CVE-2023-54293

In the Linux kernel, the following vulnerability has been resolved:

bcache: fixup btreecachewait list damage

We get a kernel crash about "list_add corruption. next->prev should be prev (ffff9c801bc01210), but was ffff9c77b688237c. (next=ffffae586d8afe68)."

crash> struct listhead 0xffff9c801bc01210 struct listhead { next = 0xffffae586d8afe68, prev = 0xffffae586d8afe68 } crash> struct listhead 0xffff9c77b688237c struct listhead { next = 0x0, prev = 0x0 } crash> struct listhead 0xffffae586d8afe68 struct listhead struct: invalid kernel virtual address: ffffae586d8afe68 type: "gdbreadmemcallback" Cannot access memory at address 0xffffae586d8afe68

[230469.019492] Call Trace: [230469.032041] preparetowait+0x8a/0xb0 [230469.044363] ? bchbtreekeysfree+0x6c/0xc0 [escache] [230469.056533] mcacannibalizelock+0x72/0x90 [escache] [230469.068788] mcaalloc+0x2ae/0x450 [escache] [230469.080790] bchbtreenodeget+0x136/0x2d0 [escache] [230469.092681] bchbtreecheckthread+0x1e1/0x260 [escache] [230469.104382] ? finishwait+0x80/0x80 [230469.115884] ? bchbtreecheckrecurse+0x1a0/0x1a0 [escache] [230469.127259] kthread+0x112/0x130 [230469.138448] ? kthreadflushworkfn+0x10/0x10 [230469.149477] retfrom_fork+0x35/0x40

bchbtreecheckthread() and bchdirtyinitthread() may call mcacannibalize() to cannibalize other cached btree nodes. Only one thread can do it at a time, so the op of other threads will be added to the btreecache_wait list.

We must call finishwait() to remove op from btreecachewait before free it's memory address. Otherwise, the list will be damaged. Also should call bchcannibalizeunlock() to release the btreecachealloclock and wake_up other waiters.