[SRU][N][PATCH 0/1] CVE-2024-53170
Massimiliano Pellizzer
massimiliano.pellizzer at canonical.com
Thu Feb 6 13:46:06 UTC 2025
[Impact]
block: fix uaf for flush rq while iterating tags
blk_mq_clear_flush_rq_mapping() is not called during scsi probe, by
checking blk_queue_init_done(). However, QUEUE_FLAG_INIT_DONE is cleared
in del_gendisk by commit aec89dc5d421 ("block: keep q_usage_counter in
atomic mode after del_gendisk"), hence for disk like scsi, following
blk_mq_destroy_queue() will not clear flush rq from tags->rqs[] as well,
cause following uaf that is found by syzkaller.
Other than blk_mq_clear_flush_rq_mapping(), the flag is only used in
blk_register_queue() from initialization path, hence it's safe not to
clear the flag in del_gendisk. And since QUEUE_FLAG_REGISTERED already
make sure that queue should only be registered once, there is no need
to test the flag as well.
[Fix]
Oracular: Fixed via upstream stable updates (LP: #2091655)
Noble: Cherry picked from linux-6.6.y
Jammy: Not affected
Focal: Not affected
[Test Case]
Compile and boot tested.
[Where problems could occur]
The fix affects the Linux block subsystem. An issue with this fix may
lead to system instability during operations involving block device
flush requests, potentially resulting in data corruption or kernel
panics when accessing SCSI devices.
Yu Kuai (1):
block: fix uaf for flush rq while iterating tags
block/blk-sysfs.c | 6 ++----
block/genhd.c | 9 +++------
2 files changed, 5 insertions(+), 10 deletions(-)
--
2.43.0
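The commit message above describes a teardown ordering bug: clearing QUEUE_FLAG_INIT_DONE in del_gendisk makes the later blk_mq_destroy_queue() skip blk_mq_clear_flush_rq_mapping(), so tags->rqs[] keeps a pointer to the freed flush request. The following C program is an added model of that lifecycle, not block-layer code; every struct and function name in it (request_queue, tag_set, del_gendisk_model, destroy_queue_model, simulate_teardown) is hypothetical and only reproduces the shape of the bug and of the fix, with the dangling entry counted by address comparison rather than dereferenced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the queue flags and tag table described in the
 * commit message. Not kernel code; names are assumptions. */
#define QUEUE_FLAG_INIT_DONE   (1u << 0)
#define QUEUE_FLAG_REGISTERED  (1u << 1)
#define NR_TAGS 4

struct request { int tag; };

struct tag_set {
    struct request *rqs[NR_TAGS];   /* tags->rqs[]: may point at flush_rq */
};

struct request_queue {
    unsigned int flags;
    struct request *flush_rq;       /* freed when the queue is destroyed */
    struct tag_set *tags;
};

/* Equivalent of clearing the flush rq out of tags->rqs[]. */
static void clear_flush_rq_mapping(struct request_queue *q)
{
    for (int i = 0; i < NR_TAGS; i++)
        if (q->tags->rqs[i] == q->flush_rq)
            q->tags->rqs[i] = NULL;
}

/* del_gendisk as modelled: before the fix it also drops INIT_DONE,
 * after the fix it leaves INIT_DONE alone and only drops REGISTERED. */
static void del_gendisk_model(struct request_queue *q, bool clear_init_done)
{
    q->flags &= ~QUEUE_FLAG_REGISTERED;
    if (clear_init_done)
        q->flags &= ~QUEUE_FLAG_INIT_DONE;
}

/* Queue destruction: the mapping is cleared only when INIT_DONE is still
 * set, then flush_rq is freed. Returns the freed address for bookkeeping. */
static uintptr_t destroy_queue_model(struct request_queue *q)
{
    if (q->flags & QUEUE_FLAG_INIT_DONE)
        clear_flush_rq_mapping(q);
    uintptr_t freed = (uintptr_t)q->flush_rq;
    free(q->flush_rq);
    q->flush_rq = NULL;
    return freed;
}

/* A later walk over the tag table: count entries that still carry the
 * freed flush rq. Only addresses are compared; dereferencing one of
 * these entries is the use-after-free the fix removes. */
static int count_stale_tags(const struct tag_set *tags, uintptr_t freed)
{
    int stale = 0;
    for (int i = 0; i < NR_TAGS; i++)
        if ((uintptr_t)tags->rqs[i] == freed)
            stale++;
    return stale;
}

/* Whole lifecycle: queue with an in-flight flush on tag 2, then
 * del_gendisk followed by queue destruction. Returns the number of
 * dangling tag entries left behind. */
int simulate_teardown(bool buggy_del_gendisk)
{
    struct tag_set tags = {0};
    struct request_queue q = {
        .flags = QUEUE_FLAG_INIT_DONE | QUEUE_FLAG_REGISTERED,
        .flush_rq = malloc(sizeof(struct request)),
        .tags = &tags,
    };
    q.flush_rq->tag = 2;
    tags.rqs[2] = q.flush_rq;      /* constructed: flush was mapped to tag 2 */

    del_gendisk_model(&q, buggy_del_gendisk);
    uintptr_t freed = destroy_queue_model(&q);
    return count_stale_tags(&tags, freed);
}

int main(void)
{
    printf("before fix: %d stale tag(s)\n", simulate_teardown(true));
    printf("after fix:  %d stale tag(s)\n", simulate_teardown(false));
    return 0;
}
```

The point the model makes is the one the fix relies on: gating cleanup on a flag that an earlier teardown step can clear is fragile, and since QUEUE_FLAG_REGISTERED already prevents double registration, INIT_DONE can be left set so the flush rq mapping is always cleared before the request is freed.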