CVE-2024-40925

In the Linux kernel, the following vulnerability has been resolved:

block: fix request.queuelist usage in flush

Friedrich Weber reported a kernel crash problem and bisected to commit 81ada09cc25e ("blk-flush: reuse rq queuelist in flush state machine").

The root cause is that we use "listmovetail(&rq->queuelist, pending)" in the PREFLUSH/POSTFLUSH sequences. But rq->queuelist.next == xxx since it's popped out from plug->cachedrq in _blkmqallocrequestsbatch(). We don't initialize its queuelist just for this first request, although the queuelist of all later popped requests will be initialized.

Fix it by changing to use "listaddtail(&rq->queuelist, pending)" so rq->queuelist doesn't need to be initialized. It should be ok since rq can't be on any list when PREFLUSH or POSTFLUSH, has no move actually.

Please note the commit 81ada09cc25e ("blk-flush: reuse rq queuelist in flush state machine") also has another requirement that no drivers would touch rq->queuelist after blkmqend_request() since we will reuse it to add rq to the post-flush pending list in POSTFLUSH. If this is not true, we will have to revert that commit IMHO.

This updated version adds "listdelinit(&rq->queuelist)" in flush rq callback since the dm layer may submit request of a weird invalid format (REQFSEQPREFLUSH | REQFSEQPOSTFLUSH), which causes double listadd if without this "listdel_init(&rq->queuelist)". The weird invalid format problem should be fixed in dm layer.