In the Linux kernel, the following vulnerability has been resolved:
io_uring: fix link timeout refs
WARNING: CPU: 0 PID: 10242 at lib/refcount.c:28 refcountwarnsaturate+0x15b/0x1a0 lib/refcount.c:28 RIP: 0010:refcountwarnsaturate+0x15b/0x1a0 lib/refcount.c:28 Call Trace: __refcountsuband_test include/linux/refcount.h:283 [inline] __refcountdecand_test include/linux/refcount.h:315 [inline] refcountdecandtest include/linux/refcount.h:333 [inline] ioputreq fs/iouring.c:2140 [inline] ioqueuelinkedtimeout fs/iouring.c:6300 [inline] __ioqueuesqe+0xbef/0xec0 fs/io_uring.c:6354 iosubmitsqe fs/iouring.c:6534 [inline] iosubmitsqes+0x2bbd/0x7c50 fs/iouring.c:6660 __dosysio_uringenter fs/iouring.c:9240 [inline] _sesysiouringenter+0x256/0x1d60 fs/iouring.c:9182
iolinktimeoutfn() should put only one reference of the linked timeout request, however in case of racing with the master request's completion first ioreqcomplete() puts one and then ioputreqdeferred() is called.
[
{
"events": [
{
"introduced": "5.10.26"
},
{
"fixed": "5.10.43"
}
]
},
{
"events": [
{
"introduced": "5.10.44"
},
{
"fixed": "5.10.55"
}
]
},
{
"events": [
{
"introduced": "5.12"
},
{
"fixed": "5.12.10"
}
]
},
{
"events": [
{
"introduced": "5.12.11"
},
{
"fixed": "5.12.19"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.13-rc1"
}
]
}
]
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47124.json"