CVE-2023-53419

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 18/09/2025
Last modified: 19/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

rcu: Protect rcu_print_task_exp_stall() ->exp_tasks access

For kernels built with CONFIG_PREEMPT_RCU=y, the following scenario can
result in a NULL-pointer dereference:

    CPU1                                           CPU2
    rcu_preempt_deferred_qs_irqrestore             rcu_print_task_exp_stall
      if (special.b.blocked)                         READ_ONCE(rnp->exp_tasks) != NULL
        raw_spin_lock_rcu_node
        np = rcu_next_node_entry(t, rnp)
        if (&t->rcu_node_entry == rnp->exp_tasks)
          WRITE_ONCE(rnp->exp_tasks, np)
          ....
          raw_spin_unlock_irqrestore_rcu_node
                                                     raw_spin_lock_irqsave_rcu_node
                                                     t = list_entry(rnp->exp_tasks->prev,
                                                                    struct task_struct, rcu_node_entry)
                                                     (if rnp->exp_tasks is NULL, this
                                                      will dereference a NULL pointer)

The problem is that CPU2 accesses the rcu_node structure's ->exp_tasks
field without holding the rcu_node structure's ->lock and CPU2 did
not observe CPU1's change to rcu_node structure's ->exp_tasks in time.
Therefore, if CPU1 sets rcu_node structure's ->exp_tasks pointer to NULL,
then CPU2 might dereference that NULL pointer.

This commit therefore holds the rcu_node structure's ->lock while
accessing that structure's ->exp_tasks field.

[ paulmck: Apply Frederic Weisbecker feedback. ]
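The check-then-dereference window from the commit message, replayed deterministically in userspace C. This is an added example, not code from the kernel or from the commit: `struct node`, the `atomic_flag` spinlock helpers, `cpu1_dequeue_last`, `stall_check_unlocked` and `stall_check_locked` are hypothetical stand-ins, and the `race` callback plays CPU1 at the point where the interleaving occurs.

```c
#include <stdatomic.h>
#include <stddef.h>
/* Userspace model, hypothetical names: struct node stands in for rcu_node,
 * the atomic_flag spinlock for its ->lock, exp_tasks for ->exp_tasks. */
struct list_head { struct list_head *next, *prev; };
struct node { atomic_flag lock; struct list_head *exp_tasks; };
enum outcome { NO_TASKS, PRINTED, NULL_DEREF };
static void node_lock(struct node *n)   { while (atomic_flag_test_and_set(&n->lock)) ; }
static void node_unlock(struct node *n) { atomic_flag_clear(&n->lock); }

/* CPU1: the last blocked task leaves; exp_tasks becomes NULL under the lock. */
static void cpu1_dequeue_last(struct node *n)
{
    node_lock(n); n->exp_tasks = NULL; node_unlock(n);
}

/* Pre-fix shape: lockless check whose result is trusted after locking.
 * race() is CPU1 running in the window between the check and the lock. */
static enum outcome stall_check_unlocked(struct node *n, void (*race)(struct node *))
{
    if (n->exp_tasks == NULL) return NO_TASKS;  /* READ_ONCE() without ->lock */
    if (race) race(n);
    node_lock(n);
    /* The kernel evaluates exp_tasks->prev here; the model reports instead. */
    enum outcome r = n->exp_tasks ? PRINTED : NULL_DEREF;
    node_unlock(n);
    return r;
}

/* Fixed shape: check and dereference share one critical section, so CPU1
 * can only run before the lock is taken or after it is dropped. */
static enum outcome stall_check_locked(struct node *n, void (*race)(struct node *))
{
    enum outcome r = NO_TASKS;
    if (race) race(n);
    node_lock(n);
    if (n->exp_tasks != NULL && n->exp_tasks->prev != NULL) r = PRINTED;
    node_unlock(n);
    return r;
}

int main(void)
{
    struct list_head task = { &task, &task };  /* constructed one-entry list */
    struct node n = { ATOMIC_FLAG_INIT, &task };
    enum outcome old = stall_check_unlocked(&n, cpu1_dequeue_last);
    n.exp_tasks = &task;
    return !(old == NULL_DEREF && stall_check_locked(&n, cpu1_dequeue_last) == NO_TASKS);
}
```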

Impact