Description
In the Linux kernel, the following vulnerability has been resolved:

ceph: do not propagate page array emplacement errors as batch errors

When fscrypt is enabled, move_dirty_folio_in_page_array() may fail
because it needs to allocate bounce buffers to store the encrypted
versions of each folio. Each folio beyond the first allocates its bounce
buffer with GFP_NOWAIT. Failures are common (and expected) under this
allocation mode; they should flush (not abort) the batch.

However, ceph_process_folio_batch() uses the same `rc` variable for its
own return code and for capturing the return codes of its routine calls;
failing to reset `rc` back to 0 results in the error being propagated
out to the main writeback loop, which cannot actually tolerate any
errors here: once `ceph_wbc.pages` is allocated, it must be passed to
ceph_submit_write() to be freed. If it survives until the next iteration
(e.g. due to the goto being followed), ceph_allocate_page_array()'s
BUG_ON() will oops the worker.

Note that this failure mode is currently masked due to another bug
(addressed next in this series) that prevents multiple encrypted folios
from being selected for the same write.

For now, just reset `rc` when redirtying the folio to prevent errors in
move_dirty_folio_in_page_array() from propagating. Note that
move_dirty_folio_in_page_array() is careful never to return errors on
the first folio, so there is no need to check for that. After this
change, ceph_process_folio_batch() no longer returns errors; its only
remaining failure indicator is `locked_pages == 0`, which the caller
already handles correctly.
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

During normal writeback, Ceph’s move_dirty_folio_in_page_array() may fail to allocate bounce buffers for encrypted folios. The function ceph_process_folio_batch() reuses its return code variable without resetting it, so a failure propagates to the main kernel writeback loop. The loop cannot tolerate such errors, and the unhandled failure eventually triggers an unexpected kernel panic, terminating the system. While the kernel crash is not the only effect, this results in a denial of service by rendering the affected node inoperable. The description confirms that the error propagates into ceph_wbc.pages handling and can lead to an oops when ceph_allocate_page_array() encounters a bug.

Affected Systems

All Linux kernel builds that include the Ceph writeback code with fscrypt support are potentially vulnerable. The advisory does not list specific version ranges, so any distribution that ships a Ceph module with file‑system encryption enabled should be considered at risk until the patch is applied. The precise affected releases are not specified in the provided data, therefore administrators should review the kernel version they are running against upstream commit c0d84c7 (or the Git reference in the advisory) to determine if the fix is present.

Risk and Exploitability

The CVSS score is 5.5, indicating moderate severity. The EPSS score is less than 1%, indicating a very low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. To date, there are no documented exploitation incidents. However, the documented crash during normal write operations indicates a high impact if the flaw triggers. The likely attack vector involves triggering Ceph writes that use encryption; an attacker could achieve this remotely if a Ceph client is compromised, or locally if a user has write access to the mounted filesystem. This inference is based on the context that the problem arises in Ceph write operations with fscrypt, so any entity able to effect a write could potentially trigger the failure.

Generated by OpenCVE AI on May 12, 2026 at 01:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that contains the fix for this command; check the release notes for the Ceph module patch or the upstream commit that resets the rc variable.
  • If no update is available, manually apply the upstream patch that resets the rc variable in ceph_process_folio_batch() to prevent error propagation.
  • As a temporary workaround, disable Ceph writes that use fscrypt encryption or disable fscrypt on the affected volumes until the fix is applied.
  • Monitor /var/log/kern.log or dmesg for kernel oops messages related to Ceph and isolate processes that generate frequent writes to mitigate intermittent crashes.

Generated by OpenCVE AI on May 12, 2026 at 01:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 00:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-703
CWE-754

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
References

Wed, 06 May 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-703
CWE-754

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ceph: do not propagate page array emplacement errors as batch errors When fscrypt is enabled, move_dirty_folio_in_page_array() may fail because it needs to allocate bounce buffers to store the encrypted versions of each folio. Each folio beyond the first allocates its bounce buffer with GFP_NOWAIT. Failures are common (and expected) under this allocation mode; they should flush (not abort) the batch. However, ceph_process_folio_batch() uses the same `rc` variable for its own return code and for capturing the return codes of its routine calls; failing to reset `rc` back to 0 results in the error being propagated out to the main writeback loop, which cannot actually tolerate any errors here: once `ceph_wbc.pages` is allocated, it must be passed to ceph_submit_write() to be freed. If it survives until the next iteration (e.g. due to the goto being followed), ceph_allocate_page_array()'s BUG_ON() will oops the worker. Note that this failure mode is currently masked due to another bug (addressed next in this series) that prevents multiple encrypted folios from being selected for the same write. For now, just reset `rc` when redirtying the folio to prevent errors in move_dirty_folio_in_page_array() from propagating. Note that move_dirty_folio_in_page_array() is careful never to return errors on the first folio, so there is no need to check for that. After this change, ceph_process_folio_batch() no longer returns errors; its only remaining failure indicator is `locked_pages == 0`, which the caller already handles correctly.
Title ceph: do not propagate page array emplacement errors as batch errors
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:19:32.944Z

Reserved: 2026-05-01T14:12:55.991Z

Link: CVE-2026-43188

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T12:16:37.600

Modified: 2026-05-11T20:38:38.500

Link: CVE-2026-43188

cve-icon Redhat

Severity :

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43188 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T01:30:04Z

Weaknesses