CVE-2024-26962
Vulnerability from cvelistv5
Published
2024-05-01 05:19
Modified
2024-11-05 09:18
Severity ?
Summary
dm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape
Impacted products
LinuxLinux
LinuxLinux
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:21:05.628Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5943a34bf6bab5801e08a55f63e1b8d5bc90dae1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a8d249d770cb357d16a2097b548d2e4c1c137304"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/41425f96d7aa59bc865f60f5dda3d7697b555677"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26962",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:45:26.664282Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:47.573Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/dm-raid.c",
            "drivers/md/md.c",
            "drivers/md/md.h",
            "drivers/md/raid5.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5943a34bf6ba",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "a8d249d770cb",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "41425f96d7aa",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/dm-raid.c",
            "drivers/md/md.c",
            "drivers/md/md.h",
            "drivers/md/raid5.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape\n\nFor raid456, if reshape is still in progress, then IO across reshape\nposition will wait for reshape to make progress. However, for dm-raid,\nin following cases reshape will never make progress hence IO will hang:\n\n1) the array is read-only;\n2) MD_RECOVERY_WAIT is set;\n3) MD_RECOVERY_FROZEN is set;\n\nAfter commit c467e97f079f (\"md/raid6: use valid sector values to determine\nif an I/O should wait on the reshape\") fix the problem that IO across\nreshape position doesn\u0027t wait for reshape, the dm-raid test\nshell/lvconvert-raid-reshape.sh start to hang:\n\n[root@fedora ~]# cat /proc/979/stack\n[\u003c0\u003e] wait_woken+0x7d/0x90\n[\u003c0\u003e] raid5_make_request+0x929/0x1d70 [raid456]\n[\u003c0\u003e] md_handle_request+0xc2/0x3b0 [md_mod]\n[\u003c0\u003e] raid_map+0x2c/0x50 [dm_raid]\n[\u003c0\u003e] __map_bio+0x251/0x380 [dm_mod]\n[\u003c0\u003e] dm_submit_bio+0x1f0/0x760 [dm_mod]\n[\u003c0\u003e] __submit_bio+0xc2/0x1c0\n[\u003c0\u003e] submit_bio_noacct_nocheck+0x17f/0x450\n[\u003c0\u003e] submit_bio_noacct+0x2bc/0x780\n[\u003c0\u003e] submit_bio+0x70/0xc0\n[\u003c0\u003e] mpage_readahead+0x169/0x1f0\n[\u003c0\u003e] blkdev_readahead+0x18/0x30\n[\u003c0\u003e] read_pages+0x7c/0x3b0\n[\u003c0\u003e] page_cache_ra_unbounded+0x1ab/0x280\n[\u003c0\u003e] force_page_cache_ra+0x9e/0x130\n[\u003c0\u003e] page_cache_sync_ra+0x3b/0x110\n[\u003c0\u003e] filemap_get_pages+0x143/0xa30\n[\u003c0\u003e] filemap_read+0xdc/0x4b0\n[\u003c0\u003e] blkdev_read_iter+0x75/0x200\n[\u003c0\u003e] vfs_read+0x272/0x460\n[\u003c0\u003e] ksys_read+0x7a/0x170\n[\u003c0\u003e] __x64_sys_read+0x1c/0x30\n[\u003c0\u003e] do_syscall_64+0xc6/0x230\n[\u003c0\u003e] entry_SYSCALL_64_after_hwframe+0x6c/0x74\n\nThis is because reshape can\u0027t make progress.\n\nFor md/raid, the problem doesn\u0027t exist because register new sync_thread\ndoesn\u0027t rely on the IO to be done any more:\n\n1) If array is read-only, it can switch to read-write by ioctl/sysfs;\n2) md/raid never set MD_RECOVERY_WAIT;\n3) If MD_RECOVERY_FROZEN is set, mddev_suspend() doesn\u0027t hold\n   \u0027reconfig_mutex\u0027, hence it can be cleared and reshape can continue by\n   sysfs api \u0027sync_action\u0027.\n\nHowever, I\u0027m not sure yet how to avoid the problem in dm-raid yet. This\npatch on the one hand make sure raid_message() can\u0027t change\nsync_thread() through raid_message() after presuspend(), on the other\nhand detect the above 3 cases before wait for IO do be done in\ndm_suspend(), and let dm-raid requeue those IO."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-05T09:18:59.399Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5943a34bf6bab5801e08a55f63e1b8d5bc90dae1"
