CVE-2025-21753 in Linux
Summary
by MITRE • 02/27/2025
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix use-after-free when attempting to join an aborted transaction
When we are trying to join the current transaction and if it's aborted, we read its 'aborted' field after unlocking fs_info->trans_lock and without holding any extra reference count on it. This means that a concurrent task that is aborting the transaction may free the transaction before we read its 'aborted' field, leading to a use-after-free.
Fix this by reading the 'aborted' field while holding fs_info->trans_lock since any freeing task must first acquire that lock and set fs_info->running_transaction to NULL before freeing the transaction.
This was reported by syzbot and Dmitry with the following stack traces from KASAN:
================================================================== BUG: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278 Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128
CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: events_unbound btrfs_async_reclaim_data_space Call Trace: __dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline]
print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278 start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697 flush_space+0x448/0xcf0 fs/btrfs/space-info.c:803 btrfs_async_reclaim_data_space+0x159/0x510 fs/btrfs/space-info.c:1321 process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317 worker_thread+0x870/0xd30 kernel/workqueue.c:3398 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Allocated by task 5315: kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329 kmalloc_noprof include/linux/slab.h:901 [inline]
join_transaction+0x144/0xda0 fs/btrfs/transaction.c:308 start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697 btrfs_create_common+0x1b2/0x2e0 fs/btrfs/inode.c:6572 lookup_open fs/namei.c:3649 [inline]
open_last_lookups fs/namei.c:3748 [inline]
path_openat+0x1c03/0x3590 fs/namei.c:3984 do_filp_open+0x27f/0x4e0 fs/namei.c:4014 do_sys_openat2+0x13e/0x1d0 fs/open.c:1402 do_sys_open fs/open.c:1417 [inline]
__do_sys_creat fs/open.c:1495 [inline]
__se_sys_creat fs/open.c:1489 [inline]
__x64_sys_creat+0x123/0x170 fs/open.c:1489 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5336: kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2353 [inline]
slab_free mm/slub.c:4613 [inline]
kfree+0x196/0x430 mm/slub.c:4761 cleanup_transaction fs/btrfs/transaction.c:2063 [inline]
btrfs_commit_transaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598 insert_balance_item+0x1284/0x20b0 fs/btrfs/volumes.c:3757 btrfs_balance+0x992/ ---truncated---
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 05/25/2026
The vulnerability CVE-2025-21753 resides within the Linux kernel's btrfs file system implementation and represents a use-after-free condition that arises during transaction management operations. This flaw occurs when attempting to join an aborted transaction, where the system reads the 'aborted' field of a transaction structure after releasing the fs_info->trans_lock mutex and without maintaining an additional reference count. The sequence of events leading to this issue allows a concurrent task that is aborting the transaction to free the transaction object before the reading task has completed its access to the 'aborted' field, resulting in undefined behavior and potential system instability. The vulnerability was identified through KASAN (Kernel Address Sanitizer) analysis which produced stack traces showing the exact point of failure in the join_transaction function at line 278 of fs/btrfs/transaction.c. This type of vulnerability aligns with CWE-416, which describes the use of freed memory condition, and can be categorized under ATT&CK technique T1059.001 for execution through system commands, potentially leading to privilege escalation or denial of service. The flaw manifests when a worker thread attempts to join a transaction that has been concurrently marked as aborted, creating a race condition that violates proper synchronization protocols. The fix implemented involves ensuring that the 'aborted' field is read while holding the fs_info->trans_lock mutex, since any task responsible for freeing the transaction must first acquire this lock and set fs_info->running_transaction to NULL before proceeding with the actual deallocation. This approach follows the principle of maintaining proper locking hierarchy and prevents the race condition that leads to memory corruption. The vulnerability was reported by syzbot and Dmitry, with detailed stack traces indicating that the issue occurs during asynchronous data space reclaim operations and involves multiple kernel subsystems including workqueue processing, transaction management, and memory allocation. The use of KASAN instrumentation provided precise tracking of memory allocation and deallocation patterns, revealing that the freed memory was allocated in the join_transaction function and freed during the cleanup_transaction process, demonstrating a classic use-after-free scenario. This vulnerability affects systems running Linux kernel versions where btrfs transaction handling is implemented, particularly those utilizing asynchronous workqueue operations for space management and transaction cleanup. The impact extends beyond simple memory corruption to potentially allow for privilege escalation or system crashes, making it a critical issue for system stability and security. The mitigation strategy focuses on enforcing proper locking semantics during transaction state access, ensuring that all transaction state checks occur under appropriate synchronization primitives to prevent concurrent access patterns that could lead to memory safety violations.