CVE-2024-56758: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: btrfs: check folio mapping after unlock in relocate_one_folio() When we call btrfs_read_folio() to bring a folio uptodate, we unlock the folio. The result of that is that a different thread can modify the mapping (like remove it with invalidate) before we call folio_lock(). This results in an invalid page and we need to try again. In particular, if we are relocating concurrently with aborting a transaction, this can result in a crash like the following: BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: 0000 [#1] SMP CPU: 76 PID: 1411631 Comm: kworker/u322:5 Workqueue: events_unbound btrfs_reclaim_bgs_work RIP: 0010:set_page_extent_mapped+0x20/0xb0 RSP: 0018:ffffc900516a7be8 EFLAGS: 00010246 RAX: ffffea009e851d08 RBX: ffffea009e0b1880 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffc900516a7b90 RDI: ffffea009e0b1880 RBP: 0000000003573000 R08: 0000000000000001 R09: ffff88c07fd2f3f0 R10: 0000000000000000 R11: 0000194754b575be R12: 0000000003572000 R13: 0000000003572fff R14: 0000000000100cca R15: 0000000005582fff FS: 0000000000000000(0000) GS:ffff88c07fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000407d00f002 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __die+0x78/0xc0 ? page_fault_oops+0x2a8/0x3a0 ? __switch_to+0x133/0x530 ? wq_worker_running+0xa/0x40 ? exc_page_fault+0x63/0x130 ? asm_exc_page_fault+0x22/0x30 ? set_page_extent_mapped+0x20/0xb0 relocate_file_extent_cluster+0x1a7/0x940 relocate_data_extent+0xaf/0x120 relocate_block_group+0x20f/0x480 btrfs_relocate_block_group+0x152/0x320 btrfs_relocate_chunk+0x3d/0x120 btrfs_reclaim_bgs_work+0x2ae/0x4e0 process_scheduled_works+0x184/0x370 worker_thread+0xc6/0x3e0 ? blk_add_timer+0xb0/0xb0 kthread+0xae/0xe0 ? flush_tlb_kernel_range+0x90/0x90 ret_from_fork+0x2f/0x40 ? flush_tlb_kernel_range+0x90/0x90 ret_from_fork_asm+0x11/0x20 </TASK> This occurs because cleanup_one_transaction() calls destroy_delalloc_inodes() which calls invalidate_inode_pages2() which takes the folio_lock before setting mapping to NULL. We fail to check this, and subsequently call set_extent_mapping(), which assumes that mapping != NULL (in fact it asserts that in debug mode) Note that the "fixes" patch here is not the one that introduced the race (the very first iteration of this code from 2009) but a more recent change that made this particular crash happen in practice.
AI Analysis
Technical Summary
CVE-2024-56758 is a vulnerability identified in the Linux kernel's Btrfs filesystem implementation, specifically within the function relocate_one_folio(). The issue arises due to a race condition involving folio locking and mapping validation during concurrent operations. When btrfs_read_folio() is called to update a folio, it unlocks the folio before reacquiring the lock. This unlock allows other threads to modify or invalidate the folio's mapping concurrently. If a thread modifies the mapping (such as removing it via invalidate_inode_pages2()) before the folio_lock() is reacquired, subsequent operations assume the mapping is valid when it is actually NULL. This leads to a NULL pointer dereference and kernel crash, as demonstrated by the provided kernel oops trace. The race condition is particularly triggered when relocating data extents concurrently with aborting a transaction, where cleanup_one_transaction() calls destroy_delalloc_inodes(), which in turn invalidates inode pages and sets the mapping to NULL while holding the folio_lock. The vulnerable code fails to verify the mapping's validity after reacquiring the lock, resulting in a crash in set_page_extent_mapped(). This vulnerability stems from a long-standing race condition introduced in 2009 but only recently causing practical crashes due to code changes. The flaw affects multiple Linux kernel versions identified by specific commit hashes. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The vulnerability impacts system stability and availability by causing kernel panics and crashes during filesystem operations on Btrfs volumes.
