ACK: [SRU][N][PATCH 0/1] CVE-2024-56582

Jose Ogando jose.ogando at canonical.com
Fri Feb 7 16:20:39 UTC 2025


Looks good.

Acked-by: Jose Ogando <jose.ogando at canonical.com>

On Fri, 2025-02-07 at 10:10 +0100, Massimiliano Pellizzer wrote:
> [Impact]
> 
> btrfs: fix use-after-free in btrfs_encoded_read_endio()
> 
> The following use-after-free sometimes happens in our CI system when
> running fstests' btrfs/284 on a TCMU runner device:
> 
>   BUG: KASAN: slab-use-after-free in lock_release+0x708/0x780
>   Read of size 8 at addr ffff888106a83f18 by task kworker/u80:6/219
> 
> To fix this, change atomic_dec_return() to atomic_dec_and_test() to fix
> the corruption, as atomic_dec_return() is defined as two instructions on
> x86_64, whereas atomic_dec_and_test() is defined as a single atomic
> operation. This can lead to a situation where the counter value is
> already decremented but the if statement in btrfs_encoded_read_endio()
> is not completely processed, i.e. the 0 test has not completed. If
> another thread continues executing
> btrfs_encoded_read_regular_fill_pages(), the atomic_dec_return() there
> can see an already updated ->pending counter and continues by freeing
> the private data. Continuing in the endio handler, the test for 0
> succeeds and the wait_queue is woken up, resulting in a use-after-free.
> 
> [Fix]
> 
> Oracular: Fixed via upstream stable updates (LP: #2096744)
> Noble: Cherry picked from linux-6.6.y
> Jammy: Not affected
> Focal: Not affected
> 
> [Test case]
> 
> Compile and boot tested.
> Moreover, tested a btrfs partition using stress-ng:
> 
> $ sudo stress-ng --hdd 4 --timeout 300s --aggressive --metrics
> stress-ng: metrc: [3992] stressor       bogo ops real time  usr time  sys time   bogo ops/s     bogo ops/s CPU used per       RSS Max
> stress-ng: metrc: [3992]                           (secs)    (secs)    (secs)   (real time) (usr+sys time) instance (%)          (KB)
> stress-ng: metrc: [3992] hdd             1591050    300.02     23.79     77.66      5303.19       15682.33         8.45         10648
> stress-ng: info:  [3992] skipped: 0
> stress-ng: info:  [3992] passed: 3: hdd (3)
> stress-ng: info:  [3992] failed: 0
> stress-ng: info:  [3992] metrics untrustworthy: 0
> stress-ng: info:  [3992] successful run completed in 5 mins, 0.03 secs
> 
> [Where problems could occur]
> 
> The fix affects the Btrfs implementation. An issue with this fix may
> lead to instability in filesystem I/O operations. A user might
> experience file read errors, data corruption during high I/O workloads,
> or kernel panics.
> 
> Johannes Thumshirn (1):
>   btrfs: fix use-after-free in btrfs_encoded_read_endio()
> 
>  fs/btrfs/inode.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> -- 
> 2.43.0
> 
> 
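The race described in the quoted cover letter comes down to one rule for shared, reference-counted private data: the decrement and the zero test must be a single atomic step, and a dropper that did not observe the final transition must never touch the object again. The program below is an added example, not code from this mail or from the kernel's btrfs implementation. It uses C11 atomics and pthreads in place of the kernel's atomic_t and bio completion path; the names struct read_priv, read_priv_put and run_refcount_demo are constructed for this illustration. It starts n concurrent "completions" against one shared object and counts how many of them freed it; a correct drop yields exactly one free no matter how the threads interleave.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for per-read private data shared by several I/O
 * completions. Whoever drops ->pending to zero owns the free. */
struct read_priv {
    atomic_int pending;      /* outstanding completions, like ->pending */
    atomic_int *free_count;  /* instrumentation: how many times we freed */
};

/* Drop one reference. atomic_fetch_sub returns the value before the
 * decrement, so exactly one caller sees 1 (the 1 -> 0 transition) and
 * becomes the freer. Every other caller must not touch priv after the
 * fetch_sub, because the freer may already have released it. Doing the
 * decrement and the test as two separate operations is what lets a second
 * thread observe the already-updated counter and free underneath us. */
static void read_priv_put(struct read_priv *priv)
{
    atomic_int *free_count = priv->free_count; /* read while still owned */

    if (atomic_fetch_sub_explicit(&priv->pending, 1,
                                  memory_order_acq_rel) == 1) {
        atomic_fetch_add(free_count, 1);
        free(priv);
    }
    /* No further use of priv here: losers have already given it up. */
}

static void *completion_worker(void *arg)
{
    read_priv_put(arg);
    return NULL;
}

/* Run n concurrent completions against one object and return how many
 * times it was freed. A correct refcount drop returns exactly 1.
 * Returns -1 on setup failure. */
int run_refcount_demo(int n)
{
    if (n <= 0)
        return -1;

    atomic_int freed = 0;
    struct read_priv *priv = malloc(sizeof *priv);
    if (!priv)
        return -1;
    atomic_init(&priv->pending, n);
    priv->free_count = &freed;

    pthread_t *tids = calloc((size_t)n, sizeof *tids);
    if (!tids) {
        free(priv);
        return -1;
    }

    for (int i = 0; i < n; i++) {
        if (pthread_create(&tids[i], NULL, completion_worker, priv) != 0) {
            perror("pthread_create");
            exit(EXIT_FAILURE);
        }
    }
    for (int i = 0; i < n; i++)
        pthread_join(tids[i], NULL);
    free(tids);

    /* priv has been freed by the single winning thread; only the local
     * counter is consulted from here on. */
    return atomic_load(&freed);
}

int main(void)
{
    int frees = run_refcount_demo(16);
    printf("16 concurrent completions, object freed %d time(s)\n", frees);
    return frees == 1 ? 0 : 1;
}
```

The memory_order_acq_rel on the decrement is what makes the freer see every other dropper's earlier writes to the object (release on their side, acquire on the winner's side), which is the same role the kernel's atomic_dec_and_test() plays with its full barrier semantics.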