Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-58089

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
12/03/2025
Last modified:
01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix double accounting race when btrfs_run_delalloc_range() failed<br /> <br /> [BUG]<br /> When running btrfs with block size (4K) smaller than page size (64K,<br /> aarch64), there is a very high chance to crash the kernel at<br /> generic/750, with the following messages:<br /> (before the call traces, there are 3 extra debug messages added)<br /> <br /> BTRFS warning (device dm-3): read-write for sector size 4096 with page size 65536 is experimental<br /> BTRFS info (device dm-3): checking UUID tree<br /> hrtimer: interrupt took 5451385 ns<br /> BTRFS error (device dm-3): cow_file_range failed, root=4957 inode=257 start=1605632 len=69632: -28<br /> BTRFS error (device dm-3): run_delalloc_nocow failed, root=4957 inode=257 start=1605632 len=69632: -28<br /> BTRFS error (device dm-3): failed to run delalloc range, root=4957 ino=257 folio=1572864 submit_bitmap=8-15 start=1605632 len=69632: -28<br /> ------------[ cut here ]------------<br /> WARNING: CPU: 2 PID: 3020984 at ordered-data.c:360 can_finish_ordered_extent+0x370/0x3b8 [btrfs]<br /> CPU: 2 UID: 0 PID: 3020984 Comm: kworker/u24:1 Tainted: G OE 6.13.0-rc1-custom+ #89<br /> Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE<br /> Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022<br /> Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]<br /> pc : can_finish_ordered_extent+0x370/0x3b8 [btrfs]<br /> lr : can_finish_ordered_extent+0x1ec/0x3b8 [btrfs]<br /> Call trace:<br /> can_finish_ordered_extent+0x370/0x3b8 [btrfs] (P)<br /> can_finish_ordered_extent+0x1ec/0x3b8 [btrfs] (L)<br /> btrfs_mark_ordered_io_finished+0x130/0x2b8 [btrfs]<br /> extent_writepage+0x10c/0x3b8 [btrfs]<br /> extent_write_cache_pages+0x21c/0x4e8 [btrfs]<br /> btrfs_writepages+0x94/0x160 [btrfs]<br /> do_writepages+0x74/0x190<br /> filemap_fdatawrite_wbc+0x74/0xa0<br /> start_delalloc_inodes+0x17c/0x3b0 [btrfs]<br /> btrfs_start_delalloc_roots+0x17c/0x288 [btrfs]<br /> shrink_delalloc+0x11c/0x280 [btrfs]<br /> flush_space+0x288/0x328 [btrfs]<br /> btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]<br /> process_one_work+0x228/0x680<br /> worker_thread+0x1bc/0x360<br /> kthread+0x100/0x118<br /> ret_from_fork+0x10/0x20<br /> ---[ end trace 0000000000000000 ]---<br /> BTRFS critical (device dm-3): bad ordered extent accounting, root=4957 ino=257 OE offset=1605632 OE len=16384 to_dec=16384 left=0<br /> BTRFS critical (device dm-3): bad ordered extent accounting, root=4957 ino=257 OE offset=1622016 OE len=12288 to_dec=12288 left=0<br /> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008<br /> BTRFS critical (device dm-3): bad ordered extent accounting, root=4957 ino=257 OE offset=1634304 OE len=8192 to_dec=4096 left=0<br /> CPU: 1 UID: 0 PID: 3286940 Comm: kworker/u24:3 Tainted: G W OE 6.13.0-rc1-custom+ #89<br /> Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022<br /> Workqueue: btrfs_work_helper [btrfs] (btrfs-endio-write)<br /> pstate: 404000c5 (nZcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : process_one_work+0x110/0x680<br /> lr : worker_thread+0x1bc/0x360<br /> Call trace:<br /> process_one_work+0x110/0x680 (P)<br /> worker_thread+0x1bc/0x360 (L)<br /> worker_thread+0x1bc/0x360<br /> kthread+0x100/0x118<br /> ret_from_fork+0x10/0x20<br /> Code: f84086a1 f9000fe1 53041c21 b9003361 (f9400661)<br /> ---[ end trace 0000000000000000 ]---<br /> Kernel panic - not syncing: Oops: Fatal exception<br /> SMP: stopping secondary CPUs<br /> SMP: failed to stop secondary CPUs 2-3<br /> Dumping ftrace buffer:<br /> (ftrace buffer empty)<br /> Kernel Offset: 0x275bb9540000 from 0xffff800080000000<br /> PHYS_OFFSET: 0xffff8fbba0000000<br /> CPU features: 0x100,00000070,00801250,8201720b<br /> <br /> [CAUSE]<br /> The above warning is triggered immediately after the delalloc range<br /> failure, this happens in the following sequence:<br /> <br /> - Range [1568K, 1636K) is dirty<br /> <br /> 1536K 1568K 1600K 1636K 1664K<br /> | |/////////|////////| |<br /> <br /> Where 1536K, 1600K and 1664K are page boundaries (64K page size)<br /> <br /> - Enter extent_writepage() for page 1536K<br /> <br /> - Enter run_delalloc_nocow() with locke<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.0 (including) 6.12.17 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.13.5 (excluding)
cpe:2.3:o:linux:linux_kernel:4.19.73:*:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools