From: Lee Jones
To: linux-cve-announce@vger.kernel.org
Cc: Lee Jones
Subject: CVE-2024-26630: mm: cachestat: fix folio read-after-free in cache walk
Date: Wed, 13 Mar 2024 15:50:38 +0000
Message-ID: <20240313155037.1968072-2-lee@kernel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

mm: cachestat: fix folio read-after-free in cache walk

In cachestat, we access the folio from the page cache's xarray to compute its page offset, and check for its dirty and writeback flags.
However, we do not hold a reference to the folio before performing these actions, which means the folio can concurrently be released and reused as another folio/page/slab.

Get around this altogether by just using xarray's existing machinery for the folio page offsets and dirty/writeback states.

This changes behavior for tmpfs files to now always report zeroes in their dirty and writeback counters. This is okay as tmpfs doesn't follow conventional writeback cache behavior: its pages get "cleaned" during swapout, after which they're no longer resident etc.

The Linux kernel CVE team has assigned CVE-2024-26630 to this issue.

Affected and fixed versions
===========================

Issue introduced in 6.5 with commit cf264e1329fb and fixed in 6.6.21 with commit ba60fdf75e89
Issue introduced in 6.5 with commit cf264e1329fb and fixed in 6.7.9 with commit fe7e008e0ce7
Issue introduced in 6.5 with commit cf264e1329fb and fixed in 6.8 with commit 3a75cb05d53f

Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-26630 will be updated if fixes are backported; please check that for the most up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
mm/filemap.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all.
If, however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits:
https://git.kernel.org/stable/c/ba60fdf75e89ea762bb617be578dc47f27655117
https://git.kernel.org/stable/c/fe7e008e0ce728252e4ec652cceebcc62211657c
https://git.kernel.org/stable/c/3a75cb05d53f4a6823a32deb078de1366954a804