Re: [Fix CVE-2024-50217 in v6.6.y] [PATCH] btrfs: fix use-after-free of block device file in __btrfs_free_extra_devids()

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 3 Feb 2025 11:24:57 -0500

[ Sasha's backport helper bot ]

Hi,

Found matching upstream commit: aec8e6bf839101784f3ef037dcdb9432c3f32343

WARNING: Author mismatch between patch and found commit:
Backport author: Shubham Pushpkar<spushpka@xxxxxxxxx>
Commit author: Zhihao Cheng<chengzhihao1@xxxxxxxxxx>

Status in newer kernel trees:
6.13.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Not found

Note: The patch differs from the upstream commit:
---
1:  aec8e6bf83910 ! 1:  afbc8c0c36536 btrfs: fix use-after-free of block device file in __btrfs_free_extra_devids()
    @@ Metadata
      ## Commit message ##
         btrfs: fix use-after-free of block device file in __btrfs_free_extra_devids()

    +    commit aec8e6bf839101784f3ef037dcdb9432c3f32343 ("btrfs:
    +    fix use-after-free of block device file in __btrfs_free_extra_devids()")
    +
         Mounting btrfs from two images (which have the same one fsid and two
         different dev_uuids) in certain executing order may trigger an UAF for
         variable 'device->bdev_file' in __btrfs_free_extra_devids(). And
    @@ Commit message
         Signed-off-by: Zhihao Cheng <chengzhihao1@xxxxxxxxxx>
         Reviewed-by: David Sterba <dsterba@xxxxxxxx>
         Signed-off-by: David Sterba <dsterba@xxxxxxxx>
    +    (cherry picked from commit aec8e6bf839101784f3ef037dcdb9432c3f32343)
    +    Signed-off-by: Shubham Pushpkar <spushpka@xxxxxxxxx>

      ## fs/btrfs/volumes.c ##
     @@ fs/btrfs/volumes.c: static void btrfs_close_one_device(struct btrfs_device *device)
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.6.y        |  Success    |  Failed    |

Build Errors:
Build error for stable/linux-6.6.y:
    lib/test_dhry.o: warning: objtool: dhry() falls through to next function dhry_run_set.cold()
    fs/btrfs/volumes.c: In function 'btrfs_close_one_device':
    fs/btrfs/volumes.c:1179:23: error: 'struct btrfs_device' has no member named 'bdev_file'
     1179 |                 device->bdev_file = NULL;
          |                       ^~
    make[4]: *** [scripts/Makefile.build:243: fs/btrfs/volumes.o] Error 1
    make[4]: Target 'fs/btrfs/' not remade because of errors.
    make[3]: *** [scripts/Makefile.build:480: fs/btrfs] Error 2
    make[3]: Target 'fs/' not remade because of errors.
    make[2]: *** [scripts/Makefile.build:480: fs] Error 2
    make[2]: Target './' not remade because of errors.
    make[1]: *** [/home/sasha/build/linus-next/Makefile:1921: .] Error 2
    make[1]: Target '__all' not remade because of errors.
    make: *** [Makefile:234: __sub-make] Error 2
    make: Target '__all' not remade because of errors.