Date: Mon, 7 May 2018 14:27:36 +0200
From: Christoph Hellwig
To: Jianchao Wang
Cc: keith.busch@intel.com, axboe@fb.com, hch@lst.de, sagi@grimberg.me, linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] nvme-rdma: fix double free in nvme_rdma_free_queue
Message-ID: <20180507122736.GC27843@lst.de>
In-Reply-To: <1525420938-9492-1-git-send-email-jianchao.w.wang@oracle.com>

On Fri, May 04, 2018 at 04:02:18PM +0800, Jianchao Wang wrote:
> BUG: KASAN: double-free or invalid-free in nvme_rdma_free_queue+0xf6/0x110 [nvme_rdma]
> Workqueue: nvme-reset-wq nvme_rdma_reset_ctrl_work [nvme_rdma]
> Call Trace:
>  dump_stack+0x91/0xeb
>  print_address_description+0x6b/0x290
>  kasan_report_invalid_free+0x55/0x80
>  __kasan_slab_free+0x176/0x190
>  kfree+0xeb/0x310
>  nvme_rdma_free_queue+0xf6/0x110 [nvme_rdma]
>  nvme_rdma_configure_admin_queue+0x1a3/0x4d0 [nvme_rdma]
>  nvme_rdma_reset_ctrl_work+0x4e/0xd0 [nvme_rdma]
>  process_one_work+0x3ca/0xaa0
>  worker_thread+0x4e2/0x6c0
>  kthread+0x18d/0x1e0
>  ret_from_fork+0x24/0x30
>
> The double free is on ctrl->async_event_sqe.
> If nvme_rdma_start_queue in nvme_rdma_configure_admin_queue fails,
> nvme_rdma_free_queue will be invoked. However, at the moment, the
> ctrl->async_event_sqe has not been allocated and it has been freed
> in
>  nvme_rdma_reset_ctrl_work
>    -> nvme_rdma_shutdown_ctrl
>      ->nvme_rdma_destroy_admin_queue
>        -> nvme_rdma_free_queue
>
> Signed-off-by: Jianchao Wang

Can you handle this in the caller instead, maybe including a comment?
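
The free ordering described in the quoted report, as an added user-space model (not code from the patch, the reply, or the kernel): a shared free routine runs once on shutdown and again on the configure error path before the buffer is reallocated. All `model_*` names and `tracked_free` are hypothetical, and clearing the pointer after the free is a common remedy assumed here for contrast, not the fix proposed in the patch or requested in the reply.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Simplified user-space model; struct and function names are hypothetical
 * stand-ins for the driver paths named in the report, not kernel code. */
struct model_ctrl {
    void *async_event_sqe;  /* buffer owned by the admin queue */
    bool  sqe_live;         /* true while the buffer is actually allocated */
    int   double_frees;     /* counts frees of an already-freed buffer */
};

/* Stand-in for kfree(): records a double free instead of corrupting the heap. */
static void tracked_free(struct model_ctrl *c)
{
    if (!c->async_event_sqe)
        return;                 /* like kfree(NULL): no-op */
    if (!c->sqe_live) {
        c->double_frees++;      /* stale pointer freed a second time */
        return;
    }
    free(c->async_event_sqe);
    c->sqe_live = false;
}

/* Free routine shared by shutdown and by the configure error path. */
static void model_free_queue(struct model_ctrl *c, bool clear_ptr)
{
    tracked_free(c);
    if (clear_ptr)
        c->async_event_sqe = NULL;  /* assumed remedy: no stale pointer left */
}

/* Reset: shutdown frees the buffer, then configure may fail before
 * the buffer is reallocated. Returns the number of double frees seen. */
int model_reset(bool clear_ptr, bool start_queue_fails)
{
    struct model_ctrl c = { .async_event_sqe = malloc(64), .sqe_live = true };

    model_free_queue(&c, clear_ptr);      /* shutdown -> destroy admin queue */
    if (start_queue_fails) {
        model_free_queue(&c, clear_ptr);  /* error path, nothing reallocated */
        return c.double_frees;
    }
    c.async_event_sqe = malloc(64);       /* normal path: buffer reallocated */
    c.sqe_live = true;
    model_free_queue(&c, clear_ptr);      /* later teardown */
    return c.double_frees;
}
```
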