CVE-2024-57806: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix transaction atomicity bug when enabling simple quotas

Set squota incompat bit before committing the transaction that enables the feature.

With the config CONFIG_BTRFS_ASSERT enabled, an assertion failure occurs regarding the simple quota feature.

    [5.596534] assertion failed: btrfs_fs_incompat(fs_info, SIMPLE_QUOTA), in fs/btrfs/qgroup.c:365
    [5.597098] ------------[ cut here ]------------
    [5.597371] kernel BUG at fs/btrfs/qgroup.c:365!
    [5.597946] CPU: 1 UID: 0 PID: 268 Comm: mount Not tainted 6.13.0-rc2-00031-gf92f4749861b #146
    [5.598450] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
    [5.599008] RIP: 0010:btrfs_read_qgroup_config+0x74d/0x7a0
    [5.604303] <TASK>
    [5.605230] ? btrfs_read_qgroup_config+0x74d/0x7a0
    [5.605538] ? exc_invalid_op+0x56/0x70
    [5.605775] ? btrfs_read_qgroup_config+0x74d/0x7a0
    [5.606066] ? asm_exc_invalid_op+0x1f/0x30
    [5.606441] ? btrfs_read_qgroup_config+0x74d/0x7a0
    [5.606741] ? btrfs_read_qgroup_config+0x74d/0x7a0
    [5.607038] ? try_to_wake_up+0x317/0x760
    [5.607286] open_ctree+0xd9c/0x1710
    [5.607509] btrfs_get_tree+0x58a/0x7e0
    [5.608002] vfs_get_tree+0x2e/0x100
    [5.608224] fc_mount+0x16/0x60
    [5.608420] btrfs_get_tree+0x2f8/0x7e0
    [5.608897] vfs_get_tree+0x2e/0x100
    [5.609121] path_mount+0x4c8/0xbc0
    [5.609538] __x64_sys_mount+0x10d/0x150

The issue can be easily reproduced using the following reproducer:

    root@q:linux# cat repro.sh
    set -e

    mkfs.btrfs -q -f /dev/sdb
    mount /dev/sdb /mnt/btrfs
    btrfs quota enable -s /mnt/btrfs
    umount /mnt/btrfs
    mount /dev/sdb /mnt/btrfs

The issue is that when enabling quotas, at btrfs_quota_enable(), we set BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE at fs_info->qgroup_flags and persist it in the quota root in the item with the key BTRFS_QGROUP_STATUS_KEY, but we only set the incompat bit BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA after we commit the transaction used to enable simple quotas.

This means that if after that transaction commit we unmount the filesystem without starting and committing any other transaction, or we have a power failure, the next time we mount the filesystem we will find the flag BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE set in the item with the key BTRFS_QGROUP_STATUS_KEY but we will not find the incompat bit BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA set in the superblock, triggering an assertion failure at:

    btrfs_read_qgroup_config() -> qgroup_read_enable_gen()

To fix this issue, set the BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA flag immediately after setting the BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE. This ensures that both flags are flushed to disk within the same transaction.
AI Analysis
Technical Summary
CVE-2024-57806 is a vulnerability in the Linux kernel's Btrfs filesystem implementation related to the handling of simple quota feature activation. Btrfs (B-tree filesystem) supports quota groups (qgroups) to limit disk usage per subvolume or directory. The vulnerability arises from a transaction atomicity bug when enabling simple quotas. Specifically, btrfs_quota_enable() sets the BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE flag and persists it in the quota root item with the transaction that enables the feature, but sets the corresponding incompatibility feature bit BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA only after that transaction has committed, so the bit reaches the superblock on disk only if a later transaction commits. If the filesystem is unmounted, or the system loses power, after the enabling transaction commits and before any other transaction is started and committed, the filesystem is left in an inconsistent on-disk state. On the next mount, the kernel finds the simple mode flag without the expected incompatibility bit. On kernels built with CONFIG_BTRFS_ASSERT, this triggers an assertion failure and a kernel BUG at fs/btrfs/qgroup.c:365 in the path btrfs_read_qgroup_config() -> qgroup_read_enable_gen(), crashing the kernel during the mount operation. The issue can be reproduced by formatting a device with Btrfs, mounting it, enabling simple quotas (btrfs quota enable -s), unmounting, and remounting without further transactions. The fix sets the incompatibility bit immediately after setting the simple mode flag, so both flags are flushed to disk within the same transaction and the mount-time check holds. The crash log in the description was captured on 6.13.0-rc2; other kernel versions using the affected Btrfs code path with simple quotas enabled are potentially affected as well.
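The ordering problem described above, reduced to a small user-space model. This is an added example, not kernel code and not part of the original advisory; the struct layout, function names and bit positions are assumptions of the model, and only the ordering of "set flag", "set incompat bit" and "commit" mirrors the description.

```c
#include <stdint.h>
#include <stdio.h>

/* Model bits standing in for BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE and
 * BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA; the bit positions are arbitrary. */
#define QSTATUS_SIMPLE_MODE   (1u << 0)
#define INCOMPAT_SIMPLE_QUOTA (1u << 1)

struct state { uint32_t qgroup_flags, incompat; };
struct fs { struct state mem, disk; };

/* A transaction commit persists whatever is in memory at that moment. */
static void commit(struct fs *fs) { fs->disk = fs->mem; }

/* Pre-fix order: the incompat bit is set only after the commit. */
static void enable_squota_buggy(struct fs *fs) {
    fs->mem.qgroup_flags |= QSTATUS_SIMPLE_MODE;
    commit(fs);
    fs->mem.incompat |= INCOMPAT_SIMPLE_QUOTA; /* in memory only */
}

/* Fixed order: both flags are set before the commit. */
static void enable_squota_fixed(struct fs *fs) {
    fs->mem.qgroup_flags |= QSTATUS_SIMPLE_MODE;
    fs->mem.incompat |= INCOMPAT_SIMPLE_QUOTA;
    commit(fs);
}

/* Unmount or power loss discards memory; the next mount sees only disk.
 * Returns 1 if the mount-time check (simple mode implies incompat bit) holds. */
static int remount_ok(struct fs *fs) {
    fs->mem = fs->disk;
    if (!(fs->mem.qgroup_flags & QSTATUS_SIMPLE_MODE))
        return 1;
    return (fs->mem.incompat & INCOMPAT_SIMPLE_QUOTA) != 0;
}

/* later_commit models another transaction committing before the unmount. */
int scenario(int fixed, int later_commit) {
    struct fs fs = {0};
    if (fixed) enable_squota_fixed(&fs); else enable_squota_buggy(&fs);
    if (later_commit) commit(&fs);
    return remount_ok(&fs);
}

int main(void) {
    printf("buggy, remount right away: %s\n", scenario(0, 0) ? "ok" : "assertion would fail");
    printf("buggy, later commit first: %s\n", scenario(0, 1) ? "ok" : "assertion would fail");
    printf("fixed, remount right away: %s\n", scenario(1, 0) ? "ok" : "assertion would fail");
    return 0;
}
```

The second scenario shows why the bug is easy to miss: any later transaction commit persists the incompat bit and hides the inconsistency.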
Potential Impact
For European organizations relying on Linux systems with Btrfs filesystems and quota management enabled, this vulnerability can lead to unexpected kernel panics or system crashes during filesystem mount operations. This disrupts availability of critical services and data access, especially in environments using Btrfs for storage management such as cloud infrastructure, virtualization hosts, or enterprise servers. The inability to mount affected filesystems without triggering a kernel BUG could result in downtime, data recovery efforts, and operational delays. Systems with automated reboot or recovery may enter crash loops or require manual intervention. Although no direct data corruption or privilege escalation is indicated, the denial of service impact on storage availability is significant. Organizations with high-availability requirements or those using Btrfs quotas for resource control must prioritize patching to avoid service interruptions. The lack of known exploits in the wild reduces immediate risk, but the reproducibility of the issue and its impact on system stability warrant urgent mitigation.
Mitigation Recommendations
1. Apply the official Linux kernel patch that addresses CVE-2024-57806 as soon as it becomes available, ensuring the incompatibility bit is set atomically with the simple quota flag.
2. Until patched, avoid enabling simple quotas on Btrfs filesystems or refrain from unmounting and remounting filesystems immediately after enabling quotas to reduce exposure.
3. Implement robust backup and recovery procedures for Btrfs volumes to mitigate potential data unavailability from mount failures.
4. Monitor kernel logs for assertion failures or BUG messages related to btrfs_read_qgroup_config to detect attempts to mount affected filesystems.
5. For critical systems, consider temporarily disabling quota features or migrating data to alternative filesystems if patching is delayed.
6. Incorporate filesystem integrity checks and mount testing in maintenance windows to detect and remediate issues proactively.
7. Coordinate with Linux distribution vendors for timely kernel updates and security advisories.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Norway, Poland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-01-11T12:32:49.322Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9822c4522896dcbde88e
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 6/28/2025, 8:11:57 AM
Last updated: 8/15/2025, 2:50:14 PM