{ "id": "CVE-2024-27031", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-05-01T13:15:49.180", "lastModified": "2024-12-23T19:46:47.357", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix nfs_netfs_issue_read() xarray locking for writeback interrupt\n\nThe loop inside nfs_netfs_issue_read() currently does not disable\ninterrupts while iterating through pages in the xarray to submit\nfor NFS read. This is not safe though since after taking xa_lock,\nanother page in the mapping could be processed for writeback inside\nan interrupt, and deadlock can occur. The fix is simple and clean\nif we use xa_for_each_range(), which handles the iteration with RCU\nwhile reducing code complexity.\n\nThe problem is easily reproduced with the following test:\n mount -o vers=3,fsc 127.0.0.1:/export /mnt/nfs\n dd if=/dev/zero of=/mnt/nfs/file1.bin bs=4096 count=1\n echo 3 > /proc/sys/vm/drop_caches\n dd if=/mnt/nfs/file1.bin of=/dev/null\n umount /mnt/nfs\n\nOn the console with a lockdep-enabled kernel a message similar to\nthe following will be seen:\n\n ================================\n WARNING: inconsistent lock state\n 6.7.0-lockdbg+ #10 Not tainted\n --------------------------------\n inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.\n test5/1708 [HC0[0]:SC0[0]:HE1:SE1] takes:\n ffff888127baa598 (&xa->xa_lock#4){+.?.}-{3:3}, at:\nnfs_netfs_issue_read+0x1b2/0x4b0 [nfs]\n {IN-SOFTIRQ-W} state was registered at:\n lock_acquire+0x144/0x380\n _raw_spin_lock_irqsave+0x4e/0xa0\n __folio_end_writeback+0x17e/0x5c0\n folio_end_writeback+0x93/0x1b0\n iomap_finish_ioend+0xeb/0x6a0\n blk_update_request+0x204/0x7f0\n blk_mq_end_request+0x30/0x1c0\n blk_complete_reqs+0x7e/0xa0\n __do_softirq+0x113/0x544\n __irq_exit_rcu+0xfe/0x120\n irq_exit_rcu+0xe/0x20\n sysvec_call_function_single+0x6f/0x90\n asm_sysvec_call_function_single+0x1a/0x20\n pv_native_safe_halt+0xf/0x20\n default_idle+0x9/0x20\n default_idle_call+0x67/0xa0\n do_idle+0x2b5/0x300\n cpu_startup_entry+0x34/0x40\n start_secondary+0x19d/0x1c0\n secondary_startup_64_no_verify+0x18f/0x19b\n irq event stamp: 176891\n hardirqs last enabled at (176891): []\n_raw_spin_unlock_irqrestore+0x44/0x60\n hardirqs last disabled at (176890): []\n_raw_spin_lock_irqsave+0x79/0xa0\n softirqs last enabled at (176646): []\n__irq_exit_rcu+0xfe/0x120\n softirqs last disabled at (176633): []\n__irq_exit_rcu+0xfe/0x120\n\n other info that might help us debug this:\n Possible unsafe locking scenario:\n\n CPU0\n ----\n lock(&xa->xa_lock#4);\n \n lock(&xa->xa_lock#4);\n\n *** DEADLOCK ***\n\n 2 locks held by test5/1708:\n #0: ffff888127baa498 (&sb->s_type->i_mutex_key#22){++++}-{4:4}, at:\n nfs_start_io_read+0x28/0x90 [nfs]\n #1: ffff888127baa650 (mapping.invalidate_lock#3){.+.+}-{4:4}, at:\n page_cache_ra_unbounded+0xa4/0x280\n\n stack backtrace:\n CPU: 6 PID: 1708 Comm: test5 Kdump: loaded Not tainted 6.7.0-lockdbg+\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39\n04/01/2014\n Call Trace:\n dump_stack_lvl+0x5b/0x90\n mark_lock+0xb3f/0xd20\n __lock_acquire+0x77b/0x3360\n _raw_spin_lock+0x34/0x80\n nfs_netfs_issue_read+0x1b2/0x4b0 [nfs]\n netfs_begin_read+0x77f/0x980 [netfs]\n nfs_netfs_readahead+0x45/0x60 [nfs]\n nfs_readahead+0x323/0x5a0 [nfs]\n read_pages+0xf3/0x5c0\n page_cache_ra_unbounded+0x1c8/0x280\n filemap_get_pages+0x38c/0xae0\n filemap_read+0x206/0x5e0\n nfs_file_read+0xb7/0x140 [nfs]\n vfs_read+0x2a9/0x460\n ksys_read+0xb7/0x140" }, { "lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: NFS: corrige el bloqueo de matriz x de nfs_netfs_issue_read() para interrupci\u00f3n de escritura regresiva. El bucle dentro de nfs_netfs_issue_read() actualmente no deshabilita las interrupciones mientras se itera a trav\u00e9s de p\u00e1ginas en la matriz x para enviarlas a lectura NFS. Sin embargo, esto no es seguro ya que despu\u00e9s de tomar xa_lock, otra p\u00e1gina en el mapeo podr\u00eda procesarse para reescritura dentro de una interrupci\u00f3n, y puede ocurrir un punto muerto. La soluci\u00f3n es simple y limpia si usamos xa_for_each_range(), que maneja la iteraci\u00f3n con RCU mientras reduce la complejidad del c\u00f3digo. El problema se reproduce