Linux Kernel Device-Mapper RCU Protection Vulnerability

Vulnerability

A vulnerability in the Linux kernel's device-mapper component allows I/O to be queued while the submitting task holds an RCU read lock, so a function that may sleep can be called inside an RCU read-side critical section, where sleeping is not permitted. The root cause is an incorrect assumption in device-mapper that a request marked REQ_NOWAIT can safely be submitted under RCU protection; REQ_NOWAIT does not guarantee that the submission path will not sleep. The vulnerability is present in stable Linux kernel versions prior to 6.6.0.

Impact

Triggering this vulnerability causes a kernel panic: a sleeping function is called from an invalid context, violating the RCU read lock requirements, and the kernel reports this as a BUG. This is demonstrated by a test case that performs a non-blocking read on a device-mapper target, so that the I/O is processed under RCU protection, and crashes the kernel.

Reproduction

The vulnerability can be reproduced by opening a direct I/O file descriptor on a device-mapper target and then calling the preadv2 system call with the RWF_NOWAIT flag. On an affected kernel the operation produces a 'BUG: sleeping function called from invalid context' report in the kernel log, indicating that the I/O was incorrectly queued under RCU protection.

Remediation

Users can upgrade to Linux kernel version 6.6.0 or later, where this vulnerability has been fixed.
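As an added triage helper (not part of this advisory and not kernel code), the script below flags kernel releases below the 6.6.0 fix version stated above and scans kernel log lines for the splat quoted in the Reproduction section, attributing it to device-mapper when the trace names a dm symbol. The sample log lines are constructed, and the device-mapper function names used as markers are an assumption about what a real trace would contain.

```python
"""Added triage helper for the dm REQ_NOWAIT/RCU issue: flags kernels below
the 6.6.0 fix and spots the 'sleeping function' splat in kernel log lines."""
import re
from typing import Iterator, List, Tuple

FIXED_IN = (6, 6, 0)  # fix version stated in the Remediation section
SPLAT = "BUG: sleeping function called from invalid context"
# Assumption: a trace for this bug passes through dm's bio submission path.
DM_MARKERS = ("dm_submit_bio", "dm_split_and_process_bio")


def parse_release(release: str) -> Tuple[int, int, int]:
    """Turn 'uname -r' output such as '6.1.55-generic' into a version tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected_kernel(release: str) -> bool:
    """Stable releases before 6.6.0 carry the bug, per the advisory."""
    return parse_release(release) < FIXED_IN


def find_rcu_sleep_splats(lines: List[str], window: int = 12) -> Iterator[Tuple[int, bool]]:
    """Yield (index, hits_dm) per splat; hits_dm is True when one of the
    next `window` lines names a device-mapper symbol."""
    for i, line in enumerate(lines):
        if SPLAT in line:
            tail = "\n".join(lines[i + 1:i + 1 + window])
            yield i, any(marker in tail for marker in DM_MARKERS)


def triage(release: str, lines: List[str]) -> dict:
    """Combine both checks into one report for a host."""
    dm_hits = [i for i, hits_dm in find_rcu_sleep_splats(lines) if hits_dm]
    return {"affected_kernel": is_affected_kernel(release), "dm_splats": dm_hits}


# Constructed sample log (not captured output); addresses/offsets are placeholders.
SAMPLE_LOG = """\
[   12.000001] BUG: sleeping function called from invalid context at kernel/sched/core.c:0
[   12.000002] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1234, name: dmtest
[   12.000003]  #0: ffff000000000000 (rcu_read_lock){....}-{1:2}, at: dm_submit_bio+0x0/0x0
[   12.000004] Call Trace:
[   12.000005]  __might_resched+0x0/0x0
[   12.000006]  dm_split_and_process_bio+0x0/0x0
[   12.000007]  submit_bio_noacct+0x0/0x0
""".splitlines()
```

Run `triage(platform.release(), open("/var/log/kern.log").read().splitlines())` on a host to get both answers at once; a splat without a dm symbol in its trace is reported as a non-dm hit and left for manual review.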

Added: Dec 9, 2025, 9:12 PM
Updated: Dec 9, 2025, 9:12 PM

Vulnerability Rating

Custom Algorithm
  spread          9.0
  impact          2.5
  exploitability  4.3
  remediation     7.7
  relevance       1.3
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.