CVE-2024-42103

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 30/07/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix adding block group to a reclaim list and the unused list during reclaim

There is a potential parallel list adding for retrying in btrfs_reclaim_bgs_work and adding to the unused list. Since the block group is removed from the reclaim list and it is on a relocation work, it can be added into the unused list in parallel. When that happens, adding it to the reclaim list will corrupt the list head and trigger list corruption like below.

Fix it by taking fs_info->unused_bgs_lock.

[177.504][T2585409] BTRFS error (device nullb1): error relocating chunk 2415919104
[177.514][T2585409] list_del corruption. next->prev should be ff11000344b119c0, but was ff11000377e87c70. (next=ff110002390cd9c0)
[177.529][T2585409] ------------[ cut here ]------------
[177.537][T2585409] kernel BUG at lib/list_debug.c:65!
[177.545][T2585409] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
[177.555][T2585409] CPU: 9 PID: 2585409 Comm: kworker/u128:2 Tainted: G W 6.10.0-rc5-kts #1
[177.568][T2585409] Hardware name: Supermicro SYS-520P-WTR/X12SPW-TF, BIOS 1.2 02/14/2022
[177.579][T2585409] Workqueue: events_unbound btrfs_reclaim_bgs_work[btrfs]
[177.589][T2585409] RIP: 0010:__list_del_entry_valid_or_report.cold+0x70/0x72
[177.624][T2585409] RSP: 0018:ff11000377e87a70 EFLAGS: 00010286
[177.633][T2585409] RAX: 000000000000006d RBX: ff11000344b119c0 RCX: 0000000000000000
[177.644][T2585409] RDX: 000000000000006d RSI: 0000000000000008 RDI: ffe21c006efd0f40
[177.655][T2585409] RBP: ff110002e0509f78 R08: 0000000000000001 R09: ffe21c006efd0f08
[177.665][T2585409] R10: ff11000377e87847 R11: 0000000000000000 R12: ff110002390cd9c0
[177.676][T2585409] R13: ff11000344b119c0 R14: ff110002e0508000 R15: dffffc0000000000
[177.687][T2585409] FS: 0000000000000000(0000) GS:ff11000fec880000(0000) knlGS:0000000000000000
[177.700][T2585409] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[177.709][T2585409] CR2: 00007f06bc7b1978 CR3: 0000001021e86005 CR4: 0000000000771ef0
[177.720][T2585409] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[177.731][T2585409] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[177.742][T2585409] PKRU: 55555554
[177.748][T2585409] Call Trace:
[177.753][T2585409]
[177.759][T2585409] ? __die_body.cold+0x19/0x27
[177.766][T2585409] ? die+0x2e/0x50
[177.772][T2585409] ? do_trap+0x1ea/0x2d0
[177.779][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72
[177.788][T2585409] ? do_error_trap+0xa3/0x160
[177.795][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72
[177.805][T2585409] ? handle_invalid_op+0x2c/0x40
[177.812][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72
[177.820][T2585409] ? exc_invalid_op+0x2d/0x40
[177.827][T2585409] ? asm_exc_invalid_op+0x1a/0x20
[177.834][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72
[177.843][T2585409] btrfs_delete_unused_bgs+0x3d9/0x14c0 [btrfs]

There is a similar retry_list code in btrfs_delete_unused_bgs(), but it is safe, AFAICS. Since the block group was in the unused list, the used bytes should be 0 when it was added to the unused list. Then, it checks block_group->{used,reserved,pinned} are still 0 under the block_group->lock. So, they should be still eligible for the unused list, not the reclaim list.

The reason it is safe there is because we're holding space_info->groups_sem in write mode.

That means no other task can allocate from the block group, so while we are at deleted_unused_bgs() it's not possible for other tasks to allocate and deallocate extents from the block group, so it can't be added to the unused list or the reclaim list by anyone else.

The bug can be reproduced by btrfs/166 after a few rounds. In practice this can be hit when relocation cannot find more chunk space and ends with ENOSPC.
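The locking discipline the fix describes, as an added illustration that is not the kernel's own code: a block group's intrusive list node may be linked into at most one list, so both the unused path and the reclaim retry path take the same lock and add only when the node is still unlinked. The structures, function names and the mutex standing in for the spinlock are simplified stand-ins assumed for this example.

```c
#include <pthread.h>
#include <stdbool.h>

/* Minimal intrusive list in the style of the kernel's list_head. */
struct list_head { struct list_head *prev, *next; };
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
static void list_del_init(struct list_head *n)
{
	n->prev->next = n->next; n->next->prev = n->prev; INIT_LIST_HEAD(n);
}
static int list_count(const struct list_head *h)
{
	int c = 0;
	for (const struct list_head *p = h->next; p != h; p = p->next) c++;
	return c;
}

/* Hypothetical stand-ins for the btrfs block group and fs_info structures. */
struct block_group { unsigned long start; struct list_head bg_list; };
struct fs_info {
	pthread_mutex_t unused_bgs_lock; /* models fs_info->unused_bgs_lock */
	struct list_head unused_bgs, reclaim_bgs;
};
static void fs_init(struct fs_info *fs)
{
	pthread_mutex_init(&fs->unused_bgs_lock, NULL);
	INIT_LIST_HEAD(&fs->unused_bgs);
	INIT_LIST_HEAD(&fs->reclaim_bgs);
}

/* Both paths queue bg under the same lock and only while bg_list is unlinked,
 * so a block group can never be on two lists at once. Returns whether added. */
static bool queue_bg_locked(struct fs_info *fs, struct block_group *bg, struct list_head *target)
{
	bool added = false;
	pthread_mutex_lock(&fs->unused_bgs_lock);
	if (list_empty(&bg->bg_list)) { list_add_tail(&bg->bg_list, target); added = true; }
	pthread_mutex_unlock(&fs->unused_bgs_lock);
	return added;
}

/* Interleaving from the report: bg leaves reclaim_bgs for relocation, another
 * task marks it unused, then the failed relocation tries to requeue it.
 * Returns the number of list links bg holds afterwards (must be exactly 1). */
static int race_window(struct fs_info *fs, struct block_group *bg, struct list_head *retry_list)
{
	list_del_init(&bg->bg_list);              /* relocation starts */
	queue_bg_locked(fs, bg, &fs->unused_bgs); /* concurrent task: used bytes hit 0 */
	queue_bg_locked(fs, bg, retry_list);      /* relocation failed: retry is skipped */
	return list_count(&fs->unused_bgs) + list_count(&fs->reclaim_bgs) + list_count(retry_list);
}
```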

Vulnerable products and versions

CPE                                              From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.1.96 (including)   6.1.98 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.6.36 (including)   6.6.39 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.9.7 (including)    6.9.9 (excluding)
cpe:2.3:o:linux:linux_kernel:5.15.162:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc6:*:*:*:*:*:*