CVE-2023-54032 (GCVE-0-2023-54032)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
Title
btrfs: fix race when deleting quota root from the dirty cow roots list
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix race when deleting quota root from the dirty cow roots list
When disabling quotas we are deleting the quota root from the list
fs_info->dirty_cowonly_roots without taking the lock that protects it,
which is struct btrfs_fs_info::trans_lock. This unsynchronized list
manipulation may cause chaos if there's another concurrent manipulation
of this list, such as when adding a root to it with
ctree.c:add_root_to_dirty_list().
This can result in all sorts of weird failures caused by a race, such as
the following crash:
[337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI
[337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1
[337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs]
[337571.279928] Code: 85 38 06 00 (...)
[337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206
[337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000
[337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070
[337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b
[337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600
[337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48
[337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000
[337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0
[337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[337571.282874] Call Trace:
[337571.283101] <TASK>
[337571.283327] ? __die_body+0x1b/0x60
[337571.283570] ? die_addr+0x39/0x60
[337571.283796] ? exc_general_protection+0x22e/0x430
[337571.284022] ? asm_exc_general_protection+0x22/0x30
[337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs]
[337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs]
[337571.284803] ? _raw_spin_unlock+0x15/0x30
[337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs]
[337571.285305] reset_balance_state+0x152/0x1b0 [btrfs]
[337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs]
[337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410
[337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs]
[337571.286358] ? mod_objcg_state+0xd2/0x360
[337571.286577] ? refill_obj_stock+0xb0/0x160
[337571.286798] ? seq_release+0x25/0x30
[337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0
[337571.287235] ? percpu_counter_add_batch+0x2e/0xa0
[337571.287455] ? __x64_sys_ioctl+0x88/0xc0
[337571.287675] __x64_sys_ioctl+0x88/0xc0
[337571.287901] do_syscall_64+0x38/0x90
[337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[337571.288352] RIP: 0033:0x7f478aaffe9b
So fix this by locking struct btrfs_fs_info::trans_lock before deleting
the quota root from that list.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
bed92eae26ccf280d1a2168b7509447b56675a27 , < 365f318da7384cbac5de6b9c098914888a4d63e7
(git)
Affected: bed92eae26ccf280d1a2168b7509447b56675a27 , < 6da229754099518cfa27cbfcd0fd042618785fad (git) Affected: bed92eae26ccf280d1a2168b7509447b56675a27 , < 679c34821ab7cd93c8ccb96fbf57fc44848a78bc (git) Affected: bed92eae26ccf280d1a2168b7509447b56675a27 , < 6819bb0b8552dcc5f82ca606c8911b8c67e0628f (git) Affected: bed92eae26ccf280d1a2168b7509447b56675a27 , < 7ba0da31dd4a8fd24d416016c538a95a5664ff02 (git) Affected: bed92eae26ccf280d1a2168b7509447b56675a27 , < a53d78d9a8551e72c46ded23e8b0a56e55d32032 (git) Affected: bed92eae26ccf280d1a2168b7509447b56675a27 , < a5cdc4012efa808e07d073c11dc2f366b5394ad3 (git) Affected: bed92eae26ccf280d1a2168b7509447b56675a27 , < b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/qgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "365f318da7384cbac5de6b9c098914888a4d63e7",
"status": "affected",
"version": "bed92eae26ccf280d1a2168b7509447b56675a27",
"versionType": "git"
},
{
"lessThan": "6da229754099518cfa27cbfcd0fd042618785fad",
"status": "affected",
"version": "bed92eae26ccf280d1a2168b7509447b56675a27",
"versionType": "git"
},
{
"lessThan": "679c34821ab7cd93c8ccb96fbf57fc44848a78bc",
"status": "affected",
"version": "bed92eae26ccf280d1a2168b7509447b56675a27",
"versionType": "git"
},
{
"lessThan": "6819bb0b8552dcc5f82ca606c8911b8c67e0628f",
"status": "affected",
"version": "bed92eae26ccf280d1a2168b7509447b56675a27",
"versionType": "git"
},
{
"lessThan": "7ba0da31dd4a8fd24d416016c538a95a5664ff02",
"status": "affected",
"version": "bed92eae26ccf280d1a2168b7509447b56675a27",
"versionType": "git"
},
{
"lessThan": "a53d78d9a8551e72c46ded23e8b0a56e55d32032",
"status": "affected",
"version": "bed92eae26ccf280d1a2168b7509447b56675a27",
"versionType": "git"
},
{
"lessThan": "a5cdc4012efa808e07d073c11dc2f366b5394ad3",
"status": "affected",
"version": "bed92eae26ccf280d1a2168b7509447b56675a27",
"versionType": "git"
},
{
"lessThan": "b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79",
"status": "affected",
"version": "bed92eae26ccf280d1a2168b7509447b56675a27",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/qgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race when deleting quota root from the dirty cow roots list\n\nWhen disabling quotas we are deleting the quota root from the list\nfs_info-\u003edirty_cowonly_roots without taking the lock that protects it,\nwhich is struct btrfs_fs_info::trans_lock. This unsynchronized list\nmanipulation may cause chaos if there\u0027s another concurrent manipulation\nof this list, such as when adding a root to it with\nctree.c:add_root_to_dirty_list().\n\nThis can result in all sorts of weird failures caused by a race, such as\nthe following crash:\n\n [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI\n [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1\n [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs]\n [337571.279928] Code: 85 38 06 00 (...)