CVE-2025-38620

Summary

In the Linux kernel, the following vulnerability has been resolved:

zloop: fix KASAN use-after-free of tag set

When a zoned loop device, or zloop device, is removed, KASAN enabled kernel reports "BUG KASAN use-after-free" in blk_mq_free_tag_set(). The BUG happens because zloop_ctl_remove() calls put_disk(), which invokes zloop_free_disk(). The zloop_free_disk() frees the memory allocated for the zlo pointer. However, after the memory is freed, zloop_ctl_remove() calls blk_mq_free_tag_set(&zlo->tag_set), which accesses the freed zlo. Hence the KASAN use-after-free.

zloop_ctl_remove() put_disk(zlo->disk) put_device() kobject_put() … zloop_free_disk() kvfree(zlo) blk_mq_free_tag_set(&zlo->tag_set)

To avoid the BUG, move the call to blk_mq_free_tag_set(&zlo->tag_set) from zloop_ctl_remove() into zloop_free_disk(). This ensures that the tag_set is freed before the call to kvfree(zlo).

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxeb0570c7df23c2f32fe899fcdaf8fca9a5ecd51e < c7c87046b41a9ef28ee7ac476c369da5b5228bc5affected
LinuxLinuxeb0570c7df23c2f32fe899fcdaf8fca9a5ecd51e < 765761851d89c772f482494d452e266795460278affected
LinuxLinux6.16affected
LinuxLinux0 < 6.16unaffected
LinuxLinux6.16.1 <= 6.16.*unaffected
LinuxLinux6.17 <= *unaffected

Weaknesses

References