ghsa-wp4j-4pcv-wwf5
Vulnerability from github
Published
2025-02-27 03:33
Modified
2025-02-27 03:33
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: do proper folio cleanup when run_delalloc_nocow() failed

[BUG] With CONFIG_DEBUG_VM set, test case generic/476 has some chance to crash with the following VM_BUG_ON_FOLIO():

BTRFS error (device dm-3): cow_file_range failed, start 1146880 end 1253375 len 106496 ret -28 BTRFS error (device dm-3): run_delalloc_nocow failed, start 1146880 end 1253375 len 106496 ret -28 page: refcount:4 mapcount:0 mapping:00000000592787cc index:0x12 pfn:0x10664 aops:btrfs_aops [btrfs] ino:101 dentry name(?):"f1774" flags: 0x2fffff80004028(uptodate|lru|private|node=0|zone=2|lastcpupid=0xfffff) page dumped because: VM_BUG_ON_FOLIO(!folio_test_locked(folio)) ------------[ cut here ]------------ kernel BUG at mm/page-writeback.c:2992! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP CPU: 2 UID: 0 PID: 3943513 Comm: kworker/u24:15 Tainted: G OE 6.12.0-rc7-custom+ #87 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs] pc : folio_clear_dirty_for_io+0x128/0x258 lr : folio_clear_dirty_for_io+0x128/0x258 Call trace: folio_clear_dirty_for_io+0x128/0x258 btrfs_folio_clamp_clear_dirty+0x80/0xd0 [btrfs] __process_folios_contig+0x154/0x268 [btrfs] extent_clear_unlock_delalloc+0x5c/0x80 [btrfs] run_delalloc_nocow+0x5f8/0x760 [btrfs] btrfs_run_delalloc_range+0xa8/0x220 [btrfs] writepage_delalloc+0x230/0x4c8 [btrfs] extent_writepage+0xb8/0x358 [btrfs] extent_write_cache_pages+0x21c/0x4e8 [btrfs] btrfs_writepages+0x94/0x150 [btrfs] do_writepages+0x74/0x190 filemap_fdatawrite_wbc+0x88/0xc8 start_delalloc_inodes+0x178/0x3a8 [btrfs] btrfs_start_delalloc_roots+0x174/0x280 [btrfs] shrink_delalloc+0x114/0x280 [btrfs] flush_space+0x250/0x2f8 [btrfs] btrfs_async_reclaim_data_space+0x180/0x228 [btrfs] process_one_work+0x164/0x408 worker_thread+0x25c/0x388 kthread+0x100/0x118 ret_from_fork+0x10/0x20 Code: 910a8021 a90363f7 a9046bf9 94012379 (d4210000) ---[ end trace 0000000000000000 ]---

[CAUSE] The first two lines of extra debug messages show the problem is caused by the error handling of run_delalloc_nocow().

E.g. we have the following dirtied range (4K blocksize 4K page size):

0                 16K                  32K
|//////////////////////////////////////|
|  Pre-allocated  |

And the range [0, 16K) has a preallocated extent.

  • Enter run_delalloc_nocow() for range [0, 16K) Which found range [0, 16K) is preallocated, can do the proper NOCOW write.

  • Enter fallback_to_fow() for range [16K, 32K) Since the range [16K, 32K) is not backed by preallocated extent, we have to go COW.

  • cow_file_range() failed for range [16K, 32K) So cow_file_range() will do the clean up by clearing folio dirty, unlock the folios.

Now the folios in range [16K, 32K) is unlocked.

  • Enter extent_clear_unlock_delalloc() from run_delalloc_nocow() Which is called with PAGE_START_WRITEBACK to start page writeback. But folios can only be marked writeback when it's properly locked, thus this triggered the VM_BUG_ON_FOLIO().

Furthermore there is another hidden but common bug that run_delalloc_nocow() is not clearing the folio dirty flags in its error handling path. This is the common bug shared between run_delalloc_nocow() and cow_file_range().

[FIX] - Clear folio dirty for range [@start, @cur_offset) Introduce a helper, cleanup_dirty_folios(), which will find and lock the folio in the range, clear the dirty flag and start/end the writeback, with the extra handling for the @locked_folio.

  • Introduce a helper to clear folio dirty, start and end writeback

  • Introduce a helper to record the last failed COW range end This is to trace which range we should skip, to avoid double unlocking.

