Linux kernel built with Ext4 file system (CONFIG_EXT4_FS) support is vulnerable to a race condition flaw. It could occur while performing asynchronous & Direct I/O operations and an fcntl(F_SETFL) call concurrently. An unprivileged user/process could use this flaw to crash the system kernel, resulting in DoS.

Upstream fix:
-------------
-> https://git.kernel.org/linus/a41537e69b4aa43f0fea02498c2595a81267383b

Reference:
----------
-> http://www.openwall.com/lists/oss-security/2014/10/09/25
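As an added illustration (an editor's model, not the kernel's code and not the upstream patch), the bug class the description points at: a write path that reads the file's O_DIRECT flag at two separate decision points while fcntl(F_SETFL) changes it in between, beside the variant that snapshots the flag once. All names, the flag bit value and the hook that stands in for the concurrent fcntl are constructed for this example, and the kernel's BUG_ON condition is modelled as an error return so the program does not abort.

```c
/* Editor's added model of the bug class in this report; not kernel code.
 * A write path consults the file's O_DIRECT flag at two separate points, and
 * fcntl(F_SETFL) can change the flag in between, so the setup done for the
 * first decision no longer matches the path taken by the second. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

#define O_DIRECT_FLAG 0x4000u   /* constructed bit value, not the real O_DIRECT */
typedef struct { _Atomic unsigned flags; } file_t;   /* models file->f_flags */
typedef int (*write_fn)(file_t *, void (*)(file_t *));

/* Models fcntl(fd, F_SETFL, newflags) issued from another thread. */
static void fcntl_setfl(file_t *f, unsigned newflags) {
    atomic_store(&f->flags, newflags);
}

/* Models the generic layer: takes the direct path whenever the flag is set,
 * and requires that the filesystem prepared its DIO state beforehand. The
 * kernel enforces that with BUG_ON(); here it is an error return instead. */
static int generic_write(bool o_direct_now, bool dio_prepared) {
    return (o_direct_now && !dio_prepared) ? -1 : 0;
}

/* Vulnerable pattern: the flag is re-read at each decision point. 'race' is
 * a hook standing in for the fcntl that lands between the two reads. */
int write_rereads_flags(file_t *f, void (*race)(file_t *)) {
    bool dio_prepared = atomic_load(&f->flags) & O_DIRECT_FLAG;  /* read #1 */
    if (race) race(f);
    bool o_direct_now = atomic_load(&f->flags) & O_DIRECT_FLAG;  /* read #2 */
    return generic_write(o_direct_now, dio_prepared);
}

/* Hardened pattern: snapshot the flag once and use that copy throughout, so
 * a concurrent fcntl cannot make the two decisions disagree. */
int write_snapshots_flags(file_t *f, void (*race)(file_t *)) {
    bool o_direct = atomic_load(&f->flags) & O_DIRECT_FLAG;      /* single read */
    if (race) race(f);
    return generic_write(o_direct, /* dio_prepared = */ o_direct);
}

/* Constructed interleaving: buffered write in flight, fcntl adds O_DIRECT. */
static void set_direct_midway(file_t *f) { fcntl_setfl(f, O_DIRECT_FLAG); }

/* Runs one write pattern on a file opened without O_DIRECT, optionally with
 * the concurrent fcntl. Returns 0 if consistent, -1 on the BUG_ON condition. */
int run_scenario(write_fn fn, bool concurrent_fcntl) {
    file_t f;
    atomic_init(&f.flags, 0u);
    return fn(&f, concurrent_fcntl ? set_direct_midway : NULL);
}
```

Without the interleaving both patterns agree; with it, only the re-reading pattern reaches the inconsistent state that the kernel turns into the BUG seen in the trace below.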
Statement: This issue does not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6. This issue affects the version of the kernel package as shipped with Red Hat Enterprise Linux 7 and Red Hat Enterprise MRG 2. Future kernel updates for Red Hat Enterprise Linux 7 and Red Hat Enterprise MRG 2 may address this issue.
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1152608]
kernel-3.17.1-302.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
kernel-3.16.6-202.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
I'm guessing that the problem was introduced with 7ed07ba8c3e6160e0af3adc0f59561de154c4c2e (just by perusal, I haven't run any reproducers). If this is true though, we don't need the fix before that point.
Okay, my guess must be wrong, because when Jiri Kastner ran the reproducer on the mrg-kernel, he got a traceback:

------------[ cut here ]------------
kernel BUG at fs/ext4/inode.c:3129!
invalid opcode: 0000 [#1] PREEMPT SMP
Modules linked in: autofs4 ipv6 iTCO_wdt iTCO_vendor_support coretemp hwmon crc32c_intel ghash_clmulni_intel microcode serio_raw pcspkr ipmi_devintf ipmi_si ipmi_msghandler i2c_i801 lpc_ich cdc_ether usbnet mii sg shpchp cxgb4 ioatdma dca i7core_edac edac_core bnx2 ext4 jbd2 mbcache sd_mod crc_t10dif aesni_intel ablk_helper cryptd lrw aes_x86_64 xts gf128mul pata_acpi ata_generic ata_piix megaraid_sas mgag200 ttm drm_kms_helper drm i2c_algo_bit sysimgblt sysfillrect i2c_core syscopyarea dm_mirror dm_region_hash dm_log dm_mod [last unloaded: mperf]
CPU: 2 PID: 9863 Comm: aio-dio-fcntl-r Not tainted 3.10.58-rt62.54.el6rt.x86_64 #1
Hardware name: IBM System x3550 M3 -[7944J2G]-/90Y4786, BIOS -[D6E158AUS-1.16]- 11/26/2012
task: ffff88045a75b020 ti: ffff88045a008000 task.ti: ffff88045a008000
RIP: 0010:[<ffffffffa018a2c5>]  [<ffffffffa018a2c5>] ext4_direct_IO+0x3b5/0x420 [ext4]
RSP: 0018:ffff88045a009bf8  EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff880442188af0 RCX: ffff88045770b9f8
RDX: 0000000000000001 RSI: ffff88045770b980 RDI: ffff880442188af0
RBP: ffff88045a009c78 R08: 0000000000000001 R09: 0000000000000000
R10: ffff88047fbf6ee0 R11: 0000000000000000 R12: ffff88045770b980
R13: 0000000000000200 R14: ffff880442188af0 R15: 0000000000000001
FS:  00007fdeda739700(0000) GS:ffff88046f240000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000003e13f51500 CR3: 000000045a27d000 CR4: 00000000000007e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Stack:
 ffff88045a009c08 ffffffff8112d3f3 ffff88045a009c48 0000000000000001
 7ffffffffffffffe ffff880442188c68 0000000000000200 0000000000000001
 ffff88045770b9e8 0000000000000200 ffff88045a009c78 0000000000000200
Call Trace:
 [<ffffffff8112d3f3>] ? do_writepages+0x23/0x40
 [<ffffffff81121208>] generic_file_direct_write+0xc8/0x190
 [<ffffffff81122e40>] __generic_file_aio_write+0x2d0/0x3b0
 [<ffffffff81122f85>] generic_file_aio_write+0x65/0xd0
 [<ffffffffa017e230>] ext4_file_write+0x60/0x420 [ext4]
 [<ffffffff81187d06>] ? __sb_start_write+0x76/0x120
 [<ffffffff812280e3>] ? security_file_permission+0x23/0x90
 [<ffffffffa017e1d0>] ? ext4_release_file+0xe0/0xe0 [ext4]
 [<ffffffff811d2f82>] do_io_submit+0x462/0x760
 [<ffffffff810d2a36>] ? __audit_syscall_exit+0x236/0x2e0
 [<ffffffff811d3290>] SyS_io_submit+0x10/0x20
 [<ffffffff815844d9>] system_call_fastpath+0x16/0x1b
Code: 44 e0 ff ff 01 48 8b 90 38 e0 ff ff 80 e2 08 75 10 48 8b 80 38 e0 ff ff f6 c4 02 0f 84 34 fd ff ff e8 e0 fa 3e e1 e9 2a fd ff ff <0f> 0b eb fe 41 bc f4 ff ff ff 49 c7 c5 f4 ff ff ff e9 86 fe ff
RIP  [<ffffffffa018a2c5>] ext4_direct_IO+0x3b5/0x420 [ext4]
 RSP <ffff88045a009bf8>
---[ end trace 0000000000000002 ]---
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0290 https://rhn.redhat.com/errata/RHSA-2015-0290.html
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2015:0694 https://rhn.redhat.com/errata/RHSA-2015-0694.html