{"id":"CVE-2023-54032","summary":"btrfs: fix race when deleting quota root from the dirty cow roots list","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race when deleting quota root from the dirty cow roots list\n\nWhen disabling quotas we are deleting the quota root from the list\nfs_info-\u003edirty_cowonly_roots without taking the lock that protects it,\nwhich is struct btrfs_fs_info::trans_lock. This unsynchronized list\nmanipulation may cause chaos if there's another concurrent manipulation\nof this list, such as when adding a root to it with\nctree.c:add_root_to_dirty_list().\n\nThis can result in all sorts of weird failures caused by a race, such as\nthe following crash:\n\n  [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI\n  [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G        W          6.4.0-rc6-btrfs-next-134+ #1\n  [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n  [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs]\n  [337571.279928] Code: 85 38 06 00 (...)\n  [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206\n  [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000\n  [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070\n  [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b\n  [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600\n  [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48\n  [337571.281723] FS:  00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000\n  [337571.281950] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0\n  [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  [337571.282874] Call Trace:\n  [337571.283101]  \u003cTASK\u003e\n  [337571.283327]  ? __die_body+0x1b/0x60\n  [337571.283570]  ? die_addr+0x39/0x60\n  [337571.283796]  ? exc_general_protection+0x22e/0x430\n  [337571.284022]  ? asm_exc_general_protection+0x22/0x30\n  [337571.284251]  ? commit_cowonly_roots+0x11f/0x250 [btrfs]\n  [337571.284531]  btrfs_commit_transaction+0x42e/0xf90 [btrfs]\n  [337571.284803]  ? _raw_spin_unlock+0x15/0x30\n  [337571.285031]  ? release_extent_buffer+0x103/0x130 [btrfs]\n  [337571.285305]  reset_balance_state+0x152/0x1b0 [btrfs]\n  [337571.285578]  btrfs_balance+0xa50/0x11e0 [btrfs]\n  [337571.285864]  ? __kmem_cache_alloc_node+0x14a/0x410\n  [337571.286086]  btrfs_ioctl+0x249a/0x3320 [btrfs]\n  [337571.286358]  ? mod_objcg_state+0xd2/0x360\n  [337571.286577]  ? refill_obj_stock+0xb0/0x160\n  [337571.286798]  ? seq_release+0x25/0x30\n  [337571.287016]  ? __rseq_handle_notify_resume+0x3ba/0x4b0\n  [337571.287235]  ? percpu_counter_add_batch+0x2e/0xa0\n  [337571.287455]  ? __x64_sys_ioctl+0x88/0xc0\n  [337571.287675]  __x64_sys_ioctl+0x88/0xc0\n  [337571.287901]  do_syscall_64+0x38/0x90\n  [337571.288126]  entry_SYSCALL_64_after_hwframe+0x72/0xdc\n  [337571.288352] RIP: 0033:0x7f478aaffe9b\n\nSo fix this by locking struct btrfs_fs_info::trans_lock before deleting\nthe quota root from that list.","modified":"2026-03-31T17:29:47.202038681Z","published":"2025-12-24T10:55:59.609Z","related":["SUSE-SU-2026:0278-1","SUSE-SU-2026:0281-1","SUSE-SU-2026:0293-1","SUSE-SU-2026:0315-1","SUSE-SU-2026:0316-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54032.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/365f318da7384cbac5de6b9c098914888a4d63e7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/679c34821ab7cd93c8ccb96fbf57fc44848a78bc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6819bb0b8552dcc5f82ca606c8911b8c67e0628f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6da229754099518cfa27cbfcd0fd042618785fad"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7ba0da31dd4a8fd24d416016c538a95a5664ff02"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a53d78d9a8551e72c46ded23e8b0a56e55d32032"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a5cdc4012efa808e07d073c11dc2f366b5394ad3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54032.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-54032"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"bed92eae26ccf280d1a2168b7509447b56675a27"},{"fixed":"365f318da7384cbac5de6b9c098914888a4d63e7"},{"fixed":"6da229754099518cfa27cbfcd0fd042618785fad"},{"fixed":"679c34821ab7cd93c8ccb96fbf57fc44848a78bc"},{"fixed":"6819bb0b8552dcc5f82ca606c8911b8c67e0628f"},{"fixed":"7ba0da31dd4a8fd24d416016c538a95a5664ff02"},{"fixed":"a53d78d9a8551e72c46ded23e8b0a56e55d32032"},{"fixed":"a5cdc4012efa808e07d073c11dc2f366b5394ad3"},{"fixed":"b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54032.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.6.0"},{"fixed":"4.14.322"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.15.0"},{"fixed":"4.19.291"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.20.0"},{"fixed":"5.4.251"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.188"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.121"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.39"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.4.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54032.json"}}],"schema_version":"1.7.5"}