CVE-2023-54032
Description
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix race when deleting quota root from the dirty cow roots list
When disabling quotas we are deleting the quota root from the list fs_info->dirty_cowonly_roots without taking the lock that protects it, which is struct btrfs_fs_info::trans_lock. This unsynchronized list manipulation may cause chaos if there's another concurrent manipulation of this list, such as when adding a root to it with ctree.c:add_root_to_dirty_list().
This can result in all sorts of weird failures caused by a race, such as the following crash:
[337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.279928] Code: 85 38 06 00 (...) [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206 [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000 [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070 [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600 [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48 [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000 [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0 [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [337571.282874] Call Trace: [337571.283101] <TASK> [337571.283327] ? __die_body+0x1b/0x60 [337571.283570] ? die_addr+0x39/0x60 [337571.283796] ? exc_general_protection+0x22e/0x430 [337571.284022] ? asm_exc_general_protection+0x22/0x30 [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs] [337571.284803] ? _raw_spin_unlock+0x15/0x30 [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs] [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs] [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs] [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410 [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs] [337571.286358] ? mod_objcg_state+0xd2/0x360 [337571.286577] ? refill_obj_stock+0xb0/0x160 [337571.286798] ? seq_release+0x25/0x30 [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0 [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0 [337571.287455] ? __x64_sys_ioctl+0x88/0xc0 [337571.287675] __x64_sys_ioctl+0x88/0xc0 [337571.287901] do_syscall_64+0x38/0x90 [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc [337571.288352] RIP: 0033:0x7f478aaffe9b
So fix this by locking struct btrfs_fs_info::trans_lock before deleting the quota root from that list.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in btrfs quota root deletion from the dirty cow roots list can cause a kernel crash.
Vulnerability
CVE-2023-54032 describes a race condition in the Linux kernel's btrfs filesystem. When disabling quotas, the quota root is removed from the fs_info->dirty_cowonly_roots list without holding the trans_lock spinlock that protects it. This unsynchronized list manipulation can collide with a concurrent addition to the same list via add_root_to_dirty_list(), leading to list corruption.
Exploitation
The vulnerability is triggered during a race between the quota disable operation and any other operation that adds a root to the dirty cowonly roots list. No special privileges beyond the ability to trigger btrfs quota operations are required; the attacker must be able to cause a specific timing window. The race results in a corrupted linked list, which is later traversed by commit_cowonly_roots() during a transaction commit.
Impact
Successful exploitation causes a general protection fault (GPF) as shown in the crash report, leading to a kernel panic and denial of service. The crash occurs when commit_cowonly_roots() dereferences a corrupted list pointer, as seen in the RIP and RDX register values (dead000000000100). This can render the system unavailable.
Mitigation
The fix is to hold trans_lock while deleting the quota root from the quota root from the list, ensuring proper synchronization. Patches have been applied to the stable kernel branches as referenced in the commit history [1][2][3][4]. Users should update to a kernel version containing the fix.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
8365f318da7386da229754099679c34821ab76819bb0b85527ba0da31dd4aa53d78d9a855a5cdc4012efab31cb5a6eb7aVulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- git.kernel.org/stable/c/365f318da7384cbac5de6b9c098914888a4d63e7nvd
- git.kernel.org/stable/c/679c34821ab7cd93c8ccb96fbf57fc44848a78bcnvd
- git.kernel.org/stable/c/6819bb0b8552dcc5f82ca606c8911b8c67e0628fnvd
- git.kernel.org/stable/c/6da229754099518cfa27cbfcd0fd042618785fadnvd
- git.kernel.org/stable/c/7ba0da31dd4a8fd24d416016c538a95a5664ff02nvd
- git.kernel.org/stable/c/a53d78d9a8551e72c46ded23e8b0a56e55d32032nvd
- git.kernel.org/stable/c/a5cdc4012efa808e07d073c11dc2f366b5394ad3nvd
- git.kernel.org/stable/c/b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79nvd
News mentions
0No linked articles in our index yet.