Re: [PATCH] block: blk-mq: fix UAF in blk_mq_tagset_busy_iter

Next message: Tycho Andersen: "[RFC v1 5/6] crypto/ccp: Register with fw_uploader and always fail"
Previous message: syzbot: "Re: [syzbot] [kvmarm] BUG: scheduling while atomic in __synchronize_srcu"
In reply to: l1za0 . sec: "[PATCH] block: blk-mq: fix UAF in blk_mq_tagset_busy_iter"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Bart Van Assche

Date: Thu Apr 30 2026 - 12:17:25 EST

On 4/29/26 9:28 PM, l1za0.sec@xxxxxxxxx wrote:

diff --git a/block/blk-mq.c b/block/blk-mq.c
index d626d32f6e57..4357625a512d 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -4738,6 +4738,7 @@ static int blk_mq_realloc_tag_set_tags(struct blk_mq_tag_set *set,
int new_nr_hw_queues)
{
struct blk_mq_tags **new_tags;
+ struct blk_mq_tags **old_tags;
int i;
if (set->nr_hw_queues >= new_nr_hw_queues)
@@ -4751,8 +4752,10 @@ static int blk_mq_realloc_tag_set_tags(struct blk_mq_tag_set *set,
if (set->tags)
memcpy(new_tags, set->tags, set->nr_hw_queues *
sizeof(*set->tags));
- kfree(set->tags);
+ old_tags = set->tags;
set->tags = new_tags;
+ synchronize_srcu(&set->tags_srcu);
+ kfree(old_tags);
for (i = set->nr_hw_queues; i < new_nr_hw_queues; i++) {
if (!__blk_mq_alloc_map_and_rqs(set, i)) {

The function blk_mq_realloc_tag_set_tags() no longer exists.

base-commit: 7d0a66e4bb9081d75c82ec4957c50034cb0ea449

That commit is too old. It's description is as follows: "Merge tag
'timers_urgent_for_v6.18_rc8' of git://git.kernel.org/pub/scm/linux/
kernel/git/tip/tip". Please develop block layer fixes against the
for-next branch of this kernel tree:
https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux.git/

Thanks,

Bart.