CVE-2024-50280

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dm cache: fix flushing uninitialized delayed_work on cache_ctr error<br /> <br /> An unexpected WARN_ON from flush_work() may occur when cache creation<br /> fails, caused by destroying the uninitialized delayed_work waker in the<br /> error path of cache_create(). For example, the warning appears on the<br /> superblock checksum error.<br /> <br /> Reproduce steps:<br /> <br /> dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"<br /> dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"<br /> dmsetup create corig --table "0 524288 linear /dev/sdc 262144"<br /> dd if=/dev/urandom of=/dev/mapper/cmeta bs=4k count=1 oflag=direct<br /> dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \<br /> /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"<br /> <br /> Kernel logs:<br /> <br /> (snip)<br /> WARNING: CPU: 0 PID: 84 at kernel/workqueue.c:4178 __flush_work+0x5d4/0x890<br /> <br /> Fix by pulling out the cancel_delayed_work_sync() from the constructor&amp;#39;s<br /> error path. This patch doesn&amp;#39;t affect the use-after-free fix for<br /> concurrent dm_resume and dm_destroy (commit 6a459d8edbdb ("dm cache: Fix<br /> UAF in destroy()")) as cache_dtr is not changed.