{ "threat_severity" : "Moderate", "public_date" : "2024-08-17T00:00:00Z", "bugzilla" : { "description" : "kernel: btrfs: make cow_file_range_inline() honor locked_page on error", "id" : "2305411", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2305411" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-667", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbtrfs: make cow_file_range_inline() honor locked_page on error\nThe btrfs buffered write path runs through __extent_writepage() which\nhas some tricky return value handling for writepage_delalloc().\nSpecifically, when that returns 1, we exit, but for other return values\nwe continue and end up calling btrfs_folio_end_all_writers(). If the\nfolio has been unlocked (note that we check the PageLocked bit at the\nstart of __extent_writepage()), this results in an assert panic like\nthis one from syzbot:\nBTRFS: error (device loop0 state EAL) in free_log_tree:3267: errno=-5 IO failure\nBTRFS warning (device loop0 state EAL): Skipping commit of aborted transaction.\nBTRFS: error (device loop0 state EAL) in cleanup_transaction:2018: errno=-5 IO failure\nassertion failed: folio_test_locked(folio), in fs/btrfs/subpage.c:871\n------------[ cut here ]------------\nkernel BUG at fs/btrfs/subpage.c:871!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 1 PID: 5090 Comm: syz-executor225 Not tainted\n6.10.0-syzkaller-05505-gb1bc554e009e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS\nGoogle 06/27/2024\nRIP: 0010:btrfs_folio_end_all_writers+0x55b/0x610 fs/btrfs/subpage.c:871\nCode: e9 d3 fb ff ff e8 25 22 c2 fd 48 c7 c7 c0 3c 0e 8c 48 c7 c6 80 3d\n0e 8c 48 c7 c2 60 3c 0e 8c b9 67 03 00 00 e8 66 47 ad 07 90 <0f> 0b e8\n6e 45 b0 07 4c 89 ff be 08 00 00 00 e8 21 12 25 fe 4c 89\nRSP: 0018:ffffc900033d72e0 EFLAGS: 00010246\nRAX: 0000000000000045 RBX: 00fff0000000402c RCX: 663b7a08c50a0a00\nRDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000\nRBP: ffffc900033d73b0 R08: ffffffff8176b98c R09: 1ffff9200067adfc\nR10: dffffc0000000000 R11: fffff5200067adfd R12: 0000000000000001\nR13: dffffc0000000000 R14: 0000000000000000 R15: ffffea0001cbee80\nFS: 0000000000000000(0000) GS:ffff8880b9500000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f5f076012f8 CR3: 000000000e134000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\n__extent_writepage fs/btrfs/extent_io.c:1597 [inline]\nextent_write_cache_pages fs/btrfs/extent_io.c:2251 [inline]\nbtrfs_writepages+0x14d7/0x2760 fs/btrfs/extent_io.c:2373\ndo_writepages+0x359/0x870 mm/page-writeback.c:2656\nfilemap_fdatawrite_wbc+0x125/0x180 mm/filemap.c:397\n__filemap_fdatawrite_range mm/filemap.c:430 [inline]\n__filemap_fdatawrite mm/filemap.c:436 [inline]\nfilemap_flush+0xdf/0x130 mm/filemap.c:463\nbtrfs_release_file+0x117/0x130 fs/btrfs/file.c:1547\n__fput+0x24a/0x8a0 fs/file_table.c:422\ntask_work_run+0x24f/0x310 kernel/task_work.c:222\nexit_task_work include/linux/task_work.h:40 [inline]\ndo_exit+0xa2f/0x27f0 kernel/exit.c:877\ndo_group_exit+0x207/0x2c0 kernel/exit.c:1026\n__do_sys_exit_group kernel/exit.c:1037 [inline]\n__se_sys_exit_group kernel/exit.c:1035 [inline]\n__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1035\nx64_sys_call+0x2634/0x2640\narch/x86/include/generated/asm/syscalls_64.h:232\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f5f075b70c9\nCode: Unable to access opcode bytes at\n0x7f5f075b709f.\nI was hitting the same issue by doing hundreds of accelerated runs of\ngeneric/475, which also hits IO errors by design.\nI instrumented that reproducer with bpftrace and found that the\nundesirable folio_unlock was coming from the following callstack:\nfolio_unlock+5\n__process_pages_contig+475\ncow_file_range_inline.constprop.0+230\ncow_file_range+803\nbtrfs_run_delalloc_range+566\nwritepage_delalloc+332\n__extent_writepage # inlined in my stacktrace, but I added it here\nextent_write_cache_pages+622\nLooking at the bisected-to pa\n---truncated---", "A flaw was found in the btrfs module in the Linux kernel. Improper locking can occur due to an improper handling of error conditions, causing a kernel panic and resulting in a denial of service." ], "statement" : "The btrfs module is not built in the kernel shipped in Red Hat Enterprise Linux 8 and 9, so it is not affected by this vulnerability.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-42266\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-42266\nhttps://lore.kernel.org/linux-cve-announce/2024081738-CVE-2024-42266-529f@gregkh/T" ], "name" : "CVE-2024-42266", "csaw" : false }