CVE-2023-54023

EPSS 0.03%
Veröffentlicht 24.12.2025 10:55:52
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

btrfs: fix race between balance and cancel/pause

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix race between balance and cancel/pause

Syzbot reported a panic that looks like this:

  assertion failed: fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE_PAUSED, in fs/btrfs/ioctl.c:465
  ------------[ cut here ]------------
  kernel BUG at fs/btrfs/messages.c:259!
  RIP: 0010:btrfs_assertfail+0x2c/0x30 fs/btrfs/messages.c:259
  Call Trace:
   <TASK>
   btrfs_exclop_balance fs/btrfs/ioctl.c:465 [inline]
   btrfs_ioctl_balance fs/btrfs/ioctl.c:3564 [inline]
   btrfs_ioctl+0x531e/0x5b30 fs/btrfs/ioctl.c:4632
   vfs_ioctl fs/ioctl.c:51 [inline]
   __do_sys_ioctl fs/ioctl.c:870 [inline]
   __se_sys_ioctl fs/ioctl.c:856 [inline]
   __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856
   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
   do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
   entry_SYSCALL_64_after_hwframe+0x63/0xcd

The reproducer is running a balance and a cancel or pause in parallel.
The way balance finishes is a bit wonky, if we were paused we need to
save the balance_ctl in the fs_info, but clear it otherwise and cleanup.
However we rely on the return values being specific errors, or having a
cancel request or no pause request.  If balance completes and returns 0,
but we have a pause or cancel request we won't do the appropriate
cleanup, and then the next time we try to start a balance we'll trip
this ASSERT.

The error handling is just wrong here, we always want to clean up,
unless we got -ECANCELLED and we set the appropriate pause flag in the
exclusive op.  With this patch the reproducer ran for an hour without
tripping, previously it would trip in less than a few minutes.

Betroffene Produkte Warnungen 0 Metriken 1 CWE 0 Referenzen 6

CNA 2 VulnDex Vulnerability Enrichment 11

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerLinux

≫

Produkt Linux

Default Statusunaffected

Version 837d5b6e46d1a4af5b6cc8f2fe83cb5de79a2961

Version < ddf7e8984c83aee9122552529f4e77291903f8d9

Status affected

Version 837d5b6e46d1a4af5b6cc8f2fe83cb5de79a2961

Version < 72efe5d44821e38540888a5fe3ff3d0faab6acad

Status affected

Version 837d5b6e46d1a4af5b6cc8f2fe83cb5de79a2961

Version < b19c98f237cd76981aaded52c258ce93f7daa8cb

Status affected

HerstellerLinux

≫

Produkt Linux

Default Statusaffected

Version 3.3

Status affected

Version 0

Version < 3.3

Status unaffected

Version <= 6.1.*

Version 6.1.42

Status unaffected

Version <= 6.4.*

Version 6.4.7

Status unaffected

Version <= *

Version 6.5

Status unaffected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.092

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String

Es wurden noch keine Informationen zu CWE veröffentlicht.

https://git.kernel.org/stable/c/ddf7e8984c83aee9122552529f4e77291903f8d9

https://git.kernel.org/stable/c/72efe5d44821e38540888a5fe3ff3d0faab6acad

https://git.kernel.org/stable/c/b19c98f237cd76981aaded52c258ce93f7daa8cb

https://nvd.nist.gov/vuln/detail/CVE-2023-54023

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-54023

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-54023

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-54023