{"api_version":"1","generated_at":"2026-07-15T04:51:17+00:00","cve":"CVE-2024-53170","urls":{"html":"https://cve.report/CVE-2024-53170","api":"https://cve.report/api/cve/CVE-2024-53170.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-53170","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-53170"},"summary":{"title":"block: fix uaf for flush rq while iterating tags","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix uaf for flush rq while iterating tags\n\nblk_mq_clear_flush_rq_mapping() is not called during scsi probe, by\nchecking blk_queue_init_done(). However, QUEUE_FLAG_INIT_DONE is cleared\nin del_gendisk by commit aec89dc5d421 (\"block: keep q_usage_counter in\natomic mode after del_gendisk\"), hence for disk like scsi, following\nblk_mq_destroy_queue() will not clear flush rq from tags->rqs[] as well,\ncause following uaf that is found by our syzkaller for v6.6:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261\nRead of size 4 at addr ffff88811c969c20 by task kworker/1:2H/224909\n\nCPU: 1 PID: 224909 Comm: kworker/1:2H Not tainted 6.6.0-ga836a5060850 #32\nWorkqueue: kblockd blk_mq_timeout_work\nCall Trace:\n\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106\nprint_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364\nprint_report+0x3e/0x70 mm/kasan/report.c:475\nkasan_report+0xb8/0xf0 mm/kasan/report.c:588\nblk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261\nbt_iter block/blk-mq-tag.c:288 [inline]\n__sbitmap_for_each_set include/linux/sbitmap.h:295 [inline]\nsbitmap_for_each_set include/linux/sbitmap.h:316 [inline]\nbt_for_each+0x455/0x790 block/blk-mq-tag.c:325\nblk_mq_queue_tag_busy_iter+0x320/0x740 block/blk-mq-tag.c:534\nblk_mq_timeout_work+0x1a3/0x7b0 block/blk-mq.c:1673\nprocess_one_work+0x7c4/0x1450 kernel/workqueue.c:2631\nprocess_scheduled_works kernel/workqueue.c:2704 [inline]\nworker_thread+0x804/0xe40 kernel/workqueue.c:2785\nkthread+0x346/0x450 kernel/kthread.c:388\nret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:293\n\nAllocated by task 942:\nkasan_save_stack+0x22/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\n____kasan_kmalloc mm/kasan/common.c:374 [inline]\n__kasan_kmalloc mm/kasan/common.c:383 [inline]\n__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:380\nkasan_kmalloc include/linux/kasan.h:198 [inline]\n__do_kmalloc_node mm/slab_common.c:1007 [inline]\n__kmalloc_node+0x69/0x170 mm/slab_common.c:1014\nkmalloc_node include/linux/slab.h:620 [inline]\nkzalloc_node include/linux/slab.h:732 [inline]\nblk_alloc_flush_queue+0x144/0x2f0 block/blk-flush.c:499\nblk_mq_alloc_hctx+0x601/0x940 block/blk-mq.c:3788\nblk_mq_alloc_and_init_hctx+0x27f/0x330 block/blk-mq.c:4261\nblk_mq_realloc_hw_ctxs+0x488/0x5e0 block/blk-mq.c:4294\nblk_mq_init_allocated_queue+0x188/0x860 block/blk-mq.c:4350\nblk_mq_init_queue_data block/blk-mq.c:4166 [inline]\nblk_mq_init_queue+0x8d/0x100 block/blk-mq.c:4176\nscsi_alloc_sdev+0x843/0xd50 drivers/scsi/scsi_scan.c:335\nscsi_probe_and_add_lun+0x77c/0xde0 drivers/scsi/scsi_scan.c:1189\n__scsi_scan_target+0x1fc/0x5a0 drivers/scsi/scsi_scan.c:1727\nscsi_scan_channel drivers/scsi/scsi_scan.c:1815 [inline]\nscsi_scan_channel+0x14b/0x1e0 drivers/scsi/scsi_scan.c:1791\nscsi_scan_host_selected+0x2fe/0x400 drivers/scsi/scsi_scan.c:1844\nscsi_scan+0x3a0/0x3f0 drivers/scsi/scsi_sysfs.c:151\nstore_scan+0x2a/0x60 drivers/scsi/scsi_sysfs.c:191\ndev_attr_store+0x5c/0x90 drivers/base/core.c:2388\nsysfs_kf_write+0x11c/0x170 fs/sysfs/file.c:136\nkernfs_fop_write_iter+0x3fc/0x610 fs/kernfs/file.c:338\ncall_write_iter include/linux/fs.h:2083 [inline]\nnew_sync_write+0x1b4/0x2d0 fs/read_write.c:493\nvfs_write+0x76c/0xb00 fs/read_write.c:586\nksys_write+0x127/0x250 fs/read_write.c:639\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_64+0x70/0x120 arch/x86/entry/common.c:81\nentry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nFreed by task 