CVE-2026-43420

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ceph: fix i_nlink underrun during async unlink<br /> <br /> During async unlink, we drop the `i_nlink` counter before we receive<br /> the completion (that will eventually update the `i_nlink`) because "we<br /> assume that the unlink will succeed". That is not a bad idea, but it<br /> races against deletions by other clients (or against the completion of<br /> our own unlink) and can lead to an underrun which emits a WARNING like<br /> this one:<br /> <br /> WARNING: CPU: 85 PID: 25093 at fs/inode.c:407 drop_nlink+0x50/0x68<br /> Modules linked in:<br /> CPU: 85 UID: 3221252029 PID: 25093 Comm: php-cgi8.1 Not tainted 6.14.11-cm4all1-ampere #655<br /> Hardware name: Supermicro ARS-110M-NR/R12SPD-A, BIOS 1.1b 10/17/2023<br /> pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : drop_nlink+0x50/0x68<br /> lr : ceph_unlink+0x6c4/0x720<br /> sp : ffff80012173bc90<br /> x29: ffff80012173bc90 x28: ffff086d0a45aaf8 x27: ffff0871d0eb5680<br /> x26: ffff087f2a64a718 x25: 0000020000000180 x24: 0000000061c88647<br /> x23: 0000000000000002 x22: ffff07ff9236d800 x21: 0000000000001203<br /> x20: ffff07ff9237b000 x19: ffff088b8296afc0 x18: 00000000f3c93365<br /> x17: 0000000000070000 x16: ffff08faffcbdfe8 x15: ffff08faffcbdfec<br /> x14: 0000000000000000 x13: 45445f65645f3037 x12: 34385f6369706f74<br /> x11: 0000a2653104bb20 x10: ffffd85f26d73290 x9 : ffffd85f25664f94<br /> x8 : 00000000000000c0 x7 : 0000000000000000 x6 : 0000000000000002<br /> x5 : 0000000000000081 x4 : 0000000000000481 x3 : 0000000000000000<br /> x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff08727d3f91e8<br /> Call trace:<br /> drop_nlink+0x50/0x68 (P)<br /> vfs_unlink+0xb0/0x2e8<br /> do_unlinkat+0x204/0x288<br /> __arm64_sys_unlinkat+0x3c/0x80<br /> invoke_syscall.constprop.0+0x54/0xe8<br /> do_el0_svc+0xa4/0xc8<br /> el0_svc+0x18/0x58<br /> el0t_64_sync_handler+0x104/0x130<br /> el0t_64_sync+0x154/0x158<br /> <br /> In ceph_unlink(), a call to ceph_mdsc_submit_request() submits the<br /> CEPH_MDS_OP_UNLINK to the MDS, but does not wait for completion.<br /> <br /> Meanwhile, between this call and the following drop_nlink() call, a<br /> worker thread may process a CEPH_CAP_OP_IMPORT, CEPH_CAP_OP_GRANT or<br /> just a CEPH_MSG_CLIENT_REPLY (the latter of which could be our own<br /> completion). These will lead to a set_nlink() call, updating the<br /> `i_nlink` counter to the value received from the MDS. If that new<br /> `i_nlink` value happens to be zero, it is illegal to decrement it<br /> further. But that is exactly what ceph_unlink() will do then.<br /> <br /> The WARNING can be reproduced this way:<br /> <br /> 1. Force async unlink; only the async code path is affected. Having<br /> no real clue about Ceph internals, I was unable to find out why the<br /> MDS wouldn&amp;#39;t give me the "Fxr" capabilities, so I patched<br /> get_caps_for_async_unlink() to always succeed.<br /> <br /> (Note that the WARNING dump above was found on an unpatched kernel,<br /> without this kludge - this is not a theoretical bug.)<br /> <br /> 2. Add a sleep call after ceph_mdsc_submit_request() so the unlink<br /> completion gets handled by a worker thread before drop_nlink() is<br /> called. This guarantees that the `i_nlink` is already zero before<br /> drop_nlink() runs.<br /> <br /> The solution is to skip the counter decrement when it is already zero,<br /> but doing so without a lock is still racy (TOCTOU). Since<br /> ceph_fill_inode() and handle_cap_grant() both hold the<br /> `ceph_inode_info.i_ceph_lock` spinlock while set_nlink() runs, this<br /> seems like the proper lock to protect the `i_nlink` updates.<br /> <br /> I found prior art in NFS and SMB (using `inode.i_lock`) and AFS (using<br /> `afs_vnode.cb_lock`). All three have the zero check as well.