Patch "blk-mq: fix NULL dereference on q->elevator in blk_mq_elv_switch_none" has been added to the 6.4-stable tree

This is a note to let you know that I've just added the patch titled

    blk-mq: fix NULL dereference on q->elevator in blk_mq_elv_switch_none

to the 6.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     blk-mq-fix-null-dereference-on-q-elevator-in-blk_mq_.patch
and it can be found in the queue-6.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 2985cb1c3caeaa23909dc76b3608d8f5ffa0034c
Author: Ming Lei <ming.lei@xxxxxxxxxx>
Date:   Fri Jun 16 21:23:54 2023 +0800

    blk-mq: fix NULL dereference on q->elevator in blk_mq_elv_switch_none
    
    [ Upstream commit 245165658e1c9f95c0fecfe02b9b1ebd30a1198a ]
    
    After grabbing q->sysfs_lock, q->elevator may become NULL because of
    elevator switch.
    
    Fix the NULL dereference on q->elevator by checking it with lock.
    
    Reported-by: Guangwu Zhang <guazhang@xxxxxxxxxx>
    Signed-off-by: Ming Lei <ming.lei@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20230616132354.415109-1-ming.lei@xxxxxxxxxx
    Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/block/blk-mq.c b/block/blk-mq.c
index b9f4546139894..73ed8ccb09ce8 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -4617,9 +4617,6 @@ static bool blk_mq_elv_switch_none(struct list_head *head,
 {
 	struct blk_mq_qe_pair *qe;
 
-	if (!q->elevator)
-		return true;
-
 	qe = kmalloc(sizeof(*qe), GFP_NOIO | __GFP_NOWARN | __GFP_NORETRY);
 	if (!qe)
 		return false;
@@ -4627,6 +4624,12 @@ static bool blk_mq_elv_switch_none(struct list_head *head,
 	/* q->elevator needs protection from ->sysfs_lock */
 	mutex_lock(&q->sysfs_lock);
 
+	/* the check has to be done with holding sysfs_lock */
+	if (!q->elevator) {
+		kfree(qe);
+		goto unlock;
+	}
+
 	INIT_LIST_HEAD(&qe->node);
 	qe->q = q;
 	qe->type = q->elevator->type;
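Review bot: the new locked check frees qe before jumping to the unlock path, and moving the NULL test under q->sysfs_lock means the `qe->type = q->elevator->type;` dereference just below is now covered by the same lock the existing "q->elevator needs protection from ->sysfs_lock" comment names; one style nit is that the new comment could name the lock explicitly ("the check has to be done while holding q->sysfs_lock") so it matches the wording of the comment two lines above.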
@@ -4634,6 +4637,7 @@ static bool blk_mq_elv_switch_none(struct list_head *head,
 	__elevator_get(qe->type);
 	list_add(&qe->node, head);
 	elevator_disable(q);
+unlock:
 	mutex_unlock(&q->sysfs_lock);
 
 	return true;
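Review bot: placing the `unlock:` label immediately before `mutex_unlock(&q->sysfs_lock);` keeps the no-elevator path returning true, which preserves the semantics of the removed early return (no elevator means nothing to switch, not a failure), and it skips `__elevator_get(qe->type);`, `list_add(&qe->node, head);` and `elevator_disable(q);`, so no elevator reference is taken and nothing is added to head for a queue without an elevator; a one-line comment at the label saying it is reached only from the no-elevator case would make that intent explicit to the next reader.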
