THREATINT
PUBLISHED

CVE-2025-38034

btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref



Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref

btrfs_prelim_ref() calls the old and new reference variables in the incorrect order. This causes a NULL pointer dereference because oldref is passed as NULL to trace_btrfs_prelim_ref_insert().

Note, trace_btrfs_prelim_ref_insert() is being called with newref as oldref (and oldref as NULL) on purpose in order to print out the values of newref.

To reproduce:

    echo 1 > /sys/kernel/debug/tracing/events/btrfs/btrfs_prelim_ref_insert/enable

Perform some writeback operations.

Backtrace:

    BUG: kernel NULL pointer dereference, address: 0000000000000018
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    PGD 115949067 P4D 115949067 PUD 11594a067 PMD 0
    Oops: Oops: 0000 [#1] SMP NOPTI
    CPU: 1 UID: 0 PID: 1188 Comm: fsstress Not tainted 6.15.0-rc2-tester+ #47 PREEMPT(voluntary) 7ca2cef72d5e9c600f0c7718adb6462de8149622
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014
    RIP: 0010:trace_event_raw_event_btrfs__prelim_ref+0x72/0x130
    Code: e8 43 81 9f ff 48 85 c0 74 78 4d 85 e4 0f 84 8f 00 00 00 49 8b 94 24 c0 06 00 00 48 8b 0a 48 89 48 08 48 8b 52 08 48 89 50 10 <49> 8b 55 18 48 89 50 18 49 8b 55 20 48 89 50 20 41 0f b6 55 28 88
    RSP: 0018:ffffce44820077a0 EFLAGS: 00010286
    RAX: ffff8c6b403f9014 RBX: ffff8c6b55825730 RCX: 304994edf9cf506b
    RDX: d8b11eb7f0fdb699 RSI: ffff8c6b403f9010 RDI: ffff8c6b403f9010
    RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000010
    R10: 00000000ffffffff R11: 0000000000000000 R12: ffff8c6b4e8fb000
    R13: 0000000000000000 R14: ffffce44820077a8 R15: ffff8c6b4abd1540
    FS: 00007f4dc6813740(0000) GS:ffff8c6c1d378000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000018 CR3: 000000010eb42000 CR4: 0000000000750ef0
    PKRU: 55555554
    Call Trace:
     <TASK>
     prelim_ref_insert+0x1c1/0x270
     find_parent_nodes+0x12a6/0x1ee0
     ? __entry_text_end+0x101f06/0x101f09
     ? srso_alias_return_thunk+0x5/0xfbef5
     ? srso_alias_return_thunk+0x5/0xfbef5
     ? srso_alias_return_thunk+0x5/0xfbef5
     ? srso_alias_return_thunk+0x5/0xfbef5
     btrfs_is_data_extent_shared+0x167/0x640
     ? fiemap_process_hole+0xd0/0x2c0
     extent_fiemap+0xa5c/0xbc0
     ? __entry_text_end+0x101f05/0x101f09
     btrfs_fiemap+0x7e/0xd0
     do_vfs_ioctl+0x425/0x9d0
     __x64_sys_ioctl+0x75/0xc0

Reserved 2025-04-16 | Published 2025-06-18 | Updated 2025-06-18 | Assigner Linux

Product status

Default status: unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 5755b6731655e248c4f1d52a2e1b18795b4a2a3a: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before a641154cedf9d69730f8af5d0a901fe86e6486bd: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before a876703894a6dd6e8c04b0635d86e9f7a7c81b79: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 0528bba48dce7820d2da72e1a114e1c4552367eb: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 7a97f961a568a8f72472dc804af02a0f73152c5f: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 7f7c8c03feba5f2454792fab3bb8bd45bd6883f9: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 137bfa08c6441f324d00692d1e9d22cfd773329b: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before bc7e0975093567f51be8e1bdf4aa5900a3cf0b1e: affected

Default status: affected

5.4.294: unaffected
5.10.238: unaffected
5.15.185: unaffected
6.1.141: unaffected
6.6.93: unaffected
6.12.31: unaffected
6.14.9: unaffected
6.15: unaffected

References

git.kernel.org/...c/5755b6731655e248c4f1d52a2e1b18795b4a2a3a

git.kernel.org/...c/a641154cedf9d69730f8af5d0a901fe86e6486bd

git.kernel.org/...c/a876703894a6dd6e8c04b0635d86e9f7a7c81b79

git.kernel.org/...c/0528bba48dce7820d2da72e1a114e1c4552367eb

git.kernel.org/...c/7a97f961a568a8f72472dc804af02a0f73152c5f

git.kernel.org/...c/7f7c8c03feba5f2454792fab3bb8bd45bd6883f9

git.kernel.org/...c/137bfa08c6441f324d00692d1e9d22cfd773329b

git.kernel.org/...c/bc7e0975093567f51be8e1bdf4aa5900a3cf0b1e

cve.org (CVE-2025-38034)

nvd.nist.gov (CVE-2025-38034)
