CVE-2023-53481

In the Linux kernel, the following vulnerability has been resolved:

ubi: ubiwlput_peb: Fix infinite loop when wear-leveling work failed

Following process will trigger an infinite loop in ubiwlput_peb():

ubifs_bgt       ubi_bgt

ubifslebunmap ubilebunmap ubiebaunmapleb ubiwlputpeb wearlevelingworker e1 = rbentry(rbfirst(&ubi->used) e2 = getpebforwl(ubi) ubiioreadvidhdr // return err (flash fault) outerror: ubi->movefrom = ubi->moveto = NULL wlentrydestroy(ubi, e1) ubi->lookuptbl[e->pnum] = NULL retry: e = ubi->lookuptbl[pnum]; // return NULL if (e == ubi->move_from) { // NULL == NULL gets true goto retry; // infinite loop !!!

$ top PID USER PR NI VIRT RES SHR S %CPU %MEM COMMAND 7676 root 20 0 0 0 0 R 100.0 0.0 ubifsbgt00

Fix it by: 1) Letting ubiwlputpeb() returns directly if wearl leveling entry has been removed from 'ubi->lookuptbl'. 2) Using 'ubi->wllock' protecting wl entry deletion to preventing an use-after-free problem for wl entry in ubiwlput_peb().

Fetch a reproducer in [Link].