In the Linux kernel, the following vulnerability has been resolved:
bfq: fix use-after-free in bfqdispatchrequest
KASAN reports a use-after-free report when doing normal scsi-mq test
[69832.239032] ================================================================== [69832.241810] BUG: KASAN: use-after-free in bfqdispatchrequest+0x1045/0x44b0 [69832.243267] Read of size 8 at addr ffff88802622ba88 by task kworker/3:1H/155 [69832.244656] [69832.245007] CPU: 3 PID: 155 Comm: kworker/3:1H Not tainted 5.10.0-10295-g576c6382529e #8 [69832.246626] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [69832.249069] Workqueue: kblockd blkmqrunworkfn [69832.250022] Call Trace: [69832.250541] dumpstack+0x9b/0xce [69832.251232] ? bfqdispatchrequest+0x1045/0x44b0 [69832.252243] printaddressdescription.constprop.6+0x3e/0x60 [69832.253381] ? _cpuidletextend+0x5/0x5 [69832.254211] ? vprintkfunc+0x6b/0x120 [69832.254994] ? bfqdispatchrequest+0x1045/0x44b0 [69832.255952] ? bfqdispatchrequest+0x1045/0x44b0 [69832.256914] kasanreport.cold.9+0x22/0x3a [69832.257753] ? bfqdispatchrequest+0x1045/0x44b0 [69832.258755] checkmemoryregion+0x1c1/0x1e0 [69832.260248] bfqdispatchrequest+0x1045/0x44b0 [69832.261181] ? bfqbfqqexpire+0x2440/0x2440 [69832.262032] ? blkmqdelayrunhwqueues+0xf9/0x170 [69832.263022] _blkmqdodispatchsched+0x52f/0x830 [69832.264011] ? blkmqschedrequestinserted+0x100/0x100 [69832.265101] _blkmqscheddispatchrequests+0x398/0x4f0 [69832.266206] ? blkmqdodispatchctx+0x570/0x570 [69832.267147] ? _switchto+0x5f4/0xee0 [69832.267898] blkmqscheddispatchrequests+0xdf/0x140 [69832.268946] _blkmqrunhwqueue+0xc0/0x270 [69832.269840] blkmqrunworkfn+0x51/0x60 [69832.278170] processonework+0x6d4/0xfe0 [69832.278984] workerthread+0x91/0xc80 [69832.279726] ? _kthreadparkme+0xb0/0x110 [69832.280554] ? processonework+0xfe0/0xfe0 [69832.281414] kthread+0x32d/0x3f0 [69832.282082] ? kthreadpark+0x170/0x170 [69832.282849] retfromfork+0x1f/0x30 [69832.283573] [69832.283886] Allocated by task 7725: [69832.284599] kasansavestack+0x19/0x40 [69832.285385] _kasankmalloc.constprop.2+0xc1/0xd0 [69832.286350] kmemcacheallocnode+0x13f/0x460 [69832.287237] bfqgetqueue+0x3d4/0x1140 [69832.287993] bfqgetbfqqhandlesplit+0x103/0x510 [69832.289015] bfqinitrq+0x337/0x2d50 [69832.289749] bfqinsertrequests+0x304/0x4e10 [69832.290634] blkmqschedinsertrequests+0x13e/0x390 [69832.291629] blkmqflushpluglist+0x4b4/0x760 [69832.292538] blkflushpluglist+0x2c5/0x480 [69832.293392] ioscheduleprepare+0xb2/0xd0 [69832.294209] ioscheduletimeout+0x13/0x80 [69832.295014] waitforcommonio.constprop.1+0x13c/0x270 [69832.296137] submitbiowait+0x103/0x1a0 [69832.296932] blkdevissuediscard+0xe6/0x160 [69832.297794] blkioctldiscard+0x219/0x290 [69832.298614] blkdevcommonioctl+0x50a/0x1750 [69832.304715] blkdevioctl+0x470/0x600 [69832.305474] blockioctl+0xde/0x120 [69832.306232] vfsioctl+0x6c/0xc0 [69832.306877] _sesysioctl+0x90/0xa0 [69832.307629] dosyscall64+0x2d/0x40 [69832.308362] entrySYSCALL64afterhwframe+0x44/0xa9 [69832.309382] [69832.309701] Freed by task 155: [69832.310328] kasansavestack+0x19/0x40 [69832.311121] kasansettrack+0x1c/0x30 [69832.311868] kasansetfreeinfo+0x1b/0x30 [69832.312699] _kasanslabfree+0x111/0x160 [69832.313524] kmemcachefree+0x94/0x460 [69832.314367] bfqputqueue+0x582/0x940 [69832.315112] _bfqbfqdresetinservice+0x166/0x1d0 [69832.317275] bfqbfqqexpire+0xb27/0x2440 [69832.318084] bfqdispatchrequest+0x697/0x44b0 [69832.318991] _blkmqdodispatchsched+0x52f/0x830 [69832.319984] _blkmqscheddispatchrequests+0x398/0x4f0 [69832.321087] blkmqscheddispatchrequests+0xdf/0x140 [69832.322225] _blkmqrunhwqueue+0xc0/0x270 [69832.323114] blkmqrunwork_fn+0x51/0x6 ---truncated---
