Bug 2266752 (CVE-2021-46987)

Summary: CVE-2021-46987 kernel: btrfs: fix deadlock when cloning inline extents and using qgroups
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, allarkin, aquini, bhu, chwhite, cye, cyin, dbohanno, debarbos, dfreiber, drow, dvlasenk, esandeen, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, lzampier, mleitner, mmilgram, mstowell, nmurray, ptalbert, rparrazo, rrobaina, rvrbovsk, rysulliv, scweaver, sidakwo, sukulkar, tglozar, tyberry, vkumar, wcosta, williams, wmealing, ycote, ykopkova, zhijwang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: kernel 5.11.22, kernel 5.12.5, kernel 5.13
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the Linux kernel's btrfs module. In a few exceptional cases, cloning an inline extent requires copying the inline extent data into a page of the destination inode. When this happens, a transaction is started while there is a dirty page for the destination inode and while the range is locked in the destination inode's iotree. Reserving metadata space for a transaction may require flushing existing delalloc if there is not enough free space. A mechanism to prevent a deadlock in that case was introduced in commit 3d45f221ce627d ("btrfs: fix deadlock when cloning inline extent and low on free metadata space"). However, when qgroups are in use, a transaction also reserves metadata qgroup space, which can likewise trigger a delalloc flush when there is not enough available space. In that case a deadlock occurs, because flushing delalloc requires locking the file range in the inode's iotree, and that range was already locked at the very beginning of the clone operation, before the attempt to start the transaction.
Bug Depends On: 2266753    
Bug Blocks: 2266939    
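
A triage helper for the "Fixed In Version" field above, added here as an example and not part of the bug report: it classifies a kernel release string against the three fixed releases listed (5.11.22, 5.12.5, 5.13). The function name and the `fixed` / `not-listed` / `unparsed` labels are assumptions of this example; `not-listed` means only that the page names no fixed release at or below that version, since a distribution kernel can carry the fix as a backport under a different version number.

```shell
#!/bin/sh
# Added example (not from the bug report): classify a kernel release string
# against this bug's "Fixed In Version" field: 5.11.22, 5.12.5, 5.13.
# Prints one of: fixed | not-listed | unparsed

cve_2021_46987_status() {
    rel=$1
    pre=0
    case $rel in *-rc[0-9]*) pre=1 ;; esac  # release candidates precede the final
    ver=${rel%%[-+]*}                       # drop "-200.fc34.x86_64" style suffixes

    old_ifs=$IFS; IFS=.
    set -- $ver                             # split MAJOR.MINOR[.PATCH]
    IFS=$old_ifs
    major=$1; minor=$2; patch=${3:-0}

    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) echo unparsed; return 0 ;; esac
    done

    # Anything newer than the 5.13 series is past every listed fixed release.
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -gt 13 ]; }; then
        echo fixed; return 0
    fi
    [ "$major" -eq 5 ] || { echo not-listed; return 0; }

    # First fixed patch level on each series the page names.
    case $minor in
        11) first=22 ;;
        12) first=5 ;;
        13) first=0 ;;
        *)  echo not-listed; return 0 ;;    # page names no fixed release here
    esac

    # An -rc of the first fixed release itself predates that release.
    if [ "$patch" -gt "$first" ] || { [ "$patch" -eq "$first" ] && [ "$pre" -eq 0 ]; }; then
        echo fixed
    else
        echo not-listed
    fi
}

# Classify the running kernel.
cve_2021_46987_status "$(uname -r)"
```

The deadlock described in the Doc Text needs btrfs with qgroups in use, so a `not-listed` result matters only on hosts that meet that condition.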

Description Mauro Matteo Cascella 2024-02-28 21:45:08 UTC
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix deadlock when cloning inline extents and using qgroups

The Linux kernel CVE team has assigned CVE-2021-46987 to this issue.

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024022825-CVE-2021-46987-f73f@gregkh/T/#u

Comment 1 Mauro Matteo Cascella 2024-02-28 21:45:41 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2266753]

Comment 3 Justin M. Forbes 2024-03-01 22:41:41 UTC
This was fixed for Fedora with the 5.12.5 stable kernel updates.

Comment 4 Alex 2024-06-09 13:42:37 UTC
The result of automatic check (that is developed by Alexander Larkin) for this CVE-2021-46987 is: 	SKIPCHECK	Skip, because not a security issue or not included. Check manually anyway.	YES	NONE	READ DEADLOCK DISK INIT SKIP 	YES	YES	guess (where first YES/NO value means if related sources built).