CVE-2024-47706

Source
https://cve.org/CVERecord?id=CVE-2024-47706
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-47706.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-47706
Downstream
Related
Published
2024-10-21T11:53:40.759Z
Modified
2026-03-20T12:39:11.137077Z
Summary
block, bfq: fix possible UAF for bfqq->bic with merge chain
Details

In the Linux kernel, the following vulnerability has been resolved:

block, bfq: fix possible UAF for bfqq->bic with merge chain

1) initial state, three tasks:

                Process 1       Process 2       Process 3
                 (BIC1)          (BIC2)          (BIC3)
                  |  ^            |  ^            |  ^
                  |  |            |  |            |  |
                  V  |            V  |            V  |
                  bfqq1           bfqq2           bfqq3
process ref:        1               1               1

2) bfqq1 merged to bfqq2:

                Process 1       Process 2       Process 3
                 (BIC1)          (BIC2)          (BIC3)
                  |               |               |  ^
                   \-------------\|               |  |
                                  V               V  |
                  bfqq1---------->bfqq2           bfqq3
process ref:        0               2               1

3) bfqq2 merged to bfqq3:

                Process 1       Process 2       Process 3
                 (BIC1)          (BIC2)          (BIC3)
             here -> ^            |               |
                   \-------------\ \-------------\|
                                  V               V
                  bfqq1---------->bfqq2---------->bfqq3
process ref:        0               1               3

In this case, IO from Process 1 will get bfqq2 from BIC1 first, and then get bfqq3 through merge chain, and finally handle IO by bfqq3. However, current code will think bfqq2 is owned by BIC1, like initial state, and set bfqq2->bic to BIC1.

bfq_insert_request
-> by Process 1
 bfqq = bfq_init_rq(rq)
  bfqq = bfq_get_bfqq_handle_split
   bfqq = bic_to_bfqq
   -> get bfqq2 from BIC1
  bfqq->ref++
  rq->elv.priv[0] = bic
  rq->elv.priv[1] = bfqq
  if (bfqq_process_refs(bfqq) == 1)
   bfqq->bic = bic
   -> record BIC1 to bfqq2

 __bfq_insert_request
  new_bfqq = bfq_setup_cooperator
  -> get bfqq3 from bfqq2->new_bfqq
  bfqq_request_freed(bfqq)
  new_bfqq->ref++
  rq->elv.priv[1] = new_bfqq
  -> handle IO by bfqq3

Fix the problem by checking bfqq is from merge chain first. And this might fix a following problem reported by our syzkaller (unreproducible):

==================================================================
BUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
BUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
BUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
Write of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595

CPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G L 6.6.0-07439-gba2303cacfda #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: kblockd blk_mq_requeue_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0x10d/0x610 mm/kasan/report.c:475
 kasan_report+0x8e/0xc0 mm/kasan/report.c:588
 bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
 bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
 bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
 bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757
 bfq_init_rq block/bfq-iosched.c:6876 [inline]
 bfq_insert_request block/bfq-iosched.c:6254 [inline]
 bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304
 blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593
 blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502
 process_one_work kernel/workqueue.c:2627 [inline]
 process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
 worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
 kthread+0x33c/0x440 kernel/kthread.c:388
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
 </TASK>

Allocated by task 20776:
 kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook mm/slab.h:763 [inline]
 slab_alloc_node mm/slub.c:3458 [inline]
 kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503
 ioc_create_icq block/blk-ioc.c:370 [inline]
---truncated---
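The ownership mistake described in the commit message, modelled as an added C example (a constructed illustration written for this record, not kernel code): the structs, chain_tail and the record_bic_* helpers are stand-ins for the bfq_init_rq ownership check and the bfq_setup_cooperator walk, and only the fields the description mentions are modelled. It rebuilds state 3), submits one I/O from Process 1 through BIC1, and shows that the single-ref rule claims bfqq2 for BIC1 while the merge-chain check leaves it unclaimed.

```c
#include <stdbool.h>
#include <string.h>
/* Constructed stand-ins for struct bfq_queue and struct bfq_io_cq: only the
 * fields the description talks about are modelled. */
struct bic;
struct bfqq {
    const char *name;
    struct bfqq *new_bfqq;  /* set when this queue was merged into another */
    int process_refs;       /* the "process ref" row in the diagrams */
    struct bic *bic;        /* bic recorded as owner of this queue, or NULL */
};
struct bic { const char *name; struct bfqq *bfqq; };  /* bfqq: what the I/O context points at */
struct outcome { const char *owner_of_bfqq2; const char *handling_queue; };

/* bfq_setup_cooperator step: follow new_bfqq to the end of the merge chain. */
static struct bfqq *chain_tail(struct bfqq *q)
{
    while (q->new_bfqq)
        q = q->new_bfqq;
    return q;
}

/* Vulnerable rule from the description: one process ref is read as "owned by
 * the requesting bic", even when the queue is only a link in a merge chain. */
static void record_bic_buggy(struct bfqq *q, struct bic *bic)
{
    if (q->process_refs == 1)
        q->bic = bic;   /* bfqq2->bic = BIC1: dangling once BIC1 is freed */
}

/* Fixed rule: test for the merge chain first, then the ref count. */
static void record_bic_fixed(struct bfqq *q, struct bic *bic)
{
    if (!q->new_bfqq && q->process_refs == 1)
        q->bic = bic;
}

/* Rebuild state 3) and submit one I/O from Process 1 through BIC1. */
static struct outcome submit_io_from_process1(bool fixed)
{
    struct bfqq q3 = { "bfqq3", NULL, 3, NULL };
    struct bfqq q2 = { "bfqq2", &q3, 1, NULL };   /* bfqq2 merged into bfqq3 */
    struct bic bic1 = { "BIC1", &q2 };            /* BIC1 still names bfqq2 */
    struct outcome out;

    if (fixed) record_bic_fixed(&q2, &bic1); else record_bic_buggy(&q2, &bic1);
    out.owner_of_bfqq2 = q2.bic ? q2.bic->name : "none";
    out.handling_queue = chain_tail(bic1.bfqq)->name;   /* I/O lands on bfqq3 */
    return out;
}
```

In both variants the I/O is handled by bfqq3; only the fixed variant refuses to record BIC1 on bfqq2, which is the pointer the KASAN report above shows being used after the bic is freed.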

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/47xxx/CVE-2024-47706.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
36eca894832351feed9072d0f97eb06fc9482ca4
Fixed
a9bdd5b36887d2bacb8bc777fd18317c99fc2587
Fixed
bc2140534b2aae752e4f7cb4489642dbb5ec4777
Fixed
e1277ae780cca4e69ef5468d4582dfd48f0b8320
Fixed
8aa9de02a4be2e7006e636816ce19b0d667ceaa3
Fixed
ddbdaad123254fb53e32480cb74a486a6868b1e0
Fixed
7faed2896d78e48ec96229e73b30b0af6c00a9aa
Fixed
880692ee233ba63808182705b3333403413b58f5
Fixed
6d130db286ad0ea392c96ebb2551acf0d7308048
Fixed
18ad4df091dd5d067d2faa8fce1180b79f7041a7

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-47706.json"