CVE-2024-53689

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-53689
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-53689.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-53689
Withdrawn
2025-02-13T18:49:45.828737Z
Published
2025-01-11T13:15:26Z
Modified
2025-01-16T17:49:52.596822Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

block: Fix potential deadlock while freezing queue and acquiring sysfs_lock

For storing a value to a queue attribute, the queue_attr_store function first freezes the queue (->q_usage_counter(io)) and then acquires ->sysfs_lock. This seems not correct as the usual ordering should be to acquire ->sysfs_lock before freezing the queue. This incorrect ordering causes the following lockdep splat which we are able to reproduce always simply by accessing /sys/kernel/debug file using ls command:

[ 57.597146] WARNING: possible circular locking dependency detected
[ 57.597154] 6.12.0-10553-gb86545e02e8c #20 Tainted: G W
[ 57.597162] ------------------------------------------------------
[ 57.597168] ls/4605 is trying to acquire lock:
[ 57.597176] c00000003eb56710 (&mm->mmap_lock){++++}-{4:4}, at: __might_fault+0x58/0xc0
[ 57.597200] but task is already holding lock:
[ 57.597207] c0000018e27c6810 (&sb->s_type->i_mutex_key#3){++++}-{4:4}, at: iterate_dir+0x94/0x1d4
[ 57.597226] which lock already depends on the new lock.

[ 57.597233] the existing dependency chain (in reverse order) is:
[ 57.597241] -> #5 (&sb->s_type->i_mutex_key#3){++++}-{4:4}:
[ 57.597255] down_write+0x6c/0x18c
[ 57.597264] start_creating+0xb4/0x24c
[ 57.597274] debugfs_create_dir+0x2c/0x1e8
[ 57.597283] blk_register_queue+0xec/0x294
[ 57.597292] add_disk_fwnode+0x2e4/0x548
[ 57.597302] brd_alloc+0x2c8/0x338
[ 57.597309] brd_init+0x100/0x178
[ 57.597317] do_one_initcall+0x88/0x3e4
[ 57.597326] kernel_init_freeable+0x3cc/0x6e0
[ 57.597334] kernel_init+0x34/0x1cc
[ 57.597342] ret_from_kernel_user_thread+0x14/0x1c
[ 57.597350] -> #4 (&q->debugfs_mutex){+.+.}-{4:4}:
[ 57.597362] __mutex_lock+0xfc/0x12a0
[ 57.597370] blk_register_queue+0xd4/0x294
[ 57.597379] add_disk_fwnode+0x2e4/0x548
[ 57.597388] brd_alloc+0x2c8/0x338
[ 57.597395] brd_init+0x100/0x178
[ 57.597402] do_one_initcall+0x88/0x3e4
[ 57.597410] kernel_init_freeable+0x3cc/0x6e0
[ 57.597418] kernel_init+0x34/0x1cc
[ 57.597426] ret_from_kernel_user_thread+0x14/0x1c
[ 57.597434] -> #3 (&q->sysfs_lock){+.+.}-{4:4}:
[ 57.597446] __mutex_lock+0xfc/0x12a0
[ 57.597454] queue_attr_store+0x9c/0x110
[ 57.597462] sysfs_kf_write+0x70/0xb0
[ 57.597471] kernfs_fop_write_iter+0x1b0/0x2ac
[ 57.597480] vfs_write+0x3dc/0x6e8
[ 57.597488] ksys_write+0x84/0x140
[ 57.597495] system_call_exception+0x130/0x360
[ 57.597504] system_call_common+0x160/0x2c4
[ 57.597516] -> #2 (&q->q_usage_counter(io)#21){++++}-{0:0}:
[ 57.597530] __submit_bio+0x5ec/0x828
[ 57.597538] submit_bio_noacct_nocheck+0x1e4/0x4f0
[ 57.597547] iomap_readahead+0x2a0/0x448
[ 57.597556] xfs_vm_readahead+0x28/0x3c
[ 57.597564] read_pages+0x88/0x41c
[ 57.597571] page_cache_ra_unbounded+0x1ac/0x2d8
[ 57.597580] filemap_get_pages+0x188/0x984
[ 57.597588] filemap_read+0x13c/0x4bc
[ 57.597596] xfs_file_buffered_read+0x88/0x17c
[ 57.597605] xfs_file_read_iter+0xac/0x158
[ 57.597614] vfs_read+0x2d4/0x3b4
[ 57.597622] ksys_read+0x84/0x144
[ 57.597629] system_call_exception+0x130/0x360
[ 57.597637] system_call_common+0x160/0x2c4
[ 57.597647] -> #1 (mapping.invalidate_lock#2){++++}-{4:4}:
[ 57.597661] down_read+0x6c/0x220
[ 57.597669] filemap_fault+0x870/0x100c
[ 57.597677] xfs_filemap_fault+0xc4/0x18c
[ 57.597684] __do_fault+0x64/0x164
[ 57.597693] __handle_mm_fault+0x1274/0x1dac
[ 57.597702] handle_mm_fault+0x248/0x48 ---truncated---

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.12.8-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.1.112-1
6.1.115-1
6.1.119-1
6.1.123-1
6.1.124-1
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1
6.7.9-1
6.7.9-2
6.7.12-1~bpo12+1
6.7.12-1
6.8.9-1
6.8.11-1
6.8.12-1~bpo12+1
6.8.12-1
6.9.2-1~exp1
6.9.7-1~bpo12+1
6.9.7-1
6.9.8-1
6.9.9-1
6.9.10-1~bpo12+1
6.9.10-1
6.9.11-1
6.9.12-1
6.10-1~exp1
6.10.1-1~exp1
6.10.3-1
6.10.4-1
6.10.6-1~bpo12+1
6.10.6-1
6.10.7-1
6.10.9-1
6.10.11-1~bpo12+1
6.10.11-1
6.10.12-1
6.11~rc4-1~exp1
6.11~rc5-1~exp1
6.11-1~exp1
6.11.2-1
6.11.4-1
6.11.5-1~bpo12+1
6.11.5-1
6.11.6-1
6.11.7-1
6.11.9-1
6.11.10-1~bpo12+1
6.11.10-1
6.12~rc6-1~exp1
6.12.3-1
6.12.5-1
6.12.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}