In the Linux kernel, the following vulnerability has been resolved:
libceph: make calc_target() set t->paused, not just clear it
Currently calc_target() clears t->paused if the request shouldn't be paused anymore, but doesn't ever set t->paused even though it's able to determine when the request should be paused. Setting t->paused is left to __submit_request() which is fine for regular requests but doesn't work for linger requests -- since __submit_request() doesn't operate on linger requests, there is nowhere for lreq->t.paused to be set. One consequence of this is that watches don't get reestablished on paused -> unpaused transitions in cases where requests have been paused long enough for the (paused) unwatch request to time out and for the subsequent (re)watch request to enter the paused state. On top of the watch not getting reestablished, rbd_reregister_watch() gets stuck with rbd_dev->watch_mutex held:
  rbd_register_watch
    __rbd_register_watch
      ceph_osdc_watch
        linger_reg_commit_wait
It's waiting for lreq->reg_commit_wait to be completed, but for that to happen the respective request needs to end up on need_resend_linger list and be kicked when requests are unpaused. There is no chance for that if the request in question is never marked paused in the first place.
The fact that rbd_dev->watch_mutex remains taken out forever then prevents the image from getting unmapped -- "rbd unmap" would inevitably hang in D state on an attempt to grab the mutex.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23047.json",
"cna_assigner": "Linux"
}