CVE-2024-40943

ocfs2: fix races between hole punching and AIO+DIO

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix races between hole punching and AIO+DIO

After commit "ocfs2: return real error code in ocfs2_dio_wr_get_block",
fstests/generic/300 become from always failed to sometimes failed:

========================================================================
[ 473.293420 ] run fstests generic/300

[ 475.296983 ] JBD2: Ignoring recovery information on journal
[ 475.302473 ] ocfs2: Mounting device (253,1) on (node local, slot 0) with ordered data mode.
[ 494.290998 ] OCFS2: ERROR (device dm-1): ocfs2_change_extent_flag: Owner 5668 has an extent at cpos 78723 which can no longer be found
[ 494.291609 ] On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted.
[ 494.292018 ] OCFS2: File system is now read-only.
[ 494.292224 ] (kworker/19:11,2628,19):ocfs2_mark_extent_written:5272 ERROR: status = -30
[ 494.292602 ] (kworker/19:11,2628,19):ocfs2_dio_end_io_write:2374 ERROR: status = -3
fio: io_u error on file /mnt/scratch/racer: Read-only file system: write offset=460849152, buflen=131072
=========================================================================

In __blockdev_direct_IO, ocfs2_dio_wr_get_block is called to add unwritten
extents to a list. extents are also inserted into extent tree in
ocfs2_write_begin_nolock. Then another thread call fallocate to puch a
hole at one of the unwritten extent. The extent at cpos was removed by
ocfs2_remove_extent(). At end io worker thread, ocfs2_search_extent_list
found there is no such extent at the cpos.

T1 T2 T3
inode lock
...
insert extents
...
inode unlock
ocfs2_fallocate
__ocfs2_change_file_space
inode lock
lock ip_alloc_sem
ocfs2_remove_inode_range inode
ocfs2_remove_btree_range
ocfs2_remove_extent
^---remove the extent at cpos 78723
...
unlock ip_alloc_sem
inode unlock
ocfs2_dio_end_io
ocfs2_dio_end_io_write
lock ip_alloc_sem
ocfs2_mark_extent_written
ocfs2_change_extent_flag
ocfs2_search_extent_list
^---failed to find extent
...
unlock ip_alloc_sem

In most filesystems, fallocate is not compatible with racing with AIO+DIO,
so fix it by adding to wait for all dio before fallocate/punch_hole like
ext4.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-07-12 CVE Reserved
2024-07-12 CVE Published
2024-07-13 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (9)

URL	Tag	Source
https://git.kernel.org/stable/c/b25801038da5823bba1b5440a57ca68afc51b6bd	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/3c26b5d21b1239e9c7fd31ba7d9b2d7bdbaa68d9	2024-07-05
https://git.kernel.org/stable/c/e8e2db1adac47970a6a9225f3858e9aa0e86287f	2024-07-05
https://git.kernel.org/stable/c/050ce8af6838c71e872e982b50d3f1bec21da40e	2024-07-05
https://git.kernel.org/stable/c/38825ff9da91d2854dcf6d9ac320a7e641e10f25	2024-07-05
https://git.kernel.org/stable/c/ea042dc2bea19d72e37c298bf65a9c341ef3fff3	2024-06-21
https://git.kernel.org/stable/c/3c361f313d696df72f9bccf058510e9ec737b9b1	2024-06-21
https://git.kernel.org/stable/c/117b9c009b72a6c2ebfd23484354dfee2d9570d2	2024-06-21
https://git.kernel.org/stable/c/952b023f06a24b2ad6ba67304c4c84d45bea2f18	2024-04-26

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.23 < 4.19.317 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.23 < 4.19.317"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.23 < 5.4.279 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.23 < 5.4.279"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.23 < 5.10.221 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.23 < 5.10.221"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.23 < 5.15.162 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.23 < 5.15.162"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.23 < 6.1.95 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.23 < 6.1.95"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.23 < 6.6.35 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.23 < 6.6.35"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.23 < 6.9.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.23 < 6.9.6"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.23 < 6.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.23 < 6.10"		en		Affected