* [PATCH] ligtnvm: fix double blk_put_queue on same queue
@ 2017-04-19 21:47 Rakesh Pandit
2017-04-20 13:46 ` Matias Bjørling
0 siblings, 1 reply; 5+ messages in thread
From: Rakesh Pandit @ 2017-04-19 21:47 UTC (permalink / raw)
To: Matias Bjorling; +Cc: linux-block, linux-kernel, rakesh
On an error path in NVM_DEV_CREATE ioctl blk_put_queue is being called
twice: one via blk_cleanup_queue and another via put_disk. Straight fix
seems to remove queue pointer so that disk_release never ends up caling
blk_put_queue again.
[ 391.808827] WARNING: CPU: 1 PID: 1250 at lib/refcount.c:128 refcount_sub_and_test+0x70/0x80
[ 391.808830] refcount_t: underflow; use-after-free.
[ 391.808832] Modules linked in: nf_conntrack_netbios_ns............
[ 391.809052] CPU: 1 PID: 1250 Comm: nvme Not tainted.........
[ 391.809057] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
[ 391.809060] Call Trace:
[ 391.809079] dump_stack+0x63/0x86
[ 391.809094] __warn+0xcb/0xf0
[ 391.809103] warn_slowpath_fmt+0x5f/0x80
[ 391.809118] refcount_sub_and_test+0x70/0x80
[ 391.809125] refcount_dec_and_test+0x11/0x20
[ 391.809136] kobject_put+0x1f/0x60
[ 391.809149] blk_put_queue+0x15/0x20
[ 391.809159] disk_release+0xae/0xf0
[ 391.809172] device_release+0x32/0x90
[ 391.809184] kobject_release+0x6a/0x170
[ 391.809196] kobject_put+0x2f/0x60
[ 391.809206] put_disk+0x17/0x20
[ 391.809219] nvm_ioctl_dev_create.isra.16+0x897/0xa30
[ 391.809236] nvm_ctl_ioctl+0x23c/0x4c0
[ 391.809248] do_vfs_ioctl+0xa3/0x5f0
[ 391.809258] SyS_ioctl+0x79/0x90
[ 391.809271] entry_SYSCALL_64_fastpath+0x1a/0xa9
[ 391.809280] RIP: 0033:0x7f5d3ef363c7
[ 391.809286] RSP: 002b:00007ffc72ed8d78 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[ 391.809296] RAX: ffffffffffffffda RBX: 00007ffc72edb552 RCX: 00007f5d3ef363c7
[ 391.809301] RDX: 00007ffc72ed8d90 RSI: 0000000040804c22 RDI: 0000000000000003
[ 391.809306] RBP: 0000000000000001 R08: 0000000000000020 R09: 0000000000000001
[ 391.809311] R10: 000000000000053f R11: 0000000000000206 R12: 0000000000000000
[ 391.809316] R13: 0000000000000000 R14: 00007ffc72edb58d R15: 00007ffc72edb581
Signed-off-by: Rakesh Pandit <rakesh@tuxera.com>
---
drivers/lightnvm/core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/lightnvm/core.c b/drivers/lightnvm/core.c
index 2c26af3..5d7aa45 100644
--- a/drivers/lightnvm/core.c
+++ b/drivers/lightnvm/core.c
@@ -309,6 +309,7 @@ static int nvm_create_tgt(struct nvm_dev *dev, struct nvm_ioctl_create *create)
tt->exit(targetdata);
err_init:
blk_cleanup_queue(tqueue);
+ tdisk->queue = NULL;
err_disk:
put_disk(tdisk);
err_dev:
--
2.5.5
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] ligtnvm: fix double blk_put_queue on same queue
2017-04-19 21:47 [PATCH] ligtnvm: fix double blk_put_queue on same queue Rakesh Pandit
@ 2017-04-20 13:46 ` Matias Bjørling
2017-04-20 14:09 ` Jens Axboe
0 siblings, 1 reply; 5+ messages in thread
From: Matias Bjørling @ 2017-04-20 13:46 UTC (permalink / raw)
To: Rakesh Pandit; +Cc: Jens Axboe, linux-kernel
On 04/19/2017 11:47 PM, Rakesh Pandit wrote:
> On an error path in NVM_DEV_CREATE ioctl blk_put_queue is being called
> twice: one via blk_cleanup_queue and another via put_disk. Straight fix
> seems to remove queue pointer so that disk_release never ends up caling
> blk_put_queue again.
