CVE-2025-39884

There is a race condition between inode eviction and inode caching that can cause a live struct btrfsinode to be missing from the root->inodes xarray. Specifically, there is a window during evict() between the inode being unhashed and deleted from the xarray. If btrfsiget() is called for the same inode in that window, it will be recreated and inserted into the xarray, but then eviction will delete the new entry, leaving nothing in the xarray:

Thread 1 Thread 2

evict() removeinodehash() btrfsigetpath() btrfsigetlocked() btrfsreadlockedinode() btrfsaddinodetoroot() destroyinode() btrfsdestroyinode() btrfsdelinodefromroot() _xaerase

In turn, this can cause issues for subvolume deletion. Specifically, if an inode is in this lost state, and all other inodes are evicted, then btrfsdelinodefromroot() will call btrfsadddeadroot() prematurely. If the lost inode has a delayednode attached to it, then when btrfscleanonedeletedsnapshot() calls btrfskillalldelayednodes(), it will loop forever because the delayed_nodes xarray will never become empty (unless memory pressure forces the inode out). We saw this manifest as soft lockups in production.

Fix it by only deleting the xarray entry if it matches the given inode (using _xacmpxchg()).

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39884.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

310b2f5d5a9451b708ab1d3385c3b0998084904c

Fixed

9ba898c9fcbe6ebb88bcd4df8aab0f90090d202e

Fixed

f1498abaf74f8d7b1e7001f16ed77818d8ae6a59

Fixed

f6a6c280059c4ddc23e12e3de1b01098e240036f

Affected versions

v6.*

v6.10

v6.11

v6.11-rc1

v6.11-rc2

v6.11-rc3

v6.11-rc4

v6.11-rc5

v6.11-rc6

v6.11-rc7

v6.12

v6.12-rc1

v6.12-rc2

v6.12-rc3

v6.12-rc4

v6.12-rc5

v6.12-rc6

v6.12-rc7

v6.12.1

v6.12.10

v6.12.11

v6.12.12

v6.12.13

v6.12.14

v6.12.15

v6.12.16

v6.12.17

v6.12.18

v6.12.19

v6.12.2

v6.12.20

v6.12.21

v6.12.22

v6.12.23

v6.12.24

v6.12.25

v6.12.26

v6.12.27

v6.12.28

v6.12.29

v6.12.3

v6.12.30

v6.12.31

v6.12.32

v6.12.33

v6.12.34

v6.12.35

v6.12.36

v6.12.37

v6.12.38

v6.12.39

v6.12.4

v6.12.40

v6.12.41

v6.12.42

v6.12.43

v6.12.44

v6.12.45

v6.12.46

v6.12.47

v6.12.5

v6.12.6

v6.12.7

v6.12.8

v6.12.9

v6.13

v6.13-rc1

v6.13-rc2

v6.13-rc3

v6.13-rc4

v6.13-rc5

v6.13-rc6

v6.13-rc7

v6.14

v6.14-rc1

v6.14-rc2

v6.14-rc3

v6.14-rc4

v6.14-rc5

v6.14-rc6

v6.14-rc7

v6.15

v6.15-rc1

v6.15-rc2

v6.15-rc3

v6.15-rc4

v6.15-rc5

v6.15-rc6

v6.15-rc7

v6.16

v6.16-rc1

v6.16-rc2

v6.16-rc3

v6.16-rc4

v6.16-rc5

v6.16-rc6

v6.16-rc7

v6.16.1

v6.16.2

v6.16.3

v6.16.4

v6.16.5

v6.16.6

v6.16.7

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.11.0

Fixed

6.12.48

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.16.8