From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1032628AbdDTOS4 (ORCPT); Thu, 20 Apr 2017 10:18:56 -0400
Received: from mail-io0-f173.google.com ([209.85.223.173]:34066 "EHLO mail-io0-f173.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1032397AbdDTOSv (ORCPT); Thu, 20 Apr 2017 10:18:51 -0400
Date: Thu, 20 Apr 2017 08:18:20 -0600
From: Jens Axboe
To: Matias Bjørling
Cc: Rakesh Pandit, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] ligtnvm: fix double blk_put_queue on same queue
Message-ID: <20170420141817.GA10057@kernel.dk>
References: <20170419214754.GA7979@hercules.tuxera.com> <520b34ab-6fa9-6c85-1f45-28c1b71fef30@lightnvm.io> <20170420140922.GA13019@kernel.dk>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To:
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Apr 20 2017, Matias Bjørling wrote:
> On 04/20/2017 04:09 PM, Jens Axboe wrote:
> >On Thu, Apr 20 2017, Matias Bjørling wrote:
> >>On 04/19/2017 11:47 PM, Rakesh Pandit wrote:
> >>>On an error path in NVM_DEV_CREATE ioctl blk_put_queue is being called
> >>>twice: one via blk_cleanup_queue and another via put_disk. Straight fix
> >>>seems to remove queue pointer so that disk_release never ends up calling
> >>>blk_put_queue again.
> >>>
> >>> [ 391.808827] WARNING: CPU: 1 PID: 1250 at lib/refcount.c:128 refcount_sub_and_test+0x70/0x80
> >>> [ 391.808830] refcount_t: underflow; use-after-free.
> >>> [ 391.808832] Modules linked in: nf_conntrack_netbios_ns............
> >>> [ 391.809052] CPU: 1 PID: 1250 Comm: nvme Not tainted.........
> >>> [ 391.809057] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), > >>> BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014 > >>> [ 391.809060] Call Trace: > >>> [ 391.809079] dump_stack+0x63/0x86 > >>> [ 391.809094] __warn+0xcb/0xf0 > >>> [ 391.809103] warn_slowpath_fmt+0x5f/0x80 > >>> [ 391.809118] refcount_sub_and_test+0x70/0x80 > >>> [ 391.809125] refcount_dec_and_test+0x11/0x20 > >>> [ 391.809136] kobject_put+0x1f/0x60 > >>> [ 391.809149] blk_put_queue+0x15/0x20 > >>> [ 391.809159] disk_release+0xae/0xf0 > >>> [ 391.809172] device_release+0x32/0x90 > >>> [ 391.809184] kobject_release+0x6a/0x170 > >>> [ 391.809196] kobject_put+0x2f/0x60 > >>> [ 391.809206] put_disk+0x17/0x20 > >>> [ 391.809219] nvm_ioctl_dev_create.isra.16+0x897/0xa30 > >>> [ 391.809236] nvm_ctl_ioctl+0x23c/0x4c0 > >>> [ 391.809248] do_vfs_ioctl+0xa3/0x5f0 > >>> [ 391.809258] SyS_ioctl+0x79/0x90 > >>> [ 391.809271] entry_SYSCALL_64_fastpath+0x1a/0xa9 > >>> [ 391.809280] RIP: 0033:0x7f5d3ef363c7 > >>> [ 391.809286] RSP: 002b:00007ffc72ed8d78 EFLAGS: 00000206 ORIG_RAX: 0000000000000010 > >>> [ 391.809296] RAX: ffffffffffffffda RBX: 00007ffc72edb552 RCX: 00007f5d3ef363c7 > >>> [ 391.809301] RDX: 00007ffc72ed8d90 RSI: 0000000040804c22 RDI: 0000000000000003 > >>> [ 391.809306] RBP: 0000000000000001 R08: 0000000000000020 R09: 0000000000000001 > >>> [ 391.809311] R10: 000000000000053f R11: 0000000000000206 R12: 0000000000000000 > >>> [ 391.809316] R13: 0000000000000000 R14: 00007ffc72edb58d R15: 00007ffc72edb581 > >>> > >>>Signed-off-by: Rakesh Pandit > >>>--- > >>>drivers/lightnvm/core.c | 1 + > >>>1 file changed, 1 insertion(+) > >>> > >>>diff --git a/drivers/lightnvm/core.c b/drivers/lightnvm/core.c > >>>index 2c26af3..5d7aa45 100644 > >>>--- a/drivers/lightnvm/core.c > >>>+++ b/drivers/lightnvm/core.c 
> >>>@@ -309,6 +309,7 @@ static int nvm_create_tgt(struct nvm_dev *dev, struct nvm_ioctl_create *create) > >>> tt->exit(targetdata); > >>>err_init: > >>> blk_cleanup_queue(tqueue); > >>>+ tdisk->queue = NULL; > >>>err_disk: > >>> put_disk(tdisk); > >>>err_dev: > >>> > >> > >>Thanks Rakesh. Jens, is this too late for -rc1? :) > >> > >>Reviewed-by: Matias Bjørling > > > >No, there's time. Is this missing a Fixes: line, if it's fixing a commit > >that went in for the 4.12 merge window? > > > > Yes, I should have added that as well. > > Fixes: 7d1ef2f408ab "lightnvm: fix cleanup order of disk on init error" Perfect, thanks. Added for 4.12. -- Jens Axboe
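Review bot: the commit message is missing a Fixes: tag for the commit that introduced the second blk_put_queue on the err_init path; as agreed further down this thread it should carry `Fixes: 7d1ef2f408ab ("lightnvm: fix cleanup order of disk on init error")` so stable picks it up. The added `tdisk->queue = NULL;` is correct but non-obvious from the hunk alone: a one-line comment above it stating that blk_cleanup_queue() has already dropped the queue reference, so disk_release() must not put it again, would spare the next reader a trip through the refcount underflow trace. Minor: "caling" in the message should read "calling".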
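The refcount underflow described in the quoted commit message, reduced to a userspace model as an added example that is not part of this thread or of the kernel sources. The `struct queue`, `struct disk`, `blk_cleanup_queue`, `put_disk` and `refcount_dec_and_test` here are simplified stand-ins for the kernel objects of the same names, written on the assumption stated in the commit message: the disk's queue pointer is assigned without taking its own reference, so blk_cleanup_queue() and disk_release() both drop the single reference the queue was allocated with. The buggy and the patched error paths are shown side by side.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy refcount modelled on lib/refcount.c: instead of wrapping, a put on a
 * zero count is recorded as an underflow, which is what the kernel WARNs on. */
struct refcount { unsigned int val; int underflowed; };

/* Returns 1 when the last reference was dropped (object should be freed). */
static int refcount_dec_and_test(struct refcount *r)
{
    if (r->val == 0) {          /* kernel: "refcount_t: underflow; use-after-free." */
        r->underflowed = 1;
        return 0;
    }
    return --r->val == 0;
}

struct queue { struct refcount ref; int released; };
struct disk  { struct queue *queue; struct refcount ref; int released; };

static void blk_put_queue(struct queue *q)
{
    if (refcount_dec_and_test(&q->ref))
        q->released = 1;
}

/* Stand-in for blk_cleanup_queue(): tear the queue down and drop the
 * reference it was allocated with. */
static void blk_cleanup_queue(struct queue *q)
{
    blk_put_queue(q);
}

/* Stand-in for put_disk() -> disk_release(): when the disk's own refcount
 * reaches zero it puts the queue it still points at. */
static void put_disk(struct disk *d)
{
    if (refcount_dec_and_test(&d->ref)) {
        if (d->queue)
            blk_put_queue(d->queue);
        d->released = 1;
    }
}

/* Fresh objects as after allocation: one reference each, disk pointing at
 * the queue without holding a reference of its own (assumption from the
 * commit message). */
static void setup(struct disk *d, struct queue *q)
{
    q->ref.val = 1; q->ref.underflowed = 0; q->released = 0;
    d->ref.val = 1; d->ref.underflowed = 0; d->released = 0;
    d->queue = q;
}

/* Error path before the patch: both teardown calls drop the one queue
 * reference, the second put underflows. Returns 1 on underflow. */
static int error_path_buggy(struct disk *d, struct queue *q)
{
    blk_cleanup_queue(q);
    put_disk(d);
    return q->ref.underflowed;
}

/* Error path with the patch applied: clearing the pointer after cleanup
 * keeps disk_release() from putting a reference the disk never owned. */
static int error_path_fixed(struct disk *d, struct queue *q)
{
    blk_cleanup_queue(q);
    d->queue = NULL;            /* the one-line fix from the hunk */
    put_disk(d);
    return q->ref.underflowed;
}

int main(void)
{
    struct disk d; struct queue q;

    setup(&d, &q);
    printf("buggy path underflow: %d\n", error_path_buggy(&d, &q));
    setup(&d, &q);
    printf("fixed path underflow: %d (queue released=%d, disk released=%d)\n",
           error_path_fixed(&d, &q), q.released, d.released);
    return 0;
}
```

The model makes the ownership rule explicit: whichever teardown routine drops the last reference must leave no dangling pointer through which a later release path can put it again. Clearing `queue` is the minimal way to express that on an error path where the disk object must still be released.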