cve/published/2024/CVE-2024-57975.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-57975: btrfs: do proper folio cleanup when run_delalloc_nocow() failed

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 btrfs: do proper folio cleanup when run_delalloc_nocow() failed

 [BUG]
 With CONFIG_DEBUG_VM set, test case generic/476 has some chance to crash
 with the following VM_BUG_ON_FOLIO():

   BTRFS error (device dm-3): cow_file_range failed, start 1146880 end 1253375 len 106496 ret -28
   BTRFS error (device dm-3): run_delalloc_nocow failed, start 1146880 end 1253375 len 106496 ret -28
   page: refcount:4 mapcount:0 mapping:00000000592787cc index:0x12 pfn:0x10664
   aops:btrfs_aops [btrfs] ino:101 dentry name(?):"f1774"
   flags: 0x2fffff80004028(uptodate|lru|private|node=0|zone=2|lastcpupid=0xfffff)
   page dumped because: VM_BUG_ON_FOLIO(!folio_test_locked(folio))
   ------------[ cut here ]------------
   kernel BUG at mm/page-writeback.c:2992!
   Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
   CPU: 2 UID: 0 PID: 3943513 Comm: kworker/u24:15 Tainted: G           OE      6.12.0-rc7-custom+ #87
   Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
   Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022
   Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]
   pc : folio_clear_dirty_for_io+0x128/0x258
   lr : folio_clear_dirty_for_io+0x128/0x258
   Call trace:
    folio_clear_dirty_for_io+0x128/0x258
    btrfs_folio_clamp_clear_dirty+0x80/0xd0 [btrfs]
    __process_folios_contig+0x154/0x268 [btrfs]
    extent_clear_unlock_delalloc+0x5c/0x80 [btrfs]
    run_delalloc_nocow+0x5f8/0x760 [btrfs]
    btrfs_run_delalloc_range+0xa8/0x220 [btrfs]
    writepage_delalloc+0x230/0x4c8 [btrfs]
    extent_writepage+0xb8/0x358 [btrfs]
    extent_write_cache_pages+0x21c/0x4e8 [btrfs]
    btrfs_writepages+0x94/0x150 [btrfs]
    do_writepages+0x74/0x190
    filemap_fdatawrite_wbc+0x88/0xc8
    start_delalloc_inodes+0x178/0x3a8 [btrfs]
    btrfs_start_delalloc_roots+0x174/0x280 [btrfs]
    shrink_delalloc+0x114/0x280 [btrfs]
    flush_space+0x250/0x2f8 [btrfs]
    btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]
    process_one_work+0x164/0x408
    worker_thread+0x25c/0x388
    kthread+0x100/0x118
    ret_from_fork+0x10/0x20
   Code: 910a8021 a90363f7 a9046bf9 94012379 (d4210000)
   ---[ end trace 0000000000000000 ]---

 [CAUSE]
 The first two lines of extra debug messages show the problem is caused
 by the error handling of run_delalloc_nocow().

 E.g. we have the following dirtied range (4K blocksize 4K page size):

     0                 16K                  32K
     |//////////////////////////////////////|
     |  Pre-allocated  |

 And the range [0, 16K) has a preallocated extent.

 - Enter run_delalloc_nocow() for range [0, 16K)
   Which found range [0, 16K) is preallocated, can do the proper NOCOW
   write.

 - Enter fallback_to_fow() for range [16K, 32K)
   Since the range [16K, 32K) is not backed by preallocated extent, we
   have to go COW.

 - cow_file_range() failed for range [16K, 32K)
   So cow_file_range() will do the clean up by clearing folio dirty,
   unlock the folios.

   Now the folios in range [16K, 32K) is unlocked.

 - Enter extent_clear_unlock_delalloc() from run_delalloc_nocow()
   Which is called with PAGE_START_WRITEBACK to start page writeback.
   But folios can only be marked writeback when it's properly locked,
   thus this triggered the VM_BUG_ON_FOLIO().

 Furthermore there is another hidden but common bug that
 run_delalloc_nocow() is not clearing the folio dirty flags in its error
 handling path.
 This is the common bug shared between run_delalloc_nocow() and
 cow_file_range().

 [FIX]
 - Clear folio dirty for range [@start, @cur_offset)
   Introduce a helper, cleanup_dirty_folios(), which
   will find and lock the folio in the range, clear the dirty flag and
   start/end the writeback, with the extra handling for the
   @locked_folio.

 - Introduce a helper to clear folio dirty, start and end writeback

 - Introduce a helper to record the last failed COW range end
   This is to trace which range we should skip, to avoid double
   unlocking.

