From: Jianchao Wang
To: keith.busch@intel.com, axboe@fb.com, hch@lst.de, sagi@grimberg.me
Cc: linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH] nvme: fix use-after-free in nvme_free_ns_head
Date: Fri, 4 May 2018 16:01:57 +0800
Message-Id: <1525420917-9448-1-git-send-email-jianchao.w.wang@oracle.com>
X-Mailer: git-send-email 2.7.4

Currently only nvme_ctrl takes a reference counter on nvme_subsystem;
nvme_ns_head also needs one. Otherwise nvme_free_ns_head will access
nvme_subsystem.ns_ida, which has been freed by __nvme_release_subsystem
after all the references to nvme_subsystem have been released by
nvme_free_ctrl. This could cause memory corruption.

BUG: KASAN: use-after-free in radix_tree_next_chunk+0x9f/0x4b0
Read of size 8 at addr ffff88036494d2e8 by task fio/1815

CPU: 1 PID: 1815 Comm: fio Kdump: loaded Tainted: G W 4.17.0-rc1+ #18
Hardware name: LENOVO 10MLS0E339/3106, BIOS M1AKT22A 06/27/2017
Call Trace:
 dump_stack+0x91/0xeb
 print_address_description+0x6b/0x290
 kasan_report+0x261/0x360
 radix_tree_next_chunk+0x9f/0x4b0
 ida_remove+0x8b/0x180
 ida_simple_remove+0x26/0x40
 nvme_free_ns_head+0x58/0xc0
 __blkdev_put+0x30a/0x3a0
 blkdev_close+0x44/0x50
 __fput+0x184/0x380
 task_work_run+0xaf/0xe0
 do_exit+0x501/0x1440
 do_group_exit+0x89/0x140
 __x64_sys_exit_group+0x28/0x30
 do_syscall_64+0x72/0x230

Signed-off-by: Jianchao Wang
---
 drivers/nvme/host/core.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c index 0e95082..6ef2915 100644 --- a/drivers/nvme/host/core.c +++ b/drivers/nvme/host/core.c @@ -99,6 +99,7 @@ static struct class *nvme_subsys_class; static void nvme_ns_remove(struct nvme_ns *ns); static int nvme_revalidate_disk(struct gendisk *disk); +static void nvme_put_subsystem(struct nvme_subsystem *subsys); int nvme_reset_ctrl(struct nvme_ctrl *ctrl) { @@ -350,6 +351,7 @@ static void nvme_free_ns_head(struct kref *ref) ida_simple_remove(&head->subsys->ns_ida, head->instance); list_del_init(&head->entry); cleanup_srcu_struct(&head->srcu); + nvme_put_subsystem(head->subsys); kfree(head); } @@ -2860,6 +2862,9 @@ static struct nvme_ns_head *nvme_alloc_ns_head(struct nvme_ctrl *ctrl, goto out_cleanup_srcu; list_add_tail(&head->entry, &ctrl->subsys->nsheads); + + kref_get(&ctrl->subsys->ref); + return head; out_cleanup_srcu: cleanup_srcu_struct(&head->srcu); -- 2.7.4
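Review bot: the forward declaration `static void nvme_put_subsystem(struct nvme_subsystem *subsys);` in the first hunk exists only because nvme_free_ns_head (around line 350) sits above the definition of nvme_put_subsystem in core.c; it follows the two existing forward declarations for nvme_ns_remove and nvme_revalidate_disk directly above it, so the placement is consistent, but a one-line remark in the changelog about why it is needed would stop a later cleanup from removing it as apparently unused.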
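Review bot: the ordering in the nvme_free_ns_head hunk is the thing to verify, and it is right: `nvme_put_subsystem(head->subsys);` comes after `ida_simple_remove(&head->subsys->ns_ida, head->instance);`, which is the last use of the subsystem, and nothing between the put and `kfree(head)` dereferences head->subsys. What the changelog should also say is that this put can now be the final reference: per the trace, nvme_free_ns_head runs from __blkdev_put/blkdev_close during task exit, so __nvme_release_subsystem may now run from that path rather than only via nvme_free_ctrl, and any locking it expects should be checked against that context.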
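Review bot: `kref_get(&ctrl->subsys->ref);` in the nvme_alloc_ns_head hunk sits after `list_add_tail(&head->entry, &ctrl->subsys->nsheads);` and after the last `goto out_cleanup_srcu`, so the out_cleanup_srcu error path correctly needs no matching put; keep that invariant if a failure point is ever added after the list_add_tail. Two minor points: the blank lines on both sides of the kref_get are surplus whitespace, and a small nvme_get_subsystem() wrapper (not part of this patch, name suggested here) paired with nvme_put_subsystem would make the get/put symmetry explicit. The changelog also lacks a Fixes: tag pointing at the commit that introduced nvme_ns_head and ns_ida.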
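The lifetime mismatch the changelog describes, as an added userspace model that is not the patch's or the kernel's code: a toy kref, a subsystem whose ns_ida dies with it, and a namespace head that either merely borrows the subsystem (the pre-patch state) or takes its own reference (what the patch adds). The kref, container_of and every function name below are constructed stand-ins for the kernel ones; the real __nvme_release_subsystem frees the subsystem, whereas the model keeps it as a tombstone so it can detect the stale ns_ida access instead of performing it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed userspace stand-in for the kernel's kref; not <linux/kref.h>. */
struct kref { int refcount; };
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

static void kref_init(struct kref *k) { k->refcount = 1; }
static void kref_get(struct kref *k) { k->refcount++; }
static void kref_put(struct kref *k, void (*release)(struct kref *))
{
	if (--k->refcount == 0)
		release(k);
}

/* Model of nvme_subsystem: ns_ida lives inside it and dies with it. */
struct subsystem {
	struct kref ref;
	bool ns_ida_alive;	/* false once the release callback has run */
};

/* Model of nvme_ns_head: borrows subsys->ns_ida for its instance number. */
struct ns_head {
	struct subsystem *subsys;
	int instance;
};

enum outcome { OUTCOME_CLEAN, OUTCOME_UAF, OUTCOME_LEAK };

/* Stands in for __nvme_release_subsystem. The struct is left allocated as
 * a tombstone so the model detects, rather than performs, a use-after-free. */
static void release_subsystem(struct kref *ref)
{
	struct subsystem *subsys = container_of(ref, struct subsystem, ref);
	subsys->ns_ida_alive = false;
}

static void put_subsystem(struct subsystem *subsys)
{
	kref_put(&subsys->ref, release_subsystem);
}

/* Stands in for nvme_alloc_ns_head; with_fix adds the patch's kref_get. */
static struct ns_head *alloc_ns_head(struct subsystem *subsys, bool with_fix)
{
	struct ns_head *head = calloc(1, sizeof(*head));
	if (!head)
		return NULL;
	head->subsys = subsys;
	head->instance = 0;	/* would come from ida_simple_get(&subsys->ns_ida) */
	if (with_fix)
		kref_get(&subsys->ref);
	return head;
}

/* Stands in for nvme_free_ns_head. Returns true if ida_simple_remove() would
 * have touched an already-released ns_ida (the KASAN report in the changelog). */
static bool free_ns_head(struct ns_head *head, bool with_fix)
{
	bool uaf = !head->subsys->ns_ida_alive;
	if (with_fix)
		put_subsystem(head->subsys);	/* the patch's put, after the last ida use */
	free(head);
	return uaf;
}

/* Replays the changelog's ordering: the controller drops its reference
 * (nvme_free_ctrl) while a namespace head is still open, and the head is
 * freed later from blkdev_close(). */
enum outcome replay_ctrl_gone_before_head(bool with_fix)
{
	struct subsystem *subsys = calloc(1, sizeof(*subsys));
	if (!subsys)
		return OUTCOME_LEAK;	/* allocation failure: nothing to model */
	kref_init(&subsys->ref);	/* the one reference owned by the controller */
	subsys->ns_ida_alive = true;

	struct ns_head *head = alloc_ns_head(subsys, with_fix);
	if (!head) {
		free(subsys);
		return OUTCOME_LEAK;
	}

	put_subsystem(subsys);			/* nvme_free_ctrl: controller's reference gone */
	bool uaf = free_ns_head(head, with_fix);	/* later: __blkdev_put -> nvme_free_ns_head */

	enum outcome result = uaf ? OUTCOME_UAF :
			      (subsys->ns_ida_alive ? OUTCOME_LEAK : OUTCOME_CLEAN);
	free(subsys);				/* reclaim the tombstone */
	return result;
}

int main(void)
{
	printf("without patch: %s\n",
	       replay_ctrl_gone_before_head(false) == OUTCOME_UAF ? "use-after-free" : "clean");
	printf("with patch:    %s\n",
	       replay_ctrl_gone_before_head(true) == OUTCOME_CLEAN ? "clean" : "problem");
	return 0;
}
```

The replay returns OUTCOME_UAF without the extra reference and OUTCOME_CLEAN with it; the OUTCOME_LEAK branch is what you would see if the head took a reference but never dropped it, which is why the put in free_ns_head matters as much as the get in alloc_ns_head.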