        },
        {
          "url": "https://git.kernel.org/stable/c/a8d249d770cb357d16a2097b548d2e4c1c137304"
        },
        {
          "url": "https://git.kernel.org/stable/c/41425f96d7aa59bc865f60f5dda3d7697b555677"
        }
      ],
      "title": "dm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26962",
    "datePublished": "2024-05-01T05:19:20.579Z",
    "dateReserved": "2024-02-19T14:20:24.201Z",
    "dateUpdated": "2024-11-05T09:18:59.399Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-26962\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-01T06:15:12.527\",\"lastModified\":\"2024-05-01T13:02:20.750\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape\\n\\nFor raid456, if reshape is still in progress, then IO across reshape\\nposition will wait for reshape to make progress. However, for dm-raid,\\nin following cases reshape will never make progress hence IO will hang:\\n\\n1) the array is read-only;\\n2) MD_RECOVERY_WAIT is set;\\n3) MD_RECOVERY_FROZEN is set;\\n\\nAfter commit c467e97f079f (\\\"md/raid6: use valid sector values to determine\\nif an I/O should wait on the reshape\\\") fix the problem that IO across\\nreshape position doesn\u0027t wait for reshape, the dm-raid test\\nshell/lvconvert-raid-reshape.sh start to hang:\\n\\n[root@fedora ~]# cat /proc/979/stack\\n[\u003c0\u003e] wait_woken+0x7d/0x90\\n[\u003c0\u003e] raid5_make_request+0x929/0x1d70 [raid456]\\n[\u003c0\u003e] md_handle_request+0xc2/0x3b0 [md_mod]\\n[\u003c0\u003e] raid_map+0x2c/0x50 [dm_raid]\\n[\u003c0\u003e] __map_bio+0x251/0x380 [dm_mod]\\n[\u003c0\u003e] dm_submit_bio+0x1f0/0x760 [dm_mod]\\n[\u003c0\u003e] __submit_bio+0xc2/0x1c0\\n[\u003c0\u003e] submit_bio_noacct_nocheck+0x17f/0x450\\n[\u003c0\u003e] submit_bio_noacct+0x2bc/0x780\\n[\u003c0\u003e] submit_bio+0x70/0xc0\\n[\u003c0\u003e] mpage_readahead+0x169/0x1f0\\n[\u003c0\u003e] blkdev_readahead+0x18/0x30\\n[\u003c0\u003e] read_pages+0x7c/0x3b0\\n[\u003c0\u003e] page_cache_ra_unbounded+0x1ab/0x280\\n[\u003c0\u003e] force_page_cache_ra+0x9e/0x130\\n[\u003c0\u003e] page_cache_sync_ra+0x3b/0x110\\n[\u003c0\u003e] filemap_get_pages+0x143/0xa30\\n[\u003c0\u003e] filemap_read+0xdc/0x4b0\\n[\u003c0\u003e] blkdev_read_iter+0x75/0x200\\n[\u003c0\u003e] vfs_read+0x272/0x460\\n[\u003c0\u003e] ksys_read+0x7a/0x170\\n[\u003c0\u003e] __x64_sys_read+0x1c/0x30\\n[\u003c0\u003e] do_syscall_64+0xc6/0x230\\n[\u003c0\u003e] entry_SYSCALL_64_after_hwframe+0x6c/0x74\\n\\nThis is because reshape can\u0027t make progress.\\n\\nFor md/raid, the problem doesn\u0027t exist because register new sync_thread\\ndoesn\u0027t rely on the IO to be done any more:\\n\\n1) If array is read-only, it can switch to read-write by ioctl/sysfs;\\n2) md/raid never set MD_RECOVERY_WAIT;\\n3) If MD_RECOVERY_FROZEN is set, mddev_suspend() doesn\u0027t hold\\n   \u0027reconfig_mutex\u0027, hence it can be cleared and reshape can continue by\\n   sysfs api \u0027sync_action\u0027.\\n\\nHowever, I\u0027m not sure yet how to avoid the problem in dm-raid yet. This\\npatch on the one hand make sure raid_message() can\u0027t change\\nsync_thread() through raid_message() after presuspend(), on the other\\nhand detect the above 3 cases before wait for IO do be done in\\ndm_suspend(), and let dm-raid requeue those IO.