ghsa-f7wq-xf7h-wrxp
Vulnerability from github
Published
2025-12-30 15:30
Modified
2025-12-30 15:30
Details

In the Linux kernel, the following vulnerability has been resolved:

quota: fix warning in dqgrab()

There's issue as follows when do fault injection: WARNING: CPU: 1 PID: 14870 at include/linux/quotaops.h:51 dquot_disable+0x13b7/0x18c0 Modules linked in: CPU: 1 PID: 14870 Comm: fsconfig Not tainted 6.3.0-next-20230505-00006-g5107a9c821af-dirty #541 RIP: 0010:dquot_disable+0x13b7/0x18c0 RSP: 0018:ffffc9000acc79e0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88825e41b980 RDX: 0000000000000000 RSI: ffff88825e41b980 RDI: 0000000000000002 RBP: ffff888179f68000 R08: ffffffff82087ca7 R09: 0000000000000000 R10: 0000000000000001 R11: ffffed102f3ed026 R12: ffff888179f68130 R13: ffff888179f68110 R14: dffffc0000000000 R15: ffff888179f68118 FS: 00007f450a073740(0000) GS:ffff88882fc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffe96f2efd8 CR3: 000000025c8ad000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: dquot_load_quota_sb+0xd53/0x1060 dquot_resume+0x172/0x230 ext4_reconfigure+0x1dc6/0x27b0 reconfigure_super+0x515/0xa90 __x64_sys_fsconfig+0xb19/0xd20 do_syscall_64+0x39/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Above issue may happens as follows: ProcessA ProcessB ProcessC sys_fsconfig vfs_fsconfig_locked reconfigure_super ext4_remount dquot_suspend -> suspend all type quota

             sys_fsconfig
              vfs_fsconfig_locked
                reconfigure_super
                 ext4_remount
                  dquot_resume
                   ret = dquot_load_quota_sb
                    add_dquot_ref
                                       do_open  -> open file O_RDWR
                                        vfs_open
                                         do_dentry_open
                                          get_write_access
                                           atomic_inc_unless_negative(&inode->i_writecount)
                                          ext4_file_open
                                           dquot_file_open
                                            dquot_initialize
                                              __dquot_initialize
                                               dqget
                        atomic_inc(&dquot->dq_count);

                      __dquot_initialize
                       __dquot_initialize
                        dqget
                         if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags))
                           ext4_acquire_dquot
                -> Return error DQ_ACTIVE_B flag isn't set
                     dquot_disable
          invalidate_dquots
           if (atomic_read(&dquot->dq_count))
                    dqgrab
             WARN_ON_ONCE(!test_bit(DQ_ACTIVE_B, &dquot->dq_flags))
                      -> Trigger warning

In the above scenario, 'dquot->dq_flags' has no DQ_ACTIVE_B is normal when dqgrab(). To solve above issue just replace the dqgrab() use in invalidate_dquots() with atomic_inc(&dquot->dq_count).

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-54177"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-30T13:16:05Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nquota: fix warning in dqgrab()\n\nThere\u0027s issue as follows when do fault injection:\nWARNING: CPU: 1 PID: 14870 at include/linux/quotaops.h:51 dquot_disable+0x13b7/0x18c0\nModules linked in:\nCPU: 1 PID: 14870 Comm: fsconfig Not tainted 6.3.0-next-20230505-00006-g5107a9c821af-dirty #541\nRIP: 0010:dquot_disable+0x13b7/0x18c0\nRSP: 0018:ffffc9000acc79e0 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88825e41b980\nRDX: 0000000000000000 RSI: ffff88825e41b980 RDI: 0000000000000002\nRBP: ffff888179f68000 R08: ffffffff82087ca7 R09: 0000000000000000\nR10: 0000000000000001 R11: ffffed102f3ed026 R12: ffff888179f68130\nR13: ffff888179f68110 R14: dffffc0000000000 R15: ffff888179f68118\nFS:  00007f450a073740(0000) GS:ffff88882fc00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffe96f2efd8 CR3: 000000025c8ad000 CR4: 00000000000006e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n dquot_load_quota_sb+0xd53/0x1060\n dquot_resume+0x172/0x230\n ext4_reconfigure+0x1dc6/0x27b0\n reconfigure_super+0x515/0xa90\n __x64_sys_fsconfig+0xb19/0xd20\n do_syscall_64+0x39/0xb0\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nAbove issue may happens as follows:\nProcessA              ProcessB                    ProcessC\nsys_fsconfig\n  vfs_fsconfig_locked\n   reconfigure_super\n     ext4_remount\n      dquot_suspend -\u003e suspend all type quota\n\n                 sys_fsconfig\n                  vfs_fsconfig_locked\n                    reconfigure_super\n                     ext4_remount\n                      dquot_resume\n                       ret = dquot_load_quota_sb\n                        add_dquot_ref\n                                           do_open  -\u003e open file O_RDWR\n                                            vfs_open\n                                             do_dentry_open\n                                              get_write_access\n                                               atomic_inc_unless_negative(\u0026inode-\u003ei_writecount)\n                                              ext4_file_open\n                                               dquot_file_open\n                                                dquot_initialize\n                                                  __dquot_initialize\n                                                   dqget\n\t\t\t\t\t\t    atomic_inc(\u0026dquot-\u003edq_count);\n\n                          __dquot_initialize\n                           __dquot_initialize\n                            dqget\n                             if (!test_bit(DQ_ACTIVE_B, \u0026dquot-\u003edq_flags))\n                               ext4_acquire_dquot\n\t\t\t        -\u003e Return error DQ_ACTIVE_B flag isn\u0027t set\n                         dquot_disable\n\t\t\t  invalidate_dquots\n\t\t\t   if (atomic_read(\u0026dquot-\u003edq_count))\n\t                    dqgrab\n\t\t\t     WARN_ON_ONCE(!test_bit(DQ_ACTIVE_B, \u0026dquot-\u003edq_flags))\n\t                      -\u003e Trigger warning\n\nIn the above scenario, \u0027dquot-\u003edq_flags\u0027 has no DQ_ACTIVE_B is normal when\ndqgrab().\nTo solve above issue just replace the dqgrab() use in invalidate_dquots() with\natomic_inc(\u0026dquot-\u003edq_count).",
  "id": "GHSA-f7wq-xf7h-wrxp",
  "modified": "2025-12-30T15:30:30Z",
  "published": "2025-12-30T15:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54177"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3f378783c47b5749317ea008d8c931d6d3986d8f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/579d814de87c3cac69c9b261efa165d07cde3357"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6432843debe1ec7d76c5b2f76c67f9c5df22436e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6478eabc92274efae6269da7c515ba2b4c8e88d8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6f4e543d277a12dfeff027e6ab24a170e1bfc160"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/965bad2bf1afef64ec16249da676dc7310cca32e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cbaebbba722cb9738c55903efce11f51cdd97bee"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d6a95db3c7ad160bc16b89e36449705309b52bcb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.