The Linux kernel vulnerability CVE-2021-47412 occurs in the block layer, specifically in the rq_qos framework. This framework is only applied to request-based drivers, and therefore `rq_qos_done_bio()` should not be called for bio-based drivers or bios that aren't tracked.
In the `bio_endio()` function, the request queue is reached via `bio->bi_bdev->bd_disk->queue`, and that queue may already have been freed, because the request queue refcount is not held in certain cases. Moreover, `q->rq_qos` may itself have been freed by `blk_cleanup_queue()` by the time `__rq_qos_done_bio()` is entered. Either way, the completion path dereferences freed memory and can cause a kernel panic.
To fix this issue, the patch ensures that `rq_qos_ops->done_bio` is not called if the bio isn't tracked. This approach is safe because both `ioc_rqos_done_bio()` and `blkcg_iolatency_done_bio()` are no-ops if the bio isn't tracked.
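As an added illustration (not the kernel's code or the patch itself), the following user-space C model contrasts the unguarded and guarded shapes of the completion path. The tracked-flag check is modelled on the kernel's `BIO_TRACKED` bio flag, which this page does not name, and a NULL `rq_qos` stands in for the freed object.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical user-space model of the bio_endio() -> rq_qos_done_bio() path
 * discussed above; not kernel code. Names mirror the kernel's for readability. */
#define BIO_TRACKED 0x1  /* bio flag set when the bio went through rq_qos_throttle() */

struct rq_qos        { int done_calls; };
struct request_queue { struct rq_qos *rq_qos; };   /* NULL once blk_cleanup_queue() ran */
struct gendisk       { struct request_queue *queue; };
struct block_device  { struct gendisk *bd_disk; };
struct bio           { struct block_device *bi_bdev; unsigned flags; };

/* Stands in for __rq_qos_done_bio(). In the kernel a torn-down q->rq_qos is a
 * use-after-free; this model reports it as -1 instead of crashing. */
static int rq_qos_done_bio(struct request_queue *q, struct bio *bio)
{
    (void)bio;
    if (q->rq_qos == NULL)
        return -1;               /* would dereference freed memory */
    q->rq_qos->done_calls++;
    return 0;
}

/* Pre-fix shape: every bio with a device is reported, tracked or not. */
static int bio_endio_unpatched(struct bio *bio)
{
    if (bio->bi_bdev)
        return rq_qos_done_bio(bio->bi_bdev->bd_disk->queue, bio);
    return 0;
}

/* Post-fix shape: only bios that rq_qos actually tracked are reported. */
static int bio_endio_patched(struct bio *bio)
{
    if (bio->bi_bdev && (bio->flags & BIO_TRACKED))
        return rq_qos_done_bio(bio->bi_bdev->bd_disk->queue, bio);
    return 0;
}

/* Complete one constructed bio against a queue whose rq_qos is live or cleaned up.
 * Returns -1 if the path touched the freed rq_qos, otherwise how many times the
 * qos layer saw the bio (0 = correctly skipped, 1 = reported). */
int complete_bio(bool patched, bool queue_cleaned_up, unsigned flags)
{
    struct rq_qos qos = { 0 };
    struct request_queue q = { .rq_qos = queue_cleaned_up ? NULL : &qos };
    struct gendisk disk = { .queue = &q };
    struct block_device bdev = { .bd_disk = &disk };
    struct bio bio = { .bi_bdev = &bdev, .flags = flags };
    int rc = patched ? bio_endio_patched(&bio) : bio_endio_unpatched(&bio);
    return rc < 0 ? rc : qos.done_calls;
}
```

An untracked bio from a bio-based driver completing after queue teardown reaches the freed object only on the unpatched path; tracked bios on a live queue are reported identically by both.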
The vulnerability was fixed in kernel versions 5.14.11 with commit 004b8f8a6912 and 5.15 with commit a647a524a467. The affected file is `block/bio.c`. The Linux kernel CVE team recommends updating to the latest stable kernel version to resolve this issue, rather than cherry-picking individual commits.