cve/published/2024/CVE-2024-56780.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-56780: quota: flush quota_release_work upon quota writeback

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 quota: flush quota_release_work upon quota writeback

 One of the paths quota writeback is called from is:

 freeze_super()
   sync_filesystem()
     ext4_sync_fs()
       dquot_writeback_dquots()

 Since we currently don't always flush the quota_release_work queue in
 this path, we can end up with the following race:

  1. dquot are added to releasing_dquots list during regular operations.
  2. FS Freeze starts, however, this does not flush the quota_release_work queue.
  3. Freeze completes.
  4. Kernel eventually tries to flush the workqueue while FS is frozen which
     hits a WARN_ON since transaction gets started during frozen state:

   ext4_journal_check_start+0x28/0x110 [ext4] (unreliable)
   __ext4_journal_start_sb+0x64/0x1c0 [ext4]
   ext4_release_dquot+0x90/0x1d0 [ext4]
   quota_release_workfn+0x43c/0x4d0

 Which is the following line:

   WARN_ON(sb->s_writers.frozen == SB_FREEZE_COMPLETE);

 Which ultimately results in generic/390 failing due to dmesg
 noise. This was detected on powerpc machine 15 cores.

 To avoid this, make sure to flush the workqueue during
 dquot_writeback_dquots() so we dont have any pending workitems after
 freeze.

 The Linux kernel CVE team has assigned CVE-2024-56780 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.4.257 with commit d40c192e119892799dd4ddf94f5cea6fa93775ef and fixed in 5.4.287 with commit a5abba5e0e586e258ded3e798fe5f69c66fec198
 	Issue introduced in 5.10.195 with commit 86d89987f0998c98f57d641e308b40452a994045 and fixed in 5.10.231 with commit 6f3821acd7c3143145999248087de5fb4b48cf26
 	Issue introduced in 5.15.132 with commit 89602de9a2d7080b7a4029d5c1bf8f78d295ff5f and fixed in 5.15.174 with commit ab6cfcf8ed2c7496f55d020b65b1d8cd55d9a2cb
 	Issue introduced in 6.1.53 with commit 3027e200dd58d5b437f16634dbbd355b29ffe0a6 and fixed in 6.1.120 with commit 3e6ff207cd5bd924ad94cd1a7c633bcdac0ba1cb
 	Issue introduced in 6.6 with commit dabc8b20756601b9e1cc85a81d47d3f98ed4d13a and fixed in 6.6.64 with commit bcacb52a985f1b6d280f698a470b873dfe52728a
 	Issue introduced in 6.6 with commit dabc8b20756601b9e1cc85a81d47d3f98ed4d13a and fixed in 6.12.4 with commit 8ea87e34792258825d290f4dc5216276e91cb224
 	Issue introduced in 6.6 with commit dabc8b20756601b9e1cc85a81d47d3f98ed4d13a and fixed in 6.13 with commit ac6f420291b3fee1113f21d612fa88b628afab5b
 	Issue introduced in 4.19.295 with commit f3e9a2bbdeb8987508dd6bb2b701dea911d4daec
 	Issue introduced in 6.4.16 with commit 903fc5d8cb48b0d2de7095ef40e39fd32bb27bd0
 	Issue introduced in 6.5.3 with commit 31bed65eecbc5ce57592cfe31947eaa64e3d678e

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-56780
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/quota/dquot.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/a5abba5e0e586e258ded3e798fe5f69c66fec198
 	https://git.kernel.org/stable/c/6f3821acd7c3143145999248087de5fb4b48cf26
 	https://git.kernel.org/stable/c/ab6cfcf8ed2c7496f55d020b65b1d8cd55d9a2cb
 	https://git.kernel.org/stable/c/3e6ff207cd5bd924ad94cd1a7c633bcdac0ba1cb
 	https://git.kernel.org/stable/c/bcacb52a985f1b6d280f698a470b873dfe52728a
 	https://git.kernel.org/stable/c/8ea87e34792258825d290f4dc5216276e91cb224
 	https://git.kernel.org/stable/c/ac6f420291b3fee1113f21d612fa88b628afab5b
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-56780: quota: flush quota_release_work upon quota writeback