Potential Impact
For European organizations relying on Linux systems with Btrfs filesystems, this vulnerability poses a risk of system crashes and unplanned downtime. Critical infrastructure, cloud service providers, and enterprises using Btrfs for storage management could experience kernel panics leading to service interruptions. This can affect data availability and operational continuity, especially in environments with high concurrency and frequent filesystem transactions. Although the vulnerability does not directly expose confidentiality or integrity risks, the denial-of-service impact can disrupt business operations and potentially lead to data loss if crashes occur during critical write operations. Organizations with automated transaction aborts or heavy filesystem relocation workloads are at higher risk. The lack of known exploits reduces immediate threat but does not eliminate the risk of future weaponization. European entities with compliance requirements for system availability and reliability must prioritize addressing this issue to maintain operational resilience.
Mitigation Recommendations
Organizations should promptly apply the official Linux kernel patches that address this race condition in the Btrfs codebase. Since the vulnerability involves kernel-level code, updating to a patched kernel version is the most effective mitigation. For environments where immediate patching is challenging, consider temporarily avoiding heavy concurrent Btrfs relocation and transaction abort operations to reduce exposure. Monitoring kernel logs for signs of NULL pointer dereferences or oops events related to Btrfs can help detect exploitation attempts or crashes. Additionally, implementing robust backup and recovery procedures will mitigate the impact of potential data loss from crashes. System administrators should also audit and limit concurrent filesystem operations that trigger the race condition. Employing kernel live patching solutions where available can reduce downtime during patch deployment. Finally, maintain awareness of updates from Linux kernel maintainers and security advisories to respond swiftly to any emerging exploit reports.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Italy, Spain
CVE-2024-56758: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: check folio mapping after unlock in relocate_one_folio() When we call btrfs_read_folio() to bring a folio uptodate, we unlock the folio. The result of that is that a different thread can modify the mapping (like remove it with invalidate) before we call folio_lock(). This results in an invalid page and we need to try again. In particular, if we are relocating concurrently with aborting a transaction, this can result in a crash like the following: BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: 0000 [#1] SMP CPU: 76 PID: 1411631 Comm: kworker/u322:5 Workqueue: events_unbound btrfs_reclaim_bgs_work RIP: 0010:set_page_extent_mapped+0x20/0xb0 RSP: 0018:ffffc900516a7be8 EFLAGS: 00010246 RAX: ffffea009e851d08 RBX: ffffea009e0b1880 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffc900516a7b90 RDI: ffffea009e0b1880 RBP: 0000000003573000 R08: 0000000000000001 R09: ffff88c07fd2f3f0 R10: 0000000000000000 R11: 0000194754b575be R12: 0000000003572000 R13: 0000000003572fff R14: 0000000000100cca R15: 0000000005582fff FS: 0000000000000000(0000) GS:ffff88c07fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000407d00f002 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __die+0x78/0xc0 ? page_fault_oops+0x2a8/0x3a0 ? __switch_to+0x133/0x530 ? wq_worker_running+0xa/0x40 ? exc_page_fault+0x63/0x130 ? asm_exc_page_fault+0x22/0x30 ? set_page_extent_mapped+0x20/0xb0 relocate_file_extent_cluster+0x1a7/0x940 relocate_data_extent+0xaf/0x120 relocate_block_group+0x20f/0x480 btrfs_relocate_block_group+0x152/0x320 btrfs_relocate_chunk+0x3d/0x120 btrfs_reclaim_bgs_work+0x2ae/0x4e0 process_scheduled_works+0x184/0x370 worker_thread+0xc6/0x3e0 ? blk_add_timer+0xb0/0xb0 kthread+0xae/0xe0 ? flush_tlb_kernel_range+0x90/0x90 ret_from_fork+0x2f/0x40 ? flush_tlb_kernel_range+0x90/0x90 ret_from_fork_asm+0x11/0x20 </TASK> This occurs because cleanup_one_transaction() calls destroy_delalloc_inodes() which calls invalidate_inode_pages2() which takes the folio_lock before setting mapping to NULL. We fail to check this, and subsequently call set_extent_mapping(), which assumes that mapping != NULL (in fact it asserts that in debug mode) Note that the "fixes" patch here is not the one that introduced the race (the very first iteration of this code from 2009) but a more recent change that made this particular crash happen in practice.
