Linux kernel
cpe:2.3:o:kernel:linux_kernel:*:*:*:*:*:*:*
A vulnerability has been identified in the Ceph module of the Linux kernel, specifically related to the handling of the i_nlink counter during asynchronous unlink operations. The issue arises because the i_nlink counter is decremented before the unlink operation is confirmed to have succeeded. This can create a race condition, particularly when other clients are also deleting files or when the completion of the unlink operation is processed by a worker thread. As a result, the i_nlink counter can be incorrectly reduced to a negative value, triggering a warning. The vulnerability has been observed in Linux kernel version 6.14.11-cm4all1-ampere.
Exploitation of this vulnerability can lead to an incorrect i_nlink counter value, causing potential issues with file deletion operations in Ceph.
The vulnerability can be reproduced by forcing an asynchronous unlink operation. After submitting the unlink request to the Ceph Metadata Server (MDS), a delay can be introduced to allow a worker thread to process the completion before the i_nlink counter is decremented. This will result in the i_nlink value being zero at the time of the decrement, causing an underrun.
The vulnerability has been addressed by modifying the unlink operation to check if the i_nlink counter is already zero before attempting to decrement it. This change ensures that the counter is not incorrectly reduced, preventing the underrun issue.
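The ordering problem and the zero check described above, as a user-space C model added here for illustration (it is not the kernel's Ceph code). The names `model_inode`, `apply_completion`, `local_drop` and `simulate_unlink` are hypothetical, the counter is a signed int so the underrun shows up as -1, and the completion is assumed to set the link count to zero.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model of the ordering problem; not kernel code. */
struct model_inode {
    int nlink;     /* stands in for i_nlink; signed so an underrun shows as -1 */
    int warnings;  /* counts decrements attempted while the counter was zero */
};

enum order { DECREMENT_FIRST, COMPLETION_FIRST };

/* Worker-side completion: adopt the link count carried by the reply (assumed). */
static void apply_completion(struct model_inode *in, int mds_nlink)
{
    in->nlink = mds_nlink;
}

/* Client-side decrement. With guarded == false it always decrements. */
static void local_drop(struct model_inode *in, bool guarded)
{
    if (in->nlink == 0) {
        if (guarded)
            return;          /* already zero: nothing left to drop */
        in->warnings++;      /* the unguarded path underruns here */
    }
    in->nlink--;
}

/* Unlink the last link of a file under the given interleaving. */
struct model_inode simulate_unlink(enum order o, bool guarded)
{
    struct model_inode in = { .nlink = 1, .warnings = 0 };
    if (o == COMPLETION_FIRST) {
        apply_completion(&in, 0);   /* worker finishes before the decrement */
        local_drop(&in, guarded);
    } else {
        local_drop(&in, guarded);
        apply_completion(&in, 0);
    }
    return in;
}

int main(void)
{
    for (int i = 0; i < 4; i++) {
        struct model_inode r = simulate_unlink((enum order)(i & 1), i >> 1);
        printf("guarded=%d order=%d nlink=%d warnings=%d\n", i >> 1, i & 1, r.nlink, r.warnings);
    }
    return 0;
}
```

Only the completion-first ordering with the unguarded decrement leaves the counter below zero; the guarded variant ends at zero in both orderings.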