Overview
About vulnerability
In the Linux kernel, the following vulnerability has been resolved:
blk-mq: fix tags leak when shrink nr_hw_queues
Although we don’t need to realloc set->tags[] when shrink nr_hw_queues, we need to free them. Or these tags will be leaked.
How to reproduce:
- mount -t configfs configfs /mnt
- modprobe null_blk nr_devices=0 submit_queues=8
- mkdir /mnt/nullb/nullb0
- echo 1 > /mnt/nullb/nullb0/power
- echo 4 > /mnt/nullb/nullb0/submit_queues
- rmdir /mnt/nullb/nullb0
In step 4, will alloc 9 tags (8 submit queues and 1 poll queue), then in step 5, new_nr_hw_queues = 5 (4 submit queues and 1 poll queue). At last in step 6, only these 5 tags are freed, the other 4 tags leaked.
Details
- Affected product:
- AlmaLinux 9.2 ESU , TuxCare 9.6 ESU
- Affected packages:
- kernel @ 5.14.0 (+1 more)
In the Linux kernel, the following vulnerability has been resolved:
blk-mq: fix tags leak when shrink nr_hw_queues
Although we don’t need to realloc set->tags[] when shrink nr_hw_queues, we need to free them. Or these tags will be leaked.
How to reproduce:
- mount -t configfs configfs /mnt
- modprobe null_blk nr_devices=0 submit_queues=8
- mkdir /mnt/nullb/nullb0
- echo 1 > /mnt/nullb/nullb0/power
- echo 4 > /mnt/nullb/nullb0/submit_queues
- rmdir /mnt/nullb/nullb0
In step 4, will alloc 9 tags (8 submit queues and 1 poll queue), then in step 5, new_nr_hw_queues = 5 (4 submit queues and 1 poll queue). At last in step 6, only these 5 tags are freed, the other 4 tags leaked.