cve/published/2024/CVE-2024-46733.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-46733: btrfs: fix qgroup reserve leaks in cow_file_range

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 btrfs: fix qgroup reserve leaks in cow_file_range

 In the buffered write path, the dirty page owns the qgroup reserve until
 it creates an ordered_extent.

 Therefore, any errors that occur before the ordered_extent is created
 must free that reservation, or else the space is leaked. The fstest
 generic/475 exercises various IO error paths, and is able to trigger
 errors in cow_file_range where we fail to get to allocating the ordered
 extent. Note that because we *do* clear delalloc, we are likely to
 remove the inode from the delalloc list, so the inodes/pages to not have
 invalidate/launder called on them in the commit abort path.

 This results in failures at the unmount stage of the test that look like:

   BTRFS: error (device dm-8 state EA) in cleanup_transaction:2018: errno=-5 IO failure
   BTRFS: error (device dm-8 state EA) in btrfs_replace_file_extents:2416: errno=-5 IO failure
   BTRFS warning (device dm-8 state EA): qgroup 0/5 has unreleased space, type 0 rsv 28672
   ------------[ cut here ]------------
   WARNING: CPU: 3 PID: 22588 at fs/btrfs/disk-io.c:4333 close_ctree+0x222/0x4d0 [btrfs]
   Modules linked in: btrfs blake2b_generic libcrc32c xor zstd_compress raid6_pq
   CPU: 3 PID: 22588 Comm: umount Kdump: loaded Tainted: G W          6.10.0-rc7-gab56fde445b8 #21
   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
   RIP: 0010:close_ctree+0x222/0x4d0 [btrfs]
   RSP: 0018:ffffb4465283be00 EFLAGS: 00010202
   RAX: 0000000000000001 RBX: ffffa1a1818e1000 RCX: 0000000000000001
   RDX: 0000000000000000 RSI: ffffb4465283bbe0 RDI: ffffa1a19374fcb8
   RBP: ffffa1a1818e13c0 R08: 0000000100028b16 R09: 0000000000000000
   R10: 0000000000000003 R11: 0000000000000003 R12: ffffa1a18ad7972c
   R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
   FS:  00007f9168312b80(0000) GS:ffffa1a4afcc0000(0000) knlGS:0000000000000000
   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
   CR2: 00007f91683c9140 CR3: 000000010acaa000 CR4: 00000000000006f0
   Call Trace:
    <TASK>
    ? close_ctree+0x222/0x4d0 [btrfs]
    ? __warn.cold+0x8e/0xea
    ? close_ctree+0x222/0x4d0 [btrfs]
    ? report_bug+0xff/0x140
    ? handle_bug+0x3b/0x70
    ? exc_invalid_op+0x17/0x70
    ? asm_exc_invalid_op+0x1a/0x20
    ? close_ctree+0x222/0x4d0 [btrfs]
    generic_shutdown_super+0x70/0x160
    kill_anon_super+0x11/0x40
    btrfs_kill_super+0x11/0x20 [btrfs]
    deactivate_locked_super+0x2e/0xa0
    cleanup_mnt+0xb5/0x150
    task_work_run+0x57/0x80
    syscall_exit_to_user_mode+0x121/0x130
    do_syscall_64+0xab/0x1a0
    entry_SYSCALL_64_after_hwframe+0x77/0x7f
   RIP: 0033:0x7f916847a887
   ---[ end trace 0000000000000000 ]---
   BTRFS error (device dm-8 state EA): qgroup reserved space leaked

 Cases 2 and 3 in the out_reserve path both pertain to this type of leak
 and must free the reserved qgroup data. Because it is already an error
 path, I opted not to handle the possible errors in
 btrfs_free_qgroup_data.

 The Linux kernel CVE team has assigned CVE-2024-46733 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 6.1.135 with commit 159f0f61b283ea71e827dd0c18c5dce197de1fa2
 	Fixed in 6.6.88 with commit 84464db2ec2a55b9313d5f264da196a37ec80994
 	Fixed in 6.10.9 with commit e42ef22bc10f0309c0c65d8d6ca8b4127a674b7f
 	Fixed in 6.11 with commit 30479f31d44d47ed00ae0c7453d9b253537005b2

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-46733
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/btrfs/inode.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/159f0f61b283ea71e827dd0c18c5dce197de1fa2
 	https://git.kernel.org/stable/c/84464db2ec2a55b9313d5f264da196a37ec80994
 	https://git.kernel.org/stable/c/e42ef22bc10f0309c0c65d8d6ca8b4127a674b7f
 	https://git.kernel.org/stable/c/30479f31d44d47ed00ae0c7453d9b253537005b2
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-46733: btrfs: fix qgroup reserve leaks in cow_file_range

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	btrfs: fix qgroup reserve leaks in cow_file_range

	In the buffered write path, the dirty page owns the qgroup reserve until
	it creates an ordered_extent.

