| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-53052: io_uring/rw: fix missing NOWAIT check for O_DIRECT start write |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| io_uring/rw: fix missing NOWAIT check for O_DIRECT start write |
| |
| When io_uring starts a write, it'll call kiocb_start_write() to bump the |
| super block rwsem, preventing any freezes from happening while that |
| write is in-flight. The freeze side will grab that rwsem for writing, |
| excluding any new writers from happening and waiting for existing writes |
| to finish. But io_uring unconditionally uses kiocb_start_write(), which |
| will block if someone is currently attempting to freeze the mount point. |
| This causes a deadlock where freeze is waiting for previous writes to |
| complete, but the previous writes cannot complete, as the task that is |
| supposed to complete them is blocked waiting on starting a new write. |
| This results in the following stuck trace showing that dependency with |
| the write blocked starting a new write: |
| |
| task:fio state:D stack:0 pid:886 tgid:886 ppid:876 |
| Call trace: |
| __switch_to+0x1d8/0x348 |
| __schedule+0x8e8/0x2248 |
| schedule+0x110/0x3f0 |
| percpu_rwsem_wait+0x1e8/0x3f8 |
| __percpu_down_read+0xe8/0x500 |
| io_write+0xbb8/0xff8 |
| io_issue_sqe+0x10c/0x1020 |
| io_submit_sqes+0x614/0x2110 |
| __arm64_sys_io_uring_enter+0x524/0x1038 |
| invoke_syscall+0x74/0x268 |
| el0_svc_common.constprop.0+0x160/0x238 |
| do_el0_svc+0x44/0x60 |
| el0_svc+0x44/0xb0 |
| el0t_64_sync_handler+0x118/0x128 |
| el0t_64_sync+0x168/0x170 |
| INFO: task fsfreeze:7364 blocked for more than 15 seconds. |
| Not tainted 6.12.0-rc5-00063-g76aaf945701c #7963 |
| |
| with the attempting freezer stuck trying to grab the rwsem: |
| |
| task:fsfreeze state:D stack:0 pid:7364 tgid:7364 ppid:995 |
| Call trace: |
| __switch_to+0x1d8/0x348 |
| __schedule+0x8e8/0x2248 |
| schedule+0x110/0x3f0 |
| percpu_down_write+0x2b0/0x680 |
| freeze_super+0x248/0x8a8 |
| do_vfs_ioctl+0x149c/0x1b18 |
| __arm64_sys_ioctl+0xd0/0x1a0 |
| invoke_syscall+0x74/0x268 |
| el0_svc_common.constprop.0+0x160/0x238 |
| do_el0_svc+0x44/0x60 |
| el0_svc+0x44/0xb0 |
| el0t_64_sync_handler+0x118/0x128 |
| el0t_64_sync+0x168/0x170 |
| |
| Fix this by having the io_uring side honor IOCB_NOWAIT, and only attempt a |
| blocking grab of the super block rwsem if it isn't set. For normal issue |
| where IOCB_NOWAIT would always be set, this returns -EAGAIN which will |
| have io_uring core issue a blocking attempt of the write. That will in |
| turn also get completions run, ensuring forward progress. |
| |
| Since freezing requires CAP_SYS_ADMIN in the first place, this isn't |
| something that can be triggered by a regular user. |
| |
| The Linux kernel CVE team has assigned CVE-2024-53052 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 5.10.230 with commit 485d9232112b17f389b29497ff41b97b3189546b |
| Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 5.15.172 with commit 4e24041ba86d50aaa4c792ae2c88ed01b3d96243 |
| Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 6.1.116 with commit 9e8debb8e51354b201db494689198078ec2c1e75 |
| Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 6.6.60 with commit 003d2996964c03dfd34860500428f4cdf1f5879e |
| Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 6.11.7 with commit 26b8c48f369b7591f5679e0b90612f4862a32929 |
| Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 6.12 with commit 1d60d74e852647255bd8e76f5a22dc42531e4389 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-53052 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| io_uring/rw.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/485d9232112b17f389b29497ff41b97b3189546b |
| https://git.kernel.org/stable/c/4e24041ba86d50aaa4c792ae2c88ed01b3d96243 |
| https://git.kernel.org/stable/c/9e8debb8e51354b201db494689198078ec2c1e75 |
| https://git.kernel.org/stable/c/003d2996964c03dfd34860500428f4cdf1f5879e |
| https://git.kernel.org/stable/c/26b8c48f369b7591f5679e0b90612f4862a32929 |
| https://git.kernel.org/stable/c/1d60d74e852647255bd8e76f5a22dc42531e4389 |
