fkie_cve-2024-57976
Vulnerability from fkie_nvd
Published
2025-02-27 02:15
Modified
2025-07-06 10:15
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: btrfs: do proper folio cleanup when cow_file_range() failed [BUG] When testing with COW fixup marked as BUG_ON() (this is involved with the new pin_user_pages*() change, which should not result new out-of-band dirty pages), I hit a crash triggered by the BUG_ON() from hitting COW fixup path. This BUG_ON() happens just after a failed btrfs_run_delalloc_range(): BTRFS error (device dm-2): failed to run delalloc range, root 348 ino 405 folio 65536 submit_bitmap 6-15 start 90112 len 106496: -28 ------------[ cut here ]------------ kernel BUG at fs/btrfs/extent_io.c:1444! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP CPU: 0 UID: 0 PID: 434621 Comm: kworker/u24:8 Tainted: G OE 6.12.0-rc7-custom+ #86 Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs] pc : extent_writepage_io+0x2d4/0x308 [btrfs] lr : extent_writepage_io+0x2d4/0x308 [btrfs] Call trace: extent_writepage_io+0x2d4/0x308 [btrfs] extent_writepage+0x218/0x330 [btrfs] extent_write_cache_pages+0x1d4/0x4b0 [btrfs] btrfs_writepages+0x94/0x150 [btrfs] do_writepages+0x74/0x190 filemap_fdatawrite_wbc+0x88/0xc8 start_delalloc_inodes+0x180/0x3b0 [btrfs] btrfs_start_delalloc_roots+0x174/0x280 [btrfs] shrink_delalloc+0x114/0x280 [btrfs] flush_space+0x250/0x2f8 [btrfs] btrfs_async_reclaim_data_space+0x180/0x228 [btrfs] process_one_work+0x164/0x408 worker_thread+0x25c/0x388 kthread+0x100/0x118 ret_from_fork+0x10/0x20 Code: aa1403e1 9402f3ef aa1403e0 9402f36f (d4210000) ---[ end trace 0000000000000000 ]--- [CAUSE] That failure is mostly from cow_file_range(), where we can hit -ENOSPC. Although the -ENOSPC is already a bug related to our space reservation code, let's just focus on the error handling. For example, we have the following dirty range [0, 64K) of an inode, with 4K sector size and 4K page size: 0 16K 32K 48K 64K |///////////////////////////////////////| |#######################################| Where |///| means page are still dirty, and |###| means the extent io tree has EXTENT_DELALLOC flag. - Enter extent_writepage() for page 0 - Enter btrfs_run_delalloc_range() for range [0, 64K) - Enter cow_file_range() for range [0, 64K) - Function btrfs_reserve_extent() only reserved one 16K extent So we created extent map and ordered extent for range [0, 16K) 0 16K 32K 48K 64K |////////|//////////////////////////////| |<- OE ->|##############################| And range [0, 16K) has its delalloc flag cleared. But since we haven't yet submit any bio, involved 4 pages are still dirty. - Function btrfs_reserve_extent() returns with -ENOSPC Now we have to run error cleanup, which will clear all EXTENT_DELALLOC* flags and clear the dirty flags for the remaining ranges: 0 16K 32K 48K 64K |////////| | | | | Note that range [0, 16K) still has its pages dirty. - Some time later, writeback is triggered again for the range [0, 16K) since the page range still has dirty flags. - btrfs_run_delalloc_range() will do nothing because there is no EXTENT_DELALLOC flag. - extent_writepage_io() finds page 0 has no ordered flag Which falls into the COW fixup path, triggering the BUG_ON(). Unfortunately this error handling bug dates back to the introduction of btrfs. Thankfully with the abuse of COW fixup, at least it won't crash the kernel. [FIX] Instead of immediately unlocking the extent and folios, we keep the extent and folios locked until either erroring out or the whole delalloc range finished. When the whole delalloc range finished without error, we just unlock the whole range with PAGE_SET_ORDERED (and PAGE_UNLOCK for !keep_locked cases) ---truncated---
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/06f364284794f149d2abc167c11d556cf20c954b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/10b3772292bf1be45604ba83fd9650eb94382e78
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/692cf71173bb41395c855acbbbe197d3aedfa5d4
