CVE-2023-53531

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-53531
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53531.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-53531
Downstream
Related
Published
2025-10-01T11:46:15Z
Modified
2025-10-16T18:28:57.937655Z
Summary
null_blk: fix poll request timeout handling
Details

In the Linux kernel, the following vulnerability has been resolved:

null_blk: fix poll request timeout handling

When doing io_uring benchmark on /dev/nullb0, it's easy to crash the kernel if poll requests timeout triggered, as reported by David. [1]

BUG: kernel NULL pointer dereference, address: 0000000000000008 Workqueue: kblockd blkmqtimeoutwork RIP: 0010:nulltimeoutrq+0x4e/0x91 Call Trace: ? nulltimeoutrq+0x4e/0x91 blkmqhandleexpired+0x31/0x4b btiter+0x68/0x84 ? bttagsiter+0x81/0x81 _sbitmapforeachset.constprop.0+0xb0/0xf2 ? _blkmqcompleterequestremote+0xf/0xf btforeach+0x46/0x64 ? _blkmqcompleterequestremote+0xf/0xf ? percpurefgetmany+0xc/0x2a blkmqqueuetagbusyiter+0x14d/0x18e blkmqtimeoutwork+0x95/0x127 processonework+0x185/0x263 worker_thread+0x1b5/0x227

This is indeed a race problem between nulltimeoutrq() and null_poll().

nullpoll() nulltimeoutrq() spinlock(&nq->polllock) listspliceinit(&nq->polllist, &list) spinunlock(&nq->polllock)

while (!listempty(&list)) req = listfirstentry() listdelinit() ... blkmqaddtobatch() // req->rqnext = NULL spinlock(&nq->polllock)

                // rq->queuelist->next == NULL
                list_del_init(&rq->queuelist)

                spin_unlock(&nq->poll_lock)

Fix these problems by setting requests state to MQRQCOMPLETE under nq->polllock protection, in which nulltimeout_rq() can safely detect this race and early return.

Note this patch just fix the kernel panic when request timeout happen.

[1] https://lore.kernel.org/all/3893581.1691785261@warthog.procyon.org.uk/

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0a593fbbc245a85940ed34caa3aa1e4cb060c54b
Fixed
a0b4a0666beacfe8add9c71d8922475541dbae73
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0a593fbbc245a85940ed34caa3aa1e4cb060c54b
Fixed
a7cb2e709f2927cc3c76781df3e45de2381b3b9d
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0a593fbbc245a85940ed34caa3aa1e4cb060c54b
Fixed
5a26e45edb4690d58406178b5a9ea4c6dcf2c105

Affected versions

v5.*

v5.15
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.36
v6.1.37
v6.1.38
v6.1.39
v6.1.4
v6.1.40
v6.1.41
v6.1.42
v6.1.43
v6.1.44
v6.1.45
v6.1.46
v6.1.47
v6.1.48
v6.1.49
v6.1.5
v6.1.50
v6.1.51
v6.1.52
v6.1.53
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.5.1
v6.5.2
v6.5.3

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.54
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.5.4