CVE-2025-22115

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix block group refcount race in btrfscreatependingblockgroups()

Block group creation is done in two phases, which results in a slightly unintuitive property: a block group can be allocated/deallocated from after btrfsmakeblockgroup() adds it to the spaceinfo with btrfsaddbgtospaceinfo(), but before creation is completely completed in btrfscreatependingblockgroups(). As a result, it is possible for a block group to go unused and have 'btrfsmarkbgunused' called on it concurrently with 'btrfscreatependingblockgroups'. This causes a number of issues, which were fixed with the block group flag 'BLOCKGROUPFLAG_NEW'.

However, this fix is not quite complete. Since it does not use the unusedbglock, it is possible for the following race to occur:

btrfscreatependingblockgroups btrfsmarkbgunused if listempty // false listdelinit clearbit else if (testbit) // true listmovetail

And we get into the exact same broken ref count and invalid newbgs state for transaction cleanup that BLOCKGROUPFLAGNEW was designed to prevent.

The broken refcount aspect will result in a warning like:

[1272.943527] refcountt: underflow; use-after-free. [1272.943967] WARNING: CPU: 1 PID: 61 at lib/refcount.c:28 refcountwarnsaturate+0xba/0x110 [1272.944731] Modules linked in: btrfs virtionet xor zstdcompress raid6pq nullblk [last unloaded: btrfs] [1272.945550] CPU: 1 UID: 0 PID: 61 Comm: kworker/u32:1 Kdump: loaded Tainted: G W 6.14.0-rc5+ #108 [1272.946368] Tainted: [W]=WARN [1272.946585] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 [1272.947273] Workqueue: btrfsdiscard btrfsdiscardworkfn [btrfs] [1272.947788] RIP: 0010:refcountwarnsaturate+0xba/0x110 [1272.949532] RSP: 0018:ffffbf1200247df0 EFLAGS: 00010282 [1272.949901] RAX: 0000000000000000 RBX: ffffa14b00e3f800 RCX: 0000000000000000 [1272.950437] RDX: 0000000000000000 RSI: ffffbf1200247c78 RDI: 00000000ffffdfff [1272.950986] RBP: ffffa14b00dc2860 R08: 00000000ffffdfff R09: ffffffff90526268 [1272.951512] R10: ffffffff904762c0 R11: 0000000063666572 R12: ffffa14b00dc28c0 [1272.952024] R13: 0000000000000000 R14: ffffa14b00dc2868 R15: 000001285dcd12c0 [1272.952850] FS: 0000000000000000(0000) GS:ffffa14d33c40000(0000) knlGS:0000000000000000 [1272.953458] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [1272.953931] CR2: 00007f838cbda000 CR3: 000000010104e000 CR4: 00000000000006f0 [1272.954474] Call Trace: [1272.954655] <TASK> [1272.954812] ? refcountwarnsaturate+0xba/0x110 [1272.955173] ? _warn.cold+0x93/0xd7 [1272.955487] ? refcountwarnsaturate+0xba/0x110 [1272.955816] ? reportbug+0xe7/0x120 [1272.956103] ? handlebug+0x53/0x90 [1272.956424] ? excinvalidop+0x13/0x60 [1272.956700] ? asmexcinvalidop+0x16/0x20 [1272.957011] ? refcountwarnsaturate+0xba/0x110 [1272.957399] btrfsdiscardcancelwork.cold+0x26/0x2b [btrfs] [1272.957853] btrfsputblockgroup.cold+0x5d/0x8e [btrfs] [1272.958289] btrfsdiscardworkfn+0x194/0x380 [btrfs] [1272.958729] processonework+0x130/0x290 [1272.959026] workerthread+0x2ea/0x420 [1272.959335] ? _pfxworkerthread+0x10/0x10 [1272.959644] kthread+0xd7/0x1c0 [1272.959872] ? _pfxkthread+0x10/0x10 [1272.960172] retfromfork+0x30/0x50 [1272.960474] ? _pfxkthread+0x10/0x10 [1272.960745] retfromfork_asm+0x1a/0x30 [1272.961035] </TASK> [1272.961238] ---[ end trace 0000000000000000 ]---

Though we have seen them in the async discard workfn as well. It is most likely to happen after a relocation finishes which cancels discard, tears down the block group, etc.

Fix this fully by taking the lock arou ---truncated---