概要

In the Linux kernel, the following vulnerability has been resolved: btrfs: free exchange changeset on failures Fstests runs on my VMs have show several kmemleak reports like the following. unreferenced object 0xffff88811ae59080 (size 64): comm "xfs_io", pid 12124, jiffies 4294987392 (age 6.368s) hex dump (first 32 bytes): 00 c0 1c 00 00 00 00 00 ff cf 1c 00 00 00 00 00 ................ 90 97 e5 1a 81 88 ff ff 90 97 e5 1a 81 88 ff ff ................ backtrace: [<00000000ac0176d2&gt;] ulist_add_merge+0x60/0x150 [btrfs] [<0000000076e9f312&gt;] set_state_bits+0x86/0xc0 [btrfs] [<0000000014fe73d6&gt;] set_extent_bit+0x270/0x690 [btrfs] [<000000004f675208&gt;] set_record_extent_bits+0x19/0x20 [btrfs] [<00000000b96137b1&gt;] qgroup_reserve_data+0x274/0x310 [btrfs] [<0000000057e9dcbb&gt;] btrfs_check_data_free_space+0x5c/0xa0 [btrfs] [<0000000019c4511d&gt;] btrfs_delalloc_reserve_space+0x1b/0xa0 [btrfs] [<000000006d37e007&gt;] btrfs_dio_iomap_begin+0x415/0x970 [btrfs] [<00000000fb8a74b8&gt;] iomap_iter+0x161/0x1e0 [<0000000071dff6ff&gt;] __iomap_dio_rw+0x1df/0x700 [<000000002567ba53&gt;] iomap_dio_rw+0x5/0x20 [<0000000072e555f8&gt;] btrfs_file_write_iter+0x290/0x530 [btrfs] [<000000005eb3d845&gt;] new_sync_write+0x106/0x180 [<000000003fb505bf&gt;] vfs_write+0x24d/0x2f0 [<000000009bb57d37&gt;] __x64_sys_pwrite64+0x69/0xa0 [<000000003eba3fdf&gt;] do_syscall_64+0x43/0x90 In case brtfs_qgroup_reserve_data() or btrfs_delalloc_reserve_metadata() fail the allocated extent_changeset will not be freed. So in btrfs_check_data_free_space() and btrfs_delalloc_reserve_space() free the allocated extent_changeset to get rid of the allocated memory. The issue currently only happens in the direct IO write path, but only after 65b3c08606e5 ("btrfs: fix ENOSPC failure when attempting direct IO write into NOCOW range"), and also at defrag_one_locked_target(). Every other place is always calling extent_changeset_free() even if its call to btrfs_delalloc_reserve_space() or btrfs_check_data_free_space() has failed.

CVSS v3 指标

安全公告

影响产品