CVE-2025-71194 (GCVE-0-2025-71194)

Vulnerability from cvelistv5 – Published: 2026-02-04 16:04 – Updated: 2026-02-09 08:36
VLAI?
Title
btrfs: fix deadlock in wait_current_trans() due to ignored transaction type
Summary
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock in wait_current_trans() due to ignored transaction type When wait_current_trans() is called during start_transaction(), it currently waits for a blocked transaction without considering whether the given transaction type actually needs to wait for that particular transaction state. The btrfs_blocked_trans_types[] array already defines which transaction types should wait for which transaction states, but this check was missing in wait_current_trans(). This can lead to a deadlock scenario involving two transactions and pending ordered extents: 1. Transaction A is in TRANS_STATE_COMMIT_DOING state 2. A worker processing an ordered extent calls start_transaction() with TRANS_JOIN 3. join_transaction() returns -EBUSY because Transaction A is in TRANS_STATE_COMMIT_DOING 4. Transaction A moves to TRANS_STATE_UNBLOCKED and completes 5. A new Transaction B is created (TRANS_STATE_RUNNING) 6. The ordered extent from step 2 is added to Transaction B's pending ordered extents 7. Transaction B immediately starts commit by another task and enters TRANS_STATE_COMMIT_START 8. The worker finally reaches wait_current_trans(), sees Transaction B in TRANS_STATE_COMMIT_START (a blocked state), and waits unconditionally 9. However, TRANS_JOIN should NOT wait for TRANS_STATE_COMMIT_START according to btrfs_blocked_trans_types[] 10. Transaction B is waiting for pending ordered extents to complete 11. Deadlock: Transaction B waits for ordered extent, ordered extent waits for Transaction B This can be illustrated by the following call stacks: CPU0 CPU1 btrfs_finish_ordered_io() start_transaction(TRANS_JOIN) join_transaction() # -EBUSY (Transaction A is # TRANS_STATE_COMMIT_DOING) # Transaction A completes # Transaction B created # ordered extent added to # Transaction B's pending list btrfs_commit_transaction() # Transaction B enters # TRANS_STATE_COMMIT_START # waiting for pending ordered # extents wait_current_trans() # waits for Transaction B # (should not wait!) Task bstore_kv_sync in btrfs_commit_transaction waiting for ordered extents: __schedule+0x2e7/0x8a0 schedule+0x64/0xe0 btrfs_commit_transaction+0xbf7/0xda0 [btrfs] btrfs_sync_file+0x342/0x4d0 [btrfs] __x64_sys_fdatasync+0x4b/0x80 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Task kworker in wait_current_trans waiting for transaction commit: Workqueue: btrfs-syno_nocow btrfs_work_helper [btrfs] __schedule+0x2e7/0x8a0 schedule+0x64/0xe0 wait_current_trans+0xb0/0x110 [btrfs] start_transaction+0x346/0x5b0 [btrfs] btrfs_finish_ordered_io.isra.0+0x49b/0x9c0 [btrfs] btrfs_work_helper+0xe8/0x350 [btrfs] process_one_work+0x1d3/0x3c0 worker_thread+0x4d/0x3e0 kthread+0x12d/0x150 ret_from_fork+0x1f/0x30 Fix this by passing the transaction type to wait_current_trans() and checking btrfs_blocked_trans_types[cur_trans->state] against the given type before deciding to wait. This ensures that transaction types which are allowed to join during certain blocked states will not unnecessarily wait and cause deadlocks.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 4a9d8bdee368de78ace8b36da4eb2186afea162d , < e563f59395981fcd69d130761290929806e728d6 (git)
Affected: 4a9d8bdee368de78ace8b36da4eb2186afea162d , < dc84036c173cff6a432d9ab926298850b1d2a659 (git)
Affected: 4a9d8bdee368de78ace8b36da4eb2186afea162d , < d7b04b40ac8e6d814e35202a0e1568809b818295 (git)
Affected: 4a9d8bdee368de78ace8b36da4eb2186afea162d , < 99da896614d17e8a84aeb2b2d464ac046cc8633d (git)
Affected: 4a9d8bdee368de78ace8b36da4eb2186afea162d , < 8b0bb145d3bc264360f525c9717653be3522e528 (git)
Affected: 4a9d8bdee368de78ace8b36da4eb2186afea162d , < 9ac63333d600732a56b35ee1fa46836da671eb50 (git)
Affected: 4a9d8bdee368de78ace8b36da4eb2186afea162d , < 5037b342825df7094a4906d1e2a9674baab50cb2 (git)
Create a notification for this product.
