Wind River Support Network

Acknowledged

LIN1023-13928 : Security Advisory - linux - CVE-2025-38260

Created: Jul 9, 2025    Updated: Jul 10, 2025
Found In Version: 10.23.30.1
Severity: Standard
Applicable for: Wind River Linux LTS 23
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: handle csum tree error with rescue=ibadroots correctly

[BUG]
There is syzbot based reproducer that can crash the kernel, with the
following call trace: (With some debug output added)

 DEBUG: rescue=ibadroots parsed
 BTRFS: device fsid 14d642db-7b15-43e4-81e6-4b8fac6a25f8 devid 1 transid 8 /dev/loop0 (7:0) scanned by repro (1010)
 BTRFS info (device loop0): first mount of filesystem 14d642db-7b15-43e4-81e6-4b8fac6a25f8
 BTRFS info (device loop0): using blake2b (blake2b-256-generic) checksum algorithm
 BTRFS info (device loop0): using free-space-tree
 BTRFS warning (device loop0): checksum verify failed on logical 5312512 mirror 1 wanted 0xb043382657aede36608fd3386d6b001692ff406164733d94e2d9a180412c6003 found 0x810ceb2bacb7f0f9eb2bf3b2b15c02af867cb35ad450898169f3b1f0bd818651 level 0
 DEBUG: read tree root path failed for tree csum, ret=-5
 BTRFS warning (device loop0): checksum verify failed on logical 5328896 mirror 1 wanted 0x51be4e8b303da58e6340226815b70e3a93592dac3f30dd510c7517454de8567a found 0x51be4e8b303da58e634022a315b70e3a93592dac3f30dd510c7517454de8567a level 0
 BTRFS warning (device loop0): checksum verify failed on logical 5292032 mirror 1 wanted 0x1924ccd683be9efc2fa98582ef58760e3848e9043db8649ee382681e220cdee4 found 0x0cb6184f6e8799d9f8cb335dccd1d1832da1071d12290dab3b85b587ecacca6e level 0
 process 'repro' launched './file2' with NULL argv: empty string added
 DEBUG: no csum root, idatacsums=0 ibadroots=134217728
 Oops: general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] SMP KASAN NOPTI
 KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f]
 CPU: 5 UID: 0 PID: 1010 Comm: repro Tainted: G           OE       6.15.0-custom+ #249 PREEMPT(full)
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022
 RIP: 0010:btrfs_lookup_csum+0x93/0x3d0 [btrfs]
 Call Trace:
  <TASK>
  btrfs_lookup_bio_sums+0x47a/0xdf0 [btrfs]
  btrfs_submit_bbio+0x43e/0x1a80 [btrfs]
  submit_one_bio+0xde/0x160 [btrfs]
  btrfs_readahead+0x498/0x6a0 [btrfs]
  read_pages+0x1c3/0xb20
  page_cache_ra_order+0x4b5/0xc20
  filemap_get_pages+0x2d3/0x19e0
  filemap_read+0x314/0xde0
  __kernel_read+0x35b/0x900
  bprm_execve+0x62e/0x1140
  do_execveat_common.isra.0+0x3fc/0x520
  __x64_sys_execveat+0xdc/0x130
  do_syscall_64+0x54/0x1d0
  entry_SYSCALL_64_after_hwframe+0x76/0x7e
 ---[ end trace 0000000000000000 ]---

[CAUSE]
Firstly the fs has a corrupted csum tree root, thus to mount the fs we
have to go "ro,rescue=ibadroots" mount option.

Normally with that mount option, a bad csum tree root should set
BTRFS_FS_STATE_NO_DATA_CSUMS flag, so that any future data read will
ignore csum search.

But in this particular case, we have the following call trace that
caused NULL csum root, but not setting BTRFS_FS_STATE_NO_DATA_CSUMS:

load_global_roots_objectid():

		ret = btrfs_search_slot();
		/* Succeeded */
		btrfs_item_key_to_cpu()
		found = true;
		/* We found the root item for csum tree. */
		root = read_tree_root_path();
		if (IS_ERR(root)) {
			if (!btrfs_test_opt(fs_info, IGNOREBADROOTS))
			/*
			 * Since we have rescue=ibadroots mount option,
			 * @ret is still 0.
			 */
			break;
	if (!found || ret) {
		/* @found is true, @ret is 0, error handling for csum
		 * tree is skipped.
		 */
	}

This means we completely skipped to set BTRFS_FS_STATE_NO_DATA_CSUMS if
the csum tree is corrupted, which results unexpected later csum lookup.

[FIX]
If read_tree_root_path() failed, always populate @ret to the error
number.

As at the end of the function, we need @ret to determine if we need to
do the extra error handling for csum tree.
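
The control flow described under [CAUSE] and [FIX], as a small user-space model added here for illustration; it is not the kernel's code or Wind River's. The struct, the function names, MODEL_EIO and the assumption that a rescue mount continues with ret reset to 0 are all constructed for the model.

```c
#include <stdbool.h>
#include <stdio.h>

#define MODEL_EIO 5 /* the log above shows ret=-5 for the csum tree read */
struct fs_model {                /* constructed stand-in, not a kernel struct */
    bool ignore_bad_roots;       /* mounted with rescue=ibadroots */
    bool no_data_csums;          /* models BTRFS_FS_STATE_NO_DATA_CSUMS */
    bool csum_root_loaded;       /* false models the NULL csum root */
};

/* populate_ret=false models the flow before the fix, true the flow after. */
static int load_csum_root_model(struct fs_model *fs, bool corrupted, bool populate_ret)
{
    bool found = true;           /* the root item search succeeded */
    int ret = 0;
    int err = corrupted ? -MODEL_EIO : 0;  /* models read_tree_root_path() */

    if (err) {
        /* Before the fix, ret stays 0 here whenever ibadroots is set. */
        if (populate_ret || !fs->ignore_bad_roots)
            ret = err;
    } else {
        fs->csum_root_loaded = true;
    }
    if (!found || ret) {
        /* Tail error handling: later data reads must skip the csum search. */
        fs->no_data_csums = true;
        if (fs->ignore_bad_roots)
            ret = 0;             /* assumption: the rescue mount continues */
    }
    return ret;
}

/* A data read uses the csum root unless no_data_csums tells it to skip. */
static bool read_hits_null_csum_root(const struct fs_model *fs)
{
    return !fs->no_data_csums && !fs->csum_root_loaded;
}

int main(void)
{
    struct fs_model before = { .ignore_bad_roots = true };
    struct fs_model after = { .ignore_bad_roots = true };
    load_csum_root_model(&before, true, false);
    load_csum_root_model(&after, true, true);
    printf("NULL csum root reached: before fix=%d, after fix=%d\n",
           read_hits_null_csum_root(&before), read_hits_null_csum_root(&after));
    return 0;
}
```

In the model, both mounts succeed, but only the pre-fix flow leaves a missing csum root with the skip flag unset, which is the state the call trace in the description crashes on.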

CREATE(Triage):(User=admin) CVE-2025-38260 (https://nvd.nist.gov/vuln/detail/CVE-2025-38260)