{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-09T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: dm: don't attempt to queue IO under RCU protection",
    "id" : "2420339",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2420339"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-663",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ndm: don't attempt to queue IO under RCU protection\ndm looks up the table for IO based on the request type, with an\nassumption that if the request is marked REQ_NOWAIT, it's fine to\nattempt to submit that IO while under RCU read lock protection. This\nis not OK, as REQ_NOWAIT just means that we should not be sleeping\nwaiting on other IO, it does not mean that we can't potentially\nschedule.\nA simple test case demonstrates this quite nicely:\nint main(int argc, char *argv[])\n{\nstruct iovec iov;\nint fd;\nfd = open(\"/dev/dm-0\", O_RDONLY | O_DIRECT);\nposix_memalign(&iov.iov_base, 4096, 4096);\niov.iov_len = 4096;\npreadv2(fd, &iov, 1, 0, RWF_NOWAIT);\nreturn 0;\n}\nwhich will instantly spew:\nBUG: sleeping function called from invalid context at include/linux/sched/mm.h:306\nin_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5580, name: dm-nowait\npreempt_count: 0, expected: 0\nRCU nest depth: 1, expected: 0\nINFO: lockdep is turned off.\nCPU: 7 PID: 5580 Comm: dm-nowait Not tainted 6.6.0-rc1-g39956d2dcd81 #132\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nCall Trace:\n<TASK>\ndump_stack_lvl+0x11d/0x1b0\n__might_resched+0x3c3/0x5e0\n? preempt_count_sub+0x150/0x150\nmempool_alloc+0x1e2/0x390\n? mempool_resize+0x7d0/0x7d0\n? lock_sync+0x190/0x190\n? lock_release+0x4b7/0x670\n? internal_get_user_pages_fast+0x868/0x2d40\nbio_alloc_bioset+0x417/0x8c0\n? bvec_alloc+0x200/0x200\n? internal_get_user_pages_fast+0xb8c/0x2d40\nbio_alloc_clone+0x53/0x100\ndm_submit_bio+0x27f/0x1a20\n? lock_release+0x4b7/0x670\n? blk_try_enter_queue+0x1a0/0x4d0\n? dm_dax_direct_access+0x260/0x260\n? rcu_is_watching+0x12/0xb0\n? blk_try_enter_queue+0x1cc/0x4d0\n__submit_bio+0x239/0x310\n? __bio_queue_enter+0x700/0x700\n? kvm_clock_get_cycles+0x40/0x60\n? ktime_get+0x285/0x470\nsubmit_bio_noacct_nocheck+0x4d9/0xb80\n? should_fail_request+0x80/0x80\n? preempt_count_sub+0x150/0x150\n? lock_release+0x4b7/0x670\n? __bio_add_page+0x143/0x2d0\n? iov_iter_revert+0x27/0x360\nsubmit_bio_noacct+0x53e/0x1b30\nsubmit_bio_wait+0x10a/0x230\n? submit_bio_wait_endio+0x40/0x40\n__blkdev_direct_IO_simple+0x4f8/0x780\n? blkdev_bio_end_io+0x4c0/0x4c0\n? stack_trace_save+0x90/0xc0\n? __bio_clone+0x3c0/0x3c0\n? lock_release+0x4b7/0x670\n? lock_sync+0x190/0x190\n? atime_needs_update+0x3bf/0x7e0\n? timestamp_truncate+0x21b/0x2d0\n? inode_owner_or_capable+0x240/0x240\nblkdev_direct_IO.part.0+0x84a/0x1810\n? rcu_is_watching+0x12/0xb0\n? lock_release+0x4b7/0x670\n? blkdev_read_iter+0x40d/0x530\n? reacquire_held_locks+0x4e0/0x4e0\n? __blkdev_direct_IO_simple+0x780/0x780\n? rcu_is_watching+0x12/0xb0\n? __mark_inode_dirty+0x297/0xd50\n? preempt_count_add+0x72/0x140\nblkdev_read_iter+0x2a4/0x530\ndo_iter_readv_writev+0x2f2/0x3c0\n? generic_copy_file_range+0x1d0/0x1d0\n? fsnotify_perm.part.0+0x25d/0x630\n? security_file_permission+0xd8/0x100\ndo_iter_read+0x31b/0x880\n? import_iovec+0x10b/0x140\nvfs_readv+0x12d/0x1a0\n? vfs_iter_read+0xb0/0xb0\n? rcu_is_watching+0x12/0xb0\n? rcu_is_watching+0x12/0xb0\n? lock_release+0x4b7/0x670\ndo_preadv+0x1b3/0x260\n? do_readv+0x370/0x370\n__x64_sys_preadv2+0xef/0x150\ndo_syscall_64+0x39/0xb0\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f5af41ad806\nCode: 41 54 41 89 fc 55 44 89 c5 53 48 89 cb 48 83 ec 18 80 3d e4 dd 0d 00 00 74 7a 45 89 c1 49 89 ca 45 31 c0 b8 47 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 be 00 00 00 48 85 c0 79 4a 48 8b 0d da 55\nRSP: 002b:00007ffd3145c7f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000147\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5af41ad806\nRDX: 0000000000000001 RSI: 00007ffd3145c850 RDI: 0000000000000003\nRBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000008\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003\nR13: 00007ffd3145c850 R14: 000055f5f0431dd8 R15: 0000000000000001\n</TASK>\nwhere in fact it is\n---truncated---", "A sleep-in-atomic-context bug was found in the Device Mapper subsystem in the Linux kernel. When processing REQ_NOWAIT requests, dm incorrectly submits I/O while holding an RCU read lock, assuming that REQ_NOWAIT means no scheduling can occur. However, mempool_alloc() and other allocation functions may still sleep, leading to sleeping function calls from invalid contexts. This can cause kernel warnings or crashes." ],
  "statement" : "This is a sleeping-in-atomic-context bug in Device Mapper that can cause kernel warnings and potential issues when using O_DIRECT with RWF_NOWAIT flags on dm devices. The vulnerability requires local access and specific I/O patterns to trigger.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53860\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53860\nhttps://lore.kernel.org/linux-cve-announce/2025120904-CVE-2023-53860-3722@gregkh/T" ],
  "name" : "CVE-2023-53860",
  "csaw" : false
}