CVE-2023-53243

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: add handling for RAID1C23/DUP to btrfs_reduce_alloc_profile<br /> <br /> Callers of `btrfs_reduce_alloc_profile` expect it to return exactly<br /> one allocation profile flag, and failing to do so may ultimately<br /> result in a WARN_ON and remount-ro when allocating new blocks, like<br /> the below transaction abort on 6.1.<br /> <br /> `btrfs_reduce_alloc_profile` has two ways of determining the profile,<br /> first it checks if a conversion balance is currently running and<br /> uses the profile we&amp;#39;re converting to. If no balance is currently<br /> running, it returns the max-redundancy profile which at least one<br /> block in the selected block group has.<br /> <br /> This works by simply checking each known allocation profile bit in<br /> redundancy order. However, `btrfs_reduce_alloc_profile` has not been<br /> updated as new flags have been added - first with the `DUP` profile<br /> and later with the RAID1C34 profiles.<br /> <br /> Because of the way it checks, if we have blocks with different<br /> profiles and at least one is known, that profile will be selected.<br /> However, if none are known we may return a flag set with multiple<br /> allocation profiles set.<br /> <br /> This is currently only possible when a balance from one of the three<br /> unhandled profiles to another of the unhandled profiles is canceled<br /> after allocating at least one block using the new profile.<br /> <br /> In that case, a transaction abort like the below will occur and the<br /> filesystem will need to be mounted with -o skip_balance to get it<br /> mounted rw again (but the balance cannot be resumed without a<br /> similar abort).<br /> <br /> [770.648] ------------[ cut here ]------------<br /> [770.648] BTRFS: Transaction aborted (error -22)<br /> [770.648] WARNING: CPU: 43 PID: 1159593 at fs/btrfs/extent-tree.c:4122 find_free_extent+0x1d94/0x1e00 [btrfs]<br /> [770.648] CPU: 43 PID: 1159593 Comm: btrfs Tainted: G W 6.1.0-0.deb11.7-powerpc64le #1 Debian 6.1.20-2~bpo11+1a~test<br /> [770.648] Hardware name: T2P9D01 REV 1.00 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV<br /> [770.648] NIP: c00800000f6784fc LR: c00800000f6784f8 CTR: c000000000d746c0<br /> [770.648] REGS: c000200089afe9a0 TRAP: 0700 Tainted: G W (6.1.0-0.deb11.7-powerpc64le Debian 6.1.20-2~bpo11+1a~test)<br /> [770.648] MSR: 9000000002029033 CR: 28848282 XER: 20040000<br /> [770.648] CFAR: c000000000135110 IRQMASK: 0<br /> GPR00: c00800000f6784f8 c000200089afec40 c00800000f7ea800 0000000000000026<br /> GPR04: 00000001004820c2 c000200089afea00 c000200089afe9f8 0000000000000027<br /> GPR08: c000200ffbfe7f98 c000000002127f90 ffffffffffffffd8 0000000026d6a6e8<br /> GPR12: 0000000028848282 c000200fff7f3800 5deadbeef0000122 c00000002269d000<br /> GPR16: c0002008c7797c40 c000200089afef17 0000000000000000 0000000000000000<br /> GPR20: 0000000000000000 0000000000000001 c000200008bc5a98 0000000000000001<br /> GPR24: 0000000000000000 c0000003c73088d0 c000200089afef17 c000000016d3a800<br /> GPR28: c0000003c7308800 c00000002269d000 ffffffffffffffea 0000000000000001<br /> [770.648] NIP [c00800000f6784fc] find_free_extent+0x1d94/0x1e00 [btrfs]<br /> [770.648] LR [c00800000f6784f8] find_free_extent+0x1d90/0x1e00 [btrfs]<br /> [770.648] Call Trace:<br /> [770.648] [c000200089afec40] [c00800000f6784f8] find_free_extent+0x1d90/0x1e00 [btrfs] (unreliable)<br /> [770.648] [c000200089afed30] [c00800000f681398] btrfs_reserve_extent+0x1a0/0x2f0 [btrfs]<br /> [770.648] [c000200089afeea0] [c00800000f681bf0] btrfs_alloc_tree_block+0x108/0x670 [btrfs]<br /> [770.648] [c000200089afeff0] [c00800000f66bd68] __btrfs_cow_block+0x170/0x850 [btrfs]<br /> [770.648] [c000200089aff100] [c00800000f66c58c] btrfs_cow_block+0x144/0x288 [btrfs]<br /> [770.648] [c000200089aff1b0] [c00800000f67113c] btrfs_search_slot+0x6b4/0xcb0 [btrfs]<br /> [770.648] [c000200089aff2a0] [c00800000f679f60] lookup_inline_extent_backref+0x128/0x7c0 [btrfs]<br /> [770.648] [c000200089aff3b0] [c00800000f67b338] lookup_extent_backref+0x70/0x190 [btrfs]<br /> [770.648] [c000200089aff470] [c00800000f67b54c] __btrfs_free_extent+0xf4/0x1490 [btrfs]<br /> [770.648] [<br /> ---truncated---