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	quota: flush quota_release_work upon quota writeback

	One of the paths quota writeback is called from is:

	freeze_super()
	sync_filesystem()
	ext4_sync_fs()
	dquot_writeback_dquots()

	Since we currently don't always flush the quota_release_work queue in
	this path, we can end up with the following race:

	1. dquot are added to releasing_dquots list during regular operations.
	2. FS Freeze starts, however, this does not flush the quota_release_work queue.
	3. Freeze completes.
	4. Kernel eventually tries to flush the workqueue while FS is frozen which
	hits a WARN_ON since transaction gets started during frozen state:

	ext4_journal_check_start+0x28/0x110 [ext4] (unreliable)
	__ext4_journal_start_sb+0x64/0x1c0 [ext4]
	ext4_release_dquot+0x90/0x1d0 [ext4]
	quota_release_workfn+0x43c/0x4d0

	Which is the following line:

	WARN_ON(sb->s_writers.frozen == SB_FREEZE_COMPLETE);

	Which ultimately results in generic/390 failing due to dmesg
	noise. This was detected on powerpc machine 15 cores.

	To avoid this, make sure to flush the workqueue during
	dquot_writeback_dquots() so we dont have any pending workitems after
	freeze.

	The Linux kernel CVE team has assigned CVE-2024-56780 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.4.257 with commit d40c192e119892799dd4ddf94f5cea6fa93775ef and fixed in 5.4.287 with commit a5abba5e0e586e258ded3e798fe5f69c66fec198
	Issue introduced in 5.10.195 with commit 86d89987f0998c98f57d641e308b40452a994045 and fixed in 5.10.231 with commit 6f3821acd7c3143145999248087de5fb4b48cf26
	Issue introduced in 5.15.132 with commit 89602de9a2d7080b7a4029d5c1bf8f78d295ff5f and fixed in 5.15.174 with commit ab6cfcf8ed2c7496f55d020b65b1d8cd55d9a2cb
	Issue introduced in 6.1.53 with commit 3027e200dd58d5b437f16634dbbd355b29ffe0a6 and fixed in 6.1.120 with commit 3e6ff207cd5bd924ad94cd1a7c633bcdac0ba1cb
	Issue introduced in 6.6 with commit dabc8b20756601b9e1cc85a81d47d3f98ed4d13a and fixed in 6.6.64 with commit bcacb52a985f1b6d280f698a470b873dfe52728a
	Issue introduced in 6.6 with commit dabc8b20756601b9e1cc85a81d47d3f98ed4d13a and fixed in 6.12.4 with commit 8ea87e34792258825d290f4dc5216276e91cb224
	Issue introduced in 6.6 with commit dabc8b20756601b9e1cc85a81d47d3f98ed4d13a and fixed in 6.13 with commit ac6f420291b3fee1113f21d612fa88b628afab5b
	Issue introduced in 4.19.295 with commit f3e9a2bbdeb8987508dd6bb2b701dea911d4daec
	Issue introduced in 6.4.16 with commit 903fc5d8cb48b0d2de7095ef40e39fd32bb27bd0
	Issue introduced in 6.5.3 with commit 31bed65eecbc5ce57592cfe31947eaa64e3d678e

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56780
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/quota/dquot.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/a5abba5e0e586e258ded3e798fe5f69c66fec198
	https://git.kernel.org/stable/c/6f3821acd7c3143145999248087de5fb4b48cf26
	https://git.kernel.org/stable/c/ab6cfcf8ed2c7496f55d020b65b1d8cd55d9a2cb
	https://git.kernel.org/stable/c/3e6ff207cd5bd924ad94cd1a7c633bcdac0ba1cb
	https://git.kernel.org/stable/c/bcacb52a985f1b6d280f698a470b873dfe52728a
	https://git.kernel.org/stable/c/8ea87e34792258825d290f4dc5216276e91cb224
	https://git.kernel.org/stable/c/ac6f420291b3fee1113f21d612fa88b628afab5b