CVE-2024-50225

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix error propagation of split bios

The purpose of btrfsbbiopropagateerror() shall be propagating an error of split bio to its original btrfsbio, and tell the error to the upper layer. However, it's not working well on some cases.

• Case 1. Immediate (or quick) end_bio with an error

When btrfs sends btrfsbio to mirrored devices, btrfs calls btrfsbioendio() when all the mirroring bios are completed. If that btrfsbio was split, it is from btrfsclonebioset and its endio function is btrfsorigwriteendio. For this case, btrfsbbiopropagateerror() accesses the origbbio's bio context to increase the error count.

That works well in most cases. However, if the endio is called enough fast, origbbio's (remaining part after split) bio context may not be properly set at that time. Since the bio context is set when the origbbio (the last btrfsbio) is sent to devices, that might be too late for earlier split btrfs_bio's completion. That will result in NULL pointer dereference.

That bug is easily reproducible by running btrfs/146 on zoned devices [1] and it shows the following trace.

[1] You need raid-stripe-tree feature as it create "-d raid0 -m raid1" FS.

BUG: kernel NULL pointer dereference, address: 0000000000000020 #PF: supervisor read access in kernel mode #PF: errorcode(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 UID: 0 PID: 13 Comm: kworker/u32:1 Not tainted 6.11.0-rc7-BTRFS-ZNS+ #474 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 Workqueue: writeback wbworkfn (flush-btrfs-5) RIP: 0010:btrfsbioendio+0xae/0xc0 [btrfs] BTRFS error (device dm-0): bdev /dev/mapper/error-test errs: wr 2, rd 0, flush 0, corrupt 0, gen 0 RSP: 0018:ffffc9000006f248 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888005a7f080 RCX: ffffc9000006f1dc RDX: 0000000000000000 RSI: 000000000000000a RDI: ffff888005a7f080 RBP: ffff888011dfc540 R08: 0000000000000000 R09: 0000000000000001 R10: ffffffff82e508e0 R11: 0000000000000005 R12: ffff88800ddfbe58 R13: ffff888005a7f080 R14: ffff888005a7f158 R15: ffff888005a7f158 FS: 0000000000000000(0000) GS:ffff88803ea80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000020 CR3: 0000000002e22006 CR4: 0000000000370ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? _diebody.cold+0x19/0x26 ? pagefaultoops+0x13e/0x2b0 ? _printk+0x58/0x73 ? douseraddrfault+0x5f/0x750 ? excpagefault+0x76/0x240 ? asmexcpagefault+0x22/0x30 ? btrfsbioendio+0xae/0xc0 [btrfs] ? btrfslogdevioerror+0x7f/0x90 [btrfs] btrfsorigwriteendio+0x51/0x90 [btrfs] dmsubmitbio+0x5c2/0xa50 [dmmod] ? findheldlock+0x2b/0x80 ? blktryenterqueue+0x90/0x1e0 _submitbio+0xe0/0x130 ? ktimeget+0x10a/0x160 ? lockdephardirqson+0x74/0x100 submitbionoacctnocheck+0x199/0x410 btrfssubmitbio+0x7d/0x150 [btrfs] btrfssubmitchunk+0x1a1/0x6d0 [btrfs] ? lockdephardirqson+0x74/0x100 ? _foliostartwriteback+0x10/0x2c0 btrfssubmitbbio+0x1c/0x40 [btrfs] submitonebio+0x44/0x60 [btrfs] submitextentfolio+0x13f/0x330 [btrfs] ? btrfssetrangewriteback+0xa3/0xd0 [btrfs] extentwritepageio+0x18b/0x360 [btrfs] extentwritelockedrange+0x17c/0x340 [btrfs] ? _pfxendbbiodatawrite+0x10/0x10 [btrfs] rundelalloccow+0x71/0xd0 [btrfs] btrfsrundelallocrange+0x176/0x500 [btrfs] ? findlockdelallocrange+0x119/0x260 [btrfs] writepagedelalloc+0x2ab/0x480 [btrfs] extentwritecachepages+0x236/0x7d0 [btrfs] btrfswritepages+0x72/0x130 [btrfs] dowritepages+0xd4/0x240 ? findheldlock+0x2b/0x80 ? wbcattachandunlockinode+0x12c/0x290 ? wbcattachandunlockinode+0x12c/0x29 ---truncated---