KernelScan.io

HIGH

block hctx Reuse UAF

CVE-2024-41149

CVSS 7.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.8 HIGH


In the Linux kernel, the following vulnerability has been resolved:

block: avoid to reuse `hctx` not removed from cpuhp callback list

If the 'hctx' isn't removed from cpuhp callback list, we can't reuse it, otherwise use-after-free may be triggered.


Engine v0.2.0

Risk summary

A use-after-free vulnerability in the Linux kernel's block multi-queue subsystem could allow local attackers to cause system crashes or potentially execute arbitrary code with kernel privileges. The issue occurs when the kernel incorrectly reuses hardware context structures that are still registered for CPU hotplug callbacks, leading to memory corruption when those callbacks are later invoked on freed memory.

Affected file: block/blk-mq.c

Vulnerability analysis

Root Cause: The block layer's multi-queue (blk-mq) subsystem was reusing hardware context (hctx) structures that were still registered in CPU hotplug callback lists. When an hctx is allocated for reuse, the code only checked if the NUMA node matched but failed to verify that the hctx had been properly removed from cpuhp callback lists. This allowed reuse of hctx structures that still had active callback registrations, leading to use-after-free conditions when the callbacks were later invoked on freed memory.

Attack Surface: The attack surface is local, through the block I/O subsystem. Triggering the bug requires local access to block device operations that cause hctx allocation and reuse, particularly during CPU hotplug events or block device reconfiguration. The vulnerability is reached through normal kernel operations rather than direct user input, so it is primarily exploitable by local users or processes that can cause block I/O activity during such system state changes.

Fix Mechanism: The patch introduces a new function `blk_mq_hctx_is_reusable()` that checks whether an hctx can be safely reused by verifying that both `cpuhp_online` and `cpuhp_dead` hlist nodes are unhashed (removed from their respective callback lists). The hctx allocation code now calls this function in addition to the existing NUMA node check before reusing an hctx structure. This ensures that only properly cleaned-up hctx structures are reused, preventing use-after-free scenarios.


Branch: 6.12
Fixed in: 6.12.7
Patch commit: ee18012c8015