| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-26832: mm: zswap: fix missing folio cleanup in writeback race path |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| mm: zswap: fix missing folio cleanup in writeback race path |
| |
| In zswap_writeback_entry(), after we get a folio from |
| __read_swap_cache_async(), we grab the tree lock again to check that the |
| swap entry was not invalidated and recycled. If it was, we delete the |
| folio we just added to the swap cache and exit. |
| |
| However, __read_swap_cache_async() returns the folio locked when it is |
| newly allocated, which is always true for this path, and the folio is |
| ref'd. Make sure to unlock and put the folio before returning. |
| |
| This was discovered by code inspection, probably because this path handles |
| a race condition that should not happen often, and the bug would not crash |
| the system, it will only strand the folio indefinitely. |
| |
| The Linux kernel CVE team has assigned CVE-2024-26832 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 6.1.30 with commit 2cab13f500a6333bd2b853783ac76be9e4956f8a and fixed in 6.1.80 with commit 14f1992430ef9e647b02aa8ca12c5bcb9a1dffea |
| Issue introduced in 6.4 with commit 04fc7816089c5a32c29a04ec94b998e219dfb946 and fixed in 6.6.19 with commit 6156277d1b26cb3fdb6fcbf0686ab78268571644 |
| Issue introduced in 6.4 with commit 04fc7816089c5a32c29a04ec94b998e219dfb946 and fixed in 6.7.7 with commit e2891c763aa2cff74dd6b5e978411ccf0cf94abe |
| Issue introduced in 6.4 with commit 04fc7816089c5a32c29a04ec94b998e219dfb946 and fixed in 6.8 with commit e3b63e966cac0bf78aaa1efede1827a252815a1d |
| Issue introduced in 6.3.4 with commit ba700ea13bf0105a4773c654f7d3bef8adb64ab2 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-26832 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| mm/zswap.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/14f1992430ef9e647b02aa8ca12c5bcb9a1dffea |
| https://git.kernel.org/stable/c/6156277d1b26cb3fdb6fcbf0686ab78268571644 |
| https://git.kernel.org/stable/c/e2891c763aa2cff74dd6b5e978411ccf0cf94abe |
| https://git.kernel.org/stable/c/e3b63e966cac0bf78aaa1efede1827a252815a1d |