    Linux Linux Affected: 3.11
Unaffected: 0 , < 3.11 (semver)
Unaffected: 5.10.249 , ≤ 5.10.* (semver)
Unaffected: 5.15.199 , ≤ 5.15.* (semver)
Unaffected: 6.1.162 , ≤ 6.1.* (semver)
Unaffected: 6.6.122 , ≤ 6.6.* (semver)
Unaffected: 6.12.67 , ≤ 6.12.* (semver)
Unaffected: 6.18.7 , ≤ 6.18.* (semver)
Unaffected: 6.19 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/transaction.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e563f59395981fcd69d130761290929806e728d6",
              "status": "affected",
              "version": "4a9d8bdee368de78ace8b36da4eb2186afea162d",
              "versionType": "git"
            },
            {
              "lessThan": "dc84036c173cff6a432d9ab926298850b1d2a659",
              "status": "affected",
              "version": "4a9d8bdee368de78ace8b36da4eb2186afea162d",
              "versionType": "git"
            },
            {
              "lessThan": "d7b04b40ac8e6d814e35202a0e1568809b818295",
              "status": "affected",
              "version": "4a9d8bdee368de78ace8b36da4eb2186afea162d",
              "versionType": "git"
            },
            {
              "lessThan": "99da896614d17e8a84aeb2b2d464ac046cc8633d",
              "status": "affected",
              "version": "4a9d8bdee368de78ace8b36da4eb2186afea162d",
              "versionType": "git"
            },
            {
              "lessThan": "8b0bb145d3bc264360f525c9717653be3522e528",
              "status": "affected",
              "version": "4a9d8bdee368de78ace8b36da4eb2186afea162d",
              "versionType": "git"
            },
            {
              "lessThan": "9ac63333d600732a56b35ee1fa46836da671eb50",
              "status": "affected",
              "version": "4a9d8bdee368de78ace8b36da4eb2186afea162d",
              "versionType": "git"
            },
            {
              "lessThan": "5037b342825df7094a4906d1e2a9674baab50cb2",
              "status": "affected",
              "version": "4a9d8bdee368de78ace8b36da4eb2186afea162d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/transaction.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.11"
            },
            {
              "lessThan": "3.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.249",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.199",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.162",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.122",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.67",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.249",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.199",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.162",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.122",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.67",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.7",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix deadlock in wait_current_trans() due to ignored transaction type\n\nWhen wait_current_trans() is called during start_transaction(), it\ncurrently waits for a blocked transaction without considering whether\nthe given transaction type actually needs to wait for that particular\ntransaction state. The btrfs_blocked_trans_types[] array already defines\nwhich transaction types should wait for which transaction states, but\nthis check was missing in wait_current_trans().\n\nThis can lead to a deadlock scenario involving two transactions and\npending ordered extents:\n\n  1. Transaction A is in TRANS_STATE_COMMIT_DOING state\n\n  2. A worker processing an ordered extent calls start_transaction()\n     with TRANS_JOIN\n\n  3. join_transaction() returns -EBUSY because Transaction A is in\n     TRANS_STATE_COMMIT_DOING\n\n  4. Transaction A moves to TRANS_STATE_UNBLOCKED and completes\n\n  5. A new Transaction B is created (TRANS_STATE_RUNNING)\n\n  6. The ordered extent from step 2 is added to Transaction B\u0027s\n     pending ordered extents\n\n  7. Transaction B immediately starts commit by another task and\n     enters TRANS_STATE_COMMIT_START\n\n  8. The worker finally reaches