CVE-2025-21631

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-21631
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21631.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-21631
Published
2025-01-19T10:17:49Z
Modified
2025-10-10T06:49:50.523511Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()
Details

In the Linux kernel, the following vulnerability has been resolved:

block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()

Our syzkaller reported the following UAF for v6.6:

BUG: KASAN: slab-use-after-free in bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958
Read of size 8 at addr ffff8881b57147d8 by task fsstress/232726

CPU: 2 PID: 232726 Comm: fsstress Not tainted 6.6.0-g3629d1885222 #39
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106
 print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364
 print_report+0x3e/0x70 mm/kasan/report.c:475
 kasan_report+0xb8/0xf0 mm/kasan/report.c:588
 hlist_add_head include/linux/list.h:1023 [inline]
 bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958
 bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271
 bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323
 blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660
 blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143
 __submit_bio+0xa0/0x6b0 block/blk-core.c:639
 __submit_bio_noacct_mq block/blk-core.c:718 [inline]
 submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747
 submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847
 __ext4_read_bh fs/ext4/super.c:205 [inline]
 ext4_read_bh+0x15e/0x2e0 fs/ext4/super.c:230
 __read_extent_tree_block+0x304/0x6f0 fs/ext4/extents.c:567
 ext4_find_extent+0x479/0xd20 fs/ext4/extents.c:947
 ext4_ext_map_blocks+0x1a3/0x2680 fs/ext4/extents.c:4182
 ext4_map_blocks+0x929/0x15a0 fs/ext4/inode.c:660
 ext4_iomap_begin_report+0x298/0x480 fs/ext4/inode.c:3569
 iomap_iter+0x3dd/0x1010 fs/iomap/iter.c:91
 iomap_fiemap+0x1f4/0x360 fs/iomap/fiemap.c:80
 ext4_fiemap+0x181/0x210 fs/ext4/extents.c:5051
 ioctl_fiemap.isra.0+0x1b4/0x290 fs/ioctl.c:220
 do_vfs_ioctl+0x31c/0x11a0 fs/ioctl.c:811
 __do_sys_ioctl fs/ioctl.c:869 [inline]
 __se_sys_ioctl+0xae/0x190 fs/ioctl.c:857
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x78/0xe2

Allocated by task 232719:
 kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook mm/slab.h:768 [inline]
 slab_alloc_node mm/slub.c:3492 [inline]
 kmem_cache_alloc_node+0x1b8/0x6f0 mm/slub.c:3537
 bfq_get_queue+0x215/0x1f00 block/bfq-iosched.c:5869
 bfq_get_bfqq_handle_split+0x167/0x5f0 block/bfq-iosched.c:6776
 bfq_init_rq+0x13a4/0x17a0 block/bfq-iosched.c:6938
 bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271
 bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323
 blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660
 blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143
 __submit_bio+0xa0/0x6b0 block/blk-core.c:639
 __submit_bio_noacct_mq block/blk-core.c:718 [inline]
 submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747
 submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847
 __ext4_read_bh fs/ext4/super.c:205 [inline]
 ext4_read_bh_nowait+0x15a/0x240 fs/ext4/super.c:217
 ext4_read_bh_lock+0xac/0xd0 fs/ext4/super.c:242
 ext4_bread_batch+0x268/0x500 fs/ext4/inode.c:958
 __ext4_find_entry+0x448/0x10f0 fs/ext4/namei.c:1671
 ext4_lookup_entry fs/ext4/namei.c:1774 [inline]
 ext4_lookup.part.0+0x359/0x6f0 fs/ext4/namei.c:1842
 ext4_lookup+0x72/0x90 fs/ext4/namei.c:1839
 __lookup_slow+0x257/0x480 fs/namei.c:1696
 lookup_slow fs/namei.c:1713 [inline]
 walk_component+0x454/0x5c0 fs/namei.c:2004
 link_path_walk.part.0+0x773/0xda0 fs/namei.c:2331
 link_path_walk fs/namei.c:3826 [inline]
 path_openat+0x1b9/0x520 fs/namei.c:3826
 do_filp_open+0x1b7/0x400 fs/namei.c:3857
 do_sys_openat2+0x5dc/0x6e0 fs/open.c:1428
 do_sys_open fs/open.c:1443 [inline]
 __do_sys_openat fs/open.c:1459 [inline]
 __se_sys_openat fs/open.c:1454 [inline]
 __x64_sys_openat+0x148/0x200 fs/open.c:1454
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_6 ---truncated---

