CVE-2025-68358

(*) These guarantees do not apply to bitfields, because compilers often generate code to modify these using non-atomic read-modify-write sequences. Do not attempt to use bitfields to synchronize parallel algorithms.

(*) Even in cases where bitfields are protected by locks, all fields in a given bitfield must be protected by one lock. If two fields in a given bitfield are protected by different locks, the compiler's non-atomic read-modify-write sequences can cause an update to one field to corrupt the value of an adjacent field.

btrfsspaceinfo has a bitfield sharing an underlying word consisting of the fields full, chunk_alloc, and flush:

struct btrfsspaceinfo { struct btrfsfsinfo * fsinfo; /* 0 8 */ struct btrfsspaceinfo * parent; /* 8 8 */ ... int clamp; /* 172 4 */ unsigned int full:1; /* 176: 0 4 */ unsigned int chunkalloc:1; /* 176: 1 4 / unsigned int flush:1; / 176: 2 4 */ ...

Therefore, to be safe from parallel read-modify-writes losing a write to one of the bitfield members protected by a lock, all writes to all the bitfields must use the lock. They almost universally do, except for btrfsclearspaceinfofull() which iterates over the space_infos and writes out found->full = 0 without a lock.

Imagine that we have one thread completing a transaction in which we finished deleting a blockgroup and are thus calling btrfsclearspaceinfofull() while simultaneously the data reclaim ticket infrastructure is running doasyncreclaimdata_space():

      T1                                             T2

btrfscommittransaction btrfsclearspaceinfofull datasinfo->full = 0 READ: full:0, chunkalloc:0, flush:1 doasyncreclaimdataspace(datasinfo) spinlock(&spaceinfo->lock); if(listempty(tickets)) spaceinfo->flush = 0; READ: full: 0, chunkalloc:0, flush:1 MOD/WRITE: full: 0, chunkalloc:0, flush:0 spinunlock(&spaceinfo->lock); return; MOD/WRITE: full:0, chunkalloc:0, flush:1

and now datasinfo->flush is 1 but the reclaim worker has exited. This breaks the invariant that flush is 0 iff there is no work queued or running. Once this invariant is violated, future allocations that go into _reservebytes() will add tickets to spaceinfo->tickets but will see space_info->flush is set to 1 and not queue the work. After this, they will block forever on the resulting ticket, as it is now impossible to kick the worker again.

I also confirmed by looking at the assembly of the affected kernel that it is doing RMW operations. For example, to set the flush (3rd) bit to 0, the assembly is: andb $0xfb,0x60(%rbx) and similarly for setting the full (1st) bit to 0: andb $0xfe,-0x20(%rax)

So I think this is really a bug on practical systems. I have observed a number of systems in this exact state, but am currently unable to reproduce it.

Rather than leaving this footgun lying around for the future, take advantage of the fact that there is room in the struct anyway, and that it is already quite large and simply change the three bitfield members to bools. This avoids writes to space_info->full having any effect on ---truncated---

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68358.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