\n [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206\n [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000\n [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070\n [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b\n [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600\n [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48\n [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000\n [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0\n [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n [337571.282874] Call Trace:\n [337571.283101] \u003cTASK\u003e\n [337571.283327] ? __die_body+0x1b/0x60\n [337571.283570] ? die_addr+0x39/0x60\n [337571.283796] ? exc_general_protection+0x22e/0x430\n [337571.284022] ? asm_exc_general_protection+0x22/0x30\n [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs]\n [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs]\n [337571.284803] ? _raw_spin_unlock+0x15/0x30\n [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs]\n [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs]\n [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs]\n [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410\n [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs]\n [337571.286358] ? mod_objcg_state+0xd2/0x360\n [337571.286577] ? refill_obj_stock+0xb0/0x160\n [337571.286798] ? seq_release+0x25/0x30\n [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0\n [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0\n [337571.287455] ? __x64_sys_ioctl+0x88/0xc0\n [337571.287675] __x64_sys_ioctl+0x88/0xc0\n [337571.287901] do_syscall_64+0x38/0x90\n [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc\n [337571.288352] RIP: 0033:0x7f478aaffe9b\n\nSo fix this by locking struct btrfs_fs_info::trans_lock before deleting\nthe quota root from that list."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:59.609Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/365f318da7384cbac5de6b9c098914888a4d63e7"
},
{
"url": "https://git.kernel.org/stable/c/6da229754099518cfa27cbfcd0fd042618785fad"
},
{
"url": "https://git.kernel.org/stable/c/679c34821ab7cd93c8ccb96fbf57fc44848a78bc"
},
{
"url": "https://git.kernel.org/stable/c/6819bb0b8552dcc5f82ca606c8911b8c67e0628f"
},
{
"url": "https://git.kernel.org/stable/c/7ba0da31dd4a8fd24d416016c538a95a5664ff02"
},
{
"url": "https://git.kernel.org/stable/c/a53d78d9a8551e72c46ded23e8b0a56e55d32032"
},
{
"url": "https://git.kernel.org/stable/c/a5cdc4012efa808e07d073c11dc2f366b5394ad3"
},
{
"url": "https://git.kernel.org/stable/c/b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79"
}
],
"title": "btrfs: fix race when deleting quota root from the dirty cow roots list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54032",
"datePublished": "2025-12-24T10:55:59.609Z",
"dateReserved": "2025-12-24T10:53:46.180Z",
"dateUpdated": "2025-12-24T10:55:59.609Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2023-54032\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-24T11:15:56.193\",\"lastModified\":\"2025-12-29T15:58:56.260\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: fix race when deleting quota root from the dirty cow roots list\\n\\nWhen disabling quotas we are deleting the quota root from the list\\nfs_info-\u003edirty_cowonly_roots without taking the lock that protects it,\\nwhich is struct btrfs_fs_info::trans_lock. This unsynchronized list\\nmanipulation may cause chaos if there\u0027s another concurrent manipulation\\nof this list, such as when adding a root to it with\\nctree.c:add_root_to_dirty_list().\\n\\nThis can result in all sorts of weird failures caused by a race, such as\\nthe following crash:\\n\\n [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI\\n [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1\\n [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\\n [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs]\\n [337571.279928] Code: 85 38 06 00 (...)\\n [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206\\n [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000\\n [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070\\n [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b\\n [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600\\n [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48\\n [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000\\n [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0\\n [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n [337571.282874] Call Trace:\\n [337571.283101] \u003cTASK\u003e\\n [337571.283327] ? __die_body+0x1b/0x60\\n [337571.283570] ? die_addr+0x39/0x60\\n [337571.283796] ? exc_general_protection+0x22e/0x430\\n [337571.284022] ? asm_exc_general_protection+0x22/0x30\\n [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs]\\n [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs]\\n [337571.284803] ? _raw_spin_unlock+0x15/0x30\\n [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs]\\n [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs]\\n [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs]\\n [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410\\n [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs]\\n [337571.286358] ? mod_objcg_state+0xd2/0x360\\n [337571.286577] ? refill_obj_stock+0xb0/0x160\\n [337571.286798] ? seq_release+0x25/0x30\\n [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0\\n [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0\\n [337571.287455] ? __x64_sys_ioctl+0x88/0xc0\\n [337571.287675] __x64_sys_ioctl+0x88/0xc0\\n [337571.287901] do_syscall_64+0x38/0x90\\n [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc\\n [337571.288352] RIP: 0033:0x7f478aaffe9b\\n\\nSo fix this by locking struct btrfs_fs_info::trans_lock before deleting\\nthe quota root from that list.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/365f318da7384cbac5de6b9c098914888a4d63e7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/679c34821ab7cd93c8ccb96fbf57fc44848a78bc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6819bb0b8552dcc5f82ca606c8911b8c67e0628f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6da229754099518cfa27cbfcd0fd042618785fad\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7ba0da31dd4a8fd24d416016c538a95a5664ff02\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a53d78d9a8551e72c46ded23e8b0a56e55d32032\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a5cdc4012efa808e07d073c11dc2f366b5394ad3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…