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
63a07379fdb6c72450cb05294461c6016b8b7726
Fixed
f587c1ac68956c4703857d650d9b1cd7bb2ac4d7
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
de0456460f2abf921e356ed2bd8da87a376680bd
Fixed
2550149fcdf2934155ff625d76ad4e3d4b25bbc6
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0780451f03bf518bc032a7c584de8f92e2d39d7f
Fixed
be3eed59ac01f429ac10aaa46e26f653bcf581ab
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1ba0403ac6447f2d63914fb760c44a3b19c44eaf
Fixed
bc2aeb35ff167e0c6b0cedf0c96a5c41e6cba1ed
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1ba0403ac6447f2d63914fb760c44a3b19c44eaf
Fixed
fcede1f0a043ccefe9bc6ad57f12718e42f63f1d
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0b8bda0ff17156cd3f60944527c9d8c9f99f1583
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
cae58d19121a70329cf971359e2518c93fec04fe

Affected versions

v5.*

v5.10.1
v5.10.10
v5.10.11
v5.10.12
v5.10.13
v5.10.14
v5.10.15
v5.10.16
v5.10.17
v5.10.18
v5.10.19
v5.10.2
v5.10.3
v5.10.4
v5.10.5
v5.10.6
v5.10.7
v5.10.8
v5.10.9
v5.11.1
v5.11.10
v5.11.11
v5.11.12
v5.11.13
v5.11.14
v5.11.15
v5.11.16
v5.11.17
v5.11.18
v5.11.19
v5.11.2
v5.11.20
v5.11.21
v5.11.3
v5.11.4
v5.11.5
v5.11.6
v5.11.7
v5.11.8
v5.11.9
v5.12.1
v5.12.10
v5.12.11
v5.12.12
v5.12.13
v5.12.14
v5.12.15
v5.12.16
v5.12.17
v5.12.18
v5.12.19
v5.12.2
v5.12.3
v5.12.4
v5.12.5
v5.12.6
v5.12.7
v5.12.8
v5.12.9
v5.13.1
v5.13.10
v5.13.11
v5.13.12
v5.13.13
v5.13.14
v5.13.15
v5.13.16
v5.13.17
v5.13.18
v5.13.2
v5.13.3
v5.13.4
v5.13.5
v5.13.6
v5.13.7
v5.13.8
v5.13.9
v5.14.1
v5.14.10
v5.14.11
v5.14.12
v5.14.13
v5.14.14
v5.14.15
v5.14.16
v5.14.17
v5.14.18
v5.14.19
v5.14.2
v5.14.20
v5.14.3
v5.14.4
v5.14.5
v5.14.6
v5.14.7
v5.14.8
v5.14.9
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.168
v5.15.169
v5.15.17
v5.15.170
v5.15.171
v5.15.172
v5.15.173
v5.15.174
v5.15.175
v5.15.176
v5.15.18
v5.15.19
v5.15.2
v5.15.3
v5.15.4
v5.15.5
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16.1
v5.16.10
v5.16.11
v5.16.12
v5.16.13
v5.16.14
v5.16.15
v5.16.16
v5.16.17
v5.16.18
v5.16.19
v5.16.2
v5.16.20
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.16.8
v5.16.9
v5.17.1
v5.17.10
v5.17.11
v5.17.12
v5.17.13
v5.17.14
v5.17.2
v5.17.3
v5.17.4
v5.17.5
v5.17.6
v5.17.7
v5.17.8
v5.17.9
v5.18.1
v5.18.10
v5.18.11
v5.18.12
v5.18.13
v5.18.14
v5.18.15
v5.18.16
v5.18.17
v5.18.18
v5.18.19
v5.18.2
v5.18.3
v5.18.4
v5.18.5
v5.18.6
v5.18.7
v5.18.8
v5.18.9
v5.19.1
v5.19.10
v5.19.11
v5.19.12
v5.19.13
v5.19.14
v5.19.15
v5.19.16
v5.19.2
v5.19.3
v5.19.4
v5.19.5
v5.19.6
v5.19.7
v5.19.8
v5.19.9
v5.6.1
v5.6.10
v5.6.11
v5.6.12
v5.6.13
v5.6.14
v5.6.15
v5.6.16
v5.6.17
v5.6.18
v5.6.2
v5.6.3
v5.6.4
v5.6.5
v5.6.6
v5.6.7
v5.6.8
v5.6.9
v5.7.1
v5.7.10
v5.7.11
v5.7.12
v5.7.13
v5.7.14
v5.7.15
v5.7.16
v5.7.2
v5.7.3
v5.7.4
v5.7.5
v5.7.6
v5.7.7
v5.7.8
v5.7.9
v5.8.1
v5.8.10
v5.8.11
v5.8.12
v5.8.13
v5.8.14
v5.8.15
v5.8.16
v5.8.17
v5.8.18
v5.8.2
v5.8.3
v5.8.4
v5.8.5
v5.8.6
v5.8.7
v5.8.8
v5.8.9
v5.9.1
v5.9.10
v5.9.11
v5.9.12
v5.9.13
v5.9.14
v5.9.15
v5.9.16
v5.9.2
v5.9.3
v5.9.4
v5.9.5
v5.9.6
v5.9.7
v5.9.8
v5.9.9

