fkie_cve-2024-42266
Vulnerability from fkie_nvd
Published
2024-08-17 09:15
Modified
2024-08-19 12:59
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: btrfs: make cow_file_range_inline() honor locked_page on error The btrfs buffered write path runs through __extent_writepage() which has some tricky return value handling for writepage_delalloc(). Specifically, when that returns 1, we exit, but for other return values we continue and end up calling btrfs_folio_end_all_writers(). If the folio has been unlocked (note that we check the PageLocked bit at the start of __extent_writepage()), this results in an assert panic like this one from syzbot: BTRFS: error (device loop0 state EAL) in free_log_tree:3267: errno=-5 IO failure BTRFS warning (device loop0 state EAL): Skipping commit of aborted transaction. BTRFS: error (device loop0 state EAL) in cleanup_transaction:2018: errno=-5 IO failure assertion failed: folio_test_locked(folio), in fs/btrfs/subpage.c:871 ------------[ cut here ]------------ kernel BUG at fs/btrfs/subpage.c:871! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 PID: 5090 Comm: syz-executor225 Not tainted 6.10.0-syzkaller-05505-gb1bc554e009e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024 RIP: 0010:btrfs_folio_end_all_writers+0x55b/0x610 fs/btrfs/subpage.c:871 Code: e9 d3 fb ff ff e8 25 22 c2 fd 48 c7 c7 c0 3c 0e 8c 48 c7 c6 80 3d 0e 8c 48 c7 c2 60 3c 0e 8c b9 67 03 00 00 e8 66 47 ad 07 90 <0f> 0b e8 6e 45 b0 07 4c 89 ff be 08 00 00 00 e8 21 12 25 fe 4c 89 RSP: 0018:ffffc900033d72e0 EFLAGS: 00010246 RAX: 0000000000000045 RBX: 00fff0000000402c RCX: 663b7a08c50a0a00 RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 RBP: ffffc900033d73b0 R08: ffffffff8176b98c R09: 1ffff9200067adfc R10: dffffc0000000000 R11: fffff5200067adfd R12: 0000000000000001 R13: dffffc0000000000 R14: 0000000000000000 R15: ffffea0001cbee80 FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f5f076012f8 CR3: 000000000e134000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __extent_writepage fs/btrfs/extent_io.c:1597 [inline] extent_write_cache_pages fs/btrfs/extent_io.c:2251 [inline] btrfs_writepages+0x14d7/0x2760 fs/btrfs/extent_io.c:2373 do_writepages+0x359/0x870 mm/page-writeback.c:2656 filemap_fdatawrite_wbc+0x125/0x180 mm/filemap.c:397 __filemap_fdatawrite_range mm/filemap.c:430 [inline] __filemap_fdatawrite mm/filemap.c:436 [inline] filemap_flush+0xdf/0x130 mm/filemap.c:463 btrfs_release_file+0x117/0x130 fs/btrfs/file.c:1547 __fput+0x24a/0x8a0 fs/file_table.c:422 task_work_run+0x24f/0x310 kernel/task_work.c:222 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0xa2f/0x27f0 kernel/exit.c:877 do_group_exit+0x207/0x2c0 kernel/exit.c:1026 __do_sys_exit_group kernel/exit.c:1037 [inline] __se_sys_exit_group kernel/exit.c:1035 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1035 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5f075b70c9 Code: Unable to access opcode bytes at 0x7f5f075b709f. I was hitting the same issue by doing hundreds of accelerated runs of generic/475, which also hits IO errors by design. I instrumented that reproducer with bpftrace and found that the undesirable folio_unlock was coming from the following callstack: folio_unlock+5 __process_pages_contig+475 cow_file_range_inline.constprop.0+230 cow_file_range+803 btrfs_run_delalloc_range+566 writepage_delalloc+332 __extent_writepage # inlined in my stacktrace, but I added it here extent_write_cache_pages+622 Looking at the bisected-to pa ---truncated---
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/061e41581606000a83ce0f0f01d6ad338f3704e9
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/478574370bef7951fbd9ef5155537d6cbed49472
