CVE-2024-57941 (GCVE-0-2024-57941)
Vulnerability from cvelistv5
Published
2025-01-21 12:18
Modified
2025-05-04 10:07
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: netfs: Fix the (non-)cancellation of copy when cache is temporarily disabled When the caching for a cookie is temporarily disabled (e.g. due to a DIO write on that file), future copying to the cache for that file is disabled until all fds open on that file are closed. However, if netfslib is using the deprecated PG_private_2 method (such as is currently used by ceph), and decides it wants to copy to the cache, netfs_advance_write() will just bail at the first check seeing that the cache stream is unavailable, and indicate that it dealt with all the content. This means that we have no subrequests to provide notifications to drive the state machine or even to pin the request and the request just gets discarded, leaving the folios with PG_private_2 set. Fix this by jumping directly to cancel the request if the cache is not available. That way, we don't remove mark3 from the folio_queue list and netfs_pgpriv2_cancel() will clean up the folios. This was found by running the generic/013 xfstest against ceph with an active cache and the "-o fsc" option passed to ceph. That would usually hang
References
Impacted products
Vendor Product Version
Linux Linux Version: ee4cdf7ba857a894ad1650d6ab77669cbbfa329e
Version: ee4cdf7ba857a894ad1650d6ab77669cbbfa329e
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/netfs/read_pgpriv2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ba37bdfe59fb43e80dd79290340a21864ba4b61e",
              "status": "affected",
              "version": "ee4cdf7ba857a894ad1650d6ab77669cbbfa329e",
              "versionType": "git"
            },
            {
              "lessThan": "d0327c824338cdccad058723a31d038ecd553409",
              "status": "affected",
              "version": "ee4cdf7ba857a894ad1650d6ab77669cbbfa329e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/netfs/read_pgpriv2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix the (non-)cancellation of copy when cache is temporarily disabled\n\nWhen the caching for a cookie is temporarily disabled (e.g. due to a DIO\nwrite on that file), future copying to the cache for that file is disabled\nuntil all fds open on that file are closed.  However, if netfslib is using\nthe deprecated PG_private_2 method (such as is currently used by ceph), and\ndecides it wants to copy to the cache, netfs_advance_write() will just bail\nat the first check seeing that the cache stream is unavailable, and\nindicate that it dealt with all the content.\n\nThis means that we have no subrequests to provide notifications to drive\nthe state machine or even to pin the request and the request just gets\ndiscarded, leaving the folios with PG_private_2 set.\n\nFix this by jumping directly to cancel the request if the cache is not\navailable.  That way, we don\u0027t remove mark3 from the folio_queue list and\nnetfs_pgpriv2_cancel() will clean up the folios.\n\nThis was found by running the generic/013 xfstest against ceph with an\nactive cache and the \"-o fsc\" option passed to ceph.  That would usually\nhang"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:07:08.541Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ba37bdfe59fb43e80dd79290340a21864ba4b61e"
        },
        {
          "url": "https://git.kernel.org/stable/c/d0327c824338cdccad058723a31d038ecd553409"
        }
      ],
      "title": "netfs: Fix the (non-)cancellation of copy when cache is temporarily disabled",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57941",
    "datePublished": "2025-01-21T12:18:09.834Z",
    "dateReserved": "2025-01-19T11:50:08.378Z",
    "dateUpdated": "2025-05-04T10:07:08.541Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-57941\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-01-21T13:15:08.640\",\"lastModified\":\"2025-01-21T13:15:08.640\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfs: Fix the (non-)cancellation of copy when cache is temporarily disabled\\n\\nWhen the caching for a cookie is temporarily disabled (e.g. due to a DIO\\nwrite on that file), future copying to the cache for that file is disabled\\nuntil all fds open on that file are closed.  However, if netfslib is using\\nthe deprecated PG_private_2 method (such as is currently used by ceph), and\\ndecides it wants to copy to the cache, netfs_advance_write() will just bail\\nat the first check seeing that the cache stream is unavailable, and\\nindicate that it dealt with all the content.\\n\\nThis means that we have no subrequests to provide notifications to drive\\nthe state machine or even to pin the request and the request just gets\\ndiscarded, leaving the folios with PG_private_2 set.\\n\\nFix this by jumping directly to cancel the request if the cache is not\\navailable.  That way, we don\u0027t remove mark3 from the folio_queue list and\\nnetfs_pgpriv2_cancel() will clean up the folios.\\n\\nThis was found by running the generic/013 xfstest against ceph with an\\nactive cache and the \\\"-o fsc\\\" option passed to ceph.  That would usually\\nhang\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfs: Arreglar la (no) cancelaci\u00f3n de copia cuando el cach\u00e9 est\u00e1 deshabilitado temporalmente Cuando el almacenamiento en cach\u00e9 de una cookie est\u00e1 deshabilitado temporalmente (por ejemplo, debido a una escritura DIO en ese archivo), la copia futura al cach\u00e9 para ese archivo se deshabilita hasta que todos los fds abiertos en ese archivo se cierren. Sin embargo, si netfslib est\u00e1 usando el m\u00e9todo PG_private_2 obsoleto (como el que usa actualmente ceph) y decide que quiere copiar al cach\u00e9, netfs_advance_write() simplemente abandonar\u00e1 en la primera verificaci\u00f3n al ver que el flujo de cach\u00e9 no est\u00e1 disponible e indicar\u00e1 que se ocup\u00f3 de todo el contenido. Esto significa que no tenemos subsolicitudes para proporcionar notificaciones para controlar la m\u00e1quina de estado o incluso para fijar la solicitud y la solicitud simplemente se descarta, dejando los folios con PG_private_2 establecido. Arregle esto saltando directamente para cancelar la solicitud si el cach\u00e9 no est\u00e1 disponible. De esa manera, no eliminamos mark3 de la lista folio_queue y netfs_pgpriv2_cancel() limpiar\u00e1 los folios. Esto se descubri\u00f3 al ejecutar el xfstest gen\u00e9rico/013 contra ceph con un cach\u00e9 activo y la opci\u00f3n \\\"-o fsc\\\" pasada a ceph. Eso generalmente se bloqueaba\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/ba37bdfe59fb43e80dd79290340a21864ba4b61e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d0327c824338cdccad058723a31d038ecd553409\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.