cve/published/2022/CVE-2022-49297.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49297: nbd: fix io hung while disconnecting device

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 nbd: fix io hung while disconnecting device

 In our tests, "qemu-nbd" triggers a io hung:

 INFO: task qemu-nbd:11445 blocked for more than 368 seconds.
       Not tainted 5.18.0-rc3-next-20220422-00003-g2176915513ca #884
 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
 task:qemu-nbd        state:D stack:    0 pid:11445 ppid:     1 flags:0x00000000
 Call Trace:
  <TASK>
  __schedule+0x480/0x1050
  ? _raw_spin_lock_irqsave+0x3e/0xb0
  schedule+0x9c/0x1b0
  blk_mq_freeze_queue_wait+0x9d/0xf0
  ? ipi_rseq+0x70/0x70
  blk_mq_freeze_queue+0x2b/0x40
  nbd_add_socket+0x6b/0x270 [nbd]
  nbd_ioctl+0x383/0x510 [nbd]
  blkdev_ioctl+0x18e/0x3e0
  __x64_sys_ioctl+0xac/0x120
  do_syscall_64+0x35/0x80
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7fd8ff706577
 RSP: 002b:00007fd8fcdfebf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
 RAX: ffffffffffffffda RBX: 0000000040000000 RCX: 00007fd8ff706577
 RDX: 000000000000000d RSI: 000000000000ab00 RDI: 000000000000000f
 RBP: 000000000000000f R08: 000000000000fbe8 R09: 000055fe497c62b0
 R10: 00000002aff20000 R11: 0000000000000246 R12: 000000000000006d
 R13: 0000000000000000 R14: 00007ffe82dc5e70 R15: 00007fd8fcdff9c0

 "qemu-ndb -d" will call ioctl 'NBD_DISCONNECT' first, however, following
 message was found:

 block nbd0: Send disconnect failed -32

 Which indicate that something is wrong with the server. Then,
 "qemu-nbd -d" will call ioctl 'NBD_CLEAR_SOCK', however ioctl can't clear
 requests after commit 2516ab1543fd("nbd: only clear the queue on device
 teardown"). And in the meantime, request can't complete through timeout
 because nbd_xmit_timeout() will always return 'BLK_EH_RESET_TIMER', which
 means such request will never be completed in this situation.

 Now that the flag 'NBD_CMD_INFLIGHT' can make sure requests won't
 complete multiple times, switch back to call nbd_clear_sock() in
 nbd_clear_sock_ioctl(), so that inflight requests can be cleared.

 The Linux kernel CVE team has assigned CVE-2022-49297 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.14.283 with commit 67e403136a0e1a55fef6a05f103a3979a39ad3fd
 	Fixed in 4.19.247 with commit 62d227f67a8c25d5e16f40e5290607f9306d2188
 	Fixed in 5.4.198 with commit 69893d6d7f5c10d8306c1b5fc64b71efc91aa6cd
 	Fixed in 5.10.122 with commit f72df77600a43e59b3189e53b47f8685739867d3
 	Fixed in 5.15.47 with commit c4ba982bd5084fa659ef518aaf159e4dab02ecda
 	Fixed in 5.17.15 with commit 54b06dc2a206b4d67349bb56b92d4bd32700b7b1
 	Fixed in 5.18.4 with commit 141318e62db87105b0103fccc59c9c5940da248d
 	Fixed in 5.19 with commit 09dadb5985023e27d4740ebd17e6fea4640110e5

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49297
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/block/nbd.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/67e403136a0e1a55fef6a05f103a3979a39ad3fd
 	https://git.kernel.org/stable/c/62d227f67a8c25d5e16f40e5290607f9306d2188
 	https://git.kernel.org/stable/c/69893d6d7f5c10d8306c1b5fc64b71efc91aa6cd
 	https://git.kernel.org/stable/c/f72df77600a43e59b3189e53b47f8685739867d3
 	https://git.kernel.org/stable/c/c4ba982bd5084fa659ef518aaf159e4dab02ecda
 	https://git.kernel.org/stable/c/54b06dc2a206b4d67349bb56b92d4bd32700b7b1
 	https://git.kernel.org/stable/c/141318e62db87105b0103fccc59c9c5940da248d
 	https://git.kernel.org/stable/c/09dadb5985023e27d4740ebd17e6fea4640110e5
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49297: nbd: fix io hung while disconnecting device

