FKIE_CVE-2026-23047

Vulnerability from fkie_nvd - Published: 2026-02-04 16:16 - Updated: 2026-02-04 16:33
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: libceph: make calc_target() set t->paused, not just clear it Currently calc_target() clears t->paused if the request shouldn't be paused anymore, but doesn't ever set t->paused even though it's able to determine when the request should be paused. Setting t->paused is left to __submit_request() which is fine for regular requests but doesn't work for linger requests -- since __submit_request() doesn't operate on linger requests, there is nowhere for lreq->t.paused to be set. One consequence of this is that watches don't get reestablished on paused -> unpaused transitions in cases where requests have been paused long enough for the (paused) unwatch request to time out and for the subsequent (re)watch request to enter the paused state. On top of the watch not getting reestablished, rbd_reregister_watch() gets stuck with rbd_dev->watch_mutex held: rbd_register_watch __rbd_register_watch ceph_osdc_watch linger_reg_commit_wait It's waiting for lreq->reg_commit_wait to be completed, but for that to happen the respective request needs to end up on need_resend_linger list and be kicked when requests are unpaused. There is no chance for that if the request in question is never marked paused in the first place. The fact that rbd_dev->watch_mutex remains taken out forever then prevents the image from getting unmapped -- "rbd unmap" would inevitably hang in D state on an attempt to grab the mutex.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2b3329b3c29d9e188e40d902d5230c2d5989b940
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4d3399c52e0e61720ae898f5a0b5b75d4460ae24
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4ebc711b738d139cabe2fc9e7e7749847676a342
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/5647d42c47b535573b63e073e91164d6a5bb058c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/5d0dc83cb9a69c1d0bea58f1c430199b05f6b021
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6f468f6ff233c6a81e0e761d9124e982903fe9a5
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: make calc_target() set t-\u003epaused, not just clear it\n\nCurrently calc_target() clears t-\u003epaused if the request shouldn\u0027t be\npaused anymore, but doesn\u0027t ever set t-\u003epaused even though it\u0027s able to\ndetermine when the request should be paused.  Setting t-\u003epaused is left\nto __submit_request() which is fine for regular requests but doesn\u0027t\nwork for linger requests -- since __submit_request() doesn\u0027t operate\non linger requests, there is nowhere for lreq-\u003et.paused to be set.\nOne consequence of this is that watches don\u0027t get reestablished on\npaused -\u003e unpaused transitions in cases where requests have been paused\nlong enough for the (paused) unwatch request to time out and for the\nsubsequent (re)watch request to enter the paused state.  On top of the\nwatch not getting reestablished, rbd_reregister_watch() gets stuck with\nrbd_dev-\u003ewatch_mutex held:\n\n  rbd_register_watch\n    __rbd_register_watch\n      ceph_osdc_watch\n        linger_reg_commit_wait\n\nIt\u0027s waiting for lreq-\u003ereg_commit_wait to be completed, but for that to\nhappen the respective request needs to end up on need_resend_linger list\nand be kicked when requests are unpaused.  There is no chance for that\nif the request in question is never marked paused in the first place.\n\nThe fact that rbd_dev-\u003ewatch_mutex remains taken out forever then\nprevents the image from getting unmapped -- \"rbd unmap\" would inevitably\nhang in D state on an attempt to grab the mutex."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nlibceph: hacer que calc_target() establezca t-\u0026gt;paused, no solo lo borre\n\nActualmente, calc_target() borra t-\u0026gt;paused si la solicitud ya no deber\u00eda estar en pausa, pero nunca establece t-\u0026gt;paused a pesar de que es capaz de determinar cu\u00e1ndo la solicitud deber\u00eda estar en pausa. El establecimiento de t-\u0026gt;paused se deja a __submit_request(), lo cual est\u00e1 bien para las solicitudes regulares pero no funciona para las solicitudes persistentes (linger requests) -- ya que __submit_request() no opera en solicitudes persistentes, no hay d\u00f3nde establecer lreq-\u0026gt;t.paused. Una consecuencia de esto es que las vigilancias no se restablecen en las transiciones de pausado -\u0026gt; despausado en casos donde las solicitudes han estado en pausa el tiempo suficiente para que la solicitud de desvigilancia (unwatch) (pausada) expire y para que la solicitud de (re)vigilancia (re)watch subsiguiente entre en el estado de pausa. Adem\u00e1s de que la vigilancia no se restablece, rbd_reregister_watch() se queda atascado con rbd_dev-\u0026gt;watch_mutex retenido:\n\n  rbd_register_watch\n    __rbd_register_watch\n      ceph_osdc_watch\n        linger_reg_commit_wait\n\nEst\u00e1 esperando que lreq-\u0026gt;reg_commit_wait se complete, pero para que eso suceda la solicitud respectiva necesita terminar en la lista need_resend_linger y ser activada cuando las solicitudes se despausan. No hay posibilidad de eso si la solicitud en cuesti\u00f3n nunca se marca como pausada en primer lugar.\n\nEl hecho de que rbd_dev-\u0026gt;watch_mutex permanezca retenido indefinidamente entonces evita que la imagen se desmapee -- \u0027rbd unmap\u0027 se colgar\u00eda inevitablemente en estado D en un intento de tomar el mutex."
    }
  ],
  "id": "CVE-2026-23047",
  "lastModified": "2026-02-04T16:33:44.537",
  "metrics": {},
  "published": "2026-02-04T16:16:20.227",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/2b3329b3c29d9e188e40d902d5230c2d5989b940"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/4d3399c52e0e61720ae898f5a0b5b75d4460ae24"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/4ebc711b738d139cabe2fc9e7e7749847676a342"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/5647d42c47b535573b63e073e91164d6a5bb058c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/5d0dc83cb9a69c1d0bea58f1c430199b05f6b021"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/6f468f6ff233c6a81e0e761d9124e982903fe9a5"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.