CVE-2023-54023

Summary

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix race between balance and cancel/pause

Syzbot reported a panic that looks like this:

assertion failed: fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE_PAUSED, in fs/btrfs/ioctl.c:465 ————[ cut here ]———— kernel BUG at fs/btrfs/messages.c:259! RIP: 0010:btrfs_assertfail+0x2c/0x30 fs/btrfs/messages.c:259 Call Trace: <TASK> btrfs_exclop_balance fs/btrfs/ioctl.c:465 [inline] btrfs_ioctl_balance fs/btrfs/ioctl.c:3564 [inline] btrfs_ioctl+0x531e/0x5b30 fs/btrfs/ioctl.c:4632 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The reproducer is running a balance and a cancel or pause in parallel. The way balance finishes is a bit wonky, if we were paused we need to save the balance_ctl in the fs_info, but clear it otherwise and cleanup. However we rely on the return values being specific errors, or having a cancel request or no pause request. If balance completes and returns 0, but we have a pause or cancel request we won't do the appropriate cleanup, and then the next time we try to start a balance we'll trip this ASSERT.

The error handling is just wrong here, we always want to clean up, unless we got -ECANCELLED and we set the appropriate pause flag in the exclusive op. With this patch the reproducer ran for an hour without tripping, previously it would trip in less than a few minutes.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux837d5b6e46d1a4af5b6cc8f2fe83cb5de79a2961 < ddf7e8984c83aee9122552529f4e77291903f8d9affected
LinuxLinux837d5b6e46d1a4af5b6cc8f2fe83cb5de79a2961 < 72efe5d44821e38540888a5fe3ff3d0faab6acadaffected
LinuxLinux837d5b6e46d1a4af5b6cc8f2fe83cb5de79a2961 < b19c98f237cd76981aaded52c258ce93f7daa8cbaffected
LinuxLinux3.3affected
LinuxLinux0 < 3.3unaffected
LinuxLinux6.1.42 <= 6.1.*unaffected
LinuxLinux6.4.7 <= 6.4.*unaffected
LinuxLinux6.5 <= *unaffected

Weaknesses

References