CVE-2025-38106

Source
https://cve.org/CVERecord?id=CVE-2025-38106
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38106.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-38106
Downstream
Related
Published
2025-07-03T08:35:16.215Z
Modified
2026-03-16T08:43:58.765105Z
Summary
io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo()
Details

In the Linux kernel, the following vulnerability has been resolved:

io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo()

syzbot reports:

BUG: KASAN: slab-use-after-free in getrusage+0x1109/0x1a60
Read of size 8 at addr ffff88810de2d2c8 by task a.out/304

CPU: 0 UID: 0 PID: 304 Comm: a.out Not tainted 6.16.0-rc1 #1 PREEMPT(voluntary)
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x53/0x70
 print_report+0xd0/0x670
 ? __pfx__raw_spin_lock_irqsave+0x10/0x10
 ? getrusage+0x1109/0x1a60
 kasan_report+0xce/0x100
 ? getrusage+0x1109/0x1a60
 getrusage+0x1109/0x1a60
 ? __pfx_getrusage+0x10/0x10
 __io_uring_show_fdinfo+0x9fe/0x1790
 ? ksys_read+0xf7/0x1c0
 ? do_syscall_64+0xa4/0x260
 ? vsnprintf+0x591/0x1100
 ? __pfx___io_uring_show_fdinfo+0x10/0x10
 ? __pfx_vsnprintf+0x10/0x10
 ? mutex_trylock+0xcf/0x130
 ? __pfx_mutex_trylock+0x10/0x10
 ? __pfx_show_fd_locks+0x10/0x10
 ? io_uring_show_fdinfo+0x57/0x80
 io_uring_show_fdinfo+0x57/0x80
 seq_show+0x38c/0x690
 seq_read_iter+0x3f7/0x1180
 ? inode_set_ctime_current+0x160/0x4b0
 seq_read+0x271/0x3e0
 ? __pfx_seq_read+0x10/0x10
 ? __pfx__raw_spin_lock+0x10/0x10
 ? __mark_inode_dirty+0x402/0x810
 ? selinux_file_permission+0x368/0x500
 ? file_update_time+0x10f/0x160
 vfs_read+0x177/0xa40
 ? __pfx_handle_mm_fault+0x10/0x10
 ? __pfx_vfs_read+0x10/0x10
 ? mutex_lock+0x81/0xe0
 ? __pfx_mutex_lock+0x10/0x10
 ? fdget_pos+0x24d/0x4b0
 ksys_read+0xf7/0x1c0
 ? __pfx_ksys_read+0x10/0x10
 ? do_user_addr_fault+0x43b/0x9c0
 do_syscall_64+0xa4/0x260
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0f74170fc9
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 8
RSP: 002b:00007fffece049e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0f74170fc9
RDX: 0000000000001000 RSI: 00007fffece049f0 RDI: 0000000000000004
RBP: 00007fffece05ad0 R08: 0000000000000000 R09: 00007fffece04d90
R10: 0000000000000000 R11: 0000000000000206 R12: 00005651720a1100
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>

Allocated by task 298:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 __kasan_slab_alloc+0x6e/0x70
 kmem_cache_alloc_node_noprof+0xe8/0x330
 copy_process+0x376/0x5e00
 create_io_thread+0xab/0xf0
 io_sq_offload_create+0x9ed/0xf20
 io_uring_setup+0x12b0/0x1cc0
 do_syscall_64+0xa4/0x260
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 22:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3b/0x60
 __kasan_slab_free+0x37/0x50
 kmem_cache_free+0xc4/0x360
 rcu_core+0x5ff/0x19f0
 handle_softirqs+0x18c/0x530
 run_ksoftirqd+0x20/0x30
 smpboot_thread_fn+0x287/0x6c0
 kthread+0x30d/0x630
 ret_from_fork+0xef/0x1a0
 ret_from_fork_asm+0x1a/0x30

Last potentially related work creation:
 kasan_save_stack+0x33/0x60
 kasan_record_aux_stack+0x8c/0xa0
 __call_rcu_common.constprop.0+0x68/0x940
 __schedule+0xff2/0x2930
 __cond_resched+0x4c/0x80
 mutex_lock+0x5c/0xe0
 io_uring_del_tctx_node+0xe1/0x2b0
 io_uring_clean_tctx+0xb7/0x160
 io_uring_cancel_generic+0x34e/0x760
 do_exit+0x240/0x2350
 do_group_exit+0xab/0x220
 __x64_sys_exit_group+0x39/0x40
 x64_sys_call+0x1243/0x1840
 do_syscall_64+0xa4/0x260
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88810de2cb00
 which belongs to the cache task_struct of size 3712
The buggy address is located 1992 bytes inside of
 freed 3712-byte region [ffff88810de2cb00, ffff88810de2d980)

which is caused by the task_struct pointed to by sq->thread being released while it is being used in the function __io_uring_show_fdinfo(). Holding ctx->uring_lock does not prevent the release or exit of sq->thread.

Fix this by assigning and looking up ->thread under RCU, and grabbing a reference to the task_struct. This e ---truncated---

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38106.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3fcb9d17206e31630f802a3ab52081d1342b8ed9
Fixed
af8c13f9ee040b9a287ba246cf0055f7c77b7cc8
Fixed
d0932758a0a77b38ba1b39564f3b7aba12407061
Fixed
ac0b8b327a5677dc6fecdf353d808161525b1ff0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38106.json"