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do proper folio cleanup when cow_file_range() failed\n\n[BUG]\nWhen testing with COW fixup marked as BUG_ON() (this is involved with the\nnew pin_user_pages*() change, which should not result new out-of-band\ndirty pages), I hit a crash triggered by the BUG_ON() from hitting COW\nfixup path.\n\nThis BUG_ON() happens just after a failed btrfs_run_delalloc_range():\n\n  BTRFS error (device dm-2): failed to run delalloc range, root 348 ino 405 folio 65536 submit_bitmap 6-15 start 90112 len 106496: -28\n  ------------[ cut here ]------------\n  kernel BUG at fs/btrfs/extent_io.c:1444!\n  Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n  CPU: 0 UID: 0 PID: 434621 Comm: kworker/u24:8 Tainted: G           OE      6.12.0-rc7-custom+ #86\n  Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022\n  Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]\n  pc : extent_writepage_io+0x2d4/0x308 [btrfs]\n  lr : extent_writepage_io+0x2d4/0x308 [btrfs]\n  Call trace:\n   extent_writepage_io+0x2d4/0x308 [btrfs]\n   extent_writepage+0x218/0x330 [btrfs]\n   extent_write_cache_pages+0x1d4/0x4b0 [btrfs]\n   btrfs_writepages+0x94/0x150 [btrfs]\n   do_writepages+0x74/0x190\n   filemap_fdatawrite_wbc+0x88/0xc8\n   start_delalloc_inodes+0x180/0x3b0 [btrfs]\n   btrfs_start_delalloc_roots+0x174/0x280 [btrfs]\n   shrink_delalloc+0x114/0x280 [btrfs]\n   flush_space+0x250/0x2f8 [btrfs]\n   btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]\n   process_one_work+0x164/0x408\n   worker_thread+0x25c/0x388\n   kthread+0x100/0x118\n   ret_from_fork+0x10/0x20\n  Code: aa1403e1 9402f3ef aa1403e0 9402f36f (d4210000)\n  ---[ end trace 0000000000000000 ]---\n\n[CAUSE]\nThat failure is mostly from cow_file_range(), where we can hit -ENOSPC.\n\nAlthough the -ENOSPC is already a bug related to our space reservation\ncode, let\u0027s just focus on the error handling.\n\nFor example, we have the following dirty range [0, 64K) of an inode,\nwith 4K sector size and 4K page size:\n\n   0        16K        32K       48K       64K\n   |///////////////////////////////////////|\n   |#######################################|\n\nWhere |///| means page are still dirty, and |###| means the extent io\ntree has EXTENT_DELALLOC flag.\n\n- Enter extent_writepage() for page 0\n\n- Enter btrfs_run_delalloc_range() for range [0, 64K)\n\n- Enter cow_file_range() for range [0, 64K)\n\n- Function btrfs_reserve_extent() only reserved one 16K extent\n  So we created extent map and ordered extent for range [0, 16K)\n\n   0        16K        32K       48K       64K\n   |////////|//////////////////////////////|\n   |\u003c- OE -\u003e|##############################|\n\n   And range [0, 16K) has its delalloc flag cleared.\n   But since we haven\u0027t yet submit any bio, involved 4 pages are still\n   dirty.\n\n- Function btrfs_reserve_extent() returns with -ENOSPC\n  Now we have to run error cleanup, which will clear all\n  EXTENT_DELALLOC* flags and clear the dirty flags for the remaining\n  ranges:\n\n   0        16K        32K       48K       64K\n   |////////|                              |\n   |        |                              |\n\n  Note that range [0, 16K) still has its pages dirty.\n\n- Some time later, writeback is triggered again for the range [0, 16K)\n  since the page range still has dirty flags.\n\n- btrfs_run_delalloc_range() will do nothing because there is no\n  EXTENT_DELALLOC flag.\n\n- extent_writepage_io() finds page 0 has no ordered flag\n  Which falls into the COW fixup path, triggering the BUG_ON().\n\nUnfortunately this error handling bug dates back to the introduction of\nbtrfs.  Thankfully with the abuse of COW fixup, at least it won\u0027t crash\nthe kernel.\n\n[FIX]\nInstead of immediately unlocking the extent and folios, we keep the extent\nand folios locked until either erroring out or the whole delalloc range\nfinished.