ghsa-hq36-r5x9-pmq2
Vulnerability from github
Published
2024-08-22 03:31
Modified
2024-09-12 15:32
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: do not start relocation until in progress drops are done

We hit a bug with a recovering relocation on mount for one of our file systems in production. I reproduced this locally by injecting errors into snapshot delete with balance running at the same time. This presented as an error while looking up an extent item

WARNING: CPU: 5 PID: 1501 at fs/btrfs/extent-tree.c:866 lookup_inline_extent_backref+0x647/0x680 CPU: 5 PID: 1501 Comm: btrfs-balance Not tainted 5.16.0-rc8+ #8 RIP: 0010:lookup_inline_extent_backref+0x647/0x680 RSP: 0018:ffffae0a023ab960 EFLAGS: 00010202 RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000000000 RBP: ffff943fd2a39b60 R08: 0000000000000000 R09: 0000000000000001 R10: 0001434088152de0 R11: 0000000000000000 R12: 0000000001d05000 R13: ffff943fd2a39b60 R14: ffff943fdb96f2a0 R15: ffff9442fc923000 FS: 0000000000000000(0000) GS:ffff944e9eb40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f1157b1fca8 CR3: 000000010f092000 CR4: 0000000000350ee0 Call Trace: insert_inline_extent_backref+0x46/0xd0 __btrfs_inc_extent_ref.isra.0+0x5f/0x200 ? btrfs_merge_delayed_refs+0x164/0x190 __btrfs_run_delayed_refs+0x561/0xfa0 ? btrfs_search_slot+0x7b4/0xb30 ? btrfs_update_root+0x1a9/0x2c0 btrfs_run_delayed_refs+0x73/0x1f0 ? btrfs_update_root+0x1a9/0x2c0 btrfs_commit_transaction+0x50/0xa50 ? btrfs_update_reloc_root+0x122/0x220 prepare_to_merge+0x29f/0x320 relocate_block_group+0x2b8/0x550 btrfs_relocate_block_group+0x1a6/0x350 btrfs_relocate_chunk+0x27/0xe0 btrfs_balance+0x777/0xe60 balance_kthread+0x35/0x50 ? btrfs_balance+0xe60/0xe60 kthread+0x16b/0x190 ? set_kthread_struct+0x40/0x40 ret_from_fork+0x22/0x30

Normally snapshot deletion and relocation are excluded from running at the same time by the fs_info->cleaner_mutex. However if we had a pending balance waiting to get the ->cleaner_mutex, and a snapshot deletion was running, and then the box crashed, we would come up in a state where we have a half deleted snapshot.

Again, in the normal case the snapshot deletion needs to complete before relocation can start, but in this case relocation could very well start before the snapshot deletion completes, as we simply add the root to the dead roots list and wait for the next time the cleaner runs to clean up the snapshot.

Fix this by setting a bit on the fs_info if we have any DEAD_ROOT's that had a pending drop_progress key. If they do then we know we were in the middle of the drop operation and set a flag on the fs_info. Then balance can wait until this flag is cleared to start up again.

If there are DEAD_ROOT's that don't have a drop_progress set then we're safe to start balance right away as we'll be properly protected by the cleaner_mutex.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-48901"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-22T02:15:04Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not start relocation until in progress drops are done\n\nWe hit a bug with a recovering relocation on mount for one of our file\nsystems in production.  I reproduced this locally by injecting errors\ninto snapshot delete with balance running at the same time.  This\npresented as an error while looking up an extent item\n\n  WARNING: CPU: 5 PID: 1501 at fs/btrfs/extent-tree.c:866 lookup_inline_extent_backref+0x647/0x680\n  CPU: 5 PID: 1501 Comm: btrfs-balance Not tainted 5.16.0-rc8+ #8\n  RIP: 0010:lookup_inline_extent_backref+0x647/0x680\n  RSP: 0018:ffffae0a023ab960 EFLAGS: 00010202\n  RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000\n  RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000000000\n  RBP: ffff943fd2a39b60 R08: 0000000000000000 R09: 0000000000000001\n  R10: 0001434088152de0 R11: 0000000000000000 R12: 0000000001d05000\n  R13: ffff943fd2a39b60 R14: ffff943fdb96f2a0 R15: ffff9442fc923000\n  FS:  0000000000000000(0000) GS:ffff944e9eb40000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007f1157b1fca8 CR3: 000000010f092000 CR4: 0000000000350ee0\n  Call Trace:\n   \u003cTASK\u003e\n   insert_inline_extent_backref+0x46/0xd0\n   __btrfs_inc_extent_ref.isra.0+0x5f/0x200\n   ? btrfs_merge_delayed_refs+0x164/0x190\n   __btrfs_run_delayed_refs+0x561/0xfa0\n   ? btrfs_search_slot+0x7b4/0xb30\n   ? btrfs_update_root+0x1a9/0x2c0\n   btrfs_run_delayed_refs+0x73/0x1f0\n   ? btrfs_update_root+0x1a9/0x2c0\n   btrfs_commit_transaction+0x50/0xa50\n   ? btrfs_update_reloc_root+0x122/0x220\n   prepare_to_merge+0x29f/0x320\n   relocate_block_group+0x2b8/0x550\n   btrfs_relocate_block_group+0x1a6/0x350\n   btrfs_relocate_chunk+0x27/0xe0\n   btrfs_balance+0x777/0xe60\n   balance_kthread+0x35/0x50\n   ? btrfs_balance+0xe60/0xe60\n   kthread+0x16b/0x190\n   ? set_kthread_struct+0x40/0x40\n   ret_from_fork+0x22/0x30\n   \u003c/TASK\u003e\n\nNormally snapshot deletion and relocation are excluded from running at\nthe same time by the fs_info-\u003ecleaner_mutex.  However if we had a\npending balance waiting to get the -\u003ecleaner_mutex, and a snapshot\ndeletion was running, and then the box crashed, we would come up in a\nstate where we have a half deleted snapshot.\n\nAgain, in the normal case the snapshot deletion needs to complete before\nrelocation can start, but in this case relocation could very well start\nbefore the snapshot deletion completes, as we simply add the root to the\ndead roots list and wait for the next time the cleaner runs to clean up\nthe snapshot.\n\nFix this by setting a bit on the fs_info if we have any DEAD_ROOT\u0027s that\nhad a pending drop_progress key.  If they do then we know we were in the\nmiddle of the drop operation and set a flag on the fs_info.  Then\nbalance can wait until this flag is cleared to start up again.\n\nIf there are DEAD_ROOT\u0027s that don\u0027t have a drop_progress set then we\u0027re\nsafe to start balance right away as we\u0027ll be properly protected by the\ncleaner_mutex.",
  "id": "GHSA-hq36-r5x9-pmq2",
  "modified": "2024-09-12T15:32:59Z",
  "published": "2024-08-22T03:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48901"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5e70bc827b563caf22e1203428cc3719643de5aa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6599d5e8bd758d897fd2ef4dc388ae50278b1f7e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b4be6aefa73c9a6899ef3ba9c5faaa8a66e333ef"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.