nvd-json-data-feeds/CVE-2024/CVE-2024-579xx/CVE-2024-57976.json

{
  "id": "CVE-2024-57976",
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "published": "2025-02-27T02:15:10.790",
  "lastModified": "2025-02-27T02:15:10.790",
  "vulnStatus": "Received",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do proper folio cleanup when cow_file_range() failed\n\n[BUG]\nWhen testing with COW fixup marked as BUG_ON() (this is involved with the\nnew pin_user_pages*() change, which should not result new out-of-band\ndirty pages), I hit a crash triggered by the BUG_ON() from hitting COW\nfixup path.\n\nThis BUG_ON() happens just after a failed btrfs_run_delalloc_range():\n\n  BTRFS error (device dm-2): failed to run delalloc range, root 348 ino 405 folio 65536 submit_bitmap 6-15 start 90112 len 106496: -28\n  ------------[ cut here ]------------\n  kernel BUG at fs/btrfs/extent_io.c:1444!\n  Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n  CPU: 0 UID: 0 PID: 434621 Comm: kworker/u24:8 Tainted: G           OE      6.12.0-rc7-custom+ #86\n  Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022\n  Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]\n  pc : extent_writepage_io+0x2d4/0x308 [btrfs]\n  lr : extent_writepage_io+0x2d4/0x308 [btrfs]\n  Call trace:\n   extent_writepage_io+0x2d4/0x308 [btrfs]\n   extent_writepage+0x218/0x330 [btrfs]\n   extent_write_cache_pages+0x1d4/0x4b0 [btrfs]\n   btrfs_writepages+0x94/0x150 [btrfs]\n   do_writepages+0x74/0x190\n   filemap_fdatawrite_wbc+0x88/0xc8\n   start_delalloc_inodes+0x180/0x3b0 [btrfs]\n   btrfs_start_delalloc_roots+0x174/0x280 [btrfs]\n   shrink_delalloc+0x114/0x280 [btrfs]\n   flush_space+0x250/0x2f8 [btrfs]\n   btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]\n   process_one_work+0x164/0x408\n   worker_thread+0x25c/0x388\n   kthread+0x100/0x118\n   ret_from_fork+0x10/0x20\n  Code: aa1403e1 9402f3ef aa1403e0 9402f36f (d4210000)\n  ---[ end trace 0000000000000000 ]---\n\n[CAUSE]\nThat failure is mostly from cow_file_range(), where we can hit -ENOSPC.\n\nAlthough the -ENOSPC is already a bug related to our space reservation\ncode, let's just focus on the error handling.\n\nFor example, we have the following dirty range [0, 64K) of an inode,\nwith 4K sector size and 4K page size:\n\n   0        16K        32K       48K       64K\n   |///////////////////////////////////////|\n   |#######################################|\n\nWhere |///| means page are still dirty, and |###| means the extent io\ntree has EXTENT_DELALLOC flag.\n\n- Enter extent_writepage() for page 0\n\n- Enter btrfs_run_delalloc_range() for range [0, 64K)\n\n- Enter cow_file_range() for range [0, 64K)\n\n- Function btrfs_reserve_extent() only reserved one 16K extent\n  So we created extent map and ordered extent for range [0, 16K)\n\n   0        16K        32K       48K       64K\n   |////////|//////////////////////////////|\n   |<- OE ->|##############################|\n\n   And range [0, 16K) has its delalloc flag cleared.\n   But since we haven't yet submit any bio, involved 4 pages are still\n   dirty.\n\n- Function btrfs_reserve_extent() returns with -ENOSPC\n  Now we have to run error cleanup, which will clear all\n  EXTENT_DELALLOC* flags and clear the dirty flags for the remaining\n  ranges:\n\n   0        16K        32K       48K       64K\n   |////////|                              |\n   |        |                              |\n\n  Note that range [0, 16K) still has its pages dirty.\n\n- Some time later, writeback is triggered again for the range [0, 16K)\n  since the page range still has dirty flags.\n\n- btrfs_run_delalloc_range() will do nothing because there is no\n  EXTENT_DELALLOC flag.\n\n- extent_writepage_io() finds page 0 has no ordered flag\n  Which falls into the COW fixup path, triggering the BUG_ON().\n\nUnfortunately this error handling bug dates back to the introduction of\nbtrfs.  Thankfully with the abuse of COW fixup, at least it won't crash\nthe kernel.\n\n[FIX]\nInstead of immediately unlocking the extent and folios, we keep the extent\nand folios locked until either erroring out or the whole delalloc range\nfinished.\n\nWhen the whole delalloc range finished without error, we just unlock the\nwhole range with PAGE_SET_ORDERED (and PAGE_UNLOCK for !keep_locked\
    }
  ],
  "metrics": {},
  "references": [
    {
      "url": "https://git.kernel.org/stable/c/06f364284794f149d2abc167c11d556cf20c954b",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/692cf71173bb41395c855acbbbe197d3aedfa5d4",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    }