 - Skip the failed COW range for the error handling

 The Linux kernel CVE team has assigned CVE-2024-57975 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 6.12.13 with commit 5ae72abbf91eb172ce3a838a4dc34be3c9707296
 	Fixed in 6.13.2 with commit 2434533f1c963e7317c45880c98287e5bed98325
 	Fixed in 6.14 with commit c2b47df81c8e20a8e8cd94f0d7df211137ae94ed

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-57975
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/btrfs/inode.c
 	fs/btrfs/subpage.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5ae72abbf91eb172ce3a838a4dc34be3c9707296
 	https://git.kernel.org/stable/c/2434533f1c963e7317c45880c98287e5bed98325
 	https://git.kernel.org/stable/c/c2b47df81c8e20a8e8cd94f0d7df211137ae94ed
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-57975: btrfs: do proper folio cleanup when run_delalloc_nocow() failed

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	btrfs: do proper folio cleanup when run_delalloc_nocow() failed

	[BUG]
	With CONFIG_DEBUG_VM set, test case generic/476 has some chance to crash
	with the following VM_BUG_ON_FOLIO():

	BTRFS error (device dm-3): cow_file_range failed, start 1146880 end 1253375 len 106496 ret -28
	BTRFS error (device dm-3): run_delalloc_nocow failed, start 1146880 end 1253375 len 106496 ret -28
	page: refcount:4 mapcount:0 mapping:00000000592787cc index:0x12 pfn:0x10664
	aops:btrfs_aops [btrfs] ino:101 dentry name(?):"f1774"
	flags: 0x2fffff80004028(uptodate\|lru\|private\|node=0\|zone=2\|lastcpupid=0xfffff)
	page dumped because: VM_BUG_ON_FOLIO(!folio_test_locked(folio))
	------------[ cut here ]------------
	kernel BUG at mm/page-writeback.c:2992!
	Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
	CPU: 2 UID: 0 PID: 3943513 Comm: kworker/u24:15 Tainted: G OE 6.12.0-rc7-custom+ #87
	Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
	Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022
	Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]
	pc : folio_clear_dirty_for_io+0x128/0x258
	lr : folio_clear_dirty_for_io+0x128/0x258
	Call trace:
	folio_clear_dirty_for_io+0x128/0x258
	btrfs_folio_clamp_clear_dirty+0x80/0xd0 [btrfs]
	__process_folios_contig+0x154/0x268 [btrfs]
	extent_clear_unlock_delalloc+0x5c/0x80 [btrfs]
	run_delalloc_nocow+0x5f8/0x760 [btrfs]
	btrfs_run_delalloc_range+0xa8/0x220 [btrfs]
	writepage_delalloc+0x230/0x4c8 [btrfs]
	extent_writepage+0xb8/0x358 [btrfs]
	extent_write_cache_pages+0x21c/0x4e8 [btrfs]
	btrfs_writepages+0x94/0x150 [btrfs]
	do_writepages+0x74/0x190
	filemap_fdatawrite_wbc+0x88/0xc8
	start_delalloc_inodes+0x178/0x3a8 [btrfs]
	btrfs_start_delalloc_roots+0x174/0x280 [btrfs]
	shrink_delalloc+0x114/0x280 [btrfs]
	flush_space+0x250/0x2f8 [btrfs]
	btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]
	process_one_work+0x164/0x408
	worker_thread+0x25c/0x388
	kthread+0x100/0x118
	ret_from_fork+0x10/0x20
	Code: 910a8021 a90363f7 a9046bf9 94012379 (d4210000)
	---[ end trace 0000000000000000 ]---

	[CAUSE]
	The first two lines of extra debug messages show the problem is caused
	by the error handling of run_delalloc_nocow().

	E.g. we have the following dirtied range (4K blocksize 4K page size):

	0 16K 32K
	\|//////////////////////////////////////\|
	\| Pre-allocated \|

	And the range [0, 16K) has a preallocated extent.

	- Enter run_delalloc_nocow() for range [0, 16K)
	Which found range [0, 16K) is preallocated, can do the proper NOCOW
	write.

	- Enter fallback_to_fow() for range [16K, 32K)
	Since the range [16K, 32K) is not backed by preallocated extent, we
	have to go COW.

	- cow_file_range() failed for range [16K, 32K)
	So cow_file_range() will do the clean up by clearing folio dirty,
	unlock the folios.

	Now the folios in range [16K, 32K) is unlocked.

	- Enter extent_clear_unlock_delalloc() from run_delalloc_nocow()
	Which is called with PAGE_START_WRITEBACK to start page writeback.
	But folios can only be marked writeback when it's properly locked,
	thus this triggered the VM_BUG_ON_FOLIO().

	Furthermore there is another hidden but common bug that
	run_delalloc_nocow() is not clearing the folio dirty flags in its error
	handling path.
	This is the common bug shared between run_delalloc_nocow() and
	cow_file_range().

	[FIX]
	- Clear folio dirty for range [@start, @cur_offset)
	Introduce a helper, cleanup_dirty_folios(), which
	will find and lock the folio in the range, clear the dirty flag and
	start/end the writeback, with the extra handling for the
	@locked_folio.

	- Introduce a helper to clear folio dirty, start and end writeback

	- Introduce a helper to record the last failed COW range end
	This is to trace which range we should skip, to avoid double
	unlocking.

	- Skip the failed COW range for the error handling

	The Linux kernel CVE team has assigned CVE-2024-57975 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 6.12.13 with commit 5ae72abbf91eb172ce3a838a4dc34be3c9707296
	Fixed in 6.13.2 with commit 2434533f1c963e7317c45880c98287e5bed98325
	Fixed in 6.14 with commit c2b47df81c8e20a8e8cd94f0d7df211137ae94ed

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-57975
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/btrfs/inode.c
	fs/btrfs/subpage.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5ae72abbf91eb172ce3a838a4dc34be3c9707296
	https://git.kernel.org/stable/c/2434533f1c963e7317c45880c98287e5bed98325
	https://git.kernel.org/stable/c/c2b47df81c8e20a8e8cd94f0d7df211137ae94ed