CVE-2025-38034
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
18/06/2025
Last modified:
18/06/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref<br />
<br />
btrfs_prelim_ref() calls the old and new reference variables in the<br />
incorrect order. This causes a NULL pointer dereference because oldref<br />
is passed as NULL to trace_btrfs_prelim_ref_insert().<br />
<br />
Note, trace_btrfs_prelim_ref_insert() is being called with newref as<br />
oldref (and oldref as NULL) on purpose in order to print out<br />
the values of newref.<br />
<br />
To reproduce:<br />
echo 1 > /sys/kernel/debug/tracing/events/btrfs/btrfs_prelim_ref_insert/enable<br />
<br />
Perform some writeback operations.<br />
<br />
Backtrace:<br />
BUG: kernel NULL pointer dereference, address: 0000000000000018<br />
#PF: supervisor read access in kernel mode<br />
#PF: error_code(0x0000) - not-present page<br />
PGD 115949067 P4D 115949067 PUD 11594a067 PMD 0<br />
Oops: Oops: 0000 [#1] SMP NOPTI<br />
CPU: 1 UID: 0 PID: 1188 Comm: fsstress Not tainted 6.15.0-rc2-tester+ #47 PREEMPT(voluntary) 7ca2cef72d5e9c600f0c7718adb6462de8149622<br />
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014<br />
RIP: 0010:trace_event_raw_event_btrfs__prelim_ref+0x72/0x130<br />
Code: e8 43 81 9f ff 48 85 c0 74 78 4d 85 e4 0f 84 8f 00 00 00 49 8b 94 24 c0 06 00 00 48 8b 0a 48 89 48 08 48 8b 52 08 48 89 50 10 8b 55 18 48 89 50 18 49 8b 55 20 48 89 50 20 41 0f b6 55 28 88<br />
RSP: 0018:ffffce44820077a0 EFLAGS: 00010286<br />
RAX: ffff8c6b403f9014 RBX: ffff8c6b55825730 RCX: 304994edf9cf506b<br />
RDX: d8b11eb7f0fdb699 RSI: ffff8c6b403f9010 RDI: ffff8c6b403f9010<br />
RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000010<br />
R10: 00000000ffffffff R11: 0000000000000000 R12: ffff8c6b4e8fb000<br />
R13: 0000000000000000 R14: ffffce44820077a8 R15: ffff8c6b4abd1540<br />
FS: 00007f4dc6813740(0000) GS:ffff8c6c1d378000(0000) knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: 0000000000000018 CR3: 000000010eb42000 CR4: 0000000000750ef0<br />
PKRU: 55555554<br />
Call Trace:<br />
<br />
prelim_ref_insert+0x1c1/0x270<br />
find_parent_nodes+0x12a6/0x1ee0<br />
? __entry_text_end+0x101f06/0x101f09<br />
? srso_alias_return_thunk+0x5/0xfbef5<br />
? srso_alias_return_thunk+0x5/0xfbef5<br />
? srso_alias_return_thunk+0x5/0xfbef5<br />
? srso_alias_return_thunk+0x5/0xfbef5<br />
btrfs_is_data_extent_shared+0x167/0x640<br />
? fiemap_process_hole+0xd0/0x2c0<br />
extent_fiemap+0xa5c/0xbc0<br />
? __entry_text_end+0x101f05/0x101f09<br />
btrfs_fiemap+0x7e/0xd0<br />
do_vfs_ioctl+0x425/0x9d0<br />
__x64_sys_ioctl+0x75/0xc0
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0528bba48dce7820d2da72e1a114e1c4552367eb
- https://git.kernel.org/stable/c/137bfa08c6441f324d00692d1e9d22cfd773329b
- https://git.kernel.org/stable/c/5755b6731655e248c4f1d52a2e1b18795b4a2a3a
- https://git.kernel.org/stable/c/7a97f961a568a8f72472dc804af02a0f73152c5f
- https://git.kernel.org/stable/c/7f7c8c03feba5f2454792fab3bb8bd45bd6883f9
- https://git.kernel.org/stable/c/a641154cedf9d69730f8af5d0a901fe86e6486bd
- https://git.kernel.org/stable/c/a876703894a6dd6e8c04b0635d86e9f7a7c81b79
- https://git.kernel.org/stable/c/bc7e0975093567f51be8e1bdf4aa5900a3cf0b1e