{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-27031","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-19T14:20:24.211Z","datePublished":"2024-05-01T12:53:29.362Z","dateUpdated":"2025-05-04T09:02:41.271Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:02:41.271Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix nfs_netfs_issue_read() xarray locking for writeback interrupt\n\nThe loop inside nfs_netfs_issue_read() currently does not disable\ninterrupts while iterating through pages in the xarray to submit\nfor NFS read.  This is not safe though since after taking xa_lock,\nanother page in the mapping could be processed for writeback inside\nan interrupt, and deadlock can occur.  The fix is simple and clean\nif we use xa_for_each_range(), which handles the iteration with RCU\nwhile reducing code complexity.\n\nThe problem is easily reproduced with the following test:\n mount -o vers=3,fsc 127.0.0.1:/export /mnt/nfs\n dd if=/dev/zero of=/mnt/nfs/file1.bin bs=4096 count=1\n echo 3 > /proc/sys/vm/drop_caches\n dd if=/mnt/nfs/file1.bin of=/dev/null\n umount /mnt/nfs\n\nOn the console with a lockdep-enabled kernel a message similar to\nthe following will be seen:\n\n ================================\n WARNING: inconsistent lock state\n 6.7.0-lockdbg+ #10 Not tainted\n --------------------------------\n inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.\n test5/1708 [HC0[0]:SC0[0]:HE1:SE1] takes:\n ffff888127baa598 (&xa->xa_lock#4){+.?.}-{3:3}, at:\nnfs_netfs_issue_read+0x1b2/0x4b0 [nfs]\n {IN-SOFTIRQ-W} state was registered at:\n   lock_acquire+0x144/0x380\n   _raw_spin_lock_irqsave+0x4e/0xa0\n   __folio_end_writeback+0x17e/0x5c0\n   folio_end_writeback+0x93/0x1b0\n   iomap_finish_ioend+0xeb/0x6a0\n   blk_update_request+0x204/0x7f0\n   blk_mq_end_request+0x30/0x1c0\n   blk_complete_reqs+0x7e/0xa0\n   __do_softirq+0x113/0x544\n   __irq_exit_rcu+0xfe/0x120\n   irq_exit_rcu+0xe/0x20\n   sysvec_call_function_single+0x6f/0x90\n   asm_sysvec_call_function_single+0x1a/0x20\n   pv_native_safe_halt+0xf/0x20\n   default_idle+0x9/0x20\n   default_idle_call+0x67/0xa0\n   do_idle+0x2b5/0x300\n   cpu_startup_entry+0x34/0x40\n   start_secondary+0x19d/0x1c0\n   secondary_startup_64_no_verify+0x18f/0x19b\n irq event stamp: 176891\n hardirqs last  enabled at (176891): [<ffffffffa67a0be4>]\n_raw_spin_unlock_irqrestore+0x44/0x60\n hardirqs last disabled at (176890): [<ffffffffa67a0899>]\n_raw_spin_lock_irqsave+0x79/0xa0\n softirqs last  enabled at (176646): [<ffffffffa515d91e>]\n__irq_exit_rcu+0xfe/0x120\n softirqs last disabled at (176633): [<ffffffffa515d91e>]\n__irq_exit_rcu+0xfe/0x120\n\n other info that might help us debug this:\n  Possible unsafe locking scenario:\n\n        CPU0\n        ----\n   lock(&xa->xa_lock#4);\n   <Interrupt>\n     lock(&xa->xa_lock#4);\n\n  *** DEADLOCK ***\n\n 2 locks held by test5/1708:\n  #0: ffff888127baa498 (&sb->s_type->i_mutex_key#22){++++}-{4:4}, at:\n      nfs_start_io_read+0x28/0x90 [nfs]\n  #1: ffff888127baa650 (mapping.invalidate_lock#3){.+.+}-{4:4}, at:\n      page_cache_ra_unbounded+0xa4/0x280\n\n stack backtrace:\n CPU: 6 PID: 1708 Comm: test5 Kdump: loaded Not tainted 6.7.0-lockdbg+\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39\n04/01/2014\n Call Trace:\n  dump_stack_lvl+0x5b/0x90\n  mark_lock+0xb3f/0xd20\n  __lock_acquire+0x77b/0x3360\n  _raw_spin_lock+0x34/0x80\n  nfs_netfs_issue_read+0x1b2/0x4b0 [nfs]\n  netfs_begin_read+0x77f/0x980 [netfs]\n  nfs_netfs_readahead+0x45/0x60 [nfs]\n  nfs_readahead+0x323/0x5a0 [nfs]\n  read_pages+0xf3/0x5c0\n  page_cache_ra_unbounded+0x1c8/0x280\n  filemap_get_pages+0x38c/0xae0\n  filemap_read+0x206/0x5e0\n  nfs_file_read+0xb7/0x140 [nfs]\n  vfs_read+0x2a9/0x460\n  ksys_read+0xb7/0x140"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/nfs/fscache.c"],"versions":[{"version":"000dbe0bec058cbf2ca9e156e4a5584f5158b0f9","lessThan":"ad27382f8495f8ef6d2c66c413d756bfd13c0598","status":"affected","versionType":"git"},{"version":"000dbe0bec058cbf2ca9e156e4a5584f5158b0f9","lessThan":"8df1678c021ffeb20ef8a203bd9413f3ed9b0e9a","status":"affected","versionType":"git"},{"version":"000dbe0bec058cbf2ca9e156e4a5584f5158b0f9","lessThan":"8a2e5977cecd3cde6a0e3e86b7b914d00240e5dc","status":"affected","versionType":"git"},{"version":"000dbe0bec058cbf2ca9e156e4a5584f5158b0f9","lessThan":"fd5860ab6341506004219b080aea40213b299d2e","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/nfs/fscache.c"],"versions":[{"version":"6.4","status":"affected"},{"version":"0","lessThan":"6.4","status":"unaffected","versionType":"semver"},{"version":"6.6.23","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.7.11","lessThanOrEqual":"6.7.*","status":"unaffected","versionType":"semver"},{"version":"6.8.2","lessThanOrEqual":"6.8.*","status":"unaffected","versionType":"semver"},{"version":"6.9","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.6.23"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.7.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.8.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.9"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/ad27382f8495f8ef6d2c66c413d756bfd13c0598"},{"url":"https://git.kernel.org/stable/c/8df1678c021ffeb20ef8a203bd9413f3ed9b0e9a"},{"url":"https://git.kernel.org/stable/c/8a2e5977cecd3cde6a0e3e86b7b914d00240e5dc"},{"url":"https://git.kernel.org/stable/c/fd5860ab6341506004219b080aea40213b299d2e"}],"title":"NFS: Fix nfs_netfs_issue_read() xarray locking for writeback interrupt","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T00:21:05.884Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/ad27382f8495f8ef6d2c66c413d756bfd13c0598","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/8df1678c021ffeb20ef8a203bd9413f3ed9b0e9a","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/8a2e5977cecd3cde6a0e3e86b7b914d00240e5dc","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/fd5860ab6341506004219b080aea40213b299d2e","tags":["x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-27031","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-09-10T15:44:17.758363Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-11T17:33:56.321Z"}}]}}