CVE-2024-27031 (GCVE-0-2024-27031)

Vulnerability from cvelistv5 – Published: 2024-05-01 12:53 – Updated: 2026-05-11 20:09
VLAI
Title
NFS: Fix nfs_netfs_issue_read() xarray locking for writeback interrupt
Summary
In the Linux kernel, the following vulnerability has been resolved: NFS: Fix nfs_netfs_issue_read() xarray locking for writeback interrupt The loop inside nfs_netfs_issue_read() currently does not disable interrupts while iterating through pages in the xarray to submit for NFS read. This is not safe though since after taking xa_lock, another page in the mapping could be processed for writeback inside an interrupt, and deadlock can occur. The fix is simple and clean if we use xa_for_each_range(), which handles the iteration with RCU while reducing code complexity. The problem is easily reproduced with the following test: mount -o vers=3,fsc 127.0.0.1:/export /mnt/nfs dd if=/dev/zero of=/mnt/nfs/file1.bin bs=4096 count=1 echo 3 > /proc/sys/vm/drop_caches dd if=/mnt/nfs/file1.bin of=/dev/null umount /mnt/nfs On the console with a lockdep-enabled kernel a message similar to the following will be seen: ================================ WARNING: inconsistent lock state 6.7.0-lockdbg+ #10 Not tainted -------------------------------- inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage. test5/1708 [HC0[0]:SC0[0]:HE1:SE1] takes: ffff888127baa598 (&xa->xa_lock#4){+.?.}-{3:3}, at: nfs_netfs_issue_read+0x1b2/0x4b0 [nfs] {IN-SOFTIRQ-W} state was registered at: lock_acquire+0x144/0x380 _raw_spin_lock_irqsave+0x4e/0xa0 __folio_end_writeback+0x17e/0x5c0 folio_end_writeback+0x93/0x1b0 iomap_finish_ioend+0xeb/0x6a0 blk_update_request+0x204/0x7f0 blk_mq_end_request+0x30/0x1c0 blk_complete_reqs+0x7e/0xa0 __do_softirq+0x113/0x544 __irq_exit_rcu+0xfe/0x120 irq_exit_rcu+0xe/0x20 sysvec_call_function_single+0x6f/0x90 asm_sysvec_call_function_single+0x1a/0x20 pv_native_safe_halt+0xf/0x20 default_idle+0x9/0x20 default_idle_call+0x67/0xa0 do_idle+0x2b5/0x300 cpu_startup_entry+0x34/0x40 start_secondary+0x19d/0x1c0 secondary_startup_64_no_verify+0x18f/0x19b irq event stamp: 176891 hardirqs last enabled at (176891): [<ffffffffa67a0be4>] _raw_spin_unlock_irqrestore+0x44/0x60 hardirqs last disabled at (176890): [<ffffffffa67a0899>] _raw_spin_lock_irqsave+0x79/0xa0 softirqs last enabled at (176646): [<ffffffffa515d91e>] __irq_exit_rcu+0xfe/0x120 softirqs last disabled at (176633): [<ffffffffa515d91e>] __irq_exit_rcu+0xfe/0x120 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&xa->xa_lock#4); <Interrupt> lock(&xa->xa_lock#4); *** DEADLOCK *** 2 locks held by test5/1708: #0: ffff888127baa498 (&sb->s_type->i_mutex_key#22){++++}-{4:4}, at: nfs_start_io_read+0x28/0x90 [nfs] #1: ffff888127baa650 (mapping.invalidate_lock#3){.+.+}-{4:4}, at: page_cache_ra_unbounded+0xa4/0x280 stack backtrace: CPU: 6 PID: 1708 Comm: test5 Kdump: loaded Not tainted 6.7.0-lockdbg+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014 Call Trace: dump_stack_lvl+0x5b/0x90 mark_lock+0xb3f/0xd20 __lock_acquire+0x77b/0x3360 _raw_spin_lock+0x34/0x80 nfs_netfs_issue_read+0x1b2/0x4b0 [nfs] netfs_begin_read+0x77f/0x980 [netfs] nfs_netfs_readahead+0x45/0x60 [nfs] nfs_readahead+0x323/0x5a0 [nfs] read_pages+0xf3/0x5c0 page_cache_ra_unbounded+0x1c8/0x280 filemap_get_pages+0x38c/0xae0 filemap_read+0x206/0x5e0 nfs_file_read+0xb7/0x140 [nfs] vfs_read+0x2a9/0x460 ksys_read+0xb7/0x140
Severity
No CVSS data available.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 000dbe0bec058cbf2ca9e156e4a5584f5158b0f9 , < ad27382f8495f8ef6d2c66c413d756bfd13c0598 (git)
Affected: 000dbe0bec058cbf2ca9e156e4a5584f5158b0f9 , < 8df1678c021ffeb20ef8a203bd9413f3ed9b0e9a (git)
Affected: 000dbe0bec058cbf2ca9e156e4a5584f5158b0f9 , < 8a2e5977cecd3cde6a0e3e86b7b914d00240e5dc (git)
Affected: 000dbe0bec058cbf2ca9e156e4a5584f5158b0f9 , < fd5860ab6341506004219b080aea40213b299d2e (git)
Create a notification for this product.
