CVE-2023-53231

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-53231
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53231.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-53231
Published
2025-09-15T14:22:03Z
Modified
2025-10-21T16:02:15.364813Z
Summary
erofs: Fix detection of atomic context
Details

In the Linux kernel, the following vulnerability has been resolved:

erofs: Fix detection of atomic context

Current check for atomic context is not sufficient as z_erofs_decompressqueue_endio can be called under rcu lock from blk_mq_flush_plug_list(). See the stacktrace [1]

In such case we should hand off the decompression work for async processing rather than trying to do sync decompression in current context. Patch fixes the detection by checking for rcu_read_lock_any_held() and while at it use more appropriate !in_task() check than in_atomic().

Background: Historically erofs would always schedule a kworker for decompression which would incur the scheduling cost regardless of the context. But z_erofs_decompressqueue_endio() may not always be in atomic context and we could actually benefit from doing the decompression in z_erofs_decompressqueue_endio() if we are in thread context, for example when running with dm-verity. This optimization was later added in patch [2] which has shown improvement in performance benchmarks.

==============================================
[1] Problem stacktrace
[name:core&]BUG: sleeping function called from invalid context at kernel/locking/mutex.c:291
[name:core&]in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1615, name: CpuMonitorServi
[name:core&]preempt_count: 0, expected: 0
[name:core&]RCU nest depth: 1, expected: 0
CPU: 7 PID: 1615 Comm: CpuMonitorServi Tainted: G S W OE 6.1.25-android14-5-maybe-dirty-mainline #1
Hardware name: MT6897 (DT)
Call trace:
 dump_backtrace+0x108/0x15c
 show_stack+0x20/0x30
 dump_stack_lvl+0x6c/0x8c
 dump_stack+0x20/0x48
 __might_resched+0x1fc/0x308
 __might_sleep+0x50/0x88
 mutex_lock+0x2c/0x110
 z_erofs_decompress_queue+0x11c/0xc10
 z_erofs_decompress_kickoff+0x110/0x1a4
 z_erofs_decompressqueue_endio+0x154/0x180
 bio_endio+0x1b0/0x1d8
 __dm_io_complete+0x22c/0x280
 clone_endio+0xe4/0x280
 bio_endio+0x1b0/0x1d8
 blk_update_request+0x138/0x3a4
 blk_mq_plug_issue_direct+0xd4/0x19c
 blk_mq_flush_plug_list+0x2b0/0x354
 __blk_flush_plug+0x110/0x160
 blk_finish_plug+0x30/0x4c
 read_pages+0x2fc/0x370
 page_cache_ra_unbounded+0xa4/0x23c
 page_cache_ra_order+0x290/0x320
 do_sync_mmap_readahead+0x108/0x2c0
 filemap_fault+0x19c/0x52c
 __do_fault+0xc4/0x114
 handle_mm_fault+0x5b4/0x1168
 do_page_fault+0x338/0x4b4
 do_translation_fault+0x40/0x60
 do_mem_abort+0x60/0xc8
 el0_da+0x4c/0xe0
 el0t_64_sync_handler+0xd4/0xfc
 el0t_64_sync+0x1a0/0x1a4

[2] Link: https://lore.kernel.org/all/20210317035448.13921-1-huangjianan@oppo.com/
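
A log-triage sketch for the splat described above, added here as an example and not part of the advisory or the kernel patch. It parses "sleeping function called from invalid context" reports and flags those that match this bug's shape: in_atomic() and irqs_disabled() both 0, RCU nest depth above 0, and the erofs endio path in the call trace. The function name `triage`, the result keys and the shortened sample log are assumptions of the example.

```python
import re

# Constructed sample: shortened from the stack trace quoted in the advisory,
# with kernel symbol names written out with their underscores.
SAMPLE_LOG = """\
[name:core&]BUG: sleeping function called from invalid context at kernel/locking/mutex.c:291
[name:core&]in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1615, name: CpuMonitorServi
[name:core&]preempt_count: 0, expected: 0
[name:core&]RCU nest depth: 1, expected: 0
Call trace:
 __might_sleep+0x50/0x88
 mutex_lock+0x2c/0x110
 z_erofs_decompress_queue+0x11c/0xc10
 z_erofs_decompress_kickoff+0x110/0x1a4
 z_erofs_decompressqueue_endio+0x154/0x180
 bio_endio+0x1b0/0x1d8
 blk_mq_flush_plug_list+0x2b0/0x354
 blk_finish_plug+0x30/0x4c
"""

SPLAT = "BUG: sleeping function called from invalid context"
FIELD = re.compile(r"(in_atomic\(\)|irqs_disabled\(\)|RCU nest depth): (\d+)")
FRAME = re.compile(r"^\s*([A-Za-z_]\w*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")


def triage(log):
    """Return one finding per 'sleeping function' splat found in `log`."""
    findings, cur = [], None
    for line in log.splitlines():
        if SPLAT in line:
            cur = {"fields": {}, "frames": []}
            findings.append(cur)
        elif cur is not None:
            for key, val in FIELD.findall(line):
                cur["fields"][key] = int(val)
            m = FRAME.match(line)
            if m:
                cur["frames"].append(m.group(1))
    for f in findings:
        fl, fr = f["fields"], f["frames"]
        # Both report 0, so an in_atomic()-based check sees a sleepable context.
        f["missed_by_in_atomic"] = (fl.get("in_atomic()") == 0
                                    and fl.get("irqs_disabled()") == 0)
        f["under_rcu"] = fl.get("RCU nest depth", 0) > 0
        f["erofs_endio_path"] = ("z_erofs_decompressqueue_endio" in fr
                                 and "z_erofs_decompress_kickoff" in fr)
        f["matches_cve"] = (f["missed_by_in_atomic"] and f["under_rcu"]
                            and f["erofs_endio_path"])
    return findings
```

Calling `triage(SAMPLE_LOG)` yields a single finding with `matches_cve` set; a splat that reports `in_atomic(): 1` or lacks the erofs frames is still parsed but not flagged.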

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
aea1286dcbbb87cf33595c2ac8b153c29a4611cb
Fixed
597fb60c75132719687e173b75cab8f6eb1ca657
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
aea1286dcbbb87cf33595c2ac8b153c29a4611cb
Fixed
12d0a24afd9ea58e581ea64d64e066f2027b28d9

Affected versions

v4.*

v4.18
v4.18-rc6
v4.18-rc7
v4.18-rc8
v4.19
v4.19-rc1
v4.19-rc2
v4.19-rc3
v4.19-rc4
v4.19-rc5
v4.19-rc6
v4.19-rc7
v4.19-rc8
v4.20
v4.20-rc1
v4.20-rc2
v4.20-rc3
v4.20-rc4
v4.20-rc5
v4.20-rc6
v4.20-rc7

v5.*

v5.0
v5.0-rc1
v5.0-rc2
v5.0-rc3
v5.0-rc4
v5.0-rc5
v5.0-rc6
v5.0-rc7
v5.0-rc8
v5.1
v5.1-rc1
v5.1-rc2
v5.1-rc3
v5.1-rc4
v5.1-rc5
v5.1-rc6
v5.1-rc7
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.2
v5.2-rc1
v5.2-rc2
v5.2-rc3
v5.2-rc4
v5.2-rc5
v5.2-rc6
v5.2-rc7
v5.3
v5.3-rc1
v5.3-rc2
v5.3-rc3
v5.3-rc4
v5.3-rc5
v5.3-rc6
v5.3-rc7
v5.3-rc8
v5.4
v5.4-rc1
v5.4-rc2
v5.4-rc3
v5.4-rc4
v5.4-rc5
v5.4-rc6
v5.4-rc7
v5.4-rc8
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.4.1
v6.4.2
v6.4.3
v6.4.4
v6.4.5
v6.4.6

Database specific

vanir_signatures

[
    {
        "id": "CVE-2023-53231-35955b54",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@12d0a24afd9ea58e581ea64d64e066f2027b28d9",
        "digest": {
            "line_hashes": [
                "175919061183319328093632770586977323236",
                "217909222959499597611563417736788856544",
                "231420299102352200174988515744964296452",
                "49238463174693214147445639458248715161"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "target": {
            "file": "fs/erofs/zdata.c"
        },
        "signature_type": "Line",
        "deprecated": false
    },
    {
        "id": "CVE-2023-53231-4b7a3ee3",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@597fb60c75132719687e173b75cab8f6eb1ca657",
        "digest": {
            "line_hashes": [
                "175919061183319328093632770586977323236",
                "217909222959499597611563417736788856544",
                "231420299102352200174988515744964296452",
                "49238463174693214147445639458248715161"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "target": {
            "file": "fs/erofs/zdata.c"
        },
        "signature_type": "Line",
        "deprecated": false
    },
    {
        "id": "CVE-2023-53231-4dc6885b",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@597fb60c75132719687e173b75cab8f6eb1ca657",
        "digest": {
            "length": 903.0,
            "function_hash": "32071623582600033961739324299618775787"
        },
        "signature_version": "v1",
        "target": {
            "function": "z_erofs_decompress_kickoff",
            "file": "fs/erofs/zdata.c"
        },
        "signature_type": "Function",
        "deprecated": false
    },
    {
        "id": "CVE-2023-53231-aa99d3b8",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@12d0a24afd9ea58e581ea64d64e066f2027b28d9",
        "digest": {
            "length": 903.0,
            "function_hash": "32071623582600033961739324299618775787"
        },
        "signature_version": "v1",
        "target": {
            "function": "z_erofs_decompress_kickoff",
            "file": "fs/erofs/zdata.c"
        },
        "signature_type": "Function",
        "deprecated": false
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.19.0
Fixed
6.4.7