GHSA-M54R-3P53-FCCH

Vulnerability from github – Published: 2025-12-24 12:30 – Updated: 2025-12-24 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix assertion of exclop condition when starting balance

Balance as an exclusive state is compatible with paused balance and device add, which makes some things more complicated. The assertion of valid states when starting from paused balance needs to take into account two more states; the combinations can be hit when there are several threads racing to start balance and device add. This won't typically happen when the commands are started from the command line.

Scenario 1: With exclusive_operation state == BTRFS_EXCLOP_NONE.

When multiple devices are concurrently added to the same mount point and btrfs_exclop_finish finishes executing before the assertion in btrfs_exclop_balance, exclusive_operation will be changed to the BTRFS_EXCLOP_NONE state, which leads to a failed assertion:

  fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE ||
  fs_info->exclusive_operation == BTRFS_EXCLOP_DEV_ADD,
  in fs/btrfs/ioctl.c:456
  Call Trace:
   <TASK>
   btrfs_exclop_balance+0x13c/0x310
   ? memdup_user+0xab/0xc0
   ? PTR_ERR+0x17/0x20
   btrfs_ioctl_add_dev+0x2ee/0x320
   btrfs_ioctl+0x9d5/0x10d0
   ? btrfs_ioctl_encoded_write+0xb80/0xb80
   __x64_sys_ioctl+0x197/0x210
   do_syscall_64+0x3c/0xb0
   entry_SYSCALL_64_after_hwframe+0x63/0xcd

Scenario 2: With exclusive_operation state == BTRFS_EXCLOP_BALANCE_PAUSED.

When multiple devices are concurrently added to the same mount point and btrfs_exclop_balance finishes executing before the latter thread executes the assertion in btrfs_exclop_balance, exclusive_operation will be changed to the BTRFS_EXCLOP_BALANCE_PAUSED state, which leads to a failed assertion:

  fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE ||
  fs_info->exclusive_operation == BTRFS_EXCLOP_DEV_ADD ||
  fs_info->exclusive_operation == BTRFS_EXCLOP_NONE,
  fs/btrfs/ioctl.c:458
  Call Trace:
   <TASK>
   btrfs_exclop_balance+0x240/0x410
   ? memdup_user+0xab/0xc0
   ? PTR_ERR+0x17/0x20
   btrfs_ioctl_add_dev+0x2ee/0x320
   btrfs_ioctl+0x9d5/0x10d0
   ? btrfs_ioctl_encoded_write+0xb80/0xb80
   __x64_sys_ioctl+0x197/0x210
   do_syscall_64+0x3c/0xb0
   entry_SYSCALL_64_after_hwframe+0x63/0xcd

An example of the failed assertion is below, which shows that the paused balance also needs to be checked.

  root@syzkaller:/home/xsk# ./repro
  Failed to add device /dev/vda, errno 14
  Failed to add device /dev/vda, errno 14
  Failed to add device /dev/vda, errno 14
  Failed to add device /dev/vda, errno 14
  Failed to add device /dev/vda, errno 14
  Failed to add device /dev/vda, errno 14
  Failed to add device /dev/vda, errno 14
  Failed to add device /dev/vda, errno 14
  Failed to add device /dev/vda, errno 14
  [  416.611428][ T7970] BTRFS info (device loop0): fs_info exclusive_operation: 0
  Failed to add device /dev/vda, errno 14
  [  416.613973][ T7971] BTRFS info (device loop0): fs_info exclusive_operation: 3
  Failed to add device /dev/vda, errno 14
  [  416.615456][ T7972] BTRFS info (device loop0): fs_info exclusive_operation: 3
  Failed to add device /dev/vda, errno 14
  [  416.617528][ T7973] BTRFS info (device loop0): fs_info exclusive_operation: 3
  Failed to add device /dev/vda, errno 14
  [  416.618359][ T7974] BTRFS info (device loop0): fs_info exclusive_operation: 3
  Failed to add device /dev/vda, errno 14
  [  416.622589][ T7975] BTRFS info (device loop0): fs_info exclusive_operation: 3
  Failed to add device /dev/vda, errno 14
  [  416.624034][ T7976] BTRFS info (device loop0): fs_info exclusive_operation: 3
  Failed to add device /dev/vda, errno 14
  [  416.626420][ T7977] BTRFS info (device loop0): fs_info exclusive_operation: 3
  Failed to add device /dev/vda, errno 14
  [  416.627643][ T7978] BTRFS info (device loop0): fs_info exclusive_operation: 3
  Failed to add device /dev/vda, errno 14
  [  416.629006][ T7979] BTRFS info (device loop0): fs_info exclusive_operation: 3
  [  416.630298][ T7980] BTRFS info (device loop0): fs_info exclusive_operation: 3
  Fai
---truncated---


{
  "affected": [],
  "aliases": [
    "CVE-2023-54002"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-24T11:15:53Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix assertion of exclop condition when starting balance\n\nBalance as exclusive state is compatible with paused balance and device\nadd, which makes some things more complicated. The assertion of valid\nstates when starting from paused balance needs to take into account two\nmore states, the combinations can be hit when there are several threads\nracing to start balance and device add. This won\u0027t typically happen when\nthe commands are started from command line.\n\nScenario 1: With exclusive_operation state == BTRFS_EXCLOP_NONE.\n\nConcurrently adding multiple devices to the same mount point and\nbtrfs_exclop_finish executed finishes before assertion in\nbtrfs_exclop_balance, exclusive_operation will changed to\nBTRFS_EXCLOP_NONE state which lead to assertion failed:\n\n  fs_info-\u003eexclusive_operation == BTRFS_EXCLOP_BALANCE ||\n  fs_info-\u003eexclusive_operation == BTRFS_EXCLOP_DEV_ADD,\n  in fs/btrfs/ioctl.c:456\n  Call Trace:\n   \u003cTASK\u003e\n   btrfs_exclop_balance+0x13c/0x310\n   ? memdup_user+0xab/0xc0\n   ? PTR_ERR+0x17/0x20\n   btrfs_ioctl_add_dev+0x2ee/0x320\n   btrfs_ioctl+0x9d5/0x10d0\n   ? 
btrfs_ioctl_encoded_write+0xb80/0xb80\n   __x64_sys_ioctl+0x197/0x210\n   do_syscall_64+0x3c/0xb0\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nScenario 2: With exclusive_operation state == BTRFS_EXCLOP_BALANCE_PAUSED.\n\nConcurrently adding multiple devices to the same mount point and\nbtrfs_exclop_balance executed finish before the latter thread execute\nassertion in btrfs_exclop_balance, exclusive_operation will changed to\nBTRFS_EXCLOP_BALANCE_PAUSED state which lead to assertion failed:\n\n  fs_info-\u003eexclusive_operation == BTRFS_EXCLOP_BALANCE ||\n  fs_info-\u003eexclusive_operation == BTRFS_EXCLOP_DEV_ADD ||\n  fs_info-\u003eexclusive_operation == BTRFS_EXCLOP_NONE,\n  fs/btrfs/ioctl.c:458\n  Call Trace:\n   \u003cTASK\u003e\n   btrfs_exclop_balance+0x240/0x410\n   ? memdup_user+0xab/0xc0\n   ? PTR_ERR+0x17/0x20\n   btrfs_ioctl_add_dev+0x2ee/0x320\n   btrfs_ioctl+0x9d5/0x10d0\n   ? btrfs_ioctl_encoded_write+0xb80/0xb80\n   __x64_sys_ioctl+0x197/0x210\n   do_syscall_64+0x3c/0xb0\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nAn example of the failed assertion is below, which shows that the\npaused balance is also needed to be checked.\n\n  root@syzkaller:/home/xsk# ./repro\n  Failed to add device /dev/vda, errno 14\n  Failed to add device /dev/vda, errno 14\n  Failed to add device /dev/vda, errno 14\n  Failed to add device /dev/vda, errno 14\n  Failed to add device /dev/vda, errno 14\n  Failed to add device /dev/vda, errno 14\n  Failed to add device /dev/vda, errno 14\n  Failed to add device /dev/vda, errno 14\n  Failed to add device /dev/vda, errno 14\n  [  416.611428][ T7970] BTRFS info (device loop0): fs_info exclusive_operation: 0\n  Failed to add device /dev/vda, errno 14\n  [  416.613973][ T7971] BTRFS info (device loop0): fs_info exclusive_operation: 3\n  Failed to add device /dev/vda, errno 14\n  [  416.615456][ T7972] BTRFS info (device loop0): fs_info exclusive_operation: 3\n  Failed to add device /dev/vda, errno 14\n  [  416.617528][ T7973] 
BTRFS info (device loop0): fs_info exclusive_operation: 3\n  Failed to add device /dev/vda, errno 14\n  [  416.618359][ T7974] BTRFS info (device loop0): fs_info exclusive_operation: 3\n  Failed to add device /dev/vda, errno 14\n  [  416.622589][ T7975] BTRFS info (device loop0): fs_info exclusive_operation: 3\n  Failed to add device /dev/vda, errno 14\n  [  416.624034][ T7976] BTRFS info (device loop0): fs_info exclusive_operation: 3\n  Failed to add device /dev/vda, errno 14\n  [  416.626420][ T7977] BTRFS info (device loop0): fs_info exclusive_operation: 3\n  Failed to add device /dev/vda, errno 14\n  [  416.627643][ T7978] BTRFS info (device loop0): fs_info exclusive_operation: 3\n  Failed to add device /dev/vda, errno 14\n  [  416.629006][ T7979] BTRFS info (device loop0): fs_info exclusive_operation: 3\n  [  416.630298][ T7980] BTRFS info (device loop0): fs_info exclusive_operation: 3\n  Fai\n---truncated---",
  "id": "GHSA-m54r-3p53-fcch",
  "modified": "2025-12-24T12:30:27Z",
  "published": "2025-12-24T12:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54002"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/17eaeee4c5f24946aad0298d51f32981c3161d13"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6062e9e335a3bf409b5118bfe4cc10aff4b6adb1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7877dc1136ada770622d22041be306539902951b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ac868bc9d136cde6e3eb5de77019a63d57a540ff"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

