Linux Kernel Request Queue Quality of Service API Synchronization Vulnerability

Vulnerability

A vulnerability in the Linux kernel's block layer can lead to concurrent access issues with the request queue quality of service (rq_qos) APIs. It arises from a change that moved the rq_qos_exit() call from disk_release() to del_gendisk(), creating a race condition. When rq_qos_add() is called by enabling iocost or iolatency through cgroupfs, it can overlap with del_gendisk(), leading to unsafe concurrent writes. Additionally, if rq_qos_exit() runs while rq_qos_add() is still in progress, it can cause a null pointer dereference in the blkcg_activate_policy() function. Memory can also be leaked if rq_qos_exit() is called before rq_qos_add() during disk management operations.

Impact

The vulnerability can cause memory leaks, null pointer dereferences, and unsafe concurrent writes to the rq_qos structure, potentially leading to undefined behavior in the block layer.

Reproduction

The vulnerability can be reproduced by enabling iocost or iolatency through cgroupfs, which triggers rq_qos_add() while concurrently executing del_gendisk(). This overlap causes rq_qos_exit() to be called improperly, leading to a null pointer dereference or a memory leak.

Remediation

The vulnerability has been addressed by introducing a new mutex, 'rq_qos_mutex', at the disk level. This mutex protects the rq_qos_exit() function and synchronizes rq_qos_add() calls with disk removal processes. Users should ensure they are running a version of the Linux kernel that includes this patch.
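
The locking discipline described above, as an added user-space C model (not the kernel patch and not code from this page). The `disk_model` struct, its `removed` flag and the `live` counter are assumptions made for illustration; only `rq_qos_mutex`, `rq_qos_add()` and `rq_qos_exit()` are names taken from the advisory.

```c
/* User-space model (added example, not kernel code). Struct and field
 * names are hypothetical; only rq_qos_mutex and the function names
 * rq_qos_add/rq_qos_exit come from the advisory. */
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

struct rq_qos { int id; struct rq_qos *next; };

struct disk_model {
    pthread_mutex_t rq_qos_mutex;  /* serializes add and exit */
    struct rq_qos *rq_qos;         /* policy list head */
    bool removed;                  /* assumed flag: exit has run */
    int live;                      /* allocations not yet freed */
};

void disk_init(struct disk_model *d) {
    pthread_mutex_init(&d->rq_qos_mutex, NULL);
    d->rq_qos = NULL; d->removed = false; d->live = 0;
}

/* Models enabling iocost/iolatency: attach a policy to the disk. */
int rq_qos_add(struct disk_model *d, int id) {
    int ret = 0;
    pthread_mutex_lock(&d->rq_qos_mutex);
    if (d->removed) {              /* exit already ran: refuse, nothing leaks */
        ret = -ENODEV;
    } else {
        struct rq_qos *r = malloc(sizeof(*r));
        if (!r) { ret = -ENOMEM; }
        else { r->id = id; r->next = d->rq_qos; d->rq_qos = r; d->live++; }
    }
    pthread_mutex_unlock(&d->rq_qos_mutex);
    return ret;
}

/* Models the teardown done from del_gendisk(): free every policy. */
void rq_qos_exit(struct disk_model *d) {
    pthread_mutex_lock(&d->rq_qos_mutex);
    while (d->rq_qos) {
        struct rq_qos *r = d->rq_qos;
        d->rq_qos = r->next;
        free(r);
        d->live--;
    }
    d->removed = true;             /* later adds see this under the lock */
    pthread_mutex_unlock(&d->rq_qos_mutex);
}
```

Because both functions hold the same mutex, an add either completes before teardown and is freed by it, or observes the removed state and fails without allocating.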

Added: Dec 9, 2025, 4:43 PM
Updated: Dec 9, 2025, 4:43 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.