CVE-2021-46958 (GCVE-0-2021-46958)

Vulnerability from cvelistv5 – Published: 2024-02-27 18:46 – Updated: 2025-05-04 07:01
VLAI?
Title
btrfs: fix race between transaction aborts and fsyncs leading to use-after-free
Summary
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race between transaction aborts and fsyncs leading to use-after-free There is a race between a task aborting a transaction during a commit, a task doing an fsync and the transaction kthread, which leads to an use-after-free of the log root tree. When this happens, it results in a stack trace like the following: BTRFS info (device dm-0): forced readonly BTRFS warning (device dm-0): Skipping commit of aborted transaction. BTRFS: error (device dm-0) in cleanup_transaction:1958: errno=-5 IO failure BTRFS warning (device dm-0): lost page write due to IO error on /dev/mapper/error-test (-5) BTRFS warning (device dm-0): Skipping commit of aborted transaction. BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0xa4e8 len 4096 err no 10 BTRFS error (device dm-0): error writing primary super block to device 1 BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e000 len 4096 err no 10 BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e008 len 4096 err no 10 BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e010 len 4096 err no 10 BTRFS: error (device dm-0) in write_all_supers:4110: errno=-5 IO failure (1 errors while writing supers) BTRFS: error (device dm-0) in btrfs_sync_log:3308: errno=-5 IO failure general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b68: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI CPU: 2 PID: 2458471 Comm: fsstress Not tainted 5.12.0-rc5-btrfs-next-84 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 RIP: 0010:__mutex_lock+0x139/0xa40 Code: c0 74 19 (...) RSP: 0018:ffff9f18830d7b00 EFLAGS: 00010202 RAX: 6b6b6b6b6b6b6b68 RBX: 0000000000000001 RCX: 0000000000000002 RDX: ffffffffb9c54d13 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff9f18830d7bc0 R08: 0000000000000000 R09: 0000000000000000 R10: ffff9f18830d7be0 R11: 0000000000000001 R12: ffff8c6cd199c040 R13: ffff8c6c95821358 R14: 00000000fffffffb R15: ffff8c6cbcf01358 FS: 00007fa9140c2b80(0000) GS:ffff8c6fac600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa913d52000 CR3: 000000013d2b4003 CR4: 0000000000370ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? __btrfs_handle_fs_error+0xde/0x146 [btrfs] ? btrfs_sync_log+0x7c1/0xf20 [btrfs] ? btrfs_sync_log+0x7c1/0xf20 [btrfs] btrfs_sync_log+0x7c1/0xf20 [btrfs] btrfs_sync_file+0x40c/0x580 [btrfs] do_fsync+0x38/0x70 __x64_sys_fsync+0x10/0x20 do_syscall_64+0x33/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fa9142a55c3 Code: 8b 15 09 (...) RSP: 002b:00007fff26278d48 EFLAGS: 00000246 ORIG_RAX: 000000000000004a RAX: ffffffffffffffda RBX: 0000563c83cb4560 RCX: 00007fa9142a55c3 RDX: 00007fff26278cb0 RSI: 00007fff26278cb0 RDI: 0000000000000005 RBP: 0000000000000005 R08: 0000000000000001 R09: 00007fff26278d5c R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000340 R13: 00007fff26278de0 R14: 00007fff26278d96 R15: 0000563c83ca57c0 Modules linked in: btrfs dm_zero dm_snapshot dm_thin_pool (...) ---[ end trace ee2f1b19327d791d ]--- The steps that lead to this crash are the following: 1) We are at transaction N; 2) We have two tasks with a transaction handle attached to transaction N. Task A and Task B. Task B is doing an fsync; 3) Task B is at btrfs_sync_log(), and has saved fs_info->log_root_tree into a local variable named 'log_root_tree' at the top of btrfs_sync_log(). Task B is about to call write_all_supers(), but before that... 4) Task A calls btrfs_commit_transaction(), and after it sets the transaction state to TRANS_STATE_COMMIT_START, an error happens before it w ---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: ef67963dac255b293e19815ea3d440567be4626f , < a4794be7b00b7eda4b45fffd283ab7d76df7e5d6 (git)
Affected: ef67963dac255b293e19815ea3d440567be4626f , < 633f7f216663587f17601eaa1cf2ac3d5654874c (git)
Affected: ef67963dac255b293e19815ea3d440567be4626f , < e2da98788369bfba1138bada72765c47989a4338 (git)
Affected: ef67963dac255b293e19815ea3d440567be4626f , < 061dde8245356d8864d29e25207aa4daa0be4d3c (git)
Create a notification for this product.
