CVE-2025-37856

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
09/05/2025
Last modified:
12/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: harden block_group::bg_list against list_del() races

As far as I can tell, these calls of list_del_init() on bg_list cannot
run concurrently with btrfs_mark_bg_unused() or btrfs_mark_bg_to_reclaim(),
as they are in transaction error paths and situations where the block
group is readonly.

However, if there is any chance at all of racing with mark_bg_unused(),
or a different future user of bg_list, better to be safe than sorry.

Otherwise we risk the following interleaving (bg_list refcount in parens)

T1 (some random op)                     T2 (btrfs_mark_bg_unused)
                                        !list_empty(&bg->bg_list); (1)
list_del_init(&bg->bg_list); (1)
                                        list_move_tail (1)
btrfs_put_block_group (0)
                                        btrfs_delete_unused_bgs
                                            bg = list_first_entry
                                            list_del_init(&bg->bg_list);
                                            btrfs_put_block_group(bg); (-1)

Ultimately, this results in a broken ref count that hits zero one deref
early and the real final deref underflows the refcount, resulting in a WARNING.
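The interleaving above, replayed deterministically in user-space C as an added example (this is not the kernel patch and not code from the commit). `struct bg`, `t2_queue()` and `replay()` are hypothetical names, the list helpers are constructed stand-ins, and the `locked` variant assumes a hardening in which T2's check and list update form one critical section and T1 drops the reference only if the entry was still listed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel's list helpers; not kernel code. */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_del_init(struct list_head *e)
{
    e->prev->next = e->next;
    e->next->prev = e->prev;
    list_init(e);
}
static void list_move_tail(struct list_head *e, struct list_head *h)
{
    list_del_init(e);               /* harmless if e is already off-list */
    e->prev = h->prev; e->next = h;
    h->prev->next = e; h->prev = e;
}
struct bg { struct list_head bg_list; int refs; }; /* refs held via bg_list */
/* T2 "act": queue bg on a list, taking a ref only if it was not listed. */
static void t2_queue(struct bg *bg, struct list_head *to, bool was_listed)
{
    if (!was_listed) bg->refs++;
    list_move_tail(&bg->bg_list, to);
}
/* Single-threaded replay; returns the final bg_list refcount.
 * locked=false: T1's delete lands between T2's check and T2's act.
 * locked=true (assumed hardening): T2's check+act is one critical section. */
int replay(bool locked)
{
    struct list_head reclaim, unused;
    struct bg bg = { .refs = 0 };
    list_init(&reclaim); list_init(&unused); list_init(&bg.bg_list);
    t2_queue(&bg, &reclaim, false);              /* start: listed, refs = 1 */
    bool seen = !list_empty(&bg.bg_list);        /* T2 check            (1) */
    if (locked) t2_queue(&bg, &unused, seen);    /* T2 act, same section    */
    if (!list_empty(&bg.bg_list)) {              /* T1: only if listed      */
        list_del_init(&bg.bg_list);
        bg.refs--;                               /* T1 put              (0) */
    }
    if (!locked) t2_queue(&bg, &unused, seen);   /* T2 act on stale check   */
    if (!list_empty(&unused)) {                  /* btrfs_delete_unused_bgs */
        list_del_init(unused.next);
        bg.refs--;                               /* racy replay ends at -1  */
    }
    return bg.refs;
}
int main(void) { printf("racy=%d locked=%d\n", replay(false), replay(true)); return 0; }
```

In the racy replay the entry is re-queued without a new reference, so the later dequeue drops a reference that was already released; in the locked replay the count ends at zero.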

Vulnerable products and versions

CPE                                             From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*                       6.12.24 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.13 (including)   6.13.12 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.14 (including)   6.14.3 (excluding)