CVE-2024-43855

In the Linux kernel, the following vulnerability has been resolved: md: fix deadlock between mddev_suspend and flush bio Deadlock occurs when mddev is being suspended while some flush bio is in progress. It is a complex issue. T1. the first flush is at the ending stage, it clears 'mddev->flush_bio' and tries to submit data, but is blocked because mddev is suspended by T4. T2. the second flush sets 'mddev->flush_bio', and attempts to queue md_submit_flush_data(), which is already running (T1) and won't execute again if on the same CPU as T1. T3. the third flush inc active_io and tries to flush, but is blocked because 'mddev->flush_bio' is not NULL (set by T2). T4. mddev_suspend() is called and waits for active_io dec to 0 which is inc by T3. T1 T2 T3 T4 (flush 1) (flush 2) (third 3) (suspend) md_submit_flush_data mddev->flush_bio = NULL; . . md_flush_request . mddev->flush_bio = bio . queue submit_flushes . . . . md_handle_request . . active_io + 1 . . md_flush_request . . wait !mddev->flush_bio . . . . mddev_suspend . . wait !active_io . . . submit_flushes . queue_work md_submit_flush_data . //md_submit_flush_data is already running (T1) . md_handle_request wait resume The root issue is non-atomic inc/dec of active_io during flush process. active_io is dec before md_submit_flush_data is queued, and inc soon after md_submit_flush_data() run. md_flush_request active_io + 1 submit_flushes active_io - 1 md_submit_flush_data md_handle_request active_io + 1 make_request active_io - 1 If active_io is dec after md_handle_request() instead of within submit_flushes(), make_request() can be called directly intead of md_handle_request() in md_submit_flush_data(), and active_io will only inc and dec once in the whole flush process. Deadlock will be fixed. Additionally, the only difference between fixing the issue and before is that there is no return error handling of make_request(). But after previous patch cleaned md_write_start(), make_requst() only return error in raid5_make_request() by dm-raid, see commit 41425f96d7aa ("dm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape)". Since dm always splits data and flush operation into two separate io, io size of flush submitted by dm always is 0, make_request() will not be called in md_submit_flush_data(). To prevent future modifications from introducing issues, add WARN_ON to ensure make_request() no error is returned in this context.
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

22 Aug 2024, 17:48

Type Values Removed Values Added
CWE CWE-476
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.5
First Time Linux linux Kernel
Linux
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
References () https://git.kernel.org/stable/c/2d0738a8322bf4e5bfe693d16b3111928a9ccfbf - () https://git.kernel.org/stable/c/2d0738a8322bf4e5bfe693d16b3111928a9ccfbf - Patch
References () https://git.kernel.org/stable/c/32226070813140234b6c507084738e8e8385c5c6 - () https://git.kernel.org/stable/c/32226070813140234b6c507084738e8e8385c5c6 - Patch
References () https://git.kernel.org/stable/c/611d5cbc0b35a752e657a83eebadf40d814d006b - () https://git.kernel.org/stable/c/611d5cbc0b35a752e657a83eebadf40d814d006b - Patch
References () https://git.kernel.org/stable/c/ca963eefbc3331222b6121baa696d49ba2008811 - () https://git.kernel.org/stable/c/ca963eefbc3331222b6121baa696d49ba2008811 - Patch

19 Aug 2024, 12:59

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: md: corrige el punto muerto entre mddev_suspend y purgar bio. El punto muerto ocurre cuando mddev se suspende mientras se realiza algún purga de biografía. Es una cuestión compleja. T1. la primera descarga está en la etapa final, borra 'mddev->flush_bio' e intenta enviar datos, pero se bloquea porque T4 suspende mddev. T2. la segunda descarga establece 'mddev->flush_bio' e intenta poner en cola md_submit_flush_data(), que ya se está ejecutando (T1) y no se ejecutará nuevamente si está en la misma CPU que T1. T3. el tercer enjuague incluye active_io e intenta descargar, pero se bloquea porque 'mddev->flush_bio' no es NULL (establecido por T2). T4. Se llama a mddev_suspend() y espera que active_io dec a 0, que es incrementado por T3. T1 T2 T3 T4 (flush 1) (flush 2) (tercero 3) (suspender) md_submit_flush_data mddev->flush_bio = NULL; . . md_flush_request. mddev->flush_bio = biografía. cola submit_flushes . . . . md_handle_request. . activo_io + 1. . md_flush_request. . ¡espera! mddev->flush_bio. . . . mddev_suspend. . ¡espera! active_io. . . enviar_flushes. queue_work md_submit_flush_data. //md_submit_flush_data ya se está ejecutando (T1). md_handle_request espera reanudar la raíz del problema es el aumento/disminución no atómico de active_io durante el proceso de descarga. active_io disminuye antes de que md_submit_flush_data se ponga en cola y se inc poco después de ejecutar md_submit_flush_data(). md_flush_request active_io + 1 submit_flushes active_io - 1 md_submit_flush_data md_handle_request active_io + 1 make_request active_io - 1 Si active_io se dec después de md_handle_request() en lugar de dentro de submit_flushes(), se puede llamar a make_request() directamente en lugar de md_handle_request() en md_submit_flush_data(), y active_io solo aumentará y disminuirá una vez durante todo el proceso de descarga. Se solucionará el punto muerto. Además, la única diferencia entre solucionar el problema y antes es que no hay manejo de errores de devolución de make_request(). Pero después de que el parche anterior limpió md_write_start(), make_requst() solo devuelve un error en raid5_make_request() por dm-raid, consulte el commit 41425f96d7aa ("dm-raid456, md/raid456: solucione un punto muerto para dm-raid456 mientras io concurre con reshape) ". Dado que dm siempre divide los datos y la operación de descarga en dos io separados, el tamaño de io de descarga enviado por dm siempre es 0, no se llamará a make_request() en md_submit_flush_data(). Para evitar que modificaciones futuras introduzcan problemas, agregue WARN_ON para garantizar que make_request() no se devuelva ningún error en este contexto.

17 Aug 2024, 10:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-17 10:15

Updated : 2024-08-22 17:48


NVD link : CVE-2024-43855

Mitre link : CVE-2024-43855

CVE.ORG link : CVE-2024-43855


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-476

NULL Pointer Dereference