ghsa-gcr7-hvf6-ph59
Vulnerability from github
Published
2025-04-14 21:32
Modified
2025-04-14 21:32
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

ceph: fix possible deadlock when holding Fwb to get inline_data

1, mount with wsync. 2, create a file with O_RDWR, and the request was sent to mds.0:

ceph_atomic_open()--> ceph_mdsc_do_request(openc) finish_open(file, dentry, ceph_open)--> ceph_open()--> ceph_init_file()--> ceph_init_file_info()--> ceph_uninline_data()--> { ... if (inline_version == 1 || / initial version, no data / inline_version == CEPH_INLINE_NONE) goto out_unlock; ... }

The inline_version will be 1, which is the initial version for the new create file. And here the ci->i_inline_version will keep with 1, it's buggy.

3, buffer write to the file immediately:

ceph_write_iter()--> ceph_get_caps(file, need=Fw, want=Fb, ...); generic_perform_write()--> a_ops->write_begin()--> ceph_write_begin()--> netfs_write_begin()--> netfs_begin_read()--> netfs_rreq_submit_slice()--> netfs_read_from_server()--> rreq->netfs_ops->issue_read()--> ceph_netfs_issue_read()--> { ... if (ci->i_inline_version != CEPH_INLINE_NONE && ceph_netfs_issue_op_inline(subreq)) return; ... } ceph_put_cap_refs(ci, Fwb);

The ceph_netfs_issue_op_inline() will send a getattr(Fsr) request to mds.1.

4, then the mds.1 will request the rd lock for CInode::filelock from the auth mds.0, the mds.0 will do the CInode::filelock state transation from excl --> sync, but it need to revoke the Fxwb caps back from the clients.

While the kernel client has aleady held the Fwb caps and waiting for the getattr(Fsr).

It's deadlock!

URL: https://tracker.ceph.com/issues/55377

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-49296"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:06Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix possible deadlock when holding Fwb to get inline_data\n\n1, mount with wsync.\n2, create a file with O_RDWR, and the request was sent to mds.0:\n\n   ceph_atomic_open()--\u003e\n     ceph_mdsc_do_request(openc)\n     finish_open(file, dentry, ceph_open)--\u003e\n       ceph_open()--\u003e\n         ceph_init_file()--\u003e\n           ceph_init_file_info()--\u003e\n             ceph_uninline_data()--\u003e\n             {\n               ...\n               if (inline_version == 1 || /* initial version, no data */\n                   inline_version == CEPH_INLINE_NONE)\n                     goto out_unlock;\n               ...\n             }\n\nThe inline_version will be 1, which is the initial version for the\nnew create file. And here the ci-\u003ei_inline_version will keep with 1,\nit\u0027s buggy.\n\n3, buffer write to the file immediately:\n\n   ceph_write_iter()--\u003e\n     ceph_get_caps(file, need=Fw, want=Fb, ...);\n     generic_perform_write()--\u003e\n       a_ops-\u003ewrite_begin()--\u003e\n         ceph_write_begin()--\u003e\n           netfs_write_begin()--\u003e\n             netfs_begin_read()--\u003e\n               netfs_rreq_submit_slice()--\u003e\n                 netfs_read_from_server()--\u003e\n                   rreq-\u003enetfs_ops-\u003eissue_read()--\u003e\n                     ceph_netfs_issue_read()--\u003e\n                     {\n                       ...\n                       if (ci-\u003ei_inline_version != CEPH_INLINE_NONE \u0026\u0026\n                           ceph_netfs_issue_op_inline(subreq))\n                         return;\n                       ...\n                     }\n     ceph_put_cap_refs(ci, Fwb);\n\nThe ceph_netfs_issue_op_inline() will send a getattr(Fsr) request to\nmds.1.\n\n4, then the mds.1 will request the rd lock for CInode::filelock from\nthe auth mds.0, the mds.0 will do the CInode::filelock state transation\nfrom excl --\u003e sync, but it need to revoke the Fxwb caps back from the\nclients.\n\nWhile the kernel client has aleady held the Fwb caps and waiting for\nthe getattr(Fsr).\n\nIt\u0027s deadlock!\n\nURL: https://tracker.ceph.com/issues/55377",
  "id": "GHSA-gcr7-hvf6-ph59",
  "modified": "2025-04-14T21:32:20Z",
  "published": "2025-04-14T21:32:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49296"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/292b7a7275ce535a1abfa4dd0b2e586162aaae1e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/825978fd6a0defc3c29d8a38b6cea76a0938d21e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.