Re: [PATCH v1] mtip32xx: fix use-after-free on service thread failure

Next message: Jonathan Cameron: "Re: [PATCH v3 8/8] iio: tcs3472: implement wait time and sampling frequency"
Previous message: Mathieu Poirier: "Re: [PATCH] remoteproc: xlnx: remove binding header dependency"
In reply to: Yuho Choi: "[PATCH v1] mtip32xx: fix use-after-free on service thread failure"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jens Axboe

Date: Tue May 26 2026 - 13:00:13 EST

On Mon, 25 May 2026 12:25:31 -0400, Yuho Choi wrote:
> If service thread creation fails after device_add_disk() succeeds,
> mtip_block_initialize() calls del_gendisk() and then falls through to
> put_disk(). Since mtip32xx uses .free_disk to free struct driver_data,
> put_disk() can release dd on the added-disk path.
>
> The same unwind then continues to use dd for blk_mq_free_tag_set() and
> mtip_hw_exit(), and mtip_pci_probe() can later free dd again. This can
> cause a use-after-free and double free.
>
> [...]

Applied, thanks!

[1/1] mtip32xx: fix use-after-free on service thread failure
commit: 6b24446bee489e90f7ea843fbc0473393c73cbf9

Best regards,
--
Jens Axboe