{"id":"CVE-2024-57975","summary":"btrfs: do proper folio cleanup when run_delalloc_nocow() failed","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do proper folio cleanup when run_delalloc_nocow() failed\n\n[BUG]\nWith CONFIG_DEBUG_VM set, test case generic/476 has some chance to crash\nwith the following VM_BUG_ON_FOLIO():\n\n  BTRFS error (device dm-3): cow_file_range failed, start 1146880 end 1253375 len 106496 ret -28\n  BTRFS error (device dm-3): run_delalloc_nocow failed, start 1146880 end 1253375 len 106496 ret -28\n  page: refcount:4 mapcount:0 mapping:00000000592787cc index:0x12 pfn:0x10664\n  aops:btrfs_aops [btrfs] ino:101 dentry name(?):\"f1774\"\n  flags: 0x2fffff80004028(uptodate|lru|private|node=0|zone=2|lastcpupid=0xfffff)\n  page dumped because: VM_BUG_ON_FOLIO(!folio_test_locked(folio))\n  ------------[ cut here ]------------\n  kernel BUG at mm/page-writeback.c:2992!\n  Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n  CPU: 2 UID: 0 PID: 3943513 Comm: kworker/u24:15 Tainted: G           OE      6.12.0-rc7-custom+ #87\n  Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n  Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022\n  Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]\n  pc : folio_clear_dirty_for_io+0x128/0x258\n  lr : folio_clear_dirty_for_io+0x128/0x258\n  Call trace:\n   folio_clear_dirty_for_io+0x128/0x258\n   btrfs_folio_clamp_clear_dirty+0x80/0xd0 [btrfs]\n   __process_folios_contig+0x154/0x268 [btrfs]\n   extent_clear_unlock_delalloc+0x5c/0x80 [btrfs]\n   run_delalloc_nocow+0x5f8/0x760 [btrfs]\n   btrfs_run_delalloc_range+0xa8/0x220 [btrfs]\n   writepage_delalloc+0x230/0x4c8 [btrfs]\n   extent_writepage+0xb8/0x358 [btrfs]\n   extent_write_cache_pages+0x21c/0x4e8 [btrfs]\n   btrfs_writepages+0x94/0x150 [btrfs]\n   do_writepages+0x74/0x190\n   filemap_fdatawrite_wbc+0x88/0xc8\n   start_delalloc_inodes+0x178/0x3a8 [btrfs]\n   btrfs_start_delalloc_roots+0x174/0x280 [btrfs]\n   shrink_delalloc+0x114/0x280 [btrfs]\n   flush_space+0x250/0x2f8 [btrfs]\n   btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]\n   process_one_work+0x164/0x408\n   worker_thread+0x25c/0x388\n   kthread+0x100/0x118\n   ret_from_fork+0x10/0x20\n  Code: 910a8021 a90363f7 a9046bf9 94012379 (d4210000)\n  ---[ end trace 0000000000000000 ]---\n\n[CAUSE]\nThe first two lines of extra debug messages show the problem is caused\nby the error handling of run_delalloc_nocow().\n\nE.g. we have the following dirtied range (4K blocksize 4K page size):\n\n    0                 16K                  32K\n    |//////////////////////////////////////|\n    |  Pre-allocated  |\n\nAnd the range [0, 16K) has a preallocated extent.\n\n- Enter run_delalloc_nocow() for range [0, 16K)\n  Which found range [0, 16K) is preallocated, can do the proper NOCOW\n  write.\n\n- Enter fallback_to_fow() for range [16K, 32K)\n  Since the range [16K, 32K) is not backed by preallocated extent, we\n  have to go COW.\n\n- cow_file_range() failed for range [16K, 32K)\n  So cow_file_range() will do the clean up by clearing folio dirty,\n  unlock the folios.\n\n  Now the folios in range [16K, 32K) is unlocked.\n\n- Enter extent_clear_unlock_delalloc() from run_delalloc_nocow()\n  Which is called with PAGE_START_WRITEBACK to start page writeback.\n  But folios can only be marked writeback when it's properly locked,\n  thus this triggered the VM_BUG_ON_FOLIO().\n\nFurthermore there is another hidden but common bug that\nrun_delalloc_nocow() is not clearing the folio dirty flags in its error\nhandling path.\nThis is the common bug shared between run_delalloc_nocow() and\ncow_file_range().\n\n[FIX]\n- Clear folio dirty for range [@start, @cur_offset)\n  Introduce a helper, cleanup_dirty_folios(), which\n  will find and lock the folio in the range, clear the dirty flag and\n  start/end the writeback, with the extra handling for the\n  @locked_folio.\n\n- Introduce a helper to clear folio dirty, start and end writeback\n\n- Introduce a helper to record the last failed COW range end\n  This is to trace which range we should skip, to avoid double\n  unlocking.\n\n- Skip the failed COW range for the e\n---truncated---","modified":"2026-04-02T12:25:26.240301Z","published":"2025-02-27T02:07:03.586Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/57xxx/CVE-2024-57975.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2434533f1c963e7317c45880c98287e5bed98325"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5ae72abbf91eb172ce3a838a4dc34be3c9707296"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c2b47df81c8e20a8e8cd94f0d7df211137ae94ed"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/57xxx/CVE-2024-57975.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-57975"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"17ca04aff7e6171df684b7b65804df8830eb8c15"},{"fixed":"5ae72abbf91eb172ce3a838a4dc34be3c9707296"},{"fixed":"2434533f1c963e7317c45880c98287e5bed98325"},{"fixed":"c2b47df81c8e20a8e8cd94f0d7df211137ae94ed"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-57975.json"}}],"schema_version":"1.7.5"}