ghsa-cv9m-prxm-594h
Vulnerability from github
Published
2025-07-25 15:30
Modified
2025-07-25 15:30
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix race between async reclaim worker and close_ctree()

Syzbot reported an assertion failure due to an attempt to add a delayed iput after we have set BTRFS_FS_STATE_NO_DELAYED_IPUT in the fs_info state:

WARNING: CPU: 0 PID: 65 at fs/btrfs/inode.c:3420 btrfs_add_delayed_iput+0x2f8/0x370 fs/btrfs/inode.c:3420 Modules linked in: CPU: 0 UID: 0 PID: 65 Comm: kworker/u8:4 Not tainted 6.15.0-next-20250530-syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Workqueue: btrfs-endio-write btrfs_work_helper RIP: 0010:btrfs_add_delayed_iput+0x2f8/0x370 fs/btrfs/inode.c:3420 Code: 4e ad 5d (...) RSP: 0018:ffffc9000213f780 EFLAGS: 00010293 RAX: ffffffff83c635b7 RBX: ffff888058920000 RCX: ffff88801c769e00 RDX: 0000000000000000 RSI: 0000000000000100 RDI: 0000000000000000 RBP: 0000000000000001 R08: ffff888058921b67 R09: 1ffff1100b12436c R10: dffffc0000000000 R11: ffffed100b12436d R12: 0000000000000001 R13: dffffc0000000000 R14: ffff88807d748000 R15: 0000000000000100 FS: 0000000000000000(0000) GS:ffff888125c53000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00002000000bd038 CR3: 000000006a142000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: btrfs_put_ordered_extent+0x19f/0x470 fs/btrfs/ordered-data.c:635 btrfs_finish_one_ordered+0x11d8/0x1b10 fs/btrfs/inode.c:3312 btrfs_work_helper+0x399/0xc20 fs/btrfs/async-thread.c:312 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x70e/0x8a0 kernel/kthread.c:464 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

This can happen due to a race with the async reclaim worker like this:

1) The async metadata reclaim worker enters shrink_delalloc(), which calls btrfs_start_delalloc_roots() with an nr_pages argument that has a value less than LONG_MAX, and that in turn enters start_delalloc_inodes(), which sets the local variable 'full_flush' to false because wbc->nr_to_write is less than LONG_MAX;

2) There it finds inode X in a root's delalloc list, grabs a reference for inode X (with igrab()), and triggers writeback for it with filemap_fdatawrite_wbc(), which creates an ordered extent for inode X;

3) The unmount sequence starts from another task, we enter close_ctree() and we flush the workqueue fs_info->endio_write_workers, which waits for the ordered extent for inode X to complete and when dropping the last reference of the ordered extent, with btrfs_put_ordered_extent(), when we call btrfs_add_delayed_iput() we don't add the inode to the list of delayed iputs because it has a refcount of 2, so we decrement it to 1 and return;

4) Shortly after at close_ctree() we call btrfs_run_delayed_iputs() which runs all delayed iputs, and then we set BTRFS_FS_STATE_NO_DELAYED_IPUT in the fs_info state;

5) The async reclaim worker, after calling filemap_fdatawrite_wbc(), now calls btrfs_add_delayed_iput() for inode X and there we trigger an assertion failure since the fs_info state has the flag BTRFS_FS_STATE_NO_DELAYED_IPUT set.

Fix this by setting BTRFS_FS_STATE_NO_DELAYED_IPUT only after we wait for the async reclaim workers to finish, after we call cancel_work_sync() for them at close_ctree(), and by running delayed iputs after wait for the reclaim workers to finish and before setting the bit.

