From: Jianchao Wang
To: keith.busch@intel.com, axboe@fb.com, hch@lst.de, sagi@grimberg.me
Cc: linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH V2] nvme-rdma: fix double free in nvme_rdma_free_queue
Date: Thu, 10 May 2018 17:42:08 +0800
Message-Id: <1525945328-1908-1-git-send-email-jianchao.w.wang@oracle.com>
X-Mailing-List: linux-kernel@vger.kernel.org

BUG: KASAN: double-free or invalid-free in nvme_rdma_free_queue+0xf6/0x110 [nvme_rdma]
Workqueue: nvme-reset-wq nvme_rdma_reset_ctrl_work [nvme_rdma]
Call Trace:
 dump_stack+0x91/0xeb
 print_address_description+0x6b/0x290
 kasan_report_invalid_free+0x55/0x80
 __kasan_slab_free+0x176/0x190
 kfree+0xeb/0x310
 nvme_rdma_free_queue+0xf6/0x110 [nvme_rdma]
 nvme_rdma_configure_admin_queue+0x1a3/0x4d0 [nvme_rdma]
 nvme_rdma_reset_ctrl_work+0x4e/0xd0 [nvme_rdma]
 process_one_work+0x3ca/0xaa0
 worker_thread+0x4e2/0x6c0
 kthread+0x18d/0x1e0
 ret_from_fork+0x24/0x30

The double free is on ctrl->async_event_sqe. If any case fails before
ctrl->async_event_sqe is allocated in nvme_rdma_configure_admin_queue,
nvme_rdma_free_queue will be invoked. However, at the moment, the
ctrl->async_event_sqe has not been allocated because it has been freed in
nvme_rdma_reset_ctrl_work -> nvme_rdma_shutdown_ctrl ->
nvme_rdma_destroy_admin_queue -> nvme_rdma_free_queue.

Signed-off-by: Jianchao Wang
---
V2: handle it in nvme_rdma_free_queue and add some comment to explain it.

 drivers/nvme/host/rdma.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c index 966e0dd..fa5cf87 100644 --- a/drivers/nvme/host/rdma.c +++ b/drivers/nvme/host/rdma.c @@ -561,9 +561,18 @@ static void nvme_rdma_free_queue(struct nvme_rdma_queue *queue) return; if (nvme_rdma_queue_idx(queue) == 0) { - nvme_rdma_free_qe(queue->device->dev, - &queue->ctrl->async_event_sqe, - sizeof(struct nvme_command), DMA_TO_DEVICE); + /* + * async_event_sqe is not allocated in nvme_rdma_alloc_queue. + * so there are cases where NVME_RDMA_Q_ALLOCATED is set, but + * async_event_sqe is not allocated. To avoid double free, set + * async_event_sqe.data to NULL to indicate it has been freed. + */ + if (queue->ctrl->async_event_sqe.data) { + nvme_rdma_free_qe(queue->device->dev, + &queue->ctrl->async_event_sqe, + sizeof(struct nvme_command), DMA_TO_DEVICE); + queue->ctrl->async_event_sqe.data = NULL; + } } nvme_rdma_destroy_queue_ib(queue); -- 2.7.4
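Review bot: the guard added in the nvme_rdma_queue_idx(queue) == 0 branch uses async_event_sqe.data as the only record of whether the SQE is allocated, so it is correct only if every path that does not complete the allocation leaves .data NULL; the hunk clears .data after a successful free, but the allocating side in nvme_rdma_configure_admin_queue and the failure path inside nvme_rdma_alloc_qe are outside this diff and should be checked so that neither leaves a stale non-NULL pointer behind, since a kfree that does not clear the pointer would pass this check and reproduce the KASAN double free. A more robust alternative, which the new comment itself points at, is to allocate async_event_sqe in nvme_rdma_alloc_queue together with the other per-queue resources, so that NVME_RDMA_Q_ALLOCATED covers its lifetime and nvme_rdma_free_queue needs no separate sentinel. Minor: the comment reads better as one sentence, e.g. "async_event_sqe is not allocated in nvme_rdma_alloc_queue, so there are cases where NVME_RDMA_Q_ALLOCATED is set but async_event_sqe is not allocated."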