
CVE-2024-57976: Vulnerability in the Linux kernel (Btrfs)

Severity: High
Published: Thu Feb 27 2025 (02/27/2025, 02:07:04 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: do proper folio cleanup when cow_file_range() failed

[BUG]
When testing with COW fixup marked as BUG_ON() (this is involved with the
new pin_user_pages*() change, which should not result new out-of-band
dirty pages), I hit a crash triggered by the BUG_ON() from hitting COW
fixup path.

This BUG_ON() happens just after a failed btrfs_run_delalloc_range():

  BTRFS error (device dm-2): failed to run delalloc range, root 348 ino 405 folio 65536 submit_bitmap 6-15 start 90112 len 106496: -28
  ------------[ cut here ]------------
  kernel BUG at fs/btrfs/extent_io.c:1444!
  Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
  CPU: 0 UID: 0 PID: 434621 Comm: kworker/u24:8 Tainted: G OE 6.12.0-rc7-custom+ #86
  Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022
  Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]
  pc : extent_writepage_io+0x2d4/0x308 [btrfs]
  lr : extent_writepage_io+0x2d4/0x308 [btrfs]
  Call trace:
   extent_writepage_io+0x2d4/0x308 [btrfs]
   extent_writepage+0x218/0x330 [btrfs]
   extent_write_cache_pages+0x1d4/0x4b0 [btrfs]
   btrfs_writepages+0x94/0x150 [btrfs]
   do_writepages+0x74/0x190
   filemap_fdatawrite_wbc+0x88/0xc8
   start_delalloc_inodes+0x180/0x3b0 [btrfs]
   btrfs_start_delalloc_roots+0x174/0x280 [btrfs]
   shrink_delalloc+0x114/0x280 [btrfs]
   flush_space+0x250/0x2f8 [btrfs]
   btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]
   process_one_work+0x164/0x408
   worker_thread+0x25c/0x388
   kthread+0x100/0x118
   ret_from_fork+0x10/0x20
  Code: aa1403e1 9402f3ef aa1403e0 9402f36f (d4210000)
  ---[ end trace 0000000000000000 ]---

[CAUSE]
That failure is mostly from cow_file_range(), where we can hit -ENOSPC.

Although the -ENOSPC is already a bug related to our space reservation
code, let's just focus on the error handling.

For example, we have the following dirty range [0, 64K) of an inode,
with 4K sector size and 4K page size:

   0        16K        32K       48K       64K
   |///////////////////////////////////////|
   |#######################################|

Where |///| means page are still dirty, and |###| means the extent io
tree has EXTENT_DELALLOC flag.

- Enter extent_writepage() for page 0
- Enter btrfs_run_delalloc_range() for range [0, 64K)
- Enter cow_file_range() for range [0, 64K)
- Function btrfs_reserve_extent() only reserved one 16K extent
  So we created extent map and ordered extent for range [0, 16K)

   0        16K        32K       48K       64K
   |////////|//////////////////////////////|
   |<- OE ->|##############################|

  And range [0, 16K) has its delalloc flag cleared.
  But since we haven't yet submit any bio, involved 4 pages are still
  dirty.

- Function btrfs_reserve_extent() returns with -ENOSPC
  Now we have to run error cleanup, which will clear all
  EXTENT_DELALLOC* flags and clear the dirty flags for the remaining
  ranges:

   0        16K        32K       48K       64K
   |////////|                               |
   |        |                               |

  Note that range [0, 16K) still has its pages dirty.

- Some time later, writeback is triggered again for the range [0, 16K)
  since the page range still has dirty flags.

- btrfs_run_delalloc_range() will do nothing because there is no
  EXTENT_DELALLOC flag.

- extent_writepage_io() finds page 0 has no ordered flag
  Which falls into the COW fixup path, triggering the BUG_ON().

Unfortunately this error handling bug dates back to the introduction of
btrfs. Thankfully with the abuse of COW fixup, at least it won't crash
the kernel.

[FIX]
Instead of immediately unlocking the extent and folios, we keep the
extent and folios locked until either erroring out or the whole delalloc
range finished.

When the whole delalloc range finished without error, we just unlock the
whole range with PAGE_SET_ORDERED (and PAGE_UNLOCK for !keep_locked
cases) ---truncated---

AI-Powered Analysis

AI analysis last updated: 06/28/2025, 09:26:41 UTC

Technical Analysis

CVE-2024-57976 is a bug in the Linux kernel's Btrfs filesystem, in the error handling of cow_file_range(), the copy-on-write path that btrfs_run_delalloc_range() calls during writeback to turn a delayed-allocation (delalloc) range into allocated extents. cow_file_range() reserves extents one at a time. In the pre-fix code, each successfully reserved sub-range was finished immediately: its ordered extent was created, its EXTENT_DELALLOC flag cleared and its folios unlocked, while the folios stayed dirty because no bio had been submitted yet. If a later btrfs_reserve_extent() call then failed (the report shows -ENOSPC, error -28 in the log line), the error cleanup cleared EXTENT_DELALLOC and the dirty flags only for the remaining range, and the ordered extents of the already reserved part were torn down. The result is a set of folios that are still dirty but carry neither EXTENT_DELALLOC nor an ordered extent. When writeback runs again on them, btrfs_run_delalloc_range() does nothing (no delalloc flag) and extent_writepage_io() finds no ordered extent, so the folios fall into the COW fixup path. In the reporter's build that path had been turned into a BUG_ON(), which produced the "kernel BUG at fs/btrfs/extent_io.c:1444" oops in the report; in released kernels, the commit message notes, the COW fixup path absorbs the stray dirty pages and the kernel does not crash. The fix keeps the extent range and the folios locked until either the whole delalloc range has been processed or the function errors out, and only then unlocks the whole range in one step (with PAGE_SET_ORDERED on success), so the half-processed state can no longer leak to the next writeback. According to the commit message the faulty error path dates back to the introduction of Btrfs and surfaced only because of the pin_user_pages*() work, which is meant to ensure that no new out-of-band dirty pages are created and which treats the COW fixup as an abuse rather than a supported path. The report was reproduced on a custom 6.12.0-rc7 build, but every kernel before the fix carries the faulty error path. No exploits are known in the wild and no CVSS score has been assigned.
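The sequence in the Description (one 16K reservation succeeds, the next returns -ENOSPC, the error cleanup covers only the remaining range) can be followed in a small state model. The C program below is an added example, not kernel code and not part of this advisory: it tracks only the per-folio dirty/ordered/locked bits and the per-block EXTENT_DELALLOC/EXTENT_LOCKED bits for a 64K range of 4K pages, and replaces the extent reservation with a counter of available 16K extents. The buggy variant follows the pre-fix behaviour described above; the fixed variant models the invariant the patch restores (keep everything locked until the whole range is done or the call fails, then clean or unlock the whole range in one go) rather than reproducing the kernel patch line by line. count_cow_fixup_candidates() is the condition extent_writepage_io() effectively tests: a dirty folio with no ordered extent and no EXTENT_DELALLOC.

```c
/*
 * Toy model of the cow_file_range() error path (added example, not kernel
 * code). Only the flags that matter for the bug are modelled; the
 * "reservation" is a counter of how many 16K extents exist before -ENOSPC.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NR_PAGES          16   /* [0, 64K) with 4K pages */
#define PAGES_PER_EXTENT   4   /* each btrfs_reserve_extent() hands back 16K */

enum { PG_DIRTY = 1, PG_ORDERED = 2, PG_LOCKED = 4 };   /* folio flags */
enum { EX_DELALLOC = 1, EX_LOCKED = 2 };                /* extent io tree bits */

struct range_state {
    unsigned char page[NR_PAGES];    /* one folio per 4K page */
    unsigned char extent[NR_PAGES];  /* one extent-tree entry per 4K block */
};

/* A buffered write dirtied the whole range: folios dirty, tree has DELALLOC. */
void setup_dirty_range(struct range_state *s)
{
    memset(s, 0, sizeof(*s));
    for (int i = 0; i < NR_PAGES; i++) {
        s->page[i] = PG_DIRTY;
        s->extent[i] = EX_DELALLOC;
    }
}

/* Writeback locks the extent range and the folios before running delalloc. */
static void lock_range(struct range_state *s)
{
    for (int i = 0; i < NR_PAGES; i++) {
        s->extent[i] |= EX_LOCKED;
        s->page[i] |= PG_LOCKED;
    }
}

/* Stand-in for btrfs_reserve_extent(): pages covered, or -ENOSPC. */
static int reserve_extent(int *extents_left)
{
    if (*extents_left <= 0)
        return -ENOSPC;
    (*extents_left)--;
    return PAGES_PER_EXTENT;
}

/*
 * Pre-fix behaviour: each reserved chunk is finished at once (ordered extent
 * created, DELALLOC/LOCKED cleared, folio unlocked but still dirty because no
 * bio was submitted). On -ENOSPC the cleanup only covers [cur, end); the
 * ordered extents already created are torn down, which drops PG_ORDERED but
 * never touches the dirty bit of those folios.
 */
int cow_file_range_buggy(struct range_state *s, int extents_left)
{
    int cur = 0;
    lock_range(s);
    while (cur < NR_PAGES) {
        int n = reserve_extent(&extents_left);
        if (n < 0) {
            for (int i = cur; i < NR_PAGES; i++) {   /* remaining range only */
                s->extent[i] = 0;
                s->page[i] = 0;                      /* dirty cleared, unlocked */
            }
            for (int i = 0; i < cur; i++)            /* ordered extents removed */
                s->page[i] &= ~PG_ORDERED;           /* ...dirty bit stays set */
            return n;
        }
        for (int i = cur; i < cur + n; i++) {
            s->extent[i] &= ~(EX_DELALLOC | EX_LOCKED);
            s->page[i] = (s->page[i] | PG_ORDERED) & ~PG_LOCKED;
        }
        cur += n;
    }
    return 0;
}

/*
 * Post-fix invariant as modelled here: nothing is unlocked or cleared per
 * chunk. On error the whole range is cleaned in one go, so no folio is left
 * dirty without DELALLOC; on success the whole range gets PG_ORDERED and is
 * unlocked together.
 */
int cow_file_range_fixed(struct range_state *s, int extents_left)
{
    int cur = 0;
    lock_range(s);
    while (cur < NR_PAGES) {
        int n = reserve_extent(&extents_left);
        if (n < 0) {
            for (int i = 0; i < NR_PAGES; i++) {
                s->extent[i] = 0;
                s->page[i] = 0;
            }
            return n;
        }
        cur += n;   /* ordered extent exists; flags stay locked for now */
    }
    for (int i = 0; i < NR_PAGES; i++) {
        s->extent[i] &= ~(EX_DELALLOC | EX_LOCKED);
        s->page[i] = (s->page[i] | PG_ORDERED) & ~PG_LOCKED;
    }
    return 0;
}

/* Dirty folio with neither an ordered extent nor DELALLOC: the COW fixup case. */
int count_cow_fixup_candidates(const struct range_state *s)
{
    int n = 0;
    for (int i = 0; i < NR_PAGES; i++)
        if ((s->page[i] & PG_DIRTY) && !(s->page[i] & PG_ORDERED) &&
            !(s->extent[i] & EX_DELALLOC))
            n++;
    return n;
}

int main(void)
{
    struct range_state s;
    setup_dirty_range(&s);
    int ret = cow_file_range_buggy(&s, 1);
    printf("buggy: ret=%d folios needing COW fixup=%d\n", ret, count_cow_fixup_candidates(&s));
    setup_dirty_range(&s);
    ret = cow_file_range_fixed(&s, 1);
    printf("fixed: ret=%d folios needing COW fixup=%d\n", ret, count_cow_fixup_candidates(&s));
    return 0;
}
```

With one 16K extent available the buggy variant returns -ENOSPC and leaves the four folios of [0, 16K) dirty with no ordered flag and no delalloc bit, exactly the state that reaches the COW fixup path on the next writeback; the fixed variant returns the same error with every folio clean, and on full success it hands the whole range over dirty and ordered, which is what the submission path expects.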

Potential Impact

For European organizations, as for anyone else, exposure is limited to systems that mount Btrfs filesystems with a kernel that predates the fix. The effect on such systems is an inconsistent writeback state: after a failed cow_file_range(), dirty folios are left without EXTENT_DELALLOC or an ordered extent and are later handled by the COW fixup path. On released kernels the commit message states this does not crash the kernel; a kernel panic occurs only where that path has been turned into a BUG_ON(), as in the reporter's test build. The precondition is an extent-reservation failure during writeback (the report shows -ENOSPC, which the commit calls a bug in the space reservation code in its own right), so the path is most likely on filesystems running near full, and the page gives no evidence that an unprivileged user can trigger it on demand. The risk to weigh is therefore availability and the integrity of the writeback path rather than privilege escalation: where a crash does occur it interrupts services and can lose data that had not yet been flushed. Operators of Btrfs on servers, hypervisor hosts and virtual machines, including cloud and hosting providers and the finance, telecommunications and public-sector deployments that rely on them, should treat this as a reliability fix to pick up with their next kernel update. No exploits are known in the wild.

Mitigation Recommendations

Update to a kernel that contains the upstream fix "btrfs: do proper folio cleanup when cow_file_range() failed"; check the distribution's advisory for CVE-2024-57976 to find the backported version, since the string 6.12.0-rc7-custom+ in the report is the reporter's own test build, not a patch boundary. Where the kernel cannot be updated immediately: keep Btrfs filesystems from running out of space, because the faulty error path is entered only after a failed extent reservation; watch the kernel log for "BTRFS error (device ...): failed to run delalloc range" messages, which mark the condition that leaves the stale dirty folios behind, and for any "kernel BUG at fs/btrfs/extent_io.c" oops; and keep backups and tested recovery procedures so that an unexpected crash does not cost data. The hypervisor is irrelevant to this bug: it lives in whichever kernel mounts the Btrfs volume, so guests that use Btrfs need the patched kernel just as hosts do. Alerting on kernel panics (for example via a serial console or kdump) keeps the response time short if a crash does occur.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-27T02:04:28.912Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9823c4522896dcbdeb78

Added to database: 5/21/2025, 9:08:51 AM

Last enriched: 6/28/2025, 9:26:41 AM

Last updated: 8/15/2025, 4:36:13 AM

Views: 25

