CVE-2024-57941 (GCVE-0-2024-57941)
Vulnerability from cvelistv5
Published
2025-01-21 12:18
Modified
2025-05-04 10:07
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: netfs: Fix the (non-)cancellation of copy when cache is temporarily disabled When the caching for a cookie is temporarily disabled (e.g. due to a DIO write on that file), future copying to the cache for that file is disabled until all fds open on that file are closed. However, if netfslib is using the deprecated PG_private_2 method (such as is currently used by ceph), and decides it wants to copy to the cache, netfs_advance_write() will just bail at the first check seeing that the cache stream is unavailable, and indicate that it dealt with all the content. This means that we have no subrequests to provide notifications to drive the state machine or even to pin the request and the request just gets discarded, leaving the folios with PG_private_2 set. Fix this by jumping directly to cancel the request if the cache is not available. That way, we don't remove mark3 from the folio_queue list and netfs_pgpriv2_cancel() will clean up the folios. This was found by running the generic/013 xfstest against ceph with an active cache and the "-o fsc" option passed to ceph. That would usually hang
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ba37bdfe59fb43e80dd79290340a21864ba4b61e
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d0327c824338cdccad058723a31d038ecd553409
Impacted products
Vendor Product Version
Linux Linux Version: ee4cdf7ba857a894ad1650d6ab77669cbbfa329e
Version: ee4cdf7ba857a894ad1650d6ab77669cbbfa329e
 Create a notification for this product.
   Linux Linux Version: 6.12
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/netfs/read_pgpriv2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ba37bdfe59fb43e80dd79290340a21864ba4b61e",
              "status": "affected",
              "version": "ee4cdf7ba857a894ad1650d6ab77669cbbfa329e",
              "versionType": "git"
            },
            {
              "lessThan": "d0327c824338cdccad058723a31d038ecd553409",
              "status": "affected",
              "version": "ee4cdf7ba857a894ad1650d6ab77669cbbfa329e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/netfs/read_pgpriv2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix the (non-)cancellation of copy when cache is temporarily disabled\n\nWhen the caching for a cookie is temporarily disabled (e.g. due to a DIO\nwrite on that file), future copying to the cache for that file is disabled\nuntil all fds open on that file are closed.  However, if netfslib is using\nthe deprecated PG_private_2 method (such as is currently used by ceph), and\ndecides it wants to copy to the cache, netfs_advance_write() will just bail\nat the first check seeing that the cache stream is unavailable, and\nindicate that it dealt with all the content.\n\nThis means that we have no subrequests to provide notifications to drive\nthe state machine or even to pin the request and the request just gets\ndiscarded, leaving the folios with PG_private_2 set.\n\nFix this by jumping directly to cancel the request if the cache is not\navailable.  That way, we don\u0027t remove mark3 from the folio_queue list and\nnetfs_pgpriv2_cancel() will clean up the folios.\n\nThis was found by running the generic/013 xfstest against ceph with an\nactive cache and the \"-o fsc\" option passed to ceph.  That would usually\nhang"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:07:08.541Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ba37bdfe59fb43e80dd79290340a21864ba4b61e"
        },
        {
          "url": "https://git.kernel.org/stable/c/d0327c824338cdccad058723a31d038ecd553409"
        }
      ],
      "title": "netfs: Fix the (non-)cancellation of copy when cache is temporarily disabled",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57941",
    "datePublished": "2025-01-21T12:18:09.834Z",
    "dateReserved": "2025-01-19T11:50:08.378Z",
    "dateUpdated": "2025-05-04T10:07:08.541Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-57941\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-01-21T13:15:08.640\",\"lastModified\":\"2025-01-21T13:15:08.640\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnetfs: Fix the (non-)cancellation of copy when cache is temporarily disabled\\n\\nWhen the caching for a cookie is temporarily disabled (e.g. due to a DIO\\nwrite on that file), future copying to the cache for that file is disabled\\nuntil all fds open on that file are closed.  However, if netfslib is using\\nthe deprecated PG_private_2 method (such as is currently used by ceph), and\\ndecides it wants to copy to the cache, netfs_advance_write() will just bail\\nat the first check seeing that the cache stream is unavailable, and\\nindicate that it dealt with all the content.\\n\\nThis means that we have no subrequests to provide notifications to drive\\nthe state machine or even to pin the request and the request just gets\\ndiscarded, leaving the folios with PG_private_2 set.\\n\\nFix this by jumping directly to cancel the request if the cache is not\\navailable.  That way, we don\u0027t remove mark3 from the folio_queue list and\\nnetfs_pgpriv2_cancel() will clean up the folios.\\n\\nThis was found by running the generic/013 xfstest against ceph with an\\nactive cache and the \\\"-o fsc\\\" option passed to ceph.  That would usually\\nhang\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/ba37bdfe59fb43e80dd79290340a21864ba4b61e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d0327c824338cdccad058723a31d038ecd553409\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.