Linux Kernel Mempool Free NULL Pointer Dereference Vulnerability

Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel's MD (multiple device) layer in versions prior to 6.1.0. It causes a crash in 'mempool_free', the function that returns memory to a managed pool. The crash was observed while running LVM (Logical Volume Manager) tests, in particular the 'lvchange-rebuild-raid.sh' script. The root cause is a race condition between the 'super_written' function and 'bio_put', which releases a reference to a bio. When 'super_written' decrements the pending write count and wakes up a waiting process, that process can run before 'bio_put' has completed. If the woken process exits, and with it the bio set is destroyed, before 'bio_put' finishes, the bio is freed into an already destroyed bio set and the kernel crashes.
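To make the ordering concrete, here is an added single-threaded model of the race (written for this page, not kernel code): the bio_set, bio and mddev structs are simplified stand-ins, the waiter_runs() hook is an assumed preemption point right after the wakeup, and the mempool_free stand-in returns an error instead of dereferencing a freed pool so the two orderings can be compared.

```c
/* Model of the super_written/bio_put ordering race described above.
 * Constructed illustration: structs and the waiter_runs() hook are assumptions. */
#include <stdbool.h>
struct bio_set { bool destroyed; };          /* stands in for the mempool-backed bio set */
struct bio { struct bio_set *bs; };
struct mddev {
    int pending_writes;                      /* atomic_t pending_writes in the kernel */
    struct bio_set sync_set;                 /* bio set the superblock bio came from */
    bool waiter_runnable;                    /* set when wake_up() would let the waiter run */
};
/* The woken waiter (the exiting process) tears down the bio set. */
static void waiter_runs(struct mddev *m)
{
    if (m->waiter_runnable) {
        m->sync_set.destroyed = true;
        m->waiter_runnable = false;
    }
}
/* mempool_free stand-in: returns -1 instead of crashing when the pool is gone. */
static int bio_put(struct bio *b)
{
    return b->bs->destroyed ? -1 : 0;
}
/* Buggy ordering: decrement and wake first, bio_put afterwards. The waiter can
 * run at the preemption point and destroy the bio set before bio_put. */
int super_written_buggy(struct mddev *m, struct bio *b)
{
    if (--m->pending_writes == 0)
        m->waiter_runnable = true;           /* wake_up(&mddev->sb_wait) */
    waiter_runs(m);                          /* preemption: waiter exits, bio set destroyed */
    return bio_put(b);
}
/* Safe ordering: release the bio while the pending count still pins the bio
 * set, and only then decrement and wake the waiter. */
int super_written_fixed(struct mddev *m, struct bio *b)
{
    int rc = bio_put(b);
    if (--m->pending_writes == 0)
        m->waiter_runnable = true;
    waiter_runs(m);
    return rc;
}
/* One outstanding superblock write; returns bio_put's result under that ordering. */
int run_scenario(int (*fn)(struct mddev *, struct bio *))
{
    struct mddev m = { .pending_writes = 1, .sync_set = { .destroyed = false }, .waiter_runnable = false };
    struct bio b = { .bs = &m.sync_set };
    return fn(&m, &b);
}
```

The buggy ordering frees into a destroyed pool (-1); keeping the pending count held until the bio is released (0) is the invariant a reviewer should look for in completion handlers.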

Impact

Exploitation of this vulnerability leads to a kernel panic due to a NULL pointer dereference, causing a crash in the 'mempool_free' function.

Reproduction

The vulnerability can be reproduced by running the LVM test suite, specifically the 'lvchange-rebuild-raid.sh' script, which triggers the race condition in the MD layer.

Remediation

Users can upgrade to Linux kernel version 6.1.0 or later, where this vulnerability has been fixed.

Added: Sep 18, 2025, 4:00 PM
Updated: Sep 18, 2025, 4:00 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.