{ "vanir_signatures": [ { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5687958bf18f84384d809f521210d0f5deed03b0", "target": { "function": "bfq_dispatch_request", "file": "block/bfq-iosched.c" }, "digest": { "length": 395.0, "function_hash": "29726676771119278203584956631554652156" }, "id": "CVE-2022-49176-0c714c40", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@df6e00b1a53c57dca82c63b5ecbcad5452231bc7", "target": { "file": "block/bfq-iosched.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "183819016152918127612270536557764187479", "136821486216760683993481516284607243704", "65030658396208994873376401788203022005", "292680763503451761731504093475938740506", "46199488818312687256700599901455715518", "191461055097758334945081660456107497000", "154338062005017078921949093445345738892", "184954134442255983131223180537619744491", "160203922286818733608648428899011232571", "66367823120901477919339120155752659413", "143981027506010529166577002307281976629", "238766401628584479493294796199669305597" ] }, "id": "CVE-2022-49176-4af68a03", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5117c9ff4c2ebae0f5c2c262d42a25a8fbc086e6", "target": { "function": "bfq_dispatch_request", "file": "block/bfq-iosched.c" }, "digest": { "length": 395.0, "function_hash": "29726676771119278203584956631554652156" }, "id": "CVE-2022-49176-4b0c44ae", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@74e610b5ee0d95e751280567100509eb11517efa", "target": { "function": "bfq_dispatch_request", "file": "block/bfq-iosched.c" }, "digest": { "length": 395.0, "function_hash": "29726676771119278203584956631554652156" }, "id": "CVE-2022-49176-7026ee6f", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ab552fcb17cc9e4afe0e4ac4df95fc7b30e8490a", "target": { "file": "block/bfq-iosched.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "183819016152918127612270536557764187479", "136821486216760683993481516284607243704", "65030658396208994873376401788203022005", "292680763503451761731504093475938740506", "46199488818312687256700599901455715518", "191461055097758334945081660456107497000", "154338062005017078921949093445345738892", "184954134442255983131223180537619744491", "160203922286818733608648428899011232571", "66367823120901477919339120155752659413", "143981027506010529166577002307281976629", "238766401628584479493294796199669305597" ] }, "id": "CVE-2022-49176-7dc44e87", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@080665e2c3cbfc68359b9a348a3546ed9b908e7a", "target": { "function": "bfq_dispatch_request", "file": "block/bfq-iosched.c" }, "digest": { "length": 395.0, "function_hash": "29726676771119278203584956631554652156" }, "id": "CVE-2022-49176-83701857", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5687958bf18f84384d809f521210d0f5deed03b0", "target": { "file": "block/bfq-iosched.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "183819016152918127612270536557764187479", "136821486216760683993481516284607243704", "65030658396208994873376401788203022005", "292680763503451761731504093475938740506", "46199488818312687256700599901455715518", "191461055097758334945081660456107497000", "154338062005017078921949093445345738892", "184954134442255983131223180537619744491", "160203922286818733608648428899011232571", "66367823120901477919339120155752659413", "143981027506010529166577002307281976629", "238766401628584479493294796199669305597" ] }, "id": "CVE-2022-49176-923e82f7", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@40b4ba0030e0b02cbacd424ebb9f4c8b0976c786", "target": { "file": "block/bfq-iosched.