CVE-2022-48920

In the Linux kernel, the following vulnerability has been resolved: btrfs: get rid of warning on transaction commit when using flushoncommit When using the flushoncommit mount option, during almost every transaction commit we trigger a warning from __writeback_inodes_sb_nr(): $ cat fs/fs-writeback.c: (...) static void __writeback_inodes_sb_nr(struct super_block *sb, ... { (...) WARN_ON(!rwsem_is_locked(&sb->s_umount)); (...) } (...) The trace produced in dmesg looks like the following: [947.473890] WARNING: CPU: 5 PID: 930 at fs/fs-writeback.c:2610 __writeback_inodes_sb_nr+0x7e/0xb3 [947.481623] Modules linked in: nfsd nls_cp437 cifs asn1_decoder cifs_arc4 fscache cifs_md4 ipmi_ssif [947.489571] CPU: 5 PID: 930 Comm: btrfs-transacti Not tainted 95.16.3-srb-asrock-00001-g36437ad63879 #186 [947.497969] RIP: 0010:__writeback_inodes_sb_nr+0x7e/0xb3 [947.502097] Code: 24 10 4c 89 44 24 18 c6 (...) [947.519760] RSP: 0018:ffffc90000777e10 EFLAGS: 00010246 [947.523818] RAX: 0000000000000000 RBX: 0000000000963300 RCX: 0000000000000000 [947.529765] RDX: 0000000000000000 RSI: 000000000000fa51 RDI: ffffc90000777e50 [947.535740] RBP: ffff888101628a90 R08: ffff888100955800 R09: ffff888100956000 [947.541701] R10: 0000000000000002 R11: 0000000000000001 R12: ffff888100963488 [947.547645] R13: ffff888100963000 R14: ffff888112fb7200 R15: ffff888100963460 [947.553621] FS: 0000000000000000(0000) GS:ffff88841fd40000(0000) knlGS:0000000000000000 [947.560537] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [947.565122] CR2: 0000000008be50c4 CR3: 000000000220c000 CR4: 00000000001006e0 [947.571072] Call Trace: [947.572354] <TASK> [947.573266] btrfs_commit_transaction+0x1f1/0x998 [947.576785] ? start_transaction+0x3ab/0x44e [947.579867] ? schedule_timeout+0x8a/0xdd [947.582716] transaction_kthread+0xe9/0x156 [947.585721] ? btrfs_cleanup_transaction.isra.0+0x407/0x407 [947.590104] kthread+0x131/0x139 [947.592168] ? set_kthread_struct+0x32/0x32 [947.595174] ret_from_fork+0x22/0x30 [947.597561] </TASK> [947.598553] ---[ end trace 644721052755541c ]--- This is because we started using writeback_inodes_sb() to flush delalloc when committing a transaction (when using -o flushoncommit), in order to avoid deadlocks with filesystem freeze operations. This change was made by commit ce8ea7cc6eb313 ("btrfs: don't call btrfs_start_delalloc_roots in flushoncommit"). After that change we started producing that warning, and every now and then a user reports this since the warning happens too often, it spams dmesg/syslog, and a user is unsure if this reflects any problem that might compromise the filesystem's reliability. We can not just lock the sb->s_umount semaphore before calling writeback_inodes_sb(), because that would at least deadlock with filesystem freezing, since at fs/super.c:freeze_super() sync_filesystem() is called while we are holding that semaphore in write mode, and that can trigger a transaction commit, resulting in a deadlock. It would also trigger the same type of deadlock in the unmount path. Possibly, it could also introduce some other locking dependencies that lockdep would report. To fix this call try_to_writeback_inodes_sb() instead of writeback_inodes_sb(), because that will try to read lock sb->s_umount and then will only call writeback_inodes_sb() if it was able to lock it. This is fine because the cases where it can't read lock sb->s_umount are during a filesystem unmount or during a filesystem freeze - in those cases sb->s_umount is write locked and sync_filesystem() is called, which calls writeback_inodes_sb(). In other words, in all cases where we can't take a read lock on sb->s_umount, writeback is already being triggered elsewhere. An alternative would be to call btrfs_start_delalloc_roots() with a number of pages different from LONG_MAX, for example matching the number of delalloc bytes we currently have, in ---truncated---
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc4:*:*:*:*:*:*

History

12 Sep 2024, 13:04

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.5
CWE CWE-667
CPE cpe:2.3:o:linux:linux_kernel:5.17:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc4:*:*:*:*:*:*
References () https://git.kernel.org/stable/c/850a77c999b81dd2724efd2684068d6f90db8c16 - () https://git.kernel.org/stable/c/850a77c999b81dd2724efd2684068d6f90db8c16 - Patch
References () https://git.kernel.org/stable/c/a0f0cf8341e34e5d2265bfd3a7ad68342da1e2aa - () https://git.kernel.org/stable/c/a0f0cf8341e34e5d2265bfd3a7ad68342da1e2aa - Patch
References () https://git.kernel.org/stable/c/e4d044dbffcd570351f21c747fc77ff90aed7f2e - () https://git.kernel.org/stable/c/e4d044dbffcd570351f21c747fc77ff90aed7f2e - Patch
First Time Linux linux Kernel
Linux

