Acknowledged
Created: Jun 19, 2025
Updated: Jun 20, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

btrfs: avoid NULL pointer dereference if no valid csum tree

[BUG]
When trying read-only scrub on a btrfs with rescue=idatacsums mount
option, it will crash with the following call trace:

 BUG: kernel NULL pointer dereference, address: 0000000000000208
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 CPU: 1 UID: 0 PID: 835 Comm: btrfs Tainted: G O 6.15.0-rc3-custom+ #236 PREEMPT(full)
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022
 RIP: 0010:btrfs_lookup_csums_bitmap+0x49/0x480 [btrfs]
 Call Trace:
 <TASK>
 scrub_find_fill_first_stripe+0x35b/0x3d0 [btrfs]
 scrub_simple_mirror+0x175/0x290 [btrfs]
 scrub_stripe+0x5f7/0x6f0 [btrfs]
 scrub_chunk+0x9a/0x150 [btrfs]
 scrub_enumerate_chunks+0x333/0x660 [btrfs]
 btrfs_scrub_dev+0x23e/0x600 [btrfs]
 btrfs_ioctl+0x1dcf/0x2f80 [btrfs]
 __x64_sys_ioctl+0x97/0xc0
 do_syscall_64+0x4f/0x120
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

[CAUSE]
Mount option "rescue=idatacsums" will completely skip loading the csum
tree, so that any data read will not find any data csum thus we will
ignore data checksum verification.

Normally call sites utilizing csum tree will check the fs state flag
NO_DATA_CSUMS bit, but unfortunately scrub does not check that bit at all.

This results in scrub to call btrfs_search_slot() on a NULL pointer
and triggered above crash.

[FIX]
Check both extent and csum tree root before doing any tree search.
CREATE(Triage):(User=lchen-cn) [CVE-2025-38059 (https://nvd.nist.gov/vuln/detail/CVE-2025-38059)
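
An added example, not part of this record or of the upstream patch: a Python check that lists btrfs mounts whose rescue= option skips loading the csum tree, which are the mounts where a scrub reaches the crash described above on a kernel without the fix. The long form ignoredatacsums, the value all and the ":" separator between rescue values are assumptions taken from upstream btrfs mount-option documentation; the sample mount table is constructed.

```python
# Values of the btrfs "rescue=" mount option that skip loading the csum tree.
# "idatacsums" is the form named in this record; "ignoredatacsums" (long form)
# and "all" are assumptions based on upstream btrfs mount-option documentation.
NO_CSUM_TREE = {"idatacsums", "ignoredatacsums", "all"}


def rescue_values(options):
    """Return the set of values passed to rescue= in a mount option string."""
    values = set()
    for opt in options.split(","):
        if opt.startswith("rescue="):
            # Assumption: several rescue values may be joined with ':'.
            values.update(v for v in opt[len("rescue="):].split(":") if v)
    return values


def mounts_without_csum_tree(mounts_text):
    """Return (device, mountpoint, matched values) for affected btrfs mounts."""
    hits = []
    for line in mounts_text.splitlines():
        fields = line.split()
        # /proc/mounts layout: device mountpoint fstype options dump pass
        if len(fields) < 4 or fields[2] != "btrfs":
            continue
        matched = rescue_values(fields[3]) & NO_CSUM_TREE
        if matched:
            hits.append((fields[0], fields[1], sorted(matched)))
    return hits


# Constructed sample in /proc/mounts format (not taken from a real host).
SAMPLE = """\
/dev/vda1 / ext4 rw,relatime 0 0
/dev/vdb /mnt/data btrfs rw,relatime,space_cache=v2,subvolid=5,subvol=/ 0 0
/dev/vdc /mnt/recover btrfs ro,relatime,rescue=idatacsums,subvolid=5,subvol=/ 0 0
/dev/vdd /mnt/salvage btrfs ro,relatime,rescue=nologreplay:ignoredatacsums 0 0
/dev/vde /mnt/logskip btrfs ro,relatime,rescue=nologreplay 0 0
"""

if __name__ == "__main__":
    import sys
    # With a path argument (e.g. /proc/mounts) scan that file, else the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for dev, mnt, vals in mounts_without_csum_tree(text):
        print(f"{mnt} ({dev}): rescue={':'.join(vals)}; "
              "hold off scrubbing until the kernel carries the fix")
```

Run it with /proc/mounts as the argument on a host to scan the live mount table.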