CVE-2024-47706 (GCVE-0-2024-47706)

Vulnerability from cvelistv5 – Published: 2024-10-21 11:53 – Updated: 2026-05-12 11:58
VLAI
Title
block, bfq: fix possible UAF for bfqq->bic with merge chain
Summary
In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix possible UAF for bfqq->bic with merge chain 1) initial state, three tasks: Process 1 Process 2 Process 3 (BIC1) (BIC2) (BIC3) | Λ | Λ | Λ | | | | | | V | V | V | bfqq1 bfqq2 bfqq3 process ref: 1 1 1 2) bfqq1 merged to bfqq2: Process 1 Process 2 Process 3 (BIC1) (BIC2) (BIC3) | | | Λ \--------------\| | | V V | bfqq1--------->bfqq2 bfqq3 process ref: 0 2 1 3) bfqq2 merged to bfqq3: Process 1 Process 2 Process 3 (BIC1) (BIC2) (BIC3) here -> Λ | | \--------------\ \-------------\| V V bfqq1--------->bfqq2---------->bfqq3 process ref: 0 1 3 In this case, IO from Process 1 will get bfqq2 from BIC1 first, and then get bfqq3 through merge chain, and finially handle IO by bfqq3. Howerver, current code will think bfqq2 is owned by BIC1, like initial state, and set bfqq2->bic to BIC1. bfq_insert_request -> by Process 1 bfqq = bfq_init_rq(rq) bfqq = bfq_get_bfqq_handle_split bfqq = bic_to_bfqq -> get bfqq2 from BIC1 bfqq->ref++ rq->elv.priv[0] = bic rq->elv.priv[1] = bfqq if (bfqq_process_refs(bfqq) == 1) bfqq->bic = bic -> record BIC1 to bfqq2 __bfq_insert_request new_bfqq = bfq_setup_cooperator -> get bfqq3 from bfqq2->new_bfqq bfqq_request_freed(bfqq) new_bfqq->ref++ rq->elv.priv[1] = new_bfqq -> handle IO by bfqq3 Fix the problem by checking bfqq is from merge chain fist. And this might fix a following problem reported by our syzkaller(unreproducible): ================================================================== BUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline] BUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline] BUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889 Write of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595 CPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G L 6.6.0-07439-gba2303cacfda #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Workqueue: kblockd blk_mq_requeue_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0x10d/0x610 mm/kasan/report.c:475 kasan_report+0x8e/0xc0 mm/kasan/report.c:588 bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline] bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline] bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889 bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757 bfq_init_rq block/bfq-iosched.c:6876 [inline] bfq_insert_request block/bfq-iosched.c:6254 [inline] bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304 blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593 blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502 process_one_work kernel/workqueue.c:2627 [inline] process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700 worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781 kthread+0x33c/0x440 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305 </TASK> Allocated by task 20776: kasan_save_stack+0x20/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:188 [inline] slab_post_alloc_hook mm/slab.h:763 [inline] slab_alloc_node mm/slub.c:3458 [inline] kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503 ioc_create_icq block/blk-ioc.c:370 [inline] ---truncated---
Severity
No CVSS data available.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 36eca894832351feed9072d0f97eb06fc9482ca4 , < a9bdd5b36887d2bacb8bc777fd18317c99fc2587 (git)
Affected: 36eca894832351feed9072d0f97eb06fc9482ca4 , < bc2140534b2aae752e4f7cb4489642dbb5ec4777 (git)
Affected: 36eca894832351feed9072d0f97eb06fc9482ca4 , < e1277ae780cca4e69ef5468d4582dfd48f0b8320 (git)
Affected: 36eca894832351feed9072d0f97eb06fc9482ca4 , < 8aa9de02a4be2e7006e636816ce19b0d667ceaa3 (git)
Affected: 36eca894832351feed9072d0f97eb06fc9482ca4 , < ddbdaad123254fb53e32480cb74a486a6868b1e0 (git)
Affected: 36eca894832351feed9072d0f97eb06fc9482ca4 , < 7faed2896d78e48ec96229e73b30b0af6c00a9aa (git)
Affected: 36eca894832351feed9072d0f97eb06fc9482ca4 , < 880692ee233ba63808182705b3333403413b58f5 (git)
Affected: 36eca894832351feed9072d0f97eb06fc9482ca4 , < 6d130db286ad0ea392c96ebb2551acf0d7308048 (git)
Affected: 36eca894832351feed9072d0f97eb06fc9482ca4 , < 18ad4df091dd5d067d2faa8fce1180b79f7041a7 (git)
Create a notification for this product.
Linux Linux Affected: 4.12
Unaffected: 0 , < 4.12 (semver)
Unaffected: 4.19.323 , ≤ 4.19.* (semver)
Unaffected: 5.4.285 , ≤ 5.4.* (semver)
Unaffected: 5.10.227 , ≤ 5.10.* (semver)
Unaffected: 5.15.168 , ≤ 5.15.* (semver)
Unaffected: 6.1.113 , ≤ 6.1.* (semver)
Unaffected: 6.6.54 , ≤ 6.6.* (semver)
Unaffected: 6.10.13 , ≤ 6.10.* (semver)
Unaffected: 6.11.2 , ≤ 6.11.* (semver)
Unaffected: 6.12 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Siemens RUGGEDCOM RST2428P Affected: 0 , < V3.2 (custom)
Create a notification for this product.
Siemens SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family Affected: 0 , < V3.2 (custom)
Create a notification for this product.
Siemens SCALANCE XCM-/XRM-/XCH-/XRH-300 family Affected: 0 , < V3.2 (custom)
Create a notification for this product.
