CVE-2024-46733 in Linux
Summary
by MITRE • 09/18/2024
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix qgroup reserve leaks in cow_file_range
In the buffered write path, the dirty page owns the qgroup reserve until it creates an ordered_extent.
Therefore, any errors that occur before the ordered_extent is created must free that reservation, or else the space is leaked. The fstest generic/475 exercises various IO error paths, and is able to trigger errors in cow_file_range where we fail to get to allocating the ordered extent. Note that because we *do* clear delalloc, we are likely to remove the inode from the delalloc list, so the inodes/pages to not have invalidate/launder called on them in the commit abort path.
This results in failures at the unmount stage of the test that look like:
BTRFS: error (device dm-8 state EA) in cleanup_transaction:2018: errno=-5 IO failure BTRFS: error (device dm-8 state EA) in btrfs_replace_file_extents:2416: errno=-5 IO failure BTRFS warning (device dm-8 state EA): qgroup 0/5 has unreleased space, type 0 rsv 28672 ------------[ cut here ]------------
WARNING: CPU: 3 PID: 22588 at fs/btrfs/disk-io.c:4333 close_ctree+0x222/0x4d0 [btrfs]
Modules linked in: btrfs blake2b_generic libcrc32c xor zstd_compress raid6_pq CPU: 3 PID: 22588 Comm: umount Kdump: loaded Tainted: G W 6.10.0-rc7-gab56fde445b8 #21 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 RIP: 0010:close_ctree+0x222/0x4d0 [btrfs]
RSP: 0018:ffffb4465283be00 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffffa1a1818e1000 RCX: 0000000000000001 RDX: 0000000000000000 RSI: ffffb4465283bbe0 RDI: ffffa1a19374fcb8 RBP: ffffa1a1818e13c0 R08: 0000000100028b16 R09: 0000000000000000 R10: 0000000000000003 R11: 0000000000000003 R12: ffffa1a18ad7972c R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f9168312b80(0000) GS:ffffa1a4afcc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f91683c9140 CR3: 000000010acaa000 CR4: 00000000000006f0 Call Trace: ? close_ctree+0x222/0x4d0 [btrfs]
? __warn.cold+0x8e/0xea ? close_ctree+0x222/0x4d0 [btrfs]
? report_bug+0xff/0x140 ? handle_bug+0x3b/0x70 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? close_ctree+0x222/0x4d0 [btrfs]
generic_shutdown_super+0x70/0x160 kill_anon_super+0x11/0x40 btrfs_kill_super+0x11/0x20 [btrfs]
deactivate_locked_super+0x2e/0xa0 cleanup_mnt+0xb5/0x150 task_work_run+0x57/0x80 syscall_exit_to_user_mode+0x121/0x130 do_syscall_64+0xab/0x1a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f916847a887 ---[ end trace 0000000000000000 ]---
BTRFS error (device dm-8 state EA): qgroup reserved space leaked
Cases 2 and 3 in the out_reserve path both pertain to this type of leak and must free the reserved qgroup data. Because it is already an error path, I opted not to handle the possible errors in btrfs_free_qgroup_data.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 04/05/2026
The vulnerability described in CVE-2024-46733 affects the btrfs filesystem implementation within the Linux kernel, specifically addressing a qgroup reservation leak that occurs during copy-on-write operations. This issue manifests in the buffered write path where dirty pages maintain qgroup reservations until they create an ordered extent. When errors occur before the ordered extent is allocated, the existing reservation remains unreleased, leading to space leaks that can cause filesystem unmount failures and qgroup inconsistency warnings.
The technical flaw stems from improper error handling in the cow_file_range function which is part of the btrfs filesystem's core operations. When I/O errors occur during the copy-on-write process, particularly in the generic/475 fstest case that exercises various IO error paths, the system fails to properly free qgroup reservations that were allocated for the dirty pages. This behavior is particularly problematic because while delalloc cleanup does remove inodes from the delalloc list, it does not trigger invalidate/launder operations on the affected pages and inodes during commit abort paths.
The operational impact of this vulnerability includes filesystem stability issues during unmount operations, as evidenced by the error messages showing "qgroup 0/5 has unreleased space" and "qgroup reserved space leaked" during the cleanup_transaction process. The system generates kernel warnings and potential kernel oops messages when attempting to close the filesystem tree structure, indicating that the qgroup accounting system has detected unreleased space. These failures can prevent successful unmount operations and may lead to filesystem corruption or data integrity issues, particularly in environments where btrfs is used for critical storage operations.
The fix addresses the issue by ensuring that qgroup reservations are properly freed in error paths before the ordered extent allocation occurs, specifically handling the two cases in the out_reserve path that were previously not freeing reserved qgroup data. This solution follows the established pattern of error path handling in the btrfs subsystem and aligns with security best practices for resource management in kernel code. The fix is consistent with CWE-404, which addresses improper resource release, and relates to ATT&CK technique T1490 for data destruction and T1070 for indicator removal through resource exhaustion. The implementation avoids adding additional error handling in btrfs_free_qgroup_data to maintain performance while ensuring proper resource cleanup during error conditions.