CVE-2024-26726

In the Linux kernel, the following vulnerability has been resolved:

btrfs: don't drop extent_map for free space inode on write error

While running the CI for an unrelated change I hit the following panic with generic/648 on btrfsholesspacecache.

assertion failed: blockstart != EXTENTMAPHOLE, in fs/btrfs/extentio.c:1385 ------------[ cut here ]------------ kernel BUG at fs/btrfs/extent_io.c:1385! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1 RIP: 0010:__extentwritepageio.constprop.0+0x4c1/0x5c0 Call Trace: <TASK> extentwritecachepages+0x2ac/0x8f0 extentwritepages+0x87/0x110 dowritepages+0xd5/0x1f0 filemapfdatawrite_wbc+0x63/0x90 __filemapfdatawriterange+0x5c/0x80 btrfsfdatawriterange+0x1f/0x50 btrfswriteoutcache+0x507/0x560 btrfswritedirtyblockgroups+0x32a/0x420 commitcowonlyroots+0x21b/0x290 btrfscommittransaction+0x813/0x1360 btrfssync_file+0x51a/0x640 __x64sysfdatasync+0x52/0x90 dosyscall64+0x9c/0x190 entrySYSCALL64afterhwframe+0x6e/0x76

This happens because we fail to write out the free space cache in one instance, come back around and attempt to write it again. However on the second pass through we go to call btrfsgetextent() on the inode to get the extent mapping. Because this is a new block group, and with the free space inode we always search the commit root to avoid deadlocking with the tree, we find nothing and return a EXTENTMAPHOLE for the requested range.

This happens because the first time we try to write the space cache out we hit an error, and on an error we drop the extent mapping. This is normal for normal files, but the free space cache inode is special. We always expect the extent map to be correct. Thus the second time through we end up with a bogus extent map.

Since we're deprecating this feature, the most straightforward way to fix this is to simply skip dropping the extent map range for this failed range.

I shortened the test by using error injection to stress the area to make it easier to reproduce. With this patch in place we no longer panic with my error injection test.