Security update for the Linux Kernel SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:3403-1 Final 1 1 2024-09-23T13:55:21Z current 2024-09-23T13:55:21Z 2024-09-23T13:55:21Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel The SUSE Linux Enterprise 15 SP4 RT kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-45003: Don't evict inode under the inode lru traversing context. (bsc#1230245) The following non-security bugs were fixed: - Revert 'mm, kmsan: fix infinite recursion due to RCU critical section'. (bsc#1230413) - Revert 'mm/sparsemem: fix race in accessing memory_section->usage'. (bsc#1230413) - Revert 'mm: prevent derefencing NULL ptr in pfn_section_valid()'. (bsc#1230413) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-3403,SUSE-SLE-Micro-5.3-2024-3403,SUSE-SLE-Micro-5.4-2024-3403 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20243403-1/ Link for SUSE-SU-2024:3403-1 https://lists.suse.com/pipermail/sle-security-updates/2024-September/019501.html E-Mail link for SUSE-SU-2024:3403-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1230245 SUSE Bug 1230245 https://bugzilla.suse.com/1230413 SUSE Bug 1230413 https://www.suse.com/security/cve/CVE-2024-45003/ SUSE CVE CVE-2024-45003 page SUSE Linux Enterprise Micro 5.3 SUSE Linux Enterprise Micro 5.4 cluster-md-kmp-rt-5.14.21-150400.15.94.1 dlm-kmp-rt-5.14.21-150400.15.94.1 gfs2-kmp-rt-5.14.21-150400.15.94.1 kernel-devel-rt-5.14.21-150400.15.94.1 kernel-rt-5.14.21-150400.15.94.1 kernel-rt-devel-5.14.21-150400.15.94.1 kernel-rt-extra-5.14.21-150400.15.94.1 kernel-rt-livepatch-5.14.21-150400.15.94.1 kernel-rt-livepatch-devel-5.14.21-150400.15.94.1 kernel-rt-optional-5.14.21-150400.15.94.1 kernel-rt_debug-5.14.21-150400.15.94.1 kernel-rt_debug-devel-5.14.21-150400.15.94.1 kernel-rt_debug-livepatch-devel-5.14.21-150400.15.94.1 kernel-source-rt-5.14.21-150400.15.94.1 kernel-syms-rt-5.14.21-150400.15.94.1 kselftests-kmp-rt-5.14.21-150400.15.94.1 ocfs2-kmp-rt-5.14.21-150400.15.94.1 reiserfs-kmp-rt-5.14.21-150400.15.94.1 kernel-rt-5.14.21-150400.15.94.1 as a component of SUSE Linux Enterprise Micro 5.3 kernel-source-rt-5.14.21-150400.15.94.1 as a component of SUSE Linux Enterprise Micro 5.3 kernel-rt-5.14.21-150400.15.94.1 as a component of SUSE Linux Enterprise Micro 5.4 kernel-source-rt-5.14.21-150400.15.94.1 as a component of SUSE Linux Enterprise Micro 5.4 In the Linux kernel, the following vulnerability has been resolved: vfs: Don't evict inode under the inode lru traversing context The inode reclaiming process(See function prune_icache_sb) collects all reclaimable inodes and mark them with I_FREEING flag at first, at that time, other processes will be stuck if they try getting these inodes (See function find_inode_fast), then the reclaiming process destroy the inodes by function dispose_list(). Some filesystems(eg. ext4 with ea_inode feature, ubifs with xattr) may do inode lookup in the inode evicting callback function, if the inode lookup is operated under the inode lru traversing context, deadlock problems may happen. Case 1: In function ext4_evict_inode(), the ea inode lookup could happen if ea_inode feature is enabled, the lookup process will be stuck under the evicting context like this: 1. File A has inode i_reg and an ea inode i_ea 2. getfattr(A, xattr_buf) // i_ea is added into lru // lru->i_ea 3. Then, following three processes running like this: PA PB echo 2 > /proc/sys/vm/drop_caches shrink_slab prune_dcache_sb // i_reg is added into lru, lru->i_ea->i_reg prune_icache_sb list_lru_walk_one inode_lru_isolate i_ea->i_state |= I_FREEING // set inode state inode_lru_isolate __iget(i_reg) spin_unlock(&i_reg->i_lock) spin_unlock(lru_lock) rm file A i_reg->nlink = 0 iput(i_reg) // i_reg->nlink is 0, do evict ext4_evict_inode ext4_xattr_delete_inode ext4_xattr_inode_dec_ref_all ext4_xattr_inode_iget ext4_iget(i_ea->i_ino) iget_locked find_inode_fast __wait_on_freeing_inode(i_ea) ----→ AA deadlock dispose_list // cannot be executed by prune_icache_sb wake_up_bit(&i_ea->i_state) Case 2: In deleted inode writing function ubifs_jnl_write_inode(), file deleting process holds BASEHD's wbuf->io_mutex while getting the xattr inode, which could race with inode reclaiming process(The reclaiming process could try locking BASEHD's wbuf->io_mutex in inode evicting function), then an ABBA deadlock problem would happen as following: 1. File A has inode ia and a xattr(with inode ixa), regular file B has inode ib and a xattr. 2. getfattr(A, xattr_buf) // ixa is added into lru // lru->ixa 3. Then, following three processes running like this: PA PB PC echo 2 > /proc/sys/vm/drop_caches shrink_slab prune_dcache_sb // ib and ia are added into lru, lru->ixa->ib->ia prune_icache_sb list_lru_walk_one inode_lru_isolate ixa->i_state |= I_FREEING // set inode state inode_lru_isolate __iget(ib) spin_unlock(&ib->i_lock) spin_unlock(lru_lock) rm file B ib->nlink = 0 rm file A iput(ia) ubifs_evict_inode(ia) ubifs_jnl_delete_inode(ia) ubifs_jnl_write_inode(ia) make_reservation(BASEHD) // Lock wbuf->io_mutex ubifs_iget(ixa->i_ino) iget_locked find_inode_fast __wait_on_freeing_inode(ixa) | iput(ib) // ib->nlink is 0, do evict | ubifs_evict_inode | ubifs_jnl_delete_inode(ib) ↓ ubifs_jnl_write_inode ABBA deadlock ←-----make_reservation(BASEHD) dispose_list // cannot be executed by prune_icache_sb wake_up_bit(&ixa->i_state) Fix the possible deadlock by using new inode state flag I_LRU_ISOLATING to pin the inode in memory while inode_lru_isolate( ---truncated--- CVE-2024-45003 SUSE Linux Enterprise Micro 5.3:kernel-rt-5.14.21-150400.15.94.1 SUSE Linux Enterprise Micro 5.3:kernel-source-rt-5.14.21-150400.15.94.1 SUSE Linux Enterprise Micro 5.4:kernel-rt-5.14.21-150400.15.94.1 SUSE Linux Enterprise Micro 5.4:kernel-source-rt-5.14.21-150400.15.94.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243403-1/ https://www.suse.com/security/cve/CVE-2024-45003.html CVE-2024-45003 https://bugzilla.suse.com/1230245 SUSE Bug 1230245