Linux Kernel NVMe Subsystem Race Condition Vulnerability Leading to NULL Pointer Dereference

Vulnerability

A race condition vulnerability has been identified in the Linux kernel's NVMe subsystem, specifically within the 'nvmet_bio_done()' function. This vulnerability can lead to a NULL pointer dereference in 'blk_cgroup_bio_start()', causing a kernel crash. The issue arises when 'nvmet_bio_done()' is called upon the completion of a bio. Subsequently, 'nvmet_req_complete()' is invoked, which triggers the 'queue_response' callback. This callback can re-queue and resubmit the same request, reusing the inline_bio from 'nvmet_req'. However, 'nvmet_req_bio_put()' (called after 'nvmet_req_complete') deinitializes the inline_bio, setting its 'bi_blkg' to NULL. When the re-submitted bio is processed, 'blk_cgroup_bio_start()' attempts to dereference the now NULL 'bi_blkg', leading to a crash. The vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability causes a kernel NULL pointer dereference, leading to a crash. The dereference occurs in 'blk_cgroup_bio_start()', where the function attempts to access 'bio->bi_blkg', which has been set to NULL by a previous operation. This NULL dereference triggers a kernel panic, disrupting system operations and potentially causing a denial of service.

Reproduction

The vulnerability can be reproduced by submitting a bio through the NVMe target subsystem that triggers the 'nvmet_bio_done()' function. This can be done by performing I/O operations on an NVMe device that is managed by the NVMe target. The race condition is created when the 'queue_response' callback re-queues and resubmits the same request before the previous one has been properly cleaned up. The re-submitted bio then enters the submission process with a NULL 'bi_blkg', which is dereferenced in 'blk_cgroup_bio_start()', causing the crash.

Remediation

The vulnerability has been addressed by modifying the 'nvmet_bio_done()' function to call 'nvmet_req_bio_put()' before 'nvmet_req_complete()'. This change ensures that the bio is properly cleaned up before the request can be resubmitted, effectively preventing the race condition. Users can apply the latest patches available in the Linux kernel stable tree to mitigate this vulnerability.
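To make the ordering concrete, the following is an added C model of the interleaving described above; it is not kernel code, and the struct and function names (suffixed with _model) are simplified stand-ins for the real nvmet and block-layer ones. It shows why calling 'nvmet_req_bio_put()' before 'nvmet_req_complete()' removes the NULL 'bi_blkg' at submission time.

```c
/* Simplified model of the nvmet_bio_done() ordering bug. Not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct blkcg_gq { int id; };                 /* stand-in for the real cgroup struct */
struct bio { struct blkcg_gq *bi_blkg; };    /* only the field the bug touches */
struct nvmet_req { struct bio inline_bio; }; /* the reused embedded bio */

static struct blkcg_gq model_blkg = { 1 };

/* Models bio submission associating the bio with its cgroup (sets bi_blkg). */
static void submit_bio_model(struct bio *bio) { bio->bi_blkg = &model_blkg; }

/* Models nvmet_req_bio_put(): for the inline bio, uninit clears bi_blkg. */
static void nvmet_req_bio_put_model(struct nvmet_req *req, struct bio *bio)
{
    if (bio == &req->inline_bio)
        bio->bi_blkg = NULL;
}

/* Models blk_cgroup_bio_start(): returns false where the kernel would oops. */
static bool blk_cgroup_bio_start_model(const struct bio *bio)
{
    return bio->bi_blkg != NULL;
}

/* Vulnerable order: complete (queue_response resubmits) before bio_put. */
static bool vulnerable_order(void)
{
    struct nvmet_req req = { { &model_blkg } };  /* bio completing, blkg attached */
    struct bio *bio = &req.inline_bio;
    submit_bio_model(bio);                /* resubmission reuses inline_bio */
    nvmet_req_bio_put_model(&req, bio);   /* original context uninits it */
    return blk_cgroup_bio_start_model(bio);  /* NULL bi_blkg -> false */
}

/* Fixed order: bio_put first, then complete/resubmit. */
static bool fixed_order(void)
{
    struct nvmet_req req = { { &model_blkg } };
    struct bio *bio = &req.inline_bio;
    nvmet_req_bio_put_model(&req, bio);   /* clean up before the request can be reused */
    submit_bio_model(bio);                /* resubmission attaches a fresh blkg */
    return blk_cgroup_bio_start_model(bio);  /* bi_blkg valid -> true */
}

int main(void)
{
    printf("vulnerable order survives start: %d\n", vulnerable_order());
    printf("fixed order survives start:      %d\n", fixed_order());
    return 0;
}
```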

Added: Feb 14, 2026, 4:28 PM
Updated: Feb 14, 2026, 4:28 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          2.5
exploitability  5.3
remediation     7.7
relevance       3.1
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.