This race was recently introduced by commit 19e60b2a95f5 ("btrfs: add extra warning if delayed iput is added when it's not allowed"). Without the new validation at btrfs_add_delayed_iput(), ---truncated---

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-38358"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-25T13:15:24Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race between async reclaim worker and close_ctree()\n\nSyzbot reported an assertion failure due to an attempt to add a delayed\niput after we have set BTRFS_FS_STATE_NO_DELAYED_IPUT in the fs_info\nstate:\n\n  WARNING: CPU: 0 PID: 65 at fs/btrfs/inode.c:3420 btrfs_add_delayed_iput+0x2f8/0x370 fs/btrfs/inode.c:3420\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 65 Comm: kworker/u8:4 Not tainted 6.15.0-next-20250530-syzkaller #0 PREEMPT(full)\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\n  Workqueue: btrfs-endio-write btrfs_work_helper\n  RIP: 0010:btrfs_add_delayed_iput+0x2f8/0x370 fs/btrfs/inode.c:3420\n  Code: 4e ad 5d (...)\n  RSP: 0018:ffffc9000213f780 EFLAGS: 00010293\n  RAX: ffffffff83c635b7 RBX: ffff888058920000 RCX: ffff88801c769e00\n  RDX: 0000000000000000 RSI: 0000000000000100 RDI: 0000000000000000\n  RBP: 0000000000000001 R08: ffff888058921b67 R09: 1ffff1100b12436c\n  R10: dffffc0000000000 R11: ffffed100b12436d R12: 0000000000000001\n  R13: dffffc0000000000 R14: ffff88807d748000 R15: 0000000000000100\n  FS:  0000000000000000(0000) GS:ffff888125c53000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00002000000bd038 CR3: 000000006a142000 CR4: 00000000003526f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   \u003cTASK\u003e\n   btrfs_put_ordered_extent+0x19f/0x470 fs/btrfs/ordered-data.c:635\n   btrfs_finish_one_ordered+0x11d8/0x1b10 fs/btrfs/inode.c:3312\n   btrfs_work_helper+0x399/0xc20 fs/btrfs/async-thread.c:312\n   process_one_work kernel/workqueue.c:3238 [inline]\n   process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321\n   worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n   kthread+0x70e/0x8a0 kernel/kthread.c:464\n   ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n   \u003c/TASK\u003e\n\nThis can happen due to a race with the async reclaim worker like this:\n\n1) The async metadata reclaim worker enters shrink_delalloc(), which calls\n   btrfs_start_delalloc_roots() with an nr_pages argument that has a value\n   less than LONG_MAX, and that in turn enters start_delalloc_inodes(),\n   which sets the local variable \u0027full_flush\u0027 to false because\n   wbc-\u003enr_to_write is less than LONG_MAX;\n\n2) There it finds inode X in a root\u0027s delalloc list, grabs a reference for\n   inode X (with igrab()), and triggers writeback for it with\n   filemap_fdatawrite_wbc(), which creates an ordered extent for inode X;\n\n3) The unmount sequence starts from another task, we enter close_ctree()\n   and we flush the workqueue fs_info-\u003eendio_write_workers, which waits\n   for the ordered extent for inode X to complete and when dropping the\n   last reference of the ordered extent, with btrfs_put_ordered_extent(),\n   when we call btrfs_add_delayed_iput() we don\u0027t add the inode to the\n   list of delayed iputs because it has a refcount of 2, so we decrement\n   it to 1 and return;\n\n4) Shortly after at close_ctree() we call btrfs_run_delayed_iputs() which\n   runs all delayed iputs, and then we set BTRFS_FS_STATE_NO_DELAYED_IPUT\n   in the fs_info state;\n\n5) The async reclaim worker, after calling filemap_fdatawrite_wbc(), now\n   calls btrfs_add_delayed_iput() for inode X and there we trigger an\n   assertion failure since the fs_info state has the flag\n   BTRFS_FS_STATE_NO_DELAYED_IPUT set.\n\nFix this by setting BTRFS_FS_STATE_NO_DELAYED_IPUT only after we wait for\nthe async reclaim workers to finish, after we call cancel_work_sync() for\nthem at close_ctree(), and by running delayed iputs after wait for the\nreclaim workers to finish and before setting the bit.\n\nThis race was recently introduced by commit 19e60b2a95f5 (\"btrfs: add\nextra warning if delayed iput is added when it\u0027s not allowed\"). Without\nthe new validation at btrfs_add_delayed_iput(), \n---truncated---",
  "id": "GHSA-cv9m-prxm-594h",
  "modified": "2025-07-25T15:30:51Z",
  "published": "2025-07-25T15:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38358"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4693cda2c06039c875f2eef0123b22340c34bfa0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a26bf338cdad3643a6e7c3d78a172baadba15c1a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.