CVE-2024-49932 Fix: Btrfs Readahead DoS in RAID Stripe Tree

A subtle race between Btrfs readahead and RAID stripe-tree lookups can trigger a kernel BUG that crashes systems performing block-group relocation — CVE-2024-49932 fixes this by skipping readahead of the relocation inode when the filesystem is backed by a RAID stripe tree, but operators must patch promptly and validate vendor backports to prevent denial‑of‑service in multi‑tenant or storage-heavy environments.

Background​

Btrfs is a feature-rich Linux filesystem that implements advanced features such as subvolumes, online balancing, and multiple RAID profiles. The relocation process used during a balance operation moves extents between block groups to rebalance space. During this relocation flow Btrfs may perform readahead on a relocation inode to prime cached data structures that speed subsequent I/O operations.
On certain RAID configurations that use the RAID stripe tree (RST) — commonly present in data and RAID0 profiles — a lookup for a stripe mapping can return ENOENT for preallocated extents that are not mapped in the stripe tree. When readahead does not correctly handle that lookup failure, the kernel may submit invalid block reads to the device layer, which in turn can provoke an assertion inside the scatter‑gather mapping code and a kernel BUG (panic / invalid opcode). This exact sequence is the essence of CVE‑2024‑49932. The vulnerability was discovered and fixed upstream with a small, targeted change: avoid performing readahead of the relocation inode when an RST-based mapping can produce ENOENT, preventing invalid reads from being submitted to the block layer. The patch landed in the stable kernel trees and was included in the 6.11.x stable flow as part of the usual stable‑backport process.

---

What the bug actually does — technical anatomy​

The failure window​

During relocation (for example, a btrfs balance -d -m -s invocation), Btrfs calculates new physical placements for logical extents and may perform readahead on a relocation inode to fetch metadata or extent maps. When the underlying mapping is provided by the RST, a lookup for a particular logical range can return ENOENT if an extent is preallocated but not yet mapped into the stripe tree.
Readahead code historically assumed the mapping lookup would succeed or at least return retryable outcomes; it did not account for ENOENT in this specific RST path. The readahead helper then submitted a bio/sglist with an invalid mapping into the block layer. The block subsystem’s scatter‑gather machinery asserted on the malformed sglist and the kernel hit a BUG, producing an oops/panic trace. The NVD and multiple vendor advisories reproduce the same trace pattern and stack information.

Why this matters operationally​

The bug is an availability problem first and foremost. The observed effects are kernel oops, panic, or invalid opcode faults that take a host offline until manual intervention or reboot. In environments where Btrfs is used for storage on hosts that serve many tenants — virtualization nodes, shared CI runners, cloud compute instances with Btrfs-backed images — a single triggered relocation event or crafted balance operation can cause a host‑wide outage. Because the attack vector is local (relying on filesystem operations and device mappings), the CVSS vector rates this as a local, medium‑impact availability issue.

---

Scope — who and what is affected​

• Linux kernels that include the vulnerable Btrfs relocation/readahead code prior to the upstream fixes are in scope. The stable upstream patch is referenced in the NVD entry and in the stable patch mailing lists.
• Realistic high‑risk systems:
• Hosts that mount Btrfs volumes with RAID profiles that rely on stripe tree mappings (for example RAID0, some RAID10/stripe hybrid layouts).
• Multi‑tenant or shared infrastructure where untrusted users can trigger Btrfs operations (e.g., guest images mounted via loopback, automated image ingestion pipelines).
• Storage nodes and virtualization hosts that perform frequent balancing/relocation operations.
• Low‑risk systems:
• Hosts that do not run Btrfs, or run Btrfs without RST-backed profiles, are likely unaffected in practice. Always verify kernel configuration and backport status.

