CVE-2025-68359 - Vulnerability Details

Vendors	Products
Linux	Linux Kernel

Link	Providers
https://git.kernel.org/stable/c/364685c4c2d9c9f4408d95451bcf42fdeebc3ebb
https://git.kernel.org/stable/c/725e46298876a2cc1f1c3fb22ba69d29102c3ddf
https://git.kernel.org/stable/c/7617680769e3119dfb3b43a2b7c287ce2242211c

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free of qgroup record after failure to add delayed ref head In the previous code it was possible to incur into a double kfree() scenario when calling add_delayed_ref_head(). This could happen if the record was reported to already exist in the btrfs_qgroup_trace_extent_nolock() call, but then there was an error later on add_delayed_ref_head(). In this case, since add_delayed_ref_head() returned an error, the caller went to free the record. Since add_delayed_ref_head() couldn't set this kfree'd pointer to NULL, then kfree() would have acted on a non-NULL 'record' object which was pointing to memory already freed by the callee. The problem comes from the fact that the responsibility to kfree the object is on both the caller and the callee at the same time. Hence, the fix for this is to shift the ownership of the 'qrecord' object out of the add_delayed_ref_head(). That is, we will never attempt to kfree() the given object inside of this function, and will expect the caller to act on the 'qrecord' object on its own. The only exception where the 'qrecord' object cannot be kfree'd is if it was inserted into the tracing logic, for which we already have the 'qrecord_inserted_ret' boolean to account for this. Hence, the caller has to kfree the object only if add_delayed_ref_head() reports not to have inserted it on the tracing logic. As a side-effect of the above, we must guarantee that 'qrecord_inserted_ret' is properly initialized at the start of the function, not at the end, and then set when an actual insert happens. This way we avoid 'qrecord_inserted_ret' having an invalid value on an early exit. The documentation from the add_delayed_ref_head() has also been updated to reflect on the exact ownership of the 'qrecord' object.
Title		btrfs: fix double free of qgroup record after failure to add delayed ref head
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/364685c4c2d9c9f4408d95451bcf42fdeebc3ebb https://git.kernel.org/stable/c/725e46298876a2cc1f1c3fb22ba69d29102c3ddf https://git.kernel.org/stable/c/7617680769e3119dfb3b43a2b7c287ce2242211c

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68359", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-16T14:48:05.305Z", "datePublished": "2025-12-24T10:32:48.456Z", "dateUpdated": "2025-12-24T10:32:48.456Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-24T10:32:48.456Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix double free of qgroup record after failure to add delayed ref head\n\nIn the previous code it was possible to incur into a double kfree()\nscenario when calling add_delayed_ref_head(). This could happen if the\nrecord was reported to already exist in the\nbtrfs_qgroup_trace_extent_nolock() call, but then there was an error\nlater on add_delayed_ref_head(). In this case, since\nadd_delayed_ref_head() returned an error, the caller went to free the\nrecord. Since add_delayed_ref_head() couldn't set this kfree'd pointer\nto NULL, then kfree() would have acted on a non-NULL 'record' object\nwhich was pointing to memory already freed by the callee.\n\nThe problem comes from the fact that the responsibility to kfree the\nobject is on both the caller and the callee at the same time. Hence, the\nfix for this is to shift the ownership of the 'qrecord' object out of\nthe add_delayed_ref_head(). That is, we will never attempt to kfree()\nthe given object inside of this function, and will expect the caller to\nact on the 'qrecord' object on its own. The only exception where the\n'qrecord' object cannot be kfree'd is if it was inserted into the\ntracing logic, for which we already have the 'qrecord_inserted_ret'\nboolean to account for this. Hence, the caller has to kfree the object\nonly if add_delayed_ref_head() reports not to have inserted it on the\ntracing logic.\n\nAs a side-effect of the above, we must guarantee that\n'qrecord_inserted_ret' is properly initialized at the start of the\nfunction, not at the end, and then set when an actual insert\nhappens. This way we avoid 'qrecord_inserted_ret' having an invalid\nvalue on an early exit.\n\nThe documentation from the add_delayed_ref_head() has also been updated\nto reflect on the exact ownership of the 'qrecord' object."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/delayed-ref.c"], "versions": [{"version": "6ef8fbce010421bf742b12b8f8f2b2d2ff154845", "lessThan": "7617680769e3119dfb3b43a2b7c287ce2242211c", "status": "affected", "versionType": "git"}, {"version": "6ef8fbce010421bf742b12b8f8f2b2d2ff154845", "lessThan": "364685c4c2d9c9f4408d95451bcf42fdeebc3ebb", "status": "affected", "versionType": "git"}, {"version": "6ef8fbce010421bf742b12b8f8f2b2d2ff154845", "lessThan": "725e46298876a2cc1f1c3fb22ba69d29102c3ddf", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/delayed-ref.c"], "versions": [{"version": "6.12", "status": "affected"}, {"version": "0", "lessThan": "6.12", "status": "unaffected", "versionType": "semver"}, {"version": "6.17.13", "lessThanOrEqual": "6.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.2", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.17.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.18.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.19-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7617680769e3119dfb3b43a2b7c287ce2242211c"}, {"url": "https://git.kernel.org/stable/c/364685c4c2d9c9f4408d95451bcf42fdeebc3ebb"}, {"url": "https://git.kernel.org/stable/c/725e46298876a2cc1f1c3fb22ba69d29102c3ddf"}], "title": "btrfs: fix double free of qgroup record after failure to add delayed ref head", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix double free of qgroup record after failure to add delayed ref head\n\nIn the previous code it was possible to incur into a double kfree()\nscenario when calling add_delayed_ref_head(). This could happen if the\nrecord was reported to already exist in the\nbtrfs_qgroup_trace_extent_nolock() call, but then there was an error\nlater on add_delayed_ref_head(). In this case, since\nadd_delayed_ref_head() returned an error, the caller went to free the\nrecord. Since add_delayed_ref_head() couldn't set this kfree'd pointer\nto NULL, then kfree() would have acted on a non-NULL 'record' object\nwhich was pointing to memory already freed by the callee.\n\nThe problem comes from the fact that the responsibility to kfree the\nobject is on both the caller and the callee at the same time. Hence, the\nfix for this is to shift the ownership of the 'qrecord' object out of\nthe add_delayed_ref_head(). That is, we will never attempt to kfree()\nthe given object inside of this function, and will expect the caller to\nact on the 'qrecord' object on its own. The only exception where the\n'qrecord' object cannot be kfree'd is if it was inserted into the\ntracing logic, for which we already have the 'qrecord_inserted_ret'\nboolean to account for this. Hence, the caller has to kfree the object\nonly if add_delayed_ref_head() reports not to have inserted it on the\ntracing logic.\n\nAs a side-effect of the above, we must guarantee that\n'qrecord_inserted_ret' is properly initialized at the start of the\nfunction, not at the end, and then set when an actual insert\nhappens. This way we avoid 'qrecord_inserted_ret' having an invalid\nvalue on an early exit.\n\nThe documentation from the add_delayed_ref_head() has also been updated\nto reflect on the exact ownership of the 'qrecord' object."}], "id": "CVE-2025-68359", "lastModified": "2025-12-24T11:15:59.283", "metrics": {}, "published": "2025-12-24T11:15:59.283", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/364685c4c2d9c9f4408d95451bcf42fdeebc3ebb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/725e46298876a2cc1f1c3fb22ba69d29102c3ddf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7617680769e3119dfb3b43a2b7c287ce2242211c"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object