cve/published/2021/CVE-2021-47493.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47493: ocfs2: fix race between searching chunks and release journal_head from buffer_head

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ocfs2: fix race between searching chunks and release journal_head from buffer_head

 Encountered a race between ocfs2_test_bg_bit_allocatable() and
 jbd2_journal_put_journal_head() resulting in the below vmcore.

   PID: 106879  TASK: ffff880244ba9c00  CPU: 2   COMMAND: "loop3"
   Call trace:
     panic
     oops_end
     no_context
     __bad_area_nosemaphore
     bad_area_nosemaphore
     __do_page_fault
     do_page_fault
     page_fault
       [exception RIP: ocfs2_block_group_find_clear_bits+316]
     ocfs2_block_group_find_clear_bits [ocfs2]
     ocfs2_cluster_group_search [ocfs2]
     ocfs2_search_chain [ocfs2]
     ocfs2_claim_suballoc_bits [ocfs2]
     __ocfs2_claim_clusters [ocfs2]
     ocfs2_claim_clusters [ocfs2]
     ocfs2_local_alloc_slide_window [ocfs2]
     ocfs2_reserve_local_alloc_bits [ocfs2]
     ocfs2_reserve_clusters_with_limit [ocfs2]
     ocfs2_reserve_clusters [ocfs2]
     ocfs2_lock_refcount_allocators [ocfs2]
     ocfs2_make_clusters_writable [ocfs2]
     ocfs2_replace_cow [ocfs2]
     ocfs2_refcount_cow [ocfs2]
     ocfs2_file_write_iter [ocfs2]
     lo_rw_aio
     loop_queue_work
     kthread_worker_fn
     kthread
     ret_from_fork

 When ocfs2_test_bg_bit_allocatable() called bh2jh(bg_bh), the
 bg_bh->b_private NULL as jbd2_journal_put_journal_head() raced and
 released the jounal head from the buffer head.  Needed to take bit lock
 for the bit 'BH_JournalHead' to fix this race.

 The Linux kernel CVE team has assigned CVE-2021-47493 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.10.77 with commit 5043fbd294f5909a080ade0f04b70a4da9e122b7
 	Fixed in 5.14.16 with commit 2e382600e8856ea654677b5134ee66e03ea72bc2
 	Fixed in 5.15 with commit 6f1b228529ae49b0f85ab89bcdb6c365df401558

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47493
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/ocfs2/suballoc.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5043fbd294f5909a080ade0f04b70a4da9e122b7
 	https://git.kernel.org/stable/c/2e382600e8856ea654677b5134ee66e03ea72bc2
 	https://git.kernel.org/stable/c/6f1b228529ae49b0f85ab89bcdb6c365df401558
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47493: ocfs2: fix race between searching chunks and release journal_head from buffer_head

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ocfs2: fix race between searching chunks and release journal_head from buffer_head

	Encountered a race between ocfs2_test_bg_bit_allocatable() and
	jbd2_journal_put_journal_head() resulting in the below vmcore.

	PID: 106879 TASK: ffff880244ba9c00 CPU: 2 COMMAND: "loop3"
	Call trace:
	panic
	oops_end
	no_context
	__bad_area_nosemaphore
	bad_area_nosemaphore
	__do_page_fault
	do_page_fault
	page_fault
	[exception RIP: ocfs2_block_group_find_clear_bits+316]
	ocfs2_block_group_find_clear_bits [ocfs2]
	ocfs2_cluster_group_search [ocfs2]
	ocfs2_search_chain [ocfs2]
	ocfs2_claim_suballoc_bits [ocfs2]
	__ocfs2_claim_clusters [ocfs2]
	ocfs2_claim_clusters [ocfs2]
	ocfs2_local_alloc_slide_window [ocfs2]
	ocfs2_reserve_local_alloc_bits [ocfs2]
	ocfs2_reserve_clusters_with_limit [ocfs2]
	ocfs2_reserve_clusters [ocfs2]
	ocfs2_lock_refcount_allocators [ocfs2]
	ocfs2_make_clusters_writable [ocfs2]
	ocfs2_replace_cow [ocfs2]
	ocfs2_refcount_cow [ocfs2]
	ocfs2_file_write_iter [ocfs2]
	lo_rw_aio
	loop_queue_work
	kthread_worker_fn
	kthread
	ret_from_fork

	When ocfs2_test_bg_bit_allocatable() called bh2jh(bg_bh), the
	bg_bh->b_private NULL as jbd2_journal_put_journal_head() raced and
	released the jounal head from the buffer head. Needed to take bit lock
	for the bit 'BH_JournalHead' to fix this race.

	The Linux kernel CVE team has assigned CVE-2021-47493 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.10.77 with commit 5043fbd294f5909a080ade0f04b70a4da9e122b7
	Fixed in 5.14.16 with commit 2e382600e8856ea654677b5134ee66e03ea72bc2
	Fixed in 5.15 with commit 6f1b228529ae49b0f85ab89bcdb6c365df401558

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47493
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/ocfs2/suballoc.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5043fbd294f5909a080ade0f04b70a4da9e122b7
	https://git.kernel.org/stable/c/2e382600e8856ea654677b5134ee66e03ea72bc2
	https://git.kernel.org/stable/c/6f1b228529ae49b0f85ab89bcdb6c365df401558