Linux Linux Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.6.23 , ≤ 6.6.* (semver)
Unaffected: 6.7.11 , ≤ 6.7.* (semver)
Unaffected: 6.8.2 , ≤ 6.8.* (semver)
Unaffected: 6.9 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:21:05.884Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ad27382f8495f8ef6d2c66c413d756bfd13c0598"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8df1678c021ffeb20ef8a203bd9413f3ed9b0e9a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8a2e5977cecd3cde6a0e3e86b7b914d00240e5dc"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/fd5860ab6341506004219b080aea40213b299d2e"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-27031",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:44:17.758363Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:56.321Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfs/fscache.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ad27382f8495f8ef6d2c66c413d756bfd13c0598",
              "status": "affected",
              "version": "000dbe0bec058cbf2ca9e156e4a5584f5158b0f9",
              "versionType": "git"
            },
            {
              "lessThan": "8df1678c021ffeb20ef8a203bd9413f3ed9b0e9a",
              "status": "affected",
              "version": "000dbe0bec058cbf2ca9e156e4a5584f5158b0f9",
              "versionType": "git"
            },
            {
              "lessThan": "8a2e5977cecd3cde6a0e3e86b7b914d00240e5dc",
              "status": "affected",
              "version": "000dbe0bec058cbf2ca9e156e4a5584f5158b0f9",
              "versionType": "git"
            },
            {
              "lessThan": "fd5860ab6341506004219b080aea40213b299d2e",
              "status": "affected",
              "version": "000dbe0bec058cbf2ca9e156e4a5584f5158b0f9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfs/fscache.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.23",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.11",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8.2",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix nfs_netfs_issue_read() xarray locking for writeback interrupt\n\nThe loop inside nfs_netfs_issue_read() currently does not disable\ninterrupts while iterating through pages in the xarray to submit\nfor NFS read.  This is not safe though since after taking xa_lock,\nanother page in the mapping could be processed for writeback inside\nan interrupt, and deadlock can occur.  The fix is simple and clean\nif we use xa_for_each_range(), which handles the iteration with RCU\nwhile reducing code complexity.\n\nThe problem is easily reproduced with the following test:\n mount -o vers=3,fsc 127.0.0.1:/export /mnt/nfs\n dd if=/dev/zero of=/mnt/nfs/file1.bin bs=4096 count=1\n echo 3 \u003e /proc/sys/vm/drop_caches\n dd if=/mnt/nfs/file1.bin of=/dev/null\n umount /mnt/nfs\n\nOn the console with a lockdep-enabled kernel a message similar to\nthe following will be seen:\n\n ================================\n WARNING: inconsistent lock state\n 6.7.0-lockdbg+ #10 Not tainted\n --------------------------------\n inconsistent {IN-SOFTIRQ-W} -\u003e {SOFTIRQ-ON-W} usage.\n test5/1708 [HC0[0]:SC0[0]:HE1:SE1] takes:\n ffff888127baa598 (\u0026xa-\u003exa_lock#4){+.?.}-{3:3}, at:\nnfs_netfs_issue_read+0x1b2/0x4b0 [nfs]\n {IN-SOFTIRQ-W} state was registered at:\n   lock_acquire+0x144/0x380\n   _raw_spin_lock_irqsave+0x4e/0xa0\n   __folio_end_writeback+0x17e/0x5c0\n   folio_end_writeback+0x93/0x1b0\n   iomap_finish_ioend+0xeb/0x6a0\n   blk_update_request+0x204/0x7f0\n   blk_mq_end_request+0x30/0x1c0\n   blk_complete_reqs+0x7e/0xa0\n   __do_softirq+0x113/0x544\n   __irq_exit_rcu+0xfe/0x120\n   irq_exit_rcu+0xe/0x20\n   sysvec_call_function_single+0x6f/0x90\n   asm_sysvec_call_function_single+0x1a/0x20\n   pv_native_safe_halt+0xf/0x20\n   default_idle+0x9/0x20\n   default_idle_call+0x67/0xa0\n   do_idle+0x2b5/0x300\n   cpu_startup_entry+0x34/0x40\n   start_secondary+0x19d/0x1c0\n   secondary_startup_64_no_verify+0x18f/0x19b\n irq event stamp: 176891\n hardirqs last  enabled at (176891): [\u003cffffffffa67a0be4\u003e]\n_raw_spin_unlock_irqrestore+0x44/0x60\n hardirqs last disabled at (176890): [\u003cffffffffa67a0899\u003e]\n_raw_spin_lock_irqsave+0x79/0xa0\n softirqs last  enabled at (176646): [\u003cffffffffa515d91e\u003e]\n__irq_exit_rcu+0xfe/0x120\n softirqs last disabled at (176633): [\u003cffffffffa515d91e\u003e]\n__irq_exit_rcu+0xfe/0x120\n\n other info that might help us debug this:\n  Possible unsafe locking scenario:\n\n        CPU0\n        ----\n   lock(\u0026xa-\u003exa_lock#4);\n   \u003cInterrupt\u003e\n     lock(\u0026xa-\u003exa_lock#4);\n\n  *** DEADLOCK ***\n\n 2 locks held by test5/1708:\n  #0: ffff888127baa498 (\u0026sb-\u003es_type-\u003ei_mutex_key#22){++++}-{4:4}, at:\n      nfs_start_io_read+0x28/0x90 [nfs]\n  #1: ffff888127baa650 (mapping.invalidate_lock#3){.+.+}-{4:4}, at:\n      page_cache_ra_unbounded+0xa4/0x280\n\n stack backtrace:\n CPU: 6 PID: 1708 Comm: test5 Kdump: loaded Not tainted 6.7.0-lockdbg+\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39\n04/01/2014\n Call Trace:\n  dump_stack_lvl+0x5b/0x90\n  mark_lock+0xb3f/0xd20\n  __lock_acquire+0x77b/0x3360\n  _raw_spin_lock+0x34/0x80\n  nfs_netfs_issue_read+0x1b2/0x4b0 [nfs]\n  netfs_begin_read+0x77f/0x980 [netfs]\n  nfs_netfs_readahead+0x45/0x60 [nfs]\n  nfs_readahead+0x323/0x5a0 [nfs]\n  read_pages+0xf3/0x5c0\n  page_cache_ra_unbounded+0x1c8/0x280\n  filemap_get_pages+0x38c/0xae0\n  filemap_read+0x206/0x5e0\n  nfs_file_read+0xb7/0x140 [nfs]\n  vfs_read+0x2a9/0x460\n  ksys_read+0xb7/0x140"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:09:04.908Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ad27382f8495f8ef6d2c66c413d756bfd13c0598"
        },
        {
          "url": "https://git.kernel.org/stable/c/8df1678c021ffeb20ef8a203bd9413f3ed9b0e9a"
        },
        {
          "url": "https://git.kernel.org/stable/c/8a2e5977cecd3cde6a0e3e86b7b914d00240e5dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/fd5860ab6341506004219b080aea40213b299d2e"
        }
      ],
      "title": "NFS: Fix nfs_netfs_issue_read() xarray locking for writeback interrupt",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-27031",
    "datePublished": "2024-05-01T12:53:29.362Z",
    "dateReserved": "2024-02-19T14:20:24.211Z",
    "dateUpdated": "2026-05-11T20:09:04.908Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-27031",
      "date": "2026-06-08",
      "epss": "0.00032",
      "percentile": "0.09613"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.4\", \"versionEndExcluding\": \"6.6.23\", \"matchCriteriaId\": \"81341948-503D-47E5-9E88-7F2922865141\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.7\", \"versionEndExcluding\": \"6.7.11\", \"matchCriteriaId\": \"9B95D3A6-E162-47D5-ABFC-F3FA74FA7CFD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.8\", \"versionEndExcluding\": \"6.8.2\", \"matchCriteriaId\": \"543A75FF-25B8-4046-A514-1EA8EDD87AB1\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nNFS: Fix nfs_netfs_issue_read() xarray locking for writeback interrupt\\n\\nThe loop inside nfs_netfs_issue_read() currently does not disable\\ninterrupts while iterating through pages in the xarray to submit\\nfor NFS read.  This is not safe though since after taking xa_lock,\\nanother page in the mapping could be processed for writeback inside\\nan interrupt, and deadlock can occur.  The fix is simple and clean\\nif we use xa_for_each_range(), which handles the iteration with RCU\\nwhile reducing code complexity.\\n\\nThe problem is easily reproduced with the following test:\\n mount -o vers=3,fsc 127.0.0.1:/export /mnt/nfs\\n dd if=/dev/zero of=/mnt/nfs/file1.bin bs=4096 count=1\\n echo 3 \u003e /proc/sys/vm/drop_caches\\n dd if=/mnt/nfs/file1.bin of=/dev/null\\n umount /mnt/nfs\\n\\nOn the console with a lockdep-enabled kernel a message similar to\\nthe following will be seen:\\n\\n ================================\\n WARNING: inconsistent lock state\\n 6.7.0-lockdbg+ #10 Not tainted\\n --------------------------------\\n inconsistent {IN-SOFTIRQ-W} -\u003e {SOFTIRQ-ON-W} usage.\\n test5/1708 [HC0[0]:SC0[0]:HE1:SE1] takes:\\n ffff888127baa598 (\u0026xa-\u003exa_lock#4){+.?.