CVE-2022-50549

In the Linux kernel, the following vulnerability has been resolved:

dm thin: Fix ABBA deadlock between shrinkslab and dmpoolabortmetadata

Following concurrent processes:

      P1(drop cache)                P2(kworker)

dropcachessysctlhandler dropslab shrinkslab downread(&shrinkerrwsem) - LOCK A doshrinkslab supercachescan pruneicachesb disposelist evict ext4evictinode ext4clearinode ext4discardpreallocations ext4mbloadbuddygfp ext4mbinitcache ext4readblockbitmapnowait ext4readbhnowait submitbh dmsubmitbio doworker processdeferredbios commit metadataoperationfailed dmpoolabortmetadata downwrite(&pmd->root_lock) - LOCK B __destroypersistentdataobjects dmblockmanagerdestroy dmbufioclientdestroy unregistershrinker downwrite(&shrinkerrwsem) thinmap | dmthinfindblock ↓ downread(&pmd->rootlock) --> ABBA deadlock

, which triggers hung task:

[ 76.974820] INFO: task kworker/u4:3:63 blocked for more than 15 seconds. [ 76.976019] Not tainted 6.1.0-rc4-00011-g8f17dd350364-dirty #910 [ 76.978521] task:kworker/u4:3 state:D stack:0 pid:63 ppid:2 [ 76.978534] Workqueue: dm-thin do_worker [ 76.978552] Call Trace: [ 76.978564] __schedule+0x6ba/0x10f0 [ 76.978582] schedule+0x9d/0x1e0 [ 76.978588] rwsemdownwriteslowpath+0x587/0xdf0 [ 76.978600] downwrite+0xec/0x110 [ 76.978607] unregistershrinker+0x2c/0xf0 [ 76.978616] dmbufioclientdestroy+0x116/0x3d0 [ 76.978625] dmblockmanager_destroy+0x19/0x40 [ 76.978629] __destroypersistentdataobjects+0x5e/0x70 [ 76.978636] dmpoolabortmetadata+0x8e/0x100 [ 76.978643] metadataoperationfailed+0x86/0x110 [ 76.978649] commit+0x6a/0x230 [ 76.978655] doworker+0xc6e/0xd90 [ 76.978702] processonework+0x269/0x630 [ 76.978714] workerthread+0x266/0x630 [ 76.978730] kthread+0x151/0x1b0 [ 76.978772] INFO: task test.sh:2646 blocked for more than 15 seconds. [ 76.979756] Not tainted 6.1.0-rc4-00011-g8f17dd350364-dirty #910 [ 76.982111] task:test.sh state:D stack:0 pid:2646 ppid:2459 [ 76.982128] Call Trace: [ 76.982139] __schedule+0x6ba/0x10f0 [ 76.982155] schedule+0x9d/0x1e0 [ 76.982159] rwsemdownreadslowpath+0x4f4/0x910 [ 76.982173] downread+0x84/0x170 [ 76.982177] dmthinfindblock+0x4c/0xd0 [ 76.982183] thinmap+0x201/0x3d0 [ 76.982188] __mapbio+0x5b/0x350 [ 76.982195] dmsubmit_bio+0x2b6/0x930 [ 76.982202] __submitbio+0x123/0x2d0 [ 76.982209] submitbionoacctnocheck+0x101/0x3e0 [ 76.982222] submitbionoacct+0x389/0x770 [ 76.982227] submitbio+0x50/0xc0 [ 76.982232] submitbhwbc+0x15e/0x230 [ 76.982238] submitbh+0x14/0x20 [ 76.982241] ext4readbhnowait+0xc5/0x130 [ 76.982247] ext4readblockbitmapnowait+0x340/0xc60 [ 76.982254] ext4mbinitcache+0x1ce/0xdc0 [ 76.982259] ext4mbloadbuddygfp+0x987/0xfa0 [ 76.982263] ext4discardpreallocations+0x45d/0x830 [ 76.982274] ext4clearinode+0x48/0xf0 [ 76.982280] ext4evictinode+0xcf/0xc70 [ 76.982285] evict+0x119/0x2b0 [ 76.982290] disposelist+0x43/0xa0 [ 76.982294] pruneicachesb+0x64/0x90 [ 76.982298] supercachescan+0x155/0x210 [ 76.982303] doshrinkslab+0x19e/0x4e0 [ 76.982310] shrinkslab+0x2bd/0x450 [ 76.982317] dropslab+0xcc/0x1a0 [ 76.982323] dropcachessysctlhandler+0xb7/0xe0 [ 76.982327] procsyscallhandler+0x1bc/0x300 [ 76.982331] procsyswrite+0x17/0x20 [ 76.982334] vfswrite+0x3d3/0x570 [ 76.982342] ksys_write+0x73/0x160 [ 76.982347] __x64syswrite+0x1e/0x30 [ 76.982352] dosyscall64+0x35/0x80 [ 76.982357] entrySYSCALL64afterhwframe+0x63/0xcd

Funct ---truncated---