fkie_cve-2024-27031
Vulnerability from fkie_nvd
Published
2024-05-01 13:15
Modified
2024-12-23 19:46
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: NFS: Fix nfs_netfs_issue_read() xarray locking for writeback interrupt The loop inside nfs_netfs_issue_read() currently does not disable interrupts while iterating through pages in the xarray to submit for NFS read. This is not safe though since after taking xa_lock, another page in the mapping could be processed for writeback inside an interrupt, and deadlock can occur. The fix is simple and clean if we use xa_for_each_range(), which handles the iteration with RCU while reducing code complexity. The problem is easily reproduced with the following test: mount -o vers=3,fsc 127.0.0.1:/export /mnt/nfs dd if=/dev/zero of=/mnt/nfs/file1.bin bs=4096 count=1 echo 3 > /proc/sys/vm/drop_caches dd if=/mnt/nfs/file1.bin of=/dev/null umount /mnt/nfs On the console with a lockdep-enabled kernel a message similar to the following will be seen: ================================ WARNING: inconsistent lock state 6.7.0-lockdbg+ #10 Not tainted -------------------------------- inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage. test5/1708 [HC0[0]:SC0[0]:HE1:SE1] takes: ffff888127baa598 (&xa->xa_lock#4){+.?.}-{3:3}, at: nfs_netfs_issue_read+0x1b2/0x4b0 [nfs] {IN-SOFTIRQ-W} state was registered at: lock_acquire+0x144/0x380 _raw_spin_lock_irqsave+0x4e/0xa0 __folio_end_writeback+0x17e/0x5c0 folio_end_writeback+0x93/0x1b0 iomap_finish_ioend+0xeb/0x6a0 blk_update_request+0x204/0x7f0 blk_mq_end_request+0x30/0x1c0 blk_complete_reqs+0x7e/0xa0 __do_softirq+0x113/0x544 __irq_exit_rcu+0xfe/0x120 irq_exit_rcu+0xe/0x20 sysvec_call_function_single+0x6f/0x90 asm_sysvec_call_function_single+0x1a/0x20 pv_native_safe_halt+0xf/0x20 default_idle+0x9/0x20 default_idle_call+0x67/0xa0 do_idle+0x2b5/0x300 cpu_startup_entry+0x34/0x40 start_secondary+0x19d/0x1c0 secondary_startup_64_no_verify+0x18f/0x19b irq event stamp: 176891 hardirqs last enabled at (176891): [<ffffffffa67a0be4>] _raw_spin_unlock_irqrestore+0x44/0x60 hardirqs last disabled at (176890): [<ffffffffa67a0899>] _raw_spin_lock_irqsave+0x79/0xa0 softirqs last enabled at (176646): [<ffffffffa515d91e>] __irq_exit_rcu+0xfe/0x120 softirqs last disabled at (176633): [<ffffffffa515d91e>] __irq_exit_rcu+0xfe/0x120 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&xa->xa_lock#4); <Interrupt> lock(&xa->xa_lock#4); *** DEADLOCK *** 2 locks held by test5/1708: #0: ffff888127baa498 (&sb->s_type->i_mutex_key#22){++++}-{4:4}, at: nfs_start_io_read+0x28/0x90 [nfs] #1: ffff888127baa650 (mapping.invalidate_lock#3){.+.+}-{4:4}, at: page_cache_ra_unbounded+0xa4/0x280 stack backtrace: CPU: 6 PID: 1708 Comm: test5 Kdump: loaded Not tainted 6.7.0-lockdbg+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014 Call Trace: dump_stack_lvl+0x5b/0x90 mark_lock+0xb3f/0xd20 __lock_acquire+0x77b/0x3360 _raw_spin_lock+0x34/0x80 nfs_netfs_issue_read+0x1b2/0x4b0 [nfs] netfs_begin_read+0x77f/0x980 [netfs] nfs_netfs_readahead+0x45/0x60 [nfs] nfs_readahead+0x323/0x5a0 [nfs] read_pages+0xf3/0x5c0 page_cache_ra_unbounded+0x1c8/0x280 filemap_get_pages+0x38c/0xae0 filemap_read+0x206/0x5e0 nfs_file_read+0xb7/0x140 [nfs] vfs_read+0x2a9/0x460 ksys_read+0xb7/0x140