}-{3:3}, at:\\nnfs_netfs_issue_read+0x1b2/0x4b0 [nfs]\\n {IN-SOFTIRQ-W} state was registered at:\\n   lock_acquire+0x144/0x380\\n   _raw_spin_lock_irqsave+0x4e/0xa0\\n   __folio_end_writeback+0x17e/0x5c0\\n   folio_end_writeback+0x93/0x1b0\\n   iomap_finish_ioend+0xeb/0x6a0\\n   blk_update_request+0x204/0x7f0\\n   blk_mq_end_request+0x30/0x1c0\\n   blk_complete_reqs+0x7e/0xa0\\n   __do_softirq+0x113/0x544\\n   __irq_exit_rcu+0xfe/0x120\\n   irq_exit_rcu+0xe/0x20\\n   sysvec_call_function_single+0x6f/0x90\\n   asm_sysvec_call_function_single+0x1a/0x20\\n   pv_native_safe_halt+0xf/0x20\\n   default_idle+0x9/0x20\\n   default_idle_call+0x67/0xa0\\n   do_idle+0x2b5/0x300\\n   cpu_startup_entry+0x34/0x40\\n   start_secondary+0x19d/0x1c0\\n   secondary_startup_64_no_verify+0x18f/0x19b\\n irq event stamp: 176891\\n hardirqs last  enabled at (176891): [\u003cffffffffa67a0be4\u003e]\\n_raw_spin_unlock_irqrestore+0x44/0x60\\n hardirqs last disabled at (176890): [\u003cffffffffa67a0899\u003e]\\n_raw_spin_lock_irqsave+0x79/0xa0\\n softirqs last  enabled at (176646): [\u003cffffffffa515d91e\u003e]\\n__irq_exit_rcu+0xfe/0x120\\n softirqs last disabled at (176633): [\u003cffffffffa515d91e\u003e]\\n__irq_exit_rcu+0xfe/0x120\\n\\n other info that might help us debug this:\\n  Possible unsafe locking scenario:\\n\\n        CPU0\\n        ----\\n   lock(\u0026xa-\u003exa_lock#4);\\n   \u003cInterrupt\u003e\\n     lock(\u0026xa-\u003exa_lock#4);\\n\\n  *** DEADLOCK ***\\n\\n 2 locks held by test5/1708:\\n  #0: ffff888127baa498 (\u0026sb-\u003es_type-\u003ei_mutex_key#22){++++}-{4:4}, at:\\n      nfs_start_io_read+0x28/0x90 [nfs]\\n  #1: ffff888127baa650 (mapping.invalidate_lock#3){.+.+}-{4:4}, at:\\n      page_cache_ra_unbounded+0xa4/0x280\\n\\n stack backtrace:\\n CPU: 6 PID: 1708 Comm: test5 Kdump: loaded Not tainted 6.7.0-lockdbg+\\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39\\n04/01/2014\\n Call Trace:\\n  dump_stack_lvl+0x5b/0x90\\n  mark_lock+0xb3f/0xd20\\n  __lock_acquire+0x77b/0x3360\\n  _raw_spin_lock+0x34/0x80\\n  nfs_netfs_issue_read+0x1b2/0x4b0 [nfs]\\n  netfs_begin_read+0x77f/0x980 [netfs]\\n  nfs_netfs_readahead+0x45/0x60 [nfs]\\n  nfs_readahead+0x323/0x5a0 [nfs]\\n  read_pages+0xf3/0x5c0\\n  page_cache_ra_unbounded+0x1c8/0x280\\n  filemap_get_pages+0x38c/0xae0\\n  filemap_read+0x206/0x5e0\\n  nfs_file_read+0xb7/0x140 [nfs]\\n  vfs_read+0x2a9/0x460\\n  ksys_read+0xb7/0x140\"}, {\"lang\": \"es\", \"value\": \"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: NFS: corrige el bloqueo de matriz x de nfs_netfs_issue_read() para interrupci\\u00f3n de escritura regresiva. El bucle dentro de nfs_netfs_issue_read() actualmente no deshabilita las interrupciones mientras se itera a trav\\u00e9s de p\\u00e1ginas en la matriz x para enviarlas a lectura NFS. Sin embargo, esto no es seguro ya que despu\\u00e9s de tomar xa_lock, otra p\\u00e1gina en el mapeo podr\\u00eda procesarse para reescritura dentro de una interrupci\\u00f3n, y puede ocurrir un punto muerto. La soluci\\u00f3n es simple y limpia si usamos xa_for_each_range(), que maneja la iteraci\\u00f3n con RCU mientras reduce la complejidad del c\\u00f3digo. El problema se reproduce f\\u00e1cilmente con la siguiente prueba: mount -o vers=3,fsc 127.0.0.1:/export /mnt/nfs dd if=/dev/zero of=/mnt/nfs/file1.bin bs=4096 count= 1 echo 3 \u0026gt; /proc/sys/vm/drop_caches dd if=/mnt/nfs/file1.bin of=/dev/null umount /mnt/nfs En la consola con un kernel habilitado para lockdep aparecer\\u00e1 un mensaje similar al siguiente ser visto: ================================ ADVERTENCIA: estado de bloqueo inconsistente 6.7.0-lockdbg+ #10 No contaminado - ------------------------------- Uso inconsistente de {IN-SOFTIRQ-W} -\u0026gt; {SOFTIRQ-ON-W}. test5/1708 [HC0[0]:SC0[0]:HE1:SE1] toma: ffff888127baa598 (\u0026amp;xa-\u0026gt;xa_lock#4){+.?.}-{3:3}, en: nfs_netfs_issue_read+0x1b2/0x4b0 [ nfs] El estado {IN-SOFTIRQ-W} se registr\\u00f3 en: lock_acquire+0x144/0x380 _raw_spin_lock_irqsave+0x4e/0xa0 __folio_end_writeback+0x17e/0x5c0 folio_end_writeback+0x93/0x1b0 iomap_finish_ioend+0xeb/0x6a0 blk_update_request+ 0x204/0x7f0 blk_mq_end_request+0x30/0x1c0 blk_complete_reqs +0x7e/0xa0 __do_softirq+0x113/0x544 __irq_exit_rcu+0xfe/0x120 irq_exit_rcu+0xe/0x20 sysvec_call_function_single+0x6f/0x90 asm_sysvec_call_function_single+0x1a/0x20 +0xf/0x20 default_idle+0x9/0x20 default_idle_call+0x67/0xa0 do_idle+0x2b5/0x300 cpu_startup_entry +0x34/0x40 start_secondary+0x19d/0x1c0 second_startup_64_no_verify+0x18f/0x19b sello de evento irq: 176891 hardirqs habilitado por \\u00faltima vez en (176891): [] _raw_spin_unlock_irqrestore+0x44/0x60 hardirqs deshabilitado por \\u00faltima vez en ( 176890): [] _raw_spin_lock_irqsave+0x79/0xa0 softirqs habilitado por \\u00faltima vez en (176646): [] __irq_exit_rcu+0xfe/0x120 softirqs deshabilitado por \\u00faltima vez en (176633): [] __irq_exit_rcu+0xfe/0x120 Otra informaci\\u00f3n que podr\\u00eda ayudarnos a depurar esto: Posible escenario de bloqueo inseguro: CPU0 ---- lock(\u0026amp;xa-\u0026gt;xa_lock#4);  bloqueo(\u0026amp;xa-\u0026gt;xa_lock#4); *** DEADLOCK *** 2 bloqueos mantenidos por test5/1708: #0: ffff888127baa498 (\u0026amp;sb-\u0026gt;s_type-\u0026gt;i_mutex_key#22){++++}-{4:4}, en: nfs_start_io_read+0x28/0x90 [nfs] #1: ffff888127baa650 (mapping.invalidate_lock#3){.