Linux Kernel EROFS Denial-of-Service Vulnerability via Bio Completion

Vulnerability

A denial-of-service vulnerability has been identified in the Linux kernel's EROFS (Enhanced Read-Only File System) component. The issue arises when the bio completion path handles decompression directly, particularly in process context under dm-verity. In that path, bio completion can call vm_map_ram() with GFP_KERNEL, which may lead to memory swapping I/O. In certain scenarios this causes submit_bio_wait to deadlock: the bio_list is non-NULL, and the wait hangs. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability can lead to a deadlock situation, where the bio_list is initialized but not cleared, causing the system to hang.

Reproduction

The vulnerability can be reproduced by triggering a bio completion in the process context, such as through dm-verity. This will initiate a decompression process that calls vm_map_ram() with GFP_KERNEL. If the system is low on memory, this can create swapping I/O that interferes with the submit_bio_wait function, causing a deadlock. The call stack will show the submit_bio_wait function hanging because the bio_list is not empty, indicating a successful reproduction of the issue.

Remediation

The vulnerability has been addressed by modifying the bio completion process to use memalloc_noio_save() and memalloc_noio_restore(), which prevent the vm_map_ram() function from generating memory swapping I/O that could cause a deadlock.
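The scoping described above, as an added user-space model in C (it is not kernel code and not the actual patch). The flag values, the struct task type and every model_/M_ name are constructed for illustration, and the model assumes that swap I/O issued while bio_list is non-NULL is never dispatched, which is the hang the advisory describes.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed flag values for this model; not the kernel's real bit values. */
#define M_GFP_IO           0x1u
#define M_GFP_FS           0x2u
#define M_GFP_KERNEL       (M_GFP_IO | M_GFP_FS)
#define M_PF_MEMALLOC_NOIO 0x4u

struct task { unsigned flags; bool bio_list_active; };

/* Scoped NOIO: set the task flag and hand back its previous state for nesting. */
static unsigned model_noio_save(struct task *t) {
    unsigned old = t->flags & M_PF_MEMALLOC_NOIO;
    t->flags |= M_PF_MEMALLOC_NOIO;
    return old;
}
static void model_noio_restore(struct task *t, unsigned old) {
    t->flags = (t->flags & ~M_PF_MEMALLOC_NOIO) | old;
}

/* Allocation-time mask: inside a NOIO scope, reclaim may not start I/O. */
static unsigned effective_gfp(const struct task *t, unsigned gfp) {
    return (t->flags & M_PF_MEMALLOC_NOIO) ? gfp & ~(M_GFP_IO | M_GFP_FS) : gfp;
}

/* Stand-in for the vm_map_ram() call under memory pressure.
 * Returns true when the task would hang: reclaim issued swap I/O and waited
 * on it while bio_list was non-NULL, so the bio was queued, not dispatched. */
static bool map_pages_hangs(const struct task *t, unsigned gfp, bool low_mem) {
    bool swap_io = low_mem && (effective_gfp(t, gfp) & M_GFP_IO);
    return swap_io && t->bio_list_active;
}

/* Decompression from bio completion in process context (the dm-verity case). */
static bool decompress_unpatched(struct task *t, bool low_mem) {
    return map_pages_hangs(t, M_GFP_KERNEL, low_mem);
}
static bool decompress_patched(struct task *t, bool low_mem) {
    unsigned saved = model_noio_save(t);
    bool hung = map_pages_hangs(t, M_GFP_KERNEL, low_mem);
    model_noio_restore(t, saved);   /* always restore the caller's state */
    return hung;
}

int main(void) {
    struct task t = { 0, true };
    printf("unpatched hangs: %d\n", decompress_unpatched(&t, true));
    printf("patched hangs:   %d\n", decompress_patched(&t, true));
    return 0;
}
```

The save/restore pair returns and reinstates the previous flag state, so a caller that is already inside a NOIO scope stays in it after the inner restore.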

Added: Apr 22, 2026, 3:30 PM
Updated: Apr 22, 2026, 3:30 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 6.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.