wait_current_trans(), sees Transaction B\n     in TRANS_STATE_COMMIT_START (a blocked state), and waits\n     unconditionally\n\n  9. However, TRANS_JOIN should NOT wait for TRANS_STATE_COMMIT_START\n     according to btrfs_blocked_trans_types[]\n\n  10. Transaction B is waiting for pending ordered extents to complete\n\n  11. Deadlock: Transaction B waits for ordered extent, ordered extent\n      waits for Transaction B\n\nThis can be illustrated by the following call stacks:\n  CPU0                              CPU1\n                                    btrfs_finish_ordered_io()\n                                      start_transaction(TRANS_JOIN)\n                                        join_transaction()\n                                          # -EBUSY (Transaction A is\n                                          # TRANS_STATE_COMMIT_DOING)\n  # Transaction A completes\n  # Transaction B created\n  # ordered extent added to\n  # Transaction B\u0027s pending list\n  btrfs_commit_transaction()\n    # Transaction B enters\n    # TRANS_STATE_COMMIT_START\n    # waiting for pending ordered\n    # extents\n                                        wait_current_trans()\n                                          # waits for Transaction B\n                                          # (should not wait!)\n\nTask bstore_kv_sync in btrfs_commit_transaction waiting for ordered\nextents:\n\n  __schedule+0x2e7/0x8a0\n  schedule+0x64/0xe0\n  btrfs_commit_transaction+0xbf7/0xda0 [btrfs]\n  btrfs_sync_file+0x342/0x4d0 [btrfs]\n  __x64_sys_fdatasync+0x4b/0x80\n  do_syscall_64+0x33/0x40\n  entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nTask kworker in wait_current_trans waiting for transaction commit:\n\n  Workqueue: btrfs-syno_nocow btrfs_work_helper [btrfs]\n  __schedule+0x2e7/0x8a0\n  schedule+0x64/0xe0\n  wait_current_trans+0xb0/0x110 [btrfs]\n  start_transaction+0x346/0x5b0 [btrfs]\n  btrfs_finish_ordered_io.isra.0+0x49b/0x9c0 [btrfs]\n  btrfs_work_helper+0xe8/0x350 [btrfs]\n  process_one_work+0x1d3/0x3c0\n  worker_thread+0x4d/0x3e0\n  kthread+0x12d/0x150\n  ret_from_fork+0x1f/0x30\n\nFix this by passing the transaction type to wait_current_trans() and\nchecking btrfs_blocked_trans_types[cur_trans-\u003estate] against the given\ntype before deciding to wait. This ensures that transaction types which\nare allowed to join during certain blocked states will not unnecessarily\nwait and cause deadlocks."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-09T08:36:19.806Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e563f59395981fcd69d130761290929806e728d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc84036c173cff6a432d9ab926298850b1d2a659"
        },
        {
          "url": "https://git.kernel.org/stable/c/d7b04b40ac8e6d814e35202a0e1568809b818295"
        },
        {
          "url": "https://git.kernel.org/stable/c/99da896614d17e8a84aeb2b2d464ac046cc8633d"
        },
        {
          "url": "https://git.kernel.org/stable/c/8b0bb145d3bc264360f525c9717653be3522e528"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ac63333d600732a56b35ee1fa46836da671eb50"
        },
        {
          "url": "https://git.kernel.org/stable/c/5037b342825df7094a4906d1e2a9674baab50cb2"
        }
      ],
      "title": "btrfs: fix deadlock in wait_current_trans() due to ignored transaction type",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-71194",
    "datePublished": "2026-02-04T16:04:15.389Z",
    "dateReserved": "2026-01-31T11:36:51.190Z",
