cve/rejected/2024/CVE-2024-26905.json - pub/scm/linux/security/vulns - Git at Google

 {
    "containers": {
       "cna": {
          "providerMetadata": {
             "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
          },
          "descriptions": [
             {
                "lang": "en",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix data races when accessing the reserved amount of block reserves\n\nAt space_info.c we have several places where we access the ->reserved\nfield of a block reserve without taking the block reserve's spinlock\nfirst, which makes KCSAN warn about a data race since that field is\nalways updated while holding the spinlock.\n\nThe reports from KCSAN are like the following:\n\n  [117.193526] BUG: KCSAN: data-race in btrfs_block_rsv_release [btrfs] / need_preemptive_reclaim [btrfs]\n\n  [117.195148] read to 0x000000017f587190 of 8 bytes by task 6303 on cpu 3:\n  [117.195172]  need_preemptive_reclaim+0x222/0x2f0 [btrfs]\n  [117.195992]  __reserve_bytes+0xbb0/0xdc8 [btrfs]\n  [117.196807]  btrfs_reserve_metadata_bytes+0x4c/0x120 [btrfs]\n  [117.197620]  btrfs_block_rsv_add+0x78/0xa8 [btrfs]\n  [117.198434]  btrfs_delayed_update_inode+0x154/0x368 [btrfs]\n  [117.199300]  btrfs_update_inode+0x108/0x1c8 [btrfs]\n  [117.200122]  btrfs_dirty_inode+0xb4/0x140 [btrfs]\n  [117.200937]  btrfs_update_time+0x8c/0xb0 [btrfs]\n  [117.201754]  touch_atime+0x16c/0x1e0\n  [117.201789]  filemap_read+0x674/0x728\n  [117.201823]  btrfs_file_read_iter+0xf8/0x410 [btrfs]\n  [117.202653]  vfs_read+0x2b6/0x498\n  [117.203454]  ksys_read+0xa2/0x150\n  [117.203473]  __s390x_sys_read+0x68/0x88\n  [117.203495]  do_syscall+0x1c6/0x210\n  [117.203517]  __do_syscall+0xc8/0xf0\n  [117.203539]  system_call+0x70/0x98\n\n  [117.203579] write to 0x000000017f587190 of 8 bytes by task 11 on cpu 0:\n  [117.203604]  btrfs_block_rsv_release+0x2e8/0x578 [btrfs]\n  [117.204432]  btrfs_delayed_inode_release_metadata+0x7c/0x1d0 [btrfs]\n  [117.205259]  __btrfs_update_delayed_inode+0x37c/0x5e0 [btrfs]\n  [117.206093]  btrfs_async_run_delayed_root+0x356/0x498 [btrfs]\n  [117.206917]  btrfs_work_helper+0x160/0x7a0 [btrfs]\n  [117.207738]  process_one_work+0x3b6/0x838\n  [117.207768]  worker_thread+0x75e/0xb10\n  [117.207797]  kthread+0x21a/0x230\n  [117.207830]  __ret_from_fork+0x6c/0xb8\n  [117.207861]  ret_from_fork+0xa/0x30\n\nSo add a helper to get the reserved amount of a block reserve while\nholding the lock. The value may be not be up to date anymore when used by\nneed_preemptive_reclaim() and btrfs_preempt_reclaim_metadata_space(), but\nthat's ok since the worst it can do is cause more reclaim work do be done\nsooner rather than later. Reading the field while holding the lock instead\nof using the data_race() annotation is used in order to prevent load\ntearing."
             }
          ],
          "affected": [
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "unaffected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "fs/btrfs/block-rsv.h",
                   "fs/btrfs/space-info.c"
                ],
                "versions": [
                   {
                      "version": "1da177e4c3f4",
                      "lessThan": "995e91c9556c",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "1da177e4c3f4",
                      "lessThan": "82220b1835ba",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "1da177e4c3f4",
                      "lessThan": "c44542093525",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "1da177e4c3f4",
                      "lessThan": "e06cc89475ed",
                      "status": "affected",
                      "versionType": "git"
                   }
                ]
             },
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "affected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "fs/btrfs/block-rsv.h",
                   "fs/btrfs/space-info.c"
                ],
                "versions": [
                   {
                      "version": "6.1.83",
                      "lessThanOrEqual": "6.1.*",
                      "status": "unaffected",
                      "versionType": "custom"
                   },
                   {
                      "version": "6.6.23",
                      "lessThanOrEqual": "6.6.*",
                      "status": "unaffected",
                      "versionType": "custom"
                   },
                   {
                      "version": "6.7.11",
                      "lessThanOrEqual": "6.7.*",
                      "status": "unaffected",
                      "versionType": "custom"
                   },
                   {
                      "version": "6.8",
                      "lessThanOrEqual": "*",
                      "status": "unaffected",
                      "versionType": "original_commit_for_fix"
                   }
                ]
             }
          ],
          "references": [
             {
                "url": "https://git.kernel.org/stable/c/995e91c9556c8fc6028b474145a36e947d1eb6b6"
             },
             {
                "url": "https://git.kernel.org/stable/c/82220b1835baaebf4ae2e490f56353a341a09bd2"
             },
             {
                "url": "https://git.kernel.org/stable/c/c44542093525699a30c307dae1ea5a1b03b3302f"