  ]
}
Auto-Update: 2025-02-27T03:00:20.119429+00:00 2025-02-27 03:03:52 +00:00			`{`
			`"id": "CVE-2024-57976",`
			`"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",`
			`"published": "2025-02-27T02:15:10.790",`
			`"lastModified": "2025-02-27T02:15:10.790",`
			`"vulnStatus": "Received",`
			`"cveTags": [],`
			`"descriptions": [`
			`{`
			`"lang": "en",`
			"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do proper folio cleanup when cow_file_range() failed\n\n[BUG]\nWhen testing with COW fixup marked as BUG_ON() (this is involved with the\nnew pin_user_pages() change, which should not result new out-of-band\ndirty pages), I hit a crash triggered by the BUG_ON() from hitting COW\nfixup path.\n\nThis BUG_ON() happens just after a failed btrfs_run_delalloc_range():\n\n BTRFS error (device dm-2): failed to run delalloc range, root 348 ino 405 folio 65536 submit_bitmap 6-15 start 90112 len 106496: -28\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/extent_io.c:1444!\n Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n CPU: 0 UID: 0 PID: 434621 Comm: kworker/u24:8 Tainted: G OE 6.12.0-rc7-custom+ #86\n Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022\n Workqueue: events_unbound btrfs_async_reclaim_data_space [btrfs]\n pc : extent_writepage_io+0x2d4/0x308 [btrfs]\n lr : extent_writepage_io+0x2d4/0x308 [btrfs]\n Call trace:\n extent_writepage_io+0x2d4/0x308 [btrfs]\n extent_writepage+0x218/0x330 [btrfs]\n extent_write_cache_pages+0x1d4/0x4b0 [btrfs]\n btrfs_writepages+0x94/0x150 [btrfs]\n do_writepages+0x74/0x190\n filemap_fdatawrite_wbc+0x88/0xc8\n start_delalloc_inodes+0x180/0x3b0 [btrfs]\n btrfs_start_delalloc_roots+0x174/0x280 [btrfs]\n shrink_delalloc+0x114/0x280 [btrfs]\n flush_space+0x250/0x2f8 [btrfs]\n btrfs_async_reclaim_data_space+0x180/0x228 [btrfs]\n process_one_work+0x164/0x408\n worker_thread+0x25c/0x388\n kthread+0x100/0x118\n ret_from_fork+0x10/0x20\n Code: aa1403e1 9402f3ef aa1403e0 9402f36f (d4210000)\n ---[ end trace 0000000000000000 ]---\n\n[CAUSE]\nThat failure is mostly from cow_file_range(), where we can hit -ENOSPC.\n\nAlthough the -ENOSPC is already a bug related to our space reservation\ncode, let's just focus on the error handling.\n\nFor example, we have the following dirty range [0, 64K) of an inode,\nwith 4K sector size and 4K page size:\n\n 0 16K 32K 48K 64K\n \|///////////////////////////////////////\|\n \|#######################################\|\n\nWhere \|///\| means page are still dirty, and \|###\| means the extent io\ntree has EXTENT_DELALLOC flag.\n\n- Enter extent_writepage() for page 0\n\n- Enter btrfs_run_delalloc_range() for range [0, 64K)\n\n- Enter cow_file_range() for range [0, 64K)\n\n- Function btrfs_reserve_extent() only reserved one 16K extent\n So we created extent map and ordered extent for range [0, 16K)\n\n 0 16K 32K 48K 64K\n \|////////\|//////////////////////////////\|\n \|<- OE ->\|##############################\|\n\n And range [0, 16K) has its delalloc flag cleared.\n But since we haven't yet submit any bio, involved 4 pages are still\n dirty.\n\n- Function btrfs_reserve_extent() returns with -ENOSPC\n Now we have to run error cleanup, which will clear all\n EXTENT_DELALLOC flags and clear the dirty flags for the remaining\n ranges:\n\n 0 16K 32K 48K 64K\n \|////////\| \|\n \| \| \|\n\n Note that range [0, 16K) still has its pages dirty.\n\n- Some time later, writeback is triggered again for the range [0, 16K)\n since the page range still has dirty flags.\n\n- btrfs_run_delalloc_range() will do nothing because there is no\n EXTENT_DELALLOC flag.\n\n- extent_writepage_io() finds page 0 has no ordered flag\n Which falls into the COW fixup path, triggering the BUG_ON().\n\nUnfortunately this error handling bug dates back to the introduction of\nbtrfs. Thankfully with the abuse of COW fixup, at least it won't crash\nthe kernel.\n\n[FIX]\nInstead of immediately unlocking the extent and folios, we keep the extent\nand folios locked until either erroring out or the whole delalloc range\nfinished.\n\nWhen the whole delalloc range finished without error, we just unlock the\nwhole range with PAGE_SET_ORDERED (and PAGE_UNLOCK for !keep_locked\
			`}`
			`],`
			`"metrics": {},`
			`"references": [`
			`{`
			`"url": "https://git.kernel.org/stable/c/06f364284794f149d2abc167c11d556cf20c954b",`
			`"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"`
			`},`
			`{`
			`"url": "https://git.kernel.org/stable/c/692cf71173bb41395c855acbbbe197d3aedfa5d4",`
			`"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"`
			`}`
			`]`
			`}`