CVE-2023-54067 (GCVE-0-2023-54067)

Vulnerability from cvelistv5 – Published: 2025-12-24 12:23 – Updated: 2025-12-24 12:23
VLAI?
Title
btrfs: fix race when deleting free space root from the dirty cow roots list
Summary
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race when deleting free space root from the dirty cow roots list When deleting the free space tree we are deleting the free space root from the list fs_info->dirty_cowonly_roots without taking the lock that protects it, which is struct btrfs_fs_info::trans_lock. This unsynchronized list manipulation may cause chaos if there's another concurrent manipulation of this list, such as when adding a root to it with ctree.c:add_root_to_dirty_list(). This can result in all sorts of weird failures caused by a race, such as the following crash: [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.279928] Code: 85 38 06 00 (...) [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206 [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000 [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070 [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600 [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48 [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000 [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0 [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [337571.282874] Call Trace: [337571.283101] <TASK> [337571.283327] ? __die_body+0x1b/0x60 [337571.283570] ? die_addr+0x39/0x60 [337571.283796] ? exc_general_protection+0x22e/0x430 [337571.284022] ? asm_exc_general_protection+0x22/0x30 [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs] [337571.284803] ? _raw_spin_unlock+0x15/0x30 [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs] [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs] [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs] [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410 [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs] [337571.286358] ? mod_objcg_state+0xd2/0x360 [337571.286577] ? refill_obj_stock+0xb0/0x160 [337571.286798] ? seq_release+0x25/0x30 [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0 [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0 [337571.287455] ? __x64_sys_ioctl+0x88/0xc0 [337571.287675] __x64_sys_ioctl+0x88/0xc0 [337571.287901] do_syscall_64+0x38/0x90 [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc [337571.288352] RIP: 0033:0x7f478aaffe9b So fix this by locking struct btrfs_fs_info::trans_lock before deleting the free space root from that list.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: a5ed91828518ab076209266c2bc510adabd078df , < 6f1c81886b0b56cb88b311e5d2f203625474d892 (git)
Affected: a5ed91828518ab076209266c2bc510adabd078df , < 8ce9139aea5e60a247bde5af804312f54975f443 (git)
Affected: a5ed91828518ab076209266c2bc510adabd078df , < babebf023e661b90b1c78b2baa384fb03a226879 (git)
Create a notification for this product.
    Linux Linux Affected: 4.5
Unaffected: 0 , < 4.5 (semver)
Unaffected: 6.1.39 , ≤ 6.1.* (semver)
Unaffected: 6.4.4 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/free-space-tree.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6f1c81886b0b56cb88b311e5d2f203625474d892",
              "status": "affected",
              "version": "a5ed91828518ab076209266c2bc510adabd078df",
              "versionType": "git"
            },
            {
              "lessThan": "8ce9139aea5e60a247bde5af804312f54975f443",
              "status": "affected",
              "version": "a5ed91828518ab076209266c2bc510adabd078df",
              "versionType": "git"
            },
            {
              "lessThan": "babebf023e661b90b1c78b2baa384fb03a226879",
              "status": "affected",
              "version": "a5ed91828518ab076209266c2bc510adabd078df",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/free-space-tree.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.5"
            },
            {
              "lessThan": "4.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.39",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.4",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race when deleting free space root from the dirty cow roots list\n\nWhen deleting the free space tree we are deleting the free space root\nfrom the list fs_info-\u003edirty_cowonly_roots without taking the lock that\nprotects it, which is struct btrfs_fs_info::trans_lock.\nThis unsynchronized list manipulation may cause chaos if there\u0027s another\nconcurrent manipulation of this list, such as when adding a root to it\nwith ctree.c:add_root_to_dirty_list().\n\nThis can result in all sorts of weird failures caused by a race, such as\nthe following crash:\n\n  [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI\n  [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G        W          6.4.0-rc6-btrfs-next-134+ #1\n  [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n  [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs]\n  [337571.279928] Code: 85 38 06 00 (...)