---

What upstream changed — the patch and rationale​

The upstream change is small and surgical: it prevents the problematic readahead call on the relocation inode when the lookup into the RST can return ENOENT. Concretely, maintainers added a check that skips readahead in the RST path (the patch references a helper check such as a btrfs_need_stripetree_update‑style test in the change set). Avoiding readahead in this corner case prevents invalid sglist construction and the resulting assertion. This minimal change reduces the risk of regressions and is straightforward to backport. Upstream discussion and the stable patch archive show the commit (anchor commit referenced in the stable mails: 04915240e2c3a018e4c7f23418478d27226c8957) and its inclusion into the 6.11 stable set. Because kernel packaging differs across distributions, vendors translate that upstream commit into package updates or backports on different release branches. Administrators should consult their distribution advisories for the exact package versions that contain the fix.

---

Impact and exploitability​

• Primary impact: Denial of Service (DoS). Triggering the condition results in kernel assertion and host crash. The loss of availability can be sustained while the attacker continues the triggering operation or persistent until manual remediation.
• Complexity: Local — an attacker must be able to cause Btrfs relocation or balancing operations or control disk image supply. In many shared environments this requirement is realistic.
• Escalation potential: theoretical but not observed — the vulnerability is a reachable assertion in kernel code rather than a straightforward memory‑corruption primitive; current advisories and public telemetry focus on DoS rather than privilege escalation. Nevertheless, kernel assertions and malformed scatter‑gather submissions are serious and could, in theory, be used in more elaborate chains if combined with other faults; treat the chance as non‑zero and apply patches accordingly.

---

Verified facts and cross‑checks​

• NVD and multiple vendor/advisory trackers (Ubuntu Security, Debian/Rapid7, Amazon ALAS, OSV) describe the same root cause and remediation. This cross‑reference confirms the technical description and the upstream commit mapping.
• The upstream stable patch is present in the linux‑stable mirror and listed in the autosel patch queue for kernel 6.11 series; commit 04915240e2c3a018e4c7f23418478d27226c8957 is the immediate upstream reference for the fix. Operators should compare vendor changelogs to that commit hash to confirm backport presence.
• Multiple independent vulnerability databases (OSV, Wiz, Feedly, security trackers) assign CVSS 3.x ≈ 5.5 (Medium) and label the impact as availability. Use that numeric priority along with local exposure to triage urgency.

If any advisory statements or vendor mapping cannot be verified against a package changelog or the upstream commit ID, treat the distribution package as unverified until direct evidence is obtained; backport policies vary and the same kernel version number can sometimes mask differing backport content.

---

Practical mitigation and remediation plan (step‑by‑step)​

• Inventory and prioritize hosts
• Identify systems that mount Btrfs: findmnt -t btrfs and cat /proc/filesystems. Check loaded Btrfs modules: lsmod | grep btrfs. Confirm whether Btrfs is built into the kernel or as a module.
• Map kernel artifacts to upstream fix
• Get uname -r on each host and inspect kernel package changelogs (apt changelog linux-image-*, rpm -q --changelog kernel) for references to CVE‑2024‑49932 or upstream commit 04915240e2c3a018e4c7f23418478d27226c8957. If your distro provides an advisory page, use that mapping.
• Patch and reboot
• Install the vendor kernel update that contains the upstream fix and schedule a reboot. Kernel patches require reboot to take effect; treat this as mandatory remediation.
• Short‑term mitigations if you cannot patch immediately
• Avoid running btrfs balance operations on affected hosts, especially those using RAID stripe profiles, until patched.
• Restrict who can mount Btrfs images or create loopback devices — control access to /dev/loop* and mount namespaces. Use udev rules and ACLs to limit device node creation.
• Harden privileges: reduce non‑root users’ ability to perform mounts (CAP_SYS_ADMIN) and consider disabling unprivileged user namespaces where acceptable.
• Monitor kernel logs for the specific error patterns referenced in advisories (look for messages citing inability to find raid‑stripe for logical ranges and scatterlist assertions).
• Post‑patch validation
• Reboot hosts and re‑run representative Btrfs balance/relocation operations on a test system or pilot ring to ensure the kernel no longer hits the previous assertion.
• Confirm that the kernel changelog or package advisory references the CVE or the upstream commit ID. Where possible, reproduce old crash logs in test to validate patch efficacy in a controlled environment.

