vulnerability

SUSE: CVE-2024-40962: SUSE Linux Security Advisory

Try Surface Command
Back to search
Severity
5
CVSS
(AV:L/AC:L/Au:S/C:N/I:N/A:C)
Published
Sep 10, 2024
Added
Dec 5, 2025
Modified
Dec 5, 2025

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: zoned: allocate dummy checksums for zoned NODATASUM writes

Shin'ichiro reported that when he's running fstests' test-case
btrfs/167 on emulated zoned devices, he's seeing the following NULL
pointer dereference in 'btrfs_zone_finish_endio()':

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000011: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]
CPU: 4 PID: 2332440 Comm: kworker/u80:15 Tainted: G W 6.10.0-rc2-kts+ #4
Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020
Workqueue: btrfs-endio-write btrfs_work_helper [btrfs]
RIP: 0010:btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]

RSP: 0018:ffff88867f107a90 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff893e5534
RDX: 0000000000000011 RSI: 0000000000000004 RDI: 0000000000000088
RBP: 0000000000000002 R08: 0000000000000001 R09: ffffed1081696028
R10: ffff88840b4b0143 R11: ffff88834dfff600 R12: ffff88840b4b0000
R13: 0000000000020000 R14: 0000000000000000 R15: ffff888530ad5210
FS: 0000000000000000(0000) GS:ffff888e3f800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f87223fff38 CR3: 00000007a7c6a002 CR4: 00000000007706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
? __die_body.cold+0x19/0x27
? die_addr+0x46/0x70
? exc_general_protection+0x14f/0x250
? asm_exc_general_protection+0x26/0x30
? do_raw_read_unlock+0x44/0x70
? btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]
btrfs_finish_one_ordered+0x5d9/0x19a0 [btrfs]
? __pfx_lock_release+0x10/0x10
? do_raw_write_lock+0x90/0x260
? __pfx_do_raw_write_lock+0x10/0x10
? __pfx_btrfs_finish_one_ordered+0x10/0x10 [btrfs]
? _raw_write_unlock+0x23/0x40
? btrfs_finish_ordered_zoned+0x5a9/0x850 [btrfs]
? lock_acquire+0x435/0x500
btrfs_work_helper+0x1b1/0xa70 [btrfs]
? __schedule+0x10a8/0x60b0
? __pfx___might_resched+0x10/0x10
process_one_work+0x862/0x1410
? __pfx_lock_acquire+0x10/0x10
? __pfx_process_one_work+0x10/0x10
? assign_work+0x16c/0x240
worker_thread+0x5e6/0x1010
? __pfx_worker_thread+0x10/0x10
kthread+0x2c3/0x3a0
? trace_irq_enable.constprop.0+0xce/0x110
? __pfx_kthread+0x10/0x10
ret_from_fork+0x31/0x70
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>

Enabling CONFIG_BTRFS_ASSERT revealed the following assertion to
trigger:

assertion failed: !list_empty(&ordered->list), in fs/btrfs/zoned.c:1815

This indicates, that we're missing the checksums list on the
ordered_extent. As btrfs/167 is doing a NOCOW write this is to be
expected.

Further analysis with drgn confirmed the assumption:

>>> inode = prog.crashed_thread().stack_trace()[11]['ordered'].inode
>>> btrfs_inode = drgn.container_of(inode, "struct btrfs_inode", \
"vfs_inode")
>>> print(btrfs_inode.flags)
(u32)1

As zoned emulation mode simulates conventional zones on regular devices,
we cannot use zone-append for writing. But we're only attaching dummy
checksums if we're doing a zone-append write.

So for NOCOW zoned data writes on conventional zones, also attach a
dummy checksum.

