Subject: Re: paride/pf.c: blk-mq use-after-free (kernel v5.0)
To: Jens Axboe, linux-block
Cc: LKML, Tim Waugh, linux-parport@lists.infradead.org
References: <30c63b2d-92d2-51be-40f0-62cada110388@infradead.org> <7d24a06f-f219-e50a-e8f8-915a6cc1b796@infradead.org> <59cb035e-6880-de5a-33c5-d4db6ed910f4@kernel.dk> <4a2adc33-ef38-6a5f-65ee-8fcfaa0948a9@infradead.org> <55743981-da8f-3211-0650-b143c8fec084@infradead.org> <23f48266-0d12-1891-1373-711b63f4f589@kernel.dk>
From: Randy Dunlap
Message-ID: <21e5a575-8f28-5a14-3916-ab41b4d37734@infradead.org>
Date: Sat, 16 Mar 2019 16:48:37 -0700
In-Reply-To: <23f48266-0d12-1891-1373-711b63f4f589@kernel.dk>
X-Mailing-List: linux-kernel@vger.kernel.org

On 3/16/19 12:31 PM, Jens Axboe wrote:
> On 3/15/19 6:32 PM, Randy Dunlap wrote:
>> On 3/15/19 9:33 AM, Jens Axboe wrote:
>>> On 3/14/19 5:49 PM, Randy Dunlap wrote:
>>>> On 3/14/19 4:43 PM, Jens Axboe wrote:
>>>>> On 3/13/19 5:09 PM, Randy Dunlap wrote:
>>>>>> On 3/11/19 6:34 PM, Randy Dunlap wrote:
>>>>>>> On 3/11/19 6:25 PM, Randy Dunlap wrote:
>>>>>>>> [Has this already been addressed/fixed?]
>>>>>>>
>>>>>>> Same bug occurs with paride/pcd.c driver.
>>>>>>
>>>>>> This still happens (in blk-mq) in v5.0-11053-gebc551f2b8f9 of Mar. 12, 2019,
>>>>>> around 4pm PT. [caused by paride: pf.c and pcd.c]
>>>>>
>>>>> I'll take a look at this, been busy with other stuff. How are you
>>>>> reproducing this? I'm assuming you don't actually have any hardware :-)
>>>>
>>>> Right. I just load the module (pf or pcd), unload it, and
>>>> then load it again.
>>>
>>> Does this work?
>>>
>>
>> No. Just loading the pf module gives this:
>
> Missing clear of the queue. This one should be more complete.
>
> To be fair, this was utterly broken since forever. It's just now apparent
> since we complain about it. But pf/pcd was one big leak fest.
>

OK, this one works for both pf and pcd.
By "works" I mean that the driver init function runs and exits
without causing a BUG or GP fault etc. Not that I have any such hardware.

Tested-by: Randy Dunlap

Thanks.

>
> diff --git a/drivers/block/paride/pcd.c b/drivers/block/paride/pcd.c > index 96670eefaeb2..377a694dc228 100644
> --- a/drivers/block/paride/pcd.c > +++ b/drivers/block/paride/pcd.c > @@ -749,8 +749,12 @@ static int pcd_detect(void) > return 0; > > printk("%s: No CD-ROM drive found\n", name); > - for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++) > + for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++) { > + blk_cleanup_queue(cd->disk->queue); > + cd->disk->queue = NULL; > + blk_mq_free_tag_set(&cd->tag_set); > put_disk(cd->disk); > + } > pi_unregister_driver(par_drv); > return -1; > } > diff --git a/drivers/block/paride/pf.c b/drivers/block/paride/pf.c > index e92e7a8eeeb2..103b617cdc31 100644 > --- a/drivers/block/paride/pf.c > +++ b/drivers/block/paride/pf.c > @@ -761,8 +761,12 @@ static int pf_detect(void) > return 0; > > printk("%s: No ATAPI disk detected\n", name); > - for (pf = units, unit = 0; unit < PF_UNITS; pf++, unit++) > + for (pf = units, unit = 0; unit < PF_UNITS; pf++, unit++) { > + blk_cleanup_queue(pf->disk->queue); > + pf->disk->queue = NULL; > + blk_mq_free_tag_set(&pf->tag_set); > put_disk(pf->disk); > + } > pi_unregister_driver(par_drv); > return -1; > } > @@ -1047,13 +1051,15 @@ static void __exit pf_exit(void) > int unit; > unregister_blkdev(major, name); > for (pf = units, unit = 0; unit < PF_UNITS; pf++, unit++) { > - if (!pf->present) > - continue; > - del_gendisk(pf->disk); > + if (pf->present) > + del_gendisk(pf->disk); > + > blk_cleanup_queue(pf->disk->queue); > blk_mq_free_tag_set(&pf->tag_set); > put_disk(pf->disk); > - pi_release(pf->pi); > + > + if (pf->present) > + pi_release(pf->pi); > } > } > > -- ~Randy
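Review bot: In the pcd_detect() failure loop, `blk_cleanup_queue(cd->disk->queue);` dereferences cd->disk for every one of the PCD_UNITS slots with no NULL check. If unit setup can leave cd->disk unset for any slot (for example after a failed allocation; the setup code is not visible in this patch), the error path would fault here. Suggest a guard such as `if (!cd->disk) continue;` at the top of the loop body, or a comment stating why disk and queue are always valid at this point.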
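Review bot: The pf_detect() failure loop now carries the same four-call teardown as pcd_detect(), and the reason for `pf->disk->queue = NULL;` ahead of put_disk() is stated only in the mail thread ("Missing clear of the queue"). A one-line comment on that assignment would help, and a small per-unit helper shared with pf_exit() would keep the order (blk_cleanup_queue, clear the queue pointer, blk_mq_free_tag_set, put_disk) from drifting between the paths.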
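Review bot: In pf_exit(), the queue is cleaned up and the disk dropped without the `pf->disk->queue = NULL;` step that this same patch adds to pf_detect() and pcd_detect(); either add it here for consistency or say in the changelog why the exit path does not need it. The diff also changes no exit function in pcd.c, although the thread reports the same bug with pcd, so it is worth confirming that pcd's exit path already tears down units that are not present.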