
CVE-2025-37904: Vulnerability in Linux Linux

High
Published: Tue May 20 2025 (05/20/2025, 15:21:38 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix the inode leak in btrfs_iget()

[BUG]
There is a bug report that a syzbot reproducer can lead to the following busy inode at unmount time:

  BTRFS info (device loop1): last unmount of filesystem 1680000e-3c1e-4c46-84b6-56bd3909af50
  VFS: Busy inodes after unmount of loop1 (btrfs)
  ------------[ cut here ]------------
  kernel BUG at fs/super.c:650!
  Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
  CPU: 0 UID: 0 PID: 48168 Comm: syz-executor Not tainted 6.15.0-rc2-00471-g119009db2674 #2 PREEMPT(full)
  Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
  RIP: 0010:generic_shutdown_super+0x2e9/0x390 fs/super.c:650
  Call Trace:
   <TASK>
   kill_anon_super+0x3a/0x60 fs/super.c:1237
   btrfs_kill_super+0x3b/0x50 fs/btrfs/super.c:2099
   deactivate_locked_super+0xbe/0x1a0 fs/super.c:473
   deactivate_super fs/super.c:506 [inline]
   deactivate_super+0xe2/0x100 fs/super.c:502
   cleanup_mnt+0x21f/0x440 fs/namespace.c:1435
   task_work_run+0x14d/0x240 kernel/task_work.c:227
   resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
   exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
   exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
   __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
   syscall_exit_to_user_mode+0x269/0x290 kernel/entry/common.c:218
   do_syscall_64+0xd4/0x250 arch/x86/entry/syscall_64.c:100
   entry_SYSCALL_64_after_hwframe+0x77/0x7f
   </TASK>

[CAUSE]
When btrfs_alloc_path() failed, btrfs_iget() directly returned without releasing the inode already allocated by btrfs_iget_locked().

This results in the above busy inode and triggers the kernel BUG.

[FIX]
Fix it by calling iget_failed() if btrfs_alloc_path() failed.

If we hit an error inside btrfs_read_locked_inode(), it will properly call iget_failed(), so nothing to worry about.

Although the iget_failed() cleanup inside btrfs_read_locked_inode() is a break of the normal error handling scheme, let's fix the obvious bug and backport first, then rework the error handling later.

AI-Powered Analysis

Last updated: 07/04/2025, 01:25:20 UTC

Technical Analysis

CVE-2025-37904 is a vulnerability identified in the Linux kernel's Btrfs filesystem implementation. The issue arises from an inode leak in the function btrfs_iget(), which is responsible for inode retrieval and management within the Btrfs filesystem. Specifically, when the function btrfs_alloc_path() fails during the inode retrieval process, btrfs_iget() returns prematurely without releasing an inode that was already allocated by btrfs_iget_locked(). This improper handling leads to a 'busy inode' condition during filesystem unmount operations, which can trigger a kernel BUG and cause a kernel panic or system crash. The bug is reproducible by syzbot, an automated kernel fuzzing tool, indicating that it can be triggered under certain conditions. The root cause is a missing call to iget_failed() in the error path of btrfs_iget(), which should properly release the allocated inode resources upon failure. The fix involves ensuring iget_failed() is called if btrfs_alloc_path() fails, preventing the inode leak and subsequent kernel panic. This vulnerability affects Linux kernel versions around 6.15.0-rc2 and likely other versions using the affected Btrfs code path. It is a memory/resource management bug within the filesystem code, leading to system instability rather than direct remote code execution or privilege escalation. No known exploits are reported in the wild at this time.
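
The leaking error path and its fix, as an added user-space C model (not kernel code and not part of the original advisory). The model_* functions, the sb_attached counter, the fixed/path_fails switches and inode number 256 are assumptions made for illustration.

```c
/* User-space model of the btrfs_iget() error path; constructed, not kernel code. */
#include <errno.h>
#include <stdlib.h>
struct inode { unsigned long ino; };
static int sb_attached; /* inodes still attached to the modelled superblock */

/* Models btrfs_iget_locked(): allocate an inode and attach it to the superblock. */
static struct inode *model_iget_locked(unsigned long ino)
{
    struct inode *inode = calloc(1, sizeof(*inode));
    if (inode) {
        inode->ino = ino;
        sb_attached++;
    }
    return inode;
}

/* Models iget_failed() and the final iput(): detach from the superblock, free. */
static void model_release(struct inode *inode)
{
    sb_attached--;
    free(inode);
}

/* fixed == 0 keeps the leaking return; path_fails injects the allocation failure. */
static int model_iget(unsigned long ino, int fixed, int path_fails, struct inode **out)
{
    struct inode *inode = model_iget_locked(ino);
    if (!inode)
        return -ENOMEM;
    void *path = path_fails ? NULL : malloc(16); /* models btrfs_alloc_path() */
    if (!path) {
        if (fixed)
            model_release(inode); /* the release step the fix adds */
        return -ENOMEM;           /* unfixed: inode stays attached, nobody owns it */
    }
    free(path);
    *out = inode;
    return 0;
}

/* One lookup followed by "unmount": returns how many inodes are still attached. */
static int busy_after_lookup(int fixed, int path_fails)
{
    struct inode *inode = NULL;
    sb_attached = 0;
    if (model_iget(256, fixed, path_fails, &inode) == 0)
        model_release(inode); /* a successful caller drops its reference */
    return sb_attached;
}
```

Calling busy_after_lookup(0, 1) leaves one inode attached at the modelled unmount, the state the kernel reports as busy inodes; busy_after_lookup(1, 1) leaves none.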

Potential Impact

For European organizations relying on Linux systems with Btrfs filesystems, this vulnerability poses a risk of system instability and potential denial of service (DoS) due to kernel panics triggered by inode leaks during filesystem unmount operations. This can affect servers, workstations, or embedded devices using Btrfs, particularly in environments where filesystems are frequently mounted and unmounted or where automated testing/fuzzing tools might trigger the bug. The impact is primarily on availability, as affected systems may crash or become unresponsive, requiring reboots and potentially causing service interruptions. While this does not directly lead to data breaches or privilege escalation, repeated crashes could disrupt critical services, data processing, or operational continuity. Organizations with infrastructure running Linux kernels that include the vulnerable Btrfs code should be aware of the risk, especially those using Btrfs for storage management, snapshots, or RAID configurations. The vulnerability also highlights the importance of kernel updates and filesystem stability in maintaining operational resilience.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched. Since the fix involves calling iget_failed() properly, kernel updates from official Linux distributions or backported patches from vendors should be applied promptly. System administrators should audit their environments to identify systems using Btrfs filesystems and verify kernel versions. In environments where immediate patching is not feasible, minimizing frequent mount/unmount operations of Btrfs filesystems can reduce exposure. Additionally, monitoring kernel logs for signs of 'busy inode' messages or kernel BUGs related to Btrfs can help detect attempts to trigger this vulnerability. For critical systems, consider implementing kernel crash dump analysis and automated recovery procedures to reduce downtime. Engaging with Linux distribution vendors for timely security updates and testing patches in staging environments before production deployment is recommended. Finally, organizations should maintain robust backup and recovery strategies to mitigate potential data availability issues caused by unexpected system crashes.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-04-16T04:51:23.965Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682cd0f71484d88663aeaf54

Added to database: 5/20/2025, 6:59:03 PM

Last enriched: 7/4/2025, 1:25:20 AM

Last updated: 8/1/2025, 4:33:13 AM
