{
  "threat_severity" : "Moderate",
  "public_date" : "2024-11-19T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: io_uring/rw: fix missing NOWAIT check for O_DIRECT start write",
    "id" : "2327374",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2327374"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-667",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nio_uring/rw: fix missing NOWAIT check for O_DIRECT start write\nWhen io_uring starts a write, it'll call kiocb_start_write() to bump the\nsuper block rwsem, preventing any freezes from happening while that\nwrite is in-flight. The freeze side will grab that rwsem for writing,\nexcluding any new writers from happening and waiting for existing writes\nto finish. But io_uring unconditionally uses kiocb_start_write(), which\nwill block if someone is currently attempting to freeze the mount point.\nThis causes a deadlock where freeze is waiting for previous writes to\ncomplete, but the previous writes cannot complete, as the task that is\nsupposed to complete them is blocked waiting on starting a new write.\nThis results in the following stuck trace showing that dependency with\nthe write blocked starting a new write:\ntask:fio             state:D stack:0     pid:886   tgid:886   ppid:876\nCall trace:\n__switch_to+0x1d8/0x348\n__schedule+0x8e8/0x2248\nschedule+0x110/0x3f0\npercpu_rwsem_wait+0x1e8/0x3f8\n__percpu_down_read+0xe8/0x500\nio_write+0xbb8/0xff8\nio_issue_sqe+0x10c/0x1020\nio_submit_sqes+0x614/0x2110\n__arm64_sys_io_uring_enter+0x524/0x1038\ninvoke_syscall+0x74/0x268\nel0_svc_common.constprop.0+0x160/0x238\ndo_el0_svc+0x44/0x60\nel0_svc+0x44/0xb0\nel0t_64_sync_handler+0x118/0x128\nel0t_64_sync+0x168/0x170\nINFO: task fsfreeze:7364 blocked for more than 15 seconds.\nNot tainted 6.12.0-rc5-00063-g76aaf945701c #7963\nwith the attempting freezer stuck trying to grab the rwsem:\ntask:fsfreeze        state:D stack:0     pid:7364  tgid:7364  ppid:995\nCall trace:\n__switch_to+0x1d8/0x348\n__schedule+0x8e8/0x2248\nschedule+0x110/0x3f0\npercpu_down_write+0x2b0/0x680\nfreeze_super+0x248/0x8a8\ndo_vfs_ioctl+0x149c/0x1b18\n__arm64_sys_ioctl+0xd0/0x1a0\ninvoke_syscall+0x74/0x268\nel0_svc_common.constprop.0+0x160/0x238\ndo_el0_svc+0x44/0x60\nel0_svc+0x44/0xb0\nel0t_64_sync_handler+0x118/0x128\nel0t_64_sync+0x168/0x170\nFix this by having the io_uring side honor IOCB_NOWAIT, and only attempt a\nblocking grab of the super block rwsem if it isn't set. For normal issue\nwhere IOCB_NOWAIT would always be set, this returns -EAGAIN which will\nhave io_uring core issue a blocking attempt of the write. That will in\nturn also get completions run, ensuring forward progress.\nSince freezing requires CAP_SYS_ADMIN in the first place, this isn't\nsomething that can be triggered by a regular user." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20518",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.5.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20518",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.5.1.el9_7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-53052\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-53052\nhttps://lore.kernel.org/linux-cve-announce/2024111927-CVE-2024-53052-3bd9@gregkh/T" ],
  "name" : "CVE-2024-53052",
  "csaw" : false
}