CVE-2023-54177

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> quota: fix warning in dqgrab()<br /> <br /> There&amp;#39;s issue as follows when do fault injection:<br /> WARNING: CPU: 1 PID: 14870 at include/linux/quotaops.h:51 dquot_disable+0x13b7/0x18c0<br /> Modules linked in:<br /> CPU: 1 PID: 14870 Comm: fsconfig Not tainted 6.3.0-next-20230505-00006-g5107a9c821af-dirty #541<br /> RIP: 0010:dquot_disable+0x13b7/0x18c0<br /> RSP: 0018:ffffc9000acc79e0 EFLAGS: 00010246<br /> RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88825e41b980<br /> RDX: 0000000000000000 RSI: ffff88825e41b980 RDI: 0000000000000002<br /> RBP: ffff888179f68000 R08: ffffffff82087ca7 R09: 0000000000000000<br /> R10: 0000000000000001 R11: ffffed102f3ed026 R12: ffff888179f68130<br /> R13: ffff888179f68110 R14: dffffc0000000000 R15: ffff888179f68118<br /> FS: 00007f450a073740(0000) GS:ffff88882fc00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007ffe96f2efd8 CR3: 000000025c8ad000 CR4: 00000000000006e0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> dquot_load_quota_sb+0xd53/0x1060<br /> dquot_resume+0x172/0x230<br /> ext4_reconfigure+0x1dc6/0x27b0<br /> reconfigure_super+0x515/0xa90<br /> __x64_sys_fsconfig+0xb19/0xd20<br /> do_syscall_64+0x39/0xb0<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> Above issue may happens as follows:<br /> ProcessA ProcessB ProcessC<br /> sys_fsconfig<br /> vfs_fsconfig_locked<br /> reconfigure_super<br /> ext4_remount<br /> dquot_suspend -&gt; suspend all type quota<br /> <br /> sys_fsconfig<br /> vfs_fsconfig_locked<br /> reconfigure_super<br /> ext4_remount<br /> dquot_resume<br /> ret = dquot_load_quota_sb<br /> add_dquot_ref<br /> do_open -&gt; open file O_RDWR<br /> vfs_open<br /> do_dentry_open<br /> get_write_access<br /> atomic_inc_unless_negative(&amp;inode-&gt;i_writecount)<br /> ext4_file_open<br /> dquot_file_open<br /> dquot_initialize<br /> __dquot_initialize<br /> dqget<br /> atomic_inc(&amp;dquot-&gt;dq_count);<br /> <br /> __dquot_initialize<br /> __dquot_initialize<br /> dqget<br /> if (!test_bit(DQ_ACTIVE_B, &amp;dquot-&gt;dq_flags))<br /> ext4_acquire_dquot<br /> -&gt; Return error DQ_ACTIVE_B flag isn&amp;#39;t set<br /> dquot_disable<br /> invalidate_dquots<br /> if (atomic_read(&amp;dquot-&gt;dq_count))<br /> dqgrab<br /> WARN_ON_ONCE(!test_bit(DQ_ACTIVE_B, &amp;dquot-&gt;dq_flags))<br /> -&gt; Trigger warning<br /> <br /> In the above scenario, &amp;#39;dquot-&gt;dq_flags&amp;#39; has no DQ_ACTIVE_B is normal when<br /> dqgrab().<br /> To solve above issue just replace the dqgrab() use in invalidate_dquots() with<br /> atomic_inc(&amp;dquot-&gt;dq_count).