CVE-2024-27031

In the Linux kernel, the following vulnerability has been resolved:

NFS: Fix nfsnetfsissue_read() xarray locking for writeback interrupt

The loop inside nfsnetfsissueread() currently does not disable interrupts while iterating through pages in the xarray to submit for NFS read. This is not safe though since after taking xalock, another page in the mapping could be processed for writeback inside an interrupt, and deadlock can occur. The fix is simple and clean if we use xaforeach_range(), which handles the iteration with RCU while reducing code complexity.

The problem is easily reproduced with the following test: mount -o vers=3,fsc 127.0.0.1:/export /mnt/nfs dd if=/dev/zero of=/mnt/nfs/file1.bin bs=4096 count=1 echo 3 > /proc/sys/vm/drop_caches dd if=/mnt/nfs/file1.bin of=/dev/null umount /mnt/nfs

On the console with a lockdep-enabled kernel a message similar to the following will be seen:

================================ WARNING: inconsistent lock state 6.7.0-lockdbg+ #10 Not tainted

inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage. test5/1708 [HC0[0]:SC0[0]:HE1:SE1] takes: ffff888127baa598 (&xa->xalock#4){+.?.}-{3:3}, at: nfsnetfsissueread+0x1b2/0x4b0 [nfs] {IN-SOFTIRQ-W} state was registered at: lockacquire+0x144/0x380 _rawspinlockirqsave+0x4e/0xa0 _folioendwriteback+0x17e/0x5c0 folioendwriteback+0x93/0x1b0 iomapfinishioend+0xeb/0x6a0 blkupdaterequest+0x204/0x7f0 blkmqendrequest+0x30/0x1c0 blkcompletereqs+0x7e/0xa0 _dosoftirq+0x113/0x544 _irqexitrcu+0xfe/0x120 irqexitrcu+0xe/0x20 sysveccallfunctionsingle+0x6f/0x90 asmsysveccallfunctionsingle+0x1a/0x20 pvnativesafehalt+0xf/0x20 defaultidle+0x9/0x20 defaultidlecall+0x67/0xa0 doidle+0x2b5/0x300 cpustartupentry+0x34/0x40 startsecondary+0x19d/0x1c0 secondarystartup64noverify+0x18f/0x19b irq event stamp: 176891 hardirqs last enabled at (176891): [<ffffffffa67a0be4>] rawspinunlockirqrestore+0x44/0x60 hardirqs last disabled at (176890): [<ffffffffa67a0899>] rawspinlockirqsave+0x79/0xa0 softirqs last enabled at (176646): [<ffffffffa515d91e>] _irqexitrcu+0xfe/0x120 softirqs last disabled at (176633): [<ffffffffa515d91e>] _irqexitrcu+0xfe/0x120

other info that might help us debug this: Possible unsafe locking scenario:

    CPU0
    ----

lock(&xa->xalock#4); <Interrupt> lock(&xa->xalock#4);

* DEADLOCK *

2 locks held by test5/1708: #0: ffff888127baa498 (&sb->stype->imutexkey#22){++++}-{4:4}, at: nfsstartioread+0x28/0x90 [nfs] #1: ffff888127baa650 (mapping.invalidatelock#3){.+.+}-{4:4}, at: pagecacheraunbounded+0xa4/0x280

stack backtrace: CPU: 6 PID: 1708 Comm: test5 Kdump: loaded Not tainted 6.7.0-lockdbg+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014 Call Trace: dumpstacklvl+0x5b/0x90 marklock+0xb3f/0xd20 _lockacquire+0x77b/0x3360 _rawspinlock+0x34/0x80 nfsnetfsissueread+0x1b2/0x4b0 [nfs] netfsbeginread+0x77f/0x980 [netfs] nfsnetfsreadahead+0x45/0x60 [nfs] nfsreadahead+0x323/0x5a0 [nfs] readpages+0xf3/0x5c0 pagecacheraunbounded+0x1c8/0x280 filemapgetpages+0x38c/0xae0 filemapread+0x206/0x5e0 nfsfileread+0xb7/0x140 [nfs] vfsread+0x2a9/0x460 ksysread+0xb7/0x140