CVE-2025-38503

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix assertion when building free space tree<br /> <br /> When building the free space tree with the block group tree feature<br /> enabled, we can hit an assertion failure like this:<br /> <br /> BTRFS info (device loop0 state M): rebuilding free space tree<br /> assertion failed: ret == 0, in fs/btrfs/free-space-tree.c:1102<br /> ------------[ cut here ]------------<br /> kernel BUG at fs/btrfs/free-space-tree.c:1102!<br /> Internal error: Oops - BUG: 00000000f2000800 [#1] SMP<br /> Modules linked in:<br /> CPU: 1 UID: 0 PID: 6592 Comm: syz-executor322 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025<br /> pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102<br /> lr : populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102<br /> sp : ffff8000a4ce7600<br /> x29: ffff8000a4ce76e0 x28: ffff0000c9bc6000 x27: ffff0000ddfff3d8<br /> x26: ffff0000ddfff378 x25: dfff800000000000 x24: 0000000000000001<br /> x23: ffff8000a4ce7660 x22: ffff70001499cecc x21: ffff0000e1d8c160<br /> x20: ffff0000e1cb7800 x19: ffff0000e1d8c0b0 x18: 00000000ffffffff<br /> x17: ffff800092f39000 x16: ffff80008ad27e48 x15: ffff700011e740c0<br /> x14: 1ffff00011e740c0 x13: 0000000000000004 x12: ffffffffffffffff<br /> x11: ffff700011e740c0 x10: 0000000000ff0100 x9 : 94ef24f55d2dbc00<br /> x8 : 94ef24f55d2dbc00 x7 : 0000000000000001 x6 : 0000000000000001<br /> x5 : ffff8000a4ce6f98 x4 : ffff80008f415ba0 x3 : ffff800080548ef0<br /> x2 : 0000000000000000 x1 : 0000000100000000 x0 : 000000000000003e<br /> Call trace:<br /> populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102 (P)<br /> btrfs_rebuild_free_space_tree+0x14c/0x54c fs/btrfs/free-space-tree.c:1337<br /> btrfs_start_pre_rw_mount+0xa78/0xe10 fs/btrfs/disk-io.c:3074<br /> btrfs_remount_rw fs/btrfs/super.c:1319 [inline]<br /> btrfs_reconfigure+0x828/0x2418 fs/btrfs/super.c:1543<br /> reconfigure_super+0x1d4/0x6f0 fs/super.c:1083<br /> do_remount fs/namespace.c:3365 [inline]<br /> path_mount+0xb34/0xde0 fs/namespace.c:4200<br /> do_mount fs/namespace.c:4221 [inline]<br /> __do_sys_mount fs/namespace.c:4432 [inline]<br /> __se_sys_mount fs/namespace.c:4409 [inline]<br /> __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4409<br /> __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]<br /> invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49<br /> el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132<br /> do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151<br /> el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767<br /> el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786<br /> el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600<br /> Code: f0047182 91178042 528089c3 9771d47b (d4210000)<br /> ---[ end trace 0000000000000000 ]---<br /> <br /> This happens because we are processing an empty block group, which has<br /> no extents allocated from it, there are no items for this block group,<br /> including the block group item since block group items are stored in a<br /> dedicated tree when using the block group tree feature. It also means<br /> this is the block group with the highest start offset, so there are no<br /> higher keys in the extent root, hence btrfs_search_slot_for_read()<br /> returns 1 (no higher key found).<br /> <br /> Fix this by asserting &amp;#39;ret&amp;#39; is 0 only if the block group tree feature<br /> is not enabled, in which case we should find a block group item for<br /> the block group since it&amp;#39;s stored in the extent root and block group<br /> item keys are greater than extent item keys (the value for<br /> BTRFS_BLOCK_GROUP_ITEM_KEY is 192 and for BTRFS_EXTENT_ITEM_KEY and<br /> BTRFS_METADATA_ITEM_KEY the values are 168 and 169 respectively).<br /> In case &amp;#39;ret&amp;#39; is 1, we just need to add a record to the free space<br /> tree which spans the whole block group, and we can achieve this by<br /> making &amp;#39;ret == 0&amp;#39; as the while loop&amp;#39;s condition.