In the Linux kernel, the following vulnerability has been resolved:
lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly()
While testing null_blk with configfs, echo 0 > poll_queues triggers the following panic:
BUG: kernel NULL pointer dereference, address: 0000000000000010
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 27 UID: 0 PID: 920 Comm: bash Not tainted 6.15.0-02023-gadbdb95c8696-dirty #1238 PREEMPT(undef)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
RIP: 0010:__bitmap_or+0x48/0x70
Call Trace:
<TASK>
__group_cpus_evenly+0x822/0x8c0
group_cpus_evenly+0x2d9/0x490
blk_mq_map_queues+0x1e/0x110
null_map_queues+0xc9/0x170 [null_blk]
blk_mq_update_queue_map+0xdb/0x160
blk_mq_update_nr_hw_queues+0x22b/0x560
nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]
nullb_device_poll_queues_store+0xa4/0x130 [null_blk]
configfs_write_iter+0x109/0x1d0
vfs_write+0x26e/0x6f0
ksys_write+0x79/0x180
__x64_sys_write+0x1d/0x30
x64_sys_call+0x45c4/0x45f0
do_syscall_64+0xa5/0x240
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The root cause is that numgrps is 0, so kcalloc() returns ZERO_SIZE_PTR rather than NULL, and ZERO_SIZE_PTR is later dereferenced.
Fix the problem by checking numgrps first in group_cpus_evenly() and returning NULL directly if numgrps is zero.
[yukuai3@huawei.com: also fix the non-SMP version]
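The following userspace model illustrates why the kcalloc() result survives a plain NULL check and why the fix tests numgrps before allocating. It is an added example, not kernel code and not the patch itself: kcalloc_model() and the cpu_group records are stand-ins for kcalloc() and the cpumask arrays that group_cpus_evenly() allocates, and the fault address in the oops above (0x10) matches the kernel's ZERO_SIZE_PTR value of 16.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Model of the kernel's ZERO_SIZE_PTR sentinel: a zero-length kcalloc()
 * does not return NULL, it returns this non-NULL, non-dereferenceable value.
 * ZERO_OR_NULL_PTR() is the kernel's test that catches both cases. */
#define ZERO_SIZE_PTR ((void *)16)
#define ZERO_OR_NULL_PTR(p) ((uintptr_t)(p) <= (uintptr_t)ZERO_SIZE_PTR)

/* Userspace stand-in (hypothetical) for kcalloc(): mimics the zero-size path. */
static void *kcalloc_model(size_t n, size_t size)
{
    if (n == 0 || size == 0)
        return ZERO_SIZE_PTR;
    return calloc(n, size);
}

/* Stand-in for kfree(): the kernel also tolerates ZERO_SIZE_PTR here. */
static void kfree_model(void *p)
{
    if (!ZERO_OR_NULL_PTR(p))
        free(p);
}

/* One record per CPU group; stands in for the cpumask array. */
struct cpu_group { unsigned long bits; };

/* Unguarded allocation, as before the fix: with numgrps == 0 the NULL
 * check passes and the caller goes on to dereference ZERO_SIZE_PTR. */
static struct cpu_group *alloc_groups_unguarded(unsigned int numgrps)
{
    struct cpu_group *masks = kcalloc_model(numgrps, sizeof(*masks));
    if (!masks)
        return NULL;   /* ZERO_SIZE_PTR is not NULL, so this does not fire */
    return masks;      /* masks[0].bits would read address 0x10 */
}

/* Guarded allocation, as after the fix: refuse zero groups up front. */
static struct cpu_group *alloc_groups_fixed(unsigned int numgrps)
{
    if (!numgrps)
        return NULL;
    struct cpu_group *masks = kcalloc_model(numgrps, sizeof(*masks));
    if (!masks)
        return NULL;
    for (unsigned int i = 0; i < numgrps; i++)
        masks[i].bits = 1UL << (i % 64);   /* constructed: one CPU per group */
    return masks;
}

/* 1 if the pointer may be dereferenced as a group array, 0 otherwise. */
static int groups_are_dereferenceable(const struct cpu_group *masks)
{
    return !ZERO_OR_NULL_PTR(masks);
}
```

The defensive point is that a NULL check after a kernel allocation does not cover the zero-length case; either the size is validated before allocating, as the fix does, or the result is checked with ZERO_OR_NULL_PTR().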