CVE-2022-50381

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> md: fix a crash in mempool_free<br /> <br /> There&amp;#39;s a crash in mempool_free when running the lvm test<br /> shell/lvchange-rebuild-raid.sh.<br /> <br /> The reason for the crash is this:<br /> * super_written calls atomic_dec_and_test(&amp;mddev-&gt;pending_writes) and<br /> wake_up(&amp;mddev-&gt;sb_wait). Then it calls rdev_dec_pending(rdev, mddev)<br /> and bio_put(bio).<br /> * so, the process that waited on sb_wait and that is woken up is racing<br /> with bio_put(bio).<br /> * if the process wins the race, it calls bioset_exit before bio_put(bio)<br /> is executed.<br /> * bio_put(bio) attempts to free a bio into a destroyed bio set - causing<br /> a crash in mempool_free.<br /> <br /> We fix this bug by moving bio_put before atomic_dec_and_test.<br /> <br /> We also move rdev_dec_pending before atomic_dec_and_test as suggested by<br /> Neil Brown.<br /> <br /> The function md_end_flush has a similar bug - we must call bio_put before<br /> we decrement the number of in-progress bios.<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000000<br /> #PF: supervisor write access in kernel mode<br /> #PF: error_code(0x0002) - not-present page<br /> PGD 11557f0067 P4D 11557f0067 PUD 0<br /> Oops: 0002 [#1] PREEMPT SMP<br /> CPU: 0 PID: 73 Comm: kworker/0:1 Not tainted 6.1.0-rc3 #5<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014<br /> Workqueue: kdelayd flush_expired_bios [dm_delay]<br /> RIP: 0010:mempool_free+0x47/0x80<br /> Code: 48 89 ef 5b 5d ff e0 f3 c3 48 89 f7 e8 32 45 3f 00 48 63 53 08 48 89 c6 3b 53 04 7d 2d 48 8b 43 10 8d 4a 01 48 89 df 89 4b 08 89 2c d0 e8 b0 45 3f 00 48 8d 7b 30 5b 5d 31 c9 ba 01 00 00 00<br /> RSP: 0018:ffff88910036bda8 EFLAGS: 00010093<br /> RAX: 0000000000000000 RBX: ffff8891037b65d8 RCX: 0000000000000001<br /> RDX: 0000000000000000 RSI: 0000000000000202 RDI: ffff8891037b65d8<br /> RBP: ffff8891447ba240 R08: 0000000000012908 R09: 00000000003d0900<br /> R10: 0000000000000000 R11: 0000000000173544 R12: ffff889101a14000<br /> R13: ffff8891562ac300 R14: ffff889102b41440 R15: ffffe8ffffa00d05<br /> FS: 0000000000000000(0000) GS:ffff88942fa00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000000000000 CR3: 0000001102e99000 CR4: 00000000000006b0<br /> Call Trace:<br /> <br /> clone_endio+0xf4/0x1c0 [dm_mod]<br /> clone_endio+0xf4/0x1c0 [dm_mod]<br /> __submit_bio+0x76/0x120<br /> submit_bio_noacct_nocheck+0xb6/0x2a0<br /> flush_expired_bios+0x28/0x2f [dm_delay]<br /> process_one_work+0x1b4/0x300<br /> worker_thread+0x45/0x3e0<br /> ? rescuer_thread+0x380/0x380<br /> kthread+0xc2/0x100<br /> ? kthread_complete_and_exit+0x20/0x20<br /> ret_from_fork+0x1f/0x30<br /> <br /> Modules linked in: brd dm_delay dm_raid dm_mod af_packet uvesafb cfbfillrect cfbimgblt cn cfbcopyarea fb font fbdev tun autofs4 binfmt_misc configfs ipv6 virtio_rng virtio_balloon rng_core virtio_net pcspkr net_failover failover qemu_fw_cfg button mousedev raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq raid6_pq async_xor xor async_tx raid1 raid0 md_mod sd_mod t10_pi crc64_rocksoft crc64 virtio_scsi scsi_mod evdev psmouse bsg scsi_common [last unloaded: brd]<br /> CR2: 0000000000000000<br /> ---[ end trace 0000000000000000 ]---