CVE-2024-50280 Information

Description

In the Linux kernel the following vulnerability has been resolved:

dm cache: fix flushing uninitialized delayed_work on cache_ctr error

An unexpected WARN_ON from flush_work() may occur when cache creation fails caused by destroying the uninitialized delayed_work waker in the error path of cache_create(). For example the warning appears on the superblock checksum error.

Reproduce steps:

dmsetup create cmeta –table �8192 linear /dev/sdc 0\ndmsetup create cdata –table 5536 linear /dev/sdc 8192\ndmsetup create corig –table *4288 linear /dev/sdc 262144\ndd if=/dev/urandom of=/dev/mapper/cmeta bs=4k count=1 oflag=direct dmsetup create cache –table *4288 cache /dev/mapper/cmeta
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\n Kernel logs:

(snip) WARNING: CPU: 0 PID: 84 at kernel/workqueue.c:4178 __flush_work+0x5d4/0x890

Fix by pulling out the cancel_delayed_work_sync() from the constructor’s error path. This patch doesn’t affect the use-after-free fix for concurrent dm_resume and dm_destroy (commit 6a459d8edbdb (\dm cache: Fix UAF in destroy())) as cache_dtr is not changed.

Reference

https://git.kernel.org/stable/c/5a754d3c771280f2d06bf8ab716d6a0d36ca256e https://git.kernel.org/stable/c/8cc12dab635333c4ea28e72d7b947be7d0543c2c https://git.kernel.org/stable/c/aee3ecda73ce13af7c3e556383342b57e6bd0718 https://git.kernel.org/stable/c/135496c208ba26fd68cdef10b64ed7a91ac9a7ff