FKIE_CVE-2025-71194

Vulnerability from fkie_nvd - Published: 2026-02-04 17:16 - Updated: 2026-02-06 17:16
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock in wait_current_trans() due to ignored transaction type When wait_current_trans() is called during start_transaction(), it currently waits for a blocked transaction without considering whether the given transaction type actually needs to wait for that particular transaction state. The btrfs_blocked_trans_types[] array already defines which transaction types should wait for which transaction states, but this check was missing in wait_current_trans(). This can lead to a deadlock scenario involving two transactions and pending ordered extents: 1. Transaction A is in TRANS_STATE_COMMIT_DOING state 2. A worker processing an ordered extent calls start_transaction() with TRANS_JOIN 3. join_transaction() returns -EBUSY because Transaction A is in TRANS_STATE_COMMIT_DOING 4. Transaction A moves to TRANS_STATE_UNBLOCKED and completes 5. A new Transaction B is created (TRANS_STATE_RUNNING) 6. The ordered extent from step 2 is added to Transaction B's pending ordered extents 7. Transaction B immediately starts commit by another task and enters TRANS_STATE_COMMIT_START 8. The worker finally reaches wait_current_trans(), sees Transaction B in TRANS_STATE_COMMIT_START (a blocked state), and waits unconditionally 9. However, TRANS_JOIN should NOT wait for TRANS_STATE_COMMIT_START according to btrfs_blocked_trans_types[] 10. Transaction B is waiting for pending ordered extents to complete 11. Deadlock: Transaction B waits for ordered extent, ordered extent waits for Transaction B This can be illustrated by the following call stacks: CPU0 CPU1 btrfs_finish_ordered_io() start_transaction(TRANS_JOIN) join_transaction() # -EBUSY (Transaction A is # TRANS_STATE_COMMIT_DOING) # Transaction A completes # Transaction B created # ordered extent added to # Transaction B's pending list btrfs_commit_transaction() # Transaction B enters # TRANS_STATE_COMMIT_START # waiting for pending ordered # extents wait_current_trans() # waits for Transaction B # (should not wait!) Task bstore_kv_sync in btrfs_commit_transaction waiting for ordered extents: __schedule+0x2e7/0x8a0 schedule+0x64/0xe0 btrfs_commit_transaction+0xbf7/0xda0 [btrfs] btrfs_sync_file+0x342/0x4d0 [btrfs] __x64_sys_fdatasync+0x4b/0x80 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Task kworker in wait_current_trans waiting for transaction commit: Workqueue: btrfs-syno_nocow btrfs_work_helper [btrfs] __schedule+0x2e7/0x8a0 schedule+0x64/0xe0 wait_current_trans+0xb0/0x110 [btrfs] start_transaction+0x346/0x5b0 [btrfs] btrfs_finish_ordered_io.isra.0+0x49b/0x9c0 [btrfs] btrfs_work_helper+0xe8/0x350 [btrfs] process_one_work+0x1d3/0x3c0 worker_thread+0x4d/0x3e0 kthread+0x12d/0x150 ret_from_fork+0x1f/0x30 Fix this by passing the transaction type to wait_current_trans() and checking btrfs_blocked_trans_types[cur_trans->state] against the given type before deciding to wait. This ensures that transaction types which are allowed to join during certain blocked states will not unnecessarily wait and cause deadlocks.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/5037b342825df7094a4906d1e2a9674baab50cb2
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8b0bb145d3bc264360f525c9717653be3522e528
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/99da896614d17e8a84aeb2b2d464ac046cc8633d
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9ac63333d600732a56b35ee1fa46836da671eb50
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d7b04b40ac8e6d814e35202a0e1568809b818295
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/dc84036c173cff6a432d9ab926298850b1d2a659
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e563f59395981fcd69d130761290929806e728d6
