CVE-2024-35956

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
20/05/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations

Create subvolume, create snapshot and delete subvolume all use btrfs_subvolume_reserve_metadata() to reserve metadata for the changes done to the parent subvolume's fs tree, which cannot be mediated in the normal way via start_transaction. When quota groups (squota or qgroups) are enabled, this reserves qgroup metadata of type PREALLOC. Once the operation is associated to a transaction, we convert PREALLOC to PERTRANS, which gets cleared in bulk at the end of the transaction.

However, the error paths of these three operations were not implementing this lifecycle correctly. They unconditionally converted the PREALLOC to PERTRANS in a generic cleanup step regardless of errors or whether the operation was fully associated to a transaction or not. This resulted in error paths occasionally converting this rsv to PERTRANS without calling record_root_in_trans successfully, which meant that unless that root got recorded in the transaction by some other thread, the end of the transaction would not free that root's PERTRANS, leaking it. Ultimately, this resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount for the leaked reservation.

The fix is to ensure that every qgroup PREALLOC reservation observes the following properties:

1. any failure before record_root_in_trans is called successfully results in freeing the PREALLOC reservation.
2. after record_root_in_trans, we convert to PERTRANS, and now the transaction owns freeing the reservation.

This patch enforces those properties on the three operations. Without it, generic/269 with squotas enabled at mkfs time would fail in ~5-10 runs on my system. With this patch, it ran successfully 1000 times in a row.
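The reservation lifecycle the commit message describes can be modelled outside the kernel to see exactly where the leak comes from. The following is an added, constructed model and not btrfs code: `reserve_prealloc`, `free_prealloc`, `convert_to_pertrans` and `end_transaction` are stand-ins for btrfs_subvolume_reserve_metadata(), the qgroup free/convert helpers, record_root_in_trans() and the end-of-transaction bulk release, reduced to a byte counter per reservation type. `buggy_subvolume_op` follows the shape the advisory describes (a generic cleanup step that converts unconditionally), `fixed_subvolume_op` enforces the two properties, and each returns the bytes still outstanding after the transaction ends, which at unmount should be zero.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the btrfs qgroup reservation lifecycle described
 * above. Not kernel code: the structs and functions are stand-ins for
 * btrfs_subvolume_reserve_metadata(), record_root_in_trans() and the
 * end-of-transaction cleanup, with just enough state to show the leak. */

#define RSV_BYTES 4096L /* constructed reservation size, not from the page */

/* Outstanding qgroup reservation bytes, by type. At unmount both should be 0. */
struct qgroup_acct {
    long prealloc;
    long pertrans;
};

struct transaction {
    bool root_recorded; /* set when record_root_in_trans() succeeded */
};

/* Models btrfs_subvolume_reserve_metadata(): reserve PREALLOC bytes. */
static void reserve_prealloc(struct qgroup_acct *acc, long bytes)
{
    acc->prealloc += bytes;
}

/* Property 1: a failure before the root is recorded frees the PREALLOC. */
static void free_prealloc(struct qgroup_acct *acc, long bytes)
{
    acc->prealloc -= bytes;
}

/* Property 2: after record_root_in_trans(), convert PREALLOC to PERTRANS. */
static void convert_to_pertrans(struct qgroup_acct *acc, long bytes)
{
    acc->prealloc -= bytes;
    acc->pertrans += bytes;
}

/* Models the bulk cleanup at transaction end: PERTRANS is only released
 * for roots that were recorded in the transaction. A PERTRANS rsv that
 * was converted without recording the root is never released. */
static void end_transaction(struct qgroup_acct *acc, struct transaction *trans)
{
    if (trans->root_recorded)
        acc->pertrans = 0;
}

/* Buggy shape: a generic cleanup step converts to PERTRANS regardless of
 * whether record_root_in_trans() was reached. */
static long buggy_subvolume_op(bool fail_before_record)
{
    struct qgroup_acct acc = {0, 0};
    struct transaction trans = {false};

    reserve_prealloc(&acc, RSV_BYTES);
    if (fail_before_record)
        goto out;                 /* error path skips record_root_in_trans */
    trans.root_recorded = true;   /* record_root_in_trans() succeeded */
out:
    convert_to_pertrans(&acc, RSV_BYTES); /* unconditional: the bug */
    end_transaction(&acc, &trans);
    return acc.prealloc + acc.pertrans;   /* bytes still outstanding */
}

/* Fixed shape: free PREALLOC on the early error path, convert only after
 * the root has been recorded so the transaction owns the release. */
static long fixed_subvolume_op(bool fail_before_record)
{
    struct qgroup_acct acc = {0, 0};
    struct transaction trans = {false};

    reserve_prealloc(&acc, RSV_BYTES);
    if (fail_before_record) {
        free_prealloc(&acc, RSV_BYTES);   /* property 1 */
        end_transaction(&acc, &trans);
        return acc.prealloc + acc.pertrans;
    }
    trans.root_recorded = true;           /* record_root_in_trans() succeeded */
    convert_to_pertrans(&acc, RSV_BYTES); /* property 2 */
    end_transaction(&acc, &trans);
    return acc.prealloc + acc.pertrans;
}

int main(void)
{
    printf("buggy, error path:  %ld bytes outstanding\n", buggy_subvolume_op(true));
    printf("buggy, success:     %ld bytes outstanding\n", buggy_subvolume_op(false));
    printf("fixed, error path:  %ld bytes outstanding\n", fixed_subvolume_op(true));
    printf("fixed, success:     %ld bytes outstanding\n", fixed_subvolume_op(false));
    return 0;
}
```

Only the buggy variant on its error path leaves bytes outstanding: the reservation was turned into PERTRANS for a root that the transaction never recorded, so nothing ever releases it, which is the condition the CONFIG_BTRFS_DEBUG WARN at unmount reports.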

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.9.5 (including) 6.1.120 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.28 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.8.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*