CVE-2023-54269
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
30/12/2025
Last modified:
30/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

SUNRPC: double free xprt_ctxt while still in use

When an RPC request is deferred, the rq_xprt_ctxt pointer is moved out
of the svc_rqst into the svc_deferred_req.
When the deferred request is revisited, the pointer is copied into
the new svc_rqst - and also remains in the svc_deferred_req.

In the (rare?) case that the request is deferred a second time, the old
svc_deferred_req is reused - it still has all the correct content.
However in that case the rq_xprt_ctxt pointer is NOT cleared so that
when xpo_release_xprt is called, the ctxt is freed (UDP) or possibly
added to a free list (RDMA).
When the deferred request is revisited for a second time, it will
reference this ctxt which may be invalid, and then free the object a
second time which is likely to oops.

So change svc_defer() to *always* clear rq_xprt_ctxt, and assert that
the value is now stored in the svc_deferred_req.
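
The ownership sequence in the description, as a small user-space C model; this is an added example, not the kernel's code or the patch itself. Struct and field names follow the description, while the function bodies, the `fixed` switch, `count_releases` and the release counter (used instead of a real free) are assumptions.

```c
#include <assert.h>
#include <stdio.h>
/* User-space model of the description above, not kernel code (bodies assumed). */
struct ctxt     { int releases; };            /* counts frees instead of freeing */
struct deferred { struct ctxt *xprt_ctxt; };  /* stands in for svc_deferred_req */
struct rqst     { struct ctxt *rq_xprt_ctxt; struct deferred *rq_deferred; };

static void release_xprt(struct rqst *r)      /* stands in for xpo_release_xprt */
{
    if (r->rq_xprt_ctxt)
        r->rq_xprt_ctxt->releases++;
    r->rq_xprt_ctxt = NULL;
}

/* Stands in for svc_defer(); fixed != 0 selects the behaviour after the change. */
static struct deferred *defer(struct rqst *r, struct deferred *fresh, int fixed)
{
    struct deferred *dr = r->rq_deferred;
    if (dr) {                                 /* second deferral: record reused */
        r->rq_deferred = NULL;
        assert(r->rq_xprt_ctxt == dr->xprt_ctxt);
        if (fixed)
            r->rq_xprt_ctxt = NULL;           /* the change: always clear */
    } else {                                  /* first deferral: pointer moved */
        dr = fresh;
        dr->xprt_ctxt = r->rq_xprt_ctxt;
        r->rq_xprt_ctxt = NULL;
    }
    return dr;
}

int count_releases(int fixed)   /* defer twice, revisit twice; count ctxt frees */
{
    struct ctxt c = { 0 };
    struct rqst r1 = { &c, NULL }, r2, r3;
    struct deferred slot = { NULL }, *dr = defer(&r1, &slot, fixed);
    release_xprt(&r1);                        /* r1 holds nothing: no release */
    r2 = (struct rqst){ dr->xprt_ctxt, dr };  /* revisit: copied, dr keeps it */
    dr = defer(&r2, &slot, fixed);
    release_xprt(&r2);                        /* unfixed: ctxt released here */
    r3 = (struct rqst){ dr->xprt_ctxt, dr };  /* second revisit: same pointer */
    release_xprt(&r3);                        /* completion: released (again) */
    return c.releases;
}

int main(void)
{
    printf("unfixed=%d fixed=%d\n", count_releases(0), count_releases(1));
    return 0;
}
```

With the unfixed path the single ctxt is released twice, once after the second deferral and once on completion; with the pointer always cleared it is released once.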



