In the Linux kernel, the following vulnerability has been resolved:

blktrace: fix use after free for struct blk_trace

When tracing the whole disk, 'dropped' and 'msg' will be created under 'q->debugfsdir' and 'bt->dir' is NULL, thus blktrace_free() won't remove those files. What's worse, the following UAF can be triggered because of accessing stale 'dropped' and 'msg':

================================================================== BUG: KASAN: use-after-free in blkdroppedread+0x89/0x100 Read of size 4 at addr ffff88816912f3d8 by task blktrace/1188

CPU: 27 PID: 1188 Comm: blktrace Not tainted 5.17.0-rc4-next-20220217+ #469 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727073836-4 Call Trace: <TASK> dumpstacklvl+0x34/0x44 printaddressdescription.constprop.0.cold+0xab/0x381 ? blkdroppedread+0x89/0x100 ? blkdroppedread+0x89/0x100 kasanreport.cold+0x83/0xdf ? blkdroppedread+0x89/0x100 kasancheckrange+0x140/0x1b0 blkdroppedread+0x89/0x100 ? blkcreatebuffilecallback+0x20/0x20 ? kmemcachefree+0xa1/0x500 ? dosysopenat2+0x258/0x460 fullproxyread+0x8f/0xc0 vfsread+0xc6/0x260 ksysread+0xb9/0x150 ? vfswrite+0x3d0/0x3d0 ? fpregsassertstateconsistent+0x55/0x60 ? exittousermodeprepare+0x39/0x1e0 dosyscall64+0x35/0x80 entrySYSCALL64afterhwframe+0x44/0xae RIP: 0033:0x7fbc080d92fd Code: ce 20 00 00 75 10 b8 00 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 1 RSP: 002b:00007fbb95ff9cb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 00007fbb95ff9dc0 RCX: 00007fbc080d92fd RDX: 0000000000000100 RSI: 00007fbb95ff9cc0 RDI: 0000000000000045 RBP: 0000000000000045 R08: 0000000000406299 R09: 00000000fffffffd R10: 000000000153afa0 R11: 0000000000000293 R12: 00007fbb780008c0 R13: 00007fbb78000938 R14: 0000000000608b30 R15: 00007fbb780029c8 </TASK>

Allocated by task 1050: kasansavestack+0x1e/0x40 _kasankmalloc+0x81/0xa0 doblktracesetup+0xcb/0x410 _blktracesetup+0xac/0x130 blktraceioctl+0xe9/0x1c0 blkdevioctl+0xf1/0x390 _x64sysioctl+0xa5/0xe0 dosyscall64+0x35/0x80 entrySYSCALL64afterhwframe+0x44/0xae

Freed by task 1050: kasansavestack+0x1e/0x40 kasansettrack+0x21/0x30 kasansetfreeinfo+0x20/0x30 _kasanslabfree+0x103/0x180 kfree+0x9a/0x4c0 _blktraceremove+0x53/0x70 blktraceioctl+0x199/0x1c0 blkdevcommonioctl+0x5e9/0xb30 blkdevioctl+0x1a5/0x390 _x64sysioctl+0xa5/0xe0 dosyscall64+0x35/0x80 entrySYSCALL64after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88816912f380 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 88 bytes inside of 96-byte region [ffff88816912f380, ffff88816912f3e0) The buggy address belongs to the page: page:000000009a1b4e7c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0f flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff) raw: 0017ffffc0000200 ffffea00044f1100 dead000000000002 ffff88810004c780 raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected

Memory state around the buggy address: ffff88816912f280: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88816912f300: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc

ffff88816912f380: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff88816912f400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc

ffff88816912f480: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc