CVE-2023-52896: btrfs: fix race between quota rescan and disable leading to NULL pointer deref

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix race between quota rescan and disable leading to NULL pointer deref

If we have one task trying to start the quota rescan worker while another
one is trying to disable quotas, we can end up hitting a race that results
in the quota rescan worker doing a NULL pointer dereference. The steps for
this are the following:

1) Quotas are enabled;

2) Task A calls the quota rescan ioctl and enters btrfs_qgroup_rescan().
It calls qgroup_rescan_init() which returns 0 (success) and then joins a
transaction and commits it;

3) Task B calls the quota disable ioctl and enters btrfs_quota_disable().
It clears the bit BTRFS_FS_QUOTA_ENABLED from fs_info->flags and calls
btrfs_qgroup_wait_for_completion(), which returns immediately since the
rescan worker is not yet running.
Then it starts a transaction and locks fs_info->qgroup_ioctl_lock;

4) Task A queues the rescan worker, by calling btrfs_queue_work();

5) The rescan worker starts, and calls rescan_should_stop() at the start
of its while loop, which results in 0 iterations of the loop, since
the flag BTRFS_FS_QUOTA_ENABLED was cleared from fs_info->flags by
task B at step 3);

6) Task B sets fs_info->quota_root to NULL;

7) The rescan worker tries to start a transaction and uses
fs_info->quota_root as the root argument for btrfs_start_transaction().
This results in a NULL pointer dereference down the call chain of
btrfs_s...

Classification

CVE ID: CVE-2023-52896

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 5.08% (scored less or equal to compared to others)

EPSS Date: 2025-02-04 (when was this score calculated)

References

https://git.kernel.org/stable/c/89ac597e3e807b91e2ebd6a7c36fec7b97290233
https://git.kernel.org/stable/c/3bd43374857103ba3cac751d6d4afa8d83b5d92a
https://git.kernel.org/stable/c/64287cd456a22373053998c1fccf14b651e9cbbd
https://git.kernel.org/stable/c/1004fc90f0d79a4b7d9e3d432729914f472f9ad1
https://git.kernel.org/stable/c/b7adbf9ada3513d2092362c8eac5cddc5b651f5c

Timeline