244687:\nkasan_save_stack+0x22/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\nkasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522\n____kasan_slab_free mm/kasan/common.c:236 [inline]\n__kasan_slab_free+0x12a/0x1b0 mm/kasan/common.c:244\nkasan_slab_free include/linux/kasan.h:164 [in\n---truncated---","state":"PUBLISHED","assigner":"Linux","published_at":"2024-12-27 14:15:24","updated_at":"2026-07-14 13:17:12"},"problem_types":["CWE-416","CWE-416 CWE-416 Use After Free"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"ADP","type":"DECLARED","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/a0e93b9fefafe97d596f9c98701ae6c3b04b3ff6","name":"https://git.kernel.org/stable/c/a0e93b9fefafe97d596f9c98701ae6c3b04b3ff6","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-019113.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-019113.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html","name":"https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/1921fe7d2836f8be1d321cf430d17e0d4e05301b","name":"https://git.kernel.org/stable/c/1921fe7d2836f8be1d321cf430d17e0d4e05301b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/3802f73bd80766d70f319658f334754164075bc3","name":"https://git.kernel.org/stable/c/3802f73bd80766d70f319658f334754164075bc3","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/1364a29b71c7837770f1902c49e7a6e234d72c92","name":"https://git.kernel.org/stable/c/1364a29b71c7837770f1902c49e7a6e234d72c92","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/61092568f2a9acb0e6e186f03f2e0649a4e86d09","name":"https://git.kernel.org/stable/c/61092568f2a9acb0e6e186f03f2e0649a4e86d09","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-53170","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53170","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6cfeadbff3f8905f2854735ebb88e581402c16c4 1921fe7d2836f8be1d321cf430d17e0d4e05301b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6cfeadbff3f8905f2854735ebb88e581402c16c4 1364a29b71c7837770f1902c49e7a6e234d72c92 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6cfeadbff3f8905f2854735ebb88e581402c16c4 a0e93b9fefafe97d596f9c98701ae6c3b04b3ff6 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6cfeadbff3f8905f2854735ebb88e581402c16c4 61092568f2a9acb0e6e186f03f2e0649a4e86d09 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6cfeadbff3f8905f2854735ebb88e581402c16c4 3802f73bd80766d70f319658f334754164075bc3 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.19","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.19 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.127 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.74 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.11.11 6.11.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.2 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.13 * original_commit_for_fix","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","version":"affected V3.1.6 * custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","version":"affected V3.1.6 * custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","version":"affected V3.1.6 * custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","version":"affected V3.1.6 * custom","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIPLUS S7-1500 CPU 1518-4 PN/DP MFP","version":"affected V3.1.6 * custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2024","cve_id":"53170","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2024-53170","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2025-02-10T17:13:13.034523Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-416","description":"CWE-416 Use After Free","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2025-02-10T17:21:09.528Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"providerMetadata":{"dateUpdated":"2025-11-03T20:46:58.372Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"}],"title":"CVE