Date: Mon, 22 Jan 2018 11:39:24 +0100
From: Greg Kroah-Hartman
To: "Eremin, Dmitry"
Cc: "devel@driverdev.osuosl.org", "Drokin, Oleg", "Dilger, Andreas", James Simmons, Dan Carpenter, Linux Kernel Mailing List, Lustre Development List
Subject: Re: [PATCH] staging: lustre: Fix avoid intensive reconnecting for ko2iblnd patch
Message-ID: <20180122103924.GB23996@kroah.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jan 16, 2018 at 06:02:07PM +0000, Eremin, Dmitry wrote:
> The logic of the original commit 4d99b2581eff ("staging: lustre: avoid intensive reconnecting for ko2iblnd")
> was assumed conditional free of struct kib_conn if the second argument free_conn in function
> kiblnd_destroy_conn(struct kib_conn *conn, bool free_conn) is true. But this hunk of code was dropped
> from original commit. As result the logic works wrong and current code use struct kib_conn after
> free.
>
> > drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c
> >   3317                  kiblnd_destroy_conn(conn, !peer);
> >                                             ^^^^ Freed always (but should be conditionally)
> >   3318
> >   3319                  spin_lock_irqsave(lock, flags);
> >   3320                  if (!peer)
> >   3321                          continue;
> >   3322
> >   3323                  conn->ibc_peer = peer;
> >                         ^^^^^^^^^^^^^ Use after free
> >   3324                  if (peer->ibp_reconnected < KIB_RECONN_HIGH_RACE)
> >   3325                          list_add_tail(&conn->ibc_list,
> >                                                ^^^^^^^^^^^^
> >   3326                                        &kiblnd_data.kib_reconn_list);
> >   3327                  else
> >   3328                          list_add_tail(&conn->ibc_list,
> >                                                ^^^^^^^^^^^^
> >   3329                                        &kiblnd_data.kib_reconn_wait);
>
> After attached patch this code will use struct kib_conn only when it was not freed.
>
> Signed-off-by: Dmitry Eremin
> ---
> drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd.c b/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd.c > index 2ebc484..a15a625 100644 > --- a/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd.c > +++ b/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd.c > @@ -890,7 +890,8 @@ void kiblnd_destroy_conn(struct kib_conn *conn, bool free_conn) > atomic_dec(&net->ibn_nconns); > } > > - kfree(conn); > + if (free_conn) > + kfree(conn); > } > > int kiblnd_close_peer_conns_locked(struct kib_peer *peer, int why)

This patch needs a real "Fixes:" tag, right?

Also, as this was from 4.6, it should go to the stable trees, right?

Can you resend this with that info, and then send a follow-on patch to
fix this up the way I recommended so that no one is confused in the
future?

thanks,

greg k-h
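
Review bot: In kiblnd_destroy_conn(), the new `if (free_conn)` guard just before the closing brace lets the function return with conn still allocated, but nothing in the hunk documents who owns conn in that case. The quoted caller in o2iblnd_cb.c passes `!peer` and then puts conn back on kib_reconn_list or kib_reconn_wait, so a short comment above the function stating that with free_conn false the caller keeps ownership of conn and is responsible for requeueing or freeing it would make the contract explicit for the next reader. The commit message also names 4d99b2581eff only in prose; a Fixes: trailer carrying that id would record the same link in the changelog.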