CVE-2023-54158 - Vulnerability Details

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Link	Providers
https://git.kernel.org/stable/c/04ff6bd0317735791ef3e443c7c89f3c0dda548d
https://git.kernel.org/stable/c/148b16cd30b202999ec5b534e3e5d8ab4b766f21
https://git.kernel.org/stable/c/15e877e5923ec6d6caa5e447dcc4b79a8ff7cc53
https://git.kernel.org/stable/c/1e05bf5e80bb1161b7294c9ce5292b26232ab853
https://git.kernel.org/stable/c/478bd15f46b6e3aae78aac4f3788697f1546eea6
https://git.kernel.org/stable/c/d246331b78cbef86237f9c22389205bc9b4e1cc1
https://git.kernel.org/stable/c/f264be24146bee2d652010a18ae2517df5856261

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: btrfs: don't free qgroup space unless specified Boris noticed in his simple quotas testing that he was getting a leak with Sweet Tea's change to subvol create that stopped doing a transaction commit. This was just a side effect of that change. In the delayed inode code we have an optimization that will free extra reservations if we think we can pack a dir item into an already modified leaf. Previously this wouldn't be triggered in the subvolume create case because we'd commit the transaction, it was still possible but much harder to trigger. It could actually be triggered if we did a mkdir && subvol create with qgroups enabled. This occurs because in btrfs_insert_delayed_dir_index(), which gets called when we're adding the dir item, we do the following: btrfs_block_rsv_release(fs_info, trans->block_rsv, bytes, NULL); if we're able to skip reserving space. The problem here is that trans->block_rsv points at the temporary block rsv for the subvolume create, which has qgroup reservations in the block rsv. This is a problem because btrfs_block_rsv_release() will do the following: if (block_rsv->qgroup_rsv_reserved >= block_rsv->qgroup_rsv_size) { qgroup_to_release = block_rsv->qgroup_rsv_reserved - block_rsv->qgroup_rsv_size; block_rsv->qgroup_rsv_reserved = block_rsv->qgroup_rsv_size; } The temporary block rsv just has ->qgroup_rsv_reserved set, ->qgroup_rsv_size == 0. The optimization in btrfs_insert_delayed_dir_index() sets ->qgroup_rsv_reserved = 0. Then later on when we call btrfs_subvolume_release_metadata() which has btrfs_block_rsv_release(fs_info, rsv, (u64)-1, &qgroup_to_release); btrfs_qgroup_convert_reserved_meta(root, qgroup_to_release); qgroup_to_release is set to 0, and we do not convert the reserved metadata space. The problem here is that the block rsv code has been unconditionally messing with ->qgroup_rsv_reserved, because the main place this is used is delalloc, and any time we call btrfs_block_rsv_release() we do it with qgroup_to_release set, and thus do the proper accounting. The subvolume code is the only other code that uses the qgroup reservation stuff, but it's intermingled with the above optimization, and thus was getting its reservation freed out from underneath it and thus leaking the reserved space. The solution is to simply not mess with the qgroup reservations if we don't have qgroup_to_release set. This works with the existing code as anything that messes with the delalloc reservations always have qgroup_to_release set. This fixes the leak that Boris was observing.
Title		btrfs: don't free qgroup space unless specified
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/04ff6bd0317735791ef3e443c7c89f3c0dda548d https://git.kernel.org/stable/c/148b16cd30b202999ec5b534e3e5d8ab4b766f21 https://git.kernel.org/stable/c/15e877e5923ec6d6caa5e447dcc4b79a8ff7cc53 https://git.kernel.org/stable/c/1e05bf5e80bb1161b7294c9ce5292b26232ab853 https://git.kernel.org/stable/c/478bd15f46b6e3aae78aac4f3788697f1546eea6 https://git.kernel.org/stable/c/d246331b78cbef86237f9c22389205bc9b4e1cc1 https://git.kernel.org/stable/c/f264be24146bee2d652010a18ae2517df5856261