Program Container"},{"affected":[{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"V3.1.6","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"V3.1.6","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"V3.1.6","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"V3.1.6","versionType":"custom"}]},{"defaultStatus":"unknown","product":"SIPLUS S7-1500 CPU 1518-4 PN/DP MFP","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"V3.1.6","versionType":"custom"}]}],"providerMetadata":{"dateUpdated":"2026-07-14T12:38:34.196Z","orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP"},"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-019113.html"}],"x_adpType":"supplier"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["block/blk-sysfs.c","block/genhd.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"1921fe7d2836f8be1d321cf430d17e0d4e05301b","status":"affected","version":"6cfeadbff3f8905f2854735ebb88e581402c16c4","versionType":"git"},{"lessThan":"1364a29b71c7837770f1902c49e7a6e234d72c92","status":"affected","version":"6cfeadbff3f8905f2854735ebb88e581402c16c4","versionType":"git"},{"lessThan":"a0e93b9fefafe97d596f9c98701ae6c3b04b3ff6","status":"affected","version":"6cfeadbff3f8905f2854735ebb88e581402c16c4","versionType":"git"},{"lessThan":"61092568f2a9acb0e6e186f03f2e0649a4e86d09","status":"affected","version":"6cfeadbff3f8905f2854735ebb88e581402c16c4","versionType":"git"},{"lessThan":"3802f73bd80766d70f319658f334754164075bc3","status":"affected","version":"6cfeadbff3f8905f2854735ebb88e581402c16c4","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["block/blk-sysfs.c","block/genhd.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.19"},{"lessThan":"5.19","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.127","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.74","versionType":"semver"},{"lessThanOrEqual":"6.11.*","status":"unaffected","version":"6.11.11","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.2","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.13","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.127","versionStartIncluding":"5.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.74","versionStartIncluding":"5.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.11.11","versionStartIncluding":"5.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.2","versionStartIncluding":"5.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.13","versionStartIncluding":"5.19","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix uaf for flush rq while iterating tags\n\nblk_mq_clear_flush_rq_mapping() is not called during scsi probe, by\nchecking blk_queue_init_done(). However, QUEUE_FLAG_INIT_DONE is cleared\nin del_gendisk by commit aec89dc5d421 (\"block: keep q_usage_counter in\natomic mode after del_gendisk\"), hence for disk like scsi, following\nblk_mq_destroy_queue() will not clear flush rq from tags->rqs[] as well,\ncause following uaf that is found by our syzkaller for v6.6:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261\nRead of size 4 at addr ffff88811c969c20 by task kworker/1:2H/224909\n\nCPU: 1 PID: 224909 Comm: kworker/1:2H Not tainted 6.6.0-ga836a5060850 #32\nWorkqueue: kblockd blk_mq_timeout_work\nCall Trace:\n\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106\nprint_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364\nprint_report+0x3e/0x70 mm/kasan/report.c:475\nkasan_report+0xb8/0xf0 mm/kasan/report.c:588\nblk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261\nbt_iter block/blk-mq-tag.c:288 [inline]\n__sbitmap_for_each_set include/linux/sbitmap.h:295 [inline]\nsbitmap_for_each_set include/linux/sbitmap.h:316 [inline]\nbt_for_each+0x455/0x790 block/blk-mq-tag.c:325\nblk_mq_queue_tag_busy_iter+0x320/0x740 block/blk-mq-tag.c:534\nblk_mq_timeout_work+0x1a3/0x7b0 block/blk-mq.c:1673\nprocess_one_work+0x7c4/0x1450 