From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jianchao Wang, Sagi Grimberg, Max Gurtovoy, Christoph Hellwig, Sasha Levin
Subject: [PATCH 4.14 089/246] nvme-rdma: stop admin queue before freeing it
Date: Wed, 1 Aug 2018 18:49:59 +0200
Message-Id: <20180801165015.967427698@linuxfoundation.org>
In-Reply-To: <20180801165011.700991984@linuxfoundation.org>
References: <20180801165011.700991984@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jianchao Wang

[ Upstream commit 2e050f00a0f0e07467050cb4afae0234941e5bf3 ]

For any failure after nvme_rdma_start_queue in
nvme_rdma_configure_admin_queue, the admin queue will be freed with the
NVME_RDMA_Q_LIVE flag still set. Once nvme_rdma_stop_queue is invoked,
that will cause a use-after-free.

BUG: KASAN: use-after-free in rdma_disconnect+0x1f/0xe0 [rdma_cm]

To fix it, call nvme_rdma_stop_queue for all the failed cases after
nvme_rdma_start_queue.

Signed-off-by: Jianchao Wang
Suggested-by: Sagi Grimberg
Reviewed-by: Max Gurtovoy
Signed-off-by: Christoph Hellwig
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman

--- drivers/nvme/host/rdma.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) --- a/drivers/nvme/host/rdma.c +++ b/drivers/nvme/host/rdma.c @@ -796,7 +796,7 @@ static int nvme_rdma_configure_admin_que if (error) { dev_err(ctrl->ctrl.device, "prop_get NVME_REG_CAP failed\n"); - goto out_cleanup_queue; + goto out_stop_queue; } ctrl->ctrl.sqsize = @@ -804,23 +804,25 @@ static int nvme_rdma_configure_admin_que error = nvme_enable_ctrl(&ctrl->ctrl, ctrl->ctrl.cap); if (error) - goto out_cleanup_queue; + goto out_stop_queue; ctrl->ctrl.max_hw_sectors = (ctrl->max_fr_pages - 1) << (ilog2(SZ_4K) - 9); error = nvme_init_identify(&ctrl->ctrl); if (error) - goto out_cleanup_queue; + goto out_stop_queue; error = nvme_rdma_alloc_qe(ctrl->queues[0].device->dev, &ctrl->async_event_sqe, sizeof(struct nvme_command), DMA_TO_DEVICE); if (error) - goto out_cleanup_queue; + goto out_stop_queue; return 0; +out_stop_queue: + nvme_rdma_stop_queue(&ctrl->queues[0]); out_cleanup_queue: if (new) blk_cleanup_queue(ctrl->ctrl.admin_q);
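
Review bot: In the first hunk (@@ -796), the call to nvme_rdma_start_queue sits outside the visible context, so the patch alone does not show that the "prop_get NVME_REG_CAP failed" check is the first failure point after the queue goes live. The commit message promises that every failure after nvme_rdma_start_queue is covered; please confirm against the full function in the 4.14 tree that no earlier error path between the start call and this check still does "goto out_cleanup_queue", since that path would free the admin queue with NVME_RDMA_Q_LIVE set and leave the reported use-after-free reachable.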
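
Review bot: In the second hunk (@@ -804), the new "out_stop_queue:" label gets its stop-before-free ordering only by falling through into "out_cleanup_queue:", and nothing at the label says so. A one-line comment there, stating that the queue has to be stopped before the teardown below because it was already started, would make the dependency explicit and make it harder for a later change to add a "goto out_cleanup_queue" after the start call and reintroduce the bug. It is also worth stating in the changelog that nvme_rdma_stop_queue is safe on each of the four converted paths, because the hunk only shows it being called on queues[0] and not what state it expects.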