{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-57806","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-01-11T12:32:49.322Z","datePublished":"2025-01-11T12:39:52.628Z","dateUpdated":"2025-05-04T10:05:14.076Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T10:05:14.076Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix transaction atomicity bug when enabling simple quotas\n\nSet squota incompat bit before committing the transaction that enables\nthe feature.\n\nWith the config CONFIG_BTRFS_ASSERT enabled, an assertion\nfailure occurs regarding the simple quota feature.\n\n  [5.596534] assertion failed: btrfs_fs_incompat(fs_info, SIMPLE_QUOTA), in fs/btrfs/qgroup.c:365\n  [5.597098] ------------[ cut here ]------------\n  [5.597371] kernel BUG at fs/btrfs/qgroup.c:365!\n  [5.597946] CPU: 1 UID: 0 PID: 268 Comm: mount Not tainted 6.13.0-rc2-00031-gf92f4749861b #146\n  [5.598450] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n  [5.599008] RIP: 0010:btrfs_read_qgroup_config+0x74d/0x7a0\n  [5.604303]  <TASK>\n  [5.605230]  ? btrfs_read_qgroup_config+0x74d/0x7a0\n  [5.605538]  ? exc_invalid_op+0x56/0x70\n  [5.605775]  ? btrfs_read_qgroup_config+0x74d/0x7a0\n  [5.606066]  ? asm_exc_invalid_op+0x1f/0x30\n  [5.606441]  ? btrfs_read_qgroup_config+0x74d/0x7a0\n  [5.606741]  ? btrfs_read_qgroup_config+0x74d/0x7a0\n  [5.607038]  ? try_to_wake_up+0x317/0x760\n  [5.607286]  open_ctree+0xd9c/0x1710\n  [5.607509]  btrfs_get_tree+0x58a/0x7e0\n  [5.608002]  vfs_get_tree+0x2e/0x100\n  [5.608224]  fc_mount+0x16/0x60\n  [5.608420]  btrfs_get_tree+0x2f8/0x7e0\n  [5.608897]  vfs_get_tree+0x2e/0x100\n  [5.609121]  path_mount+0x4c8/0xbc0\n  [5.609538]  __x64_sys_mount+0x10d/0x150\n\nThe issue can be easily reproduced using the following reproducer:\n\n  root@q:linux# cat repro.sh\n  set -e\n\n  mkfs.btrfs -q -f /dev/sdb\n  mount /dev/sdb /mnt/btrfs\n  btrfs quota enable -s /mnt/btrfs\n  umount /mnt/btrfs\n  mount /dev/sdb /mnt/btrfs\n\nThe issue is that when enabling quotas, at btrfs_quota_enable(), we set\nBTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE at fs_info->qgroup_flags and persist\nit in the quota root in the item with the key BTRFS_QGROUP_STATUS_KEY, but\nwe only set the incompat bit BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA after we\ncommit the transaction used to enable simple quotas.\n\nThis means that if after that transaction commit we unmount the filesystem\nwithout starting and committing any other transaction, or we have a power\nfailure, the next time we mount the filesystem we will find the flag\nBTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE set in the item with the key\nBTRFS_QGROUP_STATUS_KEY but we will not find the incompat bit\nBTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA set in the superblock, triggering an\nassertion failure at:\n\n  btrfs_read_qgroup_config() -> qgroup_read_enable_gen()\n\nTo fix this issue, set the BTRFS_FEATURE_INCOMPAT_SIMPLE_QUOTA flag\nimmediately after setting the BTRFS_QGROUP_STATUS_FLAG_SIMPLE_MODE.\nThis ensures that both flags are flushed to disk within the same\ntransaction."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/btrfs/qgroup.c"],"versions":[{"version":"182940f4f4dbd932776414744c8de64333957725","lessThan":"b87c9b9ba05ba6e8e2ee9ecd29a8c930b35648ed","status":"affected","versionType":"git"},{"version":"182940f4f4dbd932776414744c8de64333957725","lessThan":"f2363e6fcc7938c5f0f6ac066fad0dd247598b51","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/btrfs/qgroup.c"],"versions":[{"version":"6.7","status":"affected"},{"version":"0","lessThan":"6.7","status":"unaffected","versionType":"semver"},{"version":"6.12.8","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.13"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/b87c9b9ba05ba6e8e2ee9ecd29a8c930b35648ed"},{"url":"https://git.kernel.org/stable/c/f2363e6fcc7938c5f0f6ac066fad0dd247598b51"}],"title":"btrfs: fix transaction atomicity bug when enabling simple quotas","x_generator":{"engine":"bippy-1.2.0"}}}}