CVE-2025-21753 (GCVE-0-2025-21753)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:12 – Updated: 2026-05-12 12:03
VLAI
Title
btrfs: fix use-after-free when attempting to join an aborted transaction
Summary
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free when attempting to join an aborted transaction When we are trying to join the current transaction and if it's aborted, we read its 'aborted' field after unlocking fs_info->trans_lock and without holding any extra reference count on it. This means that a concurrent task that is aborting the transaction may free the transaction before we read its 'aborted' field, leading to a use-after-free. Fix this by reading the 'aborted' field while holding fs_info->trans_lock since any freeing task must first acquire that lock and set fs_info->running_transaction to NULL before freeing the transaction. This was reported by syzbot and Dmitry with the following stack traces from KASAN: ================================================================== BUG: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278 Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128 CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: events_unbound btrfs_async_reclaim_data_space Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278 start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697 flush_space+0x448/0xcf0 fs/btrfs/space-info.c:803 btrfs_async_reclaim_data_space+0x159/0x510 fs/btrfs/space-info.c:1321 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317 worker_thread+0x870/0xd30 kernel/workqueue.c:3398 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 5315: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329 kmalloc_noprof include/linux/slab.h:901 [inline] join_transaction+0x144/0xda0 fs/btrfs/transaction.c:308 start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697 btrfs_create_common+0x1b2/0x2e0 fs/btrfs/inode.c:6572 lookup_open fs/namei.c:3649 [inline] open_last_lookups fs/namei.c:3748 [inline] path_openat+0x1c03/0x3590 fs/namei.c:3984 do_filp_open+0x27f/0x4e0 fs/namei.c:4014 do_sys_openat2+0x13e/0x1d0 fs/open.c:1402 do_sys_open fs/open.c:1417 [inline] __do_sys_creat fs/open.c:1495 [inline] __se_sys_creat fs/open.c:1489 [inline] __x64_sys_creat+0x123/0x170 fs/open.c:1489 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5336: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2353 [inline] slab_free mm/slub.c:4613 [inline] kfree+0x196/0x430 mm/slub.c:4761 cleanup_transaction fs/btrfs/transaction.c:2063 [inline] btrfs_commit_transaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598 insert_balance_item+0x1284/0x20b0 fs/btrfs/volumes.c:3757 btrfs_balance+0x992/ ---truncated---
Severity
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 871383be592ba7e819d27556591e315a0df38cee , < cee55b1219568c80bf0d5dc55066e4a859baf753 (git)
Affected: 871383be592ba7e819d27556591e315a0df38cee , < c7a53757717e68af94a56929d57f1e6daff220ec (git)
Affected: 871383be592ba7e819d27556591e315a0df38cee , < 7e954b6bb95d67ae4d1a20e9cfd83c182cf929bc (git)
Affected: 871383be592ba7e819d27556591e315a0df38cee , < 6ba4663ada6c6315af23a6669d386146634808ec (git)
Affected: 871383be592ba7e819d27556591e315a0df38cee , < 8f5cff471039caa2b088060c074c2bf2081bcb01 (git)
Affected: 871383be592ba7e819d27556591e315a0df38cee , < 86d71a026a7f63da905db9add845c8ee88801eca (git)
Affected: 871383be592ba7e819d27556591e315a0df38cee , < ce628048390dad80320d5a1f74de6ca1e1be91e7 (git)
Affected: 871383be592ba7e819d27556591e315a0df38cee , < e2f0943cf37305dbdeaf9846e3c941451bcdef63 (git)
Create a notification for this product.
