CVE-2025-38620
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
zloop: fix KASAN use-after-free of tag set
When a zoned loop device, or zloop device, is removed, KASAN enabled kernel reports "BUG KASAN use-after-free" in blk_mq_free_tag_set(). The BUG happens because zloop_ctl_remove() calls put_disk(), which invokes zloop_free_disk(). The zloop_free_disk() frees the memory allocated for the zlo pointer. However, after the memory is freed, zloop_ctl_remove() calls blk_mq_free_tag_set(&zlo->tag_set), which accesses the freed zlo. Hence the KASAN use-after-free.
zloop_ctl_remove() put_disk(zlo->disk) put_device() kobject_put() … zloop_free_disk() kvfree(zlo) blk_mq_free_tag_set(&zlo->tag_set)
To avoid the BUG, move the call to blk_mq_free_tag_set(&zlo->tag_set) from zloop_ctl_remove() into zloop_free_disk(). This ensures that the tag_set is freed before the call to kvfree(zlo).
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | eb0570c7df23c2f32fe899fcdaf8fca9a5ecd51e < c7c87046b41a9ef28ee7ac476c369da5b5228bc5 | affected |
| Linux | Linux | eb0570c7df23c2f32fe899fcdaf8fca9a5ecd51e < 765761851d89c772f482494d452e266795460278 | affected |
| Linux | Linux | 6.16 | affected |
| Linux | Linux | 0 < 6.16 | unaffected |
| Linux | Linux | 6.16.1 <= 6.16.* | unaffected |
| Linux | Linux | 6.17 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/c7c87046b41a9ef28ee7ac476c369da5b5228bc5
- https://git.kernel.org/stable/c/765761851d89c772f482494d452e266795460278
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.