kernel/workqueue.c:2631\nprocess_scheduled_works kernel/workqueue.c:2704 [inline]\nworker_thread+0x804/0xe40 kernel/workqueue.c:2785\nkthread+0x346/0x450 kernel/kthread.c:388\nret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:293\n\nAllocated by task 942:\nkasan_save_stack+0x22/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\n____kasan_kmalloc mm/kasan/common.c:374 [inline]\n__kasan_kmalloc mm/kasan/common.c:383 [inline]\n__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:380\nkasan_kmalloc include/linux/kasan.h:198 [inline]\n__do_kmalloc_node mm/slab_common.c:1007 [inline]\n__kmalloc_node+0x69/0x170 mm/slab_common.c:1014\nkmalloc_node include/linux/slab.h:620 [inline]\nkzalloc_node include/linux/slab.h:732 [inline]\nblk_alloc_flush_queue+0x144/0x2f0 block/blk-flush.c:499\nblk_mq_alloc_hctx+0x601/0x940 block/blk-mq.c:3788\nblk_mq_alloc_and_init_hctx+0x27f/0x330 block/blk-mq.c:4261\nblk_mq_realloc_hw_ctxs+0x488/0x5e0 block/blk-mq.c:4294\nblk_mq_init_allocated_queue+0x188/0x860 block/blk-mq.c:4350\nblk_mq_init_queue_data block/blk-mq.c:4166 [inline]\nblk_mq_init_queue+0x8d/0x100 block/blk-mq.c:4176\nscsi_alloc_sdev+0x843/0xd50 drivers/scsi/scsi_scan.c:335\nscsi_probe_and_add_lun+0x77c/0xde0 drivers/scsi/scsi_scan.c:1189\n__scsi_scan_target+0x1fc/0x5a0 drivers/scsi/scsi_scan.c:1727\nscsi_scan_channel drivers/scsi/scsi_scan.c:1815 [inline]\nscsi_scan_channel+0x14b/0x1e0 drivers/scsi/scsi_scan.c:1791\nscsi_scan_host_selected+0x2fe/0x400 drivers/scsi/scsi_scan.c:1844\nscsi_scan+0x3a0/0x3f0 drivers/scsi/scsi_sysfs.c:151\nstore_scan+0x2a/0x60 drivers/scsi/scsi_sysfs.c:191\ndev_attr_store+0x5c/0x90 drivers/base/core.c:2388\nsysfs_kf_write+0x11c/0x170 fs/sysfs/file.c:136\nkernfs_fop_write_iter+0x3fc/0x610 fs/kernfs/file.c:338\ncall_write_iter include/linux/fs.h:2083 [inline]\nnew_sync_write+0x1b4/0x2d0 fs/read_write.c:493\nvfs_write+0x76c/0xb00 fs/read_write.c:586\nksys_write+0x127/0x250 fs/read_write.c:639\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_64+0x70/0x120 arch/x86/entry/common.c:81\nentry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nFreed by task 244687:\nkasan_save_stack+0x22/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\nkasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522\n____kasan_slab_free mm/kasan/common.c:236 [inline]\n__kasan_slab_free+0x12a/0x1b0 mm/kasan/common.c:244\nkasan_slab_free include/linux/kasan.h:164 [in\n---truncated---"}],"providerMetadata":{"dateUpdated":"2026-05-11T20:52:11.774Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/1921fe7d2836f8be1d321cf430d17e0d4e05301b"},{"url":"https://git.kernel.org/stable/c/1364a29b71c7837770f1902c49e7a6e234d72c92"},{"url":"https://git.kernel.org/stable/c/a0e93b9fefafe97d596f9c98701ae6c3b04b3ff6"},{"url":"https://git.kernel.org/stable/c/61092568f2a9acb0e6e186f03f2e0649a4e86d09"},{"url":"https://git.kernel.org/stable/c/3802f73bd80766d70f319658f334754164075bc3"}],"title":"block: fix uaf for flush rq while iterating tags","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2024-53170","datePublished":"2024-12-27T13:49:15.712Z","dateReserved":"2024-11-19T17:17:25.006Z","dateUpdated":"2026-07-14T12:38:34.196Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-12-27 14:15:24","lastModifiedDate":"2026-07-14 13:17:12","problem_types":["CWE-416","CWE-416 CWE-416 Use After Free"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2025-02-10T17:13:13.034523Z","id":"CVE-2024-53170","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"6.11.11","matchCriteriaId":"A482F6D5-4DB0-4611-AF23-1D568CE9F2BF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12","versionEndExcluding":"6.12.2","matchCriteriaId":"D8882B1B-2ABC-4838-AC1D-DBDBB5764776"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"53170","Ordinal":"1","Title":"block: fix uaf for flush rq while iterating tags","CVE":"CVE-2024-53170","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"53170","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix uaf for flush rq while iterating tags\n\nblk_mq_clear_flush_rq_mapping() is not called during scsi probe, by\nchecking blk_queue_init_done(). However, QUEUE_FLAG_INIT_DONE is cleared\nin del_gendisk by commit aec89dc5d421 (\"block: keep q_usage_counter in\natomic mode after del_gendisk\"), hence for disk like scsi, following\nblk_mq_destroy_queue() will not clear flush rq from tags->rqs[] as well,\ncause following uaf that is found by our syzkaller for v6.6:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261\nRead of size 4 at addr ffff88811c969c20 by task kworker/1:2H/224909\n\nCPU: 1 PID: 224909 Comm: kworker/1:2H Not tainted 6.6.0-ga836a5060850 #32\nWorkqueue: kblockd blk_mq_timeout_work\nCall Trace:\n\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106\nprint_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364\nprint_report+0x3e/0x70 mm/kasan/report.c:475\nkasan_report+0xb8/0xf0 mm/kasan/report.c:588\nblk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261\nbt_iter block/blk-mq-tag.c:288 [inline]\n__sbitmap_for_each_set include/linux/sbitmap.h:295 [inline]\nsbitmap_for_each_set include/linux/sbitmap.h:316 [inline]\nbt_for_each+0x455/0x790 block/blk-mq-tag.c:325\nblk_mq_queue_tag_busy_iter+0x320/0x740 block/blk-mq-tag.c:534\nblk_mq_timeout_work+0x1a3/0x7b0 block/blk-mq.c:1673\nprocess_one_work+0x7c4/0x1450 kernel/workqueue.c:2631\nprocess_scheduled_works kernel/workqueue.c:2704 [inline]\nworker_thread+0x804/0xe40 kernel/workqueue.c:2785\nkthread+0x346/0x450 kernel/kthread.c:388\nret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:293\n\nAllocated by task 942:\nkasan_save_stack+0x22/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\n____kasan_kmalloc mm/kasan/common.c:374 [inline]\n__kasan_kmalloc mm/kasan/common.c:383 [inline]\n__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:380\nkasan_kmalloc include/linux/kasan.h:198 [inline]\n__do_kmalloc_node mm/slab_common.c:1007 [inline]\n__kmalloc_node+0x69/0x170 mm/slab_common.c:1014\nkmalloc_node include/linux/slab.h:620 [inline]\nkzalloc_node include/linux/slab.h:732 [inline]\nblk_alloc_flush_queue+0x144/0x2f0 block/blk-flush.c:499\nblk_mq_alloc_hctx+0x601/0x940 block/blk-mq.c:3788\nblk_mq_alloc_and_init_hctx+0x27f/0x330 block/blk-mq.c:4261\nblk_mq_realloc_hw_ctxs+0x488/0x5e0 block/blk-mq.c:4294\nblk_mq_init_allocated_queue+0x188/0x860 block/blk-mq.c:4350\nblk_mq_init_queue_data block/blk-mq.c:4166 [inline]\nblk_mq_init_queue+0x8d/0x100 block/blk-mq.c:4176\nscsi_alloc_sdev+0x843/0xd50 drivers/scsi/scsi_scan.c:335\nscsi_probe_and_add_lun+0x77c/0xde0 drivers/scsi/scsi_scan.c:1189\n__scsi_scan_target+0x1fc/0x5a0 drivers/scsi/scsi_scan.c:1727\nscsi_scan_channel drivers/scsi/scsi_scan.c:1815 [inline]\nscsi_scan_channel+0x14b/0x1e0 drivers/scsi/scsi_scan.c:1791\nscsi_scan_host_selected+0x2fe/0x400 drivers/scsi/scsi_scan.c:1844\nscsi_scan+0x3a0/0x3f0 drivers/scsi/scsi_sysfs.c:151\nstore_scan+0x2a/0x60 drivers/scsi/scsi_sysfs.c:191\ndev_attr_store+0x5c/0x90 drivers/base/core.c:2388\nsysfs_kf_write+0x11c/0x170 fs/sysfs/file.c:136\nkernfs_fop_write_iter+0x3fc/0x610 fs/kernfs/file.c:338\ncall_write_iter include/linux/fs.h:2083 [inline]\nnew_sync_write+0x1b4/0x2d0 fs/read_write.c:493\nvfs_write+0x76c/0xb00 fs/read_write.c:586\nksys_write+0x127/0x250 fs/read_write.c:639\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_64+0x70/0x120 arch/x86/entry/common.c:81\nentry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nFreed by task 244687:\nkasan_save_stack+0x22/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\nkasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522\n____kasan_slab_free mm/kasan/common.c:236 [inline]\n__kasan_slab_free+0x12a/0x1b0 mm/kasan/common.c:244\nkasan_slab_free include/linux/kasan.h:164 [in\n---truncated---","Type":"Description","Title":"block: fix uaf for flush rq while iterating tags"}]}}}