CVE-2023-54293

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
30/12/2025
Last modified:
30/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

bcache: fixup btree_cache_wait list damage

We get a kernel crash about "list_add corruption. next->prev should be prev (ffff9c801bc01210), but was ffff9c77b688237c. (next=ffffae586d8afe68)."

    crash> struct list_head 0xffff9c801bc01210
    struct list_head {
      next = 0xffffae586d8afe68,
      prev = 0xffffae586d8afe68
    }
    crash> struct list_head 0xffff9c77b688237c
    struct list_head {
      next = 0x0,
      prev = 0x0
    }
    crash> struct list_head 0xffffae586d8afe68
    struct list_head struct: invalid kernel virtual address: ffffae586d8afe68 type: "gdb_readmem_callback"
    Cannot access memory at address 0xffffae586d8afe68

    [230469.019492] Call Trace:
    [230469.032041] prepare_to_wait+0x8a/0xb0
    [230469.044363] ? bch_btree_keys_free+0x6c/0xc0 [escache]
    [230469.056533] mca_cannibalize_lock+0x72/0x90 [escache]
    [230469.068788] mca_alloc+0x2ae/0x450 [escache]
    [230469.080790] bch_btree_node_get+0x136/0x2d0 [escache]
    [230469.092681] bch_btree_check_thread+0x1e1/0x260 [escache]
    [230469.104382] ? finish_wait+0x80/0x80
    [230469.115884] ? bch_btree_check_recurse+0x1a0/0x1a0 [escache]
    [230469.127259] kthread+0x112/0x130
    [230469.138448] ? kthread_flush_work_fn+0x10/0x10
    [230469.149477] ret_from_fork+0x35/0x40

bch_btree_check_thread() and bch_dirty_init_thread() may call mca_cannibalize() to cannibalize other cached btree nodes. Only one thread can do it at a time, so the op of other threads will be added to the btree_cache_wait list.

We must call finish_wait() to remove op from btree_cache_wait before freeing its memory address. Otherwise, the list will be damaged. We should also call bch_cannibalize_unlock() to release the btree_cache_alloc_lock and wake_up other waiters.
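The list damage described above, modelled in user space as an added example (not kernel code and not the fix itself): a waiter's entry is left on a wait list after its memory is released, and the next list_add sees the broken next->prev link. The names waiter and second_waiter_can_queue are assumptions, the list helpers are simplified re-implementations, and memset stands in for the released memory being reused.

```c
#include <stdbool.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }

/* Returns false where the kernel would report "list_add corruption". */
static bool list_add(struct list_head *entry, struct list_head *head)
{
    struct list_head *next = head->next;

    /* Invariant checked before linking: next->prev must point back at head. */
    if (next->prev != head)
        return false;
    next->prev = entry;
    entry->next = next;
    entry->prev = head;
    head->next = entry;
    return true;
}

/* Unlink an entry, as finish_wait() does for a queued wait entry. */
static void list_del_init(struct list_head *e)
{
    e->prev->next = e->next;
    e->next->prev = e->prev;
    list_init(e);
}

struct waiter { struct list_head entry; };  /* stands in for the op's wait entry */

/* Queue one waiter, release its memory, then queue a second waiter.
 * Returns true if the second list_add finds a consistent list. */
static bool second_waiter_can_queue(bool finish_wait_first)
{
    struct list_head wait_list;             /* stands in for btree_cache_wait */
    struct waiter first, second;

    list_init(&wait_list);
    if (!list_add(&first.entry, &wait_list))
        return false;
    if (finish_wait_first)
        list_del_init(&first.entry);        /* fixed path: unlink before release */
    memset(&first, 0, sizeof(first));       /* constructed stand-in for free + reuse */
    return list_add(&second.entry, &wait_list);
}

int main(void) { return (second_waiter_can_queue(true) && !second_waiter_can_queue(false)) ? 0 : 1; }
```

Without the unlink, the list head still points at the released entry, whose prev field no longer points back at the head, which is the mismatch the crash message reports.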

Impact