| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-26758: md: Don't ignore suspended array in md_check_recovery() |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| md: Don't ignore suspended array in md_check_recovery() |
| |
| mddev_suspend() never stop sync_thread, hence it doesn't make sense to |
| ignore suspended array in md_check_recovery(), which might cause |
| sync_thread can't be unregistered. |
| |
| After commit f52f5c71f3d4 ("md: fix stopping sync thread"), following |
| hang can be triggered by test shell/integrity-caching.sh: |
| |
| 1) suspend the array: |
| raid_postsuspend |
| mddev_suspend |
| |
| 2) stop the array: |
| raid_dtr |
| md_stop |
| __md_stop_writes |
| stop_sync_thread |
| set_bit(MD_RECOVERY_INTR, &mddev->recovery); |
| md_wakeup_thread_directly(mddev->sync_thread); |
| wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)) |
| |
| 3) sync thread done: |
| md_do_sync |
| set_bit(MD_RECOVERY_DONE, &mddev->recovery); |
| md_wakeup_thread(mddev->thread); |
| |
| 4) daemon thread can't unregister sync thread: |
| md_check_recovery |
| if (mddev->suspended) |
| return; -> return directly |
| md_read_sync_thread |
| clear_bit(MD_RECOVERY_RUNNING, &mddev->recovery); |
| -> MD_RECOVERY_RUNNING can't be cleared, hence step 2 hang; |
| |
| This problem is not just related to dm-raid, fix it by ignoring |
| suspended array in md_check_recovery(). And follow up patches will |
| improve dm-raid better to frozen sync thread during suspend. |
| |
| The Linux kernel CVE team has assigned CVE-2024-26758 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 3.0 with commit 68866e425be2ef2664aa5c691bb3ab789736acf5 and fixed in 6.7.7 with commit a55f0d6179a19c6b982e2dc344d58c98647a3be0 |
| Issue introduced in 3.0 with commit 68866e425be2ef2664aa5c691bb3ab789736acf5 and fixed in 6.8 with commit 1baae052cccd08daf9a9d64c3f959d8cdb689757 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-26758 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| drivers/md/md.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/a55f0d6179a19c6b982e2dc344d58c98647a3be0 |
| https://git.kernel.org/stable/c/1baae052cccd08daf9a9d64c3f959d8cdb689757 |
