CVE-2021-47510: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix re-dirty process of tree-log nodes

There is a report of a transaction abort of -EAGAIN with the following script.

    #!/bin/sh

    for d in sda sdb; do
        mkfs.btrfs -d single -m single -f /dev/${d}
    done

    mount /dev/sda /mnt/test
    mount /dev/sdb /mnt/scratch

    for dir in test scratch; do
        echo 3 >/proc/sys/vm/drop_caches
        fio --directory=/mnt/${dir} --name=fio.${dir} --rw=read --size=50G --bs=64m \
            --numjobs=$(nproc) --time_based --ramp_time=5 --runtime=480 \
            --group_reporting |& tee /dev/shm/fio.${dir}
        echo 3 >/proc/sys/vm/drop_caches
    done

    for d in sda sdb; do
        umount /dev/${d}
    done

The stack trace is shown below.

    [3310.967991] BTRFS: error (device sda) in btrfs_commit_transaction:2341: errno=-11 unknown (Error while writing out transaction)
    [3310.968060] BTRFS info (device sda): forced readonly
    [3310.968064] BTRFS warning (device sda): Skipping commit of aborted transaction.
    [3310.968065] ------------[ cut here ]------------
    [3310.968066] BTRFS: Transaction aborted (error -11)
    [3310.968074] WARNING: CPU: 14 PID: 1684 at fs/btrfs/transaction.c:1946 btrfs_commit_transaction.cold+0x209/0x2c8
    [3310.968131] CPU: 14 PID: 1684 Comm: fio Not tainted 5.14.10-300.fc35.x86_64 #1
    [3310.968135] Hardware name: DIAWAY Tartu/Tartu, BIOS V2.01.B10 04/08/2021
    [3310.968137] RIP: 0010:btrfs_commit_transaction.cold+0x209/0x2c8
    [3310.968144] RSP: 0018:ffffb284ce393e10 EFLAGS: 00010282
    [3310.968147] RAX: 0000000000000026 RBX: ffff973f147b0f60 RCX: 0000000000000027
    [3310.968149] RDX: ffff974ecf098a08 RSI: 0000000000000001 RDI: ffff974ecf098a00
    [3310.968150] RBP: ffff973f147b0f08 R08: 0000000000000000 R09: ffffb284ce393c48
    [3310.968151] R10: ffffb284ce393c40 R11: ffffffff84f47468 R12: ffff973f101bfc00
    [3310.968153] R13: ffff971f20cf2000 R14: 00000000fffffff5 R15: ffff973f147b0e58
    [3310.968154] FS: 00007efe65468740(0000) GS:ffff974ecf080000(0000) knlGS:0000000000000000
    [3310.968157] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [3310.968158] CR2: 000055691bcbe260 CR3: 000000105cfa4001 CR4: 0000000000770ee0
    [3310.968160] PKRU: 55555554
    [3310.968161] Call Trace:
    [3310.968167] ? dput+0xd4/0x300
    [3310.968174] btrfs_sync_file+0x3f1/0x490
    [3310.968180] __x64_sys_fsync+0x33/0x60
    [3310.968185] do_syscall_64+0x3b/0x90
    [3310.968190] entry_SYSCALL_64_after_hwframe+0x44/0xae
    [3310.968194] RIP: 0033:0x7efe6557329b
    [3310.968200] RSP: 002b:00007ffe0236ebc0 EFLAGS: 00000293 ORIG_RAX: 000000000000004a
    [3310.968203] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007efe6557329b
    [3310.968204] RDX: 0000000000000000 RSI: 00007efe58d77010 RDI: 0000000000000006
    [3310.968205] RBP: 0000000004000000 R08: 0000000000000000 R09: 00007efe58d77010
    [3310.968207] R10: 0000000016cacc0c R11: 0000000000000293 R12: 00007efe5ce95980
    [3310.968208] R13: 0000000000000000 R14: 00007efe6447c790 R15: 0000000c80000000
    [3310.968212] ---[ end trace 1a346f4d3c0d96ba ]---
    [3310.968214] BTRFS: error (device sda) in cleanup_transaction:1946: errno=-11 unknown

The abort occurs because of a write hole while writing out freeing tree nodes of a tree-log tree. For zoned btrfs, we re-dirty a freed tree node to ensure btrfs can write the region and does not leave a hole on write on a zoned device. The current code fails to re-dirty a node when the tree-log tree's depth is greater than or equal to 2. That leads to a transaction abort with -EAGAIN.

Fix the issue by properly re-dirtying a node on walking up the tree.
AI Analysis
Technical Summary
CVE-2021-47510 is a vulnerability in the Linux kernel's Btrfs (B-tree file system) implementation related to transaction handling during tree-log node processing. Btrfs is a modern copy-on-write filesystem widely used in Linux environments for its advanced features such as snapshots, checksums, and integrated RAID support. The vulnerability arises from improper handling of re-dirtying freed tree nodes in the tree-log when the tree depth is greater than or equal to two. Specifically, during a transaction commit, the kernel fails to re-dirty certain nodes, which leads to a write hole on zoned block devices. This causes the transaction to abort with an -EAGAIN error code, indicating a temporary failure that requires retrying the operation. The issue manifests as errors in the kernel logs, forced read-only remounts of the affected Btrfs device, and aborted transactions, which can disrupt normal filesystem operations. The provided script demonstrates how running concurrent I/O workloads on multiple Btrfs devices can trigger this condition, resulting in transaction aborts and filesystem errors. The root cause is a logic flaw in the btrfs_commit_transaction function where nodes freed during the transaction are not properly re-dirtied when the tree-log tree depth is >= 2, leading to incomplete writes and potential data integrity issues on zoned devices. The fix involves correctly re-dirtying these nodes during the transaction commit process to ensure all data is properly written and no holes are left. Although no known exploits are reported in the wild, the vulnerability can cause denial of service by forcing the filesystem into a read-only state and aborting transactions, potentially impacting system stability and availability.
Potential Impact
For European organizations, especially those relying on Linux servers with Btrfs filesystems on zoned block devices (such as SMR HDDs or Zoned Namespace SSDs), this vulnerability can lead to unexpected transaction aborts and forced read-only mounts. This can cause application disruptions, data write failures, and potential data loss if transactions cannot be committed properly. Organizations using Btrfs for critical storage, including cloud providers, data centers, and enterprises running Linux-based infrastructure, may experience degraded service availability and increased operational overhead due to filesystem instability. The impact is primarily on availability and integrity, as aborted transactions may prevent data from being fully committed, and forced read-only states limit write operations. While confidentiality is not directly affected, the disruption to data storage services can impact business continuity and service-level agreements. Since the vulnerability requires specific conditions (zoned devices and certain tree depths), its impact is more pronounced in environments using these storage technologies. European organizations with advanced storage setups or those adopting zoned storage for cost or performance reasons are at higher risk.
Mitigation Recommendations
1. Apply the official Linux kernel patch that fixes the re-dirtying logic in the Btrfs transaction commit process as soon as it becomes available. Monitor kernel updates from trusted Linux distributions and vendors.
2. Avoid using zoned block devices with Btrfs filesystems until the patch is applied, or consider switching to alternative filesystems that do not exhibit this issue.
3. Implement robust monitoring of Btrfs filesystem logs and kernel messages to detect early signs of transaction aborts or forced read-only remounts.
4. Regularly back up critical data stored on Btrfs filesystems to mitigate risks of data loss due to aborted transactions.
5. For environments where patching is delayed, consider limiting concurrent heavy I/O workloads on Btrfs volumes to reduce the likelihood of triggering the bug.
6. Engage with storage vendors and Linux distribution maintainers to verify compatibility and receive timely updates related to this vulnerability.
7. Test patched kernels in staging environments before production deployment to ensure stability and compatibility with existing workloads.
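The log monitoring in recommendation 3 can key on the message shapes visible in the kernel log quoted in the description. The Python below is an added example, not code from this advisory or from the kernel project; the function names scan and alerts are hypothetical, and a dmesg-style timestamp prefix is assumed.

```python
import re
from collections import defaultdict

# First six lines are copied from the kernel log quoted on this page; the last
# line is constructed to show that routine Btrfs messages are ignored.
SAMPLE_LOG = """\
[3310.967991] BTRFS: error (device sda) in btrfs_commit_transaction:2341: errno=-11 unknown (Error while writing out transaction)
[3310.968060] BTRFS info (device sda): forced readonly
[3310.968064] BTRFS warning (device sda): Skipping commit of aborted transaction.
[3310.968066] BTRFS: Transaction aborted (error -11)
[3310.968131] CPU: 14 PID: 1684 Comm: fio Not tainted 5.14.10-300.fc35.x86_64 #1
[3310.968214] BTRFS: error (device sda) in cleanup_transaction:1946: errno=-11 unknown
[3311.000000] BTRFS info (device sdz): using free space tree
"""

# Message shapes taken from the quoted log ("[seconds.micros]" prefix assumed).
PREFIX = r"\[\s*(?P<ts>\d+\.\d+)\]\s+BTRFS"
DEV = r"\(device (?P<dev>[^)]+)\)"
PATTERNS = {
    "error": re.compile(PREFIX + r": error " + DEV + r" in (?P<func>\w+):(?P<line>\d+): errno=(?P<errno>-?\d+)"),
    "forced_readonly": re.compile(PREFIX + r" info " + DEV + r": forced readonly"),
    "commit_skipped": re.compile(PREFIX + r" warning " + DEV + r": Skipping commit of aborted transaction"),
}

def scan(log_text):
    """Group abort / read-only indicators by Btrfs device."""
    devices = defaultdict(lambda: {"first_seen": None, "errors": [],
                                   "forced_readonly": False, "commit_skipped": False})
    for raw in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(raw)
            if m is None:
                continue
            entry = devices[m["dev"]]
            ts = float(m["ts"])
            if entry["first_seen"] is None or ts < entry["first_seen"]:
                entry["first_seen"] = ts
            if kind == "error":
                entry["errors"].append((m["func"], int(m["line"]), int(m["errno"])))
            else:
                entry[kind] = True
            break
    return dict(devices)

def alerts(devices):
    """One alert line per device that went read-only or logged errno -11 (EAGAIN)."""
    out = []
    for dev, e in sorted(devices.items()):
        eagain = [f"{func}:{line}" for func, line, err in e["errors"] if err == -11]
        if e["forced_readonly"] or eagain:
            state = "forced read-only" if e["forced_readonly"] else "still writable"
            out.append(f"{dev}: {state}; errno=-11 at {', '.join(eagain) or 'n/a'}")
    return out
```

Feeding it the output of `dmesg` or a journal export in place of SAMPLE_LOG gives one alert per affected device; lines without a device tag, such as "Transaction aborted (error -11)", are deliberately not attributed.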
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Estonia
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-24T15:02:54.823Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9833c4522896dcbe92fd
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 1:57:21 PM
Last updated: 8/11/2025, 11:55:37 AM