ghsa-8c6w-27gc-g7xg
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix data race at btrfs_use_block_rsv() when accessing block reserve
At btrfs_use_block_rsv() we read the size of a block reserve without locking its spinlock, which makes KCSAN complain because the size of a block reserve is always updated while holding its spinlock. The report from KCSAN is the following:
[653.313148] BUG: KCSAN: data-race in btrfs_update_delayed_refs_rsv [btrfs] / btrfs_use_block_rsv [btrfs]
[653.314755] read to 0x000000017f5871b8 of 8 bytes by task 7519 on cpu 0: [653.314779] btrfs_use_block_rsv+0xe4/0x2f8 [btrfs] [653.315606] btrfs_alloc_tree_block+0xdc/0x998 [btrfs] [653.316421] btrfs_force_cow_block+0x220/0xe38 [btrfs] [653.317242] btrfs_cow_block+0x1ac/0x568 [btrfs] [653.318060] btrfs_search_slot+0xda2/0x19b8 [btrfs] [653.318879] btrfs_del_csums+0x1dc/0x798 [btrfs] [653.319702] __btrfs_free_extent.isra.0+0xc24/0x2028 [btrfs] [653.320538] __btrfs_run_delayed_refs+0xd3c/0x2390 [btrfs] [653.321340] btrfs_run_delayed_refs+0xae/0x290 [btrfs] [653.322140] flush_space+0x5e4/0x718 [btrfs] [653.322958] btrfs_preempt_reclaim_metadata_space+0x102/0x2f8 [btrfs] [653.323781] process_one_work+0x3b6/0x838 [653.323800] worker_thread+0x75e/0xb10 [653.323817] kthread+0x21a/0x230 [653.323836] __ret_from_fork+0x6c/0xb8 [653.323855] ret_from_fork+0xa/0x30
[653.323887] write to 0x000000017f5871b8 of 8 bytes by task 576 on cpu 3: [653.323906] btrfs_update_delayed_refs_rsv+0x1a4/0x250 [btrfs] [653.324699] btrfs_add_delayed_data_ref+0x468/0x6d8 [btrfs] [653.325494] btrfs_free_extent+0x76/0x120 [btrfs] [653.326280] __btrfs_mod_ref+0x6a8/0x6b8 [btrfs] [653.327064] btrfs_dec_ref+0x50/0x70 [btrfs] [653.327849] walk_up_proc+0x236/0xa50 [btrfs] [653.328633] walk_up_tree+0x21c/0x448 [btrfs] [653.329418] btrfs_drop_snapshot+0x802/0x1328 [btrfs] [653.330205] btrfs_clean_one_deleted_snapshot+0x184/0x238 [btrfs] [653.330995] cleaner_kthread+0x2b0/0x2f0 [btrfs] [653.331781] kthread+0x21a/0x230 [653.331800] __ret_from_fork+0x6c/0xb8 [653.331818] ret_from_fork+0xa/0x30
So add a helper to get the size of a block reserve while holding the lock. Reading the field while holding the lock instead of using the data_race() annotation is used in order to prevent load tearing.
{ affected: [], aliases: [ "CVE-2024-26904", ], database_specific: { cwe_ids: [ "CWE-667", ], github_reviewed: false, github_reviewed_at: null, nvd_published_at: "2024-04-17T11:15:11Z", severity: "MODERATE", }, details: "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix data race at btrfs_use_block_rsv() when accessing block reserve\n\nAt btrfs_use_block_rsv() we read the size of a block reserve without\nlocking its spinlock, which makes KCSAN complain because the size of a\nblock reserve is always updated while holding its spinlock. The report\nfrom KCSAN is the following:\n\n [653.313148] BUG: KCSAN: data-race in btrfs_update_delayed_refs_rsv [btrfs] / btrfs_use_block_rsv [btrfs]\n\n [653.314755] read to 0x000000017f5871b8 of 8 bytes by task 7519 on cpu 0:\n [653.314779] btrfs_use_block_rsv+0xe4/0x2f8 [btrfs]\n [653.315606] btrfs_alloc_tree_block+0xdc/0x998 [btrfs]\n [653.316421] btrfs_force_cow_block+0x220/0xe38 [btrfs]\n [653.317242] btrfs_cow_block+0x1ac/0x568 [btrfs]\n [653.318060] btrfs_search_slot+0xda2/0x19b8 [btrfs]\n [653.318879] btrfs_del_csums+0x1dc/0x798 [btrfs]\n [653.319702] __btrfs_free_extent.isra.0+0xc24/0x2028 [btrfs]\n [653.320538] __btrfs_run_delayed_refs+0xd3c/0x2390 [btrfs]\n [653.321340] btrfs_run_delayed_refs+0xae/0x290 [btrfs]\n [653.322140] flush_space+0x5e4/0x718 [btrfs]\n [653.322958] btrfs_preempt_reclaim_metadata_space+0x102/0x2f8 [btrfs]\n [653.323781] process_one_work+0x3b6/0x838\n [653.323800] worker_thread+0x75e/0xb10\n [653.323817] kthread+0x21a/0x230\n [653.323836] __ret_from_fork+0x6c/0xb8\n [653.323855] ret_from_fork+0xa/0x30\n\n [653.323887] write to 0x000000017f5871b8 of 8 bytes by task 576 on cpu 3:\n [653.323906] btrfs_update_delayed_refs_rsv+0x1a4/0x250 [btrfs]\n [653.324699] btrfs_add_delayed_data_ref+0x468/0x6d8 [btrfs]\n [653.325494] btrfs_free_extent+0x76/0x120 [btrfs]\n [653.326280] __btrfs_mod_ref+0x6a8/0x6b8 [btrfs]\n [653.327064] btrfs_dec_ref+0x50/0x70 [btrfs]\n [653.327849] walk_up_proc+0x236/0xa50 [btrfs]\n [653.328633] walk_up_tree+0x21c/0x448 [btrfs]\n [653.329418] btrfs_drop_snapshot+0x802/0x1328 [btrfs]\n [653.330205] btrfs_clean_one_deleted_snapshot+0x184/0x238 [btrfs]\n [653.330995] cleaner_kthread+0x2b0/0x2f0 [btrfs]\n [653.331781] kthread+0x21a/0x230\n [653.331800] __ret_from_fork+0x6c/0xb8\n [653.331818] ret_from_fork+0xa/0x30\n\nSo add a helper to get the size of a block reserve while holding the lock.\nReading the field while holding the lock instead of using the data_race()\nannotation is used in order to prevent load tearing.", id: "GHSA-8c6w-27gc-g7xg", modified: "2024-04-29T21:30:33Z", published: "2024-04-17T12:32:05Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-26904", }, { type: "WEB", url: "https://git.kernel.org/stable/c/2daa2a8e895e6dc2395f8628c011bcf1e019040d", }, { type: "WEB", url: "https://git.kernel.org/stable/c/7e9422d35d574b646269ca46010a835ca074b310", }, { type: "WEB", url: "https://git.kernel.org/stable/c/ab1be3f1aa7799f99155488c28eacaef65eb68fb", }, { type: "WEB", url: "https://git.kernel.org/stable/c/c7bb26b847e5b97814f522686068c5628e2b3646", }, { type: "WEB", url: "https://git.kernel.org/stable/c/f6d4d29a12655b42a13cec038c2902bb7efc50ed", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", type: "CVSS_V3", }, ], }
Log in or create an account to share your comment.
This schema specifies the format of a comment related to a security advisory.
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.