CVE-2025-21753

EUVD-2025-5190
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix use-after-free when attempting to join an aborted transaction

When we are trying to join the current transaction and if it's aborted,
we read its 'aborted' field after unlocking fs_info->trans_lock and
without holding any extra reference count on it. This means that a
concurrent task that is aborting the transaction may free the transaction
before we read its 'aborted' field, leading to a use-after-free.

Fix this by reading the 'aborted' field while holding fs_info->trans_lock
since any freeing task must first acquire that lock and set
fs_info->running_transaction to NULL before freeing the transaction.

This was reported by syzbot and Dmitry with the following stack traces
from KASAN:

   ==================================================================
   BUG: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278
   Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128

   CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0
   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
   Workqueue: events_unbound btrfs_async_reclaim_data_space
   Call Trace:
    <TASK>
    __dump_stack lib/dump_stack.c:94 [inline]
    dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
    print_address_description mm/kasan/report.c:378 [inline]
    print_report+0x169/0x550 mm/kasan/report.c:489
    kasan_report+0x143/0x180 mm/kasan/report.c:602
    join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278
    start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697
    flush_space+0x448/0xcf0 fs/btrfs/space-info.c:803
    btrfs_async_reclaim_data_space+0x159/0x510 fs/btrfs/space-info.c:1321
    process_one_work kernel/workqueue.c:3236 [inline]
    process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317
    worker_thread+0x870/0xd30 kernel/workqueue.c:3398
    kthread+0x2f0/0x390 kernel/kthread.c:389
    ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
    </TASK>

   Allocated by task 5315:
    kasan_save_stack mm/kasan/common.c:47 [inline]
    kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
    poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
    __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
    kasan_kmalloc include/linux/kasan.h:260 [inline]
    __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329
    kmalloc_noprof include/linux/slab.h:901 [inline]
    join_transaction+0x144/0xda0 fs/btrfs/transaction.c:308
    start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697
    btrfs_create_common+0x1b2/0x2e0 fs/btrfs/inode.c:6572
    lookup_open fs/namei.c:3649 [inline]
    open_last_lookups fs/namei.c:3748 [inline]
    path_openat+0x1c03/0x3590 fs/namei.c:3984
    do_filp_open+0x27f/0x4e0 fs/namei.c:4014
    do_sys_openat2+0x13e/0x1d0 fs/open.c:1402
    do_sys_open fs/open.c:1417 [inline]
    __do_sys_creat fs/open.c:1495 [inline]
    __se_sys_creat fs/open.c:1489 [inline]
    __x64_sys_creat+0x123/0x170 fs/open.c:1489
    do_syscall_x64 arch/x86/entry/common.c:52 [inline]
    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