Siemens SIMATIC S7-1500 TM MFP - GNU/Linux subsystem Affected: 0 , < * (custom)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-47706",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-21T13:03:53.838190Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-21T13:04:19.673Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T22:21:10.318Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "RUGGEDCOM RST2428P",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.2",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.2",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SCALANCE XCM-/XRM-/XCH-/XRH-300 family",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V3.2",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T11:58:28.698Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-355557.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "block/bfq-iosched.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a9bdd5b36887d2bacb8bc777fd18317c99fc2587",
              "status": "affected",
              "version": "36eca894832351feed9072d0f97eb06fc9482ca4",
              "versionType": "git"
            },
            {
              "lessThan": "bc2140534b2aae752e4f7cb4489642dbb5ec4777",
              "status": "affected",
              "version": "36eca894832351feed9072d0f97eb06fc9482ca4",
              "versionType": "git"
            },
            {
              "lessThan": "e1277ae780cca4e69ef5468d4582dfd48f0b8320",
              "status": "affected",
              "version": "36eca894832351feed9072d0f97eb06fc9482ca4",
              "versionType": "git"
            },
            {
              "lessThan": "8aa9de02a4be2e7006e636816ce19b0d667ceaa3",
              "status": "affected",
              "version": "36eca894832351feed9072d0f97eb06fc9482ca4",
              "versionType": "git"
            },
            {
              "lessThan": "ddbdaad123254fb53e32480cb74a486a6868b1e0",
              "status": "affected",
              "version": "36eca894832351feed9072d0f97eb06fc9482ca4",
              "versionType": "git"
            },
            {
              "lessThan": "7faed2896d78e48ec96229e73b30b0af6c00a9aa",
              "status": "affected",
              "version": "36eca894832351feed9072d0f97eb06fc9482ca4",
              "versionType": "git"
            },
            {
              "lessThan": "880692ee233ba63808182705b3333403413b58f5",
              "status": "affected",
              "version": "36eca894832351feed9072d0f97eb06fc9482ca4",
              "versionType": "git"
            },
            {
              "lessThan": "6d130db286ad0ea392c96ebb2551acf0d7308048",
              "status": "affected",
              "version": "36eca894832351feed9072d0f97eb06fc9482ca4",
              "versionType": "git"
            },
            {
              "lessThan": "18ad4df091dd5d067d2faa8fce1180b79f7041a7",
              "status": "affected",
              "version": "36eca894832351feed9072d0f97eb06fc9482ca4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "block/bfq-iosched.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.323",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.285",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.227",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.323",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.285",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.227",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.168",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.113",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.54",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.13",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.2",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix possible UAF for bfqq-\u003ebic with merge chain\n\n1) initial state, three tasks:\n\n\t\tProcess 1       Process 2\tProcess 3\n\t\t (BIC1)          (BIC2)\t\t (BIC3)\n\t\t  |  \u039b            |  \u039b\t\t  |  \u039b\n\t\t  |  |            |  |\t\t  |  |\n\t\t  V  |            V  |\t\t  V  |\n\t\t  bfqq1           bfqq2\t\t  bfqq3\nprocess ref:\t   1\t\t    1\t\t    1\n\n2) bfqq1 merged to bfqq2:\n\n\t\tProcess 1       Process 2\tProcess 3\n\t\t (BIC1)          (BIC2)\t\t (BIC3)\n\t\t  |               |\t\t  |  \u039b\n\t\t  \\--------------\\|\t\t  |  |\n\t\t                  V\t\t  V  |\n\t\t  bfqq1---------\u003ebfqq2\t\t  bfqq3\nprocess ref:\t   0\t\t    2\t\t    1\n\n3) bfqq2 merged to bfqq3:\n\n\t\tProcess 1       Process 2\tProcess 3\n\t\t (BIC1)          (BIC2)\t\t (BIC3)\n\t here -\u003e \u039b                |\t\t  |\n\t\t  \\--------------\\ \\-------------\\|\n\t\t                  V\t\t  V\n\t\t  bfqq1---------\u003ebfqq2----------\u003ebfqq3\nprocess ref:\t   0\t\t    1\t\t    3\n\nIn this case, IO from Process 1 will get bfqq2 from BIC1 first, and then\nget bfqq3 through merge chain, and finially handle IO by bfqq3.\nHowerver, current code will think bfqq2 is owned by BIC1, like initial\nstate, and set bfqq2-\u003ebic to BIC1.