VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 30, 2025· Updated Apr 15, 2026

CVE-2023-54180

CVE-2023-54180

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: handle case when repair happens with dev-replace

[BUG] There is a bug report that a BUG_ON() in btrfs_repair_io_failure() (originally repair_io_failure() in v6.0 kernel) got triggered when replacing a unreliable disk:

BTRFS warning (device sda1): csum failed root 257 ino 2397453 off 39624704 csum 0xb0d18c75 expected csum 0x4dae9c5e mirror 3 kernel BUG at fs/btrfs/extent_io.c:2380! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 9 PID: 3614331 Comm: kworker/u257:2 Tainted: G OE 6.0.0-5-amd64 #1 Debian 6.0.10-2 Hardware name: Micro-Star International Co., Ltd. MS-7C60/TRX40 PRO WIFI (MS-7C60), BIOS 2.70 07/01/2021 Workqueue: btrfs-endio btrfs_end_bio_work [btrfs] RIP: 0010:repair_io_failure+0x24a/0x260 [btrfs] Call Trace:

clean_io_failure+0x14d/0x180 [btrfs] end_bio_extent_readpage+0x412/0x6e0 [btrfs] ? __switch_to+0x106/0x420 process_one_work+0x1c7/0x380 worker_thread+0x4d/0x380 ? rescuer_thread+0x3a0/0x3a0 kthread+0xe9/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30

[CAUSE]

Before the BUG_ON(), we got some read errors from the replace target first, note the mirror number (3, which is beyond RAID1 duplication, thus it's read from the replace target device).

Then at the BUG_ON() location, we are trying to writeback the repaired sectors back the failed device.

The check looks like this:

ret = btrfs_map_block(fs_info, BTRFS_MAP_WRITE, logical, &map_length, &bioc, mirror_num); if (ret) goto out_counter_dec; BUG_ON(mirror_num != bioc->mirror_num);

But inside btrfs_map_block(), we can modify bioc->mirror_num especially for dev-replace:

if (dev_replace_is_ongoing && mirror_num == map->num_stripes + 1 && !need_full_stripe(op) && dev_replace->tgtdev != NULL) { ret = get_extra_mirror_from_replace(fs_info, logical, *length, dev_replace->srcdev->devid, &mirror_num, &physical_to_patch_in_first_stripe); patch_the_first_stripe_for_dev_replace = 1; }

Thus if we're repairing the replace target device, we're going to trigger that BUG_ON().

But in reality, the read failure from the replace target device may be that, our replace hasn't reached the range we're reading, thus we're reading garbage, but with replace running, the range would be properly filled later.

Thus in that case, we don't need to do anything but let the replace routine to handle it.

[FIX] Instead of a BUG_ON(), just skip the repair if we're repairing the device replace target device.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A BUG_ON() in btrfs_repair_io_failure() can be triggered during device replace when a read error occurs on the replace target mirror number is used for writeback, causing a kernel panic.

Vulnerability

Overview

In the Linux kernel's btrfs filesystem, a BUG_ON() assertion in btrfs_repair_io_failure() (formerly repair_io_failure() in v6.0) can be triggered when a read error occurs on a device that is part of a device-replace operation. The bug manifests when a checksum mismatch is detected on mirror 3 (a mirror number beyond RAID1 duplication, indicating the read came from the replace target device), and the repair code attempts to write the corrected data back to the failed device.

Root

Cause

The root cause lies in the interaction between the repair path and btrfs_map_block(). At the BUG_ON() site, the code checks that the mirror number used for the write matches the mirror number returned by btrfs_map_block(). However, during an ongoing device replace, btrfs_map_block() can modify bioc->mirror_num via get_extra_mirror_from_replace(), causing a mismatch between the original mirror_num (3) and the adjusted value. This leads to the BUG_ON() being hit, resulting in a kernel panic [1].

Impact

An attacker with the ability to trigger read errors on a btrfs filesystem undergoing device replacement (e.g., by causing disk failures or injecting I/O errors) can cause a denial of service by crashing the system. The bug is reachable from the btrfs endio workqueue, meaning it can be triggered during normal read operations when a device replace is active.

Mitigation

The vulnerability is fixed in the Linux kernel by commit a7018b40b49c. Users should apply the stable kernel update containing this fix. There is no known workaround; avoiding concurrent device replace operations on unreliable disks may reduce risk, but the safest mitigation is to apply the patch.

References
  1. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

3
a7018b40b49c
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
53e9d6851b56
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
d73a27b86fc7
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.