CVE-2025-21631

In the Linux kernel, the following vulnerability has been resolved:

block, bfq: fix wakerbfqq UAF after bfqsplit_bfqq()

Our syzkaller report a following UAF for v6.6:

BUG: KASAN: slab-use-after-free in bfqinitrq+0x175d/0x17a0 block/bfq-iosched.c:6958 Read of size 8 at addr ffff8881b57147d8 by task fsstress/232726

CPU: 2 PID: 232726 Comm: fsstress Not tainted 6.6.0-g3629d1885222 #39 Call Trace: <TASK> _dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0x91/0xf0 lib/dumpstack.c:106 printaddressdescription.constprop.0+0x66/0x300 mm/kasan/report.c:364 printreport+0x3e/0x70 mm/kasan/report.c:475 kasanreport+0xb8/0xf0 mm/kasan/report.c:588 hlistaddhead include/linux/list.h:1023 [inline] bfqinitrq+0x175d/0x17a0 block/bfq-iosched.c:6958 bfqinsertrequest.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271 bfqinsertrequests+0x27f/0x390 block/bfq-iosched.c:6323 blkmqinsertrequest+0x290/0x8f0 block/blk-mq.c:2660 blkmqsubmitbio+0x1021/0x15e0 block/blk-mq.c:3143 _submitbio+0xa0/0x6b0 block/blk-core.c:639 _submitbionoacctmq block/blk-core.c:718 [inline] submitbionoacctnocheck+0x5b7/0x810 block/blk-core.c:747 submitbionoacct+0xca0/0x1990 block/blk-core.c:847 _ext4readbh fs/ext4/super.c:205 [inline] ext4readbh+0x15e/0x2e0 fs/ext4/super.c:230 _readextenttreeblock+0x304/0x6f0 fs/ext4/extents.c:567 ext4findextent+0x479/0xd20 fs/ext4/extents.c:947 ext4extmapblocks+0x1a3/0x2680 fs/ext4/extents.c:4182 ext4mapblocks+0x929/0x15a0 fs/ext4/inode.c:660 ext4iomapbeginreport+0x298/0x480 fs/ext4/inode.c:3569 iomapiter+0x3dd/0x1010 fs/iomap/iter.c:91 iomapfiemap+0x1f4/0x360 fs/iomap/fiemap.c:80 ext4fiemap+0x181/0x210 fs/ext4/extents.c:5051 ioctlfiemap.isra.0+0x1b4/0x290 fs/ioctl.c:220 dovfsioctl+0x31c/0x11a0 fs/ioctl.c:811 _dosysioctl fs/ioctl.c:869 [inline] _sesysioctl+0xae/0x190 fs/ioctl.c:857 dosyscallx64 arch/x86/entry/common.c:51 [inline] dosyscall64+0x70/0x120 arch/x86/entry/common.c:81 entrySYSCALL64afterhwframe+0x78/0xe2

Allocated by task 232719: kasansavestack+0x22/0x50 mm/kasan/common.c:45 kasansettrack+0x25/0x30 mm/kasan/common.c:52 _kasanslaballoc+0x87/0x90 mm/kasan/common.c:328 kasanslaballoc include/linux/kasan.h:188 [inline] slabpostallochook mm/slab.h:768 [inline] slaballocnode mm/slub.c:3492 [inline] kmemcacheallocnode+0x1b8/0x6f0 mm/slub.c:3537 bfqgetqueue+0x215/0x1f00 block/bfq-iosched.c:5869 bfqgetbfqqhandlesplit+0x167/0x5f0 block/bfq-iosched.c:6776 bfqinitrq+0x13a4/0x17a0 block/bfq-iosched.c:6938 bfqinsertrequest.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271 bfqinsertrequests+0x27f/0x390 block/bfq-iosched.c:6323 blkmqinsertrequest+0x290/0x8f0 block/blk-mq.c:2660 blkmqsubmitbio+0x1021/0x15e0 block/blk-mq.c:3143 _submitbio+0xa0/0x6b0 block/blk-core.c:639 _submitbionoacctmq block/blk-core.c:718 [inline] submitbionoacctnocheck+0x5b7/0x810 block/blk-core.c:747 submitbionoacct+0xca0/0x1990 block/blk-core.c:847 _ext4readbh fs/ext4/super.c:205 [inline] ext4readbhnowait+0x15a/0x240 fs/ext4/super.c:217 ext4readbhlock+0xac/0xd0 fs/ext4/super.c:242 ext4breadbatch+0x268/0x500 fs/ext4/inode.c:958 _ext4findentry+0x448/0x10f0 fs/ext4/namei.c:1671 ext4lookupentry fs/ext4/namei.c:1774 [inline] ext4lookup.part.0+0x359/0x6f0 fs/ext4/namei.c:1842 ext4lookup+0x72/0x90 fs/ext4/namei.c:1839 _lookupslow+0x257/0x480 fs/namei.c:1696 lookupslow fs/namei.c:1713 [inline] walkcomponent+0x454/0x5c0 fs/namei.c:2004 linkpathwalk.part.0+0x773/0xda0 fs/namei.c:2331 linkpathwalk fs/namei.c:3826 [inline] pathopenat+0x1b9/0x520 fs/namei.c:3826 dofilpopen+0x1b7/0x400 fs/namei.c:3857 dosysopenat2+0x5dc/0x6e0 fs/open.c:1428 dosysopen fs/open.c:1443 [inline] _dosysopenat fs/open.c:1459 [inline] _sesysopenat fs/open.c:1454 [inline] _x64sysopenat+0x148/0x200 fs/open.c:1454 dosyscallx64 arch/x86/entry/common.c:51 [inline] dosyscall6 ---truncated---