{"id":"CVE-2024-56759","summary":"btrfs: fix use-after-free when COWing tree bock and tracing is enabled","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free when COWing tree bock and tracing is enabled\n\nWhen a COWing a tree block, at btrfs_cow_block(), and we have the\ntracepoint trace_btrfs_cow_block() enabled and preemption is also enabled\n(CONFIG_PREEMPT=y), we can trigger a use-after-free in the COWed extent\nbuffer while inside the tracepoint code. This is because in some paths\nthat call btrfs_cow_block(), such as btrfs_search_slot(), we are holding\nthe last reference on the extent buffer @buf so btrfs_force_cow_block()\ndrops the last reference on the @buf extent buffer when it calls\nfree_extent_buffer_stale(buf), which schedules the release of the extent\nbuffer with RCU. This means that if we are on a kernel with preemption,\nthe current task may be preempted before calling trace_btrfs_cow_block()\nand the extent buffer already released by the time trace_btrfs_cow_block()\nis called, resulting in a use-after-free.\n\nFix this by moving the trace_btrfs_cow_block() from btrfs_cow_block() to\nbtrfs_force_cow_block() before the COWed extent buffer is freed.\nThis also has a side effect of invoking the tracepoint in the tree defrag\ncode, at defrag.c:btrfs_realloc_node(), since btrfs_force_cow_block() is\ncalled there, but this is fine and it was actually missing there.","modified":"2026-04-02T12:25:13.536709Z","published":"2025-01-06T16:20:39.668Z","related":["SUSE-SU-2025:0289-1","SUSE-SU-2025:0428-1","SUSE-SU-2025:0499-1","SUSE-SU-2025:0555-1","SUSE-SU-2025:0556-1","SUSE-SU-2025:0557-1","SUSE-SU-2025:0565-1","SUSE-SU-2025:0576-1","SUSE-SU-2025:0577-1","SUSE-SU-2025:0577-2","SUSE-SU-2025:0603-1","SUSE-SU-2025:0771-1","SUSE-SU-2025:0867-1","SUSE-SU-2025:20165-1","SUSE-SU-2025:20166-1","SUSE-SU-2025:20248-1","SUSE-SU-2025:20249-1","USN-7379-2","USN-7380-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56759.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/44f52bbe96dfdbe4aca3818a2534520082a07040"},{"type":"WEB","url":"https://git.kernel.org/stable/c/526ff5b27f090fb15040471f892cd2c9899ce314"},{"type":"WEB","url":"https://git.kernel.org/stable/c/66376f1a73cba57fd0af2631d7888605b738e499"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9a466b8693b9add05de99af00c7bdff8259ecf19"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ba5120a2fb5f23b4d39d302e181aa5d4e28a90d1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c3a403d8ce36f5a809a492581de5ad17843e4701"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56759.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56759"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"3083ee2e18b701122a3b841db83448543a87a583"},{"fixed":"ba5120a2fb5f23b4d39d302e181aa5d4e28a90d1"},{"fixed":"526ff5b27f090fb15040471f892cd2c9899ce314"},{"fixed":"66376f1a73cba57fd0af2631d7888605b738e499"},{"fixed":"9a466b8693b9add05de99af00c7bdff8259ecf19"},{"fixed":"c3a403d8ce36f5a809a492581de5ad17843e4701"},{"fixed":"44f52bbe96dfdbe4aca3818a2534520082a07040"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-56759.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}