In the Linux kernel, the following vulnerability has been resolved:
blk-cgroup: fix UAF by grabbing blkcg lock before destroying blkg pd
KASAN reports a use-after-free report when doing fuzz test:
[693354.104835] ================================================================== [693354.105094] BUG: KASAN: use-after-free in bfqiosetweightlegacy+0xd3/0x160 [693354.105336] Read of size 4 at addr ffff888be0a35664 by task sh/1453338
[693354.105607] CPU: 41 PID: 1453338 Comm: sh Kdump: loaded Not tainted 4.18.0-147 [693354.105610] Hardware name: Huawei 2288H V5/BC11SPSCB0, BIOS 0.81 07/02/2018 [693354.105612] Call Trace: [693354.105621] dumpstack+0xf1/0x19b [693354.105626] ? showregsprintinfo+0x5/0x5 [693354.105634] ? printk+0x9c/0xc3 [693354.105638] ? cpumaskweight+0x1f/0x1f [693354.105648] printaddressdescription+0x70/0x360 [693354.105654] kasanreport+0x1b2/0x330 [693354.105659] ? bfqiosetweightlegacy+0xd3/0x160 [693354.105665] ? bfqiosetweightlegacy+0xd3/0x160 [693354.105670] bfqiosetweightlegacy+0xd3/0x160 [693354.105675] ? bfqcpdinit+0x20/0x20 [693354.105683] cgroupfilewrite+0x3aa/0x510 [693354.105693] ? _slaballoc+0x507/0x540 [693354.105698] ? cgroupfilepoll+0x60/0x60 [693354.105702] ? 0xffffffff89600000 [693354.105708] ? usercopyabort+0x90/0x90 [693354.105716] ? mutexlock+0xef/0x180 [693354.105726] kernfsfopwrite+0x1ab/0x280 [693354.105732] ? cgroupfilepoll+0x60/0x60 [693354.105738] vfswrite+0xe7/0x230 [693354.105744] ksyswrite+0xb0/0x140 [693354.105749] ? _ia32sysread+0x50/0x50 [693354.105760] dosyscall64+0x112/0x370 [693354.105766] ? syscallreturnslowpath+0x260/0x260 [693354.105772] ? dopagefault+0x9b/0x270 [693354.105779] ? prepareexittousermode+0xf9/0x1a0 [693354.105784] ? enterfromusermode+0x30/0x30 [693354.105793] entrySYSCALL64afterhwframe+0x65/0xca
[693354.105875] Allocated by task 1453337: [693354.106001] kasankmalloc+0xa0/0xd0 [693354.106006] kmemcacheallocnodetrace+0x108/0x220 [693354.106010] bfqpdalloc+0x96/0x120 [693354.106015] blkcgactivatepolicy+0x1b7/0x2b0 [693354.106020] bfqcreategrouphierarchy+0x1e/0x80 [693354.106026] bfqinitqueue+0x678/0x8c0 [693354.106031] blkmqinitsched+0x1f8/0x460 [693354.106037] elevatorswitchmq+0xe1/0x240 [693354.106041] elevatorswitch+0x25/0x40 [693354.106045] elvioschedstore+0x1a1/0x230 [693354.106049] queueattrstore+0x78/0xb0 [693354.106053] kernfsfopwrite+0x1ab/0x280 [693354.106056] vfswrite+0xe7/0x230 [693354.106060] ksyswrite+0xb0/0x140 [693354.106064] dosyscall64+0x112/0x370 [693354.106069] entrySYSCALL64afterhwframe+0x65/0xca
[693354.106114] Freed by task 1453336: [693354.106225] _kasanslabfree+0x130/0x180 [693354.106229] kfree+0x90/0x1b0 [693354.106233] blkcgdeactivatepolicy+0x12c/0x220 [693354.106238] bfqexitqueue+0xf5/0x110 [693354.106241] blkmqexitsched+0x104/0x130 [693354.106245] _elevatorexit+0x45/0x60 [693354.106249] elevatorswitchmq+0xd6/0x240 [693354.106253] elevatorswitch+0x25/0x40 [693354.106257] elvioschedstore+0x1a1/0x230 [693354.106261] queueattrstore+0x78/0xb0 [693354.106264] kernfsfopwrite+0x1ab/0x280 [693354.106268] vfswrite+0xe7/0x230 [693354.106271] ksyswrite+0xb0/0x140 [693354.106275] dosyscall64+0x112/0x370 [693354.106280] entrySYSCALL64after_hwframe+0x65/0xca
[693354.106329] The buggy address belongs to the object at ffff888be0a35580 which belongs to the cache kmalloc-1k of size 1024 [693354.106736] The buggy address is located 228 bytes inside of 1024-byte region [ffff888be0a35580, ffff888be0a35980) [693354.107114] The buggy address belongs to the page: [693354.107273] page:ffffea002f828c00 count:1 mapcount:0 mapping:ffff888107c17080 index:0x0 compound_mapcount: 0 [693354.107606] flags: 0x17ffffc0008100(slab|head) [693354.107760] raw: 0017ffffc0008100 ffffea002fcbc808 ffffea0030bd3a08 ffff888107c17080 [693354.108020] r ---truncated---