APPLIED: [SRU][N][PATCH 0/1] CVE-2024-56582
Koichiro Den
koichiro.den at canonical.com
Fri Feb 14 06:49:21 UTC 2025
On Fri, Feb 07, 2025 at 10:10:45AM GMT, Massimiliano Pellizzer wrote:
> [Impact]
>
> btrfs: fix use-after-free in btrfs_encoded_read_endio()
>
> The following use-after-free sometimes happens in our CI system when
> running fstests' btrfs/284 on a TCMU runner device:
>
> BUG: KASAN: slab-use-after-free in lock_release+0x708/0x780
> Read of size 8 at addr ffff888106a83f18 by task kworker/u80:6/219
>
> To fix this, change atomic_dec_return() to atomic_dec_and_test() to fix the
> corruption, as atomic_dec_return() is defined as two instructions on
> x86_64, whereas atomic_dec_and_test() is defined as a single atomic
> operation. This can lead to a situation where counter value is already
> decremented but the if statement in btrfs_encoded_read_endio() is not
> completely processed, i.e. the 0 test has not completed. If another thread
> continues executing btrfs_encoded_read_regular_fill_pages() the
> atomic_dec_return() there can see an already updated ->pending counter and
> continues by freeing the private data. Continuing in the endio handler the
> test for 0 succeeds and the wait_queue is woken up, resulting in a
> use-after-free.
>
> [Fix]
>
> Oracular: Fixed via upstream stable updates (LP: #2096744)
> Noble: Cherry picked from linux-6.6.y
> Jammy: Not affected
> Focal: Not affected
>
> [Test case]
>
> Compile and boot tested.
> Moreover, tested a btrfs partition using stress-ng:
>
> $ sudo stress-ng --hdd 4 --timeout 300s --aggressive --metrics
> stress-ng: metrc: [3992] stressor bogo ops real time usr time sys time bogo ops/s bogo ops/s CPU used per RSS Max
> stress-ng: metrc: [3992] (secs) (secs) (secs) (real time) (usr+sys time) instance (%) (KB)
> stress-ng: metrc: [3992] hdd 1591050 300.02 23.79 77.66 5303.19 15682.33 8.45 10648
> stress-ng: info: [3992] skipped: 0
> stress-ng: info: [3992] passed: 3: hdd (3)
> stress-ng: info: [3992] failed: 0
> stress-ng: info: [3992] metrics untrustworthy: 0
> stress-ng: info: [3992] successful run completed in 5 mins, 0.03 secs
>
> [Where problems could occur]
>
> The fix affects the Btrfs implementation. An issue with this fix may
> lead to instability in filesystem I/O operations. A user might
> experience file read errors, data corruption during high I/O workloads,
> or kernel panics.
>
> Johannes Thumshirn (1):
> btrfs: fix use-after-free in btrfs_encoded_read_endio()
>
> fs/btrfs/inode.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
Applied to noble:linux master-next branch. Thanks!