logo_clicknbuy.png

CVE-2025-21631 – Linux block bfq: Use-After-Free in bfq_init_rq

The following table lists the changes that have been made to the
CVE-2025-21631 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution
of a vulnerability, and for identifying the most recent changes that may
impact the vulnerability’s severity, exploitability, or other characteristics.

  • New CVE Received
    by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jan. 19, 2025

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved:

    block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()

    Our syzkaller report a following UAF for v6.6:

    BUG: KASAN: slab-use-after-free in bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958
    Read of size 8 at addr ffff8881b57147d8 by task fsstress/232726

    CPU: 2 PID: 232726 Comm: fsstress Not tainted 6.6.0-g3629d1885222 #39
    Call Trace:

    __dump_stack lib/dump_stack.c:88 [inline]
    dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106
    print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364
    print_report+0x3e/0x70 mm/kasan/report.c:475
    kasan_report+0xb8/0xf0 mm/kasan/report.c:588
    hlist_add_head include/linux/list.h:1023 [inline]
    bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958
    bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271
    bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323
    blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660
    blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143
    __submit_bio+0xa0/0x6b0 block/blk-core.c:639
    __submit_bio_noacct_mq block/blk-core.c:718 [inline]
    submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747
    submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847
    __ext4_read_bh fs/ext4/super.c:205 [inline]
    ext4_read_bh+0x15e/0x2e0 fs/ext4/super.c:230
    __read_extent_tree_block+0x304/0x6f0 fs/ext4/extents.c:567
    ext4_find_extent+0x479/0xd20 fs/ext4/extents.c:947
    ext4_ext_map_blocks+0x1a3/0x2680 fs/ext4/extents.c:4182
    ext4_map_blocks+0x929/0x15a0 fs/ext4/inode.c:660
    ext4_iomap_begin_report+0x298/0x480 fs/ext4/inode.c:3569
    iomap_iter+0x3dd/0x1010 fs/iomap/iter.c:91
    iomap_fiemap+0x1f4/0x360 fs/iomap/fiemap.c:80
    ext4_fiemap+0x181/0x210 fs/ext4/extents.c:5051
    ioctl_fiemap.isra.0+0x1b4/0x290 fs/ioctl.c:220
    do_vfs_ioctl+0x31c/0x11a0 fs/ioctl.c:811
    __do_sys_ioctl fs/ioctl.c:869 [inline]
    __se_sys_ioctl+0xae/0x190 fs/ioctl.c:857
    do_syscall_x64 arch/x86/entry/common.c:51 [inline]
    do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81
    entry_SYSCALL_64_after_hwframe+0x78/0xe2

    Allocated by task 232719:
    kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
    kasan_set_track+0x25/0x30 mm/kasan/common.c:52
    __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328
    kasan_slab_alloc include/linux/kasan.h:188 [inline]
    slab_post_alloc_hook mm/slab.h:768 [inline]
    slab_alloc_node mm/slub.c:3492 [inline]
    kmem_cache_alloc_node+0x1b8/0x6f0 mm/slub.c:3537
    bfq_get_queue+0x215/0x1f00 block/bfq-iosched.c:5869
    bfq_get_bfqq_handle_split+0x167/0x5f0 block/bfq-iosched.c:6776
    bfq_init_rq+0x13a4/0x17a0 block/bfq-iosched.c:6938
    bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271
    bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323
    blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660
    blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143
    __submit_bio+0xa0/0x6b0 block/blk-core.c:639
    __submit_bio_noacct_mq block/blk-core.c:718 [inline]
    submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747
    submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847
    __ext4_read_bh fs/ext4/super.c:205 [inline]
    ext4_read_bh_nowait+0x15a/0x240 fs/ext4/super.c:217
    ext4_read_bh_lock+0xac/0xd0 fs/ext4/super.c:242
    ext4_bread_batch+0x268/0x500 fs/ext4/inode.c:958
    __ext4_find_entry+0x448/0x10f0 fs/ext4/namei.c:1671
    ext4_lookup_entry fs/ext4/namei.c:1774 [inline]
    ext4_lookup.part.0+0x359/0x6f0 fs/ext4/namei.c:1842
    ext4_lookup+0x72/0x90 fs/ext4/namei.c:1839
    __lookup_slow+0x257/0x480 fs/namei.c:1696
    lookup_slow fs/namei.c:1713 [inline]
    walk_component+0x454/0x5c0 fs/namei.c:2004
    link_path_walk.part.0+0x773/0xda0 fs/namei.c:2331
    link_path_walk fs/namei.c:3826 [inline]
    path_openat+0x1b9/0x520 fs/namei.c:3826
    do_filp_open+0x1b7/0x400 fs/namei.c:3857
    do_sys_openat2+0x5dc/0x6e0 fs/open.c:1428
    do_sys_open fs/open.c:1443 [inline]
    __do_sys_openat fs/open.c:1459 [inline]
    __se_sys_openat fs/open.c:1454 [inline]
    __x64_sys_openat+0x148/0x200 fs/open.c:1454
    do_syscall_x64 arch/x86/entry/common.c:51 [inline]
    do_syscall_6
    —truncated—
    Added Reference https://git.kernel.org/stable/c/2550149fcdf2934155ff625d76ad4e3d4b25bbc6
    Added Reference https://git.kernel.org/stable/c/bc2aeb35ff167e0c6b0cedf0c96a5c41e6cba1ed
    Added Reference https://git.kernel.org/stable/c/be3eed59ac01f429ac10aaa46e26f653bcf581ab
    Added Reference https://git.kernel.org/stable/c/fcede1f0a043ccefe9bc6ad57f12718e42f63f1d
Share the Post:

Related Posts