[PATCH] zloop: fix KASAN use-after-free of tag set

Linux block layer
 help / color / mirror / Atom feed

* [PATCH] zloop: fix KASAN use-after-free of tag set
@ 2025-07-31 11:07 Shin'ichiro Kawasaki
  2025-07-31 14:04 ` Christoph Hellwig
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Shin'ichiro Kawasaki @ 2025-07-31 11:07 UTC (permalink / raw)
  To: linux-block
  Cc: Damien Le Moal, Christoph Hellwig, Jens Axboe,
	Shin'ichiro Kawasaki

When a zoned loop device, or zloop device, is removed, KASAN enabled
kernel reports "BUG KASAN use-after-free" in blk_mq_free_tag_set(). The
BUG happens because zloop_ctl_remove() calls put_disk(), which invokes
zloop_free_disk(). The zloop_free_disk() frees the memory allocated for
the zlo pointer. However, after the memory is freed, zloop_ctl_remove()
calls blk_mq_free_tag_set(&zlo->tag_set), which accesses the freed zlo.
Hence the KASAN use-after-free.

 zloop_ctl_remove()
  put_disk(zlo->disk)
   put_device()
    kobject_put()
     ...
      zloop_free_disk()
        kvfree(zlo)
  blk_mq_free_tag_set(&zlo->tag_set)

To avoid the BUG, move the call to blk_mq_free_tag_set(&zlo->tag_set)
from zloop_ctl_remove() into zloop_free_disk(). This ensures that
the tag_set is freed before the call to kvfree(zlo).

Fixes: eb0570c7df23 ("block: new zoned loop block device driver")
CC: stable@vger.kernel.org
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
---
 drivers/block/zloop.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/block/zloop.c b/drivers/block/zloop.c
index 553b1a713ab9..a423228e201b 100644
--- a/drivers/block/zloop.c
+++ b/drivers/block/zloop.c
@@ -700,6 +700,8 @@ static void zloop_free_disk(struct gendisk *disk)
 	struct zloop_device *zlo = disk->private_data;
 	unsigned int i;

+	blk_mq_free_tag_set(&zlo->tag_set);
+
 	for (i = 0; i < zlo->nr_zones; i++) {
 		struct zloop_zone *zone = &zlo->zones[i];

@@ -1080,7 +1082,6 @@ static int zloop_ctl_remove(struct zloop_options *opts)

 	del_gendisk(zlo->disk);
 	put_disk(zlo->disk);
-	blk_mq_free_tag_set(&zlo->tag_set);

 	pr_info("Removed device %d\n", opts->id);

-- 
2.50.1

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] zloop: fix KASAN use-after-free of tag set
  2025-07-31 11:07 [PATCH] zloop: fix KASAN use-after-free of tag set Shin'ichiro Kawasaki
@ 2025-07-31 14:04 ` Christoph Hellwig
  2025-07-31 21:02 ` Jens Axboe
  2025-07-31 23:16 ` Damien Le Moal
  2 siblings, 0 replies; 4+ messages in thread
From: Christoph Hellwig @ 2025-07-31 14:04 UTC (permalink / raw)
  To: Shin'ichiro Kawasaki
  Cc: linux-block, Damien Le Moal, Christoph Hellwig, Jens Axboe

Looks good:

Reviewed-by: Christoph Hellwig <hch@lst.de>


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] zloop: fix KASAN use-after-free of tag set
  2025-07-31 11:07 [PATCH] zloop: fix KASAN use-after-free of tag set Shin'ichiro Kawasaki
  2025-07-31 14:04 ` Christoph Hellwig
@ 2025-07-31 21:02 ` Jens Axboe
  2025-07-31 23:16 ` Damien Le Moal
  2 siblings, 0 replies; 4+ messages in thread
From: Jens Axboe @ 2025-07-31 21:02 UTC (permalink / raw)
  To: linux-block, Shin'ichiro Kawasaki; +Cc: Damien Le Moal, Christoph Hellwig


On Thu, 31 Jul 2025 20:07:45 +0900, Shin'ichiro Kawasaki wrote:
> When a zoned loop device, or zloop device, is removed, KASAN enabled
> kernel reports "BUG KASAN use-after-free" in blk_mq_free_tag_set(). The
> BUG happens because zloop_ctl_remove() calls put_disk(), which invokes
> zloop_free_disk(). The zloop_free_disk() frees the memory allocated for
> the zlo pointer. However, after the memory is freed, zloop_ctl_remove()
> calls blk_mq_free_tag_set(&zlo->tag_set), which accesses the freed zlo.
> Hence the KASAN use-after-free.
> 
> [...]

Applied, thanks!

[1/1] zloop: fix KASAN use-after-free of tag set
      commit: 765761851d89c772f482494d452e266795460278

Best regards,
-- 
Jens Axboe




^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] zloop: fix KASAN use-after-free of tag set
  2025-07-31 11:07 [PATCH] zloop: fix KASAN use-after-free of tag set Shin'ichiro Kawasaki
  2025-07-31 14:04 ` Christoph Hellwig
  2025-07-31 21:02 ` Jens Axboe
@ 2025-07-31 23:16 ` Damien Le Moal
  2 siblings, 0 replies; 4+ messages in thread
From: Damien Le Moal @ 2025-07-31 23:16 UTC (permalink / raw)
  To: Shin'ichiro Kawasaki, linux-block; +Cc: Christoph Hellwig, Jens Axboe

On 7/31/25 20:07, Shin'ichiro Kawasaki wrote:
> When a zoned loop device, or zloop device, is removed, KASAN enabled
> kernel reports "BUG KASAN use-after-free" in blk_mq_free_tag_set(). The
> BUG happens because zloop_ctl_remove() calls put_disk(), which invokes
> zloop_free_disk(). The zloop_free_disk() frees the memory allocated for
> the zlo pointer. However, after the memory is freed, zloop_ctl_remove()
> calls blk_mq_free_tag_set(&zlo->tag_set), which accesses the freed zlo.
> Hence the KASAN use-after-free.
> 
>  zloop_ctl_remove()
>   put_disk(zlo->disk)
>    put_device()
>     kobject_put()
>      ...
>       zloop_free_disk()
>         kvfree(zlo)
>   blk_mq_free_tag_set(&zlo->tag_set)
> 
> To avoid the BUG, move the call to blk_mq_free_tag_set(&zlo->tag_set)
> from zloop_ctl_remove() into zloop_free_disk(). This ensures that
> the tag_set is freed before the call to kvfree(zlo).
> 
> Fixes: eb0570c7df23 ("block: new zoned loop block device driver")
> CC: stable@vger.kernel.org
> Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>

Reviewed-by: Damien Le Moal <dlemoal@kernel.org>


-- 
Damien Le Moal
Western Digital Research

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2025-07-31 23:16 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-07-31 11:07 [PATCH] zloop: fix KASAN use-after-free of tag set Shin'ichiro Kawasaki
2025-07-31 14:04 ` Christoph Hellwig
2025-07-31 21:02 ` Jens Axboe
2025-07-31 23:16 ` Damien Le Moal

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox