{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-14T17:50:13.751","vulnerabilities":[{"cve":{"id":"CVE-2025-21754","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-02-27T03:15:16.050","lastModified":"2025-10-28T20:50:26.130","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix assertion failure when splitting ordered extent after transaction abort\n\nIf while we are doing a direct IO write a transaction abort happens, we\nmark all existing ordered extents with the BTRFS_ORDERED_IOERR flag (done\nat btrfs_destroy_ordered_extents()), and then after that if we enter\nbtrfs_split_ordered_extent() and the ordered extent has bytes left\n(meaning we have a bio that doesn't cover the whole ordered extent, see\ndetails at btrfs_extract_ordered_extent()), we will fail on the following\nassertion at btrfs_split_ordered_extent():\n\n   ASSERT(!(flags & ~BTRFS_ORDERED_TYPE_FLAGS));\n\nbecause the BTRFS_ORDERED_IOERR flag is set and the definition of\nBTRFS_ORDERED_TYPE_FLAGS is just the union of all flags that identify the\ntype of write (regular, nocow, prealloc, compressed, direct IO, encoded).\n\nFix this by returning an error from btrfs_extract_ordered_extent() if we\nfind the BTRFS_ORDERED_IOERR flag in the ordered extent. The error will\nbe the error that resulted in the transaction abort or -EIO if no\ntransaction abort happened.\n\nThis was recently reported by syzbot with the following trace:\n\n   FAULT_INJECTION: forcing a failure.\n   name failslab, interval 1, probability 0, space 0, times 1\n   CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted 6.13.0-rc5-syzkaller #0\n   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04\/01\/2014\n   Call Trace:\n    <TASK>\n    __dump_stack lib\/dump_stack.c:94 [inline]\n    dump_stack_lvl+0x241\/0x360 lib\/dump_stack.c:120\n    fail_dump lib\/fault-inject.c:53 [inline]\n    should_fail_ex+0x3b0\/0x4e0 lib\/fault-inject.c:154\n    should_failslab+0xac\/0x100 mm\/failslab.c:46\n    slab_pre_alloc_hook mm\/slub.c:4072 [inline]\n    slab_alloc_node mm\/slub.c:4148 [inline]\n    __do_kmalloc_node mm\/slub.c:4297 [inline]\n    __kmalloc_noprof+0xdd\/0x4c0 mm\/slub.c:4310\n    kmalloc_noprof include\/linux\/slab.h:905 [inline]\n    kzalloc_noprof include\/linux\/slab.h:1037 [inline]\n    btrfs_chunk_alloc_add_chunk_item+0x244\/0x1100 fs\/btrfs\/volumes.c:5742\n    reserve_chunk_space+0x1ca\/0x2c0 fs\/btrfs\/block-group.c:4292\n    check_system_chunk fs\/btrfs\/block-group.c:4319 [inline]\n    do_chunk_alloc fs\/btrfs\/block-group.c:3891 [inline]\n    btrfs_chunk_alloc+0x77b\/0xf80 fs\/btrfs\/block-group.c:4187\n    find_free_extent_update_loop fs\/btrfs\/extent-tree.c:4166 [inline]\n    find_free_extent+0x42d1\/0x5810 fs\/btrfs\/extent-tree.c:4579\n    btrfs_reserve_extent+0x422\/0x810 fs\/btrfs\/extent-tree.c:4672\n    btrfs_new_extent_direct fs\/btrfs\/direct-io.c:186 [inline]\n    btrfs_get_blocks_direct_write+0x706\/0xfa0 fs\/btrfs\/direct-io.c:321\n    btrfs_dio_iomap_begin+0xbb7\/0x1180 fs\/btrfs\/direct-io.c:525\n    iomap_iter+0x697\/0xf60 fs\/iomap\/iter.c:90\n    __iomap_dio_rw+0xeb9\/0x25b0 fs\/iomap\/direct-io.c:702\n    btrfs_dio_write fs\/btrfs\/direct-io.c:775 [inline]\n    btrfs_direct_write+0x610\/0xa30 fs\/btrfs\/direct-io.c:880\n    btrfs_do_write_iter+0x2a0\/0x760 fs\/btrfs\/file.c:1397\n    do_iter_readv_writev+0x600\/0x880\n    vfs_writev+0x376\/0xba0 fs\/read_write.c:1050\n    do_pwritev fs\/read_write.c:1146 [inline]\n    __do_sys_pwritev2 fs\/read_write.c:1204 [inline]\n    __se_sys_pwritev2+0x196\/0x2b0 fs\/read_write.c:1195\n    do_syscall_x64 arch\/x86\/entry\/common.c:52 [inline]\n    do_syscall_64+0xf3\/0x230 arch\/x86\/entry\/common.c:83\n    entry_SYSCALL_64_after_hwframe+0x77\/0x7f\n   RIP: 0033:0x7f1281f85d29\n   RSP: 002b:00007f12819fe038 EFLAGS: 00000246 ORIG_RAX: 0000000000000148\n   RAX: ffffffffffffffda RBX: 00007f1282176080 RCX: 00007f1281f85d29\n   RDX: 0000000000000001 RSI: 0000000020000240 RDI: 0000000000000005\n   RBP: 00007f12819fe090 R08: 0000000000000000 R09: 0000000000000003\n   R10: 0000000000007000 R11: 0000000000000246 R12: 0000000000000002\n   R13: 0000000000000000 R14: 00007f1282176080 R15: 00007ffcb9e23328\n    <\/TASK>\n   BTRFS error (device loop0 state A): Transaction aborted (error -12)\n   BTRFS: error (device loop0 state A\n---truncated---"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: corrige el error de aserción al dividir la extensión ordenada después de la interrupción de la transacción Si mientras estamos realizando una escritura de E\/S directa ocurre una interrupción de la transacción, marcamos todas las extensiones ordenadas existentes con el indicador BTRFS_ORDERED_IOERR (hecho en btrfs_destroy_ordered_extents()), y luego de eso si ingresamos btrfs_split_ordered_extent() y la extensión ordenada tiene bytes restantes (lo que significa que tenemos una biografía que no cubre toda la extensión ordenada, vea los detalles en btrfs_extract_ordered_extent()), fallaremos en la siguiente aserción en btrfs_split_ordered_extent(): ASSERT(!(flags &amp; ~BTRFS_ORDERED_TYPE_FLAGS)); porque el indicador BTRFS_ORDERED_IOERR está configurado y la definición de BTRFS_ORDERED_TYPE_FLAGS es solo la unión de todos los indicadores que identifican el tipo de escritura (regular, nocow, prealloc, comprimido, E\/S directa, codificado). Solucione esto devolviendo un error de btrfs_extract_ordered_extent() si encontramos el indicador BTRFS_ORDERED_IOERR en la extensión ordenada. El error será el error que resultó en la interrupción de la transacción o -EIO si no ocurrió ninguna interrupción de la transacción. Esto fue informado recientemente por syzbot con el siguiente seguimiento: FAULT_INJECTION: forzando una falla. nombre failslab, intervalo 1, probabilidad 0, espacio 0, multiplicado por 1 CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 No contaminado 6.13.0-rc5-syzkaller #0 Nombre del hardware: PC estándar QEMU (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 01\/04\/2014 Seguimiento de llamadas:  __dump_stack lib\/dump_stack.c:94 [en línea] dump_stack_lvl+0x241\/0x360 lib\/dump_stack.c:120 fail_dump lib\/fault-inject.c:53 [en línea] should_fail_ex+0x3b0\/0x4e0 lib\/fault-inject.c:154 should_failslab+0xac\/0x100 mm\/failslab.c:46 slab_pre_alloc_hook mm\/slub.c:4072 [en línea] slab_alloc_node mm\/slub.c:4148 [en línea] __do_kmalloc_node