From: kernel test robot <lkp@intel.com>
To: Fengnan Chang <fengnanchang@gmail.com>
Cc: oe-kbuild-all@lists.linux.dev, linux-kernel@vger.kernel.org,
Jens Axboe <axboe@kernel.dk>, Yu Kuai <yukuai3@huawei.com>
Subject: block/blk-mq.c:733:36: sparse: sparse: dereference of noderef expression
Date: Mon, 15 Jun 2026 02:56:26 +0800
Message-ID: <202606150258.MpcYNdIz-lkp@intel.com>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 8cd9520d35a6c38db6567e97dd93b1f11f185dc6
commit: 89e1fb7ceffd898505ad7fa57acec0585bfaa2cc blk-mq: fix potential uaf for 'queue_hw_ctx'
date: 7 months ago
config: nios2-randconfig-r132-20260614 (https://download.01.org/0day-ci/archive/20260615/202606150258.MpcYNdIz-lkp@intel.com/config)
compiler: nios2-linux-gcc (GCC) 11.5.0
sparse: v0.6.5-rc1
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260615/202606150258.MpcYNdIz-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Fixes: 89e1fb7ceffd ("blk-mq: fix potential uaf for 'queue_hw_ctx'")
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202606150258.MpcYNdIz-lkp@intel.com/
sparse warnings: (new ones prefixed by >>)
block/blk-mq.c:4380:16: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void const *objp @@ got struct blk_mq_hw_ctx *[noderef] __rcu *queue_hw_ctx @@
block/blk-mq.c:4380:16: sparse: expected void const *objp
block/blk-mq.c:4380:16: sparse: got struct blk_mq_hw_ctx *[noderef] __rcu *queue_hw_ctx
block/blk-mq.c:4525:41: sparse: sparse: incorrect type in initializer (different address spaces) @@ expected struct blk_mq_hw_ctx **hctxs @@ got struct blk_mq_hw_ctx *[noderef] __rcu *queue_hw_ctx @@
block/blk-mq.c:4525:41: sparse: expected struct blk_mq_hw_ctx **hctxs
block/blk-mq.c:4525:41: sparse: got struct blk_mq_hw_ctx *[noderef] __rcu *queue_hw_ctx
>> block/blk-mq.c:733:36: sparse: sparse: dereference of noderef expression
block/blk-mq.c: note: in included file:
block/blk-mq.h:87:31: sparse: sparse: dereference of noderef expression
block/blk-mq.h:87:31: sparse: sparse: dereference of noderef expression
block/blk-mq.h:87:31: sparse: sparse: dereference of noderef expression
block/blk-mq.h:87:31: sparse: sparse: dereference of noderef expression
block/blk-mq.h:87:31: sparse: sparse: dereference of noderef expression
block/blk-mq.h:87:31: sparse: sparse: dereference of noderef expression
block/blk-mq.c:5211:48: sparse: sparse: dereference of noderef expression
vim +733 block/blk-mq.c
320ae51feed5c2f Jens Axboe 2013-10-24 686
cd6ce1482fd9e69 Bart Van Assche 2017-06-20 687 struct request *blk_mq_alloc_request_hctx(struct request_queue *q,
16458cf3bd15e56 Bart Van Assche 2022-07-14 688 blk_opf_t opf, blk_mq_req_flags_t flags, unsigned int hctx_idx)
1f5bd336b915056 Ming Lin 2016-06-13 689 {
