CVE-2025-21942: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

btrfs: zoned: fix extent range end unlock in cow_file_range()

Running generic/751 on the for-next branch often results in a hang like below. They are both stuck by locking an extent. This suggests someone forgot to unlock an extent.

  INFO: task kworker/u128:1:12 blocked for more than 323 seconds.
  Not tainted 6.13.0-BTRFS-ZNS+ #503
  "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
  task:kworker/u128:1 state:D stack:0 pid:12 tgid:12 ppid:2 flags:0x00004000
  Workqueue: btrfs-fixup btrfs_work_helper [btrfs]
  Call Trace:
   <TASK>
   __schedule+0x534/0xdd0
   schedule+0x39/0x140
   __lock_extent+0x31b/0x380 [btrfs]
   ? __pfx_autoremove_wake_function+0x10/0x10
   btrfs_writepage_fixup_worker+0xf1/0x3a0 [btrfs]
   btrfs_work_helper+0xff/0x480 [btrfs]
   ? lock_release+0x178/0x2c0
   process_one_work+0x1ee/0x570
   ? srso_return_thunk+0x5/0x5f
   worker_thread+0x1d1/0x3b0
   ? __pfx_worker_thread+0x10/0x10
   kthread+0x10b/0x230
   ? __pfx_kthread+0x10/0x10
   ret_from_fork+0x30/0x50
   ? __pfx_kthread+0x10/0x10
   ret_from_fork_asm+0x1a/0x30
   </TASK>
  INFO: task kworker/u134:0:184 blocked for more than 323 seconds.
  Not tainted 6.13.0-BTRFS-ZNS+ #503
  "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
  task:kworker/u134:0 state:D stack:0 pid:184 tgid:184 ppid:2 flags:0x00004000
  Workqueue: writeback wb_workfn (flush-btrfs-4)
  Call Trace:
   <TASK>
   __schedule+0x534/0xdd0
   schedule+0x39/0x140
   __lock_extent+0x31b/0x380 [btrfs]
   ? __pfx_autoremove_wake_function+0x10/0x10
   find_lock_delalloc_range+0xdb/0x260 [btrfs]
   writepage_delalloc+0x12f/0x500 [btrfs]
   ? srso_return_thunk+0x5/0x5f
   extent_write_cache_pages+0x232/0x840 [btrfs]
   btrfs_writepages+0x72/0x130 [btrfs]
   do_writepages+0xe7/0x260
   ? srso_return_thunk+0x5/0x5f
   ? lock_acquire+0xd2/0x300
   ? srso_return_thunk+0x5/0x5f
   ? find_held_lock+0x2b/0x80
   ? wbc_attach_and_unlock_inode.part.0+0x102/0x250
   ? wbc_attach_and_unlock_inode.part.0+0x102/0x250
   __writeback_single_inode+0x5c/0x4b0
   writeback_sb_inodes+0x22d/0x550
   __writeback_inodes_wb+0x4c/0xe0
   wb_writeback+0x2f6/0x3f0
   wb_workfn+0x32a/0x510
   process_one_work+0x1ee/0x570
   ? srso_return_thunk+0x5/0x5f
   worker_thread+0x1d1/0x3b0
   ? __pfx_worker_thread+0x10/0x10
   kthread+0x10b/0x230
   ? __pfx_kthread+0x10/0x10
   ret_from_fork+0x30/0x50
   ? __pfx_kthread+0x10/0x10
   ret_from_fork_asm+0x1a/0x30
   </TASK>

This happens because we have another success path for the zoned mode. When there is no active zone available, btrfs_reserve_extent() returns -EAGAIN. In this case, we have two reactions.

(1) If the given range is never allocated, we can only wait for someone to finish a zone, so wait on BTRFS_FS_NEED_ZONE_FINISH bit and retry afterward.

(2) Or, if some allocations are already done, we must bail out and let the caller send IOs for the allocation. This is because these IOs may be necessary to finish a zone.

The commit 06f364284794 ("btrfs: do proper folio cleanup when cow_file_range() failed") moved the unlock code from the inside of the loop to the outside. So, previously, the allocated extents are unlocked just after the allocation and so before returning from the function. However, they are no longer unlocked on the case (2) above. That caused the hang issue.

Fix the issue by modifying the 'end' to the end of the allocated range. Then, we can exit the loop and the same unlock code can properly handle the case.
AI Analysis
Technical Summary
CVE-2025-21942 is a vulnerability in the Linux kernel's Btrfs filesystem implementation, specifically affecting the zoned block device support in the function cow_file_range(). The issue arises from improper unlocking of extent ranges during copy-on-write (COW) operations in zoned mode. The vulnerability manifests as a kernel hang due to tasks being blocked indefinitely while waiting on locked extents that are never unlocked. This occurs because the code path handling the case when no active zone is available (btrfs_reserve_extent() returning -EAGAIN) was changed in commit 06f364284794, moving the unlock logic outside a loop and causing allocated extents to remain locked if partial allocations had been made. The bug leads to kernel worker threads being stuck in a blocked state for extended periods, resulting in system hangs or degraded performance. The root cause is a missing unlock call for extents in the failure path where some allocations exist but the function must bail out to allow the caller to issue IOs to finish zones. The fix involves adjusting the unlock range to cover the allocated extents properly before exiting the loop, ensuring all locks are released. This vulnerability affects Linux kernel versions containing the specified commits and impacts systems using Btrfs with zoned block device support enabled, which is common in storage systems leveraging Zoned Namespace (ZNS) devices. No known exploits are reported in the wild as of publication.
Potential Impact
For European organizations, the impact of CVE-2025-21942 can be significant in environments relying on Linux servers with Btrfs filesystems on zoned block devices, such as advanced storage arrays or data centers using ZNS SSDs for performance and endurance benefits. The vulnerability can cause kernel hangs and blocked worker threads, leading to system instability, degraded performance, or downtime. This can disrupt critical services, data processing, and storage operations, especially in sectors like finance, telecommunications, cloud service providers, and public infrastructure where Linux-based storage solutions are prevalent. The hang condition may necessitate system reboots, causing availability issues and potential data loss if not properly managed. Although no direct data corruption or privilege escalation is indicated, the denial of service effect on storage subsystems can indirectly impact confidentiality and integrity by interrupting normal operations and backups. The lack of a known exploit reduces immediate risk, but the complexity of the bug and its presence in kernel code means that targeted attackers or accidental triggers could cause outages. Organizations with high availability requirements and those using Btrfs on zoned devices should prioritize patching to maintain operational continuity.
Mitigation Recommendations
1. Apply the official Linux kernel patches that fix the extent unlock logic in cow_file_range() as soon as they become available from trusted Linux kernel sources or distributions.
2. For organizations using custom or long-term support kernels, backport the fix to affected kernel versions to prevent hangs.
3. Monitor kernel logs for hung task messages related to btrfs worker threads and extent locking to detect potential exploitation or triggering of this vulnerability.
4. Consider temporarily disabling zoned block device support in Btrfs if feasible, or avoid using Btrfs on zoned devices until patched.
5. Implement robust system monitoring and alerting to detect kernel hangs early and automate safe reboots or failover procedures to minimize downtime.
6. Validate storage device firmware and drivers are up to date to reduce interaction issues with zoned devices.
7. Conduct thorough testing of kernel updates in staging environments that mirror production storage configurations to ensure stability before deployment.
8. Educate system administrators on the symptoms of this hang condition and response procedures to reduce incident response time.
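One way to implement the log monitoring in recommendation 3, as an added example that is not part of the original advisory or of any kernel tooling: a parser for hung-task reports that flags tasks whose first reliable frame above the scheduler is `__lock_extent [btrfs]`, the symbol shown in the trace above. The function names and the sample log are constructed for illustration; a hit is a symptom consistent with this bug, not proof of it.

```python
import re

# Report header; the task name may itself contain ':' (e.g. kworker/u128:1).
HUNG_RE = re.compile(r"INFO: task (?P<comm>\S+):(?P<pid>\d+) blocked for more than (?P<secs>\d+) seconds")
WQ_RE = re.compile(r"Workqueue: (?P<wq>\S+)")
# Frame "sym+0xOFF/0xSIZE [module]"; a leading "? " marks an unreliable frame.
FRAME_RE = re.compile(r"(?P<guess>\? )?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>\w+)\])?")

def parse_hung_tasks(log):
    """Split kernel log text into hung-task reports; also works on flattened text."""
    heads = list(HUNG_RE.finditer(log))
    reports = []
    for i, h in enumerate(heads):
        stop = heads[i + 1].start() if i + 1 < len(heads) else len(log)
        body = log[h.end():stop]
        wq = WQ_RE.search(body)
        frames = [(f["sym"], f["mod"]) for f in FRAME_RE.finditer(body) if not f["guess"]]
        reports.append({"comm": h["comm"], "pid": int(h["pid"]), "secs": int(h["secs"]),
                        "workqueue": wq["wq"] if wq else None, "frames": frames})
    return reports

def extent_lock_hangs(log):
    """Reports whose first reliable frame above the scheduler is btrfs __lock_extent."""
    # Assumption: match the symbol name exactly as it appears in this page's trace.
    def waits_in(r):
        return next((f for f in r["frames"] if "schedule" not in f[0]), None)
    return [r for r in parse_hung_tasks(log) if waits_in(r) == ("__lock_extent", "btrfs")]

# Constructed sample: two reports abridged from this page's trace, one made-up non-btrfs hang.
SAMPLE = """\
INFO: task kworker/u128:1:12 blocked for more than 323 seconds.
Workqueue: btrfs-fixup btrfs_work_helper [btrfs]
 __schedule+0x534/0xdd0
 schedule+0x39/0x140
 __lock_extent+0x31b/0x380 [btrfs]
 ? __pfx_autoremove_wake_function+0x10/0x10
 btrfs_writepage_fixup_worker+0xf1/0x3a0 [btrfs]
INFO: task kworker/u134:0:184 blocked for more than 323 seconds.
Workqueue: writeback wb_workfn (flush-btrfs-4)
 __schedule+0x534/0xdd0
 schedule+0x39/0x140
 __lock_extent+0x31b/0x380 [btrfs]
INFO: task jbd2/sda1-8:301 blocked for more than 122 seconds.
 __schedule+0x534/0xdd0
 io_schedule+0x46/0x70
 bit_wait_io+0x11/0x70
"""

if __name__ == "__main__": print([(r["comm"], r["pid"]) for r in extent_lock_hangs(SAMPLE)])
```

Two or more tasks reported in this state at once, as in the trace above, is the pattern the commit message describes.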
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.789Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9833c4522896dcbe8c75
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 10:57:16 AM
Last updated: 8/18/2025, 12:43:28 AM