{ "threat_severity" : "Low", "public_date" : "2025-12-24T00:00:00Z", "bugzilla" : { "description" : "kernel: btrfs: fix double free of qgroup record after failure to add delayed ref head", "id" : "2424863", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2424863" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-763", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbtrfs: fix double free of qgroup record after failure to add delayed ref head\nIn the previous code it was possible to incur into a double kfree()\nscenario when calling add_delayed_ref_head(). This could happen if the\nrecord was reported to already exist in the\nbtrfs_qgroup_trace_extent_nolock() call, but then there was an error\nlater on add_delayed_ref_head(). In this case, since\nadd_delayed_ref_head() returned an error, the caller went to free the\nrecord. Since add_delayed_ref_head() couldn't set this kfree'd pointer\nto NULL, then kfree() would have acted on a non-NULL 'record' object\nwhich was pointing to memory already freed by the callee.\nThe problem comes from the fact that the responsibility to kfree the\nobject is on both the caller and the callee at the same time. Hence, the\nfix for this is to shift the ownership of the 'qrecord' object out of\nthe add_delayed_ref_head(). That is, we will never attempt to kfree()\nthe given object inside of this function, and will expect the caller to\nact on the 'qrecord' object on its own. The only exception where the\n'qrecord' object cannot be kfree'd is if it was inserted into the\ntracing logic, for which we already have the 'qrecord_inserted_ret'\nboolean to account for this. Hence, the caller has to kfree the object\nonly if add_delayed_ref_head() reports not to have inserted it on the\ntracing logic.\nAs a side-effect of the above, we must guarantee that\n'qrecord_inserted_ret' is properly initialized at the start of the\nfunction, not at the end, and then set when an actual insert\nhappens. This way we avoid 'qrecord_inserted_ret' having an invalid\nvalue on an early exit.\nThe documentation from the add_delayed_ref_head() has also been updated\nto reflect on the exact ownership of the 'qrecord' object." ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-68359\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-68359\nhttps://lore.kernel.org/linux-cve-announce/2025122457-CVE-2025-68359-c931@gregkh/T" ], "name" : "CVE-2025-68359", "csaw" : false }