{
  "threat_severity" : "Moderate",
  "public_date" : "2025-01-19T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()",
    "id" : "2338832",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2338832"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nblock, bfq: fix waker_bfqq UAF after bfq_split_bfqq()\nOur syzkaller report a following UAF for v6.6:\nBUG: KASAN: slab-use-after-free in bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958\nRead of size 8 at addr ffff8881b57147d8 by task fsstress/232726\nCPU: 2 PID: 232726 Comm: fsstress Not tainted 6.6.0-g3629d1885222 #39\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106\nprint_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364\nprint_report+0x3e/0x70 mm/kasan/report.c:475\nkasan_report+0xb8/0xf0 mm/kasan/report.c:588\nhlist_add_head include/linux/list.h:1023 [inline]\nbfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958\nbfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271\nbfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323\nblk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660\nblk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143\n__submit_bio+0xa0/0x6b0 block/blk-core.c:639\n__submit_bio_noacct_mq block/blk-core.c:718 [inline]\nsubmit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747\nsubmit_bio_noacct+0xca0/0x1990 block/blk-core.c:847\n__ext4_read_bh fs/ext4/super.c:205 [inline]\next4_read_bh+0x15e/0x2e0 fs/ext4/super.c:230\n__read_extent_tree_block+0x304/0x6f0 fs/ext4/extents.c:567\next4_find_extent+0x479/0xd20 fs/ext4/extents.c:947\next4_ext_map_blocks+0x1a3/0x2680 fs/ext4/extents.c:4182\next4_map_blocks+0x929/0x15a0 fs/ext4/inode.c:660\next4_iomap_begin_report+0x298/0x480 fs/ext4/inode.c:3569\niomap_iter+0x3dd/0x1010 fs/iomap/iter.c:91\niomap_fiemap+0x1f4/0x360 fs/iomap/fiemap.c:80\next4_fiemap+0x181/0x210 fs/ext4/extents.c:5051\nioctl_fiemap.isra.0+0x1b4/0x290 fs/ioctl.c:220\ndo_vfs_ioctl+0x31c/0x11a0 fs/ioctl.c:811\n__do_sys_ioctl fs/ioctl.c:869 [inline]\n__se_sys_ioctl+0xae/0x190 fs/ioctl.c:857\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_64+0x70/0x120 arch/x86/entry/common.c:81\nentry_SYSCALL_64_after_hwframe+0x78/0xe2\nAllocated by task 232719:\nkasan_save_stack+0x22/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\n__kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328\nkasan_slab_alloc include/linux/kasan.h:188 [inline]\nslab_post_alloc_hook mm/slab.h:768 [inline]\nslab_alloc_node mm/slub.c:3492 [inline]\nkmem_cache_alloc_node+0x1b8/0x6f0 mm/slub.c:3537\nbfq_get_queue+0x215/0x1f00 block/bfq-iosched.c:5869\nbfq_get_bfqq_handle_split+0x167/0x5f0 block/bfq-iosched.c:6776\nbfq_init_rq+0x13a4/0x17a0 block/bfq-iosched.c:6938\nbfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271\nbfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323\nblk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660\nblk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143\n__submit_bio+0xa0/0x6b0 block/blk-core.c:639\n__submit_bio_noacct_mq block/blk-core.c:718 [inline]\nsubmit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747\nsubmit_bio_noacct+0xca0/0x1990 block/blk-core.c:847\n__ext4_read_bh fs/ext4/super.c:205 [inline]\next4_read_bh_nowait+0x15a/0x240 fs/ext4/super.c:217\next4_read_bh_lock+0xac/0xd0 fs/ext4/super.c:242\next4_bread_batch+0x268/0x500 fs/ext4/inode.c:958\n__ext4_find_entry+0x448/0x10f0 fs/ext4/namei.c:1671\next4_lookup_entry fs/ext4/namei.c:1774 [inline]\next4_lookup.part.0+0x359/0x6f0 fs/ext4/namei.c:1842\next4_lookup+0x72/0x90 fs/ext4/namei.c:1839\n__lookup_slow+0x257/0x480 fs/namei.c:1696\nlookup_slow fs/namei.c:1713 [inline]\nwalk_component+0x454/0x5c0 fs/namei.c:2004\nlink_path_walk.part.0+0x773/0xda0 fs/namei.c:2331\nlink_path_walk fs/namei.c:3826 [inline]\npath_openat+0x1b9/0x520 fs/namei.c:3826\ndo_filp_open+0x1b7/0x400 fs/namei.c:3857\ndo_sys_openat2+0x5dc/0x6e0 fs/open.c:1428\ndo_sys_open fs/open.c:1443 [inline]\n__do_sys_openat fs/open.c:1459 [inline]\n__se_sys_openat fs/open.c:1454 [inline]\n__x64_sys_openat+0x148/0x200 fs/open.c:1454\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_6\n---truncated---" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20518",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.5.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20518",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.5.1.el9_7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-21631\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21631\nhttps://lore.kernel.org/linux-cve-announce/2025011939-CVE-2025-21631-5f2d@gregkh/T" ],
  "name" : "CVE-2025-21631",
  "csaw" : false
}