CVE-2023-52803

In the Linux kernel, the following vulnerability has been resolved: SUNRPC:
Fix RPC client cleaned up the freed pipefs dentries RPC client pipefs
dentries cleanup is in separated rpc_remove_pipedir() workqueue,which takes
care about pipefs superblock locking. In some special scenarios, when
kernel frees the pipefs sb of the current client and immediately alloctes a
new pipefs sb, rpc_remove_pipedir function would misjudge the existence of
pipefs sb which is not the one it used to hold. As a result, the
rpc_remove_pipedir would clean the released freed pipefs dentries. To fix
this issue, rpc_remove_pipedir should check whether the current pipefs sb
is consistent with the original pipefs sb. This error can be catched by
KASAN: ========================================================= [
250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200 [
250.498315] Read of size 4 at addr ffff88800a2ab804 by task
kworker/0:18/106503 [ 250.500549] Workqueue: events rpc_free_client_work [
250.501001] Call Trace: [ 250.502880] kasan_report+0xb6/0xf0 [ 250.503209]
? dget_parent+0x195/0x200 [ 250.503561] dget_parent+0x195/0x200 [
250.503897] ? __pfx_rpc_clntdir_depopulate+0x10/0x10 [ 250.504384]
rpc_rmdir_depopulate+0x1b/0x90 [ 250.504781]
rpc_remove_client_dir+0xf5/0x150 [ 250.505195]
rpc_free_client_work+0xe4/0x230 [ 250.505598] process_one_work+0x8ee/0x13b0
… [ 22.039056] Allocated by task 244: [ 22.039390]
kasan_save_stack+0x22/0x50 [ 22.039758] kasan_set_track+0x25/0x30 [
22.040109] __kasan_slab_alloc+0x59/0x70 [ 22.040487]
kmem_cache_alloc_lru+0xf0/0x240 [ 22.040889] __d_alloc+0x31/0x8e0 [
22.041207] d_alloc+0x44/0x1f0 [ 22.041514]
__rpc_lookup_create_exclusive+0x11c/0x140 [ 22.041987]
rpc_mkdir_populate.constprop.0+0x5f/0x110 [ 22.042459]
rpc_create_client_dir+0x34/0x150 [ 22.042874]
rpc_setup_pipedir_sb+0x102/0x1c0 [ 22.043284]
rpc_client_register+0x136/0x4e0 [ 22.043689] rpc_new_client+0x911/0x1020 [
22.044057] rpc_create_xprt+0xcb/0x370 [ 22.044417] rpc_create+0x36b/0x6c0
… [ 22.049524] Freed by task 0: [ 22.049803] kasan_save_stack+0x22/0x50 [
22.050165] kasan_set_track+0x25/0x30 [ 22.050520]
kasan_save_free_info+0x2b/0x50 [ 22.050921] __kasan_slab_free+0x10e/0x1a0 [
22.051306] kmem_cache_free+0xa5/0x390 [ 22.051667] rcu_core+0x62c/0x1930 [
22.051995] __do_softirq+0x165/0x52a [ 22.052347] [ 22.052503] Last
potentially related work creation: [ 22.052952] kasan_save_stack+0x22/0x50
[ 22.053313] __kasan_record_aux_stack+0x8e/0xa0 [ 22.053739]
__call_rcu_common.constprop.0+0x6b/0x8b0 [ 22.054209]
dentry_free+0xb2/0x140 [ 22.054540] __dentry_kill+0x3be/0x540 [ 22.054900]
shrink_dentry_list+0x199/0x510 [ 22.055293]
shrink_dcache_parent+0x190/0x240 [ 22.055703] do_one_tree+0x11/0x40 [
22.056028] shrink_dcache_for_umount+0x61/0x140 [ 22.056461]
generic_shutdown_super+0x70/0x590 [ 22.056879] kill_anon_super+0x3a/0x60 [
22.057234] rpc_kill_sb+0x121/0x200