CVE-2024-56565

Summary

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to drop all discards after creating snapshot on lvm device

Piergiorgio reported a bug in bugzilla as below:

————[ cut here ]———— WARNING: CPU: 2 PID: 969 at fs/f2fs/segment.c:1330 RIP: 0010:__submit_discard_cmd+0x27d/0x400 [f2fs] Call Trace: __issue_discard_cmd+0x1ca/0x350 [f2fs] issue_discard_thread+0x191/0x480 [f2fs] kthread+0xcf/0x100 ret_from_fork+0x31/0x50 ret_from_fork_asm+0x1a/0x30

w/ below testcase, it can reproduce this bug quickly:

  • pvcreate /dev/vdb
  • vgcreate myvg1 /dev/vdb
  • lvcreate -L 1024m -n mylv1 myvg1
  • mount /dev/myvg1/mylv1 /mnt/f2fs
  • dd if=/dev/zero of=/mnt/f2fs/file bs=1M count=20
  • sync
  • rm /mnt/f2fs/file
  • sync
  • lvcreate -L 1024m -s -n mylv1-snapshot /dev/myvg1/mylv1
  • umount /mnt/f2fs

The root cause is: it will update discard_max_bytes of mounted lvm device to zero after creating snapshot on this lvm device, then, __submit_discard_cmd() will pass parameter @nr_sects w/ zero value to __blkdev_issue_discard(), it returns a NULL bio pointer, result in panic.

This patch changes as below for fixing:

  1. Let's drop all remained discards in f2fs_unfreeze() if snapshot of lvm device is created.
  2. Checking discard_max_bytes before submitting discard during __submit_discard_cmd().

Affected Software

VendorProductVersion RangeStatus
LinuxLinux35ec7d5748849762008e8ae9f8ad2766229d5794 < ed24ab98242f8d22b66fbe0452c97751b5ea4e22affected
LinuxLinux35ec7d5748849762008e8ae9f8ad2766229d5794 < 15136c3861a3341db261ebdbb6ae4ae1765635e2affected
LinuxLinux35ec7d5748849762008e8ae9f8ad2766229d5794 < bc8aeb04fd80cb8cfae3058445c84410fd0beb5eaffected
LinuxLinux4.19affected
LinuxLinux0 < 4.19unaffected
LinuxLinux6.6.66 <= 6.6.*unaffected
LinuxLinux6.12.4 <= 6.12.*unaffected
LinuxLinux6.13 <= *unaffected

Weaknesses

References