ghsa-8c6w-27gc-g7xg
Vulnerability from github
Published
2024-04-17 12:32
Modified
2024-04-29 21:30
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix data race at btrfs_use_block_rsv() when accessing block reserve

At btrfs_use_block_rsv() we read the size of a block reserve without locking its spinlock, which makes KCSAN complain because the size of a block reserve is always updated while holding its spinlock. The report from KCSAN is the following:

[653.313148] BUG: KCSAN: data-race in btrfs_update_delayed_refs_rsv [btrfs] / btrfs_use_block_rsv [btrfs]

[653.314755] read to 0x000000017f5871b8 of 8 bytes by task 7519 on cpu 0: [653.314779] btrfs_use_block_rsv+0xe4/0x2f8 [btrfs] [653.315606] btrfs_alloc_tree_block+0xdc/0x998 [btrfs] [653.316421] btrfs_force_cow_block+0x220/0xe38 [btrfs] [653.317242] btrfs_cow_block+0x1ac/0x568 [btrfs] [653.318060] btrfs_search_slot+0xda2/0x19b8 [btrfs] [653.318879] btrfs_del_csums+0x1dc/0x798 [btrfs] [653.319702] __btrfs_free_extent.isra.0+0xc24/0x2028 [btrfs] [653.320538] __btrfs_run_delayed_refs+0xd3c/0x2390 [btrfs] [653.321340] btrfs_run_delayed_refs+0xae/0x290 [btrfs] [653.322140] flush_space+0x5e4/0x718 [btrfs] [653.322958] btrfs_preempt_reclaim_metadata_space+0x102/0x2f8 [btrfs] [653.323781] process_one_work+0x3b6/0x838 [653.323800] worker_thread+0x75e/0xb10 [653.323817] kthread+0x21a/0x230 [653.323836] __ret_from_fork+0x6c/0xb8 [653.323855] ret_from_fork+0xa/0x30

[653.323887] write to 0x000000017f5871b8 of 8 bytes by task 576 on cpu 3: [653.323906] btrfs_update_delayed_refs_rsv+0x1a4/0x250 [btrfs] [653.324699] btrfs_add_delayed_data_ref+0x468/0x6d8 [btrfs] [653.325494] btrfs_free_extent+0x76/0x120 [btrfs] [653.326280] __btrfs_mod_ref+0x6a8/0x6b8 [btrfs] [653.327064] btrfs_dec_ref+0x50/0x70 [btrfs] [653.327849] walk_up_proc+0x236/0xa50 [btrfs] [653.328633] walk_up_tree+0x21c/0x448 [btrfs] [653.329418] btrfs_drop_snapshot+0x802/0x1328 [btrfs] [653.330205] btrfs_clean_one_deleted_snapshot+0x184/0x238 [btrfs] [653.330995] cleaner_kthread+0x2b0/0x2f0 [btrfs] [653.331781] kthread+0x21a/0x230 [653.331800] __ret_from_fork+0x6c/0xb8 [653.331818] ret_from_fork+0xa/0x30

So add a helper to get the size of a block reserve while holding the lock. Reading the field while holding the lock instead of using the data_race() annotation is used in order to prevent load tearing.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-26904"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-17T11:15:11Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix data race at btrfs_use_block_rsv() when accessing block reserve\n\nAt btrfs_use_block_rsv() we read the size of a block reserve without\nlocking its spinlock, which makes KCSAN complain because the size of a\nblock reserve is always updated while holding its spinlock. The report\nfrom KCSAN is the following:\n\n  [653.313148] BUG: KCSAN: data-race in btrfs_update_delayed_refs_rsv [btrfs] / btrfs_use_block_rsv [btrfs]\n\n  [653.314755] read to 0x000000017f5871b8 of 8 bytes by task 7519 on cpu 0:\n  [653.314779]  btrfs_use_block_rsv+0xe4/0x2f8 [btrfs]\n  [653.315606]  btrfs_alloc_tree_block+0xdc/0x998 [btrfs]\n  [653.316421]  btrfs_force_cow_block+0x220/0xe38 [btrfs]\n  [653.317242]  btrfs_cow_block+0x1ac/0x568 [btrfs]\n  [653.318060]  btrfs_search_slot+0xda2/0x19b8 [btrfs]\n  [653.318879]  btrfs_del_csums+0x1dc/0x798 [btrfs]\n  [653.319702]  __btrfs_free_extent.isra.0+0xc24/0x2028 [btrfs]\n  [653.320538]  __btrfs_run_delayed_refs+0xd3c/0x2390 [btrfs]\n  [653.321340]  btrfs_run_delayed_refs+0xae/0x290 [btrfs]\n  [653.322140]  flush_space+0x5e4/0x718 [btrfs]\n  [653.322958]  btrfs_preempt_reclaim_metadata_space+0x102/0x2f8 [btrfs]\n  [653.323781]  process_one_work+0x3b6/0x838\n  [653.323800]  worker_thread+0x75e/0xb10\n  [653.323817]  kthread+0x21a/0x230\n  [653.323836]  __ret_from_fork+0x6c/0xb8\n  [653.323855]  ret_from_fork+0xa/0x30\n\n  [653.323887] write to 0x000000017f5871b8 of 8 bytes by task 576 on cpu 3:\n  [653.323906]  btrfs_update_delayed_refs_rsv+0x1a4/0x250 [btrfs]\n  [653.324699]  btrfs_add_delayed_data_ref+0x468/0x6d8 [btrfs]\n  [653.325494]  btrfs_free_extent+0x76/0x120 [btrfs]\n  [653.326280]  __btrfs_mod_ref+0x6a8/0x6b8 [btrfs]\n  [653.327064]  btrfs_dec_ref+0x50/0x70 [btrfs]\n  [653.327849]  walk_up_proc+0x236/0xa50 [btrfs]\n  [653.328633]  walk_up_tree+0x21c/0x448 [btrfs]\n  [653.329418]  btrfs_drop_snapshot+0x802/0x1328 [btrfs]\n  [653.330205]  btrfs_clean_one_deleted_snapshot+0x184/0x238 [btrfs]\n  [653.330995]  cleaner_kthread+0x2b0/0x2f0 [btrfs]\n  [653.331781]  kthread+0x21a/0x230\n  [653.331800]  __ret_from_fork+0x6c/0xb8\n  [653.331818]  ret_from_fork+0xa/0x30\n\nSo add a helper to get the size of a block reserve while holding the lock.\nReading the field while holding the lock instead of using the data_race()\nannotation is used in order to prevent load tearing.",
  "id": "GHSA-8c6w-27gc-g7xg",
  "modified": "2024-04-29T21:30:33Z",
  "published": "2024-04-17T12:32:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26904"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2daa2a8e895e6dc2395f8628c011bcf1e019040d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7e9422d35d574b646269ca46010a835ca074b310"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ab1be3f1aa7799f99155488c28eacaef65eb68fb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c7bb26b847e5b97814f522686068c5628e2b3646"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f6d4d29a12655b42a13cec038c2902bb7efc50ed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.