[SRU][J][PATCH 0/1] CVE-2024-53090

Alessio Faina alessio.faina at canonical.com
Mon Oct 20 08:15:34 UTC 2025 

https://ubuntu.com/security/CVE-2024-53090

[ Impact ]

afs: Fix lock recursion
afs_wake_up_async_call() can incur lock recursion.  The problem is that it
is called from AF_RXRPC whilst holding the ->notify_lock, but it tries to
take a ref on the afs_call struct in order to pass it to a work queue - but
if the afs_call is already queued, we then have an extraneous ref that must
be put... calling afs_put_call() may call back down into AF_RXRPC through
rxrpc_kernel_shutdown_call(), however, which might try taking the
->notify_lock again.

This case isn't very common, however, so defer it to a workqueue.  The oops
looks something like:

  BUG: spinlock recursion on CPU#0, krxrpcio/7001/1646
   lock: 0xffff888141399b30, .magic: dead4ead, .owner: krxrpcio/7001/1646, .owner_cpu: 0
  CPU: 0 UID: 0 PID: 1646 Comm: krxrpcio/7001 Not tainted 6.12.0-rc2-build3+ #4351
  Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
  Call Trace:
   <TASK>
   dump_stack_lvl+0x47/0x70
   do_raw_spin_lock+0x3c/0x90
   rxrpc_kernel_shutdown_call+0x83/0xb0
   afs_put_call+0xd7/0x180
   rxrpc_notify_socket+0xa0/0x190
   rxrpc_input_split_jumbo+0x198/0x1d0
   rxrpc_input_data+0x14b/0x1e0
   ? rxrpc_input_call_packet+0xc2/0x1f0
   rxrpc_input_call_event+0xad/0x6b0
   rxrpc_input_packet_on_conn+0x1e1/0x210
   rxrpc_input_packet+0x3f2/0x4d0
   rxrpc_io_thread+0x243/0x410
   ? __pfx_rxrpc_io_thread+0x10/0x10
   kthread+0xcf/0xe0
   ? __pfx_kthread+0x10/0x10
   ret_from_fork+0x24/0x40
   ? __pfx_kthread+0x10/0x10
   ret_from_fork_asm+0x1a/0x30
   </TASK>

[ Fix ]

Backport the following commit from upstream:
 - 610a79ffea02102899a1373fe226d949944a7ed6: "afs: Fix lock recursion"

Plucky:   Not affected
Noble:    Not affected
Jammy:    Backported from upstream
Focal:    Fixed separately
Bionic:   Fixed separately
Xenial:   Not affected
Trusty:   Not affected

[ Test Plan ]

Compile and boot tested only.

[ Regression Potential ]

The CVE patch was taking for granted some modifications to be present so
some context changes were needed; the modificatins were not too
important, the regression potential can be considered low.


David Howells (1):
  afs: Fix lock recursion

 fs/afs/internal.h |  2 ++
 fs/afs/rxrpc.c    | 78 ++++++++++++++++++++++++++++++++++-------------
 2 files changed, 58 insertions(+), 22 deletions(-)

-- 
2.43.0

More information about the kernel-team mailing list