{"api_version":"1","generated_at":"2026-05-13T19:22:30+00:00","cve":"CVE-2024-47706","urls":{"html":"https://cve.report/CVE-2024-47706","api":"https://cve.report/api/cve/CVE-2024-47706.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-47706","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-47706"},"summary":{"title":"block, bfq: fix possible UAF for bfqq->bic with merge chain","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix possible UAF for bfqq->bic with merge chain\n\n1) initial state, three tasks:\n\n\t\tProcess 1       Process 2\tProcess 3\n\t\t (BIC1)          (BIC2)\t\t (BIC3)\n\t\t  |  Λ            |  Λ\t\t  |  Λ\n\t\t  |  |            |  |\t\t  |  |\n\t\t  V  |            V  |\t\t  V  |\n\t\t  bfqq1           bfqq2\t\t  bfqq3\nprocess ref:\t   1\t\t    1\t\t    1\n\n2) bfqq1 merged to bfqq2:\n\n\t\tProcess 1       Process 2\tProcess 3\n\t\t (BIC1)          (BIC2)\t\t (BIC3)\n\t\t  |               |\t\t  |  Λ\n\t\t  \\--------------\\|\t\t  |  |\n\t\t                  V\t\t  V  |\n\t\t  bfqq1--------->bfqq2\t\t  bfqq3\nprocess ref:\t   0\t\t    2\t\t    1\n\n3) bfqq2 merged to bfqq3:\n\n\t\tProcess 1       Process 2\tProcess 3\n\t\t (BIC1)          (BIC2)\t\t (BIC3)\n\t here -> Λ                |\t\t  |\n\t\t  \\--------------\\ \\-------------\\|\n\t\t                  V\t\t  V\n\t\t  bfqq1--------->bfqq2---------->bfqq3\nprocess ref:\t   0\t\t    1\t\t    3\n\nIn this case, IO from Process 1 will get bfqq2 from BIC1 first, and then\nget bfqq3 through merge chain, and finially handle IO by bfqq3.\nHowerver, current code will think bfqq2 is owned by BIC1, like initial\nstate, and set bfqq2->bic to BIC1.\n\nbfq_insert_request\n-> by Process 1\n bfqq = bfq_init_rq(rq)\n  bfqq = bfq_get_bfqq_handle_split\n   bfqq = bic_to_bfqq\n   -> get bfqq2 from BIC1\n bfqq->ref++\n rq->elv.priv[0] = bic\n rq->elv.priv[1] = bfqq\n if (bfqq_process_refs(bfqq) == 1)\n  bfqq->bic = bic\n  -> record BIC1 to bfqq2\n\n  __bfq_insert_request\n   new_bfqq = bfq_setup_cooperator\n   -> get bfqq3 from bfqq2->new_bfqq\n   bfqq_request_freed(bfqq)\n   new_bfqq->ref++\n   rq->elv.priv[1] = new_bfqq\n   -> handle IO by bfqq3\n\nFix the problem by checking bfqq is from merge chain fist. And this\nmight fix a following problem reported by our syzkaller(unreproducible):\n\n==================================================================\nBUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]\nBUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]\nBUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889\nWrite of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595\n\nCPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G             L     6.6.0-07439-gba2303cacfda #6\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\nWorkqueue: kblockd blk_mq_requeue_work\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:364 [inline]\n print_report+0x10d/0x610 mm/kasan/report.c:475\n kasan_report+0x8e/0xc0 mm/kasan/report.c:588\n bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]\n bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]\n bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889\n bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757\n bfq_init_rq block/bfq-iosched.c:6876 [inline]\n bfq_insert_request block/bfq-iosched.c:6254 [inline]\n bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304\n blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593\n blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502\n process_one_work kernel/workqueue.c:2627 [inline]\n process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700\n worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781\n kthread+0x33c/0x440 kernel/kthread.c:388\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305\n </TASK>\n\nAllocated by task 20776:\n kasan_save_stack+0x20/0x40 mm/kasan/common.c:45\n kasan_set_track+0x25/0x30 mm/kasan/common.c:52\n __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328\n kasan_slab_alloc include/linux/kasan.h:188 [inline]\n slab_post_alloc_hook mm/slab.h:763 [inline]\n slab_alloc_node mm/slub.c:3458 [inline]\n kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503\n ioc_create_icq block/blk-ioc.c:370 [inline]\n---truncated---","state":"PUBLISHED","assigner":"Linux","published_at":"2024-10-21 12:15:07","updated_at":"2026-05-12 