Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-73959.json
JSON Data
https://api.test.osv.dev/v1/vulns/AZL-73959
Upstream
Published
2025-09-11T17:15:39Z
Modified
2026-04-01T05:22:40.254215Z
Summary
CVE-2025-39759 affecting package kernel 5.15.200.1-1
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: qgroup: fix race between quota disable and quota rescan ioctl

There's a race between a task disabling quotas and another running the rescan ioctl that can result in a use-after-free of qgroup records from the fs_info->qgroup_tree rbtree.

This happens as follows:

1) Task A enters btrfs_ioctl_quota_rescan() -> btrfs_qgroup_rescan();

2) Task B enters btrfs_quota_disable() and calls btrfs_qgroup_wait_for_completion(), which does nothing because at that point fs_info->qgroup_rescan_running is false (it wasn't set yet by task A);

3) Task B calls btrfs_free_qgroup_config() which starts freeing qgroups from fs_info->qgroup_tree without taking the lock fs_info->qgroup_lock;

4) Task A enters qgroup_rescan_zero_tracking() which starts iterating the fs_info->qgroup_tree tree while holding fs_info->qgroup_lock, but task B is freeing qgroup records from that tree without holding the lock, resulting in a use-after-free.

Fix this by taking fs_info->qgroup_lock at btrfs_free_qgroup_config(). Also at btrfs_qgroup_rescan() don't start the rescan worker if quotas were already disabled.

References

Affected packages

Azure Linux:2 / kernel

Package

Name
kernel
Purl
pkg:rpm/azure-linux/kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Last affected
5.15.200.1-1

Database specific

source
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-73959.json"