New subject: [PATCH OLK-5.10 1/4] block: remove QUEUE_FLAG_DEAD

21 Apr 2025

      The issue occurs in blk_mq_has_sqsched() function which accesses
q->elevator pointer and its members without any protection. During 
device state changes, related memory structures might be freed, 
causing a Use-After-Free vulnerability.

This patch introduces a QUEUE_FLAG_SQ_SCHED flag that is set during
scheduler initialization, eliminating the need for runtime checks of 
scheduler features. This removes the need to access q->elevator at 
unsafe moments, resolving the UAF issue.

Bart Van Assche (1):
  block: Decode all flag names in the debugfs output

Christoph Hellwig (1):
  block: remove QUEUE_FLAG_DEAD

Ming Lei (2):
  blk-mq: protect q->elevator by ->sysfs_lock in blk_mq_elv_switch_none
  blk-mq: avoid to touch q->elevator without any protection

 block/bfq-iosched.c               |  3 +++
 block/blk-core.c                  |  2 --
 block/blk-mq-debugfs.c            |  9 ++++-----
 block/blk-mq-sched.c              |  1 +
 block/blk-mq.c                    | 22 +++++-----------------
 block/kyber-iosched.c             |  3 ++-
 block/mq-deadline.c               |  3 +++
 drivers/block/mtip32xx/mtip32xx.c |  2 +-
 include/linux/blkdev.h            |  4 ++--
 include/linux/elevator.h          |  2 --
 10 files changed, 21 insertions(+), 30 deletions(-)

-- 
2.39.2

[PATCH OLK-5.10 0/4] block: fix UAF in blk_mq_has_sqsched()

Zheng Qixing

Zheng Qixing

Zheng Qixing

Zheng Qixing

Zheng Qixing

patchwork bot

tags

participants (2)