The Linux kernel has a vulnerability (CVE-2021-47435) in the device-mapper (dm) module, specifically in the `dm_io_dec_pending()` function. This function is responsible for decrementing the pending I/O count of a dm io structure when an I/O operation completes.
The issue arises because the `end_io_acct()` function, which updates the I/O accounting statistics, is called before `free_io()`, which frees the dm io structure. This can cause a use-after-free bug, where the `end_io_acct()` function accesses memory that has already been freed.
To fix this issue, two changes were made:
1. Pointers to `struct dm_io` members are established in `dm_io_dec_pending()` so that they can be passed into `end_io_acct()` after `free_io()` is called.
2. The call to `end_io_acct()` is moved after the call to `free_io()`.
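The two fix steps above, shown as an added user-space model rather than the kernel's own code: `dec_pending_before()` keeps the original ordering and `dec_pending_after()` copies the `struct dm_io` members out, frees the element, and only then calls `end_io_acct()` with the copies. All structures, the poisoning `free_io()`, and the `in_use_at_idle` counter (which records how many pool elements were still checked out at the moment the accounted in-flight count reached zero, a detail assumed here and not stated on the page) are constructed stand-ins.

```c
#include <stddef.h>
/* Constructed stand-ins for the kernel objects; not the real dm code. */
struct bio { unsigned long sectors; };
struct mapped_device {
    unsigned long in_flight, sectors_done, latency_total;  /* accounting */
    unsigned long pool_in_use;    /* dm_io elements checked out of the pool */
    unsigned long in_use_at_idle; /* pool_in_use observed when in_flight hit 0 */
};
struct dm_io { struct mapped_device *md; struct bio *orig_bio;
               unsigned long start_time; int io_count; };
#define POISON 0xA5A5A5A5UL

/* free_io(): hand the element back to its pool and poison it, as a debug
 * allocator would, so any later read through io shows up as POISON/NULL. */
static void free_io(struct mapped_device *md, struct dm_io *io)
{
    md->pool_in_use--;
    io->md = NULL; io->orig_bio = NULL; io->start_time = POISON;
}

/* end_io_acct(): account the completion. Assumption modelled here: once
 * in_flight reaches zero a waiter may proceed, so record the pool state then. */
static void end_io_acct(struct mapped_device *md, struct bio *bio,
                        unsigned long start_time, unsigned long now)
{
    md->sectors_done += bio->sectors;
    md->latency_total += now - start_time;
    if (--md->in_flight == 0)
        md->in_use_at_idle = md->pool_in_use;
}

/* Pre-fix ordering: account first, free afterwards. Returns 1 on completion. */
static int dec_pending_before(struct dm_io *io, unsigned long now)
{
    if (--io->io_count != 0) return 0;
    end_io_acct(io->md, io->orig_bio, io->start_time, now);
    free_io(io->md, io);
    return 1;
}

/* Fixed ordering: copy the members accounting needs, free io, then account
 * from the copies, so nothing dereferences io after free_io(). */
static int dec_pending_after(struct dm_io *io, unsigned long now)
{
    if (--io->io_count != 0) return 0;
    struct mapped_device *md = io->md;
    struct bio *bio = io->orig_bio;
    unsigned long start_time = io->start_time;
    free_io(md, io);
    end_io_acct(md, bio, start_time, now);
    return 1;
}
```

With the original ordering the in-flight count reaches zero while one element is still out of the pool; with the fixed ordering the element is already back before accounting runs, and the accounting values are identical.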
This vulnerability affects various kernel versions, including 4.9, 4.14, 4.19, 5.4, 5.10, and 5.15. Fixes are available as commits that can be applied to each of these kernel series. The Linux kernel CVE team recommends updating to the latest stable kernel version to address this issue, which also brings many other bug fixes.