CVE-2024-40962

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: zoned: allocate dummy checksums for zoned NODATASUM writes<br /> <br /> Shin&amp;#39;ichiro reported that when he&amp;#39;s running fstests&amp;#39; test-case<br /> btrfs/167 on emulated zoned devices, he&amp;#39;s seeing the following NULL<br /> pointer dereference in &amp;#39;btrfs_zone_finish_endio()&amp;#39;:<br /> <br /> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000011: 0000 [#1] PREEMPT SMP KASAN NOPTI<br /> KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]<br /> CPU: 4 PID: 2332440 Comm: kworker/u80:15 Tainted: G W 6.10.0-rc2-kts+ #4<br /> Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020<br /> Workqueue: btrfs-endio-write btrfs_work_helper [btrfs]<br /> RIP: 0010:btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]<br /> <br /> RSP: 0018:ffff88867f107a90 EFLAGS: 00010206<br /> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff893e5534<br /> RDX: 0000000000000011 RSI: 0000000000000004 RDI: 0000000000000088<br /> RBP: 0000000000000002 R08: 0000000000000001 R09: ffffed1081696028<br /> R10: ffff88840b4b0143 R11: ffff88834dfff600 R12: ffff88840b4b0000<br /> R13: 0000000000020000 R14: 0000000000000000 R15: ffff888530ad5210<br /> FS: 0000000000000000(0000) GS:ffff888e3f800000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f87223fff38 CR3: 00000007a7c6a002 CR4: 00000000007706f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? __die_body.cold+0x19/0x27<br /> ? die_addr+0x46/0x70<br /> ? exc_general_protection+0x14f/0x250<br /> ? asm_exc_general_protection+0x26/0x30<br /> ? do_raw_read_unlock+0x44/0x70<br /> ? btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]<br /> btrfs_finish_one_ordered+0x5d9/0x19a0 [btrfs]<br /> ? __pfx_lock_release+0x10/0x10<br /> ? do_raw_write_lock+0x90/0x260<br /> ? __pfx_do_raw_write_lock+0x10/0x10<br /> ? __pfx_btrfs_finish_one_ordered+0x10/0x10 [btrfs]<br /> ? _raw_write_unlock+0x23/0x40<br /> ? btrfs_finish_ordered_zoned+0x5a9/0x850 [btrfs]<br /> ? lock_acquire+0x435/0x500<br /> btrfs_work_helper+0x1b1/0xa70 [btrfs]<br /> ? __schedule+0x10a8/0x60b0<br /> ? __pfx___might_resched+0x10/0x10<br /> process_one_work+0x862/0x1410<br /> ? __pfx_lock_acquire+0x10/0x10<br /> ? __pfx_process_one_work+0x10/0x10<br /> ? assign_work+0x16c/0x240<br /> worker_thread+0x5e6/0x1010<br /> ? __pfx_worker_thread+0x10/0x10<br /> kthread+0x2c3/0x3a0<br /> ? trace_irq_enable.constprop.0+0xce/0x110<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x31/0x70<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> <br /> Enabling CONFIG_BTRFS_ASSERT revealed the following assertion to<br /> trigger:<br /> <br /> assertion failed: !list_empty(&amp;ordered-&gt;list), in fs/btrfs/zoned.c:1815<br /> <br /> This indicates, that we&amp;#39;re missing the checksums list on the<br /> ordered_extent. As btrfs/167 is doing a NOCOW write this is to be<br /> expected.<br /> <br /> Further analysis with drgn confirmed the assumption:<br /> <br /> &gt;&gt;&gt; inode = prog.crashed_thread().stack_trace()[11][&amp;#39;ordered&amp;#39;].inode<br /> &gt;&gt;&gt; btrfs_inode = drgn.container_of(inode, "struct btrfs_inode", \<br /> "vfs_inode")<br /> &gt;&gt;&gt; print(btrfs_inode.flags)<br /> (u32)1<br /> <br /> As zoned emulation mode simulates conventional zones on regular devices,<br /> we cannot use zone-append for writing. But we&amp;#39;re only attaching dummy<br /> checksums if we&amp;#39;re doing a zone-append write.<br /> <br /> So for NOCOW zoned data writes on conventional zones, also attach a<br /> dummy checksum.