+.+}-{4:4}, en: page_cache_ra_unbounded+0xa4/0x280 seguimiento de pila: CPU: 6 PID: 1708 Comm: test5 Kdump: cargado No tainted 6.7.0-lockdbg+ Nombre del hardware: PC est\\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 01/04/2014 Seguimiento de llamadas: dump_stack_lvl+0x5b/0x90 mark_lock+0xb3f/0xd20 __lock_acquire+0x77b/ 0x3360 _raw_spin_lock+0x34/0x80 nfs_netfs_issue_read+0x1b2/0x4b0 [nfs] netfs_begin_read+0x77f/0x980 [netfs] nfs_netfs_readahead+0x45/0x60 [nfs_readahead+0x323/0x5 a0 [nfs] read_pages+0xf3/0x5c0 page_cache_ra_unbounded+0x1c8/0x280 filemap_get_pages+ 0x38c/0xae0 filemap_read+0x206/0x5e0 nfs_file_read+0xb7/0x140 [nfs] vfs_read+0x2a9/0x460 ksys_read+0xb7/0x140\"}]",
      "id": "CVE-2024-27031",
      "lastModified": "2024-12-23T19:46:47.357",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.6}]}",
      "published": "2024-05-01T13:15:49.180",
      "references": "[{\"url\": \"https://git.kernel.org/stable/c/8a2e5977cecd3cde6a0e3e86b7b914d00240e5dc\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/8df1678c021ffeb20ef8a203bd9413f3ed9b0e9a\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/ad27382f8495f8ef6d2c66c413d756bfd13c0598\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/fd5860ab6341506004219b080aea40213b299d2e\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/8a2e5977cecd3cde6a0e3e86b7b914d00240e5dc\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/8df1678c021ffeb20ef8a203bd9413f3ed9b0e9a\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/ad27382f8495f8ef6d2c66c413d756bfd13c0598\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/fd5860ab6341506004219b080aea40213b299d2e\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}]",
      "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-667\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-27031\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-01T13:15:49.180\",\"lastModified\":\"2024-12-23T19:46:47.357\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nNFS: Fix nfs_netfs_issue_read() xarray locking for writeback interrupt\\n\\nThe loop inside nfs_netfs_issue_read() currently does not disable\\ninterrupts while iterating through pages in the xarray to submit\\nfor NFS read.  This is not safe though since after taking xa_lock,\\nanother page in the mapping could be processed for writeback inside\\nan interrupt, and deadlock can occur.  The fix is simple and clean\\nif we use xa_for_each_range(), which handles the iteration with RCU\\nwhile reducing code complexity.\\n\\nThe problem is easily reproduced with the following test:\\n mount -o vers=3,fsc 127.0.0.1:/export /mnt/nfs\\n dd if=/dev/zero of=/mnt/nfs/file1.bin bs=4096 count=1\\n echo 3 \u003e /proc/sys/vm/drop_caches\\n dd if=/mnt/nfs/file1.bin of=/dev/null\\n umount /mnt/nfs\\n\\nOn the console with a lockdep-enabled kernel a message similar to\\nthe following will be seen:\\n\\n ================================\\n WARNING: inconsistent lock state\\n 6.7.0-lockdbg+ #10 Not tainted\\n --------------------------------\\n inconsistent {IN-SOFTIRQ-W} -\u003e {SOFTIRQ-ON-W} usage.\\n test5/1708 [HC0[0]:SC0[0]:HE1:SE1] takes:\\n ffff888127baa598 (\u0026xa-\u003exa_lock#4){+.?.}-{3:3}, at:\\nnfs_netfs_issue_read+0x1b2/0x4b0 [nfs]\\n {IN-SOFTIRQ-W} state was registered at:\\n   lock_acquire+0x144/0x380\\n   _raw_spin_lock_irqsave+0x4e/0xa0\\n   __folio_end_writeback+0x17e/0x5c0\\n   folio_end_writeback+0x93/0x1b0\\n   iomap_finish_ioend+0xeb/0x6a0\\n   blk_update_request+0x204/0x7f0\\n   blk_mq_end_request+0x30/0x1c0\\n   blk_complete_reqs+0x7e/0xa0\\n   __do_softirq+0x113/0x544\\n   __irq_exit_rcu+0xfe/0x120\\n   irq_exit_rcu+0xe/0x20\\n   sysvec_call_function_single+0x6f/0x90\\n   asm_sysvec_call_function_single+0x1a/0x20\\n   pv_native_safe_halt+0xf/0x20\\n   default_idle+0x9/0x20\\n   default_idle_call+0x67/0xa0\\n   do_idle+0x2b5/0x300\\n   cpu_startup_entry+0x34/0x40\\n   start_secondary+0x19d/0x1c0\\n   