Bug 2435644 (CVE-2025-71184)

Summary: CVE-2025-71184 kernel: btrfs: fix NULL dereference on root when tracing inode eviction
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A NULL pointer dereference vulnerability was found in the Linux kernel's Btrfs filesystem. When evicting an inode in btrfs_evict_inode(), the tracing setup code attempts to fetch the root's ID before checking if the root pointer is NULL. This can cause a kernel crash when the inode's root is NULL during eviction, which can occur in certain error recovery paths.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-01-31 12:01:34 UTC 
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix NULL dereference on root when tracing inode eviction

When evicting an inode the first thing we do is to setup tracing for it,
which implies fetching the root's id. But in btrfs_evict_inode() the
root might be NULL, as implied in the next check that we do in
btrfs_evict_inode().

Hence, we either should set the ->root_objectid to 0 in case the root is
NULL, or we move tracing setup after checking that the root is not
NULL. Setting the rootid to 0 at least gives us the possibility to trace
this call even in the case when the root is NULL, so that's the solution
taken here.
Comment 1 TEJ RATHI 2026-02-02 07:17:05 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026013134-CVE-2025-71184-e27f@gregkh/T