CVE-2024-40943

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ocfs2: fix races between hole punching and AIO+DIO<br /> <br /> After commit "ocfs2: return real error code in ocfs2_dio_wr_get_block",<br /> fstests/generic/300 become from always failed to sometimes failed:<br /> <br /> ========================================================================<br /> [ 473.293420 ] run fstests generic/300<br /> <br /> [ 475.296983 ] JBD2: Ignoring recovery information on journal<br /> [ 475.302473 ] ocfs2: Mounting device (253,1) on (node local, slot 0) with ordered data mode.<br /> [ 494.290998 ] OCFS2: ERROR (device dm-1): ocfs2_change_extent_flag: Owner 5668 has an extent at cpos 78723 which can no longer be found<br /> [ 494.291609 ] On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted.<br /> [ 494.292018 ] OCFS2: File system is now read-only.<br /> [ 494.292224 ] (kworker/19:11,2628,19):ocfs2_mark_extent_written:5272 ERROR: status = -30<br /> [ 494.292602 ] (kworker/19:11,2628,19):ocfs2_dio_end_io_write:2374 ERROR: status = -3<br /> fio: io_u error on file /mnt/scratch/racer: Read-only file system: write offset=460849152, buflen=131072<br /> =========================================================================<br /> <br /> In __blockdev_direct_IO, ocfs2_dio_wr_get_block is called to add unwritten<br /> extents to a list. extents are also inserted into extent tree in<br /> ocfs2_write_begin_nolock. Then another thread call fallocate to puch a<br /> hole at one of the unwritten extent. The extent at cpos was removed by<br /> ocfs2_remove_extent(). At end io worker thread, ocfs2_search_extent_list<br /> found there is no such extent at the cpos.<br /> <br /> T1 T2 T3<br /> inode lock<br /> ...<br /> insert extents<br /> ...<br /> inode unlock<br /> ocfs2_fallocate<br /> __ocfs2_change_file_space<br /> inode lock<br /> lock ip_alloc_sem<br /> ocfs2_remove_inode_range inode<br /> ocfs2_remove_btree_range<br /> ocfs2_remove_extent<br /> ^---remove the extent at cpos 78723<br /> ...<br /> unlock ip_alloc_sem<br /> inode unlock<br /> ocfs2_dio_end_io<br /> ocfs2_dio_end_io_write<br /> lock ip_alloc_sem<br /> ocfs2_mark_extent_written<br /> ocfs2_change_extent_flag<br /> ocfs2_search_extent_list<br /> ^---failed to find extent<br /> ...<br /> unlock ip_alloc_sem<br /> <br /> In most filesystems, fallocate is not compatible with racing with AIO+DIO,<br /> so fix it by adding to wait for all dio before fallocate/punch_hole like<br /> ext4.