{"id":"CVE-2023-54080","summary":"btrfs: zoned: skip splitting and logical rewriting on pre-alloc write","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: skip splitting and logical rewriting on pre-alloc write\n\nWhen doing a relocation, there is a chance that at the time of\nbtrfs_reloc_clone_csums(), there is no checksum for the corresponding\nregion.\n\nIn this case, btrfs_finish_ordered_zoned()'s sum points to an invalid item\nand so ordered_extent's logical is set to some invalid value. Then,\nbtrfs_lookup_block_group() in btrfs_zone_finish_endio() failed to find a\nblock group and will hit an assert or a null pointer dereference as\nfollowing.\n\nThis can be reproduced by running btrfs/028 several times (e.g., 4 to 16\ntimes) with a null_blk setup. The device's zone size and capacity is set to\n32 MB and the storage size is set to 5 GB on my setup.\n\n    KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]\n    CPU: 6 PID: 3105720 Comm: kworker/u16:13 Tainted: G        W          6.5.0-rc6-kts+ #1\n    Hardware name: Supermicro Super Server/X10SRL-F, BIOS 2.0 12/17/2015\n    Workqueue: btrfs-endio-write btrfs_work_helper [btrfs]\n    RIP: 0010:btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]\n    Code: 41 54 49 89 fc 55 48 89 f5 53 e8 57 7d fc ff 48 8d b8 88 00 00 00 48 89 c3 48 b8 00 00 00 00 00\n    \u003e 3c 02 00 0f 85 02 01 00 00 f6 83 88 00 00 00 01 0f 84 a8 00 00\n    RSP: 0018:ffff88833cf87b08 EFLAGS: 00010206\n    RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\n    RDX: 0000000000000011 RSI: 0000000000000004 RDI: 0000000000000088\n    RBP: 0000000000000002 R08: 0000000000000001 R09: ffffed102877b827\n    R10: ffff888143bdc13b R11: ffff888125b1cbc0 R12: ffff888143bdc000\n    R13: 0000000000007000 R14: ffff888125b1cba8 R15: 0000000000000000\n    FS:  0000000000000000(0000) GS:ffff88881e500000(0000) knlGS:0000000000000000\n    CS:  0010 DS: 0000 ES: 0000 CR0: 
0000000080050033\n    CR2: 00007f3ed85223d5 CR3: 00000001519b4005 CR4: 00000000001706e0\n    Call Trace:\n     \u003cTASK\u003e\n     ? die_addr+0x3c/0xa0\n     ? exc_general_protection+0x148/0x220\n     ? asm_exc_general_protection+0x22/0x30\n     ? btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]\n     ? btrfs_zone_finish_endio.part.0+0x19/0x160 [btrfs]\n     btrfs_finish_one_ordered+0x7b8/0x1de0 [btrfs]\n     ? rcu_is_watching+0x11/0xb0\n     ? lock_release+0x47a/0x620\n     ? btrfs_finish_ordered_zoned+0x59b/0x800 [btrfs]\n     ? __pfx_btrfs_finish_one_ordered+0x10/0x10 [btrfs]\n     ? btrfs_finish_ordered_zoned+0x358/0x800 [btrfs]\n     ? __smp_call_single_queue+0x124/0x350\n     ? rcu_is_watching+0x11/0xb0\n     btrfs_work_helper+0x19f/0xc60 [btrfs]\n     ? __pfx_try_to_wake_up+0x10/0x10\n     ? _raw_spin_unlock_irq+0x24/0x50\n     ? rcu_is_watching+0x11/0xb0\n     process_one_work+0x8c1/0x1430\n     ? __pfx_lock_acquire+0x10/0x10\n     ? __pfx_process_one_work+0x10/0x10\n     ? __pfx_do_raw_spin_lock+0x10/0x10\n     ? _raw_spin_lock_irq+0x52/0x60\n     worker_thread+0x100/0x12c0\n     ? __kthread_parkme+0xc1/0x1f0\n     ? __pfx_worker_thread+0x10/0x10\n     kthread+0x2ea/0x3c0\n     ? __pfx_kthread+0x10/0x10\n     ret_from_fork+0x30/0x70\n     ? __pfx_kthread+0x10/0x10\n     ret_from_fork_asm+0x1b/0x30\n     \u003c/TASK\u003e\n\nOn the zoned mode, writing to pre-allocated region means data relocation\nwrite. Such write always uses WRITE command so there is no need of splitting\nand rewriting logical address. 
Thus, we can just skip the function for the\ncase.","modified":"2026-03-31T17:29:28.386682536Z","published":"2025-12-24T13:06:12.625Z","related":["SUSE-SU-2026:0278-1","SUSE-SU-2026:0281-1","SUSE-SU-2026:0293-1","SUSE-SU-2026:0315-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54080.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/c02d35d89b317994bd713ba82e160c5e7f22d9c8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d3cfa44164688a076e8b476cafb5df87d07cfa63"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54080.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-54080"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"cbfce4c7fbde23cc8bcba44822a58c728caf6ec9"},{"fixed":"d3cfa44164688a076e8b476cafb5df87d07cfa63"},{"fixed":"c02d35d89b317994bd713ba82e160c5e7f22d9c8"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54080.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.5.0"},{"fixed":"6.5.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54080.json"}}],"schema_version":"1.7.5"}