Linux Kernel EROFS File I/O Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Linux kernel's EROFS (Enhanced Read-Only File System) implementation. This issue arises in versions of the kernel that include the commit 'ce63cb62d794', which added support for unencoded inodes in file I/O operations. The vulnerability occurs when the I/O request buffer becomes full, causing the system to attempt to split the file's data into smaller chunks. However, due to a flaw in the error handling process, the file data can become locked indefinitely, preventing any further operations on it. This issue was practically unreachable until a recent change reduced the buffer capacity, making it easy to trigger by invoking a readahead operation from userspace.

Impact

Exploitation of this vulnerability leads to a deadlock situation where the affected file data remains locked indefinitely, causing any processes waiting for it to become stuck.

Reproduction

The vulnerability can be reproduced by manually invoking the readahead operation on a file descriptor of a file stored on an EROFS file system. This can be done using the 'posix_fadvise' system call with the 'POSIX_FADV_WILLNEED' advice, which preloads the file into memory. The readahead operation will fill the I/O request buffer, triggering the error handling flaw that locks the file data permanently.

Remediation

The vulnerability has been addressed in the Linux kernel by modifying the file I/O handling process to ensure that the folio splitting operation is only called after the I/O request has been successfully updated. This change prevents the file data from becoming locked indefinitely.
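The ordering flaw and its fix can be seen in a small userspace model of the accounting described above. This is an added example, not kernel code and not part of the original advisory; every name in it (folio_split, rq_add, stuck_folios and the rest) and the small buffer capacities are assumptions made for illustration.

```c
/* Userspace model only: all names are hypothetical, not kernel symbols. */
#include <stdbool.h>
#include <stdio.h>
#define MAX_SLOTS 32                 /* cap passed below must be 1..MAX_SLOTS */
struct folio { int pending; };       /* folio stays locked while pending > 0 */
struct request { struct folio *slot[MAX_SLOTS]; int used, cap; };

static void folio_split(struct folio *f) { f->pending++; } /* expect one more completion */
static void folio_end(struct folio *f)   { f->pending--; } /* one completion arrived */

static bool rq_add(struct request *rq, struct folio *f) {
    if (rq->used == rq->cap) return false;   /* request buffer is full */
    rq->slot[rq->used++] = f;
    return true;
}
static void rq_submit(struct request *rq) {  /* I/O done: one end per queued chunk */
    for (int i = 0; i < rq->used; i++) folio_end(rq->slot[i]);
    rq->used = 0;
}

static void queue_buggy(struct request *rq, struct folio *f) {
    for (;;) {
        folio_split(f);              /* counted before the add is known to succeed */
        if (rq_add(rq, f)) return;
        rq_submit(rq);               /* full: flush, then the retry splits again */
    }
}
static void queue_fixed(struct request *rq, struct folio *f) {
    while (!rq_add(rq, f)) rq_submit(rq);
    folio_split(f);                  /* counted only after the request was updated */
}

/* Read n folios through a request of capacity cap; return how many stay locked. */
static int stuck_folios(int n, int cap, bool fixed) {
    struct folio folios[MAX_SLOTS] = {{0}};
    struct request rq = { .used = 0, .cap = cap };
    int stuck = 0;
    for (int i = 0; i < n && i < MAX_SLOTS; i++) {
        folios[i].pending = 1;       /* reference held by the reader itself */
        (fixed ? queue_fixed : queue_buggy)(&rq, &folios[i]);
        folio_end(&folios[i]);       /* reader drops its reference */
    }
    rq_submit(&rq);                  /* final flush completes everything queued */
    for (int i = 0; i < n && i < MAX_SLOTS; i++) stuck += folios[i].pending != 0;
    return stuck;
}

int main(void) {
    printf("buggy=%d fixed=%d\n", stuck_folios(3, 2, false), stuck_folios(3, 2, true));
    return 0;
}
```

With a capacity larger than the number of folios read, the buggy ordering also leaves nothing locked, which matches the advisory's point that the flaw was practically unreachable until the buffer capacity was reduced.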

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.