CVE-2025-21753

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix use-after-free when attempting to join an aborted transaction

When we are trying to join the current transaction and if it's aborted, we read its 'aborted' field after unlocking fsinfo->translock and without holding any extra reference count on it. This means that a concurrent task that is aborting the transaction may free the transaction before we read its 'aborted' field, leading to a use-after-free.

Fix this by reading the 'aborted' field while holding fsinfo->translock since any freeing task must first acquire that lock and set fsinfo->runningtransaction to NULL before freeing the transaction.

This was reported by syzbot and Dmitry with the following stack traces from KASAN:

================================================================== BUG: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278 Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128

CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: eventsunbound btrfsasyncreclaimdata_space Call Trace: <TASK> _dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x241/0x360 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0x169/0x550 mm/kasan/report.c:489 kasanreport+0x143/0x180 mm/kasan/report.c:602 jointransaction+0xd9b/0xda0 fs/btrfs/transaction.c:278 starttransaction+0xaf8/0x1670 fs/btrfs/transaction.c:697 flushspace+0x448/0xcf0 fs/btrfs/space-info.c:803 btrfsasyncreclaimdataspace+0x159/0x510 fs/btrfs/space-info.c:1321 processonework kernel/workqueue.c:3236 [inline] processscheduledworks+0xa66/0x1840 kernel/workqueue.c:3317 workerthread+0x870/0xd30 kernel/workqueue.c:3398 kthread+0x2f0/0x390 kernel/kthread.c:389 retfromfork+0x4b/0x80 arch/x86/kernel/process.c:147 retfromforkasm+0x1a/0x30 arch/x86/entry/entry64.S:244 </TASK>

Allocated by task 5315: kasansavestack mm/kasan/common.c:47 [inline] kasansavetrack+0x3f/0x80 mm/kasan/common.c:68 poisonkmallocredzone mm/kasan/common.c:377 [inline] __kasankmalloc+0x98/0xb0 mm/kasan/common.c:394 kasankmalloc include/linux/kasan.h:260 [inline] __kmalloccachenoprof+0x243/0x390 mm/slub.c:4329 kmallocnoprof include/linux/slab.h:901 [inline] jointransaction+0x144/0xda0 fs/btrfs/transaction.c:308 starttransaction+0xaf8/0x1670 fs/btrfs/transaction.c:697 btrfscreatecommon+0x1b2/0x2e0 fs/btrfs/inode.c:6572 lookupopen fs/namei.c:3649 [inline] openlastlookups fs/namei.c:3748 [inline] pathopenat+0x1c03/0x3590 fs/namei.c:3984 dofilpopen+0x27f/0x4e0 fs/namei.c:4014 dosysopenat2+0x13e/0x1d0 fs/open.c:1402 dosys_open fs/open.c:1417 [inline] __dosyscreat fs/open.c:1495 [inline] __sesyscreat fs/open.c:1489 [inline] __x64syscreat+0x123/0x170 fs/open.c:1489 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xf3/0x230 arch/x86/entry/common.c:83 entrySYSCALL64afterhwframe+0x77/0x7f

Freed by task 5336: kasansavestack mm/kasan/common.c:47 [inline] kasansavetrack+0x3f/0x80 mm/kasan/common.c:68 kasansavefreeinfo+0x40/0x50 mm/kasan/generic.c:582 poisonslab_object mm/kasan/common.c:247 [inline] _kasanslabfree+0x59/0x70 mm/kasan/common.c:264 kasanslabfree include/linux/kasan.h:233 [inline] slabfreehook mm/slub.c:2353 [inline] slabfree mm/slub.c:4613 [inline] kfree+0x196/0x430 mm/slub.c:4761 cleanuptransaction fs/btrfs/transaction.c:2063 [inline] btrfscommittransaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598 insertbalanceitem+0x1284/0x20b0 fs/btrfs/volumes.c:3757 btrfsbalance+0x992/ ---truncated---