    Linux Linux Affected: 5.7
Unaffected: 0 , < 5.7 (semver)
Unaffected: 5.10.36 , ≤ 5.10.* (semver)
Unaffected: 5.11.20 , ≤ 5.11.* (semver)
Unaffected: 5.12.3 , ≤ 5.12.* (semver)
Unaffected: 5.13 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:17:42.988Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a4794be7b00b7eda4b45fffd283ab7d76df7e5d6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/633f7f216663587f17601eaa1cf2ac3d5654874c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e2da98788369bfba1138bada72765c47989a4338"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/061dde8245356d8864d29e25207aa4daa0be4d3c"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-46958",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-15T19:27:46.078537Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-15T19:28:05.836Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/transaction.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a4794be7b00b7eda4b45fffd283ab7d76df7e5d6",
              "status": "affected",
              "version": "ef67963dac255b293e19815ea3d440567be4626f",
              "versionType": "git"
            },
            {
              "lessThan": "633f7f216663587f17601eaa1cf2ac3d5654874c",
              "status": "affected",
              "version": "ef67963dac255b293e19815ea3d440567be4626f",
              "versionType": "git"
            },
            {
              "lessThan": "e2da98788369bfba1138bada72765c47989a4338",
              "status": "affected",
              "version": "ef67963dac255b293e19815ea3d440567be4626f",
              "versionType": "git"
            },
            {
              "lessThan": "061dde8245356d8864d29e25207aa4daa0be4d3c",
              "status": "affected",
              "version": "ef67963dac255b293e19815ea3d440567be4626f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/transaction.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.11.*",
              "status": "unaffected",
              "version": "5.11.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.12.*",
              "status": "unaffected",
              "version": "5.12.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.36",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.11.20",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.12.3",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.13",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race between transaction aborts and fsyncs leading to use-after-free\n\nThere is a race between a task aborting a transaction during a commit,\na task doing an fsync and the transaction kthread, which leads to an\nuse-after-free of the log root tree. When this happens, it results in a\nstack trace like the following:\n\n  BTRFS info (device dm-0): forced readonly\n  BTRFS warning (device dm-0): Skipping commit of aborted transaction.\n  BTRFS: error (device dm-0) in cleanup_transaction:1958: errno=-5 IO failure\n  BTRFS warning (device dm-0): lost page write due to IO error on /dev/mapper/error-test (-5)\n  BTRFS warning (device dm-0): Skipping commit of aborted transaction.\n  BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0xa4e8 len 4096 err no 10\n  BTRFS error (device dm-0): error writing primary super block to device 1\n  BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e000 len 4096 err no 10\n  BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e008 len 4096 err no 10\n  BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e010 len 4096 err no 10\n  BTRFS: error (device dm-0) in write_all_supers:4110: errno=-5 IO failure (1 errors while writing supers)\n  BTRFS: error (device dm-0) in btrfs_sync_log:3308: errno=-5 IO failure\n  general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b68: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI\n  CPU: 2 PID: 2458471 Comm: fsstress Not tainted 5.12.0-rc5-btrfs-next-84 #1\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n  RIP: 0010:__mutex_lock+0x139/0xa40\n  Code: c0 74 19 (...)\n  RSP: 0018:ffff9f18830d7b00 EFLAGS: 00010202\n  RAX: 6b6b6b6b6b6b6b68 RBX: 0000000000000001 RCX: 0000000000000002\n  RDX: ffffffffb9c54d13 RSI: 0000000000000000 RDI: 0000000000000000\n  RBP: ffff9f18830d7bc0 R08: 0000000000000000 R09: 0000000000000000\n  R10: ffff9f18830d7be0 R11: 0000000000000001 R12: ffff8c6cd199c040\n  R13: ffff8c6c95821358 R14: 00000000fffffffb R15: ffff8c6cbcf01358\n  FS:  00007fa9140c2b80(0000) GS:ffff8c6fac600000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007fa913d52000 CR3: 000000013d2b4003 CR4: 0000000000370ee0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   ? __btrfs_handle_fs_error+0xde/0x146 [btrfs]\n   ? btrfs_sync_log+0x7c1/0xf20 [btrfs]\n   ? btrfs_sync_log+0x7c1/0xf20 [btrfs]\n   btrfs_sync_log+0x7c1/0xf20 [btrfs]\n   btrfs_sync_file+0x40c/0x580 [btrfs]\n   do_fsync+0x38/0x70\n   __x64_sys_fsync+0x10/0x20\n   do_syscall_64+0x33/0x80\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n  RIP: 0033:0x7fa9142a55c3\n  Code: 8b 15 09 (...)