
CVE-2024-49932: Vulnerability in the Linux kernel

Severity: High
Published: Mon Oct 21 2024 (10/21/2024, 18:01:54 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: don't readahead the relocation inode on RST

On relocation we're doing readahead on the relocation inode, but if the filesystem is backed by a RAID stripe tree we can get ENOENT (e.g. due to preallocated extents not being mapped in the RST) from the lookup. But readahead doesn't handle the error and submits invalid reads to the device, causing an assertion in the scatter-gather list code:

    BTRFS info (device nvme1n1): balance: start -d -m -s
    BTRFS info (device nvme1n1): relocating block group 6480920576 flags data|raid0
    BTRFS error (device nvme1n1): cannot find raid-stripe for logical [6481928192, 6481969152] devid 2, profile raid0
    ------------[ cut here ]------------
    kernel BUG at include/linux/scatterlist.h:115!
    Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI
    CPU: 0 PID: 1012 Comm: btrfs Not tainted 6.10.0-rc7+ #567
    RIP: 0010:__blk_rq_map_sg+0x339/0x4a0
    RSP: 0018:ffffc90001a43820 EFLAGS: 00010202
    RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffea00045d4802
    RDX: 0000000117520000 RSI: 0000000000000000 RDI: ffff8881027d1000
    RBP: 0000000000003000 R08: ffffea00045d4902 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000001000 R12: ffff8881003d10b8
    R13: ffffc90001a438f0 R14: 0000000000000000 R15: 0000000000003000
    FS:  00007fcc048a6900(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000000002cd11000 CR3: 00000001109ea001 CR4: 0000000000370eb0
    Call Trace:
     <TASK>
     ? __die_body.cold+0x14/0x25
     ? die+0x2e/0x50
     ? do_trap+0xca/0x110
     ? do_error_trap+0x65/0x80
     ? __blk_rq_map_sg+0x339/0x4a0
     ? exc_invalid_op+0x50/0x70
     ? __blk_rq_map_sg+0x339/0x4a0
     ? asm_exc_invalid_op+0x1a/0x20
     ? __blk_rq_map_sg+0x339/0x4a0
     nvme_prep_rq.part.0+0x9d/0x770
     nvme_queue_rq+0x7d/0x1e0
     __blk_mq_issue_directly+0x2a/0x90
     ? blk_mq_get_budget_and_tag+0x61/0x90
     blk_mq_try_issue_list_directly+0x56/0xf0
     blk_mq_flush_plug_list.part.0+0x52b/0x5d0
     __blk_flush_plug+0xc6/0x110
     blk_finish_plug+0x28/0x40
     read_pages+0x160/0x1c0
     page_cache_ra_unbounded+0x109/0x180
     relocate_file_extent_cluster+0x611/0x6a0
     ? btrfs_search_slot+0xba4/0xd20
     ? balance_dirty_pages_ratelimited_flags+0x26/0xb00
     relocate_data_extent.constprop.0+0x134/0x160
     relocate_block_group+0x3f2/0x500
     btrfs_relocate_block_group+0x250/0x430
     btrfs_relocate_chunk+0x3f/0x130
     btrfs_balance+0x71b/0xef0
     ? kmalloc_trace_noprof+0x13b/0x280
     btrfs_ioctl+0x2c2e/0x3030
     ? kvfree_call_rcu+0x1e6/0x340
     ? list_lru_add_obj+0x66/0x80
     ? mntput_no_expire+0x3a/0x220
     __x64_sys_ioctl+0x96/0xc0
     do_syscall_64+0x54/0x110
     entry_SYSCALL_64_after_hwframe+0x76/0x7e
    RIP: 0033:0x7fcc04514f9b
    Code: Unable to access opcode bytes at 0x7fcc04514f71.
    RSP: 002b:00007ffeba923370 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
    RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fcc04514f9b
    RDX: 00007ffeba923460 RSI: 00000000c4009420 RDI: 0000000000000003
    RBP: 0000000000000000 R08: 0000000000000013 R09: 0000000000000001
    R10: 00007fcc043fbba8 R11: 0000000000000246 R12: 00007ffeba924fc5
    R13: 00007ffeba923460 R14: 0000000000000002 R15: 00000000004d4bb0
     </TASK>
    Modules linked in:
    ---[ end trace 0000000000000000 ]---
    RIP: 0010:__blk_rq_map_sg+0x339/0x4a0
    RSP: 0018:ffffc90001a43820 EFLAGS: 00010202
    RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffea00045d4802
    RDX: 0000000117520000 RSI: 0000000000000000 RDI: ffff8881027d1000
    RBP: 0000000000003000 R08: ffffea00045d4902 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000001000 R12: ffff8881003d10b8
    R13: ffffc90001a438f0 R14: 0000000000000000 R15: 0000000000003000
    FS:  00007fcc048a6900(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007fcc04514f71 CR3: 00000001109ea001 CR4: 0000000000370eb0
    Kernel p ---truncated---

AI-Powered Analysis

Last updated: 06/28/2025, 21:54:45 UTC

Technical Analysis

CVE-2024-49932 is a vulnerability in the Linux kernel's Btrfs filesystem, specifically in the readahead of the relocation inode during block group relocation on filesystems backed by a RAID stripe tree (RST). During relocation the kernel performs readahead on the relocation inode. When the filesystem uses a RAID stripe profile, some preallocated extents may not be mapped in the RST, so the stripe lookup fails with ENOENT (No such file or directory). The readahead path does not handle this error and submits invalid read requests to the underlying device, which trips an assertion in the scatter-gather list code and results in a kernel BUG and system crash (kernel panic).

The vulnerability therefore manifests as a denial-of-service (DoS) condition: the kernel BUG fires when the invalid reads reach the block layer during block relocation. The kernel oops quoted in the description shows the failure in __blk_rq_map_sg, the function that maps block requests onto scatter-gather lists. The bug affects Linux kernel versions including the 6.10.0-rc7+ release candidate and likely other versions with the same Btrfs and RAID0 support. It is triggered during Btrfs balance operations that relocate block groups with a RAID0 profile, a profile used to stripe data across multiple devices for performance.

No known exploits are reported in the wild as of the publication date. The issue is specific to Btrfs configurations that use RAID stripe trees, which makes triggering it more complex and environment-dependent. The impact is nevertheless significant, because it crashes the kernel and interrupts service on affected systems.

Potential Impact

For European organizations, the impact of CVE-2024-49932 can be substantial, particularly for those running Linux servers with Btrfs filesystems configured with RAID stripe profiles (e.g., RAID0). Such configurations are common in high-performance storage environments, including data centers, cloud service providers, and enterprises managing large-scale storage arrays. A successful trigger of this vulnerability results in a kernel panic, causing immediate denial of service and potential data unavailability. This can disrupt critical business operations, especially in sectors like finance, healthcare, telecommunications, and government services where uptime and data integrity are paramount. Additionally, repeated crashes may lead to data corruption or loss if not properly managed.

The vulnerability does not appear to allow privilege escalation or remote code execution directly, but it can be triggered locally or via automated maintenance tasks (such as Btrfs balance) that are scheduled or run by system administrators or automated systems. Because no user interaction is required, once the vulnerable configuration is present the risk of accidental or malicious triggering exists. European organizations with strict regulatory requirements for data availability and integrity (e.g., GDPR mandates) may face compliance risks if service disruptions occur, and organizations using Linux-based infrastructure for critical services must consider the operational risks posed by this vulnerability.

Mitigation Recommendations

To mitigate CVE-2024-49932, European organizations should take the following specific actions:

1) Apply the latest Linux kernel patches that address this vulnerability as soon as they become available from trusted sources or Linux distributions. Monitoring vendor advisories and kernel mailing lists is essential.
2) Review and audit Btrfs filesystem configurations to identify the use of RAID stripe profiles, particularly RAID0, and assess the necessity of such configurations. Where possible, avoid or limit the use of RAID0 with Btrfs until patched.
3) Implement robust monitoring of system logs and kernel oops messages to detect early signs of this issue, enabling proactive intervention before service disruption.
4) Schedule Btrfs balance operations during maintenance windows with proper backups in place to minimize impact if a crash occurs.
5) Maintain comprehensive backups and disaster recovery plans for systems using Btrfs with RAID profiles to ensure data availability in case of kernel panics or data corruption.
6) Consider alternative filesystems or RAID configurations if Btrfs RAID0 is not critical, to reduce exposure.
7) Limit access to systems capable of triggering this vulnerability to trusted administrators to reduce the risk of accidental or malicious exploitation.

These mitigations go beyond generic advice by focusing on configuration auditing, operational procedures, and proactive monitoring tailored to the nature of this vulnerability.
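As an added example (not part of this advisory or of the kernel project), a small Python scanner that applies the log-monitoring recommendation above: it reads kernel log text (for instance the output of dmesg or journalctl -k) and flags the exact signature quoted in the description, an unmapped raid-stripe lookup during a balance followed by the scatter-gather BUG. The sample log lines and the second device sdb are constructed for the example.

```python
import re

# Patterns lifted from the BTRFS messages and oops quoted in the CVE description.
RE_BALANCE = re.compile(r"BTRFS info \(device (\S+)\): balance: start")
RE_RELOC = re.compile(r"BTRFS info \(device (\S+)\): relocating block group (\d+) flags (\S+)")
RE_RST_MISS = re.compile(r"BTRFS error \(device (\S+)\): cannot find raid-stripe for logical "
                         r"\[(\d+), (\d+)\] devid \d+, profile (\S+)")
RE_SG_BUG = re.compile(r"kernel BUG at include/linux/scatterlist\.h:\d+!")
RE_RIP = re.compile(r"RIP: 0010:__blk_rq_map_sg\+")

def scan_kernel_log(text):
    """Return one finding per unmapped raid-stripe lookup in kernel log text.
    Each finding records the device, whether a balance was running, the block group
    and flags being relocated, the RAID profile, and whether the sg BUG followed."""
    findings = []
    balancing = set()   # devices with a balance in progress
    reloc = {}          # device -> (block group, flags) of the current relocation
    for line in text.splitlines():
        if m := RE_BALANCE.search(line):
            balancing.add(m.group(1))
        elif m := RE_RELOC.search(line):
            reloc[m.group(1)] = (m.group(2), m.group(3))
        elif m := RE_RST_MISS.search(line):
            dev = m.group(1)
            bg, flags = reloc.get(dev, (None, None))
            findings.append({"device": dev, "during_balance": dev in balancing,
                             "block_group": bg, "flags": flags,
                             "logical_range": (int(m.group(2)), int(m.group(3))),
                             "profile": m.group(4), "crashed": False})
        elif findings and (RE_SG_BUG.search(line) or RE_RIP.search(line)):
            # Both the BUG() site and the faulting RIP point at the sg mapping
            # code; attribute them to the most recent lookup failure.
            findings[-1]["crashed"] = True
    return findings

# Constructed sample: the log lines from the CVE description for nvme1n1, plus a
# balance on a second (hypothetical) device sdb that relocated without error.
SAMPLE_LOG = """\
BTRFS info (device sdb): balance: start -d
BTRFS info (device sdb): relocating block group 1073741824 flags data
BTRFS info (device nvme1n1): balance: start -d -m -s
BTRFS info (device nvme1n1): relocating block group 6480920576 flags data|raid0
BTRFS error (device nvme1n1): cannot find raid-stripe for logical [6481928192, 6481969152] devid 2, profile raid0
------------[ cut here ]------------
kernel BUG at include/linux/scatterlist.h:115!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI
RIP: 0010:__blk_rq_map_sg+0x339/0x4a0
"""
```

A finding with crashed set to False (the lookup error without the BUG) is still worth an alert: it shows the vulnerable configuration is in use and a balance has already hit an unmapped stripe.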


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-10-21T12:17:06.040Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9826c4522896dcbe0a4a

Added to database: 5/21/2025, 9:08:54 AM

Last enriched: 6/28/2025, 9:54:45 PM

Last updated: 7/31/2025, 4:32:18 PM

Views: 14
