Linux · Linux Kernel · CVE-2021-46938
**Name of the Vulnerable Software and Affected Versions**
Linux kernel versions prior to 5.3.18-53-default #1 SLE15-SP3
**Description**
The vulnerability is a double free of the `blk_mq_tag_set` in the device-mapper table for a request-based mapped device. When allocation or initialization of the `blk_mq_tag_set` fails, a subsequent device remove frees it a second time, leading to a kernel panic. The root cause is that the pointer to the `blk_mq_tag_set` is not reset to NULL after the tag set is uninitialized and freed.
To exploit this vulnerability, an attacker would need to cause the allocation/initialization of the `blk mq tag set` to fail, and then trigger a device remove. This could potentially allow the attacker to cause a denial-of-service or execute arbitrary code.
The error path of `dm_mq_init_request_queue()` frees the `blk_mq_tag_set` but leaves the pointer set, so `dm_mq_cleanup_mapped_device()` later tries to uninitialize and free the `blk_mq_tag_set` again, causing the double free.
The vulnerability is fixed by setting the pointer to NULL in the `dm_mq_init_request_queue()` error handling and in `dm_mq_cleanup_mapped_device()`.
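As an added illustration (model code written for this page, not the kernel's own dm-rq.c), the following C program models the failed-init-then-remove sequence with a stand-in allocator that records when the same object is released twice; the `patched` flag toggles the NULL reset that the fix adds, and `kfree(NULL)` being a no-op is what makes that reset sufficient.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
/* Minimal model of the dm-rq tag-set lifecycle (example code, not the kernel's). */
struct tag_set { int allocated; };
struct mapped_device { struct tag_set *tag_set; };
static struct tag_set model_slot;        /* the one "heap" object the model hands out */
static int double_free_detected;
static struct tag_set *model_kzalloc(void)
{
	model_slot.allocated = 1;
	return &model_slot;
}
/* Mirrors kfree(): freeing NULL is a no-op, which is what makes the NULL reset a fix. */
static void model_kfree(struct tag_set *ts)
{
	if (!ts)
		return;
	if (!ts->allocated)
		double_free_detected = 1;    /* same object released twice */
	ts->allocated = 0;
}
/* Models dm_mq_init_request_queue() when tag-set setup fails after allocation. */
static int init_request_queue_fails(struct mapped_device *md, bool patched)
{
	md->tag_set = model_kzalloc();
	/* tag-set initialization is assumed to fail here, so the function unwinds */
	model_kfree(md->tag_set);
	if (patched)
		md->tag_set = NULL;          /* the fix: leave no dangling pointer behind */
	return -ENOMEM;
}
/* Models dm_mq_cleanup_mapped_device(): frees the tag set if the pointer is still set. */
static void cleanup_mapped_device(struct mapped_device *md)
{
	if (md->tag_set) {
		model_kfree(md->tag_set);
		md->tag_set = NULL;
	}
}
/* Failed table load followed by device remove; returns 1 if the tag set was freed twice. */
int remove_after_failed_load(bool patched)
{
	struct mapped_device md = { .tag_set = NULL };
	double_free_detected = 0;
	init_request_queue_fails(&md, patched);
	cleanup_mapped_device(&md);
	return double_free_detected;
}
```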
**Recommendations**
To resolve the issue, update the Linux kernel to a version that includes the fix for the double free vulnerability. Specifically, update to a version later than 5.3.18-53-default #1 SLE15-SP3.
As a temporary workaround, consider disabling the `dm_mq_init_request_queue()` function or restricting access to the device-mapper table to minimize the risk of exploitation. However, this should not be considered a permanent solution, and updating the kernel to a patched version is recommended as soon as possible.