From: Yuho Choi
To: Jens Axboe
Cc: Thomas Fourier, Martin K. Petersen, Andy Shevchenko, Al Viro, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, Yuho Choi
Subject: [PATCH v1] mtip32xx: fix use-after-free on service thread failure
Date: Mon, 25 May 2026 12:25:31 -0400
Message-ID: <20260525162531.1406677-1-dbgh9129@gmail.com>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

If service thread creation fails after device_add_disk() succeeds, mtip_block_initialize() calls del_gendisk() and then falls through to put_disk(). Since mtip32xx uses .free_disk to free struct driver_data, put_disk() can release dd on the added-disk path. The same unwind then continues to use dd for blk_mq_free_tag_set() and mtip_hw_exit(), and mtip_pci_probe() can later free dd again. This can cause a use-after-free and double free.

Track whether the disk was added in the current initialization call. For the post-add service-thread failure path, remove the disk, release the local hardware resources, and return without dropping the final disk reference. The probe error path can then finish its cleanup and call put_disk() after it is done using dd.

Keep the pre-add path using put_disk() before blk_mq_free_tag_set(), and clear dd->disk so the outer probe cleanup frees dd directly.

Fixes: e8b58ef09e84 ("mtip32xx: fix device removal")
Signed-off-by: Yuho Choi --- drivers/block/mtip32xx/mtip32xx.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/drivers/block/mtip32xx/mtip32xx.c b/drivers/block/mtip32xx/mti= p32xx.c index 567192e371a8..ccf5c164cf46 100644 --- a/drivers/block/mtip32xx/mtip32xx.c +++ b/drivers/block/mtip32xx/mtip32xx.c @@ -3405,6 +3405,7 @@ static int mtip_block_initialize(struct driver_data *= dd) .max_segment_size =3D 0x400000, }; int rv =3D 0, wait_for_rebuild =3D 0; + bool disk_added =3D false; sector_t capacity; unsigned int index =3D 0; =20 @@ -3438,6 +3439,7 @@ static int mtip_block_initialize(struct driver_data *= dd) dev_err(&dd->pdev->dev, "Unable to allocate request queue\n"); rv =3D -ENOMEM; + dd->disk =3D NULL; goto block_queue_alloc_init_error; } dd->queue =3D dd->disk->queue; @@ -3496,6 +3498,7 @@ static int mtip_block_initialize(struct driver_data *= dd) rv =3D device_add_disk(&dd->pdev->dev, dd->disk, mtip_disk_attr_groups); if (rv) goto read_capacity_error; + disk_added =3D true; =20 if (dd->mtip_svc_handler) { set_bit(MTIP_DDF_INIT_DONE_BIT, &dd->dd_flag); @@ -3511,7 +3514,9 @@ static int mtip_block_initialize(struct driver_data *= dd) dev_err(&dd->pdev->dev, "service thread failed to start\n"); dd->mtip_svc_handler =3D NULL; rv =3D -EFAULT; - goto kthread_run_error; + if (disk_added) + goto kthread_run_error; + goto read_capacity_error; } wake_up_process(dd->mtip_svc_handler); if (wait_for_rebuild =3D=3D MTIP_FTL_REBUILD_MAGIC) @@ -3522,6 +3527,10 @@ static int mtip_block_initialize(struct driver_data = *dd) kthread_run_error: /* Delete our gendisk. This also removes the device from /dev */ del_gendisk(dd->disk); + mtip_hw_debugfs_exit(dd); + blk_mq_free_tag_set(&dd->tags); + mtip_hw_exit(dd); + return rv; read_capacity_error: init_hw_cmds_error: mtip_hw_debugfs_exit(dd); 
@@ -3529,6 +3538,7 @@ static int mtip_block_initialize(struct driver_data *= dd) ida_free(&rssd_index_ida, index); ida_get_error: put_disk(dd->disk); + dd->disk =3D NULL; block_queue_alloc_init_error: blk_mq_free_tag_set(&dd->tags); block_queue_alloc_tag_error: @@ -3839,7 +3849,10 @@ static int mtip_pci_probe(struct pci_dev *pdev, } =20 iomap_err: - kfree(dd); + if (dd->disk) + put_disk(dd->disk); + else + kfree(dd); pci_set_drvdata(pdev, NULL); return rv; done: --=20 2.43.0
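Review bot: the added `dd->disk = NULL;` before `goto block_queue_alloc_init_error` in the request-queue allocation failure hunk exists only so that the new `if (dd->disk)` test at iomap_err in mtip_pci_probe does not treat the failed allocation's return value as a live disk, and nothing at either site says so. Suggest a short comment on that line (for example `/* keep iomap_err from calling put_disk() on the failed allocation */`) and a mention in the commit message, which currently describes clearing dd->disk only for the path that has already called put_disk().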
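Review bot: the pair `if (disk_added) goto kthread_run_error;` / `goto read_capacity_error;` in the service-thread failure hunk is correct, since the `wait_for_rebuild == MTIP_FTL_REBUILD_MAGIC` return a few lines below shows this code is also reached before device_add_disk() on the rebuild path, but that is not visible from the hunk alone. A one-line comment naming the two cases (thread started before versus after the disk was added) would keep the next reader from having to re-derive why two different labels are needed.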
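Review bot: the new early `return rv;` after `mtip_hw_exit(dd);` at kthread_run_error means the post-add failure path no longer reaches the `ida_free(&rssd_index_ida, index);` that the read_capacity_error path still executes. That is only correct if releasing the rssd index is left to the later put_disk() in mtip_pci_probe, i.e. to the .free_disk callback, which neither the hunk nor the commit message states. Please either say so in the commit message or, if .free_disk does not release the index, add the ida_free() here before returning.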
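Review bot: `dd->disk = NULL;` immediately after `put_disk(dd->disk);` at ida_get_error writes to dd after the disk reference has been dropped; this is safe only because, on this never-added path, put_disk() does not run .free_disk and therefore does not free dd (the commit message relies on exactly this when it says put_disk() releases dd "on the added-disk path"). A one-line comment stating that would help, since at first glance the line reads like a write-after-free.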
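Review bot: iomap_err in mtip_pci_probe is also the target for failures that occur before mtip_block_initialize() ever assigns dd->disk, so the new `if (dd->disk) put_disk(dd->disk); else kfree(dd);` depends on dd being zero-initialised at allocation. If it is, a brief comment at the label noting that dd->disk is non-NULL only when the disk was added (every failure path in mtip_block_initialize that drops its own reference now clears it) would make the invariant explicit; if it is not, dd->disk needs to be initialised before the first `goto iomap_err`.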