CVE-2025-68778

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: don&amp;#39;t log conflicting inode if it&amp;#39;s a dir moved in the current transaction<br /> <br /> We can&amp;#39;t log a conflicting inode if it&amp;#39;s a directory and it was moved<br /> from one parent directory to another parent directory in the current<br /> transaction, as this can result an attempt to have a directory with<br /> two hard links during log replay, one for the old parent directory and<br /> another for the new parent directory.<br /> <br /> The following scenario triggers that issue:<br /> <br /> 1) We have directories "dir1" and "dir2" created in a past transaction.<br /> Directory "dir1" has inode A as its parent directory;<br /> <br /> 2) We move "dir1" to some other directory;<br /> <br /> 3) We create a file with the name "dir1" in directory inode A;<br /> <br /> 4) We fsync the new file. This results in logging the inode of the new file<br /> and the inode for the directory "dir1" that was previously moved in the<br /> current transaction. So the log tree has the INODE_REF item for the<br /> new location of "dir1";<br /> <br /> 5) We move the new file to some other directory. This results in updating<br /> the log tree to included the new INODE_REF for the new location of the<br /> file and removes the INODE_REF for the old location. This happens<br /> during the rename when we call btrfs_log_new_name();<br /> <br /> 6) We fsync the file, and that persists the log tree changes done in the<br /> previous step (btrfs_log_new_name() only updates the log tree in<br /> memory);<br /> <br /> 7) We have a power failure;<br /> <br /> 8) Next time the fs is mounted, log replay happens and when processing<br /> the inode for directory "dir1" we find a new INODE_REF and add that<br /> link, but we don&amp;#39;t remove the old link of the inode since we have<br /> not logged the old parent directory of the directory inode "dir1".<br /> <br /> As a result after log replay finishes when we trigger writeback of the<br /> subvolume tree&amp;#39;s extent buffers, the tree check will detect that we have<br /> a directory a hard link count of 2 and we get a mount failure.<br /> The errors and stack traces reported in dmesg/syslog are like this:<br /> <br /> [ 3845.729764] BTRFS info (device dm-0): start tree-log replay<br /> [ 3845.730304] page: refcount:3 mapcount:0 mapping:000000005c8a3027 index:0x1d00 pfn:0x11510c<br /> [ 3845.731236] memcg:ffff9264c02f4e00<br /> [ 3845.731751] aops:btree_aops [btrfs] ino:1<br /> [ 3845.732300] flags: 0x17fffc00000400a(uptodate|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)<br /> [ 3845.733346] raw: 017fffc00000400a 0000000000000000 dead000000000122 ffff9264d978aea8<br /> [ 3845.734265] raw: 0000000000001d00 ffff92650e6d4738 00000003ffffffff ffff9264c02f4e00<br /> [ 3845.735305] page dumped because: eb page dump<br /> [ 3845.735981] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=6 ino=257, invalid nlink: has 2 expect no more than 1 for dir<br /> [ 3845.737786] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14881 owner 5<br /> [ 3845.737789] BTRFS info (device dm-0): refs 4 lock_owner 0 current 30701<br /> [ 3845.737792] item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160<br /> [ 3845.737794] inode generation 3 transid 9 size 16 nbytes 16384<br /> [ 3845.737795] block group 0 mode 40755 links 1 uid 0 gid 0<br /> [ 3845.737797] rdev 0 sequence 2 flags 0x0<br /> [ 3845.737798] atime 1764259517.0<br /> [ 3845.737800] ctime 1764259517.572889464<br /> [ 3845.737801] mtime 1764259517.572889464<br /> [ 3845.737802] otime 1764259517.0<br /> [ 3845.737803] item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12<br /> [ 3845.737805] index 0 name_len 2<br /> [ 3845.737807] item 2 key (256 DIR_ITEM 2363071922) itemoff 16077 itemsize 34<br /> [ 3845.737808] location key (257 1 0) type 2<br /> [ 3845.737810] transid 9 data_len 0 name_len 4<br /> [ 3845.737811] item 3 key (256 DIR_ITEM 2676584006) itemoff 16043 itemsize 34<br /> [ 3845.737813] location key (258 1 0) type 2<br /> [ 3845.737814] transid 9 data_len 0 name_len 4<br /> [ 3845.737815] item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34<br /> [ 3845.737816] location key (257 1 0) type 2<br /> [<br /> ---truncated---