CVE-2023-54002
Description
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix assertion of exclop condition when starting balance
Balance as exclusive state is compatible with paused balance and device add, which makes some things more complicated. The assertion of valid states when starting from paused balance needs to take into account two more states; the combinations can be hit when there are several threads racing to start balance and device add. This won't typically happen when the commands are started from command line.
Scenario 1: With exclusive_operation state == BTRFS_EXCLOP_NONE.
When concurrently adding multiple devices to the same mount point and btrfs_exclop_finish finishes executing before the assertion in btrfs_exclop_balance, exclusive_operation will be changed to the BTRFS_EXCLOP_NONE state, which leads to a failed assertion:
fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE || fs_info->exclusive_operation == BTRFS_EXCLOP_DEV_ADD, in fs/btrfs/ioctl.c:456
Call Trace:
 btrfs_exclop_balance+0x13c/0x310
 ? memdup_user+0xab/0xc0
 ? PTR_ERR+0x17/0x20
 btrfs_ioctl_add_dev+0x2ee/0x320
 btrfs_ioctl+0x9d5/0x10d0
 ? btrfs_ioctl_encoded_write+0xb80/0xb80
 __x64_sys_ioctl+0x197/0x210
 do_syscall_64+0x3c/0xb0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
Scenario 2: With exclusive_operation state == BTRFS_EXCLOP_BALANCE_PAUSED.
When concurrently adding multiple devices to the same mount point and btrfs_exclop_balance finishes executing before the latter thread executes the assertion in btrfs_exclop_balance, exclusive_operation will be changed to the BTRFS_EXCLOP_BALANCE_PAUSED state, which leads to a failed assertion:
fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE || fs_info->exclusive_operation == BTRFS_EXCLOP_DEV_ADD || fs_info->exclusive_operation == BTRFS_EXCLOP_NONE, fs/btrfs/ioctl.c:458
Call Trace:
 btrfs_exclop_balance+0x240/0x410
 ? memdup_user+0xab/0xc0
 ? PTR_ERR+0x17/0x20
 btrfs_ioctl_add_dev+0x2ee/0x320
 btrfs_ioctl+0x9d5/0x10d0
 ? btrfs_ioctl_encoded_write+0xb80/0xb80
 __x64_sys_ioctl+0x197/0x210
 do_syscall_64+0x3c/0xb0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
An example of the failed assertion is below, which shows that the paused balance also needs to be checked.
root@syzkaller:/home/xsk# ./repro
Failed to add device /dev/vda, errno 14
Failed to add device /dev/vda, errno 14
Failed to add device /dev/vda, errno 14
Failed to add device /dev/vda, errno 14
Failed to add device /dev/vda, errno 14
Failed to add device /dev/vda, errno 14
Failed to add device /dev/vda, errno 14
Failed to add device /dev/vda, errno 14
Failed to add device /dev/vda, errno 14
[ 416.611428][ T7970] BTRFS info (device loop0): fs_info exclusive_operation: 0
Failed to add device /dev/vda, errno 14
[ 416.613973][ T7971] BTRFS info (device loop0): fs_info exclusive_operation: 3
Failed to add device /dev/vda, errno 14
[ 416.615456][ T7972] BTRFS info (device loop0): fs_info exclusive_operation: 3
Failed to add device /dev/vda, errno 14
[ 416.617528][ T7973] BTRFS info (device loop0): fs_info exclusive_operation: 3
Failed to add device /dev/vda, errno 14
[ 416.618359][ T7974] BTRFS info (device loop0): fs_info exclusive_operation: 3
Failed to add device /dev/vda, errno 14
[ 416.622589][ T7975] BTRFS info (device loop0): fs_info exclusive_operation: 3
Failed to add device /dev/vda, errno 14
[ 416.624034][ T7976] BTRFS info (device loop0): fs_info exclusive_operation: 3
Failed to add device /dev/vda, errno 14
[ 416.626420][ T7977] BTRFS info (device loop0): fs_info exclusive_operation: 3
Failed to add device /dev/vda, errno 14
[ 416.627643][ T7978] BTRFS info (device loop0): fs_info exclusive_operation: 3
Failed to add device /dev/vda, errno 14
[ 416.629006][ T7979] BTRFS info (device loop0): fs_info exclusive_operation: 3
[ 416.630298][ T7980] BTRFS info (device loop0): fs_info exclusive_operation: 3
Fai
---truncated---
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in btrfs's exclusive operation locking can trigger a kernel assertion failure when starting balance concurrently with device add operations.
Vulnerability
Description
CVE-2023-54002 is a race condition in the Linux kernel's btrfs filesystem. The bug lies in the btrfs_exclop_balance function, which enforces exclusive operation states (e.g., balance, device add) via assertions. The assertion logic failed to account for two additional valid states, BTRFS_EXCLOP_NONE and BTRFS_EXCLOP_BALANCE_PAUSED, that can occur when multiple threads race to start balance and device add operations simultaneously [1].
Exploitation
Scenario
An attacker with local access and the ability to mount a btrfs filesystem can trigger the race by concurrently issuing multiple btrfs device add commands while a balance operation is starting or paused. The kernel's assertion in fs/btrfs/ioctl.c checks that the exclusive operation state is one of a limited set, but due to the race, the state may be BTRFS_EXCLOP_NONE or BTRFS_EXCLOP_BALANCE_PAUSED at the moment of the check, causing the assertion to fail [1].
Impact
A successful exploit results in a kernel panic (assertion failure), leading to a denial of service (DoS) on the affected system. The vulnerability does not require authentication beyond the ability to execute privileged ioctl calls (e.g., BTRFS_IOC_ADD_DEV), which typically require root privileges. No data corruption or privilege escalation is described in the source material.
Mitigation
The fix was applied to the Linux kernel stable tree in commit 6062e9e335a3 and backported to other stable branches [1]. Updating to a kernel version containing this commit resolves the issue. No workaround is mentioned in the advisory.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches
417eaeee4c5f27877dc1136ad6062e9e335a3ac868bc9d136
Vulnerability mechanics
Root cause
"Incomplete assertion in btrfs_exclop_balance fails to account for BTRFS_EXCLOP_BALANCE_PAUSED and BTRFS_EXCLOP_NONE states, causing a kernel panic under concurrent balance and device-add operations."
Attack vector
An attacker with local access and sufficient privileges to mount a btrfs filesystem can trigger this bug by concurrently issuing multiple device-add and balance ioctl calls on the same mount point. The race condition causes the exclusive_operation state to transition to BTRFS_EXCLOP_NONE or BTRFS_EXCLOP_BALANCE_PAUSED before the assertion check in btrfs_exclop_balance completes, leading to a kernel assertion failure and system crash. No special network access is required; the attack is purely local.
Affected code
The vulnerability is in the btrfs_exclop_balance function within fs/btrfs/ioctl.c. The assertion at line 456 (and later line 458) checks fs_info->exclusive_operation but only validates against BTRFS_EXCLOP_BALANCE and BTRFS_EXCLOP_DEV_ADD, omitting BTRFS_EXCLOP_BALANCE_PAUSED and BTRFS_EXCLOP_NONE.
What the fix does
The patch [patch_id=4253] modifies the assertion in btrfs_exclop_balance (in fs/btrfs/ioctl.c) to also accept BTRFS_EXCLOP_BALANCE_PAUSED and BTRFS_EXCLOP_NONE as valid exclusive_operation states when starting from a paused balance. Previously the assertion only checked for BTRFS_EXCLOP_BALANCE and BTRFS_EXCLOP_DEV_ADD, which was too narrow. By expanding the allowed states, the fix prevents the false-positive assertion failure that occurred when racing threads changed the exclusive_operation state between the check and the assertion.
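A user-space model of the two interleavings from the commit message and of the widened check described here, added as an example; it is not kernel code or the patch itself, and the enum ordering beyond NONE = 0 and DEV_ADD = 3 (the values shown in the log above) is an assumption:

```c
/* Added example, not kernel code: a user-space model of the state check in
 * btrfs_exclop_balance. Names follow the page; NONE = 0 and DEV_ADD = 3 match
 * the log on this page, the remaining enum values are assumed. */
#include <stdbool.h>
#include <stdio.h>

enum exclop { EXCLOP_NONE = 0, EXCLOP_BALANCE_PAUSED, EXCLOP_BALANCE, EXCLOP_DEV_ADD };
struct fs_info { enum exclop exclusive_operation; };
/* Pre-fix assertion: only BALANCE and DEV_ADD may precede BALANCE_PAUSED. */
static bool old_assert_ok(enum exclop cur)
{
    return cur == EXCLOP_BALANCE || cur == EXCLOP_DEV_ADD;
}
/* Fixed assertion: NONE (left behind by exclop_finish) and BALANCE_PAUSED
 * (left behind by another thread's exclop_balance) are accepted as well. */
static bool fixed_assert_ok(enum exclop cur)
{
    return old_assert_ok(cur) || cur == EXCLOP_NONE || cur == EXCLOP_BALANCE_PAUSED;
}
/* Model of btrfs_exclop_balance(fs, BALANCE_PAUSED): false where the kernel's
 * ASSERT would fire, otherwise the transition is recorded. */
static bool exclop_balance_paused(struct fs_info *fs, bool fixed)
{
    enum exclop cur = fs->exclusive_operation;
    if (!(fixed ? fixed_assert_ok(cur) : old_assert_ok(cur)))
        return false;
    fs->exclusive_operation = EXCLOP_BALANCE_PAUSED;
    return true;
}
/* Two device-add threads, both in DEV_ADD. Scenario 1: thread A's
 * btrfs_exclop_finish sets NONE before thread B asserts. Scenario 2: thread A
 * restores BALANCE_PAUSED before thread B asserts. Returns whether B's check held. */
static bool run_scenario(int scenario, bool fixed)
{
    struct fs_info fs = { EXCLOP_DEV_ADD };
    if (scenario == 1)
        fs.exclusive_operation = EXCLOP_NONE;        /* thread A: exclop_finish */
    else if (!exclop_balance_paused(&fs, fixed))     /* thread A: exclop_balance */
        return false;
    return exclop_balance_paused(&fs, fixed);        /* thread B: exclop_balance */
}
int main(void)
{
    for (int s = 1; s <= 2; s++)
        printf("scenario %d: pre-fix %s, fixed %s\n", s,
               run_scenario(s, false) ? "passes" : "ASSERT fires",
               run_scenario(s, true) ? "passes" : "ASSERT fires");
    return 0;
}
```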
Preconditions
- auth: Attacker needs local access and privileges to mount a btrfs filesystem and issue ioctl calls for balance and device-add operations.
- input: Multiple concurrent ioctl calls (balance and device-add) must be issued on the same btrfs mount point to trigger the race condition.
Generated on May 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.