Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-cve / . / cve / published / 2024 / CVE-2024-57975.json
blob: ca63723a4a2cf297ef609df659b6a972a5a42a49 [file] [log] [blame]
{
"containers": {
"cna": {
"providerMetadata": {
"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
},
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do proper folio cleanup when run_delalloc_nocow() failed\n\n[BUG]\nWith CONFIG_DEBUG_VM set, test case generic/476 has some chance to crash\nwith the following VM_BUG_ON_FOLIO():\n\n BTRFS error (device dm-3): cow_file_range failed, start 1146880 end 1253375 len 106496 ret -28\n BTRFS error (device dm-3): run_delalloc_nocow failed, start 1146880 end 1253375 len 106496 ret -28\n page: refcount:4 mapcount:0 mapping:00000000592787cc index:0x12 pfn:0x10664\n aops:btrfs_aops [btrfs] ino:101 dentry name(?):\"f1774\"\n flags: 0x2fffff80004028(uptodate|lru|private|node=0|zone=2|lastcpupid=0xfffff)\n page dumped because: VM_BUG_ON_FOLIO(!folio_test_locked(folio))\n ------------[ cut here ]------------\n kernel BUG at mm/page-writeback.c:2992!\n Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n CPU: 2 UID: 0 PID: 3943513 Comm: kworker/u24:15 Tainted: G OE 6.12.0-rc7-custom+ #87\n Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022\n Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]\n pc : folio_clear_dirty_for_io+0x128/0x258\n lr : folio_clear_dirty_for_io+0x128/0x258\n Call trace:\n folio_clear_dirty_for_io+0x128/0x258\n btrfs_folio_clamp_clear_dirty+0x80/0xd0 [btrfs]\n __process_folios_contig+0x154/0x268 [btrfs]\n extent_clear_unlock_delalloc+0x5c/0x80 [btrfs]\n run_delalloc_nocow+0x5f8/0x760 [btrfs]\n btrfs_run_delalloc_range+0xa8/0x220 [btrfs]\n writepage_delalloc+0x230/0x4c8 [btrfs]\n extent_writepage+0xb8/0x358 [btrfs]\n extent_write_cache_pages+0x21c/0x4e8 [btrfs]\n btrfs_writepages+0x94/0x150 [btrfs]\n do_writepages+0x74/0x190\n filemap_fdatawrite_wbc+0x88/0xc8\n start_delalloc_inodes+0x178/0x3a8 [btrfs]\n btrfs_start_delalloc_roots+0x174/0x280 [btrfs]\n shrink_delalloc+0x114/0x280 [btrfs]\n flush_space+0x250/0x2f8 [btrfs]\n btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]\n process_one_work+0x164/0x408\n worker_thread+0x25c/0x388\n kthread+0x100/0x118\n ret_from_fork+0x10/0x20\n Code: 910a8021 a90363f7 a9046bf9 94012379 (d4210000)\n ---[ end trace 0000000000000000 ]---\n\n[CAUSE]\nThe first two lines of extra debug messages show the problem is caused\nby the error handling of run_delalloc_nocow().\n\nE.g. we have the following dirtied range (4K blocksize 4K page size):\n\n 0 16K 32K\n |//////////////////////////////////////|\n | Pre-allocated |\n\nAnd the range [0, 16K) has a preallocated extent.\n\n- Enter run_delalloc_nocow() for range [0, 16K)\n Which found range [0, 16K) is preallocated, can do the proper NOCOW\n write.\n\n- Enter fallback_to_fow() for range [16K, 32K)\n Since the range [16K, 32K) is not backed by preallocated extent, we\n have to go COW.\n\n- cow_file_range() failed for range [16K, 32K)\n So cow_file_range() will do the clean up by clearing folio dirty,\n unlock the folios.\n\n Now the folios in range [16K, 32K) is unlocked.\n\n- Enter extent_clear_unlock_delalloc() from run_delalloc_nocow()\n Which is called with PAGE_START_WRITEBACK to start page writeback.\n But folios can only be marked writeback when it's properly locked,\n thus this triggered the VM_BUG_ON_FOLIO().\n\nFurthermore there is another hidden but common bug that\nrun_delalloc_nocow() is not clearing the folio dirty flags in its error\nhandling path.\nThis is the common bug shared between run_delalloc_nocow() and\ncow_file_range().\n\n[FIX]\n- Clear folio dirty for range [@start, @cur_offset)\n Introduce a helper, cleanup_dirty_folios(), which\n will find and lock the folio in the range, clear the dirty flag and\n start/end the writeback, with the extra handling for the\n @locked_folio.\n\n- Introduce a helper to clear folio dirty, start and end writeback\n\n- Introduce a helper to record the last failed COW range end\n This is to trace which range we should skip, to avoid double\n unlocking.\n\n- Skip the failed COW range for the e\n---truncated---"
}
],
"affected": [
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"fs/btrfs/inode.c",
"fs/btrfs/subpage.h"
],
"versions": [
{
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"lessThan": "5ae72abbf91eb172ce3a838a4dc34be3c9707296",
"status": "affected",
"versionType": "git"
},
{
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"lessThan": "2434533f1c963e7317c45880c98287e5bed98325",
"status": "affected",
"versionType": "git"
},
{
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"lessThan": "c2b47df81c8e20a8e8cd94f0d7df211137ae94ed",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"fs/btrfs/inode.c",
"fs/btrfs/subpage.h"
],
"versions": [
{
"version": "6.12.13",
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.13.2",
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.14",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/5ae72abbf91eb172ce3a838a4dc34be3c9707296"
},
{
"url": "https://git.kernel.org/stable/c/2434533f1c963e7317c45880c98287e5bed98325"
},
{
"url": "https://git.kernel.org/stable/c/c2b47df81c8e20a8e8cd94f0d7df211137ae94ed"
}
],
"title": "btrfs: do proper folio cleanup when run_delalloc_nocow() failed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
"cveID": "CVE-2024-57975",
"requesterUserId": "gregkh@kernel.org",
"serial": "1",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}