From: Ming Lei <ming.lei@redhat.com> mainline inclusion from mainline-v6.5-rc1 commit 245165658e1c9f95c0fecfe02b9b1ebd30a1198a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICY9NG CVE: CVE-2023-53292 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... ------------------ After grabbing q->sysfs_lock, q->elevator may become NULL because of elevator switch. Fix the NULL dereference on q->elevator by checking it with lock. Reported-by: Guangwu Zhang <guazhang@redhat.com> Signed-off-by: Ming Lei <ming.lei@redhat.com> Link: https://lore.kernel.org/r/20230616132354.415109-1-ming.lei@redhat.com Signed-off-by: Jens Axboe <axboe@kernel.dk> Conflicts: block/blk-mq.c [Due to not merging commit dd6f7f17bf58 ("block: add proper helpers for elevator_type module refcount management").] Signed-off-by: Zheng Qixing <zhengqixing@huawei.com> --- block/blk-mq.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/block/blk-mq.c b/block/blk-mq.c index f94adf15bf53..53834ed3565b 100644 --- a/block/blk-mq.c +++ b/block/blk-mq.c @@ -3903,9 +3903,6 @@ static bool blk_mq_elv_switch_none(struct list_head *head, { struct blk_mq_qe_pair *qe; - if (!q->elevator) - return true; - qe = kmalloc(sizeof(*qe), GFP_NOIO | __GFP_NOWARN | __GFP_NORETRY); if (!qe) return false; @@ -3913,6 +3910,12 @@ static bool blk_mq_elv_switch_none(struct list_head *head, /* q->elevator needs protection from ->sysfs_lock */ mutex_lock(&q->sysfs_lock); + /* the check has to be done with holding sysfs_lock */ + if (!q->elevator) { + kfree(qe); + goto unlock; + } + INIT_LIST_HEAD(&qe->node); qe->q = q; qe->type = q->elevator->type; @@ -3927,6 +3930,7 @@ static bool blk_mq_elv_switch_none(struct list_head *head, */ __module_get(qe->type->elevator_owner); elevator_switch(q, NULL); +unlock: mutex_unlock(&q->sysfs_lock); return true; -- 2.39.2