{"id":"CVE-2025-37856","summary":"btrfs: harden block_group::bg_list against list_del() races","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: harden block_group::bg_list against list_del() races\n\nAs far as I can tell, these calls of list_del_init() on bg_list cannot\nrun concurrently with btrfs_mark_bg_unused() or btrfs_mark_bg_to_reclaim(),\nas they are in transaction error paths and situations where the block\ngroup is readonly.\n\nHowever, if there is any chance at all of racing with mark_bg_unused(),\nor a different future user of bg_list, better to be safe than sorry.\n\nOtherwise we risk the following interleaving (bg_list refcount in parens)\n\nT1 (some random op)                       T2 (btrfs_mark_bg_unused)\n                                        !list_empty(&bg-\u003ebg_list); (1)\nlist_del_init(&bg-\u003ebg_list); (1)\n                                        list_move_tail (1)\nbtrfs_put_block_group (0)\n                                        btrfs_delete_unused_bgs\n                                             bg = list_first_entry\n                                             list_del_init(&bg-\u003ebg_list);\n                                             btrfs_put_block_group(bg); (-1)\n\nUltimately, this results in a broken ref count that hits zero one deref\nearly and the real final deref underflows the refcount, resulting in a WARNING.","modified":"2026-04-02T12:47:33.711295Z","published":"2025-05-09T06:42:04.315Z","related":["SUSE-SU-2025:02846-1","SUSE-SU-2025:02853-1","SUSE-SU-2025:02923-1","SUSE-SU-2025:02969-1","SUSE-SU-2025:02996-1","SUSE-SU-2025:02997-1","SUSE-SU-2025:03011-1","SUSE-SU-2025:03023-1","SUSE-SU-2025:20577-1","SUSE-SU-2025:20586-1","SUSE-SU-2025:20601-1","SUSE-SU-2025:20602-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","openSUSE-SU-2025:20081-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37856.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/185fd73e5ac06027c4be9a129e59193f6a3ef202"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7511e29cf1355b2c47d0effb39e463119913e2f6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/909e60fb469d4101c6b08cf6e622efb062bb24a1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bf089c4d1141b27332c092b1dcca5022c415a3b6"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37856.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37856"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"a9f189716cf15913c453299d72f69c51a9b0f86b"},{"fixed":"bf089c4d1141b27332c092b1dcca5022c415a3b6"},{"fixed":"909e60fb469d4101c6b08cf6e622efb062bb24a1"},{"fixed":"185fd73e5ac06027c4be9a129e59193f6a3ef202"},{"fixed":"7511e29cf1355b2c47d0effb39e463119913e2f6"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"edf3b5aadb2515c808200b904baa5b70a727f0ac"},{"last_affected":"01eca70ef8cf499d0cb6d1bbd691558e7792cf17"},{"last_affected":"5d19abcffd8404078dfa7d7118cec357b5e7bc58"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-37856.json"}}],"schema_version":"1.7.5"}