cve/published/2021/CVE-2021-47435.json - pub/scm/linux/security/vulns - Git at Google

 {
    "containers": {
       "cna": {
          "providerMetadata": {
             "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
          },
          "descriptions": [
             {
                "lang": "en",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: fix mempool NULL pointer race when completing IO\n\ndm_io_dec_pending() calls end_io_acct() first and will then dec md\nin-flight pending count. But if a task is swapping DM table at same\ntime this can result in a crash due to mempool->elements being NULL:\n\ntask1                             task2\ndo_resume\n ->do_suspend\n  ->dm_wait_for_completion\n                                  bio_endio\n\t\t\t\t   ->clone_endio\n\t\t\t\t    ->dm_io_dec_pending\n\t\t\t\t     ->end_io_acct\n\t\t\t\t      ->wakeup task1\n ->dm_swap_table\n  ->__bind\n   ->__bind_mempools\n    ->bioset_exit\n     ->mempool_exit\n                                     ->free_io\n\n[ 67.330330] Unable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000000\n......\n[ 67.330494] pstate: 80400085 (Nzcv daIf +PAN -UAO)\n[ 67.330510] pc : mempool_free+0x70/0xa0\n[ 67.330515] lr : mempool_free+0x4c/0xa0\n[ 67.330520] sp : ffffff8008013b20\n[ 67.330524] x29: ffffff8008013b20 x28: 0000000000000004\n[ 67.330530] x27: ffffffa8c2ff40a0 x26: 00000000ffff1cc8\n[ 67.330535] x25: 0000000000000000 x24: ffffffdada34c800\n[ 67.330541] x23: 0000000000000000 x22: ffffffdada34c800\n[ 67.330547] x21: 00000000ffff1cc8 x20: ffffffd9a1304d80\n[ 67.330552] x19: ffffffdada34c970 x18: 000000b312625d9c\n[ 67.330558] x17: 00000000002dcfbf x16: 00000000000006dd\n[ 67.330563] x15: 000000000093b41e x14: 0000000000000010\n[ 67.330569] x13: 0000000000007f7a x12: 0000000034155555\n[ 67.330574] x11: 0000000000000001 x10: 0000000000000001\n[ 67.330579] x9 : 0000000000000000 x8 : 0000000000000000\n[ 67.330585] x7 : 0000000000000000 x6 : ffffff80148b5c1a\n[ 67.330590] x5 : ffffff8008013ae0 x4 : 0000000000000001\n[ 67.330596] x3 : ffffff80080139c8 x2 : ffffff801083bab8\n[ 67.330601] x1 : 0000000000000000 x0 : ffffffdada34c970\n[ 67.330609] Call trace:\n[ 67.330616] mempool_free+0x70/0xa0\n[ 67.330627] bio_put+0xf8/0x110\n[ 67.330638] dec_pending+0x13c/0x230\n[ 67.330644] clone_endio+0x90/0x180\n[ 67.330649] bio_endio+0x198/0x1b8\n[ 67.330655] dec_pending+0x190/0x230\n[ 67.330660] clone_endio+0x90/0x180\n[ 67.330665] bio_endio+0x198/0x1b8\n[ 67.330673] blk_update_request+0x214/0x428\n[ 67.330683] scsi_end_request+0x2c/0x300\n[ 67.330688] scsi_io_completion+0xa0/0x710\n[ 67.330695] scsi_finish_command+0xd8/0x110\n[ 67.330700] scsi_softirq_done+0x114/0x148\n[ 67.330708] blk_done_softirq+0x74/0xd0\n[ 67.330716] __do_softirq+0x18c/0x374\n[ 67.330724] irq_exit+0xb4/0xb8\n[ 67.330732] __handle_domain_irq+0x84/0xc0\n[ 67.330737] gic_handle_irq+0x148/0x1b0\n[ 67.330744] el1_irq+0xe8/0x190\n[ 67.330753] lpm_cpuidle_enter+0x4f8/0x538\n[ 67.330759] cpuidle_enter_state+0x1fc/0x398\n[ 67.330764] cpuidle_enter+0x18/0x20\n[ 67.330772] do_idle+0x1b4/0x290\n[ 67.330778] cpu_startup_entry+0x20/0x28\n[ 67.330786] secondary_start_kernel+0x160/0x170\n\nFix this by:\n1) Establishing pointers to 'struct dm_io' members in\ndm_io_dec_pending() so that they may be passed into end_io_acct()\n_after_ free_io() is called.\n2) Moving end_io_acct() after free_io()."
