btrfs: adjust subpage bit start based on sectorsize
Summary
| CVE | CVE-2025-37931 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2025-05-20 16:15:29 UTC |
| Updated | 2026-05-12 13:16:41 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: btrfs: adjust subpage bit start based on sectorsize When running machines with 64k page size and a 16k nodesize we started seeing tree log corruption in production. This turned out to be because we were not writing out dirty blocks sometimes, so this in fact affects all metadata writes. When writing out a subpage EB we scan the subpage bitmap for a dirty range. If the range isn't dirty we do bit_start++; to move onto the next bit. The problem is the bitmap is based on the number of sectors that an EB has. So in this case, we have a 64k pagesize, 16k nodesize, but a 4k sectorsize. This means our bitmap is 4 bits for every node. With a 64k page size we end up with 4 nodes per page. To make this easier this is how everything looks [0 16k 32k 48k ] logical address [0 4 8 12 ] radix tree offset [ 64k page ] folio [ 16k eb ][ 16k eb ][ 16k eb ][ 16k eb ] extent buffers [ | | | | | | | | | | | | | | | | ] bitmap Now we use all of our addressing based on fs_info->sectorsize_bits, so as you can see the above our 16k eb->start turns into radix entry 4. When we find a dirty range for our eb, we correctly do bit_start += sectors_per_node, because if we start at bit 0, the next bit for the next eb is 4, to correspond to eb->start 16k. However if our range is clean, we will do bit_start++, which will now put us offset from our radix tree entries. In our case, assume that the first time we check the bitmap the block is not dirty, we increment bit_start so now it == 1, and then we loop around and check again. This time it is dirty, and we go to find that start using the following equation start = folio_start + bit_start * fs_info->sectorsize; so in the case above, eb->start 0 is now dirty, and we calculate start as 0 + 1 * fs_info->sectorsize = 4096 4096 >> 12 = 1 Now we're looking up the radix tree for 1, and we won't find an eb. What's worse is now we're using bit_start == 1, so we do bit_start += sectors_per_node, which is now 5. If that eb is dirty we will run into the same thing, we will look at an offset that is not populated in the radix tree, and now we're skipping the writeout of dirty extent buffers. The best fix for this is to not use sectorsize_bits to address nodes, but that's a larger change. Since this is a fs corruption problem fix it simply by always using sectors_per_node to increment the start bit. |
Risk And Classification
Primary CVSS: v3.1 5.5 MEDIUM from [email protected]
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Problem Types: NVD-CWE-noinfo
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected c4aec299fa8f73f0fd10bc556f936f0da50e3e83 5111b148360f50cac9abbae8fca44cc0ac4bf9bf git | Not specified |
| CNA | Linux | Linux | affected c4aec299fa8f73f0fd10bc556f936f0da50e3e83 977849e8acd2466ac3cb49e04a3ecc73837f6b90 git | Not specified |
| CNA | Linux | Linux | affected c4aec299fa8f73f0fd10bc556f936f0da50e3e83 b80db09b614cb7edec5bada1bc7c7b0eb3b453ea git | Not specified |
| CNA | Linux | Linux | affected c4aec299fa8f73f0fd10bc556f936f0da50e3e83 396f4002710030ea1cfd4c789ebaf0a6969ab34f git | Not specified |
| CNA | Linux | Linux | affected c4aec299fa8f73f0fd10bc556f936f0da50e3e83 e08e49d986f82c30f42ad0ed43ebbede1e1e3739 git | Not specified |
| CNA | Linux | Linux | affected 5.13 | Not specified |
| CNA | Linux | Linux | unaffected 5.13 semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.151 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.105 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.28 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.14.6 6.14.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.15 * original_commit_for_fix | Not specified |
| ADP | Siemens | SIMATIC CN 4100 | affected V5.0 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/b80db09b614cb7edec5bada1bc7c7b0eb3b453ea | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| lists.debian.org/debian-lts-announce/2025/10/msg00008.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | Third Party Advisory |
| git.kernel.org/stable/c/5111b148360f50cac9abbae8fca44cc0ac4bf9bf | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/e08e49d986f82c30f42ad0ed43ebbede1e1e3739 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/396f4002710030ea1cfd4c789ebaf0a6969ab34f | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| cert-portal.siemens.com/productcert/html/ssa-032379.html | 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e | cert-portal.siemens.com | |
| git.kernel.org/stable/c/977849e8acd2466ac3cb49e04a3ecc73837f6b90 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.