CVE-2024-40943: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix races between hole punching and AIO+DIO After commit "ocfs2: return real error code in ocfs2_dio_wr_get_block", fstests/generic/300 become from always failed to sometimes failed: ======================================================================== [ 473.293420 ] run fstests generic/300 [ 475.296983 ] JBD2: Ignoring recovery information on journal [ 475.302473 ] ocfs2: Mounting device (253,1) on (node local, slot 0) with ordered data mode. [ 494.290998 ] OCFS2: ERROR (device dm-1): ocfs2_change_extent_flag: Owner 5668 has an extent at cpos 78723 which can no longer be found [ 494.291609 ] On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted. [ 494.292018 ] OCFS2: File system is now read-only. [ 494.292224 ] (kworker/19:11,2628,19):ocfs2_mark_extent_written:5272 ERROR: status = -30 [ 494.292602 ] (kworker/19:11,2628,19):ocfs2_dio_end_io_write:2374 ERROR: status = -3 fio: io_u error on file /mnt/scratch/racer: Read-only file system: write offset=460849152, buflen=131072 ========================================================================= In __blockdev_direct_IO, ocfs2_dio_wr_get_block is called to add unwritten extents to a list. extents are also inserted into extent tree in ocfs2_write_begin_nolock. Then another thread call fallocate to puch a hole at one of the unwritten extent. The extent at cpos was removed by ocfs2_remove_extent(). At end io worker thread, ocfs2_search_extent_list found there is no such extent at the cpos. T1 T2 T3 inode lock ... insert extents ... inode unlock ocfs2_fallocate __ocfs2_change_file_space inode lock lock ip_alloc_sem ocfs2_remove_inode_range inode ocfs2_remove_btree_range ocfs2_remove_extent ^---remove the extent at cpos 78723 ... unlock ip_alloc_sem inode unlock ocfs2_dio_end_io ocfs2_dio_end_io_write lock ip_alloc_sem ocfs2_mark_extent_written ocfs2_change_extent_flag ocfs2_search_extent_list ^---failed to find extent ... unlock ip_alloc_sem In most filesystems, fallocate is not compatible with racing with AIO+DIO, so fix it by adding to wait for all dio before fallocate/punch_hole like ext4.
AI Analysis
Technical Summary
CVE-2024-40943 is a concurrency vulnerability in the Linux kernel's OCFS2 (Oracle Cluster File System version 2) filesystem driver. The issue arises from a race condition between asynchronous direct I/O (AIO+DIO) operations and the fallocate system call, specifically when fallocate is used to punch holes (deallocate space) in files. The vulnerability occurs because the OCFS2 filesystem manages file extents (contiguous blocks of storage) in multiple data structures concurrently. When a fallocate call attempts to remove an extent (via ocfs2_remove_extent) while an asynchronous direct I/O write operation is still in progress and managing the same extent, the extent can be removed from the extent tree but still referenced by the I/O completion routines. This leads to a situation where the ocfs2_search_extent_list function cannot find the expected extent during I/O completion, causing on-disk corruption, filesystem errors, and the filesystem being remounted as read-only to prevent further damage. The root cause is a lack of proper synchronization between the fallocate operation and ongoing direct I/O writes, which is not unique to OCFS2 but is addressed here by adding waits to ensure all direct I/O completes before fallocate proceeds. The vulnerability was identified through filesystem tests (fstests/generic/300) that previously always failed and now sometimes fail, indicating intermittent race conditions. The impact manifests as data corruption and loss of write capability on affected OCFS2 filesystems until repaired with fsck.ocfs2. This vulnerability affects Linux kernel versions containing the specified commit b25801038da5823bba1b5440a57ca68afc51b6bd and likely other versions using OCFS2 with asynchronous direct I/O and fallocate support. No known exploits are reported in the wild as of publication.
