[lvc-project] btrfs task hung in `lock_extent` syzbot report and CVE-2024-35784, patch series v2

Andrey Kalachev kalachev at swemel.ru
Fri Nov 14 22:44:32 MSK 2025


> Hi.

> I've checked the C reproducer [1] on the 6.1.y branch and found that the repro still produces
> the crash on 6.1.y. I noticed that the syzbot bisection result [2]
> is incorrect: indeed, the hang was fixed by upstream commit b0ad381fa769
> ("btrfs: fix deadlock with fiemap and extent locking"). Also,
> I saw the CVE-2024-35784 [3][4] vulnerability, which has a direct relation to that syzbot
> report. Therefore, the syzbot reproducer provided an additional way to check for CVE-2024-35784.
> 
> I attempted to fix CVE-2024-35784 in stable 6.1.y (over v6.1.157), and
> found that the initial fix commit b0ad381fa769 ("btrfs: fix deadlock with
> fiemap and extent locking") introduced regressions [5][6].
> IMHO here is the minimum patch series to eliminate CVE-2024-35784 from 6.1.y:
>
> b0ad381fa769 ("btrfs: fix deadlock with fiemap and extent locking") (Initial fix of the CVE-2024-35784)
> a1a4a9ca77f1 ("btrfs: fix race between ordered extent completion and fiemap") (Fixes: b0ad381fa769)
> 978b63f7464a ("btrfs: fix race when detecting delalloc ranges during fiemap") (Fixes: b0ad381fa769)
> 1cab1375ba6d ("btrfs: reuse cloned extent buffer during fiemap to avoid re-allocations") (Optimization: 978b63f7464a)
> 53e24158684b ("btrfs: set start on clone before calling copy_extent_buffer_full") (Fixes: 1cab1375ba6d)

UPD:
Fedor Pchelkin reported that the first version of the patch series causes a failure in the generic/561 fstest.
Backporting the patch
  418b09027743 ("btrfs: ensure fiemap doesn't race with writes when FIEMAP_FLAG_SYNC is given")
fixes that.

Updated patch series looks like this:

b0ad381fa769 ("btrfs: fix deadlock with fiemap and extent locking") (Initial fix of the CVE-2024-35784)
a1a4a9ca77f1 ("btrfs: fix race between ordered extent completion and fiemap") (Fixes: b0ad381fa769)
418b09027743 ("btrfs: ensure fiemap doesn't race with writes when FIEMAP_FLAG_SYNC is given") (Fixes fail of generic/561 fstest)
978b63f7464a ("btrfs: fix race when detecting delalloc ranges during fiemap") (Fixes: b0ad381fa769)
1cab1375ba6d ("btrfs: reuse cloned extent buffer during fiemap to avoid re-allocations") (Optimization: 978b63f7464a)
53e24158684b ("btrfs: set start on clone before calling copy_extent_buffer_full") (Fixes: 1cab1375ba6d)

Also, in the previous cover letter I included the wrong C reproducer link;
the right one is:
  https://syzkaller.appspot.com/text?tag=ReproC&x=1262428c580000

Best regards,
AK

Reported-by: syzbot+f8217aae382555004877 at syzkaller.appspotmail.com
Reported-by: Fedor Pchelkin <pchelkin at ispras.ru>