CVE-2023-52737
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-52737
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52737.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2023-52737
- Downstream
- Related
- Published
- 2024-05-21T15:23:01Z
- Modified
- 2025-10-08T16:36:42.488435Z
- Summary
- btrfs: lock the inode in shared mode before starting fiemap
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
btrfs: lock the inode in shared mode before starting fiemap
Currently fiemap does not take the inode's lock (VFS lock), it only locks a file range in the inode's io tree. This however can lead to a deadlock if we have a concurrent fsync on the file and fiemap code triggers a fault when accessing the user space buffer with fiemapfillnextextent(). The deadlock happens on the inode's immaplock semaphore, which is taken both by fsync and btrfspage_mkwrite(). This deadlock was recently reported by syzbot and triggers a trace like the following:
task:syz-executor361 state:D stack:20264 pid:5668 ppid:5119 flags:0x00004004 Call Trace: <TASK> contextswitch kernel/sched/core.c:5293 [inline] _schedule+0x995/0xe20 kernel/sched/core.c:6606 schedule+0xcb/0x190 kernel/sched/core.c:6682 waitonstate fs/btrfs/extent-io-tree.c:707 [inline] waitextentbit+0x577/0x6f0 fs/btrfs/extent-io-tree.c:751 lockextent+0x1c2/0x280 fs/btrfs/extent-io-tree.c:1742 findlockdelallocrange+0x4e6/0x9c0 fs/btrfs/extentio.c:488 writepagedelalloc+0x1ef/0x540 fs/btrfs/extentio.c:1863 _extentwritepage+0x736/0x14e0 fs/btrfs/extentio.c:2174 extentwritecachepages+0x983/0x1220 fs/btrfs/extentio.c:3091 extentwritepages+0x219/0x540 fs/btrfs/extentio.c:3211 dowritepages+0x3c3/0x680 mm/page-writeback.c:2581 filemapfdatawritewbc+0x11e/0x170 mm/filemap.c:388 _filemapfdatawriterange mm/filemap.c:421 [inline] filemapfdatawriterange+0x175/0x200 mm/filemap.c:439 btrfsfdatawriterange fs/btrfs/file.c:3850 [inline] startorderedops fs/btrfs/file.c:1737 [inline] btrfssyncfile+0x4ff/0x1190 fs/btrfs/file.c:1839 genericwritesync include/linux/fs.h:2885 [inline] btrfsdowriteiter+0xcd3/0x1280 fs/btrfs/file.c:1684 callwriteiter include/linux/fs.h:2189 [inline] newsyncwrite fs/readwrite.c:491 [inline] vfswrite+0x7dc/0xc50 fs/readwrite.c:584 ksyswrite+0x177/0x2a0 fs/readwrite.c:637 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x3d/0xb0 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x63/0xcd RIP: 0033:0x7f7d4054e9b9 RSP: 002b:00007f7d404fa2f8 EFLAGS: 00000246 ORIGRAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007f7d405d87a0 RCX: 00007f7d4054e9b9 RDX: 0000000000000090 RSI: 0000000020000000 RDI: 0000000000000006 RBP: 00007f7d405a51d0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 61635f65646f6e69 R13: 65646f7475616f6e R14: 7261637369646f6e R15: 00007f7d405d87a8 </TASK> INFO: task syz-executor361:5697 blocked for more than 145 seconds. Not tainted 6.2.0-rc3-syzkaller-00376-g7c6984405241 #0 "echo 0 > /proc/sys/kernel/hungtasktimeoutsecs" disables this message. task:syz-executor361 state:D stack:21216 pid:5697 ppid:5119 flags:0x00004004 Call Trace: <TASK> contextswitch kernel/sched/core.c:5293 [inline] _schedule+0x995/0xe20 kernel/sched/core.c:6606 schedule+0xcb/0x190 kernel/sched/core.c:6682 rwsemdownreadslowpath+0x5f9/0x930 kernel/locking/rwsem.c:1095 _downreadcommon+0x54/0x2a0 kernel/locking/rwsem.c:1260 btrfspagemkwrite+0x417/0xc80 fs/btrfs/inode.c:8526 dopagemkwrite+0x19e/0x5e0 mm/memory.c:2947 wppageshared+0x15e/0x380 mm/memory.c:3295 handleptefault mm/memory.c:4949 [inline] _handlemmfault mm/memory.c:5073 [inline] handlemmfault+0x1b79/0x26b0 mm/memory.c:5219 douseraddrfault+0x69b/0xcb0 arch/x86/mm/fault.c:1428 handlepagefault arch/x86/mm/fault.c:1519 [inline] excpagefault+0x7a/0x110 arch/x86/mm/fault.c:1575 asmexcpagefault+0x22/0x30 arch/x86/include/asm/idtentry.h:570 RIP: 0010:copyusershortstring+0xd/0x40 arch/x86/lib/copyuser64.S:233 Code: 74 0a 89 (...) RSP: 0018:ffffc9000570f330 EFLAGS: 000502 ---truncated---
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced1da177e4c3f41524e886b7f1b8a0c1fc7321cac2Fixedd8c594da79bc0244e610a70594e824a401802be1
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced1da177e4c3f41524e886b7f1b8a0c1fc7321cac2Fixed519b7e13b5ae8dd38da1e52275705343be6bb508
Affected versions
v2.*
v3.*
v4.*
v5.*
v6.*
Database specific
{
"vanir_signatures": [
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@519b7e13b5ae8dd38da1e52275705343be6bb508",
"target": {
"file": "fs/btrfs/extent_io.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"159833261273909840249773836235399471786",
"49698412721928003230256306503559065998",
"113134979690707017332851562661634733240",
"141211811701230245259060801420985295503",
"201206265183316197064261852415295312912",
"175590778043303895893720479571695875220",
"76551038042186119585176656535508394474"
]
},
"deprecated": false,
"id": "CVE-2023-52737-2161d630",
"signature_type": "Line",
"signature_version": "v1"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@519b7e13b5ae8dd38da1e52275705343be6bb508",
"target": {
"function": "extent_fiemap",
"file": "fs/btrfs/extent_io.c"
},
"digest": {
"length": 3661.0,
"function_hash": "118837471559266380709892225289737550300"
},
"deprecated": false,
"id": "CVE-2023-52737-fe3de065",
"signature_type": "Function",
"signature_version": "v1"
}
]
}