secondary_startup_64_no_verify+0x18f/0x19b\\n irq event stamp: 176891\\n hardirqs last  enabled at (176891): [\u003cffffffffa67a0be4\u003e]\\n_raw_spin_unlock_irqrestore+0x44/0x60\\n hardirqs last disabled at (176890): [\u003cffffffffa67a0899\u003e]\\n_raw_spin_lock_irqsave+0x79/0xa0\\n softirqs last  enabled at (176646): [\u003cffffffffa515d91e\u003e]\\n__irq_exit_rcu+0xfe/0x120\\n softirqs last disabled at (176633): [\u003cffffffffa515d91e\u003e]\\n__irq_exit_rcu+0xfe/0x120\\n\\n other info that might help us debug this:\\n  Possible unsafe locking scenario:\\n\\n        CPU0\\n        ----\\n   lock(\u0026xa-\u003exa_lock#4);\\n   \u003cInterrupt\u003e\\n     lock(\u0026xa-\u003exa_lock#4);\\n\\n  *** DEADLOCK ***\\n\\n 2 locks held by test5/1708:\\n  #0: ffff888127baa498 (\u0026sb-\u003es_type-\u003ei_mutex_key#22){++++}-{4:4}, at:\\n      nfs_start_io_read+0x28/0x90 [nfs]\\n  #1: ffff888127baa650 (mapping.invalidate_lock#3){.+.+}-{4:4}, at:\\n      page_cache_ra_unbounded+0xa4/0x280\\n\\n stack backtrace:\\n CPU: 6 PID: 1708 Comm: test5 Kdump: loaded Not tainted 6.7.0-lockdbg+\\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39\\n04/01/2014\\n Call Trace:\\n  dump_stack_lvl+0x5b/0x90\\n  mark_lock+0xb3f/0xd20\\n  __lock_acquire+0x77b/0x3360\\n  _raw_spin_lock+0x34/0x80\\n  nfs_netfs_issue_read+0x1b2/0x4b0 [nfs]\\n  netfs_begin_read+0x77f/0x980 [netfs]\\n  nfs_netfs_readahead+0x45/0x60 [nfs]\\n  nfs_readahead+0x323/0x5a0 [nfs]\\n  read_pages+0xf3/0x5c0\\n  page_cache_ra_unbounded+0x1c8/0x280\\n  filemap_get_pages+0x38c/0xae0\\n  filemap_read+0x206/0x5e0\\n  nfs_file_read+0xb7/0x140 [nfs]\\n  vfs_read+0x2a9/0x460\\n  ksys_read+0xb7/0x140\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: NFS: corrige el bloqueo de matriz x de nfs_netfs_issue_read() para interrupci\u00f3n de escritura regresiva. El bucle dentro de nfs_netfs_issue_read() actualmente no deshabilita las interrupciones mientras se itera a trav\u00e9s de p\u00e1ginas en la matriz x para enviarlas a lectura NFS. Sin embargo, esto no es seguro ya que despu\u00e9s de tomar xa_lock, otra p\u00e1gina en el mapeo podr\u00eda procesarse para reescritura dentro de una interrupci\u00f3n, y puede ocurrir un punto muerto. La soluci\u00f3n es simple y limpia si usamos xa_for_each_range(), que maneja la iteraci\u00f3n con RCU mientras reduce la complejidad del c\u00f3digo. El problema se reproduce f\u00e1cilmente con la siguiente prueba: mount -o vers=3,fsc 127.0.0.1:/export /mnt/nfs dd if=/dev/zero of=/mnt/nfs/file1.bin bs=4096 count= 1 echo 3 \u0026gt; /proc/sys/vm/drop_caches dd if=/mnt/nfs/file1.bin of=/dev/null umount /mnt/nfs En la consola con un kernel habilitado para lockdep aparecer\u00e1 un mensaje similar al siguiente ser visto: ================================ ADVERTENCIA: estado de bloqueo inconsistente 6.7.0-lockdbg+ #10 No contaminado - ------------------------------- Uso inconsistente de {IN-SOFTIRQ-W} -\u0026gt; {SOFTIRQ-ON-W}. test5/1708 [HC0[0]:SC0[0]:HE1:SE1] toma: ffff888127baa598 (\u0026amp;xa-\u0026gt;xa_lock#4){+.?.}-{3:3}, en: nfs_netfs_issue_read+0x1b2/0x4b0 [ nfs] El estado {IN-SOFTIRQ-W} se registr\u00f3 en: lock_acquire+0x144/0x380 _raw_spin_lock_irqsave+0x4e/0xa0 __folio_end_writeback+0x17e/0x5c0 folio_end_writeback+0x93/0x1b0 iomap_finish_ioend+0xeb/0x6a0 blk_update_request+ 0x204/0x7f0 blk_mq_end_request+0x30/0x1c0 blk_complete_reqs +0x7e/0xa0 __do_softirq+0x113/0x544 __irq_exit_rcu+0xfe/0x120 irq_exit_rcu+0xe/0x20 sysvec_call_function_single+0x6f/0x90 asm_sysvec_call_function_single+0x1a/0x20 +0xf/0x20 default_idle+0x9/0x20 default_idle_call+0x67/0xa0 do_idle+0x2b5/0x300 cpu_startup_entry +0x34/0x40 start_secondary+0x19d/0x1c0 second_startup_64_no_verify+0x18f/0x19b sello de evento irq: 176891 hardirqs habilitado por \u00faltima vez en (176891): [] _raw_spin_unlock_irqrestore+0x44/0x60 hardirqs deshabilitado por \u00faltima vez en ( 176890): [] _raw_spin_lock_irqsave+0x79/0xa0 softirqs habilitado por \u00faltima vez en (176646): [] __irq_exit_rcu+0xfe/0x120 softirqs deshabilitado por \u00faltima vez en (176633): [] __irq_exit_rcu+0xfe/0x120 Otra informaci\u00f3n que podr\u00eda ayudarnos a depurar esto: Posible escenario de bloqueo inseguro: CPU0 ---- lock(\u0026amp;xa-\u0026gt;xa_lock#4);  bloqueo(\u0026amp;xa-\u0026gt;xa_lock#4); *** DEADLOCK *** 2 bloqueos mantenidos por test5/1708: #0: ffff888127baa498 (\u0026amp;sb-\u0026gt;s_type-\u0026gt;i_mutex_key#22){++++}-{4:4}, en: nfs_start_io_read+0x28/0x90 [nfs] #1: ffff888127baa650 (mapping.invalidate_lock#3){.