Linux Kernel NULL Pointer Dereference Vulnerability in Null Block Driver via io_uring Poll Request Timeout

Vulnerability

A vulnerability in the Linux kernel's null block driver (null_blk) can lead to a NULL pointer dereference and a kernel crash. The issue is triggered during io_uring benchmarks on the null block device (/dev/nullb0) when poll requests time out. The root cause is a race condition between the null_timeout_rq() and null_poll() functions: the timeout handling of a poll request is not correctly coordinated with the polling path, so the two can act on the same request concurrently, and the resulting mishandling of the timeout leads to a crash.

Impact

Exploitation of this vulnerability causes a kernel panic due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial of service.
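The crash described above surfaces as a kernel oops in the system log, so the practical detection question for an operator is whether a NULL pointer dereference on a host involves the null_blk timeout or poll path. The following script is an added example, not part of this advisory or of the kernel source: it splits a dmesg excerpt into oops records and flags those whose frames name null_timeout_rq or null_poll. The log lines are constructed here to follow the generic x86 oops format; the timestamps, offsets, kernel version string and the second, unrelated oops are placeholders, and only the two function names come from the advisory.

```python
import re

# Constructed dmesg excerpt (not a real crash log). The layout follows the
# generic x86 kernel oops format; offsets, addresses and the "example_mod"
# oops are placeholders, and "6.x.y-placeholder" is not a real version.
SAMPLE_DMESG = """\
[  120.001000] null_blk: module loaded
[  131.215001] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  131.215010] #PF: supervisor read access in kernel mode
[  131.215020] Oops: 0000 [#1] PREEMPT SMP
[  131.215030] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.x.y-placeholder #1
[  131.215040] RIP: 0010:null_timeout_rq+0x2a/0xb0 [null_blk]
[  131.215050] Call Trace:
[  131.215060]  <IRQ>
[  131.215070]  blk_mq_check_expired+0x40/0x90
[  131.215080]  blk_mq_queue_tag_busy_iter+0x1c0/0x2a0
[  131.215090]  blk_mq_timeout_work+0x6c/0x120
[  131.215100]  </IRQ>
[  131.215110] ---[ end trace 0000000000000000 ]---
[  140.000000] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  140.000010] RIP: 0010:example_driver_fn+0x10/0x20 [example_mod]
[  140.000020] Call Trace:
[  140.000030]  example_worker+0x30/0x50 [example_mod]
[  140.000040] ---[ end trace 0000000000000001 ]---
"""

OOPS_START = re.compile(r"BUG: kernel NULL pointer dereference")
OOPS_END = re.compile(r"---\[ end trace ")
TIMESTAMP = re.compile(r"^\[\s*[\d.]+\]\s?")
# A symbolized frame: symbol+0xoff/0xsize, optionally followed by [module].
FRAME = re.compile(
    r"\b([A-Za-z_][A-Za-z0-9_.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[([A-Za-z0-9_]+)\])?"
)

# Functions named by the advisory as the two sides of the race.
NULL_BLK_RACE_FUNCTIONS = {"null_timeout_rq", "null_poll"}


def parse_oopses(text):
    """Split a dmesg excerpt into NULL pointer dereference oops records.

    Each record holds the header line, the ordered list of frame symbols
    (RIP plus Call Trace) and the set of modules those frames belong to.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw)
        if OOPS_START.search(line):
            current = {"header": line, "frames": [], "modules": set()}
            continue
        if current is None:
            continue  # not inside an oops; ignore ordinary log noise
        for match in FRAME.finditer(line):
            current["frames"].append(match.group(1))
            if match.group(2):
                current["modules"].add(match.group(2))
        if OOPS_END.search(line):
            records.append(current)
            current = None
    if current is not None:  # truncated log: keep the partial record
        records.append(current)
    return records


def involves_null_blk_race(record):
    """True if the oops passed through null_timeout_rq() or null_poll()."""
    return bool(NULL_BLK_RACE_FUNCTIONS.intersection(record["frames"]))


def scan(text):
    """Return (record, flagged) pairs for every NULL-deref oops in the log."""
    return [(rec, involves_null_blk_race(rec)) for rec in parse_oopses(text)]


if __name__ == "__main__":
    for rec, flagged in scan(SAMPLE_DMESG):
        status = "null_blk timeout/poll path" if flagged else "unrelated"
        print(f"{rec['header']} -> {status}; modules={sorted(rec['modules'])}")
```

On a live host the same functions can be fed the output of `dmesg` or the contents of `/var/log/kern.log`; a flagged record on a machine that runs io_uring workloads against /dev/nullb0 is the signal to apply the kernel update described under Remediation.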

Reproduction

To reproduce this vulnerability, run io_uring benchmarks against the null block device (/dev/nullb0) while inducing poll request timeouts. Configuring the io_uring requests to time out before they complete triggers the race between the polling and timeout handling in the null block driver.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. The specific commit addressing this issue is available in the Linux kernel stable tree.

Added: Oct 1, 2025, 1:23 PM
Updated: Oct 1, 2025, 1:23 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.