CVE-2025-21752

In the Linux kernel, the following vulnerability has been resolved:

btrfs: don't use btrfssetitemkeysafe on RAID stripe-extents

Don't use btrfssetitemkeysafe() to modify the keys in the RAID stripe-tree, as this can lead to corruption of the tree, which is caught by the checks in btrfssetitemkeysafe():

BTRFS info (device nvme1n1): leaf 49168384 gen 15 total ptrs 194 free space 8329 owner 12 BTRFS info (device nvme1n1): refs 2 lockowner 1030 current 1030 [ snip ] item 105 key (354549760 230 20480) itemoff 14587 itemsize 16 stride 0 devid 5 physical 67502080 item 106 key (354631680 230 4096) itemoff 14571 itemsize 16 stride 0 devid 1 physical 88559616 item 107 key (354631680 230 32768) itemoff 14555 itemsize 16 stride 0 devid 1 physical 88555520 item 108 key (354717696 230 28672) itemoff 14539 itemsize 16 stride 0 devid 2 physical 67604480 [ snip ] BTRFS critical (device nvme1n1): slot 106 key (354631680 230 32768) new key (354635776 230 4096) ------------[ cut here ]------------ kernel BUG at fs/btrfs/ctree.c:2602! Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 1 UID: 0 PID: 1055 Comm: fsstress Not tainted 6.13.0-rc1+ #1464 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 RIP: 0010:btrfssetitemkeysafe+0xf7/0x270 Code: <snip> RSP: 0018:ffffc90001337ab0 EFLAGS: 00010287 RAX: 0000000000000000 RBX: ffff8881115fd000 RCX: 0000000000000000 RDX: 0000000000000001 RSI: 0000000000000001 RDI: 00000000ffffffff RBP: ffff888110ed6f50 R08: 00000000ffffefff R09: ffffffff8244c500 R10: 00000000ffffefff R11: 00000000ffffffff R12: ffff888100586000 R13: 00000000000000c9 R14: ffffc90001337b1f R15: ffff888110f23b58 FS: 00007f7d75c72740(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa811652c60 CR3: 0000000111398001 CR4: 0000000000370eb0 Call Trace: <TASK> ? _diebody.cold+0x14/0x1a ? die+0x2e/0x50 ? dotrap+0xca/0x110 ? doerrortrap+0x65/0x80 ? btrfssetitemkeysafe+0xf7/0x270 ? excinvalidop+0x50/0x70 ? btrfssetitemkeysafe+0xf7/0x270 ? asmexcinvalidop+0x1a/0x20 ? btrfssetitemkeysafe+0xf7/0x270 btrfspartiallydeleteraidextent+0xc4/0xe0 btrfsdeleteraidextent+0x227/0x240 _btrfsfreeextent.isra.0+0x57f/0x9c0 ? exccoprocsegmentoverrun+0x40/0x40 _btrfsrundelayedrefs+0x2fa/0xe80 btrfsrundelayedrefs+0x81/0xe0 btrfscommittransaction+0x2dd/0xbe0 ? preemptcountadd+0x52/0xb0 btrfssyncfile+0x375/0x4c0 dofsync+0x39/0x70 _x64sysfsync+0x13/0x20 dosyscall64+0x54/0x110 entrySYSCALL64afterhwframe+0x76/0x7e RIP: 0033:0x7f7d7550ef90 Code: <snip> RSP: 002b:00007ffd70237248 EFLAGS: 00000202 ORIGRAX: 000000000000004a RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f7d7550ef90 RDX: 000000000000013a RSI: 000000000040eb28 RDI: 0000000000000004 RBP: 000000000000001b R08: 0000000000000078 R09: 00007ffd7023725c R10: 00007f7d75400390 R11: 0000000000000202 R12: 028f5c28f5c28f5c R13: 8f5c28f5c28f5c29 R14: 000000000040b520 R15: 00007f7d75c726c8 </TASK>

While the root cause of the tree order corruption isn't clear, using btrfsduplicateitem() to copy the item and then adjusting both the key and the per-device physical addresses is a safe way to counter this problem.