\n  RSP: 002b:00007fff26278d48 EFLAGS: 00000246 ORIG_RAX: 000000000000004a\n  RAX: ffffffffffffffda RBX: 0000563c83cb4560 RCX: 00007fa9142a55c3\n  RDX: 00007fff26278cb0 RSI: 00007fff26278cb0 RDI: 0000000000000005\n  RBP: 0000000000000005 R08: 0000000000000001 R09: 00007fff26278d5c\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000340\n  R13: 00007fff26278de0 R14: 00007fff26278d96 R15: 0000563c83ca57c0\n  Modules linked in: btrfs dm_zero dm_snapshot dm_thin_pool (...)\n  ---[ end trace ee2f1b19327d791d ]---\n\nThe steps that lead to this crash are the following:\n\n1) We are at transaction N;\n\n2) We have two tasks with a transaction handle attached to transaction N.\n   Task A and Task B. Task B is doing an fsync;\n\n3) Task B is at btrfs_sync_log(), and has saved fs_info-\u003elog_root_tree\n   into a local variable named \u0027log_root_tree\u0027 at the top of\n   btrfs_sync_log(). Task B is about to call write_all_supers(), but\n   before that...\n\n4) Task A calls btrfs_commit_transaction(), and after it sets the\n   transaction state to TRANS_STATE_COMMIT_START, an error happens before\n   it w\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:01:10.945Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a4794be7b00b7eda4b45fffd283ab7d76df7e5d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/633f7f216663587f17601eaa1cf2ac3d5654874c"
        },
        {
          "url": "https://git.kernel.org/stable/c/e2da98788369bfba1138bada72765c47989a4338"
        },
        {
          "url": "https://git.kernel.org/stable/c/061dde8245356d8864d29e25207aa4daa0be4d3c"
        }
      ],
      "title": "btrfs: fix race between transaction aborts and fsyncs leading to use-after-free",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-46958",
    "datePublished": "2024-02-27T18:46:59.315Z",
    "dateReserved": "2024-02-27T18:42:55.939Z",
    "dateUpdated": "2025-05-04T07:01:10.945Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/a4794be7b00b7eda4b45fffd283ab7d76df7e5d6\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/633f7f216663587f17601eaa1cf2ac3d5654874c\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/e2da98788369bfba1138bada72765c47989a4338\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/061dde8245356d8864d29e25207aa4daa0be4d3c\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T05:17:42.988Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-46958\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-15T19:27:46.078537Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-15T19:28:02.844Z\"}}], \"cna\": {\"title\": \"btrfs: fix race between transaction aborts and fsyncs leading to use-after-free\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"ef67963dac255b293e19815ea3d440567be4626f\", \"lessThan\": \"a4794be7b00b7eda4b45fffd283ab7d76df7e5d6\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"ef67963dac255b293e19815ea3d440567be4626f\", \"lessThan\": \"633f7f216663587f17601eaa1cf2ac3d5654874c\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"ef67963dac255b293e19815ea3d440567be4626f\", \"lessThan\": \"e2da98788369bfba1138bada72765c47989a4338\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"ef67963dac255b293e19815ea3d440567be4626f\", \"lessThan\": \"061dde8245356d8864d29e25207aa4daa0be4d3c\", \"versionType\": \"git\"}], \"programFiles\": [\"fs/btrfs/transaction.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.7\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"5.7\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.10.36\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.11.20\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.11.*\"}, {\"status\": \"unaffected\", \"version\": \"5.12.3\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.12.*\"}, {\"status\": \"unaffected\", \"version\": \"5.13\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"fs/btrfs/transaction.