block/blk-mq.c:4380:16: sparse: sparse: incorrect type in argument 1 (different address spaces)

From: kernel test robot

Date: Sun Jun 14 2026 - 16:10:56 EST


tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 8cd9520d35a6c38db6567e97dd93b1f11f185dc6
commit: 89e1fb7ceffd898505ad7fa57acec0585bfaa2cc blk-mq: fix potential uaf for 'queue_hw_ctx'
date: 7 months ago
config: arm64-randconfig-r123-20260614 (https://download.01.org/0day-ci/archive/20260615/202606150408.9QUZb3ur-lkp@xxxxxxxxx/config)
compiler: aarch64-linux-gcc (GCC) 13.4.0
sparse: v0.6.5-rc1
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260615/202606150408.9QUZb3ur-lkp@xxxxxxxxx/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Fixes: 89e1fb7ceffd ("blk-mq: fix potential uaf for 'queue_hw_ctx'")
| Reported-by: kernel test robot <lkp@xxxxxxxxx>
| Closes: https://lore.kernel.org/oe-kbuild-all/202606150408.9QUZb3ur-lkp@xxxxxxxxx/

sparse warnings: (new ones prefixed by >>)
>> block/blk-mq.c:4380:16: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void const *objp @@ got struct blk_mq_hw_ctx *[noderef] __rcu *queue_hw_ctx @@
   block/blk-mq.c:4380:16: sparse:     expected void const *objp
   block/blk-mq.c:4380:16: sparse:     got struct blk_mq_hw_ctx *[noderef] __rcu *queue_hw_ctx
   block/blk-mq.c:4525:41: sparse: sparse: incorrect type in initializer (different address spaces) @@ expected struct blk_mq_hw_ctx **hctxs @@ got struct blk_mq_hw_ctx *[noderef] __rcu *queue_hw_ctx @@
   block/blk-mq.c:4525:41: sparse:     expected struct blk_mq_hw_ctx **hctxs
   block/blk-mq.c:4525:41: sparse:     got struct blk_mq_hw_ctx *[noderef] __rcu *queue_hw_ctx
   block/blk-mq.c:733:36: sparse: sparse: dereference of noderef expression
   block/blk-mq.c: note: in included file:
   block/blk-mq.h:87:31: sparse: sparse: dereference of noderef expression
   block/blk-mq.h:87:31: sparse: sparse: dereference of noderef expression
   block/blk-mq.h:87:31: sparse: sparse: dereference of noderef expression
   block/blk-mq.h:87:31: sparse: sparse: dereference of noderef expression
   block/blk-mq.h:87:31: sparse: sparse: dereference of noderef expression
   block/blk-mq.h:87:31: sparse: sparse: dereference of noderef expression
   block/blk-mq.c:5211:48: sparse: sparse: dereference of noderef expression

vim +4380 block/blk-mq.c

1db4909e76f64a8 Ming Lei      2018-11-20  4359
e09aae7edec1d20 Ming Lei      2015-01-29  4360  /*
e09aae7edec1d20 Ming Lei      2015-01-29  4361   * It is the actual release handler for mq, but we do it from
e09aae7edec1d20 Ming Lei      2015-01-29  4362   * request queue's release handler for avoiding use-after-free
e09aae7edec1d20 Ming Lei      2015-01-29  4363   * and headache because q->mq_kobj shouldn't have been introduced,
e09aae7edec1d20 Ming Lei      2015-01-29  4364   * but we can't group ctx/kctx kobj without it.
e09aae7edec1d20 Ming Lei      2015-01-29  4365   */
e09aae7edec1d20 Ming Lei      2015-01-29  4366  void blk_mq_release(struct request_queue *q)
e09aae7edec1d20 Ming Lei      2015-01-29  4367  {
2f8f1336a48bd51 Ming Lei      2019-04-30  4368  	struct blk_mq_hw_ctx *hctx, *next;
4f481208749a22d Ming Lei      2022-03-08  4369  	unsigned long i;
e09aae7edec1d20 Ming Lei      2015-01-29  4370
2f8f1336a48bd51 Ming Lei      2019-04-30  4371  	queue_for_each_hw_ctx(q, hctx, i)
2f8f1336a48bd51 Ming Lei      2019-04-30  4372  		WARN_ON_ONCE(hctx && list_empty(&hctx->hctx_list));
2f8f1336a48bd51 Ming Lei      2019-04-30  4373
2f8f1336a48bd51 Ming Lei      2019-04-30  4374  	/* all hctx are in .unused_hctx_list now */
2f8f1336a48bd51 Ming Lei      2019-04-30  4375  	list_for_each_entry_safe(hctx, next, &q->unused_hctx_list, hctx_list) {
2f8f1336a48bd51 Ming Lei      2019-04-30  4376  		list_del_init(&hctx->hctx_list);
6c8b232efea1ad3 Ming Lei      2017-02-22  4377  		kobject_put(&hctx->kobj);
c3b4afca7023b5a Ming Lei      2015-06-04  4378  	}
e09aae7edec1d20 Ming Lei      2015-01-29  4379
d0c98769ee7d5db Fengnan Chang 2025-11-28 @4380  	kfree(q->queue_hw_ctx);
e09aae7edec1d20 Ming Lei      2015-01-29  4381
7ea5fe31c12dd8b Ming Lei      2017-02-22  4382  	/*
7ea5fe31c12dd8b Ming Lei      2017-02-22  4383  	 * release .mq_kobj and sw queue's kobject now because
7ea5fe31c12dd8b Ming Lei      2017-02-22  4384  	 * both share lifetime with request queue.
7ea5fe31c12dd8b Ming Lei      2017-02-22  4385  	 */
7ea5fe31c12dd8b Ming Lei      2017-02-22  4386  	blk_mq_sysfs_deinit(q);
e09aae7edec1d20 Ming Lei      2015-01-29  4387  }
e09aae7edec1d20 Ming Lei      2015-01-29  4388

:::::: The code at line 4380 was first introduced by commit
:::::: d0c98769ee7d5db8d699a270690639cde1766cd4 blk-mq: use array manage hctx map instead of xarray

:::::: TO: Fengnan Chang <fengnanchang@xxxxxxxxx>
:::::: CC: Jens Axboe <axboe@xxxxxxxxx>

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki