
CVE-2024-50225: Vulnerability in the Linux kernel

Severity: High
Published: Sat Nov 09 2024 (11/09/2024, 10:14:36 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix error propagation of split bios

The purpose of btrfs_bbio_propagate_error() shall be propagating an error of a split bio to its original btrfs_bio, and tell the error to the upper layer. However, it's not working well in some cases.

* Case 1. Immediate (or quick) end_bio with an error

When btrfs sends a btrfs_bio to mirrored devices, btrfs calls btrfs_bio_end_io() when all the mirroring bios are completed. If that btrfs_bio was split, it is from btrfs_clone_bioset and its end_io function is btrfs_orig_write_end_io. For this case, btrfs_bbio_propagate_error() accesses the orig_bbio's bio context to increase the error count. That works well in most cases. However, if the end_io is called fast enough, orig_bbio's (remaining part after split) bio context may not be properly set at that time. Since the bio context is set when the orig_bbio (the last btrfs_bio) is sent to devices, that might be too late for an earlier split btrfs_bio's completion. That will result in a NULL pointer dereference.

That bug is easily reproducible by running btrfs/146 on zoned devices [1] and it shows the following trace.

[1] You need the raid-stripe-tree feature as it creates a "-d raid0 -m raid1" FS.
BUG: kernel NULL pointer dereference, address: 0000000000000020
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 1 UID: 0 PID: 13 Comm: kworker/u32:1 Not tainted 6.11.0-rc7-BTRFS-ZNS+ #474
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
Workqueue: writeback wb_workfn (flush-btrfs-5)
RIP: 0010:btrfs_bio_end_io+0xae/0xc0 [btrfs]
BTRFS error (device dm-0): bdev /dev/mapper/error-test errs: wr 2, rd 0, flush 0, corrupt 0, gen 0
RSP: 0018:ffffc9000006f248 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888005a7f080 RCX: ffffc9000006f1dc
RDX: 0000000000000000 RSI: 000000000000000a RDI: ffff888005a7f080
RBP: ffff888011dfc540 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff82e508e0 R11: 0000000000000005 R12: ffff88800ddfbe58
R13: ffff888005a7f080 R14: ffff888005a7f158 R15: ffff888005a7f158
FS:  0000000000000000(0000) GS:ffff88803ea80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000020 CR3: 0000000002e22006 CR4: 0000000000370ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ? __die_body.cold+0x19/0x26
 ? page_fault_oops+0x13e/0x2b0
 ? _printk+0x58/0x73
 ? do_user_addr_fault+0x5f/0x750
 ? exc_page_fault+0x76/0x240
 ? asm_exc_page_fault+0x22/0x30
 ? btrfs_bio_end_io+0xae/0xc0 [btrfs]
 ? btrfs_log_dev_io_error+0x7f/0x90 [btrfs]
 btrfs_orig_write_end_io+0x51/0x90 [btrfs]
 dm_submit_bio+0x5c2/0xa50 [dm_mod]
 ? find_held_lock+0x2b/0x80
 ? blk_try_enter_queue+0x90/0x1e0
 __submit_bio+0xe0/0x130
 ? ktime_get+0x10a/0x160
 ? lockdep_hardirqs_on+0x74/0x100
 submit_bio_noacct_nocheck+0x199/0x410
 btrfs_submit_bio+0x7d/0x150 [btrfs]
 btrfs_submit_chunk+0x1a1/0x6d0 [btrfs]
 ? lockdep_hardirqs_on+0x74/0x100
 ? __folio_start_writeback+0x10/0x2c0
 btrfs_submit_bbio+0x1c/0x40 [btrfs]
 submit_one_bio+0x44/0x60 [btrfs]
 submit_extent_folio+0x13f/0x330 [btrfs]
 ? btrfs_set_range_writeback+0xa3/0xd0 [btrfs]
 extent_writepage_io+0x18b/0x360 [btrfs]
 extent_write_locked_range+0x17c/0x340 [btrfs]
 ? __pfx_end_bbio_data_write+0x10/0x10 [btrfs]
 run_delalloc_cow+0x71/0xd0 [btrfs]
 btrfs_run_delalloc_range+0x176/0x500 [btrfs]
 ? find_lock_delalloc_range+0x119/0x260 [btrfs]
 writepage_delalloc+0x2ab/0x480 [btrfs]
 extent_write_cache_pages+0x236/0x7d0 [btrfs]
 btrfs_writepages+0x72/0x130 [btrfs]
 do_writepages+0xd4/0x240
 ? find_held_lock+0x2b/0x80
 ? wbc_attach_and_unlock_inode+0x12c/0x290
 ? wbc_attach_and_unlock_inode+0x12c/0x29
---truncated---

AI-Powered Analysis

Last updated: 06/28/2025, 13:11:13 UTC

Technical Analysis

CVE-2024-50225 is a vulnerability in the Linux kernel's Btrfs filesystem implementation, specifically in the error propagation of split block I/O (bio) operations. Btrfs splits bios for mirrored devices and propagates errors from the split bios back to the original bio structure; the function btrfs_bbio_propagate_error() is responsible for this propagation. Under certain timing conditions, particularly when the end_io callback is invoked very quickly, the bio context of the original bio (orig_bbio) may not yet be initialized, because that context is only set when the last btrfs_bio is sent to the devices. The function then dereferences a NULL pointer when it tries to increment the error count on that context, and the kernel crashes. The bug is reproducible on zoned block devices with the raid-stripe-tree feature enabled (e.g., a Btrfs filesystem created with the "-d raid0 -m raid1" options). The kernel oops trace shows the crash in btrfs_bio_end_io, reached from btrfs_orig_write_end_io, triggered by a split bio completing before the orig_bbio's context is set. The effect is system instability and crashes, i.e. a denial of service on affected systems. No exploits are known in the wild and no CVSS score has been assigned. The issue was fixed by correcting the timing and error propagation logic in the Btrfs code so that the bio context is valid before it is accessed.

Potential Impact

For European organizations relying on Linux systems with Btrfs filesystems, especially those using advanced storage configurations like RAID0/RAID1 on zoned block devices, this vulnerability poses a risk of kernel crashes and system instability. Such crashes could lead to denial of service, disrupting critical services and operations. Organizations using Btrfs for data storage, backups, or container storage on Linux servers may experience unexpected downtime or data unavailability. While this vulnerability does not directly lead to privilege escalation or data corruption, the resulting system crashes could impact availability and operational continuity. In environments with high availability requirements, such as financial institutions, healthcare providers, or industrial control systems in Europe, the risk of service disruption is significant. Additionally, the complexity of reproducing the bug on specific hardware configurations means some organizations may be unaware of their exposure until a crash occurs. The lack of known exploits reduces immediate risk, but the vulnerability should be addressed promptly to avoid potential exploitation or accidental triggering.

Mitigation Recommendations

1. Apply the latest Linux kernel patches that address CVE-2024-50225 as soon as they become available from trusted Linux distributions or kernel maintainers.
2. For organizations using Btrfs on zoned block devices with RAID0/RAID1 configurations, consider temporarily migrating critical data to alternative filesystems or storage configurations until patches are applied.
3. Monitor kernel logs and system stability closely for signs of btrfs-related crashes or oops messages indicating NULL pointer dereferences.
4. Implement robust backup and recovery procedures to mitigate potential data availability issues caused by unexpected crashes.
5. In virtualized or containerized environments, isolate workloads using Btrfs to minimize impact scope in case of crashes.
6. Engage with Linux distribution vendors to confirm patch availability and deployment timelines.
7. Avoid running unpatched kernels in production environments where Btrfs on zoned devices is in use.
8. Conduct testing in staging environments to verify that patches resolve the issue without introducing regressions.
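Recommendation 3 above asks for kernel-log monitoring. The following Python script is an added example, not part of this record or of the kernel project's code: it parses dmesg-style lines and flags NULL-pointer oopses whose RIP or call trace passes through btrfs_bio_end_io or btrfs_orig_write_end_io, the functions named in the trace quoted in the description. The sample log lines are constructed and modelled on that trace; only the symbol names and fault address are taken from the page.

```python
import re

# Constructed sample kernel log, modelled on the oops trace quoted in the CVE
# description above; it is not a real capture.
SAMPLE_DMESG = """\
[  120.301] BTRFS info (device dm-0): using crc32c (crc32c-intel) checksum algorithm
[  130.118] BUG: kernel NULL pointer dereference, address: 0000000000000020
[  130.119] Oops: Oops: 0000 [#1] PREEMPT SMP PTI
[  130.120] RIP: 0010:btrfs_bio_end_io+0xae/0xc0 [btrfs]
[  130.121] Call Trace:
[  130.122]  btrfs_orig_write_end_io+0x51/0x90 [btrfs]
[  130.123]  dm_submit_bio+0x5c2/0xa50 [dm_mod]
[  200.001] usb 1-1: new high-speed USB device number 2
[  300.500] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  300.501] RIP: 0010:some_other_driver_fn+0x10/0x40 [other]
"""

OOPS_RE = re.compile(r"BUG: kernel NULL pointer dereference, address: (?P<addr>[0-9a-f]+)")
RIP_RE = re.compile(r"RIP: \w+:(?P<sym>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Call-trace frame inside the btrfs module, with or without a dmesg timestamp and "? " prefix.
FRAME_RE = re.compile(r"^(?:\[[^\]]*\])?\s*(?:\?\s+)?(?P<sym>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ \[btrfs\]")
# Functions named in the CVE's oops trace; any of them in RIP or the trace marks a hit.
BTRFS_BIO_SYMS = {"btrfs_bio_end_io", "btrfs_orig_write_end_io"}

def parse_oopses(log_text):
    """Split a kernel log into NULL-pointer oops records: fault address, RIP symbol, btrfs frames."""
    records, current = [], None
    for line in log_text.splitlines():
        m = OOPS_RE.search(line)
        if m:  # a new oops starts; following lines belong to it until the next one
            current = {"address": m.group("addr"), "rip": None, "btrfs_frames": []}
            records.append(current)
        elif current is not None and (m := RIP_RE.search(line)):
            current["rip"] = m.group("sym")
        elif current is not None and (m := FRAME_RE.match(line)):
            current["btrfs_frames"].append(m.group("sym"))
    return records

def find_btrfs_bio_crashes(log_text):
    """Keep only oopses whose RIP or call trace passes through the btrfs bio end_io path."""
    hits = []
    for rec in parse_oopses(log_text):
        if {rec["rip"], *rec["btrfs_frames"]} & BTRFS_BIO_SYMS:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for hit in find_btrfs_bio_crashes(SAMPLE_DMESG):
        print(f"btrfs bio oops: RIP={hit['rip']} addr=0x{hit['address']} frames={hit['btrfs_frames']}")
```

On a real host, feed the script the output of `dmesg` or `journalctl -k` instead of SAMPLE_DMESG; an unrelated oops (the second one in the sample) is parsed but not reported.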


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-10-21T19:36:19.973Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9824c4522896dcbdf5b9

Added to database: 5/21/2025, 9:08:52 AM

Last enriched: 6/28/2025, 1:11:13 PM

Last updated: 7/27/2025, 9:37:37 AM

