cve/published/2024/CVE-2024-49959.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-49959: jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error

 In __jbd2_log_wait_for_space(), we might call jbd2_cleanup_journal_tail()
 to recover some journal space. But if an error occurs while executing
 jbd2_cleanup_journal_tail() (e.g., an EIO), we don't stop waiting for free
 space right away, we try other branches, and if j_committing_transaction
 is NULL (i.e., the tid is 0), we will get the following complain:

 ============================================
 JBD2: I/O error when updating journal superblock for sdd-8.
 __jbd2_log_wait_for_space: needed 256 blocks and only had 217 space available
 __jbd2_log_wait_for_space: no way to get more journal space in sdd-8
 ------------[ cut here ]------------
 WARNING: CPU: 2 PID: 139804 at fs/jbd2/checkpoint.c:109 __jbd2_log_wait_for_space+0x251/0x2e0
 Modules linked in:
 CPU: 2 PID: 139804 Comm: kworker/u8:3 Not tainted 6.6.0+ #1
 RIP: 0010:__jbd2_log_wait_for_space+0x251/0x2e0
 Call Trace:
  <TASK>
  add_transaction_credits+0x5d1/0x5e0
  start_this_handle+0x1ef/0x6a0
  jbd2__journal_start+0x18b/0x340
  ext4_dirty_inode+0x5d/0xb0
  __mark_inode_dirty+0xe4/0x5d0
  generic_update_time+0x60/0x70
 [...]
 ============================================

 So only if jbd2_cleanup_journal_tail() returns 1, i.e., there is nothing to
 clean up at the moment, continue to try to reclaim free space in other ways.

 Note that this fix relies on commit 6f6a6fda2945 ("jbd2: fix ocfs2 corrupt
 when updating journal superblock fails") to make jbd2_cleanup_journal_tail
 return the correct error code.

 The Linux kernel CVE team has assigned CVE-2024-49959 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.28 with commit 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 and fixed in 4.19.323 with commit 801a35dfef6996f3d5eaa96a59caf00440d9165e
 	Issue introduced in 2.6.28 with commit 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 and fixed in 5.4.285 with commit d5dc65370a746750dbb2f03eabcf86b18db65f32
 	Issue introduced in 2.6.28 with commit 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 and fixed in 5.10.227 with commit 481e8f18a290e39e04ddb7feb2bb2a2cc3b213ed
 	Issue introduced in 2.6.28 with commit 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 and fixed in 5.15.168 with commit ec7f8337c98ad281020ad1f11ba492462d80737a
 	Issue introduced in 2.6.28 with commit 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 and fixed in 6.1.113 with commit 70bae48377a2c4296fd3caf4caf8f11079111019
 	Issue introduced in 2.6.28 with commit 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 and fixed in 6.6.55 with commit 1c62dc0d82c62f0dc8fcdc4843208e522acccaf5
 	Issue introduced in 2.6.28 with commit 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 and fixed in 6.10.14 with commit 3ced0fe6c0eff032733ea8b38778b34707270138
 	Issue introduced in 2.6.28 with commit 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 and fixed in 6.11.3 with commit c6bf043b210eac67d35a114e345c4e5585672913
 	Issue introduced in 2.6.28 with commit 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 and fixed in 6.12 with commit f5cacdc6f2bb2a9bf214469dd7112b43dd2dd68a

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-49959
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/jbd2/checkpoint.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/801a35dfef6996f3d5eaa96a59caf00440d9165e
 	https://git.kernel.org/stable/c/d5dc65370a746750dbb2f03eabcf86b18db65f32
 	https://git.kernel.org/stable/c/481e8f18a290e39e04ddb7feb2bb2a2cc3b213ed
 	https://git.kernel.org/stable/c/ec7f8337c98ad281020ad1f11ba492462d80737a
 	https://git.kernel.org/stable/c/70bae48377a2c4296fd3caf4caf8f11079111019
 	https://git.kernel.org/stable/c/1c62dc0d82c62f0dc8fcdc4843208e522acccaf5
 	https://git.kernel.org/stable/c/3ced0fe6c0eff032733ea8b38778b34707270138
 	https://git.kernel.org/stable/c/c6bf043b210eac67d35a114e345c4e5585672913
 	https://git.kernel.org/stable/c/f5cacdc6f2bb2a9bf214469dd7112b43dd2dd68a
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-49959: jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error

