From: Bart Van Assche
To: "linux-kernel@vger.kernel.org", "mroos@linux.ee", "linux-block@vger.kernel.org"
Subject: Re: 4.12 NULL pointer dereference in kmem_cache_free on USB storage removal
Date: Thu, 13 Jul 2017 21:07:39 +0000
Message-ID: <1499980058.2740.22.camel@wdc.com>

On Thu, 2017-07-13 at 23:24 +0300, Meelis Roos wrote:
> [258062.320700] RIP: 0010:kmem_cache_free+0x12/0x160
> [258062.320886] Call Trace:
> [258062.320897] scsi_exit_rq+0x4d/0x60
> [258062.320909] free_request_size+0x1c/0x30
> [258062.320923] mempool_destroy+0x1d/0x60
> [258062.320935] blk_exit_rl+0x1b/0x40
> [258062.320946] __blk_release_queue+0x7d/0x120
> [258062.320959] process_one_work+0x1af/0x340
> [258062.320972] worker_thread+0x43/0x3e0
> [258062.320984] kthread+0xfe/0x130
> [258062.320995] ? create_worker+0x170/0x170
> [258062.321007] ? kthread_create_on_node+0x40/0x40
> [258062.321022] ret_from_fork+0x22/0x30

Hello Meelis,

Thank you for your report. Can you apply commit 8e6882545d8c ("scsi: Avoid
that scsi_exit_rq() triggers a use-after-free") on top of kernel v4.12 and
retest? That commit has been tagged "Cc: stable" so I hope that this patch
will be included in kernel v4.12.1. However, that kernel is not yet available
unfortunately ...

Thanks,

Bart.