CVE-2025-38370

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix failure to rebuild free space tree using multiple transactions

If we are rebuilding a free space tree, while modifying the free space tree we may need to allocate a new metadata block group. If we end up using multiple transactions for the rebuild, when we call btrfsendtransaction() we enter btrfscreatependingblockgroups() which calls addblockgroupfreespace() to add items to the free space tree for the block group.

Then later during the free space tree rebuild, at btrfsrebuildfreespacetree(), we may find such new block groups and call populatefreespacetree() for them, which fails with -EEXIST because there are already items in the free space tree. Then we abort the transaction with -EEXIST at btrfsrebuildfreespace_tree(). Notice that we say "may find" the new block groups because a new block group may be inserted in the block groups rbtree, which is being iterated by the rebuild process, before or after the current node where the rebuild process is currently at.

Syzbot recently reported such case which produces a trace like the following:

------------[ cut here ]------------ BTRFS: Transaction aborted (error -17) WARNING: CPU: 1 PID: 7626 at fs/btrfs/free-space-tree.c:1341 btrfsrebuildfreespacetree+0x470/0x54c fs/btrfs/free-space-tree.c:1341 Modules linked in: CPU: 1 UID: 0 PID: 7626 Comm: syz.2.25 Not tainted 6.15.0-rc7-syzkaller-00085-gd7fa1af5b33e-dirty #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : btrfsrebuildfreespacetree+0x470/0x54c fs/btrfs/free-space-tree.c:1341 lr : btrfsrebuildfreespacetree+0x470/0x54c fs/btrfs/free-space-tree.c:1341 sp : ffff80009c4f7740 x29: ffff80009c4f77b0 x28: ffff0000d4c3f400 x27: 0000000000000000 x26: dfff800000000000 x25: ffff70001389eee8 x24: 0000000000000003 x23: 1fffe000182b6e7b x22: 0000000000000000 x21: ffff0000c15b73d8 x20: 00000000ffffffef x19: ffff0000c15b7378 x18: 1fffe0003386f276 x17: ffff80008f31e000 x16: ffff80008adbe98c x15: 0000000000000001 x14: 1fffe0001b281550 x13: 0000000000000000 x12: 0000000000000000 x11: ffff60001b281551 x10: 0000000000000003 x9 : 1c8922000a902c00 x8 : 1c8922000a902c00 x7 : ffff800080485878 x6 : 0000000000000000 x5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff80008047843c x2 : 0000000000000001 x1 : ffff80008b3ebc40 x0 : 0000000000000001 Call trace: btrfsrebuildfreespacetree+0x470/0x54c fs/btrfs/free-space-tree.c:1341 (P) btrfsstartprerwmount+0xa78/0xe10 fs/btrfs/disk-io.c:3074 btrfsremountrw fs/btrfs/super.c:1319 [inline] btrfsreconfigure+0x828/0x2418 fs/btrfs/super.c:1543 reconfiguresuper+0x1d4/0x6f0 fs/super.c:1083 doremount fs/namespace.c:3365 [inline] pathmount+0xb34/0xde0 fs/namespace.c:4200 domount fs/namespace.c:4221 [inline] _dosysmount fs/namespace.c:4432 [inline] _sesysmount fs/namespace.c:4409 [inline] _arm64sysmount+0x3e8/0x468 fs/namespace.c:4409 _invokesyscall arch/arm64/kernel/syscall.c:35 [inline] invokesyscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0svccommon+0x130/0x23c arch/arm64/kernel/syscall.c:132 doel0svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767 el0t64synchandler+0x78/0x108 arch/arm64/kernel/entry-common.c:786 el0t64sync+0x198/0x19c arch/arm64/kernel/entry.S:600 irq event stamp: 330 hardirqs last enabled at (329): [<ffff80008048590c>] rawspinrqunlockirq kernel/sched/sched.h:1525 [inline] hardirqs last enabled at (329): [<ffff80008048590c>] finishlockswitch+0xb0/0x1c0 kernel/sched/core.c:5130 hardirqs last disabled at (330): [<ffff80008adb9e60>] el1dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:511 softirqs last enabled at (10): [<ffff8000801fbf10>] localbhenable+0 ---truncated---