CVE-2024-53052

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
19/11/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

io_uring/rw: fix missing NOWAIT check for O_DIRECT start write

When io_uring starts a write, it'll call kiocb_start_write() to bump the super block rwsem, preventing any freezes from happening while that write is in-flight. The freeze side will grab that rwsem for writing, excluding any new writers from happening and waiting for existing writes to finish. But io_uring unconditionally uses kiocb_start_write(), which will block if someone is currently attempting to freeze the mount point. This causes a deadlock where freeze is waiting for previous writes to complete, but the previous writes cannot complete, as the task that is supposed to complete them is blocked waiting on starting a new write. This results in the following stuck trace showing that dependency with the write blocked starting a new write:

task:fio state:D stack:0 pid:886 tgid:886 ppid:876
Call trace:
 __switch_to+0x1d8/0x348
 __schedule+0x8e8/0x2248
 schedule+0x110/0x3f0
 percpu_rwsem_wait+0x1e8/0x3f8
 __percpu_down_read+0xe8/0x500
 io_write+0xbb8/0xff8
 io_issue_sqe+0x10c/0x1020
 io_submit_sqes+0x614/0x2110
 __arm64_sys_io_uring_enter+0x524/0x1038
 invoke_syscall+0x74/0x268
 el0_svc_common.constprop.0+0x160/0x238
 do_el0_svc+0x44/0x60
 el0_svc+0x44/0xb0
 el0t_64_sync_handler+0x118/0x128
 el0t_64_sync+0x168/0x170
INFO: task fsfreeze:7364 blocked for more than 15 seconds.
 Not tainted 6.12.0-rc5-00063-g76aaf945701c #7963

with the attempting freezer stuck trying to grab the rwsem:

task:fsfreeze state:D stack:0 pid:7364 tgid:7364 ppid:995
Call trace:
 __switch_to+0x1d8/0x348
 __schedule+0x8e8/0x2248
 schedule+0x110/0x3f0
 percpu_down_write+0x2b0/0x680
 freeze_super+0x248/0x8a8
 do_vfs_ioctl+0x149c/0x1b18
 __arm64_sys_ioctl+0xd0/0x1a0
 invoke_syscall+0x74/0x268
 el0_svc_common.constprop.0+0x160/0x238
 do_el0_svc+0x44/0x60
 el0_svc+0x44/0xb0
 el0t_64_sync_handler+0x118/0x128
 el0t_64_sync+0x168/0x170

Fix this by having the io_uring side honor IOCB_NOWAIT, and only attempt a blocking grab of the super block rwsem if it isn't set. For normal issue where IOCB_NOWAIT would always be set, this returns -EAGAIN which will have io_uring core issue a blocking attempt of the write. That will in turn also get completions run, ensuring forward progress.

Since freezing requires CAP_SYS_ADMIN in the first place, this isn't something that can be triggered by a regular user.
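The dependency cycle described above, and why honoring IOCB_NOWAIT breaks it, as a constructed single-threaded C model added here. This is not kernel code and not the patch: struct sb_model, freezer_step(), start_write_trylock(), start_write_blocking(), io_write_start() and run_scenario() are the model's own names, standing in for the s_writers rwsem, freeze_super(), sb_start_write_trylock(), kiocb_start_write() and the start-of-write step in io_write(). "Blocking" is modelled cooperatively: the blocked task lets the freezer run, and if the freezer cannot make progress either, the model reports -EDEADLK, which is the state:D hang in the traces. The fixed path assumes what the fix text states: trylock when IOCB_NOWAIT is set, -EAGAIN back to io_uring core, completions run, then a blocking retry.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the super block freeze rwsem (the kernel's s_writers
 * percpu_rw_semaphore). Readers are writes between kiocb_start_write() and
 * kiocb_end_write(); the single writer is fsfreeze in freeze_super(). */
struct sb_model {
	int writes_in_flight;   /* readers currently holding the rwsem */
	bool freeze_waiting;    /* writer queued: new readers must not be admitted */
	int freezes_done;
};

/* freeze_super() model: completes only after every in-flight write has ended.
 * Thaws immediately so the model stays small. Returns true on progress. */
static bool freezer_step(struct sb_model *sb)
{
	if (!sb->freeze_waiting || sb->writes_in_flight > 0)
		return false;
	sb->freeze_waiting = false;
	sb->freezes_done++;
	return true;
}

/* sb_start_write_trylock() model: refuse instead of queueing behind a freezer. */
static bool start_write_trylock(struct sb_model *sb)
{
	if (sb->freeze_waiting)
		return false;
	sb->writes_in_flight++;
	return true;
}

/* kiocb_start_write() model: blocking grab. In this cooperative model,
 * "blocking" means letting the freezer run; if it cannot make progress the
 * caller is stuck for good, which is the state:D trace in the advisory. */
static bool start_write_blocking(struct sb_model *sb)
{
	while (sb->freeze_waiting) {
		if (!freezer_step(sb))
			return false;   /* nobody else can complete the in-flight writes */
	}
	sb->writes_in_flight++;
	return true;
}

static void end_write(struct sb_model *sb)
{
	sb->writes_in_flight--;
}

/* io_write() start-of-write step. honor_nowait=false is the pre-fix behaviour
 * (always the blocking kiocb_start_write()); honor_nowait=true is the fixed
 * behaviour (trylock and -EAGAIN when IOCB_NOWAIT is set). -EDEADLK marks a hang. */
static int io_write_start(struct sb_model *sb, bool iocb_nowait, bool honor_nowait)
{
	if (honor_nowait && iocb_nowait)
		return start_write_trylock(sb) ? 0 : -EAGAIN;
	return start_write_blocking(sb) ? 0 : -EDEADLK;
}

/* The advisory's scenario: write A in flight, fsfreeze queues behind it, the
 * same task submits write B. Returns 0 when both writes and the freeze complete,
 * -EDEADLK when the model hangs. */
int run_scenario(bool honor_nowait)
{
	struct sb_model sb = { 0 };
	int rc;

	/* 1. write A submitted through io_uring_enter(); normal issue sets IOCB_NOWAIT */
	rc = io_write_start(&sb, true, honor_nowait);
	if (rc)
		return rc;

	/* 2. fsfreeze calls freeze_super(): takes the rwsem for write, waits on A */
	sb.freeze_waiting = true;
	freezer_step(&sb);   /* no progress: A is still in flight */

	/* 3. the same task submits write B before it has completed A */
	rc = io_write_start(&sb, true, honor_nowait);
	if (rc == -EAGAIN) {
		/* fixed path: io_uring_enter() returns and completions run ... */
		end_write(&sb);   /* A completes, so the freezer can now proceed */
		/* ... and io_uring core retries B blocking; the freezer finishes meanwhile */
		rc = io_write_start(&sb, false, honor_nowait);
	}
	if (rc)
		return rc;   /* pre-fix path: B blocked behind the freezer, A never completes */

	end_write(&sb);   /* B completes */
	return sb.freezes_done == 1 ? 0 : -EIO;
}

int main(void)
{
	printf("pre-fix:  %s\n", run_scenario(false) == -EDEADLK ? "hung (deadlock)" : "ok");
	printf("with fix: %s\n", run_scenario(true) == 0 ? "ok" : "unexpected");
	return 0;
}
```

The model keeps the freeze side trivially short (freeze and thaw in one step) because the point is only who can make progress: in the pre-fix path the task that owns write A is parked inside the rwsem grab for write B, so neither A nor the freezer ever finishes; with the trylock, B backs off with -EAGAIN, A completes, the freezer drains, and the blocking retry of B goes through. On a real system the matching signature is an io_uring task in state D under percpu_rwsem_wait called from io_write, paired with an fsfreeze task in percpu_down_write under freeze_super, as in the two traces above.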

Vulnerable products and versions

CPE                                               From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      -                   5.10.230 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.11 (including)    5.15.172 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.16 (including)    6.1.116 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.2 (including)     6.6.60 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.7 (including)     6.11.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*