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8a2e5977cecd3cde6a0e3e86b7b914d00240e5dcPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8df1678c021ffeb20ef8a203bd9413f3ed9b0e9aPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ad27382f8495f8ef6d2c66c413d756bfd13c0598Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/fd5860ab6341506004219b080aea40213b299d2ePatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/8a2e5977cecd3cde6a0e3e86b7b914d00240e5dcPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/8df1678c021ffeb20ef8a203bd9413f3ed9b0e9aPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/ad27382f8495f8ef6d2c66c413d756bfd13c0598Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/fd5860ab6341506004219b080aea40213b299d2ePatch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *


To clipboard 

{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "81341948-503D-47E5-9E88-7F2922865141",
                     versionEndExcluding: "6.6.23",
                     versionStartIncluding: "6.4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "9B95D3A6-E162-47D5-ABFC-F3FA74FA7CFD",
                     versionEndExcluding: "6.7.11",
                     versionStartIncluding: "6.7",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "543A75FF-25B8-4046-A514-1EA8EDD87AB1",
                     versionEndExcluding: "6.8.2",
                     versionStartIncluding: "6.8",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix nfs_netfs_issue_read() xarray locking for writeback interrupt\n\nThe loop inside nfs_netfs_issue_read() currently does not disable\ninterrupts while iterating through pages in the xarray to submit\nfor NFS read.  This is not safe though since after taking xa_lock,\nanother page in the mapping could be processed for writeback inside\nan interrupt, and deadlock can occur.  The fix is simple and clean\nif we use xa_for_each_range(), which handles the iteration with RCU\nwhile reducing code complexity.\n\nThe problem is easily reproduced with the following test:\n mount -o vers=3,fsc 127.0.0.1:/export /mnt/nfs\n dd if=/dev/zero of=/mnt/nfs/file1.bin bs=4096 count=1\n echo 3 > /proc/sys/vm/drop_caches\n dd if=/mnt/nfs/file1.bin of=/dev/null\n umount /mnt/nfs\n\nOn the console with a lockdep-enabled kernel a message similar to\nthe following will be seen:\n\n ================================\n WARNING: inconsistent lock state\n 6.7.0-lockdbg+ #10 Not tainted\n --------------------------------\n inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.\n test5/1708 [HC0[0]:SC0[0]:HE1:SE1] takes:\n ffff888127baa598 (&xa->xa_lock#4){+.?.}-{3:3}, at:\nnfs_netfs_issue_read+0x1b2/0x4b0 [nfs]\n {IN-SOFTIRQ-W} state was registered at:\n   lock_acquire+0x144/0x380\n   _raw_spin_lock_irqsave+0x4e/0xa0\n   __folio_end_writeback+0x17e/0x5c0\n   folio_end_writeback+0x93/0x1b0\n   iomap_finish_ioend+0xeb/0x6a0\n   blk_update_request+0x204/0x7f0\n   blk_mq_end_request+0x30/0x1c0\n   blk_complete_reqs+0x7e/0xa0\n   __do_softirq+0x113/0x544\n   __irq_exit_rcu+0xfe/0x120\n   irq_exit_rcu+0xe/0x20\n   sysvec_call_function_single+0x6f/0x90\n   asm_sysvec_call_function_single+0x1a/0x20\n   pv_native_safe_halt+0xf/0x20\n   default_idle+0x9/0x20\n   default_idle_call+0x67/0xa0\n   do_idle+0x2b5/0x300\n   cpu_startup_entry+0x34/0x40\n   start_secondary+0x19d/0x1c0\n   secondary_startup_64_no_verify+0x18f/0x19b\n irq event stamp: 176891\n hardirqs last  enabled at (176891): [<ffffffffa67a0be4>]\n_raw_spin_unlock_irqrestore+0x44/0x60\n hardirqs last disabled at (176890): [<ffffffffa67a0899>]\n_raw_spin_lock_irqsave+0x79/0xa0\n softirqs last  enabled at (176646): [<ffffffffa515d91e>]\n__irq_exit_rcu+0xfe/0x120\n softirqs last disabled at (176633): [<ffffffffa515d91e>]\n__irq_exit_rcu+0xfe/0x120\n\n other info that might help us debug this:\n  Possible unsafe locking scenario:\n\n        CPU0\n        ----\n   lock(&xa->xa_lock#4);\n   <Interrupt>\n     lock(&xa->xa_lock#4);\n\n  *** DEADLOCK ***\n\n 2 locks held by test5/1708:\n  #0: ffff888127baa498 (&sb->s_type->i_mutex_key#22){++++}-{4:4}, at:\n      nfs_start_io_read+0x28/0x90 [nfs]\n  #1: ffff888127baa650 (mapping.invalidate_lock#3){.+.+}-{4:4}, at:\n      page_cache_ra_unbounded+0xa4/0x280\n\n stack backtrace:\n CPU: 6 PID: 1708 Comm: test5 Kdump: loaded Not tainted 6.7.0-lockdbg+\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39\n04/01/2014\n Call Trace:\n  dump_stack_lvl+0x5b/0x90\n  mark_lock+0xb3f/0xd20\n  __lock_acquire+0x77b/0x3360\n  _raw_spin_lock+0x34/0x80\n  nfs_netfs_issue_read+0x1b2/0x4b0 [nfs]\n  netfs_begin_read+0x77f/0x980 [netfs]\n  nfs_netfs_readahead+0x45/0x60 [nfs]\n  nfs_readahead+0x323/0x5a0 [nfs]\n  read_pages+0xf3/0x5c0\n  page_cache_ra_unbounded+0x1c8/0x280\n  filemap_get_pages+0x38c/0xae0\n  filemap_read+0x206/0x5e0\n  nfs_file_read+0xb7/0x140 [nfs]\n  vfs_read+0x2a9/0x460\n  ksys_read+0xb7/0x140",
      },
      {
         lang: "es",
         value: "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: NFS: corrige el bloqueo de matriz x de nfs_netfs_issue_read() para interrupción de escritura regresiva. El bucle dentro de nfs_netfs_issue_read() actualmente no deshabilita las interrupciones mientras se itera a través de páginas en la matriz x para enviarlas a lectura NFS. Sin embargo, esto no es seguro ya que después de tomar xa_lock, otra página en el mapeo podría procesarse para reescritura dentro de una interrupción, y puede ocurrir un punto muerto. La solución es simple y limpia si usamos xa_for_each_range(), que maneja la iteración con RCU mientras reduce la complejidad del código. El problema se reproduce fácilmente con la siguiente prueba: mount -o vers=3,fsc 127.0.0.1:/export /mnt/nfs dd if=/dev/zero of=/mnt/nfs/file1.bin bs=4096 count= 1 echo 3 &gt; /proc/sys/vm/drop_caches dd if=/mnt/nfs/file1.bin of=/dev/null umount /mnt/nfs En la consola con un kernel habilitado para lockdep aparecerá un mensaje similar al siguiente ser visto: ================================ ADVERTENCIA: estado de bloqueo inconsistente 6.7.0-lockdbg+ #10 No contaminado - ------------------------------- Uso inconsistente de {IN-SOFTIRQ-W} -&gt; {SOFTIRQ-ON-W}. test5/1708 [HC0[0]:SC0[0]:HE1:SE1] toma: ffff888127baa598 (&amp;xa-&gt;xa_lock#4){+.?.}-{3:3}, en: nfs_netfs_issue_read+0x1b2/0x4b0 [ nfs] El estado {IN-SOFTIRQ-W} se registró en: lock_acquire+0x144/0x380 _raw_spin_lock_irqsave+0x4e/0xa0 __folio_end_writeback+0x17e/0x5c0 folio_end_writeback+0x93/0x1b0 iomap_finish_ioend+0xeb/0x6a0 blk_update_request+ 0x204/0x7f0 blk_mq_end_request+0x30/0x1c0 blk_complete_reqs +0x7e/0xa0 __do_softirq+0x113/0x544 __irq_exit_rcu+0xfe/0x120 irq_exit_rcu+0xe/0x20 sysvec_call_function_single+0x6f/0x90 asm_sysvec_call_function_single+0x1a/0x20 +0xf/0x20 default_idle+0x9/0x20 default_idle_call+0x67/0xa0 do_idle+0x2b5/0x300 cpu_startup_entry +0x34/0x40 start_secondary+0x19d/0x1c0 second_startup_64_no_verify+0x18f/0x19b sello de evento irq: 