In the Linux kernel, the following vulnerability has been resolved: btrfs:
fix data race at btrfs_use_block_rsv() when accessing block reserve At
btrfs_use_block_rsv() we read the size of a block reserve without locking
its spinlock, which makes KCSAN complain because the size of a block
reserve is always updated while holding its spinlock. The report from KCSAN
is the following: [653.313148] BUG: KCSAN: data-race in
btrfs_update_delayed_refs_rsv [btrfs] / btrfs_use_block_rsv [btrfs]
[653.314755] read to 0x000000017f5871b8 of 8 bytes by task 7519 on cpu 0:
[653.314779] btrfs_use_block_rsv+0xe4/0x2f8 [btrfs] [653.315606]
btrfs_alloc_tree_block+0xdc/0x998 [btrfs] [653.316421]
btrfs_force_cow_block+0x220/0xe38 [btrfs] [653.317242]
btrfs_cow_block+0x1ac/0x568 [btrfs] [653.318060]
btrfs_search_slot+0xda2/0x19b8 [btrfs] [653.318879]
btrfs_del_csums+0x1dc/0x798 [btrfs] [653.319702]
__btrfs_free_extent.isra.0+0xc24/0x2028 [btrfs] [653.320538]
__btrfs_run_delayed_refs+0xd3c/0x2390 [btrfs] [653.321340]
btrfs_run_delayed_refs+0xae/0x290 [btrfs] [653.322140]
flush_space+0x5e4/0x718 [btrfs] [653.322958]
btrfs_preempt_reclaim_metadata_space+0x102/0x2f8 [btrfs] [653.323781]
process_one_work+0x3b6/0x838 [653.323800] worker_thread+0x75e/0xb10
[653.323817] kthread+0x21a/0x230 [653.323836] __ret_from_fork+0x6c/0xb8
[653.323855] ret_from_fork+0xa/0x30 [653.323887] write to
0x000000017f5871b8 of 8 bytes by task 576 on cpu 3: [653.323906]
btrfs_update_delayed_refs_rsv+0x1a4/0x250 [btrfs] [653.324699]
btrfs_add_delayed_data_ref+0x468/0x6d8 [btrfs] [653.325494]
btrfs_free_extent+0x76/0x120 [btrfs] [653.326280]
__btrfs_mod_ref+0x6a8/0x6b8 [btrfs] [653.327064] btrfs_dec_ref+0x50/0x70
[btrfs] [653.327849] walk_up_proc+0x236/0xa50 [btrfs] [653.328633]
walk_up_tree+0x21c/0x448 [btrfs] [653.329418]
btrfs_drop_snapshot+0x802/0x1328 [btrfs] [653.330205]
btrfs_clean_one_deleted_snapshot+0x184/0x238 [btrfs] [653.330995]
cleaner_kthread+0x2b0/0x2f0 [btrfs] [653.331781] kthread+0x21a/0x230
[653.331800] __ret_from_fork+0x6c/0xb8 [653.331818] ret_from_fork+0xa/0x30
So add a helper to get the size of a block reserve while holding the lock.
Reading the field while holding the lock instead of using the data_race()
annotation is used in order to prevent load tearing.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 14.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 16.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
git.kernel.org/linus/c7bb26b847e5b97814f522686068c5628e2b3646 (6.8-rc7)
git.kernel.org/stable/c/2daa2a8e895e6dc2395f8628c011bcf1e019040d
git.kernel.org/stable/c/7e9422d35d574b646269ca46010a835ca074b310
git.kernel.org/stable/c/ab1be3f1aa7799f99155488c28eacaef65eb68fb
git.kernel.org/stable/c/c7bb26b847e5b97814f522686068c5628e2b3646
git.kernel.org/stable/c/f6d4d29a12655b42a13cec038c2902bb7efc50ed
launchpad.net/bugs/cve/CVE-2024-26904
nvd.nist.gov/vuln/detail/CVE-2024-26904
security-tracker.debian.org/tracker/CVE-2024-26904
www.cve.org/CVERecord?id=CVE-2024-26904