cve/published/2024/CVE-2024-47690.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-47690: f2fs: get rid of online repaire on corrupted directory

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 f2fs: get rid of online repaire on corrupted directory

 syzbot reports a f2fs bug as below:

 kernel BUG at fs/f2fs/inode.c:896!
 RIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896
 Call Trace:
  evict+0x532/0x950 fs/inode.c:704
  dispose_list fs/inode.c:747 [inline]
  evict_inodes+0x5f9/0x690 fs/inode.c:797
  generic_shutdown_super+0x9d/0x2d0 fs/super.c:627
  kill_block_super+0x44/0x90 fs/super.c:1696
  kill_f2fs_super+0x344/0x690 fs/f2fs/super.c:4898
  deactivate_locked_super+0xc4/0x130 fs/super.c:473
  cleanup_mnt+0x41f/0x4b0 fs/namespace.c:1373
  task_work_run+0x24f/0x310 kernel/task_work.c:228
  ptrace_notify+0x2d2/0x380 kernel/signal.c:2402
  ptrace_report_syscall include/linux/ptrace.h:415 [inline]
  ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline]
  syscall_exit_work+0xc6/0x190 kernel/entry/common.c:173
  syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline]
  __syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline]
  syscall_exit_to_user_mode+0x279/0x370 kernel/entry/common.c:218
  do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
 RIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896

 Online repaire on corrupted directory in f2fs_lookup() can generate
 dirty data/meta while racing w/ readonly remount, it may leave dirty
 inode after filesystem becomes readonly, however, checkpoint() will
 skips flushing dirty inode in a state of readonly mode, result in
 above panic.

 Let's get rid of online repaire in f2fs_lookup(), and leave the work
 to fsck.f2fs.

 The Linux kernel CVE team has assigned CVE-2024-47690 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.1 with commit 510022a85839a8409d1e6a519bb86ce71a84f30a and fixed in 5.15.168 with commit e8d64f598eeb079c42a52deaa3a91312c736a49d
 	Issue introduced in 4.1 with commit 510022a85839a8409d1e6a519bb86ce71a84f30a and fixed in 6.1.113 with commit f4746f2d79507f65cfbde11d3c39ee8338aa50af
 	Issue introduced in 4.1 with commit 510022a85839a8409d1e6a519bb86ce71a84f30a and fixed in 6.6.54 with commit f9ce2f550d53d044ecfb5ce996406cf42cd6b84d
 	Issue introduced in 4.1 with commit 510022a85839a8409d1e6a519bb86ce71a84f30a and fixed in 6.10.13 with commit 8be95cd607478d85fa4626e86f811e785905bcbf
 	Issue introduced in 4.1 with commit 510022a85839a8409d1e6a519bb86ce71a84f30a and fixed in 6.11.2 with commit bcefd0b0611f35b560d0a7281d87529fbe7a1e32
 	Issue introduced in 4.1 with commit 510022a85839a8409d1e6a519bb86ce71a84f30a and fixed in 6.12 with commit 884ee6dc85b959bc152f15bca80c30f06069e6c4

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-47690
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/f2fs/f2fs.h
 	fs/f2fs/namei.c
 	include/linux/f2fs_fs.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e8d64f598eeb079c42a52deaa3a91312c736a49d
 	https://git.kernel.org/stable/c/f4746f2d79507f65cfbde11d3c39ee8338aa50af
 	https://git.kernel.org/stable/c/f9ce2f550d53d044ecfb5ce996406cf42cd6b84d
 	https://git.kernel.org/stable/c/8be95cd607478d85fa4626e86f811e785905bcbf
 	https://git.kernel.org/stable/c/bcefd0b0611f35b560d0a7281d87529fbe7a1e32
 	https://git.kernel.org/stable/c/884ee6dc85b959bc152f15bca80c30f06069e6c4
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-47690: f2fs: get rid of online repaire on corrupted directory

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	f2fs: get rid of online repaire on corrupted directory

	syzbot reports a f2fs bug as below:

	kernel BUG at fs/f2fs/inode.c:896!
	RIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896
	Call Trace:
	evict+0x532/0x950 fs/inode.c:704
	dispose_list fs/inode.c:747 [inline]
	evict_inodes+0x5f9/0x690 fs/inode.c:797
	generic_shutdown_super+0x9d/0x2d0 fs/super.c:627
	kill_block_super+0x44/0x90 fs/super.c:1696
	kill_f2fs_super+0x344/0x690 fs/f2fs/super.c:4898
	deactivate_locked_super+0xc4/0x130 fs/super.c:473
	cleanup_mnt+0x41f/0x4b0 fs/namespace.c:1373
	task_work_run+0x24f/0x310 kernel/task_work.c:228
	ptrace_notify+0x2d2/0x380 kernel/signal.c:2402
	ptrace_report_syscall include/linux/ptrace.h:415 [inline]
	ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline]
	syscall_exit_work+0xc6/0x190 kernel/entry/common.c:173
	syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline]
	__syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline]
	syscall_exit_to_user_mode+0x279/0x370 kernel/entry/common.c:218
	do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
	entry_SYSCALL_64_after_hwframe+0x77/0x7f
	RIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896

	Online repaire on corrupted directory in f2fs_lookup() can generate
	dirty data/meta while racing w/ readonly remount, it may leave dirty
	inode after filesystem becomes readonly, however, checkpoint() will
	skips flushing dirty inode in a state of readonly mode, result in
	above panic.

	Let's get rid of online repaire in f2fs_lookup(), and leave the work
	to fsck.f2fs.

	The Linux kernel CVE team has assigned CVE-2024-47690 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.1 with commit 510022a85839a8409d1e6a519bb86ce71a84f30a and fixed in 5.15.168 with commit e8d64f598eeb079c42a52deaa3a91312c736a49d
	Issue introduced in 4.1 with commit 510022a85839a8409d1e6a519bb86ce71a84f30a and fixed in 6.1.113 with commit f4746f2d79507f65cfbde11d3c39ee8338aa50af
	Issue introduced in 4.1 with commit 510022a85839a8409d1e6a519bb86ce71a84f30a and fixed in 6.6.54 with commit f9ce2f550d53d044ecfb5ce996406cf42cd6b84d
	Issue introduced in 4.1 with commit 510022a85839a8409d1e6a519bb86ce71a84f30a and fixed in 6.10.13 with commit 8be95cd607478d85fa4626e86f811e785905bcbf
	Issue introduced in 4.1 with commit 510022a85839a8409d1e6a519bb86ce71a84f30a and fixed in 6.11.2 with commit bcefd0b0611f35b560d0a7281d87529fbe7a1e32
	Issue introduced in 4.1 with commit 510022a85839a8409d1e6a519bb86ce71a84f30a and fixed in 6.12 with commit 884ee6dc85b959bc152f15bca80c30f06069e6c4

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-47690
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/f2fs/f2fs.h
	fs/f2fs/namei.c
	include/linux/f2fs_fs.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e8d64f598eeb079c42a52deaa3a91312c736a49d
	https://git.kernel.org/stable/c/f4746f2d79507f65cfbde11d3c39ee8338aa50af
	https://git.kernel.org/stable/c/f9ce2f550d53d044ecfb5ce996406cf42cd6b84d
	https://git.kernel.org/stable/c/8be95cd607478d85fa4626e86f811e785905bcbf
	https://git.kernel.org/stable/c/bcefd0b0611f35b560d0a7281d87529fbe7a1e32
	https://git.kernel.org/stable/c/884ee6dc85b959bc152f15bca80c30f06069e6c4