CVE-2023-54253

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: set page extent mapped after read_folio in relocate_one_page<br /> <br /> One of the CI runs triggered the following panic<br /> <br /> assertion failed: PagePrivate(page) &amp;&amp; page-&gt;private, in fs/btrfs/subpage.c:229<br /> ------------[ cut here ]------------<br /> kernel BUG at fs/btrfs/subpage.c:229!<br /> Internal error: Oops - BUG: 00000000f2000800 [#1] SMP<br /> CPU: 0 PID: 923660 Comm: btrfs Not tainted 6.5.0-rc3+ #1<br /> pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)<br /> pc : btrfs_subpage_assert+0xbc/0xf0<br /> lr : btrfs_subpage_assert+0xbc/0xf0<br /> sp : ffff800093213720<br /> x29: ffff800093213720 x28: ffff8000932138b4 x27: 000000000c280000<br /> x26: 00000001b5d00000 x25: 000000000c281000 x24: 000000000c281fff<br /> x23: 0000000000001000 x22: 0000000000000000 x21: ffffff42b95bf880<br /> x20: ffff42b9528e0000 x19: 0000000000001000 x18: ffffffffffffffff<br /> x17: 667274622f736620 x16: 6e69202c65746176 x15: 0000000000000028<br /> x14: 0000000000000003 x13: 00000000002672d7 x12: 0000000000000000<br /> x11: ffffcd3f0ccd9204 x10: ffffcd3f0554ae50 x9 : ffffcd3f0379528c<br /> x8 : ffff800093213428 x7 : 0000000000000000 x6 : ffffcd3f091771e8<br /> x5 : ffff42b97f333948 x4 : 0000000000000000 x3 : 0000000000000000<br /> x2 : 0000000000000000 x1 : ffff42b9556cde80 x0 : 000000000000004f<br /> Call trace:<br /> btrfs_subpage_assert+0xbc/0xf0<br /> btrfs_subpage_set_dirty+0x38/0xa0<br /> btrfs_page_set_dirty+0x58/0x88<br /> relocate_one_page+0x204/0x5f0<br /> relocate_file_extent_cluster+0x11c/0x180<br /> relocate_data_extent+0xd0/0xf8<br /> relocate_block_group+0x3d0/0x4e8<br /> btrfs_relocate_block_group+0x2d8/0x490<br /> btrfs_relocate_chunk+0x54/0x1a8<br /> btrfs_balance+0x7f4/0x1150<br /> btrfs_ioctl+0x10f0/0x20b8<br /> __arm64_sys_ioctl+0x120/0x11d8<br /> invoke_syscall.constprop.0+0x80/0xd8<br /> do_el0_svc+0x6c/0x158<br /> el0_svc+0x50/0x1b0<br /> el0t_64_sync_handler+0x120/0x130<br /> el0t_64_sync+0x194/0x198<br /> Code: 91098021 b0007fa0 91346000 97e9c6d2 (d4210000)<br /> <br /> This is the same problem outlined in 17b17fcd6d44 ("btrfs:<br /> set_page_extent_mapped after read_folio in btrfs_cont_expand") , and the<br /> fix is the same. I originally looked for the same pattern elsewhere in<br /> our code, but mistakenly skipped over this code because I saw the page<br /> cache readahead before we set_page_extent_mapped, not realizing that<br /> this was only in the !page case, that we can still end up with a<br /> !uptodate page and then do the btrfs_read_folio further down.<br /> <br /> The fix here is the same as the above mentioned patch, move the<br /> set_page_extent_mapped call to after the btrfs_read_folio() block to<br /> make sure that we have the subpage blocksize stuff setup properly before<br /> using the page.