Wind River Support Network

Acknowledged

LIN1022-19363 : Security Advisory - linux - CVE-2025-40134

Created: Nov 12, 2025    Updated: Nov 26, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

dm: fix NULL pointer dereference in __dm_suspend()

There is a race condition between dm device suspend and table load that
can lead to null pointer dereference. The issue occurs when suspend is
invoked before table load completes:

BUG: kernel NULL pointer dereference, address: 0000000000000054
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
RIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50
Call Trace:
  <TASK>
  blk_mq_quiesce_queue+0x2c/0x50
  dm_stop_queue+0xd/0x20
  __dm_suspend+0x130/0x330
  dm_suspend+0x11a/0x180
  dev_suspend+0x27e/0x560
  ctl_ioctl+0x4cf/0x850
  dm_ctl_ioctl+0xd/0x20
  vfs_ioctl+0x1d/0x50
  __se_sys_ioctl+0x9b/0xc0
  __x64_sys_ioctl+0x19/0x30
  x64_sys_call+0x2c4a/0x4620
  do_syscall_64+0x9e/0x1b0

The issue can be triggered as below:

T1                                      T2
dm_suspend                              table_load
__dm_suspend                            dm_setup_md_queue
                                        dm_mq_init_request_queue
                                        blk_mq_init_allocated_queue
                                        => q->mq_ops = set->ops; (1)
dm_stop_queue / dm_wait_for_completion
=> q->tag_set NULL pointer!     (2)
                                        => q->tag_set = set; (3)

Fix this by checking if a valid table (map) exists before performing
request-based suspend and waiting for target I/O. When map is NULL,
skip these table-dependent suspend steps.

Even when map is NULL, no I/O can reach any target because there is
no table loaded; I/O submitted in this state will fail early in the
DM layer. Skipping the table-dependent suspend logic in this case
is safe and avoids NULL pointer dereferences.
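
The interleaving and the map check described above, replayed deterministically in a userspace model. This is an added example, not the kernel patch or Wind River code: the struct and function names are hypothetical, only the field names mq_ops, tag_set and map follow the advisory text, and treating a queue with mq_ops set as request-based is an assumption of the model.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model only; names are hypothetical except mq_ops, tag_set, map. */
struct tag_set { int nr_hw_queues; };
struct queue   { const void *mq_ops; struct tag_set *tag_set; };
struct mdev    { struct queue q; void *map; /* NULL until table load completes */ };

enum result { SUSPENDED_QUIESCED, SUSPENDED_SKIPPED, NULL_DEREF };

/* Stand-in for the quiesce step: it needs q->tag_set. The model reports
 * the NULL access (step 2 in the diagram) instead of crashing. */
static enum result stop_queue(struct queue *q)
{
    return q->tag_set == NULL ? NULL_DEREF : SUSPENDED_QUIESCED;
}

/* Suspend path. check_map = 1 models the fixed behaviour: with no table
 * loaded, the table-dependent steps are skipped. */
enum result model_suspend(struct mdev *md, int check_map)
{
    if (check_map && md->map == NULL)
        return SUSPENDED_SKIPPED;
    if (md->q.mq_ops == NULL)            /* assumption: not request-based yet */
        return SUSPENDED_SKIPPED;
    return stop_queue(&md->q);
}

/* Replay T1/T2 from the advisory; suspend_early = 1 places the suspend
 * between (1) and (3), suspend_early = 0 places it after the load. */
enum result replay(int check_map, int suspend_early)
{
    static const int ops = 0;            /* placeholder for set->ops */
    static struct tag_set set = { 1 };
    struct mdev md = { { NULL, NULL }, NULL };
    enum result r = SUSPENDED_SKIPPED;

    md.q.mq_ops = &ops;                               /* (1) */
    if (suspend_early) r = model_suspend(&md, check_map);
    md.q.tag_set = &set;                              /* (3) */
    md.map = &set;                                    /* load completes */
    if (!suspend_early) r = model_suspend(&md, check_map);
    return r;
}

int main(void)
{
    printf("no map check, early suspend:   %d\n", replay(0, 1));
    printf("with map check, early suspend: %d\n", replay(1, 1));
    printf("with map check, after load:    %d\n", replay(1, 0));
    return 0;
}
```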

CVEs