>
> [ 391.808827] WARNING: CPU: 1 PID: 1250 at lib/refcount.c:128 refcount_sub_and_test+0x70/0x80
> [ 391.808830] refcount_t: underflow; use-after-free.
> [ 391.808832] Modules linked in: nf_conntrack_netbios_ns............
> [ 391.809052] CPU: 1 PID: 1250 Comm: nvme Not tainted.........
> [ 391.809057] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
> [ 391.809060] Call Trace:
> [ 391.809079] dump_stack+0x63/0x86
> [ 391.809094] __warn+0xcb/0xf0
> [ 391.809103] warn_slowpath_fmt+0x5f/0x80
> [ 391.809118] refcount_sub_and_test+0x70/0x80
> [ 391.809125] refcount_dec_and_test+0x11/0x20
> [ 391.809136] kobject_put+0x1f/0x60
> [ 391.809149] blk_put_queue+0x15/0x20
> [ 391.809159] disk_release+0xae/0xf0
> [ 391.809172] device_release+0x32/0x90
> [ 391.809184] kobject_release+0x6a/0x170
> [ 391.809196] kobject_put+0x2f/0x60
> [ 391.809206] put_disk+0x17/0x20
> [ 391.809219] nvm_ioctl_dev_create.isra.16+0x897/0xa30
> [ 391.809236] nvm_ctl_ioctl+0x23c/0x4c0
> [ 391.809248] do_vfs_ioctl+0xa3/0x5f0
> [ 391.809258] SyS_ioctl+0x79/0x90
> [ 391.809271] entry_SYSCALL_64_fastpath+0x1a/0xa9
> [ 391.809280] RIP: 0033:0x7f5d3ef363c7
> [ 391.809286] RSP: 002b:00007ffc72ed8d78 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
> [ 391.809296] RAX: ffffffffffffffda RBX: 00007ffc72edb552 RCX: 00007f5d3ef363c7
> [ 391.809301] RDX: 00007ffc72ed8d90 RSI: 0000000040804c22 RDI: 0000000000000003
> [ 391.809306] RBP: 0000000000000001 R08: 0000000000000020 R09: 0000000000000001
> [ 391.809311] R10: 000000000000053f R11: 0000000000000206 R12: 0000000000000000
> [ 391.809316] R13: 0000000000000000 R14: 00007ffc72edb58d R15: 00007ffc72edb581
>
> Signed-off-by: Rakesh Pandit <rakesh@tuxera.com>
> ---
> drivers/lightnvm/core.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/lightnvm/core.c b/drivers/lightnvm/core.c
> index 2c26af3..5d7aa45 100644
> --- a/drivers/lightnvm/core.c
> +++ b/drivers/lightnvm/core.c
> @@ -309,6 +309,7 @@ static int nvm_create_tgt(struct nvm_dev *dev, struct nvm_ioctl_create *create)
> tt->exit(targetdata);
> err_init:
> blk_cleanup_queue(tqueue);
> + tdisk->queue = NULL;
> err_disk:
> put_disk(tdisk);
> err_dev:
>
Thanks Rakesh. Jens, is this too late for -rc1? :)
Reviewed-by: Matias Bjørling <matias@cnexlabs.com>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] ligtnvm: fix double blk_put_queue on same queue
2017-04-20 13:46 ` Matias Bjørling
@ 2017-04-20 14:09 ` Jens Axboe
2017-04-20 14:13 ` Matias Bjørling
0 siblings, 1 reply; 5+ messages in thread
From: Jens Axboe @ 2017-04-20 14:09 UTC (permalink / raw)
To: Matias Bjørling; +Cc: Rakesh Pandit, linux-kernel
On Thu, Apr 20 2017, Matias Bjørling wrote:
> On 04/19/2017 11:47 PM, Rakesh Pandit wrote:
> >On an error path in NVM_DEV_CREATE ioctl blk_put_queue is being called
> >twice: one via blk_cleanup_queue and another via put_disk. Straight fix
> >seems to remove queue pointer so that disk_release never ends up caling
> >blk_put_queue again.
> >
> > [ 391.808827] WARNING: CPU: 1 PID: 1250 at lib/refcount.c:128 refcount_sub_and_test+0x70/0x80
> > [ 391.808830] refcount_t: underflow; use-after-free.
> > [ 391.808832] Modules linked in: nf_conntrack_netbios_ns............
> > [ 391.809052] CPU: 1 PID: 1250 Comm: nvme Not tainted.........
