CVE-2025-39779 (GCVE-0-2025-39779)
Vulnerability from cvelistv5
Published
2025-09-11 16:56
Modified
2025-09-11 16:56
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: btrfs: subpage: keep TOWRITE tag until folio is cleaned btrfs_subpage_set_writeback() calls folio_start_writeback() the first time a folio is written back, and it also clears the PAGECACHE_TAG_TOWRITE tag even if there are still dirty blocks in the folio. This can break ordering guarantees, such as those required by btrfs_wait_ordered_extents(). That ordering breakage leads to a real failure. For example, running generic/464 on a zoned setup will hit the following ASSERT. This happens because the broken ordering fails to flush existing dirty pages before the file size is truncated. assertion failed: !list_empty(&ordered->list) :: 0, in fs/btrfs/zoned.c:1899 ------------[ cut here ]------------ kernel BUG at fs/btrfs/zoned.c:1899! Oops: invalid opcode: 0000 [#1] SMP NOPTI CPU: 2 UID: 0 PID: 1906169 Comm: kworker/u130:2 Kdump: loaded Not tainted 6.16.0-rc6-BTRFS-ZNS+ #554 PREEMPT(voluntary) Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.0 02/22/2021 Workqueue: btrfs-endio-write btrfs_work_helper [btrfs] RIP: 0010:btrfs_finish_ordered_zoned.cold+0x50/0x52 [btrfs] RSP: 0018:ffffc9002efdbd60 EFLAGS: 00010246 RAX: 000000000000004c RBX: ffff88811923c4e0 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff827e38b1 RDI: 00000000ffffffff RBP: ffff88810005d000 R08: 00000000ffffdfff R09: ffffffff831051c8 R10: ffffffff83055220 R11: 0000000000000000 R12: ffff8881c2458c00 R13: ffff88811923c540 R14: ffff88811923c5e8 R15: ffff8881c1bd9680 FS: 0000000000000000(0000) GS:ffff88a04acd0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f907c7a918c CR3: 0000000004024000 CR4: 0000000000350ef0 Call Trace: <TASK> ? srso_return_thunk+0x5/0x5f btrfs_finish_ordered_io+0x4a/0x60 [btrfs] btrfs_work_helper+0xf9/0x490 [btrfs] process_one_work+0x204/0x590 ? srso_return_thunk+0x5/0x5f worker_thread+0x1d6/0x3d0 ? __pfx_worker_thread+0x10/0x10 kthread+0x118/0x230 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x205/0x260 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Consider process A calling writepages() with WB_SYNC_NONE. In zoned mode or for compressed writes, it locks several folios for delalloc and starts writing them out. Let's call the last locked folio folio X. Suppose the write range only partially covers folio X, leaving some pages dirty. Process A calls btrfs_subpage_set_writeback() when building a bio. This function call clears the TOWRITE tag of folio X, whose size = 8K and the block size = 4K. It is following state. 0 4K 8K |/////|/////| (flag: DIRTY, tag: DIRTY) <-----> Process A will write this range. Now suppose process B concurrently calls writepages() with WB_SYNC_ALL. It calls tag_pages_for_writeback() to tag dirty folios with PAGECACHE_TAG_TOWRITE. Since folio X is still dirty, it gets tagged. Then, B collects tagged folios using filemap_get_folios_tag() and must wait for folio X to be written before returning from writepages(). 0 4K 8K |/////|/////| (flag: DIRTY, tag: DIRTY|TOWRITE) However, between tagging and collecting, process A may call btrfs_subpage_set_writeback() and clear folio X's TOWRITE tag. 0 4K 8K | |/////| (flag: DIRTY|WRITEBACK, tag: DIRTY) As a result, process B won't see folio X in its batch, and returns without waiting for it. This breaks the WB_SYNC_ALL ordering requirement. Fix this by using btrfs_subpage_set_writeback_keepwrite(), which retains the TOWRITE tag. We now manually clear the tag only after the folio becomes clean, via the xas operation.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3d61136945a7008fc90d013c3c67007ce0c96131
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b1511360c8ac882b0c52caa263620538e8d73220
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/bce7a5c77a1e7a759e227b7713dde18c52da4759
Impacted products
Vendor Product Version
Linux Linux Version: 3470da3b7d87fde4b9729d4e29c2dc074cd59c10
Version: 3470da3b7d87fde4b9729d4e29c2dc074cd59c10
Version: 3470da3b7d87fde4b9729d4e29c2dc074cd59c10
 Create a notification for this product.
