CVE-2024-56581

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-56581
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56581.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-56581
Related
Published
2024-12-27T15:15:17Z
Modified
2025-03-04T03:49:56.470017Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: ref-verify: fix use-after-free after invalid ref action

At btrfs_ref_tree_mod() after we successfully inserted the new ref entry (local variable 'ref') into the respective block entry's rbtree (local variable 'be'), if we find an unexpected action of BTRFS_DROP_DELAYED_REF, we error out and free the ref entry without removing it from the block entry's rbtree. Then in the error path of btrfs_ref_tree_mod() we call btrfs_free_ref_cache(), which iterates over all block entries and then calls free_block_entry() for each one, and there we will trigger a use-after-free when we are called against the block entry to which we added the freed ref entry to its rbtree, since the rbtree still points to the block entry, as we didn't remove it from the rbtree before freeing it in the error path at btrfs_ref_tree_mod(). Fix this by removing the new ref entry from the rbtree before freeing it.

Syzbot reported this with the following stack traces:

BTRFS error (device loop0 state EA): Ref action 2, root 5, ref_root 0, parent 8564736, owner 0, offset 0, num_refs 18446744073709551615
  __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523
  update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512
  btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594
  btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754
  btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116
  btrfs_insert_empty_items+0x9c/0x1a0 fs/btrfs/ctree.c:4314
  btrfs_insert_empty_item fs/btrfs/ctree.h:669 [inline]
  btrfs_insert_orphan_item+0x1f1/0x320 fs/btrfs/orphan.c:23
  btrfs_orphan_add+0x6d/0x1a0 fs/btrfs/inode.c:3482
  btrfs_unlink+0x267/0x350 fs/btrfs/inode.c:4293
  vfs_unlink+0x365/0x650 fs/namei.c:4469
  do_unlinkat+0x4ae/0x830 fs/namei.c:4533
  __do_sys_unlinkat fs/namei.c:4576 [inline]
  __se_sys_unlinkat fs/namei.c:4569 [inline]
  __x64_sys_unlinkat+0xcc/0xf0 fs/namei.c:4569
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
BTRFS error (device loop0 state EA): Ref action 1, root 5, ref_root 5, parent 0, owner 260, offset 0, num_refs 1
  __btrfs_mod_ref+0x76b/0xac0 fs/btrfs/extent-tree.c:2521
  update_ref_for_cow+0x96a/0x11f0
  btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594
  btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754
  btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116
  btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411
  __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030
  btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1114 [inline]
  __btrfs_commit_inode_delayed_items+0x2318/0x24a0 fs/btrfs/delayed-inode.c:1137
  __btrfs_run_delayed_items+0x213/0x490 fs/btrfs/delayed-inode.c:1171
  btrfs_commit_transaction+0x8a8/0x3740 fs/btrfs/transaction.c:2313
  prepare_to_relocate+0x3c4/0x4c0 fs/btrfs/relocation.c:3586
  relocate_block_group+0x16c/0xd40 fs/btrfs/relocation.c:3611
  btrfs_relocate_block_group+0x77d/0xd90 fs/btrfs/relocation.c:4081
  btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3377
  __btrfs_balance+0x1b0f/0x26b0 fs/btrfs/volumes.c:4161
  btrfs_balance+0xbdc/0x10c0 fs/btrfs/volumes.c:4538
BTRFS error (device loop0 state EA): Ref action 2, root 5, ref_root 0, parent 8564736, owner 0, offset 0, num_refs 18446744073709551615
  __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523
  update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512
  btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594
  btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754
  btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116
  btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411
  __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030
  btrfs_update_delayed_i ---truncated---
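
The insert-then-validate ordering that the commit message describes, as an added example that is not code from the kernel, the patch or this advisory. It is a userspace C model of the same bug shape: a block entry owns an intrusive tree of ref entries, a node is linked into the tree before the action is validated, and the error path frees the node. An unbalanced binary search tree stands in for the kernel rb_root/rb_node, a one-slot quarantine stands in for kfree() so the cleanup walk can count dangling links without touching freed memory, and the names ref_tree_mod, block_entry, erase_ref and count_dangling are illustrative rather than the kernel's. The action values 1 and 2 are the "Ref action" numbers printed in the trace above; with fixed set the node is unlinked before release, which is what the fix adds to the error path.

```c
/* Added example (not kernel or advisory code): a userspace model of the
 * CVE-2024-56581 pattern. A block entry owns an intrusive tree of ref entries;
 * an unbalanced BST stands in for the kernel rb_root/rb_node, and the action
 * values follow the "Ref action 1/2" printed in the syzbot trace. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

enum ref_action { ADD_DELAYED_REF = 1, DROP_DELAYED_REF = 2 };

struct ref_entry { uint64_t root; struct ref_entry *left, *right; };
struct block_entry { struct ref_entry *refs; };     /* be->refs: tree root */

/* One-slot quarantine in place of free(): the cleanup walk can then detect a
 * dangling link without reading freed memory (KASAN does this for real). */
static struct ref_entry *released;

static void insert_ref(struct block_entry *be, struct ref_entry *ref)
{
    struct ref_entry **link = &be->refs;            /* keys assumed unique */
    while (*link)
        link = ref->root < (*link)->root ? &(*link)->left : &(*link)->right;
    ref->left = ref->right = NULL;
    *link = ref;
}

/* Unlink node without freeing it: the rb_erase() counterpart. */
static void erase_ref(struct block_entry *be, struct ref_entry *node)
{
    struct ref_entry **link = &be->refs;            /* slot that holds node */
    while (*link && *link != node)
        link = node->root < (*link)->root ? &(*link)->left : &(*link)->right;
    if (!*link)
        return;
    if (!node->left || !node->right) {
        *link = node->left ? node->left : node->right;
        return;
    }
    struct ref_entry **slink = &node->right;        /* in-order successor slot */
    while ((*slink)->left)
        slink = &(*slink)->left;
    struct ref_entry *succ = *slink;
    *slink = succ->right;                           /* detach successor ... */
    succ->left = node->left;                        /* ... and splice it in */
    succ->right = node->right;
    *link = succ;
}

/* Shape of btrfs_ref_tree_mod(): insert first, validate the action after.
 * fixed == false reproduces the bug (release while still linked); fixed ==
 * true unlinks before releasing, which is what the patch adds to the error path. */
static int ref_tree_mod(struct block_entry *be, uint64_t root,
                        enum ref_action action, bool fixed)
{
    struct ref_entry *ref = calloc(1, sizeof(*ref));
    if (!ref)
        return -1;
    ref->root = root;
    insert_ref(be, ref);
    if (action == DROP_DELAYED_REF) {               /* unexpected action */
        if (fixed)
            erase_ref(be, ref);
        released = ref;                             /* kfree(ref) in the kernel */
        return -1;
    }
    return 0;
}

/* Walk as free_block_entry() would and count links to released memory: each
 * is a node the real cleanup would read through and kfree() a second time. */
static size_t count_dangling(const struct ref_entry *n)
{
    if (!n)
        return 0;
    return (n == released) + count_dangling(n->left) + count_dangling(n->right);
}

static void free_tree(struct ref_entry *n)
{
    if (!n)
        return;
    free_tree(n->left);
    free_tree(n->right);
    if (n != released)                              /* quarantined node freed by caller */
        free(n);
}

/* Scenario: two valid adds, then an invalid drop. Returns how many dangling
 * entries the cleanup walk meets: 1 with the bug, 0 once fixed. */
size_t dangling_after_invalid_drop(bool fixed)
{
    struct block_entry be = { .refs = NULL };
    released = NULL;
    ref_tree_mod(&be, 5, ADD_DELAYED_REF, fixed);
    ref_tree_mod(&be, 7, ADD_DELAYED_REF, fixed);
    ref_tree_mod(&be, 6, DROP_DELAYED_REF, fixed);  /* lands as a leaf under 7 */
    size_t dangling = count_dangling(be.refs);
    free_tree(be.refs);
    free(released);
    return dangling;
}
```

The point the model makes is that the order of operations in the error path is the whole fix: once a node has been linked into a container another code path will walk, the error path owns the unlink as well as the free. Replacing the quarantine with a real free() and building with -fsanitize=address reproduces the report the way KASAN did for syzbot.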

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.10.234-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1
5.10.178-1
5.10.178-2
5.10.178-3
5.10.179-1
5.10.179-2
5.10.179-3
5.10.179-4
5.10.179-5
5.10.191-1
5.10.197-1
5.10.205-1
5.10.205-2
5.10.209-1
5.10.209-2
5.10.216-1
5.10.218-1
5.10.221-1
5.10.223-1
5.10.226-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.1.123-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.1.112-1
6.1.115-1
6.1.119-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.12.5-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.1.112-1
6.1.115-1
6.1.119-1
6.1.123-1
6.1.124-1
6.1.128-1
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1
6.7.9-1
6.7.9-2
6.7.12-1~bpo12+1
6.7.12-1
6.8.9-1
6.8.11-1
6.8.12-1~bpo12+1
6.8.12-1
6.9.2-1~exp1
6.9.7-1~bpo12+1
6.9.7-1
6.9.8-1
6.9.9-1
6.9.10-1~bpo12+1
6.9.10-1
6.9.11-1
6.9.12-1
6.10-1~exp1
6.10.1-1~exp1
6.10.3-1
6.10.4-1
6.10.6-1~bpo12+1
6.10.6-1
6.10.7-1
6.10.9-1
6.10.11-1~bpo12+1
6.10.11-1
6.10.12-1
6.11~rc4-1~exp1
6.11~rc5-1~exp1
6.11-1~exp1
6.11.2-1
6.11.4-1
6.11.5-1~bpo12+1
6.11.5-1
6.11.6-1
6.11.7-1
6.11.9-1
6.11.10-1~bpo12+1
6.11.10-1
6.12~rc6-1~exp1
6.12.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:11 / linux-6.1

Package

Name
linux-6.1
Purl
pkg:deb/debian/linux-6.1?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.1.128-1~deb11u1

Affected versions

6.*

6.1.106-3~deb11u1
6.1.106-3~deb11u2
6.1.106-3~deb11u3
6.1.112-1~deb11u1
6.1.119-1~deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}