Skip to content

Commit 9130a71

Browse files
author
Ming Lei
committed
blk-mq: fix null-ptr-deref in blk_mq_free_tags() from error path
JIRA: https://issues.redhat.com/browse/RHEL-123480 commit 670bfe6 Author: Yu Kuai <yukuai3@huawei.com> Date: Tue Sep 23 15:01:01 2025 +0800 blk-mq: fix null-ptr-deref in blk_mq_free_tags() from error path blk_mq_free_tags() can be called after blk_mq_init_tags(), while tags->page_list is still not initialized, causing null-ptr-deref. Fix this problem by initializing tags->page_list at blk_mq_init_tags(), meanwhile, also free tags directly from error path because there is no srcu barrier. Fixes: ad0d05d ("blk-mq: Defer freeing of tags page_list to SRCU callback") Reported-by: syzbot+5c5d41e80248d610221f@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/68d1b079.a70a0220.1b52b.0000.GAE@google.com/ Signed-off-by: Yu Kuai <yukuai3@huawei.com> Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Ming Lei <ming.lei@redhat.com>
1 parent 8999ae3 commit 9130a71

File tree

2 files changed

+9
-2
lines changed

2 files changed

+9
-2
lines changed

block/blk-mq-tag.c

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -569,6 +569,8 @@ struct blk_mq_tags *blk_mq_init_tags(unsigned int total_tags,
569569
tags->nr_tags = total_tags;
570570
tags->nr_reserved_tags = reserved_tags;
571571
spin_lock_init(&tags->lock);
572+
INIT_LIST_HEAD(&tags->page_list);
573+
572574
if (bt_alloc(&tags->bitmap_tags, depth, round_robin, node))
573575
goto out_free_tags;
574576
if (bt_alloc(&tags->breserved_tags, reserved_tags, round_robin, node))
@@ -606,6 +608,13 @@ void blk_mq_free_tags(struct blk_mq_tag_set *set, struct blk_mq_tags *tags)
606608
{
607609
sbitmap_queue_free(&tags->bitmap_tags);
608610
sbitmap_queue_free(&tags->breserved_tags);
611+
612+
/* if tags pages is not allocated yet, free tags directly */
613+
if (list_empty(&tags->page_list)) {
614+
kfree(tags);
615+
return;
616+
}
617+
609618
call_srcu(&set->tags_srcu, &tags->rcu_head, blk_mq_free_tags_callback);
610619
}
611620

block/blk-mq.c

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -3572,8 +3572,6 @@ static int blk_mq_alloc_rqs(struct blk_mq_tag_set *set,
35723572
if (node == NUMA_NO_NODE)
35733573
node = set->numa_node;
35743574

3575-
INIT_LIST_HEAD(&tags->page_list);
3576-
35773575
/*
35783576
* rq_size is the size of the request plus driver payload, rounded
35793577
* to the cacheline size

0 commit comments

Comments
 (0)