CVE-2023-53531

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-53531
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53531.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-53531
Published
2025-10-01T11:46:15Z
Modified
2025-10-21T17:27:45.418742Z
Summary
null_blk: fix poll request timeout handling
Details

In the Linux kernel, the following vulnerability has been resolved:

null_blk: fix poll request timeout handling

When doing io_uring benchmark on /dev/nullb0, it's easy to crash the kernel if a poll request timeout is triggered, as reported by David. [1]

BUG: kernel NULL pointer dereference, address: 0000000000000008
Workqueue: kblockd blk_mq_timeout_work
RIP: 0010:null_timeout_rq+0x4e/0x91
Call Trace:
 ? null_timeout_rq+0x4e/0x91
 blk_mq_handle_expired+0x31/0x4b
 bt_iter+0x68/0x84
 ? bt_tags_iter+0x81/0x81
 __sbitmap_for_each_set.constprop.0+0xb0/0xf2
 ? __blk_mq_complete_request_remote+0xf/0xf
 bt_for_each+0x46/0x64
 ? __blk_mq_complete_request_remote+0xf/0xf
 ? percpu_ref_get_many+0xc/0x2a
 blk_mq_queue_tag_busy_iter+0x14d/0x18e
 blk_mq_timeout_work+0x95/0x127
 process_one_work+0x185/0x263
 worker_thread+0x1b5/0x227

This is indeed a race problem between null_timeout_rq() and null_poll().

    null_poll()                                 null_timeout_rq()
      spin_lock(&nq->poll_lock)
      list_splice_init(&nq->poll_list, &list)
      spin_unlock(&nq->poll_lock)

      while (!list_empty(&list))
        req = list_first_entry()
        list_del_init()
        ...
        blk_mq_add_to_batch()
        // req->rq_next = NULL
                                                spin_lock(&nq->poll_lock)

                                                // rq->queuelist->next == NULL
                                                list_del_init(&rq->queuelist)

                                                spin_unlock(&nq->poll_lock)

Fix these problems by setting requests state to MQ_RQ_COMPLETE under nq->poll_lock protection, in which null_timeout_rq() can safely detect this race and early return.

Note this patch just fixes the kernel panic when a request timeout happens.

[1] https://lore.kernel.org/all/3893581.1691785261@warthog.procyon.org.uk/
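
The interleaving described above can be replayed deterministically in user space. This is an added example, not the kernel patch or driver code: the list helpers, `model_poll`, `model_timeout`, `replay` and the `RQ_*`/`TIMEOUT_*` names are assumptions made for the model, and locking is represented only by the fixed call order. It shows why the unfixed timeout path faults at a small offset from NULL and how checking the completion state first avoids it.

```c
#include <stdio.h>

/* User-space model of the interleaving above; names are illustrative. */
struct list_head { struct list_head *next, *prev; };
enum rq_state { RQ_IN_FLIGHT, RQ_COMPLETE };  /* stand-in for MQ_RQ_* states */
enum outcome { TIMEOUT_UNLINKED, TIMEOUT_SKIPPED, TIMEOUT_NULL_DEREF };
struct request {
    union {  /* the kernel's struct request overlays these two fields */
        struct list_head queuelist;
        struct request *rq_next;
    };
    enum rq_state state;
};
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h) {
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
static void list_del_init(struct list_head *e) {
    e->next->prev = e->prev; e->prev->next = e->next; list_init(e);
}

/* Poll side, up to the point where the request has joined the batch. */
static void model_poll(struct request *rq, int fixed) {
    if (fixed)
        rq->state = RQ_COMPLETE;    /* the fix: marked while poll_lock is held */
    list_del_init(&rq->queuelist);  /* driver does this after dropping the lock */
    rq->rq_next = NULL;             /* batching overwrites queuelist.next */
}

/* Timeout side; in the driver this body runs with poll_lock held. */
static enum outcome model_timeout(struct request *rq, int fixed) {
    if (fixed && rq->state == RQ_COMPLETE)
        return TIMEOUT_SKIPPED;         /* race detected, early return */
    if (rq->queuelist.next == NULL)     /* list_del_init() would now store to */
        return TIMEOUT_NULL_DEREF;      /* NULL + offset of list_head.prev    */
    list_del_init(&rq->queuelist);
    return TIMEOUT_UNLINKED;
}

/* race=1 replays poll then timeout on one request; race=0 is timeout alone. */
enum outcome replay(int race, int fixed) {
    struct list_head poll_list;
    struct request rq = { .state = RQ_IN_FLIGHT };
    list_init(&poll_list);
    list_add_tail(&rq.queuelist, &poll_list);
    if (race) model_poll(&rq, fixed);
    return model_timeout(&rq, fixed);
}
int main(void) { printf("unfixed=%d fixed=%d\n", replay(1, 0), replay(1, 1)); return 0; }
```

On a 64-bit build the `prev` member sits 8 bytes into `struct list_head`, which is consistent with the faulting address `0000000000000008` in the trace.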

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0a593fbbc245a85940ed34caa3aa1e4cb060c54b
Fixed
a0b4a0666beacfe8add9c71d8922475541dbae73
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0a593fbbc245a85940ed34caa3aa1e4cb060c54b
Fixed
a7cb2e709f2927cc3c76781df3e45de2381b3b9d
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0a593fbbc245a85940ed34caa3aa1e4cb060c54b
Fixed
5a26e45edb4690d58406178b5a9ea4c6dcf2c105

Affected versions

v5.*

v5.15
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.36
v6.1.37
v6.1.38
v6.1.39
v6.1.4
v6.1.40
v6.1.41
v6.1.42
v6.1.43
v6.1.44
v6.1.45
v6.1.46
v6.1.47
v6.1.48
v6.1.49
v6.1.5
v6.1.50
v6.1.51
v6.1.52
v6.1.53
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.5.1
v6.5.2
v6.5.3

Database specific

vanir_signatures

[
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5a26e45edb4690d58406178b5a9ea4c6dcf2c105",
        "target": {
            "function": "null_poll",
            "file": "drivers/block/null_blk/main.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "function_hash": "65980709049133529157460310363914274377",
            "length": 640.0
        },
        "id": "CVE-2023-53531-0b8b9710",
        "signature_type": "Function"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5a26e45edb4690d58406178b5a9ea4c6dcf2c105",
        "target": {
            "function": "null_timeout_rq",
            "file": "drivers/block/null_blk/main.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "function_hash": "46128675065097258766918862675661731119",
            "length": 469.0
        },
        "id": "CVE-2023-53531-59fccab8",
        "signature_type": "Function"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5a26e45edb4690d58406178b5a9ea4c6dcf2c105",
        "target": {
            "file": "drivers/block/null_blk/main.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "line_hashes": [],
            "threshold": 0.9
        },
        "id": "CVE-2023-53531-f3cc8222",
        "signature_type": "Line"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.54
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.5.4