{"id":"AZL-73959","summary":"CVE-2025-39759 affecting package kernel 5.15.200.1-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: fix race between quota disable and quota rescan ioctl\n\nThere's a race between a task disabling quotas and another running the\nrescan ioctl that can result in a use-after-free of qgroup records from\nthe fs_info-\u003eqgroup_tree rbtree.\n\nThis happens as follows:\n\n1) Task A enters btrfs_ioctl_quota_rescan() -\u003e btrfs_qgroup_rescan();\n\n2) Task B enters btrfs_quota_disable() and calls\n   btrfs_qgroup_wait_for_completion(), which does nothing because at that\n   point fs_info-\u003eqgroup_rescan_running is false (it wasn't set yet by\n   task A);\n\n3) Task B calls btrfs_free_qgroup_config() which starts freeing qgroups\n   from fs_info-\u003eqgroup_tree without taking the lock fs_info-\u003eqgroup_lock;\n\n4) Task A enters qgroup_rescan_zero_tracking() which starts iterating\n   the fs_info-\u003eqgroup_tree tree while holding fs_info-\u003eqgroup_lock,\n   but task B is freeing qgroup records from that tree without holding\n   the lock, resulting in a use-after-free.\n\nFix this by taking fs_info-\u003eqgroup_lock at btrfs_free_qgroup_config().\nAlso at btrfs_qgroup_rescan() don't start the rescan worker if quotas\nwere already disabled.","modified":"2026-04-01T05:22:40.254215Z","published":"2025-09-11T17:15:39Z","upstream":["CVE-2025-39759"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39759"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"5.15.200.1-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-73959.json"}}],"schema_version":"1.7.5"}