CVE-2025-71159

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node()<br /> <br /> Previously, btrfs_get_or_create_delayed_node() set the delayed_node&amp;#39;s<br /> refcount before acquiring the root-&gt;delayed_nodes lock.<br /> Commit e8513c012de7 ("btrfs: implement ref_tracker for delayed_nodes")<br /> moved refcount_set inside the critical section, which means there is<br /> no longer a memory barrier between setting the refcount and setting<br /> btrfs_inode-&gt;delayed_node.<br /> <br /> Without that barrier, the stores to node-&gt;refs and<br /> btrfs_inode-&gt;delayed_node may become visible out of order. Another<br /> thread can then read btrfs_inode-&gt;delayed_node and attempt to<br /> increment a refcount that hasn&amp;#39;t been set yet, leading to a<br /> refcounting bug and a use-after-free warning.<br /> <br /> The fix is to move refcount_set back to where it was to take<br /> advantage of the implicit memory barrier provided by lock<br /> acquisition.<br /> <br /> Because the allocations now happen outside of the lock&amp;#39;s critical<br /> section, they can use GFP_NOFS instead of GFP_ATOMIC.