APPLIED: [SRU][N][PATCH 0/1] CVE-2024-53170
Koichiro Den
koichiro.den at canonical.com
Fri Feb 7 04:09:02 UTC 2025
On Thu, Feb 06, 2025 at 02:46:06PM GMT, Massimiliano Pellizzer wrote:
> [Impact]
>
> block: fix uaf for flush rq while iterating tags
>
> blk_mq_clear_flush_rq_mapping() is not called during scsi probe, by
> checking blk_queue_init_done(). However, QUEUE_FLAG_INIT_DONE is cleared
> in del_gendisk by commit aec89dc5d421 ("block: keep q_usage_counter in
> atomic mode after del_gendisk"), hence for disk like scsi, following
> blk_mq_destroy_queue() will not clear flush rq from tags->rqs[] as well,
> cause following uaf that is found by syzkaller.
>
> Other than blk_mq_clear_flush_rq_mapping(), the flag is only used in
> blk_register_queue() from initialization path, hence it's safe not to
> clear the flag in del_gendisk. And since QUEUE_FLAG_REGISTERED already
> makes sure that the queue is only registered once, there is no need
> to test the flag as well.
>
> [Fix]
>
> Oracular: Fixed via upstream stable updates (LP: #2091655)
> Noble: Cherry picked from linux-6.6.y
> Jammy: Not affected
> Focal: Not affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The fix affects the Linux block subsystem. An issue with this fix may
> lead to system instability during operations involving block device
> flush requests, potentially resulting in data corruption or kernel
> panics when accessing SCSI devices.
>
> Yu Kuai (1):
> block: fix uaf for flush rq while iterating tags
>
> block/blk-sysfs.c | 6 ++----
> block/genhd.c | 9 +++------
> 2 files changed, 5 insertions(+), 10 deletions(-)
>
Applied to noble:linux master-next branch. Thanks!