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/a4794be7b00b7eda4b45fffd283ab7d76df7e5d6\"}, {\"url\": \"https://git.kernel.org/stable/c/633f7f216663587f17601eaa1cf2ac3d5654874c\"}, {\"url\": \"https://git.kernel.org/stable/c/e2da98788369bfba1138bada72765c47989a4338\"}, {\"url\": \"https://git.kernel.org/stable/c/061dde8245356d8864d29e25207aa4daa0be4d3c\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: fix race between transaction aborts and fsyncs leading to use-after-free\\n\\nThere is a race between a task aborting a transaction during a commit,\\na task doing an fsync and the transaction kthread, which leads to an\\nuse-after-free of the log root tree. When this happens, it results in a\\nstack trace like the following:\\n\\n  BTRFS info (device dm-0): forced readonly\\n  BTRFS warning (device dm-0): Skipping commit of aborted transaction.\\n  BTRFS: error (device dm-0) in cleanup_transaction:1958: errno=-5 IO failure\\n  BTRFS warning (device dm-0): lost page write due to IO error on /dev/mapper/error-test (-5)\\n  BTRFS warning (device dm-0): Skipping commit of aborted transaction.\\n  BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0xa4e8 len 4096 err no 10\\n  BTRFS error (device dm-0): error writing primary super block to device 1\\n  BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e000 len 4096 err no 10\\n  BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e008 len 4096 err no 10\\n  BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e010 len 4096 err no 10\\n  BTRFS: error (device dm-0) in write_all_supers:4110: errno=-5 IO failure (1 errors while writing supers)\\n  BTRFS: error (device dm-0) in btrfs_sync_log:3308: errno=-5 IO failure\\n  general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b68: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI\\n  CPU: 2 PID: 2458471 Comm: fsstress Not tainted 5.12.0-rc5-btrfs-next-84 #1\\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\\n  RIP: 0010:__mutex_lock+0x139/0xa40\\n  Code: c0 74 19 (...)\\n  RSP: 0018:ffff9f18830d7b00 EFLAGS: 00010202\\n  RAX: 6b6b6b6b6b6b6b68 RBX: 0000000000000001 RCX: 0000000000000002\\n  RDX: ffffffffb9c54d13 RSI: 0000000000000000 RDI: 0000000000000000\\n  RBP: ffff9f18830d7bc0 R08: 0000000000000000 R09: 0000000000000000\\n  R10: ffff9f18830d7be0 R11: 0000000000000001 R12: ffff8c6cd199c040\\n  R13: ffff8c6c95821358 R14: 00000000fffffffb R15: ffff8c6cbcf01358\\n  FS:  00007fa9140c2b80(0000) GS:ffff8c6fac600000(0000) knlGS:0000000000000000\\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n  CR2: 00007fa913d52000 CR3: 000000013d2b4003 CR4: 0000000000370ee0\\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\n  Call Trace:\\n   ? __btrfs_handle_fs_error+0xde/0x146 [btrfs]\\n   ? btrfs_sync_log+0x7c1/0xf20 [btrfs]\\n   ? btrfs_sync_log+0x7c1/0xf20 [btrfs]\\n   btrfs_sync_log+0x7c1/0xf20 [btrfs]\\n   btrfs_sync_file+0x40c/0x580 [btrfs]\\n   do_fsync+0x38/0x70\\n   __x64_sys_fsync+0x10/0x20\\n   do_syscall_64+0x33/0x80\\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\\n  RIP: 0033:0x7fa9142a55c3\\n  Code: 8b 15 09 (...)\\n  RSP: 002b:00007fff26278d48 EFLAGS: 00000246 ORIG_RAX: 000000000000004a\\n  RAX: ffffffffffffffda RBX: 0000563c83cb4560 RCX: 00007fa9142a55c3\\n  RDX: 00007fff26278cb0 RSI: 00007fff26278cb0 RDI: 0000000000000005\\n  RBP: 0000000000000005 R08: 0000000000000001 R09: 00007fff26278d5c\\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000340\\n  R13: 00007fff26278de0 R14: 00007fff26278d96 R15: 0000563c83ca57c0\\n  Modules linked in: btrfs dm_zero dm_snapshot dm_thin_pool (...)\\n  ---[ end trace ee2f1b19327d791d ]---\\n\\nThe steps that lead to this crash are the following:\\n\\n1) We are at transaction N;\\n\\n2) We have two tasks with a transaction handle attached to transaction N.\\n   Task A and Task B. Task B is doing an fsync;\\n\\n3) Task B is at btrfs_sync_log(), and has saved fs_info-\u003elog_root_tree\\n   into a local variable named \u0027log_root_tree\u0027 at the top of\\n   btrfs_sync_log(). Task B is about to call write_all_supers(), but\\n   before that...\\n\\n4) Task A calls btrfs_commit_transaction(), and after it sets the\\n   transaction state to TRANS_STATE_COMMIT_START, an error happens before\\n   it w\\n---truncated---\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.36\", \"versionStartIncluding\": \"5.7\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.11.20\", \"versionStartIncluding\": \"5.7\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.12.3\", \"versionStartIncluding\": \"5.7\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.13\", \"versionStartIncluding\": \"5.7\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T07:01:10.945Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2021-46958\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-04T07:01:10.945Z\", \"dateReserved\": \"2024-02-27T18:42:55.939Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-02-27T18:46:59.315Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.