CVE-2025-38503

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix assertion when building free space tree

When building the free space tree with the block group tree feature enabled, we can hit an assertion failure like this:

BTRFS info (device loop0 state M): rebuilding free space tree assertion failed: ret == 0, in fs/btrfs/free-space-tree.c:1102 ------------[ cut here ]------------ kernel BUG at fs/btrfs/free-space-tree.c:1102! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP Modules linked in: CPU: 1 UID: 0 PID: 6592 Comm: syz-executor322 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : populatefreespacetree+0x514/0x518 fs/btrfs/free-space-tree.c:1102 lr : populatefreespacetree+0x514/0x518 fs/btrfs/free-space-tree.c:1102 sp : ffff8000a4ce7600 x29: ffff8000a4ce76e0 x28: ffff0000c9bc6000 x27: ffff0000ddfff3d8 x26: ffff0000ddfff378 x25: dfff800000000000 x24: 0000000000000001 x23: ffff8000a4ce7660 x22: ffff70001499cecc x21: ffff0000e1d8c160 x20: ffff0000e1cb7800 x19: ffff0000e1d8c0b0 x18: 00000000ffffffff x17: ffff800092f39000 x16: ffff80008ad27e48 x15: ffff700011e740c0 x14: 1ffff00011e740c0 x13: 0000000000000004 x12: ffffffffffffffff x11: ffff700011e740c0 x10: 0000000000ff0100 x9 : 94ef24f55d2dbc00 x8 : 94ef24f55d2dbc00 x7 : 0000000000000001 x6 : 0000000000000001 x5 : ffff8000a4ce6f98 x4 : ffff80008f415ba0 x3 : ffff800080548ef0 x2 : 0000000000000000 x1 : 0000000100000000 x0 : 000000000000003e Call trace: populatefreespacetree+0x514/0x518 fs/btrfs/free-space-tree.c:1102 (P) btrfsrebuildfreespacetree+0x14c/0x54c fs/btrfs/free-space-tree.c:1337 btrfsstartprerwmount+0xa78/0xe10 fs/btrfs/disk-io.c:3074 btrfsremountrw fs/btrfs/super.c:1319 [inline] btrfsreconfigure+0x828/0x2418 fs/btrfs/super.c:1543 reconfiguresuper+0x1d4/0x6f0 fs/super.c:1083 doremount fs/namespace.c:3365 [inline] pathmount+0xb34/0xde0 fs/namespace.c:4200 domount fs/namespace.c:4221 [inline] _dosysmount fs/namespace.c:4432 [inline] _sesysmount fs/namespace.c:4409 [inline] _arm64sysmount+0x3e8/0x468 fs/namespace.c:4409 _invokesyscall arch/arm64/kernel/syscall.c:35 [inline] invokesyscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0svccommon+0x130/0x23c arch/arm64/kernel/syscall.c:132 doel0svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767 el0t64synchandler+0x78/0x108 arch/arm64/kernel/entry-common.c:786 el0t64sync+0x198/0x19c arch/arm64/kernel/entry.S:600 Code: f0047182 91178042 528089c3 9771d47b (d4210000) ---[ end trace 0000000000000000 ]---

This happens because we are processing an empty block group, which has no extents allocated from it, there are no items for this block group, including the block group item since block group items are stored in a dedicated tree when using the block group tree feature. It also means this is the block group with the highest start offset, so there are no higher keys in the extent root, hence btrfssearchslotforread() returns 1 (no higher key found).

Fix this by asserting 'ret' is 0 only if the block group tree feature is not enabled, in which case we should find a block group item for the block group since it's stored in the extent root and block group item keys are greater than extent item keys (the value for BTRFSBLOCKGROUPITEMKEY is 192 and for BTRFSEXTENTITEMKEY and BTRFSMETADATAITEMKEY the values are 168 and 169 respectively). In case 'ret' is 1, we just need to add a record to the free space tree which spans the whole block group, and we can achieve this by making 'ret == 0' as the while loop's condition.