CVE-2023-54158

In the Linux kernel, the following vulnerability has been resolved:

btrfs: don't free qgroup space unless specified

Boris noticed in his simple quotas testing that he was getting a leak with Sweet Tea's change to subvol create that stopped doing a transaction commit. This was just a side effect of that change.

In the delayed inode code we have an optimization that will free extra reservations if we think we can pack a dir item into an already modified leaf. Previously this wouldn't be triggered in the subvolume create case because we'd commit the transaction, it was still possible but much harder to trigger. It could actually be triggered if we did a mkdir && subvol create with qgroups enabled.

This occurs because in btrfsinsertdelayeddirindex(), which gets called when we're adding the dir item, we do the following:

btrfsblockrsvrelease(fsinfo, trans->block_rsv, bytes, NULL);

if we're able to skip reserving space.

The problem here is that trans->block_rsv points at the temporary block rsv for the subvolume create, which has qgroup reservations in the block rsv.

This is a problem because btrfsblockrsv_release() will do the following:

if (blockrsv->qgrouprsvreserved >= blockrsv->qgrouprsvsize) { qgrouptorelease = blockrsv->qgrouprsvreserved - blockrsv->qgrouprsvsize; blockrsv->qgrouprsvreserved = blockrsv->qgrouprsvsize; }

The temporary block rsv just has ->qgrouprsvreserved set, ->qgrouprsvsize == 0. The optimization in btrfsinsertdelayeddirindex() sets ->qgrouprsvreserved = 0. Then later on when we call btrfssubvolumerelease_metadata() which has

btrfsblockrsvrelease(fsinfo, rsv, (u64)-1, &qgrouptorelease); btrfsqgroupconvertreservedmeta(root, qgrouptorelease);

qgrouptorelease is set to 0, and we do not convert the reserved metadata space.

The problem here is that the block rsv code has been unconditionally messing with ->qgrouprsvreserved, because the main place this is used is delalloc, and any time we call btrfsblockrsvrelease() we do it with qgroupto_release set, and thus do the proper accounting.

The subvolume code is the only other code that uses the qgroup reservation stuff, but it's intermingled with the above optimization, and thus was getting its reservation freed out from underneath it and thus leaking the reserved space.

The solution is to simply not mess with the qgroup reservations if we don't have qgrouptorelease set. This works with the existing code as anything that messes with the delalloc reservations always have qgrouptorelease set. This fixes the leak that Boris was observing.