CVE-2025-38059

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: avoid NULL pointer dereference if no valid csum tree<br /> <br /> [BUG]<br /> When trying read-only scrub on a btrfs with rescue=idatacsums mount<br /> option, it will crash with the following call trace:<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000208<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> CPU: 1 UID: 0 PID: 835 Comm: btrfs Tainted: G O 6.15.0-rc3-custom+ #236 PREEMPT(full)<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022<br /> RIP: 0010:btrfs_lookup_csums_bitmap+0x49/0x480 [btrfs]<br /> Call Trace:<br /> <br /> scrub_find_fill_first_stripe+0x35b/0x3d0 [btrfs]<br /> scrub_simple_mirror+0x175/0x290 [btrfs]<br /> scrub_stripe+0x5f7/0x6f0 [btrfs]<br /> scrub_chunk+0x9a/0x150 [btrfs]<br /> scrub_enumerate_chunks+0x333/0x660 [btrfs]<br /> btrfs_scrub_dev+0x23e/0x600 [btrfs]<br /> btrfs_ioctl+0x1dcf/0x2f80 [btrfs]<br /> __x64_sys_ioctl+0x97/0xc0<br /> do_syscall_64+0x4f/0x120<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> [CAUSE]<br /> Mount option "rescue=idatacsums" will completely skip loading the csum<br /> tree, so that any data read will not find any data csum thus we will<br /> ignore data checksum verification.<br /> <br /> Normally call sites utilizing csum tree will check the fs state flag<br /> NO_DATA_CSUMS bit, but unfortunately scrub does not check that bit at all.<br /> <br /> This results in scrub to call btrfs_search_slot() on a NULL pointer<br /> and triggered above crash.<br /> <br /> [FIX]<br /> Check both extent and csum tree root before doing any tree search.