CVE-2021-47435

In the Linux kernel, the following vulnerability has been resolved:

dm: fix mempool NULL pointer race when completing IO

dmiodecpending() calls endio_acct() first and will then dec md in-flight pending count. But if a task is swapping DM table at same time this can result in a crash due to mempool->elements being NULL:

task1 task2 doresume ->dosuspend ->dmwaitforcompletion bioendio ->cloneendio ->dmiodecpending ->endioacct ->wakeup task1 ->dmswaptable ->bind ->bindmempools ->biosetexit ->mempoolexit ->freeio

[ 67.330330] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 ...... [ 67.330494] pstate: 80400085 (Nzcv daIf +PAN -UAO) [ 67.330510] pc : mempoolfree+0x70/0xa0 [ 67.330515] lr : mempoolfree+0x4c/0xa0 [ 67.330520] sp : ffffff8008013b20 [ 67.330524] x29: ffffff8008013b20 x28: 0000000000000004 [ 67.330530] x27: ffffffa8c2ff40a0 x26: 00000000ffff1cc8 [ 67.330535] x25: 0000000000000000 x24: ffffffdada34c800 [ 67.330541] x23: 0000000000000000 x22: ffffffdada34c800 [ 67.330547] x21: 00000000ffff1cc8 x20: ffffffd9a1304d80 [ 67.330552] x19: ffffffdada34c970 x18: 000000b312625d9c [ 67.330558] x17: 00000000002dcfbf x16: 00000000000006dd [ 67.330563] x15: 000000000093b41e x14: 0000000000000010 [ 67.330569] x13: 0000000000007f7a x12: 0000000034155555 [ 67.330574] x11: 0000000000000001 x10: 0000000000000001 [ 67.330579] x9 : 0000000000000000 x8 : 0000000000000000 [ 67.330585] x7 : 0000000000000000 x6 : ffffff80148b5c1a [ 67.330590] x5 : ffffff8008013ae0 x4 : 0000000000000001 [ 67.330596] x3 : ffffff80080139c8 x2 : ffffff801083bab8 [ 67.330601] x1 : 0000000000000000 x0 : ffffffdada34c970 [ 67.330609] Call trace: [ 67.330616] mempoolfree+0x70/0xa0 [ 67.330627] bioput+0xf8/0x110 [ 67.330638] decpending+0x13c/0x230 [ 67.330644] cloneendio+0x90/0x180 [ 67.330649] bioendio+0x198/0x1b8 [ 67.330655] decpending+0x190/0x230 [ 67.330660] cloneendio+0x90/0x180 [ 67.330665] bioendio+0x198/0x1b8 [ 67.330673] blkupdaterequest+0x214/0x428 [ 67.330683] scsiendrequest+0x2c/0x300 [ 67.330688] scsiiocompletion+0xa0/0x710 [ 67.330695] scsifinishcommand+0xd8/0x110 [ 67.330700] scsisoftirqdone+0x114/0x148 [ 67.330708] blkdonesoftirq+0x74/0xd0 [ 67.330716] _dosoftirq+0x18c/0x374 [ 67.330724] irqexit+0xb4/0xb8 [ 67.330732] _handledomainirq+0x84/0xc0 [ 67.330737] gichandleirq+0x148/0x1b0 [ 67.330744] el1irq+0xe8/0x190 [ 67.330753] lpmcpuidleenter+0x4f8/0x538 [ 67.330759] cpuidleenterstate+0x1fc/0x398 [ 67.330764] cpuidleenter+0x18/0x20 [ 67.330772] doidle+0x1b4/0x290 [ 67.330778] cpustartupentry+0x20/0x28 [ 67.330786] secondarystart_kernel+0x160/0x170

Fix this by: 1) Establishing pointers to 'struct dmio' members in dmiodecpending() so that they may be passed into endioacct() after freeio() is called. 2) Moving endioacct() after freeio().