12:17:14"},"problem_types":["CWE-416"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/6d130db286ad0ea392c96ebb2551acf0d7308048","name":"https://git.kernel.org/stable/c/6d130db286ad0ea392c96ebb2551acf0d7308048","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/880692ee233ba63808182705b3333403413b58f5","name":"https://git.kernel.org/stable/c/880692ee233ba63808182705b3333403413b58f5","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html","name":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a9bdd5b36887d2bacb8bc777fd18317c99fc2587","name":"https://git.kernel.org/stable/c/a9bdd5b36887d2bacb8bc777fd18317c99fc2587","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/ddbdaad123254fb53e32480cb74a486a6868b1e0","name":"https://git.kernel.org/stable/c/ddbdaad123254fb53e32480cb74a486a6868b1e0","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/e1277ae780cca4e69ef5468d4582dfd48f0b8320","name":"https://git.kernel.org/stable/c/e1277ae780cca4e69ef5468d4582dfd48f0b8320","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/7faed2896d78e48ec96229e73b30b0af6c00a9aa","name":"https://git.kernel.org/stable/c/7faed2896d78e48ec96229e73b30b0af6c00a9aa","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/18ad4df091dd5d067d2faa8fce1180b79f7041a7","name":"https://git.kernel.org/stable/c/18ad4df091dd5d067d2faa8fce1180b79f7041a7","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/8aa9de02a4be2e7006e636816ce19b0d667ceaa3","name":"https://git.kernel.org/stable/c/8aa9de02a4be2e7006e636816ce19b0d667ceaa3","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-355557.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-355557.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html","name":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/bc2140534b2aae752e4f7cb4489642dbb5ec4777","name":"https://git.kernel.org/stable/c/bc2140534b2aae752e4f7cb4489642dbb5ec4777","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-47706","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47706","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 36eca894832351feed9072d0f97eb06fc9482ca4 a9bdd5b36887d2bacb8bc777fd18317c99fc2587 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 36eca894832351feed9072d0f97eb06fc9482ca4 bc2140534b2aae752e4f7cb4489642dbb5ec4777 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 36eca894832351feed9072d0f97eb06fc9482ca4 e1277ae780cca4e69ef5468d4582dfd48f0b8320 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 36eca894832351feed9072d0f97eb06fc9482ca4 8aa9de02a4be2e7006e636816ce19b0d667ceaa3 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 36eca894832351feed9072d0f97eb06fc9482ca4 ddbdaad123254fb53e32480cb74a486a6868b1e0 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 36eca894832351feed9072d0f97eb06fc9482ca4 7faed2896d78e48ec96229e73b30b0af6c00a9aa git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 36eca894832351feed9072d0f97eb06fc9482ca4 880692ee233ba63808182705b3333403413b58f5 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 36eca894832351feed9072d0f97eb06fc9482ca4 6d130db286ad0ea392c96ebb2551acf0d7308048 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 36eca894832351feed9072d0f97eb06fc9482ca4 18ad4df091dd5d067d2faa8fce1180b79f7041a7 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 4.12","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 4.12 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 4.19.323 4.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.4.285 5.4.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.227 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.168 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.113 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.54 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.10.13 6.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.11.2 6.11.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12 * original_commit_for_fix","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"RUGGEDCOM RST2428P","version":"affected V3.2 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family","version":"affected V3.2 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SCALANCE XCM-/XRM-/XCH-/XRH-300 family","version":"affected V3.2 custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","version":"affected * custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2024","cve_id":"47706","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2024-47706","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2024-10-21T13:03:53.838190Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-10-21T13:04:19.673Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"providerMetadata":{"dateUpdated":"2025-11-03T22:21:10.318Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"}],"title":"CVE Program