Potential Impact
For European organizations, the impact of CVE-2024-40943 can be significant in environments using OCFS2, particularly in clustered or high-availability Linux systems where OCFS2 is deployed for shared storage. The vulnerability can lead to silent data corruption, unexpected filesystem errors, and forced remounts to read-only mode, resulting in application downtime and potential data loss. This can disrupt critical services relying on shared storage, such as databases, virtualization hosts, or enterprise file servers. Recovery requires filesystem checks and potential data restoration, increasing operational costs and downtime. Since OCFS2 is less commonly used than other filesystems like ext4 or XFS, the impact is more targeted but severe in affected deployments. European organizations in sectors such as finance, telecommunications, and manufacturing that rely on Linux clusters with OCFS2 may face operational risks. Additionally, the vulnerability could complicate compliance with data integrity and availability requirements under regulations like GDPR if data loss or service disruption occurs.
Mitigation Recommendations
To mitigate CVE-2024-40943, organizations should: 1) Apply the latest Linux kernel updates that include the fix for this race condition, ensuring that the synchronization between fallocate and direct I/O operations in OCFS2 is properly enforced. 2) Audit and identify systems using OCFS2, especially those performing asynchronous direct I/O combined with fallocate or hole punching operations, to prioritize patching. 3) Avoid concurrent use of fallocate hole punching and asynchronous direct I/O on OCFS2 filesystems until patched. 4) Implement monitoring for filesystem errors and remount events to detect early signs of this issue. 5) Regularly back up data on OCFS2 filesystems to enable recovery from corruption. 6) Test filesystem integrity post-patching using tools like fsck.ocfs2 to ensure no latent corruption remains. 7) Consider migrating critical workloads to more widely used and actively maintained filesystems if OCFS2 usage is not mandatory, to reduce exposure to such niche vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
CVE-2024-40943: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix races between hole punching and AIO+DIO After commit "ocfs2: return real error code in ocfs2_dio_wr_get_block", fstests/generic/300 become from always failed to sometimes failed: ======================================================================== [ 473.293420 ] run fstests generic/300 [ 475.296983 ] JBD2: Ignoring recovery information on journal [ 475.302473 ] ocfs2: Mounting device (253,1) on (node local, slot 0) with ordered data mode. [ 494.290998 ] OCFS2: ERROR (device dm-1): ocfs2_change_extent_flag: Owner 5668 has an extent at cpos 78723 which can no longer be found [ 494.291609 ] On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted. [ 494.292018 ] OCFS2: File system is now read-only. [ 494.292224 ] (kworker/19:11,2628,19):ocfs2_mark_extent_written:5272 ERROR: status = -30 [ 494.292602 ] (kworker/19:11,2628,19):ocfs2_dio_end_io_write:2374 ERROR: status = -3 fio: io_u error on file /mnt/scratch/racer: Read-only file system: write offset=460849152, buflen=131072 ========================================================================= In __blockdev_direct_IO, ocfs2_dio_wr_get_block is called to add unwritten extents to a list. extents are also inserted into extent tree in ocfs2_write_begin_nolock. Then another thread call fallocate to puch a hole at one of the unwritten extent. The extent at cpos was removed by ocfs2_remove_extent(). At end io worker thread, ocfs2_search_extent_list found there is no such extent at the cpos. T1 T2 T3 inode lock ... insert extents ... inode unlock ocfs2_fallocate __ocfs2_change_file_space inode lock lock ip_alloc_sem ocfs2_remove_inode_range inode ocfs2_remove_btree_range ocfs2_remove_extent ^---remove the extent at cpos 78723 ... unlock ip_alloc_sem inode unlock ocfs2_dio_end_io ocfs2_dio_end_io_write lock ip_alloc_sem ocfs2_mark_extent_written ocfs2_change_extent_flag ocfs2_search_extent_list ^---failed to find extent ... unlock ip_alloc_sem In most filesystems, fallocate is not compatible with racing with AIO+DIO, so fix it by adding to wait for all dio before fallocate/punch_hole like ext4.
