cve/published/2022/CVE-2022-49327.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49327: bcache: avoid journal no-space deadlock by reserving 1 journal bucket

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bcache: avoid journal no-space deadlock by reserving 1 journal bucket

 The journal no-space deadlock was reported time to time. Such deadlock
 can happen in the following situation.

 When all journal buckets are fully filled by active jset with heavy
 write I/O load, the cache set registration (after a reboot) will load
 all active jsets and inserting them into the btree again (which is
 called journal replay). If a journaled bkey is inserted into a btree
 node and results btree node split, new journal request might be
 triggered. For example, the btree grows one more level after the node
 split, then the root node record in cache device super block will be
 upgrade by bch_journal_meta() from bch_btree_set_root(). But there is no
 space in journal buckets, the journal replay has to wait for new journal
 bucket to be reclaimed after at least one journal bucket replayed. This
 is one example that how the journal no-space deadlock happens.

 The solution to avoid the deadlock is to reserve 1 journal bucket in
 run time, and only permit the reserved journal bucket to be used during
 cache set registration procedure for things like journal replay. Then
 the journal space will never be fully filled, there is no chance for
 journal no-space deadlock to happen anymore.

 This patch adds a new member "bool do_reserve" in struct journal, it is
 inititalized to 0 (false) when struct journal is allocated, and set to
 1 (true) by bch_journal_space_reserve() when all initialization done in
 run_cache_set(). In the run time when journal_reclaim() tries to
 allocate a new journal bucket, free_journal_buckets() is called to check
 whether there are enough free journal buckets to use. If there is only
 1 free journal bucket and journal->do_reserve is 1 (true), the last
 bucket is reserved and free_journal_buckets() will return 0 to indicate
 no free journal bucket. Then journal_reclaim() will give up, and try
 next time to see whetheer there is free journal bucket to allocate. By
 this method, there is always 1 jouranl bucket reserved in run time.

 During the cache set registration, journal->do_reserve is 0 (false), so
 the reserved journal bucket can be used to avoid the no-space deadlock.

 The Linux kernel CVE team has assigned CVE-2022-49327 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.10.121 with commit 59afd4f287900c8187e968a4153ed35e6b48efce
 	Fixed in 5.15.46 with commit 5607652823ac65e2c6885e73bd46d5a4f9a20363
 	Fixed in 5.17.14 with commit 6332ea3e35efa12dc08f0cbf5faea5e6e8eb0497
 	Fixed in 5.18.3 with commit 1dda32aed6f62c163f38ff947ef5b3360e329159
 	Fixed in 5.19 with commit 32feee36c30ea06e38ccb8ae6e5c44c6eec790a6

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49327
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/md/bcache/journal.c
 	drivers/md/bcache/journal.h
 	drivers/md/bcache/super.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/59afd4f287900c8187e968a4153ed35e6b48efce
 	https://git.kernel.org/stable/c/5607652823ac65e2c6885e73bd46d5a4f9a20363
 	https://git.kernel.org/stable/c/6332ea3e35efa12dc08f0cbf5faea5e6e8eb0497
 	https://git.kernel.org/stable/c/1dda32aed6f62c163f38ff947ef5b3360e329159
 	https://git.kernel.org/stable/c/32feee36c30ea06e38ccb8ae6e5c44c6eec790a6
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49327: bcache: avoid journal no-space deadlock by reserving 1 journal bucket

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bcache: avoid journal no-space deadlock by reserving 1 journal bucket

	The journal no-space deadlock was reported time to time. Such deadlock
	can happen in the following situation.

	When all journal buckets are fully filled by active jset with heavy
	write I/O load, the cache set registration (after a reboot) will load
	all active jsets and inserting them into the btree again (which is
	called journal replay). If a journaled bkey is inserted into a btree
	node and results btree node split, new journal request might be
	triggered. For example, the btree grows one more level after the node
	split, then the root node record in cache device super block will be
	upgrade by bch_journal_meta() from bch_btree_set_root(). But there is no
	space in journal buckets, the journal replay has to wait for new journal
	bucket to be reclaimed after at least one journal bucket replayed. This
	is one example that how the journal no-space deadlock happens.

	The solution to avoid the deadlock is to reserve 1 journal bucket in
	run time, and only permit the reserved journal bucket to be used during
	cache set registration procedure for things like journal replay. Then
	the journal space will never be fully filled, there is no chance for
	journal no-space deadlock to happen anymore.

	This patch adds a new member "bool do_reserve" in struct journal, it is
	inititalized to 0 (false) when struct journal is allocated, and set to
	1 (true) by bch_journal_space_reserve() when all initialization done in
	run_cache_set(). In the run time when journal_reclaim() tries to
	allocate a new journal bucket, free_journal_buckets() is called to check
	whether there are enough free journal buckets to use. If there is only
	1 free journal bucket and journal->do_reserve is 1 (true), the last
	bucket is reserved and free_journal_buckets() will return 0 to indicate
	no free journal bucket. Then journal_reclaim() will give up, and try
	next time to see whetheer there is free journal bucket to allocate. By
	this method, there is always 1 jouranl bucket reserved in run time.

	During the cache set registration, journal->do_reserve is 0 (false), so
	the reserved journal bucket can be used to avoid the no-space deadlock.

	The Linux kernel CVE team has assigned CVE-2022-49327 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.10.121 with commit 59afd4f287900c8187e968a4153ed35e6b48efce
	Fixed in 5.15.46 with commit 5607652823ac65e2c6885e73bd46d5a4f9a20363
	Fixed in 5.17.14 with commit 6332ea3e35efa12dc08f0cbf5faea5e6e8eb0497
	Fixed in 5.18.3 with commit 1dda32aed6f62c163f38ff947ef5b3360e329159
	Fixed in 5.19 with commit 32feee36c30ea06e38ccb8ae6e5c44c6eec790a6

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49327
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/md/bcache/journal.c
	drivers/md/bcache/journal.h
	drivers/md/bcache/super.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/59afd4f287900c8187e968a4153ed35e6b48efce
	https://git.kernel.org/stable/c/5607652823ac65e2c6885e73bd46d5a4f9a20363
	https://git.kernel.org/stable/c/6332ea3e35efa12dc08f0cbf5faea5e6e8eb0497
	https://git.kernel.org/stable/c/1dda32aed6f62c163f38ff947ef5b3360e329159
	https://git.kernel.org/stable/c/32feee36c30ea06e38ccb8ae6e5c44c6eec790a6