   Freed by task 5336:
    kasan_save_stack mm/kasan/common.c:47 [inline]
    kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
    kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582
    poison_slab_object mm/kasan/common.c:247 [inline]
    __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
    kasan_slab_free include/linux/kasan.h:233 [inline]
    slab_free_hook mm/slub.c:2353 [inline]
    slab_free mm/slub.c:4613 [inline]
    kfree+0x196/0x430 mm/slub.c:4761
    cleanup_transaction fs/btrfs/transaction.c:2063 [inline]
    btrfs_commit_transaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598
    insert_balance_item+0x1284/0x20b0 fs/btrfs/volumes.c:3757
    btrfs_balance+0x992/
---truncated---
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 3%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
3.4 ≤
𝑥
< 5.4.291
linuxlinux_kernel
5.5 ≤
𝑥
< 5.10.235
linuxlinux_kernel
5.11 ≤
𝑥
< 5.15.179
linuxlinux_kernel
5.16 ≤
𝑥
< 6.1.129
linuxlinux_kernel
6.2 ≤
𝑥
< 6.6.78
linuxlinux_kernel
6.7 ≤
𝑥
< 6.12.14
linuxlinux_kernel
6.13 ≤
𝑥
< 6.13.3
linuxlinux_kernel
6.14:rc1
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
SiemensSIMATIC S7-1500 TM MFP - GNU/Linux subsystem
𝑥
< *
ADP
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.170-3
fixed
bookworm (security)
6.1.174-1
fixed
bullseye
vulnerable
bullseye (security)
5.10.257-1
fixed
forky
7.0.10-1
fixed
sid
7.0.12-2
fixed
trixie
6.12.86-1
fixed
trixie (security)
6.12.90-2
fixed
linux-6.1
bullseye (security)
6.1.174-1~deb11u1
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
cluster-md-kmp-default
suse enterprise server 12 SP5
4.12.14-122.250.1
fixed
dlm-kmp-default
suse enterprise server 12 SP5
4.12.14-122.250.1
fixed
gfs2-kmp-default
suse enterprise server 12 SP5
4.12.14-122.250.1
fixed
kernel-64kb
suse enterprise desktop 15 SP6
6.4.0-150600.23.47.2
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.47.2
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.161.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.47.2
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1
fixed
kernel-azure
suse enterprise sap 15 SP6
6.4.0-150600.8.34.2
fixed
suse enterprise sap 15 SP7
6.4.0-150700.20.3.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.8.34.2
fixed
suse enterprise server 15 SP7
6.4.0-150700.20.3.1
fixed
kernel-default
suse enterprise desktop 15 SP6
6.4.0-150600.23.47.2
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.47.2
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise server 12 SP5
4.12.14-122.250.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.161.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.47.2
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1
fixed
kernel-default-base
suse enterprise desktop 15 SP6
6.4.0-150600.23.47.2.150600.12.20.2
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1.150700.17.2.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.47.2.150600.12.20.2
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1.150700.17.2.1
fixed
suse enterprise server 12 SP5
4.12.14-122.250.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.161.1.150400.24.80.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.47.2.150600.12.20.2
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1.150700.17.2.1
fixed
kernel-default-man
suse enterprise server 12 SP5
4.12.14-122.250.1
fixed
kernel-docs
suse enterprise desktop 15 SP6
6.4.0-150600.23.47.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.47.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.161.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.47.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1
fixed
kernel-macros
suse enterprise desktop 15 SP6
6.4.0-150600.23.47.2
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.47.2
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise server 12 SP5
4.12.14-122.250.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.161.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.47.2
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1
fixed
kernel-obs-build
suse enterprise desktop 15 SP6
6.4.0-150600.23.47.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.47.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.161.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.47.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1
fixed
kernel-source
suse enterprise desktop 15 SP6
6.4.0-150600.23.47.2
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.47.2
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise server 12 SP5
4.12.14-122.250.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.161.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.47.2
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1
fixed
kernel-source-azure
suse enterprise sap 15 SP6
6.4.0-150600.8.34.2
fixed
suse enterprise sap 15 SP7
6.4.0-150700.20.3.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.8.34.2
