CVE-2024-44963: btrfs: do not BUG_ON() when freeing tree block after error

0.0 CVSS

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: do not BUG_ON() when freeing tree block after error

When freeing a tree block, at btrfs_free_tree_block(), if we fail to
create a delayed reference we don't deal with the error and just do a
BUG_ON(). The error most likely to happen is -ENOMEM, and we have a
comment mentioning that only -ENOMEM can happen, but that is not true,
because in case qgroups are enabled any error returned from
btrfs_qgroup_trace_extent_post() (can be -EUCLEAN or anything returned
from btrfs_search_slot() for example) can be propagated back to
btrfs_free_tree_block().

So stop doing a BUG_ON() and return the error to the callers and make
them abort the transaction to prevent leaking space. Syzbot was
triggering this, likely due to memory allocation failure injection.

Classification

CVE ID: CVE-2024-44963

CVSS Base Severity: LOW

CVSS Base Score: 0.0

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 5.06% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://git.kernel.org/stable/c/22d907bcd283d69d5e60497fc0d51969545c583b
https://git.kernel.org/stable/c/98251cd60b4d702a8a81de442ab621e83a3fb24f
https://git.kernel.org/stable/c/bb3868033a4cccff7be57e9145f2117cbdc91c11

Timeline

2024-12-10 00:31:24 UTC
CVE

btrfs: do not BUG_ON() when freeing tree block after error