ghsa-pmj7-4375-32j4
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
blk-mq: Fix kmemleak in blk_mq_init_allocated_queue
There is a kmemleak caused by modprobe null_blk.ko
unreferenced object 0xffff8881acb1f000 (size 1024): comm "modprobe", pid 836, jiffies 4294971190 (age 27.068s) hex dump (first 32 bytes): 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ff ff ff ff ff ff ff ff 00 53 99 9e ff ff ff ff .........S...... backtrace: [<000000004a10c249>] kmalloc_node_trace+0x22/0x60 [<00000000648f7950>] blk_mq_alloc_and_init_hctx+0x289/0x350 [<00000000af06de0e>] blk_mq_realloc_hw_ctxs+0x2fe/0x3d0 [<00000000e00c1872>] blk_mq_init_allocated_queue+0x48c/0x1440 [<00000000d16b4e68>] __blk_mq_alloc_disk+0xc8/0x1c0 [<00000000d10c98c3>] 0xffffffffc450d69d [<00000000b9299f48>] 0xffffffffc4538392 [<0000000061c39ed6>] do_one_initcall+0xd0/0x4f0 [<00000000b389383b>] do_init_module+0x1a4/0x680 [<0000000087cf3542>] load_module+0x6249/0x7110 [<00000000beba61b8>] __do_sys_finit_module+0x140/0x200 [<00000000fdcfff51>] do_syscall_64+0x35/0x80 [<000000003c0f1f71>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
That is because q->ma_ops is set to NULL before blk_release_queue is called.
blk_mq_init_queue_data blk_mq_init_allocated_queue blk_mq_realloc_hw_ctxs for (i = 0; i < set->nr_hw_queues; i++) { old_hctx = xa_load(&q->hctx_table, i); if (!blk_mq_alloc_and_init_hctx(.., i, ..)) [1] if (!old_hctx) break;
xa_for_each_start(&q->hctx_table, j, hctx, j)
blk_mq_exit_hctx(q, set, hctx, j); [2]
if (!q->nr_hw_queues) [3]
goto err_hctxs;
err_exit: q->mq_ops = NULL; [4]
blk_put_queue blk_release_queue if (queue_is_mq(q)) [5] blk_mq_release(q);
[1]: blk_mq_alloc_and_init_hctx failed at i != 0. [2]: The hctxs allocated by [1] are moved to q->unused_hctx_list and will be cleaned up in blk_mq_release. [3]: q->nr_hw_queues is 0. [4]: Set q->mq_ops to NULL. [5]: queue_is_mq returns false due to [4]. And blk_mq_release will not be called. The hctxs in q->unused_hctx_list are leaked.
To fix it, call blk_release_queue in exception path.
{
"affected": [],
"aliases": [
"CVE-2022-49901"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T15:16:15Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: Fix kmemleak in blk_mq_init_allocated_queue\n\nThere is a kmemleak caused by modprobe null_blk.ko\n\nunreferenced object 0xffff8881acb1f000 (size 1024):\n comm \"modprobe\", pid 836, jiffies 4294971190 (age 27.068s)\n hex dump (first 32 bytes):\n 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........\n ff ff ff ff ff ff ff ff 00 53 99 9e ff ff ff ff .........S......\n backtrace:\n [\u003c000000004a10c249\u003e] kmalloc_node_trace+0x22/0x60\n [\u003c00000000648f7950\u003e] blk_mq_alloc_and_init_hctx+0x289/0x350\n [\u003c00000000af06de0e\u003e] blk_mq_realloc_hw_ctxs+0x2fe/0x3d0\n [\u003c00000000e00c1872\u003e] blk_mq_init_allocated_queue+0x48c/0x1440\n [\u003c00000000d16b4e68\u003e] __blk_mq_alloc_disk+0xc8/0x1c0\n [\u003c00000000d10c98c3\u003e] 0xffffffffc450d69d\n [\u003c00000000b9299f48\u003e] 0xffffffffc4538392\n [\u003c0000000061c39ed6\u003e] do_one_initcall+0xd0/0x4f0\n [\u003c00000000b389383b\u003e] do_init_module+0x1a4/0x680\n [\u003c0000000087cf3542\u003e] load_module+0x6249/0x7110\n [\u003c00000000beba61b8\u003e] __do_sys_finit_module+0x140/0x200\n [\u003c00000000fdcfff51\u003e] do_syscall_64+0x35/0x80\n [\u003c000000003c0f1f71\u003e] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThat is because q-\u003ema_ops is set to NULL before blk_release_queue is\ncalled.\n\nblk_mq_init_queue_data\n blk_mq_init_allocated_queue\n blk_mq_realloc_hw_ctxs\n for (i = 0; i \u003c set-\u003enr_hw_queues; i++) {\n old_hctx = xa_load(\u0026q-\u003ehctx_table, i);\n if (!blk_mq_alloc_and_init_hctx(.., i, ..))\t\t[1]\n if (!old_hctx)\n\t break;\n\n xa_for_each_start(\u0026q-\u003ehctx_table, j, hctx, j)\n blk_mq_exit_hctx(q, set, hctx, j); \t\t\t[2]\n\n if (!q-\u003enr_hw_queues)\t\t\t\t\t[3]\n goto err_hctxs;\n\n err_exit:\n q-\u003emq_ops = NULL;\t\t\t \t\t\t[4]\n\n blk_put_queue\n blk_release_queue\n if (queue_is_mq(q))\t\t\t\t\t[5]\n blk_mq_release(q);\n\n[1]: blk_mq_alloc_and_init_hctx failed at i != 0.\n[2]: The hctxs allocated by [1] are moved to q-\u003eunused_hctx_list and\nwill be cleaned up in blk_mq_release.\n[3]: q-\u003enr_hw_queues is 0.\n[4]: Set q-\u003emq_ops to NULL.\n[5]: queue_is_mq returns false due to [4]. And blk_mq_release\nwill not be called. The hctxs in q-\u003eunused_hctx_list are leaked.\n\nTo fix it, call blk_release_queue in exception path.",
"id": "GHSA-pmj7-4375-32j4",
"modified": "2025-05-01T15:31:52Z",
"published": "2025-05-01T15:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49901"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2dc97e15a54b7bdf457848aa8c663c98a24e58a6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/943f45b9399ed8b2b5190cbc797995edaa97f58f"
}
],
"schema_version": "1.4.0",
"severity": []
}
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.