{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-54158","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-24T13:02:52.530Z","datePublished":"2025-12-24T13:07:07.438Z","dateUpdated":"2026-05-11T19:56:36.669Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:56:36.669Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't free qgroup space unless specified\n\nBoris noticed in his simple quotas testing that he was getting a leak\nwith Sweet Tea's change to subvol create that stopped doing a\ntransaction commit.  This was just a side effect of that change.\n\nIn the delayed inode code we have an optimization that will free extra\nreservations if we think we can pack a dir item into an already modified\nleaf.  Previously this wouldn't be triggered in the subvolume create\ncase because we'd commit the transaction, it was still possible but\nmuch harder to trigger.  It could actually be triggered if we did a\nmkdir && subvol create with qgroups enabled.\n\nThis occurs because in btrfs_insert_delayed_dir_index(), which gets\ncalled when we're adding the dir item, we do the following:\n\n  btrfs_block_rsv_release(fs_info, trans->block_rsv, bytes, NULL);\n\nif we're able to skip reserving space.\n\nThe problem here is that trans->block_rsv points at the temporary block\nrsv for the subvolume create, which has qgroup reservations in the block\nrsv.\n\nThis is a problem because btrfs_block_rsv_release() will do the\nfollowing:\n\n  if (block_rsv->qgroup_rsv_reserved >= block_rsv->qgroup_rsv_size) {\n\t  qgroup_to_release = block_rsv->qgroup_rsv_reserved -\n\t\t  block_rsv->qgroup_rsv_size;\n\t  block_rsv->qgroup_rsv_reserved = block_rsv->qgroup_rsv_size;\n  }\n\nThe temporary block rsv just has ->qgroup_rsv_reserved set,\n->qgroup_rsv_size == 0.  The optimization in\nbtrfs_insert_delayed_dir_index() sets ->qgroup_rsv_reserved = 0.  Then\nlater on when we call btrfs_subvolume_release_metadata() which has\n\n  btrfs_block_rsv_release(fs_info, rsv, (u64)-1, &qgroup_to_release);\n  btrfs_qgroup_convert_reserved_meta(root, qgroup_to_release);\n\nqgroup_to_release is set to 0, and we do not convert the reserved\nmetadata space.\n\nThe problem here is that the block rsv code has been unconditionally\nmessing with ->qgroup_rsv_reserved, because the main place this is used\nis delalloc, and any time we call btrfs_block_rsv_release() we do it\nwith qgroup_to_release set, and thus do the proper accounting.\n\nThe subvolume code is the only other code that uses the qgroup\nreservation stuff, but it's intermingled with the above optimization,\nand thus was getting its reservation freed out from underneath it and\nthus leaking the reserved space.\n\nThe solution is to simply not mess with the qgroup reservations if we\ndon't have qgroup_to_release set.  This works with the existing code as\nanything that messes with the delalloc reservations always have\nqgroup_to_release set.  This fixes the leak that Boris was observing."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/btrfs/block-rsv.c"],"versions":[{"version":"ff6bc37eb7f6e7b052e50c13a480e1080b3ec07a","lessThan":"1e05bf5e80bb1161b7294c9ce5292b26232ab853","status":"affected","versionType":"git"},{"version":"ff6bc37eb7f6e7b052e50c13a480e1080b3ec07a","lessThan":"148b16cd30b202999ec5b534e3e5d8ab4b766f21","status":"affected","versionType":"git"},{"version":"ff6bc37eb7f6e7b052e50c13a480e1080b3ec07a","lessThan":"f264be24146bee2d652010a18ae2517df5856261","status":"affected","versionType":"git"},{"version":"ff6bc37eb7f6e7b052e50c13a480e1080b3ec07a","lessThan":"15e877e5923ec6d6caa5e447dcc4b79a8ff7cc53","status":"affected","versionType":"git"},{"version":"ff6bc37eb7f6e7b052e50c13a480e1080b3ec07a","lessThan":"04ff6bd0317735791ef3e443c7c89f3c0dda548d","status":"affected","versionType":"git"},{"version":"ff6bc37eb7f6e7b052e50c13a480e1080b3ec07a","lessThan":"478bd15f46b6e3aae78aac4f3788697f1546eea6","status":"affected","versionType":"git"},{"version":"ff6bc37eb7f6e7b052e50c13a480e1080b3ec07a","lessThan":"d246331b78cbef86237f9c22389205bc9b4e1cc1","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/btrfs/block-rsv.c"],"versions":[{"version":"4.17","status":"affected"},{"version":"0","lessThan":"4.17","status":"unaffected","versionType":"semver"},{"version":"5.4.243","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.180","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.112","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.29","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.2.16","lessThanOrEqual":"6.2.*","status":"unaffected","versionType":"semver"},{"version":"6.3.3","lessThanOrEqual":"6.3.*","status":"unaffected","versionType":"semver"},{"version":"6.4","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"5.4.243"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"5.10.180"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"5.15.112"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"6.1.29"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"6.2.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"6.3.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.17","versionEndExcluding":"6.4"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1e05bf5e80bb1161b7294c9ce5292b26232ab853"},{"url":"https://git.kernel.org/stable/c/148b16cd30b202999ec5b534e3e5d8ab4b766f21"},{"url":"https://git.kernel.org/stable/c/f264be24146bee2d652010a18ae2517df5856261"},{"url":"https://git.kernel.org/stable/c/15e877e5923ec6d6caa5e447dcc4b79a8ff7cc53"},{"url":"https://git.kernel.org/stable/c/04ff6bd0317735791ef3e443c7c89f3c0dda548d"},{"url":"https://git.kernel.org/stable/c/478bd15f46b6e3aae78aac4f3788697f1546eea6"},{"url":"https://git.kernel.org/stable/c/d246331b78cbef86237f9c22389205bc9b4e1cc1"}],"title":"btrfs: don't free qgroup space unless specified","x_generator":{"engine":"bippy-1.2.0"}}}}