{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-37856","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:23.956Z","datePublished":"2025-05-09T06:42:04.315Z","dateUpdated":"2026-05-11T21:16:25.919Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:16:25.919Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: harden block_group::bg_list against list_del() races\n\nAs far as I can tell, these calls of list_del_init() on bg_list cannot\nrun concurrently with btrfs_mark_bg_unused() or btrfs_mark_bg_to_reclaim(),\nas they are in transaction error paths and situations where the block\ngroup is readonly.\n\nHowever, if there is any chance at all of racing with mark_bg_unused(),\nor a different future user of bg_list, better to be safe than sorry.\n\nOtherwise we risk the following interleaving (bg_list refcount in parens)\n\nT1 (some random op)                       T2 (btrfs_mark_bg_unused)\n                                        !list_empty(&bg->bg_list); (1)\nlist_del_init(&bg->bg_list); (1)\n                                        list_move_tail (1)\nbtrfs_put_block_group (0)\n                                        btrfs_delete_unused_bgs\n                                             bg = list_first_entry\n                                             list_del_init(&bg->bg_list);\n                                             btrfs_put_block_group(bg); (-1)\n\nUltimately, this results in a broken ref count that hits zero one deref\nearly and the real final deref underflows the refcount, resulting in a WARNING."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/btrfs/extent-tree.c","fs/btrfs/transaction.c"],"versions":[{"version":"a9f189716cf15913c453299d72f69c51a9b0f86b","lessThan":"bf089c4d1141b27332c092b1dcca5022c415a3b6","status":"affected","versionType":"git"},{"version":"a9f189716cf15913c453299d72f69c51a9b0f86b","lessThan":"909e60fb469d4101c6b08cf6e622efb062bb24a1","status":"affected","versionType":"git"},{"version":"a9f189716cf15913c453299d72f69c51a9b0f86b","lessThan":"185fd73e5ac06027c4be9a129e59193f6a3ef202","status":"affected","versionType":"git"},{"version":"a9f189716cf15913c453299d72f69c51a9b0f86b","lessThan":"7511e29cf1355b2c47d0effb39e463119913e2f6","status":"affected","versionType":"git"},{"version":"edf3b5aadb2515c808200b904baa5b70a727f0ac","status":"affected","versionType":"git"},{"version":"01eca70ef8cf499d0cb6d1bbd691558e7792cf17","status":"affected","versionType":"git"},{"version":"5d19abcffd8404078dfa7d7118cec357b5e7bc58","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/btrfs/extent-tree.c","fs/btrfs/transaction.c"],"versions":[{"version":"6.5","status":"affected"},{"version":"0","lessThan":"6.5","status":"unaffected","versionType":"semver"},{"version":"6.12.24","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13.12","lessThanOrEqual":"6.13.*","status":"unaffected","versionType":"semver"},{"version":"6.14.3","lessThanOrEqual":"6.14.*","status":"unaffected","versionType":"semver"},{"version":"6.15","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.12.24"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.13.12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.14.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.15"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.128"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.47"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4.12"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/bf089c4d1141b27332c092b1dcca5022c415a3b6"},{"url":"https://git.kernel.org/stable/c/909e60fb469d4101c6b08cf6e622efb062bb24a1"},{"url":"https://git.kernel.org/stable/c/185fd73e5ac06027c4be9a129e59193f6a3ef202"},{"url":"https://git.kernel.org/stable/c/7511e29cf1355b2c47d0effb39e463119913e2f6"}],"title":"btrfs: harden block_group::bg_list against list_del() races","x_generator":{"engine":"bippy-1.2.0"}}}}