Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's writeback path after a disk is removed. When a disk is disconnected, bdi_unregister() is called to stop further writeback and to wait for the associated delayed work to finish. However, wb_inode_writeback_end() may schedule bandwidth estimation work after that has completed, so the resulting timer can later access a bdi_writeback structure that has already been freed. The fix checks that the bdi_writeback is still active before scheduling this work, similar to the check already made when scheduling writeback work. In addition, the writeback structure's work lock has been changed to an interrupt-safe lock, because wb_inode_writeback_end() may be called from interrupt context.
Exploitation of this vulnerability could lead to a use-after-free condition, potentially allowing for arbitrary code execution or memory corruption.
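The ordering problem and the shape of the fix can be seen in a small userspace model. This is an added example, not kernel code: the struct, its field names (registered, pending_bw_work) and the wb_model_* functions are assumptions made for illustration, and a C11 atomic flag stands in for the interrupt-safe work lock.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: field names are assumptions, not the kernel layout. */
struct wb_model {
    atomic_flag work_lock;  /* stands in for the writeback work lock */
    bool registered;        /* cleared when the disk's bdi is unregistered */
    int pending_bw_work;    /* queued bandwidth-estimation timers */
};

static void wb_lock(struct wb_model *wb) {
    while (atomic_flag_test_and_set_explicit(&wb->work_lock, memory_order_acquire)) { }
}
static void wb_unlock(struct wb_model *wb) {
    atomic_flag_clear_explicit(&wb->work_lock, memory_order_release);
}

/* Unregister: mark inactive under the lock, then flush whatever is queued. */
void wb_model_unregister(struct wb_model *wb) {
    wb_lock(wb);
    wb->registered = false;
    wb_unlock(wb);
    wb->pending_bw_work = 0;  /* after this point the structure may be freed */
}

/* Writeback completion; `checked` selects the patched behaviour. */
bool wb_model_writeback_end(struct wb_model *wb, bool checked) {
    bool queued;
    wb_lock(wb);
    queued = !checked || wb->registered;  /* patched path tests the flag under the lock */
    if (queued)
        wb->pending_bw_work++;
    wb_unlock(wb);
    return queued;
}

/* Timers left queued when a completion arrives after unregister has finished. */
int leftover_after_late_completion(bool checked) {
    struct wb_model wb = { ATOMIC_FLAG_INIT, true, 0 };
    wb_model_unregister(&wb);
    wb_model_writeback_end(&wb, checked);
    return wb.pending_bw_work;
}

int main(void) {
    printf("unchecked=%d checked=%d\n", leftover_after_late_completion(false), leftover_after_late_completion(true));
    return 0;
}
```

A non-zero leftover count in the unchecked case corresponds to the timer that would later run against freed memory; with the check, a late completion queues nothing.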