CVE-2023-53339
Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix BUG_ON condition in btrfs_cancel_balance Pausing and canceling balance can race to interrupt balance lead to BUG_ON panic in btrfs_cancel_balance. The BUG_ON condition in btrfs_cancel_balance does not take this race scenario into account. However, the race condition has no other side effects. We can fix that. Reproducing it with panic trace like this: kernel BUG at fs/btrfs/volumes.c:4618! RIP: 0010:btrfs_cancel_balance+0x5cf/0x6a0 Call Trace: <TASK> ? do_nanosleep+0x60/0x120 ? hrtimer_nanosleep+0xb7/0x1a0 ? sched_core_clone_cookie+0x70/0x70 btrfs_ioctl_balance_ctl+0x55/0x70 btrfs_ioctl+0xa46/0xd20 __x64_sys_ioctl+0x7d/0xa0 do_syscall_64+0x38/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Race scenario as follows: > mutex_unlock(&fs_info->balance_mutex); > -------------------- > .......issue pause and cancel req in another thread > -------------------- > ret = __btrfs_balance(fs_info); > > mutex_lock(&fs_info->balance_mutex); > if (ret == -ECANCELED && atomic_read(&fs_info->balance_pause_req)) { > btrfs_info(fs_info, "balance: paused"); > btrfs_exclop_balance(fs_info, BTRFS_EXCLOP_BALANCE_PAUSED); > }
CVSS Details
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Threat Intelligence
Weaknesses 1
Affected Products 12
| Vendor | Product | Version | Range |
|---|---|---|---|
| linux | linux_kernel | * | <4.19.293 |
| linux | linux_kernel | * | ≥4.20 – <5.4.255 |
| linux | linux_kernel | * | ≥5.5 – <5.10.192 |
| linux | linux_kernel | * | ≥5.11 – <5.15.128 |
| linux | linux_kernel | * | ≥5.16 – <6.1.47 |
| linux | linux_kernel | * | ≥6.2 – <6.4.12 |
| linux | linux_kernel | 6.5 | any |
| linux | linux_kernel | 6.5 | any |
| linux | linux_kernel | 6.5 | any |
| linux | linux_kernel | 6.5 | any |
| linux | linux_kernel | 6.5 | any |
| linux | linux_kernel | 6.5 | any |
References 3
- git.kernel.org https://git.kernel.org/stable/c/29eefa6d0d07e185f7bfe9576f91e6dba98189c2
- git.kernel.org https://git.kernel.org/stable/c/ae81329f7de3aa6f34ecdfa5412e72161a30e9ce
- git.kernel.org https://git.kernel.org/stable/c/ceb9ba8e30833a4823e2dc73f80ebcdf2498d01a
Remediation
- git.kernel.org https://git.kernel.org/stable/c/29eefa6d0d07e185f7bfe9576f91e6dba98189c2
- git.kernel.org https://git.kernel.org/stable/c/ae81329f7de3aa6f34ecdfa5412e72161a30e9ce
- git.kernel.org https://git.kernel.org/stable/c/ceb9ba8e30833a4823e2dc73f80ebcdf2498d01a