mm\/slub.c:4297 [en línea] __kmalloc_noprof+0xdd\/0x4c0 mm\/slub.c:4310 kmalloc_noprof include\/linux\/slab.h:905 [en línea] kzalloc_noprof include\/linux\/slab.h:1037 [en línea] btrfs_chunk_alloc_add_chunk_item+0x244\/0x1100 fs\/btrfs\/volumes.c:5742 reserve_chunk_space+0x1ca\/0x2c0 fs\/btrfs\/block-group.c:4292 check_system_chunk fs\/btrfs\/block-group.c:4319 [en línea] do_chunk_alloc fs\/btrfs\/block-group.c:3891 [en línea] btrfs_chunk_alloc+0x77b\/0xf80 fs\/btrfs\/block-group.c:4187 find_free_extent_update_loop fs\/btrfs\/extent-tree.c:4166 [en línea] find_free_extent+0x42d1\/0x5810 fs\/btrfs\/extent-tree.c:4579 btrfs_reserve_extent+0x422\/0x810 fs\/btrfs\/extent-tree.c:4672 btrfs_new_extent_direct fs\/btrfs\/direct-io.c:186 [en línea] btrfs_get_blocks_direct_write+0x706\/0xfa0 fs\/btrfs\/direct-io.c:321 btrfs_dio_iomap_begin+0xbb7\/0x1180 fs\/btrfs\/direct-io.c:525 iomap_iter+0x697\/0xf60 fs\/iomap\/iter.c:90 __iomap_dio_rw+0xeb9\/0x25b0 fs\/iomap\/direct-io.c:702 btrfs_dio_write fs\/btrfs\/direct-io.c:775 [en línea] btrfs_direct_write+0x610\/0xa30 fs\/btrfs\/direct-io.c:880 btrfs_do_write_iter+0x2a0\/0x760 fs\/btrfs\/file.c:1397 do_iter_readv_writev+0x600\/0x880 vfs_writev+0x376\/0xba0 fs\/read_write.c:1050 do_pwritev fs\/read_write.c:1146 [en línea] __do_sys_pwritev2 fs\/read_write.c:1204 [en línea] __se_sys_pwritev2+0x196\/0x2b0 fs\/read_write.c:1195 do_syscall_x64 arch\/x86\/entry\/common.c:52 [en línea] do_syscall_64+0xf3\/0x230 arch\/x86\/entry\/common.c:83 entry_SYSCALL_64_after_hwframe+0x77\/0x7f RIP: 0033:0x7f1281f85d29 RSP: 002b:00007f12819fe038 EFLAGS: 00000246 ORIG_RAX: 0000000000000148 RAX: ffffffffffffffda RBX: 00007f1282176080 RCX: 00007f1281f85d29 RDX: 0000000000000001 RSI: 0000000020000240 RDI: 00000000000000005 RBP: 00007f12819fe090 R08: 0000000000000000 R09: 0000000000000003 R10: 0000000000007000 R11: 0000000000000246 R12: 0000000000000002 R13: 0000000000000000 R14: 00007f1282176080 R15: 00007ffcb9e23328  Error BTRFS (estado A del bucle 0 del dispositivo): transacción abortada (error -12) BTRFS: ---truncado---"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:N\/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-617"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.6.78","matchCriteriaId":"620D4308-FEF2-4D7F-84A9-21E66BDB5A28"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.14","matchCriteriaId":"033BB7EE-C9A2-45EA-BAC9-87BB9D951BCD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.13.3","matchCriteriaId":"0E92CEE3-1FC3-4AFC-A513-DEDBA7414F00"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*","matchCriteriaId":"186716B6-2B66-4BD0-852E-D48E71C0C85F"}]}]}],"references":[{"url":"https:\/\/git.kernel.org\/stable\/c\/0d85f5c2dd91df6b5da454406756f463ba923b69","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https:\/\/git.kernel.org\/stable\/c\/0ff88c2a742a7cbaa4d08507d864737d099b435a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https:\/\/git.kernel.org\/stable\/c\/8ea8db4216d1029527ab4666f730650419451e32","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https:\/\/git.kernel.org\/stable\/c\/927b930f117bbae730a853c1dc43da8afe8380fa","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}