CVE-2025-68778 (GCVE-0-2025-68778)

Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-02-09 08:33
VLAI?
Title
btrfs: don't log conflicting inode if it's a dir moved in the current transaction
Summary
In the Linux kernel, the following vulnerability has been resolved: btrfs: don't log conflicting inode if it's a dir moved in the current transaction We can't log a conflicting inode if it's a directory and it was moved from one parent directory to another parent directory in the current transaction, as this can result an attempt to have a directory with two hard links during log replay, one for the old parent directory and another for the new parent directory. The following scenario triggers that issue: 1) We have directories "dir1" and "dir2" created in a past transaction. Directory "dir1" has inode A as its parent directory; 2) We move "dir1" to some other directory; 3) We create a file with the name "dir1" in directory inode A; 4) We fsync the new file. This results in logging the inode of the new file and the inode for the directory "dir1" that was previously moved in the current transaction. So the log tree has the INODE_REF item for the new location of "dir1"; 5) We move the new file to some other directory. This results in updating the log tree to included the new INODE_REF for the new location of the file and removes the INODE_REF for the old location. This happens during the rename when we call btrfs_log_new_name(); 6) We fsync the file, and that persists the log tree changes done in the previous step (btrfs_log_new_name() only updates the log tree in memory); 7) We have a power failure; 8) Next time the fs is mounted, log replay happens and when processing the inode for directory "dir1" we find a new INODE_REF and add that link, but we don't remove the old link of the inode since we have not logged the old parent directory of the directory inode "dir1". As a result after log replay finishes when we trigger writeback of the subvolume tree's extent buffers, the tree check will detect that we have a directory a hard link count of 2 and we get a mount failure. The errors and stack traces reported in dmesg/syslog are like this: [ 3845.729764] BTRFS info (device dm-0): start tree-log replay [ 3845.730304] page: refcount:3 mapcount:0 mapping:000000005c8a3027 index:0x1d00 pfn:0x11510c [ 3845.731236] memcg:ffff9264c02f4e00 [ 3845.731751] aops:btree_aops [btrfs] ino:1 [ 3845.732300] flags: 0x17fffc00000400a(uptodate|private|writeback|node=0|zone=2|lastcpupid=0x1ffff) [ 3845.733346] raw: 017fffc00000400a 0000000000000000 dead000000000122 ffff9264d978aea8 [ 3845.734265] raw: 0000000000001d00 ffff92650e6d4738 00000003ffffffff ffff9264c02f4e00 [ 3845.735305] page dumped because: eb page dump [ 3845.735981] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=6 ino=257, invalid nlink: has 2 expect no more than 1 for dir [ 3845.737786] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14881 owner 5 [ 3845.737789] BTRFS info (device dm-0): refs 4 lock_owner 0 current 30701 [ 3845.737792] item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160 [ 3845.737794] inode generation 3 transid 9 size 16 nbytes 16384 [ 3845.737795] block group 0 mode 40755 links 1 uid 0 gid 0 [ 3845.737797] rdev 0 sequence 2 flags 0x0 [ 3845.737798] atime 1764259517.0 [ 3845.737800] ctime 1764259517.572889464 [ 3845.737801] mtime 1764259517.572889464 [ 3845.737802] otime 1764259517.0 [ 3845.737803] item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12 [ 3845.737805] index 0 name_len 2 [ 3845.737807] item 2 key (256 DIR_ITEM 2363071922) itemoff 16077 itemsize 34 [ 3845.737808] location key (257 1 0) type 2 [ 3845.737810] transid 9 data_len 0 name_len 4 [ 3845.737811] item 3 key (256 DIR_ITEM 2676584006) itemoff 16043 itemsize 34 [ 3845.737813] location key (258 1 0) type 2 [ 3845.737814] transid 9 data_len 0 name_len 4 [ 3845.737815] item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34 [ 3845.737816] location key (257 1 0) type 2 [ ---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 44f714dae50a2e795d3268a6831762aa6fa54f55 , < d64f3834dffef80f0a9185a037617a54ed7f4bd2 (git)
Affected: 44f714dae50a2e795d3268a6831762aa6fa54f55 , < 7359e1d39c78816ecbdb0cb4e93975794ce53973 (git)
Affected: 44f714dae50a2e795d3268a6831762aa6fa54f55 , < d478f50727c3ee46d0359f0d2ae114f70191816e (git)
Affected: 44f714dae50a2e795d3268a6831762aa6fa54f55 , < a35788ddf8df65837897ecbb0ddb2896b863159e (git)
Affected: 44f714dae50a2e795d3268a6831762aa6fa54f55 , < 266273eaf4d99475f1ae57f687b3e42bc71ec6f0 (git)
Create a notification for this product.