   Linux Linux Version: 5.13
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/subpage.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3d61136945a7008fc90d013c3c67007ce0c96131",
              "status": "affected",
              "version": "3470da3b7d87fde4b9729d4e29c2dc074cd59c10",
              "versionType": "git"
            },
            {
              "lessThan": "bce7a5c77a1e7a759e227b7713dde18c52da4759",
              "status": "affected",
              "version": "3470da3b7d87fde4b9729d4e29c2dc074cd59c10",
              "versionType": "git"
            },
            {
              "lessThan": "b1511360c8ac882b0c52caa263620538e8d73220",
              "status": "affected",
              "version": "3470da3b7d87fde4b9729d4e29c2dc074cd59c10",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/subpage.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17-rc3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17-rc3",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: subpage: keep TOWRITE tag until folio is cleaned\n\nbtrfs_subpage_set_writeback() calls folio_start_writeback() the first time\na folio is written back, and it also clears the PAGECACHE_TAG_TOWRITE tag\neven if there are still dirty blocks in the folio. This can break ordering\nguarantees, such as those required by btrfs_wait_ordered_extents().\n\nThat ordering breakage leads to a real failure. For example, running\ngeneric/464 on a zoned setup will hit the following ASSERT. This happens\nbecause the broken ordering fails to flush existing dirty pages before the\nfile size is truncated.\n\n  assertion failed: !list_empty(\u0026ordered-\u003elist) :: 0, in fs/btrfs/zoned.c:1899\n  ------------[ cut here ]------------\n  kernel BUG at fs/btrfs/zoned.c:1899!\n  Oops: invalid opcode: 0000 [#1] SMP NOPTI\n  CPU: 2 UID: 0 PID: 1906169 Comm: kworker/u130:2 Kdump: loaded Not tainted 6.16.0-rc6-BTRFS-ZNS+ #554 PREEMPT(voluntary)\n  Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.0 02/22/2021\n  Workqueue: btrfs-endio-write btrfs_work_helper [btrfs]\n  RIP: 0010:btrfs_finish_ordered_zoned.cold+0x50/0x52 [btrfs]\n  RSP: 0018:ffffc9002efdbd60 EFLAGS: 00010246\n  RAX: 000000000000004c RBX: ffff88811923c4e0 RCX: 0000000000000000\n  RDX: 0000000000000000 RSI: ffffffff827e38b1 RDI: 00000000ffffffff\n  RBP: ffff88810005d000 R08: 00000000ffffdfff R09: ffffffff831051c8\n  R10: ffffffff83055220 R11: 0000000000000000 R12: ffff8881c2458c00\n  R13: ffff88811923c540 R14: ffff88811923c5e8 R15: ffff8881c1bd9680\n  FS:  0000000000000000(0000) GS:ffff88a04acd0000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f907c7a918c CR3: 0000000004024000 CR4: 0000000000350ef0\n  Call Trace:\n   \u003cTASK\u003e\n   ? srso_return_thunk+0x5/0x5f\n   btrfs_finish_ordered_io+0x4a/0x60 [btrfs]\n   btrfs_work_helper+0xf9/0x490 [btrfs]\n   process_one_work+0x204/0x590\n   ? srso_return_thunk+0x5/0x5f\n   worker_thread+0x1d6/0x3d0\n   ? __pfx_worker_thread+0x10/0x10\n   kthread+0x118/0x230\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x205/0x260\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   \u003c/TASK\u003e\n\nConsider process A calling writepages() with WB_SYNC_NONE. In zoned mode or\nfor compressed writes, it locks several folios for delalloc and starts\nwriting them out. Let\u0027s call the last locked folio folio X. Suppose the\nwrite range only partially covers folio X, leaving some pages dirty.