| { |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" |
| }, |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-iolatency: Fix inflight count imbalances and IO hangs on offline\n\niolatency needs to track the number of inflight IOs per cgroup. As this\ntracking can be expensive, it is disabled when no cgroup has iolatency\nconfigured for the device. To ensure that the inflight counters stay\nbalanced, iolatency_set_limit() freezes the request_queue while manipulating\nthe enabled counter, which ensures that no IO is in flight and thus all\ncounters are zero.\n\nUnfortunately, iolatency_set_limit() isn't the only place where the enabled\ncounter is manipulated. iolatency_pd_offline() can also dec the counter and\ntrigger disabling. As this disabling happens without freezing the q, this\ncan easily happen while some IOs are in flight and thus leak the counts.\n\nThis can be easily demonstrated by turning on iolatency on one empty\ncgroup while IOs are in flight in other cgroups and then removing the\ncgroup. Note that iolatency shouldn't have been enabled elsewhere in the\nsystem to ensure that removing the cgroup disables iolatency for the whole\ndevice.\n\nThe following keeps flipping on and off iolatency on sda:\n\n  echo +io > /sys/fs/cgroup/cgroup.subtree_control\n  while true; do\n      mkdir -p /sys/fs/cgroup/test\n      echo '8:0 target=100000' > /sys/fs/cgroup/test/io.latency\n      sleep 1\n      rmdir /sys/fs/cgroup/test\n      sleep 1\n  done\n\nand there's concurrent fio generating direct rand reads:\n\n  fio --name test --filename=/dev/sda --direct=1 --rw=randread \\\n      --runtime=600 --time_based --iodepth=256 --numjobs=4 --bs=4k\n\nwhile monitoring with the following drgn script:\n\n  while True:\n      for css in css_for_each_descendant_pre(prog['blkcg_root'].css.address_of_()):\n          for pos in hlist_for_each(container_of(css, 'struct blkcg', 'css').blkg_list):\n              blkg = container_of(pos, 'struct blkcg_gq', 'blkcg_node')\n              pd = blkg.pd[prog['blkcg_policy_iolatency'].plid]\n              if pd.value_() == 0:\n                  continue\n              iolat = container_of(pd, 'struct iolatency_grp', 'pd')\n              inflight = iolat.rq_wait.inflight.counter.value_()\n              if inflight:\n                  print(f'inflight={inflight} {disk_name(blkg.q.disk).decode(\"utf-8\")} '\n                        f'{cgroup_path(css.cgroup).decode(\"utf-8\")}')\n      time.sleep(1)\n\nThe monitoring output looks like the following:\n\n  inflight=1 sda /user.slice\n  inflight=1 sda /user.slice\n  ...\n  inflight=14 sda /user.slice\n  inflight=13 sda /user.slice\n  inflight=17 sda /user.slice\n  inflight=15 sda /user.slice\n  inflight=18 sda /user.slice\n  inflight=17 sda /user.slice\n  inflight=20 sda /user.slice\n  inflight=19 sda /user.slice <- fio stopped, inflight stuck at 19\n  inflight=19 sda /user.slice\n  inflight=19 sda /user.slice\n\nIf a cgroup with stuck inflight ends up getting throttled, the throttled IOs\nwill never get issued as there's no completion event to wake it up leading\nto an indefinite hang.\n\nThis patch fixes the bug by unifying enable handling into a work item which\nis automatically kicked off from iolatency_set_min_lat_nsec() which is\ncalled from both iolatency_set_limit() and iolatency_pd_offline() paths.\nPunting to a work item is necessary as iolatency_pd_offline() is called\nunder spinlocks while freezing a request_queue requires a sleepable context.\n\nThis also simplifies the code reducing LOC sans the comments and avoids the\nunnecessary freezes which were happening whenever a cgroup's latency target\nis newly set or cleared." |
| } |
| ], |
| "affected": [ |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "unaffected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "block/blk-iolatency.c" |
| ], |
| "versions": [ |
| { |
| "version": "6d482bc5697763eb1214f207286daa201b32d20a", |
| "lessThan": "515d077ee3085ae343b6bea7fd031f9906645f38", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "8c772a9bfc7c07c76f4a58b58910452fbb20843b", |
| "lessThan": "d19fa8f252000d141f9199ca32959c50314e1f05", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "8c772a9bfc7c07c76f4a58b58910452fbb20843b", |
| "lessThan": "77692c02e1517c54f2fd0535f41aa4286ac9f140", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "8c772a9bfc7c07c76f4a58b58910452fbb20843b", |
| "lessThan": "a30acbb5dfb7bcc813ad6a18ca31011ac44e5547", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "8c772a9bfc7c07c76f4a58b58910452fbb20843b", |
| "lessThan": "968f7a239c590454ffba79c126fbe0e963a0ba78", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "8c772a9bfc7c07c76f4a58b58910452fbb20843b", |
| "lessThan": "5b0ff3ebbef791341695b718f8d2870869cf1d01", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "8c772a9bfc7c07c76f4a58b58910452fbb20843b", |
| "lessThan": "8a177a36da6c54c98b8685d4f914cb3637d53c0d", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "beed6109acd4efc2f1717c31bddcd0ad7ebbf253", |
| "status": "affected", |
| "versionType": "git" |
| } |
| ] |
| }, |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "affected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "block/blk-iolatency.c" |
| ], |
| "versions": [ |
| { |
| "version": "5.0", |
| "status": "affected" |
| }, |
| { |
| "version": "0", |
| "lessThan": "5.0", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "4.19.247", |
| "lessThanOrEqual": "4.19.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.4.198", |
| "lessThanOrEqual": "5.4.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.10.121", |
| "lessThanOrEqual": "5.10.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.15.46", |
| "lessThanOrEqual": "5.15.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.17.14", |
| "lessThanOrEqual": "5.17.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.18.3", |
| "lessThanOrEqual": "5.18.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.19", |
| "lessThanOrEqual": "*", |
| "status": "unaffected", |
| "versionType": "original_commit_for_fix" |
| } |
| ] |
| } |
| ], |
| "cpeApplicability": [ |
| { |
| "nodes": [ |
| { |
| "operator": "OR", |
| "negate": false, |
| "cpeMatch": [ |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.19.29", |
| "versionEndExcluding": "4.19.247" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.0", |
| "versionEndExcluding": "5.4.198" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.0", |
| "versionEndExcluding": "5.10.121" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.0", |
| "versionEndExcluding": "5.15.46" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.0", |
| "versionEndExcluding": "5.17.14" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.0", |
| "versionEndExcluding": "5.18.3" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.0", |
| "versionEndExcluding": "5.19" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "4.20.16" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://git.kernel.org/stable/c/515d077ee3085ae343b6bea7fd031f9906645f38" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/d19fa8f252000d141f9199ca32959c50314e1f05" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/77692c02e1517c54f2fd0535f41aa4286ac9f140" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/a30acbb5dfb7bcc813ad6a18ca31011ac44e5547" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/968f7a239c590454ffba79c126fbe0e963a0ba78" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/5b0ff3ebbef791341695b718f8d2870869cf1d01" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/8a177a36da6c54c98b8685d4f914cb3637d53c0d" |
| } |
| ], |
| "title": "blk-iolatency: Fix inflight count imbalances and IO hangs on offline", |
| "x_generator": { |
| "engine": "bippy-1.2.0" |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", |
| "cveID": "CVE-2022-49394", |
| "requesterUserId": "gregkh@kernel.org", |
| "serial": "1", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |