On 7/31/25 20:07, Shin'ichiro Kawasaki wrote:
> When a zoned loop device, or zloop device, is removed, KASAN enabled
> kernel reports "BUG KASAN use-after-free" in blk_mq_free_tag_set(). The
> BUG happens because zloop_ctl_remove() calls put_disk(), which invokes
> zloop_free_disk(). The zloop_free_disk() frees the memory allocated for
> the zlo pointer. However, after the memory is freed, zloop_ctl_remove()
> calls blk_mq_free_tag_set(&zlo->tag_set), which accesses the freed zlo.
> Hence the KASAN use-after-free.
>
> zloop_ctl_remove()
>   put_disk(zlo->disk)
>     put_device()
>       kobject_put()
>         ...
>           zloop_free_disk()
>             kvfree(zlo)
>   blk_mq_free_tag_set(&zlo->tag_set)
>
> To avoid the BUG, move the call to blk_mq_free_tag_set(&zlo->tag_set)
> from zloop_ctl_remove() into zloop_free_disk(). This ensures that
> the tag_set is freed before the call to kvfree(zlo).
>
> Fixes: eb0570c7df23 ("block: new zoned loop block device driver")
> CC: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@xxxxxxx>

Reviewed-by: Damien Le Moal <dlemoal@xxxxxxxxxx>

-- 
Damien Le Moal
Western Digital Research
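As an added illustration that is not part of this thread and not kernel code, the following user-space model shows why the teardown order matters: a cleanup step that touches the container after its final put runs on freed memory, while the same step placed inside the release callback runs before the free. `zlo_dev`, `tag_set`, `remove_device()` and the `freed` flag (standing in for KASAN) are constructed for this model.

```c
#include <string.h>

/* Model of struct zloop_device with its embedded blk_mq_tag_set (constructed). */
struct tag_set { int allocated; };
struct zlo_dev {
    int refcount;
    int freed;                 /* set by release(); stands in for kvfree(zlo) */
    struct tag_set tag_set;
    void (*release)(struct zlo_dev *);
};

static char trace[64];         /* records the order of teardown steps */

static void blk_mq_free_tag_set(struct zlo_dev *zlo)
{
    /* Touching the object after its release is the use-after-free KASAN reports. */
    strcat(trace, zlo->freed ? "UAF;" : "free_tag_set;");
    zlo->tag_set.allocated = 0;
}

/* Final reference drop, like put_disk() -> kobject_put() -> zloop_free_disk(). */
static void put_disk(struct zlo_dev *zlo)
{
    if (--zlo->refcount == 0)
        zlo->release(zlo);
}

/* Original release: frees the object without touching the tag_set. */
static void release_buggy(struct zlo_dev *zlo) { zlo->freed = 1; strcat(trace, "kvfree;"); }

/* Fixed release: the tag_set teardown moved here, so it precedes the free. */
static void release_fixed(struct zlo_dev *zlo)
{
    blk_mq_free_tag_set(zlo);
    zlo->freed = 1;
    strcat(trace, "kvfree;");
}

/* Runs the remove path in the original (fixed == 0) or corrected order and
 * returns the step trace, e.g. "kvfree;UAF;" versus "free_tag_set;kvfree;". */
const char *remove_device(int fixed)
{
    struct zlo_dev zlo = { .refcount = 1, .tag_set = { .allocated = 1 },
                           .release = fixed ? release_fixed : release_buggy };
    trace[0] = '\0';
    put_disk(&zlo);
    if (!fixed)
        blk_mq_free_tag_set(&zlo);   /* original zloop_ctl_remove() order */
    return trace;
}
```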