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-54158", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-24T13:02:52.530Z", "datePublished": "2025-12-24T13:07:07.438Z", "dateUpdated": "2025-12-24T13:07:07.438Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-24T13:07:07.438Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't free qgroup space unless specified\n\nBoris noticed in his simple quotas testing that he was getting a leak\nwith Sweet Tea's change to subvol create that stopped doing a\ntransaction commit. This was just a side effect of that change.\n\nIn the delayed inode code we have an optimization that will free extra\nreservations if we think we can pack a dir item into an already modified\nleaf. Previously this wouldn't be triggered in the subvolume create\ncase because we'd commit the transaction, it was still possible but\nmuch harder to trigger. It could actually be triggered if we did a\nmkdir && subvol create with qgroups enabled.\n\nThis occurs because in btrfs_insert_delayed_dir_index(), which gets\ncalled when we're adding the dir item, we do the following:\n\n btrfs_block_rsv_release(fs_info, trans->block_rsv, bytes, NULL);\n\nif we're able to skip reserving space.\n\nThe problem here is that trans->block_rsv points at the temporary block\nrsv for the subvolume create, which has qgroup reservations in the block\nrsv.\n\nThis is a problem because btrfs_block_rsv_release() will do the\nfollowing:\n\n if (block_rsv->qgroup_rsv_reserved >= block_rsv->qgroup_rsv_size) {\n\t qgroup_to_release = block_rsv->qgroup_rsv_reserved -\n\t\t block_rsv->qgroup_rsv_size;\n\t block_rsv->qgroup_rsv_reserved = block_rsv->qgroup_rsv_size;\n }\n\nThe temporary block rsv just has ->qgroup_rsv_reserved set,\n->qgroup_rsv_size == 0. The optimization in\nbtrfs_insert_delayed_dir_index() sets ->qgroup_rsv_reserved = 0. Then\nlater on when we call btrfs_subvolume_release_metadata() which has\n\n btrfs_block_rsv_release(fs_info, rsv, (u64)-1, &qgroup_to_release);\n btrfs_qgroup_convert_reserved_meta(root, qgroup_to_release);\n\nqgroup_to_release is set to 0, and we do not convert the reserved\nmetadata space.\n\nThe problem here is that the block rsv code has been unconditionally\nmessing with ->qgroup_rsv_reserved, because the main place this is used\nis delalloc, and any time we call btrfs_block_rsv_release() we do it\nwith qgroup_to_release set, and thus do the proper accounting.\n\nThe subvolume code is the only other code that uses the qgroup\nreservation stuff, but it's intermingled with the above optimization,\nand thus was getting its reservation freed out from underneath it and\nthus leaking the reserved space.\n\nThe solution is to simply not mess with the qgroup reservations if we\ndon't have qgroup_to_release set. This works with the existing code as\nanything that messes with the delalloc reservations always have\nqgroup_to_release set. This fixes the leak that Boris was observing."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/block-rsv.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "1e05bf5e80bb1161b7294c9ce5292b26232ab853", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "148b16cd30b202999ec5b534e3e5d8ab4b766f21", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "f264be24146bee2d652010a18ae2517df5856261", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "15e877e5923ec6d6caa5e447dcc4b79a8ff7cc53", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "04ff6bd0317735791ef3e443c7c89f3c0dda548d", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "478bd15f46b6e3aae78aac4f3788697f1546eea6", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "d246331b78cbef86237f9c22389205bc9b4e1cc1", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/block-rsv.c"], "versions": [{"version": "5.4.243", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.180", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.112", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.29", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.2.16", "lessThanOrEqual": "6.2.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.3.3", "lessThanOrEqual": "6.3.