Message-ID: <2025010813-CVE-2024-56780-6b91@gregkh>
Date: Wed, 8 Jan 2025 18:49:18 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-56780: quota: flush quota_release_work upon quota writeback

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

quota: flush quota_release_work upon quota writeback

One of the paths quota writeback is called from is:

freeze_super()
  sync_filesystem()
    ext4_sync_fs()
      dquot_writeback_dquots()

Since we currently don't always flush the quota_release_work queue in
this path, we can end up with the following race:

 1. dquot are added to releasing_dquots list during regular operations.
 2. FS Freeze starts, however, this does not flush the quota_release_work queue.
 3. Freeze completes.
 4. Kernel eventually tries to flush the workqueue while FS is frozen which
    hits a WARN_ON since transaction gets started during frozen state:

  ext4_journal_check_start+0x28/0x110 [ext4] (unreliable)
  __ext4_journal_start_sb+0x64/0x1c0 [ext4]
  ext4_release_dquot+0x90/0x1d0 [ext4]
  quota_release_workfn+0x43c/0x4d0

Which is the following line:

  WARN_ON(sb->s_writers.frozen == SB_FREEZE_COMPLETE);

Which ultimately results in generic/390 failing due to dmesg
noise. This was detected on powerpc machine 15 cores.

To avoid this, make sure to flush the workqueue during
dquot_writeback_dquots() so we don't have any pending workitems after
freeze.

The Linux kernel CVE team has assigned CVE-2024-56780 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.4.257 with commit d40c192e119892799dd4ddf94f5cea6fa93775ef and fixed in 5.4.287 with commit a5abba5e0e586e258ded3e798fe5f69c66fec198
	Issue introduced in 5.10.195 with commit 86d89987f0998c98f57d641e308b40452a994045 and fixed in 5.10.231 with commit 6f3821acd7c3143145999248087de5fb4b48cf26
	Issue introduced in 5.15.132 with commit 89602de9a2d7080b7a4029d5c1bf8f78d295ff5f and fixed in 5.15.174 with commit ab6cfcf8ed2c7496f55d020b65b1d8cd55d9a2cb
	Issue introduced in 6.1.53 with commit 3027e200dd58d5b437f16634dbbd355b29ffe0a6 and fixed in 6.1.120 with commit 3e6ff207cd5bd924ad94cd1a7c633bcdac0ba1cb
	Issue introduced in 6.6 with commit dabc8b20756601b9e1cc85a81d47d3f98ed4d13a and fixed in 6.6.64 with commit bcacb52a985f1b6d280f698a470b873dfe52728a
	Issue introduced in 6.6 with commit dabc8b20756601b9e1cc85a81d47d3f98ed4d13a and fixed in 6.12.4 with commit 8ea87e34792258825d290f4dc5216276e91cb224
	Issue introduced in 6.6 with commit dabc8b20756601b9e1cc85a81d47d3f98ed4d13a and fixed in 6.13-rc2 with commit ac6f420291b3fee1113f21d612fa88b628afab5b
	Issue introduced in 4.19.295 with commit f3e9a2bbdeb8987508dd6bb2b701dea911d4daec
	Issue introduced in 6.4.16 with commit 903fc5d8cb48b0d2de7095ef40e39fd32bb27bd0
	Issue introduced in 6.5.3 with commit 31bed65eecbc5ce57592cfe31947eaa64e3d678e

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56780
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	fs/quota/dquot.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/a5abba5e0e586e258ded3e798fe5f69c66fec198
	https://git.kernel.org/stable/c/6f3821acd7c3143145999248087de5fb4b48cf26
	https://git.kernel.org/stable/c/ab6cfcf8ed2c7496f55d020b65b1d8cd55d9a2cb
	https://git.kernel.org/stable/c/3e6ff207cd5bd924ad94cd1a7c633bcdac0ba1cb
	https://git.kernel.org/stable/c/bcacb52a985f1b6d280f698a470b873dfe52728a
	https://git.kernel.org/stable/c/8ea87e34792258825d290f4dc5216276e91cb224
	https://git.kernel.org/stable/c/ac6f420291b3fee1113f21d612fa88b628afab5b
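
Added example (not part of the advisory, nor code from the kernel project): a Python check that reads the "Affected and fixed versions" lines above and decides whether an upstream kernel version falls in an affected range. It assumes a stable-branch introduction applies only to its own branch and that a branch with no listed fix stays affected until the newest fixed version; parse() and is_affected() are names chosen here.

```python
import re

# Lines copied from the "Affected and fixed versions" section of the advisory.
ADVISORY = """\
Issue introduced in 5.4.257 with commit d40c192e119892799dd4ddf94f5cea6fa93775ef and fixed in 5.4.287 with commit a5abba5e0e586e258ded3e798fe5f69c66fec198
Issue introduced in 5.10.195 with commit 86d89987f0998c98f57d641e308b40452a994045 and fixed in 5.10.231 with commit 6f3821acd7c3143145999248087de5fb4b48cf26
Issue introduced in 5.15.132 with commit 89602de9a2d7080b7a4029d5c1bf8f78d295ff5f and fixed in 5.15.174 with commit ab6cfcf8ed2c7496f55d020b65b1d8cd55d9a2cb
Issue introduced in 6.1.53 with commit 3027e200dd58d5b437f16634dbbd355b29ffe0a6 and fixed in 6.1.120 with commit 3e6ff207cd5bd924ad94cd1a7c633bcdac0ba1cb
Issue introduced in 6.6 with commit dabc8b20756601b9e1cc85a81d47d3f98ed4d13a and fixed in 6.6.64 with commit bcacb52a985f1b6d280f698a470b873dfe52728a
Issue introduced in 6.6 with commit dabc8b20756601b9e1cc85a81d47d3f98ed4d13a and fixed in 6.12.4 with commit 8ea87e34792258825d290f4dc5216276e91cb224
Issue introduced in 6.6 with commit dabc8b20756601b9e1cc85a81d47d3f98ed4d13a and fixed in 6.13-rc2 with commit ac6f420291b3fee1113f21d612fa88b628afab5b
Issue introduced in 4.19.295 with commit f3e9a2bbdeb8987508dd6bb2b701dea911d4daec
Issue introduced in 6.4.16 with commit 903fc5d8cb48b0d2de7095ef40e39fd32bb27bd0
Issue introduced in 6.5.3 with commit 31bed65eecbc5ce57592cfe31947eaa64e3d678e
"""

# Captures the introduced version and, when the line has one, the fixed version.
LINE_RE = re.compile(r"introduced in (\S+) with commit \w+(?: and fixed in (\S+))?")


def parse(version):
    """'6.13-rc2' -> (6, 13, 0, 2); a release sorts after its own -rc builds."""
    major, minor, patch, rc = re.match(
        r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", version).groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else 10**6)


def is_affected(version, advisory=ADVISORY):
    """True if an upstream kernel version lies in a range the advisory lists."""
    v = parse(version)
    pairs = [(parse(i), parse(f) if f else None)
             for i, f in LINE_RE.findall(advisory)]
    # Assumption: a stable-branch introduction (x.y.z, z > 0) concerns only
    # branch x.y; a mainline introduction (x.y) concerns every later kernel.
    introduced = any(
        i <= v and (i[2] == 0 or i[:2] == v[:2]) for i, _ in pairs)
    if not introduced:
        return False
    fixes = {f[:2]: f for _, f in pairs if f}
    # Assumption: a branch with no listed fix is clean only once it is at or
    # past the newest fixed version in the advisory (the mainline fix).
    return v < fixes.get(v[:2], max(fixes.values()))
```

The result only means something for kernel.org version numbers; distribution kernels carry their own backports, so check the distributor's advisory for those.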