+.+}-{4:4}, en: page_cache_ra_unbounded+0xa4/0x280 seguimiento de pila: CPU: 6 PID: 1708 Comm: test5 Kdump: cargado No tainted 6.7.0-lockdbg+ Nombre del hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 01/04/2014 Seguimiento de llamadas: dump_stack_lvl+0x5b/0x90 mark_lock+0xb3f/0xd20 __lock_acquire+0x77b/ 0x3360 _raw_spin_lock+0x34/0x80 nfs_netfs_issue_read+0x1b2/0x4b0 [nfs] netfs_begin_read+0x77f/0x980 [netfs] nfs_netfs_readahead+0x45/0x60 [nfs_readahead+0x323/0x5 a0 [nfs] read_pages+0xf3/0x5c0 page_cache_ra_unbounded+0x1c8/0x280 filemap_get_pages+ 0x38c/0xae0 filemap_read+0x206/0x5e0 nfs_file_read+0xb7/0x140 [nfs] vfs_read+0x2a9/0x460 ksys_read+0xb7/0x140\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-667\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.4\",\"versionEndExcluding\":\"6.6.23\",\"matchCriteriaId\":\"81341948-503D-47E5-9E88-7F2922865141\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.7.11\",\"matchCriteriaId\":\"9B95D3A6-E162-47D5-ABFC-F3FA74FA7CFD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.8\",\"versionEndExcluding\":\"6.8.2\",\"matchCriteriaId\":\"543A75FF-25B8-4046-A514-1EA8EDD87AB1\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/8a2e5977cecd3cde6a0e3e86b7b914d00240e5dc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8df1678c021ffeb20ef8a203bd9413f3ed9b0e9a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ad27382f8495f8ef6d2c66c413d756bfd13c0598\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/fd5860ab6341506004219b080aea40213b299d2e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8a2e5977cecd3cde6a0e3e86b7b914d00240e5dc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8df1678c021ffeb20ef8a203bd9413f3ed9b0e9a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ad27382f8495f8ef6d2c66c413d756bfd13c0598\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/fd5860ab6341506004219b080aea40213b299d2e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/ad27382f8495f8ef6d2c66c413d756bfd13c0598\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/8df1678c021ffeb20ef8a203bd9413f3ed9b0e9a\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/8a2e5977cecd3cde6a0e3e86b7b914d00240e5dc\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/fd5860ab6341506004219b080aea40213b299d2e\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T00:21:05.884Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-27031\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-10T15:44:17.758363Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-11T12:42:19.713Z\"}}], \"cna\": {\"title\": \"NFS: Fix nfs_netfs_issue_read() xarray locking for writeback interrupt\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"000dbe0bec058cbf2ca9e156e4a5584f5158b0f9\", \"lessThan\": \"ad27382f8495f8ef6d2c66c413d756bfd13c0598\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"000dbe0bec058cbf2ca9e156e4a5584f5158b0f9\", \"lessThan\": \"8df1678c021ffeb20ef8a203bd9413f3ed9b0e9a\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"000dbe0bec058cbf2ca9e156e4a5584f5158b0f9\", \"lessThan\": \"8a2e5977cecd3cde6a0e3e86b7b914d00240e5dc\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"000dbe0bec058cbf2ca9e156e4a5584f5158b0f9\", \"lessThan\": \"fd5860ab6341506004219b080aea40213b299d2e\", \"versionType\": \"git\"}], \"programFiles\": [\"fs/nfs/fscache.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.4\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"6.4\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.6.23\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.7.11\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.7.*\"}, {\"status\": \"unaffected\", \"version\": \"6.8.2\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.8.*\"}, {\"status\": \"unaffected\", \"version\": \"6.9\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"fs/nfs/fscache.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/ad27382f8495f8ef6d2c66c413d756bfd13c0598\"}, {\"url\": \"https://git.kernel.org/stable/c/8df1678c021ffeb20ef8a203bd9413f3ed9b0e9a\"}, {\"url\": \"https://git.kernel.org/stable/c/8a2e5977cecd3cde6a0e3e86b7b914d00240e5dc\"}, {\"url\": \"https://git.kernel.org/stable/c/fd5860ab6341506004219b080aea40213b299d2e\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nNFS: Fix nfs_netfs_issue_read() xarray locking for writeback interrupt\\n\\nThe loop inside nfs_netfs_issue_read() currently does not disable\\ninterrupts while iterating through pages in the xarray to submit\\nfor NFS read.  