CVE-2023-52897
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 21/08/2024
Last modified: 13/09/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: qgroup: do not warn on record without old_roots populated

[BUG]
There are some reports from the mailing list that since v6.1 kernel, the
WARN_ON() inside btrfs_qgroup_account_extent() gets triggered during
rescan:

```
WARNING: CPU: 3 PID: 6424 at fs/btrfs/qgroup.c:2756 btrfs_qgroup_account_extents+0x1ae/0x260 [btrfs]
CPU: 3 PID: 6424 Comm: snapperd Tainted: P OE 6.1.2-1-default #1 openSUSE Tumbleweed 05c7a1b1b61d5627475528f71f50444637b5aad7
RIP: 0010:btrfs_qgroup_account_extents+0x1ae/0x260 [btrfs]
Call Trace:

btrfs_commit_transaction+0x30c/0xb40 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]
? start_transaction+0xc3/0x5b0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]
btrfs_qgroup_rescan+0x42/0xc0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]
btrfs_ioctl+0x1ab9/0x25c0 [btrfs c39c9c546c241c593f03bd6d5f39ea1b676250f6]
? __rseq_handle_notify_resume+0xa9/0x4a0
? mntput_no_expire+0x4a/0x240
? __seccomp_filter+0x319/0x4d0
__x64_sys_ioctl+0x90/0xd0
do_syscall_64+0x5b/0x80
? syscall_exit_to_user_mode+0x17/0x40
? do_syscall_64+0x67/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fd9b790d9bf
```

[CAUSE]
Since commit e15e9f43c7ca ("btrfs: introduce
BTRFS_QGROUP_RUNTIME_FLAG_NO_ACCOUNTING to skip qgroup accounting"), if
our qgroup is already in inconsistent state, we will no longer do the
time-consuming backref walk.

This can leave some qgroup records without a valid old_roots ulist.
Normally this is fine, as btrfs_qgroup_account_extents() would also skip
those records if we have NO_ACCOUNTING flag set.

But there is a small window, if we have NO_ACCOUNTING flag set, and
inserted some qgroup_record without an old_roots ulist, but then the user
triggered a qgroup rescan.

During btrfs_qgroup_rescan(), we firstly clear NO_ACCOUNTING flag, then
commit current transaction.

And since we have a qgroup_record with old_roots = NULL, we trigger the
WARN_ON() during btrfs_qgroup_account_extents().

[FIX]
Unfortunately due to the introduction of NO_ACCOUNTING flag, the
assumption that every qgroup_record would have its old_roots populated
is no longer correct.

Fix the false alerts and drop the WARN_ON().
Impact
Base Score 3.x: 4.70
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1 (including) | 6.1.8 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:* | | |