             }
          ],
          "affected": [
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "unaffected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "drivers/md/dm.c"
                ],
                "versions": [
                   {
                      "version": "6a8736d10cb413be95ea443ba40f25c93f4ef9b2",
                      "lessThan": "9fb7cd5c7fef0f1c982e3cd27745a0dec260eaed",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "6a8736d10cb413be95ea443ba40f25c93f4ef9b2",
                      "lessThan": "d35aef9c60d310eff3eaddacce301efe877e2b7c",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "6a8736d10cb413be95ea443ba40f25c93f4ef9b2",
                      "lessThan": "9e07272cca2ed76f7f6073f4444b1143828c8d87",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "6a8736d10cb413be95ea443ba40f25c93f4ef9b2",
                      "lessThan": "ad1393b92e5059218d055bfec8f4946d85ad04c4",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "6a8736d10cb413be95ea443ba40f25c93f4ef9b2",
                      "lessThan": "d29c78d3f9c5d2604548c1065bf1ec212728ea61",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "6a8736d10cb413be95ea443ba40f25c93f4ef9b2",
                      "lessThan": "6e506f07c5b561d673dd0b0d8f7f420cc48024fb",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "6a8736d10cb413be95ea443ba40f25c93f4ef9b2",
                      "lessThan": "d208b89401e073de986dc891037c5a668f5d5d95",
                      "status": "affected",
                      "versionType": "git"
                   }
                ]
             },
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "affected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "drivers/md/dm.c"
                ],
                "versions": [
                   {
                      "version": "2.6.37",
                      "status": "affected"
                   },
                   {
                      "version": "0",
                      "lessThan": "2.6.37",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "4.9.313",
                      "lessThanOrEqual": "4.9.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "4.14.278",
                      "lessThanOrEqual": "4.14.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "4.19.242",
                      "lessThanOrEqual": "4.19.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.4.193",
                      "lessThanOrEqual": "5.4.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.10.113",
                      "lessThanOrEqual": "5.10.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.14.14",
                      "lessThanOrEqual": "5.14.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.15",
                      "lessThanOrEqual": "*",
                      "status": "unaffected",
                      "versionType": "original_commit_for_fix"
                   }
                ]
             }
          ],
          "cpeApplicability": [
             {
                "nodes": [
                   {
                      "operator": "OR",
                      "negate": false,
                      "cpeMatch": [
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "2.6.37",
                            "versionEndExcluding": "4.9.313"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "2.6.37",
                            "versionEndExcluding": "4.14.278"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "2.6.37",
                            "versionEndExcluding": "4.19.242"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "2.6.37",
                            "versionEndExcluding": "5.4.193"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "2.6.37",
                            "versionEndExcluding": "5.10.113"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "2.6.37",
                            "versionEndExcluding": "5.14.14"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "2.6.37",
                            "versionEndExcluding": "5.15"
                         }
                      ]
                   }
                ]
             }
          ],
          "references": [
             {
                "url": "https://git.kernel.org/stable/c/9fb7cd5c7fef0f1c982e3cd27745a0dec260eaed"
             },
             {