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix deadlock in wait_current_trans() due to ignored transaction type\n\nWhen wait_current_trans() is called during start_transaction(), it\ncurrently waits for a blocked transaction without considering whether\nthe given transaction type actually needs to wait for that particular\ntransaction state. The btrfs_blocked_trans_types[] array already defines\nwhich transaction types should wait for which transaction states, but\nthis check was missing in wait_current_trans().\n\nThis can lead to a deadlock scenario involving two transactions and\npending ordered extents:\n\n  1. Transaction A is in TRANS_STATE_COMMIT_DOING state\n\n  2. A worker processing an ordered extent calls start_transaction()\n     with TRANS_JOIN\n\n  3. join_transaction() returns -EBUSY because Transaction A is in\n     TRANS_STATE_COMMIT_DOING\n\n  4. Transaction A moves to TRANS_STATE_UNBLOCKED and completes\n\n  5. A new Transaction B is created (TRANS_STATE_RUNNING)\n\n  6. The ordered extent from step 2 is added to Transaction B\u0027s\n     pending ordered extents\n\n  7. Transaction B immediately starts commit by another task and\n     enters TRANS_STATE_COMMIT_START\n\n  8. The worker finally reaches wait_current_trans(), sees Transaction B\n     in TRANS_STATE_COMMIT_START (a blocked state), and waits\n     unconditionally\n\n  9. However, TRANS_JOIN should NOT wait for TRANS_STATE_COMMIT_START\n     according to btrfs_blocked_trans_types[]\n\n  10. Transaction B is waiting for pending ordered extents to complete\n\n  11. Deadlock: Transaction B waits for ordered extent, ordered extent\n      waits for Transaction B\n\nThis can be illustrated by the following call stacks:\n  CPU0                              CPU1\n                                    btrfs_finish_ordered_io()\n                                      start_transaction(TRANS_JOIN)\n                                        join_transaction()\n                                          # -EBUSY (Transaction A is\n                                          # TRANS_STATE_COMMIT_DOING)\n  # Transaction A completes\n  # Transaction B created\n  # ordered extent added to\n  # Transaction B\u0027s pending list\n  btrfs_commit_transaction()\n    # Transaction B enters\n    # TRANS_STATE_COMMIT_START\n    # waiting for pending ordered\n    # extents\n                                        wait_current_trans()\n                                          # waits for Transaction B\n                                          # (should not wait!)\n\nTask bstore_kv_sync in btrfs_commit_transaction waiting for ordered\nextents:\n\n  __schedule+0x2e7/0x8a0\n  schedule+0x64/0xe0\n  btrfs_commit_transaction+0xbf7/0xda0 [btrfs]\n  btrfs_sync_file+0x342/0x4d0 [btrfs]\n  __x64_sys_fdatasync+0x4b/0x80\n  do_syscall_64+0x33/0x40\n  entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nTask kworker in wait_current_trans waiting for transaction commit:\n\n  Workqueue: btrfs-syno_nocow btrfs_work_helper [btrfs]\n  __schedule+0x2e7/0x8a0\n  schedule+0x64/0xe0\n  wait_current_trans+0xb0/0x110 [btrfs]\n  start_transaction+0x346/0x5b0 [btrfs]\n  btrfs_finish_ordered_io.isra.0+0x49b/0x9c0 [btrfs]\n  btrfs_work_helper+0xe8/0x350 [btrfs]\n  process_one_work+0x1d3/0x3c0\n  worker_thread+0x4d/0x3e0\n  kthread+0x12d/0x150\n  ret_from_fork+0x1f/0x30\n\nFix this by passing the transaction type to wait_current_trans() and\nchecking btrfs_blocked_trans_types[cur_trans-\u003estate] against the given\ntype before deciding to wait. This ensures that transaction types which\nare allowed to join during certain blocked states will not unnecessarily\nwait and cause deadlocks."
    }
  ],
  "id": "CVE-2025-71194",
  "lastModified": "2026-02-06T17:16:19.230",
  "metrics": {},
  "published": "2026-02-04T17:16:11.297",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/5037b342825df7094a4906d1e2a9674baab50cb2"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/8b0bb145d3bc264360f525c9717653be3522e528"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/99da896614d17e8a84aeb2b2d464ac046cc8633d"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/9ac63333d600732a56b35ee1fa46836da671eb50"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/d7b04b40ac8e6d814e35202a0e1568809b818295"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/dc84036c173cff6a432d9ab926298850b1d2a659"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/e563f59395981fcd69d130761290929806e728d6"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.