{
  "threat_severity" : "Moderate",
  "public_date" : "2025-10-01T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: null_blk: fix poll request timeout handling",
    "id" : "2400691",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2400691"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-366",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnull_blk: fix poll request timeout handling\nWhen doing io_uring benchmark on /dev/nullb0, it's easy to crash the\nkernel if a poll request timeout is triggered, as reported by David. [1]\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nWorkqueue: kblockd blk_mq_timeout_work\nRIP: 0010:null_timeout_rq+0x4e/0x91\nCall Trace:\n? null_timeout_rq+0x4e/0x91\nblk_mq_handle_expired+0x31/0x4b\nbt_iter+0x68/0x84\n? bt_tags_iter+0x81/0x81\n__sbitmap_for_each_set.constprop.0+0xb0/0xf2\n? __blk_mq_complete_request_remote+0xf/0xf\nbt_for_each+0x46/0x64\n? __blk_mq_complete_request_remote+0xf/0xf\n? percpu_ref_get_many+0xc/0x2a\nblk_mq_queue_tag_busy_iter+0x14d/0x18e\nblk_mq_timeout_work+0x95/0x127\nprocess_one_work+0x185/0x263\nworker_thread+0x1b5/0x227\nThis is indeed a race problem between null_timeout_rq() and null_poll().\nnull_poll()                                 null_timeout_rq()\n  spin_lock(&nq->poll_lock)\n  list_splice_init(&nq->poll_list, &list)\n  spin_unlock(&nq->poll_lock)\n  while (!list_empty(&list))\n    req = list_first_entry()\n    list_del_init()\n    ...\n    blk_mq_add_to_batch()\n    // req->rq_next = NULL\n                                            spin_lock(&nq->poll_lock)\n                                            // rq->queuelist->next == NULL\n                                            list_del_init(&rq->queuelist)\n                                            spin_unlock(&nq->poll_lock)\nFix these problems by setting requests state to MQ_RQ_COMPLETE under\nnq->poll_lock protection, in which null_timeout_rq() can safely detect\nthis race and early return.\nNote this patch just fixes the kernel panic when a request timeout happens.\n[1] https://lore.kernel.org/all/3893581.1691785261@warthog.procyon.org.uk/" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53531\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53531\nhttps://lore.kernel.org/linux-cve-announce/2025100136-CVE-2023-53531-3c7c@gregkh/T" ],
  "name" : "CVE-2023-53531",
  "csaw" : false
}