Amazon Linux AMI: CVE-2025-21753: Security patch for kernel (ALAS-2025-1970)

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix use-after-free when attempting to join an aborted transaction

When we are trying to join the current transaction and if it's aborted,

we read its 'aborted' field after unlocking fs_info->trans_lock and

without holding any extra reference count on it. This means that a

concurrent task that is aborting the transaction may free the transaction

before we read its 'aborted' field, leading to a use-after-free.

Fix this by reading the 'aborted' field while holding fs_info->trans_lock

since any freeing task must first acquire that lock and set

fs_info->running_transaction to NULL before freeing the transaction.

This was reported by syzbot and Dmitry with the following stack traces

from KASAN:

==================================================================

BUG: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278

Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128

CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0

Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014

Workqueue: events_unbound btrfs_async_reclaim_data_space

Call Trace:

<TASK>

__dump_stack lib/dump_stack.c:94 [inline]

dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120

print_address_description mm/kasan/report.c:378 [inline]

print_report+0x169/0x550 mm/kasan/report.c:489

kasan_report+0x143/0x180 mm/kasan/report.c:602

join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278

start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697

flush_space+0x448/0xcf0 fs/btrfs/space-info.c:803

btrfs_async_reclaim_data_space+0x159/0x510 fs/btrfs/space-info.c:1321

process_one_work kernel/workqueue.c:3236 [inline]

process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317

worker_thread+0x870/0xd30 kernel/workqueue.c:3398

kthread+0x2f0/0x390 kernel/kthread.c:389

ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147

ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

</TASK>

Allocated by task 5315:

kasan_save_stack mm/kasan/common.c:47 [inline]

kasan_save_track+0x3f/0x80 mm/kasan/common.c:68

poison_kmalloc_redzone mm/kasan/common.c:377 [inline]

__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394

kasan_kmalloc include/linux/kasan.h:260 [inline]

__kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329

kmalloc_noprof include/linux/slab.h:901 [inline]

join_transaction+0x144/0xda0 fs/btrfs/transaction.c:308

start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697

btrfs_create_common+0x1b2/0x2e0 fs/btrfs/inode.c:6572

lookup_open fs/namei.c:3649 [inline]

open_last_lookups fs/namei.c:3748 [inline]

path_openat+0x1c03/0x3590 fs/namei.c:3984

do_filp_open+0x27f/0x4e0 fs/namei.c:4014

do_sys_openat2+0x13e/0x1d0 fs/open.c:1402

do_sys_open fs/open.c:1417 [inline]

__do_sys_creat fs/open.c:1495 [inline]

__se_sys_creat fs/open.c:1489 [inline]

__x64_sys_creat+0x123/0x170 fs/open.c:1489

do_syscall_x64 arch/x86/entry/common.c:52 [inline]

do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83

entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5336:

kasan_save_stack mm/kasan/common.c:47 [inline]

kasan_save_track+0x3f/0x80 mm/kasan/common.c:68

kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582

poison_slab_object mm/kasan/common.c:247 [inline]

__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264

kasan_slab_free include/linux/kasan.h:233 [inline]

slab_free_hook mm/slub.c:2353 [inline]

slab_free mm/slub.c:4613 [inline]

kfree+0x196/0x430 mm/slub.c:4761

cleanup_transaction fs/btrfs/transaction.c:2063 [inline]

btrfs_commit_transaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598

insert_balance_item+0x1284/0x20b0 fs/btrfs/volumes.c:3757

btrfs_balance+0x992/

---truncated---