{"id":"CVE-2025-40295","summary":"fscrypt: fix left shift underflow when inode-\u003ei_blkbits \u003e PAGE_SHIFT","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nfscrypt: fix left shift underflow when inode-\u003ei_blkbits \u003e PAGE_SHIFT\n\nWhen simulating an nvme device on qemu with both logical_block_size and\nphysical_block_size set to 8 KiB, an error trace appears during\npartition table reading at boot time. The issue is caused by\ninode-\u003ei_blkbits being larger than PAGE_SHIFT, which leads to a left\nshift of -1 and triggering a UBSAN warning.\n\n[    2.697306] ------------[ cut here ]------------\n[    2.697309] UBSAN: shift-out-of-bounds in fs/crypto/inline_crypt.c:336:37\n[    2.697311] shift exponent -1 is negative\n[    2.697315] CPU: 3 UID: 0 PID: 274 Comm: (udev-worker) Not tainted 6.18.0-rc2+ #34 PREEMPT(voluntary)\n[    2.697317] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[    2.697320] Call Trace:\n[    2.697324]  \u003cTASK\u003e\n[    2.697325]  dump_stack_lvl+0x76/0xa0\n[    2.697340]  dump_stack+0x10/0x20\n[    2.697342]  __ubsan_handle_shift_out_of_bounds+0x1e3/0x390\n[    2.697351]  bh_get_inode_and_lblk_num.cold+0x12/0x94\n[    2.697359]  fscrypt_set_bio_crypt_ctx_bh+0x44/0x90\n[    2.697365]  submit_bh_wbc+0xb6/0x190\n[    2.697370]  block_read_full_folio+0x194/0x270\n[    2.697371]  ? __pfx_blkdev_get_block+0x10/0x10\n[    2.697375]  ? __pfx_blkdev_read_folio+0x10/0x10\n[    2.697377]  blkdev_read_folio+0x18/0x30\n[    2.697379]  filemap_read_folio+0x40/0xe0\n[    2.697382]  filemap_get_pages+0x5ef/0x7a0\n[    2.697385]  ? mmap_region+0x63/0xd0\n[    2.697389]  filemap_read+0x11d/0x520\n[    2.697392]  blkdev_read_iter+0x7c/0x180\n[    2.697393]  vfs_read+0x261/0x390\n[    2.697397]  ksys_read+0x71/0xf0\n[    2.697398]  __x64_sys_read+0x19/0x30\n[    2.697399]  x64_sys_call+0x1e88/0x26a0\n[    2.697405]  do_syscall_64+0x80/0x670\n[    2.697410]  ? __x64_sys_newfstat+0x15/0x20\n[    2.697414]  ? x64_sys_call+0x204a/0x26a0\n[    2.697415]  ? do_syscall_64+0xb8/0x670\n[    2.697417]  ? irqentry_exit_to_user_mode+0x2e/0x2a0\n[    2.697420]  ? irqentry_exit+0x43/0x50\n[    2.697421]  ? exc_page_fault+0x90/0x1b0\n[    2.697422]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[    2.697425] RIP: 0033:0x75054cba4a06\n[    2.697426] Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 \u003c48\u003e 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08\n[    2.697427] RSP: 002b:00007fff973723a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000\n[    2.697430] RAX: ffffffffffffffda RBX: 00005ea9a2c02760 RCX: 000075054cba4a06\n[    2.697432] RDX: 0000000000002000 RSI: 000075054c190000 RDI: 000000000000001b\n[    2.697433] RBP: 00007fff973723c0 R08: 0000000000000000 R09: 0000000000000000\n[    2.697434] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\n[    2.697434] R13: 00005ea9a2c027c0 R14: 00005ea9a2be5608 R15: 00005ea9a2be55f0\n[    2.697436]  \u003c/TASK\u003e\n[    2.697436] ---[ end trace ]---\n\nThis situation can happen for block devices because when\nCONFIG_TRANSPARENT_HUGEPAGE is enabled, the maximum logical_block_size\nis 64 KiB. set_init_blocksize() then sets the block device\ninode-\u003ei_blkbits to 13, which is within this limit.\n\nFile I/O does not trigger this problem because for filesystems that do\nnot support the FS_LBS feature, sb_set_blocksize() prevents\nsb-\u003es_blocksize_bits from being larger than PAGE_SHIFT. During inode\nallocation, alloc_inode()-\u003einode_init_always() assigns inode-\u003ei_blkbits\nfrom sb-\u003es_blocksize_bits. Currently, only xfs_fs_type has the FS_LBS\nflag, and since xfs I/O paths do not reach submit_bh_wbc(), it does not\nhit the left-shift underflow issue.\n\n[EB: use folio_pos() and consolidate the two shifts by i_blkbits]","modified":"2026-04-02T12:48:21.423222Z","published":"2025-12-08T00:46:18.950Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40295.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1e39da974ce621ed874c6d3aaf65ad14848c9f0d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dde026c5d2a5870f97924d5b512adf2b93fb7153"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40295.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40295"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"47dd67532303803a87f43195e088b3b4bcf0454d"},{"fixed":"dde026c5d2a5870f97924d5b512adf2b93fb7153"},{"fixed":"1e39da974ce621ed874c6d3aaf65ad14848c9f0d"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40295.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.15.0"},{"fixed":"6.17.8"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40295.json"}}],"schema_version":"1.7.5"}