[PATCH] block: avoid use-after-free in disk_free_zone_resources()

[PATCH] block: avoid use-after-free in disk_free_zone_resources()

[Damien Le Moal]

The function disk_update_zone_resources() may call
disk_free_zone_resources() in case of error, and following this,
blk_revalidate_disk_zones() will again calls disk_free_zone_resources() if
disk_update_zone_resources() failed. If a zone worker thread is being used
(which is the default for a rotational media zoned device),
disk_free_zone_resources() will try to stop the zone worker thread twice
because disk->zone_wplugs_worker is not reset to NULL when the worker
thread is stopped the first time.

In disk_free_zone_resources(), fix this by correctly clearing
disk->zone_wplugs_worker to NULL when the worker thread is stopped.

And while at it, since disk_free_zone_resources() is always called after a
failed call to disk_update_zone_resources(), remove the unnecessary call
to disk_free_zone_resources() in disk_update_zone_resources().

Fixes: 1365b6904fd0 ("block: allow submitting all zone writes from a single context")
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
---
 block/blk-zoned.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/block/blk-zoned.c b/block/blk-zoned.c
index 42ef830054dc..6a221c180889 100644
--- a/block/blk-zoned.c
+++ b/block/blk-zoned.c
@@ -2001,8 +2001,10 @@ static void disk_set_zones_cond_array(struct gendisk *disk, u8 *zones_cond)
 
 void disk_free_zone_resources(struct gendisk *disk)
 {
-	if (disk->zone_wplugs_worker)
+	if (disk->zone_wplugs_worker) {
 		kthread_stop(disk->zone_wplugs_worker);
+		disk->zone_wplugs_worker = NULL;
+	}
 	WARN_ON_ONCE(!list_empty(&disk->zone_wplugs_list));
 
 	if (disk->zone_wplugs_wq) {
@@ -2135,9 +2137,6 @@ static int disk_update_zone_resources(struct gendisk *disk,
 	ret = queue_limits_commit_update(q, &lim);
 
 unfreeze:
-	if (ret)
-		disk_free_zone_resources(disk);
-
 	blk_mq_unfreeze_queue(q, memflags);
 
 	return ret;
-- 
2.54.0

Re: [PATCH] block: avoid use-after-free in disk_free_zone_resources()

[Christoph Hellwig]

Looks good:

Reviewed-by: Christoph Hellwig <hch@lst.de>

Re: [PATCH] block: avoid use-after-free in disk_free_zone_resources()

[Jens Axboe]

On Fri, 22 May 2026 20:56:22 +0900, Damien Le Moal wrote:
> The function disk_update_zone_resources() may call
> disk_free_zone_resources() in case of error, and following this,
> blk_revalidate_disk_zones() will again calls disk_free_zone_resources() if
> disk_update_zone_resources() failed. If a zone worker thread is being used
> (which is the default for a rotational media zoned device),
> disk_free_zone_resources() will try to stop the zone worker thread twice
> because disk->zone_wplugs_worker is not reset to NULL when the worker
> thread is stopped the first time.
> 
> [...]

Applied, thanks!

[1/1] block: avoid use-after-free in disk_free_zone_resources()
      commit: f6982769910ecddabdb5b8b9afdab0bb8b6668ac

Best regards,
-- 
Jens Axboe