From: Damien Le Moal <dlemoal@kernel.org>
To: Jens Axboe <axboe@kernel.dk>, linux-block@vger.kernel.org
Cc: Christoph Hellwig <hch@lst.de>
Subject: [PATCH] block: avoid use-after-free in disk_free_zone_resources()
Date: Fri, 22 May 2026 20:56:22 +0900 [thread overview]
Message-ID: <20260522115622.588535-1-dlemoal@kernel.org> (raw)
The function disk_update_zone_resources() may call
disk_free_zone_resources() in case of error, and following this,
blk_revalidate_disk_zones() will again calls disk_free_zone_resources() if
disk_update_zone_resources() failed. If a zone worker thread is being used
(which is the default for a rotational media zoned device),
disk_free_zone_resources() will try to stop the zone worker thread twice
because disk->zone_wplugs_worker is not reset to NULL when the worker
thread is stopped the first time.
In disk_free_zone_resources(), fix this by correctly clearing
disk->zone_wplugs_worker to NULL when the worker thread is stopped.
And while at it, since disk_free_zone_resources() is always called after a
failed call to disk_update_zone_resources(), remove the unnecessary call
to disk_free_zone_resources() in disk_update_zone_resources().
Fixes: 1365b6904fd0 ("block: allow submitting all zone writes from a single context")
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
---
block/blk-zoned.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/block/blk-zoned.c b/block/blk-zoned.c
index 42ef830054dc..6a221c180889 100644
--- a/block/blk-zoned.c
+++ b/block/blk-zoned.c
@@ -2001,8 +2001,10 @@ static void disk_set_zones_cond_array(struct gendisk *disk, u8 *zones_cond)
void disk_free_zone_resources(struct gendisk *disk)
{
- if (disk->zone_wplugs_worker)
+ if (disk->zone_wplugs_worker) {
kthread_stop(disk->zone_wplugs_worker);
+ disk->zone_wplugs_worker = NULL;
+ }
WARN_ON_ONCE(!list_empty(&disk->zone_wplugs_list));
if (disk->zone_wplugs_wq) {
@@ -2135,9 +2137,6 @@ static int disk_update_zone_resources(struct gendisk *disk,
ret = queue_limits_commit_update(q, &lim);
unfreeze:
- if (ret)
- disk_free_zone_resources(disk);
-
blk_mq_unfreeze_queue(q, memflags);
return ret;
--
2.54.0
next reply other threads:[~2026-05-22 11:56 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-22 11:56 Damien Le Moal [this message]
2026-05-22 12:09 ` [PATCH] block: avoid use-after-free in disk_free_zone_resources() Christoph Hellwig
2026-05-22 14:06 ` Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260522115622.588535-1-dlemoal@kernel.org \
--to=dlemoal@kernel.org \
--cc=axboe@kernel.dk \
--cc=hch@lst.de \
--cc=linux-block@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.