CVE-2023-52803

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> SUNRPC: Fix RPC client cleaned up the freed pipefs dentries<br /> <br /> RPC client pipefs dentries cleanup is in separated rpc_remove_pipedir()<br /> workqueue,which takes care about pipefs superblock locking.<br /> In some special scenarios, when kernel frees the pipefs sb of the<br /> current client and immediately alloctes a new pipefs sb,<br /> rpc_remove_pipedir function would misjudge the existence of pipefs<br /> sb which is not the one it used to hold. As a result,<br /> the rpc_remove_pipedir would clean the released freed pipefs dentries.<br /> <br /> To fix this issue, rpc_remove_pipedir should check whether the<br /> current pipefs sb is consistent with the original pipefs sb.<br /> <br /> This error can be catched by KASAN:<br /> =========================================================<br /> [ 250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200<br /> [ 250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503<br /> [ 250.500549] Workqueue: events rpc_free_client_work<br /> [ 250.501001] Call Trace:<br /> [ 250.502880] kasan_report+0xb6/0xf0<br /> [ 250.503209] ? dget_parent+0x195/0x200<br /> [ 250.503561] dget_parent+0x195/0x200<br /> [ 250.503897] ? __pfx_rpc_clntdir_depopulate+0x10/0x10<br /> [ 250.504384] rpc_rmdir_depopulate+0x1b/0x90<br /> [ 250.504781] rpc_remove_client_dir+0xf5/0x150<br /> [ 250.505195] rpc_free_client_work+0xe4/0x230<br /> [ 250.505598] process_one_work+0x8ee/0x13b0<br /> ...<br /> [ 22.039056] Allocated by task 244:<br /> [ 22.039390] kasan_save_stack+0x22/0x50<br /> [ 22.039758] kasan_set_track+0x25/0x30<br /> [ 22.040109] __kasan_slab_alloc+0x59/0x70<br /> [ 22.040487] kmem_cache_alloc_lru+0xf0/0x240<br /> [ 22.040889] __d_alloc+0x31/0x8e0<br /> [ 22.041207] d_alloc+0x44/0x1f0<br /> [ 22.041514] __rpc_lookup_create_exclusive+0x11c/0x140<br /> [ 22.041987] rpc_mkdir_populate.constprop.0+0x5f/0x110<br /> [ 22.042459] rpc_create_client_dir+0x34/0x150<br /> [ 22.042874] rpc_setup_pipedir_sb+0x102/0x1c0<br /> [ 22.043284] rpc_client_register+0x136/0x4e0<br /> [ 22.043689] rpc_new_client+0x911/0x1020<br /> [ 22.044057] rpc_create_xprt+0xcb/0x370<br /> [ 22.044417] rpc_create+0x36b/0x6c0<br /> ...<br /> [ 22.049524] Freed by task 0:<br /> [ 22.049803] kasan_save_stack+0x22/0x50<br /> [ 22.050165] kasan_set_track+0x25/0x30<br /> [ 22.050520] kasan_save_free_info+0x2b/0x50<br /> [ 22.050921] __kasan_slab_free+0x10e/0x1a0<br /> [ 22.051306] kmem_cache_free+0xa5/0x390<br /> [ 22.051667] rcu_core+0x62c/0x1930<br /> [ 22.051995] __do_softirq+0x165/0x52a<br /> [ 22.052347]<br /> [ 22.052503] Last potentially related work creation:<br /> [ 22.052952] kasan_save_stack+0x22/0x50<br /> [ 22.053313] __kasan_record_aux_stack+0x8e/0xa0<br /> [ 22.053739] __call_rcu_common.constprop.0+0x6b/0x8b0<br /> [ 22.054209] dentry_free+0xb2/0x140<br /> [ 22.054540] __dentry_kill+0x3be/0x540<br /> [ 22.054900] shrink_dentry_list+0x199/0x510<br /> [ 22.055293] shrink_dcache_parent+0x190/0x240<br /> [ 22.055703] do_one_tree+0x11/0x40<br /> [ 22.056028] shrink_dcache_for_umount+0x61/0x140<br /> [ 22.056461] generic_shutdown_super+0x70/0x590<br /> [ 22.056879] kill_anon_super+0x3a/0x60<br /> [ 22.057234] rpc_kill_sb+0x121/0x200