CVE-2023-53360

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> NFSv4.2: Rework scratch handling for READ_PLUS (again)<br /> <br /> I found that the read code might send multiple requests using the same<br /> nfs_pgio_header, but nfs4_proc_read_setup() is only called once. This is<br /> how we ended up occasionally double-freeing the scratch buffer, but also<br /> means we set a NULL pointer but non-zero length to the xdr scratch<br /> buffer. This results in an oops the first time decoding needs to copy<br /> something to scratch, which frequently happens when decoding READ_PLUS<br /> hole segments.<br /> <br /> I fix this by moving scratch handling into the pageio read code. I<br /> provide a function to allocate scratch space for decoding read replies,<br /> and free the scratch buffer when the nfs_pgio_header is freed.