    "dateUpdated": "2026-02-09T08:36:19.806Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-71194\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-02-04T17:16:11.297\",\"lastModified\":\"2026-02-06T17:16:19.230\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: fix deadlock in wait_current_trans() due to ignored transaction type\\n\\nWhen wait_current_trans() is called during start_transaction(), it\\ncurrently waits for a blocked transaction without considering whether\\nthe given transaction type actually needs to wait for that particular\\ntransaction state. The btrfs_blocked_trans_types[] array already defines\\nwhich transaction types should wait for which transaction states, but\\nthis check was missing in wait_current_trans().\\n\\nThis can lead to a deadlock scenario involving two transactions and\\npending ordered extents:\\n\\n  1. Transaction A is in TRANS_STATE_COMMIT_DOING state\\n\\n  2. A worker processing an ordered extent calls start_transaction()\\n     with TRANS_JOIN\\n\\n  3. join_transaction() returns -EBUSY because Transaction A is in\\n     TRANS_STATE_COMMIT_DOING\\n\\n  4. Transaction A moves to TRANS_STATE_UNBLOCKED and completes\\n\\n  5. A new Transaction B is created (TRANS_STATE_RUNNING)\\n\\n  6. The ordered extent from step 2 is added to Transaction B\u0027s\\n     pending ordered extents\\n\\n  7. Transaction B immediately starts commit by another task and\\n     enters TRANS_STATE_COMMIT_START\\n\\n  8. The worker finally reaches wait_current_trans(), sees Transaction B\\n     in TRANS_STATE_COMMIT_START (a blocked state), and waits\\n     unconditionally\\n\\n  9. However, TRANS_JOIN should NOT wait for TRANS_STATE_COMMIT_START\\n     according to btrfs_blocked_trans_types[]\\n\\n  10. Transaction B is waiting for pending ordered extents to complete\\n\\n  11. Deadlock: Transaction B waits for ordered extent, ordered extent\\n      waits for Transaction B\\n\\nThis can be illustrated by the following call stacks:\\n  CPU0                              CPU1\\n                                    btrfs_finish_ordered_io()\\n                                      start_transaction(TRANS_JOIN)\\n                                        join_transaction()\\n                                          # -EBUSY (Transaction A is\\n                                          # TRANS_STATE_COMMIT_DOING)\\n  # Transaction A completes\\n  # Transaction B created\\n  # ordered extent added to\\n  # Transaction B\u0027s pending list\\n  btrfs_commit_transaction()\\n    # Transaction B enters\\n    # TRANS_STATE_COMMIT_START\\n    # waiting for pending ordered\\n    # extents\\n                                        wait_current_trans()\\n                                          # waits for Transaction B\\n                                          # (should not wait!)\\n\\nTask bstore_kv_sync in btrfs_commit_transaction waiting for ordered\\nextents:\\n\\n  __schedule+0x2e7/0x8a0\\n  schedule+0x64/0xe0\\n  btrfs_commit_transaction+0xbf7/0xda0 [btrfs]\\n  btrfs_sync_file+0x342/0x4d0 [btrfs]\\n  __x64_sys_fdatasync+0x4b/0x80\\n  do_syscall_64+0x33/0x40\\n  entry_SYSCALL_64_after_hwframe+0x44/0xa9\\n\\nTask kworker in wait_current_trans waiting for transaction commit:\\n\\n  Workqueue: btrfs-syno_nocow btrfs_work_helper [btrfs]\\n  __schedule+0x2e7/0x8a0\\n  schedule+0x64/0xe0\\n  wait_current_trans+0xb0/0x110 [btrfs]\\n  start_transaction+0x346/0x5b0 [btrfs]\\n  btrfs_finish_ordered_io.isra.0+0x49b/0x9c0 [btrfs]\\n  btrfs_work_helper+0xe8/0x350 [btrfs]\\n  process_one_work+0x1d3/0x3c0\\n  worker_thread+0x4d/0x3e0\\n  kthread+0x12d/0x150\\n  ret_from_fork+0x1f/0x30\\n\\nFix this by passing the transaction type to wait_current_trans() and\\nchecking btrfs_blocked_trans_types[cur_trans-\u003estate] against the given\\ntype before deciding to wait. This ensures that transaction types which\\nare allowed to join during certain blocked states will not unnecessarily\\nwait and cause deadlocks.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/5037b342825df7094a4906d1e2a9674baab50cb2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8b0bb145d3bc264360f525c9717653be3522e528\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/99da896614d17e8a84aeb2b2d464ac046cc8633d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9ac63333d600732a56b35ee1fa46836da671eb50\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d7b04b40ac8e6d814e35202a0e1568809b818295\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/dc84036c173cff6a432d9ab926298850b1d2a659\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e563f59395981fcd69d130761290929806e728d6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.