Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-21754

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/02/2025
Last modified:
28/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix assertion failure when splitting ordered extent after transaction abort<br /> <br /> If while we are doing a direct IO write a transaction abort happens, we<br /> mark all existing ordered extents with the BTRFS_ORDERED_IOERR flag (done<br /> at btrfs_destroy_ordered_extents()), and then after that if we enter<br /> btrfs_split_ordered_extent() and the ordered extent has bytes left<br /> (meaning we have a bio that doesn&amp;#39;t cover the whole ordered extent, see<br /> details at btrfs_extract_ordered_extent()), we will fail on the following<br /> assertion at btrfs_split_ordered_extent():<br /> <br /> ASSERT(!(flags &amp; ~BTRFS_ORDERED_TYPE_FLAGS));<br /> <br /> because the BTRFS_ORDERED_IOERR flag is set and the definition of<br /> BTRFS_ORDERED_TYPE_FLAGS is just the union of all flags that identify the<br /> type of write (regular, nocow, prealloc, compressed, direct IO, encoded).<br /> <br /> Fix this by returning an error from btrfs_extract_ordered_extent() if we<br /> find the BTRFS_ORDERED_IOERR flag in the ordered extent. The error will<br /> be the error that resulted in the transaction abort or -EIO if no<br /> transaction abort happened.<br /> <br /> This was recently reported by syzbot with the following trace:<br /> <br /> FAULT_INJECTION: forcing a failure.<br /> name failslab, interval 1, probability 0, space 0, times 1<br /> CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted 6.13.0-rc5-syzkaller #0<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:94 [inline]<br /> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120<br /> fail_dump lib/fault-inject.c:53 [inline]<br /> should_fail_ex+0x3b0/0x4e0 lib/fault-inject.c:154<br /> should_failslab+0xac/0x100 mm/failslab.c:46<br /> slab_pre_alloc_hook mm/slub.c:4072 [inline]<br /> slab_alloc_node mm/slub.c:4148 [inline]<br /> __do_kmalloc_node mm/slub.c:4297 [inline]<br /> __kmalloc_noprof+0xdd/0x4c0 mm/slub.c:4310<br /> kmalloc_noprof include/linux/slab.h:905 [inline]<br /> kzalloc_noprof include/linux/slab.h:1037 [inline]<br /> btrfs_chunk_alloc_add_chunk_item+0x244/0x1100 fs/btrfs/volumes.c:5742<br /> reserve_chunk_space+0x1ca/0x2c0 fs/btrfs/block-group.c:4292<br /> check_system_chunk fs/btrfs/block-group.c:4319 [inline]<br /> do_chunk_alloc fs/btrfs/block-group.c:3891 [inline]<br /> btrfs_chunk_alloc+0x77b/0xf80 fs/btrfs/block-group.c:4187<br /> find_free_extent_update_loop fs/btrfs/extent-tree.c:4166 [inline]<br /> find_free_extent+0x42d1/0x5810 fs/btrfs/extent-tree.c:4579<br /> btrfs_reserve_extent+0x422/0x810 fs/btrfs/extent-tree.c:4672<br /> btrfs_new_extent_direct fs/btrfs/direct-io.c:186 [inline]<br /> btrfs_get_blocks_direct_write+0x706/0xfa0 fs/btrfs/direct-io.c:321<br /> btrfs_dio_iomap_begin+0xbb7/0x1180 fs/btrfs/direct-io.c:525<br /> iomap_iter+0x697/0xf60 fs/iomap/iter.c:90<br /> __iomap_dio_rw+0xeb9/0x25b0 fs/iomap/direct-io.c:702<br /> btrfs_dio_write fs/btrfs/direct-io.c:775 [inline]<br /> btrfs_direct_write+0x610/0xa30 fs/btrfs/direct-io.c:880<br /> btrfs_do_write_iter+0x2a0/0x760 fs/btrfs/file.c:1397<br /> do_iter_readv_writev+0x600/0x880<br /> vfs_writev+0x376/0xba0 fs/read_write.c:1050<br /> do_pwritev fs/read_write.c:1146 [inline]<br /> __do_sys_pwritev2 fs/read_write.c:1204 [inline]<br /> __se_sys_pwritev2+0x196/0x2b0 fs/read_write.c:1195<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7f1281f85d29<br /> RSP: 002b:00007f12819fe038 EFLAGS: 00000246 ORIG_RAX: 0000000000000148<br /> RAX: ffffffffffffffda RBX: 00007f1282176080 RCX: 00007f1281f85d29<br /> RDX: 0000000000000001 RSI: 0000000020000240 RDI: 0000000000000005<br /> RBP: 00007f12819fe090 R08: 0000000000000000 R09: 0000000000000003<br /> R10: 0000000000007000 R11: 0000000000000246 R12: 0000000000000002<br /> R13: 0000000000000000 R14: 00007f1282176080 R15: 00007ffcb9e23328<br /> <br /> BTRFS error (device loop0 state A): Transaction aborted (error -12)<br /> BTRFS: error (device loop0 state A<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.5 (including) 6.6.78 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.13.3 (excluding)
cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools