From: Jianchao Wang
To: keith.busch@intel.com, axboe@fb.com, hch@lst.de, sagi@grimberg.me
Cc: linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH V2] nvme-rdma: stop queue first before free it in config admin queue
Date: Thu, 10 May 2018 17:42:27 +0800
Message-Id: <1525945347-1964-1-git-send-email-jianchao.w.wang@oracle.com>

When any of the cases after nvme_rdma_start_queue in
nvme_rdma_configure_admin_queue fails, ctrl->queues[0] will be
freed but NVME_RDMA_Q_LIVE is still set. If nvme_rdma_stop_queue
is invoked, we will incur a use-after-free which will cause memory
corruption.

BUG: KASAN: use-after-free in rdma_disconnect+0x1f/0xe0 [rdma_cm]
Read of size 8 at addr ffff8801dc3969c0 by task kworker/u16:3/9304

CPU: 3 PID: 9304 Comm: kworker/u16:3 Kdump: loaded Tainted: G W 4.17.0-rc3+ #20
Workqueue: nvme-delete-wq nvme_delete_ctrl_work
Call Trace:
 dump_stack+0x91/0xeb
 print_address_description+0x6b/0x290
 kasan_report+0x261/0x360
 rdma_disconnect+0x1f/0xe0 [rdma_cm]
 nvme_rdma_stop_queue+0x25/0x40 [nvme_rdma]
 nvme_rdma_shutdown_ctrl+0xf3/0x150 [nvme_rdma]
 nvme_delete_ctrl_work+0x98/0xe0
 process_one_work+0x3ca/0xaa0
 worker_thread+0x4e2/0x6c0
 kthread+0x18d/0x1e0
 ret_from_fork+0x24/0x30

To fix it, call nvme_rdma_stop_queue for all the failed cases after
nvme_rdma_start_queue.

Signed-off-by: Jianchao Wang --- V2: based on Sagi's suggestion, add out_stop_queue lable and invoke nvme_rdma_stop_queue in all the failed cases after nvme_rdma_start_queue drivers/nvme/host/rdma.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c index a0ead1d..966e0dd 100644 --- a/drivers/nvme/host/rdma.c +++ b/drivers/nvme/host/rdma.c @@ -777,7 +777,7 @@ static int nvme_rdma_configure_admin_queue(struct nvme_rdma_ctrl *ctrl, if (error) { dev_err(ctrl->ctrl.device, "prop_get NVME_REG_CAP failed\n"); - goto out_cleanup_queue; + goto out_stop_queue; } ctrl->ctrl.sqsize = @@ -785,23 +785,25 @@ static int nvme_rdma_configure_admin_queue(struct nvme_rdma_ctrl *ctrl, error = nvme_enable_ctrl(&ctrl->ctrl, ctrl->ctrl.cap); if (error) - goto out_cleanup_queue; + goto out_stop_queue; ctrl->ctrl.max_hw_sectors = (ctrl->max_fr_pages - 1) << (ilog2(SZ_4K) - 9); error = nvme_init_identify(&ctrl->ctrl); if (error) - goto out_cleanup_queue; + goto out_stop_queue; error = nvme_rdma_alloc_qe(ctrl->queues[0].device->dev, &ctrl->async_event_sqe, sizeof(struct nvme_command), DMA_TO_DEVICE); if (error) - goto out_cleanup_queue; + goto out_stop_queue; return 0; +out_stop_queue: + nvme_rdma_stop_queue(&ctrl->queues[0]); out_cleanup_queue: if (new) blk_cleanup_queue(ctrl->ctrl.admin_q); -- 2.7.4
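
Review bot: the first hunk (@@ -777) starts its context at the NVME_REG_CAP prop_get check, so the call to nvme_rdma_start_queue and anything between it and this check are not visible. The commit message promises out_stop_queue for every failure after nvme_rdma_start_queue, and the diffstat shows exactly four converted gotos, all of them at or below this check. Please confirm that no error path between nvme_rdma_start_queue and the prop_get call still jumps to out_cleanup_queue, since such a path would leave the same use-after-free in place.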
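
Review bot: the new out_stop_queue label in the second hunk (@@ -785) is correct only because it falls through into out_cleanup_queue and the labels after it, and nothing in the code says so. The ordering is the fix: the queue has to be stopped before it is freed, otherwise the later nvme_rdma_stop_queue call from nvme_rdma_shutdown_ctrl shown in the KASAN trace runs against freed memory. A one-line comment above the label stating that the queue must be stopped before the cleanup below frees it would keep a future error path from being added under the wrong label. Since this fixes a use-after-free, the changelog would also benefit from a Fixes: tag naming the commit that introduced the unbalanced error path.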