cve/published/2023/CVE-2023-52897.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52897: btrfs: qgroup: do not warn on record without old_roots populated

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 btrfs: qgroup: do not warn on record without old_roots populated

 [BUG]
 There are some reports from the mailing list that since v6.1 kernel, the
 WARN_ON() inside btrfs_qgroup_account_extent() gets triggered during
 rescan:

   WARNING: CPU: 3 PID: 6424 at fs/btrfs/qgroup.c:2756 btrfs_qgroup_account_extents+0x1ae/0x260 [btrfs]
   CPU: 3 PID: 6424 Comm: snapperd Tainted: P           OE      6.1.2-1-default #1 openSUSE Tumbleweed 05c7a1b1b61d5627475528f71f50444637b5aad7
   RIP: 0010:btrfs_qgroup_account_extents+0x1ae/0x260 [btrfs]
   Call Trace:
    <TASK>
   btrfs_commit_transaction+0x30c/0xb40 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]
    ? start_transaction+0xc3/0x5b0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]
   btrfs_qgroup_rescan+0x42/0xc0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]
    btrfs_ioctl+0x1ab9/0x25c0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]
    ? __rseq_handle_notify_resume+0xa9/0x4a0
    ? mntput_no_expire+0x4a/0x240
    ? __seccomp_filter+0x319/0x4d0
    __x64_sys_ioctl+0x90/0xd0
    do_syscall_64+0x5b/0x80
    ? syscall_exit_to_user_mode+0x17/0x40
    ? do_syscall_64+0x67/0x80
   entry_SYSCALL_64_after_hwframe+0x63/0xcd
   RIP: 0033:0x7fd9b790d9bf
    </TASK>

 [CAUSE]
 Since commit e15e9f43c7ca ("btrfs: introduce
 BTRFS_QGROUP_RUNTIME_FLAG_NO_ACCOUNTING to skip qgroup accounting"), if
 our qgroup is already in inconsistent state, we will no longer do the
 time-consuming backref walk.

 This can leave some qgroup records without a valid old_roots ulist.
 Normally this is fine, as btrfs_qgroup_account_extents() would also skip
 those records if we have NO_ACCOUNTING flag set.

 But there is a small window, if we have NO_ACCOUNTING flag set, and
 inserted some qgroup_record without a old_roots ulist, but then the user
 triggered a qgroup rescan.

 During btrfs_qgroup_rescan(), we firstly clear NO_ACCOUNTING flag, then
 commit current transaction.

 And since we have a qgroup_record with old_roots = NULL, we trigger the
 WARN_ON() during btrfs_qgroup_account_extents().

 [FIX]
 Unfortunately due to the introduction of NO_ACCOUNTING flag, the
 assumption that every qgroup_record would have its old_roots populated
 is no longer correct.

 Fix the false alerts and drop the WARN_ON().

 The Linux kernel CVE team has assigned CVE-2023-52897 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.1 with commit e15e9f43c7ca25603fcf4c20d44ec777726f1034 and fixed in 6.1.8 with commit bb2c2e62539f2b63c5e0beb51501d328260c7595
 	Issue introduced in 6.1 with commit e15e9f43c7ca25603fcf4c20d44ec777726f1034 and fixed in 6.2 with commit 75181406b4eafacc531ff2ee5fb032bd93317e2b

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52897
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/btrfs/qgroup.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/bb2c2e62539f2b63c5e0beb51501d328260c7595
 	https://git.kernel.org/stable/c/75181406b4eafacc531ff2ee5fb032bd93317e2b
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52897: btrfs: qgroup: do not warn on record without old_roots populated

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	btrfs: qgroup: do not warn on record without old_roots populated

	[BUG]
	There are some reports from the mailing list that since v6.1 kernel, the
	WARN_ON() inside btrfs_qgroup_account_extent() gets triggered during
	rescan:

	WARNING: CPU: 3 PID: 6424 at fs/btrfs/qgroup.c:2756 btrfs_qgroup_account_extents+0x1ae/0x260 [btrfs]
	CPU: 3 PID: 6424 Comm: snapperd Tainted: P OE 6.1.2-1-default #1 openSUSE Tumbleweed 05c7a1b1b61d5627475528f71f50444637b5aad7
	RIP: 0010:btrfs_qgroup_account_extents+0x1ae/0x260 [btrfs]
	Call Trace:
	<TASK>
	btrfs_commit_transaction+0x30c/0xb40 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]
	? start_transaction+0xc3/0x5b0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]
	btrfs_qgroup_rescan+0x42/0xc0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]
	btrfs_ioctl+0x1ab9/0x25c0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]
	? __rseq_handle_notify_resume+0xa9/0x4a0
	? mntput_no_expire+0x4a/0x240
	? __seccomp_filter+0x319/0x4d0
	__x64_sys_ioctl+0x90/0xd0
	do_syscall_64+0x5b/0x80
	? syscall_exit_to_user_mode+0x17/0x40
	? do_syscall_64+0x67/0x80
	entry_SYSCALL_64_after_hwframe+0x63/0xcd
	RIP: 0033:0x7fd9b790d9bf
	</TASK>

	[CAUSE]
	Since commit e15e9f43c7ca ("btrfs: introduce
	BTRFS_QGROUP_RUNTIME_FLAG_NO_ACCOUNTING to skip qgroup accounting"), if
	our qgroup is already in inconsistent state, we will no longer do the
	time-consuming backref walk.

	This can leave some qgroup records without a valid old_roots ulist.
	Normally this is fine, as btrfs_qgroup_account_extents() would also skip
	those records if we have NO_ACCOUNTING flag set.

	But there is a small window, if we have NO_ACCOUNTING flag set, and
	inserted some qgroup_record without a old_roots ulist, but then the user
	triggered a qgroup rescan.

	During btrfs_qgroup_rescan(), we firstly clear NO_ACCOUNTING flag, then
	commit current transaction.

	And since we have a qgroup_record with old_roots = NULL, we trigger the
	WARN_ON() during btrfs_qgroup_account_extents().

	[FIX]
	Unfortunately due to the introduction of NO_ACCOUNTING flag, the
	assumption that every qgroup_record would have its old_roots populated
	is no longer correct.

	Fix the false alerts and drop the WARN_ON().

	The Linux kernel CVE team has assigned CVE-2023-52897 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.1 with commit e15e9f43c7ca25603fcf4c20d44ec777726f1034 and fixed in 6.1.8 with commit bb2c2e62539f2b63c5e0beb51501d328260c7595
	Issue introduced in 6.1 with commit e15e9f43c7ca25603fcf4c20d44ec777726f1034 and fixed in 6.2 with commit 75181406b4eafacc531ff2ee5fb032bd93317e2b

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52897
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/btrfs/qgroup.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/bb2c2e62539f2b63c5e0beb51501d328260c7595
	https://git.kernel.org/stable/c/75181406b4eafacc531ff2ee5fb032bd93317e2b