CVE-2024-50118

In the Linux kernel, the following vulnerability has been resolved:

btrfs: reject ro->rw reconfiguration if there are hard ro requirements

[BUG] Syzbot reports the following crash:

BTRFS info (device loop0 state MCS): disabling free space tree BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREESPACETREE (0x1) BTRFS info (device loop0 state MCS): clearing compat-ro feature flag for FREESPACETREEVALID (0x2) Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:backupsuperroots fs/btrfs/disk-io.c:1691 [inline] RIP: 0010:writeallsupers+0x97a/0x40f0 fs/btrfs/disk-io.c:4041 Call Trace: <TASK> btrfscommittransaction+0x1eae/0x3740 fs/btrfs/transaction.c:2530 btrfsdeletefreespacetree+0x383/0x730 fs/btrfs/free-space-tree.c:1312 btrfsstartprerwmount+0xf28/0x1300 fs/btrfs/disk-io.c:3012 btrfsremountrw fs/btrfs/super.c:1309 [inline] btrfsreconfigure+0xae6/0x2d40 fs/btrfs/super.c:1534 btrfsreconfigureformount fs/btrfs/super.c:2020 [inline] btrfsgettreesubvol fs/btrfs/super.c:2079 [inline] btrfsgettree+0x918/0x1920 fs/btrfs/super.c:2115 vfsgettree+0x90/0x2b0 fs/super.c:1800 donewmount+0x2be/0xb40 fs/namespace.c:3472 domount fs/namespace.c:3812 [inline] _dosysmount fs/namespace.c:4020 [inline] _sesysmount+0x2d6/0x3c0 fs/namespace.c:3997 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xf3/0x230 arch/x86/entry/common.c:83 entrySYSCALL64after_hwframe+0x77/0x7f

[CAUSE] To support mounting different subvolume with different RO/RW flags for the new mount APIs, btrfs introduced two workaround to support this feature:

• Skip mount option/feature checks if we are mounting a different subvolume

• Reconfigure the fs to RW if the initial mount is RO

Combining these two, we can have the following sequence:

• Mount the fs ro,rescue=all,clearcache,spacecache=v1 rescue=all will mark the fs as hard read-only, so no v2 cache clearing will happen.

• Mount a subvolume rw of the same fs. We go into btrfsgettreesubvol(), but fcmount() returns EBUSY because our new fc is RW, different from the original fs.

  Now we enter btrfsreconfigureformount(), which switches the RO flag first so that we can grab the existing fsinfo. Then we reconfigure the fs to RW.

• During reconfiguration, option/features check is skipped This means we will restart the v2 cache clearing, and convert back to v1 cache. This will trigger fs writes, and since the original fs has "rescue=all" option, it skips the csum tree read.

  And eventually causing NULL pointer dereference in super block writeback.

[FIX] For reconfiguration caused by different subvolume RO/RW flags, ensure we always run btrfscheckoptions() to ensure we have proper hard RO requirements met.

In fact the function btrfscheckoptions() doesn't really do many complex checks, but hard RO requirement and some feature dependency checks, thus there is no special reason not to do the check for mount reconfiguration.