Executive Summary

This vulnerability is a race condition in the Linux kernel's nvmet module, specifically in the function nvmet_bio_done().

When a bio (block I/O operation) completes, nvmet_bio_done() is called, which eventually leads to re-queuing and re-submitting the same request. However, due to the order of operations, the bio's internal data structure (inline_bio) is cleaned up (its bi_blkg field set to NULL) after the request is completed but before the re-submission.

This causes a NULL pointer dereference in blk_cgroup_bio_start() when it tries to access bio->bi_blkg, leading to a kernel crash.

The fix involves reordering the calls in nvmet_bio_done() to ensure the bio is cleaned up before the request can be re-submitted, preventing the race condition.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a kernel NULL pointer dereference, which leads to a kernel crash (system crash or panic).

Such crashes can result in denial of service (DoS) conditions, making the affected system unstable or unavailable until it is rebooted or the issue is resolved.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

I don't know

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability is caused by a race condition in the Linux kernel's nvmet module leading to a NULL pointer dereference and kernel crash.

To mitigate this vulnerability, update your Linux kernel to a version where the nvmet_bio_done() function has been fixed by reordering calls so that nvmet_req_bio_put() is called before nvmet_req_complete(). This ensures proper cleanup of the bio before any re-submission, preventing the race condition.

Useful 0 Not Useful 0