Description
In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix recursive semaphore deadlock in fiemap call syzbot detected a OCFS2 hang due to a recursive semaphore on a FS_IOC_FIEMAP of the extent list on a specially crafted mmap file. context_switch kernel/sched/core.c:5357 [inline] __schedule+0x1798/0x4cc0 kernel/sched/core.c:6961 __schedule_loop kernel/sched/core.c:7043 [inline] schedule+0x165/0x360 kernel/sched/core.c:7058 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7115 rwsem_down_write_slowpath+0x872/0xfe0 kernel/locking/rwsem.c:1185 __down_write_common kernel/locking/rwsem.c:1317 [inline] __down_write kernel/locking/rwsem.c:1326 [inline] down_write+0x1ab/0x1f0 kernel/locking/rwsem.c:1591 ocfs2_page_mkwrite+0x2ff/0xc40 fs/ocfs2/mmap.c:142 do_page_mkwrite+0x14d/0x310 mm/memory.c:3361 wp_page_shared mm/memory.c:3762 [inline] do_wp_page+0x268d/0x5800 mm/memory.c:3981 handle_pte_fault mm/memory.c:6068 [inline] __handle_mm_fault+0x1033/0x5440 mm/memory.c:6195 handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364 do_user_addr_fault+0x764/0x1390 arch/x86/mm/fault.c:1387 handle_page_fault arch/x86/mm/fault.c:1476 [inline] exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 RIP: 0010:copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline] RIP: 0010:raw_copy_to_user arch/x86/include/asm/uaccess_64.h:147 [inline] RIP: 0010:_inline_copy_to_user include/linux/uaccess.h:197 [inline] RIP: 0010:_copy_to_user+0x85/0xb0 lib/usercopy.c:26 Code: e8 00 bc f7 fc 4d 39 fc 72 3d 4d 39 ec 77 38 e8 91 b9 f7 fc 4c 89 f7 89 de e8 47 25 5b fd 0f 01 cb 4c 89 ff 48 89 d9 4c 89 f6 <f3> a4 0f 1f 00 48 89 cb 0f 01 ca 48 89 d8 5b 41 5c 41 5d 41 5e 41 RSP: 0018:ffffc9000403f950 EFLAGS: 00050256 RAX: ffffffff84c7f101 RBX: 0000000000000038 RCX: 0000000000000038 RDX: 0000000000000000 RSI: ffffc9000403f9e0 RDI: 0000200000000060 RBP: ffffc9000403fa90 R08: ffffc9000403fa17 R09: 1ffff92000807f42 R10: dffffc0000000000 R11: fffff52000807f43 R12: 0000200000000098 R13: 00007ffffffff000 R14: ffffc9000403f9e0 R15: 0000200000000060 copy_to_user include/linux/uaccess.h:225 [inline] fiemap_fill_next_extent+0x1c0/0x390 fs/ioctl.c:145 ocfs2_fiemap+0x888/0xc90 fs/ocfs2/extent_map.c:806 ioctl_fiemap fs/ioctl.c:220 [inline] do_vfs_ioctl+0x1173/0x1430 fs/ioctl.c:532 __do_sys_ioctl fs/ioctl.c:596 [inline] __se_sys_ioctl+0x82/0x170 fs/ioctl.c:584 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5f13850fd9 RSP: 002b:00007ffe3b3518b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000200000000000 RCX: 00007f5f13850fd9 RDX: 0000200000000040 RSI: 00000000c020660b RDI: 0000000000000004 RBP: 6165627472616568 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe3b3518f0 R13: 00007ffe3b351b18 R14: 431bde82d7b634db R15: 00007f5f1389a03b ocfs2_fiemap() takes a read lock of the ip_alloc_sem semaphore (since v2.6.22-527-g7307de80510a) and calls fiemap_fill_next_extent() to read the extent list of this running mmap executable. The user supplied buffer to hold the fiemap information page faults calling ocfs2_page_mkwrite() which will take a write lock (since v2.6.27-38-g00dc417fa3e7) of the same semaphore. This recursive semaphore will hold filesystem locks and causes a hang of the fileystem. The ip_alloc_sem protects the inode extent list and size. Release the read semphore before calling fiemap_fill_next_extent() in ocfs2_fiemap() and ocfs2_fiemap_inline(). This does an unnecessary semaphore lock/unlock on the last extent but simplifies the error path.
Product status
00dc417fa3e763345b34ccb6034d72de76eea0a1 (git) before 16e518ca84dfe860c20a62f3615e14e8af0ace57
00dc417fa3e763345b34ccb6034d72de76eea0a1 (git) before 7e1514bd44ef68007703c752c99ff7319f35bce6
00dc417fa3e763345b34ccb6034d72de76eea0a1 (git) before ef30404980e4c832ef9bba1b10c08f67fa77a9ec
00dc417fa3e763345b34ccb6034d72de76eea0a1 (git) before 36054554772f95d090eb45793faf6aa3c0254b02
00dc417fa3e763345b34ccb6034d72de76eea0a1 (git) before 0709bc11b942870fc0a7be150e42aea42321093a
00dc417fa3e763345b34ccb6034d72de76eea0a1 (git) before 1d3c96547ee2ddeaddf8f19a3ef99ea06cc8115e
00dc417fa3e763345b34ccb6034d72de76eea0a1 (git) before 9efcb7a8b97310efed995397941a292cf89fa94f
00dc417fa3e763345b34ccb6034d72de76eea0a1 (git) before 04100f775c2ea501927f508f17ad824ad1f23c8d
2.6.28
Any version before 2.6.28
5.4.300 (semver)
5.10.245 (semver)
5.15.194 (semver)
6.1.153 (semver)
6.6.107 (semver)
6.12.48 (semver)
6.16.8 (semver)
6.17 (original_commit_for_fix)
References
lists.debian.org/debian-lts-announce/2025/10/msg00008.html
git.kernel.org/...c/16e518ca84dfe860c20a62f3615e14e8af0ace57
git.kernel.org/...c/7e1514bd44ef68007703c752c99ff7319f35bce6
git.kernel.org/...c/ef30404980e4c832ef9bba1b10c08f67fa77a9ec
git.kernel.org/...c/36054554772f95d090eb45793faf6aa3c0254b02
git.kernel.org/...c/0709bc11b942870fc0a7be150e42aea42321093a
git.kernel.org/...c/1d3c96547ee2ddeaddf8f19a3ef99ea06cc8115e
git.kernel.org/...c/9efcb7a8b97310efed995397941a292cf89fa94f
git.kernel.org/...c/04100f775c2ea501927f508f17ad824ad1f23c8d
