ghsa-2jfj-pqmf-3wq3
Vulnerability from github
Published
2025-05-08 09:30
Modified
2025-05-08 09:30
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: zoned: return EIO on RAID1 block group write pointer mismatch

There was a bug report about a NULL pointer dereference in __btrfs_add_free_space_zoned() that ultimately happens because a conversion from the default metadata profile DUP to a RAID1 profile on two disks.

The stack trace has the following signature:

BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile BUG: kernel NULL pointer dereference, address: 0000000000000058 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:__btrfs_add_free_space_zoned.isra.0+0x61/0x1a0 RSP: 0018:ffffa236b6f3f6d0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff96c8132f3400 RCX: 0000000000000001 RDX: 0000000010000000 RSI: 0000000000000000 RDI: ffff96c8132f3410 RBP: 0000000010000000 R08: 0000000000000003 R09: 0000000000000000 R10: 0000000000000000 R11: 00000000ffffffff R12: 0000000000000000 R13: ffff96c758f65a40 R14: 0000000000000001 R15: 000011aac0000000 FS: 00007fdab1cb2900(0000) GS:ffff96e60ca00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000058 CR3: 00000001a05ae000 CR4: 0000000000350ef0 Call Trace: ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15c/0x2f0 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? __btrfs_add_free_space_zoned.isra.0+0x61/0x1a0 btrfs_add_free_space_async_trimmed+0x34/0x40 btrfs_add_new_free_space+0x107/0x120 btrfs_make_block_group+0x104/0x2b0 btrfs_create_chunk+0x977/0xf20 btrfs_chunk_alloc+0x174/0x510 ? srso_return_thunk+0x5/0x5f btrfs_inc_block_group_ro+0x1b1/0x230 btrfs_relocate_block_group+0x9e/0x410 btrfs_relocate_chunk+0x3f/0x130 btrfs_balance+0x8ac/0x12b0 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? __kmalloc_cache_noprof+0x14c/0x3e0 btrfs_ioctl+0x2686/0x2a80 ? srso_return_thunk+0x5/0x5f ? ioctl_has_perm.constprop.0.isra.0+0xd2/0x120 __x64_sys_ioctl+0x97/0xc0 do_syscall_64+0x82/0x160 ? srso_return_thunk+0x5/0x5f ? __memcg_slab_free_hook+0x11a/0x170 ? srso_return_thunk+0x5/0x5f ? kmem_cache_free+0x3f0/0x450 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? syscall_exit_to_user_mode+0x10/0x210 ? srso_return_thunk+0x5/0x5f ? do_syscall_64+0x8e/0x160 ? sysfs_emit+0xaf/0xc0 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? seq_read_iter+0x207/0x460 ? srso_return_thunk+0x5/0x5f ? vfs_read+0x29c/0x370 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? syscall_exit_to_user_mode+0x10/0x210 ? srso_return_thunk+0x5/0x5f ? do_syscall_64+0x8e/0x160 ? srso_return_thunk+0x5/0x5f ? exc_page_fault+0x7e/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fdab1e0ca6d RSP: 002b:00007ffeb2b60c80 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdab1e0ca6d RDX: 00007ffeb2b60d80 RSI: 00000000c4009420 RDI: 0000000000000003 RBP: 00007ffeb2b60cd0 R08: 0000000000000000 R09: 0000000000000013 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffeb2b6343b R14: 00007ffeb2b60d80 R15: 0000000000000001 CR2: 0000000000000058 ---[ end trace 0000000000000000 ]---

The 1st line is the most interesting here:

BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile

When a RAID1 block-group is created and a write pointer mismatch between the disks in the RAID set is detected, btrfs sets the alloc_offset to the length of the block group marking it as full. Afterwards the code expects that a balance operation will evacuate the data in this block-group and repair the problems.

But before this is possible, the new space of this block-group will be accounted in the free space cache. But in __btrfs_ ---truncated---