    Linux Linux Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.64 , ≤ 6.12.* (semver)
Unaffected: 6.18.3 , ≤ 6.18.* (semver)
Unaffected: 6.19 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/tree-log.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d64f3834dffef80f0a9185a037617a54ed7f4bd2",
              "status": "affected",
              "version": "44f714dae50a2e795d3268a6831762aa6fa54f55",
              "versionType": "git"
            },
            {
              "lessThan": "7359e1d39c78816ecbdb0cb4e93975794ce53973",
              "status": "affected",
              "version": "44f714dae50a2e795d3268a6831762aa6fa54f55",
              "versionType": "git"
            },
            {
              "lessThan": "d478f50727c3ee46d0359f0d2ae114f70191816e",
              "status": "affected",
              "version": "44f714dae50a2e795d3268a6831762aa6fa54f55",
              "versionType": "git"
            },
            {
              "lessThan": "a35788ddf8df65837897ecbb0ddb2896b863159e",
              "status": "affected",
              "version": "44f714dae50a2e795d3268a6831762aa6fa54f55",
              "versionType": "git"
            },
            {
              "lessThan": "266273eaf4d99475f1ae57f687b3e42bc71ec6f0",
              "status": "affected",
              "version": "44f714dae50a2e795d3268a6831762aa6fa54f55",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/tree-log.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.64",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.3",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don\u0027t log conflicting inode if it\u0027s a dir moved in the current transaction\n\nWe can\u0027t log a conflicting inode if it\u0027s a directory and it was moved\nfrom one parent directory to another parent directory in the current\ntransaction, as this can result an attempt to have a directory with\ntwo hard links during log replay, one for the old parent directory and\nanother for the new parent directory.\n\nThe following scenario triggers that issue:\n\n1) We have directories \"dir1\" and \"dir2\" created in a past transaction.\n   Directory \"dir1\" has inode A as its parent directory;\n\n2) We move \"dir1\" to some other directory;\n\n3) We create a file with the name \"dir1\" in directory inode A;\n\n4) We fsync the new file. This results in logging the inode of the new file\n   and the inode for the directory \"dir1\" that was previously moved in the\n   current transaction. So the log tree has the INODE_REF item for the\n   new location of \"dir1\";\n\n5) We move the new file to some other directory. This results in updating\n   the log tree to included the new INODE_REF for the new location of the\n   file and removes the INODE_REF for the old location. This happens\n   during the rename when we call btrfs_log_new_name();\n\n6) We fsync the file, and that persists the log tree changes done in the\n   previous step (btrfs_log_new_name() only updates the log tree in\n   memory);\n\n7) We have a power failure;\n\n8) Next time the fs is mounted, log replay happens and when processing\n   the inode for directory \"dir1\" we find a new INODE_REF and add that\n   link, but we don\u0027t remove the old link of the inode since we have\n   not logged the old parent directory of the directory inode \"dir1\".\n\nAs a result after log replay finishes when we trigger writeback of the\nsubvolume tree\u0027s extent buffers, the tree check will detect that we have\na directory a hard link count of 2 and we get a mount failure.