From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-37078: nilfs2: fix potential kernel bug due to lack of writeback flag waiting
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix potential kernel bug due to lack of writeback flag waiting
Destructive writes to a block device on which nilfs2 is mounted can cause
a kernel bug in the folio/page writeback start routine or writeback end
routine (__folio_start_writeback in the log below):
  kernel BUG at mm/page-writeback.c:3070!
  Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
  ...
  RIP: 0010:__folio_start_writeback+0xbaa/0x10e0
  Code: 25 ff 0f 00 00 0f 84 18 01 00 00 e8 40 ca c6 ff e9 17 f6 ff ff
   e8 36 ca c6 ff 4c 89 f7 48 c7 c6 80 c0 12 84 e8 e7 b3 0f 00 90 <0f>
   0b e8 1f ca c6 ff 4c 89 f7 48 c7 c6 a0 c6 12 84 e8 d0 b3 0f 00
  ...
  Call Trace:
   <TASK>
   nilfs_segctor_do_construct+0x4654/0x69d0 [nilfs2]
   nilfs_segctor_construct+0x181/0x6b0 [nilfs2]
   nilfs_segctor_thread+0x548/0x11c0 [nilfs2]
   kthread+0x2f0/0x390
   ret_from_fork+0x4b/0x80
   ret_from_fork_asm+0x1a/0x30
   </TASK>
This is because when the log writer starts a writeback for segment summary
blocks or a super root block that use the backing device's page cache, it
does not wait for the ongoing folio/page writeback, resulting in an
inconsistent writeback state.
Fix this issue by waiting for ongoing writebacks when putting
folios/pages on the backing device into writeback state.
The Linux kernel CVE team has assigned CVE-2024-37078 to this issue.
Affected and fixed versions
===========================
Issue introduced in 2.6.30 with commit 9ff05123e3bfbb1d2b68ba1d9bf1f7d1dffc1453 and fixed in 4.19.317 with commit 95f6f81e50d858a7c9aa7c795ec14a0ac3819118
Issue introduced in 2.6.30 with commit 9ff05123e3bfbb1d2b68ba1d9bf1f7d1dffc1453 and fixed in 5.4.279 with commit a75b8f493dfc48aa38c518430bd9e03b53bffebe
Issue introduced in 2.6.30 with commit 9ff05123e3bfbb1d2b68ba1d9bf1f7d1dffc1453 and fixed in 5.10.221 with commit 0ecfe3a92869a59668d27228dabbd7965e83567f
Issue introduced in 2.6.30 with commit 9ff05123e3bfbb1d2b68ba1d9bf1f7d1dffc1453 and fixed in 5.15.162 with commit 33900d7eae616647e179eee1c66ebe654ee39627
Issue introduced in 2.6.30 with commit 9ff05123e3bfbb1d2b68ba1d9bf1f7d1dffc1453 and fixed in 6.1.95 with commit 271dcd977ccda8c7a26e360425ae7b4db7d2ecc0
Issue introduced in 2.6.30 with commit 9ff05123e3bfbb1d2b68ba1d9bf1f7d1dffc1453 and fixed in 6.6.35 with commit 614d397be0cf43412b3f94a0f6460eddced8ce92
Issue introduced in 2.6.30 with commit 9ff05123e3bfbb1d2b68ba1d9bf1f7d1dffc1453 and fixed in 6.9.5 with commit 1f3bff69f1214fe03a02bc650d5bbfaa6e65ae7d
Issue introduced in 2.6.30 with commit 9ff05123e3bfbb1d2b68ba1d9bf1f7d1dffc1453 and fixed in 6.10 with commit a4ca369ca221bb7e06c725792ac107f0e48e82e7
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-37078
will be updated if fixes are backported; please check it for the most
up-to-date information about this issue.
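The version list above can be turned into a triage check for a kernel inventory. The following is an added example, not part of the original announcement or of any kernel tooling; the function names and status strings are hypothetical. It assumes upstream kernel.org version numbering: distribution kernels often backport fixes without changing the base version, so their status has to come from the vendor's advisory.

```python
import re

# Data copied from the "Affected and fixed versions" list above:
# stable branch (major, minor) -> first patch release carrying the fix.
INTRODUCED = (2, 6, 30)
FIXED_IN_BRANCH = {
    (4, 19): 317, (5, 4): 279, (5, 10): 221, (5, 15): 162,
    (6, 1): 95, (6, 6): 35, (6, 9): 5,
}
FIXED_MAINLINE = (6, 10)  # 6.10 and every later branch contain the fix


def parse_release(release):
    """Turn a `uname -r` style string into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())


def cve_2024_37078_status(release):
    """Classify an upstream/stable kernel release against the advisory.

    Returns "not-affected", "fixed", "vulnerable", "vulnerable-no-fix"
    (branch absent from the advisory's list, so it has no fixed release)
    or "unknown" (6.10 release candidate: the list names only 6.10 itself).
    """
    major, minor, patch = ver = parse_release(release)
    if ver < INTRODUCED:
        return "not-affected"
    if (major, minor) == FIXED_MAINLINE and "-rc" in release:
        return "unknown"
    if (major, minor) >= FIXED_MAINLINE:
        return "fixed"
    first_fixed = FIXED_IN_BRANCH.get((major, minor))
    if first_fixed is None:
        return "vulnerable-no-fix"
    return "fixed" if patch >= first_fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real system.
    for rel in ("4.19.316", "5.15.162", "6.8.12", "6.10.0-rc1", "6.12.3"):
        print(f"{rel:12} {cve_2024_37078_status(rel)}")
```

A "vulnerable" result matters only on hosts where nilfs2 is actually mounted, since the affected code is in fs/nilfs2/segment.c.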
Affected files
==============
The file(s) affected by this issue are:
fs/nilfs2/segment.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/95f6f81e50d858a7c9aa7c795ec14a0ac3819118
https://git.kernel.org/stable/c/a75b8f493dfc48aa38c518430bd9e03b53bffebe
https://git.kernel.org/stable/c/0ecfe3a92869a59668d27228dabbd7965e83567f
https://git.kernel.org/stable/c/33900d7eae616647e179eee1c66ebe654ee39627
https://git.kernel.org/stable/c/271dcd977ccda8c7a26e360425ae7b4db7d2ecc0
https://git.kernel.org/stable/c/614d397be0cf43412b3f94a0f6460eddced8ce92
https://git.kernel.org/stable/c/1f3bff69f1214fe03a02bc650d5bbfaa6e65ae7d
https://git.kernel.org/stable/c/a4ca369ca221bb7e06c725792ac107f0e48e82e7