957780eb2788d8c218d539e19a85653f51a96dc1

Fixed

db4ae18e1b31e0421fb5312e56aefa382bbc6ece

Fixed

6f442808a86eef847ee10afa9e6459494ed85bb3

Fixed

742b90eaf394f0018352c0e10dc89763b2dd5267

Fixed

38e818718c5e04961eea0fa8feff3f100ce40408

Affected versions

v4.*

v4.10

v4.10-rc1

v4.10-rc2

v4.10-rc3

v4.10-rc4

v4.10-rc5

v4.10-rc6

v4.10-rc7

v4.10-rc8

v4.11

v4.11-rc1

v4.11-rc2

v4.11-rc3

v4.11-rc4

v4.11-rc5

v4.11-rc6

v4.11-rc7

v4.11-rc8

v4.12

v4.12-rc1

v4.12-rc2

v4.12-rc3

v4.12-rc4

v4.12-rc5

v4.12-rc6

v4.12-rc7

v4.13

v4.13-rc1

v4.13-rc2

v4.13-rc3

v4.13-rc4

v4.13-rc5

v4.13-rc6

v4.13-rc7

v4.14

v4.14-rc1

v4.14-rc2

v4.14-rc3

v4.14-rc4

v4.14-rc5

v4.14-rc6

v4.14-rc7

v4.14-rc8

v4.15

v4.15-rc1

v4.15-rc2

v4.15-rc3

v4.15-rc4

v4.15-rc5

v4.15-rc6

v4.15-rc7

v4.15-rc8

v4.15-rc9

v4.16

v4.16-rc1

v4.16-rc2

v4.16-rc3

v4.16-rc4

v4.16-rc5

v4.16-rc6

v4.16-rc7

v4.17

v4.17-rc1

v4.17-rc2

v4.17-rc3

v4.17-rc4

v4.17-rc5

v4.17-rc6

v4.17-rc7

v4.18

v4.18-rc1

v4.18-rc2

v4.18-rc3

v4.18-rc4

v4.18-rc5

v4.18-rc6

v4.18-rc7

v4.18-rc8

v4.19

v4.19-rc1

v4.19-rc2

v4.19-rc3

v4.19-rc4

v4.19-rc5

v4.19-rc6

v4.19-rc7

v4.19-rc8

v4.20

v4.20-rc1

v4.20-rc2

v4.20-rc3

v4.20-rc4

v4.20-rc5

v4.20-rc6

v4.20-rc7

v4.7

v4.7-rc7

v4.8

v4.8-rc1

v4.8-rc2

v4.8-rc3

v4.8-rc4

v4.8-rc5

v4.8-rc6

v4.8-rc7

v4.8-rc8

v4.9

v4.9-rc1

v4.9-rc2

v4.9-rc3

v4.9-rc4

v4.9-rc5

v4.9-rc6

v4.9-rc7

v4.9-rc8

v5.*

v5.0

v5.0-rc1

v5.0-rc2

v5.0-rc3

v5.0-rc4

v5.0-rc5

v5.0-rc6

v5.0-rc7

v5.0-rc8

v5.1

v5.1-rc1

v5.1-rc2

v5.1-rc3

v5.1-rc4

v5.1-rc5

v5.1-rc6

v5.1-rc7

v5.10

v5.10-rc1

v5.10-rc2

v5.10-rc3

v5.10-rc4

v5.10-rc5

v5.10-rc6

v5.10-rc7

v5.11

v5.11-rc1

v5.11-rc2

v5.11-rc3

v5.11-rc4

v5.11-rc5

v5.11-rc6

v5.11-rc7

v5.12

v5.12-rc1

v5.12-rc1-dontuse

v5.12-rc2

v5.12-rc3

v5.12-rc4

v5.12-rc5

v5.12-rc6

v5.12-rc7

v5.12-rc8

v5.13

v5.13-rc1

v5.13-rc2

v5.13-rc3

v5.13-rc4

v5.13-rc5

v5.13-rc6

v5.13-rc7

v5.14

v5.14-rc1

v5.14-rc2

v5.14-rc3

v5.14-rc4

v5.14-rc5

v5.14-rc6

v5.14-rc7

v5.15

v5.15-rc1

v5.15-rc2

v5.15-rc3

v5.15-rc4

v5.15-rc5

v5.15-rc6

v5.15-rc7

v5.16

v5.16-rc1

v5.16-rc2

v5.16-rc3

v5.16-rc4

v5.16-rc5

v5.16-rc6

v5.16-rc7

v5.16-rc8

v5.17

v5.17-rc1

v5.17-rc2

v5.17-rc3

v5.17-rc4

v5.17-rc5

v5.17-rc6

v5.17-rc7

v5.17-rc8

v5.18

v5.18-rc1

v5.18-rc2

v5.18-rc3

v5.18-rc4

v5.18-rc5

v5.18-rc6

v5.18-rc7

v5.19

v5.19-rc1

v5.19-rc2

v5.19-rc3

v5.19-rc4

v5.19-rc5

v5.19-rc6

v5.19-rc7

v5.19-rc8

v5.2

v5.2-rc1

v5.2-rc2

v5.2-rc3

v5.2-rc4

v5.2-rc5

v5.2-rc6

v5.2-rc7

v5.3

v5.3-rc1

v5.3-rc2

v5.3-rc3

v5.3-rc4

v5.3-rc5

v5.3-rc6

v5.3-rc7

v5.3-rc8

v5.4

v5.4-rc1

v5.4-rc2

v5.4-rc3

v5.4-rc4

v5.4-rc5

v5.4-rc6

v5.4-rc7

v5.4-rc8

v5.5

v5.5-rc1

v5.5-rc2

v5.5-rc3

v5.5-rc4

v5.5-rc5

v5.5-rc6

v5.5-rc7

v5.6

v5.6-rc1

v5.6-rc2

v5.6-rc3

