CVE-2025-21752
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/02/2025
Last modified:
27/02/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
btrfs: don&#39;t use btrfs_set_item_key_safe on RAID stripe-extents<br />
<br />
Don&#39;t use btrfs_set_item_key_safe() to modify the keys in the RAID<br />
stripe-tree, as this can lead to corruption of the tree, which is caught<br />
by the checks in btrfs_set_item_key_safe():<br />
<br />
BTRFS info (device nvme1n1): leaf 49168384 gen 15 total ptrs 194 free space 8329 owner 12<br />
BTRFS info (device nvme1n1): refs 2 lock_owner 1030 current 1030<br />
[ snip ]<br />
item 105 key (354549760 230 20480) itemoff 14587 itemsize 16<br />
stride 0 devid 5 physical 67502080<br />
item 106 key (354631680 230 4096) itemoff 14571 itemsize 16<br />
stride 0 devid 1 physical 88559616<br />
item 107 key (354631680 230 32768) itemoff 14555 itemsize 16<br />
stride 0 devid 1 physical 88555520<br />
item 108 key (354717696 230 28672) itemoff 14539 itemsize 16<br />
stride 0 devid 2 physical 67604480<br />
[ snip ]<br />
BTRFS critical (device nvme1n1): slot 106 key (354631680 230 32768) new key (354635776 230 4096)<br />
------------[ cut here ]------------<br />
kernel BUG at fs/btrfs/ctree.c:2602!<br />
Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI<br />
CPU: 1 UID: 0 PID: 1055 Comm: fsstress Not tainted 6.13.0-rc1+ #1464<br />
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014<br />
RIP: 0010:btrfs_set_item_key_safe+0xf7/0x270<br />
Code: <br />
RSP: 0018:ffffc90001337ab0 EFLAGS: 00010287<br />
RAX: 0000000000000000 RBX: ffff8881115fd000 RCX: 0000000000000000<br />
RDX: 0000000000000001 RSI: 0000000000000001 RDI: 00000000ffffffff<br />
RBP: ffff888110ed6f50 R08: 00000000ffffefff R09: ffffffff8244c500<br />
R10: 00000000ffffefff R11: 00000000ffffffff R12: ffff888100586000<br />
R13: 00000000000000c9 R14: ffffc90001337b1f R15: ffff888110f23b58<br />
FS: 00007f7d75c72740(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: 00007fa811652c60 CR3: 0000000111398001 CR4: 0000000000370eb0<br />
Call Trace:<br />
<br />
? __die_body.cold+0x14/0x1a<br />
? die+0x2e/0x50<br />
? do_trap+0xca/0x110<br />
? do_error_trap+0x65/0x80<br />
? btrfs_set_item_key_safe+0xf7/0x270<br />
? exc_invalid_op+0x50/0x70<br />
? btrfs_set_item_key_safe+0xf7/0x270<br />
? asm_exc_invalid_op+0x1a/0x20<br />
? btrfs_set_item_key_safe+0xf7/0x270<br />
btrfs_partially_delete_raid_extent+0xc4/0xe0<br />
btrfs_delete_raid_extent+0x227/0x240<br />
__btrfs_free_extent.isra.0+0x57f/0x9c0<br />
? exc_coproc_segment_overrun+0x40/0x40<br />
__btrfs_run_delayed_refs+0x2fa/0xe80<br />
btrfs_run_delayed_refs+0x81/0xe0<br />
btrfs_commit_transaction+0x2dd/0xbe0<br />
? preempt_count_add+0x52/0xb0<br />
btrfs_sync_file+0x375/0x4c0<br />
do_fsync+0x39/0x70<br />
__x64_sys_fsync+0x13/0x20<br />
do_syscall_64+0x54/0x110<br />
entry_SYSCALL_64_after_hwframe+0x76/0x7e<br />
RIP: 0033:0x7f7d7550ef90<br />
Code: <br />
RSP: 002b:00007ffd70237248 EFLAGS: 00000202 ORIG_RAX: 000000000000004a<br />
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f7d7550ef90<br />
RDX: 000000000000013a RSI: 000000000040eb28 RDI: 0000000000000004<br />
RBP: 000000000000001b R08: 0000000000000078 R09: 00007ffd7023725c<br />
R10: 00007f7d75400390 R11: 0000000000000202 R12: 028f5c28f5c28f5c<br />
R13: 8f5c28f5c28f5c29 R14: 000000000040b520 R15: 00007f7d75c726c8<br />
<br />
<br />
While the root cause of the tree order corruption isn&#39;t clear, using<br />
btrfs_duplicate_item() to copy the item and then adjusting both the key<br />
and the per-device physical addresses is a safe way to counter this<br />
problem.