To avoid use-after-free in accessing stale requests in the driver tags rqs[], clear the mappings for the request queue static rqs.
Signed-off-by: John Garry <john.garry@xxxxxxxxxx>
---
 block/blk-mq-sched.c | 1 +
 block/blk-mq.h | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/block/blk-mq-sched.c b/block/blk-mq-sched.c
index 7b5c46647820..f1cea7f3bc68 100644
--- a/block/blk-mq-sched.c
+++ b/block/blk-mq-sched.c
@@ -711,6 +711,7 @@ void blk_mq_sched_free_requests(struct request_queue *q)
 queue_for_each_hw_ctx(q, hctx, i) {
 if (hctx->sched_tags) {
 if (blk_mq_is_sbitmap_shared(q->tag_set->flags)) {
+ blk_mq_clear_rq_mapping(q->tag_set, i, &q->page_list);
 } else {
 blk_mq_free_rqs(q->tag_set, hctx->sched_tags, i);
 }
diff --git a/block/blk-mq.h b/block/blk-mq.h
index 1e0fbb06412b..a5b7aa7a07b9 100644
--- a/block/blk-mq.h
+++ b/block/blk-mq.h
@@ -69,6 +69,8 @@ int blk_mq_alloc_rqs(struct blk_mq_tag_set *set, struct blk_mq_tags *tags,
 int __blk_mq_alloc_rqs(struct blk_mq_tag_set *set, unsigned int hctx_idx, unsigned int depth, struct list_head *page_list, struct request **static_rqs);
+void blk_mq_clear_rq_mapping(struct blk_mq_tag_set *set, unsigned int hctx_idx,
+ struct list_head *page_list);
 /*
 * Internal helpers for request insertion into sw queues
--
2.26.2
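Review bot: In blk_mq_sched_free_requests() (block/blk-mq-sched.c), the added `blk_mq_clear_rq_mapping(q->tag_set, i, &q->page_list);` closes the use-after-free only if it is serialised against code that reads the driver tags' rqs[]; the hunk shows no lock or grace period around the call. An iterator that loaded a request pointer just before the clear could still dereference it after the pages on q->page_list are freed, unless the helper (whose body is not in this patch) handles that. The shared-sbitmap branch also does not show where those pages are freed, and the clear has to come before that point. I would put `/* Clear driver-tag rqs[] entries pointing into q->page_list before those pages are freed. */` above the call and name the synchronisation in the commit message. The function starts and ends outside the hunk.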
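Review bot: The prototype added for blk_mq_clear_rq_mapping() in block/blk-mq.h has no matching definition in this patch; the diffstat touches only blk-mq-sched.c and blk-mq.h. Presumably the function is defined by an earlier patch in the series, but if it is `static` there this declaration conflicts with it and the build fails, so the change that drops `static` belongs in this commit. The prototype would also benefit from a one-line comment saying which tags' rqs[] entries it clears and what page_list must contain, since callers cannot tell that from the signature.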