From: Lee Jones
To: linux-cve-announce@vger.kernel.org
Cc: Lee Jones
Subject: CVE-2023-52623: SUNRPC: Fix a suspicious RCU usage warning
Date: Tue, 26 Mar 2024 17:19:32 +0000
Message-ID: <20240326171931.1354035-6-lee@kernel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

SUNRPC: Fix a suspicious RCU usage warning

I received the following warning while running cthon against an ontap
server running pNFS:

[ 57.202521] =============================
[ 57.202522] WARNING: suspicious RCU usage
[ 57.202523] 6.7.0-rc3-g2cc14f52aeb7 #41492 Not tainted
[ 57.202525] -----------------------------
[ 57.202525] net/sunrpc/xprtmultipath.c:349 RCU-list traversed in non-reader section!!
[ 57.202527] other info that might help us debug this:
[ 57.202528] rcu_scheduler_active = 2, debug_locks = 1
[ 57.202529] no locks held by test5/3567.
[ 57.202530] stack backtrace:
[ 57.202532] CPU: 0 PID: 3567 Comm: test5 Not tainted 6.7.0-rc3-g2cc14f52aeb7 #41492 5b09971b4965c0aceba19f3eea324a4a806e227e
[ 57.202534] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 2/2/2022
[ 57.202536] Call Trace:
[ 57.202537]
[ 57.202540] dump_stack_lvl+0x77/0xb0
[ 57.202551] lockdep_rcu_suspicious+0x154/0x1a0
[ 57.202556] rpc_xprt_switch_has_addr+0x17c/0x190 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]
[ 57.202596] rpc_clnt_setup_test_and_add_xprt+0x50/0x180 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]
[ 57.202621] ? rpc_clnt_add_xprt+0x254/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]
[ 57.202646] rpc_clnt_add_xprt+0x27a/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]
[ 57.202671] ? __pfx_rpc_clnt_setup_test_and_add_xprt+0x10/0x10 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]
[ 57.202696] nfs4_pnfs_ds_connect+0x345/0x760 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]
[ 57.202728] ? __pfx_nfs4_test_session_trunk+0x10/0x10 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]
[ 57.202754] nfs4_fl_prepare_ds+0x75/0xc0 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]
[ 57.202760] filelayout_write_pagelist+0x4a/0x200 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]
[ 57.202765] pnfs_generic_pg_writepages+0xbe/0x230 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]
[ 57.202788] __nfs_pageio_add_request+0x3fd/0x520 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]
[ 57.202813] nfs_pageio_add_request+0x18b/0x390 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]
[ 57.202831] nfs_do_writepage+0x116/0x1e0 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]
[ 57.202849] nfs_writepages_callback+0x13/0x30 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]
[ 57.202866] write_cache_pages+0x265/0x450
[ 57.202870] ? __pfx_nfs_writepages_callback+0x10/0x10 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]
[ 57.202891] nfs_writepages+0x141/0x230 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]
[ 57.202913] do_writepages+0xd2/0x230
[ 57.202917] ? filemap_fdatawrite_wbc+0x5c/0x80
[ 57.202921] filemap_fdatawrite_wbc+0x67/0x80
[ 57.202924] filemap_write_and_wait_range+0xd9/0x170
[ 57.202930] nfs_wb_all+0x49/0x180 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]
[ 57.202947] nfs4_file_flush+0x72/0xb0 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]
[ 57.202969] __se_sys_close+0x46/0xd0
[ 57.202972] do_syscall_64+0x68/0x100
[ 57.202975] ? do_syscall_64+0x77/0x100
[ 57.202976] ? do_syscall_64+0x77/0x100
[ 57.202979] entry_SYSCALL_64_after_hwframe+0x6e/0x76
[ 57.202982] RIP: 0033:0x7fe2b12e4a94
[ 57.202985] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d d5 18 0e 00 00 74 13 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 44 c3 0f 1f 00 48 83 ec 18 89 7c 24 0c e8 c3
[ 57.202987] RSP: 002b:00007ffe857ddb38 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[ 57.202989] RAX: ffffffffffffffda RBX: 00007ffe857dfd68 RCX: 00007fe2b12e4a94
[ 57.202991] RDX: 0000000000002000 RSI: 00007ffe857ddc40 RDI: 0000000000000003
[ 57.202992] RBP: 00007ffe857dfc50 R08: 7fffffffffffffff R09: 0000000065650f49
[ 57.202993] R10: 00007fe2b11f8300 R11: 0000000000000202 R12: 0000000000000000
[ 57.202994] R13: 00007ffe857dfd80 R14: 00007fe2b1445000 R15: 0000000000000000
[ 57.202999]

The problem seems to be that two out of three callers aren't taking the
rcu_read_lock() before calling the list_for_each_entry_rcu() function in
rpc_xprt_switch_has_addr(). I fix this by having rpc_xprt_switch_has_addr()
unconditionally take the rcu_read_lock(), which is okay to do recursively in
the case that the lock has already been taken by a caller.

The Linux kernel CVE team has assigned CVE-2023-52623 to this issue.

Affected and fixed versions
===========================

Fixed in 4.19.307 with commit fece80a2a671
Fixed in 5.4.269 with commit 7a96d85bf196
Fixed in 5.10.210 with commit c430e6bb4395
Fixed in 5.15.149 with commit f8cf4dabbdcb
Fixed in 6.1.77 with commit e8ca3e73301e
Fixed in 6.6.16 with commit 69c7eeb4f622
Fixed in 6.7.4 with commit 8f860c840747
Fixed in 6.8 with commit 31b62908693c

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-52623
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
net/sunrpc/xprtmultipath.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:

https://git.kernel.org/stable/c/fece80a2a6718ed58487ce397285bb1b83a3e54e
https://git.kernel.org/stable/c/7a96d85bf196c170dcf1b47a82e9bb97cca69aa6
https://git.kernel.org/stable/c/c430e6bb43955c6bf573665fcebf31694925b9f7
https://git.kernel.org/stable/c/f8cf4dabbdcb8bef85335b0ed7ad5b25fd82ff56
https://git.kernel.org/stable/c/e8ca3e73301e23e8c0ac0ce2e6bac4545cd776e0
https://git.kernel.org/stable/c/69c7eeb4f622c2a28da965f970f982db171f3dc6
https://git.kernel.org/stable/c/8f860c8407470baff2beb9982ad6b172c94f1d0a
https://git.kernel.org/stable/c/31b62908693c90d4d07db597e685d9f25a120073
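The bug class and the fix shape from the description above, as an added userspace model that is not kernel code and not the patch itself: a helper that walks an RCU-protected list is only correct inside a reader section, and the fix is to take the (nestable) rcu_read_lock() inside the helper rather than trusting every caller. The rcu_* functions, struct xprt, walk_rcu_list, has_addr_fixed and warnings_for are stand-ins constructed for this example; the "suspicious usage" counter plays the role of the lockdep check that produced the warning.

```c
#include <stdbool.h>
#include <string.h>
/* Reader nesting depth standing in for the kernel's: rcu_read_lock()
 * nests, so a callee may take it even when its caller already did. */
static int rcu_depth;
static void rcu_read_lock(void)      { rcu_depth++; }
static void rcu_read_unlock(void)    { rcu_depth--; }
static bool rcu_read_lock_held(void) { return rcu_depth > 0; }

struct xprt { const char *addr; struct xprt *next; };
/* Stand-in for list_for_each_entry_rcu() with CONFIG_PROVE_RCU: the
 * traversal itself flags a walk outside any reader section, which is
 * the "RCU-list traversed in non-reader section" warning quoted above.
 * Calling this directly is the pre-fix shape of rpc_xprt_switch_has_addr():
 * it is only correct if every caller locked first. */
static int suspicious_usage;
static bool walk_rcu_list(const struct xprt *head, const char *addr)
{
    if (!rcu_read_lock_held())
        suspicious_usage++;
    for (const struct xprt *x = head; x; x = x->next)
        if (strcmp(x->addr, addr) == 0)
            return true;
    return false;
}

/* Post-fix shape: lock unconditionally; nesting keeps it safe when the
 * caller already holds rcu_read_lock(). */
static bool has_addr_fixed(const struct xprt *head, const char *addr)
{
    rcu_read_lock();
    bool found = walk_rcu_list(head, addr);
    rcu_read_unlock();
    return found;
}

/* Constructed two-entry list. Returns the warnings raised by the chosen
 * shape (fixed = 0: bare walk, 1: has_addr_fixed) when the caller holds
 * the lock `locked` times; -1 if the lookup fails or depth is not restored. */
int warnings_for(int fixed, int locked)
{
    struct xprt b = { "10.0.0.2", NULL }, a = { "10.0.0.1", &b };
    suspicious_usage = 0;
    for (int i = 0; i < locked; i++) rcu_read_lock();
    bool found = fixed ? has_addr_fixed(&a, "10.0.0.2")
                       : walk_rcu_list(&a, "10.0.0.2");
    for (int i = 0; i < locked; i++) rcu_read_unlock();
    return (found && rcu_depth == 0) ? suspicious_usage : -1;
}
```

Only the bare walk from an unlocked caller trips the check; the fixed helper is silent whether or not its caller holds the lock, and the nesting depth returns to zero in every case.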