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: dm-raid456, md/raid456: soluciona un punto muerto para dm-raid456 mientras io concurre con reshape. Para raid456, si el reshape todav\u00eda est\u00e1 en progreso, entonces IO en la posici\u00f3n de reshape esperar\u00e1 remodelar para progresar. Sin embargo, para dm-raid, en los siguientes casos la remodelaci\u00f3n nunca progresar\u00e1, por lo que IO se bloquear\u00e1: 1) la matriz es de solo lectura; 2) MD_RECOVERY_WAIT est\u00e1 configurado; 3) MD_RECOVERY_FROZEN est\u00e1 configurado; Despu\u00e9s de confirmar c467e97f079f (\\\"md/raid6: use valores de sector v\u00e1lidos para determinar si una E/S debe esperar a la remodelaci\u00f3n\\\") solucione el problema de que IO en la posici\u00f3n de remodelaci\u00f3n no espera a la remodelaci\u00f3n, la prueba dm-raid shell/lvconvert -raid-reshape.sh comienza a colgarse: [root@fedora ~]# cat /proc/979/stack [\u0026lt;0\u0026gt;] wait_woken+0x7d/0x90 [\u0026lt;0\u0026gt;] raid5_make_request+0x929/0x1d70 [raid456] [\u0026lt;0 \u0026gt;] md_handle_request+0xc2/0x3b0 [md_mod] [\u0026lt;0\u0026gt;] raid_map+0x2c/0x50 [dm_raid] [\u0026lt;0\u0026gt;] __map_bio+0x251/0x380 [dm_mod] [\u0026lt;0\u0026gt;] dm_submit_bio+0x1f0/0x760 [dm_mod] [ \u0026lt;0\u0026gt;] __submit_bio+0xc2/0x1c0 [\u0026lt;0\u0026gt;] submit_bio_noacct_nocheck+0x17f/0x450 [\u0026lt;0\u0026gt;] submit_bio_noacct+0x2bc/0x780 [\u0026lt;0\u0026gt;] submit_bio+0x70/0xc0 [\u0026lt;0\u0026gt;] mpage_readahead+0x169/0x1f0 [ \u0026lt;0\u0026gt;] blkdev_readahead+0x18/0x30 [\u0026lt;0\u0026gt;] read_pages+0x7c/0x3b0 [\u0026lt;0\u0026gt;] page_cache_ra_unbounded+0x1ab/0x280 [\u0026lt;0\u0026gt;] force_page_cache_ra+0x9e/0x130 [\u0026lt;0\u0026gt;] page_cache_sync_ra+0x3b/0x110 [ \u0026lt;0\u0026gt;] filemap_get_pages+0x143/0xa30 [\u0026lt;0\u0026gt;] filemap_read+0xdc/0x4b0 [\u0026lt;0\u0026gt;] blkdev_read_iter+0x75/0x200 [\u0026lt;0\u0026gt;] vfs_read+0x272/0x460 [\u0026lt;0\u0026gt;] ksys_read+0x7a/0x170 [ \u0026lt;0\u0026gt;] __x64_sys_read+0x1c/0x30 [\u0026lt;0\u0026gt;] do_syscall_64+0xc6/0x230 [\u0026lt;0\u0026gt;] Entry_SYSCALL_64_after_hwframe+0x6c/0x74 Esto se debe a que la remodelaci\u00f3n no puede progresar. Para md/raid, el problema no existe porque registrar un nuevo sync_thread ya no depende de que se realice la IO: 1) Si la matriz es de solo lectura, puede cambiar a lectura-escritura mediante ioctl/sysfs; 2) md/raid nunca configur\u00f3 MD_RECOVERY_WAIT; 3) Si se configura MD_RECOVERY_FROZEN, mddev_suspend() no contiene \u0027reconfig_mutex\u0027, por lo tanto, se puede borrar y la remodelaci\u00f3n puede continuar mediante sysfs api \u0027sync_action\u0027. Sin embargo, todav\u00eda no estoy seguro de c\u00f3mo evitar el problema en dm-raid. Este parche, por un lado, garantiza que raid_message() no pueda cambiar sync_thread() a trav\u00e9s de raid_message() despu\u00e9s de presuspend(), por otro lado detecta los 3 casos anteriores antes de esperar a que IO se realice en dm_suspend(), y deja dm-raid pone en cola esas IO.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/41425f96d7aa59bc865f60f5dda3d7697b555677\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5943a34bf6bab5801e08a55f63e1b8d5bc90dae1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a8d249d770cb357d16a2097b548d2e4c1c137304\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...
  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.