\n\nbfq_insert_request\n-\u003e by Process 1\n bfqq = bfq_init_rq(rq)\n  bfqq = bfq_get_bfqq_handle_split\n   bfqq = bic_to_bfqq\n   -\u003e get bfqq2 from BIC1\n bfqq-\u003eref++\n rq-\u003eelv.priv[0] = bic\n rq-\u003eelv.priv[1] = bfqq\n if (bfqq_process_refs(bfqq) == 1)\n  bfqq-\u003ebic = bic\n  -\u003e record BIC1 to bfqq2\n\n  __bfq_insert_request\n   new_bfqq = bfq_setup_cooperator\n   -\u003e get bfqq3 from bfqq2-\u003enew_bfqq\n   bfqq_request_freed(bfqq)\n   new_bfqq-\u003eref++\n   rq-\u003eelv.priv[1] = new_bfqq\n   -\u003e handle IO by bfqq3\n\nFix the problem by checking bfqq is from merge chain fist. And this\nmight fix a following problem reported by our syzkaller(unreproducible):\n\n==================================================================\nBUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]\nBUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]\nBUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889\nWrite of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595\n\nCPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G             L     6.6.0-07439-gba2303cacfda #6\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\nWorkqueue: kblockd blk_mq_requeue_work\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:364 [inline]\n print_report+0x10d/0x610 mm/kasan/report.c:475\n kasan_report+0x8e/0xc0 mm/kasan/report.c:588\n bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]\n bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]\n bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889\n bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757\n bfq_init_rq block/bfq-iosched.c:6876 [inline]\n bfq_insert_request block/bfq-iosched.c:6254 [inline]\n bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304\n blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593\n blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502\n process_one_work kernel/workqueue.c:2627 [inline]\n process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700\n worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781\n kthread+0x33c/0x440 kernel/kthread.c:388\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305\n \u003c/TASK\u003e\n\nAllocated by task 20776:\n kasan_save_stack+0x20/0x40 mm/kasan/common.c:45\n kasan_set_track+0x25/0x30 mm/kasan/common.c:52\n __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328\n kasan_slab_alloc include/linux/kasan.h:188 [inline]\n slab_post_alloc_hook mm/slab.h:763 [inline]\n slab_alloc_node mm/slub.c:3458 [inline]\n kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503\n ioc_create_icq block/blk-ioc.c:370 [inline]\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:39:12.735Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a9bdd5b36887d2bacb8bc777fd18317c99fc2587"
        },
        {
          "url": "https://git.kernel.org/stable/c/bc2140534b2aae752e4f7cb4489642dbb5ec4777"
        },
        {
          "url": "https://git.kernel.org/stable/c/e1277ae780cca4e69ef5468d4582dfd48f0b8320"
        },
        {
          "url": "https://git.kernel.org/stable/c/8aa9de02a4be2e7006e636816ce19b0d667ceaa3"
        },
        {
          "url": "https://git.kernel.org/stable/c/ddbdaad123254fb53e32480cb74a486a6868b1e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/7faed2896d78e48ec96229e73b30b0af6c00a9aa"
        },
        {
          "url": "https://git.kernel.org/stable/c/880692ee233ba63808182705b3333403413b58f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d130db286ad0ea392c96ebb2551acf0d7308048"
        },
        {
          "url": "https://git.kernel.org/stable/c/18ad4df091dd5d067d2faa8fce1180b79f7041a7"
        }
      ],
      "title": "block, bfq: fix possible UAF for bfqq-\u003ebic with merge chain",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-47706",
    "datePublished": "2024-10-21T11:53:40.759Z",
    "dateReserved": "2024-09-30T16:00:12.946Z",
    "dateUpdated": "2026-05-12T11:58:28.698Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-47706",
      "date": "2026-06-25",
      "epss": "0.00236",
      "percentile": "0.14499"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"4.12\", \"versionEndExcluding\": \"5.10.227\", \"matchCriteriaId\": \"8E629794-ADD6-44B5-8F8E-B768F34539E0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.11\", \"versionEndExcluding\": \"5.15.168\", \"matchCriteriaId\": \"4D51C05D-455B-4D8D-89E7-A58E140B864C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.16\", \"versionEndExcluding\": \"6.1.113\", \"matchCriteriaId\": \"D01BD22E-ACD1-4618-9D01-6116570BE1EE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.2\", \"versionEndExcluding\": \"6.6.54\", \"matchCriteriaId\": \"D448821D-C085-4CAF-88FA-2DDE7BE21976\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.7\", \"versionEndExcluding\": \"6.10.13\", \"matchCriteriaId\": \"CE94BB8D-B0AB-4563-9ED7-A12122B56EBE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.11\", \"versionEndExcluding\": \"6.11.2\", \"matchCriteriaId\": \"AB755D26-97F4-43B6-8604-CD076811E181\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblock, bfq: fix possible UAF for bfqq-\u003ebic with merge chain\\n\\n1) initial state, three tasks:\\n\\n\\t\\tProcess 1       Process 2\\tProcess 3\\n\\t\\t (BIC1)          (BIC2)\\t\\t (BIC3)\\n\\t\\t  |  \\u039b            |  \\u039b\\t\\t  |  \\u039b\\n\\t\\t  |  |            |  |\\t\\t  |  |\\n\\t\\t  V  |            V  |\\t\\t  V  |\\n\\t\\t  bfqq1           bfqq2\\t\\t  bfqq3\\nprocess ref:\\t   1\\t\\t    1\\t\\t    1\\n\\n2) bfqq1 merged to bfqq2:\\n\\n\\t\\tProcess 1       Process 2\\tProcess 3\\n\\t\\t (BIC1)          (BIC2)\\t\\t (BIC3)\\n\\t\\t  |               |\\t\\t  |  \\u039b\\n\\t\\t  \\\\--------------\\\\|\\t\\t  |  |\\n\\t\\t                  V\\t\\t  V  |\\n\\t\\t  bfqq1---------\u003ebfqq2\\t\\t  bfqq3\\nprocess ref:\\t   0\\t\\t    2\\t\\t    1\\n\\n3) bfqq2 merged to bfqq3:\\n\\n\\t\\tProcess 1       Process 2\\tProcess 3\\n\\t\\t (BIC1)          (BIC2)\\t\\t (BIC3)\\n\\t here -\u003e \\u039b                |\\t\\t  |\\n\\t\\t  \\\\--------------\\\\ \\\\-------------\\\\|\\n\\t\\t                  V\\t\\t  V\\n\\t\\t  bfqq1---------\u003ebfqq2----------\u003ebfqq3\\nprocess ref:\\t   0\\t\\t    1\\t\\t    3\\n\\nIn this case, IO from Process 1 will get bfqq2 from BIC1 first, and then\\nget bfqq3 through merge chain, and finially handle IO by bfqq3.