	In __jbd2_log_wait_for_space(), we might call jbd2_cleanup_journal_tail()
	to recover some journal space. But if an error occurs while executing
	jbd2_cleanup_journal_tail() (e.g., an EIO), we don't stop waiting for free
	space right away, we try other branches, and if j_committing_transaction
	is NULL (i.e., the tid is 0), we will get the following complain:

	============================================
	JBD2: I/O error when updating journal superblock for sdd-8.
	__jbd2_log_wait_for_space: needed 256 blocks and only had 217 space available
	__jbd2_log_wait_for_space: no way to get more journal space in sdd-8
	------------[ cut here ]------------
	WARNING: CPU: 2 PID: 139804 at fs/jbd2/checkpoint.c:109 __jbd2_log_wait_for_space+0x251/0x2e0
	Modules linked in:
	CPU: 2 PID: 139804 Comm: kworker/u8:3 Not tainted 6.6.0+ #1
	RIP: 0010:__jbd2_log_wait_for_space+0x251/0x2e0
	Call Trace:
	<TASK>
	add_transaction_credits+0x5d1/0x5e0
	start_this_handle+0x1ef/0x6a0
	jbd2__journal_start+0x18b/0x340
	ext4_dirty_inode+0x5d/0xb0
	__mark_inode_dirty+0xe4/0x5d0
	generic_update_time+0x60/0x70
	[...]
	============================================

	So only if jbd2_cleanup_journal_tail() returns 1, i.e., there is nothing to
	clean up at the moment, continue to try to reclaim free space in other ways.

	Note that this fix relies on commit 6f6a6fda2945 ("jbd2: fix ocfs2 corrupt
	when updating journal superblock fails") to make jbd2_cleanup_journal_tail
	return the correct error code.

	The Linux kernel CVE team has assigned CVE-2024-49959 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.28 with commit 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 and fixed in 4.19.323 with commit 801a35dfef6996f3d5eaa96a59caf00440d9165e
	Issue introduced in 2.6.28 with commit 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 and fixed in 5.4.285 with commit d5dc65370a746750dbb2f03eabcf86b18db65f32
	Issue introduced in 2.6.28 with commit 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 and fixed in 5.10.227 with commit 481e8f18a290e39e04ddb7feb2bb2a2cc3b213ed
	Issue introduced in 2.6.28 with commit 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 and fixed in 5.15.168 with commit ec7f8337c98ad281020ad1f11ba492462d80737a
	Issue introduced in 2.6.28 with commit 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 and fixed in 6.1.113 with commit 70bae48377a2c4296fd3caf4caf8f11079111019
	Issue introduced in 2.6.28 with commit 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 and fixed in 6.6.55 with commit 1c62dc0d82c62f0dc8fcdc4843208e522acccaf5
	Issue introduced in 2.6.28 with commit 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 and fixed in 6.10.14 with commit 3ced0fe6c0eff032733ea8b38778b34707270138
	Issue introduced in 2.6.28 with commit 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 and fixed in 6.11.3 with commit c6bf043b210eac67d35a114e345c4e5585672913
	Issue introduced in 2.6.28 with commit 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 and fixed in 6.12 with commit f5cacdc6f2bb2a9bf214469dd7112b43dd2dd68a

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-49959
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/jbd2/checkpoint.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/801a35dfef6996f3d5eaa96a59caf00440d9165e
	https://git.kernel.org/stable/c/d5dc65370a746750dbb2f03eabcf86b18db65f32
	https://git.kernel.org/stable/c/481e8f18a290e39e04ddb7feb2bb2a2cc3b213ed
	https://git.kernel.org/stable/c/ec7f8337c98ad281020ad1f11ba492462d80737a
	https://git.kernel.org/stable/c/70bae48377a2c4296fd3caf4caf8f11079111019
	https://git.kernel.org/stable/c/1c62dc0d82c62f0dc8fcdc4843208e522acccaf5
	https://git.kernel.org/stable/c/3ced0fe6c0eff032733ea8b38778b34707270138
	https://git.kernel.org/stable/c/c6bf043b210eac67d35a114e345c4e5585672913
	https://git.kernel.org/stable/c/f5cacdc6f2bb2a9bf214469dd7112b43dd2dd68a