\nThe errors and stack traces reported in dmesg/syslog are like this:\n\n   [ 3845.729764] BTRFS info (device dm-0): start tree-log replay\n   [ 3845.730304] page: refcount:3 mapcount:0 mapping:000000005c8a3027 index:0x1d00 pfn:0x11510c\n   [ 3845.731236] memcg:ffff9264c02f4e00\n   [ 3845.731751] aops:btree_aops [btrfs] ino:1\n   [ 3845.732300] flags: 0x17fffc00000400a(uptodate|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)\n   [ 3845.733346] raw: 017fffc00000400a 0000000000000000 dead000000000122 ffff9264d978aea8\n   [ 3845.734265] raw: 0000000000001d00 ffff92650e6d4738 00000003ffffffff ffff9264c02f4e00\n   [ 3845.735305] page dumped because: eb page dump\n   [ 3845.735981] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=6 ino=257, invalid nlink: has 2 expect no more than 1 for dir\n   [ 3845.737786] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14881 owner 5\n   [ 3845.737789] BTRFS info (device dm-0): refs 4 lock_owner 0 current 30701\n   [ 3845.737792] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160\n   [ 3845.737794] \t\tinode generation 3 transid 9 size 16 nbytes 16384\n   [ 3845.737795] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0\n   [ 3845.737797] \t\trdev 0 sequence 2 flags 0x0\n   [ 3845.737798] \t\tatime 1764259517.0\n   [ 3845.737800] \t\tctime 1764259517.572889464\n   [ 3845.737801] \t\tmtime 1764259517.572889464\n   [ 3845.737802] \t\totime 1764259517.0\n   [ 3845.737803] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12\n   [ 3845.737805] \t\tindex 0 name_len 2\n   [ 3845.737807] \titem 2 key (256 DIR_ITEM 2363071922) itemoff 16077 itemsize 34\n   [ 3845.737808] \t\tlocation key (257 1 0) type 2\n   [ 3845.737810] \t\ttransid 9 data_len 0 name_len 4\n   [ 3845.737811] \titem 3 key (256 DIR_ITEM 2676584006) itemoff 16043 itemsize 34\n   [ 3845.737813] \t\tlocation key (258 1 0) type 2\n   [ 3845.737814] \t\ttransid 9 data_len 0 name_len 4\n   [ 3845.737815] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34\n   [ 3845.737816] \t\tlocation key (257 1 0) type 2\n   [\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-09T08:33:24.172Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d64f3834dffef80f0a9185a037617a54ed7f4bd2"
        },
        {
          "url": "https://git.kernel.org/stable/c/7359e1d39c78816ecbdb0cb4e93975794ce53973"
        },
        {
          "url": "https://git.kernel.org/stable/c/d478f50727c3ee46d0359f0d2ae114f70191816e"
        },
        {
          "url": "https://git.kernel.org/stable/c/a35788ddf8df65837897ecbb0ddb2896b863159e"
        },
        {
          "url": "https://git.kernel.org/stable/c/266273eaf4d99475f1ae57f687b3e42bc71ec6f0"
        }
      ],
      "title": "btrfs: don\u0027t log conflicting inode if it\u0027s a dir moved in the current transaction",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68778",
    "datePublished": "2026-01-13T15:28:54.107Z",
    "dateReserved": "2025-12-24T10:30:51.035Z",
    "dateUpdated": "2026-02-09T08:33:24.172Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-68778\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-01-13T16:15:57.423\",\"lastModified\":\"2026-01-14T16:26:00.933\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: don\u0027t log conflicting inode if it\u0027s a dir moved in the current transaction\\n\\nWe can\u0027t log a conflicting inode if it\u0027s a directory and it was moved\\nfrom one parent directory to another parent directory in the current\\ntransaction, as this can result an attempt to have a directory with\\ntwo hard links during log replay, one for the old parent directory and\\nanother for the new parent directory.\\n\\nThe following scenario triggers that issue:\\n\\n1) We have directories \\\"dir1\\\" and \\\"dir2\\\" created in a past transaction.