\n  [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206\n  [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000\n  [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070\n  [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b\n  [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600\n  [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48\n  [337571.281723] FS:  00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000\n  [337571.281950] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0\n  [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  [337571.282874] Call Trace:\n  [337571.283101]  \u003cTASK\u003e\n  [337571.283327]  ? __die_body+0x1b/0x60\n  [337571.283570]  ? die_addr+0x39/0x60\n  [337571.283796]  ? exc_general_protection+0x22e/0x430\n  [337571.284022]  ? asm_exc_general_protection+0x22/0x30\n  [337571.284251]  ? commit_cowonly_roots+0x11f/0x250 [btrfs]\n  [337571.284531]  btrfs_commit_transaction+0x42e/0xf90 [btrfs]\n  [337571.284803]  ? _raw_spin_unlock+0x15/0x30\n  [337571.285031]  ? release_extent_buffer+0x103/0x130 [btrfs]\n  [337571.285305]  reset_balance_state+0x152/0x1b0 [btrfs]\n  [337571.285578]  btrfs_balance+0xa50/0x11e0 [btrfs]\n  [337571.285864]  ? __kmem_cache_alloc_node+0x14a/0x410\n  [337571.286086]  btrfs_ioctl+0x249a/0x3320 [btrfs]\n  [337571.286358]  ? mod_objcg_state+0xd2/0x360\n  [337571.286577]  ? refill_obj_stock+0xb0/0x160\n  [337571.286798]  ? seq_release+0x25/0x30\n  [337571.287016]  ? __rseq_handle_notify_resume+0x3ba/0x4b0\n  [337571.287235]  ? percpu_counter_add_batch+0x2e/0xa0\n  [337571.287455]  ? __x64_sys_ioctl+0x88/0xc0\n  [337571.287675]  __x64_sys_ioctl+0x88/0xc0\n  [337571.287901]  do_syscall_64+0x38/0x90\n  [337571.288126]  entry_SYSCALL_64_after_hwframe+0x72/0xdc\n  [337571.288352] RIP: 0033:0x7f478aaffe9b\n\nSo fix this by locking struct btrfs_fs_info::trans_lock before deleting\nthe free space root from that list."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T12:23:12.109Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6f1c81886b0b56cb88b311e5d2f203625474d892"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ce9139aea5e60a247bde5af804312f54975f443"
        },
        {
          "url": "https://git.kernel.org/stable/c/babebf023e661b90b1c78b2baa384fb03a226879"
        }
      ],
      "title": "btrfs: fix race when deleting free space root from the dirty cow roots list",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54067",
    "datePublished": "2025-12-24T12:23:12.109Z",
    "dateReserved": "2025-12-24T12:21:05.092Z",
    "dateUpdated": "2025-12-24T12:23:12.109Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-54067\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-24T13:16:08.540\",\"lastModified\":\"2025-12-24T13:16:08.540\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: fix race when deleting free space root from the dirty cow roots list\\n\\nWhen deleting the free space tree we are deleting the free space root\\nfrom the list fs_info-\u003edirty_cowonly_roots without taking the lock that\\nprotects it, which is struct btrfs_fs_info::trans_lock.\\nThis unsynchronized list manipulation may cause chaos if there\u0027s another\\nconcurrent manipulation of this list, such as when adding a root to it\\nwith ctree.c:add_root_to_dirty_list().\\n\\nThis can result in all sorts of weird failures caused by a race, such as\\nthe following crash:\\n\\n  [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI\\n  [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G        W          6.4.0-rc6-btrfs-next-134+ #1\\n  [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\\n  [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs]\\n  [337571.279928] Code: 85 38 06 00 (...)\\n  [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206\\n  [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000\\n  [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070\\n  [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b\\n  [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600\\n  [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48\\n  [337571.281723] FS:  00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000\\n  [337571.281950] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n  [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0\\n  [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n  [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n  [337571.282874] Call Trace:\\n  [337571.283101]  \u003cTASK\u003e\\n  [337571.283327]  ? __die_body+0x1b/0x60\\n  [337571.283570]  ? die_addr+0x39/0x60\\n  [337571.283796]  ? exc_general_protection+0x22e/0x430\\n  [337571.284022]  ? asm_exc_general_protection+0x22/0x30\\n  [337571.284251]  ? commit_cowonly_roots+0x11f/0x250 [btrfs]\\n  [337571.284531]  btrfs_commit_transaction+0x42e/0xf90 [btrfs]\\n  [337571.284803]  ? _raw_spin_unlock+0x15/0x30\\n  [337571.285031]  ? release_extent_buffer+0x103/0x130 [btrfs]\\n  [337571.285305]  reset_balance_state+0x152/0x1b0 [btrfs]\\n  [337571.285578]  btrfs_balance+0xa50/0x11e0 [btrfs]\\n  [337571.285864]  ? __kmem_cache_alloc_node+0x14a/0x410\\n  [337571.286086]  btrfs_ioctl+0x249a/0x3320 [btrfs]\\n  [337571.286358]  ? mod_objcg_state+0xd2/0x360\\n  [337571.286577]  ? refill_obj_stock+0xb0/0x160\\n  [337571.286798]  ? seq_release+0x25/0x30\\n  [337571.287016]  ? __rseq_handle_notify_resume+0x3ba/0x4b0\\n  [337571.287235]  ? percpu_counter_add_batch+0x2e/0xa0\\n  [337571.287455]  ? __x64_sys_ioctl+0x88/0xc0\\n  [337571.287675]  __x64_sys_ioctl+0x88/0xc0\\n  [337571.287901]  do_syscall_64+0x38/0x90\\n  [337571.288126]  entry_SYSCALL_64_after_hwframe+0x72/0xdc\\n  [337571.288352] RIP: 0033:0x7f478aaffe9b\\n\\nSo fix this by locking struct btrfs_fs_info::trans_lock before deleting\\nthe free space root from that list.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/6f1c81886b0b56cb88b311e5d2f203625474d892\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8ce9139aea5e60a247bde5af804312f54975f443\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/babebf023e661b90b1c78b2baa384fb03a226879\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.