CVE-2024-26905

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

CVSS

No CVSS.

References

No reference.

Configurations

No configuration.

History

29 Jul 2024, 13:15

Type Values Removed Values Added
Summary
  • (es) In the Linux kernel, the following vulnerability has been resolved:

    btrfs: fix data races when accessing the reserved amount of block reserves

    In space_info.c we have several places where we access the ->reserved field of a block reserve without taking the block reserve's spinlock first, which makes KCSAN warn about a data race, since that field is always updated while holding the spinlock. The KCSAN reports are like the following:

      [117.193526] BUG: KCSAN: data-race in btrfs_block_rsv_release [btrfs] / need_preemptive_reclaim [btrfs]
      [117.195148] read to 0x000000017f587190 of 8 bytes by task 6303 on cpu 3:
      [117.195172] need_preemptive_reclaim+0x222/0x2f0 [btrfs]
      [117.195992] __reserve_bytes+0xbb0/0xdc8 [btrfs]
      [117.196807] btrfs_reserve_metadata_bytes+0x4c/0x120 [btrfs]
      [117.197620] btrfs_block_rsv_add+0x78/0xa8 [btrfs]
      [117.198434] btrfs_delayed_update_inode+0x154/0x368 [btrfs]
      [117.199300] btrfs_update_inode+0x108/0x1c8 [btrfs]
      [117.200122] btrfs_dirty_inode+0xb4/0x140 [btrfs]
      [117.200937] btrfs_update_time+0x8c/0xb0 [btrfs]
      [117.201754] touch_atime+0x16c/0x1e0
      [117.201789] filemap_read+0x674/0x728
      [117.201823] btrfs_file_read_iter+0xf8/0x410 [btrfs]
      [117.202653] vfs_read+0x2b6/0x498
      [117.203454] ksys_read+0xa2/0x150
      [117.203473] __s390x_sys_read+0x68/0x88
      [117.203495] do_syscall+0x1c6/0x210
      [117.203517] __do_syscall+0xc8/0xf0
      [117.203539] system_call+0x70/0x98
      [117.203579] write to 0x000000017f587190 of 8 bytes by task 11 on cpu 0:
      [117.203604] btrfs_block_rsv_release+0x2e8/0x578 [btrfs]
      [117.204432] btrfs_delayed_inode_release_metadata+0x7c/0x1d0 [btrfs]
      [117.205259] __btrfs_update_delayed_inode+0x37c/0x5e0 [btrfs]
      [117.206093] btrfs_async_run_delayed_root+0x356/0x498 [btrfs]
      [117.206917] btrfs_work_helper+0x160/0x7a0 [btrfs]
      [117.207738] process_one_work+0x3b6/0x838
      [117.207768] worker_thread+0x75e/0xb10
      [117.207797] kthread+0x21a/0x230
      [117.207830] __ret_from_fork+0x6c/0xb8
      [117.207861] ret_from_fork+0xa/0x30

    So add a helper to get the reserved amount of a block reserve while holding the lock. The value may no longer be up to date when it is used by need_preemptive_reclaim() and btrfs_preempt_reclaim_metadata_space(), but that is fine, since the worst it can do is cause more reclaim work to be done sooner rather than later. Reading the field while holding the lock, instead of using the data_race() annotation, is used in order to prevent load tearing.
Summary
  Values Removed: (en) In the Linux kernel, the following vulnerability has been resolved:

    btrfs: fix data races when accessing the reserved amount of block reserves

    At space_info.c we have several places where we access the ->reserved field of a block reserve without taking the block reserve's spinlock first, which makes KCSAN warn about a data race since that field is always updated while holding the spinlock. The reports from KCSAN are like the following:

      [117.193526] BUG: KCSAN: data-race in btrfs_block_rsv_release [btrfs] / need_preemptive_reclaim [btrfs]
      [117.195148] read to 0x000000017f587190 of 8 bytes by task 6303 on cpu 3:
      [117.195172] need_preemptive_reclaim+0x222/0x2f0 [btrfs]
      [117.195992] __reserve_bytes+0xbb0/0xdc8 [btrfs]
      [117.196807] btrfs_reserve_metadata_bytes+0x4c/0x120 [btrfs]
      [117.197620] btrfs_block_rsv_add+0x78/0xa8 [btrfs]
      [117.198434] btrfs_delayed_update_inode+0x154/0x368 [btrfs]
      [117.199300] btrfs_update_inode+0x108/0x1c8 [btrfs]
      [117.200122] btrfs_dirty_inode+0xb4/0x140 [btrfs]
      [117.200937] btrfs_update_time+0x8c/0xb0 [btrfs]
      [117.201754] touch_atime+0x16c/0x1e0
      [117.201789] filemap_read+0x674/0x728
      [117.201823] btrfs_file_read_iter+0xf8/0x410 [btrfs]
      [117.202653] vfs_read+0x2b6/0x498
      [117.203454] ksys_read+0xa2/0x150
      [117.203473] __s390x_sys_read+0x68/0x88
      [117.203495] do_syscall+0x1c6/0x210
      [117.203517] __do_syscall+0xc8/0xf0
      [117.203539] system_call+0x70/0x98
      [117.203579] write to 0x000000017f587190 of 8 bytes by task 11 on cpu 0:
      [117.203604] btrfs_block_rsv_release+0x2e8/0x578 [btrfs]
      [117.204432] btrfs_delayed_inode_release_metadata+0x7c/0x1d0 [btrfs]
      [117.205259] __btrfs_update_delayed_inode+0x37c/0x5e0 [btrfs]
      [117.206093] btrfs_async_run_delayed_root+0x356/0x498 [btrfs]
      [117.206917] btrfs_work_helper+0x160/0x7a0 [btrfs]
      [117.207738] process_one_work+0x3b6/0x838
      [117.207768] worker_thread+0x75e/0xb10
      [117.207797] kthread+0x21a/0x230
      [117.207830] __ret_from_fork+0x6c/0xb8
      [117.207861] ret_from_fork+0xa/0x30

    So add a helper to get the reserved amount of a block reserve while holding the lock. The value may not be up to date anymore when used by need_preemptive_reclaim() and btrfs_preempt_reclaim_metadata_space(), but that's ok since the worst it can do is cause more reclaim work to be done sooner rather than later. Reading the field while holding the lock instead of using the data_race() annotation is used in order to prevent load tearing.
  Values Added: (en) Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
References
  • https://git.kernel.org/stable/c/82220b1835baaebf4ae2e490f56353a341a09bd2 (source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67)
  • https://git.kernel.org/stable/c/995e91c9556c8fc6028b474145a36e947d1eb6b6 (source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67)
  • https://git.kernel.org/stable/c/c44542093525699a30c307dae1ea5a1b03b3302f (source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67)
  • https://git.kernel.org/stable/c/e06cc89475eddc1f3a7a4d471524256152c68166 (source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67)

Information

Published : 2024-04-17 11:15

Updated : 2024-07-29 13:15


NVD link : CVE-2024-26905

Mitre link : CVE-2024-26905

CVE.ORG link : CVE-2024-26905

Products Affected

No product.

CWE

No CWE.