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: make cow_file_range_inline() honor locked_page on error\n\nThe btrfs buffered write path runs through __extent_writepage() which\nhas some tricky return value handling for writepage_delalloc().\nSpecifically, when that returns 1, we exit, but for other return values\nwe continue and end up calling btrfs_folio_end_all_writers(). If the\nfolio has been unlocked (note that we check the PageLocked bit at the\nstart of __extent_writepage()), this results in an assert panic like\nthis one from syzbot:\n\n  BTRFS: error (device loop0 state EAL) in free_log_tree:3267: errno=-5 IO failure\n  BTRFS warning (device loop0 state EAL): Skipping commit of aborted transaction.\n  BTRFS: error (device loop0 state EAL) in cleanup_transaction:2018: errno=-5 IO failure\n  assertion failed: folio_test_locked(folio), in fs/btrfs/subpage.c:871\n  ------------[ cut here ]------------\n  kernel BUG at fs/btrfs/subpage.c:871!\n  Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\n  CPU: 1 PID: 5090 Comm: syz-executor225 Not tainted\n  6.10.0-syzkaller-05505-gb1bc554e009e #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS\n  Google 06/27/2024\n  RIP: 0010:btrfs_folio_end_all_writers+0x55b/0x610 fs/btrfs/subpage.c:871\n  Code: e9 d3 fb ff ff e8 25 22 c2 fd 48 c7 c7 c0 3c 0e 8c 48 c7 c6 80 3d\n  0e 8c 48 c7 c2 60 3c 0e 8c b9 67 03 00 00 e8 66 47 ad 07 90 \u003c0f\u003e 0b e8\n  6e 45 b0 07 4c 89 ff be 08 00 00 00 e8 21 12 25 fe 4c 89\n  RSP: 0018:ffffc900033d72e0 EFLAGS: 00010246\n  RAX: 0000000000000045 RBX: 00fff0000000402c RCX: 663b7a08c50a0a00\n  RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000\n  RBP: ffffc900033d73b0 R08: ffffffff8176b98c R09: 1ffff9200067adfc\n  R10: dffffc0000000000 R11: fffff5200067adfd R12: 0000000000000001\n  R13: dffffc0000000000 R14: 0000000000000000 R15: ffffea0001cbee80\n  FS:  0000000000000000(0000) GS:ffff8880b9500000(0000)\n  knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f5f076012f8 CR3: 000000000e134000 CR4: 00000000003506f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n  \u003cTASK\u003e\n  __extent_writepage fs/btrfs/extent_io.c:1597 [inline]\n  extent_write_cache_pages fs/btrfs/extent_io.c:2251 [inline]\n  btrfs_writepages+0x14d7/0x2760 fs/btrfs/extent_io.c:2373\n  do_writepages+0x359/0x870 mm/page-writeback.c:2656\n  filemap_fdatawrite_wbc+0x125/0x180 mm/filemap.c:397\n  __filemap_fdatawrite_range mm/filemap.c:430 [inline]\n  __filemap_fdatawrite mm/filemap.c:436 [inline]\n  filemap_flush+0xdf/0x130 mm/filemap.c:463\n  btrfs_release_file+0x117/0x130 fs/btrfs/file.c:1547\n  __fput+0x24a/0x8a0 fs/file_table.c:422\n  task_work_run+0x24f/0x310 kernel/task_work.c:222\n  exit_task_work include/linux/task_work.h:40 [inline]\n  do_exit+0xa2f/0x27f0 kernel/exit.c:877\n  do_group_exit+0x207/0x2c0 kernel/exit.c:1026\n  __do_sys_exit_group kernel/exit.c:1037 [inline]\n  __se_sys_exit_group kernel/exit.c:1035 [inline]\n  __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1035\n  x64_sys_call+0x2634/0x2640\n  arch/x86/include/generated/asm/syscalls_64.h:232\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7f5f075b70c9\n  Code: Unable to access opcode bytes at\n  0x7f5f075b709f.\n\nI was hitting the same issue by doing hundreds of accelerated runs of\ngeneric/475, which also hits IO errors by design.\n\nI instrumented that reproducer with bpftrace and found that the\nundesirable folio_unlock was coming from the following callstack:\n\n  folio_unlock+5\n  __process_pages_contig+475\n  cow_file_range_inline.constprop.0+230\n  cow_file_range+803\n  btrfs_run_delalloc_range+566\n  writepage_delalloc+332\n  __extent_writepage # inlined in my stacktrace, but I added it here\n  extent_write_cache_pages+622\n\nLooking at the bisected-to pa\n---truncated---"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: haga que cow_file_range_inline() respete la p\u00e1gina bloqueada en caso de error. La ruta de escritura almacenada en el b\u00fafer de btrfs pasa por __extent_writepage(), que tiene un manejo complicado del valor de retorno para writepage_delalloc(). Espec\u00edficamente, cuando eso devuelve 1, salimos, pero para otros valores de