\\nHowerver, current code will think bfqq2 is owned by BIC1, like initial\\nstate, and set bfqq2-\u003ebic to BIC1.\\n\\nbfq_insert_request\\n-\u003e by Process 1\\n bfqq = bfq_init_rq(rq)\\n  bfqq = bfq_get_bfqq_handle_split\\n   bfqq = bic_to_bfqq\\n   -\u003e get bfqq2 from BIC1\\n bfqq-\u003eref++\\n rq-\u003eelv.priv[0] = bic\\n rq-\u003eelv.priv[1] = bfqq\\n if (bfqq_process_refs(bfqq) == 1)\\n  bfqq-\u003ebic = bic\\n  -\u003e record BIC1 to bfqq2\\n\\n  __bfq_insert_request\\n   new_bfqq = bfq_setup_cooperator\\n   -\u003e get bfqq3 from bfqq2-\u003enew_bfqq\\n   bfqq_request_freed(bfqq)\\n   new_bfqq-\u003eref++\\n   rq-\u003eelv.priv[1] = new_bfqq\\n   -\u003e handle IO by bfqq3\\n\\nFix the problem by checking bfqq is from merge chain fist. And this\\nmight fix a following problem reported by our syzkaller(unreproducible):\\n\\n==================================================================\\nBUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]\\nBUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]\\nBUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889\\nWrite of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595\\n\\nCPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G             L     6.6.0-07439-gba2303cacfda #6\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\\nWorkqueue: kblockd blk_mq_requeue_work\\nCall Trace:\\n \u003cTASK\u003e\\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106\\n print_address_description mm/kasan/report.c:364 [inline]\\n print_report+0x10d/0x610 mm/kasan/report.c:475\\n kasan_report+0x8e/0xc0 mm/kasan/report.c:588\\n bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]\\n bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]\\n bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889\\n bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757\\n bfq_init_rq block/bfq-iosched.c:6876 [inline]\\n bfq_insert_request block/bfq-iosched.c:6254 [inline]\\n bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304\\n blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593\\n blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502\\n process_one_work kernel/workqueue.c:2627 [inline]\\n process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700\\n worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781\\n kthread+0x33c/0x440 kernel/kthread.c:388\\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305\\n \u003c/TASK\u003e\\n\\nAllocated by task 20776:\\n kasan_save_stack+0x20/0x40 mm/kasan/common.c:45\\n kasan_set_track+0x25/0x30 mm/kasan/common.c:52\\n __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328\\n kasan_slab_alloc include/linux/kasan.h:188 [inline]\\n slab_post_alloc_hook mm/slab.h:763 [inline]\\n slab_alloc_node mm/slub.c:3458 [inline]\\n kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503\\n ioc_create_icq block/blk-ioc.c:370 [inline]\\n---truncated---\"}, {\"lang\": \"es\", \"value\": \"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bloque, bfq: corregir posible UAF para bfqq-\u0026gt;bic con cadena de fusi\\u00f3n 1) estado inicial, tres tareas: Proceso 1 Proceso 2 Proceso 3 (BIC1) (BIC2) (BIC3) | ? | ? | ? | | | | | | V | V | V | bfqq1 bfqq2 bfqq3 proceso ref: 1 1 1 2) bfqq1 fusionado con bfqq2: Proceso 1 Proceso 2 Proceso 3 (BIC1) (BIC2) (BIC3) | | | ? \\\\--------------\\\\| | | VV | bfqq1---------\u0026gt;bfqq2 bfqq3 proceso ref: 0 2 1 3) bfqq2 fusionado con bfqq3: Proceso 1 Proceso 2 Proceso 3 (BIC1) (BIC2) (BIC3) aqu\\u00ed -\u0026gt; ? | | \\\\--------------\\\\ \\\\-------------\\\\| VV bfqq1--------\u0026gt;bfqq2----------\u0026gt;bfqq3 ref. de proceso: 0 1 3 En este caso, la IO del Proceso 1 obtendr\\u00e1 primero bfqq2 de BIC1, y luego obtendr\\u00e1 bfqq3 a trav\\u00e9s de la cadena de fusi\\u00f3n, y finalmente manejar\\u00e1 la IO por bfqq3. Sin embargo, el c\\u00f3digo actual pensar\\u00e1 que bfqq2 es propiedad de BIC1, como estado inicial, y establecer\\u00e1 bfqq2-\u0026gt;bic en BIC1. bfq_insert_request -\u0026gt; por Proceso 1 bfqq = bfq_init_rq(rq) bfqq = bfq_get_bfqq_handle_split bfqq = bic_to_bfqq -\u0026gt; obtener bfqq2 de BIC1 bfqq-\u0026gt;ref++ rq-\u0026gt;elv.priv[0] = bic rq-\u0026gt;elv.priv[1] = bfqq si (bfqq_process_refs(bfqq) == 1) bfqq-\u0026gt;bic = bic -\u0026gt; grabar BIC1 en bfqq2 __bfq_insert_request new_bfqq = bfq_setup_cooperator -\u0026gt; obtener bfqq3 de bfqq2-\u0026gt;new_bfqq bfqq_request_freed(bfqq) new_bfqq-\u0026gt;ref++ rq-\u0026gt;elv.priv[1] = new_bfqq -\u0026gt; manejar IO por bfqq3 Solucione el problema verificando que bfqq sea primero de la cadena de fusi\\u00f3n. Y esto podr\\u00eda solucionar el siguiente problema informado por nuestro syzkaller (irreproducible): ===================================================================== ERROR: KASAN: slab-use-after-free en el bloque bfq_do_early_stable_merge/bfq-iosched.c:5692 [en l\\u00ednea] ERROR: KASAN: slab-use-after-free en el bloque bfq_do_or_sched_stable_merge/bfq-iosched.c:5805 [en l\\u00ednea] ERROR: KASAN: slab-use-after-free en el