OESA-2024-1299

The Linux Kernel, the operating system core itself.

Security Fix(es):

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix deadlock when cloning inline extents and using qgroups

There are a few exceptional cases where cloning an inline extent needs to copy the inline extent data into a page of the destination inode.

When this happens, we end up starting a transaction while having a dirty page for the destination inode and while having the range locked in the destination's inode iotree too. Because when reserving metadata space for a transaction we may need to flush existing delalloc in case there is not enough free space, we have a mechanism in place to prevent a deadlock, which was introduced in commit 3d45f221ce627d ("btrfs: fix deadlock when cloning inline extent and low on free metadata space").

However when using qgroups, a transaction also reserves metadata qgroup space, which can also result in flushing delalloc in case there is not enough available space at the moment. When this happens we deadlock, since flushing delalloc requires locking the file range in the inode's iotree and the range was already locked at the very beginning of the clone operation, before attempting to start the transaction.

When this issue happens, stack traces like the following are reported:

[72747.556262] task:kworker/u81:9 state:D stack: 0 pid: 225 ppid: 2 flags:0x00004000 [72747.556268] Workqueue: writeback wbworkfn (flush-btrfs-1142) [72747.556271] Call Trace: [72747.556273] _schedule+0x296/0x760 [72747.556277] schedule+0x3c/0xa0 [72747.556279] ioschedule+0x12/0x40 [72747.556284] _lockpage+0x13c/0x280 [72747.556287] ? genericfilereadonlymmap+0x70/0x70 [72747.556325] extentwritecachepages+0x22a/0x440 [btrfs] [72747.556331] ? _setpagedirtynobuffers+0xe7/0x160 [72747.556358] ? setextentbufferdirty+0x5e/0x80 [btrfs] [72747.556362] ? updategroupcapacity+0x25/0x210 [72747.556366] ? cpumasknextand+0x1a/0x20 [72747.556391] extentwritepages+0x44/0xa0 [btrfs] [72747.556394] dowritepages+0x41/0xd0 [72747.556398] _writebacksingleinode+0x39/0x2a0 [72747.556403] writebacksbinodes+0x1ea/0x440 [72747.556407] _writebackinodeswb+0x5f/0xc0 [72747.556410] wbwriteback+0x235/0x2b0 [72747.556414] ? getnrinodes+0x35/0x50 [72747.556417] wbworkfn+0x354/0x490 [72747.556420] ? newidlebalance+0x2c5/0x3e0 [72747.556424] processonework+0x1aa/0x340 [72747.556426] workerthread+0x30/0x390 [72747.556429] ? createworker+0x1a0/0x1a0 [72747.556432] kthread+0x116/0x130 [72747.556435] ? kthreadpark+0x80/0x80 [72747.556438] retfromfork+0x1f/0x30

[72747.566958] Workqueue: btrfs-flushdelalloc btrfsworkhelper [btrfs] [72747.566961] Call Trace: [72747.566964] _schedule+0x296/0x760 [72747.566968] ? finishwait+0x80/0x80 [72747.566970] schedule+0x3c/0xa0 [72747.566995] waitextentbit.constprop.68+0x13b/0x1c0 [btrfs] [72747.566999] ? finishwait+0x80/0x80 [72747.567024] lockextentbits+0x37/0x90 [btrfs] [72747.567047] btrfsinvalidatepage+0x299/0x2c0 [btrfs] [72747.567051] ? findgetpagesrangetag+0x2cd/0x380 [72747.567076] _extentwritepage+0x203/0x320 [btrfs] [72747.567102] extentwritecachepages+0x2bb/0x440 [btrfs] [72747.567106] ? updateloadavg+0x7e/0x5f0 [72747.567109] ? enqueueentity+0xf4/0x6f0 [72747.567134] extentwritepages+0x44/0xa0 [btrfs] [72747.567137] ? enqueuetaskfair+0x93/0x6f0 [72747.567140] dowritepages+0x41/0xd0 [72747.567144] _filemapfdatawriterange+0xc7/0x100 [72747.567167] btrfsrundelallocwork+0x17/0x40 [btrfs] [72747.567195] btrfsworkhelper+0xc2/0x300 [btrfs] [72747.567200] processonework+0x1aa/0x340 [72747.567202] workerthread+0x30/0x390 [72747.567205] ? createworker+0x1a0/0x1a0 [72747.567208] kthread+0x116/0x130 [72747.567211] ? kthreadpark+0x80/0x80 [72747.567214] retfromfork+0x1f/0x30

[72747.569686] task:fsstress state:D stack:
---truncated---(CVE-2021-46987)

In the Linux kernel, the following vulnerability has been resolved:

bpf: Defer the free of inner map when necessary

When updating or deleting an inner map in map array or map htab, the map may still be accessed by non-sleepable program or sleepable program. However bpfmapfdputptr() decreases the ref-counter of the inner map directly through bpfmapput(), if the ref-counter is the last one (which is true for most cases), the inner map will be freed by ops->mapfree() in a kworker. But for now, most .mapfree() callbacks don't use synchronizercu() or its variants to wait for the elapse of a RCU grace period, so after the invocation of ops->mapfree completes, the bpf program which is accessing the inner map may incur use-after-free problem.

