CVE-2025-22115: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix block group refcount race in btrfs_create_pending_block_groups()

Block group creation is done in two phases, which results in a slightly unintuitive property: a block group can be allocated/deallocated from after btrfs_make_block_group() adds it to the space_info with btrfs_add_bg_to_space_info(), but before creation is completely completed in btrfs_create_pending_block_groups(). As a result, it is possible for a block group to go unused and have 'btrfs_mark_bg_unused' called on it concurrently with 'btrfs_create_pending_block_groups'. This causes a number of issues, which were fixed with the block group flag 'BLOCK_GROUP_FLAG_NEW'.

However, this fix is not quite complete. Since it does not use the unused_bg_lock, it is possible for the following race to occur:

    btrfs_create_pending_block_groups            btrfs_mark_bg_unused
                                                 if list_empty // false
        list_del_init
        clear_bit
                                                 else if (test_bit) // true
                                                     list_move_tail

And we get into the exact same broken ref count and invalid new_bgs state for transaction cleanup that BLOCK_GROUP_FLAG_NEW was designed to prevent.

The broken refcount aspect will result in a warning like:

[1272.943527] refcount_t: underflow; use-after-free.
[1272.943967] WARNING: CPU: 1 PID: 61 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110
[1272.944731] Modules linked in: btrfs virtio_net xor zstd_compress raid6_pq null_blk [last unloaded: btrfs]
[1272.945550] CPU: 1 UID: 0 PID: 61 Comm: kworker/u32:1 Kdump: loaded Tainted: G W 6.14.0-rc5+ #108
[1272.946368] Tainted: [W]=WARN
[1272.946585] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
[1272.947273] Workqueue: btrfs_discard btrfs_discard_workfn [btrfs]
[1272.947788] RIP: 0010:refcount_warn_saturate+0xba/0x110
[1272.949532] RSP: 0018:ffffbf1200247df0 EFLAGS: 00010282
[1272.949901] RAX: 0000000000000000 RBX: ffffa14b00e3f800 RCX: 0000000000000000
[1272.950437] RDX: 0000000000000000 RSI: ffffbf1200247c78 RDI: 00000000ffffdfff
[1272.950986] RBP: ffffa14b00dc2860 R08: 00000000ffffdfff R09: ffffffff90526268
[1272.951512] R10: ffffffff904762c0 R11: 0000000063666572 R12: ffffa14b00dc28c0
[1272.952024] R13: 0000000000000000 R14: ffffa14b00dc2868 R15: 000001285dcd12c0
[1272.952850] FS: 0000000000000000(0000) GS:ffffa14d33c40000(0000) knlGS:0000000000000000
[1272.953458] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[1272.953931] CR2: 00007f838cbda000 CR3: 000000010104e000 CR4: 00000000000006f0
[1272.954474] Call Trace:
[1272.954655] <TASK>
[1272.954812] ? refcount_warn_saturate+0xba/0x110
[1272.955173] ? __warn.cold+0x93/0xd7
[1272.955487] ? refcount_warn_saturate+0xba/0x110
[1272.955816] ? report_bug+0xe7/0x120
[1272.956103] ? handle_bug+0x53/0x90
[1272.956424] ? exc_invalid_op+0x13/0x60
[1272.956700] ? asm_exc_invalid_op+0x16/0x20
[1272.957011] ? refcount_warn_saturate+0xba/0x110
[1272.957399] btrfs_discard_cancel_work.cold+0x26/0x2b [btrfs]
[1272.957853] btrfs_put_block_group.cold+0x5d/0x8e [btrfs]
[1272.958289] btrfs_discard_workfn+0x194/0x380 [btrfs]
[1272.958729] process_one_work+0x130/0x290
[1272.959026] worker_thread+0x2ea/0x420
[1272.959335] ? __pfx_worker_thread+0x10/0x10
[1272.959644] kthread+0xd7/0x1c0
[1272.959872] ? __pfx_kthread+0x10/0x10
[1272.960172] ret_from_fork+0x30/0x50
[1272.960474] ? __pfx_kthread+0x10/0x10
[1272.960745] ret_from_fork_asm+0x1a/0x30
[1272.961035] </TASK>
[1272.961238] ---[ end trace 0000000000000000 ]---

Though we have seen them in the async discard workfn as well. It is most likely to happen after a relocation finishes which cancels discard, tears down the block group, etc.

Fix this fully by taking the lock arou ---truncated---
AI Analysis
Technical Summary
CVE-2025-22115 is a race condition in the Btrfs filesystem implementation in the Linux kernel. Block groups are created in two phases, so a block group can be allocated from or deallocated after it has been added to the space_info structure but before its creation has been fully completed. During that window, btrfs_create_pending_block_groups() and btrfs_mark_bg_unused() can run concurrently on the same block group and interfere with each other. An earlier fix introduced the block group flag BLOCK_GROUP_FLAG_NEW to prevent the resulting inconsistent states, but it did not take the unused_bg_lock, so a narrower race remained that leaves a broken reference count and an invalid new_bgs state for transaction cleanup. In the kernel log this shows up as a refcount_t underflow warning, which the kernel itself reports as a use-after-free indicator, and it therefore signals a memory-safety error rather than a cosmetic warning. The vulnerability can cause kernel warnings, instability, and potentially memory corruption in the Btrfs subsystem, especially during asynchronous discard operations and after block group relocation. No known exploits are reported in the wild; the flaw is triggered by concurrent filesystem operations that create and release block groups, and its practical consequence is denial of service through kernel crashes. The vulnerability affects multiple Linux kernel versions identified by specific commit hashes, and the fix requires proper locking around the critical sections to prevent the race condition.
Potential Impact
For European organizations relying on Linux systems with Btrfs filesystems—commonly used in servers, cloud infrastructure, and enterprise storage solutions—this vulnerability poses a risk of system instability and potential denial of service. The race condition can lead to kernel crashes or unpredictable behavior, which may disrupt critical services, data storage, and processing workflows. Organizations using Btrfs for data integrity and snapshot features could face increased risk of data corruption or loss if the race condition triggers memory corruption. Although exploitation does not appear to allow privilege escalation or remote code execution directly, the resulting system crashes could be leveraged by attackers to cause service outages or to create conditions favorable for further attacks. Given the widespread use of Linux in European data centers, cloud providers, and enterprise environments, the vulnerability could impact availability and reliability of IT infrastructure, especially in sectors requiring high uptime such as finance, healthcare, and telecommunications.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the complete fix for CVE-2025-22115, ensuring that the unused_bg_lock is properly applied to prevent the race condition. System administrators should audit their environments to identify systems using Btrfs filesystems and verify kernel versions against the patched releases. For environments where immediate patching is not feasible, mitigating risk includes limiting concurrent heavy filesystem operations that involve block group creation and discard, such as defragmentation or relocation tasks. Monitoring kernel logs for refcount underflow warnings can help detect attempts to trigger the vulnerability. Additionally, organizations should implement robust backup and recovery procedures for Btrfs volumes to mitigate potential data loss. Where possible, consider using alternative stable filesystems until patches are applied. Coordination with Linux distribution vendors for timely patch deployment and testing in staging environments is critical to minimize operational impact.
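One way to act on the log-monitoring recommendation above, as an added example that is not part of this page or of the kernel's own code: a small Python parser that walks kernel log records, groups each refcount_t underflow warning with the call trace that follows it, and keeps only the warnings whose trace passes through the btrfs module. The sample input is constructed from the trace quoted in the description above, plus a second, made-up underflow attributed to a hypothetical module named othermod so the filter has something to discard; the line format assumed is the standard `[seconds.micros] message` dmesg layout.

```python
import re
from dataclasses import dataclass, field

# Constructed sample. The first record group is copied from the trace in the
# CVE description above; the second group (module "othermod") is invented
# here to show a non-btrfs underflow being filtered out.
SAMPLE_DMESG = """\
[1272.943527] refcount_t: underflow; use-after-free.
[1272.943967] WARNING: CPU: 1 PID: 61 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110
[1272.944731] Modules linked in: btrfs virtio_net xor zstd_compress raid6_pq null_blk [last unloaded: btrfs]
[1272.945550] CPU: 1 UID: 0 PID: 61 Comm: kworker/u32:1 Kdump: loaded Tainted: G W 6.14.0-rc5+ #108
[1272.947273] Workqueue: btrfs_discard btrfs_discard_workfn [btrfs]
[1272.947788] RIP: 0010:refcount_warn_saturate+0xba/0x110
[1272.954474] Call Trace:
[1272.954655] <TASK>
[1272.954812] ? refcount_warn_saturate+0xba/0x110
[1272.955173] ? __warn.cold+0x93/0xd7
[1272.957399] btrfs_discard_cancel_work.cold+0x26/0x2b [btrfs]
[1272.957853] btrfs_put_block_group.cold+0x5d/0x8e [btrfs]
[1272.958289] btrfs_discard_workfn+0x194/0x380 [btrfs]
[1272.958729] process_one_work+0x130/0x290
[1272.959026] worker_thread+0x2ea/0x420
[1272.961035] </TASK>
[1272.961238] ---[ end trace 0000000000000000 ]---
[1300.000001] refcount_t: underflow; use-after-free.
[1300.000002] WARNING: CPU: 0 PID: 99 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110
[1300.000003] Workqueue: events some_other_workfn [othermod]
[1300.000004] Call Trace:
[1300.000005] some_other_workfn+0x10/0x20 [othermod]
[1300.000006] process_one_work+0x130/0x290
[1300.000007] ---[ end trace 0000000000000000 ]---
"""

# "[1272.943527] message" -> timestamp and message text.
LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s(?P<msg>.*)$")
# A call-trace frame: optional "? " (unreliable frame), symbol+off/len, optional [module].
FRAME_RE = re.compile(
    r"^\??\s*(?P<sym>[A-Za-z_][\w.]*\+0x[0-9a-f]+/0x[0-9a-f]+)(?:\s\[(?P<mod>\w+)\])?$"
)


@dataclass
class RefcountWarning:
    timestamp: float
    comm: str = ""
    workqueue: str = ""
    frames: list = field(default_factory=list)  # (symbol, module-or-None) in trace order

    def btrfs_frames(self):
        """Symbols in this trace that belong to the btrfs module."""
        return [sym for sym, mod in self.frames if mod == "btrfs"]


def parse_refcount_warnings(text):
    """Group every 'refcount_t: underflow' record with the trace lines up to 'end trace'."""
    warnings = []
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = float(m.group("ts")), m.group("msg").strip()
        if msg.startswith("refcount_t: underflow"):
            current = RefcountWarning(timestamp=ts)
            warnings.append(current)
            continue
        if current is None:
            continue  # not inside a warning block
        if msg.startswith("---[ end trace"):
            current = None
        elif msg.startswith("Workqueue:"):
            current.workqueue = msg[len("Workqueue:"):].strip()
        elif "Comm:" in msg:
            current.comm = re.search(r"Comm:\s(\S+)", msg).group(1)
        else:
            fm = FRAME_RE.match(msg)
            if fm:
                current.frames.append((fm.group("sym"), fm.group("mod")))
    return warnings


def btrfs_refcount_findings(text):
    """Only the underflow warnings whose call trace passes through btrfs."""
    return [w for w in parse_refcount_warnings(text) if w.btrfs_frames()]


if __name__ == "__main__":
    for w in btrfs_refcount_findings(SAMPLE_DMESG):
        print(f"[{w.timestamp}] btrfs refcount underflow in {w.comm} "
              f"(workqueue: {w.workqueue}); first btrfs frame: {w.btrfs_frames()[0]}")
```

On a live system the same functions can be fed the output of `dmesg` or `journalctl -k`; a hit is worth correlating with recent balance/relocation or discard activity on the affected Btrfs volume, as the description above says that is where the race is most likely to fire.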
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.823Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9820c4522896dcbdd41d
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 7/3/2025, 9:27:39 PM
Last updated: 8/18/2025, 11:32:55 PM