CVE-2026-45934 in Linux
الملخص
بحسب VulDB • 27/05/2026
Based on the error message `BTRFS: error ... in btrfs_create_pending_block_groups:2876: errno=-17 Object already exists` and the observation of overlapping `chunk_maps`, here is an analysis of what is happening and how it could occur.
### 1. Understanding the Error
* **`errno=-17`**: This is `-EEXIST` ("File exists" or "Object already exists"). * **`btrfs_create_pending_block_groups`**: This function is called during chunk allocation. Btrfs maintains a "pending" list of block groups that are being created but not yet fully committed to the tree. * **The Core Issue**: Btrfs is trying to create a new block group (chunk) at a physical location that it *already believes* is occupied by another block group. The kernel's internal data structures (specifically the `chunk_map` or the extent tree) detect a conflict.
### 2. The Overlapping Chunk Maps
You observed: ``` Stripe 0: 0x0000000102500000 - 0x0000000142500000 (1.0G) Stripe 1: 0x0000000142500000 - 0x0000000182500000 (1.0G) Stripe 0: 0x0000000142500000 - 0x0000000182500000 (1.0G) <-- OVERLAPS with above Stripe 1 Stripe 1: 0x0000000182500000 - 0x00000001c2500000 (1.0G) ```
This is **physically impossible** in a correctly functioning Btrfs filesystem. A physical block on disk can only belong to one chunk at a time. The fact that `Stripe 1` of Chunk A and `Stripe 0` of Chunk B occupy the exact same physical range (`0x142500000 - 0x182500000`) indicates **corruption of the in-memory chunk allocation state** or **corruption of the on-disk metadata** that was loaded into memory.
### 3. How Could This Happen?
There are several potential causes, ranging from bugs to hardware issues:
#### A. Kernel Bug in Chunk Allocation (Most Likely for "Object Already Exists") The error `EEXIST` in `btrfs_create_pending_block_groups` suggests that the kernel's internal bookkeeping is inconsistent. Specifically: * **Race Condition**: If multiple threads are trying to allocate chunks concurrently (e.g., during heavy I/O, balance, or scrub), a race condition in the `btrfs_alloc_chunk()` or `btrfs_create_pending_block_groups()` functions could lead to two chunks being assigned the same physical range. * **Bug in `btrfs_find_free_chunk()`**: The function that finds free space might have a bug where it fails to properly mark a range as "in use" before another thread allocates it. * **Bug in `btrfs_add_block_group()`**: If the function that adds a block group to the tree fails to properly update the extent tree or the chunk map, subsequent allocations might not see the newly allocated range as occupied.
#### B. Memory Corruption * **Hardware Memory Error**: A bit flip in RAM could corrupt the `chunk_map` structure in memory, causing it to report overlapping ranges. This is rare but possible. * **Kernel Memory Corruption**: A bug elsewhere in the kernel (e.g., in a driver or subsystem) could overwrite memory belonging to Btrfs structures.
#### C. On-Disk Metadata Corruption * **Corrupted Extent Tree**: If the on-disk extent tree (which tracks which physical blocks belong to which logical blocks) is corrupted, Btrfs might load incorrect data into memory. When it tries to create a new chunk, it might see a conflict because the corrupted data says the range is already used. * **Corrupted Chunk Tree**: The chunk tree itself might be corrupted, leading to incorrect allocation decisions.
#### D. Filesystem Corruption Due to Improper Shutdown * If the system crashed or was powered off without a proper shutdown, Btrfs might have left pending transactions in an inconsistent state. On the next mount, it might try to replay these transactions, leading to conflicts.
### 4. How to Investigate Further
1. **Check Kernel Version**: * Are you running a
If you want to get best quality of vulnerability data, you may have to visit VulDB.