---

Detection and hunting guidance​

• Kernel logs: Search dmesg / journalctl -k for the Btrfs messages captured in advisories:
• “BTRFS error (device …): cannot find raid‑stripe for logical …”
• “kernel BUG at include/linux/scatterlist.h:115” or stack traces that include __blk_rq_map_sg / blkrqmapsg.
  These are reliable indicators that the RST readahead path triggered the assertion.
• Telemetry: Alert on repeated btrfs balance failures, repeated mounts of loop images, or kernel oops frequency increases on hosts that use Btrfs with RAID profiles.
• Forensics: If a host crashed with the suspected trace, preserve kdump/vmcore and system logs before rebooting for incident analysis. Collection enables mapping to the upstream fix and supports vendor escalation if necessary.

---

Operational risk assessment — who should care most​

• High priority:
• Virtualization hosts and cloud nodes that expose Btrfs-backed volumes to untrusted tenants.
• CI/CD runners and image-processing pipelines that mount many third‑party images or use loop devices.
• Storage appliances and servers performing frequent balancing or relocation tasks.
• Medium priority:
• Single‑tenant systems using Btrfs but with strict admin controls on who can initiate balancing operations.
• Low priority:
• Systems without Btrfs support or where Btrfs is not used. WSL2 instances must be examined individually — a WSL kernel build that includes the vulnerable code and exposes Btrfs would be in scope; native Windows hosts are unaffected unless they run a Linux kernel image.

---

Why the upstream fix is reasonable — and what to watch for​

Maintainers chose a defensive, minimal change: skip readahead when the RST mapping can be missing. That reduces the chance of invalid block reads without changing the overall semantics of relocation work. Surgical fixes of this kind are common for kernel stability — they close the immediate failure mode while keeping the rest of the code path intact, which helps with safe backporting across stable branches. However, administrators should watch for these caveats:

• Vendor backport variability: some distributions may backport the fix under different package versions or may take longer to release updates for older kernel branches. Always check the vendor advisory and not just the kernel version string.
• Residual risk: the fix addresses the specific readahead/ENOENT path; other unrelated Btrfs bugs or race conditions may remain. Continue regular kernel and filesystem patching cadence.

---

Recommended patching timeline and playbook​

• Immediate (0–24 hours): Identify Btrfs hosts, prioritize multi‑tenant and storage nodes, and obtain vendor advisories that map the upstream commit to fixed packages. If you manage many images or node pools, flag those images for replacement once fixed kernels are available.
• Short term (1–7 days): Pilot the vendor kernel update on nonproduction nodes, run representative filesystem workloads (including balance/relocate operations), and validate logs for absence of the prior stack traces.
• Medium term (weeks): Roll the update fleetwide, update automation/CI images to include patched kernels, and codify a detection playbook for kernel oops patterns tied to Btrfs/blk mapping asserts.
• Ongoing: Keep a watch on vendor advisories for related Btrfs fixes and ensure any appliance/OEM kernels are inventoried and tracked — vendor kernels often have a longer tail for backports.

---

Final analysis and risk summary​

CVE‑2024‑49932 is a medium‑severity, availability‑first Linux kernel bug that manifests as a reachable assertion in the block scatter‑gather code when Btrfs readahead submits invalid reads on RST‑backed relocation inodes. The technical fix is targeted and already upstream; the principal operational risk is deployment lag and distribution backport variability that leave some hosts exposed longer than others. Multi‑tenant and storage‑heavy environments must prioritize remediation because a single host crash can cause multi‑tenant outages or disrupt critical CI/storage workflows. Apply vendor kernel updates that contain the upstream commit, validate the fix in a pilot ring, and harden mount/device privileges and image‑supply chains as compensating controls until the update is deployed. Monitor kernel logs for the specific scatter‑gather assertion messages, and treat any unexplained kernel oops on Btrfs hosts as high‑priority incidents requiring immediate investigation.

---

The kernel changes for CVE‑2024‑49932 are intentionally minimal and effective; the remaining work for operators is pragmatic: verify vendor backports, patch promptly, and tighten mounting and loop‑device controls on hosts that process untrusted images or operate in multi‑tenant configurations.

---

Source: MSRC Security Update Guide - Microsoft Security Response Center