CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-21754: btrfs: fix assertion failure when splitting ordered extent after transaction abort

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix assertion failure when splitting ordered extent after transaction abort

If while we are doing a direct IO write a transaction abort happens, we
mark all existing ordered extents with the BTRFS_ORDERED_IOERR flag (done
at btrfs_destroy_ordered_extents()), and then after that if we enter
btrfs_split_ordered_extent() and the ordered extent has bytes left
(meaning we have a bio that doesn't cover the whole ordered extent, see
details at btrfs_extract_ordered_extent()), we will fail on the following
assertion at btrfs_split_ordered_extent():

ASSERT(!(flags & ~BTRFS_ORDERED_TYPE_FLAGS));

because the BTRFS_ORDERED_IOERR flag is set and the definition of
BTRFS_ORDERED_TYPE_FLAGS is just the union of all flags that identify the
type of write (regular, nocow, prealloc, compressed, direct IO, encoded).

Fix this by returning an error from btrfs_extract_ordered_extent() if we
find the BTRFS_ORDERED_IOERR flag in the ordered extent. The error will
be the error that resulted in the transaction abort or -EIO if no
transaction abort happened.

This was recently reported by syzbot with the following trace:

FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 1
CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted 6.13.0-rc5-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:

...

Classification

CVE ID: CVE-2025-21754

Affected Products

Vendor: Linux, Linux

Product: Linux, Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 4.16% (scored less or equal to compared to others)

EPSS Date: 2025-03-27 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-21754
https://git.kernel.org/stable/c/927b930f117bbae730a853c1dc43da8afe8380fa
https://git.kernel.org/stable/c/0ff88c2a742a7cbaa4d08507d864737d099b435a
https://git.kernel.org/stable/c/8ea8db4216d1029527ab4666f730650419451e32
https://git.kernel.org/stable/c/0d85f5c2dd91df6b5da454406756f463ba923b69

Timeline