Acknowledged
Created: Jun 19, 2025
Updated: Jun 20, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref

btrfs_prelim_ref() calls the old and new reference variables in the
incorrect order. This causes a NULL pointer dereference because oldref
is passed as NULL to trace_btrfs_prelim_ref_insert().

Note, trace_btrfs_prelim_ref_insert() is being called with newref as
oldref (and oldref as NULL) on purpose in order to print out
the values of newref.

To reproduce:
echo 1 > /sys/kernel/debug/tracing/events/btrfs/btrfs_prelim_ref_insert/enable

Perform some writeback operations.

Backtrace:
BUG: kernel NULL pointer dereference, address: 0000000000000018
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 115949067 P4D 115949067 PUD 11594a067 PMD 0
 Oops: Oops: 0000 [#1] SMP NOPTI
 CPU: 1 UID: 0 PID: 1188 Comm: fsstress Not tainted 6.15.0-rc2-tester+ #47 PREEMPT(voluntary) 7ca2cef72d5e9c600f0c7718adb6462de8149622
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014
 RIP: 0010:trace_event_raw_event_btrfs__prelim_ref+0x72/0x130
 Code: e8 43 81 9f ff 48 85 c0 74 78 4d 85 e4 0f 84 8f 00 00 00 49 8b 94 24 c0 06 00 00 48 8b 0a 48 89 48 08 48 8b 52 08 48 89 50 10 <49> 8b 55 18 48 89 50 18 49 8b 55 20 48 89 50 20 41 0f b6 55 28 88
 RSP: 0018:ffffce44820077a0 EFLAGS: 00010286
 RAX: ffff8c6b403f9014 RBX: ffff8c6b55825730 RCX: 304994edf9cf506b
 RDX: d8b11eb7f0fdb699 RSI: ffff8c6b403f9010 RDI: ffff8c6b403f9010
 RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000010
 R10: 00000000ffffffff R11: 0000000000000000 R12: ffff8c6b4e8fb000
 R13: 0000000000000000 R14: ffffce44820077a8 R15: ffff8c6b4abd1540
 FS: 00007f4dc6813740(0000) GS:ffff8c6c1d378000(0000) knlGS:0000000000000000
 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000018 CR3: 000000010eb42000 CR4: 0000000000750ef0
 PKRU: 55555554
 Call Trace:
 <TASK>
 prelim_ref_insert+0x1c1/0x270
 find_parent_nodes+0x12a6/0x1ee0
 ? __entry_text_end+0x101f06/0x101f09
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? srso_alias_return_thunk+0x5/0xfbef5
 btrfs_is_data_extent_shared+0x167/0x640
 ? fiemap_process_hole+0xd0/0x2c0
 extent_fiemap+0xa5c/0xbc0
 ? __entry_text_end+0x101f05/0x101f09
 btrfs_fiemap+0x7e/0xd0
 do_vfs_ioctl+0x425/0x9d0
 __x64_sys_ioctl+0x75/0xc0
CREATE(Triage):(User=lchen-cn) CVE-2025-38034 (https://nvd.nist.gov/vuln/detail/CVE-2025-38034)
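
The reproducer above depends on the btrfs_prelim_ref_insert trace event being enabled, so on a kernel that has not yet received the fix it is worth checking that the event is off. The following is an added example, not part of the original record or of the kernel sources: the function name, the --disable flag and the return codes are assumptions made for this sketch, and /sys/kernel/tracing is included as the second usual tracefs mount point next to the path used in the record.

```shell
#!/bin/sh
# Added example (not vendor or kernel code). The function name, the --disable
# flag and the return codes are assumptions made for this sketch.
# Returns: 0 = event found and off, 1 = event still enabled, 2 = event not found.
check_prelim_ref_trace() {
    pr_disable=0
    if [ "${1:-}" = "--disable" ]; then pr_disable=1; shift; fi
    # With no roots given, look at the two usual tracefs mount points.
    [ "$#" -gt 0 ] || set -- /sys/kernel/tracing /sys/kernel/debug/tracing
    pr_status=2
    for pr_root in "$@"; do
        pr_file="$pr_root/events/btrfs/btrfs_prelim_ref_insert/enable"
        [ -r "$pr_file" ] || continue
        pr_state=$(cat "$pr_file")
        if [ "$pr_state" != "0" ] && [ "$pr_disable" -eq 1 ]; then
            # Writing 0 turns the event off again (needs root on a real system).
            if echo 0 > "$pr_file"; then pr_state=$(cat "$pr_file"); fi
        fi
        if [ "$pr_state" = "0" ]; then
            echo "off:     $pr_file"
            [ "$pr_status" -eq 1 ] || pr_status=0
        else
            # Anything other than a plain 0 is treated as enabled.
            echo "ENABLED: $pr_file (state: $pr_state)"
            pr_status=1
        fi
    done
    return "$pr_status"
}
# Typical use on a host: check_prelim_ref_trace            (report only)
#                        check_prelim_ref_trace --disable  (report and turn off)
```

A return code of 2 means the event file was not found under any of the roots, for example because tracefs is not mounted or btrfs is not loaded.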