CVE-2023-54195

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rxrpc: Fix timeout of a call that hasn&amp;#39;t yet been granted a channel<br /> <br /> afs_make_call() calls rxrpc_kernel_begin_call() to begin a call (which may<br /> get stalled in the background waiting for a connection to become<br /> available); it then calls rxrpc_kernel_set_max_life() to set the timeouts -<br /> but that starts the call timer so the call timer might then expire before<br /> we get a connection assigned - leading to the following oops if the call<br /> stalled:<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000000<br /> ...<br /> CPU: 1 PID: 5111 Comm: krxrpcio/0 Not tainted 6.3.0-rc7-build3+ #701<br /> RIP: 0010:rxrpc_alloc_txbuf+0xc0/0x157<br /> ...<br /> Call Trace:<br /> <br /> rxrpc_send_ACK+0x50/0x13b<br /> rxrpc_input_call_event+0x16a/0x67d<br /> rxrpc_io_thread+0x1b6/0x45f<br /> ? _raw_spin_unlock_irqrestore+0x1f/0x35<br /> ? rxrpc_input_packet+0x519/0x519<br /> kthread+0xe7/0xef<br /> ? kthread_complete_and_exit+0x1b/0x1b<br /> ret_from_fork+0x22/0x30<br /> <br /> Fix this by noting the timeouts in struct rxrpc_call when the call is<br /> created. The timer will be started when the first packet is transmitted.<br /> <br /> It shouldn&amp;#39;t be possible to trigger this directly from userspace through<br /> AF_RXRPC as sendmsg() will return EBUSY if the call is in the<br /> waiting-for-conn state if it dropped out of the wait due to a signal.