  • Skip the failed COW range for the e ---truncated---

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-57975"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-27T02:15:10Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do proper folio cleanup when run_delalloc_nocow() failed\n\n[BUG]\nWith CONFIG_DEBUG_VM set, test case generic/476 has some chance to crash\nwith the following VM_BUG_ON_FOLIO():\n\n  BTRFS error (device dm-3): cow_file_range failed, start 1146880 end 1253375 len 106496 ret -28\n  BTRFS error (device dm-3): run_delalloc_nocow failed, start 1146880 end 1253375 len 106496 ret -28\n  page: refcount:4 mapcount:0 mapping:00000000592787cc index:0x12 pfn:0x10664\n  aops:btrfs_aops [btrfs] ino:101 dentry name(?):\"f1774\"\n  flags: 0x2fffff80004028(uptodate|lru|private|node=0|zone=2|lastcpupid=0xfffff)\n  page dumped because: VM_BUG_ON_FOLIO(!folio_test_locked(folio))\n  ------------[ cut here ]------------\n  kernel BUG at mm/page-writeback.c:2992!\n  Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n  CPU: 2 UID: 0 PID: 3943513 Comm: kworker/u24:15 Tainted: G           OE      6.12.0-rc7-custom+ #87\n  Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n  Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022\n  Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]\n  pc : folio_clear_dirty_for_io+0x128/0x258\n  lr : folio_clear_dirty_for_io+0x128/0x258\n  Call trace:\n   folio_clear_dirty_for_io+0x128/0x258\n   btrfs_folio_clamp_clear_dirty+0x80/0xd0 [btrfs]\n   __process_folios_contig+0x154/0x268 [btrfs]\n   extent_clear_unlock_delalloc+0x5c/0x80 [btrfs]\n   run_delalloc_nocow+0x5f8/0x760 [btrfs]\n   btrfs_run_delalloc_range+0xa8/0x220 [btrfs]\n   writepage_delalloc+0x230/0x4c8 [btrfs]\n   extent_writepage+0xb8/0x358 [btrfs]\n   extent_write_cache_pages+0x21c/0x4e8 [btrfs]\n   btrfs_writepages+0x94/0x150 [btrfs]\n   do_writepages+0x74/0x190\n   filemap_fdatawrite_wbc+0x88/0xc8\n   start_delalloc_inodes+0x178/0x3a8 [btrfs]\n   btrfs_start_delalloc_roots+0x174/0x280 [btrfs]\n   shrink_delalloc+0x114/0x280 [btrfs]\n   flush_space+0x250/0x2f8 [btrfs]\n   btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]\n   process_one_work+0x164/0x408\n   worker_thread+0x25c/0x388\n   kthread+0x100/0x118\n   ret_from_fork+0x10/0x20\n  Code: 910a8021 a90363f7 a9046bf9 94012379 (d4210000)\n  ---[ end trace 0000000000000000 ]---\n\n[CAUSE]\nThe first two lines of extra debug messages show the problem is caused\nby the error handling of run_delalloc_nocow().\n\nE.g. we have the following dirtied range (4K blocksize 4K page size):\n\n    0                 16K                  32K\n    |//////////////////////////////////////|\n    |  Pre-allocated  |\n\nAnd the range [0, 16K) has a preallocated extent.\n\n- Enter run_delalloc_nocow() for range [0, 16K)\n  Which found range [0, 16K) is preallocated, can do the proper NOCOW\n  write.\n\n- Enter fallback_to_fow() for range [16K, 32K)\n  Since the range [16K, 32K) is not backed by preallocated extent, we\n  have to go COW.\n\n- cow_file_range() failed for range [16K, 32K)\n  So cow_file_range() will do the clean up by clearing folio dirty,\n  unlock the folios.\n\n  Now the folios in range [16K, 32K) is unlocked.\n\n- Enter extent_clear_unlock_delalloc() from run_delalloc_nocow()\n  Which is called with PAGE_START_WRITEBACK to start page writeback.\n  But folios can only be marked writeback when it\u0027s properly locked,\n  thus this triggered the VM_BUG_ON_FOLIO().\n\nFurthermore there is another hidden but common bug that\nrun_delalloc_nocow() is not clearing the folio dirty flags in its error\nhandling path.\nThis is the common bug shared between run_delalloc_nocow() and\ncow_file_range().\n\n[FIX]\n- Clear folio dirty for range [@start, @cur_offset)\n  Introduce a helper, cleanup_dirty_folios(), which\n  will find and lock the folio in the range, clear the dirty flag and\n  start/end the writeback, with the extra handling for the\n  @locked_folio.\n\n- Introduce a helper to clear folio dirty, start and end writeback\n\n- Introduce a helper to record the last failed COW range end\n  This is to trace which range we should skip, to avoid double\n  unlocking.\n\n- Skip the failed COW range for the e\n---truncated---",
  "id": "GHSA-wp4j-4pcv-wwf5",
  "modified": "2025-02-27T03:33:58Z",
  "published": "2025-02-27T03:33:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57975"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2434533f1c963e7317c45880c98287e5bed98325"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5ae72abbf91eb172ce3a838a4dc34be3c9707296"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c2b47df81c8e20a8e8cd94f0d7df211137ae94ed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.