Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: set generation before calling btrfs_clean_tree_block in btrfs_init_new_buffer

syzbot is reporting uninit-value in btrfs_clean_tree_block() [1], for commit bc877d285ca3dba2 ("btrfs: Deduplicate extent_buffer init code") missed that btrfs_set_header_generation() in btrfs_init_new_buffer() must not be moved to after clean_tree_block() because clean_tree_block() is calling btrfs_header_generation() since commit 55c69072d6bd5be1 ("Btrfs: Fix extent_buffer usage when nodesize != leafsize").

Since memzero_extent_buffer() will reset "struct btrfs_header" part, we can't move btrfs_set_header_generation() to before memzero_extent_buffer(). Just re-add btrfs_set_header_generation() before btrfs_clean_tree_block().
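The ordering constraint described above, as an added userspace C model (not kernel code and not part of the original record). The struct layout, the function names, the shadow "written" flag standing in for a KMSAN-style checker, and the call order (clean, then memzero, then set) are assumptions inferred from the description.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model; struct layout and names are assumptions, not kernel code. */
struct header { uint64_t bytenr, generation; uint8_t level; };
struct buffer {
    struct header h;
    bool gen_written;   /* shadow bit: has h.generation been stored to? */
    int uninit_reads;   /* reads a KMSAN-style checker would flag */
};
enum order { REGRESSED, SET_ONLY_BEFORE_MEMZERO, FIXED };
static void set_generation(struct buffer *b, uint64_t gen) {
    b->h.generation = gen;
    b->gen_written = true;
}
static uint64_t get_generation(struct buffer *b) {
    if (!b->gen_written) { b->uninit_reads++; return 0; } /* report, don't read */
    return b->h.generation;
}
static void memzero_header(struct buffer *b) {
    memset(&b->h, 0, sizeof(b->h));  /* wipes any generation stored earlier */
    b->gen_written = true;           /* zeroed memory counts as initialized */
}
/* Stand-in for clean_tree_block(): it consults the header generation. */
static bool clean_block(struct buffer *b, uint64_t transid) {
    return get_generation(b) == transid;
}
/* Replays one ordering on a freshly allocated buffer holding stale bytes. */
static struct buffer init_new_buffer(enum order o, uint64_t transid) {
    struct buffer b = { .gen_written = false, .uninit_reads = 0 };
    memset(&b.h, 0xAA, sizeof(b.h)); /* constructed "stale memory" pattern */
    if (o != REGRESSED)
        set_generation(&b, transid); /* the store the fix re-adds */
    (void)clean_block(&b, transid);
    memzero_header(&b);
    if (o != SET_ONLY_BEFORE_MEMZERO)
        set_generation(&b, transid); /* the store that has to stay after memzero */
    return b;
}

int main(void) {
    for (int o = REGRESSED; o <= FIXED; o++) {
        struct buffer b = init_new_buffer((enum order)o, 7);
        printf("order %d: uninit_reads=%d generation=%llu\n", o, b.uninit_reads, (unsigned long long)b.h.generation);
    }
    return 0;
}
```

Only the FIXED ordering gives both zero flagged reads and a final header generation equal to the transaction id; setting the generation solely before the memzero avoids the flagged read but leaves the header with generation 0.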
Product status
bc877d285ca3dba24c52406946a4a69847cc7422 (git) before 0a408c6212c16b9a2a1141d3c531247582ef8101
bc877d285ca3dba24c52406946a4a69847cc7422 (git) before a687c2890fe4a2acaac6941fa4097a1264d8f3eb
bc877d285ca3dba24c52406946a4a69847cc7422 (git) before 89bc41c92d10b905c60f6ec13c9ef664a3555c54
bc877d285ca3dba24c52406946a4a69847cc7422 (git) before cbddcc4fa3443fe8cfb2ff8e210deb1f6a0eea38
4.19
Any version before 4.19
5.15.75 (semver)
5.19.17 (semver)
6.0.3 (semver)
6.1 (original_commit_for_fix)
References
git.kernel.org/...c/0a408c6212c16b9a2a1141d3c531247582ef8101
git.kernel.org/...c/a687c2890fe4a2acaac6941fa4097a1264d8f3eb
git.kernel.org/...c/89bc41c92d10b905c60f6ec13c9ef664a3555c54
git.kernel.org/...c/cbddcc4fa3443fe8cfb2ff8e210deb1f6a0eea38
Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.