cve/published/2024/CVE-2024-26962.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26962: dm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 dm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape

 For raid456, if reshape is still in progress, then IO across reshape
 position will wait for reshape to make progress. However, for dm-raid,
 in following cases reshape will never make progress hence IO will hang:

 1) the array is read-only;
 2) MD_RECOVERY_WAIT is set;
 3) MD_RECOVERY_FROZEN is set;

 After commit c467e97f079f ("md/raid6: use valid sector values to determine
 if an I/O should wait on the reshape") fix the problem that IO across
 reshape position doesn't wait for reshape, the dm-raid test
 shell/lvconvert-raid-reshape.sh start to hang:

 [root@fedora ~]# cat /proc/979/stack
 [<0>] wait_woken+0x7d/0x90
 [<0>] raid5_make_request+0x929/0x1d70 [raid456]
 [<0>] md_handle_request+0xc2/0x3b0 [md_mod]
 [<0>] raid_map+0x2c/0x50 [dm_raid]
 [<0>] __map_bio+0x251/0x380 [dm_mod]
 [<0>] dm_submit_bio+0x1f0/0x760 [dm_mod]
 [<0>] __submit_bio+0xc2/0x1c0
 [<0>] submit_bio_noacct_nocheck+0x17f/0x450
 [<0>] submit_bio_noacct+0x2bc/0x780
 [<0>] submit_bio+0x70/0xc0
 [<0>] mpage_readahead+0x169/0x1f0
 [<0>] blkdev_readahead+0x18/0x30
 [<0>] read_pages+0x7c/0x3b0
 [<0>] page_cache_ra_unbounded+0x1ab/0x280
 [<0>] force_page_cache_ra+0x9e/0x130
 [<0>] page_cache_sync_ra+0x3b/0x110
 [<0>] filemap_get_pages+0x143/0xa30
 [<0>] filemap_read+0xdc/0x4b0
 [<0>] blkdev_read_iter+0x75/0x200
 [<0>] vfs_read+0x272/0x460
 [<0>] ksys_read+0x7a/0x170
 [<0>] __x64_sys_read+0x1c/0x30
 [<0>] do_syscall_64+0xc6/0x230
 [<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74

 This is because reshape can't make progress.

 For md/raid, the problem doesn't exist because register new sync_thread
 doesn't rely on the IO to be done any more:

 1) If array is read-only, it can switch to read-write by ioctl/sysfs;
 2) md/raid never set MD_RECOVERY_WAIT;
 3) If MD_RECOVERY_FROZEN is set, mddev_suspend() doesn't hold
    'reconfig_mutex', hence it can be cleared and reshape can continue by
    sysfs api 'sync_action'.

 However, I'm not sure yet how to avoid the problem in dm-raid yet. This
 patch on the one hand make sure raid_message() can't change
 sync_thread() through raid_message() after presuspend(), on the other
 hand detect the above 3 cases before wait for IO do be done in
 dm_suspend(), and let dm-raid requeue those IO.

 The Linux kernel CVE team has assigned CVE-2024-26962 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 6.7.12 with commit 5943a34bf6bab5801e08a55f63e1b8d5bc90dae1
 	Fixed in 6.8.3 with commit a8d249d770cb357d16a2097b548d2e4c1c137304
 	Fixed in 6.9 with commit 41425f96d7aa59bc865f60f5dda3d7697b555677

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26962
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/md/dm-raid.c
 	drivers/md/md.c
 	drivers/md/md.h
 	drivers/md/raid5.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5943a34bf6bab5801e08a55f63e1b8d5bc90dae1
 	https://git.kernel.org/stable/c/a8d249d770cb357d16a2097b548d2e4c1c137304
 	https://git.kernel.org/stable/c/41425f96d7aa59bc865f60f5dda3d7697b555677
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26962: dm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	dm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape

	For raid456, if reshape is still in progress, then IO across reshape
	position will wait for reshape to make progress. However, for dm-raid,
	in following cases reshape will never make progress hence IO will hang:

	1) the array is read-only;
	2) MD_RECOVERY_WAIT is set;
	3) MD_RECOVERY_FROZEN is set;

	After commit c467e97f079f ("md/raid6: use valid sector values to determine
	if an I/O should wait on the reshape") fix the problem that IO across
	reshape position doesn't wait for reshape, the dm-raid test
	shell/lvconvert-raid-reshape.sh start to hang:

	[root@fedora ~]# cat /proc/979/stack
	[<0>] wait_woken+0x7d/0x90
	[<0>] raid5_make_request+0x929/0x1d70 [raid456]
	[<0>] md_handle_request+0xc2/0x3b0 [md_mod]
	[<0>] raid_map+0x2c/0x50 [dm_raid]
	[<0>] __map_bio+0x251/0x380 [dm_mod]
	[<0>] dm_submit_bio+0x1f0/0x760 [dm_mod]
	[<0>] __submit_bio+0xc2/0x1c0
	[<0>] submit_bio_noacct_nocheck+0x17f/0x450
	[<0>] submit_bio_noacct+0x2bc/0x780
	[<0>] submit_bio+0x70/0xc0
	[<0>] mpage_readahead+0x169/0x1f0
	[<0>] blkdev_readahead+0x18/0x30
	[<0>] read_pages+0x7c/0x3b0
	[<0>] page_cache_ra_unbounded+0x1ab/0x280
	[<0>] force_page_cache_ra+0x9e/0x130
	[<0>] page_cache_sync_ra+0x3b/0x110
	[<0>] filemap_get_pages+0x143/0xa30
	[<0>] filemap_read+0xdc/0x4b0
	[<0>] blkdev_read_iter+0x75/0x200
	[<0>] vfs_read+0x272/0x460
	[<0>] ksys_read+0x7a/0x170
	[<0>] __x64_sys_read+0x1c/0x30
	[<0>] do_syscall_64+0xc6/0x230
	[<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74

	This is because reshape can't make progress.

	For md/raid, the problem doesn't exist because register new sync_thread
	doesn't rely on the IO to be done any more:

	1) If array is read-only, it can switch to read-write by ioctl/sysfs;
	2) md/raid never set MD_RECOVERY_WAIT;
	3) If MD_RECOVERY_FROZEN is set, mddev_suspend() doesn't hold
	'reconfig_mutex', hence it can be cleared and reshape can continue by
	sysfs api 'sync_action'.

	However, I'm not sure yet how to avoid the problem in dm-raid yet. This
	patch on the one hand make sure raid_message() can't change
	sync_thread() through raid_message() after presuspend(), on the other
	hand detect the above 3 cases before wait for IO do be done in
	dm_suspend(), and let dm-raid requeue those IO.

	The Linux kernel CVE team has assigned CVE-2024-26962 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 6.7.12 with commit 5943a34bf6bab5801e08a55f63e1b8d5bc90dae1
	Fixed in 6.8.3 with commit a8d249d770cb357d16a2097b548d2e4c1c137304
	Fixed in 6.9 with commit 41425f96d7aa59bc865f60f5dda3d7697b555677

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26962
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/md/dm-raid.c
	drivers/md/md.c
	drivers/md/md.h
	drivers/md/raid5.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5943a34bf6bab5801e08a55f63e1b8d5bc90dae1
	https://git.kernel.org/stable/c/a8d249d770cb357d16a2097b548d2e4c1c137304
	https://git.kernel.org/stable/c/41425f96d7aa59bc865f60f5dda3d7697b555677