In the Linux kernel, the following vulnerability has been resolved:
s390/qeth: fix NULL deref in qeth_clear_working_pool_list()
When qeth_set_online() calls qeth_clear_working_pool_list() to roll back after an error exit from qeth_hardsetup_card(), we are at risk of accessing card->qdio.in_q before it was allocated by qeth_alloc_qdio_queues() via qeth_mpc_initialize().
qeth_clear_working_pool_list() then dereferences NULL, and by writing to queue->bufs[i].pool_entry scribbles all over the CPU's lowcore. This results in a crash when those lowcore areas are used next (e.g. on the next machine-check interrupt).
Such a scenario would typically happen when the device is first set online and its queues aren't allocated yet. An early IO error or certain misconfigs (e.g. mismatched transport mode, bad portno) then cause us to error out from qeth_hardsetup_card() with card->qdio.in_q still being NULL.
Fix it by checking the pointer for NULL before accessing it.
Note that we also have (rare) paths inside qeth_mpc_initialize() where a configuration change can cause us to free the existing queues, expecting that subsequent code will allocate them again. If we then error out before that re-allocation happens, the same bug occurs.
Root-caused-by: Heiko Carstens <hca@linux.ibm.com>
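The following is an added user-space model of the rollback ordering described in the commit message; it is not the qeth driver's code. The struct layouts, the model_* function names, the setup_outcome knob and the queue depth are assumptions made for illustration. It walks both failure paths the message names (queues never allocated; queues freed by a configuration change and not yet re-allocated) through a set_online-style rollback whose clear_working_pool_list carries the NULL check that the fix adds, and it shows the clear doing real work on the success path.

```c
/* Added example, not the qeth driver's code: a user-space model of the
 * qeth_set_online() rollback above; names, layouts and the outcome knob are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#define QDIO_MAX_BUFFERS_PER_Q 128  /* assumed queue depth */

struct qeth_qdio_buffer { void *pool_entry; };  /* pool element, or NULL */
struct qeth_qdio_q { struct qeth_qdio_buffer bufs[QDIO_MAX_BUFFERS_PER_Q]; };

/* Hypothetical knob: fail before in_q exists, fail after a config change freed it, or succeed. */
enum setup_outcome { SETUP_FAIL_BEFORE_ALLOC, SETUP_FAIL_AFTER_REFREE, SETUP_OK };
struct qeth_card { struct { struct qeth_qdio_q *in_q; } qdio; enum setup_outcome outcome; };

static int model_alloc_qdio_queues(struct qeth_card *card)
{
	struct qeth_qdio_q *q = calloc(1, sizeof(*q));
	if (!q)
		return -ENOMEM;
	for (int i = 0; i < QDIO_MAX_BUFFERS_PER_Q; i++)
		q->bufs[i].pool_entry = &q->bufs[i];  /* any non-NULL stand-in for a pool element */
	card->qdio.in_q = q;
	return 0;
}

static void model_free_qdio_queues(struct qeth_card *card)
{
	free(card->qdio.in_q);
	card->qdio.in_q = NULL;
}

/* The fix: bail out when the queue was never, or is no longer, allocated. Before the fix the
 * loop ran unconditionally; with in_q == NULL the kernel's stores to bufs[i].pool_entry land
 * at small absolute addresses, i.e. in the s390 lowcore (in this model: a plain segfault). */
static void model_clear_working_pool_list(struct qeth_card *card)
{
	struct qeth_qdio_q *queue = card->qdio.in_q;
	if (!queue)
		return;
	for (int i = 0; i < QDIO_MAX_BUFFERS_PER_Q; i++)
		queue->bufs[i].pool_entry = NULL;
}

/* Models qeth_hardsetup_card(): the queues only exist part-way through. */
static int model_hardsetup_card(struct qeth_card *card)
{
	if (card->outcome == SETUP_FAIL_BEFORE_ALLOC)
		return -EIO;                    /* early IO error / misconfig */
	int rc = model_alloc_qdio_queues(card);
	if (rc)
		return rc;
	if (card->outcome == SETUP_FAIL_AFTER_REFREE) {
		model_free_qdio_queues(card);   /* config change drops the queues ... */
		return -EINVAL;                 /* ... and we error out before re-allocating */
	}
	return 0;
}

/* Models qeth_set_online(): on error, roll back; in_q may be NULL here. */
static int model_set_online(struct qeth_card *card)
{
	int rc = model_hardsetup_card(card);
	if (rc) {
		model_clear_working_pool_list(card);
		model_free_qdio_queues(card);
	}
	return rc;
}

static int count_live_pool_entries(const struct qeth_card *card)
{
	int n = 0;
	for (int i = 0; card->qdio.in_q && i < QDIO_MAX_BUFFERS_PER_Q; i++)
		n += card->qdio.in_q->bufs[i].pool_entry != NULL;
	return n;
}

/* Run one scenario end to end and return set_online's rc. */
static int scenario_rc(enum setup_outcome outcome)
{
	struct qeth_card card = { .outcome = outcome };
	int rc = model_set_online(&card);
	model_free_qdio_queues(&card);
	return rc;
}

/* Success path: go online, clear the pool list, count what remains (expect 0). */
static int live_entries_after_clear(void)
{
	struct qeth_card card = { .outcome = SETUP_OK };
	int before = model_set_online(&card) ? -1 : count_live_pool_entries(&card);
	model_clear_working_pool_list(&card);
	int after = before == QDIO_MAX_BUFFERS_PER_Q ? count_live_pool_entries(&card) : -1;
	model_free_qdio_queues(&card);
	return after;
}

int main(void)
{
	printf("rc: before-alloc=%d re-free=%d ok=%d; live entries after clear=%d\n",
	       scenario_rc(SETUP_FAIL_BEFORE_ALLOC), scenario_rc(SETUP_FAIL_AFTER_REFREE),
	       scenario_rc(SETUP_OK), live_entries_after_clear());
	return 0;
}
```

Removing the `if (!queue) return;` line from model_clear_working_pool_list reproduces the pre-fix shape: both failure scenarios then write through a NULL queue pointer during rollback, which in this model is an immediate segfault and in the kernel is the lowcore corruption the message describes. The guard is cheap and belongs in the callee rather than at each call site, since the "free then fail before re-allocation" path in the second scenario reaches the same rollback with in_q already NULL.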