Skip to content

Commit 8b4b8b6

Browse files
caringicaringi
committed
Merge: block: three misc fixes
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6746 JIRA: https://issues.redhat.com/browse/RHEL-87488 JIRA: https://issues.redhat.com/browse/RHEL-81398 CVE: CVE-2025-21745 loop: Fix use-after-free issues nvme-tcp: fix the memleak while create new ctrl failed blk-cgroup: Fix class @block_class's subsystem refcount leakage Signed-off-by: Ming Lei <ming.lei@redhat.com> Approved-by: Maurizio Lombardi <mlombard@redhat.com> Approved-by: Jeff Moyer <jmoyer@redhat.com> Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by: Augusto Caringi <acaringi@redhat.com>
2 parents 3f58eed + ecfe88a commit 8b4b8b6

File tree

2 files changed

+18
-8
lines changed

2 files changed

+18
-8
lines changed

block/blk-cgroup.c

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1139,6 +1139,7 @@ static void blkcg_fill_root_iostats(void)
11391139
blkg_iostat_set(&blkg->iostat.cur, &tmp);
11401140
u64_stats_update_end_irqrestore(&blkg->iostat.sync, flags);
11411141
}
1142+
class_dev_iter_exit(&iter);
11421143
}
11431144

11441145
static void blkcg_print_one_stat(struct blkcg_gq *blkg, struct seq_file *s)

drivers/block/loop.c

Lines changed: 17 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1902,35 +1902,44 @@ static blk_status_t loop_queue_rq(struct blk_mq_hw_ctx *hctx,
19021902

19031903
static void loop_handle_cmd(struct loop_cmd *cmd)
19041904
{
1905+
struct cgroup_subsys_state *cmd_blkcg_css = cmd->blkcg_css;
1906+
struct cgroup_subsys_state *cmd_memcg_css = cmd->memcg_css;
19051907
struct request *rq = blk_mq_rq_from_pdu(cmd);
19061908
const bool write = op_is_write(req_op(rq));
19071909
struct loop_device *lo = rq->q->queuedata;
19081910
int ret = 0;
19091911
struct mem_cgroup *old_memcg = NULL;
1912+
const bool use_aio = cmd->use_aio;
19101913

19111914
if (write && (lo->lo_flags & LO_FLAGS_READ_ONLY)) {
19121915
ret = -EIO;
19131916
goto failed;
19141917
}
19151918

1916-
if (cmd->blkcg_css)
1917-
kthread_associate_blkcg(cmd->blkcg_css);
1918-
if (cmd->memcg_css)
1919+
if (cmd_blkcg_css)
1920+
kthread_associate_blkcg(cmd_blkcg_css);
1921+
if (cmd_memcg_css)
19191922
old_memcg = set_active_memcg(
1920-
mem_cgroup_from_css(cmd->memcg_css));
1923+
mem_cgroup_from_css(cmd_memcg_css));
19211924

1925+
/*
1926+
* do_req_filebacked() may call blk_mq_complete_request() synchronously
1927+
* or asynchronously if using aio. Hence, do not touch 'cmd' after
1928+
* do_req_filebacked() has returned unless we are sure that 'cmd' has
1929+
* not yet been completed.
1930+
*/
19221931
ret = do_req_filebacked(lo, rq);
19231932

1924-
if (cmd->blkcg_css)
1933+
if (cmd_blkcg_css)
19251934
kthread_associate_blkcg(NULL);
19261935

1927-
if (cmd->memcg_css) {
1936+
if (cmd_memcg_css) {
19281937
set_active_memcg(old_memcg);
1929-
css_put(cmd->memcg_css);
1938+
css_put(cmd_memcg_css);
19301939
}
19311940
failed:
19321941
/* complete non-aio request */
1933-
if (!cmd->use_aio || ret) {
1942+
if (!use_aio || ret) {
19341943
if (ret == -EOPNOTSUPP)
19351944
cmd->ret = ret;
19361945
else

0 commit comments

Comments
 (0)