Container"},{"affected":[{"defaultStatus":"unknown","product":"RUGGEDCOM RST2428P","vendor":"Siemens","versions":[{"lessThan":"V3.2","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family","vendor":"Siemens","versions":[{"lessThan":"V3.2","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SCALANCE XCM-/XRM-/XCH-/XRH-300 family","vendor":"Siemens","versions":[{"lessThan":"V3.2","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"0","versionType":"custom"}]}],"providerMetadata":{"dateUpdated":"2026-05-12T11:58:28.698Z","orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP"},"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-355557.html"}],"x_adpType":"supplier"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["block/bfq-iosched.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"a9bdd5b36887d2bacb8bc777fd18317c99fc2587","status":"affected","version":"36eca894832351feed9072d0f97eb06fc9482ca4","versionType":"git"},{"lessThan":"bc2140534b2aae752e4f7cb4489642dbb5ec4777","status":"affected","version":"36eca894832351feed9072d0f97eb06fc9482ca4","versionType":"git"},{"lessThan":"e1277ae780cca4e69ef5468d4582dfd48f0b8320","status":"affected","version":"36eca894832351feed9072d0f97eb06fc9482ca4","versionType":"git"},{"lessThan":"8aa9de02a4be2e7006e636816ce19b0d667ceaa3","status":"affected","version":"36eca894832351feed9072d0f97eb06fc9482ca4","versionType":"git"},{"lessThan":"ddbdaad123254fb53e32480cb74a486a6868b1e0","status":"affected","version":"36eca894832351feed9072d0f97eb06fc9482ca4","versionType":"git"},{"lessThan":"7faed2896d78e48ec96229e73b30b0af6c00a9aa","status":"affected","version":"36eca894832351feed9072d0f97eb06fc9482ca4","versionType":"git"},{"lessThan":"880692ee233ba63808182705b3333403413b58f5","status":"affected","version":"36eca894832351feed9072d0f97eb06fc9482ca4","versionType":"git"},{"lessThan":"6d130db286ad0ea392c96ebb2551acf0d7308048","status":"affected","version":"36eca894832351feed9072d0f97eb06fc9482ca4","versionType":"git"},{"lessThan":"18ad4df091dd5d067d2faa8fce1180b79f7041a7","status":"affected","version":"36eca894832351feed9072d0f97eb06fc9482ca4","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["block/bfq-iosched.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"4.12"},{"lessThan":"4.12","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"4.19.*","status":"unaffected","version":"4.19.323","versionType":"semver"},{"lessThanOrEqual":"5.4.*","status":"unaffected","version":"5.4.285","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.227","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.168","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.113","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.54","versionType":"semver"},{"lessThanOrEqual":"6.10.*","status":"unaffected","version":"6.10.13","versionType":"semver"},{"lessThanOrEqual":"6.11.*","status":"unaffected","version":"6.11.2","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.12","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"4.19.323","versionStartIncluding":"4.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.4.285","versionStartIncluding":"4.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.227","versionStartIncluding":"4.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.168","versionStartIncluding":"4.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.113","versionStartIncluding":"4.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.54","versionStartIncluding":"4.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.10.13","versionStartIncluding":"4.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.11.2","versionStartIncluding":"4.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12","versionStartIncluding":"4.12","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix possible UAF for bfqq->bic with merge chain\n\n1) initial state, three tasks:\n\n\t\tProcess 1       Process 2\tProcess 3\n\t\t (BIC1)          (BIC2)\t\t (BIC3)\n\t\t  |  Λ            |  Λ\t\t  |  Λ\n\t\t  |  |            |  |\t\t  |  |\n\t\t  V  |            V  |\t\t  V  |\n\t\t  bfqq1           bfqq2\t\t  bfqq3\nprocess ref:\t   1\t\t    1\t\t    1\n\n2) bfqq1 merged to bfqq2:\n\n\t\tProcess 1       Process 2\tProcess 3\n\t\t (BIC1)          (BIC2)\t\t (BIC3)\n\t\t  |               |\t\t  |  Λ\n\t\t  \\--------------\\|\t\t  |  |\n\t\t                  V\t\t  V  |\n\t\t  bfqq1--------->bfqq2\t\t  bfqq3\nprocess ref:\t   0\t\t    2\t\t    1\n\n3) bfqq2 merged to bfqq3:\n\n\t\tProcess 1       Process 2\tProcess 3\n\t\t (BIC1)          (BIC2)\t\t (BIC3)\n\t here -> Λ                |\t\t  |\n\t\t  \\--------------\\ \\-------------\\|\n\t\t                  V\t\t  V\n\t\t  bfqq1--------->bfqq2---------->bfqq3\nprocess ref:\t   0\t\t    1\t\t    3\n\nIn this case, IO from Process 1 will get bfqq2 from BIC1 first, and then\nget bfqq3 through merge chain, and finially handle IO by bfqq3.