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	nbd: fix io hung while disconnecting device

	In our tests, "qemu-nbd" triggers a io hung:

	INFO: task qemu-nbd:11445 blocked for more than 368 seconds.
	Not tainted 5.18.0-rc3-next-20220422-00003-g2176915513ca #884
	"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
	task:qemu-nbd state:D stack: 0 pid:11445 ppid: 1 flags:0x00000000
	Call Trace:
	<TASK>
	__schedule+0x480/0x1050
	? _raw_spin_lock_irqsave+0x3e/0xb0
	schedule+0x9c/0x1b0
	blk_mq_freeze_queue_wait+0x9d/0xf0
	? ipi_rseq+0x70/0x70
	blk_mq_freeze_queue+0x2b/0x40
	nbd_add_socket+0x6b/0x270 [nbd]
	nbd_ioctl+0x383/0x510 [nbd]
	blkdev_ioctl+0x18e/0x3e0
	__x64_sys_ioctl+0xac/0x120
	do_syscall_64+0x35/0x80
	entry_SYSCALL_64_after_hwframe+0x44/0xae
	RIP: 0033:0x7fd8ff706577
	RSP: 002b:00007fd8fcdfebf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
	RAX: ffffffffffffffda RBX: 0000000040000000 RCX: 00007fd8ff706577
	RDX: 000000000000000d RSI: 000000000000ab00 RDI: 000000000000000f
	RBP: 000000000000000f R08: 000000000000fbe8 R09: 000055fe497c62b0
	R10: 00000002aff20000 R11: 0000000000000246 R12: 000000000000006d
	R13: 0000000000000000 R14: 00007ffe82dc5e70 R15: 00007fd8fcdff9c0

	"qemu-ndb -d" will call ioctl 'NBD_DISCONNECT' first, however, following
	message was found:

	block nbd0: Send disconnect failed -32

	Which indicate that something is wrong with the server. Then,
	"qemu-nbd -d" will call ioctl 'NBD_CLEAR_SOCK', however ioctl can't clear
	requests after commit 2516ab1543fd("nbd: only clear the queue on device
	teardown"). And in the meantime, request can't complete through timeout
	because nbd_xmit_timeout() will always return 'BLK_EH_RESET_TIMER', which
	means such request will never be completed in this situation.

	Now that the flag 'NBD_CMD_INFLIGHT' can make sure requests won't
	complete multiple times, switch back to call nbd_clear_sock() in
	nbd_clear_sock_ioctl(), so that inflight requests can be cleared.

	The Linux kernel CVE team has assigned CVE-2022-49297 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.14.283 with commit 67e403136a0e1a55fef6a05f103a3979a39ad3fd
	Fixed in 4.19.247 with commit 62d227f67a8c25d5e16f40e5290607f9306d2188
	Fixed in 5.4.198 with commit 69893d6d7f5c10d8306c1b5fc64b71efc91aa6cd
	Fixed in 5.10.122 with commit f72df77600a43e59b3189e53b47f8685739867d3
	Fixed in 5.15.47 with commit c4ba982bd5084fa659ef518aaf159e4dab02ecda
	Fixed in 5.17.15 with commit 54b06dc2a206b4d67349bb56b92d4bd32700b7b1
	Fixed in 5.18.4 with commit 141318e62db87105b0103fccc59c9c5940da248d
	Fixed in 5.19 with commit 09dadb5985023e27d4740ebd17e6fea4640110e5

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49297
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/block/nbd.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/67e403136a0e1a55fef6a05f103a3979a39ad3fd
	https://git.kernel.org/stable/c/62d227f67a8c25d5e16f40e5290607f9306d2188
	https://git.kernel.org/stable/c/69893d6d7f5c10d8306c1b5fc64b71efc91aa6cd
	https://git.kernel.org/stable/c/f72df77600a43e59b3189e53b47f8685739867d3
	https://git.kernel.org/stable/c/c4ba982bd5084fa659ef518aaf159e4dab02ecda
	https://git.kernel.org/stable/c/54b06dc2a206b4d67349bb56b92d4bd32700b7b1
	https://git.kernel.org/stable/c/141318e62db87105b0103fccc59c9c5940da248d
	https://git.kernel.org/stable/c/09dadb5985023e27d4740ebd17e6fea4640110e5