CVE-2025-37904

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
20/05/2025
Last modified:
21/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix the inode leak in btrfs_iget()

[BUG]
There is a bug report that a syzbot reproducer can lead to the following
busy inode at unmount time:

BTRFS info (device loop1): last unmount of filesystem 1680000e-3c1e-4c46-84b6-56bd3909af50
VFS: Busy inodes after unmount of loop1 (btrfs)
------------[ cut here ]------------
kernel BUG at fs/super.c:650!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 48168 Comm: syz-executor Not tainted 6.15.0-rc2-00471-g119009db2674 #2 PREEMPT(full)
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:generic_shutdown_super+0x2e9/0x390 fs/super.c:650
Call Trace:

kill_anon_super+0x3a/0x60 fs/super.c:1237
btrfs_kill_super+0x3b/0x50 fs/btrfs/super.c:2099
deactivate_locked_super+0xbe/0x1a0 fs/super.c:473
deactivate_super fs/super.c:506 [inline]
deactivate_super+0xe2/0x100 fs/super.c:502
cleanup_mnt+0x21f/0x440 fs/namespace.c:1435
task_work_run+0x14d/0x240 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x269/0x290 kernel/entry/common.c:218
do_syscall_64+0xd4/0x250 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f

[CAUSE]
When btrfs_alloc_path() failed, btrfs_iget() directly returned without
releasing the inode already allocated by btrfs_iget_locked().

This results in the above busy inode and triggers the kernel BUG.

[FIX]
Fix it by calling iget_failed() if btrfs_alloc_path() failed.

If we hit an error inside btrfs_read_locked_inode(), it will properly call
iget_failed(), so nothing to worry about.

Although the iget_failed() cleanup inside btrfs_read_locked_inode() is a
break of the normal error handling scheme, let's fix the obvious bug
and backport first, then rework the error handling later.
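The reference-count model below is an added illustration, not the kernel's code: it shows why an early return after a failed btrfs_alloc_path() leaves an inode still referenced when the superblock is torn down (the "Busy inodes after unmount" condition), and how releasing it on that error path, as the fix does with iget_failed(), clears the condition. All names here (iget_locked_stub, iput_stub, iget_model, busy_inodes_at_unmount) are simplified stand-ins and assumptions of this model.

```c
#include <stdlib.h>
struct inode { int refcount; };
/* Toy superblock: every inode it handed out. generic_shutdown_super() BUGs at
 * unmount if any is still referenced ("VFS: Busy inodes after unmount"). */
#define MAX_INODES 8
static struct inode *sb_inodes[MAX_INODES];
static int sb_count;
/* Stand-in for btrfs_iget_locked(): a new inode, one reference held by the caller. */
static struct inode *iget_locked_stub(void)
{
    struct inode *inode = sb_count < MAX_INODES ? calloc(1, sizeof(*inode)) : NULL;
    if (!inode)
        return NULL;
    inode->refcount = 1;
    sb_inodes[sb_count++] = inode;
    return inode;
}
/* Stand-in for iget_failed() (half-built inode) and iput() (finished inode). */
static void iput_stub(struct inode *inode) { inode->refcount--; }
/* Model of btrfs_iget(): alloc_path_ok stands for btrfs_alloc_path() succeeding,
 * fixed selects the advisory's fix. Returns the inode, or NULL on error. */
static struct inode *iget_model(int alloc_path_ok, int fixed)
{
    struct inode *inode = iget_locked_stub();
    if (!inode)
        return NULL;
    if (!alloc_path_ok) {
        if (fixed)
            iput_stub(inode);  /* iget_failed(): give back the reference just taken */
        return NULL;           /* unfixed: return with the reference still held */
    }
    return inode;              /* would continue into btrfs_read_locked_inode() */
}
/* Mount, do one lookup, release whatever the caller got back, then unmount:
 * returns how many inodes are still referenced, i.e. the busy-inode count. */
int busy_inodes_at_unmount(int alloc_path_ok, int fixed)
{
    struct inode *inode;
    int busy = 0;
    sb_count = 0;              /* fresh mount */
    inode = iget_model(alloc_path_ok, fixed);
    if (inode)
        iput_stub(inode);
    while (sb_count) {         /* generic_shutdown_super(): evict everything */
        struct inode *victim = sb_inodes[--sb_count];
        busy += victim->refcount > 0;
        free(victim);
    }
    return busy;
}
```

Only the unfixed lookup with a failed path allocation leaves a referenced inode behind; the fixed variant and both successful lookups unmount cleanly.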

Impact