[SRU,F,v2,0/1] CVE-2024-42077

Message ID	20241017062649.10459-1-massimiliano.pellizzer@canonical.com
Headers	show Return-Path: <kernel-team-bounces@lists.ubuntu.com> From: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com> To: kernel-team@lists.ubuntu.com Subject: [SRU][F][PATCH v2 0/1] CVE-2024-42077 Date: Thu, 17 Oct 2024 08:26:48 +0200 Message-ID: <20241017062649.10459-1-massimiliano.pellizzer@canonical.com> MIME-Version: 1.0 Precedence: list Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>
Series	CVE-2024-42077 \| expand [SRU,F,v2,0/1] CVE-2024-42077 [SRU,F,v2,1/1] ocfs2: fix DIO failure due to insufficient transaction credits

Message ID

20241017062649.10459-1-massimiliano.pellizzer@canonical.com

Headers

From: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F][PATCH v2 0/1] CVE-2024-42077
Date: Thu, 17 Oct 2024 08:26:48 +0200
Message-ID: <20241017062649.10459-1-massimiliano.pellizzer@canonical.com>
MIME-Version: 1.0
Precedence: list
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

Series

CVE-2024-42077 | expand

Message

Massimiliano Pellizzer Oct. 17, 2024, 6:26 a.m. UTC

[Impact]

ocfs2: fix DIO failure due to insufficient transaction credits

The code in ocfs2_dio_end_io_write() estimates number of necessary
transaction credits using ocfs2_calc_extend_credits().  This however does
not take into account that the IO could be arbitrarily large and can
contain arbitrary number of extents.

Extent tree manipulations do often extend the current transaction but not
in all of the cases.  For example if we have only single block extents in
the tree, ocfs2_mark_extent_written() will end up calling
ocfs2_replace_extent_rec() all the time and we will never extend the
current transaction and eventually exhaust all the transaction credits if
the IO contains many single block extents.  Once that happens a
WARN_ON(jbd2_handle_buffer_credits(handle) <= 0) is triggered in
jbd2_journal_dirty_metadata() and subsequently OCFS2 aborts in response to
this error.  This was actually triggered by one of our customers on a
heavily fragmented OCFS2 filesystem.

To fix the issue make sure the transaction always has enough credits for
one extent insert before each call of ocfs2_mark_extent_written().

[Fix]

Noble:  Fixed
Jammy:  Fixed
Focal:  Backported from linux-5.10.y
Bionic: Sent to ESM ML
Xenial: Not affected

[Test Case]

Compile tested only.

[Where problems could occur]

The fix affects the OCFS2 file system. An issue with this fix may lead
to kernel crashes, particularly when performing file operations on OCFS2
file system. Users may also notice unexpected file system behavior, such
as I/O errors or unresponsive file access, especially during large I/O
operations or under heavy load.

Jan Kara (1):
  ocfs2: fix DIO failure due to insufficient transaction credits

 fs/ocfs2/aops.c        |  5 +++++
 fs/ocfs2/journal.c     | 17 +++++++++++++++++
 fs/ocfs2/journal.h     |  2 ++
 fs/ocfs2/ocfs2_trace.h |  2 ++
 4 files changed, 26 insertions(+)

Comments

Manuel Diewald Oct. 17, 2024, 2:44 p.m. UTC | #1

On Thu, Oct 17, 2024 at 08:26:48AM +0200, Massimiliano Pellizzer wrote:
> [Impact]
> 
> ocfs2: fix DIO failure due to insufficient transaction credits
> 
> The code in ocfs2_dio_end_io_write() estimates number of necessary
> transaction credits using ocfs2_calc_extend_credits().  This however does
> not take into account that the IO could be arbitrarily large and can
> contain arbitrary number of extents.
> 
> Extent tree manipulations do often extend the current transaction but not
> in all of the cases.  For example if we have only single block extents in
> the tree, ocfs2_mark_extent_written() will end up calling
> ocfs2_replace_extent_rec() all the time and we will never extend the
> current transaction and eventually exhaust all the transaction credits if
> the IO contains many single block extents.  Once that happens a
> WARN_ON(jbd2_handle_buffer_credits(handle) <= 0) is triggered in
> jbd2_journal_dirty_metadata() and subsequently OCFS2 aborts in response to
> this error.  This was actually triggered by one of our customers on a
> heavily fragmented OCFS2 filesystem.
> 
> To fix the issue make sure the transaction always has enough credits for
> one extent insert before each call of ocfs2_mark_extent_written().
> 
> [Fix]
> 
> Noble:  Fixed
> Jammy:  Fixed
> Focal:  Backported from linux-5.10.y
> Bionic: Sent to ESM ML
> Xenial: Not affected
> 
> [Test Case]
> 
> Compile tested only.
> 
> [Where problems could occur]
> 
> The fix affects the OCFS2 file system. An issue with this fix may lead
> to kernel crashes, particularly when performing file operations on OCFS2
> file system. Users may also notice unexpected file system behavior, such
> as I/O errors or unresponsive file access, especially during large I/O
> operations or under heavy load.
> 
> Jan Kara (1):
>   ocfs2: fix DIO failure due to insufficient transaction credits
> 
>  fs/ocfs2/aops.c        |  5 +++++
>  fs/ocfs2/journal.c     | 17 +++++++++++++++++
>  fs/ocfs2/journal.h     |  2 ++
>  fs/ocfs2/ocfs2_trace.h |  2 ++
>  4 files changed, 26 insertions(+)
> 
> -- 
> 2.43.0
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Please include a short description of what changed between v1 -> v2 of
the ML submission next time. :)

Acked-by: Manuel Diewald <manuel.diewald@canonical.com>