CVE-2023-53865

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix warning when putting transaction with qgroups enabled after abort

If we have a transaction abort with qgroups enabled we get a warning triggered when doing the final put on the transaction, like this:

[552.6789] ------------[ cut here ]------------ [552.6815] WARNING: CPU: 4 PID: 81745 at fs/btrfs/transaction.c:144 btrfsputtransaction+0x123/0x130 [btrfs] [552.6817] Modules linked in: btrfs blake2bgeneric xor (...) [552.6819] CPU: 4 PID: 81745 Comm: btrfs-transacti Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 [552.6819] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [552.6819] RIP: 0010:btrfsput_transaction+0x123/0x130 [btrfs] [552.6821] Code: bd a0 01 00 (...) [552.6821] RSP: 0018:ffffa168c0527e28 EFLAGS: 00010286 [552.6821] RAX: ffff936042caed00 RBX: ffff93604a3eb448 RCX: 0000000000000000 [552.6821] RDX: ffff93606421b028 RSI: ffffffff92ff0878 RDI: ffff93606421b010 [552.6821] RBP: ffff93606421b000 R08: 0000000000000000 R09: ffffa168c0d07c20 [552.6821] R10: 0000000000000000 R11: ffff93608dc52950 R12: ffffa168c0527e70 [552.6821] R13: ffff93606421b000 R14: ffff93604a3eb420 R15: ffff93606421b028 [552.6821] FS: 0000000000000000(0000) GS:ffff93675fb00000(0000) knlGS:0000000000000000 [552.6821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [552.6821] CR2: 0000558ad262b000 CR3: 000000014feda005 CR4: 0000000000370ee0 [552.6822] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [552.6822] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [552.6822] Call Trace: [552.6822] <TASK> [552.6822] ? __warn+0x80/0x130 [552.6822] ? btrfsputtransaction+0x123/0x130 [btrfs] [552.6824] ? reportbug+0x1f4/0x200 [552.6824] ? handlebug+0x42/0x70 [552.6824] ? excinvalidop+0x14/0x70 [552.6824] ? asmexcinvalidop+0x16/0x20 [552.6824] ? btrfsputtransaction+0x123/0x130 [btrfs] [552.6826] btrfscleanuptransaction+0xe7/0x5e0 [btrfs] [552.6828] ? rawspinunlockirqrestore+0x23/0x40 [552.6828] ? trytowakeup+0x94/0x5e0 [552.6828] ? __pfxprocesstimeout+0x10/0x10 [552.6828] transaction_kthread+0x103/0x1d0 [btrfs] [552.6830] ? __pfxtransactionkthread+0x10/0x10 [btrfs] [552.6832] kthread+0xee/0x120 [552.6832] ? _pfxkthread+0x10/0x10 [552.6832] retfromfork+0x29/0x50 [552.6832] </TASK> [552.6832] ---[ end trace 0000000000000000 ]---

This corresponds to this line of code:

void btrfsputtransaction(struct btrfstransaction *transaction) { (...) WARNON(!RBEMPTYROOT( &transaction->delayedrefs.dirtyextent_root)); (...) }

The warning happens because btrfsqgroupdestroyextentrecords(), called in the transaction abort path, we free all entries from the rbtree "dirtyextentroot" with rbtreepostorderforeachentry_safe(), but we don't actually empty the rbtree - it's still pointing to nodes that were freed.

So set the rbtree's root node to NULL to avoid this warning (assign RB_ROOT).