CVE-2023-54177

Summary

In the Linux kernel, the following vulnerability has been resolved:

quota: fix warning in dqgrab()

There's issue as follows when do fault injection: WARNING: CPU: 1 PID: 14870 at include/linux/quotaops.h:51 dquot_disable+0x13b7/0x18c0 Modules linked in: CPU: 1 PID: 14870 Comm: fsconfig Not tainted 6.3.0-next-20230505-00006-g5107a9c821af-dirty #541 RIP: 0010:dquot_disable+0x13b7/0x18c0 RSP: 0018:ffffc9000acc79e0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88825e41b980 RDX: 0000000000000000 RSI: ffff88825e41b980 RDI: 0000000000000002 RBP: ffff888179f68000 R08: ffffffff82087ca7 R09: 0000000000000000 R10: 0000000000000001 R11: ffffed102f3ed026 R12: ffff888179f68130 R13: ffff888179f68110 R14: dffffc0000000000 R15: ffff888179f68118 FS: 00007f450a073740(0000) GS:ffff88882fc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffe96f2efd8 CR3: 000000025c8ad000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> dquot_load_quota_sb+0xd53/0x1060 dquot_resume+0x172/0x230 ext4_reconfigure+0x1dc6/0x27b0 reconfigure_super+0x515/0xa90 __x64_sys_fsconfig+0xb19/0xd20 do_syscall_64+0x39/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Above issue may happens as follows: ProcessA ProcessB ProcessC sys_fsconfig vfs_fsconfig_locked reconfigure_super ext4_remount dquot_suspend -> suspend all type quota

             sys_fsconfig
              vfs_fsconfig_locked
                reconfigure_super
                 ext4_remount
                  dquot_resume
                   ret = dquot_load_quota_sb
                    add_dquot_ref
                                       do_open  -&gt; open file O_RDWR
                                        vfs_open
                                         do_dentry_open
                                          get_write_access
                                           atomic_inc_unless_negative(&amp;inode-&gt;i_writecount)
                                          ext4_file_open
                                           dquot_file_open
                                            dquot_initialize
                                              __dquot_initialize
                                               dqget
					    atomic_inc(&amp;dquot-&gt;dq_count);

                      __dquot_initialize
                       __dquot_initialize
                        dqget
                         if (!test_bit(DQ_ACTIVE_B, &amp;dquot-&gt;dq_flags))
                           ext4_acquire_dquot
		        -&gt; Return error DQ_ACTIVE_B flag isn&#39;t set
                     dquot_disable
		  invalidate_dquots
		   if (atomic_read(&amp;dquot-&gt;dq_count))
                    dqgrab
		     WARN_ON_ONCE(!test_bit(DQ_ACTIVE_B, &amp;dquot-&gt;dq_flags))
                      -&gt; Trigger warning

In the above scenario, 'dquot->dq_flags' has no DQ_ACTIVE_B is normal when dqgrab(). To solve above issue just replace the dqgrab() use in invalidate_dquots() with atomic_inc(&dquot->dq_count).

Affected Software

VendorProductVersion RangeStatus
LinuxLinux9f985cb6c45bc3f8b7e161c9658d409d051d576f < 6478eabc92274efae6269da7c515ba2b4c8e88d8affected
LinuxLinux9f985cb6c45bc3f8b7e161c9658d409d051d576f < 965bad2bf1afef64ec16249da676dc7310cca32eaffected
LinuxLinux9f985cb6c45bc3f8b7e161c9658d409d051d576f < 3f378783c47b5749317ea008d8c931d6d3986d8faffected
LinuxLinux9f985cb6c45bc3f8b7e161c9658d409d051d576f < cbaebbba722cb9738c55903efce11f51cdd97beeaffected
LinuxLinux9f985cb6c45bc3f8b7e161c9658d409d051d576f < 579d814de87c3cac69c9b261efa165d07cde3357affected
LinuxLinux9f985cb6c45bc3f8b7e161c9658d409d051d576f < 6432843debe1ec7d76c5b2f76c67f9c5df22436eaffected
LinuxLinux9f985cb6c45bc3f8b7e161c9658d409d051d576f < 6f4e543d277a12dfeff027e6ab24a170e1bfc160affected
LinuxLinux9f985cb6c45bc3f8b7e161c9658d409d051d576f < d6a95db3c7ad160bc16b89e36449705309b52bcbaffected
LinuxLinuxb5258061a2a8f657aa5900dd3c1ded9e868e3544affected
LinuxLinux3.12.24 < 3.13affected
LinuxLinux3.15affected
LinuxLinux0 < 3.15unaffected
LinuxLinux4.14.324 <= 4.14.*unaffected
LinuxLinux4.19.293 <= 4.19.*unaffected
LinuxLinux5.4.255 <= 5.4.*unaffected
LinuxLinux5.10.192 <= 5.10.*unaffected
LinuxLinux5.15.123 <= 5.15.*unaffected
LinuxLinux6.1.42 <= 6.1.*unaffected
LinuxLinux6.4.7 <= 6.4.*unaffected
LinuxLinux6.5 <= *unaffected

Weaknesses

References