HIGH
btrfs DelayedNode UAF
CVE-2025-71159
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 (HIGH)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node()

Previously, btrfs_get_or_create_delayed_node() set the delayed_node's refcount before acquiring the root->delayed_nodes lock. Commit e8513c012de7 ("btrfs: implement ref_tracker for delayed_nodes") moved refcount_set inside the critical section, which means there is no longer a memory barrier between setting the refcount and setting btrfs_inode->delayed_node.

Without that barrier, the stores to node->refs and btrfs_inode->delayed_node may become visible out of order. Another thread can then read btrfs_inode->delayed_node and attempt to increment a refcount that hasn't been set yet, leading to a refcounting bug and a use-after-free warning.

The fix is to move refcount_set back to where it was to take advantage of the implicit memory barrier provided by lock acquisition. Because the allocations now happen outside of the lock's critical section, they can use GFP_NOFS instead of GFP_ATOMIC.
02 KernelScan AI Analysis
Risk summary
A memory-ordering race in btrfs delayed-node creation lets a second thread read btrfs_inode->delayed_node and take a reference on a node whose refcount has not yet been initialised. The kernel reports this as a refcount warning (the "use-after-free" warning named in the fix); if the resulting count is wrong, the node can be released while still referenced, so the impact ranges from a kernel crash to potential privilege escalation. The trigger is ordinary concurrent filesystem activity on the same inode, available to a local user with access to a mounted btrfs filesystem.
Vulnerability analysis
Root Cause: A memory-ordering issue in btrfs_get_or_create_delayed_node(). Commit e8513c012de7 moved refcount_set() inside the root->delayed_nodes critical section, removing the implicit memory barrier that lock acquisition had placed between initialising node->refs and publishing the node through btrfs_inode->delayed_node. With both stores inside the critical section, nothing orders them for a thread reading btrfs_inode->delayed_node without the lock, so that thread can observe the pointer while node->refs is still zero and increment an uninitialised refcount.
Attack Surface: Local only (CVSS AV:L). The delayed node is created and looked up during normal metadata operations on btrfs, so the race can be exercised by concurrent file operations on the same inode; the only privilege needed is the ability to perform those operations on a btrfs filesystem (PR:L), with no user interaction.
Fix Mechanism: The patch moves refcount_set() and the ref_tracker allocation back before the lock is taken, so lock acquisition again orders the refcount initialisation before the pointer store that publishes the node. Because the allocations now run outside the critical section, they can use GFP_NOFS instead of GFP_ATOMIC.
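To make the ordering argument concrete, the following is a small userspace C model of the pattern. It is an added example, not code from btrfs or the kernel tree, and every name in it is hypothetical. A creator allocates a node, initialises its refcount and publishes it through a pointer that a lockless getter reads. The fixed path initialises refs before taking the lock; the buggy path is split into the two halves a reader on another CPU can observe out of order, so the getter sees the pointer while refs is still 0. The model simplifies refcount_t: an increment from 0 is reported as the "addition on 0" warning condition, and the late refcount_set() simply overwrites the reader's increment, so the reader's later put frees the node while the inode still points at it. C11 atomics and a spin flag stand in for the kernel's lock and lockless pointer read.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical userspace model of a refcounted node published through a
 * pointer field. Not the btrfs code; names are invented for illustration. */
struct delayed_node {
    atomic_int refs;        /* models refcount_t; 0 means "not yet initialised" */
    unsigned long ino;
};

struct inode_model {
    _Atomic(struct delayed_node *) delayed_node; /* read locklessly by getters */
    atomic_flag lock;                            /* stands in for root->delayed_nodes lock */
};

enum get_result { GET_NONE, GET_OK, GET_WARN_ADD_ON_ZERO };

struct race_outcome {
    enum get_result reader; /* what the concurrent lockless getter saw */
    int refs_after_both;    /* node->refs once creator and getter have both run */
    bool reader_put_freed;  /* did the getter's put free a node that is still published? */
};

static void lock_acquire(struct inode_model *in)
{
    while (atomic_flag_test_and_set_explicit(&in->lock, memory_order_acquire))
        ;
}

static void lock_release(struct inode_model *in)
{
    atomic_flag_clear_explicit(&in->lock, memory_order_release);
}

/* refcount_inc(): incrementing from 0 is the "addition on 0; use-after-free"
 * condition that refcount_t warns about. Returns false in that case. */
static bool refcount_inc_checked(atomic_int *r)
{
    return atomic_fetch_add_explicit(r, 1, memory_order_relaxed) != 0;
}

/* Drop one reference; returns true when this put freed the node. */
bool delayed_node_put(struct delayed_node *n)
{
    if (atomic_fetch_sub_explicit(&n->refs, 1, memory_order_acq_rel) != 1)
        return false;
    free(n);
    return true;
}

/* Lockless fast path: load the published pointer, then take a reference. */
enum get_result delayed_node_get(struct inode_model *in, struct delayed_node **out)
{
    struct delayed_node *n = atomic_load_explicit(&in->delayed_node, memory_order_acquire);
    *out = n;
    if (!n)
        return GET_NONE;
    return refcount_inc_checked(&n->refs) ? GET_OK : GET_WARN_ADD_ON_ZERO;
}

/* Fixed ordering: refs is initialised before the lock is taken, so the lock's
 * acquire and the release store that publishes the pointer order it first. */
struct delayed_node *delayed_node_create_fixed(struct inode_model *in, unsigned long ino)
{
    struct delayed_node *n = calloc(1, sizeof *n);
    if (!n)
        return NULL;
    n->ino = ino;
    atomic_store_explicit(&n->refs, 1, memory_order_relaxed); /* refcount_set() before lock */
    lock_acquire(in);
    atomic_store_explicit(&in->delayed_node, n, memory_order_release);
    lock_release(in);
    return n;
}

/* Buggy ordering, first half as another CPU may see it: the pointer is
 * published while refs is still 0. */
struct delayed_node *delayed_node_publish_refs_unset(struct inode_model *in, unsigned long ino)
{
    struct delayed_node *n = calloc(1, sizeof *n);
    if (!n)
        return NULL;
    n->ino = ino;
    lock_acquire(in);
    atomic_store_explicit(&in->delayed_node, n, memory_order_release);
    lock_release(in);
    return n; /* refs still 0 */
}

/* Second half: refcount_set() lands afterwards, overwriting a reader's increment. */
void delayed_node_late_refcount_set(struct delayed_node *n)
{
    atomic_store_explicit(&n->refs, 1, memory_order_relaxed);
}

/* Interleave one creator with one concurrent lockless getter, then let the getter drop its reference. */
struct race_outcome simulate_race(bool fixed)
{
    struct inode_model in = { .delayed_node = NULL, .lock = ATOMIC_FLAG_INIT };
    struct race_outcome out = { GET_NONE, 0, false };
    struct delayed_node *seen = NULL, *n;

    if (fixed) {
        n = delayed_node_create_fixed(&in, 257);
        out.reader = delayed_node_get(&in, &seen);
    } else {
        n = delayed_node_publish_refs_unset(&in, 257);
        out.reader = delayed_node_get(&in, &seen);  /* sees the pointer, refs == 0 */
        delayed_node_late_refcount_set(n);          /* getter's reference is lost */
    }
    out.refs_after_both = atomic_load(&n->refs);
    out.reader_put_freed = delayed_node_put(seen);  /* getter drops its reference */
    if (!out.reader_put_freed) {
        /* orderly teardown: unpublish, then drop the inode's own reference */
        atomic_store(&in.delayed_node, (struct delayed_node *)NULL);
        delayed_node_put(n);
    }
    /* otherwise the node was freed while in.delayed_node still pointed at it */
    return out;
}

int main(void)
{
    struct race_outcome f = simulate_race(true), b = simulate_race(false);
    printf("fixed: reader=%d refs=%d freed_by_reader=%d\n", f.reader, f.refs_after_both, f.reader_put_freed);
    printf("buggy: reader=%d refs=%d freed_by_reader=%d\n", b.reader, b.refs_after_both, b.reader_put_freed);
    return 0;
}
```

With the fixed ordering the getter sees a live node (refs becomes 2) and its put leaves the inode's reference intact; with the buggy interleaving the getter hits the increment-from-zero condition, the count ends at 1 despite two holders, and the getter's put frees the node out from under the still-published pointer, which is the use-after-free the warning points at.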
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.6 | c8385851a543 |
| mainline | 6.19 | 83f59076a1ae |