In the Linux kernel, the following vulnerability has been resolved:
scsi: hisi_sas: Set debugfs_dir pointer to NULL after removing debugfs
If debugfs initialisation fails during device registration because of a memory allocation failure, debugfs_remove_recursive() is called, but debugfs_dir is not set to NULL afterwards. debugfs_remove_recursive() is then called again during device removal, so the stale pointer is accessed:
[ 1665.467244] hisi_sas_v3_hw 0000:b4:02.0: failed to init debugfs!
...
[ 1669.836708] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0
[ 1669.872669] pc : down_write+0x24/0x70
[ 1669.876315] lr : down_write+0x1c/0x70
[ 1669.879961] sp : ffff000036f53a30
[ 1669.883260] x29: ffff000036f53a30 x28: ffffa027c31549f8
[ 1669.888547] x27: ffffa027c3140000 x26: 0000000000000000
[ 1669.893834] x25: ffffa027bf37c270 x24: ffffa027bf37c270
[ 1669.899122] x23: ffff0000095406b8 x22: ffff0000095406a8
[ 1669.904408] x21: 0000000000000000 x20: ffffa027bf37c310
[ 1669.909695] x19: 00000000000000a0 x18: ffff8027dcd86f10
[ 1669.914982] x17: 0000000000000000 x16: 0000000000000000
[ 1669.920268] x15: 0000000000000000 x14: ffffa0274014f870
[ 1669.925555] x13: 0000000000000040 x12: 0000000000000228
[ 1669.930842] x11: 0000000000000020 x10: 0000000000000bb0
[ 1669.936129] x9 : ffff000036f537f0 x8 : ffff80273088ca10
[ 1669.941416] x7 : 000000000000001d x6 : 00000000ffffffff
[ 1669.946702] x5 : ffff000008a36310 x4 : ffff80273088be00
[ 1669.951989] x3 : ffff000009513e90 x2 : 0000000000000000
[ 1669.957276] x1 : 00000000000000a0 x0 : ffffffff00000001
[ 1669.962563] Call trace:
[ 1669.965000] down_write+0x24/0x70
[ 1669.968301] debugfs_remove_recursive+0x5c/0x1b0
[ 1669.972905] hisi_sas_debugfs_exit+0x24/0x30 [hisi_sas_main]
[ 1669.978541] hisi_sas_v3_remove+0x130/0x150 [hisi_sas_v3_hw]
[ 1669.984175] pci_device_remove+0x48/0xd8
[ 1669.988082] device_release_driver_internal+0x1b4/0x250
[ 1669.993282] device_release_driver+0x28/0x38
[ 1669.997534] pci_stop_bus_device+0x84/0xb8
[ 1670.001611] pci_stop_and_remove_bus_device_locked+0x24/0x40
[ 1670.007244] remove_store+0xfc/0x140
[ 1670.010802] dev_attr_store+0x44/0x60
[ 1670.014448] sysfs_kf_write+0x58/0x80
[ 1670.018095] kernfs_fop_write+0xe8/0x1f0
[ 1670.022000] __vfs_write+0x60/0x190
[ 1670.025472] vfs_write+0xac/0x1c0
[ 1670.028771] ksys_write+0x6c/0xd8
[ 1670.032071] __arm64_sys_write+0x24/0x30
[ 1670.035977] el0_svc_common+0x78/0x130
[ 1670.039710] el0_svc_handler+0x38/0x78
[ 1670.043442] el0_svc+0x8/0xc
To fix this, set debugfs_dir to NULL after debugfs_remove_recursive() so that the removal path sees a NULL pointer, which debugfs_remove_recursive() ignores, instead of a dangling one.
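As an added illustration, not the driver's own code, the probe-failure and device-removal sequence described above, with the debugfs helpers replaced by constructed mocks that count a removal issued on an already-removed dentry instead of crashing. The hisi_hba struct, the alloc_fails flag and the mock_ function names are assumptions; the stale pointer reaches the second removal exactly once on the buggy path and never once debugfs_dir is cleared.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
/* Constructed stand-in for a dentry: it only records whether it was torn down. */
struct dentry { bool removed; };
struct hisi_hba { struct dentry *debugfs_dir; };
static struct dentry dentry_pool;   /* the single "dentry" init hands out */
static int stale_removals;          /* removals issued on an already-removed dentry */

static void mock_debugfs_remove_recursive(struct dentry *d)
{
    if (d == NULL)          /* like the real helper: NULL is silently ignored */
        return;
    if (d->removed) {       /* dangling pointer: the kernel would UAF here */
        stale_removals++;
        return;
    }
    d->removed = true;
}

/* Probe-time init; alloc_fails models the allocation failure from the report. */
static int debugfs_init(struct hisi_hba *hba, bool alloc_fails, bool fixed)
{
    dentry_pool.removed = false;
    hba->debugfs_dir = &dentry_pool;    /* stands in for debugfs_create_dir() */
    if (alloc_fails) {
        mock_debugfs_remove_recursive(hba->debugfs_dir);
        if (fixed)
            hba->debugfs_dir = NULL;    /* the fix: drop the stale pointer */
        return -ENOMEM;
    }
    return 0;
}

/* Device removal tears debugfs down whether or not init succeeded. */
static void debugfs_exit(struct hisi_hba *hba)
{
    mock_debugfs_remove_recursive(hba->debugfs_dir);
}

/* Probe with the allocation failing, then remove; returns the stale-pointer count. */
static int run_lifecycle(bool fixed)
{
    struct hisi_hba hba = { NULL };
    stale_removals = 0;
    debugfs_init(&hba, true, fixed);
    debugfs_exit(&hba);
    return stale_removals;
}
```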