CVE-2025-38358

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38358
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38358.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38358
Downstream
Published
2025-07-25T12:47:29.515Z
Modified
2025-12-02T14:50:59.016889Z
Summary
btrfs: fix race between async reclaim worker and close_ctree()
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix race between async reclaim worker and close_ctree()

Syzbot reported an assertion failure due to an attempt to add a delayed iput after we have set BTRFS_FS_STATE_NO_DELAYED_IPUT in the fs_info state:

WARNING: CPU: 0 PID: 65 at fs/btrfs/inode.c:3420 btrfs_add_delayed_iput+0x2f8/0x370 fs/btrfs/inode.c:3420
Modules linked in:
CPU: 0 UID: 0 PID: 65 Comm: kworker/u8:4 Not tainted 6.15.0-next-20250530-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: btrfs-endio-write btrfs_work_helper
RIP: 0010:btrfs_add_delayed_iput+0x2f8/0x370 fs/btrfs/inode.c:3420
Code: 4e ad 5d (...)
RSP: 0018:ffffc9000213f780 EFLAGS: 00010293
RAX: ffffffff83c635b7 RBX: ffff888058920000 RCX: ffff88801c769e00
RDX: 0000000000000000 RSI: 0000000000000100 RDI: 0000000000000000
RBP: 0000000000000001 R08: ffff888058921b67 R09: 1ffff1100b12436c
R10: dffffc0000000000 R11: ffffed100b12436d R12: 0000000000000001
R13: dffffc0000000000 R14: ffff88807d748000 R15: 0000000000000100
FS: 0000000000000000(0000) GS:ffff888125c53000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00002000000bd038 CR3: 000000006a142000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
btrfs_put_ordered_extent+0x19f/0x470 fs/btrfs/ordered-data.c:635
btrfs_finish_one_ordered+0x11d8/0x1b10 fs/btrfs/inode.c:3312
btrfs_work_helper+0x399/0xc20 fs/btrfs/async-thread.c:312
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>

This can happen due to a race with the async reclaim worker like this:

1) The async metadata reclaim worker enters shrink_delalloc(), which calls btrfs_start_delalloc_roots() with an nr_pages argument that has a value less than LONG_MAX, and that in turn enters start_delalloc_inodes(), which sets the local variable 'full_flush' to false because wbc->nr_to_write is less than LONG_MAX;

2) There it finds inode X in a root's delalloc list, grabs a reference for inode X (with igrab()), and triggers writeback for it with filemap_fdatawrite_wbc(), which creates an ordered extent for inode X;

3) The unmount sequence starts from another task, we enter close_ctree() and we flush the workqueue fs_info->endio_write_workers, which waits for the ordered extent for inode X to complete and when dropping the last reference of the ordered extent, with btrfs_put_ordered_extent(), when we call btrfs_add_delayed_iput() we don't add the inode to the list of delayed iputs because it has a refcount of 2, so we decrement it to 1 and return;

4) Shortly after at close_ctree() we call btrfs_run_delayed_iputs() which runs all delayed iputs, and then we set BTRFS_FS_STATE_NO_DELAYED_IPUT in the fs_info state;

5) The async reclaim worker, after calling filemap_fdatawrite_wbc(), now calls btrfs_add_delayed_iput() for inode X and there we trigger an assertion failure since the fs_info state has the flag BTRFS_FS_STATE_NO_DELAYED_IPUT set.

Fix this by setting BTRFS_FS_STATE_NO_DELAYED_IPUT only after we wait for the async reclaim workers to finish, after we call cancel_work_sync() for them at close_ctree(), and by running delayed iputs after waiting for the reclaim workers to finish and before setting the bit.

This race was recently introduced by commit 19e60b2a95f5 ("btrfs: add extra warning if delayed iput is added when it's not allowed"). Without the new validation at btrfs_add_delayed_iput(), ---truncated---

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38358.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
19e60b2a95f5d6b77d972c7bec35a11e70fd118c
Fixed
4693cda2c06039c875f2eef0123b22340c34bfa0
Fixed
a26bf338cdad3643a6e7c3d78a172baadba15c1a

Affected versions

v6.*

v6.14
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.15.1
v6.15.2
v6.15.3
v6.15.4

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.15.0
Fixed
6.15.5