| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAKHoSAviexD6O+QuaNya4xsqaW6URLFWee7vgTGOiJO8x1mkJw@mail.gmail.com>
Date: Fri, 3 Jan 2025 15:37:31 +0800
From: cheung wall <zzqq0103.hey@...il.com>
To: "Theodore Ts'o" <tytso@....edu>, Andreas Dilger <adilger.kernel@...ger.ca>
Cc: linux-ext4@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: "possible deadlock in corrupted" in Linux kernel version 5.15.169
Hello,
I am writing to report a potential vulnerability identified in the
Linux Kernel version 5.15.169. This issue was discovered using our
custom vulnerability discovery tool.
Affected File: fs/ext4/inode.c
File: fs/ext4/inode.c
Function: ext4_map_blocks
Detailed Call Stack:
------------[ cut here begin]------------
WARNING: possible circular locking dependency detected
------------------------------------------------------
the task is trying to acquire lock:
ffff888018a76428 (&dquot->dq_lock){+.+.}-{3:3}, at:
dquot_commit+0x4d/0x4c0 fs/quota/dquot.c:507
but other task is already holding lock:
ffff88800833a9b8 (&ei->i_data_sem/2){++++}-{3:3}, at:
ext4_map_blocks+0x686/0x1870 fs/ext4/inode.c:665
which lock already depends on the new lock.
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106
check_noncircular+0x263/0x2e0 kernel/locking/lockdep.c:2133
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain kernel/locking/lockdep.c:3788 [inline]
__lock_acquire+0x2b72/0x6070 kernel/locking/lockdep.c:5012
lock_acquire kernel/locking/lockdep.c:5623 [inline]
lock_acquire+0x194/0x470 kernel/locking/lockdep.c:5588
__mutex_lock_common kernel/locking/mutex.c:596 [inline]
__mutex_lock+0x135/0x12c0 kernel/locking/mutex.c:729
dquot_commit+0x4d/0x4c0 fs/quota/dquot.c:507
ext4_write_dquot+0x254/0x3f0 fs/ext4/super.c:6173
ext4_mark_dquot_dirty fs/ext4/super.c:6233 [inline]
ext4_mark_dquot_dirty+0x111/0x1b0 fs/ext4/super.c:6227
mark_dquot_dirty fs/quota/dquot.c:372 [inline]
mark_all_dquot_dirty fs/quota/dquot.c:412 [inline]
__dquot_free_space+0x829/0xbd0 fs/quota/dquot.c:1940
dquot_free_space_nodirty include/linux/quotaops.h:376 [inline]
dquot_free_space include/linux/quotaops.h:381 [inline]
dquot_free_block include/linux/quotaops.h:392 [inline]
ext4_mb_clear_bb fs/ext4/mballoc.c:6156 [inline]
ext4_free_blocks+0x1cc1/0x2200 fs/ext4/mballoc.c:6286
ext4_remove_blocks fs/ext4/extents.c:2523 [inline]
ext4_ext_rm_leaf fs/ext4/extents.c:2689 [inline]
ext4_ext_remove_space+0x1e96/0x3ce0 fs/ext4/extents.c:2937
ext4_ext_truncate+0x1ea/0x250 fs/ext4/extents.c:4471
ext4_truncate+0xc37/0x1160 fs/ext4/inode.c:4249
ext4_evict_inode+0xac2/0x1a50 fs/ext4/inode.c:289
evict+0x32c/0x820 fs/inode.c:622
iput_final fs/inode.c:1744 [inline]
iput.part.0+0x4b6/0x6d0 fs/inode.c:1770
iput+0x58/0x70 fs/inode.c:1760
ext4_orphan_cleanup+0x565/0xf80 fs/ext4/orphan.c:474
ext4_fill_super+0x8bb5/0xc920 fs/ext4/super.c:4975
mount_bdev+0x336/0x400 fs/super.c:1400
legacy_get_tree+0x106/0x220 fs/fs_context.c:611
vfs_get_tree+0x8e/0x300 fs/super.c:1530
do_new_mount fs/namespace.c:3012 [inline]
path_mount+0x138a/0x1ff0 fs/namespace.c:3342
do_mount fs/namespace.c:3355 [inline]
__do_sys_mount fs/namespace.c:3563 [inline]
__se_sys_mount fs/namespace.c:3540 [inline]
__x64_sys_mount+0x282/0x300 fs/namespace.c:3540
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x33/0x80 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x6c/0xd6
RIP: 0033:0x7fe399de916a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f
1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe3989b4e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fe3989b4ef0 RCX: 00007fe399de916a
RDX: 0000000020000040 RSI: 0000000020000500 RDI: 00007fe3989b4eb0
RBP: 0000000020000040 R08: 00007fe3989b4ef0 R09: 0000000000004500
R10: 0000000000004500 R11: 0000000000000246 R12: 0000000020000500
R13: 00007fe3989b4eb0 R14: 00000000000004b4 R15: 000000000000002c
------------[ cut here end]------------
Root Cause:
The crash is caused by a potential circular locking dependency
detected within the Linux kernel's Ext4 filesystem during quota
management operations. Specifically, the task is attempting to acquire
the dq_lock (&dquot->dq_lock) in the dquot_commit function
(fs/quota/dquot.c:507) while another task already holds the i_data_sem
lock (&ei->i_data_sem) in the ext4_map_blocks function
(fs/ext4/inode.c:665). This situation creates a circular dependency
where each lock is waiting for the other to be released, which can
lead to a deadlock. The call trace reveals that the issue arises
during the writeback process (wb_workfn) when the filesystem is trying
to commit quota information (dquot_commit) while simultaneously
handling inode data (ext4_map_blocks). The Kernel Lock Validator
(lockdep) has flagged this as a possible circular dependency because
the existing lock (i_data_sem) already depends on the new lock
(dq_lock), violating the expected lock acquisition order. This
improper lock ordering within the Ext4 quota handling and inode
management paths indicates a flaw in the synchronization mechanisms,
potentially caused by concurrent operations or incorrect lock
hierarchy implementation. As a result, the kernel emits a warning to
prevent a deadlock scenario, highlighting the need for revising the
locking strategy to ensure that locks are acquired in a consistent and
non-circular manner.
Thank you for your time and attention.
Best regards
Wall
Powered by blists - more mailing lists