retorno continuamos y terminamos llamando a btrfs_folio_end_all_writers(). Si la publicaci\u00f3n se ha desbloqueado (tenga en cuenta que verificamos el bit PageLocked al inicio de __extent_writepage()), esto resulta en un p\u00e1nico de afirmaci\u00f3n como este de syzbot: BTRFS: error (device loop0 state EAL) in free_log_tree:3267: errno = -5 Fallo de E/S Advertencia BTRFS (estado EAL del bucle 0 del dispositivo): omitir El commit de la transacci\u00f3n abortada. BTRFS: error (EAL de estado de bucle 0 del dispositivo) en cleanup_transaction:2018: errno=-5 Error de aserci\u00f3n de E/S fallida: folio_test_locked(folio), en fs/btrfs/subpage.c:871 ------------ [cortar aqu\u00ed]------------ \u00a1ERROR del kernel en fs/btrfs/subpage.c:871! Vaya: c\u00f3digo de operaci\u00f3n no v\u00e1lido: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 PID: 5090 Comm: syz-executor225 No est\u00e1 contaminado 6.10.0-syzkaller-05505-gb1bc554e009e #0 Nombre de hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 27/06/2024 RIP: 0010:btrfs_folio_end_all_writers+0x55b/0x610 fs/btrfs/subpage.c:871 C\u00f3digo: e9 d3 fb ff ff e8 25 22 c2 fd 48 c7 c7 c0 3c 0e 8c 48 c7 c6 80 3d 0e 8c 48 c7 c2 60 3c 0e 8c b9 67 03 00 00 e8 66 47 ad 07 90 \u0026lt;0f\u0026gt; 0b e8 6e 45 b0 07 4c 89 ff be 08 00 00 00 e8 21 12 25 fe 4c 89 RSP: 00033d72e0 EFLAGS: 00010246 RAX: 0000000000000045 RBX: 00fff0000000402c RCX: 663b7a08c50a0a00 RDX: 0000000000000000 RSI: 0000000080000000 RDI: 000000000 0000000 RBP: ffffc900033d73b0 R08: ffffffff8176b98c R09: 1ffff9200067adfc R10: dffffc0000000000 R11: fffff5200067adfd R12: 0000000000000001 R13: 0000000000 R14: 0000000000000000 R15: ffffea0001cbee80 FS: 0000000000000000( 0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f5f076012f8 CR3: e134000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffe0ff0 DR7: 0000000000000400 Seguimiento de llamadas:  __extent_writepage fs/btrfs/extent_io.c:1597 [en l\u00ednea] extend_write_cache_pages fs/btrfs/extent_io.c:2251 [en l\u00ednea] btrfs_writepages+0x14d7/0x2760 fs/btrfs/extent_io.c:2373 do_writepages+0x359/ 0x870 mm/page-writeback.c:2656 filemap_fdatawrite_wbc+0x125/0x180 mm/filemap.c:397 __filemap_fdatawrite_range mm/filemap.c:430 [en l\u00ednea] __filemap_fdatawrite mm/filemap.c:436 [en l\u00ednea] filemap_flush+0xdf/0x130 mm /filemap.c:463 btrfs_release_file+0x117/0x130 fs/btrfs/file.c:1547 __fput+0x24a/0x8a0 fs/file_table.c:422 task_work_run+0x24f/0x310 kernel/task_work.c:222 exit_task_work include/linux/task_work .h:40 [en l\u00ednea] do_exit+0xa2f/0x27f0 kernel/exit.c:877 do_group_exit+0x207/0x2c0 kernel/exit.c:1026 __do_sys_exit_group kernel/exit.c:1037 [en l\u00ednea] __se_sys_exit_group kernel/exit.c:1035 [en l\u00ednea] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1035 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [en l\u00ednea] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 Entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5f075b70c9 C\u00f3digo: No se puede acceder a los bytes del c\u00f3digo de operaci\u00f3n en 0x7f5f075b709f. Me encontr\u00e9 con el mismo problema al realizar cientos de ejecuciones aceleradas de generic/475, que tambi\u00e9n genera errores de IO por dise\u00f1o. Instrument\u00e9 ese reproductor con bpftrace y descubr\u00ed que el folio_unlock no deseado proven\u00eda de la siguiente pila de llamadas: folio_unlock+5 __process_pages_contig+475 cow_file_range_inline.constprop.0+230 cow_file_range+803 btrfs_run_delalloc_range+566 writepage_delalloc+332 __extent_writepage #  ---truncado---"
    }
  ],
  "id": "CVE-2024-42266",
  "lastModified": "2024-08-19T12:59:59.177",
  "metrics": {},
  "published": "2024-08-17T09:15:07.967",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/061e41581606000a83ce0f0f01d6ad338f3704e9"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/478574370bef7951fbd9ef5155537d6cbed49472"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.