CVE-2024-56755 - Linux Kernel netfs/fscache Race Condition: Memory Barrier Fix & Exploit Analysis

In June 2024, a subtle but potentially serious bug was fixed in the Linux kernel’s FS-Cache (fscache) sub-system, specifically relating to the handling of volumes and memory barriers during concurrent cache operations. This issue is now tracked as CVE-2024-56755. It could cause stuck processes or, in rare cases, create a denial-of-service risk if not patched. This post breaks down what was wrong, how it can be triggered, how it was fixed, and why it matters, with simple explanations and snippets from the kernel code.

What is FS-Cache (fscache)?

FS-Cache is a Linux kernel feature that accelerates network and remote filesystems (like NFS or AFS) by caching their data on local disk. Multiple processes or "cookies" might try to access or initialize the same cache volume simultaneously. How concurrency is managed is critical for system reliability.

The Root of the Problem

When two or more processes (or kernel "cookies") try to look up and potentially create the same cache volume concurrently, a synchronization flag, FSCACHE_VOLUME_CREATING, is used to ensure just one initialization occurs.

cookie1 gets there first, sets a “creating” flag, and starts the process.

- cookie2 checks the flag and sees it’s set, so it goes into a wait loop, expecting to be woken up when the work is done.

The problem? The memory ordering between clearing this 'creating' flag and waking up waiting processes was not enforced. Without an explicit memory barrier, the kernel might wake up cookie2 before the bit is actually cleared, causing cookie2 to resume while still thinking someone else is working, and it might enter an indefinite wait.

Here’s a simplified version of the vulnerable code, before the patch

/* BAD: Missing barrier! */
clear_bit(FSCACHE_VOLUME_CREATING, &volume->flags);
wake_up_bit(&volume->flags, FSCACHE_VOLUME_CREATING);

This seems straightforward—first it clears the 'creating' flag, then wakes up anybody waiting. But because the Linux kernel (like most modern OSes) can reorder memory operations on multi-core CPUs, there’s no guarantee, without an explicit barrier, that other cores will *see* the bit as cleared before the wake happens.

In Practice

If cookie2 wakes up before the bit is actually cleared, it will check, see the flag is still set, and go back to sleep... possibly forever. This bears all the hallmarks of a classic deadlock.

The Exploit Scenario

While exploiting this bug doesn’t directly lead to privilege escalation or arbitrary code execution, it does have a security impact. Here’s how a malicious user could exploit it:

- Write a userspace program (or multiple) that repeatedly triggers cache volume lookups for the same volume, maximizing race conditions.
- If the timing hits the edge case, this could wedge kernel threads into indefinite sleep, reducing the system’s ability to service cache requests—effectively causing a denial of service (DoS).
- In environments with heavy remote filesystem use (like NFS in large clusters), this could badly impact availability.

Exploit PoC (Pseudo-Code)

// Simulate concurrent volume lookup stress
#include <pthread.h>
#define THREADS 20

void* volume_lookup(void* arg) {
    while (1) {
        // open("some-nfs-volume") or similar
    }
}

int main() {
    pthread_t threads[THREADS];
    for(int i = ; i < THREADS; ++i)
        pthread_create(&threads[i], NULL, volume_lookup, NULL);

    for(int i = ; i < THREADS; ++i)
        pthread_join(threads[i], NULL);
    return ;
}

This stress could, with poor luck, trigger stuck kernel workers.

The Fix

To address this, the kernel maintainers replaced the two calls with a single atomic helper: clear_and_wake_up_bit(). This function ensures proper memory barriers—so the bit really *does* get cleared before anyone is woken up.

Patched Code

// Good: atomic & barriered version
clear_and_wake_up_bit(FSCACHE_VOLUME_CREATING, &volume->flags);

This ensures any process waiting on the flag will never wake up and find the bit uncleared.

Full Patch Reference

- Original patch commit
- Linux kernel CVE page
- Discussion and code details

Simple Summary: What Should You Do?

- Update your Linux kernel: If you use network filesystems and FS-Cache, make sure your distro includes this fix (kernel 6.10+ or backported to your LTS).
- Watch for deadlocks: If you see kernel threads stuck in fscache-related waits, you may be affected.
- No direct data leak/privilege escalation, but DoS is possible.

Conclusion

CVE-2024-56755 is a great example of how low-level details like memory barriers can create real bugs even in mature projects like the Linux kernel. If your workloads depend on FS-Cache, it’s very wise to patch ASAP!

If you’re interested in more details, check out the official commit diff and Linux FS-Cache documentation.

References

- Git Kernel Commit Fix
- CVE-2024-56755 (Mitre)
- FS-Cache Documentation

Timeline

Published on: 12/29/2024 12:15:09 UTC
Last modified on: 01/06/2025 20:26:39 UTC