\nProcess A calls btrfs_subpage_set_writeback() when building a bio. This\nfunction call clears the TOWRITE tag of folio X, whose size = 8K and\nthe block size = 4K. It is following state.\n\n   0     4K    8K\n   |/////|/////|  (flag: DIRTY, tag: DIRTY)\n   \u003c-----\u003e Process A will write this range.\n\nNow suppose process B concurrently calls writepages() with WB_SYNC_ALL. It\ncalls tag_pages_for_writeback() to tag dirty folios with\nPAGECACHE_TAG_TOWRITE. Since folio X is still dirty, it gets tagged. Then,\nB collects tagged folios using filemap_get_folios_tag() and must wait for\nfolio X to be written before returning from writepages().\n\n   0     4K    8K\n   |/////|/////|  (flag: DIRTY, tag: DIRTY|TOWRITE)\n\nHowever, between tagging and collecting, process A may call\nbtrfs_subpage_set_writeback() and clear folio X\u0027s TOWRITE tag.\n   0     4K    8K\n   |     |/////|  (flag: DIRTY|WRITEBACK, tag: DIRTY)\n\nAs a result, process B won\u0027t see folio X in its batch, and returns without\nwaiting for it. This breaks the WB_SYNC_ALL ordering requirement.\n\nFix this by using btrfs_subpage_set_writeback_keepwrite(), which retains\nthe TOWRITE tag. We now manually clear the tag only after the folio becomes\nclean, via the xas operation."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-11T16:56:30.395Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3d61136945a7008fc90d013c3c67007ce0c96131"
        },
        {
          "url": "https://git.kernel.org/stable/c/bce7a5c77a1e7a759e227b7713dde18c52da4759"
        },
        {
          "url": "https://git.kernel.org/stable/c/b1511360c8ac882b0c52caa263620538e8d73220"
        }
      ],
      "title": "btrfs: subpage: keep TOWRITE tag until folio is cleaned",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39779",
    "datePublished": "2025-09-11T16:56:30.395Z",
    "dateReserved": "2025-04-16T07:20:57.130Z",
    "dateUpdated": "2025-09-11T16:56:30.395Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-39779\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-09-11T17:15:43.757\",\"lastModified\":\"2025-09-15T15:22:38.297\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: subpage: keep TOWRITE tag until folio is cleaned\\n\\nbtrfs_subpage_set_writeback() calls folio_start_writeback() the first time\\na folio is written back, and it also clears the PAGECACHE_TAG_TOWRITE tag\\neven if there are still dirty blocks in the folio. This can break ordering\\nguarantees, such as those required by btrfs_wait_ordered_extents().\\n\\nThat ordering breakage leads to a real failure. For example, running\\ngeneric/464 on a zoned setup will hit the following ASSERT. This happens\\nbecause the broken ordering fails to flush existing dirty pages before the\\nfile size is truncated.\\n\\n  assertion failed: !list_empty(\u0026ordered-\u003elist) :: 0, in fs/btrfs/zoned.c:1899\\n  ------------[ cut here ]------------\\n  kernel BUG at fs/btrfs/zoned.c:1899!