AI-Powered Analysis
Technical Analysis
CVE-2024-56758 is a vulnerability identified in the Linux kernel's Btrfs filesystem implementation, specifically within the function relocate_one_folio(). The issue arises due to a race condition involving folio locking and mapping validation during concurrent operations. When btrfs_read_folio() is called to update a folio, it unlocks the folio before reacquiring the lock. This unlock allows other threads to modify or invalidate the folio's mapping concurrently. If a thread modifies the mapping (such as removing it via invalidate_inode_pages2()) before the folio_lock() is reacquired, subsequent operations assume the mapping is valid when it is actually NULL. This leads to a NULL pointer dereference and kernel crash, as demonstrated by the provided kernel oops trace. The race condition is particularly triggered when relocating data extents concurrently with aborting a transaction, where cleanup_one_transaction() calls destroy_delalloc_inodes(), which in turn invalidates inode pages and sets the mapping to NULL while holding the folio_lock. The vulnerable code fails to verify the mapping's validity after reacquiring the lock, resulting in a crash in set_page_extent_mapped(). This vulnerability stems from a long-standing race condition introduced in 2009 but only recently causing practical crashes due to code changes. The flaw affects multiple Linux kernel versions identified by specific commit hashes. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The vulnerability impacts system stability and availability by causing kernel panics and crashes during filesystem operations on Btrfs volumes.
Potential Impact
For European organizations relying on Linux systems with Btrfs filesystems, this vulnerability poses a risk of system crashes and unplanned downtime. Critical infrastructure, cloud service providers, and enterprises using Btrfs for storage management could experience kernel panics leading to service interruptions. This can affect data availability and operational continuity, especially in environments with high concurrency and frequent filesystem transactions. Although the vulnerability does not directly expose confidentiality or integrity risks, the denial-of-service impact can disrupt business operations and potentially lead to data loss if crashes occur during critical write operations. Organizations with automated transaction aborts or heavy filesystem relocation workloads are at higher risk. The lack of known exploits reduces immediate threat but does not eliminate the risk of future weaponization. European entities with compliance requirements for system availability and reliability must prioritize addressing this issue to maintain operational resilience.
Mitigation Recommendations
Organizations should promptly apply the official Linux kernel patches that address this race condition in the Btrfs codebase. Since the vulnerability involves kernel-level code, updating to a patched kernel version is the most effective mitigation. For environments where immediate patching is challenging, consider temporarily avoiding heavy concurrent Btrfs relocation and transaction abort operations to reduce exposure. Monitoring kernel logs for signs of NULL pointer dereferences or oops events related to Btrfs can help detect exploitation attempts or crashes. Additionally, implementing robust backup and recovery procedures will mitigate the impact of potential data loss from crashes. System administrators should also audit and limit concurrent filesystem operations that trigger the race condition. Employing kernel live patching solutions where available can reduce downtime during patch deployment. Finally, maintain awareness of updates from Linux kernel maintainers and security advisories to respond swiftly to any emerging exploit reports.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-12-29T11:26:39.761Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9820c4522896dcbdd192
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 7/7/2025, 4:11:52 AM
Last updated: 7/28/2025, 10:32:08 PM
Views: 12
Related Threats
CVE-2025-8985: SQL Injection in SourceCodester COVID 19 Testing Management System
MediumCVE-2025-8984: SQL Injection in itsourcecode Online Tour and Travel Management System
MediumCVE-2025-8983: SQL Injection in itsourcecode Online Tour and Travel Management System
MediumCVE-2025-8982: SQL Injection in itsourcecode Online Tour and Travel Management System
MediumCVE-2025-8981: SQL Injection in itsourcecode Online Tour and Travel Management System
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.