CVE-2022-49179

Source
https://cve.org/CVERecord?id=CVE-2022-49179
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49179.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49179
Downstream
Related
Published
2025-02-26T01:55:32.100Z
Modified
2026-04-11T12:43:40.852007Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
block, bfq: don't move oom_bfqq
Details

In the Linux kernel, the following vulnerability has been resolved:

block, bfq: don't move oom_bfqq

Our test reports a UAF:

[ 2073.019181] ==================================================================
[ 2073.019188] BUG: KASAN: use-after-free in __bfq_put_async_bfqq+0xa0/0x168
[ 2073.019191] Write of size 8 at addr ffff8000ccf64128 by task rmmod/72584
[ 2073.019192]
[ 2073.019196] CPU: 0 PID: 72584 Comm: rmmod Kdump: loaded Not tainted 4.19.90-yk #5
[ 2073.019198] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
[ 2073.019200] Call trace:
[ 2073.019203] dump_backtrace+0x0/0x310
[ 2073.019206] show_stack+0x28/0x38
[ 2073.019210] dump_stack+0xec/0x15c
[ 2073.019216] print_address_description+0x68/0x2d0
[ 2073.019220] kasan_report+0x238/0x2f0
[ 2073.019224] __asan_store8+0x88/0xb0
[ 2073.019229] __bfq_put_async_bfqq+0xa0/0x168
[ 2073.019233] bfq_put_async_queues+0xbc/0x208
[ 2073.019236] bfq_pd_offline+0x178/0x238
[ 2073.019240] blkcg_deactivate_policy+0x1f0/0x420
[ 2073.019244] bfq_exit_queue+0x128/0x178
[ 2073.019249] blk_mq_exit_sched+0x12c/0x160
[ 2073.019252] elevator_exit+0xc8/0xd0
[ 2073.019256] blk_exit_queue+0x50/0x88
[ 2073.019259] blk_cleanup_queue+0x228/0x3d8
[ 2073.019267] null_del_dev+0xfc/0x1e0 [null_blk]
[ 2073.019274] null_exit+0x90/0x114 [null_blk]
[ 2073.019278] __arm64_sys_delete_module+0x358/0x5a0
[ 2073.019282] el0_svc_common+0xc8/0x320
[ 2073.019287] el0_svc_handler+0xf8/0x160
[ 2073.019290] el0_svc+0x10/0x218
[ 2073.019291]
[ 2073.019294] Allocated by task 14163:
[ 2073.019301] kasan_kmalloc+0xe0/0x190
[ 2073.019305] kmem_cache_alloc_node_trace+0x1cc/0x418
[ 2073.019308] bfq_pd_alloc+0x54/0x118
[ 2073.019313] blkcg_activate_policy+0x250/0x460
[ 2073.019317] bfq_create_group_hierarchy+0x38/0x110
[ 2073.019321] bfq_init_queue+0x6d0/0x948
[ 2073.019325] blk_mq_init_sched+0x1d8/0x390
[ 2073.019330] elevator_switch_mq+0x88/0x170
[ 2073.019334] elevator_switch+0x140/0x270
[ 2073.019338] elv_iosched_store+0x1a4/0x2a0
[ 2073.019342] queue_attr_store+0x90/0xe0
[ 2073.019348] sysfs_kf_write+0xa8/0xe8
[ 2073.019351] kernfs_fop_write+0x1f8/0x378
[ 2073.019359] __vfs_write+0xe0/0x360
[ 2073.019363] vfs_write+0xf0/0x270
[ 2073.019367] ksys_write+0xdc/0x1b8
[ 2073.019371] __arm64_sys_write+0x50/0x60
[ 2073.019375] el0_svc_common+0xc8/0x320
[ 2073.019380] el0_svc_handler+0xf8/0x160
[ 2073.019383] el0_svc+0x10/0x218
[ 2073.019385]
[ 2073.019387] Freed by task 72584:
[ 2073.019391] __kasan_slab_free+0x120/0x228
[ 2073.019394] kasan_slab_free+0x10/0x18
[ 2073.019397] kfree+0x94/0x368
[ 2073.019400] bfqg_put+0x64/0xb0
[ 2073.019404] bfqg_and_blkg_put+0x90/0xb0
[ 2073.019408] bfq_put_queue+0x220/0x228
[ 2073.019413] __bfq_put_async_bfqq+0x98/0x168
[ 2073.019416] bfq_put_async_queues+0xbc/0x208
[ 2073.019420] bfq_pd_offline+0x178/0x238
[ 2073.019424] blkcg_deactivate_policy+0x1f0/0x420
[ 2073.019429] bfq_exit_queue+0x128/0x178
[ 2073.019433] blk_mq_exit_sched+0x12c/0x160
[ 2073.019437] elevator_exit+0xc8/0xd0
[ 2073.019440] blk_exit_queue+0x50/0x88
[ 2073.019443] blk_cleanup_queue+0x228/0x3d8
[ 2073.019451] null_del_dev+0xfc/0x1e0 [null_blk]
[ 2073.019459] null_exit+0x90/0x114 [null_blk]
[ 2073.019462] __arm64_sys_delete_module+0x358/0x5a0
[ 2073.019467] el0_svc_common+0xc8/0x320
[ 2073.019471] el0_svc_handler+0xf8/0x160
[ 2073.019474] el0_svc+0x10/0x218
[ 2073.019475]
[ 2073.019479] The buggy address belongs to the object at ffff8000ccf63f00 which belongs to the cache kmalloc-1024 of size 1024
[ 2073.019484] The buggy address is located 552 bytes inside of 1024-byte region [ffff8000ccf63f00, ffff8000ccf64300)
[ 2073.019486] The buggy address belongs to the page:
[ 2073.019492] page:ffff7e000333d800 count:1 mapcount:0 mapping:ffff8000c0003a00 index:0x0 compound_mapcount: 0
[ 2073.020123] flags: 0x7ffff0000008100(slab|head)
[ 2073.020403] raw: 07ffff0000008100 ffff7e0003334c08 ffff7e00001f5a08 ffff8000c0003a00
[ 2073.020409] ra ---truncated---

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49179.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
aee69d78dec0ffdf82e35d57c626e80dddc314d5
Fixed
c4f5a678add58a8a0e7ee5e038496b376ea6d205
Fixed
7507ead1e9d42957c2340f2c4a0e9d00034e3366
Fixed
8f34dea99cd7761156a146a5258a67d045d862f7
Fixed
87fdfe8589d43e471dffb4c60f75eeb6f37afc4c
Fixed
c01fced8d38fbccc82787065229578006f28e020
Fixed
8410f70977734f21b8ed45c37e925d311dfda2e7

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49179.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.12.0
Fixed
5.4.189
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.110
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.33
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.16.19
Type
ECOSYSTEM
Events
Introduced
5.17.0
Fixed
5.17.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49179.json"