CVE-2025-37904 Information
Description
In the Linux kernel the following vulnerability has been resolved:
btrfs: fix the inode leak in btrfs_iget()
[BUG] There is a bug report that a syzbot reproducer can lead to the following busy inode at unmount time:
BTRFS info (device loop1): last unmount of filesystem 1680000e-3c1e-4c46-84b6-56bd3909af50
VFS: Busy inodes after unmount of loop1 (btrfs)
------------[ cut here ]------------
kernel BUG at fs/super.c:650!
Oops: invalid opcode: 0000 [1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 48168 Comm: syz-executor Not tainted 6.15.0-rc2-00471-g119009db2674 2 PREEMPT(full)
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX 1996) BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:generic_shutdown_super+0x2e9/0x390 fs/super.c:650
Call Trace:
[CAUSE] When btrfs_alloc_path() failed, btrfs_iget() directly returned without releasing the inode already allocated by btrfs_iget_locked().
This results in the above busy inode and triggers the kernel BUG.
[FIX] Fix it by calling iget_failed() if btrfs_alloc_path() failed.
If we hit an error inside btrfs_read_locked_inode(), it will properly call iget_failed(), so nothing to worry about.
Although the iget_failed() cleanup inside btrfs_read_locked_inode() is a break of the normal error handling scheme, let’s fix the obvious bug and backport first, then rework the error handling later.
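The leak pattern and its fix, as a userspace model added here for illustration (not the kernel's btrfs code): every `toy_*` name is a hypothetical stand-in, and the single inode slot per superblock is a simplifying assumption.

```c
#include <stdio.h>
#include <stddef.h>

/* Userspace model only: toy_* types and functions are hypothetical
 * stand-ins for the kernel objects named in the description. */
struct toy_inode { int in_use; };
struct toy_sb { int live_inodes; struct toy_inode slot; };

/* Models btrfs_iget_locked(): the inode becomes attached to the superblock. */
static struct toy_inode *toy_iget_locked(struct toy_sb *sb)
{
    sb->slot.in_use = 1;
    sb->live_inodes++;
    return &sb->slot;
}

/* Models releasing the inode: iget_failed() on the error path,
 * or the normal final release by the caller on success. */
static void toy_drop_inode(struct toy_sb *sb, struct toy_inode *inode)
{
    inode->in_use = 0;
    sb->live_inodes--;
}

/* Models btrfs_alloc_path(); 'fail' simulates an allocation failure. */
static void *toy_alloc_path(int fail)
{
    static char path_buf[16];
    return fail ? NULL : path_buf;
}

/* with_fix == 0: early return that forgets the inode (the bug).
 * with_fix == 1: release the inode before returning (the fix). */
static struct toy_inode *toy_iget(struct toy_sb *sb, int path_fails, int with_fix)
{
    struct toy_inode *inode = toy_iget_locked(sb);
    if (!toy_alloc_path(path_fails)) {
        if (with_fix)
            toy_drop_inode(sb, inode);
        return NULL;            /* caller can no longer reach the inode */
    }
    return inode;
}

/* Number of inodes still attached when the filesystem is "unmounted". */
static int busy_after_unmount(int path_fails, int with_fix)
{
    struct toy_sb sb = { 0 };
    struct toy_inode *inode = toy_iget(&sb, path_fails, with_fix);
    if (inode)
        toy_drop_inode(&sb, inode);   /* caller releases on success */
    return sb.live_inodes;
}

int main(void)
{
    printf("unfixed: %d busy, fixed: %d busy\n",
           busy_after_unmount(1, 0), busy_after_unmount(1, 1));
    return 0;
}
```

A non-zero count in the unfixed case corresponds to the "Busy inodes after unmount" condition in the log above.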
Reference
https://git.kernel.org/stable/c/30a339bece3a44ab0a821477139e84fb86af9761
https://git.kernel.org/stable/c/48c1d1bb525b1c44b8bdc8e7ec5629cb6c2b9fc4