v6.*

v6.0.1
v6.0.10
v6.0.11
v6.0.12
v6.0.13
v6.0.14
v6.0.15
v6.0.16
v6.0.17
v6.0.18
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.7
v6.0.8
v6.0.9
v6.1.1
v6.1.10
v6.1.11
v6.1.113
v6.1.114
v6.1.115
v6.1.116
v6.1.117
v6.1.118
v6.1.119
v6.1.12
v6.1.120
v6.1.121
v6.1.122
v6.1.123
v6.1.124
v6.1.13
v6.1.14
v6.1.15
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.10.1
v6.10.10
v6.10.11
v6.10.12
v6.10.13
v6.10.14
v6.10.2
v6.10.3
v6.10.4
v6.10.5
v6.10.6
v6.10.7
v6.10.8
v6.10.9
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.11.1
v6.11.10
v6.11.11
v6.11.2
v6.11.3
v6.11.4
v6.11.5
v6.11.6
v6.11.7
v6.11.8
v6.11.9
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.2
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.13.1
v6.13.10
v6.13.11
v6.13.12
v6.13.2
v6.13.3
v6.13.4
v6.13.5
v6.13.6
v6.13.7
v6.13.8
v6.13.9
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1
v6.14.10
v6.14.11
v6.14.2
v6.14.3
v6.14.4
v6.14.5
v6.14.6
v6.14.7
v6.14.8
v6.14.9
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.15.1
v6.15.10
v6.15.11
v6.15.2
v6.15.3
v6.15.4
v6.15.5
v6.15.6
v6.15.7
v6.15.8
v6.15.9
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.16.1
v6.16.10
v6.16.11
v6.16.2
v6.16.3
v6.16.4
v6.16.5
v6.16.6
v6.16.7
v6.16.8
v6.16.9
v6.2.1
v6.2.10
v6.2.11
v6.2.12
v6.2.13
v6.2.14
v6.2.15
v6.2.2
v6.2.3
v6.2.4
v6.2.5
v6.2.6
v6.2.7
v6.2.8
v6.2.9
v6.3.1
v6.3.10
v6.3.11
v6.3.12
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.3.6
v6.3.7
v6.3.8
v6.3.9
v6.4.1
v6.4.10
v6.4.11
v6.4.12
v6.4.13
v6.4.14
v6.4.15
v6.4.16
v6.4.2
v6.4.3
v6.4.4
v6.4.5
v6.4.6
v6.4.7
v6.4.8
v6.4.9
v6.5.1
v6.5.10
v6.5.11
v6.5.12
v6.5.13
v6.5.2
v6.5.3
v6.5.4
v6.5.5
v6.5.6
v6.5.7
v6.5.8
v6.5.9
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.2
v6.6.3
v6.6.4
v6.6.5
v6.6.54
v6.6.55
v6.6.56
v6.6.57
v6.6.58
v6.6.59
v6.6.6
v6.6.60
v6.6.61
v6.6.62
v6.6.63
v6.6.64
v6.6.65
v6.6.66
v6.6.67
v6.6.68
v6.6.69
v6.6.7
v6.6.70
v6.6.71
v6.6.8
v6.6.9
v6.7.1
v6.7.10
v6.7.11
v6.7.2
v6.7.3
v6.7.4
v6.7.5
v6.7.6
v6.7.7
v6.7.8
v6.7.9
v6.8.1
v6.8.10
v6.8.11
v6.8.2
v6.8.3
v6.8.4
v6.8.5
v6.8.6
v6.8.7
v6.8.8
v6.8.9
v6.9.1
v6.9.10
v6.9.11
v6.9.12
v6.9.2
v6.9.3
v6.9.4
v6.9.5
v6.9.6
v6.9.7
v6.9.8
v6.9.9

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.15.177
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.125
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.72
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.10