CVE-2026-43188
Description
In the Linux kernel, the following vulnerability has been resolved:
ceph: do not propagate page array emplacement errors as batch errors
When fscrypt is enabled, move_dirty_folio_in_page_array() may fail because it needs to allocate bounce buffers to store the encrypted versions of each folio. Each folio beyond the first allocates its bounce buffer with GFP_NOWAIT. Failures are common (and expected) under this allocation mode; they should flush (not abort) the batch.
However, ceph_process_folio_batch() uses the same rc variable for its own return code and for capturing the return codes of its routine calls; failing to reset rc back to 0 results in the error being propagated out to the main writeback loop, which cannot actually tolerate any errors here: once ceph_wbc.pages is allocated, it must be passed to ceph_submit_write() to be freed. If it survives until the next iteration (e.g. due to the goto being followed), ceph_allocate_page_array()'s BUG_ON() will oops the worker.
Note that this failure mode is currently masked due to another bug (addressed next in this series) that prevents multiple encrypted folios from being selected for the same write.
For now, just reset rc when redirtying the folio to prevent errors in move_dirty_folio_in_page_array() from propagating. Note that move_dirty_folio_in_page_array() is careful never to return errors on the first folio, so there is no need to check for that. After this change, ceph_process_folio_batch() no longer returns errors; its only remaining failure indicator is locked_pages == 0, which the caller already handles correctly.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, a Ceph writeback bug causes kernel panic when fscrypt is enabled due to improper error handling of bounce buffer allocation failures.
Description
In the Linux kernel's Ceph filesystem, when fscrypt is enabled, the function move_dirty_folio_in_page_array() may fail while allocating bounce buffers for encrypted folios using GFP_NOWAIT. Each folio beyond the first attempts allocation without waiting, and failures are expected. However, ceph_process_folio_batch() reuses the same rc variable for its own return code and for capturing return values from its routine calls. If an error occurs on a later folio, the rc is not reset to 0, causing the error to propagate to the main writeback loop.
Exploitation
An attacker with the ability to trigger writeback of encrypted dirty folios on a Ceph filesystem could exploit this. No special privileges beyond write access are required. The system must have fscrypt enabled on the filesystem. The flaw can be triggered during normal writeback operations when multiple encrypted folios are being written, though a separate bug currently masks this failure mode.
Impact
If the error propagates, the writeback loop cannot handle errors, and the allocated ceph_wbc.pages structure may survive to the next iteration, causing a BUG_ON() in ceph_allocate_page_array() that leads to a kernel panic (oops). This results in a denial of service (system crash).
Mitigation
The fix resets the rc variable to 0 when redirtying the folio, preventing error propagation. The commit is identified as 4c0d84c788d89c167abf0bf84fd37890c4c84f08 [1] and included in the stable kernel updates. Users should apply the latest kernel patches from their distribution.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3News mentions
0No linked articles in our index yet.