{"id":"CVE-2025-38370","summary":"btrfs: fix failure to rebuild free space tree using multiple transactions","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix failure to rebuild free space tree using multiple transactions\n\nIf we are rebuilding a free space tree, while modifying the free space\ntree we may need to allocate a new metadata block group.\nIf we end up using multiple transactions for the rebuild, when we call\nbtrfs_end_transaction() we enter btrfs_create_pending_block_groups()\nwhich calls add_block_group_free_space() to add items to the free space\ntree for the block group.\n\nThen later during the free space tree rebuild, at\nbtrfs_rebuild_free_space_tree(), we may find such new block groups\nand call populate_free_space_tree() for them, which fails with -EEXIST\nbecause there are already items in the free space tree. Then we abort the\ntransaction with -EEXIST at btrfs_rebuild_free_space_tree().\nNotice that we say \"may find\" the new block groups because a new block\ngroup may be inserted in the block groups rbtree, which is being iterated\nby the rebuild process, before or after the current node where the rebuild\nprocess is currently at.\n\nSyzbot recently reported such case which produces a trace like the\nfollowing:\n\n  ------------[ cut here ]------------\n  BTRFS: Transaction aborted (error -17)\n  WARNING: CPU: 1 PID: 7626 at fs/btrfs/free-space-tree.c:1341 btrfs_rebuild_free_space_tree+0x470/0x54c fs/btrfs/free-space-tree.c:1341\n  Modules linked in:\n  CPU: 1 UID: 0 PID: 7626 Comm: syz.2.25 Not tainted 6.15.0-rc7-syzkaller-00085-gd7fa1af5b33e-dirty #0 PREEMPT\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\n  pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : btrfs_rebuild_free_space_tree+0x470/0x54c fs/btrfs/free-space-tree.c:1341\n  lr : btrfs_rebuild_free_space_tree+0x470/0x54c fs/btrfs/free-space-tree.c:1341\n  sp : ffff80009c4f7740\n  x29: ffff80009c4f77b0 x28: ffff0000d4c3f400 x27: 0000000000000000\n  x26: dfff800000000000 x25: ffff70001389eee8 x24: 0000000000000003\n  x23: 1fffe000182b6e7b x22: 0000000000000000 x21: ffff0000c15b73d8\n  x20: 00000000ffffffef x19: ffff0000c15b7378 x18: 1fffe0003386f276\n  x17: ffff80008f31e000 x16: ffff80008adbe98c x15: 0000000000000001\n  x14: 1fffe0001b281550 x13: 0000000000000000 x12: 0000000000000000\n  x11: ffff60001b281551 x10: 0000000000000003 x9 : 1c8922000a902c00\n  x8 : 1c8922000a902c00 x7 : ffff800080485878 x6 : 0000000000000000\n  x5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff80008047843c\n  x2 : 0000000000000001 x1 : ffff80008b3ebc40 x0 : 0000000000000001\n  Call trace:\n   btrfs_rebuild_free_space_tree+0x470/0x54c fs/btrfs/free-space-tree.c:1341 (P)\n   btrfs_start_pre_rw_mount+0xa78/0xe10 fs/btrfs/disk-io.c:3074\n   btrfs_remount_rw fs/btrfs/super.c:1319 [inline]\n   btrfs_reconfigure+0x828/0x2418 fs/btrfs/super.c:1543\n   reconfigure_super+0x1d4/0x6f0 fs/super.c:1083\n   do_remount fs/namespace.c:3365 [inline]\n   path_mount+0xb34/0xde0 fs/namespace.c:4200\n   do_mount fs/namespace.c:4221 [inline]\n   __do_sys_mount fs/namespace.c:4432 [inline]\n   __se_sys_mount fs/namespace.c:4409 [inline]\n   __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4409\n   __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n   invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n   el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n   do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n   el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767\n   el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786\n   el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600\n  irq event stamp: 330\n  hardirqs last  enabled at (329): [\u003cffff80008048590c\u003e] raw_spin_rq_unlock_irq kernel/sched/sched.h:1525 [inline]\n  hardirqs last  enabled at (329): [\u003cffff80008048590c\u003e] finish_lock_switch+0xb0/0x1c0 kernel/sched/core.c:5130\n  hardirqs last disabled at (330): [\u003cffff80008adb9e60\u003e] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:511\n  softirqs last  enabled at (10): [\u003cffff8000801fbf10\u003e] local_bh_enable+0\n---truncated---","modified":"2026-04-02T12:47:57.052056Z","published":"2025-07-25T12:53:13.515Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38370.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1e6ed33cabba8f06f532f2e5851a102602823734"},{"type":"WEB","url":"https://git.kernel.org/stable/c/88fdd4899ea9bfe6cf943f099fcf8ad5df153782"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38370.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38370"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"882af9f13e830c0a4ef696bb72cd5998a5067a93"},{"fixed":"88fdd4899ea9bfe6cf943f099fcf8ad5df153782"},{"fixed":"1e6ed33cabba8f06f532f2e5851a102602823734"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38370.json"}}],"schema_version":"1.7.5"}