CVE-2023-53608

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
04/10/2025
Last modified:
06/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread()

The finalization of nilfs_segctor_thread() can race with
nilfs_segctor_kill_thread() which terminates that thread, potentially
causing a use-after-free BUG as KASAN detected.

At the end of nilfs_segctor_thread(), it assigns NULL to "sc_task" member
of "struct nilfs_sc_info" to indicate the thread has finished, and then
notifies nilfs_segctor_kill_thread() of this using waitqueue
"sc_wait_task" on the struct nilfs_sc_info.

However, here, immediately after the NULL assignment to "sc_task", it is
possible that nilfs_segctor_kill_thread() will detect it and return to
continue the deallocation, freeing the nilfs_sc_info structure before the
thread does the notification.

This fixes the issue by protecting the NULL assignment to "sc_task" and
its notification, with spinlock "sc_state_lock" of the struct
nilfs_sc_info. Since nilfs_segctor_kill_thread() does a final check to
see if "sc_task" is NULL with "sc_state_lock" locked, this can eliminate
the race.
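The race the description walks through, as an added illustration that is not kernel code and not part of the advisory: a small C model that reduces the two paths to their lock, store, wake-up, wait and free steps and exhaustively searches every interleaving for a touch of the nilfs_sc_info structure after it has been freed. The pre-fix ordering in the exiting thread (drop sc_state_lock, store NULL to sc_task, wake_up on sc_wait_task) is an assumption drawn from the description; the killer's retry loop is collapsed to a single pass and its wake-up of the daemon is omitted, since neither affects the outcome. A third variant, a killer that frees right after wait_event() without re-taking the lock, is also modelled to show why the description stresses the locked final check of sc_task.

```c
/*
 * Exhaustive interleaving model of the nilfs2 segctor shutdown race.
 * Added illustration, not kernel code: thread 0 is nilfs_segctor_thread()
 * finishing, thread 1 is nilfs_segctor_kill_thread() plus the kfree() that
 * its caller performs afterwards. Every interleaving is searched for a
 * dereference of "sci" after the free.
 */
#include <stdbool.h>
#include <stdio.h>

enum op {
    LOCK,       /* spin_lock(&sci->sc_state_lock) */
    UNLOCK,     /* spin_unlock(&sci->sc_state_lock) */
    SET_NULL,   /* sci->sc_task = NULL */
    WAKE,       /* wake_up(&sci->sc_wait_task) */
    WAIT_NULL,  /* wait_event(sci->sc_wait_task, sci->sc_task == NULL) */
    FREE        /* kfree(sci) */
};

struct path {
    const enum op *ops;
    int n;
};

struct state {
    int pc[2];    /* next step of thread 0 (segctor) and thread 1 (killer) */
    int owner;    /* -1: sc_state_lock is free, else index of the holder */
    bool task;    /* sci->sc_task != NULL */
    bool freed;   /* sci has been freed */
};

#define LEN(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Depth-first search over all interleavings; true if any touches sci after free. */
static bool explore(const struct path p[2], struct state s)
{
    for (int t = 0; t < 2; t++) {
        if (s.pc[t] >= p[t].n)
            continue;
        enum op o = p[t].ops[s.pc[t]];

        /* Every step except the free itself dereferences sci. */
        if (s.freed && o != FREE)
            return true;

        /* Steps that cannot run in this state are simply not scheduled. */
        if (o == LOCK && s.owner != -1)
            continue;
        if (o == UNLOCK && s.owner != t)
            continue;
        if (o == WAIT_NULL && s.task)
            continue;

        struct state next = s;
        next.pc[t]++;
        switch (o) {
        case LOCK:     next.owner = t;    break;
        case UNLOCK:   next.owner = -1;   break;
        case SET_NULL: next.task = false; break;
        case FREE:     next.freed = true; break;
        default:                          break;
        }
        if (explore(p, next))
            return true;
    }
    return false;
}

/*
 * fixed_thread: the exiting thread holds sc_state_lock across the NULL store
 * and the wake_up (the fix) instead of dropping it first (assumed pre-fix order).
 * killer_relocks: the killer re-takes sc_state_lock and rechecks sc_task after
 * wait_event() before its caller frees sci (as the description says it does).
 */
static bool race_reachable(bool fixed_thread, bool killer_relocks)
{
    static const enum op thread_prefix[] = { LOCK, UNLOCK, SET_NULL, WAKE };
    static const enum op thread_fixed[]  = { LOCK, SET_NULL, WAKE, UNLOCK };
    static const enum op killer_relock[] = { LOCK, UNLOCK, WAIT_NULL, LOCK, UNLOCK, FREE };
    static const enum op killer_direct[] = { LOCK, UNLOCK, WAIT_NULL, FREE };

    struct path p[2] = {
        { fixed_thread ? thread_fixed : thread_prefix, LEN(thread_fixed) },
        { killer_relocks ? killer_relock : killer_direct,
          killer_relocks ? LEN(killer_relock) : LEN(killer_direct) },
    };
    struct state start = { { 0, 0 }, -1, true, false };
    return explore(p, start);
}

int main(void)
{
    printf("pre-fix thread, locked recheck:    UAF %s\n",
           race_reachable(false, true) ? "reachable" : "unreachable");
    printf("fixed thread,   locked recheck:    UAF %s\n",
           race_reachable(true, true) ? "reachable" : "unreachable");
    printf("fixed thread,   no locked recheck: UAF %s\n",
           race_reachable(true, false) ? "reachable" : "unreachable");
    return 0;
}
```

The search finds the interleaving from the description for the pre-fix ordering (NULL store, killer passes wait_event, re-takes and drops the lock, frees, then the thread's wake_up touches freed memory) and none for the fixed ordering: once sc_task is NULL the thread still holds sc_state_lock until the wake_up is done, so the killer's locked recheck cannot proceed before the last access. The third variant shows the fix is only sufficient because of that locked recheck; a killer that freed immediately after wait_event() would still race, since wait_event() evaluates its condition without the lock.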

Impact