CVE-2025-21752

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: don&amp;#39;t use btrfs_set_item_key_safe on RAID stripe-extents<br /> <br /> Don&amp;#39;t use btrfs_set_item_key_safe() to modify the keys in the RAID<br /> stripe-tree, as this can lead to corruption of the tree, which is caught<br /> by the checks in btrfs_set_item_key_safe():<br /> <br /> BTRFS info (device nvme1n1): leaf 49168384 gen 15 total ptrs 194 free space 8329 owner 12<br /> BTRFS info (device nvme1n1): refs 2 lock_owner 1030 current 1030<br /> [ snip ]<br /> item 105 key (354549760 230 20480) itemoff 14587 itemsize 16<br /> stride 0 devid 5 physical 67502080<br /> item 106 key (354631680 230 4096) itemoff 14571 itemsize 16<br /> stride 0 devid 1 physical 88559616<br /> item 107 key (354631680 230 32768) itemoff 14555 itemsize 16<br /> stride 0 devid 1 physical 88555520<br /> item 108 key (354717696 230 28672) itemoff 14539 itemsize 16<br /> stride 0 devid 2 physical 67604480<br /> [ snip ]<br /> BTRFS critical (device nvme1n1): slot 106 key (354631680 230 32768) new key (354635776 230 4096)<br /> ------------[ cut here ]------------<br /> kernel BUG at fs/btrfs/ctree.c:2602!<br /> Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI<br /> CPU: 1 UID: 0 PID: 1055 Comm: fsstress Not tainted 6.13.0-rc1+ #1464<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014<br /> RIP: 0010:btrfs_set_item_key_safe+0xf7/0x270<br /> Code: <br /> RSP: 0018:ffffc90001337ab0 EFLAGS: 00010287<br /> RAX: 0000000000000000 RBX: ffff8881115fd000 RCX: 0000000000000000<br /> RDX: 0000000000000001 RSI: 0000000000000001 RDI: 00000000ffffffff<br /> RBP: ffff888110ed6f50 R08: 00000000ffffefff R09: ffffffff8244c500<br /> R10: 00000000ffffefff R11: 00000000ffffffff R12: ffff888100586000<br /> R13: 00000000000000c9 R14: ffffc90001337b1f R15: ffff888110f23b58<br /> FS: 00007f7d75c72740(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007fa811652c60 CR3: 0000000111398001 CR4: 0000000000370eb0<br /> Call Trace:<br /> <br /> ? __die_body.cold+0x14/0x1a<br /> ? die+0x2e/0x50<br /> ? do_trap+0xca/0x110<br /> ? do_error_trap+0x65/0x80<br /> ? btrfs_set_item_key_safe+0xf7/0x270<br /> ? exc_invalid_op+0x50/0x70<br /> ? btrfs_set_item_key_safe+0xf7/0x270<br /> ? asm_exc_invalid_op+0x1a/0x20<br /> ? btrfs_set_item_key_safe+0xf7/0x270<br /> btrfs_partially_delete_raid_extent+0xc4/0xe0<br /> btrfs_delete_raid_extent+0x227/0x240<br /> __btrfs_free_extent.isra.0+0x57f/0x9c0<br /> ? exc_coproc_segment_overrun+0x40/0x40<br /> __btrfs_run_delayed_refs+0x2fa/0xe80<br /> btrfs_run_delayed_refs+0x81/0xe0<br /> btrfs_commit_transaction+0x2dd/0xbe0<br /> ? preempt_count_add+0x52/0xb0<br /> btrfs_sync_file+0x375/0x4c0<br /> do_fsync+0x39/0x70<br /> __x64_sys_fsync+0x13/0x20<br /> do_syscall_64+0x54/0x110<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> RIP: 0033:0x7f7d7550ef90<br /> Code: <br /> RSP: 002b:00007ffd70237248 EFLAGS: 00000202 ORIG_RAX: 000000000000004a<br /> RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f7d7550ef90<br /> RDX: 000000000000013a RSI: 000000000040eb28 RDI: 0000000000000004<br /> RBP: 000000000000001b R08: 0000000000000078 R09: 00007ffd7023725c<br /> R10: 00007f7d75400390 R11: 0000000000000202 R12: 028f5c28f5c28f5c<br /> R13: 8f5c28f5c28f5c29 R14: 000000000040b520 R15: 00007f7d75c726c8<br /> <br /> <br /> While the root cause of the tree order corruption isn&amp;#39;t clear, using<br /> btrfs_duplicate_item() to copy the item and then adjusting both the key<br /> and the per-device physical addresses is a safe way to counter this<br /> problem.