Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
blk-mq: fix NULL dereference on q->elevator in blk_mq_elv_switch_none

After grabbing q->sysfs_lock, q->elevator may become NULL because of
elevator switch.

Fix the NULL dereference on q->elevator by checking it with lock.

Reported-by: Guangwu Zhang <guazhang@redhat.com>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20230616132354.415109-1-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>

Authored by Ming Lei and committed by Jens Axboe
24516565 84bd06c6

+7 -3
block/blk-mq.c
··· 4604 4604 { 4605 4605 struct blk_mq_qe_pair *qe; 4606 4606 4607 - if (!q->elevator) 4608 - return true; 4609 - 4610 4607 qe = kmalloc(sizeof(*qe), GFP_NOIO | __GFP_NOWARN | __GFP_NORETRY); 4611 4608 if (!qe) 4612 4609 return false; 4613 4610 4614 4611 /* q->elevator needs protection from ->sysfs_lock */ 4615 4612 mutex_lock(&q->sysfs_lock); 4613 + 4614 + /* the check has to be done with holding sysfs_lock */ 4615 + if (!q->elevator) { 4616 + kfree(qe); 4617 + goto unlock; 4618 + } 4616 4619 4617 4620 INIT_LIST_HEAD(&qe->node); 4618 4621 qe->q = q; ··· 4624 4621 __elevator_get(qe->type); 4625 4622 list_add(&qe->node, head); 4626 4623 elevator_disable(q); 4624 + unlock: 4627 4625 mutex_unlock(&q->sysfs_lock); 4628 4626 4629 4627 return true;
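
Review bot: in the first hunk of block/blk-mq.c, the kmalloc() of qe now runs before the q->elevator check, so a queue with no elevator pays for an allocation that is immediately kfree'd, and if that allocation fails the function returns false where the removed `if (!q->elevator) return true;` returned true. Consider taking q->sysfs_lock first and allocating only once the check has passed, or otherwise keeping the no-elevator path independent of allocation success, and state in the commit message whether the changed return value on allocation failure is intended. The new comment "the check has to be done with holding sysfs_lock" would also be more useful if it said why, namely that an elevator switch can set q->elevator to NULL concurrently.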