CVE-2025-40100
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-40100
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40100.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-40100
- Downstream
- Published
- 2025-10-30T09:48:06Z
- Modified
- 2025-10-30T22:43:28.455209Z
- Summary
- btrfs: do not assert we found block group item when creating free space tree
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
btrfs: do not assert we found block group item when creating free space tree
Currently, when building a free space tree at populatefreespacetree(), if we are not using the block group tree feature, we always expect to find block group items (either extent items or a block group item with key type BTRFSBLOCKGROUPITEMKEY) when we search the extent tree with btrfssearchslotfor_read(), so we assert that we found an item. However this expectation is wrong since we can have a new block group created in the current transaction which is still empty and for which we still have not added the block group's item to the extent tree, in which case we do not have any items in the extent tree associated to the block group.
The insertion of a new block group's block group item in the extent tree happens at btrfscreatependingblockgroups() when it calls the helper insertblockgroup_item(). This typically is done when a transaction handle is released, committed or when running delayed refs (either as part of a transaction commit or when serving tickets for space reservation if we are low on free space).
So remove the assertion at populatefreespace_tree() even when the block group tree feature is not enabled and update the comment to mention this case.
Syzbot reported this with the following stack trace:
BTRFS info (device loop3 state M): rebuilding free space tree assertion failed: ret == 0 :: 0, in fs/btrfs/free-space-tree.c:1115 ------------[ cut here ]------------ kernel BUG at fs/btrfs/free-space-tree.c:1115! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 1 UID: 0 PID: 6352 Comm: syz.3.25 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 RIP: 0010:populatefreespacetree+0x700/0x710 fs/btrfs/free-space-tree.c:1115 Code: ff ff e8 d3 (...) RSP: 0018:ffffc9000430f780 EFLAGS: 00010246 RAX: 0000000000000043 RBX: ffff88805b709630 RCX: fea61d0e2e79d000 RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 RBP: ffffc9000430f8b0 R08: ffffc9000430f4a7 R09: 1ffff92000861e94 R10: dffffc0000000000 R11: fffff52000861e95 R12: 0000000000000001 R13: 1ffff92000861f00 R14: dffffc0000000000 R15: 0000000000000000 FS: 00007f424d9fe6c0(0000) GS:ffff888125afc000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fd78ad212c0 CR3: 0000000076d68000 CR4: 00000000003526f0 Call Trace: <TASK> btrfsrebuildfreespacetree+0x1ba/0x6d0 fs/btrfs/free-space-tree.c:1364 btrfsstartprerwmount+0x128f/0x1bf0 fs/btrfs/disk-io.c:3062 btrfsremountrw fs/btrfs/super.c:1334 [inline] btrfsreconfigure+0xaed/0x2160 fs/btrfs/super.c:1559 reconfiguresuper+0x227/0x890 fs/super.c:1076 doremount fs/namespace.c:3279 [inline] pathmount+0xd1a/0xfe0 fs/namespace.c:4027 domount fs/namespace.c:4048 [inline] _dosysmount fs/namespace.c:4236 [inline] _sesysmount+0x313/0x410 fs/namespace.c:4213 dosyscallx64 arch/x86/entry/syscall64.c:63 [inline] dosyscall64+0xfa/0xfa0 arch/x86/entry/syscall64.c:94 entrySYSCALL64afterhwframe+0x77/0x7f RIP: 0033:0x7f424e39066a Code: d8 64 89 02 (...) RSP: 002b:00007f424d9fde68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007f424d9fdef0 RCX: 00007f424e39066a RDX: 0000200000000180 RSI: 0000200000000380 RDI: 0000000000000000 RBP: 0000200000000180 R08: 00007f424d9fdef0 R09: 0000000000000020 R10: 0000000000000020 R11: 0000000000000246 R12: 0000200000000380 R13: 00007f424d9fdeb0 R14: 0000000000000000 R15: 00002000000002c0 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]---
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/289498da343b05c886f19b4269429606f86dd17b
- https://git.kernel.org/stable/c/3fdcfd91b93f930d87843156c7c8cc5fbcf9b144
- https://git.kernel.org/stable/c/4f4b9ca73f84130d9fbb0fc02306ce94ce8bdbe6
- https://git.kernel.org/stable/c/a5a51bf4e9b7354ce7cd697e610d72c1b33fd949
- https://git.kernel.org/stable/c/eb145463f22d7d32d426b29fe9810de9e792b6ba
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceda5ed91828518ab076209266c2bc510adabd078dfFixed4f4b9ca73f84130d9fbb0fc02306ce94ce8bdbe6
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceda5ed91828518ab076209266c2bc510adabd078dfFixed289498da343b05c886f19b4269429606f86dd17b
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceda5ed91828518ab076209266c2bc510adabd078dfFixed3fdcfd91b93f930d87843156c7c8cc5fbcf9b144
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceda5ed91828518ab076209266c2bc510adabd078dfFixedeb145463f22d7d32d426b29fe9810de9e792b6ba
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceda5ed91828518ab076209266c2bc510adabd078dfFixeda5a51bf4e9b7354ce7cd697e610d72c1b33fd949
Affected versions
v4.*
v5.*
v6.*
Database specific
vanir_signatures
[
{
"id": "CVE-2025-40100-08609265",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "211400618085250892048727982574729452504",
"length": 1638.0
},
"target": {
"file": "fs/btrfs/free-space-tree.c",
"function": "populate_free_space_tree"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4f4b9ca73f84130d9fbb0fc02306ce94ce8bdbe6"
},
{
"id": "CVE-2025-40100-1be3b47a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "211400618085250892048727982574729452504",
"length": 1638.0
},
"target": {
"file": "fs/btrfs/free-space-tree.c",
"function": "populate_free_space_tree"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3fdcfd91b93f930d87843156c7c8cc5fbcf9b144"
},
{
"id": "CVE-2025-40100-1f29deac",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"68321794398000519214682842165086395731",
"276786499354925210650842689220775723521",
"197188671446049748039634651209992446421",
"328928293052537822328613461592933398443",
"305499484414016744676319523026072964355"
],
"threshold": 0.9
},
"target": {
"file": "fs/btrfs/free-space-tree.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3fdcfd91b93f930d87843156c7c8cc5fbcf9b144"
},
{
"id": "CVE-2025-40100-4e690c2a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"68321794398000519214682842165086395731",
"276786499354925210650842689220775723521",
"197188671446049748039634651209992446421",
"328928293052537822328613461592933398443",
"305499484414016744676319523026072964355"
],
"threshold": 0.9
},
"target": {
"file": "fs/btrfs/free-space-tree.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@289498da343b05c886f19b4269429606f86dd17b"
},
{
"id": "CVE-2025-40100-50e3ea2a",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "179554800411412540728785746454748202321",
"length": 1609.0
},
"target": {
"file": "fs/btrfs/free-space-tree.c",
"function": "populate_free_space_tree"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@eb145463f22d7d32d426b29fe9810de9e792b6ba"
},
{
"id": "CVE-2025-40100-5c7dde2f",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"68321794398000519214682842165086395731",
"276786499354925210650842689220775723521",
"197188671446049748039634651209992446421",
"328928293052537822328613461592933398443",
"305499484414016744676319523026072964355"
],
"threshold": 0.9
},
"target": {
"file": "fs/btrfs/free-space-tree.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4f4b9ca73f84130d9fbb0fc02306ce94ce8bdbe6"
},
{
"id": "CVE-2025-40100-65b64762",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "211400618085250892048727982574729452504",
"length": 1638.0
},
"target": {
"file": "fs/btrfs/free-space-tree.c",
"function": "populate_free_space_tree"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@289498da343b05c886f19b4269429606f86dd17b"
},
{
"id": "CVE-2025-40100-c755c8e4",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"68321794398000519214682842165086395731",
"276786499354925210650842689220775723521",
"197188671446049748039634651209992446421",
"328928293052537822328613461592933398443",
"305499484414016744676319523026072964355"
],
"threshold": 0.9
},
"target": {
"file": "fs/btrfs/free-space-tree.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@eb145463f22d7d32d426b29fe9810de9e792b6ba"
},
{
"id": "CVE-2025-40100-cb67f901",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"68321794398000519214682842165086395731",
"276786499354925210650842689220775723521",
"197188671446049748039634651209992446421",
"328928293052537822328613461592933398443",
"305499484414016744676319523026072964355"
],
"threshold": 0.9
},
"target": {
"file": "fs/btrfs/free-space-tree.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a5a51bf4e9b7354ce7cd697e610d72c1b33fd949"
},
{
"id": "CVE-2025-40100-fc23f9b1",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "179554800411412540728785746454748202321",
"length": 1609.0
},
"target": {
"file": "fs/btrfs/free-space-tree.c",
"function": "populate_free_space_tree"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a5a51bf4e9b7354ce7cd697e610d72c1b33fd949"
}
]