cve/published/2024/CVE-2024-42231.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-42231: btrfs: zoned: fix calc_available_free_space() for zoned mode

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 btrfs: zoned: fix calc_available_free_space() for zoned mode

 calc_available_free_space() returns the total size of metadata (or
 system) block groups, which can be allocated from unallocated disk
 space. The logic is wrong on zoned mode in two places.

 First, the calculation of data_chunk_size is wrong. We always allocate
 one zone as one chunk, and no partial allocation of a zone. So, we
 should use zone_size (= data_sinfo->chunk_size) as it is.

 Second, the result "avail" may not be zone aligned. Since we always
 allocate one zone as one chunk on zoned mode, returning non-zone size
 aligned bytes will result in less pressure on the async metadata reclaim
 process.

 This is serious for the nearly full state with a large zone size device.
 Allowing over-commit too much will result in less async reclaim work and
 end up in ENOSPC. We can align down to the zone size to avoid that.

 The Linux kernel CVE team has assigned CVE-2024-42231 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.7 with commit cb6cbab79055ca207ad88bc54226b48ececdcef0 and fixed in 6.9.9 with commit 8548903b1999bba02a2b894ad750ab8eb1f40307
 	Issue introduced in 6.7 with commit cb6cbab79055ca207ad88bc54226b48ececdcef0 and fixed in 6.10 with commit 64d2c847ba380e07b9072d65a50aa6469d2aa43f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-42231
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/btrfs/space-info.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/8548903b1999bba02a2b894ad750ab8eb1f40307
 	https://git.kernel.org/stable/c/64d2c847ba380e07b9072d65a50aa6469d2aa43f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-42231: btrfs: zoned: fix calc_available_free_space() for zoned mode

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	btrfs: zoned: fix calc_available_free_space() for zoned mode

	calc_available_free_space() returns the total size of metadata (or
	system) block groups, which can be allocated from unallocated disk
	space. The logic is wrong on zoned mode in two places.

	First, the calculation of data_chunk_size is wrong. We always allocate
	one zone as one chunk, and no partial allocation of a zone. So, we
	should use zone_size (= data_sinfo->chunk_size) as it is.

	Second, the result "avail" may not be zone aligned. Since we always
	allocate one zone as one chunk on zoned mode, returning non-zone size
	aligned bytes will result in less pressure on the async metadata reclaim
	process.

	This is serious for the nearly full state with a large zone size device.
	Allowing over-commit too much will result in less async reclaim work and
	end up in ENOSPC. We can align down to the zone size to avoid that.

	The Linux kernel CVE team has assigned CVE-2024-42231 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.7 with commit cb6cbab79055ca207ad88bc54226b48ececdcef0 and fixed in 6.9.9 with commit 8548903b1999bba02a2b894ad750ab8eb1f40307
	Issue introduced in 6.7 with commit cb6cbab79055ca207ad88bc54226b48ececdcef0 and fixed in 6.10 with commit 64d2c847ba380e07b9072d65a50aa6469d2aa43f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-42231
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/btrfs/space-info.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/8548903b1999bba02a2b894ad750ab8eb1f40307
	https://git.kernel.org/stable/c/64d2c847ba380e07b9072d65a50aa6469d2aa43f