fixed
suse enterprise server 15 SP7
6.4.0-150700.20.3.1
fixed
kernel-syms
suse enterprise desktop 15 SP6
6.4.0-150600.23.47.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.47.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise server 12 SP5
4.12.14-122.250.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.161.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.47.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1
fixed
kernel-syms-azure
suse enterprise sap 15 SP6
6.4.0-150600.8.34.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.20.3.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.8.34.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.20.3.1
fixed
kernel-zfcpdump
suse enterprise desktop 15 SP6
6.4.0-150600.23.47.2
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.47.2
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise server 15 SP4
5.14.21-150400.24.161.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.47.2
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1
fixed
ocfs2-kmp-default
suse enterprise server 12 SP5
4.12.14-122.250.1
fixed
reiserfs-kmp-default
suse enterprise server 15 SP4
5.14.21-150400.24.161.1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
bpftool
Amazon Linux 2023
0:6.1.131-143.221.amzn2023
fixed
bpftool-debuginfo
Amazon Linux 2023
0:6.1.131-143.221.amzn2023
fixed
kernel
Amazon Linux 1
0:4.14.355-196.618.amzn1
fixed
Amazon Linux 2
0:4.14.355-276.618.amzn2
fixed
Amazon Linux 2023
0:6.1.131-143.221.amzn2023
fixed
kernel-debuginfo
Amazon Linux 1
0:4.14.355-196.618.amzn1
fixed
Amazon Linux 2
0:4.14.355-276.618.amzn2
fixed
Amazon Linux 2023
0:6.1.131-143.221.amzn2023
fixed
kernel-debuginfo-common-aarch64
Amazon Linux 2
0:4.14.355-276.618.amzn2
fixed
Amazon Linux 2023
0:6.1.131-143.221.amzn2023
fixed
kernel-debuginfo-common-i686
Amazon Linux 1
0:4.14.355-196.618.amzn1
fixed
kernel-debuginfo-common-x86_64
Amazon Linux 1
0:4.14.355-196.618.amzn1
fixed
Amazon Linux 2
0:4.14.355-276.618.amzn2
fixed
Amazon Linux 2023
0:6.1.131-143.221.amzn2023
fixed
kernel-devel
Amazon Linux 1
0:4.14.355-196.618.amzn1
fixed
Amazon Linux 2
0:4.14.355-276.618.amzn2
fixed
Amazon Linux 2023
0:6.1.131-143.221.amzn2023
fixed
kernel-headers
Amazon Linux 1
0:4.14.355-196.618.amzn1
fixed
Amazon Linux 2
0:4.14.355-276.618.amzn2
fixed
Amazon Linux 2023
0:6.1.131-143.221.amzn2023
fixed
kernel-libbpf
Amazon Linux 2023
0:6.1.131-143.221.amzn2023
fixed
kernel-libbpf-debuginfo
Amazon Linux 2023
0:6.1.131-143.221.amzn2023
fixed
kernel-libbpf-devel
Amazon Linux 2023
0:6.1.131-143.221.amzn2023
fixed
kernel-libbpf-static
Amazon Linux 2023
0:6.1.131-143.221.amzn2023
fixed
kernel-livepatch-4.14.355-276.618
Amazon Linux 2
0:1.0-0.amzn2
fixed
kernel-livepatch-6.1.131-143.221
Amazon Linux 2023
0:1.0-0.amzn2023
fixed
kernel-modules-extra
Amazon Linux 2023
0:6.1.131-143.221.amzn2023
fixed
kernel-modules-extra-common
Amazon Linux 2023
0:6.1.131-143.221.amzn2023
fixed
kernel-tools
Amazon Linux 1
0:4.14.355-196.618.amzn1
fixed
Amazon Linux 2
0:4.14.355-276.618.amzn2
fixed
Amazon Linux 2023
0:6.1.131-143.221.amzn2023
fixed
kernel-tools-debuginfo
Amazon Linux 1
0:4.14.355-196.618.amzn1
fixed
Amazon Linux 2
0:4.14.355-276.618.amzn2
fixed
Amazon Linux 2023
0:6.1.131-143.221.amzn2023
fixed
kernel-tools-devel
Amazon Linux 1
0:4.14.355-196.618.amzn1
fixed
Amazon Linux 2
0:4.14.355-276.618.amzn2
fixed
Amazon Linux 2023
0:6.1.131-143.221.amzn2023
fixed
perf
Amazon Linux 1
0:4.14.355-196.618.amzn1
fixed
Amazon Linux 2
0:4.14.355-276.618.amzn2
fixed
Amazon Linux 2023
0:6.1.131-143.221.amzn2023
fixed
perf-debuginfo
Amazon Linux 1
0:4.14.355-196.618.amzn1
fixed
Amazon Linux 2
0:4.14.355-276.618.amzn2
fixed
Amazon Linux 2023
0:6.1.131-143.221.amzn2023
fixed
python-perf
Amazon Linux 2
0:4.14.355-276.618.amzn2
fixed
python-perf-debuginfo
Amazon Linux 2
0:4.14.355-276.618.amzn2
fixed
python3-perf
Amazon Linux 2023
0:6.1.131-143.221.amzn2023
fixed
python3-perf-debuginfo
Amazon Linux 2023
0:6.1.131-143.221.amzn2023
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
kernel
CBL-Mariner 2.0
0:5.15.180.1-1.cm2
fixed
Common Weakness Enumeration
References
https://git.kernel.org/stable/c/6ba4663ada6c6315af23a6669d386146634808ec
https://git.kernel.org/stable/c/7e954b6bb95d67ae4d1a20e9cfd83c182cf929bc
https://git.kernel.org/stable/c/86d71a026a7f63da905db9add845c8ee88801eca
https://git.kernel.org/stable/c/8f5cff471039caa2b088060c074c2bf2081bcb01
https://git.kernel.org/stable/c/c7a53757717e68af94a56929d57f1e6daff220ec
https://git.kernel.org/stable/c/ce628048390dad80320d5a1f74de6ca1e1be91e7
https://git.kernel.org/stable/c/cee55b1219568c80bf0d5dc55066e4a859baf753
https://git.kernel.org/stable/c/e2f0943cf37305dbdeaf9846e3c941451bcdef63
https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html
https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
https://cert-portal.siemens.com/productcert/html/ssa-265688.html