CVE-2023-54067

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix race when deleting free space root from the dirty cow roots list

When deleting the free space tree we are deleting the free space root from the list fsinfo->dirtycowonlyroots without taking the lock that protects it, which is struct btrfsfsinfo::translock. This unsynchronized list manipulation may cause chaos if there's another concurrent manipulation of this list, such as when adding a root to it with ctree.c:addroottodirtylist().

This can result in all sorts of weird failures caused by a race, such as the following crash:

[337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [337571.279572] RIP: 0010:commitcowonlyroots+0x11f/0x250 [btrfs] [337571.279928] Code: 85 38 06 00 (...) [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206 [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000 [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070 [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600 [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48 [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000 [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0 [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [337571.282874] Call Trace: [337571.283101] <TASK> [337571.283327] ? __diebody+0x1b/0x60 [337571.283570] ? dieaddr+0x39/0x60 [337571.283796] ? exc_generalprotection+0x22e/0x430 [337571.284022] ? asmexcgeneralprotection+0x22/0x30 [337571.284251] ? commitcowonlyroots+0x11f/0x250 [btrfs] [337571.284531] btrfscommittransaction+0x42e/0xf90 [btrfs] [337571.284803] ? rawspinunlock+0x15/0x30 [337571.285031] ? releaseextentbuffer+0x103/0x130 [btrfs] [337571.285305] resetbalancestate+0x152/0x1b0 [btrfs] [337571.285578] btrfsbalance+0xa50/0x11e0 [btrfs] [337571.285864] ? __kmemcachealloc_node+0x14a/0x410 [337571.286086] btrfsioctl+0x249a/0x3320 [btrfs] [337571.286358] ? modobjcgstate+0xd2/0x360 [337571.286577] ? refillobjstock+0xb0/0x160 [337571.286798] ? seqrelease+0x25/0x30 [337571.287016] ? __rseqhandlenotifyresume+0x3ba/0x4b0 [337571.287235] ? percpucounteraddbatch+0x2e/0xa0 [337571.287455] ? __x64sysioctl+0x88/0xc0 [337571.287675] __x64sysioctl+0x88/0xc0 [337571.287901] dosyscall64+0x38/0x90 [337571.288126] entrySYSCALL64afterhwframe+0x72/0xdc [337571.288352] RIP: 0033:0x7f478aaffe9b

So fix this by locking struct btrfsfsinfo::trans_lock before deleting the free space root from that list.