GHSA-9VVC-R9F2-4433

Vulnerability from github – Published: 2025-12-24 12:30 – Updated: 2025-12-24 12:30
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix race between balance and cancel/pause

Syzbot reported a panic that looks like this:

assertion failed: fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE_PAUSED, in fs/btrfs/ioctl.c:465 ------------[ cut here ]------------ kernel BUG at fs/btrfs/messages.c:259! RIP: 0010:btrfs_assertfail+0x2c/0x30 fs/btrfs/messages.c:259 Call Trace: btrfs_exclop_balance fs/btrfs/ioctl.c:465 [inline] btrfs_ioctl_balance fs/btrfs/ioctl.c:3564 [inline] btrfs_ioctl+0x531e/0x5b30 fs/btrfs/ioctl.c:4632 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The reproducer is running a balance and a cancel or pause in parallel. The way balance finishes is a bit wonky, if we were paused we need to save the balance_ctl in the fs_info, but clear it otherwise and cleanup. However we rely on the return values being specific errors, or having a cancel request or no pause request. If balance completes and returns 0, but we have a pause or cancel request we won't do the appropriate cleanup, and then the next time we try to start a balance we'll trip this ASSERT.

The error handling is just wrong here, we always want to clean up, unless we got -ECANCELLED and we set the appropriate pause flag in the exclusive op. With this patch the reproducer ran for an hour without tripping, previously it would trip in less than a few minutes.

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-54023"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-24T11:15:55Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race between balance and cancel/pause\n\nSyzbot reported a panic that looks like this:\n\n  assertion failed: fs_info-\u003eexclusive_operation == BTRFS_EXCLOP_BALANCE_PAUSED, in fs/btrfs/ioctl.c:465\n  ------------[ cut here ]------------\n  kernel BUG at fs/btrfs/messages.c:259!\n  RIP: 0010:btrfs_assertfail+0x2c/0x30 fs/btrfs/messages.c:259\n  Call Trace:\n   \u003cTASK\u003e\n   btrfs_exclop_balance fs/btrfs/ioctl.c:465 [inline]\n   btrfs_ioctl_balance fs/btrfs/ioctl.c:3564 [inline]\n   btrfs_ioctl+0x531e/0x5b30 fs/btrfs/ioctl.c:4632\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:870 [inline]\n   __se_sys_ioctl fs/ioctl.c:856 [inline]\n   __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856\n   do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n   do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe reproducer is running a balance and a cancel or pause in parallel.\nThe way balance finishes is a bit wonky, if we were paused we need to\nsave the balance_ctl in the fs_info, but clear it otherwise and cleanup.\nHowever we rely on the return values being specific errors, or having a\ncancel request or no pause request.  If balance completes and returns 0,\nbut we have a pause or cancel request we won\u0027t do the appropriate\ncleanup, and then the next time we try to start a balance we\u0027ll trip\nthis ASSERT.\n\nThe error handling is just wrong here, we always want to clean up,\nunless we got -ECANCELLED and we set the appropriate pause flag in the\nexclusive op.  With this patch the reproducer ran for an hour without\ntripping, previously it would trip in less than a few minutes.",
  "id": "GHSA-9vvc-r9f2-4433",
  "modified": "2025-12-24T12:30:28Z",
  "published": "2025-12-24T12:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54023"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/72efe5d44821e38540888a5fe3ff3d0faab6acad"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b19c98f237cd76981aaded52c258ce93f7daa8cb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ddf7e8984c83aee9122552529f4e77291903f8d9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.