CVE-2023-53865 in Linuxinfo

Summary

by MITRE • 12/09/2025

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix warning when putting transaction with qgroups enabled after abort

If we have a transaction abort with qgroups enabled we get a warning triggered when doing the final put on the transaction, like this:

[552.6789] ------------[ cut here ]------------
[552.6815] WARNING: CPU: 4 PID: 81745 at fs/btrfs/transaction.c:144 btrfs_put_transaction+0x123/0x130 [btrfs]
[552.6817] Modules linked in: btrfs blake2b_generic xor (...)
[552.6819] CPU: 4 PID: 81745 Comm: btrfs-transacti Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1
[552.6819] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[552.6819] RIP: 0010:btrfs_put_transaction+0x123/0x130 [btrfs]
[552.6821] Code: bd a0 01 00 (...)
[552.6821] RSP: 0018:ffffa168c0527e28 EFLAGS: 00010286
[552.6821] RAX: ffff936042caed00 RBX: ffff93604a3eb448 RCX: 0000000000000000
[552.6821] RDX: ffff93606421b028 RSI: ffffffff92ff0878 RDI: ffff93606421b010
[552.6821] RBP: ffff93606421b000 R08: 0000000000000000 R09: ffffa168c0d07c20
[552.6821] R10: 0000000000000000 R11: ffff93608dc52950 R12: ffffa168c0527e70
[552.6821] R13: ffff93606421b000 R14: ffff93604a3eb420 R15: ffff93606421b028
[552.6821] FS: 0000000000000000(0000) GS:ffff93675fb00000(0000) knlGS:0000000000000000
[552.6821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[552.6821] CR2: 0000558ad262b000 CR3: 000000014feda005 CR4: 0000000000370ee0
[552.6822] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[552.6822] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[552.6822] Call Trace:
[552.6822] <TASK>
[552.6822] ? __warn+0x80/0x130
[552.6822] ? btrfs_put_transaction+0x123/0x130 [btrfs]
[552.6824] ? report_bug+0x1f4/0x200
[552.6824] ? handle_bug+0x42/0x70
[552.6824] ? exc_invalid_op+0x14/0x70
[552.6824] ? asm_exc_invalid_op+0x16/0x20
[552.6824] ? btrfs_put_transaction+0x123/0x130 [btrfs]
[552.6826] btrfs_cleanup_transaction+0xe7/0x5e0 [btrfs]
[552.6828] ? _raw_spin_unlock_irqrestore+0x23/0x40
[552.6828] ? try_to_wake_up+0x94/0x5e0
[552.6828] ? __pfx_process_timeout+0x10/0x10
[552.6828] transaction_kthread+0x103/0x1d0 [btrfs]
[552.6830] ? __pfx_transaction_kthread+0x10/0x10 [btrfs]
[552.6832] kthread+0xee/0x120
[552.6832] ? __pfx_kthread+0x10/0x10
[552.6832] ret_from_fork+0x29/0x50
[552.6832] </TASK>
[552.6832] ---[ end trace 0000000000000000 ]---

This corresponds to this line of code:

void btrfs_put_transaction(struct btrfs_transaction *transaction) {
(...) WARN_ON(!RB_EMPTY_ROOT( &transaction->delayed_refs.dirty_extent_root)); (...) }

The warning happens because btrfs_qgroup_destroy_extent_records(), called in the transaction abort path, we free all entries from the rbtree "dirty_extent_root" with rbtree_postorder_for_each_entry_safe(), but we don't actually empty the rbtree - it's still pointing to nodes that were freed.

So set the rbtree's root node to NULL to avoid this warning (assign RB_ROOT).

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 03/30/2026

The vulnerability CVE-2023-53865 addresses a warning condition within the btrfs file system implementation of the Linux kernel that occurs during transaction cleanup when quality of service groups qgroups are enabled. This issue manifests specifically during the abort of a btrfs transaction that includes qgroup tracking, resulting in a kernel warning message that indicates improper handling of the delayed references rbtree structure. The warning originates from the btrfs_put_transaction function located in fs/btrfs/transaction.c at line 144, where a WARN_ON macro checks for an empty rbtree root but finds that the tree still contains references to freed nodes.

The technical flaw stems from the incomplete cleanup of the transaction's delayed_refs.dirty_extent_root rbtree during the transaction abort path. When btrfs_qgroup_destroy_extent_records() is invoked, it properly frees all entries from the rbtree using rbtree_postorder_for_each_entry_safe() but fails to reset the tree's root pointer to NULL. This leaves the rbtree structure in a state where it appears non-empty despite containing no valid nodes, triggering the warning condition when btrfs_put_transaction attempts to verify the tree's emptiness. The root cause aligns with CWE-459, which describes incomplete cleanup of resources, and represents a classic case of resource management error where freed memory references persist in data structures.

This vulnerability impacts the operational stability of btrfs file systems, particularly in environments where qgroups are actively used for quota management and resource tracking. While the warning itself does not necessarily cause system crashes or data corruption, it indicates a potential resource leak and improper state management that could degrade system performance over time. The warning is particularly concerning in high-throughput environments where btrfs transactions are frequent, as it may indicate more serious underlying issues in transaction management and memory cleanup routines. The issue is triggered during normal btrfs transaction abort scenarios, making it a potential vector for system instability under stress conditions.

Mitigation strategies for this vulnerability involve applying the kernel patch that properly initializes the rbtree root to NULL after freeing all entries, ensuring that the tree appears correctly empty to subsequent validation checks. System administrators should update their Linux kernel installations to versions containing the fix, particularly those running btrfs file systems with qgroups enabled. The fix specifically addresses the rbtree cleanup in the transaction abort path, ensuring that btrfs_qgroup_destroy_extent_records() properly resets the tree structure. This aligns with ATT&CK technique T1484.001, which involves privilege escalation through kernel-level manipulation, as improper resource management in kernel modules can create potential attack vectors. Organizations should monitor for similar patterns in other kernel subsystems and ensure comprehensive testing of file system transaction handling under various qgroup configurations.

Responsible

Linux

Reservation

12/09/2025

Disclosure

12/09/2025

Moderation

accepted

CPE

ready

EPSS

0.00199

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!