commit:     a33d94814aa2669eceeecc62ffa12e2b1a73c783
Author:     Arisu Tachibana <alicef <AT> gentoo <DOT> org>
AuthorDate: Thu Oct 2 03:04:31 2025 +0000
Commit:     Arisu Tachibana <alicef <AT> gentoo <DOT> org>
CommitDate: Thu Oct 2 03:11:03 2025 +0000
URL:        https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=a33d9481
Add patch 2101 blk-mq: fix blk_mq_tags double free while nr_requests grown Ref: https://lore.kernel.org/all/CAFj5m9K+ct=ioJUz8v78Wr_myC7pjVnB1SAKRXc-CLysHV_5ww <AT> mail.gmail.com/ Signed-off-by: Arisu Tachibana <alicef <AT> gentoo.org> 0000_README | 4 ++ ..._tags_double_free_while_nr_requests_grown.patch | 47 ++++++++++++++++++++++ 2 files changed, 51 insertions(+) diff --git a/0000_README b/0000_README index 48b50ad0..7c89ecd8 100644 --- a/0000_README +++ b/0000_README @@ -95,6 +95,10 @@ Patch: 2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch From: https://lore.kernel.org/linux-bluetooth/[email protected]/raw Desc: Bluetooth: Check key sizes only when Secure Simple Pairing is enabled. See bug #686758 +Patch: 2101_blk-mq_fix_blk_mq_tags_double_free_while_nr_requests_grown.patch +From: https://lore.kernel.org/all/CAFj5m9K+ct=iojuz8v78wr_myc7pjvnb1sakrxc-clyshv_...@mail.gmail.com/ +Desc: blk-mq: fix blk_mq_tags double free while nr_requests grown + Patch: 2901_permit-menuconfig-sorting.patch From: https://lore.kernel.org/ Desc: menuconfig: Allow sorting the entries alphabetically diff --git a/2101_blk-mq_fix_blk_mq_tags_double_free_while_nr_requests_grown.patch b/2101_blk-mq_fix_blk_mq_tags_double_free_while_nr_requests_grown.patch new file mode 100644 index 00000000..e47b4b2a --- /dev/null +++ b/2101_blk-mq_fix_blk_mq_tags_double_free_while_nr_requests_grown.patch 
@@ -0,0 +1,47 @@ +From ba28afbd9eff2a6370f23ef4e6a036ab0cfda409 Mon Sep 17 00:00:00 2001 +From: Yu Kuai <[email protected]> +Date: Thu, 21 Aug 2025 14:06:12 +0800 +Subject: blk-mq: fix blk_mq_tags double free while nr_requests grown + +In the case user trigger tags grow by queue sysfs attribute nr_requests, +hctx->sched_tags will be freed directly and replaced with a new +allocated tags, see blk_mq_tag_update_depth(). + +The problem is that hctx->sched_tags is from elevator->et->tags, while +et->tags is still the freed tags, hence later elevator exit will try to +free the tags again, causing kernel panic. + +Fix this problem by replacing et->tags with new allocated tags as well. + +Noted there are still some long term problems that will require some +refactor to be fixed thoroughly[1]. + +[1] https://lore.kernel.org/all/[email protected]/ +Fixes: f5a6604f7a44 ("block: fix lockdep warning caused by lock dependency in elv_iosched_store") + +Signed-off-by: Yu Kuai <[email protected]> +Reviewed-by: Ming Lei <[email protected]> +Reviewed-by: Nilay Shroff <[email protected]> +Reviewed-by: Hannes Reinecke <[email protected]> +Reviewed-by: Li Nan <[email protected]> +Link: https://lore.kernel.org/r/[email protected] +Signed-off-by: Jens Axboe <[email protected]> +--- + block/blk-mq-tag.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/block/blk-mq-tag.c b/block/blk-mq-tag.c +index d880c50629d612..5cffa5668d0c38 100644 +--- a/block/blk-mq-tag.c ++++ b/block/blk-mq-tag.c +@@ -622,6 +622,7 @@ int blk_mq_tag_update_depth(struct blk_mq_hw_ctx *hctx, + return -ENOMEM; + + blk_mq_free_map_and_rqs(set, *tagsptr, hctx->queue_num); ++ hctx->queue->elevator->et->tags[hctx->queue_num] = new; + *tagsptr = new; + } else { + /* +-- +cgit 1.2.3-korg +
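Review bot: In the block/blk-mq-tag.c hunk, the added line `hctx->queue->elevator->et->tags[hctx->queue_num] = new;` dereferences hctx->queue->elevator and its et member with no check, and it runs for whatever tagsptr the caller passed in. Nothing in the visible context shows that this grow branch is reached only when tagsptr points at hctx->sched_tags with an elevator attached, which is the case the commit message describes. A short comment above the assignment stating that invariant, or a guard on hctx->queue->elevator, would keep a future caller that passes a different tags pointer from overwriting et->tags or hitting a NULL dereference.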
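Review bot: In the 0000_README hunk, the From: URL for patch 2101 appears lower-cased and elided (`...@mail.gmail.com/`), so it does not match the mixed-case message-id given on the commit message's Ref: line; please confirm the committed entry carries the exact URL. The entry could also record the upstream commit id ba28afbd9eff from the patch header, so the patch is easy to drop once a kernel release contains the fix.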
