Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A race condition has been identified in the Linux kernel's block device layer, between changing a block device's block size and concurrent reads of the same device. With the kernel's new support for large sector sizes, changing the block size also changes the minimum folio order that the device's page cache hands out. A process that is part-way through a read when another process changes the block size resumes holding a folio that was allocated for the old, smaller block size; the read path cannot complete with that folio and the kernel crashes.
Triggering this race crashes the kernel, which is a denial of service for the whole host; writes that have not yet reached disk at the moment of the crash are lost, so data loss or corruption of on-disk state is a possible secondary effect.
The race is reproduced by having a read of a block device in flight while the block size of that same device is changed. In the scenario from the fix, a udev worker reads filesystem labels from the device; that read creates an order-0 folio, i.e. a single 4096-byte page, for the first 4096 bytes of the device. Before the read completes, an 8k-sector filesystem is mounted from the same block device, which changes the block size to 8192 bytes and raises the minimum folio order accordingly. When the read resumes it still holds the order-0 folio, which is now smaller than a single block; the read path fails to set up the I/O for that folio and the kernel crashes.
The fix truncates the page cache after flushing it but before updating the block size, so that no folio of the old order survives the change. Truncation alone is not sufficient: file I/O and page faults must also be locked out for the duration of the update. The fix therefore takes both the i_rwsem and the invalidate_lock in exclusive mode for the invalidation, and in shared mode on the read and write paths, so a read either completes before the block size changes or starts after it and sees the new size and folio order from the outset.
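The following is an added example, not code from the kernel or from the fix: a userspace C model of the interleaving in the reproduction above and of the ordering the fix imposes (flush, truncate, then update, under an exclusive lock that readers hold shared). Every name in it is constructed for the model: the two-phase read (read_begin / read_complete), the in-memory reader/writer lock that returns EBUSY instead of blocking so a deferred update is observable from one thread, and the READ_CRASH return code that stands in for the kernel crash.

```c
/*
 * Added userspace model of the block-size / read race; not kernel code.
 * All names are constructed so the interleaving can be driven from one thread.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096u
#define READ_OK         0
#define READ_CRASH      (-1)   /* stands in for the kernel crash on the real path */

struct folio { unsigned order; };   /* folio size is MODEL_PAGE_SIZE << order */

/* Minimal reader/writer lock model standing in for i_rwsem + invalidate_lock. */
struct rwlock_model { unsigned readers; bool writer; };

static void lock_shared(struct rwlock_model *l)   { l->readers++; }
static void unlock_shared(struct rwlock_model *l) { l->readers--; }
/* Returns EBUSY instead of blocking so a held-off update is visible to the caller. */
static int trylock_exclusive(struct rwlock_model *l)
{
    if (l->writer || l->readers) return EBUSY;
    l->writer = true;
    return 0;
}
static void unlock_exclusive(struct rwlock_model *l) { l->writer = false; }

struct bdev {
    unsigned blksize;          /* models i_blksize */
    unsigned min_order;        /* minimum folio order the page cache hands out */
    unsigned cached_folios;    /* folios of the current order held in the page cache */
    struct rwlock_model lock;
};

static unsigned order_for_blksize(unsigned blksize)
{
    unsigned order = 0;
    while ((MODEL_PAGE_SIZE << order) < blksize) order++;
    return order;
}

static void bdev_init(struct bdev *b, unsigned blksize)
{
    b->blksize = blksize;
    b->min_order = order_for_blksize(blksize);
    b->cached_folios = 0;
    b->lock.readers = 0;
    b->lock.writer = false;
}

/* Phase 1 of a read: allocate a folio at the current minimum order. */
static void read_begin(struct bdev *b, struct folio *f)
{
    f->order = b->min_order;
    b->cached_folios++;
}

/* Phase 2: set up the I/O. A folio smaller than one block cannot hold a whole
 * block, which is the inconsistency described above; modelled as READ_CRASH. */
static int read_complete(const struct bdev *b, const struct folio *f)
{
    unsigned blocks_per_folio = (MODEL_PAGE_SIZE << f->order) / b->blksize;
    return blocks_per_folio == 0 ? READ_CRASH : READ_OK;
}

/* Unfixed update: changes size and order with nothing held and nothing truncated. */
static void set_blocksize_racy(struct bdev *b, unsigned blksize)
{
    b->blksize = blksize;
    b->min_order = order_for_blksize(blksize);
}

/* Fixed update: exclusive lock, (flush), truncate, then change size and order. */
static int set_blocksize_fixed(struct bdev *b, unsigned blksize)
{
    int rc = trylock_exclusive(&b->lock);
    if (rc != 0) return rc;    /* a reader still holds the lock shared */
    /* flush of dirty data would go here */
    b->cached_folios = 0;      /* truncate: no folio of the old order survives */
    b->blksize = blksize;
    b->min_order = order_for_blksize(blksize);
    unlock_exclusive(&b->lock);
    return 0;
}

/* The interleaving from the reproduction: order-0 folio, size moves to 8192, read resumes. */
int scenario_racy(void)
{
    struct bdev b; struct folio f;
    bdev_init(&b, 512);
    read_begin(&b, &f);             /* udev worker: order-0 folio for the first 4096 bytes */
    set_blocksize_racy(&b, 8192);   /* 8k-sector filesystem mounted while the reader is preempted */
    return read_complete(&b, &f);   /* order-0 folio against 8192-byte blocks: READ_CRASH */
}

struct fixed_result { int update_rc_during_read; int read_rc; unsigned order_after; };

/* Same interleaving with the fix's locking: the update is held off (EBUSY), the read
 * finishes at the old size, then the truncating update lands and a fresh read gets order 1. */
struct fixed_result scenario_fixed(void)
{
    struct fixed_result r; struct bdev b; struct folio f;
    bdev_init(&b, 512);
    lock_shared(&b.lock);
    read_begin(&b, &f);
    r.update_rc_during_read = set_blocksize_fixed(&b, 8192);   /* EBUSY: reader in flight */
    r.read_rc = read_complete(&b, &f);                         /* READ_OK: still 512-byte blocks */
    unlock_shared(&b.lock);
    set_blocksize_fixed(&b, 8192);                             /* now succeeds and truncates */
    lock_shared(&b.lock);
    read_begin(&b, &f);
    r.order_after = f.order;                                   /* 1: an 8192-byte folio */
    unlock_shared(&b.lock);
    return r;
}

int main(void)
{
    struct fixed_result r = scenario_fixed();
    printf("racy: %s\n", scenario_racy() == READ_CRASH ? "crash" : "ok");
    printf("fixed: update during read -> %s, read -> %s, new folio order %u\n",
           r.update_rc_during_read == EBUSY ? "EBUSY (held off)" : "?",
           r.read_rc == READ_OK ? "ok" : "crash", r.order_after);
    return 0;
}
```

In the real kernel the exclusive acquisition blocks rather than failing with EBUSY, and the truncation drops real page-cache folios; the model keeps only the ordering that matters: readers hold the lock shared for the whole read, and the block size and folio order never change underneath a folio that has already been allocated.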