Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-cve / . / cve / published / 2024 / CVE-2024-42077.mbox
blob: fea8a1a393e716564bb5aeed00d9db50e5038ddc [file] [log] [blame]
From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-42077: ocfs2: fix DIO failure due to insufficient transaction credits
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix DIO failure due to insufficient transaction credits
The code in ocfs2_dio_end_io_write() estimates number of necessary
transaction credits using ocfs2_calc_extend_credits(). This however does
not take into account that the IO could be arbitrarily large and can
contain arbitrary number of extents.
Extent tree manipulations do often extend the current transaction but not
in all of the cases. For example if we have only single block extents in
the tree, ocfs2_mark_extent_written() will end up calling
ocfs2_replace_extent_rec() all the time and we will never extend the
current transaction and eventually exhaust all the transaction credits if
the IO contains many single block extents. Once that happens a
WARN_ON(jbd2_handle_buffer_credits(handle) <= 0) is triggered in
jbd2_journal_dirty_metadata() and subsequently OCFS2 aborts in response to
this error. This was actually triggered by one of our customers on a
heavily fragmented OCFS2 filesystem.
To fix the issue make sure the transaction always has enough credits for
one extent insert before each call of ocfs2_mark_extent_written().
Heming Zhao said:
------
PANIC: "Kernel panic - not syncing: OCFS2: (device dm-1): panic forced after error"
PID: xxx TASK: xxxx CPU: 5 COMMAND: "SubmitThread-CA"
#0 machine_kexec at ffffffff8c069932
#1 __crash_kexec at ffffffff8c1338fa
#2 panic at ffffffff8c1d69b9
#3 ocfs2_handle_error at ffffffffc0c86c0c [ocfs2]
#4 __ocfs2_abort at ffffffffc0c88387 [ocfs2]
#5 ocfs2_journal_dirty at ffffffffc0c51e98 [ocfs2]
#6 ocfs2_split_extent at ffffffffc0c27ea3 [ocfs2]
#7 ocfs2_change_extent_flag at ffffffffc0c28053 [ocfs2]
#8 ocfs2_mark_extent_written at ffffffffc0c28347 [ocfs2]
#9 ocfs2_dio_end_io_write at ffffffffc0c2bef9 [ocfs2]
#10 ocfs2_dio_end_io at ffffffffc0c2c0f5 [ocfs2]
#11 dio_complete at ffffffff8c2b9fa7
#12 do_blockdev_direct_IO at ffffffff8c2bc09f
#13 ocfs2_direct_IO at ffffffffc0c2b653 [ocfs2]
#14 generic_file_direct_write at ffffffff8c1dcf14
#15 __generic_file_write_iter at ffffffff8c1dd07b
#16 ocfs2_file_write_iter at ffffffffc0c49f1f [ocfs2]
#17 aio_write at ffffffff8c2cc72e
#18 kmem_cache_alloc at ffffffff8c248dde
#19 do_io_submit at ffffffff8c2ccada
#20 do_syscall_64 at ffffffff8c004984
#21 entry_SYSCALL_64_after_hwframe at ffffffff8c8000ba
The Linux kernel CVE team has assigned CVE-2024-42077 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.6 with commit c15471f79506830f80eca0e7fe09b8213953ab5f and fixed in 5.10.221 with commit a68b896aa56e435506453ec8835bc991ec3ae687
Issue introduced in 4.6 with commit c15471f79506830f80eca0e7fe09b8213953ab5f and fixed in 5.15.162 with commit 320273b5649bbcee87f9e65343077189699d2a7a
Issue introduced in 4.6 with commit c15471f79506830f80eca0e7fe09b8213953ab5f and fixed in 6.1.97 with commit 9ea2d1c6789722d58ec191f14f9a02518d55b6b4
Issue introduced in 4.6 with commit c15471f79506830f80eca0e7fe09b8213953ab5f and fixed in 6.6.37 with commit c05ffb693bfb42a48ef3ee88a55b57392984e111
Issue introduced in 4.6 with commit c15471f79506830f80eca0e7fe09b8213953ab5f and fixed in 6.9.8 with commit 331d1079d58206ff7dc5518185f800b412f89bc6
Issue introduced in 4.6 with commit c15471f79506830f80eca0e7fe09b8213953ab5f and fixed in 6.10 with commit be346c1a6eeb49d8fda827d2a9522124c2f72f36
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-42077
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
fs/ocfs2/aops.c
fs/ocfs2/journal.c
fs/ocfs2/journal.h
fs/ocfs2/ocfs2_trace.h
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/a68b896aa56e435506453ec8835bc991ec3ae687
https://git.kernel.org/stable/c/320273b5649bbcee87f9e65343077189699d2a7a
https://git.kernel.org/stable/c/9ea2d1c6789722d58ec191f14f9a02518d55b6b4
https://git.kernel.org/stable/c/c05ffb693bfb42a48ef3ee88a55b57392984e111
https://git.kernel.org/stable/c/331d1079d58206ff7dc5518185f800b412f89bc6
https://git.kernel.org/stable/c/be346c1a6eeb49d8fda827d2a9522124c2f72f36