\\n   Directory \\\"dir1\\\" has inode A as its parent directory;\\n\\n2) We move \\\"dir1\\\" to some other directory;\\n\\n3) We create a file with the name \\\"dir1\\\" in directory inode A;\\n\\n4) We fsync the new file. This results in logging the inode of the new file\\n   and the inode for the directory \\\"dir1\\\" that was previously moved in the\\n   current transaction. So the log tree has the INODE_REF item for the\\n   new location of \\\"dir1\\\";\\n\\n5) We move the new file to some other directory. This results in updating\\n   the log tree to included the new INODE_REF for the new location of the\\n   file and removes the INODE_REF for the old location. This happens\\n   during the rename when we call btrfs_log_new_name();\\n\\n6) We fsync the file, and that persists the log tree changes done in the\\n   previous step (btrfs_log_new_name() only updates the log tree in\\n   memory);\\n\\n7) We have a power failure;\\n\\n8) Next time the fs is mounted, log replay happens and when processing\\n   the inode for directory \\\"dir1\\\" we find a new INODE_REF and add that\\n   link, but we don\u0027t remove the old link of the inode since we have\\n   not logged the old parent directory of the directory inode \\\"dir1\\\".\\n\\nAs a result after log replay finishes when we trigger writeback of the\\nsubvolume tree\u0027s extent buffers, the tree check will detect that we have\\na directory a hard link count of 2 and we get a mount failure.\\nThe errors and stack traces reported in dmesg/syslog are like this:\\n\\n   [ 3845.729764] BTRFS info (device dm-0): start tree-log replay\\n   [ 3845.730304] page: refcount:3 mapcount:0 mapping:000000005c8a3027 index:0x1d00 pfn:0x11510c\\n   [ 3845.731236] memcg:ffff9264c02f4e00\\n   [ 3845.731751] aops:btree_aops [btrfs] ino:1\\n   [ 3845.732300] flags: 0x17fffc00000400a(uptodate|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)\\n   [ 3845.733346] raw: 017fffc00000400a 0000000000000000 dead000000000122 ffff9264d978aea8\\n   [ 3845.734265] raw: 0000000000001d00 ffff92650e6d4738 00000003ffffffff ffff9264c02f4e00\\n   [ 3845.735305] page dumped because: eb page dump\\n   [ 3845.735981] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=6 ino=257, invalid nlink: has 2 expect no more than 1 for dir\\n   [ 3845.737786] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14881 owner 5\\n   [ 3845.737789] BTRFS info (device dm-0): refs 4 lock_owner 0 current 30701\\n   [ 3845.737792] \\titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160\\n   [ 3845.737794] \\t\\tinode generation 3 transid 9 size 16 nbytes 16384\\n   [ 3845.737795] \\t\\tblock group 0 mode 40755 links 1 uid 0 gid 0\\n   [ 3845.737797] \\t\\trdev 0 sequence 2 flags 0x0\\n   [ 3845.737798] \\t\\tatime 1764259517.0\\n   [ 3845.737800] \\t\\tctime 1764259517.572889464\\n   [ 3845.737801] \\t\\tmtime 1764259517.572889464\\n   [ 3845.737802] \\t\\totime 1764259517.0\\n   [ 3845.737803] \\titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12\\n   [ 3845.737805] \\t\\tindex 0 name_len 2\\n   [ 3845.737807] \\titem 2 key (256 DIR_ITEM 2363071922) itemoff 16077 itemsize 34\\n   [ 3845.737808] \\t\\tlocation key (257 1 0) type 2\\n   [ 3845.737810] \\t\\ttransid 9 data_len 0 name_len 4\\n   [ 3845.737811] \\titem 3 key (256 DIR_ITEM 2676584006) itemoff 16043 itemsize 34\\n   [ 3845.737813] \\t\\tlocation key (258 1 0) type 2\\n   [ 3845.737814] \\t\\ttransid 9 data_len 0 name_len 4\\n   [ 3845.737815] \\titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34\\n   [ 3845.737816] \\t\\tlocation key (257 1 0) type 2\\n   [\\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/266273eaf4d99475f1ae57f687b3e42bc71ec6f0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7359e1d39c78816ecbdb0cb4e93975794ce53973\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a35788ddf8df65837897ecbb0ddb2896b863159e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d478f50727c3ee46d0359f0d2ae114f70191816e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d64f3834dffef80f0a9185a037617a54ed7f4bd2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.