Apr 03, 2024 - 5:00 p.m.

CVE-2024-26758 md: Don't ignore suspended array in md_check_recovery()

2024-04-03 17:00:42
Linux
github.com
linux kernel, vulnerability, md_check_recovery, mddev_suspend, sync_thread, fix, dm-raid, suspend, array, improvement

AI Score: 6.8 Medium (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 9.0%)

In the Linux kernel, the following vulnerability has been resolved:

md: Don’t ignore suspended array in md_check_recovery()

mddev_suspend() never stops sync_thread, hence it doesn’t make sense to
ignore a suspended array in md_check_recovery(), which might mean that
sync_thread can’t be unregistered.

After commit f52f5c71f3d4 (“md: fix stopping sync thread”), the following
hang can be triggered by the test shell/integrity-caching.sh:

  1. suspend the array:
    raid_postsuspend
     mddev_suspend

  2. stop the array:
    raid_dtr
     md_stop
      __md_stop_writes
       stop_sync_thread
        set_bit(MD_RECOVERY_INTR, &mddev->recovery);
        md_wakeup_thread_directly(mddev->sync_thread);
        wait_event(…, !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))

  3. sync thread done:
    md_do_sync
     set_bit(MD_RECOVERY_DONE, &mddev->recovery);
     md_wakeup_thread(mddev->thread);

  4. daemon thread can’t unregister sync thread:
    md_check_recovery
     if (mddev->suspended)
       return; -> return directly
     md_read_sync_thread
     clear_bit(MD_RECOVERY_RUNNING, &mddev->recovery);
     -> MD_RECOVERY_RUNNING can’t be cleared, hence step 2 hang;

This problem is not just related to dm-raid; fix it by ignoring
suspended array in md_check_recovery(). Follow-up patches will
improve dm-raid to better freeze the sync thread during suspend.
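
The four steps above, replayed as a small user-space model. This is an added example, not kernel code and not code from the patch: `struct mddev_model`, `check_recovery()` and `stop_completes()` are hypothetical names, and the function bodies are simplifying assumptions that keep only the flag changes listed in the commit message. The "early return removed" case follows the patch title.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model: names follow the commit message, bodies are assumptions. */
enum {
    MD_RECOVERY_RUNNING = 1u << 0,
    MD_RECOVERY_INTR    = 1u << 1,
    MD_RECOVERY_DONE    = 1u << 2,
};

struct mddev_model {            /* hypothetical stand-in for struct mddev */
    unsigned int recovery;
    bool suspended;
};

/* Step 4, the daemon thread. ignore_suspended=true models the early return. */
static void check_recovery(struct mddev_model *m, bool ignore_suspended)
{
    if (ignore_suspended && m->suspended)
        return;                                /* "return directly" */
    if (m->recovery & MD_RECOVERY_DONE)        /* reap the finished sync thread */
        m->recovery &= ~(unsigned int)MD_RECOVERY_RUNNING;
}

/* Replays steps 1-4 in order and reports whether the step 2 wait can finish. */
bool stop_completes(bool suspend_first, bool ignore_suspended)
{
    struct mddev_model m = { .recovery = MD_RECOVERY_RUNNING, .suspended = false };

    if (suspend_first)
        m.suspended = true;                    /* 1. mddev_suspend */
    m.recovery |= MD_RECOVERY_INTR;            /* 2. stop_sync_thread, then waits */
    m.recovery |= MD_RECOVERY_DONE;            /* 3. md_do_sync finishes */
    check_recovery(&m, ignore_suspended);      /* 4. daemon thread is woken */
    return !(m.recovery & MD_RECOVERY_RUNNING);/* wait_event() condition */
}

int main(void)
{
    printf("suspended, early return kept:     stop %s\n",
           stop_completes(true, true) ? "completes" : "hangs");
    printf("suspended, early return removed:  stop %s\n",
           stop_completes(true, false) ? "completes" : "hangs");
    printf("not suspended, early return kept: stop %s\n",
           stop_completes(false, true) ? "completes" : "hangs");
    return 0;
}
```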

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/md/md.c"
    ],
    "versions": [
      {
        "version": "68866e425be2",
        "lessThan": "a55f0d6179a1",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "68866e425be2",
        "lessThan": "1baae052cccd",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/md/md.c"
    ],
    "versions": [
      {
        "version": "3.0",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "3.0",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.7.7",
        "lessThanOrEqual": "6.7.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.8",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]
