CVE-2024-42103: Vulnerability in Linux Linux

High
Published: Tue Jul 30 2024 (07/30/2024, 07:45:59 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix adding block group to a reclaim list and the unused list during reclaim

There is a potential parallel list adding for retrying in btrfs_reclaim_bgs_work and adding to the unused list. Since the block group is removed from the reclaim list and it is on a relocation work, it can be added into the unused list in parallel. When that happens, adding it to the reclaim list will corrupt the list head and trigger list corruption like below.

Fix it by taking fs_info->unused_bgs_lock.

    [177.504][T2585409] BTRFS error (device nullb1): error relocating chunk 2415919104
    [177.514][T2585409] list_del corruption. next->prev should be ff11000344b119c0, but was ff11000377e87c70. (next=ff110002390cd9c0)
    [177.529][T2585409] ------------[ cut here ]------------
    [177.537][T2585409] kernel BUG at lib/list_debug.c:65!
    [177.545][T2585409] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
    [177.555][T2585409] CPU: 9 PID: 2585409 Comm: kworker/u128:2 Tainted: G W 6.10.0-rc5-kts #1
    [177.568][T2585409] Hardware name: Supermicro SYS-520P-WTR/X12SPW-TF, BIOS 1.2 02/14/2022
    [177.579][T2585409] Workqueue: events_unbound btrfs_reclaim_bgs_work[btrfs]
    [177.589][T2585409] RIP: 0010:__list_del_entry_valid_or_report.cold+0x70/0x72
    [177.624][T2585409] RSP: 0018:ff11000377e87a70 EFLAGS: 00010286
    [177.633][T2585409] RAX: 000000000000006d RBX: ff11000344b119c0 RCX:0000000000000000
    [177.644][T2585409] RDX: 000000000000006d RSI: 0000000000000008 RDI:ffe21c006efd0f40
    [177.655][T2585409] RBP: ff110002e0509f78 R08: 0000000000000001 R09:ffe21c006efd0f08
    [177.665][T2585409] R10: ff11000377e87847 R11: 0000000000000000 R12:ff110002390cd9c0
    [177.676][T2585409] R13: ff11000344b119c0 R14: ff110002e0508000 R15:dffffc0000000000
    [177.687][T2585409] FS: 0000000000000000(0000) GS:ff11000fec880000(0000) knlGS:0000000000000000
    [177.700][T2585409] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [177.709][T2585409] CR2: 00007f06bc7b1978 CR3: 0000001021e86005 CR4:0000000000771ef0
    [177.720][T2585409] DR0: 0000000000000000 DR1: 0000000000000000 DR2:0000000000000000
    [177.731][T2585409] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:0000000000000400
    [177.742][T2585409] PKRU: 55555554
    [177.748][T2585409] Call Trace:
    [177.753][T2585409] <TASK>
    [177.759][T2585409] ? __die_body.cold+0x19/0x27
    [177.766][T2585409] ? die+0x2e/0x50
    [177.772][T2585409] ? do_trap+0x1ea/0x2d0
    [177.779][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72
    [177.788][T2585409] ? do_error_trap+0xa3/0x160
    [177.795][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72
    [177.805][T2585409] ? handle_invalid_op+0x2c/0x40
    [177.812][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72
    [177.820][T2585409] ? exc_invalid_op+0x2d/0x40
    [177.827][T2585409] ? asm_exc_invalid_op+0x1a/0x20
    [177.834][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72
    [177.843][T2585409] btrfs_delete_unused_bgs+0x3d9/0x14c0 [btrfs]

There is a similar retry_list code in btrfs_delete_unused_bgs(), but it is safe, AFAICS. Since the block group was in the unused list, the used bytes should be 0 when it was added to the unused list. Then, it checks block_group->{used,reserved,pinned} are still 0 under the block_group->lock. So, they should be still eligible for the unused list, not the reclaim list.

The reason it is safe there is because we're holding space_info->groups_sem in write mode. That means no other task can allocate from the block group, so while we are at deleted_unused_bgs() it's not possible for other tasks to allocate and deallocate extents from the block group, so it can't be added to the unused list or the reclaim list by anyone else.

The bug can be reproduced by btrfs/166 after a few rounds. In practice this can be hit when relocation cannot find more chunk space and ends with ENOSPC.

AI-Powered Analysis

Last updated: 06/29/2025, 05:11:54 UTC

Technical Analysis

CVE-2024-42103 is a concurrency vulnerability in the Btrfs filesystem implementation within the Linux kernel. The flaw arises from improper synchronization when managing block groups during reclaim and unused list operations. Specifically, the vulnerability involves a race condition between two kernel worker threads executing btrfs_reclaim_bgs_work and btrfs_delete_unused_bgs functions. When a block group is removed from the reclaim list and simultaneously undergoing relocation work, it can be added to the unused list in parallel without proper locking. This parallel addition leads to corruption of the doubly linked list data structures that track block groups, causing list head corruption and kernel crashes. The corruption manifests as list_del corruption errors and kernel BUGs, as observed in the provided kernel logs. The root cause is the missing acquisition of the fs_info->unused_bgs_lock during these operations, which allows concurrent modifications to the same list. The vulnerability can be triggered when Btrfs relocation runs out of chunk space (ENOSPC), causing repeated retries that expose the race condition. The bug is reproducible with specific Btrfs test workloads (e.g., btrfs/166). The issue is fixed by adding the appropriate locking to serialize access to the unused block group list, preventing concurrent additions and ensuring list integrity. This vulnerability affects multiple recent Linux kernel versions as indicated by the affected commit hashes. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.

Potential Impact

For European organizations relying on Linux servers with Btrfs filesystems, this vulnerability poses a risk of kernel crashes and potential denial of service (DoS). Systems performing heavy Btrfs relocation or space management operations may experience instability or unexpected reboots due to list corruption. This can disrupt critical services, data availability, and operational continuity. While the vulnerability does not directly lead to privilege escalation or data leakage, the resulting kernel panics can cause service outages and potential data loss if not properly managed. Organizations using Btrfs for storage in data centers, cloud infrastructure, or embedded systems should be aware of the risk of system instability. The impact is particularly relevant for environments with high filesystem churn or constrained storage space triggering relocation. Given the Linux kernel's widespread use across European enterprises, cloud providers, and public sector infrastructure, the vulnerability could affect a broad range of systems if unpatched. However, exploitation requires specific filesystem conditions and workload patterns, limiting immediate risk. Still, the potential for denial of service and operational disruption warrants prompt mitigation.

Mitigation Recommendations

European organizations should prioritize updating Linux kernels to versions that include the fix for CVE-2024-42103, ensuring the fs_info->unused_bgs_lock is properly applied in Btrfs reclaim and unused list operations. Kernel updates from trusted Linux distributions should be applied promptly. For environments where immediate patching is not feasible, organizations should monitor Btrfs-related kernel logs for signs of list_del corruption or kernel BUG messages indicative of this issue. Reducing filesystem relocation activity by managing free space proactively can help mitigate triggering conditions. Implementing robust kernel crash recovery and system monitoring will minimize downtime impact. For critical systems, consider temporarily migrating data off Btrfs or using alternative filesystems until patched. Additionally, system administrators should review and harden kernel parameters related to Btrfs space management and ensure that workloads do not exhaust chunk space, which triggers the vulnerable code path. Testing kernel updates in staging environments to validate stability before production deployment is recommended.
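The log monitoring recommended above can be scripted. The following is an added example, not code from the kernel project or from this page's publisher: it flags a logging context only when it reports list corruption and also shows one of the two btrfs functions named in this advisory. The function name `find_btrfs_list_corruption` is hypothetical, and the script assumes the `[seconds][Tnnn]` prefix seen in the oops above (without the caller-id field, all lines are treated as one context).

```python
import re
from collections import defaultdict

# Prefix as in the oops above: "[seconds][Tnnn] message"; the caller-id field is optional.
LINE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s*(?:\[\s*(?P<ctx>[TC]\d+)\])?\s*(?P<msg>.*)$")
CORRUPTION = re.compile(r"list_del corruption|kernel BUG at lib/list_debug\.c")
BTRFS_FRAME = re.compile(r"\b(btrfs_reclaim_bgs_work|btrfs_delete_unused_bgs)\b")
RELOC_ERROR = re.compile(r"BTRFS error \(device (?P<dev>[^)]+)\): error relocating chunk")

# First five lines are taken from the oops in the description; the last two are
# constructed to show what must NOT be flagged (no btrfs frame, no corruption).
SAMPLE_LOG = """\
[177.504][T2585409] BTRFS error (device nullb1): error relocating chunk 2415919104
[177.514][T2585409] list_del corruption. next->prev should be ff11000344b119c0, but was ff11000377e87c70. (next=ff110002390cd9c0)
[177.537][T2585409] kernel BUG at lib/list_debug.c:65!
[177.579][T2585409] Workqueue: events_unbound btrfs_reclaim_bgs_work[btrfs]
[177.843][T2585409] btrfs_delete_unused_bgs+0x3d9/0x14c0 [btrfs]
[180.001][T41] list_del corruption. prev->next should be ffff000000000010, but was ffff000000000020.
[181.250][T77] BTRFS info (device sda2): balance: start
"""

def find_btrfs_list_corruption(lines):
    """Flag logging contexts that report list corruption AND show one of the
    btrfs functions named in this advisory; return one finding per context."""
    seen = defaultdict(lambda: {"ts": None, "device": None, "frames": set(), "msgs": []})
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ctx, msg = seen[m["ctx"] or "-"], m["msg"]
        if CORRUPTION.search(msg):
            ctx["msgs"].append(msg)
            if ctx["ts"] is None:
                ctx["ts"] = float(m["ts"])  # time of the first corruption report
        ctx["frames"].update(BTRFS_FRAME.findall(msg))
        reloc = RELOC_ERROR.search(msg)
        if reloc:
            ctx["device"] = reloc["dev"]  # relocation failure that preceded the oops
    return [
        {"context": name, "first_ts": c["ts"], "device": c["device"],
         "frames": sorted(c["frames"]), "messages": c["msgs"]}
        for name, c in seen.items() if c["msgs"] and c["frames"]
    ]

if __name__ == "__main__":
    for finding in find_btrfs_list_corruption(SAMPLE_LOG.splitlines()):
        print(finding)
```

On a live host the same function can be fed the lines of a saved kernel log; a finding whose `device` field is set also records the relocation error that preceded the crash.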


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-07-29T15:50:41.175Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9827c4522896dcbe1a69

Added to database: 5/21/2025, 9:08:55 AM

Last enriched: 6/29/2025, 5:11:54 AM

Last updated: 8/18/2025, 11:25:28 PM
