[PATCH v2 1/7] blk-cgroup: protect q->blkg_list iteration in blkg_destroy_all() with blkcg_mutex

Next message: Manivannan Sadhasivam: "[PATCH] soc: qcom: ice: Remove platform_driver support and expose as a pure library"
Previous message: Yu Kuai: "[PATCH v2 0/7] blk-cgroup: fix races and deadlocks"
In reply to: Yu Kuai: "[PATCH v2 0/7] blk-cgroup: fix races and deadlocks"
Next in thread: Yu Kuai: "[PATCH v2 2/7] bfq: protect q-&gt;blkg_list iteration in bfq_end_wr_async() with blkcg_mutex"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Yu Kuai

Date: Tue Feb 03 2026 - 03:07:03 EST

blkg_destroy_all() iterates q->blkg_list without holding blkcg_mutex,
which can race with blkg_free_workfn() that removes blkgs from the list
while holding blkcg_mutex.

Add blkcg_mutex protection around the q->blkg_list iteration to prevent
potential list corruption or use-after-free issues.

Signed-off-by: Yu Kuai <yukuai@xxxxxxxxx>
---
block/blk-cgroup.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
index 3cffb68ba5d8..0bc7b19399b6 100644
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -574,6 +574,7 @@ static void blkg_destroy_all(struct gendisk *disk)
int i;

restart:
+ mutex_lock(&q->blkcg_mutex);
spin_lock_irq(&q->queue_lock);
list_for_each_entry(blkg, &q->blkg_list, q_node) {
struct blkcg *blkcg = blkg->blkcg;
@@ -592,6 +593,7 @@ static void blkg_destroy_all(struct gendisk *disk)
if (!(--count)) {
count = BLKG_DESTROY_BATCH_SIZE;
spin_unlock_irq(&q->queue_lock);
+ mutex_unlock(&q->blkcg_mutex);
cond_resched();
goto restart;
}
@@ -611,6 +613,7 @@ static void blkg_destroy_all(struct gendisk *disk)

q->root_blkg = NULL;
spin_unlock_irq(&q->queue_lock);
+ mutex_unlock(&q->blkcg_mutex);
}

static void blkg_iostat_set(struct blkg_iostat *dst, struct blkg_iostat *src)
--
2.51.0