ghsa-qcg4-xxf6-m8j4
Vulnerability from github
Published
2025-10-22 15:31
Modified
2025-10-22 15:31
Details

In the Linux kernel, the following vulnerability has been resolved:

blk-iocost: use spin_lock_irqsave in adjust_inuse_and_calc_cost

adjust_inuse_and_calc_cost() use spin_lock_irq() and IRQ will be enabled when unlock. DEADLOCK might happen if we have held other locks and disabled IRQ before invoking it.

Fix it by using spin_lock_irqsave() instead, which can keep IRQ state consistent with before when unlock.

================================ WARNING: inconsistent lock state 5.10.0-02758-g8e5f91fd772f #26 Not tainted

inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. kworker/2:3/388 [HC0[0]:SC0[0]:HE0:SE1] takes: ffff888118c00c28 (&bfqd->lock){?.-.}-{2:2}, at: spin_lock_irq ffff888118c00c28 (&bfqd->lock){?.-.}-{2:2}, at: bfq_bio_merge+0x141/0x390 {IN-HARDIRQ-W} state was registered at: __lock_acquire+0x3d7/0x1070 lock_acquire+0x197/0x4a0 __raw_spin_lock_irqsave _raw_spin_lock_irqsave+0x3b/0x60 bfq_idle_slice_timer_body bfq_idle_slice_timer+0x53/0x1d0 __run_hrtimer+0x477/0xa70 __hrtimer_run_queues+0x1c6/0x2d0 hrtimer_interrupt+0x302/0x9e0 local_apic_timer_interrupt __sysvec_apic_timer_interrupt+0xfd/0x420 run_sysvec_on_irqstack_cond sysvec_apic_timer_interrupt+0x46/0xa0 asm_sysvec_apic_timer_interrupt+0x12/0x20 irq event stamp: 837522 hardirqs last enabled at (837521): [] __raw_spin_unlock_irqrestore hardirqs last enabled at (837521): [] _raw_spin_unlock_irqrestore+0x3d/0x40 hardirqs last disabled at (837522): [] __raw_spin_lock_irq hardirqs last disabled at (837522): [] _raw_spin_lock_irq+0x43/0x50 softirqs last enabled at (835852): [] __do_softirq+0x558/0x8ec softirqs last disabled at (835845): [] asm_call_irq_on_stack+0xf/0x20

other info that might help us debug this: Possible unsafe locking scenario:

     CPU0
     ----
lock(&bfqd->lock);
<Interrupt>
  lock(&bfqd->lock);

*** DEADLOCK ***

3 locks held by kworker/2:3/388: #0: ffff888107af0f38 ((wq_completion)kthrotld){+.+.}-{0:0}, at: process_one_work+0x742/0x13f0 #1: ffff8881176bfdd8 ((work_completion)(&td->dispatch_work)){+.+.}-{0:0}, at: process_one_work+0x777/0x13f0 #2: ffff888118c00c28 (&bfqd->lock){?.-.}-{2:2}, at: spin_lock_irq #2: ffff888118c00c28 (&bfqd->lock){?.-.}-{2:2}, at: bfq_bio_merge+0x141/0x390

stack backtrace: CPU: 2 PID: 388 Comm: kworker/2:3 Not tainted 5.10.0-02758-g8e5f91fd772f #26 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Workqueue: kthrotld blk_throtl_dispatch_work_fn Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x107/0x167 print_usage_bug valid_state mark_lock_irq.cold+0x32/0x3a mark_lock+0x693/0xbc0 mark_held_locks+0x9e/0xe0 __trace_hardirqs_on_caller lockdep_hardirqs_on_prepare.part.0+0x151/0x360 trace_hardirqs_on+0x5b/0x180 __raw_spin_unlock_irq _raw_spin_unlock_irq+0x24/0x40 spin_unlock_irq adjust_inuse_and_calc_cost+0x4fb/0x970 ioc_rqos_merge+0x277/0x740 __rq_qos_merge+0x62/0xb0 rq_qos_merge bio_attempt_back_merge+0x12c/0x4a0 blk_mq_sched_try_merge+0x1b6/0x4d0 bfq_bio_merge+0x24a/0x390 __blk_mq_sched_bio_merge+0xa6/0x460 blk_mq_sched_bio_merge blk_mq_submit_bio+0x2e7/0x1ee0 __submit_bio_noacct_mq+0x175/0x3b0 submit_bio_noacct+0x1fb/0x270 blk_throtl_dispatch_work_fn+0x1ef/0x2b0 process_one_work+0x83e/0x13f0 process_scheduled_works worker_thread+0x7e3/0xd80 kthread+0x353/0x470 ret_from_fork+0x1f/0x30

