CVE-2025-39779

In the Linux kernel, the following vulnerability has been resolved:

btrfs: subpage: keep TOWRITE tag until folio is cleaned

btrfssubpagesetwriteback() calls foliostartwriteback() the first time a folio is written back, and it also clears the PAGECACHETAGTOWRITE tag even if there are still dirty blocks in the folio. This can break ordering guarantees, such as those required by btrfswaitorderedextents().

That ordering breakage leads to a real failure. For example, running generic/464 on a zoned setup will hit the following ASSERT. This happens because the broken ordering fails to flush existing dirty pages before the file size is truncated.

assertion failed: !listempty(&ordered->list) :: 0, in fs/btrfs/zoned.c:1899 ------------[ cut here ]------------ kernel BUG at fs/btrfs/zoned.c:1899! Oops: invalid opcode: 0000 [#1] SMP NOPTI CPU: 2 UID: 0 PID: 1906169 Comm: kworker/u130:2 Kdump: loaded Not tainted 6.16.0-rc6-BTRFS-ZNS+ #554 PREEMPT(voluntary) Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.0 02/22/2021 Workqueue: btrfs-endio-write btrfsworkhelper [btrfs] RIP: 0010:btrfsfinishorderedzoned.cold+0x50/0x52 [btrfs] RSP: 0018:ffffc9002efdbd60 EFLAGS: 00010246 RAX: 000000000000004c RBX: ffff88811923c4e0 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff827e38b1 RDI: 00000000ffffffff RBP: ffff88810005d000 R08: 00000000ffffdfff R09: ffffffff831051c8 R10: ffffffff83055220 R11: 0000000000000000 R12: ffff8881c2458c00 R13: ffff88811923c540 R14: ffff88811923c5e8 R15: ffff8881c1bd9680 FS: 0000000000000000(0000) GS:ffff88a04acd0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f907c7a918c CR3: 0000000004024000 CR4: 0000000000350ef0 Call Trace: <TASK> ? srsoreturnthunk+0x5/0x5f btrfsfinishorderedio+0x4a/0x60 [btrfs] btrfsworkhelper+0xf9/0x490 [btrfs] processonework+0x204/0x590 ? srsoreturnthunk+0x5/0x5f workerthread+0x1d6/0x3d0 ? _pfxworkerthread+0x10/0x10 kthread+0x118/0x230 ? _pfxkthread+0x10/0x10 retfromfork+0x205/0x260 ? _pfxkthread+0x10/0x10 retfromforkasm+0x1a/0x30 </TASK>

Consider process A calling writepages() with WBSYNCNONE. In zoned mode or for compressed writes, it locks several folios for delalloc and starts writing them out. Let's call the last locked folio folio X. Suppose the write range only partially covers folio X, leaving some pages dirty. Process A calls btrfssubpageset_writeback() when building a bio. This function call clears the TOWRITE tag of folio X, whose size = 8K and the block size = 4K. It is following state.

0 4K 8K |/////|/////| (flag: DIRTY, tag: DIRTY) <-----> Process A will write this range.

Now suppose process B concurrently calls writepages() with WBSYNCALL. It calls tagpagesforwriteback() to tag dirty folios with PAGECACHETAGTOWRITE. Since folio X is still dirty, it gets tagged. Then, B collects tagged folios using filemapgetfoliostag() and must wait for folio X to be written before returning from writepages().

0 4K 8K |/////|/////| (flag: DIRTY, tag: DIRTY|TOWRITE)

However, between tagging and collecting, process A may call btrfssubpageset_writeback() and clear folio X's TOWRITE tag. 0 4K 8K | |/////| (flag: DIRTY|WRITEBACK, tag: DIRTY)

As a result, process B won't see folio X in its batch, and returns without waiting for it. This breaks the WBSYNCALL ordering requirement.

Fix this by using btrfssubpagesetwritebackkeepwrite(), which retains the TOWRITE tag. We now manually clear the tag only after the folio becomes clean, via the xas operation.