Linux Kernel blk-cgroup NULL Pointer Dereference Vulnerability

Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel's block cgroup (blk-cgroup) subsystem, specifically within the I/O cost (io.cost) policy management. This vulnerability arises because the policy data for block groups is installed before it is properly initialized, creating a race condition that can lead to a kernel crash. The issue is triggered when the I/O weight is modified while the policy data is being activated, causing a dereference of an uninitialized pointer and resulting in a system crash.

Impact

Exploitation of this vulnerability leads to a kernel crash due to a NULL pointer dereference, causing a denial of service by interrupting system operations and potentially leading to data loss or corruption.

Reproduction

The vulnerability can be reproduced by creating a script that enables the I/O cost policy, modifies the I/O weight, and then simultaneously writes to the I/O cost quality of service control, all while the policy data is being activated. This sequence creates a race condition that triggers the NULL pointer dereference, causing the system to crash.

Remediation

Users can apply the patch included in the upstream commit 'ec14a87ee1999b19d8b7ed0fa95fea80644624ae' to address this vulnerability. Instructions for applying the patch can be found in the Linux kernel stable tree.
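As an added defender-side example (not part of this advisory or of the kernel project's own code), the following Python script inventories which block devices currently have the io.cost policy enabled. It assumes that the "I/O cost quality of service control" named above is the cgroup v2 root file `io.cost.qos`, whose lines have the documented form `MAJ:MIN enable=0|1 ctrl=auto|user rpct=... rlat=... wpct=... wlat=... min=... max=...`; the sample file contents are constructed, not captured from a real host. Knowing whether io.cost is active on a machine tells an administrator whether the affected policy code is in use there at all, which helps prioritise rolling out the fixed kernel.

```python
"""Report which block devices have blk-iocost (io.cost) enabled.

Reads the cgroup v2 root io.cost.qos file if present, otherwise falls
back to a constructed sample so the script runs offline.
"""
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# Constructed sample of io.cost.qos contents (not from a real system).
SAMPLE_IO_COST_QOS = """\
8:0 enable=1 ctrl=user rpct=95.00 rlat=250000 wpct=95.00 wlat=250000 min=50.00 max=150.00
8:16 enable=0 ctrl=auto rpct=95.00 rlat=250000 wpct=95.00 wlat=250000 min=50.00 max=150.00
259:0 enable=1 ctrl=auto rpct=95.00 rlat=250000 wpct=95.00 wlat=250000 min=50.00 max=150.00
"""


@dataclass
class IocostDevice:
    """One io.cost.qos line: the MAJ:MIN device number and its key=value params."""
    devno: str
    params: Dict[str, str]

    @property
    def enabled(self) -> bool:
        # enable=1 means the io.cost policy is active for this device.
        return self.params.get("enable") == "1"


def parse_io_cost_qos(text: str) -> List[IocostDevice]:
    """Parse io.cost.qos contents; raises ValueError on a malformed line."""
    devices: List[IocostDevice] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split()
        devno = fields[0]
        if ":" not in devno:
            raise ValueError(f"line {lineno}: expected MAJ:MIN, got {devno!r}")
        params: Dict[str, str] = {}
        for field in fields[1:]:
            key, sep, value = field.partition("=")
            if not sep or not key:
                raise ValueError(f"line {lineno}: malformed field {field!r}")
            params[key] = value
        devices.append(IocostDevice(devno, params))
    return devices


def iocost_enabled_devices(text: str) -> List[str]:
    """Return the MAJ:MIN numbers of devices with io.cost enabled."""
    return [dev.devno for dev in parse_io_cost_qos(text) if dev.enabled]


def read_live_io_cost_qos(cgroup_root: str = "/sys/fs/cgroup") -> str:
    """Read the real file from the cgroup v2 root (assumed default mount point)."""
    return (Path(cgroup_root) / "io.cost.qos").read_text()


if __name__ == "__main__":
    try:
        contents = read_live_io_cost_qos()
        source = "live io.cost.qos"
    except OSError:
        contents = SAMPLE_IO_COST_QOS
        source = "constructed sample"
    enabled = iocost_enabled_devices(contents)
    print(f"[{source}] devices with io.cost enabled: {enabled or 'none'}")
    for dev in parse_io_cost_qos(contents):
        state = "enabled" if dev.enabled else "disabled"
        print(f"  {dev.devno}: {state} (ctrl={dev.params.get('ctrl', '?')})")
```

Run it as root on a cgroup v2 host to see the live state; on any other machine it reports the constructed sample. A host on which every device shows `enable=0` is not using the io.cost policy, while one showing `enable=1` anywhere is running the affected subsystem and should be moved to a kernel carrying the upstream fix.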

Added: Dec 30, 2025, 2:42 PM
Updated: Dec 30, 2025, 2:42 PM

Vulnerability Rating

Custom Algorithm
  spread          9.0
  impact          2.5
  exploitability  3.9
  remediation     7.7
  relevance       1.8
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.