v5.6-rc4

v5.6-rc5

v5.6-rc6

v5.6-rc7

v5.7

v5.7-rc1

v5.7-rc2

v5.7-rc3

v5.7-rc4

v5.7-rc5

v5.7-rc6

v5.7-rc7

v5.8

v5.8-rc1

v5.8-rc2

v5.8-rc3

v5.8-rc4

v5.8-rc5

v5.8-rc6

v5.8-rc7

v5.9

v5.9-rc1

v5.9-rc2

v5.9-rc3

v5.9-rc4

v5.9-rc5

v5.9-rc6

v5.9-rc7

v5.9-rc8

v6.*

v6.0

v6.0-rc1

v6.0-rc2

v6.0-rc3

v6.0-rc4

v6.0-rc5

v6.0-rc6

v6.0-rc7

v6.1

v6.1-rc1

v6.1-rc2

v6.1-rc3

v6.1-rc4

v6.1-rc5

v6.1-rc6

v6.1-rc7

v6.1-rc8

v6.10

v6.10-rc1

v6.10-rc2

v6.10-rc3

v6.10-rc4

v6.10-rc5

v6.10-rc6

v6.10-rc7

v6.11

v6.11-rc1

v6.11-rc2

v6.11-rc3

v6.11-rc4

v6.11-rc5

v6.11-rc6

v6.11-rc7

v6.12

v6.12-rc1

v6.12-rc2

v6.12-rc3

v6.12-rc4

v6.12-rc5

v6.12-rc6

v6.12-rc7

v6.12.1

v6.12.10

v6.12.11

v6.12.12

v6.12.13

v6.12.14

v6.12.15

v6.12.16

v6.12.17

v6.12.18

v6.12.19

v6.12.2

v6.12.20

v6.12.21

v6.12.22

v6.12.23

v6.12.24

v6.12.25

v6.12.26

v6.12.27

v6.12.28

v6.12.29

v6.12.3

v6.12.30

v6.12.31

v6.12.32

v6.12.33

v6.12.34

v6.12.35

v6.12.36

v6.12.37

v6.12.38

v6.12.39

v6.12.4

v6.12.40

v6.12.41

v6.12.42

v6.12.43

v6.12.44

v6.12.45

v6.12.46

v6.12.47

v6.12.48

v6.12.49

v6.12.5

v6.12.50

v6.12.51

v6.12.52

v6.12.53

v6.12.54

v6.12.55

v6.12.56

v6.12.57

v6.12.58

v6.12.59

v6.12.6

v6.12.60

v6.12.61

v6.12.62

v6.12.63

v6.12.64

v6.12.65

v6.12.66

v6.12.67

v6.12.7

v6.12.8

v6.12.9

v6.13

v6.13-rc1

v6.13-rc2

v6.13-rc3

v6.13-rc4

v6.13-rc5

v6.13-rc6

v6.13-rc7

v6.14

v6.14-rc1

v6.14-rc2

v6.14-rc3

v6.14-rc4

v6.14-rc5

v6.14-rc6

v6.14-rc7

v6.15

v6.15-rc1

v6.15-rc2

v6.15-rc3

v6.15-rc4

v6.15-rc5

v6.15-rc6

v6.15-rc7

v6.16

v6.16-rc1

v6.16-rc2

v6.16-rc3

v6.16-rc4

v6.16-rc5

v6.16-rc6

v6.16-rc7

v6.17

v6.17-rc1

v6.17-rc2

v6.17-rc3

v6.17-rc4

v6.17-rc5

v6.17-rc6

v6.17-rc7

v6.17.1

v6.17.10

v6.17.11

v6.17.12

v6.17.2

v6.17.3

v6.17.4

v6.17.5

v6.17.6

v6.17.7

v6.17.8

v6.17.9

v6.18

v6.18-rc1

v6.18-rc2

v6.18-rc3

v6.18-rc4

v6.18-rc5

v6.18-rc6

v6.18-rc7

v6.18.1

v6.2

v6.2-rc1

v6.2-rc2

v6.2-rc3

v6.2-rc4

v6.2-rc5

v6.2-rc6

v6.2-rc7

v6.2-rc8

v6.3

v6.3-rc1

v6.3-rc2

v6.3-rc3

v6.3-rc4

v6.3-rc5

v6.3-rc6

v6.3-rc7

v6.4

v6.4-rc1

v6.4-rc2

v6.4-rc3

v6.4-rc4

v6.4-rc5

v6.4-rc6

v6.4-rc7

v6.5

v6.5-rc1

v6.5-rc2

v6.5-rc3

v6.5-rc4

v6.5-rc5

v6.5-rc6

v6.5-rc7

v6.6

v6.6-rc1

v6.6-rc2

v6.6-rc3

v6.6-rc4

v6.6-rc5

v6.6-rc6

v6.6-rc7

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.8

v6.8-rc1

v6.8-rc2

v6.8-rc3

v6.8-rc4

v6.8-rc5

v6.8-rc6

v6.8-rc7

v6.9

v6.9-rc1

v6.9-rc2

v6.9-rc3

v6.9-rc4

v6.9-rc5

v6.9-rc6

v6.9-rc7

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68358.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.8.0

Fixed

6.12.68

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.17.13

Type: ECOSYSTEM
Events: Introduced

6.18.0

Fixed

6.18.2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68358.json"