CVE-2023-53623

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
07/10/2025
Last modified:
08/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/swap: fix swap_info_struct race between swapoff and get_swap_pages()

The si->lock must be held when deleting the si from the available list.
Otherwise, another thread can re-add the si to the available list, which
can lead to memory corruption. The only place we have found where this
happens is in the swapoff path. This case can be described as below:

core 0                                  core 1
swapoff

del_from_avail_list(si)                 waiting

try lock si->lock                       acquire swap_avail_lock
                                        and re-add si into
                                        swap_avail_head

acquire si->lock but missing si already being added again, and continuing
to clear SWP_WRITEOK, etc.

It can be easily found that a massive number of warning messages can be
triggered inside get_swap_pages() by some special cases, for example, we
call madvise(MADV_PAGEOUT) on blocks of touched memory concurrently,
meanwhile, run many swapon-swapoff operations (e.g. stress-ng-swap).

However, in the worst case, a panic can be caused by the above scene. In
swapoff(), the memory used by si could be kept in swap_info[] after
turning off a swap. This means memory corruption will not be caused
immediately, but only once that memory is allocated and reset for a new
swap in the swapon path. A panic message caused (with CONFIG_PLIST_DEBUG
enabled):

------------[ cut here ]------------
top: 00000000e58a3003, n: 0000000013e75cda, p: 000000008cd4451a
prev: 0000000035b1e58a, n: 000000008cd4451a, p: 000000002150ee8d
next: 000000008cd4451a, n: 000000008cd4451a, p: 000000008cd4451a
WARNING: CPU: 21 PID: 1843 at lib/plist.c:60 plist_check_prev_next_node+0x50/0x70
Modules linked in: rfkill(E) crct10dif_ce(E)...
CPU: 21 PID: 1843 Comm: stress-ng Kdump: ... 5.10.134+
Hardware name: Alibaba Cloud ECS, BIOS 0.0.0 02/06/2015
pstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--)
pc : plist_check_prev_next_node+0x50/0x70
lr : plist_check_prev_next_node+0x50/0x70
sp : ffff0018009d3c30
x29: ffff0018009d3c40 x28: ffff800011b32a98
x27: 0000000000000000 x26: ffff001803908000
x25: ffff8000128ea088 x24: ffff800011b32a48
x23: 0000000000000028 x22: ffff001800875c00
x21: ffff800010f9e520 x20: ffff001800875c00
x19: ffff001800fdc6e0 x18: 0000000000000030
x17: 0000000000000000 x16: 0000000000000000
x15: 0736076307640766 x14: 0730073007380731
x13: 0736076307640766 x12: 0730073007380731
x11: 000000000004058d x10: 0000000085a85b76
x9 : ffff8000101436e4 x8 : ffff800011c8ce08
x7 : 0000000000000000 x6 : 0000000000000001
x5 : ffff0017df9ed338 x4 : 0000000000000001
x3 : ffff8017ce62a000 x2 : ffff0017df9ed340
x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
 plist_check_prev_next_node+0x50/0x70
 plist_check_head+0x80/0xf0
 plist_add+0x28/0x140
 add_to_avail_list+0x9c/0xf0
 _enable_swap_info+0x78/0xb4
 __do_sys_swapon+0x918/0xa10
 __arm64_sys_swapon+0x20/0x30
 el0_svc_common+0x8c/0x220
 do_el0_svc+0x2c/0x90
 el0_svc+0x1c/0x30
 el0_sync_handler+0xa8/0xb0
 el0_sync+0x148/0x180
irq event stamp: 2082270

Now, si->lock is locked before calling 'del_from_avail_list()' to make sure
other threads see that the si has been deleted and SWP_WRITEOK cleared
together, and will not reinsert it again.

This problem exists in versions after stable 5.10.y.
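The interleaving in the description, replayed deterministically as an added C model that is not the kernel's code and not part of the CVE record: locks are represented by an owner flag so the core-1 step is a plain call at the point where it could interleave, and the vulnerable and fixed lock orders are compared. The flag value and the assumption that the re-add path itself needs si->lock are constructed for the model.

```c
/* Deterministic replay of the race in the description. Simplified model,
 * not kernel code: locks are "who may run now", so core 1's step is a
 * plain call at the point where it could interleave; no threads needed. */
#include <stdbool.h>

#define SWP_WRITEOK 0x2   /* stand-in for the kernel's flag bit (assumed) */

struct si_model {
    unsigned flags;        /* SWP_WRITEOK set while the device is usable */
    bool on_avail_list;    /* models !plist_node_empty(&si->avail_lists) */
    bool lock_held;        /* models si->lock being owned by swapoff */
};

/* core 1 (get_swap_pages side): re-adds si to swap_avail_head if the
 * device still looks writable. Assumption: this step needs si->lock, so
 * it cannot run while swapoff holds it. Returns true if it ran. */
static bool core1_try_readd(struct si_model *si)
{
    if (si->lock_held)
        return false;                   /* would spin on si->lock */
    if ((si->flags & SWP_WRITEOK) && !si->on_avail_list)
        si->on_avail_list = true;       /* the harmful re-add */
    return true;
}

/* swapoff path. fixed == false: delete from the available list first and
 * take si->lock afterwards (the vulnerable order). fixed == true: take
 * si->lock before del_from_avail_list(), as the patch does. Returns true
 * when si ends off the list with SWP_WRITEOK cleared, i.e. consistent. */
static bool swapoff_model(bool fixed)
{
    struct si_model si = { .flags = SWP_WRITEOK, .on_avail_list = true };
    bool core1_pending;

    if (fixed)
        si.lock_held = true;            /* spin_lock(&si->lock) up front */
    si.on_avail_list = false;           /* del_from_avail_list(si) */

    /* The window from the description: core 1 wakes up here. */
    core1_pending = !core1_try_readd(&si);

    si.lock_held = true;                /* bug: lock only taken now */
    si.flags &= ~SWP_WRITEOK;           /* clear SWP_WRITEOK under si->lock */
    si.lock_held = false;               /* spin_unlock(&si->lock) */

    if (core1_pending)
        core1_try_readd(&si);           /* core 1 now sees deleted + !WRITEOK */

    return !si.on_avail_list && !(si.flags & SWP_WRITEOK);
}
```

In the vulnerable order swapoff_model(false) returns false: si is back on the available list with SWP_WRITEOK cleared, the stale entry a later swapon would corrupt; swapoff_model(true) returns true.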

Impact