CVE-2025-39738
published 2025-09-11CVE-2025-39738: In the Linux kernel, the following vulnerability has been resolved: btrfs: do not allow relocation of partially dropped subvolumes [BUG] There is an internal…
high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
In the Linux kernel, the following vulnerability has been resolved:
btrfs: do not allow relocation of partially dropped subvolumes
[BUG]
There is an internal report that balance triggered transaction abort,
with the following call trace:
item 85 key (594509824 169 0) itemoff 12599 itemsize 33
extent refs 1 gen 197740 flags 2
ref#0: tree block backref root 7
item 86 key (594558976 169 0) itemoff 12566 itemsize 33
extent refs 1 gen 197522 flags 2
ref#0: tree block backref root 7
...
BTRFS error (device loop0): extent item not found for insert, bytenr 594526208 num_bytes 16384 parent 449921024 root_objectid 934 owner 1 offset 0
BTRFS error (device loop0): failed to run delayed ref for logical 594526208 num_bytes 16384 type 182 action 1 ref_mod 1: -117
------------[ cut here ]------------
BTRFS: Transaction aborted (error -117)
WARNING: CPU: 1 PID: 6963 at ../fs/btrfs/extent-tree.c:2168 btrfs_run_delayed_refs+0xfa/0x110 [btrfs]
And btrfs check doesn't report anything wrong related to the extent
tree.
[CAUSE]
The cause is a little complex, firstly the extent tree indeed doesn't
have the backref for 594526208.
The extent tree only have the following two backrefs around that bytenr
on-disk:
item 65 key (594509824 METADATA_ITEM 0) itemoff 13880 itemsize 33
refs 1 gen 197740 flags TREE_BLOCK
tree block skinny level 0
(176 0x7) tree block backref root CSUM_TREE
item 66 key (594558976 METADATA_ITEM 0) itemoff 13847 itemsize 33
refs 1 gen 197522 flags TREE_BLOCK
tree block skinny level 0
(176 0x7) tree block backref root CSUM_TREE
But the such missing backref item is not an corruption on disk, as the
offending delayed ref belongs to subvolume 934, and that subvolume is
being dropped:
item 0 key (934 ROOT_ITEM 198229) itemoff 15844 itemsize 439
generation 198229 root_dirid 256 bytenr 10741039104 byte_limit 0 bytes_used 345571328
last_snapshot 198229 flags 0x1000000000001(RDONLY) refs 0
drop_progress key (206324 EXTENT_DATA 2711650304) drop_level 2
level 2 generation_v2
Affected
35 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= 638331fa56caeaa8b4d31cc1dfbe0ce989bcff67 < fa086b1398cf7e5f7dee7241bd5f2855cb5df8dc | fa086b1398cf7e5f7dee7241bd5f2855cb5df8dc |
| linux | linux | >= 638331fa56caeaa8b4d31cc1dfbe0ce989bcff67 < fcb1f77b8ed8795608ca7a1f6505e2b07236c1f3 | fcb1f77b8ed8795608ca7a1f6505e2b07236c1f3 |
| linux | linux | >= 638331fa56caeaa8b4d31cc1dfbe0ce989bcff67 < f83d4c81bda3b7d1813268ab77408f7a0ce691ff | f83d4c81bda3b7d1813268ab77408f7a0ce691ff |
| linux | linux | >= 638331fa56caeaa8b4d31cc1dfbe0ce989bcff67 < 39a93e1c9dbf7e11632efeb20fcf0fc1dcf64d51 | 39a93e1c9dbf7e11632efeb20fcf0fc1dcf64d51 |
| linux | linux | >= 638331fa56caeaa8b4d31cc1dfbe0ce989bcff67 < 125e94a4b76b7b75d194f85bedd628097d2121f0 | 125e94a4b76b7b75d194f85bedd628097d2121f0 |
| linux | linux | >= 638331fa56caeaa8b4d31cc1dfbe0ce989bcff67 < 4e403bd8e127d40dc7c05f06ee969c1ba1537ec5 | 4e403bd8e127d40dc7c05f06ee969c1ba1537ec5 |
| linux | linux | >= 638331fa56caeaa8b4d31cc1dfbe0ce989bcff67 < 4289b494ac553e74e86fed1c66b2bf9530bc1082 | 4289b494ac553e74e86fed1c66b2bf9530bc1082 |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 6.1.153-1 | 6.1.153-1 |
| linux | linux_kernel | >= 0 < 6.12.43-1 | 6.12.43-1 |
| linux | linux_kernel | >= 0 < 6.16.3-1 | 6.16.3-1 |
| linux | linux_kernel | >= 0 < 5.15.0-163.173 | 5.15.0-163.173 |
| linux | linux_kernel | >= 0 < 6.8.0-100.100 | 6.8.0-100.100 |
| linux | linux_kernel | >= 5.11.1 < 5.15.190 | 5.15.190 |
| linux | linux_kernel | >= 5.16 < 6.1.149 | 6.1.149 |
| linux | linux_kernel | >= 6.13 < 6.15.11 | 6.15.11 |
| linux | linux_kernel | >= 6.16 < 6.16.2 | 6.16.2 |
| linux | linux_kernel | >= 6.2 < 6.6.103 | 6.6.103 |
| linux | linux_kernel | >= 6.7 < 6.12.43 | 6.12.43 |
| msrc | azl3_kernel_6.6.96.2-2_on_azure_linux_3.0 | — | — |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv7.8HIGH