bloque bfq_get_queue+0x25b0/0x2610/bfq-iosched.c:5889 Escribir de tama\\u00f1o 1 en la direcci\\u00f3n ffff888123839eb8 por la tarea kworker/0:1H/18595 CPU: 0 PID: 18595 Comm: kworker/0:1H Contaminado: GL 6.6.0-07439-gba2303cacfda #6 Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Cola de trabajo: kblockd blk_mq_requeue_work Rastreo de llamadas:  __dump_stack lib/dump_stack.c:88 [en l\\u00ednea] dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [en l\\u00ednea] imprimir_informe+0x10d/0x610 mm/kasan/report.c:475 kasan_report+0x8e/0xc0 mm/kasan/report.c:588 bloque bfq_do_early_stable_merge/bfq-iosched.c:5692 [en l\\u00ednea] bloque bfq_do_or_sched_stable_merge/bfq-iosched.c:5805 [en l\\u00ednea] bloque bfq_get_queue+0x25b0/0x2610/bfq-iosched.c:5889 bloque bfq_get_bfqq_handle_split+0x169/0x5d0/bfq-iosched.c:6757 bloque bfq_init_rq/bfq-iosched.c:6876 [en l\\u00ednea] bloque bfq_insert_request/bfq-iosched.c:6254 [en l\\u00ednea] bloque bfq_insert_requests+0x1112/0x5cf0/bfq-iosched.c:6304 bloque blk_mq_insert_request+0x290/0x8d0/blk-mq.c:2593 bloque blk_mq_requeue_work+0x6bc/0xa70/blk-mq.c:1502 proceso_uno_trabajo kernel/workqueue.c:2627 [en l\\u00ednea] proceso_trabajos_programados+0x432/0x13f0 kernel/workqueue.c:2700 subproceso_trabajador+0x6f2/0x1160 kernel/workqueue.c:2781 subproceso_k+0x33c/0x440 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305  Asignado por la tarea 20776: kasan_save_stack+0x20/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:188 [en l\\u00ednea] slab_post_alloc_hook mm/slab.h:763 [en l\\u00ednea] slab_alloc_node mm/slub.c:3458 [en l\\u00ednea] kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503 ioc_create_icq block/blk-ioc.c:370 [en l\\u00ednea] ---truncado---\"}]",
      "id": "CVE-2024-47706",
      "lastModified": "2024-11-08T16:15:25.847",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.6}]}",
      "published": "2024-10-21T12:15:07.120",
      "references": "[{\"url\": \"https://git.kernel.org/stable/c/18ad4df091dd5d067d2faa8fce1180b79f7041a7\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/6d130db286ad0ea392c96ebb2551acf0d7308048\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/7faed2896d78e48ec96229e73b30b0af6c00a9aa\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/880692ee233ba63808182705b3333403413b58f5\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/8aa9de02a4be2e7006e636816ce19b0d667ceaa3\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/a9bdd5b36887d2bacb8bc777fd18317c99fc2587\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/bc2140534b2aae752e4f7cb4489642dbb5ec4777\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/ddbdaad123254fb53e32480cb74a486a6868b1e0\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/e1277ae780cca4e69ef5468d4582dfd48f0b8320\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}]",
      "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-416\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-47706\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-10-21T12:15:07.120\",\"lastModified\":\"2026-05-12T12:17:14.697\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblock, bfq: fix possible UAF for bfqq-\u003ebic with merge chain\\n\\n1) initial state, three tasks:\\n\\n\\t\\tProcess 1       Process 2\\tProcess 3\\n\\t\\t (BIC1)          (BIC2)\\t\\t (BIC3)\\n\\t\\t  |  \u039b            |  \u039b\\t\\t  |  \u039b\\n\\t\\t  |  |            |  |\\t\\t  |  |\\n\\t\\t  V  |            V  |\\t\\t  V  |\\n\\t\\t  bfqq1           bfqq2\\t\\t  bfqq3\\nprocess ref:\\t   1\\t\\t    1\\t\\t    1\\n\\n2) bfqq1 merged to bfqq2:\\n\\n\\t\\tProcess 1       Process 2\\tProcess 3\\n\\t\\t (BIC1)          (BIC2)\\t\\t (BIC3)\\n\\t\\t  |               |\\t\\t  |  \u039b\\n\\t\\t  \\\\--------------\\\\|\\t\\t  |  |\\n\\t\\t                  V\\t\\t  V  |\\n\\t\\t  bfqq1---------\u003ebfqq2\\t\\t  bfqq3\\nprocess ref:\\t   0\\t\\t    2\\t\\t    1\\n\\n3) bfqq2 merged to bfqq3:\\n\\n\\t\\tProcess 1       Process 2\\tProcess 3\\n\\t\\t (BIC1)          (BIC2)\\t\\t (BIC3)\\n\\t here -\u003e \u039b                |\\t\\t  |\\n\\t\\t  \\\\--------------\\\\ \\\\-------------\\\\|\\n\\t\\t                  V\\t\\t  V\\n\\t\\t  bfqq1---------\u003ebfqq2----------\u003ebfqq3\\nprocess ref:\\t   0\\t\\t    1\\t\\t    3\\n\\nIn this case, IO from Process 1 will get bfqq2 from BIC1 first, and then\\nget bfqq3 through merge chain, and finially handle IO by bfqq3.\\nHowerver, current code will think bfqq2 is owned by BIC1, like initial\\nstate, and set bfqq2-\u003ebic to BIC1.\\n\\nbfq_insert_request\\n-\u003e by Process 1\\n bfqq = bfq_init_rq(rq)\\n  bfqq = bfq_get_bfqq_handle_split\\n   bfqq = bic_to_bfqq\\n   -\u003e get bfqq2 from BIC1\\n bfqq-\u003eref++\\n rq-\u003eelv.priv[0] = bic\\n rq-\u003eelv.priv[1] = bfqq\\n if (bfqq_process_refs(bfqq) == 1)\\n  bfqq-\u003ebic = bic\\n  -\u003e record BIC1 to bfqq2\\n\\n  __bfq_insert_request\\n   new_bfqq = bfq_setup_cooperator\\n   -\u003e get bfqq3 from bfqq2-\u003enew_bfqq\\n   bfqq_request_freed(bfqq)\\n   new_bfqq-\u003eref++\\n   rq-\u003eelv.priv[1] = new_bfqq\\n   -\u003e handle IO by bfqq3\\n\\nFix the problem by checking bfqq is from merge chain fist. And this\\nmight fix a following problem reported by our syzkaller(unreproducible):\\n\\n==================================================================\\nBUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]\\nBUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]\\nBUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889\\nWrite