CVE-2022-49465

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 26/02/2025
Last modified: 21/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

blk-throttle: Set BIO_THROTTLED when bio has been throttled

1. In current process, all bio will set the BIO_THROTTLED flag after __blk_throtl_bio().

2. If bio needs to be throttled, it will start the timer and stop submit bio directly. Bio will submit in blk_throtl_dispatch_work_fn() when the timer expires. But in the current process, if bio is throttled, the BIO_THROTTLED will be set to bio after timer start. If the bio has been completed, it may cause use-after-free below.

BUG: KASAN: use-after-free in blk_throtl_bio+0x12f0/0x2c70
Read of size 2 at addr ffff88801b8902d4 by task fio/26380

  dump_stack+0x9b/0xce
  print_address_description.constprop.6+0x3e/0x60
  kasan_report.cold.9+0x22/0x3a
  blk_throtl_bio+0x12f0/0x2c70
  submit_bio_checks+0x701/0x1550
  submit_bio_noacct+0x83/0xc80
  submit_bio+0xa7/0x330
  mpage_readahead+0x380/0x500
  read_pages+0x1c1/0xbf0
  page_cache_ra_unbounded+0x471/0x6f0
  do_page_cache_ra+0xda/0x110
  ondemand_readahead+0x442/0xae0
  page_cache_async_ra+0x210/0x300
  generic_file_buffered_read+0x4d9/0x2130
  generic_file_read_iter+0x315/0x490
  blkdev_read_iter+0x113/0x1b0
  aio_read+0x2ad/0x450
  io_submit_one+0xc8e/0x1d60
  __se_sys_io_submit+0x125/0x350
  do_syscall_64+0x2d/0x40
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Allocated by task 26380:
  kasan_save_stack+0x19/0x40
  __kasan_kmalloc.constprop.2+0xc1/0xd0
  kmem_cache_alloc+0x146/0x440
  mempool_alloc+0x125/0x2f0
  bio_alloc_bioset+0x353/0x590
  mpage_alloc+0x3b/0x240
  do_mpage_readpage+0xddf/0x1ef0
  mpage_readahead+0x264/0x500
  read_pages+0x1c1/0xbf0
  page_cache_ra_unbounded+0x471/0x6f0
  do_page_cache_ra+0xda/0x110
  ondemand_readahead+0x442/0xae0
  page_cache_async_ra+0x210/0x300
  generic_file_buffered_read+0x4d9/0x2130
  generic_file_read_iter+0x315/0x490
  blkdev_read_iter+0x113/0x1b0
  aio_read+0x2ad/0x450
  io_submit_one+0xc8e/0x1d60
  __se_sys_io_submit+0x125/0x350
  do_syscall_64+0x2d/0x40
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 0:
  kasan_save_stack+0x19/0x40
  kasan_set_track+0x1c/0x30
  kasan_set_free_info+0x1b/0x30
  __kasan_slab_free+0x111/0x160
  kmem_cache_free+0x94/0x460
  mempool_free+0xd6/0x320
  bio_free+0xe0/0x130
  bio_put+0xab/0xe0
  bio_endio+0x3a6/0x5d0
  blk_update_request+0x590/0x1370
  scsi_end_request+0x7d/0x400
  scsi_io_completion+0x1aa/0xe50
  scsi_softirq_done+0x11b/0x240
  blk_mq_complete_request+0xd4/0x120
  scsi_mq_done+0xf0/0x200
  virtscsi_vq_done+0xbc/0x150
  vring_interrupt+0x179/0x390
  __handle_irq_event_percpu+0xf7/0x490
  handle_irq_event_percpu+0x7b/0x160
  handle_irq_event+0xcc/0x170
  handle_edge_irq+0x215/0xb20
  common_interrupt+0x60/0x120
  asm_common_interrupt+0x1e/0x40

Fix this by moving the BIO_THROTTLED set into the queue_lock.
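
The ordering problem in the description, shown as a simplified single-threaded userspace model that is added here for illustration; it is not kernel code and not the upstream patch. Only BIO_THROTTLED, the timer and queue_lock come from the description; the struct layouts, the flag value, the functions timer_fires, set_throttled and submit_throttled, and the rule that the timer cannot dispatch while the lock is held are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>

#define BIO_THROTTLED 0x1u          /* flag name from the advisory; value is arbitrary */
struct bio { unsigned short flags; bool freed; };

struct model {
    bool queue_lock_held;           /* stands in for the queue_lock */
    struct bio *queued;             /* bio parked until the timer fires */
    int stale_accesses;             /* touches of a bio after completion freed it */
};

/* Timer expiry: dispatch and complete the parked bio; blocked while the lock is held. */
static void timer_fires(struct model *m)
{
    if (m->queue_lock_held || !m->queued)
        return;
    m->queued->freed = true;        /* completion path released the bio */
    m->queued = NULL;
}

static void set_throttled(struct model *m, struct bio *b)
{
    if (b->freed)
        m->stale_accesses++;        /* the access KASAN flags as use-after-free */
    else
        b->flags |= BIO_THROTTLED;
}

/* Submit one throttled bio; the timer fires at the earliest point the model allows. */
int submit_throttled(bool fixed)
{
    struct bio b = {0};
    struct model m = {0};
    m.queue_lock_held = true;
    m.queued = &b;                  /* queue the bio and start the timer */
    timer_fires(&m);                /* no effect: lock is held */
    if (fixed)
        set_throttled(&m, &b);      /* fixed order: flag set under queue_lock */
    m.queue_lock_held = false;
    timer_fires(&m);                /* bio dispatched, completed and freed */
    if (!fixed)
        set_throttled(&m, &b);      /* original order: flag set after unlock */
    return m.stale_accesses;
}

int main(void)
{
    printf("original: %d stale, fixed: %d stale\n", submit_throttled(false), submit_throttled(true));
    return 0;
}
```

The model marks the bio as freed instead of releasing memory, so the stale access is counted rather than triggering undefined behaviour.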

Vulnerable products and versions

CPE                                             From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*                       5.10.248 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.11 (including)   5.15.198 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.16 (including)   5.17.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.18 (including)   5.18.3 (excluding)