(cc linux-ext4)

On Fri, 3 Jan 2025 15:42:39 +0800 cheung wall <zzqq0103.hey@xxxxxxxxx> wrote:

> Hello,
>
> I am writing to report a potential vulnerability identified in the
> Linux Kernel version 5.15.169. This issue was discovered using our
> custom vulnerability discovery tool.
>
> Affected File: mm/page_alloc.c
>
> File: mm/page_alloc.c
>
> Function: __alloc_pages
>
> Detailed Call Stack:
>
> ------------[ cut here begin]------------
>
> WARNING: CPU: 1 PID: 3458 at mm/page_alloc.c:5398 current_gfp_context include/linux/sched/mm.h:174 [inline]
> WARNING: CPU: 1 PID: 3458 at mm/page_alloc.c:5398 __alloc_pages+0x3d0/0x450 mm/page_alloc.c:5410
> Modules linked in:
> CPU: 1 PID: 3458 Comm: syz.4.203 Not tainted 5.15.169 #1
> Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> RIP: 0010:__alloc_pages+0x3d0/0x450 mm/page_alloc.c:5398
> Code: ff 4c 89 fa 44 89 f6 89 ef 89 6c 24 48 c6 44 24 78 00 4c 89 6c 24 60 e8 de dc ff ff 49 89 c4 e9 f8 fd ff ff 40 80 e5 3f eb c5 <0f> 0b eb 91 4c 89 e7 44 89 f6 45 31 e4 e8 5e 80 ff ff e9 ff fd ff
> RSP: 0018:ffff8881020df718 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 1ffff1102041bee4 RCX: dffffc0000000000
> RDX: 0000000000000000 RSI: 0000000000000014 RDI: 0000000000040dc0
> RBP: 0000000000000000 R08: 0000000000000001 R09: ffff8881020dfa67
> R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> FS:  00007f0c2bb1a6c0(0000) GS:ffff88811ae80000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000001b2d11fffc CR3: 0000000108780000 CR4: 0000000000350ee0
> Call Trace:
>  <TASK>
>  alloc_pages+0x18c/0x410 mm/mempolicy.c:2185
>  kmalloc_order+0x30/0xd0 mm/slab_common.c:966
>  kmalloc_order_trace+0x14/0xa0 mm/slab_common.c:982
>  kmalloc_array include/linux/slab.h:631 [inline]
>  kcalloc include/linux/slab.h:660 [inline]
>  hashtab_init+0xe5/0x240 security/selinux/ss/hashtab.c:41
>  policydb_read+0x781/0x61b0 security/selinux/ss/policydb.c:2531
>  security_load_policy+0x15b/0xf30 security/selinux/ss/services.c:2301
>  sel_write_load+0x382/0x1e70 security/selinux/selinuxfs.c:644
>  vfs_write+0x28f/0xad0 fs/read_write.c:592
>  ksys_write+0x12d/0x260 fs/read_write.c:647
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x33/0x80 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x6c/0xd6
> RIP: 0033:0x7f0c2cf4c9c9
> Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f0c2bb1a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> RAX: ffffffffffffffda RBX: 00007f0c2d168f80 RCX: 00007f0c2cf4c9c9
> RDX: 0000000000000163 RSI: 0000000020000380 RDI: 0000000000000003
> RBP: 00007f0c2cff91b6 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000000 R14: 00007f0c2d168f80 R15: 00007fff5b996ef8
>  </TASK>
> irq event stamp: 1509
> hardirqs last enabled at (1519): [<ffffffff812acfb8>] __up_console_sem+0x78/0x80 kernel/printk/printk.c:257
> hardirqs last disabled at (1528): [<ffffffff812acf9d>] __up_console_sem+0x5d/0x80 kernel/printk/printk.c:255
> softirqs last enabled at (798): [<ffffffff81166c99>] __do_softirq kernel/softirq.c:592 [inline]
> softirqs last enabled at (798): [<ffffffff81166c99>] invoke_softirq kernel/softirq.c:432 [inline]
> softirqs last enabled at (798): [<ffffffff81166c99>] __irq_exit_rcu kernel/softirq.c:641 [inline]
> softirqs last enabled at (798): [<ffffffff81166c99>] irq_exit_rcu+0xe9/0x130 kernel/softirq.c:653
> softirqs last disabled at (175): [<ffffffff81166c99>] __do_softirq kernel/softirq.c:592 [inline]
> softirqs last disabled at (175): [<ffffffff81166c99>] invoke_softirq kernel/softirq.c:432 [inline]
> softirqs last disabled at (175): [<ffffffff81166c99>] __irq_exit_rcu kernel/softirq.c:641 [inline]
> softirqs last disabled at (175): [<ffffffff81166c99>] irq_exit_rcu+0xe9/0x130 kernel/softirq.c:653
>
> ------------[ cut here end]------------
>
> Root Cause:
>
> The crash is caused by a circular locking dependency detected within
> the Linux kernel's Ext4 filesystem and quota management subsystems.
> Specifically, the task is attempting to acquire the dq_lock
> (&dquot->dq_lock) in the dquot_commit function (fs/quota/dquot.c:507)
> while another task already holds the i_data_sem lock (&ei->i_data_sem)
> in the ext4_map_blocks function (fs/ext4/inode.c:665). This creates a
> circular dependency where each lock is waiting for the other to be
> released, potentially leading to a deadlock. Additionally, a separate
> warning is raised in mm/page_alloc.c:5398 during the __alloc_pages
> function, which occurs while loading SELinux policies
> (security/selinux/ss/policydb.c:2531). This memory allocation warning
> suggests that the system is experiencing issues allocating memory in
> the context of SELinux operations, possibly exacerbated by the locking
> problem. The combination of improper lock ordering in Ext4's quota
> handling and concurrent memory allocation failures indicates flaws in
> the synchronization mechanisms and memory management within the
> kernel. These issues can lead to system instability, including
> deadlocks and memory allocation failures, ultimately causing kernel
> panics and crashes. Addressing these problems would require revising
> the lock acquisition order to eliminate circular dependencies and
> ensuring robust memory allocation handling during critical security
> operations.
>
> Thank you for your time and attention.
>
> Best regards,
>
> Wall
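As an added illustration that is not part of the report or of the kernel tree: a user-space model of the bail-out at the top of __alloc_pages() in 5.15 (an order at or above MAX_ORDER returns NULL and fires WARN_ON_ONCE unless __GFP_NOWARN is set), which is the check that the WARNING at mm/page_alloc.c:5398 in the trace above corresponds to, reached here through kcalloc() in hashtab_init() while reading a policy file. Constants are x86-64 defaults; the slot counts and the hashtab_alloc_bounded() pre-check are constructed for illustration and are not the upstream fix.

```c
/* Added example (not from the report or the kernel source): models why an
 * oversized kcalloc() from hashtab_init() ends in the __alloc_pages() WARNING
 * instead of a quiet -ENOMEM. Constants are x86-64 defaults (4 KiB pages,
 * MAX_ORDER 11); slot counts fed in by the test are constructed values. */
#include <stddef.h>

#define PAGE_SHIFT   12
#define MAX_ORDER    11          /* x86-64 default */
#define GFP_KERNEL   0xcc0u      /* 5.15 value, only to make calls readable */
#define __GFP_NOWARN 0x200u
/* Largest kmalloc() the SLUB path can satisfy: one block of order MAX_ORDER-1. */
#define KMALLOC_MAX_SIZE (1UL << (MAX_ORDER + PAGE_SHIFT - 1))

enum alloc_result { ALLOC_OK, ALLOC_FAIL_WARN, ALLOC_FAIL_QUIET, ALLOC_REJECTED };

/* Same arithmetic as the kernel's get_order(): pages needed, then log2 rounded up. */
static unsigned int get_order(size_t size)
{
    unsigned int order = 0;
    size = (size - 1) >> PAGE_SHIFT;
    while (size) { size >>= 1; order++; }
    return order;
}

/* The early exit in __alloc_pages(): order >= MAX_ORDER is refused, and
 * WARN_ON_ONCE fires unless the caller passed __GFP_NOWARN. */
static enum alloc_result alloc_pages_check(unsigned int gfp, unsigned int order)
{
    if (order >= MAX_ORDER)
        return (gfp & __GFP_NOWARN) ? ALLOC_FAIL_QUIET : ALLOC_FAIL_WARN;
    return ALLOC_OK;
}

/* What kcalloc(nslot, sizeof(void *), gfp) in hashtab_init() turns into. */
static enum alloc_result hashtab_alloc_check(unsigned int nslot, unsigned int gfp)
{
    if (nslot == 0)
        return ALLOC_OK;         /* hashtab_init() skips the allocation entirely */
    return alloc_pages_check(gfp, get_order((size_t)nslot * sizeof(void *)));
}

/* Hypothetical hardening (not the upstream fix): reject a slot count read from
 * the policy file that no kmalloc() could satisfy before it reaches the page
 * allocator, so a malformed policy yields a clean error rather than a WARNING. */
static enum alloc_result hashtab_alloc_bounded(unsigned int nslot, unsigned int gfp)
{
    if ((size_t)nslot > KMALLOC_MAX_SIZE / sizeof(void *))
        return ALLOC_REJECTED;
    return hashtab_alloc_check(nslot, gfp);
}
```

With the defaults above, 1024 slots is an 8 KiB (order 1) request that succeeds, while 2^28 slots is a 2 GiB (order 19) request that trips the warning unless __GFP_NOWARN is set.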