Solutions

suse-upgrade-cluster-md-kmp-64kbsuse-upgrade-cluster-md-kmp-azuresuse-upgrade-cluster-md-kmp-defaultsuse-upgrade-cluster-md-kmp-rtsuse-upgrade-dlm-kmp-64kbsuse-upgrade-dlm-kmp-azuresuse-upgrade-dlm-kmp-defaultsuse-upgrade-dlm-kmp-rtsuse-upgrade-dtb-allwinnersuse-upgrade-dtb-alterasuse-upgrade-dtb-amazonsuse-upgrade-dtb-amdsuse-upgrade-dtb-amlogicsuse-upgrade-dtb-apmsuse-upgrade-dtb-applesuse-upgrade-dtb-armsuse-upgrade-dtb-broadcomsuse-upgrade-dtb-caviumsuse-upgrade-dtb-exynossuse-upgrade-dtb-freescalesuse-upgrade-dtb-hisiliconsuse-upgrade-dtb-lgsuse-upgrade-dtb-marvellsuse-upgrade-dtb-mediateksuse-upgrade-dtb-nvidiasuse-upgrade-dtb-qcomsuse-upgrade-dtb-renesassuse-upgrade-dtb-rockchipsuse-upgrade-dtb-socionextsuse-upgrade-dtb-sprdsuse-upgrade-dtb-xilinxsuse-upgrade-gfs2-kmp-64kbsuse-upgrade-gfs2-kmp-azuresuse-upgrade-gfs2-kmp-defaultsuse-upgrade-gfs2-kmp-rtsuse-upgrade-kernel-64kbsuse-upgrade-kernel-64kb-develsuse-upgrade-kernel-64kb-extrasuse-upgrade-kernel-64kb-livepatch-develsuse-upgrade-kernel-64kb-optionalsuse-upgrade-kernel-azuresuse-upgrade-kernel-azure-develsuse-upgrade-kernel-azure-extrasuse-upgrade-kernel-azure-livepatch-develsuse-upgrade-kernel-azure-optionalsuse-upgrade-kernel-azure-vdsosuse-upgrade-kernel-debugsuse-upgrade-kernel-debug-develsuse-upgrade-kernel-debug-livepatch-develsuse-upgrade-kernel-debug-vdsosuse-upgrade-kernel-defaultsuse-upgrade-kernel-default-basesuse-upgrade-kernel-default-base-rebuildsuse-upgrade-kernel-default-develsuse-upgrade-kernel-default-extrasuse-upgrade-kernel-default-livepatchsuse-upgrade-kernel-default-livepatch-develsuse-upgrade-kernel-default-optionalsuse-upgrade-kernel-default-vdsosuse-upgrade-kernel-develsuse-upgrade-kernel-devel-azuresuse-upgrade-kernel-devel-rtsuse-upgrade-kernel-docssuse-upgrade-kernel-docs-htmlsuse-upgrade-kernel-kvmsmallsuse-upgrade-kernel-kvmsmall-develsuse-upgrade-kernel-kvmsmall-livepatch-develsuse-upgrade-kernel-kvmsmall-vdsosuse-upgrade-kernel-macrossuse-upgrade-kernel-obs-buildsuse-upgrade-kernel-obs-qasuse-upgrade-kernel-rtsuse-upgrade-kernel-rt-develsuse-upgrade-kernel-rt-extrasuse-upgrade-kernel-rt-livepatch-develsuse-upgrade-kernel-rt-optionalsuse-upgrade-kernel-rt-vdsosuse-upgrade-kernel-rt_debugsuse-upgrade-kernel-rt_debug-develsuse-upgrade-kernel-rt_debug-livepatch-develsuse-upgrade-kernel-rt_debug-vdsosuse-upgrade-kernel-sourcesuse-upgrade-kernel-source-azuresuse-upgrade-kernel-source-rtsuse-upgrade-kernel-source-vanillasuse-upgrade-kernel-symssuse-upgrade-kernel-syms-azuresuse-upgrade-kernel-syms-rtsuse-upgrade-kernel-zfcpdumpsuse-upgrade-kselftests-kmp-64kbsuse-upgrade-kselftests-kmp-azuresuse-upgrade-kselftests-kmp-defaultsuse-upgrade-kselftests-kmp-rtsuse-upgrade-ocfs2-kmp-64kbsuse-upgrade-ocfs2-kmp-azuresuse-upgrade-ocfs2-kmp-defaultsuse-upgrade-ocfs2-kmp-rtsuse-upgrade-reiserfs-kmp-64kbsuse-upgrade-reiserfs-kmp-azuresuse-upgrade-reiserfs-kmp-defaultsuse-upgrade-reiserfs-kmp-rt

References

Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today