Ubuntu.comUB:CVE-2024-26726CVE-2024-26726
In the Linux kernel, the following vulnerability has been resolved: btrfs:
don’t drop extent_map for free space inode on write error While running the
CI for an unrelated change I hit the following panic with generic/648 on
btrfs_holes_spacecache. assertion failed: block_start != EXTENT_MAP_HOLE,
in fs/btrfs/extent_io.c:1385 ------------[ cut here ]------------ kernel
BUG at fs/btrfs/extent_io.c:1385! invalid opcode: 0000 [#1] PREEMPT SMP
NOPTI CPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W
6.8.0-rc2+ #1 RIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0 Call
Trace: <TASK> extent_write_cache_pages+0x2ac/0x8f0
extent_writepages+0x87/0x110 do_writepages+0xd5/0x1f0
filemap_fdatawrite_wbc+0x63/0x90 __filemap_fdatawrite_range+0x5c/0x80
btrfs_fdatawrite_range+0x1f/0x50 btrfs_write_out_cache+0x507/0x560
btrfs_write_dirty_block_groups+0x32a/0x420 commit_cowonly_roots+0x21b/0x290
btrfs_commit_transaction+0x813/0x1360 btrfs_sync_file+0x51a/0x640
__x64_sys_fdatasync+0x52/0x90 do_syscall_64+0x9c/0x190
entry_SYSCALL_64_after_hwframe+0x6e/0x76 This happens because we fail to
write out the free space cache in one instance, come back around and
attempt to write it again. However on the second pass through we go to call
btrfs_get_extent() on the inode to get the extent mapping. Because this is
a new block group, and with the free space inode we always search the
commit root to avoid deadlocking with the tree, we find nothing and return
a EXTENT_MAP_HOLE for the requested range. This happens because the first
time we try to write the space cache out we hit an error, and on an error
we drop the extent mapping. This is normal for normal files, but the free
space cache inode is special. We always expect the extent map to be
correct. Thus the second time through we end up with a bogus extent map.
Since we’re deprecating this feature, the most straightforward way to fix
this is to simply skip dropping the extent map range for this failed range.
I shortened the test by using error injection to stress the area to make it
easier to reproduce. With this patch in place we no longer panic with my
error injection test.
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
| ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
| ubuntu | 23.10 | noarch | linux | < 6.5.0-44.44 | UNKNOWN |
| ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
| ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
| ubuntu | 20.04 | noarch | linux-aws-5.15 | < any | UNKNOWN |
| ubuntu | 22.04 | noarch | linux-aws-6.5 | < 6.5.0-1023.23~22.04.1 | UNKNOWN |
| ubuntu | 20.04 | noarch | linux-azure | < any | UNKNOWN |
| ubuntu | 22.04 | noarch | linux-azure | < any | UNKNOWN |
| ubuntu | 20.04 | noarch | linux-azure-5.15 | < any | UNKNOWN |
References
git.kernel.org/linus/5571e41ec6e56e35f34ae9f5b3a335ef510e0ade (6.8-rc5)
git.kernel.org/stable/c/02f2b95b00bf57d20320ee168b30fb7f3db8e555
git.kernel.org/stable/c/5571e41ec6e56e35f34ae9f5b3a335ef510e0ade
git.kernel.org/stable/c/7bddf18f474f166c19f91b2baf67bf7c5eda03f7
git.kernel.org/stable/c/a4b7741c8302e28073bfc6dd1c2e73598e5e535e
launchpad.net/bugs/cve/CVE-2024-26726
nvd.nist.gov/vuln/detail/CVE-2024-26726
security-tracker.debian.org/tracker/CVE-2024-26726
ubuntu.com/security/notices/USN-6895-1
ubuntu.com/security/notices/USN-6895-2
ubuntu.com/security/notices/USN-6895-3
ubuntu.com/security/notices/USN-6900-1
www.cve.org/CVERecord?id=CVE-2024-26726
Related
