From a39f6afab90d818ac2894e26942dd378af404667 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 3 Oct 2025 14:46:00 +0200
Subject: [PATCH] 6.17-stable patches

added patches:
	blk-mq-fix-blk_mq_tags-double-free-while-nr_requests-grown.patch
	series
---
 ...-double-free-while-nr_requests-grown.patch | 47 +++++++++++++++++++
 queue-6.17/series                             |  1 +
 2 files changed, 48 insertions(+)
 create mode 100644 queue-6.17/blk-mq-fix-blk_mq_tags-double-free-while-nr_requests-grown.patch
 create mode 100644 queue-6.17/series

diff --git a/queue-6.17/blk-mq-fix-blk_mq_tags-double-free-while-nr_requests-grown.patch b/queue-6.17/blk-mq-fix-blk_mq_tags-double-free-while-nr_requests-grown.patch
new file mode 100644
index 0000000000..c7099ee5c4
--- /dev/null
+++ b/queue-6.17/blk-mq-fix-blk_mq_tags-double-free-while-nr_requests-grown.patch
@@ -0,0 +1,47 @@
+From ba28afbd9eff2a6370f23ef4e6a036ab0cfda409 Mon Sep 17 00:00:00 2001
+From: Yu Kuai <yukuai3@huawei.com>
+Date: Thu, 21 Aug 2025 14:06:12 +0800
+Subject: blk-mq: fix blk_mq_tags double free while nr_requests grown
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+commit ba28afbd9eff2a6370f23ef4e6a036ab0cfda409 upstream.
+
+In the case user trigger tags grow by queue sysfs attribute nr_requests,
+hctx->sched_tags will be freed directly and replaced with a new
+allocated tags, see blk_mq_tag_update_depth().
+
+The problem is that hctx->sched_tags is from elevator->et->tags, while
+et->tags is still the freed tags, hence later elevator exit will try to
+free the tags again, causing kernel panic.
+
+Fix this problem by replacing et->tags with new allocated tags as well.
+
+Noted there are still some long term problems that will require some
+refactor to be fixed thoroughly[1].
+
+[1] https://lore.kernel.org/all/20250815080216.410665-1-yukuai1@huaweicloud.com/
+Fixes: f5a6604f7a44 ("block: fix lockdep warning caused by lock dependency in elv_iosched_store")
+
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Nilay Shroff <nilay@linux.ibm.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Li Nan <linan122@huawei.com>
+Link: https://lore.kernel.org/r/20250821060612.1729939-3-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-mq-tag.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/block/blk-mq-tag.c
++++ b/block/blk-mq-tag.c
+@@ -622,6 +622,7 @@ int blk_mq_tag_update_depth(struct blk_m
+ 			return -ENOMEM;
+ 
+ 		blk_mq_free_map_and_rqs(set, *tagsptr, hctx->queue_num);
++		hctx->queue->elevator->et->tags[hctx->queue_num] = new;
+ 		*tagsptr = new;
+ 	} else {
+ 		/*
diff --git a/queue-6.17/series b/queue-6.17/series
new file mode 100644
index 0000000000..c47cccf3e3
--- /dev/null
+++ b/queue-6.17/series
@@ -0,0 +1 @@
+blk-mq-fix-blk_mq_tags-double-free-while-nr_requests-grown.patch
-- 
2.47.3