cve/2024/CVE-2024-53052.md

### [CVE-2024-53052](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53052)
![](https://img.shields.io/static/v1?label=Product&message=Linux&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=2b188cc1bb857a9d4701ae59aa7768b5124e262e%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=5.1%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=blue)

### Description

In the Linux kernel, the following vulnerability has been resolved:io_uring/rw: fix missing NOWAIT check for O_DIRECT start writeWhen io_uring starts a write, it'll call kiocb_start_write() to bump thesuper block rwsem, preventing any freezes from happening while thatwrite is in-flight. The freeze side will grab that rwsem for writing,excluding any new writers from happening and waiting for existing writesto finish. But io_uring unconditionally uses kiocb_start_write(), whichwill block if someone is currently attempting to freeze the mount point.This causes a deadlock where freeze is waiting for previous writes tocomplete, but the previous writes cannot complete, as the task that issupposed to complete them is blocked waiting on starting a new write.This results in the following stuck trace showing that dependency withthe write blocked starting a new write:task:fio             state:D stack:0     pid:886   tgid:886   ppid:876Call trace: __switch_to+0x1d8/0x348 __schedule+0x8e8/0x2248 schedule+0x110/0x3f0 percpu_rwsem_wait+0x1e8/0x3f8 __percpu_down_read+0xe8/0x500 io_write+0xbb8/0xff8 io_issue_sqe+0x10c/0x1020 io_submit_sqes+0x614/0x2110 __arm64_sys_io_uring_enter+0x524/0x1038 invoke_syscall+0x74/0x268 el0_svc_common.constprop.0+0x160/0x238 do_el0_svc+0x44/0x60 el0_svc+0x44/0xb0 el0t_64_sync_handler+0x118/0x128 el0t_64_sync+0x168/0x170INFO: task fsfreeze:7364 blocked for more than 15 seconds.      Not tainted 6.12.0-rc5-00063-g76aaf945701c #7963with the attempting freezer stuck trying to grab the rwsem:task:fsfreeze        state:D stack:0     pid:7364  tgid:7364  ppid:995Call trace: __switch_to+0x1d8/0x348 __schedule+0x8e8/0x2248 schedule+0x110/0x3f0 percpu_down_write+0x2b0/0x680 freeze_super+0x248/0x8a8 do_vfs_ioctl+0x149c/0x1b18 __arm64_sys_ioctl+0xd0/0x1a0 invoke_syscall+0x74/0x268 el0_svc_common.constprop.0+0x160/0x238 do_el0_svc+0x44/0x60 el0_svc+0x44/0xb0 el0t_64_sync_handler+0x118/0x128 el0t_64_sync+0x168/0x170Fix this by having the io_uring side honor IOCB_NOWAIT, and only attempt ablocking grab of the super block rwsem if it isn't set. For normal issuewhere IOCB_NOWAIT would always be set, this returns -EAGAIN which willhave io_uring core issue a blocking attempt of the write. That will inturn also get completions run, ensuring forward progress.Since freezing requires CAP_SYS_ADMIN in the first place, this isn'tsomething that can be triggered by a regular user.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/w4zu/Debian_security
Update CVE list 2025-09-29 21:09 2025-09-29 21:09:30 +02:00			`### [CVE-2024-53052](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53052)`
			`![](https://img.shields.io/static/v1?label=Product&message=Linux&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=&color=brightgreen)`
			`![](https://img.shields.io/static/v1?label=Version&message=2b188cc1bb857a9d4701ae59aa7768b5124e262e%20&color=brightgreen)`
			`![](https://img.shields.io/static/v1?label=Version&message=5.1%20&color=brightgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=blue)`

			`### Description`

			In the Linux kernel, the following vulnerability has been resolved:io_uring/rw: fix missing NOWAIT check for O_DIRECT start writeWhen io_uring starts a write, it'll call kiocb_start_write() to bump thesuper block rwsem, preventing any freezes from happening while thatwrite is in-flight. The freeze side will grab that rwsem for writing,excluding any new writers from happening and waiting for existing writesto finish. But io_uring unconditionally uses kiocb_start_write(), whichwill block if someone is currently attempting to freeze the mount point.This causes a deadlock where freeze is waiting for previous writes tocomplete, but the previous writes cannot complete, as the task that issupposed to complete them is blocked waiting on starting a new write.This results in the following stuck trace showing that dependency withthe write blocked starting a new write:task:fio state:D stack:0 pid:886 tgid:886 ppid:876Call trace: __switch_to+0x1d8/0x348 __schedule+0x8e8/0x2248 schedule+0x110/0x3f0 percpu_rwsem_wait+0x1e8/0x3f8 __percpu_down_read+0xe8/0x500 io_write+0xbb8/0xff8 io_issue_sqe+0x10c/0x1020 io_submit_sqes+0x614/0x2110 __arm64_sys_io_uring_enter+0x524/0x1038 invoke_syscall+0x74/0x268 el0_svc_common.constprop.0+0x160/0x238 do_el0_svc+0x44/0x60 el0_svc+0x44/0xb0 el0t_64_sync_handler+0x118/0x128 el0t_64_sync+0x168/0x170INFO: task fsfreeze:7364 blocked for more than 15 seconds. Not tainted 6.12.0-rc5-00063-g76aaf945701c #7963with the attempting freezer stuck trying to grab the rwsem:task:fsfreeze state:D stack:0 pid:7364 tgid:7364 ppid:995Call trace: __switch_to+0x1d8/0x348 __schedule+0x8e8/0x2248 schedule+0x110/0x3f0 percpu_down_write+0x2b0/0x680 freeze_super+0x248/0x8a8 do_vfs_ioctl+0x149c/0x1b18 __arm64_sys_ioctl+0xd0/0x1a0 invoke_syscall+0x74/0x268 el0_svc_common.constprop.0+0x160/0x238 do_el0_svc+0x44/0x60 el0_svc+0x44/0xb0 el0t_64_sync_handler+0x118/0x128 el0t_64_sync+0x168/0x170Fix this by having the io_uring side honor IOCB_NOWAIT, and only attempt ablocking grab of the super block rwsem if it isn't set. For normal issuewhere IOCB_NOWAIT would always be set, this returns -EAGAIN which willhave io_uring core issue a blocking attempt of the write. That will inturn also get completions run, ensuring forward progress.Since freezing requires CAP_SYS_ADMIN in the first place, this isn'tsomething that can be triggered by a regular user.

			`### POC`

			`#### Reference`
			`No PoCs from references.`

			`#### Github`
			`- https://github.com/w4zu/Debian_security`