[SRU][N][PATCH 0/1] CVE-2024-56582

Massimiliano Pellizzer massimiliano.pellizzer at canonical.com
Fri Feb 7 09:10:45 UTC 2025


[Impact]

btrfs: fix use-after-free in btrfs_encoded_read_endio()

The following use-after-free sometimes happens in our CI system when
running fstests' btrfs/284 on a TCMU runner device:

  BUG: KASAN: slab-use-after-free in lock_release+0x708/0x780
  Read of size 8 at addr ffff888106a83f18 by task kworker/u80:6/219

To fix this, change atomic_dec_return() to atomic_dec_and_test() to fix the
corruption, as atomic_dec_return() is defined as two instructions on
x86_64, whereas atomic_dec_and_test() is defined as a single atomic
operation. This can lead to a situation where the counter value is already
decremented but the if statement in btrfs_encoded_read_endio() is not
completely processed, i.e. the 0 test has not completed. If another thread
continues executing btrfs_encoded_read_regular_fill_pages() the
atomic_dec_return() there can see an already updated ->pending counter and
continues by freeing the private data. Continuing in the endio handler the
test for 0 succeeds and the wait_queue is woken up, resulting in a
use-after-free.
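As an added illustration (not the kernel patch, which only swaps atomic_dec_return() for atomic_dec_and_test() in fs/btrfs/inode.c), this userspace C model reproduces the submitter/endio reference handoff described above: the submitter holds one reference in ->pending, every in-flight bio holds one, and only the party that drops the last reference may act afterwards. The struct layout, the `finished` flag standing in for the wait queue, and the function names are simplifications assumed here, not btrfs's actual code.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdlib.h>

/* Simplified model (assumed layout, not the real btrfs struct). */
struct read_priv {
    atomic_int pending;   /* 1 for the submitter + 1 per submitted bio */
    atomic_int finished;  /* stand-in for the wait queue being woken */
};

static atomic_int completed_bios;  /* how many endio handlers have run */

/* Same contract as atomic_dec_and_test(): one read-modify-write, true iff
 * this decrement took the counter to zero. */
static int dec_and_test(atomic_int *v) { return atomic_fetch_sub(v, 1) == 1; }

/* Model of btrfs_encoded_read_endio(), one thread per bio. */
static void *endio(void *arg) {
    struct read_priv *priv = arg;
    atomic_fetch_add(&completed_bios, 1);        /* per-bio work is done */
    if (dec_and_test(&priv->pending))
        atomic_store(&priv->finished, 1);        /* last bio: wake submitter */
    /* Nothing may touch priv after this point: the submitter may free it. */
    return NULL;
}

/* Model of the submitter. Returns how many bios had completed at the moment
 * priv was freed; equal to nbios iff the wait really covered every bio. */
int run_encoded_read(int nbios) {
    enum { MAX_BIOS = 64 };
    pthread_t th[MAX_BIOS];
    if (nbios < 0 || nbios > MAX_BIOS) return -1;
    atomic_store(&completed_bios, 0);
    struct read_priv *priv = malloc(sizeof *priv);
    atomic_init(&priv->pending, 1);
    atomic_init(&priv->finished, 0);
    for (int i = 0; i < nbios; i++) {
        atomic_fetch_add(&priv->pending, 1);     /* take a ref for this bio */
        pthread_create(&th[i], NULL, endio, priv);
    }
    /* Drop the submitter's own reference; if bios are still in flight, wait
     * for the last endio to set ->finished (the io_wait_event() step). */
    if (!dec_and_test(&priv->pending))
        while (!atomic_load(&priv->finished)) sched_yield();
    int seen = atomic_load(&completed_bios);
    free(priv);                                  /* safe: no bio touches it */
    for (int i = 0; i < nbios; i++) pthread_join(th[i], NULL);
    return seen;
}
```

The invariant the model enforces is the one the patch restores: the completer's final access to the shared object must happen before the point at which the submitter is allowed to free it.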

[Fix]

Oracular: Fixed via upstream stable updates (LP: #2096744)
Noble: Cherry picked from linux-6.6.y
Jammy: Not affected
Focal: Not affected

[Test case]

Compile and boot tested.
Moreover, tested a btrfs partition using stress-ng:

$ sudo stress-ng --hdd 4 --timeout 300s --aggressive --metrics
stress-ng: metrc: [3992] stressor       bogo ops real time  usr time  sys time   bogo ops/s     bogo ops/s CPU used per       RSS Max
stress-ng: metrc: [3992]                           (secs)    (secs)    (secs)   (real time) (usr+sys time) instance (%)          (KB)
stress-ng: metrc: [3992] hdd             1591050    300.02     23.79     77.66      5303.19       15682.33         8.45         10648
stress-ng: info:  [3992] skipped: 0
stress-ng: info:  [3992] passed: 3: hdd (3)
stress-ng: info:  [3992] failed: 0
stress-ng: info:  [3992] metrics untrustworthy: 0
stress-ng: info:  [3992] successful run completed in 5 mins, 0.03 secs

[Where problems could occur]

The fix affects the Btrfs implementation. An issue with this fix may
lead to instability in filesystem I/O operations. A user might
experience file read errors, data corruption during high I/O workloads,
or kernel panics.

Johannes Thumshirn (1):
  btrfs: fix use-after-free in btrfs_encoded_read_endio()

 fs/btrfs/inode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.43.0