e6e7abffe386b61 Christoph Hellwig 2020-05-29 690 struct blk_mq_alloc_data data = {
e6e7abffe386b61 Christoph Hellwig 2020-05-29 691 .q = q,
e6e7abffe386b61 Christoph Hellwig 2020-05-29 692 .flags = flags,
9b79f86e06283ba Jens Axboe 2025-04-15 693 .shallow_depth = 0,
16458cf3bd15e56 Bart Van Assche 2022-07-14 694 .cmd_flags = opf,
9b79f86e06283ba Jens Axboe 2025-04-15 695 .rq_flags = 0,
47c122e35d7e43b Jens Axboe 2021-10-06 696 .nr_tags = 1,
9b79f86e06283ba Jens Axboe 2025-04-15 697 .cached_rqs = NULL,
9b79f86e06283ba Jens Axboe 2025-04-15 698 .ctx = NULL,
9b79f86e06283ba Jens Axboe 2025-04-15 699 .hctx = NULL
e6e7abffe386b61 Christoph Hellwig 2020-05-29 700 };
600c3b0cea784aa Christoph Hellwig 2020-05-29 701 u64 alloc_time_ns = 0;
e3c5a78cdb6237b John Garry 2022-10-26 702 struct request *rq;
6d2809d51a5079f Omar Sandoval 2017-02-27 703 unsigned int cpu;
600c3b0cea784aa Christoph Hellwig 2020-05-29 704 unsigned int tag;
1f5bd336b915056 Ming Lin 2016-06-13 705 int ret;
1f5bd336b915056 Ming Lin 2016-06-13 706
600c3b0cea784aa Christoph Hellwig 2020-05-29 707 /* alloc_time includes depth and tag waits */
600c3b0cea784aa Christoph Hellwig 2020-05-29 708 if (blk_queue_rq_alloc_time(q))
08420cf70cfb32e Jens Axboe 2024-01-15 709 alloc_time_ns = blk_time_get_ns();
600c3b0cea784aa Christoph Hellwig 2020-05-29 710
1f5bd336b915056 Ming Lin 2016-06-13 711 /*
1f5bd336b915056 Ming Lin 2016-06-13 712 * If the tag allocator sleeps we could get an allocation for a
1f5bd336b915056 Ming Lin 2016-06-13 713 * different hardware context. No need to complicate the low level
1f5bd336b915056 Ming Lin 2016-06-13 714 * allocator for this for the rare use case of a command tied to
1f5bd336b915056 Ming Lin 2016-06-13 715 * a specific queue.
1f5bd336b915056 Ming Lin 2016-06-13 716 */
6ee858a3d3270a6 Kemeng Shi 2023-01-18 717 if (WARN_ON_ONCE(!(flags & BLK_MQ_REQ_NOWAIT)) ||
6ee858a3d3270a6 Kemeng Shi 2023-01-18 718 WARN_ON_ONCE(!(flags & BLK_MQ_REQ_RESERVED)))
1f5bd336b915056 Ming Lin 2016-06-13 719 return ERR_PTR(-EINVAL);
1f5bd336b915056 Ming Lin 2016-06-13 720
1f5bd336b915056 Ming Lin 2016-06-13 721 if (hctx_idx >= q->nr_hw_queues)
1f5bd336b915056 Ming Lin 2016-06-13 722 return ERR_PTR(-EIO);
1f5bd336b915056 Ming Lin 2016-06-13 723
3a0a529971ec4e2 Bart Van Assche 2017-11-09 724 ret = blk_queue_enter(q, flags);
1f5bd336b915056 Ming Lin 2016-06-13 725 if (ret)
1f5bd336b915056 Ming Lin 2016-06-13 726 return ERR_PTR(ret);
1f5bd336b915056 Ming Lin 2016-06-13 727
c8712c6a674e338 Christoph Hellwig 2016-09-23 728 /*
c8712c6a674e338 Christoph Hellwig 2016-09-23 729 * Check if the hardware context is actually mapped to anything.
c8712c6a674e338 Christoph Hellwig 2016-09-23 730 * If not tell the caller that it should skip this queue.
