| { |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" |
| }, |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: return EIO on RAID1 block group write pointer mismatch\n\nThere was a bug report about a NULL pointer dereference in\n__btrfs_add_free_space_zoned() that ultimately happens because a\nconversion from the default metadata profile DUP to a RAID1 profile on two\ndisks.\n\nThe stack trace has the following signature:\n\n BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile\n BUG: kernel NULL pointer dereference, address: 0000000000000058\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n RIP: 0010:__btrfs_add_free_space_zoned.isra.0+0x61/0x1a0\n RSP: 0018:ffffa236b6f3f6d0 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffff96c8132f3400 RCX: 0000000000000001\n RDX: 0000000010000000 RSI: 0000000000000000 RDI: ffff96c8132f3410\n RBP: 0000000010000000 R08: 0000000000000003 R09: 0000000000000000\n R10: 0000000000000000 R11: 00000000ffffffff R12: 0000000000000000\n R13: ffff96c758f65a40 R14: 0000000000000001 R15: 000011aac0000000\n FS: 00007fdab1cb2900(0000) GS:ffff96e60ca00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000058 CR3: 00000001a05ae000 CR4: 0000000000350ef0\n Call Trace:\n <TASK>\n ? __die_body.cold+0x19/0x27\n ? page_fault_oops+0x15c/0x2f0\n ? exc_page_fault+0x7e/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? __btrfs_add_free_space_zoned.isra.0+0x61/0x1a0\n btrfs_add_free_space_async_trimmed+0x34/0x40\n btrfs_add_new_free_space+0x107/0x120\n btrfs_make_block_group+0x104/0x2b0\n btrfs_create_chunk+0x977/0xf20\n btrfs_chunk_alloc+0x174/0x510\n ? srso_return_thunk+0x5/0x5f\n btrfs_inc_block_group_ro+0x1b1/0x230\n btrfs_relocate_block_group+0x9e/0x410\n btrfs_relocate_chunk+0x3f/0x130\n btrfs_balance+0x8ac/0x12b0\n ? srso_return_thunk+0x5/0x5f\n ? srso_return_thunk+0x5/0x5f\n ? __kmalloc_cache_noprof+0x14c/0x3e0\n btrfs_ioctl+0x2686/0x2a80\n ? srso_return_thunk+0x5/0x5f\n ? ioctl_has_perm.constprop.0.isra.0+0xd2/0x120\n __x64_sys_ioctl+0x97/0xc0\n do_syscall_64+0x82/0x160\n ? srso_return_thunk+0x5/0x5f\n ? __memcg_slab_free_hook+0x11a/0x170\n ? srso_return_thunk+0x5/0x5f\n ? kmem_cache_free+0x3f0/0x450\n ? srso_return_thunk+0x5/0x5f\n ? srso_return_thunk+0x5/0x5f\n ? syscall_exit_to_user_mode+0x10/0x210\n ? srso_return_thunk+0x5/0x5f\n ? do_syscall_64+0x8e/0x160\n ? sysfs_emit+0xaf/0xc0\n ? srso_return_thunk+0x5/0x5f\n ? srso_return_thunk+0x5/0x5f\n ? seq_read_iter+0x207/0x460\n ? srso_return_thunk+0x5/0x5f\n ? vfs_read+0x29c/0x370\n ? srso_return_thunk+0x5/0x5f\n ? srso_return_thunk+0x5/0x5f\n ? syscall_exit_to_user_mode+0x10/0x210\n ? srso_return_thunk+0x5/0x5f\n ? do_syscall_64+0x8e/0x160\n ? srso_return_thunk+0x5/0x5f\n ? exc_page_fault+0x7e/0x180\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7fdab1e0ca6d\n RSP: 002b:00007ffeb2b60c80 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdab1e0ca6d\n RDX: 00007ffeb2b60d80 RSI: 00000000c4009420 RDI: 0000000000000003\n RBP: 00007ffeb2b60cd0 R08: 0000000000000000 R09: 0000000000000013\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n R13: 00007ffeb2b6343b R14: 00007ffeb2b60d80 R15: 0000000000000001\n </TASK>\n CR2: 0000000000000058\n ---[ end trace 0000000000000000 ]---\n\nThe 1st line is the most interesting here:\n\n BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile\n\nWhen a RAID1 block-group is created and a write pointer mismatch between\nthe disks in the RAID set is detected, btrfs sets the alloc_offset to the\nlength of the block group marking it as full. Afterwards the code expects\nthat a balance operation will evacuate the data in this block-group and\nrepair the problems.\n\nBut before this is possible, the new space of this block-group will be\naccounted in the free space cache. But in __btrfs_\n---truncated---" |
| } |
| ], |
| "affected": [ |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "unaffected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "fs/btrfs/zoned.c" |
| ], |
| "versions": [ |
| { |
| "version": "b1934cd6069538db2255dc94ba573771ecf3b560", |
| "lessThan": "9a447f748f6c7287dad68fa91913cd382fa0fcc8", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "b1934cd6069538db2255dc94ba573771ecf3b560", |
| "lessThan": "f4717a02cc422cf4bb2dbb280b154a1ae65c5f84", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "b1934cd6069538db2255dc94ba573771ecf3b560", |
| "lessThan": "b0c26f47992672661340dd6ea931240213016609", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "e91dab550dd1d2221333cac9f5c012ab5193696f", |
| "status": "affected", |
| "versionType": "git" |
| } |
| ] |
| }, |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "affected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "fs/btrfs/zoned.c" |
| ], |
| "versions": [ |
| { |
| "version": "6.11", |
| "status": "affected" |
| }, |
| { |
| "version": "0", |
| "lessThan": "6.11", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.12.26", |
| "lessThanOrEqual": "6.12.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.14.5", |
| "lessThanOrEqual": "6.14.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.15", |
| "lessThanOrEqual": "*", |
| "status": "unaffected", |
| "versionType": "original_commit_for_fix" |
| } |
| ] |
| } |
| ], |
| "cpeApplicability": [ |
| { |
| "nodes": [ |
| { |
| "operator": "OR", |
| "negate": false, |
| "cpeMatch": [ |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "6.11", |
| "versionEndExcluding": "6.12.26" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "6.11", |
| "versionEndExcluding": "6.14.5" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "6.11", |
| "versionEndExcluding": "6.15" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "6.10.10" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://git.kernel.org/stable/c/9a447f748f6c7287dad68fa91913cd382fa0fcc8" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/f4717a02cc422cf4bb2dbb280b154a1ae65c5f84" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/b0c26f47992672661340dd6ea931240213016609" |
| } |
| ], |
| "title": "btrfs: zoned: return EIO on RAID1 block group write pointer mismatch", |
| "x_generator": { |
| "engine": "bippy-1.2.0" |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", |
| "cveID": "CVE-2025-37827", |
| "requesterUserId": "gregkh@kernel.org", |
| "serial": "1", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |
