CVE-2023-54002

Source
https://cve.org/CVERecord?id=CVE-2023-54002
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54002.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-54002
Published
2025-12-24T10:55:37.699Z
Modified
2026-04-02T09:45:29.006060Z
Summary
btrfs: fix assertion of exclop condition when starting balance
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix assertion of exclop condition when starting balance

Balance as exclusive state is compatible with paused balance and device add, which makes some things more complicated. The assertion of valid states when starting from paused balance needs to take into account two more states, the combinations can be hit when there are several threads racing to start balance and device add. This won't typically happen when the commands are started from command line.

Scenario 1: With exclusive_operation state == BTRFS_EXCLOP_NONE.

When multiple devices are added concurrently to the same mount point and btrfs_exclop_finish finishes before the assertion in btrfs_exclop_balance, exclusive_operation will have changed to the BTRFS_EXCLOP_NONE state, which leads to a failed assertion:

    fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE ||
    fs_info->exclusive_operation == BTRFS_EXCLOP_DEV_ADD,
    in fs/btrfs/ioctl.c:456
    Call Trace:
     <TASK>
     btrfs_exclop_balance+0x13c/0x310
     ? memdup_user+0xab/0xc0
     ? PTR_ERR+0x17/0x20
     btrfs_ioctl_add_dev+0x2ee/0x320
     btrfs_ioctl+0x9d5/0x10d0
     ? btrfs_ioctl_encoded_write+0xb80/0xb80
     __x64_sys_ioctl+0x197/0x210
     do_syscall_64+0x3c/0xb0
     entry_SYSCALL_64_after_hwframe+0x63/0xcd

Scenario 2: With exclusive_operation state == BTRFS_EXCLOP_BALANCE_PAUSED.

When multiple devices are added concurrently to the same mount point and btrfs_exclop_balance finishes before the latter thread executes the assertion in btrfs_exclop_balance, exclusive_operation will have changed to the BTRFS_EXCLOP_BALANCE_PAUSED state, which leads to a failed assertion:

    fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE ||
    fs_info->exclusive_operation == BTRFS_EXCLOP_DEV_ADD ||
    fs_info->exclusive_operation == BTRFS_EXCLOP_NONE,
    fs/btrfs/ioctl.c:458
    Call Trace:
     <TASK>
     btrfs_exclop_balance+0x240/0x410
     ? memdup_user+0xab/0xc0
     ? PTR_ERR+0x17/0x20
     btrfs_ioctl_add_dev+0x2ee/0x320
     btrfs_ioctl+0x9d5/0x10d0
     ? btrfs_ioctl_encoded_write+0xb80/0xb80
     __x64_sys_ioctl+0x197/0x210
     do_syscall_64+0x3c/0xb0
     entry_SYSCALL_64_after_hwframe+0x63/0xcd

An example of the failed assertion is below, which shows that the paused balance also needs to be checked.

    root@syzkaller:/home/xsk# ./repro
    Failed to add device /dev/vda, errno 14
    Failed to add device /dev/vda, errno 14
    Failed to add device /dev/vda, errno 14
    Failed to add device /dev/vda, errno 14
    Failed to add device /dev/vda, errno 14
    Failed to add device /dev/vda, errno 14
    Failed to add device /dev/vda, errno 14
    Failed to add device /dev/vda, errno 14
    Failed to add device /dev/vda, errno 14
    [ 416.611428][ T7970] BTRFS info (device loop0): fs_info exclusive_operation: 0
    Failed to add device /dev/vda, errno 14
    [ 416.613973][ T7971] BTRFS info (device loop0): fs_info exclusive_operation: 3
    Failed to add device /dev/vda, errno 14
    [ 416.615456][ T7972] BTRFS info (device loop0): fs_info exclusive_operation: 3
    Failed to add device /dev/vda, errno 14
    [ 416.617528][ T7973] BTRFS info (device loop0): fs_info exclusive_operation: 3
    Failed to add device /dev/vda, errno 14
    [ 416.618359][ T7974] BTRFS info (device loop0): fs_info exclusive_operation: 3
    Failed to add device /dev/vda, errno 14
    [ 416.622589][ T7975] BTRFS info (device loop0): fs_info exclusive_operation: 3
    Failed to add device /dev/vda, errno 14
    [ 416.624034][ T7976] BTRFS info (device loop0): fs_info exclusive_operation: 3
    Failed to add device /dev/vda, errno 14
    [ 416.626420][ T7977] BTRFS info (device loop0): fs_info exclusive_operation: 3
    Failed to add device /dev/vda, errno 14
    [ 416.627643][ T7978] BTRFS info (device loop0): fs_info exclusive_operation: 3
    Failed to add device /dev/vda, errno 14
    [ 416.629006][ T7979] BTRFS info (device loop0): fs_info exclusive_operation: 3
    [ 416.630298][ T7980] BTRFS info (device loop0): fs_info exclusive_operation: 3
    Fai ---truncated---
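A defender-side check for the two assertion reports quoted above, as an added example that is not code from the kernel project or from this record: it scans kernel log text for the exclop assertion in fs/btrfs/ioctl.c reached through btrfs_ioctl_add_dev and btrfs_exclop_balance, and reports which of the two extra states the logged assertion did not yet allow. The function name, the sample log with its timestamps and thread IDs, and the 20-line window are assumptions made here; symbol names are written with the kernel's underscores.

```python
import re

# Constructed sample: the two assertion reports from the details, one frame per line.
SAMPLE_LOG = """\
[  416.700001][ T7981] fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE || fs_info->exclusive_operation == BTRFS_EXCLOP_DEV_ADD, in fs/btrfs/ioctl.c:456
[  416.700002][ T7981] Call Trace:
[  416.700003][ T7981]  <TASK>
[  416.700004][ T7981]  btrfs_exclop_balance+0x13c/0x310
[  416.700005][ T7981]  ? memdup_user+0xab/0xc0
[  416.700006][ T7981]  btrfs_ioctl_add_dev+0x2ee/0x320
[  416.700007][ T7981]  btrfs_ioctl+0x9d5/0x10d0
[  416.800001][ T7982] fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE || fs_info->exclusive_operation == BTRFS_EXCLOP_DEV_ADD || fs_info->exclusive_operation == BTRFS_EXCLOP_NONE, fs/btrfs/ioctl.c:458
[  416.800002][ T7982]  btrfs_exclop_balance+0x240/0x410
[  416.800003][ T7982]  btrfs_ioctl_add_dev+0x2ee/0x320
"""

PREFIX = re.compile(r"^(?:\[\s*[\d.]+\]\s*)?(?:\[\s*T\d+\]\s*)?")  # dmesg time / thread
ASSERT_RE = re.compile(
    r"exclusive_operation == BTRFS_EXCLOP_\w+.*,\s*(?:in )?(fs/btrfs/ioctl\.c:\d+)")
STATE_RE = re.compile(r"== BTRFS_EXCLOP_(\w+)")
FRAME_RE = re.compile(r"^(\?\s*)?([A-Za-z_]\w*)\+0x[0-9a-f]+/0x[0-9a-f]+")
EXTRA_STATES = {"NONE", "BALANCE_PAUSED"}  # the two states named in the scenarios


def find_exclop_assertions(log_text, window=20):
    """Return one finding per exclop assertion reached via device add."""
    lines = [PREFIX.sub("", raw).strip() for raw in log_text.splitlines()]
    findings = []
    for i, line in enumerate(lines):
        m = ASSERT_RE.search(line)
        if not m:
            continue
        frames = []
        for follow in lines[i + 1 : i + 1 + window]:
            if ASSERT_RE.search(follow):
                break  # the next report starts here
            f = FRAME_RE.match(follow)
            if f and not f.group(1):  # "?" frames are unreliable, skip them
                frames.append(f.group(2))
        if "btrfs_exclop_balance" in frames and "btrfs_ioctl_add_dev" in frames:
            asserted = set(STATE_RE.findall(line))
            findings.append({
                "line": i + 1,
                "location": m.group(1),
                "asserted": sorted(asserted),
                "unhandled": sorted(EXTRA_STATES - asserted),
            })
    return findings
```
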

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54002.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a174c0a2e857081195db6888323802f0fae793ef
Fixed
17eaeee4c5f24946aad0298d51f32981c3161d13
Fixed
7877dc1136ada770622d22041be306539902951b
Fixed
6062e9e335a3bf409b5118bfe4cc10aff4b6adb1
Fixed
ac868bc9d136cde6e3eb5de77019a63d57a540ff

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54002.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.17.0
Fixed
6.1.29
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.2.16
Type
ECOSYSTEM
Events
Introduced
6.3.0
Fixed
6.3.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54002.json"