From: Leon Chen
To: guazhang@redhat.com, ming.lei@redhat.com, axboe@kernel.dk, stable@vger.kernel.org
Subject: [PATCH 6.1.y] blk-mq: fix NULL dereference on q->elevator in blk_mq_elv_switch_none
Date: Mon, 27 Apr 2026 16:20:57 +0800
Message-Id: <20260427082057.9619-1-leonchen.oss@139.com>

From: Ming Lei

[ Upstream commit 245165658e1c9f95c0fecfe02b9b1ebd30a1198a ]

After grabbing q->sysfs_lock, q->elevator may become NULL because of elevator switch.

Fix the NULL dereference on q->elevator by checking it with lock.

Reported-by: Guangwu Zhang
Signed-off-by: Ming Lei
Link: https://lore.kernel.org/r/20230616132354.415109-1-ming.lei@redhat.com
Signed-off-by: Jens Axboe
Signed-off-by: Leon Chen
--- block/blk-mq.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/block/blk-mq.c b/block/blk-mq.c index f480b6ddba5e..8a9d9e3db166 100644 --- a/block/blk-mq.c +++ b/block/blk-mq.c @@ -4732,9 +4732,6 @@ static bool blk_mq_elv_switch_none(struct list_head *head, { struct blk_mq_qe_pair *qe; - if (!q->elevator) - return true; - qe = kmalloc(sizeof(*qe), GFP_NOIO | __GFP_NOWARN | __GFP_NORETRY); if (!qe) return false; @@ -4742,6 +4739,12 @@ static bool blk_mq_elv_switch_none(struct list_head *head, /* q->elevator needs protection from ->sysfs_lock */ mutex_lock(&q->sysfs_lock); + /* the check has to be done with holding sysfs_lock */ + if (!q->elevator) { + kfree(qe); + goto unlock; + } + INIT_LIST_HEAD(&qe->node); qe->q = q; qe->type = q->elevator->type; 
@@ -4756,6 +4759,7 @@ static bool blk_mq_elv_switch_none(struct list_head *head, */ __module_get(qe->type->elevator_owner); elevator_switch(q, NULL); +unlock: mutex_unlock(&q->sysfs_lock); return true; -- 2.35.3
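
Review bot: In the hunk at @@ -4732,9 +4732,6 @@, removing the early `if (!q->elevator) return true;` means the kmalloc() with GFP_NOIO | __GFP_NOWARN | __GFP_NORETRY now runs before q->elevator is known, so a queue with no elevator can make blk_mq_elv_switch_none() return false on allocation failure where it used to return true without allocating. Consider taking q->sysfs_lock and checking q->elevator before the allocation, or state in the commit message that this extra failure path is acceptable for queues that have nothing to switch.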
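
Review bot: In the hunk at @@ -4742,6 +4739,12 @@, the added comment `/* the check has to be done with holding sysfs_lock */` says what is required but not why, and it sits directly under the existing `/* q->elevator needs protection from ->sysfs_lock */` comment, which already says nearly the same thing. Suggest merging the two into one comment that records the reason given in the commit message, namely that an elevator switch can set q->elevator to NULL, so the test is only meaningful once the lock is held. The `kfree(qe); goto unlock;` path itself looks right: it releases the allocation and still returns true, as the removed early return did.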