fkie_cve-2024-35956
Vulnerability from fkie_nvd
Published
2024-05-20 10:15
Modified
2024-12-14 21:15
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: btrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations Create subvolume, create snapshot and delete subvolume all use btrfs_subvolume_reserve_metadata() to reserve metadata for the changes done to the parent subvolume's fs tree, which cannot be mediated in the normal way via start_transaction. When quota groups (squota or qgroups) are enabled, this reserves qgroup metadata of type PREALLOC. Once the operation is associated to a transaction, we convert PREALLOC to PERTRANS, which gets cleared in bulk at the end of the transaction. However, the error paths of these three operations were not implementing this lifecycle correctly. They unconditionally converted the PREALLOC to PERTRANS in a generic cleanup step regardless of errors or whether the operation was fully associated to a transaction or not. This resulted in error paths occasionally converting this rsv to PERTRANS without calling record_root_in_trans successfully, which meant that unless that root got recorded in the transaction by some other thread, the end of the transaction would not free that root's PERTRANS, leaking it. Ultimately, this resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount for the leaked reservation. The fix is to ensure that every qgroup PREALLOC reservation observes the following properties: 1. any failure before record_root_in_trans is called successfully results in freeing the PREALLOC reservation. 2. after record_root_in_trans, we convert to PERTRANS, and now the transaction owns freeing the reservation. This patch enforces those properties on the three operations. Without it, generic/269 with squotas enabled at mkfs time would fail in ~5-10 runs on my system. With this patch, it ran successfully 1000 times in a row.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/14431815a4ae4bcd7c7a68b6a64c66c7712d27c9
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6c95336f5d8eb9ab79cd7306d71b6d0477363f8c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/74e97958121aa1f5854da6effba70143f051b0cd
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/945559be6e282a812dc48f7bcd5adc60901ea4a0
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/14431815a4ae4bcd7c7a68b6a64c66c7712d27c9
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/6c95336f5d8eb9ab79cd7306d71b6d0477363f8c
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/74e97958121aa1f5854da6effba70143f051b0cd
Impacted products
Vendor Product Version


To clipboard 

{
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations\n\nCreate subvolume, create snapshot and delete subvolume all use\nbtrfs_subvolume_reserve_metadata() to reserve metadata for the changes\ndone to the parent subvolume's fs tree, which cannot be mediated in the\nnormal way via start_transaction. When quota groups (squota or qgroups)\nare enabled, this reserves qgroup metadata of type PREALLOC. Once the\noperation is associated to a transaction, we convert PREALLOC to\nPERTRANS, which gets cleared in bulk at the end of the transaction.\n\nHowever, the error paths of these three operations were not implementing\nthis lifecycle correctly. They unconditionally converted the PREALLOC to\nPERTRANS in a generic cleanup step regardless of errors or whether the\noperation was fully associated to a transaction or not. This resulted in\nerror paths occasionally converting this rsv to PERTRANS without calling\nrecord_root_in_trans successfully, which meant that unless that root got\nrecorded in the transaction by some other thread, the end of the\ntransaction would not free that root's PERTRANS, leaking it. Ultimately,\nthis resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount\nfor the leaked reservation.\n\nThe fix is to ensure that every qgroup PREALLOC reservation observes the\nfollowing properties:\n\n1. any failure before record_root_in_trans is called successfully\n   results in freeing the PREALLOC reservation.\n2. after record_root_in_trans, we convert to PERTRANS, and now the\n   transaction owns freeing the reservation.\n\nThis patch enforces those properties on the three operations. Without\nit, generic/269 with squotas enabled at mkfs time would fail in ~5-10\nruns on my system. With this patch, it ran successfully 1000 times in a\nrow.",
      },
      {
         lang: "es",
         value: "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: qgroup: corrige la fuga de rsv prealloc de qgroup en operaciones de subvolumen Crear subvolumen, crear instantánea y eliminar subvolumen, todos usan btrfs_subvolume_reserve_metadata() para reservar metadatos para los cambios realizados en el árbol fs del subvolumen principal , que no se puede mediar de la forma normal a través de start_transaction. Cuando los grupos de cuotas (squota o qgroups) están habilitados, esto reserva metadatos de qgroup de tipo PREALLOC. Una vez asociada la operación a una transacción, convertimos PREALLOC a PERTRANS, que se compensa de forma masiva al final de la transacción. Sin embargo, las rutas de error de estas tres operaciones no implementaban este ciclo de vida correctamente. Convirtieron incondicionalmente PREALLOC a PERTRANS en un paso de limpieza genérico, independientemente de los errores o de si la operación estaba completamente asociada a una transacción o no. Esto resultó en rutas de error que ocasionalmente convertían este rsv a PERTRANS sin llamar exitosamente a record_root_in_trans, lo que significaba que, a menos que algún otro hilo registrara esa raíz en la transacción, el final de la transacción no liberaría el PERTRANS de esa raíz, filtrándolo. En última instancia, esto resultó en un aviso de ADVERTENCIA en las compilaciones CONFIG_BTRFS_DEBUG al desmontar la reserva filtrada. La solución es garantizar que cada reserva PREALLOC de qgroup observe las siguientes propiedades: 1. cualquier falla antes de que se llame exitosamente a record_root_in_trans resulta en la liberación de la reserva PREALLOC. 2. después de record_root_in_trans, convertimos a PERTRANS, y ahora la transacción es dueña de la reserva. Este parche aplica esas propiedades en las tres operaciones. Sin él, generic/269 con cuotas habilitadas en el momento mkfs fallaría en ~5-10 ejecuciones en mi sistema. Con este parche, se ejecutó exitosamente 1000 veces seguidas.",
      },
   ],
   id: "CVE-2024-35956",
   lastModified: "2024-12-14T21:15:18.477",
   metrics: {},
   published: "2024-05-20T10:15:10.920",
   references: [
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         url: "https://git.kernel.org/stable/c/14431815a4ae4bcd7c7a68b6a64c66c7712d27c9",
      },
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         url: "https://git.kernel.org/stable/c/6c95336f5d8eb9ab79cd7306d71b6d0477363f8c",
      },
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         url: "https://git.kernel.org/stable/c/74e97958121aa1f5854da6effba70143f051b0cd",
      },
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         url: "https://git.kernel.org/stable/c/945559be6e282a812dc48f7bcd5adc60901ea4a0",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://git.kernel.org/stable/c/14431815a4ae4bcd7c7a68b6a64c66c7712d27c9",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://git.kernel.org/stable/c/6c95336f5d8eb9ab79cd7306d71b6d0477363f8c",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://git.kernel.org/stable/c/74e97958121aa1f5854da6effba70143f051b0cd",
      },
   ],
   sourceIdentifier: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
   vulnStatus: "Awaiting Analysis",
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.