cve/published/2024/CVE-2024-43855.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-43855: md: fix deadlock between mddev_suspend and flush bio

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 md: fix deadlock between mddev_suspend and flush bio

 Deadlock occurs when mddev is being suspended while some flush bio is in
 progress. It is a complex issue.

 T1. the first flush is at the ending stage, it clears 'mddev->flush_bio'
     and tries to submit data, but is blocked because mddev is suspended
     by T4.
 T2. the second flush sets 'mddev->flush_bio', and attempts to queue
     md_submit_flush_data(), which is already running (T1) and won't
     execute again if on the same CPU as T1.
 T3. the third flush inc active_io and tries to flush, but is blocked because
     'mddev->flush_bio' is not NULL (set by T2).
 T4. mddev_suspend() is called and waits for active_io dec to 0 which is inc
     by T3.

   T1		T2		T3		T4
   (flush 1)	(flush 2)	(third 3)	(suspend)
   md_submit_flush_data
    mddev->flush_bio = NULL;
    .
    .	 	md_flush_request
    .	  	 mddev->flush_bio = bio
    .	  	 queue submit_flushes
    .		 .
    .		 .		md_handle_request
    .		 .		 active_io + 1
    .		 .		 md_flush_request
    .		 .		  wait !mddev->flush_bio
    .		 .
    .		 .				mddev_suspend
    .		 .				 wait !active_io
    .		 .
    .		 submit_flushes
    .		 queue_work md_submit_flush_data
    .		 //md_submit_flush_data is already running (T1)
    .
    md_handle_request
     wait resume

 The root issue is non-atomic inc/dec of active_io during flush process.
 active_io is dec before md_submit_flush_data is queued, and inc soon
 after md_submit_flush_data() run.
   md_flush_request
     active_io + 1
     submit_flushes
       active_io - 1
       md_submit_flush_data
         md_handle_request
         active_io + 1
           make_request
         active_io - 1

 If active_io is dec after md_handle_request() instead of within
 submit_flushes(), make_request() can be called directly intead of
 md_handle_request() in md_submit_flush_data(), and active_io will
 only inc and dec once in the whole flush process. Deadlock will be
 fixed.

 Additionally, the only difference between fixing the issue and before is
 that there is no return error handling of make_request(). But after
 previous patch cleaned md_write_start(), make_requst() only return error
 in raid5_make_request() by dm-raid, see commit 41425f96d7aa ("dm-raid456,
 md/raid456: fix a deadlock for dm-raid456 while io concurrent with
 reshape)". Since dm always splits data and flush operation into two
 separate io, io size of flush submitted by dm always is 0, make_request()
 will not be called in md_submit_flush_data(). To prevent future
 modifications from introducing issues, add WARN_ON to ensure
 make_request() no error is returned in this context.

 The Linux kernel CVE team has assigned CVE-2024-43855 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.1.75 with commit f9f2d957a8ea93c73182aebf7de30935a58c027d and fixed in 6.1.103 with commit 32226070813140234b6c507084738e8e8385c5c6
 	Issue introduced in 6.6.14 with commit 530cec617f5a8ba6f26bcbf0d64d75c951d17730 and fixed in 6.6.44 with commit 2d0738a8322bf4e5bfe693d16b3111928a9ccfbf
 	Issue introduced in 6.8 with commit fa2bbff7b0b4e211fec5e5686ef96350690597b5 and fixed in 6.10.3 with commit ca963eefbc3331222b6121baa696d49ba2008811
 	Issue introduced in 6.8 with commit fa2bbff7b0b4e211fec5e5686ef96350690597b5 and fixed in 6.11 with commit 611d5cbc0b35a752e657a83eebadf40d814d006b
 	Issue introduced in 6.7.2 with commit c4c2345214b66e2505a26fd2ea58839dd7a1d48d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-43855
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/md/md.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/32226070813140234b6c507084738e8e8385c5c6
 	https://git.kernel.org/stable/c/2d0738a8322bf4e5bfe693d16b3111928a9ccfbf
 	https://git.kernel.org/stable/c/ca963eefbc3331222b6121baa696d49ba2008811
 	https://git.kernel.org/stable/c/611d5cbc0b35a752e657a83eebadf40d814d006b
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-43855: md: fix deadlock between mddev_suspend and flush bio

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	md: fix deadlock between mddev_suspend and flush bio

	Deadlock occurs when mddev is being suspended while some flush bio is in
	progress. It is a complex issue.

