CVE-2026-23148
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference
There is a race condition in nvmet_bio_done() that can cause a NULL pointer dereference in blk_cgroup_bio_start():
- nvmet_bio_done() is called when a bio completes
- nvmet_req_complete() is called, which invokes req->ops->queue_response(req)
- The queue_response callback can re-queue and re-submit the same request
- The re-submission reuses the same inline_bio from nvmet_req
- Meanwhile, nvmet_req_bio_put() (called after nvmet_req_complete) invokes bio_uninit() for inline_bio, which sets bio->bi_blkg to NULL
- The re-submitted bio enters submit_bio_noacct_nocheck()
- blk_cgroup_bio_start() dereferences bio->bi_blkg, causing a crash:
BUG: kernel NULL pointer dereference, address: 0000000000000028 #PF: supervisor read access in kernel mode RIP: 0010:blk_cgroup_bio_start+0x10/0xd0 Call Trace: submit_bio_noacct_nocheck+0x44/0x250 nvmet_bdev_execute_rw+0x254/0x370 [nvmet] process_one_work+0x193/0x3c0 worker_thread+0x281/0x3a0
Fix this by reordering nvmet_bio_done() to call nvmet_req_bio_put() BEFORE nvmet_req_complete(). This ensures the bio is cleaned up before the request can be re-submitted, preventing the race condition.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 431e58d56fcb5ff1f9eb630724a922e0d2a941df < ee10b06980acca1d46e0fa36d6fb4a9578eab6e4 | affected |
| Linux | Linux | 190f4c2c863af7cc5bb354b70e0805f06419c038 < 68207ceefd71cc74ce4e983fa9bd10c3122e349b | affected |
| Linux | Linux | 190f4c2c863af7cc5bb354b70e0805f06419c038 < 0fcee2cfc4b2e16e62ff8e0cc2cd8dd24efad65e | affected |
| Linux | Linux | 2e2028fcf924d1c6df017033c8d6e28b735a0508 | affected |
| Linux | Linux | 6.12.37 < 6.12.69 | affected |
| Linux | Linux | 6.15.6 < 6.16 | affected |
| Linux | Linux | 6.16 | affected |
| Linux | Linux | 0 < 6.16 | unaffected |
| Linux | Linux | 6.12.69 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.9 <= 6.18.* | unaffected |
| Linux | Linux | 6.19 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/ee10b06980acca1d46e0fa36d6fb4a9578eab6e4
- https://git.kernel.org/stable/c/68207ceefd71cc74ce4e983fa9bd10c3122e349b
- https://git.kernel.org/stable/c/0fcee2cfc4b2e16e62ff8e0cc2cd8dd24efad65e
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.