In the Linux kernel, the following vulnerability has been resolved:
dm-bufio: fix sched in atomic context
If "tryverifyintasklet" is set for dm-verity, DMBUFIOCLIENTNOSLEEP is enabled for dm-bufio. However, when bufio tries to evict buffers, there is a chance to trigger scheduling in spinlock_bh, the following warning is hit:
BUG: sleeping function called from invalid context at drivers/md/dm-bufio.c:2745 inatomic(): 1, irqsdisabled(): 0, nonblock: 0, pid: 123, name: kworker/2:2 preemptcount: 201, expected: 0 RCU nest depth: 0, expected: 0 4 locks held by kworker/2:2/123: #0: ffff88800a2d1548 ((wqcompletion)dmbufiocache){....}-{0:0}, at: processonework+0xe46/0x1970 #1: ffffc90000d97d20 ((workcompletion)(&dmbufioreplacementwork)){....}-{0:0}, at: processonework+0x763/0x1970 #2: ffffffff8555b528 (dmbufioclientslock){....}-{3:3}, at: doglobalcleanup+0x1ce/0x710 #3: ffff88801d5820b8 (&c->spinlock){....}-{2:2}, at: doglobalcleanup+0x2a5/0x710 Preemption disabled at: [<0000000000000000>] 0x0 CPU: 2 UID: 0 PID: 123 Comm: kworker/2:2 Not tainted 6.16.0-rc3-g90548c634bd0 #305 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Workqueue: dmbufiocache doglobalcleanup Call Trace: <TASK> dumpstacklvl+0x53/0x70 _mightresched+0x360/0x4e0 doglobalcleanup+0x2f5/0x710 processonework+0x7db/0x1970 workerthread+0x518/0xea0 kthread+0x359/0x690 retfromfork+0xf3/0x1b0 retfromforkasm+0x1a/0x30 </TASK>
That can be reproduced by:
veritysetup format --data-block-size=4096 --hash-block-size=4096 /dev/vda /dev/vdb SIZE=$(blockdev --getsz /dev/vda) dmsetup create myverity -r --table "0 $SIZE verity 1 /dev/vda /dev/vdb 4096 4096 <data_blocks> 1 sha256 <root_hash> <salt> 1 tryverifyintasklet" mount /dev/dm-0 /mnt -o ro echo 102400 > /sys/module/dmbufio/parameters/maxcachesize_bytes [read files in /mnt]