CVE-2024-57976

In the Linux kernel, the following vulnerability has been resolved:

btrfs: do proper folio cleanup when cowfilerange() failed

[BUG] When testing with COW fixup marked as BUGON() (this is involved with the new pinuserpages*() change, which should not result new out-of-band dirty pages), I hit a crash triggered by the BUGON() from hitting COW fixup path.

This BUGON() happens just after a failed btrfsrundelallocrange():

BTRFS error (device dm-2): failed to run delalloc range, root 348 ino 405 folio 65536 submitbitmap 6-15 start 90112 len 106496: -28 ------------[ cut here ]------------ kernel BUG at fs/btrfs/extentio.c:1444! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP CPU: 0 UID: 0 PID: 434621 Comm: kworker/u24:8 Tainted: G OE 6.12.0-rc7-custom+ #86 Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 Workqueue: eventsunbound btrfsasyncreclaimdataspace [btrfs] pc : extentwritepageio+0x2d4/0x308 [btrfs] lr : extentwritepageio+0x2d4/0x308 [btrfs] Call trace: extentwritepageio+0x2d4/0x308 [btrfs] extentwritepage+0x218/0x330 [btrfs] extentwritecachepages+0x1d4/0x4b0 [btrfs] btrfswritepages+0x94/0x150 [btrfs] dowritepages+0x74/0x190 filemapfdatawritewbc+0x88/0xc8 startdelallocinodes+0x180/0x3b0 [btrfs] btrfsstartdelallocroots+0x174/0x280 [btrfs] shrinkdelalloc+0x114/0x280 [btrfs] flushspace+0x250/0x2f8 [btrfs] btrfsasyncreclaimdataspace+0x180/0x228 [btrfs] processonework+0x164/0x408 workerthread+0x25c/0x388 kthread+0x100/0x118 retfrom_fork+0x10/0x20 Code: aa1403e1 9402f3ef aa1403e0 9402f36f (d4210000) ---[ end trace 0000000000000000 ]---

[CAUSE] That failure is mostly from cowfilerange(), where we can hit -ENOSPC.

Although the -ENOSPC is already a bug related to our space reservation code, let's just focus on the error handling.

For example, we have the following dirty range [0, 64K) of an inode, with 4K sector size and 4K page size:

0 16K 32K 48K 64K |///////////////////////////////////////| |#######################################|

Where |///| means page are still dirty, and |###| means the extent io tree has EXTENT_DELALLOC flag.

• Enter extent_writepage() for page 0

• Enter btrfsrundelalloc_range() for range [0, 64K)

• Enter cowfilerange() for range [0, 64K)

• Function btrfsreserveextent() only reserved one 16K extent So we created extent map and ordered extent for range [0, 16K)

  0 16K 32K 48K 64K |////////|//////////////////////////////| |<- OE ->|##############################|

  And range [0, 16K) has its delalloc flag cleared. But since we haven't yet submit any bio, involved 4 pages are still dirty.

• Function btrfsreserveextent() returns with -ENOSPC Now we have to run error cleanup, which will clear all EXTENT_DELALLOC* flags and clear the dirty flags for the remaining ranges:

  0 16K 32K 48K 64K |////////| | | | |

  Note that range [0, 16K) still has its pages dirty.

• Some time later, writeback is triggered again for the range [0, 16K) since the page range still has dirty flags.

• btrfsrundelallocrange() will do nothing because there is no EXTENTDELALLOC flag.

• extentwritepageio() finds page 0 has no ordered flag Which falls into the COW fixup path, triggering the BUG_ON().

Unfortunately this error handling bug dates back to the introduction of btrfs. Thankfully with the abuse of COW fixup, at least it won't crash the kernel.

[FIX] Instead of immediately unlocking the extent and folios, we keep the extent and folios locked until either erroring out or the whole delalloc range finished.

When the whole delalloc range finished without error, we just unlock the whole range with PAGESETORDERED (and PAGEUNLOCK for !keeplocked cases) ---truncated---