CVE-2024-35979

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
20/05/2024
Last modified:
14/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

raid1: fix use-after-free for original bio in raid1_write_request()

r1_bio->bios[] is used to record new bios that will be issued to
underlying disks; however, in raid1_write_request(), r1_bio->bios[]
will be set to the original bio temporarily. Meanwhile, if a blocked rdev
is set, free_r1bio() will be called, causing all r1_bio->bios[]
to be freed:

raid1_write_request()
 r1_bio = alloc_r1bio(mddev, bio); -> r1_bio->bios[] is NULL
 for (i = 0; i for each rdev in conf
  // first rdev is normal
  r1_bio->bios[0] = bio; -> set to original bio
  // second rdev is blocked
  if (test_bit(Blocked, &rdev->flags))
   break

 if (blocked_rdev)
  free_r1bio()
   put_all_bios()
    bio_put(r1_bio->bios[0]) -> original bio is freed

Test scripts:

mdadm -CR /dev/md0 -l1 -n4 /dev/sd[abcd] --assume-clean
fio -filename=/dev/md0 -ioengine=libaio -rw=write -bs=4k -numjobs=1 \
    -iodepth=128 -name=test -direct=1
echo blocked > /sys/block/md0/md/rd2/state

Test result:

BUG bio-264 (Not tainted): Object already free
-----------------------------------------------------------------------------

Allocated in mempool_alloc_slab+0x24/0x50 age=1 cpu=1 pid=869
 kmem_cache_alloc+0x324/0x480
 mempool_alloc_slab+0x24/0x50
 mempool_alloc+0x6e/0x220
 bio_alloc_bioset+0x1af/0x4d0
 blkdev_direct_IO+0x164/0x8a0
 blkdev_write_iter+0x309/0x440
 aio_write+0x139/0x2f0
 io_submit_one+0x5ca/0xb70
 __do_sys_io_submit+0x86/0x270
 __x64_sys_io_submit+0x22/0x30
 do_syscall_64+0xb1/0x210
 entry_SYSCALL_64_after_hwframe+0x6c/0x74
Freed in mempool_free_slab+0x1f/0x30 age=1 cpu=1 pid=869
 kmem_cache_free+0x28c/0x550
 mempool_free_slab+0x1f/0x30
 mempool_free+0x40/0x100
 bio_free+0x59/0x80
 bio_put+0xf0/0x220
 free_r1bio+0x74/0xb0
 raid1_make_request+0xadf/0x1150
 md_handle_request+0xc7/0x3b0
 md_submit_bio+0x76/0x130
 __submit_bio+0xd8/0x1d0
 submit_bio_noacct_nocheck+0x1eb/0x5c0
 submit_bio_noacct+0x169/0xd40
 submit_bio+0xee/0x1d0
 blkdev_direct_IO+0x322/0x8a0
 blkdev_write_iter+0x309/0x440
 aio_write+0x139/0x2f0

Since the bios for underlying disks are not allocated yet, fix this
problem by using mempool_free() directly to free the r1_bio.
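The ownership mistake described above, modelled in user space as an added example (this is not kernel code and not the patch itself): a container temporarily records a pointer it merely borrows, and a generic cleanup routine then drops a reference it never owned. The mock_bio, mock_r1bio, mock_bio_put, mock_put_all_bios, mock_free_r1bio and simulate_write_request names are assumptions chosen to mirror the kernel names in the description; the "freed" flag stands in for the memory returning to the mempool, so the outcome stays observable without dereferencing freed memory. The fixed path releases only the container, as the commit does with mempool_free().

```c
#include <stdio.h>
#include <stdlib.h>

/* Added illustrative model of CVE-2024-35979's ownership bug; all names
 * here are assumptions, not the kernel's real structures. */
#define MOCK_DISKS 4

struct mock_bio {
    int refcnt;
    int freed;   /* set when the last reference is dropped; stands in for mempool_free */
};

struct mock_r1bio {
    struct mock_bio *bios[MOCK_DISKS];   /* meant to hold owned child bios */
};

/* Drop one reference; the bio "goes back to the pool" at zero. */
void mock_bio_put(struct mock_bio *b)
{
    b->refcnt--;
    if (b->refcnt <= 0)
        b->freed = 1;
}

/* Generic cleanup: assumes every recorded entry is an owned child bio. */
void mock_put_all_bios(struct mock_r1bio *r1)
{
    for (int i = 0; i < MOCK_DISKS; i++) {
        if (r1->bios[i]) {
            mock_bio_put(r1->bios[i]);
            r1->bios[i] = NULL;
        }
    }
}

void mock_free_r1bio(struct mock_r1bio *r1)
{
    mock_put_all_bios(r1);
    free(r1);
}

/* Walk the member devices up to the first blocked one, recording the
 * caller's *borrowed* original bio in bios[] on the way (no reference is
 * taken). On the early exit, either use the generic cleanup (buggy path)
 * or free only the container (fixed path).
 * Returns 1 if the original bio is still alive afterwards, 0 if it was freed. */
int simulate_write_request(struct mock_bio *orig, const int *blocked, int use_fix)
{
    struct mock_r1bio *r1 = calloc(1, sizeof(*r1));
    int hit_blocked = 0;

    for (int i = 0; i < MOCK_DISKS; i++) {
        if (blocked[i]) {
            hit_blocked = 1;
            break;
        }
        r1->bios[i] = orig;   /* temporary placeholder, not an owned reference */
    }

    if (hit_blocked) {
        if (use_fix)
            free(r1);             /* no child bios exist yet: release only r1 */
        else
            mock_free_r1bio(r1);  /* drops references it does not own */
        return !orig->freed;
    }

    /* Normal path elided: child bios would be allocated and submitted here. */
    free(r1);
    return !orig->freed;
}

/* Constructed scenario mirroring the test script: four members, rd2 blocked,
 * the caller holding the single reference to its original bio. */
int run_scenario(int use_fix)
{
    struct mock_bio orig = { .refcnt = 1, .freed = 0 };
    const int blocked[MOCK_DISKS] = { 0, 0, 1, 0 };
    return simulate_write_request(&orig, blocked, use_fix);
}

int main(void)
{
    printf("buggy path, original bio alive: %d\n", run_scenario(0));
    printf("fixed path, original bio alive: %d\n", run_scenario(1));
    return 0;
}
```

The design point to take away is that bios[] mixes two kinds of pointer (owned children later, a borrowed placeholder now), so a cleanup written for the first kind silently breaks the second; the fix avoids the generic cleanup on the path where only placeholders exist.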

Vulnerable products and versions

CPE                                             From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.6 (including)   6.6.28 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.7 (including)   6.8.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*