CVE-2024-57806

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-57806
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-57806.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-57806
Downstream
Related
Published
2025-01-11T12:39:52Z
Modified
2025-10-17T19:33:02.617955Z
Summary
btrfs: fix transaction atomicity bug when enabling simple quotas
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix transaction atomicity bug when enabling simple quotas

Set squota incompat bit before committing the transaction that enables the feature.

With the config CONFIG_BTRFS_ASSERT enabled, an assertion failure occurs regarding the simple quota feature.

[5.596534] assertion failed: btrfs_fs_incompat(fs_info, SIMPLE_QUOTA), in fs/btrfs/qgroup.c:365
[5.597098] ------------[ cut here ]------------
[5.597371] kernel BUG at fs/btrfs/qgroup.c:365!
[5.597946] CPU: 1 UID: 0 PID: 268 Comm: mount Not tainted 6.13.0-rc2-00031-gf92f4749861b #146
[5.598450] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[5.599008] RIP: 0010:btrfs_read_qgroup_config+0x74d/0x7a0
[5.604303] <TASK>
[5.605230] ? btrfs_read_qgroup_config+0x74d/0x7a0
[5.605538] ? exc_invalid_op+0x56/0x70
[5.605775] ? btrfs_read_qgroup_config+0x74d/0x7a0
[5.606066] ? asm_exc_invalid_op+0x1f/0x30
[5.606441] ? btrfs_read_qgroup_config+0x74d/0x7a0
[5.606741] ? btrfs_read_qgroup_config+0x74d/0x7a0
[5.607038] ? try_to_wake_up+0x317/0x760
[5.607286] open_ctree+0xd9c/0x1710
[5.607509] btrfs_get_tree+0x58a/0x7e0
[5.608002] vfs_get_tree+0x2e/0x100
[5.608224] fc_mount+0x16/0x60
[5.608420] btrfs_get_tree+0x2f8/0x7e0
[5.608897] vfs_get_tree+0x2e/0x100
[5.609121] path_mount+0x4c8/0xbc0
[5.609538] __x64_sys_mount+0x10d/0x150

The issue can be easily reproduced using the following reproducer:

root@q:linux# cat repro.sh
set -e

mkfs.btrfs -q -f /dev/sdb
mount /dev/sdb /mnt/btrfs
btrfs quota enable -s /mnt/btrfs
umount /mnt/btrfs
mount /dev/sdb /mnt/btrfs

The issue is that when enabling quotas, at btrfs_quota_enable(), we set BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE at fs_info->qgroup_flags and persist it in the quota root in the item with the key BTRFS_QGROUP_STATUS_KEY, but we only set the incompat bit BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA after we commit the transaction used to enable simple quotas.

This means that if after that transaction commit we unmount the filesystem without starting and committing any other transaction, or we have a power failure, the next time we mount the filesystem we will find the flag BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE set in the item with the key BTRFS_QGROUP_STATUS_KEY but we will not find the incompat bit BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA set in the superblock, triggering an assertion failure at:

btrfs_read_qgroup_config() -> qgroup_read_enable_gen()

To fix this issue, set the BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA flag immediately after setting the BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE. This ensures that both flags are flushed to disk within the same transaction.
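The following is an added user-space model of the ordering problem described in the commit message above; it is not kernel code and is not part of the original advisory. It reduces btrfs to two persisted words (the superblock incompat bits and the qgroup status item flags), a transaction commit that writes the in-memory copies of both to "disk" together, and a crash that discards whatever was not committed. The bit values, struct names and function names are illustrative assumptions chosen to mirror the kernel's naming, not the kernel's definitions. The mount-time check stands in for the ASSERT in btrfs_read_qgroup_config(): a status item that says SIMPLE_MODE while the superblock lacks the incompat bit is the inconsistent state. The three scenarios show that the buggy ordering is only fatal when no further commit happens before the crash, which is exactly the window the reproducer hits with umount immediately after quota enable.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative bit values (assumption): the kernel defines the real
 * BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE and BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA
 * with their own values; only the pairing matters for this model. */
#define QGROUP_STATUS_FLAG_SIMPLE_MODE (1ULL << 3)
#define FEATURE_INCOMPAT_SIMPLE_QUOTA  (1ULL << 16)

/* What survives a power failure: only a transaction commit writes it. */
struct disk_state {
    uint64_t sb_incompat_flags;   /* superblock incompat bits */
    uint64_t qgroup_status_flags; /* flags in the qgroup status item */
};

/* In-memory state the running kernel has changed so far (fs_info analogue). */
struct fs_state {
    uint64_t incompat_flags;
    uint64_t qgroup_flags;
};

/* Transaction commit: every dirty in-memory word reaches disk atomically. */
static void commit_transaction(const struct fs_state *fs, struct disk_state *disk)
{
    disk->sb_incompat_flags = fs->incompat_flags;
    disk->qgroup_status_flags = fs->qgroup_flags;
}

/* Power failure, or unmount with no further commit: memory is rebuilt from disk. */
static void crash_and_remount(struct fs_state *fs, const struct disk_state *disk)
{
    fs->incompat_flags = disk->sb_incompat_flags;
    fs->qgroup_flags = disk->qgroup_status_flags;
}

/* Mount-time invariant modelled on the ASSERT in btrfs_read_qgroup_config():
 * SIMPLE_MODE in the status item requires the SIMPLE_QUOTA incompat bit.
 * Returns true when the on-disk state is consistent. */
static bool qgroup_config_consistent(const struct fs_state *fs)
{
    bool simple   = (fs->qgroup_flags & QGROUP_STATUS_FLAG_SIMPLE_MODE) != 0;
    bool incompat = (fs->incompat_flags & FEATURE_INCOMPAT_SIMPLE_QUOTA) != 0;
    return !simple || incompat;
}

/* Buggy ordering: the incompat bit is set only after the enabling commit,
 * so it is dirty in memory but not on disk when the crash happens. */
bool run_buggy_scenario(void)
{
    struct disk_state disk = {0};
    struct fs_state fs = {0};

    fs.qgroup_flags |= QGROUP_STATUS_FLAG_SIMPLE_MODE;
    commit_transaction(&fs, &disk);               /* status item persisted */
    fs.incompat_flags |= FEATURE_INCOMPAT_SIMPLE_QUOTA; /* too late for that commit */
    crash_and_remount(&fs, &disk);                /* umount with no other commit */
    return qgroup_config_consistent(&fs);         /* false: ASSERT would fire */
}

/* Same buggy ordering, but some later transaction commits before the crash:
 * the incompat bit rides along and the filesystem mounts fine. This is why
 * the bug only shows up in the narrow enable-then-unmount window. */
bool run_buggy_scenario_with_later_commit(void)
{
    struct disk_state disk = {0};
    struct fs_state fs = {0};

    fs.qgroup_flags |= QGROUP_STATUS_FLAG_SIMPLE_MODE;
    commit_transaction(&fs, &disk);
    fs.incompat_flags |= FEATURE_INCOMPAT_SIMPLE_QUOTA;
    commit_transaction(&fs, &disk);               /* any unrelated commit */
    crash_and_remount(&fs, &disk);
    return qgroup_config_consistent(&fs);         /* true */
}

/* Fixed ordering: both flags are dirtied before the single enabling commit,
 * so they reach disk together and no crash can separate them. */
bool run_fixed_scenario(void)
{
    struct disk_state disk = {0};
    struct fs_state fs = {0};

    fs.qgroup_flags |= QGROUP_STATUS_FLAG_SIMPLE_MODE;
    fs.incompat_flags |= FEATURE_INCOMPAT_SIMPLE_QUOTA;
    commit_transaction(&fs, &disk);
    crash_and_remount(&fs, &disk);
    return qgroup_config_consistent(&fs);         /* true */
}

int main(void)
{
    printf("buggy order, crash right after enable: %s\n",
           run_buggy_scenario() ? "consistent" : "INCONSISTENT (ASSERT would fire)");
    printf("buggy order, later commit, then crash: %s\n",
           run_buggy_scenario_with_later_commit() ? "consistent" : "INCONSISTENT");
    printf("fixed order, crash right after enable: %s\n",
           run_fixed_scenario() ? "consistent" : "INCONSISTENT");
    return 0;
}
```

The general rule the model illustrates: any feature flag that gates how persisted metadata is interpreted must be dirtied in the same transaction as that metadata, never after its commit, because the commit boundary is the only atomicity the filesystem guarantees across a power failure.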

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
182940f4f4dbd932776414744c8de64333957725
Fixed
b87c9b9ba05ba6e8e2ee9ecd29a8c930b35648ed
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
182940f4f4dbd932776414744c8de64333957725
Fixed
f2363e6fcc7938c5f0f6ac066fad0dd247598b51

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.2
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.6
v6.6-rc6
v6.6-rc7
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b87c9b9ba05ba6e8e2ee9ecd29a8c930b35648ed",
        "signature_version": "v1",
        "target": {
            "file": "fs/btrfs/qgroup.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "296252214400971197452926034785538861709",
                "337219910276361082763199672617548622723",
                "25543751297617680577011145644457927315",
                "21285986195595508050206733018601373840",
                "73645230012138523808995893029434165941",
                "286568352329815288157025517911322402680",
                "327191406361374201934890612629217333665",
                "168689701628805495270535891961129883007",
                "276454266598590575425112282897476391311"
            ]
        },
        "id": "CVE-2024-57806-43f247c0"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f2363e6fcc7938c5f0f6ac066fad0dd247598b51",
        "signature_version": "v1",
        "target": {
            "function": "btrfs_quota_enable",
            "file": "fs/btrfs/qgroup.c"
        },
        "digest": {
            "function_hash": "134469819910486891784619035123030673629",
            "length": 4749.0
        },
        "id": "CVE-2024-57806-a7a3900e"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f2363e6fcc7938c5f0f6ac066fad0dd247598b51",
        "signature_version": "v1",
        "target": {
            "file": "fs/btrfs/qgroup.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "296252214400971197452926034785538861709",
                "337219910276361082763199672617548622723",
                "25543751297617680577011145644457927315",
                "21285986195595508050206733018601373840",
                "73645230012138523808995893029434165941",
                "286568352329815288157025517911322402680",
                "327191406361374201934890612629217333665",
                "168689701628805495270535891961129883007",
                "276454266598590575425112282897476391311"
            ]
        },
        "id": "CVE-2024-57806-e55c6b7c"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b87c9b9ba05ba6e8e2ee9ecd29a8c930b35648ed",
        "signature_version": "v1",
        "target": {
            "function": "btrfs_quota_enable",
            "file": "fs/btrfs/qgroup.c"
        },
        "digest": {
            "function_hash": "134469819910486891784619035123030673629",
            "length": 4749.0
        },
        "id": "CVE-2024-57806-e5d9bf07"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.8