CVE-2023-54227

Summary

In the Linux kernel, the following vulnerability has been resolved:

blk-mq: fix tags leak when shrink nr_hw_queues

Although we don't need to realloc set->tags[] when shrink nr_hw_queues, we need to free them. Or these tags will be leaked.

How to reproduce:

  1. mount -t configfs configfs /mnt
  2. modprobe null_blk nr_devices=0 submit_queues=8
  3. mkdir /mnt/nullb/nullb0
  4. echo 1 > /mnt/nullb/nullb0/power
  5. echo 4 > /mnt/nullb/nullb0/submit_queues
  6. rmdir /mnt/nullb/nullb0

In step 4, will alloc 9 tags (8 submit queues and 1 poll queue), then in step 5, new_nr_hw_queues = 5 (4 submit queues and 1 poll queue). At last in step 6, only these 5 tags are freed, the other 4 tags leaked.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxa846a8e6c9a5949582c5a6a8bbc83a7d27fd891e < c0ef7493e68b8896806a2f598fcffbaa97333405affected
LinuxLinuxa846a8e6c9a5949582c5a6a8bbc83a7d27fd891e < e1dd7bc93029024af5688253b0c05181d6e01f8eaffected
LinuxLinux5.16affected
LinuxLinux0 < 5.16unaffected
LinuxLinux6.5.5 <= 6.5.*unaffected
LinuxLinux6.6 <= *unaffected

Weaknesses

References