
CVE-2024-57975: Vulnerability in Linux (Linux kernel)

High
Tags: Vulnerability, cve, CVE-2024-57975
Published: Thu Feb 27 2025 (02/27/2025, 02:07:03 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: do proper folio cleanup when run_delalloc_nocow() failed

[BUG]
With CONFIG_DEBUG_VM set, test case generic/476 has some chance to crash
with the following VM_BUG_ON_FOLIO():

  BTRFS error (device dm-3): cow_file_range failed, start 1146880 end 1253375 len 106496 ret -28
  BTRFS error (device dm-3): run_delalloc_nocow failed, start 1146880 end 1253375 len 106496 ret -28
  page: refcount:4 mapcount:0 mapping:00000000592787cc index:0x12 pfn:0x10664
  aops:btrfs_aops [btrfs] ino:101 dentry name(?):"f1774"
  flags: 0x2fffff80004028(uptodate|lru|private|node=0|zone=2|lastcpupid=0xfffff)
  page dumped because: VM_BUG_ON_FOLIO(!folio_test_locked(folio))
  ------------[ cut here ]------------
  kernel BUG at mm/page-writeback.c:2992!
  Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
  CPU: 2 UID: 0 PID: 3943513 Comm: kworker/u24:15 Tainted: G OE 6.12.0-rc7-custom+ #87
  Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
  Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022
  Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]
  pc : folio_clear_dirty_for_io+0x128/0x258
  lr : folio_clear_dirty_for_io+0x128/0x258
  Call trace:
   folio_clear_dirty_for_io+0x128/0x258
   btrfs_folio_clamp_clear_dirty+0x80/0xd0 [btrfs]
   __process_folios_contig+0x154/0x268 [btrfs]
   extent_clear_unlock_delalloc+0x5c/0x80 [btrfs]
   run_delalloc_nocow+0x5f8/0x760 [btrfs]
   btrfs_run_delalloc_range+0xa8/0x220 [btrfs]
   writepage_delalloc+0x230/0x4c8 [btrfs]
   extent_writepage+0xb8/0x358 [btrfs]
   extent_write_cache_pages+0x21c/0x4e8 [btrfs]
   btrfs_writepages+0x94/0x150 [btrfs]
   do_writepages+0x74/0x190
   filemap_fdatawrite_wbc+0x88/0xc8
   start_delalloc_inodes+0x178/0x3a8 [btrfs]
   btrfs_start_delalloc_roots+0x174/0x280 [btrfs]
   shrink_delalloc+0x114/0x280 [btrfs]
   flush_space+0x250/0x2f8 [btrfs]
   btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]
   process_one_work+0x164/0x408
   worker_thread+0x25c/0x388
   kthread+0x100/0x118
   ret_from_fork+0x10/0x20
  Code: 910a8021 a90363f7 a9046bf9 94012379 (d4210000)
  ---[ end trace 0000000000000000 ]---

[CAUSE]
The first two lines of extra debug messages show the problem is caused by
the error handling of run_delalloc_nocow().

E.g. we have the following dirtied range (4K blocksize 4K page size):

  0                 16K                 32K
  |//////////////////////////////////////|
  |  Pre-allocated   |

And the range [0, 16K) has a preallocated extent.

- Enter run_delalloc_nocow() for range [0, 16K)
  Which found range [0, 16K) is preallocated, can do the proper NOCOW write.

- Enter fallback_to_cow() for range [16K, 32K)
  Since the range [16K, 32K) is not backed by preallocated extent, we have
  to go COW.

- cow_file_range() failed for range [16K, 32K)
  So cow_file_range() will do the clean up by clearing folio dirty, unlock
  the folios.
  Now the folios in range [16K, 32K) are unlocked.

- Enter extent_clear_unlock_delalloc() from run_delalloc_nocow()
  Which is called with PAGE_START_WRITEBACK to start page writeback.
  But folios can only be marked writeback when it's properly locked, thus
  this triggered the VM_BUG_ON_FOLIO().

Furthermore there is another hidden but common bug that run_delalloc_nocow()
is not clearing the folio dirty flags in its error handling path.
This is the common bug shared between run_delalloc_nocow() and
cow_file_range().

[FIX]
- Clear folio dirty for range [@start, @cur_offset)
  Introduce a helper, cleanup_dirty_folios(), which will find and lock the
  folio in the range, clear the dirty flag and start/end the writeback, with
  the extra handling for the @locked_folio.

- Introduce a helper to clear folio dirty, start and end writeback

- Introduce a helper to record the last failed COW range end
  This is to trace which range we should skip, to avoid double unlocking.

- Skip the failed COW range for the e ---truncated---

AI-Powered Analysis

AI analysis last updated: 06/28/2025, 09:26:12 UTC

Technical Analysis

CVE-2024-57975 is a bug in the Linux kernel's Btrfs delayed-allocation (delalloc) writeback path. run_delalloc_nocow() handles dirty ranges that can be written in place (NOCOW) because they are backed by preallocated extents; any part of the range that is not NOCOW-able is handed to cow_file_range() through the COW fallback. The defect is in the error handling when that fallback fails. cow_file_range() cleans up after itself: it clears the dirty flag and unlocks the folios (the kernel's unit of one or more contiguous pages) for its own sub-range. run_delalloc_nocow() then runs its own cleanup, extent_clear_unlock_delalloc() with PAGE_START_WRITEBACK, over a range that still includes those already-unlocked folios. Clearing dirty for I/O and setting writeback both require the folio lock, so with CONFIG_DEBUG_VM the VM_BUG_ON_FOLIO(!folio_test_locked(folio)) check in folio_clear_dirty_for_io() fires and the kernel oopses in the writeback worker; without CONFIG_DEBUG_VM the check is compiled out and the same invariant is violated silently. A second, quieter bug in the same path is that run_delalloc_nocow() never cleared the dirty flag on the folios it failed on, leaving stale dirty state behind. In the reported case the trigger was an allocation failure, ret -28 (ENOSPC), inside cow_file_range() while the async data-space reclaim worker (btrfs_async_reclaim_data_space) was flushing delalloc; the reproducer was the generic/476 test case on a 6.12.0-rc7 based kernel. The fix adds cleanup_dirty_folios(), which locks each folio in the failed range, clears dirty and starts and ends writeback (with special handling for the caller's @locked_folio), plus a helper that records the end of the last failed COW range so the cleanup skips what cow_file_range() already unlocked and never unlocks a folio twice. The kernel CNA published the CVE against the commit carrying that fix; the defective error path is not specific to 6.12.0-rc7, so consult your distribution's advisory for the affected and fixed kernel versions. No known exploits are reported in the wild at this time.
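The interaction between the two cleanup paths described in the commit message and the analysis above is easier to see in a small model. The following C program is an added example, not kernel code and not part of the original page: the folio struct, the inode model, the range bookkeeping and every helper name in it are simplified stand-ins for the mm/btrfs code, and it folds "clear dirty for I/O" and "set writeback" into one step that, like the real VM_BUG_ON_FOLIO, demands the folio lock but reports an error instead of crashing. Its unfixed cleanup walks the whole range and trips on the folios cow_file_range() already unlocked; its fixed cleanup records the failed COW range and skips it, clearing dirty on the folios it still owns.

```c
/* Userland model of the btrfs delalloc error path fixed by CVE-2024-57975.
 * Added example, not kernel code: the structs and helpers below are
 * simplified stand-ins for the mm/btrfs code, not its real API. */
#include <errno.h>     /* ENOSPC == 28, the "ret -28" in the report */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define FOLIO_SIZE 4096u
#define NR_FOLIOS  8u                  /* models the dirty range [0, 32K) */

struct folio {
    bool locked, dirty, writeback;
    int  bad_unlocks;                  /* unlock attempts on an unlocked folio */
};

struct inode_model {
    struct folio f[NR_FOLIOS];
    /* range that cow_file_range() already cleaned up itself; empty when equal */
    unsigned failed_cow_start, failed_cow_end;
};

/* Writeback enters run_delalloc_nocow() with every folio locked and dirty. */
static void model_init(struct inode_model *m)
{
    memset(m, 0, sizeof(*m));
    for (unsigned i = 0; i < NR_FOLIOS; i++)
        m->f[i].locked = m->f[i].dirty = true;
}

/* Mirrors VM_BUG_ON_FOLIO(!folio_test_locked(folio)): clearing dirty for I/O
 * and starting writeback need the lock. Returns -1 instead of crashing. */
static int folio_start_writeback_checked(struct folio *f)
{
    if (!f->locked)
        return -1;
    f->writeback = true;
    return 0;
}

static void folio_unlock_checked(struct folio *f)
{
    if (!f->locked)
        f->bad_unlocks++;              /* the double unlock the fix avoids */
    f->locked = false;
}

/* cow_file_range() failing with ENOSPC for [start, end): its own cleanup
 * clears dirty and unlocks exactly the folios it was handed. */
static int cow_file_range_fail(struct inode_model *m, unsigned start, unsigned end)
{
    for (unsigned off = start; off < end; off += FOLIO_SIZE) {
        m->f[off / FOLIO_SIZE].dirty = false;
        folio_unlock_checked(&m->f[off / FOLIO_SIZE]);
    }
    m->failed_cow_start = start;       /* the "last failed COW range" the fix records */
    m->failed_cow_end = end;
    return -ENOSPC;
}

/* Error cleanup of run_delalloc_nocow() over [start, end).
 * fixed == false reproduces the bug: walk the whole range, set writeback on
 * folios cow_file_range() already unlocked, and never clear dirty.
 * fixed == true models the patch: skip the failed COW range, and on the
 * still-locked folios clear dirty, start/end writeback, then unlock once. */
static int nocow_error_cleanup(struct inode_model *m, unsigned start, unsigned end, bool fixed)
{
    for (unsigned off = start; off < end; off += FOLIO_SIZE) {
        struct folio *f = &m->f[off / FOLIO_SIZE];

        if (fixed && off >= m->failed_cow_start && off < m->failed_cow_end)
            continue;                  /* cow_file_range() owned this cleanup */
        if (fixed)
            f->dirty = false;          /* the "hidden" bug: never cleared before */
        if (folio_start_writeback_checked(f) < 0)
            return -1;                 /* where the report's kernel BUG fires */
        f->writeback = false;          /* end writeback: nothing gets written */
        folio_unlock_checked(f);
    }
    return 0;
}

/* Scenario from the commit message: [0, 16K) is NOCOW-able, [16K, 32K) falls
 * back to COW, and that COW fails. Returns the error cleanup's result. */
static int run_scenario(struct inode_model *m, bool fixed)
{
    model_init(m);
    (void)cow_file_range_fail(m, 16 * 1024, 32 * 1024);
    return nocow_error_cleanup(m, 0, 32 * 1024, fixed);
}

static bool all_clean_and_unlocked(const struct inode_model *m)
{
    for (unsigned i = 0; i < NR_FOLIOS; i++)
        if (m->f[i].locked || m->f[i].dirty || m->f[i].writeback || m->f[i].bad_unlocks)
            return false;
    return true;
}

int main(void)
{
    struct inode_model m;
    int unfixed = run_scenario(&m, false);            /* -1: writeback on unlocked folio */
    int fixed = run_scenario(&m, true);               /* 0 */
    printf("unfixed: %d  fixed: %d  clean: %d\n", unfixed, fixed, all_clean_and_unlocked(&m));
    return 0;
}
```

The unfixed run stops at the first folio in [16K, 32K) because that folio is already unlocked, which is the model's equivalent of the VM_BUG_ON_FOLIO in the trace; notice that the folios in [0, 16K) it did process are unlocked but still dirty, the second bug the commit message mentions. The fixed run leaves every folio unlocked, clean and unlocked exactly once. The model only reproduces the ordering problem; the real patch also has to deal with the caller's @locked_folio and with sub-folio ranges, which are left out here.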

Potential Impact

For European organizations the exposure is any Linux host with a mounted Btrfs file system running a kernel that still carries the defective error path. The report came from a 6.12.0-rc7 based kernel, but the bug sits in long-standing Btrfs delalloc code, so do not assume that only development kernels are affected. The impact is availability: on a CONFIG_DEBUG_VM kernel the bug is a kernel BUG inside a writeback worker, which takes the whole host down rather than just the file system, so it amounts to a local denial of service; on kernels without CONFIG_DEBUG_VM the same invariant is violated without an immediate crash, with undefined consequences for the affected folios. The reported trigger was an ENOSPC failure in cow_file_range() while delalloc was being flushed, which suggests that ordinary write load against a nearly full Btrfs volume is the realistic precondition rather than any attacker skill or privilege. Data centres, cloud providers and enterprises using Btrfs for file storage or virtualization would see unexpected reboots and interrupted data access; writes still in flight at the time of the crash are lost, as with any crash, although confidentiality and integrity are not directly affected. Given the adoption of Btrfs in enterprise Linux distributions and cloud environments, the issue is relevant to European entities with Linux infrastructure. The absence of known exploits lowers the urgency, but because the precondition is a plain operational state, patching should be scheduled rather than deferred.

Mitigation Recommendations

European organizations should take the following steps:

1) Inventory Linux hosts with Btrfs mounted (findmnt -t btrfs) and record the running kernel (uname -r); compare against the affected and fixed versions in your distribution's advisory for CVE-2024-57975 rather than assuming only 6.12.0-rc7 is affected.

2) Apply the kernel update that carries the fix. The kernel CNA published the CVE against the fixing commit, so distribution backports follow from it; a kernel update requires a reboot, so plan the maintenance window.

3) Until patched, reduce the trigger condition: the reported failure is ENOSPC (ret -28) in cow_file_range(), so keep Btrfs volumes away from full, alert on free-space thresholds, and avoid workloads that deliberately exhaust space. Moving critical data to ext4 or XFS is a last resort for hosts that cannot be updated.

4) Watch kernel logs for the signature: BTRFS error lines "cow_file_range failed" and "run_delalloc_nocow failed" followed by "VM_BUG_ON_FOLIO(!folio_test_locked(folio))" and "kernel BUG at mm/page-writeback.c". A BUG in a kworker may not reach the persistent journal, so capture the console via a serial console, netconsole or pstore.

5) Stress test Btrfs under near-full conditions in a lab before rolling new kernels to production; a CONFIG_DEBUG_VM kernel surfaces the bug as a BUG, whereas a production kernel without it violates the same invariant silently.

6) Keep backups current; a crash in the writeback path loses only data not yet flushed, but repeated crashes make recovery expensive.

7) Track your distribution's and the kernel CNA's advisories for stable backports of the fix.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-27T02:04:28.912Z
CISA Enriched: false
CVSS Version: null (no CVSS score assigned)
State: PUBLISHED

Threat ID: 682d9823c4522896dcbdeb6b

Added to database: 5/21/2025, 9:08:51 AM

Last enriched: 6/28/2025, 9:26:12 AM

Last updated: 7/29/2025, 6:07:42 AM

