CVE-2024-40943

2024-07-1213:15:16

Linux

web.nvd.nist.gov

linux kernel

ocfs2 vulnerability

cve-2024-40943

race conditions

hole punching

aio+dio

file system errors

fallocate compatibility

AI Score

6.6

Confidence

High

EPSS

Percentile

13.4%

JSON

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix races between hole punching and AIO+DIO

After commit “ocfs2: return real error code in ocfs2_dio_wr_get_block”,
fstests/generic/300 become from always failed to sometimes failed:

========================================================================
[ 473.293420 ] run fstests generic/300

[ 475.296983 ] JBD2: Ignoring recovery information on journal
[ 475.302473 ] ocfs2: Mounting device (253,1) on (node local, slot 0) with ordered data mode.
[ 494.290998 ] OCFS2: ERROR (device dm-1): ocfs2_change_extent_flag: Owner 5668 has an extent at cpos 78723 which can no longer be found
[ 494.291609 ] On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted.
[ 494.292018 ] OCFS2: File system is now read-only.
[ 494.292224 ] (kworker/19:11,2628,19):ocfs2_mark_extent_written:5272 ERROR: status = -30
[ 494.292602 ] (kworker/19:11,2628,19):ocfs2_dio_end_io_write:2374 ERROR: status = -3
fio: io_u error on file /mnt/scratch/racer: Read-only file system: write offset=460849152, buflen=131072

In __blockdev_direct_IO, ocfs2_dio_wr_get_block is called to add unwritten
extents to a list. extents are also inserted into extent tree in
ocfs2_write_begin_nolock. Then another thread call fallocate to puch a
hole at one of the unwritten extent. The extent at cpos was removed by
ocfs2_remove_extent(). At end io worker thread, ocfs2_search_extent_list
found there is no such extent at the cpos.

T1                        T2                T3
                          inode lock
                            ...
                            insert extents
                            ...
                          inode unlock

ocfs2_fallocate
__ocfs2_change_file_space
inode lock
lock ip_alloc_sem
ocfs2_remove_inode_range inode
ocfs2_remove_btree_range
ocfs2_remove_extent
^—remove the extent at cpos 78723
…
unlock ip_alloc_sem
inode unlock
ocfs2_dio_end_io
ocfs2_dio_end_io_write
lock ip_alloc_sem
ocfs2_mark_extent_written
ocfs2_change_extent_flag
ocfs2_search_extent_list
^—failed to find extent
…
unlock ip_alloc_sem

In most filesystems, fallocate is not compatible with racing with AIO+DIO,
so fix it by adding to wait for all dio before fallocate/punch_hole like
ext4.

Affected configurations

Vulners

Node

linuxlinux_kernelRange2.6.23–4.19.317

linuxlinux_kernelRange4.20.0–5.4.279

linuxlinux_kernelRange5.5.0–5.10.221

linuxlinux_kernelRange5.11.0–5.15.162

linuxlinux_kernelRange5.16.0–6.1.95

linuxlinux_kernelRange6.2.0–6.6.35

linuxlinux_kernelRange6.7.0–6.9.6

linuxlinux_kernelRange6.10.0≥

VendorProductVersionCPE
linuxlinux_kernel*cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
linux	linux_kernel	*	cpe:2.3:o:linux:linux_kernel::::::::

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "fs/ocfs2/file.c"
    ],
    "versions": [
      {
        "version": "b25801038da5",
        "lessThan": "3c26b5d21b12",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "b25801038da5",
        "lessThan": "e8e2db1adac4",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "b25801038da5",
        "lessThan": "050ce8af6838",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "b25801038da5",
        "lessThan": "38825ff9da91",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "b25801038da5",
        "lessThan": "ea042dc2bea1",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "b25801038da5",
        "lessThan": "3c361f313d69",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "b25801038da5",
        "lessThan": "117b9c009b72",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "b25801038da5",
        "lessThan": "952b023f06a2",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "fs/ocfs2/file.c"
    ],
    "versions": [
      {
        "version": "2.6.23",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "2.6.23",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.19.317",
        "lessThanOrEqual": "4.19.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.4.279",
        "lessThanOrEqual": "5.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.221",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.162",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.95",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.35",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.9.6",
        "lessThanOrEqual": "6.9.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.10",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]