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-37827"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-08T07:15:53Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: return EIO on RAID1 block group write pointer mismatch\n\nThere was a bug report about a NULL pointer dereference in\n__btrfs_add_free_space_zoned() that ultimately happens because a\nconversion from the default metadata profile DUP to a RAID1 profile on two\ndisks.\n\nThe stack trace has the following signature:\n\n  BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile\n  BUG: kernel NULL pointer dereference, address: 0000000000000058\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n  RIP: 0010:__btrfs_add_free_space_zoned.isra.0+0x61/0x1a0\n  RSP: 0018:ffffa236b6f3f6d0 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: ffff96c8132f3400 RCX: 0000000000000001\n  RDX: 0000000010000000 RSI: 0000000000000000 RDI: ffff96c8132f3410\n  RBP: 0000000010000000 R08: 0000000000000003 R09: 0000000000000000\n  R10: 0000000000000000 R11: 00000000ffffffff R12: 0000000000000000\n  R13: ffff96c758f65a40 R14: 0000000000000001 R15: 000011aac0000000\n  FS: 00007fdab1cb2900(0000) GS:ffff96e60ca00000(0000) knlGS:0000000000000000\n  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000000000058 CR3: 00000001a05ae000 CR4: 0000000000350ef0\n  Call Trace:\n  \u003cTASK\u003e\n  ? __die_body.cold+0x19/0x27\n  ? page_fault_oops+0x15c/0x2f0\n  ? exc_page_fault+0x7e/0x180\n  ? asm_exc_page_fault+0x26/0x30\n  ? __btrfs_add_free_space_zoned.isra.0+0x61/0x1a0\n  btrfs_add_free_space_async_trimmed+0x34/0x40\n  btrfs_add_new_free_space+0x107/0x120\n  btrfs_make_block_group+0x104/0x2b0\n  btrfs_create_chunk+0x977/0xf20\n  btrfs_chunk_alloc+0x174/0x510\n  ? srso_return_thunk+0x5/0x5f\n  btrfs_inc_block_group_ro+0x1b1/0x230\n  btrfs_relocate_block_group+0x9e/0x410\n  btrfs_relocate_chunk+0x3f/0x130\n  btrfs_balance+0x8ac/0x12b0\n  ? srso_return_thunk+0x5/0x5f\n  ? srso_return_thunk+0x5/0x5f\n  ? __kmalloc_cache_noprof+0x14c/0x3e0\n  btrfs_ioctl+0x2686/0x2a80\n  ? srso_return_thunk+0x5/0x5f\n  ? ioctl_has_perm.constprop.0.isra.0+0xd2/0x120\n  __x64_sys_ioctl+0x97/0xc0\n  do_syscall_64+0x82/0x160\n  ? srso_return_thunk+0x5/0x5f\n  ? __memcg_slab_free_hook+0x11a/0x170\n  ? srso_return_thunk+0x5/0x5f\n  ? kmem_cache_free+0x3f0/0x450\n  ? srso_return_thunk+0x5/0x5f\n  ? srso_return_thunk+0x5/0x5f\n  ? syscall_exit_to_user_mode+0x10/0x210\n  ? srso_return_thunk+0x5/0x5f\n  ? do_syscall_64+0x8e/0x160\n  ? sysfs_emit+0xaf/0xc0\n  ? srso_return_thunk+0x5/0x5f\n  ? srso_return_thunk+0x5/0x5f\n  ? seq_read_iter+0x207/0x460\n  ? srso_return_thunk+0x5/0x5f\n  ? vfs_read+0x29c/0x370\n  ? srso_return_thunk+0x5/0x5f\n  ? srso_return_thunk+0x5/0x5f\n  ? syscall_exit_to_user_mode+0x10/0x210\n  ? srso_return_thunk+0x5/0x5f\n  ? do_syscall_64+0x8e/0x160\n  ? srso_return_thunk+0x5/0x5f\n  ? exc_page_fault+0x7e/0x180\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7fdab1e0ca6d\n  RSP: 002b:00007ffeb2b60c80 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdab1e0ca6d\n  RDX: 00007ffeb2b60d80 RSI: 00000000c4009420 RDI: 0000000000000003\n  RBP: 00007ffeb2b60cd0 R08: 0000000000000000 R09: 0000000000000013\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 00007ffeb2b6343b R14: 00007ffeb2b60d80 R15: 0000000000000001\n  \u003c/TASK\u003e\n  CR2: 0000000000000058\n  ---[ end trace 0000000000000000 ]---\n\nThe 1st line is the most interesting here:\n\n BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile\n\nWhen a RAID1 block-group is created and a write pointer mismatch between\nthe disks in the RAID set is detected, btrfs sets the alloc_offset to the\nlength of the block group marking it as full. Afterwards the code expects\nthat a balance operation will evacuate the data in this block-group and\nrepair the problems.\n\nBut before this is possible, the new space of this block-group will be\naccounted in the free space cache. But in __btrfs_\n---truncated---",
  "id": "GHSA-2jfj-pqmf-3wq3",
  "modified": "2025-05-08T09:30:25Z",
  "published": "2025-05-08T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37827"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9a447f748f6c7287dad68fa91913cd382fa0fcc8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b0c26f47992672661340dd6ea931240213016609"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f4717a02cc422cf4bb2dbb280b154a1ae65c5f84"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.