In the Linux kernel, the following vulnerability has been resolved:
kyber: fix out of bounds access when preempted
_blkmqschedbiomerge() gets the ctx and hctx for the current CPU and passes the hctx to ->biomerge(). kyberbiomerge() then gets the ctx for the current CPU again and uses that to get the corresponding Kyber context in the passed hctx. However, the thread may be preempted between the two calls to blkmqgetctx(), and the ctx returned the second time may no longer correspond to the passed hctx. This "works" accidentally most of the time, but it can cause us to read garbage if the second ctx came from an hctx with more ctx's than the first one (i.e., if ctx->indexhw[hctx->type] > hctx->nr_ctx).
This manifested as this UBSAN array index out of bounds error reported by Jakub:
UBSAN: array-index-out-of-bounds in ../kernel/locking/qspinlock.c:130:9 index 13106 is out of range for type 'long unsigned int [128]' Call Trace: dumpstack+0xa4/0xe5 ubsanepilogue+0x5/0x40 _ubsanhandleoutofbounds.cold.13+0x2a/0x34 queuedspinlockslowpath+0x476/0x480 dorawspinlock+0x1c2/0x1d0 kyberbiomerge+0x112/0x180 blkmqsubmitbio+0x1f5/0x1100 submitbionoacct+0x7b0/0x870 submitbio+0xc2/0x3a0 btrfsmapbio+0x4f0/0x9d0 btrfssubmitdatabio+0x24e/0x310 submitonebio+0x7f/0xb0 submitextentpage+0xc4/0x440 _extentwritepageio+0x2b8/0x5e0 _extentwritepage+0x28d/0x6e0 extentwritecachepages+0x4d7/0x7a0 extentwritepages+0xa2/0x110 dowritepages+0x8f/0x180 _writebacksingleinode+0x99/0x7f0 writebacksbinodes+0x34e/0x790 _writebackinodeswb+0x9e/0x120 wbwriteback+0x4d2/0x660 wbworkfn+0x64d/0xa10 processonework+0x53a/0xa80 workerthread+0x69/0x5b0 kthread+0x20b/0x240 retfrom_fork+0x1f/0x30
Only Kyber uses the hctx, so fix it by passing the requestqueue to ->biomerge() instead. BFQ and mq-deadline just use that, and Kyber can map the queues itself to avoid the mismatch.