c8712c6a674e338 Christoph Hellwig 2016-09-23 731 */
a5ea5811058ddb9 Christoph Hellwig 2020-05-16 732 ret = -EXDEV;
d0c98769ee7d5db Fengnan Chang 2025-11-28 @733 data.hctx = q->queue_hw_ctx[hctx_idx];
e6e7abffe386b61 Christoph Hellwig 2020-05-29 734 if (!blk_mq_hw_queue_mapped(data.hctx))
a5ea5811058ddb9 Christoph Hellwig 2020-05-16 735 goto out_queue_exit;
e6e7abffe386b61 Christoph Hellwig 2020-05-29 736 cpu = cpumask_first_and(data.hctx->cpumask, cpu_online_mask);
14dc7a18abbe417 Bart Van Assche 2022-06-15 737 if (cpu >= nr_cpu_ids)
14dc7a18abbe417 Bart Van Assche 2022-06-15 738 goto out_queue_exit;
e6e7abffe386b61 Christoph Hellwig 2020-05-29 739 data.ctx = __blk_mq_get_ctx(q, cpu);
1f5bd336b915056 Ming Lin 2016-06-13 740
dd6216bb16e83e3 Christoph Hellwig 2023-05-18 741 if (q->elevator)
dd6216bb16e83e3 Christoph Hellwig 2023-05-18 742 data.rq_flags |= RQF_SCHED_TAGS;
781dd830ec4f4d5 Jens Axboe 2021-11-02 743 else
dd6216bb16e83e3 Christoph Hellwig 2023-05-18 744 blk_mq_tag_busy(data.hctx);
600c3b0cea784aa Christoph Hellwig 2020-05-29 745
99e48cd6855e953 John Garry 2022-07-06 746 if (flags & BLK_MQ_REQ_RESERVED)
99e48cd6855e953 John Garry 2022-07-06 747 data.rq_flags |= RQF_RESV;
99e48cd6855e953 John Garry 2022-07-06 748
a5ea5811058ddb9 Christoph Hellwig 2020-05-16 749 ret = -EWOULDBLOCK;
600c3b0cea784aa Christoph Hellwig 2020-05-29 750 tag = blk_mq_get_tag(&data);
600c3b0cea784aa Christoph Hellwig 2020-05-29 751 if (tag == BLK_MQ_NO_TAG)
a5ea5811058ddb9 Christoph Hellwig 2020-05-16 752 goto out_queue_exit;
b8643d682669994 Chengming Zhou 2023-09-13 753 if (!(data.rq_flags & RQF_SCHED_TAGS))
b8643d682669994 Chengming Zhou 2023-09-13 754 blk_mq_inc_active_requests(data.hctx);
5c17f45e91f5035 Chengming Zhou 2023-07-10 755 rq = blk_mq_rq_ctx_init(&data, blk_mq_tags_from_data(&data), tag);
5c17f45e91f5035 Chengming Zhou 2023-07-10 756 blk_mq_rq_time_init(rq, alloc_time_ns);
e3c5a78cdb6237b John Garry 2022-10-26 757 rq->__data_len = 0;
2f6b2565d43cdb5 Keith Busch 2025-10-14 758 rq->phys_gap_bit = 0;
e3c5a78cdb6237b John Garry 2022-10-26 759 rq->__sector = (sector_t) -1;
e3c5a78cdb6237b John Garry 2022-10-26 760 rq->bio = rq->biotail = NULL;
e3c5a78cdb6237b John Garry 2022-10-26 761 return rq;
600c3b0cea784aa Christoph Hellwig 2020-05-29 762
a5ea5811058ddb9 Christoph Hellwig 2020-05-16 763 out_queue_exit:
a5ea5811058ddb9 Christoph Hellwig 2020-05-16 764 blk_queue_exit(q);
a5ea5811058ddb9 Christoph Hellwig 2020-05-16 765 return ERR_PTR(ret);
1f5bd336b915056 Ming Lin 2016-06-13 766 }
1f5bd336b915056 Ming Lin 2016-06-13 767 EXPORT_SYMBOL_GPL(blk_mq_alloc_request_hctx);
1f5bd336b915056 Ming Lin 2016-06-13 768
:::::: The code at line 733 was first introduced by commit
:::::: d0c98769ee7d5db8d699a270690639cde1766cd4 blk-mq: use array manage hctx map instead of xarray
:::::: TO: Fengnan Chang <fengnanchang@gmail.com>
:::::: CC: Jens Axboe <axboe@kernel.dk>
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki