From: l1za0.sec@gmail.com
To: axboe@kernel.dk
Cc: linux-block@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] block: blk-mq: fix UAF in blk_mq_tagset_busy_iter
Date: Thu, 30 Apr 2026 12:28:21 +0800
Message-ID: <20260430042821.29120-1-l1za0.sec@gmail.com>

From: Haocheng Yu

A KASAN: slab-use-after-free Read in blk_mq_tagset_busy_iter is reported by
a modified Syzkaller-based kernel fuzzing tool we developed.

This problem is caused by a race condition between
block/blk-mq-tag.c/blk_mq_tagset_busy_iter() and
block/blk-mq.c/blk_mq_realloc_tag_set_tags(). In
blk_mq_realloc_tag_set_tags(), set->tags is first freed, and then new_tags
is assigned to set->tags. However, this process is not protected by
synchronization. Therefore, if another process reads tagset->tags in
blk_mq_tagset_busy_iter() between these two steps, it will cause a
use-after-free read problem.

To fix this vulnerability, first save the old set->tags. After updating
set->tags to new_tags, wait for the reading side to exit before releasing
it. This avoids the problem of tagset->tags being directly released while
blk_mq_tagset_busy_iter() is still iterating.
Signed-off-by: Haocheng Yu
---
The full reproducer is attached here:

# {Threaded:true Repeat:true RepeatTimes:0 Procs:8 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0xc0400)
r1 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x80040)
ioctl$NBD_SET_FLAGS(r1, 0xab0a, 0x9ad)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff})
r3 = syz_open_dev$dri(&(0x7f0000000100), 0xfffffffffffffffc, 0xc8503)
r4 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0xc0400)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff})
ioctl$NBD_SET_SOCK(r4, 0xab00, r5)
r6 = syz_open_dev$ndb(&(0x7f0000000240), 0x0, 0x12100)
ioctl$NBD_DO_IT(r6, 0xab03)
close_range(r3, 0xffffffffffffffff, 0x0)
ioctl$NBD_SET_SIZE_BLOCKS(0xffffffffffffffff, 0xab07, 0x1)
ioctl$NBD_SET_SOCK(r0, 0xab00, r2)
r7 = syz_open_dev$loop(&(0x7f0000000040), 0x1, 0x200)
ioctl$BLKPG(r7, 0x1269, &(0x7f00000001c0)={0x1, 0x0, 0x98, &(0x7f00000000c0)={0x5, 0x2, 0x10}})
close(0x5)
r8 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x100)
r9 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0xc0400)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff})
ioctl$NBD_SET_SOCK(r9, 0xab00, r10)
close(0x5)
r11 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x100)
ioctl$NBD_DO_IT(r11, 0xab03)
r12 = syz_open_dev$ndb(&(0x7f0000000040), 0x0, 0x0)
ioctl$NBD_CLEAR_SOCK(r12, 0xab04)
ioctl$NBD_DO_IT(r8, 0xab03)
socket$inet6_tcp(0xa, 0x1, 0x0)
syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0xc0400)

 block/blk-mq.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/block/blk-mq.c b/block/blk-mq.c index d626d32f6e57..4357625a512d 100644 --- a/block/blk-mq.c +++ b/block/blk-mq.c @@ -4738,6 +4738,7 @@ static int blk_mq_realloc_tag_set_tags(struct blk_mq_= tag_set *set, int new_nr_hw_queues) { struct blk_mq_tags **new_tags; + struct blk_mq_tags **old_tags; int i; =20 if (set->nr_hw_queues >=3D new_nr_hw_queues) @@ -4751,8 +4752,10 @@ static int blk_mq_realloc_tag_set_tags(struct blk_mq= _tag_set *set, if (set->tags) memcpy(new_tags, set->tags, set->nr_hw_queues * sizeof(*set->tags)); - kfree(set->tags); + old_tags =3D set->tags; set->tags =3D new_tags; + synchronize_srcu(&set->tags_srcu); + kfree(old_tags); =20 for (i =3D set->nr_hw_queues; i < new_nr_hw_queues; i++) { if (!__blk_mq_alloc_map_and_rqs(set, i)) { base-commit: 7d0a66e4bb9081d75c82ec4957c50034cb0ea449 --=20 2.51.0
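Review bot: In the second hunk the new order (publish new_tags, synchronize_srcu(&set->tags_srcu), kfree(old_tags)) only closes the race if blk_mq_tagset_busy_iter() really walks tagset->tags inside srcu_read_lock(&tagset->tags_srcu); this patch touches only block/blk-mq.c and the changelog says "wait for the reading side to exit" without naming that lock, so please say in the commit message which read-side critical section the grace period waits for (or add that read lock in the same patch if the iterator does not already hold it), and mention that synchronize_srcu() sleeps, so the caller must be in sleepable context. Two smaller points on the same hunk: `set->tags = new_tags;` remains a plain store right after the memcpy() into new_tags, so if readers fetch the pointer with srcu_dereference()/rcu_dereference() it should be published with rcu_assign_pointer() (or at least smp_store_release()) so the copied entries are visible before the new pointer is; and since this is a use-after-free fix found by fuzzing, the changelog should carry a Fixes: tag for the commit that introduced the free-then-assign sequence and Cc: stable@vger.kernel.org.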
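To make the ordering the changelog describes concrete, the following is an added user-space model in C; it is not kernel code and not part of this patch. A reader snapshots a published array inside a read section while a writer grows it. The names tag_set, tags_read_lock, tags_synchronize, realloc_tags_buggy and realloc_tags_fixed are hypothetical stand-ins for the blk_mq_tag_set fields and the srcu_read_lock()/synchronize_srcu() calls, and the reader counter is a deliberately simplified SRCU that waits for all readers rather than only pre-existing ones. run_scenario(0) replays the free-then-assign order and reports that the old array was freed while a reader still held it; run_scenario(1) replays the patched assign-synchronize-free order and reports no such window.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for struct blk_mq_tag_set (added example, not kernel
 * code). 'tags' is the array readers walk; 'readers' plays tags_srcu; the
 * rest is harness bookkeeping so the race can be replayed deterministically. */
struct tag_set {
	int *_Atomic tags;		/* published per-queue tag array */
	int nr_hw_queues;
	atomic_int readers;		/* readers inside the read section */
	atomic_int freed;		/* old array has been free()d */
	atomic_int waiting;		/* writer is parked in tags_synchronize() */
	atomic_int inside;		/* reader snapshotted 'tags', is mid-walk */
	atomic_int go;			/* harness: lets the stalled reader finish */
	atomic_int freed_while_inside;	/* result: 1 = old array freed under a reader */
};

/* srcu_read_lock()/srcu_read_unlock() stand-ins: a plain reader count. */
static void tags_read_lock(struct tag_set *s)   { atomic_fetch_add(&s->readers, 1); }
static void tags_read_unlock(struct tag_set *s) { atomic_fetch_sub(&s->readers, 1); }

/* synchronize_srcu() stand-in: block until no reader is inside.  Real SRCU only
 * waits for readers that entered before the call; this toy waits for all. */
static void tags_synchronize(struct tag_set *s)
{
	atomic_store(&s->waiting, 1);
	while (atomic_load(&s->readers))
		sched_yield();
}

/* Allocate the bigger array and copy the existing entries over (the memcpy). */
static int *grow_copy(struct tag_set *s, int new_nr)
{
	int *new_tags = calloc(new_nr, sizeof(*new_tags));
	if (!new_tags)
		abort();
	memcpy(new_tags, atomic_load(&s->tags), s->nr_hw_queues * sizeof(*new_tags));
	return new_tags;
}

/* The order the changelog calls buggy: free first, publish afterwards. */
static void realloc_tags_buggy(struct tag_set *s, int new_nr)
{
	int *old = atomic_load(&s->tags);
	int *new_tags = grow_copy(s, new_nr);

	free(old);			/* a reader may still be walking 'old' */
	atomic_store(&s->freed, 1);
	atomic_store(&s->tags, new_tags);
	s->nr_hw_queues = new_nr;
}

/* The patched order: save old, publish new, wait for readers, then free. */
static void realloc_tags_fixed(struct tag_set *s, int new_nr)
{
	int *old = atomic_load(&s->tags);
	int *new_tags = grow_copy(s, new_nr);

	atomic_store_explicit(&s->tags, new_tags, memory_order_release);
	tags_synchronize(s);		/* readers still holding 'old' drain here */
	free(old);
	atomic_store(&s->freed, 1);
	s->nr_hw_queues = new_nr;
}

/* blk_mq_tagset_busy_iter() stand-in: snapshot the array inside the read
 * section, then stall (like a slow per-request callback) before leaving. */
static void *reader_thread(void *arg)
{
	struct tag_set *s = arg;
	int *t;

	tags_read_lock(s);
	t = atomic_load_explicit(&s->tags, memory_order_acquire);
	(void)t[0];			/* the only dereference: still valid here */
	atomic_store(&s->inside, 1);
	while (!atomic_load(&s->go))
		sched_yield();
	/* In the buggy order 't' is already freed at this point, so any further
	 * t[i] read here would be the use-after-free; we only record the fact. */
	atomic_store(&s->freed_while_inside, atomic_load(&s->freed));
	tags_read_unlock(s);
	return NULL;
}

struct writer_arg { struct tag_set *s; int fixed; };

static void *writer_thread(void *arg)
{
	struct writer_arg *w = arg;
	if (w->fixed) realloc_tags_fixed(w->s, 4); else realloc_tags_buggy(w->s, 4);
	return NULL;
}

/* Returns 1 if the old array was freed while a reader was still inside the
 * read section (the UAF window), 0 if the writer waited for the reader. */
int run_scenario(int fixed)
{
	struct tag_set s = { 0 };
	struct writer_arg w = { &s, fixed };
	int *initial = calloc(2, sizeof(*initial));	/* constructed 2-queue set */
	pthread_t rd, wr;
	int window;

	if (!initial)
		abort();
	initial[0] = 42;
	atomic_store(&s.tags, initial);
	s.nr_hw_queues = 2;

	pthread_create(&rd, NULL, reader_thread, &s);
	while (!atomic_load(&s.inside))		/* reader is now mid-walk */
		sched_yield();
	pthread_create(&wr, NULL, writer_thread, &w);
	if (fixed)
		while (!atomic_load(&s.waiting))	/* writer parked in synchronize */
			sched_yield();
	else
		pthread_join(wr, NULL);		/* buggy writer already freed 'old' */
	atomic_store(&s.go, 1);			/* let the reader finish */
	pthread_join(rd, NULL);
	if (fixed)
		pthread_join(wr, NULL);

	window = atomic_load(&s.freed_while_inside);
	free(atomic_load(&s.tags));
	return window;
}

int main(void)
{
	printf("free-then-assign:  UAF window %s\n", run_scenario(0) ? "open" : "closed");
	printf("assign-sync-free:  UAF window %s\n", run_scenario(1) ? "open" : "closed");
	return 0;
}
```

The harness forces the interleaving the fuzzer found by chance: it parks the reader between its pointer load and its exit, then runs the writer. Under the buggy order the writer returns with the old array already freed; under the patched order the writer cannot get past tags_synchronize() until the reader has left, which is exactly what synchronize_srcu(&set->tags_srcu) provides in the hunk.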