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.4", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.243"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.180"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.112"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.29"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1e05bf5e80bb1161b7294c9ce5292b26232ab853"}, {"url": "https://git.kernel.org/stable/c/148b16cd30b202999ec5b534e3e5d8ab4b766f21"}, {"url": "https://git.kernel.org/stable/c/f264be24146bee2d652010a18ae2517df5856261"}, {"url": "https://git.kernel.org/stable/c/15e877e5923ec6d6caa5e447dcc4b79a8ff7cc53"}, {"url": "https://git.kernel.org/stable/c/04ff6bd0317735791ef3e443c7c89f3c0dda548d"}, {"url": "https://git.kernel.org/stable/c/478bd15f46b6e3aae78aac4f3788697f1546eea6"}, {"url": "https://git.kernel.org/stable/c/d246331b78cbef86237f9c22389205bc9b4e1cc1"}], "title": "btrfs: don't free qgroup space unless specified", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't free qgroup space unless specified\n\nBoris noticed in his simple quotas testing that he was getting a leak\nwith Sweet Tea's change to subvol create that stopped doing a\ntransaction commit. This was just a side effect of that change.\n\nIn the delayed inode code we have an optimization that will free extra\nreservations if we think we can pack a dir item into an already modified\nleaf. Previously this wouldn't be triggered in the subvolume create\ncase because we'd commit the transaction, it was still possible but\nmuch harder to trigger. It could actually be triggered if we did a\nmkdir && subvol create with qgroups enabled.\n\nThis occurs because in btrfs_insert_delayed_dir_index(), which gets\ncalled when we're adding the dir item, we do the following:\n\n btrfs_block_rsv_release(fs_info, trans->block_rsv, bytes, NULL);\n\nif we're able to skip reserving space.\n\nThe problem here is that trans->block_rsv points at the temporary block\nrsv for the subvolume create, which has qgroup reservations in the block\nrsv.\n\nThis is a problem because btrfs_block_rsv_release() will do the\nfollowing:\n\n if (block_rsv->qgroup_rsv_reserved >= block_rsv->qgroup_rsv_size) {\n\t qgroup_to_release = block_rsv->qgroup_rsv_reserved -\n\t\t block_rsv->qgroup_rsv_size;\n\t block_rsv->qgroup_rsv_reserved = block_rsv->qgroup_rsv_size;\n }\n\nThe temporary block rsv just has ->qgroup_rsv_reserved set,\n->qgroup_rsv_size == 0. The optimization in\nbtrfs_insert_delayed_dir_index() sets ->qgroup_rsv_reserved = 0. Then\nlater on when we call btrfs_subvolume_release_metadata() which has\n\n btrfs_block_rsv_release(fs_info, rsv, (u64)-1, &qgroup_to_release);\n btrfs_qgroup_convert_reserved_meta(root, qgroup_to_release);\n\nqgroup_to_release is set to 0, and we do not convert the reserved\nmetadata space.\n\nThe problem here is that the block rsv code has been unconditionally\nmessing with ->qgroup_rsv_reserved, because the main place this is used\nis delalloc, and any time we call btrfs_block_rsv_release() we do it\nwith qgroup_to_release set, and thus do the proper accounting.\n\nThe subvolume code is the only other code that uses the qgroup\nreservation stuff, but it's intermingled with the above optimization,\nand thus was getting its reservation freed out from underneath it and\nthus leaking the reserved space.\n\nThe solution is to simply not mess with the qgroup reservations if we\ndon't have qgroup_to_release set. This works with the existing code as\nanything that messes with the delalloc reservations always have\nqgroup_to_release set. This fixes the leak that Boris was observing."}], "id": "CVE-2023-54158", "lastModified": "2025-12-24T13:16:17.850", "metrics": {}, "published": "2025-12-24T13:16:17.850", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/04ff6bd0317735791ef3e443c7c89f3c0dda548d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/148b16cd30b202999ec5b534e3e5d8ab4b766f21"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/15e877e5923ec6d6caa5e447dcc4b79a8ff7cc53"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1e05bf5e80bb1161b7294c9ce5292b26232ab853"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/478bd15f46b6e3aae78aac4f3788697f1546eea6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d246331b78cbef86237f9c22389205bc9b4e1cc1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f264be24146bee2d652010a18ae2517df5856261"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

Metrics

Affected Vendors & Products

Projects

Metrics

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object