{"id":"AZL-67169","summary":"CVE-2025-39779 affecting package kernel 6.6.126.1-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: subpage: keep TOWRITE tag until folio is cleaned\n\nbtrfs_subpage_set_writeback() calls folio_start_writeback() the first time\na folio is written back, and it also clears the PAGECACHE_TAG_TOWRITE tag\neven if there are still dirty blocks in the folio. This can break ordering\nguarantees, such as those required by btrfs_wait_ordered_extents().\n\nThat ordering breakage leads to a real failure. For example, running\ngeneric/464 on a zoned setup will hit the following ASSERT. This happens\nbecause the broken ordering fails to flush existing dirty pages before the\nfile size is truncated.\n\n  assertion failed: !list_empty(&ordered-\u003elist) :: 0, in fs/btrfs/zoned.c:1899\n  ------------[ cut here ]------------\n  kernel BUG at fs/btrfs/zoned.c:1899!\n  Oops: invalid opcode: 0000 [#1] SMP NOPTI\n  CPU: 2 UID: 0 PID: 1906169 Comm: kworker/u130:2 Kdump: loaded Not tainted 6.16.0-rc6-BTRFS-ZNS+ #554 PREEMPT(voluntary)\n  Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.0 02/22/2021\n  Workqueue: btrfs-endio-write btrfs_work_helper [btrfs]\n  RIP: 0010:btrfs_finish_ordered_zoned.cold+0x50/0x52 [btrfs]\n  RSP: 0018:ffffc9002efdbd60 EFLAGS: 00010246\n  RAX: 000000000000004c RBX: ffff88811923c4e0 RCX: 0000000000000000\n  RDX: 0000000000000000 RSI: ffffffff827e38b1 RDI: 00000000ffffffff\n  RBP: ffff88810005d000 R08: 00000000ffffdfff R09: ffffffff831051c8\n  R10: ffffffff83055220 R11: 0000000000000000 R12: ffff8881c2458c00\n  R13: ffff88811923c540 R14: ffff88811923c5e8 R15: ffff8881c1bd9680\n  FS:  0000000000000000(0000) GS:ffff88a04acd0000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f907c7a918c CR3: 0000000004024000 CR4: 0000000000350ef0\n  Call Trace:\n   \u003cTASK\u003e\n   ? srso_return_thunk+0x5/0x5f\n   btrfs_finish_ordered_io+0x4a/0x60 [btrfs]\n   btrfs_work_helper+0xf9/0x490 [btrfs]\n   process_one_work+0x204/0x590\n   ? srso_return_thunk+0x5/0x5f\n   worker_thread+0x1d6/0x3d0\n   ? __pfx_worker_thread+0x10/0x10\n   kthread+0x118/0x230\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x205/0x260\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   \u003c/TASK\u003e\n\nConsider process A calling writepages() with WB_SYNC_NONE. In zoned mode or\nfor compressed writes, it locks several folios for delalloc and starts\nwriting them out. Let's call the last locked folio folio X. Suppose the\nwrite range only partially covers folio X, leaving some pages dirty.\nProcess A calls btrfs_subpage_set_writeback() when building a bio. This\nfunction call clears the TOWRITE tag of folio X, whose size = 8K and\nthe block size = 4K. It is following state.\n\n   0     4K    8K\n   |/////|/////|  (flag: DIRTY, tag: DIRTY)\n   \u003c-----\u003e Process A will write this range.\n\nNow suppose process B concurrently calls writepages() with WB_SYNC_ALL. It\ncalls tag_pages_for_writeback() to tag dirty folios with\nPAGECACHE_TAG_TOWRITE. Since folio X is still dirty, it gets tagged. Then,\nB collects tagged folios using filemap_get_folios_tag() and must wait for\nfolio X to be written before returning from writepages().\n\n   0     4K    8K\n   |/////|/////|  (flag: DIRTY, tag: DIRTY|TOWRITE)\n\nHowever, between tagging and collecting, process A may call\nbtrfs_subpage_set_writeback() and clear folio X's TOWRITE tag.\n   0     4K    8K\n   |     |/////|  (flag: DIRTY|WRITEBACK, tag: DIRTY)\n\nAs a result, process B won't see folio X in its batch, and returns without\nwaiting for it. This breaks the WB_SYNC_ALL ordering requirement.\n\nFix this by using btrfs_subpage_set_writeback_keepwrite(), which retains\nthe TOWRITE tag. We now manually clear the tag only after the folio becomes\nclean, via the xas operation.","modified":"2026-04-01T05:21:08.548789Z","published":"2025-09-11T17:15:43Z","upstream":["CVE-2025-39779"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39779"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"6.6.126.1-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-67169.json"}}],"schema_version":"1.7.5"}