CVE-2022-50388

In the Linux kernel, the following vulnerability has been resolved:

nvme: fix multipath crash caused by flush request when blktrace is enabled

The flush request initialized by blkkickflush has NULL bio, and it may be dealt with nvmeendreq during io completion. When blktrace is enabled, nvmetracebio_complete with multipath activated trying to access NULL pointer bio from flush request results in the following crash:

[ 2517.831677] BUG: kernel NULL pointer dereference, address: 000000000000001a [ 2517.835213] #PF: supervisor read access in kernel mode [ 2517.838724] #PF: errorcode(0x0000) - not-present page [ 2517.842222] PGD 7b2d51067 P4D 0 [ 2517.845684] Oops: 0000 [#1] SMP NOPTI [ 2517.849125] CPU: 2 PID: 732 Comm: kworker/2:1H Kdump: loaded Tainted: G S 5.15.67-0.cl9.x8664 #1 [ 2517.852723] Hardware name: XFUSION 2288H V6/BC13MBSBC, BIOS 1.13 07/27/2022 [ 2517.856358] Workqueue: nvmetcpwq nvmetcpiowork [nvmetcp] [ 2517.859993] RIP: 0010:blkaddtracebiocomplete+0x6/0x30 [ 2517.863628] Code: 1f 44 00 00 48 8b 46 08 31 c9 ba 04 00 10 00 48 8b 80 50 03 00 00 48 8b 78 50 e9 e5 fe ff ff 0f 1f 44 00 00 41 54 49 89 f4 55 <0f> b6 7a 1a 48 89 d5 e8 3e 1c 2b 00 48 89 ee 4c 89 e7 5d 89 c1 ba [ 2517.871269] RSP: 0018:ff7f6a008d9dbcd0 EFLAGS: 00010286 [ 2517.875081] RAX: ff3d5b4be00b1d50 RBX: 0000000002040002 RCX: ff3d5b0a270f2000 [ 2517.878966] RDX: 0000000000000000 RSI: ff3d5b0b021fb9f8 RDI: 0000000000000000 [ 2517.882849] RBP: ff3d5b0b96a6fa00 R08: 0000000000000001 R09: 0000000000000000 [ 2517.886718] R10: 000000000000000c R11: 000000000000000c R12: ff3d5b0b021fb9f8 [ 2517.890575] R13: 0000000002000000 R14: ff3d5b0b021fb1b0 R15: 0000000000000018 [ 2517.894434] FS: 0000000000000000(0000) GS:ff3d5b42bfc80000(0000) knlGS:0000000000000000 [ 2517.898299] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 2517.902157] CR2: 000000000000001a CR3: 00000004f023e005 CR4: 0000000000771ee0 [ 2517.906053] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 2517.909930] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 2517.913761] PKRU: 55555554 [ 2517.917558] Call Trace: [ 2517.921294] <TASK> [ 2517.924982] nvmecompleterq+0x1c3/0x1e0 [nvmecore] [ 2517.928715] nvmetcprecvpdu+0x4d7/0x540 [nvmetcp] [ 2517.932442] nvmetcprecvskb+0x4f/0x240 [nvmetcp] [ 2517.936137] ? nvmetcprecvpdu+0x540/0x540 [nvmetcp] [ 2517.939830] tcpreadsock+0x9c/0x260 [ 2517.943486] nvmetcptryrecv+0x65/0xa0 [nvmetcp] [ 2517.947173] nvmetcpiowork+0x64/0x90 [nvmetcp] [ 2517.950834] processonework+0x1e8/0x390 [ 2517.954473] workerthread+0x53/0x3c0 [ 2517.958069] ? processonework+0x390/0x390 [ 2517.961655] kthread+0x10c/0x130 [ 2517.965211] ? setkthreadstruct+0x40/0x40 [ 2517.968760] retfromfork+0x1f/0x30 [ 2517.972285] </TASK>

To avoid this situation, add a NULL check for req->bio before calling traceblockbio_complete.