CVE-2023-53366

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> block: be a bit more careful in checking for NULL bdev while polling<br /> <br /> Wei reports a crash with an application using polled IO:<br /> <br /> PGD 14265e067 P4D 14265e067 PUD 47ec50067 PMD 0<br /> Oops: 0000 [#1] SMP<br /> CPU: 0 PID: 21915 Comm: iocore_0 Kdump: loaded Tainted: G S 5.12.0-0_fbk12_clang_7346_g1bb6f2e7058f #1<br /> Hardware name: Wiwynn Delta Lake MP T8/Delta Lake-Class2, BIOS Y3DLM08 04/10/2022<br /> RIP: 0010:bio_poll+0x25/0x200<br /> Code: 0f 1f 44 00 00 0f 1f 44 00 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 28 65 48 8b 04 25 28 00 00 00 48 89 44 24 20 48 8b 47 08 8b 80 70 02 00 00 4c 8b 70 50 8b 6f 34 31 db 83 fd ff 75 25 65<br /> RSP: 0018:ffffc90005fafdf8 EFLAGS: 00010292<br /> RAX: 0000000000000000 RBX: 0000000000000000 RCX: 74b43cd65dd66600<br /> RDX: 0000000000000003 RSI: ffffc90005fafe78 RDI: ffff8884b614e140<br /> RBP: ffff88849964df78 R08: 0000000000000000 R09: 0000000000000008<br /> R10: 0000000000000000 R11: 0000000000000000 R12: ffff88849964df00<br /> R13: ffffc90005fafe78 R14: ffff888137d3c378 R15: 0000000000000001<br /> FS: 00007fd195000640(0000) GS:ffff88903f400000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000000000270 CR3: 0000000466121001 CR4: 00000000007706f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> PKRU: 55555554<br /> Call Trace:<br /> iocb_bio_iopoll+0x1d/0x30<br /> io_do_iopoll+0xac/0x250<br /> __se_sys_io_uring_enter+0x3c5/0x5a0<br /> ? __x64_sys_write+0x89/0xd0<br /> do_syscall_64+0x2d/0x40<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> RIP: 0033:0x94f225d<br /> Code: 24 cc 00 00 00 41 8b 84 24 d0 00 00 00 c1 e0 04 83 e0 10 41 09 c2 8b 33 8b 53 04 4c 8b 43 18 4c 63 4b 0c b8 aa 01 00 00 0f 05 c0 0f 88 85 00 00 00 29 03 45 84 f6 0f 84 88 00 00 00 41 f6 c7<br /> RSP: 002b:00007fd194ffcd88 EFLAGS: 00000202 ORIG_RAX: 00000000000001aa<br /> RAX: ffffffffffffffda RBX: 00007fd194ffcdc0 RCX: 00000000094f225d<br /> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000007<br /> RBP: 00007fd194ffcdb0 R08: 0000000000000000 R09: 0000000000000008<br /> R10: 0000000000000001 R11: 0000000000000202 R12: 00007fd269d68030<br /> R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000<br /> <br /> which is due to bio-&gt;bi_bdev being NULL. This can happen if we have two<br /> tasks doing polled IO, and task B ends up completing IO from task A if<br /> they are sharing a poll queue. If task B completes the IO and puts the<br /> bio into our cache, then it can allocate that bio again before task A<br /> is done polling for it. As that would necessitate a preempt between the<br /> two tasks, it&amp;#39;s enough to just be a bit more careful in checking for<br /> whether or not bio-&gt;bi_bdev is NULL.