cve/published/2024/CVE-2024-47689.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-47689: f2fs: fix to don't set SB_RDONLY in f2fs_handle_critical_error()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 f2fs: fix to don't set SB_RDONLY in f2fs_handle_critical_error()

 syzbot reports a f2fs bug as below:

 ------------[ cut here ]------------
 WARNING: CPU: 1 PID: 58 at kernel/rcu/sync.c:177 rcu_sync_dtor+0xcd/0x180 kernel/rcu/sync.c:177
 CPU: 1 UID: 0 PID: 58 Comm: kworker/1:2 Not tainted 6.10.0-syzkaller-12562-g1722389b0d86 #0
 Workqueue: events destroy_super_work
 RIP: 0010:rcu_sync_dtor+0xcd/0x180 kernel/rcu/sync.c:177
 Call Trace:
  percpu_free_rwsem+0x41/0x80 kernel/locking/percpu-rwsem.c:42
  destroy_super_work+0xec/0x130 fs/super.c:282
  process_one_work kernel/workqueue.c:3231 [inline]
  process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
  worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
  kthread+0x2f0/0x390 kernel/kthread.c:389
  ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

 As Christian Brauner pointed out [1]: the root cause is f2fs sets
 SB_RDONLY flag in internal function, rather than setting the flag
 covered w/ sb->s_umount semaphore via remount procedure, then below
 race condition causes this bug:

 - freeze_super()
  - sb_wait_write(sb, SB_FREEZE_WRITE)
  - sb_wait_write(sb, SB_FREEZE_PAGEFAULT)
  - sb_wait_write(sb, SB_FREEZE_FS)
 					- f2fs_handle_critical_error
 					 - sb->s_flags |= SB_RDONLY
 - thaw_super
  - thaw_super_locked
   - sb_rdonly() is true, so it skips
     sb_freeze_unlock(sb, SB_FREEZE_FS)
   - deactivate_locked_super

 Since f2fs has almost the same logic as ext4 [2] when handling critical
 error in filesystem if it mounts w/ errors=remount-ro option:
 - set CP_ERROR_FLAG flag which indicates filesystem is stopped
 - record errors to superblock
 - set SB_RDONLY falg
 Once we set CP_ERROR_FLAG flag, all writable interfaces can detect the
 flag and stop any further updates on filesystem. So, it is safe to not
 set SB_RDONLY flag, let's remove the logic and keep in line w/ ext4 [3].

 [1] https://lore.kernel.org/all/20240729-himbeeren-funknetz-96e62f9c7aee@brauner
 [2] https://lore.kernel.org/all/20240729132721.hxih6ehigadqf7wx@quack3
 [3] https://lore.kernel.org/linux-ext4/20240805201241.27286-1-jack@suse.cz

 The Linux kernel CVE team has assigned CVE-2024-47689 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.5 with commit b62e71be2110d8b52bf5faf3c3ed7ca1a0c113a5 and fixed in 6.6.54 with commit 649ec8b30df113042588bd3d3cd4e98bcb1091e0
 	Issue introduced in 6.5 with commit b62e71be2110d8b52bf5faf3c3ed7ca1a0c113a5 and fixed in 6.10.13 with commit de43021c72993877a8f86f9fddfa0687609da5a4
 	Issue introduced in 6.5 with commit b62e71be2110d8b52bf5faf3c3ed7ca1a0c113a5 and fixed in 6.11.2 with commit 1f63f405c1a1a64b9c310388aad7055fb86b245c
 	Issue introduced in 6.5 with commit b62e71be2110d8b52bf5faf3c3ed7ca1a0c113a5 and fixed in 6.12 with commit 930c6ab93492c4b15436524e704950b364b2930c
 	Issue introduced in 6.4.4 with commit ed1d478bf838820201f3fb67a1748fdf15954ea4

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-47689
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/f2fs/super.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/649ec8b30df113042588bd3d3cd4e98bcb1091e0
 	https://git.kernel.org/stable/c/de43021c72993877a8f86f9fddfa0687609da5a4
 	https://git.kernel.org/stable/c/1f63f405c1a1a64b9c310388aad7055fb86b245c
 	https://git.kernel.org/stable/c/930c6ab93492c4b15436524e704950b364b2930c
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-47689: f2fs: fix to don't set SB_RDONLY in f2fs_handle_critical_error()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	f2fs: fix to don't set SB_RDONLY in f2fs_handle_critical_error()

	syzbot reports a f2fs bug as below:

	------------[ cut here ]------------
	WARNING: CPU: 1 PID: 58 at kernel/rcu/sync.c:177 rcu_sync_dtor+0xcd/0x180 kernel/rcu/sync.c:177
	CPU: 1 UID: 0 PID: 58 Comm: kworker/1:2 Not tainted 6.10.0-syzkaller-12562-g1722389b0d86 #0
	Workqueue: events destroy_super_work
	RIP: 0010:rcu_sync_dtor+0xcd/0x180 kernel/rcu/sync.c:177
	Call Trace:
	percpu_free_rwsem+0x41/0x80 kernel/locking/percpu-rwsem.c:42
	destroy_super_work+0xec/0x130 fs/super.c:282
	process_one_work kernel/workqueue.c:3231 [inline]
	process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
	worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
	kthread+0x2f0/0x390 kernel/kthread.c:389
	ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
	ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

	As Christian Brauner pointed out [1]: the root cause is f2fs sets
	SB_RDONLY flag in internal function, rather than setting the flag
	covered w/ sb->s_umount semaphore via remount procedure, then below
	race condition causes this bug:

	- freeze_super()
	- sb_wait_write(sb, SB_FREEZE_WRITE)
	- sb_wait_write(sb, SB_FREEZE_PAGEFAULT)
	- sb_wait_write(sb, SB_FREEZE_FS)
	- f2fs_handle_critical_error
	- sb->s_flags \|= SB_RDONLY
	- thaw_super
	- thaw_super_locked
	- sb_rdonly() is true, so it skips
	sb_freeze_unlock(sb, SB_FREEZE_FS)
	- deactivate_locked_super

	Since f2fs has almost the same logic as ext4 [2] when handling critical
	error in filesystem if it mounts w/ errors=remount-ro option:
	- set CP_ERROR_FLAG flag which indicates filesystem is stopped
	- record errors to superblock
	- set SB_RDONLY falg
	Once we set CP_ERROR_FLAG flag, all writable interfaces can detect the
	flag and stop any further updates on filesystem. So, it is safe to not
	set SB_RDONLY flag, let's remove the logic and keep in line w/ ext4 [3].

	[1] https://lore.kernel.org/all/20240729-himbeeren-funknetz-96e62f9c7aee@brauner
	[2] https://lore.kernel.org/all/20240729132721.hxih6ehigadqf7wx@quack3
	[3] https://lore.kernel.org/linux-ext4/20240805201241.27286-1-jack@suse.cz

	The Linux kernel CVE team has assigned CVE-2024-47689 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.5 with commit b62e71be2110d8b52bf5faf3c3ed7ca1a0c113a5 and fixed in 6.6.54 with commit 649ec8b30df113042588bd3d3cd4e98bcb1091e0
	Issue introduced in 6.5 with commit b62e71be2110d8b52bf5faf3c3ed7ca1a0c113a5 and fixed in 6.10.13 with commit de43021c72993877a8f86f9fddfa0687609da5a4
	Issue introduced in 6.5 with commit b62e71be2110d8b52bf5faf3c3ed7ca1a0c113a5 and fixed in 6.11.2 with commit 1f63f405c1a1a64b9c310388aad7055fb86b245c
	Issue introduced in 6.5 with commit b62e71be2110d8b52bf5faf3c3ed7ca1a0c113a5 and fixed in 6.12 with commit 930c6ab93492c4b15436524e704950b364b2930c
	Issue introduced in 6.4.4 with commit ed1d478bf838820201f3fb67a1748fdf15954ea4

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-47689
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/f2fs/super.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/649ec8b30df113042588bd3d3cd4e98bcb1091e0
	https://git.kernel.org/stable/c/de43021c72993877a8f86f9fddfa0687609da5a4
	https://git.kernel.org/stable/c/1f63f405c1a1a64b9c310388aad7055fb86b245c
	https://git.kernel.org/stable/c/930c6ab93492c4b15436524e704950b364b2930c