CVE-2023-53810

Source
https://cve.org/CVERecord?id=CVE-2023-53810
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53810.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-53810
Published
2025-12-09T00:01:08.062Z
Modified
2026-03-11T05:06:44.608708Z
Summary
blk-mq: release crypto keyslot before reporting I/O complete
Details

In the Linux kernel, the following vulnerability has been resolved:

blk-mq: release crypto keyslot before reporting I/O complete

Once all I/O using a blk_crypto_key has completed, filesystems can call blk_crypto_evict_key(). However, the block layer currently doesn't call blk_crypto_put_keyslot() until the request is being freed, which happens after upper layers have been told (via bio_endio()) the I/O has completed. This causes a race condition where blk_crypto_evict_key() can see 'slot_refs != 0' without there being an actual bug.

This makes __blk_crypto_evict_key() hit the 'WARN_ON_ONCE(atomic_read(&slot->slot_refs) != 0)' and return without doing anything, eventually causing a use-after-free in blk_crypto_reprogram_all_keys(). (This is a very rare bug and has only been seen when per-file keys are being used with fscrypt.)

There are two options to fix this: either release the keyslot before bio_endio() is called on the request's last bio, or make __blk_crypto_evict_key() ignore slot_refs. Let's go with the first solution, since it preserves the ability to report bugs (via WARN_ON_ONCE) where a key is evicted while still in-use.
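
The ordering problem described above can be reproduced in a small userspace model. This is an added example, not kernel code and not part of the original record. Every name in it except slot_refs is a hypothetical stand-in, and the completion handler evicts the key synchronously, which is a simplification of the real cross-thread race.

```c
/* Userspace model of the ordering bug; not kernel code. All names below
 * except slot_refs are hypothetical stand-ins chosen for this example. */
#include <stdbool.h>
#include <stddef.h>

struct key { int id; };                  /* stands in for a blk-crypto key */
struct keyslot { int slot_refs; const struct key *key; };

static struct keyslot slot;              /* the model has a single keyslot */

/* Eviction as the advisory describes it: refuse while slot_refs != 0. */
static void evict_key(const struct key *k)
{
    if (slot.key != k)
        return;
    if (slot.slot_refs != 0)             /* the warning path: do nothing */
        return;                          /* key stays programmed in the slot */
    slot.key = NULL;
}

/* Upper layer's completion handler. Assumption: it evicts the key at once,
 * which collapses the real cross-thread race window into one call. */
static void end_io(const struct key *k) { evict_key(k); }

/* Completes the request's last bio; put_first selects the fixed ordering. */
static void complete_request(const struct key *k, bool put_first)
{
    if (put_first)
        slot.slot_refs--;                /* fixed: release, then report */
    end_io(k);                           /* models bio_endio() */
    if (!put_first)
        slot.slot_refs--;                /* old: release at request free */
}

/* True if the slot still points at the key once I/O has been reported
 * complete, i.e. the pointer dangles as soon as the owner frees the key. */
bool slot_dangles_after_io(bool put_first)
{
    static const struct key k = { 1 };   /* constructed sample key */
    slot.key = &k;
    slot.slot_refs = 1;                  /* one request in flight */
    complete_request(&k, put_first);
    return slot.key == &k;
}

int main(void)
{
    return !(slot_dangles_after_io(false) && !slot_dangles_after_io(true));
}
```

With the old ordering the eviction is skipped and the slot keeps its pointer to the key; with the keyslot released before completion is reported, the eviction succeeds and the slot is cleared.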

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53810.json",
    "cna_assigner": "Linux"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a892c8d52c02284076fbbacae6692aa5c5807d11
Fixed
874bdf43b4a7dc5463c31508f62b3e42eb237b08
Fixed
d206f79d9cd658665b37ce8134c6ec849ac7af0c
Fixed
7d206ec7a04e8545828191b6ea8b49d3ea61391f
Fixed
b278570e2c59d538216f8b656e97680188a8fba4
Fixed
92d5d233b9ff531cf9cc36ab4251779e07adb633
Fixed
9cd1e566676bbcb8a126acd921e4e194e6339603

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53810.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.8.0
Fixed
5.10.180
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.111
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.28
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.2.15
Type
ECOSYSTEM
Events
Introduced
6.3.0
Fixed
6.3.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53810.json"