CVE-2022-48628

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 02/03/2024
Last modified: 13/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ceph: drop messages from MDS when unmounting

When unmounting all the dirty buffers will be flushed and after
the last osd request is finished the last reference of the i_count
will be released. Then it will flush the dirty cap/snap to MDSs,
and the unmounting won't wait for the possible acks, which will ihold
the inodes when updating the metadata locally but makes no sense
any more, of this. This will make the evict_inodes() to skip these
inodes.

If encrypt is enabled the kernel generates a warning when removing
the encrypt keys when the skipped inodes still hold the keyring:

    WARNING: CPU: 4 PID: 168846 at fs/crypto/keyring.c:242 fscrypt_destroy_keyring+0x7e/0xd0
    CPU: 4 PID: 168846 Comm: umount Tainted: G S 6.1.0-rc5-ceph-g72ead199864c #1
    Hardware name: Supermicro SYS-5018R-WR/X10SRW-F, BIOS 2.0 12/17/2015
    RIP: 0010:fscrypt_destroy_keyring+0x7e/0xd0
    RSP: 0018:ffffc9000b277e28 EFLAGS: 00010202
    RAX: 0000000000000002 RBX: ffff88810d52ac00 RCX: ffff88810b56aa00
    RDX: 0000000080000000 RSI: ffffffff822f3a09 RDI: ffff888108f59000
    RBP: ffff8881d394fb88 R08: 0000000000000028 R09: 0000000000000000
    R10: 0000000000000001 R11: 11ff4fe6834fcd91 R12: ffff8881d394fc40
    R13: ffff888108f59000 R14: ffff8881d394f800 R15: 0000000000000000
    FS: 00007fd83f6f1080(0000) GS:ffff88885fd00000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f918d417000 CR3: 000000017f89a005 CR4: 00000000003706e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:

    generic_shutdown_super+0x47/0x120
    kill_anon_super+0x14/0x30
    ceph_kill_sb+0x36/0x90 [ceph]
    deactivate_locked_super+0x29/0x60
    cleanup_mnt+0xb8/0x140
    task_work_run+0x67/0xb0
    exit_to_user_mode_prepare+0x23d/0x240
    syscall_exit_to_user_mode+0x25/0x60
    do_syscall_64+0x40/0x80
    entry_SYSCALL_64_after_hwframe+0x63/0xcd
    RIP: 0033:0x7fd83dc39e9b

Later the kernel will crash when iput() the inodes and dereferencing
the "sb->s_master_keys", which has been released by the
generic_shutdown_super().

Vulnerable products and versions

CPE                                             From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*                      6.1.56 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.2 (including)   6.5.6 (excluding)
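
A triage check for the version ranges in the table above, added here as an example (it is not part of the advisory or of the kernel fix). It assumes upstream version numbering, so a distribution kernel carrying a backported fix can still be reported as in range; the function names and the sample mount line in the comments are constructed for illustration.

```python
import platform
import re

# Affected ranges copied from the table above: (from_inclusive, up_to_exclusive).
# None means the table gives no lower bound for that row.
AFFECTED_RANGES = [
    (None, (6, 1, 56)),
    ((6, 2, 0), (6, 5, 6)),
]


def parse_release(release):
    """Turn a `uname -r` style string into a (major, minor, patch) tuple.

    Suffixes such as "-rc5-ceph-g72ead199864c" or "-generic" are ignored, so a
    release candidate is compared as its base version.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if m is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(part or 0) for part in m.groups())


def in_affected_range(release):
    """True if the release falls inside one of the advisory's version ranges."""
    version = parse_release(release)
    return any(
        (lower is None or version >= lower) and version < upper
        for lower, upper in AFFECTED_RANGES
    )


def ceph_mounts(proc_mounts_text):
    """Return mount points whose filesystem type is "ceph" (the kernel CephFS client).

    Input is the text of /proc/mounts: device, mount point, fstype, options, ...
    Constructed sample line: "192.0.2.10:6789:/ /mnt/cephfs ceph rw,relatime 0 0"
    """
    fields = (line.split() for line in proc_mounts_text.splitlines())
    return [f[1] for f in fields if len(f) >= 3 and f[2] == "ceph"]


if __name__ == "__main__":
    release = platform.release()
    with open("/proc/mounts", encoding="utf-8") as fh:
        mounts = ceph_mounts(fh.read())
    print(f"kernel {release}: in advisory range = {in_affected_range(release)}")
    print(f"CephFS kernel mounts: {mounts or 'none'}")
```

A host is worth a closer look only when both results are positive, since the problem described occurs while unmounting a CephFS kernel mount.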