CVE-2025-38260

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
09/07/2025
Last modified:
10/07/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: handle csum tree error with rescue=ibadroots correctly

[BUG]
There is a syzbot-based reproducer that can crash the kernel, with the
following call trace (with some debug output added):

    DEBUG: rescue=ibadroots parsed
    BTRFS: device fsid 14d642db-7b15-43e4-81e6-4b8fac6a25f8 devid 1 transid 8 /dev/loop0 (7:0) scanned by repro (1010)
    BTRFS info (device loop0): first mount of filesystem 14d642db-7b15-43e4-81e6-4b8fac6a25f8
    BTRFS info (device loop0): using blake2b (blake2b-256-generic) checksum algorithm
    BTRFS info (device loop0): using free-space-tree
    BTRFS warning (device loop0): checksum verify failed on logical 5312512 mirror 1 wanted 0xb043382657aede36608fd3386d6b001692ff406164733d94e2d9a180412c6003 found 0x810ceb2bacb7f0f9eb2bf3b2b15c02af867cb35ad450898169f3b1f0bd818651 level 0
    DEBUG: read tree root path failed for tree csum, ret=-5
    BTRFS warning (device loop0): checksum verify failed on logical 5328896 mirror 1 wanted 0x51be4e8b303da58e6340226815b70e3a93592dac3f30dd510c7517454de8567a found 0x51be4e8b303da58e634022a315b70e3a93592dac3f30dd510c7517454de8567a level 0
    BTRFS warning (device loop0): checksum verify failed on logical 5292032 mirror 1 wanted 0x1924ccd683be9efc2fa98582ef58760e3848e9043db8649ee382681e220cdee4 found 0x0cb6184f6e8799d9f8cb335dccd1d1832da1071d12290dab3b85b587ecacca6e level 0
    process 'repro' launched './file2' with NULL argv: empty string added
    DEBUG: no csum root, idatacsums=0 ibadroots=134217728
    Oops: general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] SMP KASAN NOPTI
    KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f]
    CPU: 5 UID: 0 PID: 1010 Comm: repro Tainted: G OE 6.15.0-custom+ #249 PREEMPT(full)
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022
    RIP: 0010:btrfs_lookup_csum+0x93/0x3d0 [btrfs]
    Call Trace:

     btrfs_lookup_bio_sums+0x47a/0xdf0 [btrfs]
     btrfs_submit_bbio+0x43e/0x1a80 [btrfs]
     submit_one_bio+0xde/0x160 [btrfs]
     btrfs_readahead+0x498/0x6a0 [btrfs]
     read_pages+0x1c3/0xb20
     page_cache_ra_order+0x4b5/0xc20
     filemap_get_pages+0x2d3/0x19e0
     filemap_read+0x314/0xde0
     __kernel_read+0x35b/0x900
     bprm_execve+0x62e/0x1140
     do_execveat_common.isra.0+0x3fc/0x520
     __x64_sys_execveat+0xdc/0x130
     do_syscall_64+0x54/0x1d0
     entry_SYSCALL_64_after_hwframe+0x76/0x7e
    ---[ end trace 0000000000000000 ]---

[CAUSE]
Firstly, the fs has a corrupted csum tree root, thus to mount the fs we
have to use the "ro,rescue=ibadroots" mount option.

Normally with that mount option, a bad csum tree root should set the
BTRFS_FS_STATE_NO_DATA_CSUMS flag, so that any future data read will
ignore csum search.

But in this particular case, we have the following call trace that
caused a NULL csum root, but did not set BTRFS_FS_STATE_NO_DATA_CSUMS:

    load_global_roots_objectid():

        ret = btrfs_search_slot();
        /* Succeeded */
        btrfs_item_key_to_cpu()
        found = true;
        /* We found the root item for csum tree. */
        root = read_tree_root_path();
        if (IS_ERR(root)) {
            if (!btrfs_test_opt(fs_info, IGNOREBADROOTS))
                /*
                 * Since we have rescue=ibadroots mount option,
                 * @ret is still 0.
                 */
                break;
        if (!found || ret) {
            /* @found is true, @ret is 0, error handling for csum
             * tree is skipped.
             */
        }

This means we completely skipped setting BTRFS_FS_STATE_NO_DATA_CSUMS if
the csum tree is corrupted, which results in an unexpected later csum lookup.

[FIX]
If read_tree_root_path() failed, always populate @ret with the error
number.

As at the end of the function, we need @ret to determine if we need to
do the extra error handling for csum tree.
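The control-flow defect above can be shown in a few lines of user-space C. The following is an added model written for this page, not the kernel's code and not part of the fix commit: it keeps the shape of load_global_roots_objectid() (a found root item, read_tree_root_path() failing under rescue=ibadroots, and the "!found || ret" tail that sets the NO_DATA_CSUMS state), then simulates a data read that either skips the csum search or dereferences the missing csum root. The struct, helper names, the `fixed` switch and the -EFAULT sentinel standing in for the Oops are assumptions made for the example; the flag and option names mirror btrfs's BTRFS_FS_STATE_NO_DATA_CSUMS and IGNOREBADROOTS.

```c
/* Constructed model of the btrfs error path from the advisory; not kernel
 * code. Names mirror btrfs, but every struct and helper here is a stand-in. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OPT_IGNOREBADROOTS   (1u << 0)  /* stands in for rescue=ibadroots */
#define STATE_NO_DATA_CSUMS  (1u << 0)  /* stands in for BTRFS_FS_STATE_NO_DATA_CSUMS */

struct fs_info {
    unsigned int opts;
    unsigned int state;
    int *csum_root;          /* NULL when no csum tree root was loaded */
};

/* Minimal ERR_PTR / IS_ERR / PTR_ERR equivalents in the kernel's encoding. */
static void *err_ptr(long err) { return (void *)(intptr_t)err; }
static bool is_err(const void *p) { return (uintptr_t)p >= (uintptr_t)-4095; }
static long ptr_err(const void *p) { return (long)(intptr_t)p; }

/* Simulated read_tree_root_path(): a corrupted root fails checksum verify
 * and is reported as -EIO (the "ret=-5" in the debug output). */
static void *read_tree_root_path(bool corrupt)
{
    static int good_root;
    return corrupt ? err_ptr(-EIO) : &good_root;
}

/* Model of load_global_roots_objectid() for the csum tree, reduced to the
 * single root item the reproducer hits. `fixed` selects the patched line. */
static int load_csum_root(struct fs_info *fs, bool corrupt, bool fixed)
{
    int ret = 0;                     /* btrfs_search_slot() succeeded */
    bool found = true;               /* root item for the csum tree was found */
    bool ignore_bad = fs->opts & OPT_IGNOREBADROOTS;
    void *root = read_tree_root_path(corrupt);

    if (is_err(root)) {
        /* Unpatched: ret is only recorded without rescue=ibadroots, so with
         * that option ret stays 0. Patched: always record the error. */
        if (fixed || !ignore_bad)
            ret = (int)ptr_err(root);
        root = NULL;
    }
    fs->csum_root = root;

    /* Tail of the function: csum-tree error handling runs only when
     * !found || ret. With found == true and ret == 0 it is skipped. */
    if (!found || ret) {
        fs->state |= STATE_NO_DATA_CSUMS;
        ret = ignore_bad ? 0 : (ret ? ret : -ENOENT);
    }
    return ret;
}

/* Simulated data read: the csum search is skipped when NO_DATA_CSUMS is
 * set; otherwise the csum root is used. Returns 0 for a safe read and
 * -EFAULT where the kernel would NULL-dereference in btrfs_lookup_csum(). */
static int read_data(const struct fs_info *fs)
{
    if (fs->state & STATE_NO_DATA_CSUMS)
        return 0;
    if (fs->csum_root == NULL)
        return -EFAULT;
    return 0;
}

/* Mount a filesystem with a corrupted csum tree under ro,rescue=ibadroots,
 * then read from it; returns the mount error or read_data()'s result. */
static int mount_and_read(bool fixed)
{
    struct fs_info fs = { .opts = OPT_IGNOREBADROOTS, .state = 0, .csum_root = NULL };
    int ret = load_csum_root(&fs, true, fixed);
    if (ret)
        return ret;
    return read_data(&fs);
}

int main(void)
{
    printf("unpatched: read returns %d (-EFAULT models the NULL deref)\n", mount_and_read(false));
    printf("patched:   read returns %d (csum lookup skipped)\n", mount_and_read(true));
    return 0;
}
```

Without rescue=ibadroots the mount fails with -EIO in both versions, which is why the crash only surfaces with the rescue option: the option turns a hard mount failure into a partially loaded filesystem, and the state flag is the only thing telling the read path that the csum root is absent.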

Impact