Message-ID: <202512301645.vLzgeSuh-lkp@intel.com>
Date: Tue, 30 Dec 2025 17:09:32 +0800
From: kernel test robot <lkp@...el.com>
To: Fengnan Chang <fengnanchang@...il.com>
Cc: oe-kbuild-all@...ts.linux.dev, linux-kernel@...r.kernel.org,
 Jens Axboe <axboe@...nel.dk>, Yu Kuai <yukuai3@...wei.com>
Subject: block/blk-mq.c:4380:16: sparse: sparse: incorrect type in
 argument 1 (different address spaces)

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   8640b74557fc8b4c300030f6ccb8cd078f665ec8
commit: 89e1fb7ceffd898505ad7fa57acec0585bfaa2cc blk-mq: fix potential uaf for 'queue_hw_ctx'
date:   5 weeks ago
config: powerpc64-randconfig-r132-20251230 (https://download.01.org/0day-ci/archive/20251230/202512301645.vLzgeSuh-lkp@intel.com/config)
compiler: powerpc64-linux-gcc (GCC) 10.5.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251230/202512301645.vLzgeSuh-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@...el.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202512301645.vLzgeSuh-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
>> block/blk-mq.c:4380:16: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void const *objp @@     got struct blk_mq_hw_ctx *[noderef] __rcu *queue_hw_ctx @@
   block/blk-mq.c:4380:16: sparse:     expected void const *objp
   block/blk-mq.c:4380:16: sparse:     got struct blk_mq_hw_ctx *[noderef] __rcu *queue_hw_ctx
   block/blk-mq.c:4525:41: sparse: sparse: incorrect type in initializer (different address spaces) @@     expected struct blk_mq_hw_ctx **hctxs @@     got struct blk_mq_hw_ctx *[noderef] __rcu *queue_hw_ctx @@
   block/blk-mq.c:4525:41: sparse:     expected struct blk_mq_hw_ctx **hctxs
   block/blk-mq.c:4525:41: sparse:     got struct blk_mq_hw_ctx *[noderef] __rcu *queue_hw_ctx
>> block/blk-mq.c:733:36: sparse: sparse: dereference of noderef expression
   block/blk-mq.c: note: in included file:
   block/blk-mq.h:87:31: sparse: sparse: dereference of noderef expression
   block/blk-mq.h:87:31: sparse: sparse: dereference of noderef expression
   block/blk-mq.h:87:31: sparse: sparse: dereference of noderef expression
   block/blk-mq.h:87:31: sparse: sparse: dereference of noderef expression
   block/blk-mq.h:87:31: sparse: sparse: dereference of noderef expression
   block/blk-mq.h:87:31: sparse: sparse: dereference of noderef expression
   block/blk-mq.c:5211:48: sparse: sparse: dereference of noderef expression

vim +4380 block/blk-mq.c

1db4909e76f64a Ming Lei      2018-11-20  4359  
e09aae7edec1d2 Ming Lei      2015-01-29  4360  /*
e09aae7edec1d2 Ming Lei      2015-01-29  4361   * It is the actual release handler for mq, but we do it from
e09aae7edec1d2 Ming Lei      2015-01-29  4362   * request queue's release handler for avoiding use-after-free
e09aae7edec1d2 Ming Lei      2015-01-29  4363   * and headache because q->mq_kobj shouldn't have been introduced,
e09aae7edec1d2 Ming Lei      2015-01-29  4364   * but we can't group ctx/kctx kobj without it.
e09aae7edec1d2 Ming Lei      2015-01-29  4365   */
e09aae7edec1d2 Ming Lei      2015-01-29  4366  void blk_mq_release(struct request_queue *q)
e09aae7edec1d2 Ming Lei      2015-01-29  4367  {
2f8f1336a48bd5 Ming Lei      2019-04-30  4368  	struct blk_mq_hw_ctx *hctx, *next;
4f481208749a22 Ming Lei      2022-03-08  4369  	unsigned long i;
e09aae7edec1d2 Ming Lei      2015-01-29  4370  
2f8f1336a48bd5 Ming Lei      2019-04-30  4371  	queue_for_each_hw_ctx(q, hctx, i)
2f8f1336a48bd5 Ming Lei      2019-04-30  4372  		WARN_ON_ONCE(hctx && list_empty(&hctx->hctx_list));
2f8f1336a48bd5 Ming Lei      2019-04-30  4373  
2f8f1336a48bd5 Ming Lei      2019-04-30  4374  	/* all hctx are in .unused_hctx_list now */
2f8f1336a48bd5 Ming Lei      2019-04-30  4375  	list_for_each_entry_safe(hctx, next, &q->unused_hctx_list, hctx_list) {
2f8f1336a48bd5 Ming Lei      2019-04-30  4376  		list_del_init(&hctx->hctx_list);
6c8b232efea1ad Ming Lei      2017-02-22  4377  		kobject_put(&hctx->kobj);
c3b4afca7023b5 Ming Lei      2015-06-04  4378  	}
e09aae7edec1d2 Ming Lei      2015-01-29  4379  
d0c98769ee7d5d Fengnan Chang 2025-11-28 @4380  	kfree(q->queue_hw_ctx);
e09aae7edec1d2 Ming Lei      2015-01-29  4381  
7ea5fe31c12dd8 Ming Lei      2017-02-22  4382  	/*
7ea5fe31c12dd8 Ming Lei      2017-02-22  4383  	 * release .mq_kobj and sw queue's kobject now because
7ea5fe31c12dd8 Ming Lei      2017-02-22  4384  	 * both share lifetime with request queue.
7ea5fe31c12dd8 Ming Lei      2017-02-22  4385  	 */
7ea5fe31c12dd8 Ming Lei      2017-02-22  4386  	blk_mq_sysfs_deinit(q);
e09aae7edec1d2 Ming Lei      2015-01-29  4387  }
e09aae7edec1d2 Ming Lei      2015-01-29  4388  

:::::: The code at line 4380 was first introduced by commit
:::::: d0c98769ee7d5db8d699a270690639cde1766cd4 blk-mq: use array manage hctx map instead of xarray

:::::: TO: Fengnan Chang <fengnanchang@...il.com>
:::::: CC: Jens Axboe <axboe@...nel.dk>

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
