page_get_link+0x16/0x40\n   step_into+0x69b/0x830\n   path_lookupat+0xa7/0x170\n   filename_lookup+0xf7/0x200\n   ? set_ptes.isra.0+0x36/0x70\n   vfs_statx+0x7a/0x160\n   do_statx+0x63/0xa0\n   __x64_sys_statx+0x90/0xe0\n   do_syscall_64+0x82/0xae0\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n   \u003c/TASK\u003e\n\nPlease note bs \u003e ps support is still under development and the\nenablement patch is not even in btrfs development branch.\n\n[CAUSE]\nBtrfs reuses its data folio read path to handle symbolic links, as the\nsymbolic link target is stored as an inline data extent.\n\nBut for newly created inodes, btrfs only set the minimal order if the\ntarget inode is a regular file.\n\nThus for above newly created symbolic link, it doesn't properly respect\nthe minimal folio order, and triggered the above crash.\n\n[FIX]\nCall btrfs_set_inode_mapping_order() unconditionally inside\nbtrfs_create_new_inode().\n\nFor symbolic links this will fix the crash as now the folio will meet\nthe minimal order.\n\nFor regular files this brings no change.\n\nFor directory/bdev/char and all the other types of inodes, they won't\ngo through the data read path, thus no effect either.","modified":"2026-01-12T22:22:10.883906Z","published":"2025-11-12T10:23:21Z","withdrawn":"2026-01-12T22:22:10.883906Z","references":[{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3ea252a5c48dd3a4e1f7d0c53d3b0f7b648becc9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/67378b754608a3524d125bfa5744508a49fe48be"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"cc38d178ff33543cdb0bd58cfbb9a7c41372ff75"},{"fixed":"3ea252a5c48dd3a4e1f7d0c53d3b0f7b648becc9"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"cc38d178ff33543cdb0bd58cfbb9a7c41372ff75"},{"fixed":"67378b754608a3524d125bfa5744508a49fe48be"}]}],"versions":["v6.16","v6.17","v6.17-rc1","v6.17-rc2","v6.17-rc3","v6.17-rc4","v6.17-rc5","v6.17-rc6","v6.17-rc7","v6.17.1","v6.17.2"],"database_specific":{"vanir_signatures":[{"target":{"file":"fs/btrfs/inode.c"},"deprecated":false,"source":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3ea252a5c48dd3a4e1f7d0c53d3b0f7b648becc9","id":"CVE-2025-40128-1f7b9013","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["111783796843808215168161346912608281656","156857285124153585787423409867782886095","79152312644990711707749849058768910380","98218955946132619011972385884251007297","149115783346139031381673386589131883440","249080361505763897312372506243472078006","149021174400097886815398936574272815398"]}},{"target":{"file":"fs/btrfs/inode.c"},"deprecated":false,"source":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@67378b754608a3524d125bfa5744508a49fe48be","id":"CVE-2025-40128-59158ad2","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["111783796843808215168161346912608281656","156857285124153585787423409867782886095","79152312644990711707749849058768910380","98218955946132619011972385884251007297","149115783346139031381673386589131883440","249080361505763897312372506243472078006","149021174400097886815398936574272815398"]}},{"target":{"file":"fs/btrfs/inode.c","function":"btrfs_create_new_inode"},"deprecated":false,"source":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3ea252a5c48dd3a4e1f7d0c53d3b0f7b648becc9","id":"CVE-2025-40128-7abd63ff","signature_version":"v1","signature_type":"Function","digest":{"function_hash":"167256846239687884834146684828188019616","length":4612}},{"target":{"file":"fs/btrfs/inode.c","function":"btrfs_create_new_inode"},"deprecated":false,"source":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@67378b754608a3524d125bfa5744508a49fe48be","id":"CVE-2025-40128-f20e8002","signature_version":"v1","signature_type":"Function","digest":{"function_hash":"167256846239687884834146684828188019616","length":4612}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40128.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.17.0"},{"fixed":"6.17.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40128.json"}}],"schema_version":"1.7.3"}