CVE-2023-53440

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
18/09/2025
Last modified:
19/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix sysfs interface lifetime

The current nilfs2 sysfs support has issues with the timing of creation and deletion of sysfs entries, potentially leading to null pointer dereferences, use-after-free, and lockdep warnings.

Some of the sysfs attributes for nilfs2 per-filesystem instance refer to metadata file "cpfile", "sufile", or "dat", but nilfs_sysfs_create_device_group that creates those attributes is executed before the inodes for these metadata files are loaded, and nilfs_sysfs_delete_device_group which deletes these sysfs entries is called after releasing their metadata file inodes.

Therefore, access to some of these sysfs attributes may occur outside of the lifetime of these metadata files, resulting in inode NULL pointer dereferences or use-after-free.

In addition, the call to nilfs_sysfs_create_device_group() is made during the locking period of the semaphore "ns_sem" of nilfs object, so the shrinker call caused by the memory allocation for the sysfs entries, may derive lock dependencies "ns_sem" -> (shrinker) -> "locks acquired in nilfs_evict_inode()".

Since nilfs2 may acquire "ns_sem" deep in the call stack holding other locks via its error handler __nilfs_error(), this causes lockdep to report circular locking. This is a false positive and no circular locking actually occurs as no inodes exist yet when nilfs_sysfs_create_device_group() is called. Fortunately, the lockdep warnings can be resolved by simply moving the call to nilfs_sysfs_create_device_group() out of "ns_sem".

This fixes these sysfs issues by revising where the device's sysfs interface is created/deleted and keeping its lifetime within the lifetime of the metadata files above.
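The ordering problem the commit message describes can be modelled in user space. The following is an added example, not nilfs2 code or any part of the kernel fix: it is a constructed state-machine model in which a sysfs show() callback reads a metadata-file inode, and the two mount/unmount orderings are stepped through to count how many steps leave the attribute reachable while the inode is not alive. All names (struct dev_model, mdt_inode, count_unsafe_windows and the step functions) are hypothetical, the "alive" detection via a NULL pointer is a stand-in for what is a NULL dereference or use-after-free in the real driver, and the lockdep/ns_sem part of the fix is not modelled.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed model of the sysfs lifetime bug (hypothetical names, not
 * nilfs2's own symbols). The real kernel has no "alive" check: the show()
 * callback just dereferences the inode pointer.
 */
struct mdt_inode {
    unsigned long nblocks;
};

struct dev_model {
    struct mdt_inode *cpfile;   /* valid only between load and release */
    int sysfs_live;             /* attribute group registered (stands in for the kobject) */
};

enum { SHOW_OK = 0, SHOW_NO_ATTR = 1, SHOW_DEAD_INODE = 2 };

/* Model of a sysfs show() callback that reads cpfile. In the real driver the
 * SHOW_DEAD_INODE case is a NULL dereference (before load) or a use-after-free
 * (after release); the model reports it instead of crashing. */
static int cpfile_blocks_show(const struct dev_model *d, char *buf, size_t len)
{
    if (!d->sysfs_live)
        return SHOW_NO_ATTR;        /* file not visible, nothing to read */
    if (!d->cpfile)
        return SHOW_DEAD_INODE;     /* attribute visible, inode not alive */
    snprintf(buf, len, "%lu\n", d->cpfile->nblocks);
    return SHOW_OK;
}

static void load_metadata(struct dev_model *d)
{
    d->cpfile = calloc(1, sizeof(*d->cpfile));
    d->cpfile->nblocks = 1234;      /* constructed sample value */
}

static void release_metadata(struct dev_model *d)
{
    free(d->cpfile);
    d->cpfile = NULL;   /* real code keeps a dangling pointer; that is the UAF */
}

static void create_device_group(struct dev_model *d) { d->sysfs_live = 1; }
static void delete_device_group(struct dev_model *d) { d->sysfs_live = 0; }

/*
 * Walk a mount/unmount sequence and count the steps after which a concurrent
 * reader of the sysfs file would hit a dead inode. fixed=0 is the ordering the
 * commit message describes (create before load, delete after release);
 * fixed=1 keeps the sysfs lifetime strictly inside the metadata lifetime.
 */
int count_unsafe_windows(int fixed)
{
    typedef void (*step_fn)(struct dev_model *);
    step_fn buggy[] = { create_device_group, load_metadata,
                        release_metadata, delete_device_group };
    step_fn good[]  = { load_metadata, create_device_group,
                        delete_device_group, release_metadata };
    step_fn *seq = fixed ? good : buggy;
    struct dev_model d = { 0 };
    char buf[32];
    int unsafe = 0;
    int i;

    for (i = 0; i < 4; i++) {
        seq[i](&d);
        /* a reader of the sysfs attribute could run at this point */
        if (cpfile_blocks_show(&d, buf, sizeof buf) == SHOW_DEAD_INODE)
            unsafe++;
    }
    return unsafe;
}

int main(void)
{
    printf("original ordering: %d unsafe window(s)\n", count_unsafe_windows(0));
    printf("fixed ordering:    %d unsafe window(s)\n", count_unsafe_windows(1));
    return 0;
}
```

The original ordering yields two windows (after the group is created but before cpfile is loaded, and after cpfile is released but before the group is deleted); the fixed ordering yields none, which is the invariant the commit restores: the sysfs interface must be created after the metadata inodes exist and deleted before they are dropped.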

Impact