cve/published/2024/CVE-2024-26726.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26726: btrfs: don't drop extent_map for free space inode on write error

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 btrfs: don't drop extent_map for free space inode on write error

 While running the CI for an unrelated change I hit the following panic
 with generic/648 on btrfs_holes_spacecache.

 assertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385
 ------------[ cut here ]------------
 kernel BUG at fs/btrfs/extent_io.c:1385!
 invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
 CPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G        W          6.8.0-rc2+ #1
 RIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0
 Call Trace:
  <TASK>
  extent_write_cache_pages+0x2ac/0x8f0
  extent_writepages+0x87/0x110
  do_writepages+0xd5/0x1f0
  filemap_fdatawrite_wbc+0x63/0x90
  __filemap_fdatawrite_range+0x5c/0x80
  btrfs_fdatawrite_range+0x1f/0x50
  btrfs_write_out_cache+0x507/0x560
  btrfs_write_dirty_block_groups+0x32a/0x420
  commit_cowonly_roots+0x21b/0x290
  btrfs_commit_transaction+0x813/0x1360
  btrfs_sync_file+0x51a/0x640
  __x64_sys_fdatasync+0x52/0x90
  do_syscall_64+0x9c/0x190
  entry_SYSCALL_64_after_hwframe+0x6e/0x76

 This happens because we fail to write out the free space cache in one
 instance, come back around and attempt to write it again.  However on
 the second pass through we go to call btrfs_get_extent() on the inode to
 get the extent mapping.  Because this is a new block group, and with the
 free space inode we always search the commit root to avoid deadlocking
 with the tree, we find nothing and return a EXTENT_MAP_HOLE for the
 requested range.

 This happens because the first time we try to write the space cache out
 we hit an error, and on an error we drop the extent mapping.  This is
 normal for normal files, but the free space cache inode is special.  We
 always expect the extent map to be correct.  Thus the second time
 through we end up with a bogus extent map.

 Since we're deprecating this feature, the most straightforward way to
 fix this is to simply skip dropping the extent map range for this failed
 range.

 I shortened the test by using error injection to stress the area to make
 it easier to reproduce.  With this patch in place we no longer panic
 with my error injection test.

 The Linux kernel CVE team has assigned CVE-2024-26726 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 6.1.79 with commit 02f2b95b00bf57d20320ee168b30fb7f3db8e555
 	Fixed in 6.6.18 with commit 7bddf18f474f166c19f91b2baf67bf7c5eda03f7
 	Fixed in 6.7.6 with commit a4b7741c8302e28073bfc6dd1c2e73598e5e535e
 	Fixed in 6.8 with commit 5571e41ec6e56e35f34ae9f5b3a335ef510e0ade

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26726
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/btrfs/inode.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/02f2b95b00bf57d20320ee168b30fb7f3db8e555
 	https://git.kernel.org/stable/c/7bddf18f474f166c19f91b2baf67bf7c5eda03f7
 	https://git.kernel.org/stable/c/a4b7741c8302e28073bfc6dd1c2e73598e5e535e
 	https://git.kernel.org/stable/c/5571e41ec6e56e35f34ae9f5b3a335ef510e0ade
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26726: btrfs: don't drop extent_map for free space inode on write error

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	btrfs: don't drop extent_map for free space inode on write error

	While running the CI for an unrelated change I hit the following panic
	with generic/648 on btrfs_holes_spacecache.

	assertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385
	------------[ cut here ]------------
	kernel BUG at fs/btrfs/extent_io.c:1385!
	invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
	CPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1
	RIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0
	Call Trace:
	<TASK>
	extent_write_cache_pages+0x2ac/0x8f0
	extent_writepages+0x87/0x110
	do_writepages+0xd5/0x1f0
	filemap_fdatawrite_wbc+0x63/0x90
	__filemap_fdatawrite_range+0x5c/0x80
	btrfs_fdatawrite_range+0x1f/0x50
	btrfs_write_out_cache+0x507/0x560
	btrfs_write_dirty_block_groups+0x32a/0x420
	commit_cowonly_roots+0x21b/0x290
	btrfs_commit_transaction+0x813/0x1360
	btrfs_sync_file+0x51a/0x640
	__x64_sys_fdatasync+0x52/0x90
	do_syscall_64+0x9c/0x190
	entry_SYSCALL_64_after_hwframe+0x6e/0x76

	This happens because we fail to write out the free space cache in one
	instance, come back around and attempt to write it again. However on
	the second pass through we go to call btrfs_get_extent() on the inode to
	get the extent mapping. Because this is a new block group, and with the
	free space inode we always search the commit root to avoid deadlocking
	with the tree, we find nothing and return a EXTENT_MAP_HOLE for the
	requested range.

	This happens because the first time we try to write the space cache out
	we hit an error, and on an error we drop the extent mapping. This is
	normal for normal files, but the free space cache inode is special. We
	always expect the extent map to be correct. Thus the second time
	through we end up with a bogus extent map.

	Since we're deprecating this feature, the most straightforward way to
	fix this is to simply skip dropping the extent map range for this failed
	range.

	I shortened the test by using error injection to stress the area to make
	it easier to reproduce. With this patch in place we no longer panic
	with my error injection test.

	The Linux kernel CVE team has assigned CVE-2024-26726 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 6.1.79 with commit 02f2b95b00bf57d20320ee168b30fb7f3db8e555
	Fixed in 6.6.18 with commit 7bddf18f474f166c19f91b2baf67bf7c5eda03f7
	Fixed in 6.7.6 with commit a4b7741c8302e28073bfc6dd1c2e73598e5e535e
	Fixed in 6.8 with commit 5571e41ec6e56e35f34ae9f5b3a335ef510e0ade

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26726
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/btrfs/inode.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/02f2b95b00bf57d20320ee168b30fb7f3db8e555
	https://git.kernel.org/stable/c/7bddf18f474f166c19f91b2baf67bf7c5eda03f7
	https://git.kernel.org/stable/c/a4b7741c8302e28073bfc6dd1c2e73598e5e535e
	https://git.kernel.org/stable/c/5571e41ec6e56e35f34ae9f5b3a335ef510e0ade