CVE-2025-38620

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 22/08/2025
Last modified: 26/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

zloop: fix KASAN use-after-free of tag set

When a zoned loop device, or zloop device, is removed, KASAN enabled kernel reports "BUG KASAN use-after-free" in blk_mq_free_tag_set(). The BUG happens because zloop_ctl_remove() calls put_disk(), which invokes zloop_free_disk(). The zloop_free_disk() frees the memory allocated for the zlo pointer. However, after the memory is freed, zloop_ctl_remove() calls blk_mq_free_tag_set(&zlo->tag_set), which accesses the freed zlo. Hence the KASAN use-after-free.

    zloop_ctl_remove()
      put_disk(zlo->disk)
        put_device()
          kobject_put()
            ...
              zloop_free_disk()
                kvfree(zlo)
      blk_mq_free_tag_set(&zlo->tag_set)

To avoid the BUG, move the call to blk_mq_free_tag_set(&zlo->tag_set) from zloop_ctl_remove() into zloop_free_disk(). This ensures that the tag_set is freed before the call to kvfree(zlo).
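The ordering problem described above, as an added userspace model (not the kernel's code): it runs the remove path in the pre-fix and fixed orders and counts accesses made after the object's release point. All `model_*` names and the struct fields are hypothetical, and a `poisoned` flag stands in for `kvfree(zlo)` so that no freed memory is actually touched.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model: names echo the description, bodies are stand-ins. */
struct zlo_model {
    int refs;        /* stands in for the disk's reference count */
    bool poisoned;   /* set where the kernel would kvfree(zlo) */
    bool fixed;      /* true = tag set torn down in the release callback */
    int nr_tags;     /* stands in for zlo->tag_set */
};
static int stale_accesses;   /* accesses made after the release point */

/* Stand-in for blk_mq_free_tag_set(&zlo->tag_set). */
static void model_free_tag_set(struct zlo_model *zlo)
{
    if (zlo->poisoned) { stale_accesses++; return; }
    zlo->nr_tags = 0;
}

/* Stand-in for zloop_free_disk(): runs when the last reference drops. */
static void model_free_disk(struct zlo_model *zlo)
{
    if (zlo->fixed)
        model_free_tag_set(zlo);   /* fixed order: tag set goes first */
    zlo->poisoned = true;          /* kvfree(zlo) would happen here */
}

/* Stand-in for zloop_ctl_remove(); returns the number of stale accesses. */
int model_ctl_remove(bool fixed)
{
    struct zlo_model *zlo = calloc(1, sizeof(*zlo));
    if (!zlo) return -1;
    zlo->refs = 1;
    zlo->nr_tags = 8;              /* constructed sample value */
    zlo->fixed = fixed;
    stale_accesses = 0;
    if (--zlo->refs == 0)          /* put_disk(): last reference drops */
        model_free_disk(zlo);
    if (!fixed)
        model_free_tag_set(zlo);   /* pre-fix order: zlo is already released */
    free(zlo);                     /* real free deferred so the model is safe */
    return stale_accesses;
}

int main(void)
{
    printf("pre-fix: %d stale access(es)\n", model_ctl_remove(false));
    printf("fixed:   %d stale access(es)\n", model_ctl_remove(true));
    return 0;
}
```

Deferring the real `free()` while flagging the object mirrors how KASAN poisons and quarantines freed memory, which is why the late access is reported instead of passing silently.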

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:6.16:*:*:*:*:*:*:*