* [PATCH] zloop: fix KASAN use-after-free of tag set
@ 2025-07-31 11:07 Shin'ichiro Kawasaki
From: Shin'ichiro Kawasaki @ 2025-07-31 11:07 UTC
To: linux-block
Cc: Damien Le Moal, Christoph Hellwig, Jens Axboe,
Shin'ichiro Kawasaki
When a zoned loop device, or zloop device, is removed, KASAN enabled
kernel reports "BUG KASAN use-after-free" in blk_mq_free_tag_set(). The
BUG happens because zloop_ctl_remove() calls put_disk(), which invokes
zloop_free_disk(). The zloop_free_disk() frees the memory allocated for
the zlo pointer. However, after the memory is freed, zloop_ctl_remove()
calls blk_mq_free_tag_set(&zlo->tag_set), which accesses the freed zlo.
Hence the KASAN use-after-free.
zloop_ctl_remove()
  put_disk(zlo->disk)
    put_device()
      kobject_put()
        ...
          zloop_free_disk()
            kvfree(zlo)
  blk_mq_free_tag_set(&zlo->tag_set)
To avoid the BUG, move the call to blk_mq_free_tag_set(&zlo->tag_set)
from zloop_ctl_remove() into zloop_free_disk(). This ensures that
the tag_set is freed before the call to kvfree(zlo).
Fixes: eb0570c7df23 ("block: new zoned loop block device driver")
CC: stable@vger.kernel.org
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
---
drivers/block/zloop.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/block/zloop.c b/drivers/block/zloop.c
index 553b1a713ab9..a423228e201b 100644
--- a/drivers/block/zloop.c
+++ b/drivers/block/zloop.c
@@ -700,6 +700,8 @@ static void zloop_free_disk(struct gendisk *disk)
struct zloop_device *zlo = disk->private_data;
unsigned int i;
+ blk_mq_free_tag_set(&zlo->tag_set);
+
for (i = 0; i < zlo->nr_zones; i++) {
struct zloop_zone *zone = &zlo->zones[i];
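Review bot: the new blk_mq_free_tag_set() call deserves a one-line comment saying why it has to live here rather than in zloop_ctl_remove(): struct blk_mq_tag_set is embedded in struct zloop_device, so it must be torn down before the kvfree(zlo) at the end of this function, and the next person to reorder the cleanup should not have to rediscover that from a KASAN splat. Something like `/* tag_set is embedded in zlo: free it before zlo itself. */` above the call would do.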
@@ -1080,7 +1082,6 @@ static int zloop_ctl_remove(struct zloop_options *opts)
del_gendisk(zlo->disk);
put_disk(zlo->disk);
- blk_mq_free_tag_set(&zlo->tag_set);
pr_info("Removed device %d\n", opts->id);
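Review bot: with this line gone, blk_mq_free_tag_set() is reached only through the disk's free_disk callback, and the block layer runs that callback from the disk release only for a disk that was actually added (GD_ADDED). Please confirm that the error unwinding in the add path, which is not part of this diff, still frees the tag set itself when blk_mq_alloc_tag_set() succeeded but the disk was never added, otherwise that set now leaks. The remove path itself is ordered correctly: del_gendisk() runs before put_disk(), so the request queue's use of the tag set is over before the final reference drops and the callback frees it.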
--
2.50.1
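The ordering problem described in the commit message, as a userland C model added here (not the driver's code, and not from the thread): kvmalloc_sim, kvfree_sim, kasan_check, put_disk_sim, zloop_add_sim and the struct definitions are simulated stand-ins for the kernel objects named in the patch, and the allocator quarantines freed blocks instead of returning them to the heap so the access KASAN flags can be counted rather than being real undefined behaviour. remove_before_patch() follows the pre-patch zloop_ctl_remove() sequence and records one report; remove_after_patch() follows the patched order and records none.

```c
/* Userland model of the zloop teardown ordering; added example, not driver
 * code. Allocator, refcount and KASAN check are simulated: freed blocks are
 * quarantined instead of returned to the heap, so the use-after-free can be
 * observed without undefined behaviour. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct alloc_rec { char *ptr; size_t size; bool freed; };
static struct alloc_rec allocs[64];   /* plenty for this demo; never reused */
static int nr_allocs;
static int uaf_reports;               /* simulated KASAN reports */

static void *kvmalloc_sim(size_t size)
{
	char *p = calloc(1, size);
	allocs[nr_allocs++] = (struct alloc_rec){ p, size, false };
	return p;
}

static void kvfree_sim(void *p)
{
	for (int i = 0; i < nr_allocs; i++)
		if (allocs[i].ptr == p)
			allocs[i].freed = true;   /* quarantined, still mapped */
}

/* Stand-in for KASAN instrumenting an access: report a hit in a freed block. */
static void kasan_check(const void *p)
{
	for (int i = 0; i < nr_allocs; i++)
		if (allocs[i].freed && (const char *)p >= allocs[i].ptr &&
		    (const char *)p < allocs[i].ptr + allocs[i].size) {
			uaf_reports++;
			fprintf(stderr, "BUG: KASAN: use-after-free at %p\n", p);
		}
}

struct blk_mq_tag_set { bool allocated; };
struct gendisk { int refcount; void *private_data;
		 void (*free_disk)(struct gendisk *disk); };
struct zloop_device { struct gendisk *disk;
		      struct blk_mq_tag_set tag_set; /* embedded in zlo */ };

static void blk_mq_free_tag_set_sim(struct blk_mq_tag_set *set)
{
	kasan_check(set);                /* the access KASAN flagged */
	set->allocated = false;
}

/* The final put runs the driver's free_disk callback, as disk_release() does. */
static void put_disk_sim(struct gendisk *disk)
{
	if (--disk->refcount == 0) {
		disk->free_disk(disk);
		free(disk);
	}
}

static void zloop_free_disk_before(struct gendisk *disk)   /* pre-patch */
{
	kvfree_sim(disk->private_data);
}

static void zloop_free_disk_after(struct gendisk *disk)    /* post-patch */
{
	struct zloop_device *zlo = disk->private_data;
	blk_mq_free_tag_set_sim(&zlo->tag_set);   /* tag set first ... */
	kvfree_sim(zlo);                          /* ... then its container */
}

static struct zloop_device *zloop_add_sim(void (*free_disk)(struct gendisk *))
{
	struct zloop_device *zlo = kvmalloc_sim(sizeof(*zlo));
	zlo->tag_set.allocated = true;
	zlo->disk = calloc(1, sizeof(*zlo->disk));
	zlo->disk->refcount = 1;
	zlo->disk->private_data = zlo;
	zlo->disk->free_disk = free_disk;
	return zlo;
}

/* Both return the number of KASAN reports the remove sequence produced. */
int remove_before_patch(void)
{
	struct zloop_device *zlo = zloop_add_sim(zloop_free_disk_before);
	uaf_reports = 0;
	put_disk_sim(zlo->disk);                 /* last ref: zlo freed here... */
	blk_mq_free_tag_set_sim(&zlo->tag_set);  /* ...and touched here: UAF */
	return uaf_reports;
}

int remove_after_patch(void)
{
	struct zloop_device *zlo = zloop_add_sim(zloop_free_disk_after);
	uaf_reports = 0;
	put_disk_sim(zlo->disk);   /* free_disk frees the tag set, then zlo */
	return uaf_reports;
}
```

The general rule the model illustrates: a resource embedded in a refcounted object has to be torn down in, or before, that object's release callback, never after the caller's put, because the caller cannot know whether its put was the last one.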
* Re: [PATCH] zloop: fix KASAN use-after-free of tag set
From: Christoph Hellwig @ 2025-07-31 14:04 UTC
To: Shin'ichiro Kawasaki
Cc: linux-block, Damien Le Moal, Christoph Hellwig, Jens Axboe
Looks good:
Reviewed-by: Christoph Hellwig <hch@lst.de>
* Re: [PATCH] zloop: fix KASAN use-after-free of tag set
From: Jens Axboe @ 2025-07-31 21:02 UTC
To: linux-block, Shin'ichiro Kawasaki; +Cc: Damien Le Moal, Christoph Hellwig
On Thu, 31 Jul 2025 20:07:45 +0900, Shin'ichiro Kawasaki wrote:
> When a zoned loop device, or zloop device, is removed, KASAN enabled
> kernel reports "BUG KASAN use-after-free" in blk_mq_free_tag_set(). The
> BUG happens because zloop_ctl_remove() calls put_disk(), which invokes
> zloop_free_disk(). The zloop_free_disk() frees the memory allocated for
> the zlo pointer. However, after the memory is freed, zloop_ctl_remove()
> calls blk_mq_free_tag_set(&zlo->tag_set), which accesses the freed zlo.
> Hence the KASAN use-after-free.
>
> [...]
Applied, thanks!
[1/1] zloop: fix KASAN use-after-free of tag set
commit: 765761851d89c772f482494d452e266795460278
Best regards,
--
Jens Axboe
* Re: [PATCH] zloop: fix KASAN use-after-free of tag set
From: Damien Le Moal @ 2025-07-31 23:16 UTC
To: Shin'ichiro Kawasaki, linux-block; +Cc: Christoph Hellwig, Jens Axboe
On 7/31/25 20:07, Shin'ichiro Kawasaki wrote:
> When a zoned loop device, or zloop device, is removed, KASAN enabled
> kernel reports "BUG KASAN use-after-free" in blk_mq_free_tag_set(). The
> BUG happens because zloop_ctl_remove() calls put_disk(), which invokes
> zloop_free_disk(). The zloop_free_disk() frees the memory allocated for
> the zlo pointer. However, after the memory is freed, zloop_ctl_remove()
> calls blk_mq_free_tag_set(&zlo->tag_set), which accesses the freed zlo.
> Hence the KASAN use-after-free.
>
> zloop_ctl_remove()
>   put_disk(zlo->disk)
>     put_device()
>       kobject_put()
>         ...
>           zloop_free_disk()
>             kvfree(zlo)
>   blk_mq_free_tag_set(&zlo->tag_set)
>
> To avoid the BUG, move the call to blk_mq_free_tag_set(&zlo->tag_set)
> from zloop_ctl_remove() into zloop_free_disk(). This ensures that
> the tag_set is freed before the call to kvfree(zlo).
>
> Fixes: eb0570c7df23 ("block: new zoned loop block device driver")
> CC: stable@vger.kernel.org
> Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
--
Damien Le Moal
Western Digital Research