CVE-2023-53865

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix warning when putting transaction with qgroups enabled after abort<br /> <br /> If we have a transaction abort with qgroups enabled we get a warning<br /> triggered when doing the final put on the transaction, like this:<br /> <br /> [552.6789] ------------[ cut here ]------------<br /> [552.6815] WARNING: CPU: 4 PID: 81745 at fs/btrfs/transaction.c:144 btrfs_put_transaction+0x123/0x130 [btrfs]<br /> [552.6817] Modules linked in: btrfs blake2b_generic xor (...)<br /> [552.6819] CPU: 4 PID: 81745 Comm: btrfs-transacti Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1<br /> [552.6819] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014<br /> [552.6819] RIP: 0010:btrfs_put_transaction+0x123/0x130 [btrfs]<br /> [552.6821] Code: bd a0 01 00 (...)<br /> [552.6821] RSP: 0018:ffffa168c0527e28 EFLAGS: 00010286<br /> [552.6821] RAX: ffff936042caed00 RBX: ffff93604a3eb448 RCX: 0000000000000000<br /> [552.6821] RDX: ffff93606421b028 RSI: ffffffff92ff0878 RDI: ffff93606421b010<br /> [552.6821] RBP: ffff93606421b000 R08: 0000000000000000 R09: ffffa168c0d07c20<br /> [552.6821] R10: 0000000000000000 R11: ffff93608dc52950 R12: ffffa168c0527e70<br /> [552.6821] R13: ffff93606421b000 R14: ffff93604a3eb420 R15: ffff93606421b028<br /> [552.6821] FS: 0000000000000000(0000) GS:ffff93675fb00000(0000) knlGS:0000000000000000<br /> [552.6821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [552.6821] CR2: 0000558ad262b000 CR3: 000000014feda005 CR4: 0000000000370ee0<br /> [552.6822] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [552.6822] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> [552.6822] Call Trace:<br /> [552.6822] <br /> [552.6822] ? __warn+0x80/0x130<br /> [552.6822] ? btrfs_put_transaction+0x123/0x130 [btrfs]<br /> [552.6824] ? report_bug+0x1f4/0x200<br /> [552.6824] ? handle_bug+0x42/0x70<br /> [552.6824] ? exc_invalid_op+0x14/0x70<br /> [552.6824] ? asm_exc_invalid_op+0x16/0x20<br /> [552.6824] ? btrfs_put_transaction+0x123/0x130 [btrfs]<br /> [552.6826] btrfs_cleanup_transaction+0xe7/0x5e0 [btrfs]<br /> [552.6828] ? _raw_spin_unlock_irqrestore+0x23/0x40<br /> [552.6828] ? try_to_wake_up+0x94/0x5e0<br /> [552.6828] ? __pfx_process_timeout+0x10/0x10<br /> [552.6828] transaction_kthread+0x103/0x1d0 [btrfs]<br /> [552.6830] ? __pfx_transaction_kthread+0x10/0x10 [btrfs]<br /> [552.6832] kthread+0xee/0x120<br /> [552.6832] ? __pfx_kthread+0x10/0x10<br /> [552.6832] ret_from_fork+0x29/0x50<br /> [552.6832] <br /> [552.6832] ---[ end trace 0000000000000000 ]---<br /> <br /> This corresponds to this line of code:<br /> <br /> void btrfs_put_transaction(struct btrfs_transaction *transaction)<br /> {<br /> (...)<br /> WARN_ON(!RB_EMPTY_ROOT(<br /> &amp;transaction-&gt;delayed_refs.dirty_extent_root));<br /> (...)<br /> }<br /> <br /> The warning happens because btrfs_qgroup_destroy_extent_records(), called<br /> in the transaction abort path, we free all entries from the rbtree<br /> "dirty_extent_root" with rbtree_postorder_for_each_entry_safe(), but we<br /> don&amp;#39;t actually empty the rbtree - it&amp;#39;s still pointing to nodes that were<br /> freed.<br /> <br /> So set the rbtree&amp;#39;s root node to NULL to avoid this warning (assign<br /> RB_ROOT).