| From bippy-1.1.0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@kernel.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2023-53089: ext4: fix task hung in ext4_xattr_delete_inode |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| ext4: fix task hung in ext4_xattr_delete_inode |
| |
| Syzbot reported a hung task problem: |
| ================================================================== |
| INFO: task syz-executor232:5073 blocked for more than 143 seconds. |
| Not tainted 6.2.0-rc2-syzkaller-00024-g512dee0c00ad #0 |
| "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. |
| task:syz-exec232 state:D stack:21024 pid:5073 ppid:5072 flags:0x00004004 |
| Call Trace: |
| <TASK> |
| context_switch kernel/sched/core.c:5244 [inline] |
| __schedule+0x995/0xe20 kernel/sched/core.c:6555 |
| schedule+0xcb/0x190 kernel/sched/core.c:6631 |
| __wait_on_freeing_inode fs/inode.c:2196 [inline] |
| find_inode_fast+0x35a/0x4c0 fs/inode.c:950 |
| iget_locked+0xb1/0x830 fs/inode.c:1273 |
| __ext4_iget+0x22e/0x3ed0 fs/ext4/inode.c:4861 |
| ext4_xattr_inode_iget+0x68/0x4e0 fs/ext4/xattr.c:389 |
| ext4_xattr_inode_dec_ref_all+0x1a7/0xe50 fs/ext4/xattr.c:1148 |
| ext4_xattr_delete_inode+0xb04/0xcd0 fs/ext4/xattr.c:2880 |
| ext4_evict_inode+0xd7c/0x10b0 fs/ext4/inode.c:296 |
| evict+0x2a4/0x620 fs/inode.c:664 |
| ext4_orphan_cleanup+0xb60/0x1340 fs/ext4/orphan.c:474 |
| __ext4_fill_super fs/ext4/super.c:5516 [inline] |
| ext4_fill_super+0x81cd/0x8700 fs/ext4/super.c:5644 |
| get_tree_bdev+0x400/0x620 fs/super.c:1282 |
| vfs_get_tree+0x88/0x270 fs/super.c:1489 |
| do_new_mount+0x289/0xad0 fs/namespace.c:3145 |
| do_mount fs/namespace.c:3488 [inline] |
| __do_sys_mount fs/namespace.c:3697 [inline] |
| __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674 |
| do_syscall_x64 arch/x86/entry/common.c:50 [inline] |
| do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 |
| entry_SYSCALL_64_after_hwframe+0x63/0xcd |
| RIP: 0033:0x7fa5406fd5ea |
| RSP: 002b:00007ffc7232f968 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 |
| RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fa5406fd5ea |
| RDX: 0000000020000440 RSI: 0000000020000000 RDI: 00007ffc7232f970 |
| RBP: 00007ffc7232f970 R08: 00007ffc7232f9b0 R09: 0000000000000432 |
| R10: 0000000000804a03 R11: 0000000000000202 R12: 0000000000000004 |
| R13: 0000555556a7a2c0 R14: 00007ffc7232f9b0 R15: 0000000000000000 |
| </TASK> |
| ================================================================== |
| |
| The problem is that the inode contains an xattr entry with ea_inum of 15 |
| when cleaning up an orphan inode <15>. When evict inode <15>, the reference |
| counting of the corresponding EA inode is decreased. When EA inode <15> is |
| found by find_inode_fast() in __ext4_iget(), it is found that the EA inode |
| holds the I_FREEING flag and waits for the EA inode to complete deletion. |
| As a result, when inode <15> is being deleted, we wait for inode <15> to |
| complete the deletion, resulting in an infinite loop and triggering Hung |
| Task. To solve this problem, we only need to check whether the ino of EA |
| inode and parent is the same before getting EA inode. |
| |
| The Linux kernel CVE team has assigned CVE-2023-53089 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Fixed in 4.14.311 with commit efddc7e106fdf8d1f62d45e79de78f63b7c04fba |
| Fixed in 4.19.279 with commit 64b72f5e7574020dea62ab733d88a54d903c42a1 |
| Fixed in 5.4.238 with commit 2c96c52aeaa6fd9163cfacdd98778b4a0398ef18 |
| Fixed in 5.10.176 with commit a98160d8f3e6242ca9b7f443f26e7ef3a61ba684 |
| Fixed in 5.15.104 with commit 1aec41c98cce61d19ce89650895e51b9f3cdef13 |
| Fixed in 6.1.21 with commit 94fd091576b12540924f6316ebc0678e84cb2800 |
| Fixed in 6.2.8 with commit 73f7987fe1b82596f1a380e85cd0097ebaae7e01 |
| Fixed in 6.3 with commit 0f7bfd6f8164be32dbbdf36aa1e5d00485c53cd7 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2023-53089 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| fs/ext4/xattr.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/efddc7e106fdf8d1f62d45e79de78f63b7c04fba |
| https://git.kernel.org/stable/c/64b72f5e7574020dea62ab733d88a54d903c42a1 |
| https://git.kernel.org/stable/c/2c96c52aeaa6fd9163cfacdd98778b4a0398ef18 |
| https://git.kernel.org/stable/c/a98160d8f3e6242ca9b7f443f26e7ef3a61ba684 |
| https://git.kernel.org/stable/c/1aec41c98cce61d19ce89650895e51b9f3cdef13 |
| https://git.kernel.org/stable/c/94fd091576b12540924f6316ebc0678e84cb2800 |
| https://git.kernel.org/stable/c/73f7987fe1b82596f1a380e85cd0097ebaae7e01 |
| https://git.kernel.org/stable/c/0f7bfd6f8164be32dbbdf36aa1e5d00485c53cd7 |
