CVE-2024-26962

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape<br /> <br /> For raid456, if reshape is still in progress, then IO across reshape<br /> position will wait for reshape to make progress. However, for dm-raid,<br /> in following cases reshape will never make progress hence IO will hang:<br /> <br /> 1) the array is read-only;<br /> 2) MD_RECOVERY_WAIT is set;<br /> 3) MD_RECOVERY_FROZEN is set;<br /> <br /> After commit c467e97f079f ("md/raid6: use valid sector values to determine<br /> if an I/O should wait on the reshape") fix the problem that IO across<br /> reshape position doesn&amp;#39;t wait for reshape, the dm-raid test<br /> shell/lvconvert-raid-reshape.sh start to hang:<br /> <br /> [root@fedora ~]# cat /proc/979/stack<br /> [] wait_woken+0x7d/0x90<br /> [] raid5_make_request+0x929/0x1d70 [raid456]<br /> [] md_handle_request+0xc2/0x3b0 [md_mod]<br /> [] raid_map+0x2c/0x50 [dm_raid]<br /> [] __map_bio+0x251/0x380 [dm_mod]<br /> [] dm_submit_bio+0x1f0/0x760 [dm_mod]<br /> [] __submit_bio+0xc2/0x1c0<br /> [] submit_bio_noacct_nocheck+0x17f/0x450<br /> [] submit_bio_noacct+0x2bc/0x780<br /> [] submit_bio+0x70/0xc0<br /> [] mpage_readahead+0x169/0x1f0<br /> [] blkdev_readahead+0x18/0x30<br /> [] read_pages+0x7c/0x3b0<br /> [] page_cache_ra_unbounded+0x1ab/0x280<br /> [] force_page_cache_ra+0x9e/0x130<br /> [] page_cache_sync_ra+0x3b/0x110<br /> [] filemap_get_pages+0x143/0xa30<br /> [] filemap_read+0xdc/0x4b0<br /> [] blkdev_read_iter+0x75/0x200<br /> [] vfs_read+0x272/0x460<br /> [] ksys_read+0x7a/0x170<br /> [] __x64_sys_read+0x1c/0x30<br /> [] do_syscall_64+0xc6/0x230<br /> [] entry_SYSCALL_64_after_hwframe+0x6c/0x74<br /> <br /> This is because reshape can&amp;#39;t make progress.<br /> <br /> For md/raid, the problem doesn&amp;#39;t exist because register new sync_thread<br /> doesn&amp;#39;t rely on the IO to be done any more:<br /> <br /> 1) If array is read-only, it can switch to read-write by ioctl/sysfs;<br /> 2) md/raid never set MD_RECOVERY_WAIT;<br /> 3) If MD_RECOVERY_FROZEN is set, mddev_suspend() doesn&amp;#39;t hold<br /> &amp;#39;reconfig_mutex&amp;#39;, hence it can be cleared and reshape can continue by<br /> sysfs api &amp;#39;sync_action&amp;#39;.<br /> <br /> However, I&amp;#39;m not sure yet how to avoid the problem in dm-raid yet. This<br /> patch on the one hand make sure raid_message() can&amp;#39;t change<br /> sync_thread() through raid_message() after presuspend(), on the other<br /> hand detect the above 3 cases before wait for IO do be done in<br /> dm_suspend(), and let dm-raid requeue those IO.