176891 hardirqs habilitado por última vez en (176891): [] _raw_spin_unlock_irqrestore+0x44/0x60 hardirqs deshabilitado por última vez en ( 176890): [] _raw_spin_lock_irqsave+0x79/0xa0 softirqs habilitado por última vez en (176646): [] __irq_exit_rcu+0xfe/0x120 softirqs deshabilitado por última vez en (176633): [] __irq_exit_rcu+0xfe/0x120 Otra información que podría ayudarnos a depurar esto: Posible escenario de bloqueo inseguro: CPU0 ---- lock(&amp;xa-&gt;xa_lock#4);  bloqueo(&amp;xa-&gt;xa_lock#4); *** DEADLOCK *** 2 bloqueos mantenidos por test5/1708: #0: ffff888127baa498 (&amp;sb-&gt;s_type-&gt;i_mutex_key#22){++++}-{4:4}, en: nfs_start_io_read+0x28/0x90 [nfs] #1: ffff888127baa650 (mapping.invalidate_lock#3){.+.+}-{4:4}, en: page_cache_ra_unbounded+0xa4/0x280 seguimiento de pila: CPU: 6 PID: 1708 Comm: test5 Kdump: cargado No tainted 6.7.0-lockdbg+ Nombre del hardware: PC estándar QEMU (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 01/04/2014 Seguimiento de llamadas: dump_stack_lvl+0x5b/0x90 mark_lock+0xb3f/0xd20 __lock_acquire+0x77b/ 0x3360 _raw_spin_lock+0x34/0x80 nfs_netfs_issue_read+0x1b2/0x4b0 [nfs] netfs_begin_read+0x77f/0x980 [netfs] nfs_netfs_readahead+0x45/0x60 [nfs_readahead+0x323/0x5 a0 [nfs] read_pages+0xf3/0x5c0 page_cache_ra_unbounded+0x1c8/0x280 filemap_get_pages+ 0x38c/0xae0 filemap_read+0x206/0x5e0 nfs_file_read+0xb7/0x140 [nfs] vfs_read+0x2a9/0x460 ksys_read+0xb7/0x140",
      },
   ],
   id: "CVE-2024-27031",
   lastModified: "2024-12-23T19:46:47.357",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "HIGH",
               baseScore: 5.5,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 1.8,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2024-05-01T13:15:49.180",
   references: [
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         tags: [
            "Patch",
         ],
         url: "https://git.kernel.org/stable/c/8a2e5977cecd3cde6a0e3e86b7b914d00240e5dc",
      },
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         tags: [
            "Patch",
         ],
         url: "https://git.kernel.org/stable/c/8df1678c021ffeb20ef8a203bd9413f3ed9b0e9a",
      },
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         tags: [
            "Patch",
         ],
         url: "https://git.kernel.org/stable/c/ad27382f8495f8ef6d2c66c413d756bfd13c0598",
      },
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         tags: [
            "Patch",
         ],
         url: "https://git.kernel.org/stable/c/fd5860ab6341506004219b080aea40213b299d2e",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
         ],
         url: "https://git.kernel.org/stable/c/8a2e5977cecd3cde6a0e3e86b7b914d00240e5dc",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
         ],
         url: "https://git.kernel.org/stable/c/8df1678c021ffeb20ef8a203bd9413f3ed9b0e9a",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
         ],
         url: "https://git.kernel.org/stable/c/ad27382f8495f8ef6d2c66c413d756bfd13c0598",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
         ],
         url: "https://git.kernel.org/stable/c/fd5860ab6341506004219b080aea40213b299d2e",
      },
   ],
   sourceIdentifier: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
   vulnStatus: "Analyzed",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-667",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.