Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-vulnerable / . / cve / published / 2025 / CVE-2025-21942.json
blob: 96091fed42f4942aed9ae0b6b2e967b9caf9e6b0 [file] [log] [blame]
{
"containers": {
"cna": {
"providerMetadata": {
"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
},
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix extent range end unlock in cow_file_range()\n\nRunning generic/751 on the for-next branch often results in a hang like\nbelow. They are both stack by locking an extent. This suggests someone\nforget to unlock an extent.\n\n INFO: task kworker/u128:1:12 blocked for more than 323 seconds.\n Not tainted 6.13.0-BTRFS-ZNS+ #503\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/u128:1 state:D stack:0 pid:12 tgid:12 ppid:2 flags:0x00004000\n Workqueue: btrfs-fixup btrfs_work_helper [btrfs]\n Call Trace:\n <TASK>\n __schedule+0x534/0xdd0\n schedule+0x39/0x140\n __lock_extent+0x31b/0x380 [btrfs]\n ? __pfx_autoremove_wake_function+0x10/0x10\n btrfs_writepage_fixup_worker+0xf1/0x3a0 [btrfs]\n btrfs_work_helper+0xff/0x480 [btrfs]\n ? lock_release+0x178/0x2c0\n process_one_work+0x1ee/0x570\n ? srso_return_thunk+0x5/0x5f\n worker_thread+0x1d1/0x3b0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x10b/0x230\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x30/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n INFO: task kworker/u134:0:184 blocked for more than 323 seconds.\n Not tainted 6.13.0-BTRFS-ZNS+ #503\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/u134:0 state:D stack:0 pid:184 tgid:184 ppid:2 flags:0x00004000\n Workqueue: writeback wb_workfn (flush-btrfs-4)\n Call Trace:\n <TASK>\n __schedule+0x534/0xdd0\n schedule+0x39/0x140\n __lock_extent+0x31b/0x380 [btrfs]\n ? __pfx_autoremove_wake_function+0x10/0x10\n find_lock_delalloc_range+0xdb/0x260 [btrfs]\n writepage_delalloc+0x12f/0x500 [btrfs]\n ? srso_return_thunk+0x5/0x5f\n extent_write_cache_pages+0x232/0x840 [btrfs]\n btrfs_writepages+0x72/0x130 [btrfs]\n do_writepages+0xe7/0x260\n ? srso_return_thunk+0x5/0x5f\n ? lock_acquire+0xd2/0x300\n ? srso_return_thunk+0x5/0x5f\n ? find_held_lock+0x2b/0x80\n ? wbc_attach_and_unlock_inode.part.0+0x102/0x250\n ? wbc_attach_and_unlock_inode.part.0+0x102/0x250\n __writeback_single_inode+0x5c/0x4b0\n writeback_sb_inodes+0x22d/0x550\n __writeback_inodes_wb+0x4c/0xe0\n wb_writeback+0x2f6/0x3f0\n wb_workfn+0x32a/0x510\n process_one_work+0x1ee/0x570\n ? srso_return_thunk+0x5/0x5f\n worker_thread+0x1d1/0x3b0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x10b/0x230\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x30/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nThis happens because we have another success path for the zoned mode. When\nthere is no active zone available, btrfs_reserve_extent() returns\n-EAGAIN. In this case, we have two reactions.\n\n(1) If the given range is never allocated, we can only wait for someone\n to finish a zone, so wait on BTRFS_FS_NEED_ZONE_FINISH bit and retry\n afterward.\n\n(2) Or, if some allocations are already done, we must bail out and let\n the caller to send IOs for the allocation. This is because these IOs\n may be necessary to finish a zone.\n\nThe commit 06f364284794 (\"btrfs: do proper folio cleanup when\ncow_file_range() failed\") moved the unlock code from the inside of the\nloop to the outside. So, previously, the allocated extents are unlocked\njust after the allocation and so before returning from the function.\nHowever, they are no longer unlocked on the case (2) above. That caused\nthe hang issue.\n\nFix the issue by modifying the 'end' to the end of the allocated\nrange. Then, we can exit the loop and the same unlock code can properly\nhandle the case."
}
],
"affected": [
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"fs/btrfs/inode.c"
],
"versions": [
{
"version": "692cf71173bb41395c855acbbbe197d3aedfa5d4",
"lessThan": "3fcff2f55389306482ab049b4321bda49495e546",
"status": "affected",
"versionType": "git"
},
{
"version": "06f364284794f149d2abc167c11d556cf20c954b",
"lessThan": "5a4041f2c47247575a6c2e53ce14f7b0ac946c33",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"fs/btrfs/inode.c"
],
"versions": [
{
"version": "6.13.2",
"lessThan": "6.13.7",
"status": "affected",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.2",
"versionEndExcluding": "6.13.7"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/3fcff2f55389306482ab049b4321bda49495e546"
},
{
"url": "https://git.kernel.org/stable/c/5a4041f2c47247575a6c2e53ce14f7b0ac946c33"
}
],
"title": "btrfs: zoned: fix extent range end unlock in cow_file_range()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
"cveID": "CVE-2025-21942",
"requesterUserId": "gregkh@kernel.org",
"serial": "1",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}