| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2022-49761: btrfs: always report error in run_one_delayed_ref() |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| btrfs: always report error in run_one_delayed_ref() |
| |
| Currently we have a btrfs_debug() for run_one_delayed_ref() failure, but |
| if end users hit such a problem, there will be no chance that |
| btrfs_debug() is enabled. This can lead to very little useful info for |
| debugging. |
| |
| This patch will: |
| |
| - Add extra info for error reporting |
|   Including: |
|   * logical bytenr |
|   * num_bytes |
|   * type |
|   * action |
|   * ref_mod |
| |
| - Replace the btrfs_debug() with btrfs_err() |
| |
| - Move the error reporting into run_one_delayed_ref() |
|   This is to avoid use-after-free; the @node can be freed in the caller. |
| |
| This error should only be triggered at most once. |
| |
| This is because if run_one_delayed_ref() fails, we trigger the error |
| message, which then causes the call chain to error out: |
| |
|   btrfs_run_delayed_refs() |
|   `- btrfs_run_delayed_refs() |
|      `- btrfs_run_delayed_refs_for_head() |
|         `- run_one_delayed_ref() |
| |
| And we will abort the current transaction in btrfs_run_delayed_refs(). |
| If we have to run delayed refs for the aborted transaction, |
| run_one_delayed_ref() will just clean up the refs and do nothing, thus no |
| new error messages would be output. |
| |
| The Linux kernel CVE team has assigned CVE-2022-49761 to this issue. |
| |
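The lifetime point in the description above (report the failure inside run_one_delayed_ref() because the caller may free the node), shown as an added user-space C sketch that is not the kernel's code. The struct, function names, message format and sample values are all hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified user-space model; every name and value here is hypothetical. */
struct ref_node {
    unsigned long long bytenr, num_bytes;
    int type, action, ref_mod;
};

static char last_report[160];   /* captured error line, so it can be checked */

/* Callee: the node is still alive here, so the failure is reported here. */
static int run_one_ref(struct ref_node *n, int simulated_ret)
{
    if (simulated_ret)
        snprintf(last_report, sizeof(last_report),
                 "ref failed: logical %llu num_bytes %llu type %d action %d ref_mod %d: %d",
                 n->bytenr, n->num_bytes, n->type, n->action, n->ref_mod, simulated_ret);
    return simulated_ret;
}

/* Caller: releases the node after the call. Past free() only `ret` is safe
 * to use; formatting n->bytenr for a log line here would read freed memory. */
static int run_refs_for_head(struct ref_node *n, int simulated_ret)
{
    int ret = run_one_ref(n, simulated_ret);

    free(n);                    /* stands in for dropping the last reference */
    return ret;
}

static struct ref_node *new_node(unsigned long long bytenr, unsigned long long len)
{
    struct ref_node *n = calloc(1, sizeof(*n));
    if (!n)
        abort();
    n->bytenr = bytenr;
    n->num_bytes = len;
    n->type = 176; n->action = 1; n->ref_mod = 1;   /* constructed sample values */
    return n;
}

int main(void)
{
    int ret = run_refs_for_head(new_node(13631488ULL, 16384ULL), -5);
    printf("%s (ret=%d, %zu chars)\n", last_report, ret, strlen(last_report));
    return 0;
}
```

Building the model with `-fsanitize=address` and moving the `snprintf()` call below `free(n)` makes the sanitizer flag the stale read.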
| |
| Affected and fixed versions |
| =========================== |
| |
| Fixed in 5.10.165 with commit 18bd1c9c02e64a3567f90c83c2c8b855531c8098 |
| Fixed in 5.15.90 with commit fdb4a70bb768d2a87890409597529ad81cb3de8a |
| Fixed in 6.1.8 with commit 853ffa1511b058c79a4c9bb1407b3b20ce311792 |
| Fixed in 6.2 with commit 39f501d68ec1ed5cd5c66ac6ec2a7131c517bb92 |
| |
| Please see https://www.kernel.org for a full list of kernel versions |
| currently supported by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2022-49761 |
| will be updated if fixes are backported; please check it for the most |
| up-to-date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| fs/btrfs/extent-tree.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If, however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/18bd1c9c02e64a3567f90c83c2c8b855531c8098 |
| https://git.kernel.org/stable/c/fdb4a70bb768d2a87890409597529ad81cb3de8a |
| https://git.kernel.org/stable/c/853ffa1511b058c79a4c9bb1407b3b20ce311792 |
| https://git.kernel.org/stable/c/39f501d68ec1ed5cd5c66ac6ec2a7131c517bb92 |