git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Ming Lei <ming.lei@redhat.com>
	Wed, 25 Dec 2024 11:06:40 +0000 (19:06 +0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 2 Jan 2025 09:34:20 +0000 (10:34 +0100)
commit	7d680f2f76a3417fdfc3946da7471e81464f7b41
tree	b1ec11aeaa74eb56dfa95852db5279927e1c8a22	tree
parent	ccdc8fd86fc7b34630bc1ce2da26537219f8b473	commit \| diff

ublk: detach gendisk from ublk device if add_disk() fails

[ Upstream commit 75cd4005da5492129917a4a4ee45e81660556104 ]

Inside ublk_abort_requests(), gendisk is grabbed for aborting all
inflight requests. And ublk_abort_requests() is called when exiting
the uring context or handling timeout.

If add_disk() fails, the gendisk may have been freed when calling
ublk_abort_requests(), so use-after-free can be caused when getting
disk's reference in ublk_abort_requests().

Fixes the bug by detaching gendisk from ublk device if add_disk() fails.

Fixes: bd23f6c2c2d0 ("ublk: quiesce request queue when aborting queue")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20241225110640.351531-1-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>