ublk partition_scan_work race UAF on device teardown

A race between async partition scan work and device teardown can lead to a use-after-free of ub->ub_disk (struct gendisk *). KASAN reports a slab-use-after-free with an 8-byte write from the workqueue context.

Key ordering:

• ublk_ctrl_start_dev() schedules partition_scan_work after add_disk() (trusted daemons only; unprivileged daemons keep GD_SUPPRESS_PART_SCAN set).
• ublk_stop_dev_unlocked(): del_gendisk(ub->ub_disk); ublk_detach_disk() sets ub->ub_disk = NULL; put_disk(disk) allows RCU-delayed free.
• flush_work(&ub->partition_scan_work) happens later in ublk_stop_dev(), after put_disk(), so the work can run on a freed or NULL gendisk.

The worker ublk_partition_scan_work() dereferences ub->ub_disk:

• test_and_clear_bit(GD_SUPPRESS_PART_SCAN, &disk->state)
• mutex_lock(&disk->open_mutex)
• bdev_disk_changed(disk, false)

This gives a

• KASAN slab-use-after-free in ublk_partition_scan_work (8-byte write), consistent with test_and_clear_bit() on disk->state.

Environment:

• Kernel: 6.19.0-rc4-00145-g623fb9912f6a-dirty (x86_64)
• Config: KASAN enabled; panic_on_warn=1; panic_on_oops=1
• QEMU: i440FX + PIIX

KASAN:

Disclose Timeline:

• Jan 8, 11:36 PM ET: Disclosed via security@kernel.org
• Jan 9, 2:31 AM ET: Accepted
• Jan 9, 7:15 AM ET: Patch written by ublk maintainers
• Jan 9, 8:57 AM ET: Patch applied upstream