CVE-2023-54313

In the Linux kernel, the following vulnerability has been resolved:

ovl: fix null pointer dereference in ovlgetacl_rcu()

Following process: P1 P2 pathopenat linkpathwalk maylookup inodepermission(rcu) ovlpermission aclpermissioncheck checkacl getcachedaclrcu ovlgetinodeacl realinode = ovlinodereal(ovlinode) drop_cache _dentrykill(ovldentry) iput(ovlinode) ovldestroyinode(ovlinode) dput(oi->upperdentry) dentrykill(upperdentry) dentryunlinkinode upperdentry->dinode = NULL ovlinodeupper upperdentry = ovlidentryupper(ovlinode) dinode(upperdentry) // returns NULL ISPOSIXACL(realinode) // NULL pointer dereference , will trigger an null pointer dereference at realinode: [ 205.472797] BUG: kernel NULL pointer dereference, address: 0000000000000028 [ 205.476701] CPU: 2 PID: 2713 Comm: ls Not tainted 6.3.0-12064-g2edfa098e750-dirty #1216 [ 205.478754] RIP: 0010:doovlgetacl+0x5d/0x300 [ 205.489584] Call Trace: [ 205.489812] <TASK> [ 205.490014] ovlgetinodeacl+0x26/0x30 [ 205.490466] getcachedaclrcu+0x61/0xa0 [ 205.490908] genericpermission+0x1bf/0x4e0 [ 205.491447] ovlpermission+0x79/0x1b0 [ 205.491917] inodepermission+0x15e/0x2c0 [ 205.492425] linkpathwalk+0x115/0x550 [ 205.493311] pathlookupat.isra.0+0xb2/0x200 [ 205.493803] filenamelookup+0xda/0x240 [ 205.495747] vfsfstatat+0x7b/0xb0

Fetch a reproducer in [Link].

Use the helper ovlipath_realinode() to get realinode and then do non-nullptr checking.