cve/2024/CVE-2024-49854.md


2025-09-29 21:09:30 +02:00
### [CVE-2024-49854](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49854)
![](https://img.shields.io/static/v1?label=Product&message=Linux&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=13b3d0e8cb121f99b11918a0d4bcc1ce4647d352%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=19f3bec2ac4be329b9bd12b18a989b867618d2d8%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=3630a18846c7853aa326d3b42fd0a855af7b41bc%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=3a5f45a4ad4e1fd36b0a998eef03d76a4f02a2a8%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=42c306ed723321af4003b2a41bb73728cab54f85%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=4780f50ea50cfe8e89fc3747bf3dd155488433bb%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=9e813033594b141f61ff0ef0cfaaef292564b041%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=de6c5e3a456019d2182e345730e59721714fa0b5%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=e0c20d88b7dce85d2703bb6ba77bf359959675cd%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=blue)
### Description
In the Linux kernel, the following vulnerability has been resolved:

block, bfq: fix uaf for accessing waker_bfqq after splitting

After commit 42c306ed7233 ("block, bfq: don't break merge chain in bfq_split_bfqq()"), if the current process is the last holder of bfqq, the bfqq can be freed after bfq_split_bfqq(). Hence recording the bfqq and then accessing bfqq->waker_bfqq may trigger a UAF. What's more, the waker_bfqq may be in the merge chain of bfqq, hence just recording waker_bfqq is still not safe.

Fix the problem by adding a helper bfq_waker_bfqq() to check if bfqq->waker_bfqq is in the merge chain, and the current process is the only holder.
### POC
#### Reference
No PoCs from references.
#### Github
- https://github.com/fkie-cad/nvd-json-data-feeds