	T1. the first flush is at the ending stage, it clears 'mddev->flush_bio'
	and tries to submit data, but is blocked because mddev is suspended
	by T4.
	T2. the second flush sets 'mddev->flush_bio', and attempts to queue
	md_submit_flush_data(), which is already running (T1) and won't
	execute again if on the same CPU as T1.
	T3. the third flush inc active_io and tries to flush, but is blocked because
	'mddev->flush_bio' is not NULL (set by T2).
	T4. mddev_suspend() is called and waits for active_io dec to 0 which is inc
	by T3.

	T1 T2 T3 T4
	(flush 1) (flush 2) (third 3) (suspend)
	md_submit_flush_data
	mddev->flush_bio = NULL;
	.
	. md_flush_request
	. mddev->flush_bio = bio
	. queue submit_flushes
	. .
	. . md_handle_request
	. . active_io + 1
	. . md_flush_request
	. . wait !mddev->flush_bio
	. .
	. . mddev_suspend
	. . wait !active_io
	. .
	. submit_flushes
	. queue_work md_submit_flush_data
	. //md_submit_flush_data is already running (T1)
	.
	md_handle_request
	wait resume

	The root issue is non-atomic inc/dec of active_io during flush process.
	active_io is dec before md_submit_flush_data is queued, and inc soon
	after md_submit_flush_data() run.
	md_flush_request
	active_io + 1
	submit_flushes
	active_io - 1
	md_submit_flush_data
	md_handle_request
	active_io + 1
	make_request
	active_io - 1

	If active_io is dec after md_handle_request() instead of within
	submit_flushes(), make_request() can be called directly intead of
	md_handle_request() in md_submit_flush_data(), and active_io will
	only inc and dec once in the whole flush process. Deadlock will be
	fixed.

	Additionally, the only difference between fixing the issue and before is
	that there is no return error handling of make_request(). But after
	previous patch cleaned md_write_start(), make_requst() only return error
	in raid5_make_request() by dm-raid, see commit 41425f96d7aa ("dm-raid456,
	md/raid456: fix a deadlock for dm-raid456 while io concurrent with
	reshape)". Since dm always splits data and flush operation into two
	separate io, io size of flush submitted by dm always is 0, make_request()
	will not be called in md_submit_flush_data(). To prevent future
	modifications from introducing issues, add WARN_ON to ensure
	make_request() no error is returned in this context.

	The Linux kernel CVE team has assigned CVE-2024-43855 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.1.75 with commit f9f2d957a8ea93c73182aebf7de30935a58c027d and fixed in 6.1.103 with commit 32226070813140234b6c507084738e8e8385c5c6
	Issue introduced in 6.6.14 with commit 530cec617f5a8ba6f26bcbf0d64d75c951d17730 and fixed in 6.6.44 with commit 2d0738a8322bf4e5bfe693d16b3111928a9ccfbf
	Issue introduced in 6.8 with commit fa2bbff7b0b4e211fec5e5686ef96350690597b5 and fixed in 6.10.3 with commit ca963eefbc3331222b6121baa696d49ba2008811
	Issue introduced in 6.8 with commit fa2bbff7b0b4e211fec5e5686ef96350690597b5 and fixed in 6.11 with commit 611d5cbc0b35a752e657a83eebadf40d814d006b
	Issue introduced in 6.7.2 with commit c4c2345214b66e2505a26fd2ea58839dd7a1d48d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-43855
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/md/md.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/32226070813140234b6c507084738e8e8385c5c6
	https://git.kernel.org/stable/c/2d0738a8322bf4e5bfe693d16b3111928a9ccfbf
	https://git.kernel.org/stable/c/ca963eefbc3331222b6121baa696d49ba2008811
	https://git.kernel.org/stable/c/611d5cbc0b35a752e657a83eebadf40d814d006b