In the Linux kernel, the following vulnerability has been resolved:
tty: fix possible null-ptr-defer in spkttyiorelease
Run the following tests on the qemu platform:
syzkaller:~# modprobe speakup_audptr input: Speakup as /devices/virtual/input/input4 initialized device: /dev/synth, node (MAJOR 10, MINOR 125) speakup 3.1.6: initialized synth name on entry is: (null) synth probe
spkttyioinitialiseldisc failed because ttykopen_exclusive returned failed (errno -16), then remove the module, we will get a null-ptr-defer problem, as follow:
syzkaller:~# modprobe -r speakupaudptr releasing synth audptr BUG: kernel NULL pointer dereference, address: 0000000000000080 #PF: supervisor write access in kernel mode #PF: errorcode(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] PREEMPT SMP PTI CPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty #1 RIP: 0010:mutexlock+0x14/0x30 Call Trace: <TASK> spkttyiorelease+0x19/0x70 [speakup] synthrelease.part.6+0xac/0xc0 [speakup] synthremove+0x56/0x60 [speakup] _x64sysdeletemodule+0x156/0x250 ? fpregsassertstateconsistent+0x1d/0x50 dosyscall64+0x37/0x90 entrySYSCALL64afterhwframe+0x63/0xcd </TASK> Modules linked in: speakup_audptr(-) speakup Dumping ftrace buffer:
insynth->dev was not initialized during modprobe, so we add check for insynth->dev to fix this bug.