AI-Powered Analysis
Technical Analysis
CVE-2024-40943 is a concurrency vulnerability in the Linux kernel's OCFS2 (Oracle Cluster File System version 2) filesystem driver. The issue arises from a race condition between asynchronous direct I/O (AIO+DIO) operations and the fallocate system call, specifically when fallocate is used to punch holes (deallocate space) in files. The vulnerability occurs because the OCFS2 filesystem manages file extents (contiguous blocks of storage) in multiple data structures concurrently. When a fallocate call attempts to remove an extent (via ocfs2_remove_extent) while an asynchronous direct I/O write operation is still in progress and managing the same extent, the extent can be removed from the extent tree but still referenced by the I/O completion routines. This leads to a situation where the ocfs2_search_extent_list function cannot find the expected extent during I/O completion, causing on-disk corruption, filesystem errors, and the filesystem being remounted as read-only to prevent further damage. The root cause is a lack of proper synchronization between the fallocate operation and ongoing direct I/O writes, which is not unique to OCFS2 but is addressed here by adding waits to ensure all direct I/O completes before fallocate proceeds. The vulnerability was identified through filesystem tests (fstests/generic/300) that previously always failed and now sometimes fail, indicating intermittent race conditions. The impact manifests as data corruption and loss of write capability on affected OCFS2 filesystems until repaired with fsck.ocfs2. This vulnerability affects Linux kernel versions containing the specified commit b25801038da5823bba1b5440a57ca68afc51b6bd and likely other versions using OCFS2 with asynchronous direct I/O and fallocate support. No known exploits are reported in the wild as of publication.
Potential Impact
For European organizations, the impact of CVE-2024-40943 can be significant in environments using OCFS2, particularly in clustered or high-availability Linux systems where OCFS2 is deployed for shared storage. The vulnerability can lead to silent data corruption, unexpected filesystem errors, and forced remounts to read-only mode, resulting in application downtime and potential data loss. This can disrupt critical services relying on shared storage, such as databases, virtualization hosts, or enterprise file servers. Recovery requires filesystem checks and potential data restoration, increasing operational costs and downtime. Since OCFS2 is less commonly used than other filesystems like ext4 or XFS, the impact is more targeted but severe in affected deployments. European organizations in sectors such as finance, telecommunications, and manufacturing that rely on Linux clusters with OCFS2 may face operational risks. Additionally, the vulnerability could complicate compliance with data integrity and availability requirements under regulations like GDPR if data loss or service disruption occurs.
Mitigation Recommendations
To mitigate CVE-2024-40943, organizations should: 1) Apply the latest Linux kernel updates that include the fix for this race condition, ensuring that the synchronization between fallocate and direct I/O operations in OCFS2 is properly enforced. 2) Audit and identify systems using OCFS2, especially those performing asynchronous direct I/O combined with fallocate or hole punching operations, to prioritize patching. 3) Avoid concurrent use of fallocate hole punching and asynchronous direct I/O on OCFS2 filesystems until patched. 4) Implement monitoring for filesystem errors and remount events to detect early signs of this issue. 5) Regularly back up data on OCFS2 filesystems to enable recovery from corruption. 6) Test filesystem integrity post-patching using tools like fsck.ocfs2 to ensure no latent corruption remains. 7) Consider migrating critical workloads to more widely used and actively maintained filesystems if OCFS2 usage is not mandatory, to reduce exposure to such niche vulnerabilities.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-07-12T12:17:45.588Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9827c4522896dcbe143e
Added to database: 5/21/2025, 9:08:55 AM
Last enriched: 6/29/2025, 2:26:48 AM
Last updated: 8/11/2025, 2:26:13 AM
Views: 13
Related Threats
CVE-2025-8285: CWE-862: Missing Authorization in Mattermost Mattermost Confluence Plugin
MediumCVE-2025-54525: CWE-1287: Improper Validation of Specified Type of Input in Mattermost Mattermost Confluence Plugin
HighCVE-2025-54478: CWE-306: Missing Authentication for Critical Function in Mattermost Mattermost Confluence Plugin
HighCVE-2025-54463: CWE-754: Improper Check for Unusual or Exceptional Conditions in Mattermost Mattermost Confluence Plugin
MediumCVE-2025-54458: CWE-862: Missing Authorization in Mattermost Mattermost Confluence Plugin
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.