CVE-2021-46987: Vulnerability in Linux

High
Published: Wed Feb 28 2024 (02/28/2024, 08:13:14 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix deadlock when cloning inline extents and using qgroups

There are a few exceptional cases where cloning an inline extent needs to copy the inline extent data into a page of the destination inode. When this happens, we end up starting a transaction while having a dirty page for the destination inode and while having the range locked in the destination's inode iotree too.

Because when reserving metadata space for a transaction we may need to flush existing delalloc in case there is not enough free space, we have a mechanism in place to prevent a deadlock, which was introduced in commit 3d45f221ce627d ("btrfs: fix deadlock when cloning inline extent and low on free metadata space").

However when using qgroups, a transaction also reserves metadata qgroup space, which can also result in flushing delalloc in case there is not enough available space at the moment. When this happens we deadlock, since flushing delalloc requires locking the file range in the inode's iotree and the range was already locked at the very beginning of the clone operation, before attempting to start the transaction.

When this issue happens, stack traces like the following are reported:

  [72747.556262] task:kworker/u81:9 state:D stack: 0 pid: 225 ppid: 2 flags:0x00004000
  [72747.556268] Workqueue: writeback wb_workfn (flush-btrfs-1142)
  [72747.556271] Call Trace:
  [72747.556273] __schedule+0x296/0x760
  [72747.556277] schedule+0x3c/0xa0
  [72747.556279] io_schedule+0x12/0x40
  [72747.556284] __lock_page+0x13c/0x280
  [72747.556287] ? generic_file_readonly_mmap+0x70/0x70
  [72747.556325] extent_write_cache_pages+0x22a/0x440 [btrfs]
  [72747.556331] ? __set_page_dirty_nobuffers+0xe7/0x160
  [72747.556358] ? set_extent_buffer_dirty+0x5e/0x80 [btrfs]
  [72747.556362] ? update_group_capacity+0x25/0x210
  [72747.556366] ? cpumask_next_and+0x1a/0x20
  [72747.556391] extent_writepages+0x44/0xa0 [btrfs]
  [72747.556394] do_writepages+0x41/0xd0
  [72747.556398] __writeback_single_inode+0x39/0x2a0
  [72747.556403] writeback_sb_inodes+0x1ea/0x440
  [72747.556407] __writeback_inodes_wb+0x5f/0xc0
  [72747.556410] wb_writeback+0x235/0x2b0
  [72747.556414] ? get_nr_inodes+0x35/0x50
  [72747.556417] wb_workfn+0x354/0x490
  [72747.556420] ? newidle_balance+0x2c5/0x3e0
  [72747.556424] process_one_work+0x1aa/0x340
  [72747.556426] worker_thread+0x30/0x390
  [72747.556429] ? create_worker+0x1a0/0x1a0
  [72747.556432] kthread+0x116/0x130
  [72747.556435] ? kthread_park+0x80/0x80
  [72747.556438] ret_from_fork+0x1f/0x30

  [72747.566958] Workqueue: btrfs-flush_delalloc btrfs_work_helper [btrfs]
  [72747.566961] Call Trace:
  [72747.566964] __schedule+0x296/0x760
  [72747.566968] ? finish_wait+0x80/0x80
  [72747.566970] schedule+0x3c/0xa0
  [72747.566995] wait_extent_bit.constprop.68+0x13b/0x1c0 [btrfs]
  [72747.566999] ? finish_wait+0x80/0x80
  [72747.567024] lock_extent_bits+0x37/0x90 [btrfs]
  [72747.567047] btrfs_invalidatepage+0x299/0x2c0 [btrfs]
  [72747.567051] ? find_get_pages_range_tag+0x2cd/0x380
  [72747.567076] __extent_writepage+0x203/0x320 [btrfs]
  [72747.567102] extent_write_cache_pages+0x2bb/0x440 [btrfs]
  [72747.567106] ? update_load_avg+0x7e/0x5f0
  [72747.567109] ? enqueue_entity+0xf4/0x6f0
  [72747.567134] extent_writepages+0x44/0xa0 [btrfs]
  [72747.567137] ? enqueue_task_fair+0x93/0x6f0
  [72747.567140] do_writepages+0x41/0xd0
  [72747.567144] __filemap_fdatawrite_range+0xc7/0x100
  [72747.567167] btrfs_run_delalloc_work+0x17/0x40 [btrfs]
  [72747.567195] btrfs_work_helper+0xc2/0x300 [btrfs]
  [72747.567200] process_one_work+0x1aa/0x340
  [72747.567202] worker_thread+0x30/0x390
  [72747.567205] ? create_worker+0x1a0/0x1a0
  [72747.567208] kthread+0x116/0x130
  [72747.567211] ? kthread_park+0x80/0x80
  [72747.567214] ret_from_fork+0x1f/0x30

  [72747.569686] task:fsstress state:D stack: ---truncated---

AI-Powered Analysis

Last updated: 06/28/2025, 04:41:09 UTC

Technical Analysis

CVE-2021-46987 is a deadlock in the Linux kernel's Btrfs filesystem implementation that occurs when cloning inline extents while quota groups (qgroups) are enabled. Btrfs supports cloning file extents to optimize storage and performance. In certain edge cases, cloning an inline extent requires copying the extent data into a page of the destination inode. During this operation, a transaction is started while the destination inode has a dirty page and while the file range is locked in the inode's iotree. Reserving metadata space for a transaction may require flushing delayed allocations (delalloc) when free space is insufficient, and the kernel already has a mechanism to prevent a deadlock in that case. However, when qgroups are enabled, the transaction must also reserve metadata qgroup space, which can likewise trigger delalloc flushing. This flushing requires locking the same file range that was already locked at the start of the clone operation, causing a circular wait and resulting in a deadlock.

The vulnerability manifests as kernel threads stuck in uninterruptible sleep (state D), with stack traces showing workqueue and Btrfs writeback functions waiting indefinitely. This deadlock can cause system hangs or severe performance degradation. The issue affects specific Linux kernel versions identified by commit hashes and was resolved by fixing the locking and transaction reservation logic in Btrfs. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The vulnerability is technical and specific to Btrfs with qgroups enabled, impacting systems that perform cloning of inline extents under low metadata space conditions.

Potential Impact

For European organizations, the impact of CVE-2021-46987 can be significant in environments using Linux servers with Btrfs filesystems configured with quota groups. The deadlock can cause kernel-level hangs or severe performance degradation, potentially leading to denial of service (DoS) conditions on critical infrastructure such as file servers, storage appliances, or virtualized environments relying on Btrfs. This can disrupt business operations, data availability, and service continuity. Organizations using Btrfs for container storage or cloud infrastructure could experience instability affecting multiple services. Since the deadlock occurs under specific conditions involving cloning inline extents and low metadata space, workloads with heavy file cloning or snapshotting may be more vulnerable. The lack of known exploits reduces immediate risk, but unpatched systems remain susceptible to accidental or triggered deadlocks, impacting system reliability and uptime.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Apply the latest Linux kernel patches that address CVE-2021-46987 as soon as they become available from trusted sources or Linux distributions.
2) If immediate patching is not possible, consider disabling quota groups (qgroups) on Btrfs volumes as a temporary workaround, understanding this may impact quota enforcement.
3) Monitor system logs and kernel messages for signs of deadlocks or uninterruptible sleep states related to Btrfs writeback or cloning operations.
4) Avoid workloads that heavily rely on cloning inline extents or snapshotting under low metadata space conditions until patched.
5) Implement robust monitoring and alerting for filesystem performance and kernel thread states to detect early signs of deadlock.
6) Test patches in staging environments to ensure stability before production deployment.
7) Engage with Linux distribution vendors for backported fixes and security advisories.

These targeted steps go beyond generic advice by focusing on the specific Btrfs qgroup and cloning context of the vulnerability.
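Mitigation steps 3 and 5 call for watching kernel messages for blocked Btrfs writeback threads. The following is an added example, not code from the original page or from the kernel project: it groups dmesg-style hung-task output into traces and flags those where Btrfs writeback is waiting on a page lock or extent-range lock. The function name, the set of lock-wait frames (taken from the traces quoted in the description) and the ext4 block in the sample are assumptions for illustration; a hit indicates a stall of this shape, not proof of this specific bug.

```python
import re
# Constructed sample: blocks 1-2 are abridged from the traces quoted in the
# description; the ext4 block is made up as a negative case.
SAMPLE = """\
[72747.556262] task:kworker/u81:9 state:D stack: 0 pid: 225 ppid: 2 flags:0x00004000
[72747.556268] Workqueue: writeback wb_workfn (flush-btrfs-1142)
[72747.556271] Call Trace:
[72747.556284] __lock_page+0x13c/0x280
[72747.556287] ? generic_file_readonly_mmap+0x70/0x70
[72747.556325] extent_write_cache_pages+0x22a/0x440 [btrfs]
[72747.566958] Workqueue: btrfs-flush_delalloc btrfs_work_helper [btrfs]
[72747.566961] Call Trace:
[72747.566995] wait_extent_bit.constprop.68+0x13b/0x1c0 [btrfs]
[72747.567024] lock_extent_bits+0x37/0x90 [btrfs]
[72747.567102] extent_write_cache_pages+0x2bb/0x440 [btrfs]
[80000.000001] task:rsync state:D stack: 0 pid: 4242 ppid: 1 flags:0x00000000
[80000.000003] __lock_page+0x13c/0x280
[80000.000004] ext4_writepages+0x100/0x900 [ext4]
"""

LINE = re.compile(r"^[ \t]*\[\s*(\d+\.\d+)\][ \t]+(.*)$", re.M)
HEADER = re.compile(r"(?:task:(?P<task>\S+)\s+state:\S|Workqueue:\s+(?P<wq>\S+))")
# "? sym+0x.." entries are unreliable stack leftovers and deliberately do not match.
FRAME = re.compile(r"(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(?P<mod>\w+)\])?\s*$")
# Lock-wait frames seen in the quoted traces (assumed heuristic, not an official signature).
LOCK_WAITS = {"__lock_page", "lock_extent_bits", "wait_extent_bit"}

def find_btrfs_writeback_stalls(log_text):
    """Return traces where btrfs writeback is blocked on a page or extent-range lock."""
    blocks, cur = [], None
    for ts, msg in LINE.findall(log_text):
        h = HEADER.match(msg)
        if h and (cur is None or h.group("task") or cur["frames"]):
            cur = {"ts": ts, "task": h.group("task"), "workqueue": h.group("wq"), "frames": []}
            blocks.append(cur)
        elif h:  # Workqueue: line directly under its task: line
            cur["workqueue"] = h.group("wq")
        elif cur is not None and (f := FRAME.match(msg)):
            cur["frames"].append((f.group("sym").split(".")[0], f.group("mod")))
    hits = []
    for b in blocks:
        waits = [sym for sym, _ in b["frames"] if sym in LOCK_WAITS]
        if waits and ("extent_write_cache_pages", "btrfs") in b["frames"]:
            hits.append({"ts": b["ts"], "task": b["task"],
                         "workqueue": b["workqueue"], "waiting_on": waits[0]})
    return hits

if __name__ == "__main__":
    print(find_btrfs_writeback_stalls(SAMPLE))
```

Two such traces appearing close together, one waiting on a page lock and one on an extent-range lock, match the pattern the description reports.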

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-27T18:42:55.947Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9821c4522896dcbddfd8

Added to database: 5/21/2025, 9:08:49 AM

Last enriched: 6/28/2025, 4:41:09 AM

Last updated: 8/6/2025, 5:51:14 PM