This is not safe though since after taking xa_lock,\\nanother page in the mapping could be processed for writeback inside\\nan interrupt, and deadlock can occur.  The fix is simple and clean\\nif we use xa_for_each_range(), which handles the iteration with RCU\\nwhile reducing code complexity.\\n\\nThe problem is easily reproduced with the following test:\\n mount -o vers=3,fsc 127.0.0.1:/export /mnt/nfs\\n dd if=/dev/zero of=/mnt/nfs/file1.bin bs=4096 count=1\\n echo 3 \u003e /proc/sys/vm/drop_caches\\n dd if=/mnt/nfs/file1.bin of=/dev/null\\n umount /mnt/nfs\\n\\nOn the console with a lockdep-enabled kernel a message similar to\\nthe following will be seen:\\n\\n ================================\\n WARNING: inconsistent lock state\\n 6.7.0-lockdbg+ #10 Not tainted\\n --------------------------------\\n inconsistent {IN-SOFTIRQ-W} -\u003e {SOFTIRQ-ON-W} usage.\\n test5/1708 [HC0[0]:SC0[0]:HE1:SE1] takes:\\n ffff888127baa598 (\u0026xa-\u003exa_lock#4){+.?.}-{3:3}, at:\\nnfs_netfs_issue_read+0x1b2/0x4b0 [nfs]\\n {IN-SOFTIRQ-W} state was registered at:\\n   lock_acquire+0x144/0x380\\n   _raw_spin_lock_irqsave+0x4e/0xa0\\n   __folio_end_writeback+0x17e/0x5c0\\n   folio_end_writeback+0x93/0x1b0\\n   iomap_finish_ioend+0xeb/0x6a0\\n   blk_update_request+0x204/0x7f0\\n   blk_mq_end_request+0x30/0x1c0\\n   blk_complete_reqs+0x7e/0xa0\\n   __do_softirq+0x113/0x544\\n   __irq_exit_rcu+0xfe/0x120\\n   irq_exit_rcu+0xe/0x20\\n   sysvec_call_function_single+0x6f/0x90\\n   asm_sysvec_call_function_single+0x1a/0x20\\n   pv_native_safe_halt+0xf/0x20\\n   default_idle+0x9/0x20\\n   default_idle_call+0x67/0xa0\\n   do_idle+0x2b5/0x300\\n   cpu_startup_entry+0x34/0x40\\n   start_secondary+0x19d/0x1c0\\n   secondary_startup_64_no_verify+0x18f/0x19b\\n irq event stamp: 176891\\n hardirqs last  enabled at (176891): [\u003cffffffffa67a0be4\u003e]\\n_raw_spin_unlock_irqrestore+0x44/0x60\\n hardirqs last disabled at (176890): [\u003cffffffffa67a0899\u003e]\\n_raw_spin_lock_irqsave+0x79/0xa0\\n softirqs last  enabled at (176646): [\u003cffffffffa515d91e\u003e]\\n__irq_exit_rcu+0xfe/0x120\\n softirqs last disabled at (176633): [\u003cffffffffa515d91e\u003e]\\n__irq_exit_rcu+0xfe/0x120\\n\\n other info that might help us debug this:\\n  Possible unsafe locking scenario:\\n\\n        CPU0\\n        ----\\n   lock(\u0026xa-\u003exa_lock#4);\\n   \u003cInterrupt\u003e\\n     lock(\u0026xa-\u003exa_lock#4);\\n\\n  *** DEADLOCK ***\\n\\n 2 locks held by test5/1708:\\n  #0: ffff888127baa498 (\u0026sb-\u003es_type-\u003ei_mutex_key#22){++++}-{4:4}, at:\\n      nfs_start_io_read+0x28/0x90 [nfs]\\n  #1: ffff888127baa650 (mapping.invalidate_lock#3){.+.+}-{4:4}, at:\\n      page_cache_ra_unbounded+0xa4/0x280\\n\\n stack backtrace:\\n CPU: 6 PID: 1708 Comm: test5 Kdump: loaded Not tainted 6.7.0-lockdbg+\\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39\\n04/01/2014\\n Call Trace:\\n  dump_stack_lvl+0x5b/0x90\\n  mark_lock+0xb3f/0xd20\\n  __lock_acquire+0x77b/0x3360\\n  _raw_spin_lock+0x34/0x80\\n  nfs_netfs_issue_read+0x1b2/0x4b0 [nfs]\\n  netfs_begin_read+0x77f/0x980 [netfs]\\n  nfs_netfs_readahead+0x45/0x60 [nfs]\\n  nfs_readahead+0x323/0x5a0 [nfs]\\n  read_pages+0xf3/0x5c0\\n  page_cache_ra_unbounded+0x1c8/0x280\\n  filemap_get_pages+0x38c/0xae0\\n  filemap_read+0x206/0x5e0\\n  nfs_file_read+0xb7/0x140 [nfs]\\n  vfs_read+0x2a9/0x460\\n  ksys_read+0xb7/0x140\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.23\", \"versionStartIncluding\": \"6.4\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.7.11\", \"versionStartIncluding\": \"6.4\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.8.2\", \"versionStartIncluding\": \"6.4\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.9\", \"versionStartIncluding\": \"6.4\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T09:02:41.271Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-27031\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-04T09:02:41.271Z\", \"dateReserved\": \"2024-02-19T14:20:24.211Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-05-01T12:53:29.362Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.