> > [ 391.809057] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> > BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
> > [ 391.809060] Call Trace:
> > [ 391.809079] dump_stack+0x63/0x86
> > [ 391.809094] __warn+0xcb/0xf0
> > [ 391.809103] warn_slowpath_fmt+0x5f/0x80
> > [ 391.809118] refcount_sub_and_test+0x70/0x80
> > [ 391.809125] refcount_dec_and_test+0x11/0x20
> > [ 391.809136] kobject_put+0x1f/0x60
> > [ 391.809149] blk_put_queue+0x15/0x20
> > [ 391.809159] disk_release+0xae/0xf0
> > [ 391.809172] device_release+0x32/0x90
> > [ 391.809184] kobject_release+0x6a/0x170
> > [ 391.809196] kobject_put+0x2f/0x60
> > [ 391.809206] put_disk+0x17/0x20
> > [ 391.809219] nvm_ioctl_dev_create.isra.16+0x897/0xa30
> > [ 391.809236] nvm_ctl_ioctl+0x23c/0x4c0
> > [ 391.809248] do_vfs_ioctl+0xa3/0x5f0
> > [ 391.809258] SyS_ioctl+0x79/0x90
> > [ 391.809271] entry_SYSCALL_64_fastpath+0x1a/0xa9
> > [ 391.809280] RIP: 0033:0x7f5d3ef363c7
> > [ 391.809286] RSP: 002b:00007ffc72ed8d78 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
> > [ 391.809296] RAX: ffffffffffffffda RBX: 00007ffc72edb552 RCX: 00007f5d3ef363c7
> > [ 391.809301] RDX: 00007ffc72ed8d90 RSI: 0000000040804c22 RDI: 0000000000000003
> > [ 391.809306] RBP: 0000000000000001 R08: 0000000000000020 R09: 0000000000000001
> > [ 391.809311] R10: 000000000000053f R11: 0000000000000206 R12: 0000000000000000
> > [ 391.809316] R13: 0000000000000000 R14: 00007ffc72edb58d R15: 00007ffc72edb581
> >
> >Signed-off-by: Rakesh Pandit <rakesh@tuxera.com>
> >---
> > drivers/lightnvm/core.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> >diff --git a/drivers/lightnvm/core.c b/drivers/lightnvm/core.c
> >index 2c26af3..5d7aa45 100644
> >--- a/drivers/lightnvm/core.c
> >+++ b/drivers/lightnvm/core.c
> >@@ -309,6 +309,7 @@ static int nvm_create_tgt(struct nvm_dev *dev, struct nvm_ioctl_create *create)
> > tt->exit(targetdata);
> > err_init:
> > blk_cleanup_queue(tqueue);
> >+ tdisk->queue = NULL;
> > err_disk:
> > put_disk(tdisk);
> > err_dev:
> >
>
> Thanks Rakesh. Jens, is this too late for -rc1? :)
>
> Reviewed-by: Matias Bjørling <matias@cnexlabs.com>
No, there's time. Is this missing a Fixes: line, if it's fixing a commit
that went in for the 4.12 merge window?
--
Jens Axboe
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] ligtnvm: fix double blk_put_queue on same queue
2017-04-20 14:09 ` Jens Axboe
@ 2017-04-20 14:13 ` Matias Bjørling
2017-04-20 14:18 ` Jens Axboe
0 siblings, 1 reply; 5+ messages in thread
From: Matias Bjørling @ 2017-04-20 14:13 UTC (permalink / raw)
To: Jens Axboe; +Cc: Rakesh Pandit, linux-kernel
On 04/20/2017 04:09 PM, Jens Axboe wrote:
> On Thu, Apr 20 2017, Matias Bjørling wrote:
>> On 04/19/2017 11:47 PM, Rakesh Pandit wrote:
>>> On an error path in NVM_DEV_CREATE ioctl blk_put_queue is being called
>>> twice: one via blk_cleanup_queue and another via put_disk. Straight fix
>>> seems to remove queue pointer so that disk_release never ends up caling
>>> blk_put_queue again.
>>>
>>> [ 391.808827] WARNING: CPU: 1 PID: 1250 at lib/refcount.c:128 refcount_sub_and_test+0x70/0x80
>>> [ 391.808830] refcount_t: underflow; use-after-free.
>>> [ 391.808832] Modules linked in: nf_conntrack_netbios_ns............