\n\nWhen the whole delalloc range finished without error, we just unlock the\nwhole range with PAGE_SET_ORDERED (and PAGE_UNLOCK for !keep_locked\ncases)\n---truncated---"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: realiza una limpieza de folio adecuada cuando falla cow_file_range() [ERROR] Al probar con la correcci\u00f3n de COW marcada como BUG_ON() (this is involved with the new pin_user_pages*() change, which should not result new out-of-band dirty pages), I hit a crash triggered by the BUG_ON() from hitting COW fixup path. This BUG_ON() happens just after a failed btrfs_run_delalloc_range(): BTRFS error (device dm-2): failed to run delalloc range, root 348 ino 405 folio 65536 submit_bitmap 6-15 start 90112 len 106496: -28 ------------[ cut here ]------------ kernel BUG at fs/btrfs/extent_io.c:1444! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP CPU: 0 UID: 0 PID: 434621 Comm: kworker/u24:8 Tainted: G OE 6.12.0-rc7-custom+ #86 Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs] pc : extent_writepage_io+0x2d4/0x308 [btrfs] lr : extent_writepage_io+0x2d4/0x308 [btrfs] Call trace: extent_writepage_io+0x2d4/0x308 [btrfs] extent_writepage+0x218/0x330 [btrfs] extent_write_cache_pages+0x1d4/0x4b0 [btrfs] btrfs_writepages+0x94/0x150 [btrfs] do_writepages+0x74/0x190 filemap_fdatawrite_wbc+0x88/0xc8 start_delalloc_inodes+0x180/0x3b0 [btrfs] btrfs_start_delalloc_roots+0x174/0x280 [btrfs] shrink_delalloc+0x114/0x280 [btrfs] flush_space+0x250/0x2f8 [btrfs] btrfs_async_reclaim_data_space+0x180/0x228 [btrfs] process_one_work+0x164/0x408 worker_thread+0x25c/0x388 kthread+0x100/0x118 ret_from_fork+0x10/0x20 Code: aa1403e1 9402f3ef aa1403e0 9402f36f (d4210000) ---[ end trace 0000000000000000 ]--- [CAUSE] That failure is mostly from cow_file_range(), where we can hit -ENOSPC. Although the -ENOSPC is already a bug related to our space reservation code, let\u0027s just focus on the error handling. For example, we have the following dirty range [0, 64K) of an inode, with 4K sector size and 4K page size: 0 16K 32K 48K 64K |///////////////////////////////////////| |#######################################| Where |///| means page are still dirty, and |###| means the extent io tree has EXTENT_DELALLOC flag. - Enter extent_writepage() for page 0 - Enter btrfs_run_delalloc_range() for range [0, 64K) - Enter cow_file_range() for range [0, 64K) - Function btrfs_reserve_extent() only reserved one 16K extent So we created extent map and ordered extent for range [0, 16K) 0 16K 32K 48K 64K |////////|//////////////////////////////| |\u0026lt;- OE -\u0026gt;|##############################| And range [0, 16K) has its delalloc flag cleared. But since we haven\u0027t yet submit any bio, involved 4 pages are still dirty. - Function btrfs_reserve_extent() returns with -ENOSPC Now we have to run error cleanup, which will clear all EXTENT_DELALLOC* flags and clear the dirty flags for the remaining ranges: 0 16K 32K 48K 64K |////////| | | | | Note that range [0, 16K) still has its pages dirty. - Some time later, writeback is triggered again for the range [0, 16K) since the page range still has dirty flags. - btrfs_run_delalloc_range() will do nothing because there is no EXTENT_DELALLOC flag. - extent_writepage_io() finds page 0 has no ordered flag Which falls into the COW fixup path, triggering the BUG_ON(). Desafortunadamente, este error de gesti\u00f3n de errores se remonta a la introducci\u00f3n de btrfs. Afortunadamente, con el abuso de la correcci\u00f3n de COW, al menos no bloquear\u00e1 el kernel. [SOLUCI\u00d3N] En lugar de desbloquear inmediatamente la extensi\u00f3n y los folios, mantenemos la extensi\u00f3n y los folios bloqueados hasta que se produzca un error o hasta que finalice todo el rango de deslocalizaci\u00f3n. Cuando finaliza todo el rango de deslocalizaci\u00f3n sin errores, simplemente desbloqueamos todo el rango con PAGE_SET_ORDERED (y PAGE_UNLOCK para los casos !keep_locked) ---truncado---"
    }
  ],
  "id": "CVE-2024-57976",
  "lastModified": "2025-07-06T10:15:23.013",
  "metrics": {},
  "published": "2025-02-27T02:15:10.790",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/06f364284794f149d2abc167c11d556cf20c954b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/10b3772292bf1be45604ba83fd9650eb94382e78"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/692cf71173bb41395c855acbbbe197d3aedfa5d4"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.