CVE-2023-54002

Source
https://cve.org/CVERecord?id=CVE-2023-54002
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54002.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-54002
Published
2025-12-24T10:55:37.699Z
Modified
2026-01-05T21:12:51.807302Z
Summary
btrfs: fix assertion of exclop condition when starting balance
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix assertion of exclop condition when starting balance

Balance as exclusive state is compatible with paused balance and device add, which makes some things more complicated. The assertion of valid states when starting from paused balance needs to take into account two more states, the combinations can be hit when there are several threads racing to start balance and device add. This won't typically happen when the commands are started from command line.

Scenario 1: With exclusive_operation state == BTRFS_EXCLOP_NONE.

When multiple devices are added concurrently to the same mount point and btrfs_exclop_finish finishes before the assertion in btrfs_exclop_balance, exclusive_operation will be changed to the BTRFS_EXCLOP_NONE state, which leads to a failed assertion:

  fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE ||
  fs_info->exclusive_operation == BTRFS_EXCLOP_DEV_ADD,
  in fs/btrfs/ioctl.c:456
  Call Trace:
   <TASK>
   btrfs_exclop_balance+0x13c/0x310
   ? memdup_user+0xab/0xc0
   ? PTR_ERR+0x17/0x20
   btrfs_ioctl_add_dev+0x2ee/0x320
   btrfs_ioctl+0x9d5/0x10d0
   ? btrfs_ioctl_encoded_write+0xb80/0xb80
   __x64_sys_ioctl+0x197/0x210
   do_syscall_64+0x3c/0xb0
   entry_SYSCALL_64_after_hwframe+0x63/0xcd

Scenario 2: With exclusive_operation state == BTRFS_EXCLOP_BALANCE_PAUSED.

When multiple devices are added concurrently to the same mount point and btrfs_exclop_balance finishes before the latter thread executes the assertion in btrfs_exclop_balance, exclusive_operation will be changed to the BTRFS_EXCLOP_BALANCE_PAUSED state, which leads to a failed assertion:

  fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE ||
  fs_info->exclusive_operation == BTRFS_EXCLOP_DEV_ADD ||
  fs_info->exclusive_operation == BTRFS_EXCLOP_NONE,
  fs/btrfs/ioctl.c:458
  Call Trace:
   <TASK>
   btrfs_exclop_balance+0x240/0x410
   ? memdup_user+0xab/0xc0
   ? PTR_ERR+0x17/0x20
   btrfs_ioctl_add_dev+0x2ee/0x320
   btrfs_ioctl+0x9d5/0x10d0
   ? btrfs_ioctl_encoded_write+0xb80/0xb80
   __x64_sys_ioctl+0x197/0x210
   do_syscall_64+0x3c/0xb0
   entry_SYSCALL_64_after_hwframe+0x63/0xcd

An example of the failed assertion is below, which shows that the paused balance also needs to be checked.

  root@syzkaller:/home/xsk# ./repro
  Failed to add device /dev/vda, errno 14
  Failed to add device /dev/vda, errno 14
  Failed to add device /dev/vda, errno 14
  Failed to add device /dev/vda, errno 14
  Failed to add device /dev/vda, errno 14
  Failed to add device /dev/vda, errno 14
  Failed to add device /dev/vda, errno 14
  Failed to add device /dev/vda, errno 14
  Failed to add device /dev/vda, errno 14
  [ 416.611428][ T7970] BTRFS info (device loop0): fs_info exclusive_operation: 0
  Failed to add device /dev/vda, errno 14
  [ 416.613973][ T7971] BTRFS info (device loop0): fs_info exclusive_operation: 3
  Failed to add device /dev/vda, errno 14
  [ 416.615456][ T7972] BTRFS info (device loop0): fs_info exclusive_operation: 3
  Failed to add device /dev/vda, errno 14
  [ 416.617528][ T7973] BTRFS info (device loop0): fs_info exclusive_operation: 3
  Failed to add device /dev/vda, errno 14
  [ 416.618359][ T7974] BTRFS info (device loop0): fs_info exclusive_operation: 3
  Failed to add device /dev/vda, errno 14
  [ 416.622589][ T7975] BTRFS info (device loop0): fs_info exclusive_operation: 3
  Failed to add device /dev/vda, errno 14
  [ 416.624034][ T7976] BTRFS info (device loop0): fs_info exclusive_operation: 3
  Failed to add device /dev/vda, errno 14
  [ 416.626420][ T7977] BTRFS info (device loop0): fs_info exclusive_operation: 3
  Failed to add device /dev/vda, errno 14
  [ 416.627643][ T7978] BTRFS info (device loop0): fs_info exclusive_operation: 3
  Failed to add device /dev/vda, errno 14
  [ 416.629006][ T7979] BTRFS info (device loop0): fs_info exclusive_operation: 3
  [ 416.630298][ T7980] BTRFS info (device loop0): fs_info exclusive_operation: 3
  Fai ---truncated---
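The two scenarios above can be replayed in a small user-space model. This is an added example, not kernel code and not part of the original record. It assumes the racing threads start from the device-add state, and its enum values, step names and check_* helpers are illustrative; only the state names and the two quoted assertion texts come from the description.

```c
#include <stdbool.h>
#include <stdio.h>

/* State names follow the description; numeric values are illustrative. */
enum exclop { NONE, BALANCE_PAUSED, BALANCE, DEV_ADD };
/* Steps a thread can take, named after the functions in the description. */
enum step { EXCLOP_FINISH, EXCLOP_BALANCE_PAUSED };

typedef bool (*check_fn)(enum exclop);

/* Assertion text quoted in Scenario 1 (fs/btrfs/ioctl.c:456). */
static bool check_v1(enum exclop s) { return s == BALANCE || s == DEV_ADD; }
/* Assertion text quoted in Scenario 2 (fs/btrfs/ioctl.c:458). */
static bool check_v2(enum exclop s) { return check_v1(s) || s == NONE; }
/* Both extra states the description says must be taken into account. */
static bool check_all(enum exclop s) { return check_v2(s) || s == BALANCE_PAUSED; }

/*
 * Replay an interleaving, starting from DEV_ADD (assumption of this model).
 * Returns the index of the first step whose assertion would fail,
 * or -1 if every step passes.
 */
static int replay(const enum step *steps, int n, check_fn check)
{
    enum exclop state = DEV_ADD;
    for (int i = 0; i < n; i++) {
        if (steps[i] == EXCLOP_FINISH) {
            state = NONE;           /* effect of btrfs_exclop_finish */
        } else {
            if (!check(state))      /* assertion in btrfs_exclop_balance */
                return i;
            state = BALANCE_PAUSED;
        }
    }
    return -1;
}

/* Scenario 1: one thread finishes before the other reaches the assertion. */
static const enum step scenario1[] = { EXCLOP_FINISH, EXCLOP_BALANCE_PAUSED };
/* Scenario 2: one thread pauses balance before the other asserts. */
static const enum step scenario2[] = { EXCLOP_BALANCE_PAUSED, EXCLOP_BALANCE_PAUSED };

int main(void)
{
    printf("scenario 1: v1=%d v2=%d all=%d\n", replay(scenario1, 2, check_v1),
           replay(scenario1, 2, check_v2), replay(scenario1, 2, check_all));
    printf("scenario 2: v1=%d v2=%d all=%d\n", replay(scenario2, 2, check_v1),
           replay(scenario2, 2, check_v2), replay(scenario2, 2, check_all));
    return 0;
}
```

A return value of 1 means the second thread's assertion fails; only the check that accepts both additional states passes in both scenarios.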

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54002.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a174c0a2e857081195db6888323802f0fae793ef
Fixed
17eaeee4c5f24946aad0298d51f32981c3161d13
Fixed
7877dc1136ada770622d22041be306539902951b
Fixed
6062e9e335a3bf409b5118bfe4cc10aff4b6adb1
Fixed
ac868bc9d136cde6e3eb5de77019a63d57a540ff

Affected versions

v5.*
v5.16
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.2.1
v6.2.10
v6.2.11
v6.2.12
v6.2.13
v6.2.14
v6.2.15
v6.2.2
v6.2.3
v6.2.4
v6.2.5
v6.2.6
v6.2.7
v6.2.8
v6.2.9
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.3.1
v6.3.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54002.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.17.0
Fixed
6.1.29
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.2.16
Type
ECOSYSTEM
Events
Introduced
6.3.0
Fixed
6.3.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54002.json"