CVE-2024-26696 in Linux
Summary
by MITRE • 04/03/2024
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()
Syzbot reported a hang issue in migrate_pages_batch() called by mbind() and nilfs_lookup_dirty_data_buffers() called in the log writer of nilfs2.
While migrate_pages_batch() locks a folio and waits for the writeback to complete, the log writer thread that should bring the writeback to completion picks up the folio being written back in nilfs_lookup_dirty_data_buffers() that it calls for subsequent log creation and was trying to lock the folio. Thus causing a deadlock.
In the first place, it is unexpected that folios/pages in the middle of writeback will be updated and become dirty. Nilfs2 adds a checksum to verify the validity of the log being written and uses it for recovery at mount, so data changes during writeback are suppressed. Since this is broken, an unclean shutdown could potentially cause recovery to fail.
Investigation revealed that the root cause is that the wait for writeback completion in nilfs_page_mkwrite() is conditional, and if the backing device does not require stable writes, data may be modified without waiting.
Fix these issues by making nilfs_page_mkwrite() wait for writeback to finish regardless of the stable write requirement of the backing device.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 08/03/2025
The vulnerability identified as CVE-2024-26696 represents a critical deadlock condition within the Linux kernel's nilfs2 (New Implementation of Log-structured File System 2) subsystem. This issue manifests as a system hang during concurrent memory management operations involving page migration and log writing processes. The flaw occurs when the migrate_pages_batch() function attempts to lock a folio while waiting for writeback completion, simultaneously while the nilfs2 log writer thread tries to acquire the same folio lock during nilfs_lookup_dirty_data_buffers() execution. This circular dependency creates an irrecoverable deadlock state that can bring system operations to a complete halt.
The technical root cause stems from improper handling of writeback completion in the nilfs_page_mkwrite() function which implements conditional waiting behavior based on backing device stable write requirements. When a device does not require stable writes, the function fails to wait for writeback completion before allowing data modifications, creating a race condition where folios in the midst of writeback operations can become dirtied and subsequently locked by competing threads. This design flaw directly violates the fundamental principle of atomic operations and proper resource synchronization in concurrent systems. The vulnerability is categorized under CWE-367 as a Time-of-Check to Time-of-Use (TOCTOU) race condition, where the system state changes between the time a resource is checked for availability and when it is actually accessed.
The operational impact of this vulnerability extends beyond simple system hangs to potentially compromise data integrity and recovery mechanisms within the nilfs2 file system. When writeback operations are prematurely terminated or bypassed due to conditional waiting logic, the checksum verification mechanism that nilfs2 employs for log validation becomes ineffective. This can lead to inconsistent recovery states during system boot following an unclean shutdown, where the file system's ability to reconstruct data from log entries is fundamentally compromised. The vulnerability affects systems utilizing nilfs2 file systems and can be triggered through memory management operations involving mbind() and migrate_pages_batch() system calls, making it particularly dangerous in high-concurrency environments where memory migration is common.
Mitigation strategies for this vulnerability require immediate kernel updates to implement unconditional writeback completion waits in the nilfs_page_mkwrite() function, ensuring that all data modifications occur only after writeback operations are fully completed regardless of device characteristics. System administrators should prioritize patching affected kernel versions and monitoring for potential deadlock conditions in systems running nilfs2 file systems. The fix aligns with ATT&CK technique T1484.001 (Create or Modify System Process) by addressing improper system-level resource management. Organizations should also implement monitoring for memory management operations and consider implementing additional safeguards for systems where nilfs2 is in use, particularly those handling critical data where recovery integrity is paramount.