Linux Linux Affected: 3.4
Unaffected: 0 , < 3.4 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.78 , ≤ 6.6.* (semver)
Unaffected: 6.12.14 , ≤ 6.12.* (semver)
Unaffected: 6.13.3 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Siemens SIMATIC S7-1500 TM MFP - GNU/Linux subsystem Affected: 0 , < * (custom)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21753",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T18:14:22.911957Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:22:29.598Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:36:58.333Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:03:36.932Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/transaction.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cee55b1219568c80bf0d5dc55066e4a859baf753",
              "status": "affected",
              "version": "871383be592ba7e819d27556591e315a0df38cee",
              "versionType": "git"
            },
            {
              "lessThan": "c7a53757717e68af94a56929d57f1e6daff220ec",
              "status": "affected",
              "version": "871383be592ba7e819d27556591e315a0df38cee",
              "versionType": "git"
            },
            {
              "lessThan": "7e954b6bb95d67ae4d1a20e9cfd83c182cf929bc",
              "status": "affected",
              "version": "871383be592ba7e819d27556591e315a0df38cee",
              "versionType": "git"
            },
            {
              "lessThan": "6ba4663ada6c6315af23a6669d386146634808ec",
              "status": "affected",
              "version": "871383be592ba7e819d27556591e315a0df38cee",
              "versionType": "git"
            },
            {
              "lessThan": "8f5cff471039caa2b088060c074c2bf2081bcb01",
              "status": "affected",
              "version": "871383be592ba7e819d27556591e315a0df38cee",
              "versionType": "git"
            },
            {
              "lessThan": "86d71a026a7f63da905db9add845c8ee88801eca",
              "status": "affected",
              "version": "871383be592ba7e819d27556591e315a0df38cee",
              "versionType": "git"
            },
            {
              "lessThan": "ce628048390dad80320d5a1f74de6ca1e1be91e7",
              "status": "affected",
              "version": "871383be592ba7e819d27556591e315a0df38cee",
              "versionType": "git"
            },
            {
              "lessThan": "e2f0943cf37305dbdeaf9846e3c941451bcdef63",
              "status": "affected",
              "version": "871383be592ba7e819d27556591e315a0df38cee",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/transaction.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.4"
            },
            {
              "lessThan": "3.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free when attempting to join an aborted transaction\n\nWhen we are trying to join the current transaction and if it\u0027s aborted,\nwe read its \u0027aborted\u0027 field after unlocking fs_info-\u003etrans_lock and\nwithout holding any extra reference count on it. This means that a\nconcurrent task that is aborting the transaction may free the transaction\nbefore we read its \u0027aborted\u0027 field, leading to a use-after-free.\n\nFix this by reading the \u0027aborted\u0027 field while holding fs_info-\u003etrans_lock\nsince any freeing task must first acquire that lock and set\nfs_info-\u003erunning_transaction to NULL before freeing the transaction.\n\nThis was reported by syzbot and Dmitry with the following stack traces\nfrom KASAN:\n\n   ==================================================================\n   BUG: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278\n   Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128\n\n   CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0\n   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n   Workqueue: events_unbound btrfs_async_reclaim_data_space\n   Call Trace:\n    \u003cTASK\u003e\n    __dump_stack lib/dump_stack.c:94 [inline]\n    dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n    print_address_description mm/kasan/report.c:378 [inline]\n    print_report+0x169/0x550 mm/kasan/report.c:489\n    kasan_report+0x143/0x180 mm/kasan/report.c:602\n    join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278\n    start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697\n    flush_space+0x448/0xcf0 fs/btrfs/space-info.c:803\n    btrfs_async_reclaim_data_space+0x159/0x510 fs/btrfs/space-info.c:1321\n    process_one_work kernel/workqueue.c:3236 [inline]\n    process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317\n    worker_thread+0x870/0xd30 kernel/workqueue.c:3398\n    kthread+0x2f0/0x390 kernel/kthread.c:389\n    ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n    \u003c/TASK\u003e\n\n   Allocated by task 5315:\n    kasan_save_stack mm/kasan/common.c:47 [inline]\n    kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n    poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n    __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\n    kasan_kmalloc include/linux/kasan.h:260 [inline]\n    __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329\n    