CVE-2023-52982

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 27/03/2025
Last modified: 28/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

fscache: Use wait_on_bit() to wait for the freeing of relinquished volume

The freeing of a relinquished volume will wake up the pending volume acquisition by using wake_up_bit(); however, it is mismatched with the wait_var_event() used in fscache_wait_on_volume_collision() and it will never wake up the waiter in the wait-queue, because these two functions operate on different wait-queues.

According to the implementation in fscache_wait_on_volume_collision(), if the wake-up of the pending acquisition is delayed longer than 20 seconds (e.g., due to the delay of on-demand fd closing), the first wait_var_event_timeout() will time out and the following wait_var_event() will hang forever, as shown below:

FS-Cache: Potential volume collision new=00000024 old=00000022
......
INFO: task mount:1148 blocked for more than 122 seconds.
Not tainted 6.1.0-rc6+ #1
task:mount state:D stack:0 pid:1148 ppid:1
Call Trace:

__schedule+0x2f6/0xb80
schedule+0x67/0xe0
fscache_wait_on_volume_collision.cold+0x80/0x82
__fscache_acquire_volume+0x40d/0x4e0
erofs_fscache_register_volume+0x51/0xe0 [erofs]
erofs_fscache_register_fs+0x19c/0x240 [erofs]
erofs_fc_fill_super+0x746/0xaf0 [erofs]
vfs_get_super+0x7d/0x100
get_tree_nodev+0x16/0x20
erofs_fc_get_tree+0x20/0x30 [erofs]
vfs_get_tree+0x24/0xb0
path_mount+0x2fa/0xa90
do_mount+0x7c/0xa0
__x64_sys_mount+0x8b/0xe0
do_syscall_64+0x30/0x60
entry_SYSCALL_64_after_hwframe+0x46/0xb0

Considering that wake_up_bit() is more selective, fix it by using wait_on_bit() instead of wait_var_event() to wait for the freeing of the relinquished volume.

In addition, because waitqueue_active() is used in wake_up_bit() and clear_bit() doesn't imply any memory barrier, use clear_and_wake_up_bit() to add the missing memory barrier between cursor->flags and waitqueue_active().

Vulnerable products and versions

CPE                                              From (version)     Up to (version)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.17 (including)   6.1.11 (excluding)
cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc6:*:*:*:*:*:*