CVE-2024-56758

In the Linux kernel, the following vulnerability has been resolved:

btrfs: check folio mapping after unlock in relocateonefolio()

When we call btrfsreadfolio() to bring a folio uptodate, we unlock the folio. The result of that is that a different thread can modify the mapping (like remove it with invalidate) before we call folio_lock(). This results in an invalid page and we need to try again.

In particular, if we are relocating concurrently with aborting a transaction, this can result in a crash like the following:

BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: 0000 [#1] SMP CPU: 76 PID: 1411631 Comm: kworker/u322:5 Workqueue: eventsunbound btrfsreclaimbgswork RIP: 0010:setpageextentmapped+0x20/0xb0 RSP: 0018:ffffc900516a7be8 EFLAGS: 00010246 RAX: ffffea009e851d08 RBX: ffffea009e0b1880 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffc900516a7b90 RDI: ffffea009e0b1880 RBP: 0000000003573000 R08: 0000000000000001 R09: ffff88c07fd2f3f0 R10: 0000000000000000 R11: 0000194754b575be R12: 0000000003572000 R13: 0000000003572fff R14: 0000000000100cca R15: 0000000005582fff FS: 0000000000000000(0000) GS:ffff88c07fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000407d00f002 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? _die+0x78/0xc0 ? pagefaultoops+0x2a8/0x3a0 ? _switchto+0x133/0x530 ? wqworkerrunning+0xa/0x40 ? excpagefault+0x63/0x130 ? asmexcpagefault+0x22/0x30 ? setpageextentmapped+0x20/0xb0 relocatefileextentcluster+0x1a7/0x940 relocatedataextent+0xaf/0x120 relocateblockgroup+0x20f/0x480 btrfsrelocateblockgroup+0x152/0x320 btrfsrelocatechunk+0x3d/0x120 btrfsreclaimbgswork+0x2ae/0x4e0 processscheduledworks+0x184/0x370 workerthread+0xc6/0x3e0 ? blkaddtimer+0xb0/0xb0 kthread+0xae/0xe0 ? flushtlbkernelrange+0x90/0x90 retfromfork+0x2f/0x40 ? flushtlbkernelrange+0x90/0x90 retfromfork_asm+0x11/0x20 </TASK>

This occurs because cleanuponetransaction() calls destroydelallocinodes() which calls invalidateinodepages2() which takes the foliolock before setting mapping to NULL. We fail to check this, and subsequently call setextent_mapping(), which assumes that mapping != NULL (in fact it asserts that in debug mode)

Note that the "fixes" patch here is not the one that introduced the race (the very first iteration of this code from 2009) but a more recent change that made this particular crash happen in practice.