kmalloc_noprof include/linux/slab.h:901 [inline]\n    join_transaction+0x144/0xda0 fs/btrfs/transaction.c:308\n    start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697\n    btrfs_create_common+0x1b2/0x2e0 fs/btrfs/inode.c:6572\n    lookup_open fs/namei.c:3649 [inline]\n    open_last_lookups fs/namei.c:3748 [inline]\n    path_openat+0x1c03/0x3590 fs/namei.c:3984\n    do_filp_open+0x27f/0x4e0 fs/namei.c:4014\n    do_sys_openat2+0x13e/0x1d0 fs/open.c:1402\n    do_sys_open fs/open.c:1417 [inline]\n    __do_sys_creat fs/open.c:1495 [inline]\n    __se_sys_creat fs/open.c:1489 [inline]\n    __x64_sys_creat+0x123/0x170 fs/open.c:1489\n    do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n    entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n   Freed by task 5336:\n    kasan_save_stack mm/kasan/common.c:47 [inline]\n    kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n    kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582\n    poison_slab_object mm/kasan/common.c:247 [inline]\n    __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\n    kasan_slab_free include/linux/kasan.h:233 [inline]\n    slab_free_hook mm/slub.c:2353 [inline]\n    slab_free mm/slub.c:4613 [inline]\n    kfree+0x196/0x430 mm/slub.c:4761\n    cleanup_transaction fs/btrfs/transaction.c:2063 [inline]\n    btrfs_commit_transaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598\n    insert_balance_item+0x1284/0x20b0 fs/btrfs/volumes.c:3757\n    btrfs_balance+0x992/\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:05:45.922Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cee55b1219568c80bf0d5dc55066e4a859baf753"
        },
        {
          "url": "https://git.kernel.org/stable/c/c7a53757717e68af94a56929d57f1e6daff220ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/7e954b6bb95d67ae4d1a20e9cfd83c182cf929bc"
        },
        {
          "url": "https://git.kernel.org/stable/c/6ba4663ada6c6315af23a6669d386146634808ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/8f5cff471039caa2b088060c074c2bf2081bcb01"
        },
        {
          "url": "https://git.kernel.org/stable/c/86d71a026a7f63da905db9add845c8ee88801eca"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce628048390dad80320d5a1f74de6ca1e1be91e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/e2f0943cf37305dbdeaf9846e3c941451bcdef63"
        }
      ],
      "title": "btrfs: fix use-after-free when attempting to join an aborted transaction",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21753",
    "datePublished": "2025-02-27T02:12:23.235Z",
    "dateReserved": "2024-12-29T08:45:45.760Z",
    "dateUpdated": "2026-05-12T12:03:36.932Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-21753",
      "date": "2026-06-07",
      "epss": "0.00015",
      "percentile": "0.03396"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-21753\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-02-27T03:15:15.950\",\"lastModified\":\"2026-05-12T13:16:34.510\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: fix use-after-free when attempting to join an aborted transaction\\n\\nWhen we are trying to join the current transaction and if it\u0027s aborted,\\nwe read its \u0027aborted\u0027 field after unlocking fs_info-\u003etrans_lock and\\nwithout holding any extra reference count on it. This means that a\\nconcurrent task that is aborting the transaction may free the transaction\\nbefore we read its \u0027aborted\u0027 field, leading to a use-after-free.\\n\\nFix this by reading the \u0027aborted\u0027 field while holding fs_info-\u003etrans_lock\\nsince any freeing task must first acquire that lock and set\\nfs_info-\u003erunning_transaction to NULL before freeing the transaction.\\n\\nThis was reported by syzbot and Dmitry with the following stack traces\\nfrom KASAN:\\n\\n   ==================================================================\\n   BUG: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278\\n   Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128\\n\\n   CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0\\n   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\\n   Workqueue: events_unbound btrfs_async_reclaim_data_space\\n   Call Trace:\\n    \u003cTASK\u003e\\n    __dump_stack lib/dump_stack.c:94 [inline]\\n    dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\\n    print_address_description mm/kasan/report.c:378 [inline]\\n    print_report+0x169/0x550 mm/kasan/report.c:489\\n    kasan_report+0x143/0x180 mm/kasan/report.c:602\\n    join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278\\n    start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697\\n    flush_space+0x448/0xcf0 fs/btrfs/space-info.c:803\\n    btrfs_async_reclaim_data_space+0x159/0x510 fs/btrfs/space-info.c:1321\\n    process_one_work kernel/workqueue.c:3236 [inline]\\n    process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317\\n    worker_thread+0x870/0xd30 kernel/workqueue.c:3398\\n    kthread+0x2f0/0x390 kernel/kthread.c:389\\n    ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\\n    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\\n    \u003c/TASK\u003e\\n\\n   Allocated by task 5315:\\n    kasan_save_stack mm/kasan/common.c:47 [inline]\\n    kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\\n    poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\\n    __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\\n    kasan_kmalloc include/linux/kasan.h:260 [inline]\\n    __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329\\n    kmalloc_noprof include/linux/slab.h:901 [inline]\\n    join_transaction+0x144/0xda0 fs/btrfs/transaction.c:308\\n    start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697\\n    btrfs_create_common+0x1b2/0x2e0 fs/btrfs/inode.c:6572\\n    lookup_open fs/namei.c:3649 [inline]\\n    open_last_lookups fs/namei.c:3748 [inline]\\n    path_openat+0x1c03/0x3590 fs/namei.c:3984\\n    do_filp_open+0x27f/0x4e0 fs/namei.c:4014\\n    do_sys_openat2+0x13e/0x1d0 fs/open.c:1402\\n    do_sys_open fs/open.c:1417 [inline]\\n    __do_sys_creat fs/open.c:1495 [inline]\\n    __se_sys_creat fs/open.c:1489 [inline]\\n    __x64_sys_creat+0x123/0x170 fs/open.c:1489\\n    do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\\n    entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\n   Freed by task 5336:\\n    kasan_save_stack mm/kasan/common.c:47 [inline]\\n    kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\\n    kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582\\n    poison_slab_object mm/kasan/common.c:247 [inline]\\n    __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\\n    kasan_slab_free include/linux/kasan.h:233 [inline]\\n    slab_free_hook mm/slub.c:2353 [inline]\\n    slab_free mm/slub.c:4613 [inline]\\n    kfree+0x196/0x430 mm/slub.c:4761\\n    cleanup_transaction fs/btrfs/transaction.c:2063 [inline]\\n    btrfs_commit_transaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598\\n    insert_balance_item+0x1284/0x20b0 fs/btrfs/volumes.c:3757\\n    btrfs_balance+0x992/\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: corregir use-after-free al intentar unirse a una transacci\u00f3n abortada Cuando intentamos unirnos a la transacci\u00f3n actual y si se aborta, leemos su campo \u0027abortado\u0027 despu\u00e9s de desbloquear fs_info-\u0026gt;trans_lock y sin mantener ning\u00fan recuento de referencia adicional en \u00e9l. Esto significa que una tarea concurrente que est\u00e1 abortando la transacci\u00f3n puede liberar la transacci\u00f3n antes de que leamos su campo \u0027abortado\u0027, lo que lleva a un use-after-free. Arregle esto leyendo el campo \u0027abortado\u0027 mientras mantiene fs_info-\u0026gt;trans_lock ya que cualquier tarea de liberaci\u00f3n primero debe adquirir ese bloqueo y establecer fs_info-\u0026gt;running_transaction en NULL antes de liberar la transacci\u00f3n. Esto fue informado por syzbot y Dmitry con los siguientes seguimientos de pila de KASAN: ===================================================================== ERROR: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278 Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128 CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: events_unbound btrfs_async_reclaim_data_space Call Trace:  __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278 start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697 flush_space+0x448/0xcf0 fs/btrfs/space-info.c:803 btrfs_async_reclaim_data_space+0x159/0x510 fs/btrfs/space-info.c:1321 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317 worker_thread+0x870/0xd30 kernel/workqueue.c:3398 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244  Allocated by task 5315: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329 kmalloc_noprof include/linux/slab.h:901 [inline] join_transaction+0x144/0xda0 fs/btrfs/transaction.c:308 start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697 btrfs_create_common+0x1b2/0x2e0 fs/btrfs/inode.c:6572 lookup_open fs/namei.c:3649 [inline] open_last_lookups fs/namei.c:3748 [inline] path_openat+0x1c03/0x3590 fs/namei.c:3984 do_filp_open+0x27f/0x4e0 fs/namei.c:4014 do_sys_openat2+0x13e/0x1d0 fs/open.c:1402 do_sys_open fs/open.c:1417 [inline] __do_sys_creat fs/open.c:1495 [inline] __se_sys_creat fs/open.c:1489 [inline] __x64_sys_creat+0x123/0x170 fs/open.c:1489 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5336: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2353 [inline] slab_free mm/slub.c:4613 [inline] kfree+0x196/0x430 mm/slub.c:4761 cleanup_transaction fs/btrfs/transaction.c:2063 [inline] btrfs_commit_transaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598 insert_balance_item+0x1284/0x20b0 fs/btrfs/volumes.c:3757 btrfs_balance+0x992/ ---truncated--- \"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.4\",\"versionEndExcluding\":\"5.4.291\",\"matchCriteriaId\":\"72F7F814-6E30-44F2-9C56-A6E51C818560\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5\",\"versionEndExcluding\":\"5.10.235\",\"matchCriteriaId\":\"545121FA-DE31-4154-9446-C2000FB4104D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.179\",\"matchCriteriaId\":\"C708062C-4E1B-465F-AE6D-C09C46400875\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.129\",\"matchCriteriaId\":\"2DA5009C-C9B9-4A1D-9B96-78427E8F232C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.78\",\"matchCriteriaId\":\"0C58261F-EDFB-4A12-8CCD-F12101482030\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.14\",\"matchCriteriaId\":\"033BB7EE-C9A2-45EA-BAC9-87BB9D951BCD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.13.3\",\"matchCriteriaId\":\"0E92CEE3-1FC3-4AFC-A513-DEDBA7414F00\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"186716B6-2B66-4BD0-852E-D48E71C0C85F\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/6ba4663ada6c6315af23a6669d386146634808ec\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/7e954b6bb95d67ae4d1a20e9cfd83c182cf929bc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/86d71a026a7f63da905db9add845c8ee88801eca\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8f5cff471039caa2b088060c074c2bf2081bcb01\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c7a53757717e68af94a56929d57f1e6daff220ec\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ce628048390dad80320d5a1f74de6ca1e1be91e7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cee55b1219568c80bf0d5dc55066e4a859baf753\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e2f0943cf37305dbdeaf9846e3c941451bcdef63\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-265688.html\",\"source\":\"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T19:36:58.333Z\"}}, {\"affected\": [{\"vendor\": \"Siemens\", \"product\": \"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"*\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"x_adpType\": \"supplier\", \"references\": [{\"url\": \"https://cert-portal.siemens.com/productcert/html/ssa-265688.html\"}], \"providerMetadata\": {\"orgId\": \"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e\", \"shortName\": \"siemens-SADP\", \"dateUpdated\": \"2026-05-12T12:03:36.932Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-21753\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-27T18:14:22.911957Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-416\", \"description\": \"CWE-416 Use After Free\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-27T18:14:24.192Z\"}}], \"cna\": {\"title\": \"btrfs: fix use-after-free when attempting to join an aborted transaction\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"871383be592ba7e819d27556591e315a0df38cee\", \"lessThan\": \"cee55b1219568c80bf0d5dc55066e4a859baf753\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"871383be592ba7e819d27556591e315a0df38cee\", \"lessThan\": \"c7a53757717e68af94a56929d57f1e6daff220ec\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"871383be592ba7e819d27556591e315a0df38cee\", \"lessThan\": \"7e954b6bb95d67ae4d1a20e9cfd83c182cf929bc\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"871383be592ba7e819d27556591e315a0df38cee\", \"lessThan\": \"6ba4663ada6c6315af23a6669d386146634808ec\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"871383be592ba7e819d27556591e315a0df38cee\", \"lessThan\": \"8f5cff471039caa2b088060c074c2bf2081bcb01\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"871383be592ba7e819d27556591e315a0df38cee\", \"lessThan\": \"86d71a026a7f63da905db9add845c8ee88801eca\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"871383be592ba7e819d27556591e315a0df38cee\", \"lessThan\": \"ce628048390dad80320d5a1f74de6ca1e1be91e7\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"871383be592ba7e819d27556591e315a0df38cee\", \"lessThan\": \"e2f0943cf37305dbdeaf9846e3c941451bcdef63\", \"versionType\": \"git\"}], \"programFiles\": [\"fs/btrfs/transaction.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.4\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"3.4\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.4.291\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.235\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.179\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.129\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.78\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.12.14\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.12.*\"}, {\"status\": \"unaffected\", \"version\": \"6.13.3\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.13.*\"}, {\"status\": \"unaffected\", \"version\": \"6.14\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"fs/btrfs/transaction.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/cee55b1219568c80bf0d5dc55066e4a859baf753\"}, {\"url\": \"https://git.kernel.org/stable/c/c7a53757717e68af94a56929d57f1e6daff220ec\"}, {\"url\": \"https://git.kernel.org/stable/c/7e954b6bb95d67ae4d1a20e9cfd83c182cf929bc\"}, {\"url\": \"https://git.kernel.org/stable/c/6ba4663ada6c6315af23a6669d386146634808ec\"}, {\"url\": \"https://git.kernel.org/stable/c/8f5cff471039caa2b088060c074c2bf2081bcb01\"}, {\"url\": \"https://git.kernel.org/stable/c/86d71a026a7f63da905db9add845c8ee88801eca\"}, {\"url\": \"https://git.kernel.org/stable/c/ce628048390dad80320d5a1f74de6ca1e1be91e7\"}, {\"url\": \"https://git.kernel.org/stable/c/e2f0943cf37305dbdeaf9846e3c941451bcdef63\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: fix use-after-free when attempting to join an aborted transaction\\n\\nWhen we are trying to join the current transaction and if it\u0027s aborted,\\nwe read its \u0027aborted\u0027 field after unlocking fs_info-\u003etrans_lock and\\nwithout holding any extra reference count on it. This means that a\\nconcurrent task that is aborting the transaction may free the transaction\\nbefore we read its \u0027aborted\u0027 field, leading to a use-after-free.