{"id":"CVE-2025-38034","summary":"btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref\n\nbtrfs_prelim_ref() calls the old and new reference variables in the\nincorrect order. This causes a NULL pointer dereference because oldref\nis passed as NULL to trace_btrfs_prelim_ref_insert().\n\nNote, trace_btrfs_prelim_ref_insert() is being called with newref as\noldref (and oldref as NULL) on purpose in order to print out\nthe values of newref.\n\nTo reproduce:\necho 1 \u003e /sys/kernel/debug/tracing/events/btrfs/btrfs_prelim_ref_insert/enable\n\nPerform some writeback operations.\n\nBacktrace:\nBUG: kernel NULL pointer dereference, address: 0000000000000018\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 115949067 P4D 115949067 PUD 11594a067 PMD 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 1 UID: 0 PID: 1188 Comm: fsstress Not tainted 6.15.0-rc2-tester+ #47 PREEMPT(voluntary)  7ca2cef72d5e9c600f0c7718adb6462de8149622\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014\n RIP: 0010:trace_event_raw_event_btrfs__prelim_ref+0x72/0x130\n Code: e8 43 81 9f ff 48 85 c0 74 78 4d 85 e4 0f 84 8f 00 00 00 49 8b 94 24 c0 06 00 00 48 8b 0a 48 89 48 08 48 8b 52 08 48 89 50 10 \u003c49\u003e 8b 55 18 48 89 50 18 49 8b 55 20 48 89 50 20 41 0f b6 55 28 88\n RSP: 0018:ffffce44820077a0 EFLAGS: 00010286\n RAX: ffff8c6b403f9014 RBX: ffff8c6b55825730 RCX: 304994edf9cf506b\n RDX: d8b11eb7f0fdb699 RSI: ffff8c6b403f9010 RDI: ffff8c6b403f9010\n RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000010\n R10: 00000000ffffffff R11: 0000000000000000 R12: ffff8c6b4e8fb000\n R13: 0000000000000000 R14: ffffce44820077a8 R15: ffff8c6b4abd1540\n FS:  00007f4dc6813740(0000) GS:ffff8c6c1d378000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000018 CR3: 000000010eb42000 CR4: 0000000000750ef0\n PKRU: 55555554\n Call Trace:\n  \u003cTASK\u003e\n  prelim_ref_insert+0x1c1/0x270\n  find_parent_nodes+0x12a6/0x1ee0\n  ? __entry_text_end+0x101f06/0x101f09\n  ? srso_alias_return_thunk+0x5/0xfbef5\n  ? srso_alias_return_thunk+0x5/0xfbef5\n  ? srso_alias_return_thunk+0x5/0xfbef5\n  ? srso_alias_return_thunk+0x5/0xfbef5\n  btrfs_is_data_extent_shared+0x167/0x640\n  ? fiemap_process_hole+0xd0/0x2c0\n  extent_fiemap+0xa5c/0xbc0\n  ? __entry_text_end+0x101f05/0x101f09\n  btrfs_fiemap+0x7e/0xd0\n  do_vfs_ioctl+0x425/0x9d0\n  __x64_sys_ioctl+0x75/0xc0","modified":"2026-03-20T12:42:38.191979Z","published":"2025-06-18T09:33:21.120Z","related":["SUSE-SU-2025:02846-1","SUSE-SU-2025:02853-1","SUSE-SU-2025:02923-1","SUSE-SU-2025:02969-1","SUSE-SU-2025:02996-1","SUSE-SU-2025:02997-1","SUSE-SU-2025:03011-1","SUSE-SU-2025:03023-1","SUSE-SU-2025:20577-1","SUSE-SU-2025:20586-1","SUSE-SU-2025:20601-1","SUSE-SU-2025:20602-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","openSUSE-SU-2025:20081-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38034.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0528bba48dce7820d2da72e1a114e1c4552367eb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/137bfa08c6441f324d00692d1e9d22cfd773329b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5755b6731655e248c4f1d52a2e1b18795b4a2a3a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7a97f961a568a8f72472dc804af02a0f73152c5f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7f7c8c03feba5f2454792fab3bb8bd45bd6883f9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a641154cedf9d69730f8af5d0a901fe86e6486bd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a876703894a6dd6e8c04b0635d86e9f7a7c81b79"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bc7e0975093567f51be8e1bdf4aa5900a3cf0b1e"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38034.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38034"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"00142756e1f8015d2f8ce96532d156689db7e448"},{"fixed":"5755b6731655e248c4f1d52a2e1b18795b4a2a3a"},{"fixed":"a641154cedf9d69730f8af5d0a901fe86e6486bd"},{"fixed":"a876703894a6dd6e8c04b0635d86e9f7a7c81b79"},{"fixed":"0528bba48dce7820d2da72e1a114e1c4552367eb"},{"fixed":"7a97f961a568a8f72472dc804af02a0f73152c5f"},{"fixed":"7f7c8c03feba5f2454792fab3bb8bd45bd6883f9"},{"fixed":"137bfa08c6441f324d00692d1e9d22cfd773329b"},{"fixed":"bc7e0975093567f51be8e1bdf4aa5900a3cf0b1e"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38034.json"}}],"schema_version":"1.7.5"}