CVE-2021-47552
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
24/05/2024
Last modified:
06/01/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
blk-mq: cancel blk-mq dispatch work in both blk_cleanup_queue and disk_release()<br />
<br />
For avoiding to slow down queue destroy, we don&#39;t call<br />
blk_mq_quiesce_queue() in blk_cleanup_queue(), instead of delaying to<br />
cancel dispatch work in blk_release_queue().<br />
<br />
However, this way has caused kernel oops[1], reported by Changhui. The log<br />
shows that scsi_device can be freed before running blk_release_queue(),<br />
which is expected too since scsi_device is released after the scsi disk<br />
is closed and the scsi_device is removed.<br />
<br />
Fixes the issue by canceling blk-mq dispatch work in both blk_cleanup_queue()<br />
and disk_release():<br />
<br />
1) when disk_release() is run, the disk has been closed, and any sync<br />
dispatch activities have been done, so canceling dispatch work is enough to<br />
quiesce filesystem I/O dispatch activity.<br />
<br />
2) in blk_cleanup_queue(), we only focus on passthrough request, and<br />
passthrough request is always explicitly allocated & freed by<br />
its caller, so once queue is frozen, all sync dispatch activity<br />
for passthrough request has been done, then it is enough to just cancel<br />
dispatch work for avoiding any dispatch activity.<br />
<br />
[1] kernel panic log<br />
[12622.769416] BUG: kernel NULL pointer dereference, address: 0000000000000300<br />
[12622.777186] #PF: supervisor read access in kernel mode<br />
[12622.782918] #PF: error_code(0x0000) - not-present page<br />
[12622.788649] PGD 0 P4D 0<br />
[12622.791474] Oops: 0000 [#1] PREEMPT SMP PTI<br />
[12622.796138] CPU: 10 PID: 744 Comm: kworker/10:1H Kdump: loaded Not tainted 5.15.0+ #1<br />
[12622.804877] Hardware name: Dell Inc. PowerEdge R730/0H21J3, BIOS 1.5.4 10/002/2015<br />
[12622.813321] Workqueue: kblockd blk_mq_run_work_fn<br />
[12622.818572] RIP: 0010:sbitmap_get+0x75/0x190<br />
[12622.823336] Code: 85 80 00 00 00 41 8b 57 08 85 d2 0f 84 b1 00 00 00 45 31 e4 48 63 cd 48 8d 1c 49 48 c1 e3 06 49 03 5f 10 4c 8d 6b 40 83 f0 01 8b 33 44 89 f2 4c 89 ef 0f b6 c8 e8 fa f3 ff ff 83 f8 ff 75 58<br />
[12622.844290] RSP: 0018:ffffb00a446dbd40 EFLAGS: 00010202<br />
[12622.850120] RAX: 0000000000000001 RBX: 0000000000000300 RCX: 0000000000000004<br />
[12622.858082] RDX: 0000000000000006 RSI: 0000000000000082 RDI: ffffa0b7a2dfe030<br />
[12622.866042] RBP: 0000000000000004 R08: 0000000000000001 R09: ffffa0b742721334<br />
[12622.874003] R10: 0000000000000008 R11: 0000000000000008 R12: 0000000000000000<br />
[12622.881964] R13: 0000000000000340 R14: 0000000000000000 R15: ffffa0b7a2dfe030<br />
[12622.889926] FS: 0000000000000000(0000) GS:ffffa0baafb40000(0000) knlGS:0000000000000000<br />
[12622.898956] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
[12622.905367] CR2: 0000000000000300 CR3: 0000000641210001 CR4: 00000000001706e0<br />
[12622.913328] Call Trace:<br />
[12622.916055] <br />
[12622.918394] scsi_mq_get_budget+0x1a/0x110<br />
[12622.922969] __blk_mq_do_dispatch_sched+0x1d4/0x320<br />
[12622.928404] ? pick_next_task_fair+0x39/0x390<br />
[12622.933268] __blk_mq_sched_dispatch_requests+0xf4/0x140<br />
[12622.939194] blk_mq_sched_dispatch_requests+0x30/0x60<br />
[12622.944829] __blk_mq_run_hw_queue+0x30/0xa0<br />
[12622.949593] process_one_work+0x1e8/0x3c0<br />
[12622.954059] worker_thread+0x50/0x3b0<br />
[12622.958144] ? rescuer_thread+0x370/0x370<br />
[12622.962616] kthread+0x158/0x180<br />
[12622.966218] ? set_kthread_struct+0x40/0x40<br />
[12622.970884] ret_from_fork+0x22/0x30<br />
[12622.974875] <br />
[12622.977309] Modules linked in: scsi_debug rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs sunrpc dm_multipath intel_rapl_msr intel_rapl_common dell_wmi_descriptor sb_edac rfkill video x86_pkg_temp_thermal intel_powerclamp dcdbas coretemp kvm_intel kvm mgag200 irqbypass i2c_algo_bit rapl drm_kms_helper ipmi_ssif intel_cstate intel_uncore syscopyarea sysfillrect sysimgblt fb_sys_fops pcspkr cec mei_me lpc_ich mei ipmi_si ipmi_devintf ipmi_msghandler acpi_power_meter drm fuse xfs libcrc32c sr_mod cdrom sd_mod t10_pi sg ixgbe ahci libahci crct10dif_pclmul crc32_pclmul crc32c_intel libata megaraid_sas ghash_clmulni_intel tg3 wdat_w<br />
---truncated---
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.6 (excluding) | |
cpe:2.3:o:linux:linux_kernel:5.16:rc1:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page