From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-26756: md: Don't register sync_thread for reshape directly

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

md: Don't register sync_thread for reshape directly

Currently, if a reshape is interrupted, then reassembling the array will
register sync_thread directly from pers->run(). In this case
'MD_RECOVERY_RUNNING' is set directly; however, there is no guarantee
that md_do_sync() will be executed, hence stop_sync_thread() will hang
because 'MD_RECOVERY_RUNNING' can't be cleared.

The last patch makes sure that md_do_sync() will set MD_RECOVERY_DONE;
however, the following hang can still be triggered occasionally by the
dm-raid test shell/lvconvert-raid-reshape.sh:

[root@fedora ~]# cat /proc/1982/stack
[<0>] stop_sync_thread+0x1ab/0x270 [md_mod]
[<0>] md_frozen_sync_thread+0x5c/0xa0 [md_mod]
[<0>] raid_presuspend+0x1e/0x70 [dm_raid]
[<0>] dm_table_presuspend_targets+0x40/0xb0 [dm_mod]
[<0>] __dm_destroy+0x2a5/0x310 [dm_mod]
[<0>] dm_destroy+0x16/0x30 [dm_mod]
[<0>] dev_remove+0x165/0x290 [dm_mod]
[<0>] ctl_ioctl+0x4bb/0x7b0 [dm_mod]
[<0>] dm_ctl_ioctl+0x11/0x20 [dm_mod]
[<0>] vfs_ioctl+0x21/0x60
[<0>] __x64_sys_ioctl+0xb9/0xe0
[<0>] do_syscall_64+0xc6/0x230
[<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74

Meanwhile mddev->recovery is:
MD_RECOVERY_RUNNING |
MD_RECOVERY_INTR |
MD_RECOVERY_RESHAPE |
MD_RECOVERY_FROZEN

Fix this problem by removing the code that registers sync_thread directly
from raid10 and raid5, and let md_check_recovery() register
sync_thread.

The Linux kernel CVE team has assigned CVE-2024-26756 to this issue.


Affected and fixed versions
===========================

Issue introduced in 2.6.17 with commit f67055780caac6a99f43834795c43acf99eba6a6 and fixed in 6.7.7 with commit 13b520fb62b772e408f9b79c5fe18ad414e90417
Issue introduced in 2.6.17 with commit f67055780caac6a99f43834795c43acf99eba6a6 and fixed in 6.8 with commit ad39c08186f8a0f221337985036ba86731d6aafe

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-26756
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
drivers/md/md.c
drivers/md/raid10.c
drivers/md/raid5.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/13b520fb62b772e408f9b79c5fe18ad414e90417
https://git.kernel.org/stable/c/ad39c08186f8a0f221337985036ba86731d6aafe
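As an added practitioner check (written for this page, not part of the kernel CVE team's announcement or the kernel tree), the POSIX shell functions below classify a kernel version string against the fixed versions listed above and recognise the hung-task stack quoted in the description. They assume that a version on a branch the announcement does not list is affected unless a distribution has backported the fix, which the cve.org record is the authority for.

```shell
# Added example for CVE-2024-26756; not from the kernel announcement.
# Thresholds come from the advisory: introduced in 2.6.17, fixed in
# 6.7.7 (6.7 stable) and 6.8 (mainline). Assumption: unlisted branches
# count as affected until a backport shows up on cve.org.

# Compare two dotted numeric versions; prints -1, 0 or 1.
vcmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a='' || a=${a#*.}
        [ "$b" = "$y" ] && b='' || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && { printf '%s\n' -1; return; }
        [ "$x" -gt "$y" ] && { printf '%s\n' 1; return; }
    done
    printf '%s\n' 0
}

# 0 = not affected per the advisory, 1 = affected, 2 = cannot classify.
cve_2024_26756_status() {
    ver=$1
    case "$ver" in *-rc*) return 2 ;; esac     # release candidates: unknown
    ver=${ver%%-*}                             # strip "-45-generic" suffixes
    case "$ver" in ''|*[!0-9.]*|.*|*.|*..*) return 2 ;; esac
    [ "$(vcmp "$ver" 2.6.17)" -lt 0 ] && return 0   # predates introducing commit
    [ "$(vcmp "$ver" 6.8)" -ge 0 ] && return 0      # fixed in 6.8
    [ "$(vcmp "$ver" 6.7.7)" -ge 0 ] && return 0    # fixed in 6.7.7 stable
    return 1
}

# 0 if a /proc/<pid>/stack dump has stop_sync_thread as its top frame,
# the state the advisory's blocked dm ioctl task shows.
matches_md_reshape_hang() {
    top=$(printf '%s\n' "$1" | sed -n 1p)
    case "$top" in *stop_sync_thread*) return 0 ;; esac
    return 1
}

# Live check (needs root to read /proc/<pid>/stack): print blocked PIDs.
find_stuck_md_tasks() {
    for s in /proc/[0-9]*/stack; do
        [ -r "$s" ] || continue
        matches_md_reshape_hang "$(cat "$s")" && { p=${s#/proc/}; echo "${p%%/*}"; }
    done
}

# Constructed sample: the top of the stack quoted in the advisory, for self-testing.
SAMPLE_HUNG_STACK='[<0>] stop_sync_thread+0x1ab/0x270 [md_mod]
[<0>] md_frozen_sync_thread+0x5c/0xa0 [md_mod]
[<0>] raid_presuspend+0x1e/0x70 [dm_raid]'
```

Run `cve_2024_26756_status "$(uname -r)"` on a host and `find_stuck_md_tasks` when an lvconvert or dmsetup command stops responding during a reshape.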