CVE-2022-49270

In the Linux kernel, the following vulnerability has been resolved:

dm: fix use-after-free in dmcleanupzoned_dev()

dmcleanupzoneddev() uses queue, so it must be called before blkcleanup_disk() starts its killing:

blkcleanupdisk->blkcleanupqueue()->kobjectput()->blkreleasequeue()-> ->...RCU...->blkfreequeuercu()->kmemcachefree()

Otherwise, RCU callback may be executed first and dmcleanupzoned_dev() will touch free'd memory:

BUG: KASAN: use-after-free in dmcleanupzoned_dev+0x33/0xd0 Read of size 8 at addr ffff88805ac6e430 by task dmsetup/681

CPU: 4 PID: 681 Comm: dmsetup Not tainted 5.17.0-rc2+ #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 Call Trace: <TASK> dumpstacklvl+0x57/0x7d printaddressdescription.constprop.0+0x1f/0x150 ? dmcleanupzoneddev+0x33/0xd0 kasanreport.cold+0x7f/0x11b ? dmcleanupzoneddev+0x33/0xd0 dmcleanupzoneddev+0x33/0xd0 _dmdestroy+0x26a/0x400 ? dmblkioctl+0x230/0x230 ? upwrite+0xd8/0x270 devremove+0x156/0x1d0 ctlioctl+0x269/0x530 ? tableclear+0x140/0x140 ? lockrelease+0xb2/0x750 ? removeall+0x40/0x40 ? rcureadlockschedheld+0x12/0x70 ? lockdowngrade+0x3c0/0x3c0 ? rcureadlockschedheld+0x12/0x70 dmctlioctl+0xa/0x10 _x64sysioctl+0xb9/0xf0 dosyscall64+0x3b/0x90 entrySYSCALL64afterhwframe+0x44/0xae RIP: 0033:0x7fb6dfa95c27