Fix the free of inner map by invoking bpfmapfreedeferred() after both one RCU grace period and one tasks trace RCU grace period if the inner map has been removed from the outer map before. The deferment is accomplished by using callrcu() or callrcutaskstrace() when releasing the last ref-counter of bpf map. The newly-added rcuhead field in bpfmap shares the same storage space with work field to reduce the size of bpfmap.(CVE-2023-52447)

In the Linux kernel, the following vulnerability has been resolved:

gfs2: Fix kernel NULL pointer dereference in gfs2rgrpdump

Syzkaller has reported a NULL pointer dereference when accessing rgd->rdrgl in gfs2rgrpdump(). This can happen when creating rgd->rdgl fails in readrindexentry(). Add a NULL pointer check in gfs2rgrpdump() to prevent that.(CVE-2023-52448)

In the Linux kernel, the following vulnerability has been resolved:

mtd: Fix gluebi NULL pointer dereference caused by ftl notifier

If both ftl.ko and gluebi.ko are loaded, the notifier of ftl triggers NULL pointer dereference when trying to access ‘gluebi->desc’ in gluebi_read().

ubigluebiinit ubiregistervolumenotifier ubienumeratevolumes ubinotifyall gluebinotify nb->notifiercall() gluebicreate mtddeviceregister mtddeviceparseregister addmtddevice blktransnotifyadd not->add() ftladdmtd tr->addmtd() scanheader mtdread mtdreadoob mtdreadoobstd gluebiread mtd->read() gluebi->desc - NULL

Detailed reproduction information available at the Link [1],

In the normal case, obtain gluebi->desc in the gluebigetdevice(), and access gluebi->desc in the gluebiread(). However, gluebigetdevice() is not executed in advance in the ftladd_mtd() process, which leads to NULL pointer dereference.

The solution for the gluebi module is to run jffs2 on the UBI volume without considering working with ftl or mtdblock [2]. Therefore, this problem can be avoided by preventing gluebi from creating the mtdblock device after creating mtd partition of the type MTD_UBIVOLUME.(CVE-2023-52449)

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix accesses to uninit stack slots

Privileged programs are supposed to be able to read uninitialized stack memory (ever since 6715df8d5) but, before this patch, these accesses were permitted inconsistently. In particular, accesses were permitted above state->allocatedstack, but not below it. In other words, if the stack was already "large enough", the access was permitted, but otherwise the access was rejected instead of being allowed to "grow the stack". This undesired rejection was happening in two places: - in checkstackslotwithinbounds() - in checkstackrangeinitialized() This patch arranges for these accesses to be permitted. A bunch of tests that were relying on the old rejection had to change; all of them were changed to add also run unprivileged, in which case the old behavior persists. One tests couldn't be updated - global_func16 - because it can't run unprivileged for other reasons.

This patch also fixes the tracking of the stack size for variable-offset reads. This second fix is bundled in the same commit as the first one because they're inter-related. Before this patch, writes to the stack using registers containing a variable offset (as opposed to registers with fixed, known values) were not properly contributing to the function's needed stack size. As a result, it was possible for a program to verify, but then to attempt to read out-of-bounds data at runtime because a too small stack had been allocated for it.

Each function tracks the size of the stack it needs in bpfsubproginfo.stackdepth, which is maintained by updatestackdepth(). For regular memory accesses, checkmemaccess() was calling updatestate_depth() but it was passing in only the fixed part of the offset register, ignoring the variable offset. This was incorrect; the minimum possible value of that register should be used instead.

This tracking is now fixed by centralizing the tracking of stack size in growstackstate(), and by lifting the calls to growstackstate() to checkstackaccesswithinbounds() as suggested by Andrii. The code is now simpler and more convincingly tracks the correct maximum stack size. checkstackrange_initialized() can now rely on enough stack having been allocated for the access; this helps with the fix for the first issue.

A few tests were changed to also check the stack depth computation. The one that fails without this patch is verifiervaroff:stackwriteprivvsunpriv.(CVE-2023-52452)