                "url": "https://git.kernel.org/stable/c/d35aef9c60d310eff3eaddacce301efe877e2b7c"
             },
             {
                "url": "https://git.kernel.org/stable/c/9e07272cca2ed76f7f6073f4444b1143828c8d87"
             },
             {
                "url": "https://git.kernel.org/stable/c/ad1393b92e5059218d055bfec8f4946d85ad04c4"
             },
             {
                "url": "https://git.kernel.org/stable/c/d29c78d3f9c5d2604548c1065bf1ec212728ea61"
             },
             {
                "url": "https://git.kernel.org/stable/c/6e506f07c5b561d673dd0b0d8f7f420cc48024fb"
             },
             {
                "url": "https://git.kernel.org/stable/c/d208b89401e073de986dc891037c5a668f5d5d95"
             }
          ],
          "title": "dm: fix mempool NULL pointer race when completing IO",
          "x_generator": {
             "engine": "bippy-1.2.0"
          }
       }
    },
    "cveMetadata": {
       "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
       "cveID": "CVE-2021-47435",
       "requesterUserId": "gregkh@kernel.org",
       "serial": "1",
       "state": "PUBLISHED"
    },
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0"
 }
	{
	"containers": {
	"cna": {
	"providerMetadata": {
	"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
	},
	"descriptions": [
	{
	"lang": "en",
	"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: fix mempool NULL pointer race when completing IO\n\ndm_io_dec_pending() calls end_io_acct() first and will then dec md\nin-flight pending count. But if a task is swapping DM table at same\ntime this can result in a crash due to mempool->elements being NULL:\n\ntask1 task2\ndo_resume\n ->do_suspend\n ->dm_wait_for_completion\n bio_endio\n\t\t\t\t ->clone_endio\n\t\t\t\t ->dm_io_dec_pending\n\t\t\t\t ->end_io_acct\n\t\t\t\t ->wakeup task1\n ->dm_swap_table\n ->__bind\n ->__bind_mempools\n ->bioset_exit\n ->mempool_exit\n ->free_io\n\n[ 67.330330] Unable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000000\n......\n[ 67.330494] pstate: 80400085 (Nzcv daIf +PAN -UAO)\n[ 67.330510] pc : mempool_free+0x70/0xa0\n[ 67.330515] lr : mempool_free+0x4c/0xa0\n[ 67.330520] sp : ffffff8008013b20\n[ 67.330524] x29: ffffff8008013b20 x28: 0000000000000004\n[ 67.330530] x27: ffffffa8c2ff40a0 x26: 00000000ffff1cc8\n[ 67.330535] x25: 0000000000000000 x24: ffffffdada34c800\n[ 67.330541] x23: 0000000000000000 x22: ffffffdada34c800\n[ 67.330547] x21: 00000000ffff1cc8 x20: ffffffd9a1304d80\n[ 67.330552] x19: ffffffdada34c970 x18: 000000b312625d9c\n[ 67.330558] x17: 00000000002dcfbf x16: 00000000000006dd\n[ 67.330563] x15: 000000000093b41e x14: 0000000000000010\n[ 67.330569] x13: 0000000000007f7a x12: 0000000034155555\n[ 67.330574] x11: 0000000000000001 x10: 0000000000000001\n[ 67.330579] x9 : 0000000000000000 x8 : 0000000000000000\n[ 67.330585] x7 : 0000000000000000 x6 : ffffff80148b5c1a\n[ 67.330590] x5 : ffffff8008013ae0 x4 : 0000000000000001\n[ 67.330596] x3 : ffffff80080139c8 x2 : ffffff801083bab8\n[ 67.330601] x1 : 0000000000000000 x0 : ffffffdada34c970\n[ 67.330609] Call trace:\n[ 67.330616] mempool_free+0x70/0xa0\n[ 67.330627] bio_put+0xf8/0x110\n[ 67.330638] dec_pending+0x13c/0x230\n[ 67.330644] clone_endio+0x90/0x180\n[ 67.330649] bio_endio+0x198/0x1b8\n[ 67.330655] dec_pending+0x190/0x230\n[ 67.330660] clone_endio+0x90/0x180\n[ 67.330665] bio_endio+0x198/0x1b8\n[ 67.330673] blk_update_request+0x214/0x428\n[ 67.330683] scsi_end_request+0x2c/0x300\n[ 67.330688] scsi_io_completion+0xa0/0x710\n[ 67.330695] scsi_finish_command+0xd8/0x110\n[ 67.330700] scsi_softirq_done+0x114/0x148\n[ 67.330708] blk_done_softirq+0x74/0xd0\n[ 67.330716] __do_softirq+0x18c/0x374\n[ 67.330724] irq_exit+0xb4/0xb8\n[ 67.330732] __handle_domain_irq+0x84/0xc0\n[ 67.330737] gic_handle_irq+0x148/0x1b0\n[ 67.330744] el1_irq+0xe8/0x190\n[ 67.330753] lpm_cpuidle_enter+0x4f8/0x538\n[ 67.330759] cpuidle_enter_state+0x1fc/0x398\n[ 67.330764] cpuidle_enter+0x18/0x20\n[ 67.330772] do_idle+0x1b4/0x290\n[ 67.330778] cpu_startup_entry+0x20/0x28\n[ 67.330786] secondary_start_kernel+0x160/0x170\n\nFix this by:\n1) Establishing pointers to 'struct dm_io' members in\ndm_io_dec_pending() so that they may be passed into end_io_acct()\n_after_ free_io() is called.\n2) Moving end_io_acct() after free_io()."
