CVE-2025-21754: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix assertion failure when splitting ordered extent after transaction abort

If while we are doing a direct IO write a transaction abort happens, we mark all existing ordered extents with the BTRFS_ORDERED_IOERR flag (done at btrfs_destroy_ordered_extents()), and then after that if we enter btrfs_split_ordered_extent() and the ordered extent has bytes left (meaning we have a bio that doesn't cover the whole ordered extent, see details at btrfs_extract_ordered_extent()), we will fail on the following assertion at btrfs_split_ordered_extent():

    ASSERT(!(flags & ~BTRFS_ORDERED_TYPE_FLAGS));

because the BTRFS_ORDERED_IOERR flag is set and the definition of BTRFS_ORDERED_TYPE_FLAGS is just the union of all flags that identify the type of write (regular, nocow, prealloc, compressed, direct IO, encoded).

Fix this by returning an error from btrfs_extract_ordered_extent() if we find the BTRFS_ORDERED_IOERR flag in the ordered extent. The error will be the error that resulted in the transaction abort or -EIO if no transaction abort happened.

This was recently reported by syzbot with the following trace:

    FAULT_INJECTION: forcing a failure.
    name failslab, interval 1, probability 0, space 0, times 1
    CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted 6.13.0-rc5-syzkaller #0
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
    Call Trace:
     <TASK>
     __dump_stack lib/dump_stack.c:94 [inline]
     dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
     fail_dump lib/fault-inject.c:53 [inline]
     should_fail_ex+0x3b0/0x4e0 lib/fault-inject.c:154
     should_failslab+0xac/0x100 mm/failslab.c:46
     slab_pre_alloc_hook mm/slub.c:4072 [inline]
     slab_alloc_node mm/slub.c:4148 [inline]
     __do_kmalloc_node mm/slub.c:4297 [inline]
     __kmalloc_noprof+0xdd/0x4c0 mm/slub.c:4310
     kmalloc_noprof include/linux/slab.h:905 [inline]
     kzalloc_noprof include/linux/slab.h:1037 [inline]
     btrfs_chunk_alloc_add_chunk_item+0x244/0x1100 fs/btrfs/volumes.c:5742
     reserve_chunk_space+0x1ca/0x2c0 fs/btrfs/block-group.c:4292
     check_system_chunk fs/btrfs/block-group.c:4319 [inline]
     do_chunk_alloc fs/btrfs/block-group.c:3891 [inline]
     btrfs_chunk_alloc+0x77b/0xf80 fs/btrfs/block-group.c:4187
     find_free_extent_update_loop fs/btrfs/extent-tree.c:4166 [inline]
     find_free_extent+0x42d1/0x5810 fs/btrfs/extent-tree.c:4579
     btrfs_reserve_extent+0x422/0x810 fs/btrfs/extent-tree.c:4672
     btrfs_new_extent_direct fs/btrfs/direct-io.c:186 [inline]
     btrfs_get_blocks_direct_write+0x706/0xfa0 fs/btrfs/direct-io.c:321
     btrfs_dio_iomap_begin+0xbb7/0x1180 fs/btrfs/direct-io.c:525
     iomap_iter+0x697/0xf60 fs/iomap/iter.c:90
     __iomap_dio_rw+0xeb9/0x25b0 fs/iomap/direct-io.c:702
     btrfs_dio_write fs/btrfs/direct-io.c:775 [inline]
     btrfs_direct_write+0x610/0xa30 fs/btrfs/direct-io.c:880
     btrfs_do_write_iter+0x2a0/0x760 fs/btrfs/file.c:1397
     do_iter_readv_writev+0x600/0x880
     vfs_writev+0x376/0xba0 fs/read_write.c:1050
     do_pwritev fs/read_write.c:1146 [inline]
     __do_sys_pwritev2 fs/read_write.c:1204 [inline]
     __se_sys_pwritev2+0x196/0x2b0 fs/read_write.c:1195
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    RIP: 0033:0x7f1281f85d29
    RSP: 002b:00007f12819fe038 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
    RAX: ffffffffffffffda RBX: 00007f1282176080 RCX: 00007f1281f85d29
    RDX: 0000000000000001 RSI: 0000000020000240 RDI: 0000000000000005
    RBP: 00007f12819fe090 R08: 0000000000000000 R09: 0000000000000003
    R10: 0000000000007000 R11: 0000000000000246 R12: 0000000000000002
    R13: 0000000000000000 R14: 00007f1282176080 R15: 00007ffcb9e23328
     </TASK>
    BTRFS error (device loop0 state A): Transaction aborted (error -12)
    BTRFS: error (device loop0 state A ---truncated---
AI Analysis
Technical Summary
CVE-2025-21754 is a bug in the Linux kernel's Btrfs filesystem implementation in how ordered extents are handled when a transaction abort occurs during a direct IO write. Btrfs uses ordered extents to track pending IO operations. When a transaction abort happens while a direct IO write is in progress, all existing ordered extents are marked with the BTRFS_ORDERED_IOERR flag to indicate an IO error. If the kernel subsequently attempts to split an ordered extent that still has bytes left (i.e., the bio does not cover the entire extent), it hits an assertion failure because the BTRFS_ORDERED_IOERR flag is set.

The root cause is that btrfs_split_ordered_extent() asserts that only write-type flags (BTRFS_ORDERED_TYPE_FLAGS) are set, and the IO error flag is outside this set, so the assertion fails and leads to a kernel panic or crash. The fix modifies btrfs_extract_ordered_extent() to return an error immediately if the IO error flag is detected, which prevents the assertion failure.

The vulnerability was discovered through fault injection testing (syzbot) and results in a kernel crash when triggered. While no known exploits are reported in the wild, it can cause denial of service by crashing systems that run affected Linux kernel versions with a Btrfs filesystem and direct IO workloads. The issue affects Linux kernel versions around 6.13.0-rc5 and possibly others using the vulnerable Btrfs code paths. No CVSS score is assigned yet and no patches are linked in the provided data, but the vulnerability is publicly disclosed and classified as a kernel-level bug causing assertion failures and potential system instability.
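Added example (not from the advisory or the kernel source): a user-space C model of the flag check described above, showing why the assertion fails once BTRFS_ORDERED_IOERR is set and how the early error return avoids reaching it. The bit positions, the struct, the order of checks, the fixed switch and the ASSERT_WOULD_FIRE result are assumptions of the model.

```c
#include <errno.h>
#include <stdio.h>

/* User-space model. Flag names follow the advisory; the bit positions and
 * struct layout are illustrative and not copied from the kernel. */
enum { REGULAR, NOCOW, PREALLOC, COMPRESSED, DIRECT, ENCODED, IOERR };
#define BIT(n) (1UL << (n))
#define BTRFS_ORDERED_IOERR BIT(IOERR)
/* Union of the flags that identify the type of write, and nothing else. */
#define BTRFS_ORDERED_TYPE_FLAGS (BIT(REGULAR) | BIT(NOCOW) | BIT(PREALLOC) | \
                                  BIT(COMPRESSED) | BIT(DIRECT) | BIT(ENCODED))
#define ASSERT_WOULD_FIRE 1 /* model result: the kernel ASSERT() would trip */

struct ordered_extent { unsigned long flags; unsigned long long num_bytes; };

/* Condition asserted in btrfs_split_ordered_extent(); 1 means it holds. */
static int split_assert_holds(unsigned long flags)
{
    return !(flags & ~BTRFS_ORDERED_TYPE_FLAGS);
}

/* What a transaction abort does to every existing ordered extent. */
static void mark_ioerr(struct ordered_extent *oe)
{
    oe->flags |= BTRFS_ORDERED_IOERR;
}

/* Model of btrfs_extract_ordered_extent(). abort_err is the error that
 * aborted the transaction (0 if none); fixed selects the patched behaviour.
 * Returns 0 on success, a negative errno, or ASSERT_WOULD_FIRE. */
static int extract_ordered_extent(struct ordered_extent *oe,
                                  unsigned long long bio_len,
                                  int abort_err, int fixed)
{
    if (bio_len == oe->num_bytes)
        return 0;                       /* bio covers the extent: no split */
    if (fixed && (oe->flags & BTRFS_ORDERED_IOERR))
        return abort_err ? abort_err : -EIO;
    if (!split_assert_holds(oe->flags))
        return ASSERT_WOULD_FIRE;
    oe->num_bytes -= bio_len;           /* split off the part the bio covers */
    return 0;
}

int main(void)
{
    struct ordered_extent oe = { BIT(DIRECT), 8192 };
    mark_ioerr(&oe);
    printf("unpatched: %d\n", extract_ordered_extent(&oe, 4096, -ENOMEM, 0));
    printf("patched:   %d\n", extract_ordered_extent(&oe, 4096, -ENOMEM, 1));
    return 0;
}
```

The -ENOMEM passed in main() corresponds to the "Transaction aborted (error -12)" line in the syzbot trace.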
Potential Impact
For European organizations, the primary impact of CVE-2025-21754 is the risk of denial of service (DoS) on systems running Linux with Btrfs filesystems, especially those utilizing direct IO writes. This can lead to unexpected kernel panics and system crashes, resulting in service interruptions, data unavailability, and potential operational disruptions. Organizations relying on Btrfs for critical storage—such as cloud providers, data centers, and enterprises using Linux-based storage appliances—may experience downtime or degraded performance. Although this vulnerability does not appear to allow privilege escalation or data corruption directly, the forced transaction aborts and kernel crashes could interrupt business-critical applications and services. In sectors like finance, healthcare, and manufacturing, where uptime and data integrity are paramount, such disruptions could have significant operational and financial consequences. Additionally, recovery from kernel crashes may require manual intervention, increasing administrative overhead. Since no known exploits are reported, the immediate risk is moderate, but the vulnerability's presence in the kernel codebase means attackers could potentially develop exploits to trigger DoS conditions remotely or locally, especially in multi-tenant or shared environments.
Mitigation Recommendations
To mitigate CVE-2025-21754, European organizations should:
1) Apply kernel updates promptly once official patches are released by Linux maintainers to fix the Btrfs ordered extent handling.
2) Until patches are available, consider disabling direct IO on Btrfs volumes if feasible, as the vulnerability is triggered during direct IO writes.
3) Monitor system logs for Btrfs-related errors or transaction abort messages indicating potential triggering of this bug.
4) Implement robust system monitoring and automated reboot procedures to reduce downtime caused by kernel panics.
5) For critical systems, consider migrating data from Btrfs to alternative stable filesystems (e.g., ext4 or XFS) temporarily to avoid exposure.
6) Limit untrusted user access to systems with Btrfs direct IO enabled to reduce risk of intentional triggering.
7) Engage with Linux distribution vendors and security advisories to track patch availability and deployment schedules.
These steps go beyond generic advice by focusing on filesystem-specific configurations and operational controls to minimize exposure until a patch is applied.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.760Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9832c4522896dcbe86c8
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 6/30/2025, 8:55:20 AM
Last updated: 8/18/2025, 11:29:05 PM