CVE-2025-68358

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix racy bitfield write in btrfsclearspaceinfofull()

From the memory-barriers.txt document regarding memory barrier ordering guarantees:

(*) These guarantees do not apply to bitfields, because compilers often generate code to modify these using non-atomic read-modify-write sequences. Do not attempt to use bitfields to synchronize parallel algorithms.

(*) Even in cases where bitfields are protected by locks, all fields in a given bitfield must be protected by one lock. If two fields in a given bitfield are protected by different locks, the compiler's non-atomic read-modify-write sequences can cause an update to one field to corrupt the value of an adjacent field.

btrfsspaceinfo has a bitfield sharing an underlying word consisting of the fields full, chunk_alloc, and flush:

struct btrfsspaceinfo { struct btrfsfsinfo * fsinfo; /* 0 8 */ struct btrfsspace_info * parent; /* 8 8 / ... int clamp; / 172 4 / unsigned int full:1; / 176: 0 4 / unsigned int chunk_alloc:1; / 176: 1 4 / unsigned int flush:1; / 176: 2 4 */ ...

Therefore, to be safe from parallel read-modify-writes losing a write to one of the bitfield members protected by a lock, all writes to all the bitfields must use the lock. They almost universally do, except for btrfsclearspaceinfofull() which iterates over the space_infos and writes out found->full = 0 without a lock.

Imagine that we have one thread completing a transaction in which we finished deleting a blockgroup and are thus calling btrfsclearspaceinfofull() while simultaneously the data reclaim ticket infrastructure is running doasyncreclaimdata_space():

      T1                                             T2

btrfscommittransaction btrfsclearspaceinfofull datasinfo->full = 0 READ: full:0, chunkalloc:0, flush:1 doasyncreclaimdataspace(datasinfo) spinlock(&spaceinfo->lock); if(listempty(tickets)) spaceinfo->flush = 0; READ: full: 0, chunkalloc:0, flush:1 MOD/WRITE: full: 0, chunkalloc:0, flush:0 spinunlock(&spaceinfo->lock); return; MOD/WRITE: full:0, chunkalloc:0, flush:1

and now data_sinfo->flush is 1 but the reclaim worker has exited. This breaks the invariant that flush is 0 iff there is no work queued or running. Once this invariant is violated, future allocations that go into _reservebytes() will add tickets to spaceinfo->tickets but will see spaceinfo->flush is set to 1 and not queue the work. After this, they will block forever on the resulting ticket, as it is now impossible to kick the worker again.

I also confirmed by looking at the assembly of the affected kernel that it is doing RMW operations. For example, to set the flush (3rd) bit to 0, the assembly is: andb $0xfb,0x60(%rbx) and similarly for setting the full (1st) bit to 0: andb $0xfe,-0x20(%rax)

So I think this is really a bug on practical systems. I have observed a number of systems in this exact state, but am currently unable to reproduce it.

Rather than leaving this footgun lying around for the future, take advantage of the fact that there is room in the struct anyway, and that it is already quite large and simply change the three bitfield members to bools. This avoids writes to space_info->full having any effect on ---truncated---