CVE-2024-49868

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix a NULL pointer dereference when failed to start a new trasacntion<br /> <br /> [BUG]<br /> Syzbot reported a NULL pointer dereference with the following crash:<br /> <br /> FAULT_INJECTION: forcing a failure.<br /> start_transaction+0x830/0x1670 fs/btrfs/transaction.c:676<br /> prepare_to_relocate+0x31f/0x4c0 fs/btrfs/relocation.c:3642<br /> relocate_block_group+0x169/0xd20 fs/btrfs/relocation.c:3678<br /> ...<br /> BTRFS info (device loop0): balance: ended with status: -12<br /> Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cc: 0000 [#1] PREEMPT SMP KASAN NOPTI<br /> KASAN: null-ptr-deref in range [0x0000000000000660-0x0000000000000667]<br /> RIP: 0010:btrfs_update_reloc_root+0x362/0xa80 fs/btrfs/relocation.c:926<br /> Call Trace:<br /> <br /> commit_fs_roots+0x2ee/0x720 fs/btrfs/transaction.c:1496<br /> btrfs_commit_transaction+0xfaf/0x3740 fs/btrfs/transaction.c:2430<br /> del_balance_item fs/btrfs/volumes.c:3678 [inline]<br /> reset_balance_state+0x25e/0x3c0 fs/btrfs/volumes.c:3742<br /> btrfs_balance+0xead/0x10c0 fs/btrfs/volumes.c:4574<br /> btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3673<br /> vfs_ioctl fs/ioctl.c:51 [inline]<br /> __do_sys_ioctl fs/ioctl.c:907 [inline]<br /> __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> [CAUSE]<br /> The allocation failure happens at the start_transaction() inside<br /> prepare_to_relocate(), and during the error handling we call<br /> unset_reloc_control(), which makes fs_info-&gt;balance_ctl to be NULL.<br /> <br /> Then we continue the error path cleanup in btrfs_balance() by calling<br /> reset_balance_state() which will call del_balance_item() to fully delete<br /> the balance item in the root tree.<br /> <br /> However during the small window between set_reloc_contrl() and<br /> unset_reloc_control(), we can have a subvolume tree update and created a<br /> reloc_root for that subvolume.<br /> <br /> Then we go into the final btrfs_commit_transaction() of<br /> del_balance_item(), and into btrfs_update_reloc_root() inside<br /> commit_fs_roots().<br /> <br /> That function checks if fs_info-&gt;reloc_ctl is in the merge_reloc_tree<br /> stage, but since fs_info-&gt;reloc_ctl is NULL, it results a NULL pointer<br /> dereference.<br /> <br /> [FIX]<br /> Just add extra check on fs_info-&gt;reloc_ctl inside<br /> btrfs_update_reloc_root(), before checking<br /> fs_info-&gt;reloc_ctl-&gt;merge_reloc_tree.<br /> <br /> That DEAD_RELOC_TREE handling is to prevent further modification to the<br /> reloc tree during merge stage, but since there is no reloc_ctl at all,<br /> we do not need to bother that.