22 Aug 2024, 12:48

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: elimina la advertencia en el commit de transacción cuando se usa fluoncommit Cuando se usa la opción de montaje fluoncommit, durante casi cada commit de transacción activamos una advertencia de __writeback_inodes_sb_nr(): $ cat fs/fs -writeback.c: (...) vacío estático __writeback_inodes_sb_nr(struct super_block *sb, ... { (...) WARN_ON(!rwsem_is_locked(&amp;sb-&gt;s_umount)); (...) } (... ) La traza producida en dmesg se parece a la siguiente: [947.473890] ADVERTENCIA: CPU: 5 PID: 930 en fs/fs-writeback.c:2610 __writeback_inodes_sb_nr+0x7e/0xb3 [947.481623] Módulos vinculados en: nfsd nls_cp437 cifs asn1_decoder s_arc4 fscache cifs_md4 ipmi_ssif [947.489571] CPU: 5 PID: 930 Comm: btrfs-transacti No contaminado 95.16.3-srb-asrock-00001-g36437ad63879 #186 [947.497969] RIP: __writeback_inodes_sb_nr +0x7e/0xb3 [947.502097] Código: 24 10 4c 89 44 24 18 c6 (...) [947.519760] RSP: 0018:ffffc90000777e10 EFLAGS: 00010246 [947.523818] RAX: 0000000000000000 RBX: 0000000000963300 X: 0000000000000000 [947.529765] RDX: 0000000000000000 RSI: 000000000000fa51 RDI: ffffc90000777e50 [947.535740] RBP : ffff888101628a90 R08: ffff888100955800 R09: ffff888100956000 [947.541701] R10: 00000000000000002 R11: 0000000000000001 R12: ffff88810096 3488 [947.547645] R13: ffff888100963000 R14: ffff888112fb7200 R15: ffff888100963460 [947.553621] FS: 0000000000000000(0000) GS:ffff88841fd40 000(0000) knlGS:0000000000000000 [947.560537] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [947.565122] CR2: 0000000008be50c4 CR3: 000000000220c000 CR4: 00000000001006e 0 [947.571072] Seguimiento de llamadas: [947.572354] [947.573266] btrfs_commit_transaction+0x1f1/0x998 [947.576785] ? start_transaction+0x3ab/0x44e [947.579867] ? Schedule_timeout+0x8a/0xdd [947.582716] transacción_kthread+0xe9/0x156 [947.585721] ? btrfs_cleanup_transaction.isra.0+0x407/0x407 [947.590104] kthread+0x131/0x139 [947.592168] ? set_kthread_struct+0x32/0x32 [947.595174] ret_from_fork+0x22/0x30 [947.597561] [947.598553] ---[ end trace 644721052755541c ]--- Esto se debe a que comenzamos a usar writeback_inodes_sb() para vaciar delalloc cuando cometer una transacción (cuando se usa -o fluoncommit), para evitar interbloqueos con las operaciones de congelación del sistema de archivos. Este cambio se realizó mediante el commit ce8ea7cc6eb313 ("btrfs: no llame a btrfs_start_delalloc_roots en flowoncommit"). Después de ese cambio, comenzamos a producir esa advertencia y, de vez en cuando, un usuario informa esto ya que la advertencia ocurre con demasiada frecuencia, envía spam a dmesg/syslog y el usuario no está seguro de si esto refleja algún problema que pueda comprometer la confiabilidad del sistema de archivos. No podemos simplemente bloquear el semáforo sb-&gt;s_umount antes de llamar a writeback_inodes_sb(), porque eso al menos bloquearía el sistema de archivos, ya que en fs/super.c:freeze_super() se llama a sync_filesystem() mientras mantenemos ese semáforo en modo de escritura, y eso puede desencadenar un commit de transacción, lo que resulta en un punto muerto. También desencadenaría el mismo tipo de punto muerto en la ruta de desmontaje. Posiblemente, también podría introducir algunas otras dependencias de bloqueo que lockdep informaría. Para solucionar este problema, llame a try_to_writeback_inodes_sb() en lugar de writeback_inodes_sb(), porque intentará leer el bloqueo sb-&gt;s_umount y luego solo llamará a writeback_inodes_sb() si pudo bloquearlo. Esto está bien porque los casos en los que no puede leer el bloqueo sb-&gt;s_umount son durante un desmontaje del sistema de archivos o durante una congelación del sistema de archivos; en esos casos, sb-&gt;s_umount está bloqueado contra escritura y se llama a sync_filesystem(), que llama a writeback_inodes_sb() . En otras palabras, en todos los casos en los que no podemos adoptar un bloqueo de lectura en sb-&gt;s_umount, la reescritura ya se está activando en otro lugar. ---truncado---

22 Aug 2024, 02:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-22 02:15

Updated : 2024-09-12 13:04


NVD link : CVE-2022-48920

Mitre link : CVE-2022-48920

CVE.ORG link : CVE-2022-48920


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-667

Improper Locking