CVE-2024-27036

cifs writeback doesn't correctly handle the case where cifsextendwriteback() hits a point where it is considering an additional folio, but this would overrun the wsize - at which point it drops out of the xarray scanning loop and calls xaspause(). The problem is that xaspause() advances the loop counter - thereby skipping that page.

What needs to happen is for xas_reset() to be called any time we decide we don't want to process the page we're looking at, but rather send the request we are building and start a new one.

Fix this by copying and adapting the netfslib writepages code as a temporary measure, with cifs writeback intending to be offloaded to netfslib in the near future.

This also fixes the issue with the use of filemapgetfolios_tag() causing retry of a bunch of pages which the extender already dealt with.

This can be tested by creating, say, a 64K file somewhere not on cifs (otherwise copy-offload may get underfoot), mounting a cifs share with a wsize of 64000, copying the file to it and then comparing the original file and the copy:

    dd if=/dev/urandom of=/tmp/64K bs=64k count=1
    mount //192.168.6.1/test /mnt -o user=...,pass=...,wsize=64000
    cp /tmp/64K /mnt/64K
    cmp /tmp/64K /mnt/64K

Without the fix, the cmp fails at position 64000 (or shortly thereafter).

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/27xxx/CVE-2024-27036.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

d08089f649a0cfb2099c8551ac47eef0cc23fdf2

Fixed

e45deec35bf7f1f4f992a707b2d04a8c162f2240

Fixed

65f2ced695982ccd516196d0a9447d85dbe2eed5

Fixed

844b4e132f57f1333dc79feaa035075a096762e4

Fixed

f3dc1bdb6b0b0693562c7c54a6c28bafa608ba3c

Affected versions

v6.*

v6.3

v6.3-rc1

v6.3-rc2

v6.3-rc3

v6.3-rc4

v6.3-rc5

v6.3-rc6

v6.3-rc7

v6.4

v6.4-rc1

v6.4-rc2

v6.4-rc3

v6.4-rc4

v6.4-rc5

v6.4-rc6

v6.4-rc7

v6.5

v6.5-rc1

v6.5-rc2

v6.5-rc3

v6.5-rc4

v6.5-rc5

v6.5-rc6

v6.5-rc7

v6.6

v6.6-rc1

v6.6-rc2

v6.6-rc3

v6.6-rc4

v6.6-rc5

v6.6-rc6

v6.6-rc7

v6.6.1

v6.6.10

v6.6.11

v6.6.12

v6.6.13

v6.6.14

v6.6.15

v6.6.16

v6.6.17

v6.6.18

v6.6.19

v6.6.2

v6.6.20

v6.6.21

v6.6.22

v6.6.3

v6.6.4

v6.6.5

v6.6.6

v6.6.7

v6.6.8

v6.6.9

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.7.1

v6.7.10

v6.7.2

v6.7.3

v6.7.4

v6.7.5

v6.7.6

v6.7.7

v6.7.8

v6.7.9

v6.8

v6.8-rc1

v6.8-rc2

v6.8-rc3

v6.8-rc4

v6.8-rc5

v6.8-rc6

v6.8-rc7

v6.8.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-27036.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.3.0

Fixed

6.6.23

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.7.11

Type: ECOSYSTEM
Events: Introduced

6.8.0

Fixed

6.8.2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-27036.json"