CVE-2025-37856

In the Linux kernel, the following vulnerability has been resolved:

btrfs: harden blockgroup::bglist against list_del() races

As far as I can tell, these calls of listdelinit() on bglist cannot run concurrently with btrfsmarkbgunused() or btrfsmarkbgtoreclaim(), as they are in transaction error paths and situations where the block group is readonly.

However, if there is any chance at all of racing with markbgunused(), or a different future user of bg_list, better to be safe than sorry.

Otherwise we risk the following interleaving (bg_list refcount in parens)

T1 (some random op) T2 (btrfsmarkbgunused) !listempty(&bg->bglist); (1) listdelinit(&bg->bglist); (1) listmovetail (1) btrfsputblockgroup (0) btrfsdeleteunusedbgs bg = listfirstentry listdelinit(&bg->bglist); btrfsputblockgroup(bg); (-1)

Ultimately, this results in a broken ref count that hits zero one deref early and the real final deref underflows the refcount, resulting in a WARNING.