             },
             {
                "url": "https://git.kernel.org/stable/c/e06cc89475eddc1f3a7a4d471524256152c68166"
             }
          ],
          "title": "btrfs: fix data races when accessing the reserved amount of block reserves",
          "x_generator": {
             "engine": "bippy-a5840b7849dd"
          }
       }
    },
    "cveMetadata": {
       "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
       "cveID": "CVE-2024-26905",
       "requesterUserId": "gregkh@kernel.org",
       "serial": "1",
       "state": "PUBLISHED"
    },
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0"
 }
	{
	"containers": {
	"cna": {
	"providerMetadata": {
	"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
	},
	"descriptions": [
	{
	"lang": "en",
	"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix data races when accessing the reserved amount of block reserves\n\nAt space_info.c we have several places where we access the ->reserved\nfield of a block reserve without taking the block reserve's spinlock\nfirst, which makes KCSAN warn about a data race since that field is\nalways updated while holding the spinlock.\n\nThe reports from KCSAN are like the following:\n\n [117.193526] BUG: KCSAN: data-race in btrfs_block_rsv_release [btrfs] / need_preemptive_reclaim [btrfs]\n\n [117.195148] read to 0x000000017f587190 of 8 bytes by task 6303 on cpu 3:\n [117.195172] need_preemptive_reclaim+0x222/0x2f0 [btrfs]\n [117.195992] __reserve_bytes+0xbb0/0xdc8 [btrfs]\n [117.196807] btrfs_reserve_metadata_bytes+0x4c/0x120 [btrfs]\n [117.197620] btrfs_block_rsv_add+0x78/0xa8 [btrfs]\n [117.198434] btrfs_delayed_update_inode+0x154/0x368 [btrfs]\n [117.199300] btrfs_update_inode+0x108/0x1c8 [btrfs]\n [117.200122] btrfs_dirty_inode+0xb4/0x140 [btrfs]\n [117.200937] btrfs_update_time+0x8c/0xb0 [btrfs]\n [117.201754] touch_atime+0x16c/0x1e0\n [117.201789] filemap_read+0x674/0x728\n [117.201823] btrfs_file_read_iter+0xf8/0x410 [btrfs]\n [117.202653] vfs_read+0x2b6/0x498\n [117.203454] ksys_read+0xa2/0x150\n [117.203473] __s390x_sys_read+0x68/0x88\n [117.203495] do_syscall+0x1c6/0x210\n [117.203517] __do_syscall+0xc8/0xf0\n [117.203539] system_call+0x70/0x98\n\n [117.203579] write to 0x000000017f587190 of 8 bytes by task 11 on cpu 0:\n [117.203604] btrfs_block_rsv_release+0x2e8/0x578 [btrfs]\n [117.204432] btrfs_delayed_inode_release_metadata+0x7c/0x1d0 [btrfs]\n [117.205259] __btrfs_update_delayed_inode+0x37c/0x5e0 [btrfs]\n [117.206093] btrfs_async_run_delayed_root+0x356/0x498 [btrfs]\n [117.206917] btrfs_work_helper+0x160/0x7a0 [btrfs]\n [117.207738] process_one_work+0x3b6/0x838\n [117.207768] worker_thread+0x75e/0xb10\n [117.207797] kthread+0x21a/0x230\n [117.207830] __ret_from_fork+0x6c/0xb8\n [117.207861] ret_from_fork+0xa/0x30\n\nSo add a helper to get the reserved amount of a block reserve while\nholding the lock. The value may be not be up to date anymore when used by\nneed_preemptive_reclaim() and btrfs_preempt_reclaim_metadata_space(), but\nthat's ok since the worst it can do is cause more reclaim work do be done\nsooner rather than later. Reading the field while holding the lock instead\nof using the data_race() annotation is used in order to prevent load\ntearing."
	}
	],
	"affected": [
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "unaffected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"fs/btrfs/block-rsv.h",
	"fs/btrfs/space-info.c"
	],
	"versions": [
	{
	"version": "1da177e4c3f4",
	"lessThan": "995e91c9556c",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "1da177e4c3f4",
	"lessThan": "82220b1835ba",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "1da177e4c3f4",
	"lessThan": "c44542093525",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "1da177e4c3f4",
	"lessThan": "e06cc89475ed",
	"status": "affected",
	"versionType": "git"
	}
	]
	},
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "affected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"fs/btrfs/block-rsv.h",
	"fs/btrfs/space-info.c"
	],
	"versions": [
	{
	"version": "6.1.83",
	"lessThanOrEqual": "6.1.*",
	"status": "unaffected",
	"versionType": "custom"
	},
	{
	"version": "6.6.23",
	"lessThanOrEqual": "6.6.*",
	"status": "unaffected",
	"versionType": "custom"
	},
	{
	"version": "6.7.11",
	"lessThanOrEqual": "6.7.*",
	"status": "unaffected",
	"versionType": "custom"
	},
	{
	"version": "6.8",
	"lessThanOrEqual": "*",
	"status": "unaffected",
	"versionType": "original_commit_for_fix"
	}
	]
	}
	],
	"references": [
	{
	"url": "https://git.kernel.org/stable/c/995e91c9556c8fc6028b474145a36e947d1eb6b6"
	},
	{
	"url": "https://git.kernel.org/stable/c/82220b1835baaebf4ae2e490f56353a341a09bd2"
	},
	{
	"url": "https://git.kernel.org/stable/c/c44542093525699a30c307dae1ea5a1b03b3302f"
	},
	{
	"url": "https://git.kernel.org/stable/c/e06cc89475eddc1f3a7a4d471524256152c68166"
	}
	],
	"title": "btrfs: fix data races when accessing the reserved amount of block reserves",
	"x_generator": {
	"engine": "bippy-a5840b7849dd"
	}
	}
	},
	"cveMetadata": {
	"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
	"cveID": "CVE-2024-26905",
	"requesterUserId": "gregkh@kernel.org",
	"serial": "1",
	"state": "PUBLISHED"
	},
	"dataType": "CVE_RECORD",
	"dataVersion": "5.0"
	}