CVE-2024-56759

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 06/01/2025
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix use-after-free when COWing tree block and tracing is enabled

When COWing a tree block, at btrfs_cow_block(), and we have the tracepoint trace_btrfs_cow_block() enabled and preemption is also enabled (CONFIG_PREEMPT=y), we can trigger a use-after-free in the COWed extent buffer while inside the tracepoint code. This is because in some paths that call btrfs_cow_block(), such as btrfs_search_slot(), we are holding the last reference on the extent buffer @buf so btrfs_force_cow_block() drops the last reference on the @buf extent buffer when it calls free_extent_buffer_stale(buf), which schedules the release of the extent buffer with RCU. This means that if we are on a kernel with preemption, the current task may be preempted before calling trace_btrfs_cow_block() and the extent buffer already released by the time trace_btrfs_cow_block() is called, resulting in a use-after-free.

Fix this by moving the trace_btrfs_cow_block() from btrfs_cow_block() to btrfs_force_cow_block() before the COWed extent buffer is freed. This also has a side effect of invoking the tracepoint in the tree defrag code, at defrag.c:btrfs_realloc_node(), since btrfs_force_cow_block() is called there, but this is fine and it was actually missing there.
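The ordering problem described above, as an added userspace model (not kernel code and not part of the original advisory or patch). The struct and every `model_*` function are hypothetical stand-ins, and flags replace real freeing so no memory is actually released.

```c
#include <stdbool.h>

/* Stand-in for an extent buffer (assumed layout, not the kernel's). */
struct eb_model {
    int refs;
    bool rcu_pending;  /* last ref dropped, release queued behind a grace period */
    bool released;     /* grace period over: the memory would be gone */
};

/* Models free_extent_buffer_stale(): dropping the last ref queues an RCU release. */
static void model_free_stale(struct eb_model *eb)
{
    if (--eb->refs == 0)
        eb->rcu_pending = true;
}

/* Models preemption lasting long enough for the grace period to end. */
static void model_preempt(struct eb_model *eb)
{
    if (eb->rcu_pending)
        eb->released = true;
}

/* Models trace_btrfs_cow_block(); returns 1 if it read a released buffer. */
static int model_trace(const struct eb_model *eb)
{
    return eb->released ? 1 : 0;  /* 1 is the use-after-free in the kernel */
}

/* Ordering before the fix: the caller traces after the last ref was dropped. */
int cow_trace_after_release(void)
{
    struct eb_model buf = { .refs = 1 };
    model_free_stale(&buf);  /* done inside the force-COW step */
    model_preempt(&buf);     /* CONFIG_PREEMPT=y window */
    return model_trace(&buf);
}

/* Ordering after the fix: trace inside the force-COW step, before the drop. */
int cow_trace_before_release(void)
{
    struct eb_model buf = { .refs = 1 };
    model_preempt(&buf);     /* harmless while a reference is still held */
    int stale = model_trace(&buf);
    model_free_stale(&buf);
    model_preempt(&buf);
    return stale;
}
```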

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 6.12.8 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:* | | |