CVE-2022-49257

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> watch_queue: Fix NULL dereference in error cleanup<br /> <br /> In watch_queue_set_size(), the error cleanup code doesn&amp;#39;t take account of<br /> the fact that __free_page() can&amp;#39;t handle a NULL pointer when trying to free<br /> up buffer pages that did get allocated.<br /> <br /> Fix this by only calling __free_page() on the pages actually allocated.<br /> <br /> Without the fix, this can lead to something like the following:<br /> <br /> BUG: KASAN: null-ptr-deref in __free_pages+0x1f/0x1b0 mm/page_alloc.c:5473<br /> Read of size 4 at addr 0000000000000034 by task syz-executor168/3599<br /> ...<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106<br /> __kasan_report mm/kasan/report.c:446 [inline]<br /> kasan_report.cold+0x66/0xdf mm/kasan/report.c:459<br /> check_region_inline mm/kasan/generic.c:183 [inline]<br /> kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189<br /> instrument_atomic_read include/linux/instrumented.h:71 [inline]<br /> atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]<br /> page_ref_count include/linux/page_ref.h:67 [inline]<br /> put_page_testzero include/linux/mm.h:717 [inline]<br /> __free_pages+0x1f/0x1b0 mm/page_alloc.c:5473<br /> watch_queue_set_size+0x499/0x630 kernel/watch_queue.c:275<br /> pipe_ioctl+0xac/0x2b0 fs/pipe.c:632<br /> vfs_ioctl fs/ioctl.c:51 [inline]<br /> __do_sys_ioctl fs/ioctl.c:874 [inline]<br /> __se_sys_ioctl fs/ioctl.c:860 [inline]<br /> __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae