
PUBLISHED

CVE-2022-49767

9p/trans_fd: always use O_NONBLOCK read/write

Description

In the Linux kernel, the following vulnerability has been resolved:

9p/trans_fd: always use O_NONBLOCK read/write

syzbot is reporting a hung task at p9_fd_close() [1], for p9_mux_poll_stop() from p9_conn_destroy() from p9_fd_close() is failing to interrupt already started kernel_read() from p9_fd_read() from p9_read_work() and/or kernel_write() from p9_fd_write() from p9_write_work() requests.

Since p9_socket_open() sets the O_NONBLOCK flag, p9_mux_poll_stop() does not need to interrupt kernel_read()/kernel_write(). However, since p9_fd_open() does not set the O_NONBLOCK flag, but a pipe blocks unless a signal is pending, p9_mux_poll_stop() needs to interrupt kernel_read()/kernel_write() when the file descriptor refers to a pipe. In other words, a pipe file descriptor needs to be handled as if it were a socket file descriptor.

We somehow need to interrupt kernel_read()/kernel_write() on pipes. A minimal change, which this patch is doing, is to set the O_NONBLOCK flag from p9_fd_open(), for the O_NONBLOCK flag does not affect reading/writing of regular files. But this approach changes the O_NONBLOCK flag on userspace-supplied file descriptors (which might break userspace programs), and the O_NONBLOCK flag could be changed by userspace. It would be possible to set the O_NONBLOCK flag every time p9_fd_read()/p9_fd_write() is invoked, but a small race window for clearing the O_NONBLOCK flag still remains.

If we don't want to manipulate the O_NONBLOCK flag, we might be able to surround kernel_read()/kernel_write() with set_thread_flag(TIF_SIGPENDING) and recalc_sigpending(). Since the p9_read_work()/p9_write_work() works are processed by kernel threads which process the global system_wq workqueue, signals could not be delivered from remote threads when p9_mux_poll_stop() from p9_conn_destroy() from p9_fd_close() is called. Therefore, calling set_thread_flag(TIF_SIGPENDING)/recalc_sigpending() every time would be needed if we count on signals for making kernel_read()/kernel_write() non-blocking.

[Dominique: add comment at Christian's suggestion]
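The fix above rests on two facts about pipe file descriptors: a read() on an empty pipe with O_NONBLOCK set fails with EAGAIN instead of sleeping, and the flag lives on the descriptor, where userspace can set or clear it at any time. The following userspace program is an added illustration of exactly those two facts; it is not part of the CVE record or of the kernel patch, and the function names and the constructed "9p" payload are the author's own.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
/* Set or clear O_NONBLOCK on fd via fcntl(); 0 on success, -1 on error. */
static int set_nonblock(int fd, int on)
{
    int flags = fcntl(fd, F_GETFL);
    if (flags < 0)
        return -1;
    flags = on ? (flags | O_NONBLOCK) : (flags & ~O_NONBLOCK);
    return fcntl(fd, F_SETFL, flags);
}

/* 1 if read() on an empty O_NONBLOCK pipe fails with EAGAIN instead of
 * blocking (what the fix relies on); 0 otherwise; -1 on setup error. */
int empty_pipe_read_is_nonblocking(void)
{
    int fds[2], result = 0;
    char buf[8];
    if (pipe(fds) < 0 || set_nonblock(fds[0], 1) < 0)
        return -1;
    errno = 0;
    if (read(fds[0], buf, sizeof buf) == -1 && errno == EAGAIN)
        result = 1;
    close(fds[0]); close(fds[1]);
    return result;
}

/* 1 if queued data is read normally in O_NONBLOCK mode and the flag can be
 * cleared again afterwards (the commit's caveat: userspace may change it). */
int nonblock_flag_is_mutable(void)
{
    int fds[2], flags, result = 0;
    char buf[8];
    if (pipe(fds) < 0 || set_nonblock(fds[0], 1) < 0)
        return -1;
    /* constructed payload: two bytes written by the "peer" end of the pipe */
    if (write(fds[1], "9p", 2) == 2 && read(fds[0], buf, sizeof buf) == 2 &&
        set_nonblock(fds[0], 0) == 0) {
        flags = fcntl(fds[0], F_GETFL);
        result = (flags >= 0 && !(flags & O_NONBLOCK)) ? 1 : 0;
    }
    close(fds[0]); close(fds[1]);
    return result;
}
int main(void)
{
    printf("%d %d\n", empty_pipe_read_is_nonblocking(), nonblock_flag_is_mutable());
    return 0;
}
```

Both checks print 1 on Linux; the second one is the reason the commit message calls a once-only fcntl() in p9_fd_open() a minimal fix rather than a complete one.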

Reserved 2025-04-16 | Published 2025-05-01 | Updated 2025-05-04 | Assigner Linux

Product status

By git commit (default status: unaffected)

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 0b5e6bd72b8171364616841603a70e4ba9837063: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 9f8554615df668e4bf83294633ee9d232b28ce45: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 7abf40f06a76c0dff42eada10597917e9776fbd4: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before b1ad04da7fe4515e2ce2d5f2dcab3b5b6d45614b: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before a8e2fc8f7b41fa9d9ca5f624f4e4d34fce5b40a9: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 0e07032b4b4724b8ad1003698cb81083c1818999: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 5af16182c5639349415118e9e9aecd8355f7a08b: affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before ef575281b21e9a34dfae544a187c6aac2ae424a9: affected

By kernel version (default status: affected)

4.9.334: unaffected
4.14.300: unaffected
4.19.267: unaffected
5.4.225: unaffected
5.10.156: unaffected
5.15.80: unaffected
6.0.10: unaffected
6.1: unaffected

References

git.kernel.org/...c/0b5e6bd72b8171364616841603a70e4ba9837063

git.kernel.org/...c/9f8554615df668e4bf83294633ee9d232b28ce45

git.kernel.org/...c/7abf40f06a76c0dff42eada10597917e9776fbd4

git.kernel.org/...c/b1ad04da7fe4515e2ce2d5f2dcab3b5b6d45614b

git.kernel.org/...c/a8e2fc8f7b41fa9d9ca5f624f4e4d34fce5b40a9

git.kernel.org/...c/0e07032b4b4724b8ad1003698cb81083c1818999

git.kernel.org/...c/5af16182c5639349415118e9e9aecd8355f7a08b

git.kernel.org/...c/ef575281b21e9a34dfae544a187c6aac2ae424a9

cve.org (CVE-2022-49767)

nvd.nist.gov (CVE-2022-49767)

https://cve.threatint.eu/CVE/CVE-2022-49767