\\n  Oops: invalid opcode: 0000 [#1] SMP NOPTI\\n  CPU: 2 UID: 0 PID: 1906169 Comm: kworker/u130:2 Kdump: loaded Not tainted 6.16.0-rc6-BTRFS-ZNS+ #554 PREEMPT(voluntary)\\n  Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.0 02/22/2021\\n  Workqueue: btrfs-endio-write btrfs_work_helper [btrfs]\\n  RIP: 0010:btrfs_finish_ordered_zoned.cold+0x50/0x52 [btrfs]\\n  RSP: 0018:ffffc9002efdbd60 EFLAGS: 00010246\\n  RAX: 000000000000004c RBX: ffff88811923c4e0 RCX: 0000000000000000\\n  RDX: 0000000000000000 RSI: ffffffff827e38b1 RDI: 00000000ffffffff\\n  RBP: ffff88810005d000 R08: 00000000ffffdfff R09: ffffffff831051c8\\n  R10: ffffffff83055220 R11: 0000000000000000 R12: ffff8881c2458c00\\n  R13: ffff88811923c540 R14: ffff88811923c5e8 R15: ffff8881c1bd9680\\n  FS:  0000000000000000(0000) GS:ffff88a04acd0000(0000) knlGS:0000000000000000\\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n  CR2: 00007f907c7a918c CR3: 0000000004024000 CR4: 0000000000350ef0\\n  Call Trace:\\n   \u003cTASK\u003e\\n   ? srso_return_thunk+0x5/0x5f\\n   btrfs_finish_ordered_io+0x4a/0x60 [btrfs]\\n   btrfs_work_helper+0xf9/0x490 [btrfs]\\n   process_one_work+0x204/0x590\\n   ? srso_return_thunk+0x5/0x5f\\n   worker_thread+0x1d6/0x3d0\\n   ? __pfx_worker_thread+0x10/0x10\\n   kthread+0x118/0x230\\n   ? __pfx_kthread+0x10/0x10\\n   ret_from_fork+0x205/0x260\\n   ? __pfx_kthread+0x10/0x10\\n   ret_from_fork_asm+0x1a/0x30\\n   \u003c/TASK\u003e\\n\\nConsider process A calling writepages() with WB_SYNC_NONE. In zoned mode or\\nfor compressed writes, it locks several folios for delalloc and starts\\nwriting them out. Let\u0027s call the last locked folio folio X. Suppose the\\nwrite range only partially covers folio X, leaving some pages dirty.\\nProcess A calls btrfs_subpage_set_writeback() when building a bio. This\\nfunction call clears the TOWRITE tag of folio X, whose size = 8K and\\nthe block size = 4K. It is following state.\\n\\n   0     4K    8K\\n   |/////|/////|  (flag: DIRTY, tag: DIRTY)\\n   \u003c-----\u003e Process A will write this range.\\n\\nNow suppose process B concurrently calls writepages() with WB_SYNC_ALL. It\\ncalls tag_pages_for_writeback() to tag dirty folios with\\nPAGECACHE_TAG_TOWRITE. Since folio X is still dirty, it gets tagged. Then,\\nB collects tagged folios using filemap_get_folios_tag() and must wait for\\nfolio X to be written before returning from writepages().\\n\\n   0     4K    8K\\n   |/////|/////|  (flag: DIRTY, tag: DIRTY|TOWRITE)\\n\\nHowever, between tagging and collecting, process A may call\\nbtrfs_subpage_set_writeback() and clear folio X\u0027s TOWRITE tag.\\n   0     4K    8K\\n   |     |/////|  (flag: DIRTY|WRITEBACK, tag: DIRTY)\\n\\nAs a result, process B won\u0027t see folio X in its batch, and returns without\\nwaiting for it. This breaks the WB_SYNC_ALL ordering requirement.\\n\\nFix this by using btrfs_subpage_set_writeback_keepwrite(), which retains\\nthe TOWRITE tag. We now manually clear the tag only after the folio becomes\\nclean, via the xas operation.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3d61136945a7008fc90d013c3c67007ce0c96131\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b1511360c8ac882b0c52caa263620538e8d73220\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bce7a5c77a1e7a759e227b7713dde18c52da4759\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.