Title: kernel de Linux
Description: En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: btrfs: corrige carreras de datos al acceder a la cantidad reservada de reservas de bloque En space_info.c tenemos varios lugares donde accedemos al campo ->reserved de una reserva de bloque sin tomar la reserva de bloque spinlock primero, lo que hace que KCSAN advierta sobre una carrera de datos ya que ese campo siempre se actualiza mientras se mantiene el spinlock. Los informes de KCSAN son como los siguientes: [117.193526] ERROR: KCSAN: data-race en btrfs_block_rsv_release [btrfs] / need_preemptive_reclaim [btrfs] [117.195148] leído en 0x000000017f587190 de 8 bytes por la tarea 6303 en la CPU 3 [117.19: 5172] necesidad_preemptive_reclaim+ 0x222/0x2f0 [btrfs] [117.195992] __reserve_bytes+0xbb0/0xdc8 [btrfs] [117.196807] btrfs_reserve_metadata_bytes+0x4c/0x120 [btrfs] [117.197620] 78/0xa8 [btrfs] [117.198434] btrfs_delayed_update_inode+0x154/0x368 [btrfs] [117.199300] btrfs_update_inode+0x108/0x1c8 [btrfs] [117.200122] btrfs_dirty_inode+0xb4/0x140 [btrfs] [117.200937] btrfs_update_time+0x8c/0xb0 [btrfs] 754] touch_atime+0x16c/0x1e0 [117.201789] filemap_read+0x674/0x728 [ 117.201823] btrfs_file_read_iter+0xf8/0x410 [btrfs] [117.202653] vfs_read+0x2b6/0x498 [117.203454] ksys_read+0xa2/0x150 [117.203473] x68/0x88 [117.203495] do_syscall+0x1c6/0x210 [117.203517] __do_syscall+0xc8/0xf0 [117.203539] system_call+0x70/0x98 [117.203579] escribe en 0x000000017f587190 de 8 bytes por tarea 11 en la CPU 0: [117.203604] btrfs_block_rsv_release+0x2e8/0x578 [btrfs] 32] btrfs_delayed_inode_release_metadata+0x7c/0x1d0 [btrfs] [117.205259] __btrfs_update_delayed_inode +0x37c/0x5e0 [btrfs] [117.206093] btrfs_async_run_delayed_root+0x356/0x498 [btrfs] [117.206917] btrfs_work_helper+0x160/0x7a0 [btrfs] [117.207738] 6/0x838 [117.207768] hilo_trabajador+0x75e/0xb10 [117.207797] khilo+ 0x21a/0x230 [117.207830] __ret_from_fork+0x6c/0xb8 [117.207861] ret_from_fork+0xa/0x30 Entonces agregue un ayudante para obtener la cantidad reservada de una reserva de bloque mientras mantiene el bloqueo. Es posible que el valor ya no esté actualizado cuando lo usan need_preemptive_reclaim() y btrfs_preempt_reclaim_metadata_space(), pero está bien ya que lo peor que puede hacer es provocar que se realice más trabajo de recuperación más temprano que tarde. Se utiliza la lectura del campo mientras se mantiene presionado el candado en lugar de usar la anotación data_race() para evitar el desgarro de la carga.

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix data races when accessing the reserved amount of block reserves

At space_info.c we have several places where we access the ->reserved
field of a block reserve without taking the block reserve's spinlock
first, which makes KCSAN warn about a data race since that field is
always updated while holding the spinlock.

The reports from KCSAN are like the following:

  [117.193526] BUG: KCSAN: data-race in btrfs_block_rsv_release [btrfs] / need_preemptive_reclaim [btrfs]

  [117.195148] read to 0x000000017f587190 of 8 bytes by task 6303 on cpu 3:
  [117.195172]  need_preemptive_reclaim+0x222/0x2f0 [btrfs]
  [117.195992]  __reserve_bytes+0xbb0/0xdc8 [btrfs]
  [117.196807]  btrfs_reserve_metadata_bytes+0x4c/0x120 [btrfs]
  [117.197620]  btrfs_block_rsv_add+0x78/0xa8 [btrfs]
  [117.198434]  btrfs_delayed_update_inode+0x154/0x368 [btrfs]
  [117.199300]  btrfs_update_inode+0x108/0x1c8 [btrfs]
  [117.200122]  btrfs_dirty_inode+0xb4/0x140 [btrfs]
  [117.200937]  btrfs_update_time+0x8c/0xb0 [btrfs]
  [117.201754]  touch_atime+0x16c/0x1e0
  [117.201789]  filemap_read+0x674/0x728
  [117.201823]  btrfs_file_read_iter+0xf8/0x410 [btrfs]
  [117.202653]  vfs_read+0x2b6/0x498
  [117.203454]  ksys_read+0xa2/0x150
  [117.203473]  __s390x_sys_read+0x68/0x88
  [117.203495]  do_syscall+0x1c6/0x210
  [117.203517]  __do_syscall+0xc8/0xf0
  [117.203539]  system_call+0x70/0x98

  [117.203579] write to 0x000000017f587190 of 8 bytes by task 11 on cpu 0:
  [117.203604]  btrfs_block_rsv_release+0x2e8/0x578 [btrfs]
  [117.204432]  btrfs_delayed_inode_release_metadata+0x7c/0x1d0 [btrfs]
  [117.205259]  __btrfs_update_delayed_inode+0x37c/0x5e0 [btrfs]
  [117.206093]  btrfs_async_run_delayed_root+0x356/0x498 [btrfs]
  [117.206917]  btrfs_work_helper+0x160/0x7a0 [btrfs]
  [117.207738]  process_one_work+0x3b6/0x838
  [117.207768]  worker_thread+0x75e/0xb10
  [117.207797]  kthread+0x21a/0x230
  [117.207830]  __ret_from_fork+0x6c/0xb8
  [117.207861]  ret_from_fork+0xa/0x30

So add a helper to get the reserved amount of a block reserve while
holding the lock. The value may be not be up to date anymore when used by
need_preemptive_reclaim() and btrfs_preempt_reclaim_metadata_space(), but
that's ok since the worst it can do is cause more reclaim work do be done
sooner rather than later. Reading the field while holding the lock instead
of using the data_race() annotation is used in order to prevent load
tearing.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

kernel.org https://git.kernel.org/stable/c/82220b1835baaebf4ae2e490f56353a341a09bd2

kernel.org https://git.kernel.org/stable/c/995e91c9556c8fc6028b474145a36e947d1eb6b6

kernel.org https://git.kernel.org/stable/c/c44542093525699a30c307dae1ea5a1b03b3302f

kernel.org https://git.kernel.org/stable/c/e06cc89475eddc1f3a7a4d471524256152c68166