Description
In the Linux kernel, the following vulnerability has been resolved: dm-bufio: fix sched in atomic context If "try_verify_in_tasklet" is set for dm-verity, DM_BUFIO_CLIENT_NO_SLEEP is enabled for dm-bufio. However, when bufio tries to evict buffers, there is a chance to trigger scheduling in spin_lock_bh, the following warning is hit: BUG: sleeping function called from invalid context at drivers/md/dm-bufio.c:2745 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 123, name: kworker/2:2 preempt_count: 201, expected: 0 RCU nest depth: 0, expected: 0 4 locks held by kworker/2:2/123: #0: ffff88800a2d1548 ((wq_completion)dm_bufio_cache){....}-{0:0}, at: process_one_work+0xe46/0x1970 #1: ffffc90000d97d20 ((work_completion)(&dm_bufio_replacement_work)){....}-{0:0}, at: process_one_work+0x763/0x1970 #2: ffffffff8555b528 (dm_bufio_clients_lock){....}-{3:3}, at: do_global_cleanup+0x1ce/0x710 #3: ffff88801d5820b8 (&c->spinlock){....}-{2:2}, at: do_global_cleanup+0x2a5/0x710 Preemption disabled at: [<0000000000000000>] 0x0 CPU: 2 UID: 0 PID: 123 Comm: kworker/2:2 Not tainted 6.16.0-rc3-g90548c634bd0 #305 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Workqueue: dm_bufio_cache do_global_cleanup Call Trace: <TASK> dump_stack_lvl+0x53/0x70 __might_resched+0x360/0x4e0 do_global_cleanup+0x2f5/0x710 process_one_work+0x7db/0x1970 worker_thread+0x518/0xea0 kthread+0x359/0x690 ret_from_fork+0xf3/0x1b0 ret_from_fork_asm+0x1a/0x30 </TASK> That can be reproduced by: veritysetup format --data-block-size=4096 --hash-block-size=4096 /dev/vda /dev/vdb SIZE=$(blockdev --getsz /dev/vda) dmsetup create myverity -r --table "0 $SIZE verity 1 /dev/vda /dev/vdb 4096 4096 <data_blocks> 1 sha256 <root_hash> <salt> 1 try_verify_in_tasklet" mount /dev/dm-0 /mnt -o ro echo 102400 > /sys/module/dm_bufio/parameters/max_cache_size_bytes [read files in /mnt]
Product status
450e8dee51aa6fa1dd0f64073e88235f1a77b035 (git) before 469a39a33a9934af157299bf11c58f6e6cb53f85
450e8dee51aa6fa1dd0f64073e88235f1a77b035 (git) before 68860d1ade385eef9fcdbf6552f061283091fdb8
450e8dee51aa6fa1dd0f64073e88235f1a77b035 (git) before 3edfdb1d4ef81320dae0caa40bc24baf8c1bbb86
450e8dee51aa6fa1dd0f64073e88235f1a77b035 (git) before b1bf1a782fdf5c482215c0c661b5da98b8e75773
6.4
Any version before 6.4
6.6.100 (semver)
6.12.40 (semver)
6.15.8 (semver)
6.16 (original_commit_for_fix)
References
git.kernel.org/...c/469a39a33a9934af157299bf11c58f6e6cb53f85
git.kernel.org/...c/68860d1ade385eef9fcdbf6552f061283091fdb8
git.kernel.org/...c/3edfdb1d4ef81320dae0caa40bc24baf8c1bbb86
git.kernel.org/...c/b1bf1a782fdf5c482215c0c661b5da98b8e75773