>>> [ 391.809052] CPU: 1 PID: 1250 Comm: nvme Not tainted.........
>>> [ 391.809057] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
>>> BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
>>> [ 391.809060] Call Trace:
>>> [ 391.809079] dump_stack+0x63/0x86
>>> [ 391.809094] __warn+0xcb/0xf0
>>> [ 391.809103] warn_slowpath_fmt+0x5f/0x80
>>> [ 391.809118] refcount_sub_and_test+0x70/0x80
>>> [ 391.809125] refcount_dec_and_test+0x11/0x20
>>> [ 391.809136] kobject_put+0x1f/0x60
>>> [ 391.809149] blk_put_queue+0x15/0x20
>>> [ 391.809159] disk_release+0xae/0xf0
>>> [ 391.809172] device_release+0x32/0x90
>>> [ 391.809184] kobject_release+0x6a/0x170
>>> [ 391.809196] kobject_put+0x2f/0x60
>>> [ 391.809206] put_disk+0x17/0x20
>>> [ 391.809219] nvm_ioctl_dev_create.isra.16+0x897/0xa30
>>> [ 391.809236] nvm_ctl_ioctl+0x23c/0x4c0
>>> [ 391.809248] do_vfs_ioctl+0xa3/0x5f0
>>> [ 391.809258] SyS_ioctl+0x79/0x90
>>> [ 391.809271] entry_SYSCALL_64_fastpath+0x1a/0xa9
>>> [ 391.809280] RIP: 0033:0x7f5d3ef363c7
>>> [ 391.809286] RSP: 002b:00007ffc72ed8d78 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
>>> [ 391.809296] RAX: ffffffffffffffda RBX: 00007ffc72edb552 RCX: 00007f5d3ef363c7
>>> [ 391.809301] RDX: 00007ffc72ed8d90 RSI: 0000000040804c22 RDI: 0000000000000003
>>> [ 391.809306] RBP: 0000000000000001 R08: 0000000000000020 R09: 0000000000000001
>>> [ 391.809311] R10: 000000000000053f R11: 0000000000000206 R12: 0000000000000000
>>> [ 391.809316] R13: 0000000000000000 R14: 00007ffc72edb58d R15: 00007ffc72edb581
>>>
>>> Signed-off-by: Rakesh Pandit <rakesh@tuxera.com>
>>> ---
>>> drivers/lightnvm/core.c | 1 +
>>> 1 file changed, 1 insertion(+)
>>>
>>> diff --git a/drivers/lightnvm/core.c b/drivers/lightnvm/core.c
>>> index 2c26af3..5d7aa45 100644
>>> --- a/drivers/lightnvm/core.c
>>> +++ b/drivers/lightnvm/core.c
>>> @@ -309,6 +309,7 @@ static int nvm_create_tgt(struct nvm_dev *dev, struct nvm_ioctl_create *create)
>>> tt->exit(targetdata);
>>> err_init:
>>> blk_cleanup_queue(tqueue);
>>> + tdisk->queue = NULL;
>>> err_disk:
>>> put_disk(tdisk);
>>> err_dev:
>>>
>>
>> Thanks Rakesh. Jens, is this too late for -rc1? :)
>>
>> Reviewed-by: Matias Bjørling <matias@cnexlabs.com>
>
> No, there's time. Is this missing a Fixes: line, if it's fixing a commit
> that went in for the 4.12 merge window?
>
Yes, I should have added that as well.
Fixes: 7d1ef2f408ab "lightnvm: fix cleanup order of disk on init error"
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] ligtnvm: fix double blk_put_queue on same queue
2017-04-20 14:13 ` Matias Bjørling
@ 2017-04-20 14:18 ` Jens Axboe
0 siblings, 0 replies; 5+ messages in thread
From: Jens Axboe @ 2017-04-20 14:18 UTC (permalink / raw)
To: Matias Bjørling; +Cc: Rakesh Pandit, linux-kernel
On Thu, Apr 20 2017, Matias Bjørling wrote:
> On 04/20/2017 04:09 PM, Jens Axboe wrote:
> >On Thu, Apr 20 2017, Matias Bjørling wrote:
> >>On 04/19/2017 11:47 PM, Rakesh Pandit wrote:
> >>>On an error path in NVM_DEV_CREATE ioctl blk_put_queue is being called
> >>>twice: one via blk_cleanup_queue and another via put_disk. Straight fix
> >>>seems to remove queue pointer so that disk_release never ends up caling
> >>>blk_put_queue again.
> >>>
> >>> [ 391.808827] WARNING: CPU: 1 PID: 1250 at lib/refcount.c:128 refcount_sub_and_test+0x70/0x80
> >>> [ 391.808830] refcount_t: underflow; use-after-free.
> >>> [ 391.808832] Modules linked in: nf_conntrack_netbios_ns............
> >>> [ 391.809052] CPU: 1 PID: 1250 Comm: nvme Not tainted.........
> >>> [ 391.809057] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> >>> BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
> >>> [ 391.809060] Call Trace:
> >>> [ 391.809079] dump_stack+0x63/0x86
> >>> [ 391.809094] __warn+0xcb/0xf0
> >>> [ 391.809103] warn_slowpath_fmt+0x5f/0x80
> >>> [ 391.809118] refcount_sub_and_test+0x70/0x80
> >>> [ 391.809125] refcount_dec_and_test+0x11/0x20
> >>> [ 391.809136] kobject_put+0x1f/0x60
> >>> [ 391.809149] blk_put_queue+0x15/0x20
> >>> [ 391.809159] disk_release+0xae/0xf0
> >>> [ 391.809172] device_release+0x32/0x90
> >>> [ 391.809184] kobject_release+0x6a/0x170
> >>> [ 391.809196] kobject_put+0x2f/0x60
> >>> [ 391.809206] put_disk+0x17/0x20
> >>> [ 391.809219] nvm_ioctl_dev_create.isra.16+0x897/0xa30
> >>> [ 391.809236] nvm_ctl_ioctl+0x23c/0x4c0
> >>> [ 391.809248] do_vfs_ioctl+0xa3/0x5f0
> >>> [ 391.809258] SyS_ioctl+0x79/0x90
> >>> [ 391.809271] entry_SYSCALL_64_fastpath+0x1a/0xa9
> >>> [ 391.809280] RIP: 0033:0x7f5d3ef363c7
> >>> [ 391.809286] RSP: 002b:00007ffc72ed8d78 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
> >>> [ 391.809296] RAX: ffffffffffffffda RBX: 00007ffc72edb552 RCX: 00007f5d3ef363c7
> >>> [ 391.809301] RDX: 00007ffc72ed8d90 RSI: 0000000040804c22 RDI: 0000000000000003
> >>> [ 391.809306] RBP: 0000000000000001 R08: 0000000000000020 R09: 0000000000000001
> >>> [ 391.809311] R10: 000000000000053f R11: 0000000000000206 R12: 0000000000000000
> >>> [ 391.809316] R13: 0000000000000000 R14: 00007ffc72edb58d R15: 00007ffc72edb581
> >>>
> >>>Signed-off-by: Rakesh Pandit <rakesh@tuxera.com>
> >>>---
> >>>drivers/lightnvm/core.c | 1 +
> >>>1 file changed, 1 insertion(+)
> >>>
> >>>diff --git a/drivers/lightnvm/core.c b/drivers/lightnvm/core.c
> >>>index 2c26af3..5d7aa45 100644
> >>>--- a/drivers/lightnvm/core.c
> >>>+++ b/drivers/lightnvm/core.c
> >>>@@ -309,6 +309,7 @@ static int nvm_create_tgt(struct nvm_dev *dev, struct nvm_ioctl_create *create)
> >>> tt->exit(targetdata);
> >>>err_init:
> >>> blk_cleanup_queue(tqueue);
> >>>+ tdisk->queue = NULL;
> >>>err_disk:
> >>> put_disk(tdisk);
> >>>err_dev:
> >>>
> >>
> >>Thanks Rakesh. Jens, is this too late for -rc1? :)
> >>
> >>Reviewed-by: Matias Bjørling <matias@cnexlabs.com>
> >
> >No, there's time. Is this missing a Fixes: line, if it's fixing a commit
> >that went in for the 4.12 merge window?
> >
>
> Yes, I should have added that as well.
>
> Fixes: 7d1ef2f408ab "lightnvm: fix cleanup order of disk on init error"
Perfect, thanks. Added for 4.12.
--
Jens Axboe
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2017-04-20 14:18 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-04-19 21:47 [PATCH] ligtnvm: fix double blk_put_queue on same queue Rakesh Pandit
2017-04-20 13:46 ` Matias Bjørling
2017-04-20 14:09 ` Jens Axboe
2017-04-20 14:13 ` Matias Bjørling
2017-04-20 14:18 ` Jens Axboe
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).