Johannes Thumshirn

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: A vulnerability in the Linux kernel has been resolved, related to the btrfs file system. The issue occurs when updating the action of an existing reference to BTRFS DROP DELAYED REF, which deletes the reference from its list using `list del()`. This leaves the reference's `add list` member not reinitialized, causing a crash when `drop delayed ref()` is called later. The crash happens because `list empty()` returns false due to the list not being reinitialized after `list del()`, leading to an invalid list access. This results in a splat if `CONFIG LIST HARDENED` and `CONFIG DEBUG LIST` are set, or invalid poison pointer dereferences otherwise. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.74 Description: A vulnerability has been resolved in the Linux kernel, specifically in the btrfs module. The issue is related to a possible recursive locking detected when running fstests btrfs/011 with MKFS OPTIONS="-O rst". This could lead to a deadlock scenario. The vulnerability is caused by the btrfs module trying to acquire a lock that is already held by the task. Technical details about exploitation include the `btrfs map block()` function and the `dev replace.rwsem` lock. Recommendations: To resolve the issue, update the Linux kernel to version 6.6.74 or later. As a temporary workaround, consider disabling the `btrfs dev replace by ioctl()` function until a patch is available. Restrict access to the `btrfs map block()` function to minimize the risk of exploitation. Avoid using the `dev replace.rwsem` lock in the affected API endpoints until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.10.0-rc7+ Description: The issue arises when the Linux kernel's btrfs filesystem is backed by a RAID stripe tree and readahead is performed on the relocation inode. This can lead to an ENOENT error due to preallocated extents not being mapped in the RST, causing the readahead to submit invalid reads to the device. As a result, an assertion occurs in the scatter-gather list code, leading to a kernel bug. The ` blk rq map sg` function is involved in this process, and the error can cause the system to crash. Recommendations: To resolve this issue, update the Linux kernel to a version newer than 6.10.0-rc7+. As a temporary workaround, consider disabling the readahead on relocation inode for btrfs filesystems to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a memory leak in the btrfs component of the Linux kernel. When `btrfs qgroup reserve data()` or `btrfs delalloc reserve metadata()` fail, the allocated `extent changeset` is not freed, leading to a memory leak. This issue only occurs in the direct IO write path, specifically after a certain commit (`65b3c08606e5`) that fixed an ENOSPC failure when attempting direct IO write into a NOCOW range, and also at `defrag one locked target()`. The memory leak can cause problems, but the exact impact is not specified. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free vulnerability in the btrfs load zone info() function, which can be triggered by a race condition with a device replace operation. This happens because the function extracts a device from the chunk map into a local variable and then uses the device while not under the protection of the device replace rwsem. If a device replace operation occurs while the device is being extracted and the device is the source of the replace operation, a use-after-free can be triggered if the replace operation finishes and frees the device before the function finishes using it. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.8.14 **Description** The issue allows local users to read or write to arbitrary kernel memory locations or cause a denial of service by leveraging access to a /dev/sg device. This is due to the blk rq map user iov function in block/blk-map.c not properly restricting the type of iterator, leading to potential use-after-free conditions. **Recommendations** For Linux kernel versions prior to 4.8.14, update to version 4.8.14 or later to resolve the issue. As a temporary workaround, consider restricting access to /dev/sg devices to minimize the risk of exploitation.