CVE-2025-22115 in Linux
Summary
by MITRE • 04/16/2025
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix block group refcount race in btrfs_create_pending_block_groups()
Block group creation is done in two phases, which results in a slightly unintuitive property: a block group can be allocated/deallocated from after btrfs_make_block_group() adds it to the space_info with btrfs_add_bg_to_space_info(), but before creation is completely completed in btrfs_create_pending_block_groups(). As a result, it is possible for a block group to go unused and have 'btrfs_mark_bg_unused' called on it concurrently with 'btrfs_create_pending_block_groups'. This causes a number of issues, which were fixed with the block group flag 'BLOCK_GROUP_FLAG_NEW'.
However, this fix is not quite complete. Since it does not use the unused_bg_lock, it is possible for the following race to occur:
btrfs_create_pending_block_groups        btrfs_mark_bg_unused
                                         if list_empty // false
  list_del_init
  clear_bit
                                         else if (test_bit) // true
                                           list_move_tail
And we get into the exact same broken ref count and invalid new_bgs state for transaction cleanup that BLOCK_GROUP_FLAG_NEW was designed to prevent.
The broken refcount aspect will result in a warning like:
[1272.943527] refcount_t: underflow; use-after-free.
[1272.943967] WARNING: CPU: 1 PID: 61 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110
[1272.944731] Modules linked in: btrfs virtio_net xor zstd_compress raid6_pq null_blk [last unloaded: btrfs]
[1272.945550] CPU: 1 UID: 0 PID: 61 Comm: kworker/u32:1 Kdump: loaded Tainted: G W 6.14.0-rc5+ #108
[1272.946368] Tainted: [W]=WARN
[1272.946585] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
[1272.947273] Workqueue: btrfs_discard btrfs_discard_workfn [btrfs]
[1272.947788] RIP: 0010:refcount_warn_saturate+0xba/0x110
[1272.949532] RSP: 0018:ffffbf1200247df0 EFLAGS: 00010282
[1272.949901] RAX: 0000000000000000 RBX: ffffa14b00e3f800 RCX: 0000000000000000
[1272.950437] RDX: 0000000000000000 RSI: ffffbf1200247c78 RDI: 00000000ffffdfff
[1272.950986] RBP: ffffa14b00dc2860 R08: 00000000ffffdfff R09: ffffffff90526268
[1272.951512] R10: ffffffff904762c0 R11: 0000000063666572 R12: ffffa14b00dc28c0
[1272.952024] R13: 0000000000000000 R14: ffffa14b00dc2868 R15: 000001285dcd12c0
[1272.952850] FS: 0000000000000000(0000) GS:ffffa14d33c40000(0000) knlGS:0000000000000000
[1272.953458] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[1272.953931] CR2: 00007f838cbda000 CR3: 000000010104e000 CR4: 00000000000006f0
[1272.954474] Call Trace:
[1272.954655]
[1272.954812] ? refcount_warn_saturate+0xba/0x110
[1272.955173] ? __warn.cold+0x93/0xd7
[1272.955487] ? refcount_warn_saturate+0xba/0x110
[1272.955816] ? report_bug+0xe7/0x120
[1272.956103] ? handle_bug+0x53/0x90
[1272.956424] ? exc_invalid_op+0x13/0x60
[1272.956700] ? asm_exc_invalid_op+0x16/0x20
[1272.957011] ? refcount_warn_saturate+0xba/0x110
[1272.957399] btrfs_discard_cancel_work.cold+0x26/0x2b [btrfs]
[1272.957853] btrfs_put_block_group.cold+0x5d/0x8e [btrfs]
[1272.958289] btrfs_discard_workfn+0x194/0x380 [btrfs]
[1272.958729] process_one_work+0x130/0x290
[1272.959026] worker_thread+0x2ea/0x420
[1272.959335] ? __pfx_worker_thread+0x10/0x10
[1272.959644] kthread+0xd7/0x1c0
[1272.959872] ? __pfx_kthread+0x10/0x10
[1272.960172] ret_from_fork+0x30/0x50
[1272.960474] ? __pfx_kthread+0x10/0x10
[1272.960745] ret_from_fork_asm+0x1a/0x30
[1272.961035]
[1272.961238] ---[ end trace 0000000000000000 ]---
Though we have seen them in the async discard workfn as well. It is most likely to happen after a relocation finishes which cancels discard, tears down the block group, etc.
Fix this fully by taking the lock arou ---truncated---
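To make the interleaving in the race diagram above concrete, here is a constructed C model of the two paths; it is an added illustration, not kernel code and not part of the advisory. The struct, the enum and the simulate() function are hypothetical; only the step names mirror the commit text. Passing NULL as the preempt callback models both sides holding unused_bg_lock, which is what the fix adds.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of one btrfs block group as the commit message describes it:
 * it sits on trans->new_bgs with BLOCK_GROUP_FLAG_NEW set until creation finishes.
 * The refcount starts at 1 for the reference held by the block group cache. */
enum bg_list { ON_NEW_BGS, ON_NO_LIST, ON_UNUSED_BGS };
struct bg { int refcount; enum bg_list list; bool flag_new; };

static void bg_get(struct bg *b) { b->refcount++; }
/* btrfs_put_block_group(): false means the drop underflowed (the refcount_t warning). */
static bool bg_put(struct bg *b) { if (b->refcount <= 0) return false; b->refcount--; return true; }

/* Finishing step of btrfs_create_pending_block_groups: list_del_init + clear_bit. */
static void create_pending_finish(struct bg *b) { b->list = ON_NO_LIST; b->flag_new = false; }

/* btrfs_mark_bg_unused. 'preempt' runs between the list_empty() and test_bit()
 * tests to model the other CPU getting in; NULL models both sides holding
 * unused_bg_lock, so the window is closed. */
static void mark_bg_unused(struct bg *b, void (*preempt)(struct bg *)) {
    bool was_empty = (b->list == ON_NO_LIST);   /* if (list_empty(&bg->bg_list)) */
    if (preempt) preempt(b);
    if (was_empty) {                            /* bg is new to unused_bgs: take a ref */
        bg_get(b); b->list = ON_UNUSED_BGS;     /* list_add_tail */
    } else if (!b->flag_new) {                  /* else if (!test_bit(BLOCK_GROUP_FLAG_NEW)) */
        b->list = ON_UNUSED_BGS;                /* list_move_tail: assumes a ref already held */
    }
}

/* The unused-bg worker later drops the reference the unused_bgs list is meant to own. */
static bool unused_bg_worker(struct bg *b) {
    if (b->list != ON_UNUSED_BGS) return true;
    b->list = ON_NO_LIST;
    return bg_put(b);
}

/* Returns true if the block group ends with a consistent refcount, i.e. the final
 * teardown put (relocation cancelling discard, freeing the bg) does not underflow. */
bool simulate(bool locked) {
    struct bg b = { .refcount = 1, .list = ON_NEW_BGS, .flag_new = true };
    if (locked) {                       /* serialized: mark_bg_unused still sees NEW set */
        mark_bg_unused(&b, NULL);
        create_pending_finish(&b);
    } else {                            /* the interleaving from the commit message */
        mark_bg_unused(&b, create_pending_finish);
    }
    unused_bg_worker(&b);               /* racy case: drops a ref nobody took -> refcount 0 */
    return bg_put(&b);                  /* racy case: underflow, the "use-after-free" warning */
}

int main(void) {
    printf("locked: %d racy: %d (1 = consistent refcount)\n", simulate(true), simulate(false));
    return 0;
}
```

The racy run ends with the block group on unused_bgs without the reference that path is supposed to take, so the worker's put reaches zero and the teardown's put underflows, which is the refcount_t warning shown in the trace.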
Analysis
by VulDB Data Team • 02/15/2026
The vulnerability identified as CVE-2025-22115 resides within the Linux kernel's Btrfs filesystem implementation, specifically within the block group management subsystem. This issue manifests as a race condition during the creation and cleanup of block groups, which are fundamental units of storage allocation in Btrfs. The race condition occurs between the functions `btrfs_create_pending_block_groups` and `btrfs_mark_bg_unused`, both of which manipulate the state of block groups in a concurrent environment. The underlying flaw stems from an incomplete fix previously implemented to address similar issues, which relied on the `BLOCK_GROUP_FLAG_NEW` flag but failed to utilize the `unused_bg_lock` for synchronization. This oversight creates a window where concurrent operations can lead to improper reference counting and invalid block group states, ultimately resulting in a use-after-free condition.
The technical nature of this vulnerability aligns with CWE-362, which describes a race condition where two or more threads access shared data concurrently, and at least one of the threads modifies the data, leading to unpredictable behavior. The flaw is particularly dangerous because it operates at the kernel level, where improper reference counting can result in memory corruption and system instability. The specific warning message indicates a refcount_t underflow, a classic symptom of use-after-free errors that can be exploited to cause system crashes or potentially enable privilege escalation. The issue is further exacerbated by the fact that the race condition can occur during asynchronous discard operations, which are critical for maintaining filesystem performance and storage efficiency. The call trace reveals that the error originates from `btrfs_discard_workfn`, indicating that the problem manifests during background cleanup operations rather than during active filesystem usage.
The operational impact of this vulnerability extends beyond simple system instability to potential security implications. When a system experiences a use-after-free condition in kernel space, it can lead to arbitrary code execution, especially if an attacker can control the timing of operations that trigger the race condition. This vulnerability affects systems running Btrfs filesystems and is particularly concerning for environments where high availability and security are paramount. The race condition is most likely to occur after filesystem relocation operations that cancel discard work and tear down block groups, suggesting that the vulnerability may be triggered more frequently during maintenance operations or when storage is being actively managed. Attackers could potentially exploit this vulnerability to cause denial of service or escalate privileges by manipulating the timing of concurrent operations that access shared block group data structures. The fix requires implementing proper locking mechanisms around the affected code paths to ensure atomicity during block group state transitions.
Mitigation for this vulnerability consists of applying the patched kernel version, which takes `unused_bg_lock` around the block group creation and cleanup steps that race. System administrators should prioritize updating their kernel versions to include the fix for CVE-2025-22115, particularly in production environments where Btrfs filesystems are in use. Monitoring for warning messages indicating refcount_t underflows should be implemented to detect potential exploitation attempts. The vulnerability demonstrates the importance of comprehensive race condition testing in kernel code, especially for filesystem implementations that manage complex data structures with concurrent access patterns. Organizations should also consider additional security controls such as kernel lockdown modes and restricting access to filesystem management operations to minimize the attack surface. The fix addresses the root cause by ensuring that all operations modifying block group state are properly synchronized, preventing the interleaving that leads to the invalid reference counting behavior. This vulnerability serves as a reminder of the critical importance of proper synchronization primitives in kernel-level code and of the consequences of incomplete fixes to previously identified race conditions.