{"id":"CVE-2024-35798","summary":"btrfs: fix race in read_extent_buffer_pages()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race in read_extent_buffer_pages()\n\nThere are reports from tree-checker that detects corrupted nodes,\nwithout any obvious pattern so possibly an overwrite in memory.\nAfter some debugging it turns out there's a race when reading an extent\nbuffer the uptodate status can be missed.\n\nTo prevent concurrent reads for the same extent buffer,\nread_extent_buffer_pages() performs these checks:\n\n    /* (1) */\n    if (test_bit(EXTENT_BUFFER_UPTODATE, &eb-\u003ebflags))\n        return 0;\n\n    /* (2) */\n    if (test_and_set_bit(EXTENT_BUFFER_READING, &eb-\u003ebflags))\n        goto done;\n\nAt this point, it seems safe to start the actual read operation. Once\nthat completes, end_bbio_meta_read() does\n\n    /* (3) */\n    set_extent_buffer_uptodate(eb);\n\n    /* (4) */\n    clear_bit(EXTENT_BUFFER_READING, &eb-\u003ebflags);\n\nNormally, this is enough to ensure only one read happens, and all other\ncallers wait for it to finish before returning.  Unfortunately, there is\na racy interleaving:\n\n    Thread A | Thread B | Thread C\n    ---------+----------+---------\n       (1)   |          |\n             |    (1)   |\n       (2)   |          |\n       (3)   |          |\n       (4)   |          |\n             |    (2)   |\n             |          |    (1)\n\nWhen this happens, thread B kicks off an unnecessary read. Worse, thread\nC will see UPTODATE set and return immediately, while the read from\nthread B is still in progress.  This race could result in tree-checker\nerrors like this as the extent buffer is concurrently modified:\n\n    BTRFS critical (device dm-0): corrupted node, root=256\n    block=8550954455682405139 owner mismatch, have 11858205567642294356\n    expect [256, 18446744073709551360]\n\nFix it by testing UPTODATE again after setting the READING bit, and if\nit's been set, skip the unnecessary read.\n\n[ minor update of changelog ]","modified":"2026-04-02T11:51:07.715514Z","published":"2024-05-17T13:23:08.868Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/35xxx/CVE-2024-35798.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0427c8ef8bbb7f304de42ef51d69c960e165e052"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2885d54af2c2e1d910e20d5c8045bae40e02fbc1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3a25878a3378adce5d846300c9570f15aa7f7a80"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ef1e68236b9153c27cb7cf29ead0c532870d4215"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/35xxx/CVE-2024-35798.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35798"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d7172f52e9933b6ec9305e7fe6e829e3939dba04"},{"fixed":"0427c8ef8bbb7f304de42ef51d69c960e165e052"},{"fixed":"3a25878a3378adce5d846300c9570f15aa7f7a80"},{"fixed":"2885d54af2c2e1d910e20d5c8045bae40e02fbc1"},{"fixed":"ef1e68236b9153c27cb7cf29ead0c532870d4215"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-35798.json"}}],"schema_version":"1.7.5"}