CVE-2024-49932

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: don&amp;#39;t readahead the relocation inode on RST<br /> <br /> On relocation we&amp;#39;re doing readahead on the relocation inode, but if the<br /> filesystem is backed by a RAID stripe tree we can get ENOENT (e.g. due to<br /> preallocated extents not being mapped in the RST) from the lookup.<br /> <br /> But readahead doesn&amp;#39;t handle the error and submits invalid reads to the<br /> device, causing an assertion in the scatter-gather list code:<br /> <br /> BTRFS info (device nvme1n1): balance: start -d -m -s<br /> BTRFS info (device nvme1n1): relocating block group 6480920576 flags data|raid0<br /> BTRFS error (device nvme1n1): cannot find raid-stripe for logical [6481928192, 6481969152] devid 2, profile raid0<br /> ------------[ cut here ]------------<br /> kernel BUG at include/linux/scatterlist.h:115!<br /> Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI<br /> CPU: 0 PID: 1012 Comm: btrfs Not tainted 6.10.0-rc7+ #567<br /> RIP: 0010:__blk_rq_map_sg+0x339/0x4a0<br /> RSP: 0018:ffffc90001a43820 EFLAGS: 00010202<br /> RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffea00045d4802<br /> RDX: 0000000117520000 RSI: 0000000000000000 RDI: ffff8881027d1000<br /> RBP: 0000000000003000 R08: ffffea00045d4902 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000001000 R12: ffff8881003d10b8<br /> R13: ffffc90001a438f0 R14: 0000000000000000 R15: 0000000000003000<br /> FS: 00007fcc048a6900(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000000002cd11000 CR3: 00000001109ea001 CR4: 0000000000370eb0<br /> Call Trace:<br /> <br /> ? __die_body.cold+0x14/0x25<br /> ? die+0x2e/0x50<br /> ? do_trap+0xca/0x110<br /> ? do_error_trap+0x65/0x80<br /> ? __blk_rq_map_sg+0x339/0x4a0<br /> ? exc_invalid_op+0x50/0x70<br /> ? __blk_rq_map_sg+0x339/0x4a0<br /> ? asm_exc_invalid_op+0x1a/0x20<br /> ? __blk_rq_map_sg+0x339/0x4a0<br /> nvme_prep_rq.part.0+0x9d/0x770<br /> nvme_queue_rq+0x7d/0x1e0<br /> __blk_mq_issue_directly+0x2a/0x90<br /> ? blk_mq_get_budget_and_tag+0x61/0x90<br /> blk_mq_try_issue_list_directly+0x56/0xf0<br /> blk_mq_flush_plug_list.part.0+0x52b/0x5d0<br /> __blk_flush_plug+0xc6/0x110<br /> blk_finish_plug+0x28/0x40<br /> read_pages+0x160/0x1c0<br /> page_cache_ra_unbounded+0x109/0x180<br /> relocate_file_extent_cluster+0x611/0x6a0<br /> ? btrfs_search_slot+0xba4/0xd20<br /> ? balance_dirty_pages_ratelimited_flags+0x26/0xb00<br /> relocate_data_extent.constprop.0+0x134/0x160<br /> relocate_block_group+0x3f2/0x500<br /> btrfs_relocate_block_group+0x250/0x430<br /> btrfs_relocate_chunk+0x3f/0x130<br /> btrfs_balance+0x71b/0xef0<br /> ? kmalloc_trace_noprof+0x13b/0x280<br /> btrfs_ioctl+0x2c2e/0x3030<br /> ? kvfree_call_rcu+0x1e6/0x340<br /> ? list_lru_add_obj+0x66/0x80<br /> ? mntput_no_expire+0x3a/0x220<br /> __x64_sys_ioctl+0x96/0xc0<br /> do_syscall_64+0x54/0x110<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> RIP: 0033:0x7fcc04514f9b<br /> Code: Unable to access opcode bytes at 0x7fcc04514f71.<br /> RSP: 002b:00007ffeba923370 EFLAGS: 00000246 ORIG_RAX: 0000000000000010<br /> RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fcc04514f9b<br /> RDX: 00007ffeba923460 RSI: 00000000c4009420 RDI: 0000000000000003<br /> RBP: 0000000000000000 R08: 0000000000000013 R09: 0000000000000001<br /> R10: 00007fcc043fbba8 R11: 0000000000000246 R12: 00007ffeba924fc5<br /> R13: 00007ffeba923460 R14: 0000000000000002 R15: 00000000004d4bb0<br /> <br /> Modules linked in:<br /> ---[ end trace 0000000000000000 ]---<br /> RIP: 0010:__blk_rq_map_sg+0x339/0x4a0<br /> RSP: 0018:ffffc90001a43820 EFLAGS: 00010202<br /> RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffea00045d4802<br /> RDX: 0000000117520000 RSI: 0000000000000000 RDI: ffff8881027d1000<br /> RBP: 0000000000003000 R08: ffffea00045d4902 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000001000 R12: ffff8881003d10b8<br /> R13: ffffc90001a438f0 R14: 0000000000000000 R15: 0000000000003000<br /> FS: 00007fcc048a6900(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007fcc04514f71 CR3: 00000001109ea001 CR4: 0000000000370eb0<br /> Kernel p<br /> ---truncated---