of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595\\n\\nCPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G             L     6.6.0-07439-gba2303cacfda #6\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\\nWorkqueue: kblockd blk_mq_requeue_work\\nCall Trace:\\n \u003cTASK\u003e\\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106\\n print_address_description mm/kasan/report.c:364 [inline]\\n print_report+0x10d/0x610 mm/kasan/report.c:475\\n kasan_report+0x8e/0xc0 mm/kasan/report.c:588\\n bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]\\n bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]\\n bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889\\n bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757\\n bfq_init_rq block/bfq-iosched.c:6876 [inline]\\n bfq_insert_request block/bfq-iosched.c:6254 [inline]\\n bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304\\n blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593\\n blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502\\n process_one_work kernel/workqueue.c:2627 [inline]\\n process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700\\n worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781\\n kthread+0x33c/0x440 kernel/kthread.c:388\\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305\\n \u003c/TASK\u003e\\n\\nAllocated by task 20776:\\n kasan_save_stack+0x20/0x40 mm/kasan/common.c:45\\n kasan_set_track+0x25/0x30 mm/kasan/common.c:52\\n __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328\\n kasan_slab_alloc include/linux/kasan.h:188 [inline]\\n slab_post_alloc_hook mm/slab.h:763 [inline]\\n slab_alloc_node mm/slub.c:3458 [inline]\\n kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503\\n ioc_create_icq block/blk-ioc.c:370 [inline]\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bloque, bfq: corregir posible UAF para bfqq-\u0026gt;bic con cadena de fusi\u00f3n 1) estado inicial, tres tareas: Proceso 1 Proceso 2 Proceso 3 (BIC1) (BIC2) (BIC3) | ? | ? | ? | | | | | | V | V | V | bfqq1 bfqq2 bfqq3 proceso ref: 1 1 1 2) bfqq1 fusionado con bfqq2: Proceso 1 Proceso 2 Proceso 3 (BIC1) (BIC2) (BIC3) | | | ? \\\\--------------\\\\| | | VV | bfqq1---------\u0026gt;bfqq2 bfqq3 proceso ref: 0 2 1 3) bfqq2 fusionado con bfqq3: Proceso 1 Proceso 2 Proceso 3 (BIC1) (BIC2) (BIC3) aqu\u00ed -\u0026gt; ? | | \\\\--------------\\\\ \\\\-------------\\\\| VV bfqq1--------\u0026gt;bfqq2----------\u0026gt;bfqq3 ref. de proceso: 0 1 3 En este caso, la IO del Proceso 1 obtendr\u00e1 primero bfqq2 de BIC1, y luego obtendr\u00e1 bfqq3 a trav\u00e9s de la cadena de fusi\u00f3n, y finalmente manejar\u00e1 la IO por bfqq3. Sin embargo, el c\u00f3digo actual pensar\u00e1 que bfqq2 es propiedad de BIC1, como estado inicial, y establecer\u00e1 bfqq2-\u0026gt;bic en BIC1. bfq_insert_request -\u0026gt; por Proceso 1 bfqq = bfq_init_rq(rq) bfqq = bfq_get_bfqq_handle_split bfqq = bic_to_bfqq -\u0026gt; obtener bfqq2 de BIC1 bfqq-\u0026gt;ref++ rq-\u0026gt;elv.priv[0] = bic rq-\u0026gt;elv.priv[1] = bfqq si (bfqq_process_refs(bfqq) == 1) bfqq-\u0026gt;bic = bic -\u0026gt; grabar BIC1 en bfqq2 __bfq_insert_request new_bfqq = bfq_setup_cooperator -\u0026gt; obtener bfqq3 de bfqq2-\u0026gt;new_bfqq bfqq_request_freed(bfqq) new_bfqq-\u0026gt;ref++ rq-\u0026gt;elv.priv[1] = new_bfqq -\u0026gt; manejar IO por bfqq3 Solucione el problema verificando que bfqq sea primero de la cadena de fusi\u00f3n. Y esto podr\u00eda solucionar el siguiente problema informado por nuestro syzkaller (irreproducible): ===================================================================== ERROR: KASAN: slab-use-after-free en el bloque bfq_do_early_stable_merge/bfq-iosched.c:5692 [en l\u00ednea] ERROR: KASAN: slab-use-after-free en el bloque bfq_do_or_sched_stable_merge/bfq-iosched.c:5805 [en l\u00ednea] ERROR: KASAN: slab-use-after-free en el bloque bfq_get_queue+0x25b0/0x2610/bfq-iosched.c:5889 Escribir de tama\u00f1o 1 en la direcci\u00f3n ffff888123839eb8 por la tarea kworker/0:1H/18595 CPU: 0 PID: 18595 Comm: kworker/0:1H Contaminado: GL 6.6.0-07439-gba2303cacfda #6 Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Cola de trabajo: kblockd blk_mq_requeue_work Rastreo de llamadas:  __dump_stack lib/dump_stack.c:88 [en l\u00ednea] dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [en l\u00ednea] imprimir_informe+0x10d/0x610 mm/kasan/report.c:475 kasan_report+0x8e/0xc0 mm/kasan/report.c:588 bloque bfq_do_early_stable_merge/bfq-iosched.c:5692 [en l\u00ednea] bloque bfq_do_or_sched_stable_merge/bfq-iosched.c:5805 [en l\u00ednea] bloque bfq_get_queue+0x25b0/0x2610/bfq-iosched.c:5889 bloque bfq_get_bfqq_handle_split+0x169/0x5d0/bfq-iosched.c:6757 bloque bfq_init_rq/bfq-iosched.c:6876 [en l\u00ednea] bloque bfq_insert_request/bfq-iosched.c:6254 [en l\u00ednea] bloque bfq_insert_requests+0x1112/0x5cf0/bfq-iosched.c:6304 bloque blk_mq_insert_request+0x290/0x8d0/blk-mq.c:2593 bloque blk_mq_requeue_work+0x6bc/0xa70/blk-mq.c:1502 proceso_uno_trabajo kernel/workqueue.c:2627 [en l\u00ednea] proceso_trabajos_programados+0x432/0x13f0 kernel/workqueue.c:2700 subproceso_trabajador+0x6f2/0x1160 kernel/workqueue.c:2781 subproceso_k+0x33c/0x440 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305  Asignado por la tarea 20776: kasan_save_stack+0x20/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:188 [en l\u00ednea] slab_post_alloc_hook mm/slab.h:763 [en l\u00ednea] slab_alloc_node