CVE-2025-68358
Unknown Unknown - Not Provided
Race Condition in Linux btrfs Bitfield Write Causes Deadlock Risk

Publication date: 2025-12-24

Last updated on: 2026-02-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix racy bitfield write in btrfs_clear_space_info_full() From the memory-barriers.txt document regarding memory barrier ordering guarantees: (*) These guarantees do not apply to bitfields, because compilers often generate code to modify these using non-atomic read-modify-write sequences. Do not attempt to use bitfields to synchronize parallel algorithms. (*) Even in cases where bitfields are protected by locks, all fields in a given bitfield must be protected by one lock. If two fields in a given bitfield are protected by different locks, the compiler's non-atomic read-modify-write sequences can cause an update to one field to corrupt the value of an adjacent field. btrfs_space_info has a bitfield sharing an underlying word consisting of the fields full, chunk_alloc, and flush: struct btrfs_space_info { struct btrfs_fs_info * fs_info; /* 0 8 */ struct btrfs_space_info * parent; /* 8 8 */ ... int clamp; /* 172 4 */ unsigned int full:1; /* 176: 0 4 */ unsigned int chunk_alloc:1; /* 176: 1 4 */ unsigned int flush:1; /* 176: 2 4 */ ... Therefore, to be safe from parallel read-modify-writes losing a write to one of the bitfield members protected by a lock, all writes to all the bitfields must use the lock. They almost universally do, except for btrfs_clear_space_info_full() which iterates over the space_infos and writes out found->full = 0 without a lock. Imagine that we have one thread completing a transaction in which we finished deleting a block_group and are thus calling btrfs_clear_space_info_full() while simultaneously the data reclaim ticket infrastructure is running do_async_reclaim_data_space(): T1 T2 btrfs_commit_transaction btrfs_clear_space_info_full data_sinfo->full = 0 READ: full:0, chunk_alloc:0, flush:1 do_async_reclaim_data_space(data_sinfo) spin_lock(&space_info->lock); if(list_empty(tickets)) space_info->flush = 0; READ: full: 0, chunk_alloc:0, flush:1 MOD/WRITE: full: 0, chunk_alloc:0, flush:0 spin_unlock(&space_info->lock); return; MOD/WRITE: full:0, chunk_alloc:0, flush:1 and now data_sinfo->flush is 1 but the reclaim worker has exited. This breaks the invariant that flush is 0 iff there is no work queued or running. Once this invariant is violated, future allocations that go into __reserve_bytes() will add tickets to space_info->tickets but will see space_info->flush is set to 1 and not queue the work. After this, they will block forever on the resulting ticket, as it is now impossible to kick the worker again. I also confirmed by looking at the assembly of the affected kernel that it is doing RMW operations. For example, to set the flush (3rd) bit to 0, the assembly is: andb $0xfb,0x60(%rbx) and similarly for setting the full (1st) bit to 0: andb $0xfe,-0x20(%rax) So I think this is really a bug on practical systems. I have observed a number of systems in this exact state, but am currently unable to reproduce it. Rather than leaving this footgun lying around for the future, take advantage of the fact that there is room in the struct anyway, and that it is already quite large and simply change the three bitfield members to bools. This avoids writes to space_info->full having any effect on ---truncated---
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-24
Last Modified
2026-02-26
Generated
2026-05-07
AI Q&A
2025-12-24
EPSS Evaluated
2026-05-05
NVD
CVE-2025-68358
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.13 (inc) to 6.17.13 (exc)
linux linux_kernel From 6.18 (inc) to 6.18.2 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.68 (exc)
linux linux_kernel From 4.8 (inc) to 5.15.201 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.164 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.124 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a race condition in the Linux kernel's btrfs filesystem code, specifically in the function btrfs_clear_space_info_full(). It involves unsafe concurrent writes to bitfields without proper locking, which can cause corruption of adjacent bitfield values due to non-atomic read-modify-write sequences generated by compilers. This leads to a broken invariant where the 'flush' bit is incorrectly set, causing future allocations to block indefinitely because the system believes work is still queued or running when it is not.


How can this vulnerability impact me? :

The vulnerability can cause the btrfs filesystem to enter a state where certain operations block forever, specifically allocations that rely on the 'flush' bit to determine if work is queued or running. This can lead to system hangs or deadlocks during filesystem operations, potentially impacting system stability and availability.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is caused by a race condition in the Linux kernel's btrfs filesystem code where bitfield writes are done without proper locking, leading to corrupted state and potential deadlocks. To mitigate this vulnerability, update the Linux kernel to a version where this issue is fixed by changing the bitfield members to bools and ensuring all writes are properly locked. This prevents the race condition and maintains the invariant required for correct operation.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart