Home

Description

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race between balance and cancel/pause Syzbot reported a panic that looks like this: assertion failed: fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE_PAUSED, in fs/btrfs/ioctl.c:465 ------------[ cut here ]------------ kernel BUG at fs/btrfs/messages.c:259! RIP: 0010:btrfs_assertfail+0x2c/0x30 fs/btrfs/messages.c:259 Call Trace: <TASK> btrfs_exclop_balance fs/btrfs/ioctl.c:465 [inline] btrfs_ioctl_balance fs/btrfs/ioctl.c:3564 [inline] btrfs_ioctl+0x531e/0x5b30 fs/btrfs/ioctl.c:4632 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The reproducer is running a balance and a cancel or pause in parallel. The way balance finishes is a bit wonky, if we were paused we need to save the balance_ctl in the fs_info, but clear it otherwise and cleanup. However we rely on the return values being specific errors, or having a cancel request or no pause request. If balance completes and returns 0, but we have a pause or cancel request we won't do the appropriate cleanup, and then the next time we try to start a balance we'll trip this ASSERT. The error handling is just wrong here, we always want to clean up, unless we got -ECANCELLED and we set the appropriate pause flag in the exclusive op. With this patch the reproducer ran for an hour without tripping, previously it would trip in less than a few minutes.

PUBLISHED Reserved 2025-12-24 | Published 2025-12-24 | Updated 2025-12-24 | Assigner Linux

Product status

Default status
unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before ddf7e8984c83aee9122552529f4e77291903f8d9
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 72efe5d44821e38540888a5fe3ff3d0faab6acad
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before b19c98f237cd76981aaded52c258ce93f7daa8cb
affected

Default status
affected

6.1.42 (semver)
unaffected

6.4.7 (semver)
unaffected

6.5 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/ddf7e8984c83aee9122552529f4e77291903f8d9

git.kernel.org/...c/72efe5d44821e38540888a5fe3ff3d0faab6acad

git.kernel.org/...c/b19c98f237cd76981aaded52c258ce93f7daa8cb

cve.org (CVE-2023-54023)

nvd.nist.gov (CVE-2023-54023)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.