mm/slub.c:3458 [en l\u00ednea] kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503 ioc_create_icq block/blk-ioc.c:370 [en l\u00ednea] ---truncado---\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.12\",\"versionEndExcluding\":\"5.10.227\",\"matchCriteriaId\":\"8E629794-ADD6-44B5-8F8E-B768F34539E0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.168\",\"matchCriteriaId\":\"4D51C05D-455B-4D8D-89E7-A58E140B864C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.113\",\"matchCriteriaId\":\"D01BD22E-ACD1-4618-9D01-6116570BE1EE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.54\",\"matchCriteriaId\":\"D448821D-C085-4CAF-88FA-2DDE7BE21976\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.10.13\",\"matchCriteriaId\":\"CE94BB8D-B0AB-4563-9ED7-A12122B56EBE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.11\",\"versionEndExcluding\":\"6.11.2\",\"matchCriteriaId\":\"AB755D26-97F4-43B6-8604-CD076811E181\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/18ad4df091dd5d067d2faa8fce1180b79f7041a7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/6d130db286ad0ea392c96ebb2551acf0d7308048\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/7faed2896d78e48ec96229e73b30b0af6c00a9aa\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/880692ee233ba63808182705b3333403413b58f5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8aa9de02a4be2e7006e636816ce19b0d667ceaa3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/a9bdd5b36887d2bacb8bc777fd18317c99fc2587\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bc2140534b2aae752e4f7cb4489642dbb5ec4777\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ddbdaad123254fb53e32480cb74a486a6868b1e0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e1277ae780cca4e69ef5468d4582dfd48f0b8320\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-265688.html\",\"source\":\"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e\"},{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-355557.html\",\"source\":\"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-47706\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-21T13:03:53.838190Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-21T13:03:56.861Z\"}}], \"cna\": {\"title\": \"block, bfq: fix possible UAF for bfqq-\u003ebic with merge chain\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"36eca894832351feed9072d0f97eb06fc9482ca4\", \"lessThan\": \"a9bdd5b36887d2bacb8bc777fd18317c99fc2587\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"36eca894832351feed9072d0f97eb06fc9482ca4\", \"lessThan\": \"bc2140534b2aae752e4f7cb4489642dbb5ec4777\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"36eca894832351feed9072d0f97eb06fc9482ca4\", \"lessThan\": \"e1277ae780cca4e69ef5468d4582dfd48f0b8320\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"36eca894832351feed9072d0f97eb06fc9482ca4\", \"lessThan\": \"8aa9de02a4be2e7006e636816ce19b0d667ceaa3\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"36eca894832351feed9072d0f97eb06fc9482ca4\", \"lessThan\": \"ddbdaad123254fb53e32480cb74a486a6868b1e0\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"36eca894832351feed9072d0f97eb06fc9482ca4\", \"lessThan\": \"7faed2896d78e48ec96229e73b30b0af6c00a9aa\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"36eca894832351feed9072d0f97eb06fc9482ca4\", \"lessThan\": \"880692ee233ba63808182705b3333403413b58f5\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"36eca894832351feed9072d0f97eb06fc9482ca4\", \"lessThan\": \"6d130db286ad0ea392c96ebb2551acf0d7308048\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"36eca894832351feed9072d0f97eb06fc9482ca4\", \"lessThan\": \"18ad4df091dd5d067d2faa8fce1180b79f7041a7\", \"versionType\": \"git\"}], \"programFiles\": [\"block/bfq-iosched.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.12\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"4.12\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"4.19.323\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.19.*\"}, {\"status\": \"unaffected\", \"version\": \"5.4.285\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.227\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.168\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.113\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.54\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.10.13\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.10.*\"}, {\"status\": \"unaffected\", \"version\": \"6.11.2\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.11.*\"}, {\"status\": \"unaffected\", \"version\": \"6.12\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"block/bfq-iosched.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/a9bdd5b36887d2bacb8bc777fd18317c99fc2587\"}, {\"url\": \"https://git.kernel.org/stable/c/bc2140534b2aae752e4f7cb4489642dbb5ec4777\"}, {\"url\": \"https://git.kernel.org/stable/c/e1277ae780cca4e69ef5468d4582dfd48f0b8320\"}, {\"url\": \"https://git.kernel.org/stable/c/8aa9de02a4be2e7006e636816ce19b0d667ceaa3\"}, {\"url\": \"https://git.kernel.org/stable/c/ddbdaad123254fb53e32480cb74a486a6868b1e0\"}, {\"url\": \"https://git.kernel.org/stable/c/7faed2896d78e48ec96229e73b30b0af6c00a9aa\"}, {\"url\": \"https://git.kernel.org/stable/c/880692ee233ba63808182705b3333403413b58f5\"}, {\"url\": \"https://git.kernel.org/stable/c/6d130db286ad0ea392c96ebb2551acf0d7308048\"}, {\"url\": \"https://git.kernel.org/stable/c/18ad4df091dd5d067d2faa8fce1180b79f7041a7\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblock, bfq: