Subject: Re: [PATCH] nvme-rdma: fix double free in nvme_rdma_free_queue
To: Christoph Hellwig
Cc: keith.busch@intel.com, axboe@fb.com, sagi@grimberg.me, linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org
References: <1525420938-9492-1-git-send-email-jianchao.w.wang@oracle.com> <20180507122736.GC27843@lst.de>
From: "jianchao.wang"
Message-ID: <65152af5-9dc1-d6fb-6790-6055535f8048@oracle.com>
Date: Tue, 8 May 2018 16:31:54 +0800
In-Reply-To: <20180507122736.GC27843@lst.de>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Christoph

On 05/07/2018 08:27 PM, Christoph Hellwig wrote:
> On Fri, May 04, 2018 at 04:02:18PM +0800, Jianchao Wang wrote:
>> BUG: KASAN: double-free or invalid-free in nvme_rdma_free_queue+0xf6/0x110 [nvme_rdma]
>> Workqueue: nvme-reset-wq nvme_rdma_reset_ctrl_work [nvme_rdma]
>> Call Trace:
>>  dump_stack+0x91/0xeb
>>  print_address_description+0x6b/0x290
>>  kasan_report_invalid_free+0x55/0x80
>>  __kasan_slab_free+0x176/0x190
>>  kfree+0xeb/0x310
>>  nvme_rdma_free_queue+0xf6/0x110 [nvme_rdma]
>>  nvme_rdma_configure_admin_queue+0x1a3/0x4d0 [nvme_rdma]
>>  nvme_rdma_reset_ctrl_work+0x4e/0xd0 [nvme_rdma]
>>  process_one_work+0x3ca/0xaa0
>>  worker_thread+0x4e2/0x6c0
>>  kthread+0x18d/0x1e0
>>  ret_from_fork+0x24/0x30
>>
>> The double free is on ctrl->async_event_sqe.
>> If nvme_rdma_start_queue in nvme_rdma_configure_admin_queue fails,
>> nvme_rdma_free_queue will be invoked. However, at the moment, the
>> ctrl->async_event_sqe has not been allocated and it has been freed
>> in
>> nvme_rdma_reset_ctrl_work
>>   -> nvme_rdma_shutdown_ctrl
>>     ->nvme_rdma_destroy_admin_queue
>>       -> nvme_rdma_free_queue
>>
>> Signed-off-by: Jianchao Wang
>
> Can you handle this in the caller instead, maybe including a comment?
>

Yes, that will be clearer.
Thanks for your suggestion.

Jianchao
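
The failure sequence from the quoted report, replayed as a small user-space C model. This is an added example, not code from the nvme-rdma driver or from the patch under discussion: `model_kfree`, `free_queue_stale`, `free_queue_cleared` and `reset_double_frees` are hypothetical names, and clearing the pointer after the free is an assumed mitigation shown for contrast, not the change agreed in this thread.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed user-space model (not driver code); only the call order follows the thread. */
struct ctrl {
	void *async_event_sqe; /* models ctrl->async_event_sqe */
	bool sqe_live;         /* shadow state: is the buffer currently allocated? */
	int double_frees;      /* frees attempted on already-freed memory */
};
typedef void (*free_fn)(struct ctrl *);
/* Stand-in for kfree(): counts a double free instead of corrupting the heap. */
static void model_kfree(struct ctrl *c)
{
	if (c->async_event_sqe && !c->sqe_live)
		c->double_frees++;          /* stale pointer freed a second time */
	else
		free(c->async_event_sqe);   /* free(NULL), like kfree(NULL), is a no-op */
	c->sqe_live = false;
}
/* Free path as in the report: the pointer stays stale after the free. */
static void free_queue_stale(struct ctrl *c) { model_kfree(c); }
/* Hypothetical hardening: clear the pointer so a repeated call is harmless. */
static void free_queue_cleared(struct ctrl *c) { model_kfree(c); c->async_event_sqe = NULL; }

static int configure_admin_queue(struct ctrl *c, bool start_ok, free_fn fq)
{
	if (!start_ok) {                 /* models nvme_rdma_start_queue failing */
		fq(c);                   /* error path runs before re-allocation */
		return -1;
	}
	c->async_event_sqe = malloc(64);
	c->sqe_live = c->async_event_sqe != NULL;
	return c->sqe_live ? 0 : -1;
}

/* Replays connect, then reset (shutdown + reconfigure); returns double frees seen. */
int reset_double_frees(bool clear_ptr, bool start_ok)
{
	struct ctrl c = {0};
	free_fn fq = clear_ptr ? free_queue_cleared : free_queue_stale;
	configure_admin_queue(&c, true, fq);     /* initial connect */
	fq(&c);                                  /* shutdown_ctrl -> destroy_admin_queue -> free_queue */
	configure_admin_queue(&c, start_ok, fq); /* reconfigure during reset */
	if (c.sqe_live)
		fq(&c);                          /* release the model's buffer */
	return c.double_frees;
}

int main(void) { printf("stale=%d cleared=%d\n", reset_double_frees(false, false), reset_double_frees(true, false)); return 0; }
```

The double free appears only when the start step fails during the reset, which is why the path is easy to miss without KASAN or fault injection on the error branch.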