	Therefore, any errors that occur before the ordered_extent is created
	must free that reservation, or else the space is leaked. The fstest
	generic/475 exercises various IO error paths, and is able to trigger
	errors in cow_file_range where we fail to get to allocating the ordered
	extent. Note that because we do clear delalloc, we are likely to
	remove the inode from the delalloc list, so the inodes/pages to not have
	invalidate/launder called on them in the commit abort path.

	This results in failures at the unmount stage of the test that look like:

	BTRFS: error (device dm-8 state EA) in cleanup_transaction:2018: errno=-5 IO failure
	BTRFS: error (device dm-8 state EA) in btrfs_replace_file_extents:2416: errno=-5 IO failure
	BTRFS warning (device dm-8 state EA): qgroup 0/5 has unreleased space, type 0 rsv 28672
	------------[ cut here ]------------
	WARNING: CPU: 3 PID: 22588 at fs/btrfs/disk-io.c:4333 close_ctree+0x222/0x4d0 [btrfs]
	Modules linked in: btrfs blake2b_generic libcrc32c xor zstd_compress raid6_pq
	CPU: 3 PID: 22588 Comm: umount Kdump: loaded Tainted: G W 6.10.0-rc7-gab56fde445b8 #21
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
	RIP: 0010:close_ctree+0x222/0x4d0 [btrfs]
	RSP: 0018:ffffb4465283be00 EFLAGS: 00010202
	RAX: 0000000000000001 RBX: ffffa1a1818e1000 RCX: 0000000000000001
	RDX: 0000000000000000 RSI: ffffb4465283bbe0 RDI: ffffa1a19374fcb8
	RBP: ffffa1a1818e13c0 R08: 0000000100028b16 R09: 0000000000000000
	R10: 0000000000000003 R11: 0000000000000003 R12: ffffa1a18ad7972c
	R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
	FS: 00007f9168312b80(0000) GS:ffffa1a4afcc0000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007f91683c9140 CR3: 000000010acaa000 CR4: 00000000000006f0
	Call Trace:
	<TASK>
	? close_ctree+0x222/0x4d0 [btrfs]
	? __warn.cold+0x8e/0xea
	? close_ctree+0x222/0x4d0 [btrfs]
	? report_bug+0xff/0x140
	? handle_bug+0x3b/0x70
	? exc_invalid_op+0x17/0x70
	? asm_exc_invalid_op+0x1a/0x20
	? close_ctree+0x222/0x4d0 [btrfs]
	generic_shutdown_super+0x70/0x160
	kill_anon_super+0x11/0x40
	btrfs_kill_super+0x11/0x20 [btrfs]
	deactivate_locked_super+0x2e/0xa0
	cleanup_mnt+0xb5/0x150
	task_work_run+0x57/0x80
	syscall_exit_to_user_mode+0x121/0x130
	do_syscall_64+0xab/0x1a0
	entry_SYSCALL_64_after_hwframe+0x77/0x7f
	RIP: 0033:0x7f916847a887
	---[ end trace 0000000000000000 ]---
	BTRFS error (device dm-8 state EA): qgroup reserved space leaked

	Cases 2 and 3 in the out_reserve path both pertain to this type of leak
	and must free the reserved qgroup data. Because it is already an error
	path, I opted not to handle the possible errors in
	btrfs_free_qgroup_data.

	The Linux kernel CVE team has assigned CVE-2024-46733 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 6.1.135 with commit 159f0f61b283ea71e827dd0c18c5dce197de1fa2
	Fixed in 6.6.88 with commit 84464db2ec2a55b9313d5f264da196a37ec80994
	Fixed in 6.10.9 with commit e42ef22bc10f0309c0c65d8d6ca8b4127a674b7f
	Fixed in 6.11 with commit 30479f31d44d47ed00ae0c7453d9b253537005b2

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-46733
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/btrfs/inode.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/159f0f61b283ea71e827dd0c18c5dce197de1fa2
	https://git.kernel.org/stable/c/84464db2ec2a55b9313d5f264da196a37ec80994
	https://git.kernel.org/stable/c/e42ef22bc10f0309c0c65d8d6ca8b4127a674b7f
	https://git.kernel.org/stable/c/30479f31d44d47ed00ae0c7453d9b253537005b2