\\n\\nFix this by reading the \u0027aborted\u0027 field while holding fs_info-\u003etrans_lock\\nsince any freeing task must first acquire that lock and set\\nfs_info-\u003erunning_transaction to NULL before freeing the transaction.\\n\\nThis was reported by syzbot and Dmitry with the following stack traces\\nfrom KASAN:\\n\\n   ==================================================================\\n   BUG: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278\\n   Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128\\n\\n   CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0\\n   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\\n   Workqueue: events_unbound btrfs_async_reclaim_data_space\\n   Call Trace:\\n    \u003cTASK\u003e\\n    __dump_stack lib/dump_stack.c:94 [inline]\\n    dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\\n    print_address_description mm/kasan/report.c:378 [inline]\\n    print_report+0x169/0x550 mm/kasan/report.c:489\\n    kasan_report+0x143/0x180 mm/kasan/report.c:602\\n    join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278\\n    start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697\\n    flush_space+0x448/0xcf0 fs/btrfs/space-info.c:803\\n    btrfs_async_reclaim_data_space+0x159/0x510 fs/btrfs/space-info.c:1321\\n    process_one_work kernel/workqueue.c:3236 [inline]\\n    process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317\\n    worker_thread+0x870/0xd30 kernel/workqueue.c:3398\\n    kthread+0x2f0/0x390 kernel/kthread.c:389\\n    ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\\n    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\\n    \u003c/TASK\u003e\\n\\n   Allocated by task 5315:\\n    kasan_save_stack mm/kasan/common.c:47 [inline]\\n    kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\\n    poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\\n    __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\\n    kasan_kmalloc include/linux/kasan.h:260 [inline]\\n    __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329\\n    kmalloc_noprof include/linux/slab.h:901 [inline]\\n    join_transaction+0x144/0xda0 fs/btrfs/transaction.c:308\\n    start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697\\n    btrfs_create_common+0x1b2/0x2e0 fs/btrfs/inode.c:6572\\n    lookup_open fs/namei.c:3649 [inline]\\n    open_last_lookups fs/namei.c:3748 [inline]\\n    path_openat+0x1c03/0x3590 fs/namei.c:3984\\n    do_filp_open+0x27f/0x4e0 fs/namei.c:4014\\n    do_sys_openat2+0x13e/0x1d0 fs/open.c:1402\\n    do_sys_open fs/open.c:1417 [inline]\\n    __do_sys_creat fs/open.c:1495 [inline]\\n    __se_sys_creat fs/open.c:1489 [inline]\\n    __x64_sys_creat+0x123/0x170 fs/open.c:1489\\n    do_syscall_x64 arch/x86/entry/common.c:52 [inline]\\n    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\\n    entry_SYSCALL_64_after_hwframe+0x77/0x7f\\n\\n   Freed by task 5336:\\n    kasan_save_stack mm/kasan/common.c:47 [inline]\\n    kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\\n    kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582\\n    poison_slab_object mm/kasan/common.c:247 [inline]\\n    __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\\n    kasan_slab_free include/linux/kasan.h:233 [inline]\\n    slab_free_hook mm/slub.c:2353 [inline]\\n    slab_free mm/slub.c:4613 [inline]\\n    kfree+0x196/0x430 mm/slub.c:4761\\n    cleanup_transaction fs/btrfs/transaction.c:2063 [inline]\\n    btrfs_commit_transaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598\\n    insert_balance_item+0x1284/0x20b0 fs/btrfs/volumes.c:3757\\n    btrfs_balance+0x992/\\n---truncated---\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.4.291\", \"versionStartIncluding\": \"3.4\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.235\", \"versionStartIncluding\": \"3.4\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.179\", \"versionStartIncluding\": \"3.4\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.129\", \"versionStartIncluding\": \"3.4\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.78\", \"versionStartIncluding\": \"3.4\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.12.14\", \"versionStartIncluding\": \"3.4\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.13.3\", \"versionStartIncluding\": \"3.4\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.14\", \"versionStartIncluding\": \"3.4\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-05-11T21:05:45.922Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-21753\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-12T12:03:36.932Z\", \"dateReserved\": \"2024-12-29T08:45:45.760Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2025-02-27T02:12:23.235Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.