\nHowerver, current code will think bfqq2 is owned by BIC1, like initial\nstate, and set bfqq2->bic to BIC1.\n\nbfq_insert_request\n-> by Process 1\n bfqq = bfq_init_rq(rq)\n  bfqq = bfq_get_bfqq_handle_split\n   bfqq = bic_to_bfqq\n   -> get bfqq2 from BIC1\n bfqq->ref++\n rq->elv.priv[0] = bic\n rq->elv.priv[1] = bfqq\n if (bfqq_process_refs(bfqq) == 1)\n  bfqq->bic = bic\n  -> record BIC1 to bfqq2\n\n  __bfq_insert_request\n   new_bfqq = bfq_setup_cooperator\n   -> get bfqq3 from bfqq2->new_bfqq\n   bfqq_request_freed(bfqq)\n   new_bfqq->ref++\n   rq->elv.priv[1] = new_bfqq\n   -> handle IO by bfqq3\n\nFix the problem by checking bfqq is from merge chain fist. And this\nmight fix a following problem reported by our syzkaller(unreproducible):\n\n==================================================================\nBUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]\nBUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]\nBUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889\nWrite of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595\n\nCPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G             L     6.6.0-07439-gba2303cacfda #6\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\nWorkqueue: kblockd blk_mq_requeue_work\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:364 [inline]\n print_report+0x10d/0x610 mm/kasan/report.c:475\n kasan_report+0x8e/0xc0 mm/kasan/report.c:588\n bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]\n bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]\n bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889\n bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757\n bfq_init_rq block/bfq-iosched.c:6876 [inline]\n bfq_insert_request block/bfq-iosched.c:6254 [inline]\n bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304\n blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593\n blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502\n process_one_work kernel/workqueue.c:2627 [inline]\n process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700\n worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781\n kthread+0x33c/0x440 kernel/kthread.c:388\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305\n </TASK>\n\nAllocated by task 20776:\n kasan_save_stack+0x20/0x40 mm/kasan/common.c:45\n kasan_set_track+0x25/0x30 mm/kasan/common.c:52\n __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328\n kasan_slab_alloc include/linux/kasan.h:188 [inline]\n slab_post_alloc_hook mm/slab.h:763 [inline]\n slab_alloc_node mm/slub.c:3458 [inline]\n kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503\n ioc_create_icq block/blk-ioc.c:370 [inline]\n---truncated---"}],"providerMetadata":{"dateUpdated":"2026-05-11T20:39:12.735Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/a9bdd5b36887d2bacb8bc777fd18317c99fc2587"},{"url":"https://git.kernel.org/stable/c/bc2140534b2aae752e4f7cb4489642dbb5ec4777"},{"url":"https://git.kernel.org/stable/c/e1277ae780cca4e69ef5468d4582dfd48f0b8320"},{"url":"https://git.kernel.org/stable/c/8aa9de02a4be2e7006e636816ce19b0d667ceaa3"},{"url":"https://git.kernel.org/stable/c/ddbdaad123254fb53e32480cb74a486a6868b1e0"},{"url":"https://git.kernel.org/stable/c/7faed2896d78e48ec96229e73b30b0af6c00a9aa"},{"url":"https://git.kernel.org/stable/c/880692ee233ba63808182705b3333403413b58f5"},{"url":"https://git.kernel.org/stable/c/6d130db286ad0ea392c96ebb2551acf0d7308048"},{"url":"https://git.kernel.org/stable/c/18ad4df091dd5d067d2faa8fce1180b79f7041a7"}],"title":"block, bfq: fix possible UAF for bfqq->bic with merge chain","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2024-47706","datePublished":"2024-10-21T11:53:40.759Z","dateReserved":"2024-09-30T16:00:12.946Z","dateUpdated":"2026-05-12T11:58:28.698Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-10-21 12:15:07","lastModifiedDate":"2026-05-12 12:17:14","problem_types":["CWE-416"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.12","versionEndExcluding":"5.10.227","matchCriteriaId":"8E629794-ADD6-44B5-8F8E-B768F34539E0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.168","matchCriteriaId":"4D51C05D-455B-4D8D-89E7-A58E140B864C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.113","matchCriteriaId":"D01BD22E-ACD1-4618-9D01-6116570BE1EE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.54","matchCriteriaId":"D448821D-C085-4CAF-88FA-2DDE7BE21976"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.10.13","matchCriteriaId":"CE94BB8D-B0AB-4563-9ED7-A12122B56EBE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11","versionEndExcluding":"6.11.2","matchCriteriaId":"AB755D26-97F4-43B6-8604-CD076811E181"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"47706","Ordinal":"1","Title":"block, bfq: fix possible UAF for bfqq->bic with merge chain","CVE":"CVE-2024-47706","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"47706","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix possible UAF for bfqq->bic with merge chain\n\n1) initial state, three tasks:\n\n\t\tProcess 1       Process 2\tProcess 3\n\t\t (BIC1)          (BIC2)\t\t (BIC3)\n\t\t  |  Λ            |  Λ\t\t  |  Λ\n\t\t  |  |            |  |\t\t  |  |\n\t\t  V  |            V  |\t\t  V  |\n\t\t  bfqq1           bfqq2\t\t  bfqq3\nprocess ref:\t   1\t\t    1\t\t    1\n\n2) bfqq1 merged to bfqq2:\n\n\t\tProcess 1       Process 2\tProcess 3\n\t\t (BIC1)          (BIC2)\t\t (BIC3)\n\t\t  |               |\t\t  |  Λ\n\t\t  \\--------------\\|\t\t  |  |\n\t\t                  V\t\t  V  |\n\t\t  bfqq1--------->bfqq2\t\t  bfqq3\nprocess ref:\t   0\t\t    2\t\t    1\n\n3) bfqq2 merged to bfqq3:\n\n\t\tProcess 1       Process 2\tProcess 3\n\t\t (BIC1)          (BIC2)\t\t (BIC3)\n\t here -> Λ                |\t\t  |\n\t\t  \\--------------\\ \\-------------\\|\n\t\t                  V\t\t  V\n\t\t  bfqq1--------->bfqq2---------->bfqq3\nprocess ref:\t   0\t\t    1\t\t    3\n\nIn this case, IO from Process 1 will get bfqq2 from BIC1 first, and then\nget bfqq3 through merge chain, and finially handle IO by bfqq3.\nHowerver, current code will think bfqq2 is owned by BIC1, like initial\nstate, and set bfqq2->bic to BIC1.\n\nbfq_insert_request\n-> by Process 1\n bfqq = bfq_init_rq(rq)\n  bfqq = bfq_get_bfqq_handle_split\n   bfqq = bic_to_bfqq\n   -> get bfqq2 from BIC1\n bfqq->ref++\n rq->elv.priv[0] = bic\n rq->elv.priv[1] = bfqq\n if (bfqq_process_refs(bfqq) == 1)\n  bfqq->bic = bic\n  -> record BIC1 to bfqq2\n\n  __bfq_insert_request\n   new_bfqq = bfq_setup_cooperator\n   -> get bfqq3 from bfqq2->new_bfqq\n   bfqq_request_freed(bfqq)\n   new_bfqq->ref++\n   rq->elv.priv[1] = new_bfqq\n   -> handle IO by bfqq3\n\nFix the problem by checking bfqq is from merge chain fist. And this\nmight fix a following problem reported by our syzkaller(unreproducible):\n\n==================================================================\nBUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]\nBUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]\nBUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889\nWrite of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595\n\nCPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G             L     6.6.0-07439-gba2303cacfda #6\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\nWorkqueue: kblockd blk_mq_requeue_work\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:364 [inline]\n print_report+0x10d/0x610 mm/kasan/report.c:475\n kasan_report+0x8e/0xc0 mm/kasan/report.c:588\n bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]\n bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]\n bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889\n bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757\n bfq_init_rq block/bfq-iosched.c:6876 [inline]\n bfq_insert_request block/bfq-iosched.c:6254 [inline]\n bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304\n blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593\n blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502\n process_one_work kernel/workqueue.c:2627 [inline]\n process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700\n worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781\n kthread+0x33c/0x440 kernel/kthread.c:388\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305\n </TASK>\n\nAllocated by task 20776:\n kasan_save_stack+0x20/0x40 mm/kasan/common.c:45\n kasan_set_track+0x25/0x30 mm/kasan/common.c:52\n __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328\n kasan_slab_alloc include/linux/kasan.h:188 [inline]\n slab_post_alloc_hook mm/slab.h:763 [inline]\n slab_alloc_node mm/slub.c:3458 [inline]\n kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503\n ioc_create_icq block/blk-ioc.c:370 [inline]\n---truncated---","Type":"Description","Title":"block, bfq: fix possible UAF for bfqq->bic with merge chain"}]}}}