CVE-2024-26756

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26756
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26756.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-26756
Downstream
Related
Published
2024-04-03T17:15:52Z
Modified
2025-08-09T20:01:25Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

md: Don't register sync_thread for reshape directly

Currently, if reshape is interrupted, then reassemble the array will register syncthread directly from pers->run(), in this case 'MDRECOVERYRUNNING' is set directly, however, there is no guarantee that mddosync() will be executed, hence stopsyncthread() will hang because 'MDRECOVERY_RUNNING' can't be cleared.

Last patch make sure that mddosync() will set MDRECOVERYDONE, however, following hang can still be triggered by dm-raid test shell/lvconvert-raid-reshape.sh occasionally:

[root@fedora ~]# cat /proc/1982/stack [<0>] stopsyncthread+0x1ab/0x270 [mdmod] [<0>] mdfrozensyncthread+0x5c/0xa0 [mdmod] [<0>] raidpresuspend+0x1e/0x70 [dmraid] [<0>] dmtablepresuspendtargets+0x40/0xb0 [dmmod] [<0>] _dmdestroy+0x2a5/0x310 [dmmod] [<0>] dmdestroy+0x16/0x30 [dmmod] [<0>] devremove+0x165/0x290 [dmmod] [<0>] ctlioctl+0x4bb/0x7b0 [dmmod] [<0>] dmctlioctl+0x11/0x20 [dmmod] [<0>] vfsioctl+0x21/0x60 [<0>] _x64sysioctl+0xb9/0xe0 [<0>] dosyscall64+0xc6/0x230 [<0>] entrySYSCALL64after_hwframe+0x6c/0x74

Meanwhile mddev->recovery is: MDRECOVERYRUNNING | MDRECOVERYINTR | MDRECOVERYRESHAPE | MDRECOVERYFROZEN

Fix this problem by remove the code to register syncthread directly from raid10 and raid5. And let mdcheckrecovery() to register syncthread.

References

Affected packages