In the Linux kernel, the following vulnerability has been resolved:
btrfs: protect folio::private when attaching extent buffer folios
[BUG]
Since v6.8 there are rare kernel crashes reported by various people, the common factor is bad page status error messages like this:

  BUG: Bad page state in process kswapd0  pfn:d6e840
  page: refcount:0 mapcount:0 mapping:000000007512f4f2 index:0x2796c2c7c pfn:0xd6e840
  aops:btree_aops ino:1
  flags: 0x17ffffe0000008(uptodate|node=0|zone=2|lastcpupid=0x3fffff)
  page_type: 0xffffffff()
  raw: 0017ffffe0000008 dead000000000100 dead000000000122 ffff88826d0be4c0
  raw: 00000002796c2c7c 0000000000000000 00000000ffffffff 0000000000000000
  page dumped because: non-NULL mapping
[CAUSE]
Commit 09e6cef19c9f ("btrfs: refactor alloc_extent_buffer() to allocate-then-attach method") changes the sequence when allocating a new extent buffer.
Previously we always called grab_extent_buffer() under mapping->i_private_lock, to ensure the safety on modification on folio::private (which is a pointer to extent buffer for regular sectorsize).
This can lead to the following race:
Thread A is trying to allocate an extent buffer at bytenr X, with 4 4K pages, meanwhile thread B is trying to release the page at X + 4K (the second page of the extent buffer at X).
           Thread A                 |           Thread B
-----------------------------------+-------------------------------------
                                   | btree_release_folio()
                                   | |  This is for the page at X + 4K,
                                   | |  Not page X.
                                   | |
alloc_extent_buffer()              | |- release_extent_buffer()
|- filemap_add_folio() for the     | |  |- atomic_dec_and_test(eb->refs)
|  page at bytenr X (the first     | |  |
|  page).                          | |  |
|  Which returned -EEXIST.         | |  |
|                                  | |  |
|- filemap_lock_folio()            | |  |
|  Returned the first page locked. | |  |
|                                  | |  |
|- grab_extent_buffer()            | |  |
|  |- atomic_inc_not_zero()        | |  |
|  |  Returned false               | |  |
|  |- folio_detach_private()       | |  |- folio_detach_private() for X
|     |- folio_test_private()      | |     |- folio_test_private()
|     |  Returned true             | |     |  Returned true
|     |- folio_put()               | |     |- folio_put()
Now there are two puts on the same folio at folio X, leading to refcount underflow of the folio X, and eventually causing the BUG_ON() on the page->mapping.
The condition is not that easy to hit:
- The release must be triggered for the middle page of an eb
  If the release is on the same first page of an eb, page lock would kick in and prevent the race.

- folio_detach_private() has a very small race window
  It's only between folio_test_private() and folio_clear_private().
That's exactly when mapping->i_private_lock is used to prevent such race, and commit 09e6cef19c9f ("btrfs: refactor alloc_extent_buffer() to allocate-then-attach method") screwed that up.
At that time, I thought the page lock would kick in as filemap_release_folio() also requires the page to be locked, but forgot the filemap_release_folio() only locks one page, not all pages of an extent buffer.
[FIX]
Move all the code requiring i_private_lock into attach_eb_folio_to_filemap(), so that everything is done with proper lock protection.
Furthermore to prevent future problems, add an extra lockdep_assert_locked() to ensure we're holding the proper lock.
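The race in the diagram and the locked fix, replayed in user space as an added example (this is not the kernel's code): a modeled folio carries a refcount and a private pointer to the extent buffer, the unlocked detach is split into its test and clear halves so the exact interleaving from the diagram can be driven deterministically, and the locked detach is run from two real threads. The struct layouts, the function names (race_unlocked(), race_locked(), assert_locked(), folio_detach_private_locked()) and the pthread mutex standing in for mapping->i_private_lock are assumptions of this model, not kernel API.

```c
/* Added example, not kernel code: a user-space model of the folio::private
 * detach race described above. A modeled folio holds a refcount plus a private
 * pointer to the extent buffer; detaching is test, clear, put. The struct
 * layouts, function names and the pthread mutex standing in for
 * mapping->i_private_lock are assumptions of this model. */
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct folio { int refcount; void *private; };        /* private holds one ref */
struct mapping { pthread_mutex_t i_private_lock; };  /* models mapping->i_private_lock */

static bool folio_test_private(const struct folio *f) { return f->private != NULL; }
static void folio_clear_private(struct folio *f) { f->private = NULL; }
static void folio_put(struct folio *f) { f->refcount--; }

/* Unlocked detach, split into its two halves so the interleaving from the
 * diagram can be replayed deterministically instead of hoping to hit it. */
struct detacher { struct folio *f; bool saw_private; };
static void detach_test_half(struct detacher *d) { d->saw_private = folio_test_private(d->f); }
static void detach_clear_half(struct detacher *d)
{
	if (d->saw_private) { folio_clear_private(d->f); folio_put(d->f); }
}

/* A tests, B tests, A clears and puts, B clears and puts. Returns the final
 * refcount: -1, the underflow behind the "Bad page state" report. */
int race_unlocked(void)
{
	int eb;                                   /* stand-in extent buffer */
	struct folio f = { .refcount = 1, .private = &eb };
	struct detacher a = { &f, false }, b = { &f, false };

	detach_test_half(&a);    /* Thread A: folio_test_private() -> true */
	detach_test_half(&b);    /* Thread B: folio_test_private() -> true */
	detach_clear_half(&a);   /* Thread A: clear, folio_put() */
	detach_clear_half(&b);   /* Thread B: clear again, folio_put() again */
	return f.refcount;
}

/* Models lockdep_assert_locked(): a trylock that succeeds means the caller did
 * not hold the lock, which is exactly the misuse the assertion catches. */
static bool assert_locked(pthread_mutex_t *lock)
{
	int rc = pthread_mutex_trylock(lock);
	if (rc == 0) { pthread_mutex_unlock(lock); return false; }
	return rc == EBUSY;
}

/* Detach that requires i_private_lock to be held: returns -1 if it is not,
 * 1 if a reference was dropped, 0 if private was already gone. */
int folio_detach_private_locked(struct mapping *m, struct folio *f)
{
	if (!assert_locked(&m->i_private_lock)) return -1;
	if (!folio_test_private(f)) return 0;
	folio_clear_private(f);
	folio_put(f);
	return 1;
}

struct worker_arg { struct mapping *m; struct folio *f; };
static void *detach_worker(void *p)
{
	struct worker_arg *w = p;
	pthread_mutex_lock(&w->m->i_private_lock);
	folio_detach_private_locked(w->m, w->f);
	pthread_mutex_unlock(&w->m->i_private_lock);
	return NULL;
}

/* Two real threads detaching the same folio under the lock. Returns the final
 * refcount: 0, because test and clear can no longer interleave. */
int race_locked(void)
{
	int eb;
	struct mapping m;
	struct folio f = { .refcount = 1, .private = &eb };
	struct worker_arg w = { &m, &f };
	pthread_t ta, tb;

	pthread_mutex_init(&m.i_private_lock, NULL);
	pthread_create(&ta, NULL, detach_worker, &w);
	pthread_create(&tb, NULL, detach_worker, &w);
	pthread_join(ta, NULL);
	pthread_join(tb, NULL);
	pthread_mutex_destroy(&m.i_private_lock);
	return f.refcount;
}

int main(void)
{
	printf("unlocked detach: refcount %d, locked detach: refcount %d\n",
	       race_unlocked(), race_locked());
	return 0;
}
```

The unlocked replay ends with refcount -1, the same double put that the real folio suffers, while the locked run ends at 0 no matter how the two threads are scheduled; the assert_locked() check in folio_detach_private_locked() plays the role of the lockdep_assert_locked() the fix adds, refusing a caller that forgot the lock instead of letting it race.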
The reproducer that is able to hit the race (takes a few minutes with instrumented code inserting delays to alloc_extent_buffer()):
  #!/bin/sh
  # Keep evicting page cache and compacting memory so folios are released
  # while the tar readers below keep allocating extent buffers.
  drop_caches () {
  	while(true); do
  		echo 3 > /proc/sys/vm/drop_caches
  		echo 1 > /proc/sys/vm/compact_memory
  	done
  }

  # 80 concurrent readers of the mounted fs to keep alloc_extent_buffer() busy.
  run_tar () {
  	while(true); do
  		for x in $(seq 1 80); do
  			tar cf /dev/zero /mnt > /dev/null &
  		done
  		wait
  	done
  }

  mkfs.btrfs -f -d single -m single ---truncated---