Commit 670bfe68 authored by Yu Kuai's avatar Yu Kuai Committed by Jens Axboe
Browse files

blk-mq: fix null-ptr-deref in blk_mq_free_tags() from error path 



blk_mq_free_tags() can be called after blk_mq_init_tags(), while
tags->page_list is still not initialized, causing null-ptr-deref.

Fix this problem by initializing tags->page_list at blk_mq_init_tags(),
meanwhile, also free tags directly from error path because there is no
srcu barrier.

Fixes: ad0d05db ("blk-mq: Defer freeing of tags page_list to SRCU callback")
Reported-by: default avatar <syzbot+5c5d41e80248d610221f@syzkaller.appspotmail.com>
Closes: https://lore.kernel.org/all/68d1b079.a70a0220.1b52b.0000.GAE@google.com/


Signed-off-by: default avatarYu Kuai <yukuai3@huawei.com>
Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
parent fea55691

block/blk-mq-tag.c

+9 −0
Original line number Diff line number Diff line
@@ -566,6 +566,8 @@ struct blk_mq_tags *blk_mq_init_tags(unsigned int total_tags, 
	tags->nr_tags = total_tags;

	tags->nr_reserved_tags = reserved_tags;

	spin_lock_init(&tags->lock);

	INIT_LIST_HEAD(&tags->page_list);



	if (bt_alloc(&tags->bitmap_tags, depth, round_robin, node))

		goto out_free_tags;

	if (bt_alloc(&tags->breserved_tags, reserved_tags, round_robin, node))
@@ -603,6 +605,13 @@ void blk_mq_free_tags(struct blk_mq_tag_set *set, struct blk_mq_tags *tags) 
{

	sbitmap_queue_free(&tags->bitmap_tags);

	sbitmap_queue_free(&tags->breserved_tags);



	/* if tags pages is not allocated yet, free tags directly */

	if (list_empty(&tags->page_list)) {

		kfree(tags);

		return;

	}



	call_srcu(&set->tags_srcu, &tags->rcu_head, blk_mq_free_tags_callback);

}

block/blk-mq.c

+0 −2
Original line number Diff line number Diff line
@@ -3582,8 +3582,6 @@ static int blk_mq_alloc_rqs(struct blk_mq_tag_set *set, 
	if (node == NUMA_NO_NODE)

		node = set->numa_node;



	INIT_LIST_HEAD(&tags->page_list);



	/*

	 * rq_size is the size of the request plus driver payload, rounded

	 * to the cacheline size