PT-2024-35518 · Linux+10 · Linux Kernel+10
Peter Mann · Published 2024-10-31 · Updated 2025-11-12 · CVE-2024-53052
CVSS v2.0: 4.6 (Medium)
Vector: AV:L/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.12.0-rc5
Description
The issue arises when io_uring starts a write, calling kiocb_start_write() to bump the super block rwsem, which can cause a deadlock if someone is attempting to freeze the mount point. This results in a stuck trace, showing the dependency with the write blocked from starting a new write. The freeze side grabs the rwsem for writing, excluding new writers and waiting for existing writes to finish. However, io_uring unconditionally uses kiocb_start_write(), which will block if someone is currently attempting to freeze the mount point. This can be triggered when IOCB_NOWAIT is not set, causing io_uring to attempt a blocking grab of the super block rwsem. The fix involves having the io_uring side honor IOCB_NOWAIT, returning -EAGAIN and allowing io_uring core to issue a blocking attempt of the write, ensuring forward progress.
Recommendations
To resolve the issue, update the Linux kernel to a version that includes the fix for the missing NOWAIT check for O_DIRECT start write. As a temporary workaround, consider restricting the use of io_uring to minimize the risk of exploitation. Additionally, ensure that only authorized users with CAP_SYS_ADMIN privileges can trigger the freezing mechanism, as regular users cannot exploit this issue.
Exploit
Fix
Improper Locking
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Debian
Linuxmint
Linux Kernel
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
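
A first-pass host triage for the two recommendations above, added here as an example and not part of the advisory: it compares a kernel release string with the 6.12.0-rc5 boundary stated on this page and reads the `kernel.io_uring_disabled` sysctl. The function names and verdict strings are invented for this example, and because the distributions listed above backport fixes into older version strings, a "review" verdict means checking the vendor's advisory rather than confirmed exposure.

```shell
#!/bin/sh
# Added triage example, not part of the advisory; names here are invented.
# kernel_predates_fix RELEASE: 0 if before 6.12.0-rc5, 1 if not, 2 if unparsed.
kernel_predates_fix() {
    rel=$1
    base=${rel%%-*}                       # "6.12.0-rc4" -> "6.12.0"
    major=${base%%.*}; rest=${base#*.}
    [ "$rest" != "$base" ] || return 2    # no dot: not a kernel release
    minor=${rest%%.*}; patch=0
    case $rest in *.*) patch=${rest#*.}; patch=${patch%%.*} ;; esac
    # Drop vendor suffixes such as "+" so the integer tests below are safe.
    major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}; patch=${patch%%[!0-9]*}
    [ -n "$major" ] && [ -n "$minor" ] && [ -n "$patch" ] || return 2
    [ "$major" -lt 6 ] && return 0
    [ "$major" -gt 6 ] && return 1
    [ "$minor" -lt 12 ] && return 0
    [ "$minor" -gt 12 ] && return 1
    [ "$patch" -gt 0 ] && return 1
    case $rel in
        *-rc*) rcnum=${rel#*-rc}; rcnum=${rcnum%%[!0-9]*}
               [ -n "$rcnum" ] || return 2
               [ "$rcnum" -lt 5 ] && return 0 ;;
    esac
    return 1
}

# io_uring_state [FILE]: meaning of kernel.io_uring_disabled, or "unknown"
# when the kernel does not expose the sysctl.
io_uring_state() {
    f=${1:-/proc/sys/kernel/io_uring_disabled}
    [ -r "$f" ] || { echo "unknown"; return 0; }
    case $(cat "$f") in
        0) echo "enabled" ;;      # any process may create rings
        1) echo "restricted" ;;   # only CAP_SYS_ADMIN or io_uring_group
        2) echo "disabled" ;;     # no process may create rings
        *) echo "unknown" ;;
    esac
}

# triage RELEASE [SYSCTL_FILE]: one summary line for a host.
triage() {
    status=0; kernel_predates_fix "$1" || status=$?
    case $status in
        0) verdict="review-vendor-backport" ;;
        1) verdict="fix-in-upstream-base" ;;
        *) verdict="unparsed-release" ;;
    esac
    echo "kernel=$1 verdict=$verdict io_uring=$(io_uring_state "$2")"
}
triage "$(uname -r)"
```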