CVE-2025-39884

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix subvolume deletion lockup caused by inodes xarray race<br /> <br /> There is a race condition between inode eviction and inode caching that<br /> can cause a live struct btrfs_inode to be missing from the root-&gt;inodes<br /> xarray. Specifically, there is a window during evict() between the inode<br /> being unhashed and deleted from the xarray. If btrfs_iget() is called<br /> for the same inode in that window, it will be recreated and inserted<br /> into the xarray, but then eviction will delete the new entry, leaving<br /> nothing in the xarray:<br /> <br /> Thread 1 Thread 2<br /> ---------------------------------------------------------------<br /> evict()<br /> remove_inode_hash()<br /> btrfs_iget_path()<br /> btrfs_iget_locked()<br /> btrfs_read_locked_inode()<br /> btrfs_add_inode_to_root()<br /> destroy_inode()<br /> btrfs_destroy_inode()<br /> btrfs_del_inode_from_root()<br /> __xa_erase<br /> <br /> In turn, this can cause issues for subvolume deletion. Specifically, if<br /> an inode is in this lost state, and all other inodes are evicted, then<br /> btrfs_del_inode_from_root() will call btrfs_add_dead_root() prematurely.<br /> If the lost inode has a delayed_node attached to it, then when<br /> btrfs_clean_one_deleted_snapshot() calls btrfs_kill_all_delayed_nodes(),<br /> it will loop forever because the delayed_nodes xarray will never become<br /> empty (unless memory pressure forces the inode out). We saw this<br /> manifest as soft lockups in production.<br /> <br /> Fix it by only deleting the xarray entry if it matches the given inode<br /> (using __xa_cmpxchg()).