f\u00e1cilmente con la siguiente prueba: mount -o vers=3,fsc 127.0.0.1:/export /mnt/nfs dd if=/dev/zero of=/mnt/nfs/file1.bin bs=4096 count= 1 echo 3 > /proc/sys/vm/drop_caches dd if=/mnt/nfs/file1.bin of=/dev/null umount /mnt/nfs En la consola con un kernel habilitado para lockdep aparecer\u00e1 un mensaje similar al siguiente ser visto: ================================ ADVERTENCIA: estado de bloqueo inconsistente 6.7.0-lockdbg+ #10 No contaminado - ------------------------------- Uso inconsistente de {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W}. test5/1708 [HC0[0]:SC0[0]:HE1:SE1] toma: ffff888127baa598 (&xa->xa_lock#4){+.?.}-{3:3}, en: nfs_netfs_issue_read+0x1b2/0x4b0 [ nfs] El estado {IN-SOFTIRQ-W} se registr\u00f3 en: lock_acquire+0x144/0x380 _raw_spin_lock_irqsave+0x4e/0xa0 __folio_end_writeback+0x17e/0x5c0 folio_end_writeback+0x93/0x1b0 iomap_finish_ioend+0xeb/0x6a0 blk_update_request+ 0x204/0x7f0 blk_mq_end_request+0x30/0x1c0 blk_complete_reqs +0x7e/0xa0 __do_softirq+0x113/0x544 __irq_exit_rcu+0xfe/0x120 irq_exit_rcu+0xe/0x20 sysvec_call_function_single+0x6f/0x90 asm_sysvec_call_function_single+0x1a/0x20 +0xf/0x20 default_idle+0x9/0x20 default_idle_call+0x67/0xa0 do_idle+0x2b5/0x300 cpu_startup_entry +0x34/0x40 start_secondary+0x19d/0x1c0 second_startup_64_no_verify+0x18f/0x19b sello de evento irq: 176891 hardirqs habilitado por \u00faltima vez en (176891): [] _raw_spin_unlock_irqrestore+0x44/0x60 hardirqs deshabilitado por \u00faltima vez en ( 176890): [] _raw_spin_lock_irqsave+0x79/0xa0 softirqs habilitado por \u00faltima vez en (176646): [] __irq_exit_rcu+0xfe/0x120 softirqs deshabilitado por \u00faltima vez en (176633): [] __irq_exit_rcu+0xfe/0x120 Otra informaci\u00f3n que podr\u00eda ayudarnos a depurar esto: Posible escenario de bloqueo inseguro: CPU0 ---- lock(&xa->xa_lock#4); bloqueo(&xa->xa_lock#4); *** DEADLOCK *** 2 bloqueos mantenidos por test5/1708: #0: ffff888127baa498 (&sb->s_type->i_mutex_key#22){++++}-{4:4}, en: nfs_start_io_read+0x28/0x90 [nfs] #1: ffff888127baa650 (mapping.invalidate_lock#3){.+.+}-{4:4}, en: page_cache_ra_unbounded+0xa4/0x280 seguimiento de pila: CPU: 6 PID: 1708 Comm: test5 Kdump: cargado No tainted 6.7.0-lockdbg+ Nombre del hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 01/04/2014 Seguimiento de llamadas: dump_stack_lvl+0x5b/0x90 mark_lock+0xb3f/0xd20 __lock_acquire+0x77b/ 0x3360 _raw_spin_lock+0x34/0x80 nfs_netfs_issue_read+0x1b2/0x4b0 [nfs] netfs_begin_read+0x77f/0x980 [netfs] nfs_netfs_readahead+0x45/0x60 [nfs_readahead+0x323/0x5 a0 [nfs] read_pages+0xf3/0x5c0 page_cache_ra_unbounded+0x1c8/0x280 filemap_get_pages+ 0x38c/0xae0 filemap_read+0x206/0x5e0 nfs_file_read+0xb7/0x140 [nfs] vfs_read+0x2a9/0x460 ksys_read+0xb7/0x140" } ], "metrics": { "cvssMetricV31": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH" }, "exploitabilityScore": 1.8, "impactScore": 3.6 } ] }, "weaknesses": [ { "source": "nvd@nist.gov", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-667" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.6.23", "matchCriteriaId": "81341948-503D-47E5-9E88-7F2922865141" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.7.11", "matchCriteriaId": "9B95D3A6-E162-47D5-ABFC-F3FA74FA7CFD" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.8.2", "matchCriteriaId": "543A75FF-25B8-4046-A514-1EA8EDD87AB1" } ] } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/8a2e5977cecd3cde6a0e3e86b7b914d00240e5dc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/8df1678c021ffeb20ef8a203bd9413f3ed9b0e9a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/ad27382f8495f8ef6d2c66c413d756bfd13c0598", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/fd5860ab6341506004219b080aea40213b299d2e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/8a2e5977cecd3cde6a0e3e86b7b914d00240e5dc", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/8df1678c021ffeb20ef8a203bd9413f3ed9b0e9a", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/ad27382f8495f8ef6d2c66c413d756bfd13c0598", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/fd5860ab6341506004219b080aea40213b299d2e", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ] } ] }