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "183819016152918127612270536557764187479", "136821486216760683993481516284607243704", "65030658396208994873376401788203022005", "292680763503451761731504093475938740506", "46199488818312687256700599901455715518", "191461055097758334945081660456107497000", "154338062005017078921949093445345738892", "184954134442255983131223180537619744491", "160203922286818733608648428899011232571", "66367823120901477919339120155752659413", "143981027506010529166577002307281976629", "238766401628584479493294796199669305597" ] }, "id": "CVE-2022-49176-9a6c690c", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@080665e2c3cbfc68359b9a348a3546ed9b908e7a", "target": { "file": "block/bfq-iosched.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "183819016152918127612270536557764187479", "136821486216760683993481516284607243704", "65030658396208994873376401788203022005", "292680763503451761731504093475938740506", "46199488818312687256700599901455715518", "191461055097758334945081660456107497000", "154338062005017078921949093445345738892", "184954134442255983131223180537619744491", "160203922286818733608648428899011232571", "66367823120901477919339120155752659413", "143981027506010529166577002307281976629", "238766401628584479493294796199669305597" ] }, "id": "CVE-2022-49176-ab8ededc", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@40b4ba0030e0b02cbacd424ebb9f4c8b0976c786", "target": { "function": "bfq_dispatch_request", "file": "block/bfq-iosched.c" }, "digest": { "length": 395.0, "function_hash": "29726676771119278203584956631554652156" }, "id": "CVE-2022-49176-ba9d4628", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@df6e00b1a53c57dca82c63b5ecbcad5452231bc7", "target": { "function": "bfq_dispatch_request", "file": "block/bfq-iosched.c" }, "digest": { "length": 395.0, "function_hash": "29726676771119278203584956631554652156" }, "id": "CVE-2022-49176-d16fd2b6", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@74e610b5ee0d95e751280567100509eb11517efa", "target": { "file": "block/bfq-iosched.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "183819016152918127612270536557764187479", "136821486216760683993481516284607243704", "65030658396208994873376401788203022005", "292680763503451761731504093475938740506", "46199488818312687256700599901455715518", "191461055097758334945081660456107497000", "154338062005017078921949093445345738892", "184954134442255983131223180537619744491", "160203922286818733608648428899011232571", "66367823120901477919339120155752659413", "143981027506010529166577002307281976629", "238766401628584479493294796199669305597" ] }, "id": "CVE-2022-49176-d497e392", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5117c9ff4c2ebae0f5c2c262d42a25a8fbc086e6", "target": { "file": "block/bfq-iosched.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "183819016152918127612270536557764187479", "136821486216760683993481516284607243704", "65030658396208994873376401788203022005", "292680763503451761731504093475938740506", "46199488818312687256700599901455715518", "191461055097758334945081660456107497000", "154338062005017078921949093445345738892", "184954134442255983131223180537619744491", "160203922286818733608648428899011232571", "66367823120901477919339120155752659413", "143981027506010529166577002307281976629", "238766401628584479493294796199669305597" ] }, "id": "CVE-2022-49176-dab6b8b8", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ab552fcb17cc9e4afe0e4ac4df95fc7b30e8490a", "target": { "function": "bfq_dispatch_request", "file": "block/bfq-iosched.c" }, "digest": { "length": 395.0, "function_hash": "29726676771119278203584956631554652156" }, "id": "CVE-2022-49176-e2b7b612", "deprecated": false, "signature_type": "Function", "signature_version": "v1" } ] }