CVE-2026-23047

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libceph: make calc_target() set t-&gt;paused, not just clear it<br /> <br /> Currently calc_target() clears t-&gt;paused if the request shouldn&amp;#39;t be<br /> paused anymore, but doesn&amp;#39;t ever set t-&gt;paused even though it&amp;#39;s able to<br /> determine when the request should be paused. Setting t-&gt;paused is left<br /> to __submit_request() which is fine for regular requests but doesn&amp;#39;t<br /> work for linger requests -- since __submit_request() doesn&amp;#39;t operate<br /> on linger requests, there is nowhere for lreq-&gt;t.paused to be set.<br /> One consequence of this is that watches don&amp;#39;t get reestablished on<br /> paused -&gt; unpaused transitions in cases where requests have been paused<br /> long enough for the (paused) unwatch request to time out and for the<br /> subsequent (re)watch request to enter the paused state. On top of the<br /> watch not getting reestablished, rbd_reregister_watch() gets stuck with<br /> rbd_dev-&gt;watch_mutex held:<br /> <br /> rbd_register_watch<br /> __rbd_register_watch<br /> ceph_osdc_watch<br /> linger_reg_commit_wait<br /> <br /> It&amp;#39;s waiting for lreq-&gt;reg_commit_wait to be completed, but for that to<br /> happen the respective request needs to end up on need_resend_linger list<br /> and be kicked when requests are unpaused. There is no chance for that<br /> if the request in question is never marked paused in the first place.<br /> <br /> The fact that rbd_dev-&gt;watch_mutex remains taken out forever then<br /> prevents the image from getting unmapped -- "rbd unmap" would inevitably<br /> hang in D state on an attempt to grab the mutex.