6.18-stable patches

added patches:
	block-fix-null-pointer-dereference-in-blk_zone_reset_all_bio_endio.patch

diff --git a/queue-6.18/block-fix-null-pointer-dereference-in-blk_zone_reset_all_bio_endio.patch b/queue-6.18/block-fix-null-pointer-dereference-in-blk_zone_reset_all_bio_endio.patch
new file mode 100644 (file)
index 0000000..77020c5
--- /dev/null
+++ b/queue-6.18/block-fix-null-pointer-dereference-in-blk_zone_reset_all_bio_endio.patch
@@ -0,0 +1,64 @@
+From c2b8d20628ca789640f64074a642f9440eefc623 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <dlemoal@kernel.org>
+Date: Thu, 13 Nov 2025 22:40:26 +0900
+Subject: block: fix NULL pointer dereference in blk_zone_reset_all_bio_endio()
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+commit c2b8d20628ca789640f64074a642f9440eefc623 upstream.
+
+For zoned block devices that do not need zone write plugs (e.g. most
+device mapper devices that support zones), the disk hash table of zone
+write plugs is NULL. For such devices, blk_zone_reset_all_bio_endio()
+should not attempt to scan this has table as that causes a NULL pointer
+dereference.
+
+Fix this by checking that the disk does have zone write plugs using the
+atomic counter. This is equivalent to checking for a non-NULL hash table
+but has the advantage to also speed up the execution of
+blk_zone_reset_all_bio_endio() for devices that do use zone write plugs
+but do not have any plug in the hash table (e.g. a disk with only full
+zones).
+
+Fixes: efae226c2ef1 ("block: handle zone management operations completions")
+Reported-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-zoned.c |   21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/block/blk-zoned.c
++++ b/block/blk-zoned.c
+@@ -736,17 +736,20 @@ static void blk_zone_reset_all_bio_endio
+       unsigned long flags;
+       unsigned int i;
+ 
+-      /* Update the condition of all zone write plugs. */
+-      rcu_read_lock();
+-      for (i = 0; i < disk_zone_wplugs_hash_size(disk); i++) {
+-              hlist_for_each_entry_rcu(zwplug, &disk->zone_wplugs_hash[i],
+-                                       node) {
+-                      spin_lock_irqsave(&zwplug->lock, flags);
+-                      disk_zone_wplug_set_wp_offset(disk, zwplug, 0);
+-                      spin_unlock_irqrestore(&zwplug->lock, flags);
++      if (atomic_read(&disk->nr_zone_wplugs)) {
++              /* Update the condition of all zone write plugs. */
++              rcu_read_lock();
++              for (i = 0; i < disk_zone_wplugs_hash_size(disk); i++) {
++                      hlist_for_each_entry_rcu(zwplug,
++                                               &disk->zone_wplugs_hash[i],
++                                               node) {
++                              spin_lock_irqsave(&zwplug->lock, flags);
++                              disk_zone_wplug_set_wp_offset(disk, zwplug, 0);
++                              spin_unlock_irqrestore(&zwplug->lock, flags);
++                      }
+               }
++              rcu_read_unlock();
+       }
+-      rcu_read_unlock();
+ }
+ 
+ static void blk_zone_finish_bio_endio(struct bio *bio)

diff --git a/queue-6.18/series b/queue-6.18/series
index 172bfd4bca50d0085757bc1982f49e78d284695e..157ddb6e60deab3e9f35a8e38c90554d33da0336 100644 (file)
--- a/queue-6.18/series
+++ b/queue-6.18/series
@@ -303,3 +303,4 @@ drm-pagemap-drm-xe-ensure-that-the-devmem-allocation-is-idle-before-use.patch
 drm-nouveau-dispnv50-don-t-call-drm_atomic_get_crtc_state-in-prepare_fb.patch
 drm-imagination-disallow-exporting-of-pm-fw-protected-objects.patch
 erofs-fix-unexpected-eio-under-memory-pressure.patch
+block-fix-null-pointer-dereference-in-blk_zone_reset_all_bio_endio.patch