Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's BFQ (Budget Fair Queueing) I/O scheduler. The issue arises when the parent of a BFQ queue changes between the initial decision to merge two queues and the execution of that merge. Such a change can occur when the process submits I/O on behalf of a different cgroup, causing the queue to be reparented. In some cases, the queue being merged with has a parent cgroup that is already offline and being destroyed, so the merge operates on memory that is being freed, leading to a use-after-free. The vulnerability has been observed in Linux kernel version 5.15.2.
Exploitation of this vulnerability causes a use-after-free error, which can lead to memory corruption and potentially allow for arbitrary code execution.
The vulnerability can be reproduced by merging two BFQ queues that have different parent cgroups, particularly when one of the cgroups is offline and being destroyed. This can be achieved by submitting I/O for different cgroups, causing the BFQ queues to reparent, and then initiating a merge before the reparenting is fully processed.
The vulnerability has been addressed in the Linux kernel by ensuring that the parents of the BFQ queues being merged are the same, preventing the conditions that lead to the use-after-free error.