fix possible UAF for bfqq-\u003ebic with merge chain\\n\\n1) initial state, three tasks:\\n\\n\\t\\tProcess 1       Process 2\\tProcess 3\\n\\t\\t (BIC1)          (BIC2)\\t\\t (BIC3)\\n\\t\\t  |  \\u039b            |  \\u039b\\t\\t  |  \\u039b\\n\\t\\t  |  |            |  |\\t\\t  |  |\\n\\t\\t  V  |            V  |\\t\\t  V  |\\n\\t\\t  bfqq1           bfqq2\\t\\t  bfqq3\\nprocess ref:\\t   1\\t\\t    1\\t\\t    1\\n\\n2) bfqq1 merged to bfqq2:\\n\\n\\t\\tProcess 1       Process 2\\tProcess 3\\n\\t\\t (BIC1)          (BIC2)\\t\\t (BIC3)\\n\\t\\t  |               |\\t\\t  |  \\u039b\\n\\t\\t  \\\\--------------\\\\|\\t\\t  |  |\\n\\t\\t                  V\\t\\t  V  |\\n\\t\\t  bfqq1---------\u003ebfqq2\\t\\t  bfqq3\\nprocess ref:\\t   0\\t\\t    2\\t\\t    1\\n\\n3) bfqq2 merged to bfqq3:\\n\\n\\t\\tProcess 1       Process 2\\tProcess 3\\n\\t\\t (BIC1)          (BIC2)\\t\\t (BIC3)\\n\\t here -\u003e \\u039b                |\\t\\t  |\\n\\t\\t  \\\\--------------\\\\ \\\\-------------\\\\|\\n\\t\\t                  V\\t\\t  V\\n\\t\\t  bfqq1---------\u003ebfqq2----------\u003ebfqq3\\nprocess ref:\\t   0\\t\\t    1\\t\\t    3\\n\\nIn this case, IO from Process 1 will get bfqq2 from BIC1 first, and then\\nget bfqq3 through merge chain, and finially handle IO by bfqq3.\\nHowerver, current code will think bfqq2 is owned by BIC1, like initial\\nstate, and set bfqq2-\u003ebic to BIC1.\\n\\nbfq_insert_request\\n-\u003e by Process 1\\n bfqq = bfq_init_rq(rq)\\n  bfqq = bfq_get_bfqq_handle_split\\n   bfqq = bic_to_bfqq\\n   -\u003e get bfqq2 from BIC1\\n bfqq-\u003eref++\\n rq-\u003eelv.priv[0] = bic\\n rq-\u003eelv.priv[1] = bfqq\\n if (bfqq_process_refs(bfqq) == 1)\\n  bfqq-\u003ebic = bic\\n  -\u003e record BIC1 to bfqq2\\n\\n  __bfq_insert_request\\n   new_bfqq = bfq_setup_cooperator\\n   -\u003e get bfqq3 from bfqq2-\u003enew_bfqq\\n   bfqq_request_freed(bfqq)\\n   new_bfqq-\u003eref++\\n   rq-\u003eelv.priv[1] = new_bfqq\\n   -\u003e handle IO by bfqq3\\n\\nFix the problem by checking bfqq is from merge chain fist. And this\\nmight fix a following problem reported by our syzkaller(unreproducible):\\n\\n==================================================================\\nBUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]\\nBUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]\\nBUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889\\nWrite of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595\\n\\nCPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G             L     6.6.0-07439-gba2303cacfda #6\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\\nWorkqueue: kblockd blk_mq_requeue_work\\nCall Trace:\\n \u003cTASK\u003e\\n __dump_stack lib/dump_stack.c:88 [inline]\\n dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106\\n print_address_description mm/kasan/report.c:364 [inline]\\n print_report+0x10d/0x610 mm/kasan/report.c:475\\n kasan_report+0x8e/0xc0 mm/kasan/report.c:588\\n bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]\\n bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]\\n bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889\\n bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757\\n bfq_init_rq block/bfq-iosched.c:6876 [inline]\\n bfq_insert_request block/bfq-iosched.c:6254 [inline]\\n bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304\\n blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593\\n blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502\\n process_one_work kernel/workqueue.c:2627 [inline]\\n process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700\\n worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781\\n kthread+0x33c/0x440 kernel/kthread.c:388\\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305\\n \u003c/TASK\u003e\\n\\nAllocated by task 20776:\\n kasan_save_stack+0x20/0x40 mm/kasan/common.c:45\\n kasan_set_track+0x25/0x30 mm/kasan/common.c:52\\n __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328\\n kasan_slab_alloc include/linux/kasan.h:188 [inline]\\n slab_post_alloc_hook mm/slab.h:763 [inline]\\n slab_alloc_node mm/slub.c:3458 [inline]\\n kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503\\n ioc_create_icq block/blk-ioc.c:370 [inline]\\n---truncated---\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.19.323\", \"versionStartIncluding\": \"4.12\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.4.285\", \"versionStartIncluding\": \"4.12\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.227\", \"versionStartIncluding\": \"4.12\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.168\", \"versionStartIncluding\": \"4.12\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.113\", \"versionStartIncluding\": \"4.12\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.54\", \"versionStartIncluding\": \"4.12\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.10.13\", \"versionStartIncluding\": \"4.12\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.11.2\", \"versionStartIncluding\": \"4.12\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.12\", \"versionStartIncluding\": \"4.12\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T09:37:55.250Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-47706\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-04T09:37:55.250Z\", \"dateReserved\": \"2024-09-30T16:00:12.946Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-10-21T11:53:40.759Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.