Bug 2400692 (CVE-2023-53461)

Summary: CVE-2023-53461 kernel: Linux kernel: Denial of Service in io_uring due to hung task detection
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was identified in the Linux kernel’s io_uring subsystem related to how request completions are handled when an io_uring instance exits. During cleanup, the function io_ring_exit_work was waiting in an uninterruptible state for request completions. Under certain test and signal conditions (e.g., when the owning task is parked via SIGSTOP), this could block making progress on completions and trigger the kernel’s hung task detection mechanism, potentially leading to system instability or panic on systems configured with panic_on_hung_task.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-10-01 12:01:56 UTC 
In the Linux kernel, the following vulnerability has been resolved:

io_uring: wait interruptibly for request completions on exit

WHen the ring exits, cleanup is done and the final cancelation and
waiting on completions is done by io_ring_exit_work. That function is
invoked by kworker, which doesn't take any signals. Because of that, it
doesn't really matter if we wait for completions in TASK_INTERRUPTIBLE
or TASK_UNINTERRUPTIBLE state. However, it does matter to the hung task
detection checker!

Normally we expect cancelations and completions to happen rather
quickly. Some test cases, however, will exit the ring and park the
owning task stopped (eg via SIGSTOP). If the owning task needs to run
task_work to complete requests, then io_ring_exit_work won't make any
progress until the task is runnable again. Hence io_ring_exit_work can
trigger the hung task detection, which is particularly problematic if
panic-on-hung-task is enabled.

As the ring exit doesn't take signals to begin with, have it wait
interruptibly rather than uninterruptibly. io_uring has a separate
stuck-exit warning that triggers independently anyway, so we're not
really missing anything by making this switch.
Comment 1 Jon Moroney 2025-10-01 23:48:29 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025100106-CVE-2023-53461-b02b@gregkh/T