ghsa-x64m-4w9m-w2j3
Vulnerability from github
Published
2025-12-04 18:30
Modified
2025-12-04 18:30
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots()

If fs_info->super_copy or fs_info->super_for_commit allocated failed in btrfs_get_tree_subvol(), then no need to call btrfs_free_fs_info(). Otherwise btrfs_check_leaked_roots() would access NULL pointer because fs_info->allocated_roots had not been initialised.

syzkaller reported the following information: ------------[ cut here ]------------ BUG: unable to handle page fault for address: fffffffffffffbb0 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 64c9067 P4D 64c9067 PUD 64cb067 PMD 0 Oops: Oops: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 1402 Comm: syz.1.35 Not tainted 6.15.8 #4 PREEMPT(lazy) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...) RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline] RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline] RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline] RIP: 0010:refcount_read include/linux/refcount.h:170 [inline] RIP: 0010:btrfs_check_leaked_roots+0x18f/0x2c0 fs/btrfs/disk-io.c:1230 [...] Call Trace: btrfs_free_fs_info+0x310/0x410 fs/btrfs/disk-io.c:1280 btrfs_get_tree_subvol+0x592/0x6b0 fs/btrfs/super.c:2029 btrfs_get_tree+0x63/0x80 fs/btrfs/super.c:2097 vfs_get_tree+0x98/0x320 fs/super.c:1759 do_new_mount+0x357/0x660 fs/namespace.c:3899 path_mount+0x716/0x19c0 fs/namespace.c:4226 do_mount fs/namespace.c:4239 [inline] __do_sys_mount fs/namespace.c:4450 [inline] __se_sys_mount fs/namespace.c:4427 [inline] __x64_sys_mount+0x28c/0x310 fs/namespace.c:4427 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x92/0x180 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f032eaffa8d [...]

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-40235"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-04T16:16:16Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots()\n\nIf fs_info-\u003esuper_copy or fs_info-\u003esuper_for_commit allocated failed in\nbtrfs_get_tree_subvol(), then no need to call btrfs_free_fs_info().\nOtherwise btrfs_check_leaked_roots() would access NULL pointer because\nfs_info-\u003eallocated_roots had not been initialised.\n\nsyzkaller reported the following information:\n  ------------[ cut here ]------------\n  BUG: unable to handle page fault for address: fffffffffffffbb0\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 64c9067 P4D 64c9067 PUD 64cb067 PMD 0\n  Oops: Oops: 0000 [#1] SMP KASAN PTI\n  CPU: 0 UID: 0 PID: 1402 Comm: syz.1.35 Not tainted 6.15.8 #4 PREEMPT(lazy)\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...)\n  RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]\n  RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]\n  RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]\n  RIP: 0010:refcount_read include/linux/refcount.h:170 [inline]\n  RIP: 0010:btrfs_check_leaked_roots+0x18f/0x2c0 fs/btrfs/disk-io.c:1230\n  [...]\n  Call Trace:\n   \u003cTASK\u003e\n   btrfs_free_fs_info+0x310/0x410 fs/btrfs/disk-io.c:1280\n   btrfs_get_tree_subvol+0x592/0x6b0 fs/btrfs/super.c:2029\n   btrfs_get_tree+0x63/0x80 fs/btrfs/super.c:2097\n   vfs_get_tree+0x98/0x320 fs/super.c:1759\n   do_new_mount+0x357/0x660 fs/namespace.c:3899\n   path_mount+0x716/0x19c0 fs/namespace.c:4226\n   do_mount fs/namespace.c:4239 [inline]\n   __do_sys_mount fs/namespace.c:4450 [inline]\n   __se_sys_mount fs/namespace.c:4427 [inline]\n   __x64_sys_mount+0x28c/0x310 fs/namespace.c:4427\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0x92/0x180 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7f032eaffa8d\n  [...]",
  "id": "GHSA-x64m-4w9m-w2j3",
  "modified": "2025-12-04T18:30:52Z",
  "published": "2025-12-04T18:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40235"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0c2b2d4d053e9840e6da6ed581befa20309f281a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/17679ac6df6c4830ba711835aa8cf961be36cfa1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b1c2b4e6ffd307720ab6ce42f6749b0c02ba0a73"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.