CVE-2026-43053

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfs: close crash window in attr dabtree inactivation<br /> <br /> When inactivating an inode with node-format extended attributes,<br /> xfs_attr3_node_inactive() invalidates all child leaf/node blocks via<br /> xfs_trans_binval(), but intentionally does not remove the corresponding<br /> entries from their parent node blocks. The implicit assumption is that<br /> xfs_attr_inactive() will truncate the entire attr fork to zero extents<br /> afterwards, so log recovery will never reach the root node and follow<br /> those stale pointers.<br /> <br /> However, if a log shutdown occurs after the leaf/node block cancellations<br /> commit but before the attr bmap truncation commits, this assumption<br /> breaks. Recovery replays the attr bmap intact (the inode still has<br /> attr fork extents), but suppresses replay of all cancelled leaf/node<br /> blocks, maybe leaving them as stale data on disk. On the next mount,<br /> xlog_recover_process_iunlinks() retries inactivation and attempts to<br /> read the root node via the attr bmap. If the root node was not replayed,<br /> reading the unreplayed root block triggers a metadata verification<br /> failure immediately; if it was replayed, following its child pointers<br /> to unreplayed child blocks triggers the same failure:<br /> <br /> XFS (pmem0): Metadata corruption detected at<br /> xfs_da3_node_read_verify+0x53/0x220, xfs_da3_node block 0x78<br /> XFS (pmem0): Unmount and run xfs_repair<br /> XFS (pmem0): First 128 bytes of corrupted metadata buffer:<br /> 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> 00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> 00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> XFS (pmem0): metadata I/O error in "xfs_da_read_buf+0x104/0x190" at daddr 0x78 len 8 error 117<br /> <br /> Fix this in two places:<br /> <br /> In xfs_attr3_node_inactive(), after calling xfs_trans_binval() on a<br /> child block, immediately remove the entry that references it from the<br /> parent node in the same transaction. This eliminates the window where<br /> the parent holds a pointer to a cancelled block. Once all children are<br /> removed, the now-empty root node is converted to a leaf block within the<br /> same transaction. This node-to-leaf conversion is necessary for crash<br /> safety. If the system shutdown after the empty node is written to the<br /> log but before the second-phase bmap truncation commits, log recovery<br /> will attempt to verify the root block on disk. xfs_da3_node_verify()<br /> does not permit a node block with count == 0; such a block will fail<br /> verification and trigger a metadata corruption shutdown. on the other<br /> hand, leaf blocks are allowed to have this transient state.<br /> <br /> In xfs_attr_inactive(), split the attr fork truncation into two explicit<br /> phases. First, truncate all extents beyond the root block (the child<br /> extents whose parent references have already been removed above).<br /> Second, invalidate the root block and truncate the attr bmap to zero in<br /> a single transaction. The two operations in the second phase must be<br /> atomic: as long as the attr bmap has any non-zero length, recovery can<br /> follow it to the root block, so the root block invalidation must commit<br /> together with the bmap-to-zero truncation.