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-53730"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-22T14:15:48Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-iocost: use spin_lock_irqsave in adjust_inuse_and_calc_cost\n\nadjust_inuse_and_calc_cost() use spin_lock_irq() and IRQ will be enabled\nwhen unlock. DEADLOCK might happen if we have held other locks and disabled\nIRQ before invoking it.\n\nFix it by using spin_lock_irqsave() instead, which can keep IRQ state\nconsistent with before when unlock.\n\n  ================================\n  WARNING: inconsistent lock state\n  5.10.0-02758-g8e5f91fd772f #26 Not tainted\n  --------------------------------\n  inconsistent {IN-HARDIRQ-W} -\u003e {HARDIRQ-ON-W} usage.\n  kworker/2:3/388 [HC0[0]:SC0[0]:HE0:SE1] takes:\n  ffff888118c00c28 (\u0026bfqd-\u003elock){?.-.}-{2:2}, at: spin_lock_irq\n  ffff888118c00c28 (\u0026bfqd-\u003elock){?.-.}-{2:2}, at: bfq_bio_merge+0x141/0x390\n  {IN-HARDIRQ-W} state was registered at:\n    __lock_acquire+0x3d7/0x1070\n    lock_acquire+0x197/0x4a0\n    __raw_spin_lock_irqsave\n    _raw_spin_lock_irqsave+0x3b/0x60\n    bfq_idle_slice_timer_body\n    bfq_idle_slice_timer+0x53/0x1d0\n    __run_hrtimer+0x477/0xa70\n    __hrtimer_run_queues+0x1c6/0x2d0\n    hrtimer_interrupt+0x302/0x9e0\n    local_apic_timer_interrupt\n    __sysvec_apic_timer_interrupt+0xfd/0x420\n    run_sysvec_on_irqstack_cond\n    sysvec_apic_timer_interrupt+0x46/0xa0\n    asm_sysvec_apic_timer_interrupt+0x12/0x20\n  irq event stamp: 837522\n  hardirqs last  enabled at (837521): [\u003cffffffff84b9419d\u003e] __raw_spin_unlock_irqrestore\n  hardirqs last  enabled at (837521): [\u003cffffffff84b9419d\u003e] _raw_spin_unlock_irqrestore+0x3d/0x40\n  hardirqs last disabled at (837522): [\u003cffffffff84b93fa3\u003e] __raw_spin_lock_irq\n  hardirqs last disabled at (837522): [\u003cffffffff84b93fa3\u003e] _raw_spin_lock_irq+0x43/0x50\n  softirqs last  enabled at (835852): [\u003cffffffff84e00558\u003e] __do_softirq+0x558/0x8ec\n  softirqs last disabled at (835845): [\u003cffffffff84c010ff\u003e] asm_call_irq_on_stack+0xf/0x20\n\n  other info that might help us debug this:\n   Possible unsafe locking scenario:\n\n         CPU0\n         ----\n    lock(\u0026bfqd-\u003elock);\n    \u003cInterrupt\u003e\n      lock(\u0026bfqd-\u003elock);\n\n   *** DEADLOCK ***\n\n  3 locks held by kworker/2:3/388:\n   #0: ffff888107af0f38 ((wq_completion)kthrotld){+.+.}-{0:0}, at: process_one_work+0x742/0x13f0\n   #1: ffff8881176bfdd8 ((work_completion)(\u0026td-\u003edispatch_work)){+.+.}-{0:0}, at: process_one_work+0x777/0x13f0\n   #2: ffff888118c00c28 (\u0026bfqd-\u003elock){?.-.}-{2:2}, at: spin_lock_irq\n   #2: ffff888118c00c28 (\u0026bfqd-\u003elock){?.-.}-{2:2}, at: bfq_bio_merge+0x141/0x390\n\n  stack backtrace:\n  CPU: 2 PID: 388 Comm: kworker/2:3 Not tainted 5.10.0-02758-g8e5f91fd772f #26\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n  Workqueue: kthrotld blk_throtl_dispatch_work_fn\n  Call Trace:\n   __dump_stack lib/dump_stack.c:77 [inline]\n   dump_stack+0x107/0x167\n   print_usage_bug\n   valid_state\n   mark_lock_irq.cold+0x32/0x3a\n   mark_lock+0x693/0xbc0\n   mark_held_locks+0x9e/0xe0\n   __trace_hardirqs_on_caller\n   lockdep_hardirqs_on_prepare.part.0+0x151/0x360\n   trace_hardirqs_on+0x5b/0x180\n   __raw_spin_unlock_irq\n   _raw_spin_unlock_irq+0x24/0x40\n   spin_unlock_irq\n   adjust_inuse_and_calc_cost+0x4fb/0x970\n   ioc_rqos_merge+0x277/0x740\n   __rq_qos_merge+0x62/0xb0\n   rq_qos_merge\n   bio_attempt_back_merge+0x12c/0x4a0\n   blk_mq_sched_try_merge+0x1b6/0x4d0\n   bfq_bio_merge+0x24a/0x390\n   __blk_mq_sched_bio_merge+0xa6/0x460\n   blk_mq_sched_bio_merge\n   blk_mq_submit_bio+0x2e7/0x1ee0\n   __submit_bio_noacct_mq+0x175/0x3b0\n   submit_bio_noacct+0x1fb/0x270\n   blk_throtl_dispatch_work_fn+0x1ef/0x2b0\n   process_one_work+0x83e/0x13f0\n   process_scheduled_works\n   worker_thread+0x7e3/0xd80\n   kthread+0x353/0x470\n   ret_from_fork+0x1f/0x30",
  "id": "GHSA-qcg4-xxf6-m8j4",
  "modified": "2025-10-22T15:31:12Z",
  "published": "2025-10-22T15:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53730"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3376c4fe2db4aea2dc721a27a999c41fdb45b54f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8563b58a4360e648ce18f0e98a75a4be51667431"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8ceeb3fc86a83700bb1585c189006080a47e8506"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8d211554679d0b23702bd32ba04aeac0c1c4f660"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9279a1b74ad98039d5d44d26b9e7a9cfe655b6d3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/eb120c0aff5ceab9c9c46b87f302465bbf2bbaed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.