{
  "public_date" : "2025-02-27T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: btrfs: don't use btrfs_set_item_key_safe on RAID stripe-extents",
    "id" : "2348631",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2348631"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbtrfs: don't use btrfs_set_item_key_safe on RAID stripe-extents\nDon't use btrfs_set_item_key_safe() to modify the keys in the RAID\nstripe-tree, as this can lead to corruption of the tree, which is caught\nby the checks in btrfs_set_item_key_safe():\nBTRFS info (device nvme1n1): leaf 49168384 gen 15 total ptrs 194 free space 8329 owner 12\nBTRFS info (device nvme1n1): refs 2 lock_owner 1030 current 1030\n[ snip ]\nitem 105 key (354549760 230 20480) itemoff 14587 itemsize 16\nstride 0 devid 5 physical 67502080\nitem 106 key (354631680 230 4096) itemoff 14571 itemsize 16\nstride 0 devid 1 physical 88559616\nitem 107 key (354631680 230 32768) itemoff 14555 itemsize 16\nstride 0 devid 1 physical 88555520\nitem 108 key (354717696 230 28672) itemoff 14539 itemsize 16\nstride 0 devid 2 physical 67604480\n[ snip ]\nBTRFS critical (device nvme1n1): slot 106 key (354631680 230 32768) new key (354635776 230 4096)\n------------[ cut here ]------------\nkernel BUG at fs/btrfs/ctree.c:2602!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP PTI\nCPU: 1 UID: 0 PID: 1055 Comm: fsstress Not tainted 6.13.0-rc1+ #1464\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\nRIP: 0010:btrfs_set_item_key_safe+0xf7/0x270\nCode: <snip>\nRSP: 0018:ffffc90001337ab0 EFLAGS: 00010287\nRAX: 0000000000000000 RBX: ffff8881115fd000 RCX: 0000000000000000\nRDX: 0000000000000001 RSI: 0000000000000001 RDI: 00000000ffffffff\nRBP: ffff888110ed6f50 R08: 00000000ffffefff R09: ffffffff8244c500\nR10: 00000000ffffefff R11: 00000000ffffffff R12: ffff888100586000\nR13: 00000000000000c9 R14: ffffc90001337b1f R15: ffff888110f23b58\nFS:  00007f7d75c72740(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fa811652c60 CR3: 0000000111398001 CR4: 0000000000370eb0\nCall Trace:\n<TASK>\n? __die_body.cold+0x14/0x1a\n? die+0x2e/0x50\n? do_trap+0xca/0x110\n? do_error_trap+0x65/0x80\n? btrfs_set_item_key_safe+0xf7/0x270\n? exc_invalid_op+0x50/0x70\n? btrfs_set_item_key_safe+0xf7/0x270\n? asm_exc_invalid_op+0x1a/0x20\n? btrfs_set_item_key_safe+0xf7/0x270\nbtrfs_partially_delete_raid_extent+0xc4/0xe0\nbtrfs_delete_raid_extent+0x227/0x240\n__btrfs_free_extent.isra.0+0x57f/0x9c0\n? exc_coproc_segment_overrun+0x40/0x40\n__btrfs_run_delayed_refs+0x2fa/0xe80\nbtrfs_run_delayed_refs+0x81/0xe0\nbtrfs_commit_transaction+0x2dd/0xbe0\n? preempt_count_add+0x52/0xb0\nbtrfs_sync_file+0x375/0x4c0\ndo_fsync+0x39/0x70\n__x64_sys_fsync+0x13/0x20\ndo_syscall_64+0x54/0x110\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f7d7550ef90\nCode: <snip>\nRSP: 002b:00007ffd70237248 EFLAGS: 00000202 ORIG_RAX: 000000000000004a\nRAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f7d7550ef90\nRDX: 000000000000013a RSI: 000000000040eb28 RDI: 0000000000000004\nRBP: 000000000000001b R08: 0000000000000078 R09: 00007ffd7023725c\nR10: 00007f7d75400390 R11: 0000000000000202 R12: 028f5c28f5c28f5c\nR13: 8f5c28f5c28f5c29 R14: 000000000040b520 R15: 00007f7d75c726c8\n</TASK>\nWhile the root cause of the tree order corruption isn't clear, using\nbtrfs_duplicate_item() to copy the item and then adjusting both the key\nand the per-device physical addresses is a safe way to counter this\nproblem." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-21752\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21752\nhttps://lore.kernel.org/linux-cve-announce/2025022602-CVE-2025-21752-5815@gregkh/T" ],
  "name" : "CVE-2025-21752",
  "csaw" : false
}