	}
	],
	"affected": [
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "unaffected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"drivers/md/dm.c"
	],
	"versions": [
	{
	"version": "6a8736d10cb413be95ea443ba40f25c93f4ef9b2",
	"lessThan": "9fb7cd5c7fef0f1c982e3cd27745a0dec260eaed",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "6a8736d10cb413be95ea443ba40f25c93f4ef9b2",
	"lessThan": "d35aef9c60d310eff3eaddacce301efe877e2b7c",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "6a8736d10cb413be95ea443ba40f25c93f4ef9b2",
	"lessThan": "9e07272cca2ed76f7f6073f4444b1143828c8d87",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "6a8736d10cb413be95ea443ba40f25c93f4ef9b2",
	"lessThan": "ad1393b92e5059218d055bfec8f4946d85ad04c4",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "6a8736d10cb413be95ea443ba40f25c93f4ef9b2",
	"lessThan": "d29c78d3f9c5d2604548c1065bf1ec212728ea61",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "6a8736d10cb413be95ea443ba40f25c93f4ef9b2",
	"lessThan": "6e506f07c5b561d673dd0b0d8f7f420cc48024fb",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "6a8736d10cb413be95ea443ba40f25c93f4ef9b2",
	"lessThan": "d208b89401e073de986dc891037c5a668f5d5d95",
	"status": "affected",
	"versionType": "git"
	}
	]
	},
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "affected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"drivers/md/dm.c"
	],
	"versions": [
	{
	"version": "2.6.37",
	"status": "affected"
	},
	{
	"version": "0",
	"lessThan": "2.6.37",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "4.9.313",
	"lessThanOrEqual": "4.9.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "4.14.278",
	"lessThanOrEqual": "4.14.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "4.19.242",
	"lessThanOrEqual": "4.19.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.4.193",
	"lessThanOrEqual": "5.4.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.10.113",
	"lessThanOrEqual": "5.10.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.14.14",
	"lessThanOrEqual": "5.14.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.15",
	"lessThanOrEqual": "*",
	"status": "unaffected",
	"versionType": "original_commit_for_fix"
	}
	]
	}
	],
	"cpeApplicability": [
	{
	"nodes": [
	{
	"operator": "OR",
	"negate": false,
	"cpeMatch": [
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "2.6.37",
	"versionEndExcluding": "4.9.313"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "2.6.37",
	"versionEndExcluding": "4.14.278"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "2.6.37",
	"versionEndExcluding": "4.19.242"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "2.6.37",
	"versionEndExcluding": "5.4.193"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "2.6.37",
	"versionEndExcluding": "5.10.113"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "2.6.37",
	"versionEndExcluding": "5.14.14"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "2.6.37",
	"versionEndExcluding": "5.15"
	}
	]
	}
	]
	}
	],
	"references": [
	{
	"url": "https://git.kernel.org/stable/c/9fb7cd5c7fef0f1c982e3cd27745a0dec260eaed"
	},
	{
	"url": "https://git.kernel.org/stable/c/d35aef9c60d310eff3eaddacce301efe877e2b7c"
	},
	{
	"url": "https://git.kernel.org/stable/c/9e07272cca2ed76f7f6073f4444b1143828c8d87"
	},
	{
	"url": "https://git.kernel.org/stable/c/ad1393b92e5059218d055bfec8f4946d85ad04c4"
	},
	{
	"url": "https://git.kernel.org/stable/c/d29c78d3f9c5d2604548c1065bf1ec212728ea61"
	},
	{
	"url": "https://git.kernel.org/stable/c/6e506f07c5b561d673dd0b0d8f7f420cc48024fb"
	},
	{
	"url": "https://git.kernel.org/stable/c/d208b89401e073de986dc891037c5a668f5d5d95"
	}
	],
	"title": "dm: fix mempool NULL pointer race when completing IO",
	"x_generator": {
	"engine": "bippy-1.2.0"
	}
	}
	},
	"cveMetadata": {
	"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
	"cveID": "CVE-2021-47435",
	"requesterUserId": "gregkh@kernel.org",
	"serial": "1",
	"state": "PUBLISHED"
	},
	"dataType": "CVE_RECORD",
	"dataVersion": "5.0"
	}