The Linux Kernel Mailing List
 help / color / mirror / Atom feed
* Please consider 83f99de1b7c0 ("ext2: fix race between setxattr and write back") for 5.10.y, 5.15.y, and 6.1.y
@ 2026-07-10  2:31 Michael Bommarito
  2026-07-10 11:28 ` Theodore Tso
  0 siblings, 1 reply; 3+ messages in thread
From: Michael Bommarito @ 2026-07-10  2:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel

Please consider the following already-mainlined fix for the stable
series listed below.

Upstream commit: 83f99de1b7c0dcfa42b211e5e40334b7ad786b36
Subject: ext2: fix race between setxattr and write back

This is a stable option-2 request for an already-mainlined fix. The
patch fixes a security-relevant bug pattern that remains present in the
listed stable branches in my current review.

Why this belongs in stable:
ext2_xattr_set2 allocates a block via the reservation window
concurrently with writeback (ext2_get_blocks), tripping rsv_window_dump
BUG() in ext2_try_to_allocate_with_rsv (panic/DoS); fix absent in the
checked stable branches and the unguarded reservation path plus
reservation-using xattr allocation are still present there.

Requested stable series:
- 5.10.y
- 5.15.y
- 6.1.y

Fresh stable check (2026-07-08):
- 5.10.y: 738ac465e4e9
  fix shape: absent; upstream diff: needs-adjustment
- 5.15.y: c86c4726e7f0
  fix shape: absent; upstream diff: needs-adjustment
- 6.1.y: 090666d3cc90
  fix shape: absent; upstream diff: needs-adjustment
- 6.6.y and newer checked longterms already have the fixed shape

The source-shape check looked for both the EXT2_ALLOC_NORESERVE xattr
allocation call and the matching reservation guard in fs/ext2/balloc.c.
Those are absent in the requested branches and present in the checked
6.6.y, 6.12.y, and 6.18.y branches.

Backport note:
The mechanical check above reports whether the upstream diff applies to
each listed branch as-is. Branches marked needs-adjustment may need an
equivalent stable backport rather than a straight cherry-pick.
The current upstream diff fails in fs/ext2/xattr.c at the same hunk on
5.10.y, 5.15.y, and 6.1.y, so an adjusted backport is expected for all
three requested series.

Impact: a local user with write access to an already-mounted writable
ext2 filesystem with user xattrs enabled can trigger a kernel BUG/oops
through user.* xattr churn and writeback pressure. I do not have evidence
for privilege escalation, code execution, or confidentiality/integrity
impact; this is an availability issue. My current CVSS 3.1 estimate for
that mounted-ext2 scope is 5.5.

Direct-tracking exposure in my current review includes Debian 11,
Debian 12, Amazon Linux 2023, and Android 13/14/15 GKI. Vendor trees
that do not directly track the above stable branches need separate
per-tree checks.

Primary touched files: fs/ext2/balloc.c, fs/ext2/xattr.c

No reproducer is included in this public stable request. I can provide
additional details privately if needed.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-07-11 20:10 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-10  2:31 Please consider 83f99de1b7c0 ("ext2: fix race between setxattr and write back") for 5.10.y, 5.15.y, and 6.1.y Michael Bommarito
2026-07-10 11:28 ` Theodore Tso
2026-07-11 20:09   ` Michael Bommarito

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox