Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A reference leak vulnerability has been identified in the Linux kernel's netfs component. The issue arises because the netfs_alloc_request() function was modified to initialize the reference counter to 2 instead of 1: one reference belongs to the caller and the other is meant to be dropped by the work item that completes the I/O. This works as intended on the normal path, but it leaks if the request is released before the I/O operation is submitted. In that case the error handling path decreases the reference count only once, and because no work item is ever queued for completion, the second reference is never dropped. This flaw has led to server cluster outages, with tasks stuck waiting for I/O operations to finish and deadlocking in Ceph. The underlying cause is fragile reference counting in the netfs code: certain functions allocate requests without submitting I/O, and error paths can fail before the operation completes, leaving references unhandled.
The vulnerability causes a reference leak that can lead to deadlocks in Ceph by blocking tasks in netfs_wait_for_outstanding_io(), disrupting the I/O operation flow and causing tasks to remain in a positive io_count state indefinitely.
The vulnerability can be reproduced by invoking netfs_pgpriv2_begin_copy_to_cache() in a scenario where fscache_begin_write_operation() fails. This sequence will cause a reference leak by leaving the netfs_io_request uncompleted, which in turn blocks the I/O operation and leads to a deadlock in Ceph.
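To make the reference-count arithmetic above concrete, the following is an added, self-contained C model of the two-reference pattern and of the error path that fails before submission; it is an illustration written for this page, not code from the Linux kernel. The `mock_*` names, the `live_requests` counter and the `begin_fails` flag are assumptions standing in for netfs_alloc_request(), the work-item reference and a failing fscache_begin_write_operation(). The buggy flow drops only the caller's reference on error, so the request (and anything waiting on it) is never released; the fixed flow also drops the reference reserved for the work item that will now never run.

```c
/* Added illustration for this page: a mock of netfs-style request
 * refcounting, not the kernel's code. All names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>

/* Mock I/O request: one reference for the caller, one for the
 * completion work item that runs after the I/O finishes. */
struct mock_request {
    int refcount;
    bool io_submitted;
    bool completed;
};

/* Constructed counter standing in for the allocator's accounting,
 * so a test can observe whether a request was ever freed. */
static int live_requests;

static struct mock_request *mock_alloc_request(void)
{
    struct mock_request *rreq = calloc(1, sizeof(*rreq));
    if (!rreq)
        return NULL;
    rreq->refcount = 2;   /* 1 for the caller, 1 for the work item */
    live_requests++;
    return rreq;
}

static void mock_put_request(struct mock_request *rreq)
{
    if (--rreq->refcount == 0) {
        live_requests--;
        free(rreq);
    }
}

/* Completion work item: drops the reference that was reserved for it. */
static void mock_complete(struct mock_request *rreq)
{
    rreq->completed = true;
    mock_put_request(rreq);
}

/* Models fscache_begin_write_operation() succeeding or failing. */
static bool mock_begin_write(bool fail)
{
    return !fail;
}

/* Buggy flow: on error before submission only the caller's reference is
 * dropped, so the request stays alive forever. */
int buggy_copy_to_cache(bool begin_fails)
{
    struct mock_request *rreq = mock_alloc_request();
    if (!rreq)
        return -1;
    if (!mock_begin_write(begin_fails)) {
        mock_put_request(rreq);      /* single put: the leak */
        return -1;
    }
    rreq->io_submitted = true;
    mock_complete(rreq);             /* simulate the I/O finishing */
    mock_put_request(rreq);          /* caller's reference */
    return 0;
}

/* Fixed flow: since no work item will ever run, the error path must
 * also drop the reference that was reserved for it. */
int fixed_copy_to_cache(bool begin_fails)
{
    struct mock_request *rreq = mock_alloc_request();
    if (!rreq)
        return -1;
    if (!mock_begin_write(begin_fails)) {
        mock_put_request(rreq);      /* the work item's reference */
        mock_put_request(rreq);      /* the caller's reference */
        return -1;
    }
    rreq->io_submitted = true;
    mock_complete(rreq);
    mock_put_request(rreq);
    return 0;
}

/* Runs one flow from a clean state and returns how many requests are
 * still alive afterwards; anything other than 0 is a leak. */
int leaked_after(int (*flow)(bool), bool begin_fails)
{
    live_requests = 0;
    flow(begin_fails);
    return live_requests;
}

int main(void)
{
    printf("buggy, begin fails: %d leaked\n", leaked_after(buggy_copy_to_cache, true));
    printf("fixed, begin fails: %d leaked\n", leaked_after(fixed_copy_to_cache, true));
    return 0;
}
```

The point of the mock is the invariant it makes visible: when a request is allocated with a reference owned by a future work item, every path that can return before that work item is queued must drop that reference itself. Running the model shows the buggy error path leaving one request alive while the success path and the fixed error path leave none.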
The vulnerability has been addressed in the Linux kernel. Users can apply the latest patches available in the Linux kernel stable tree to remediate this issue.