Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp108210ybg; Mon, 8 Jun 2020 17:49:36 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxOwNDswGNfiph7Oau2XSds8x18KPqaHykwdbres8sN/wGl/0q3Ct08icxGbHO5KyZroRSd X-Received: by 2002:a17:906:6dcd:: with SMTP id j13mr20525872ejt.131.1591663775890; Mon, 08 Jun 2020 17:49:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1591663775; cv=none; d=google.com; s=arc-20160816; b=DcvWZfcJXFAPEPmDwU9/8YcXz7W0rx2x4J1xwDusQp8R671P6PKj2Bx/jkik+PG5D1 6Ig7Rhfx6l8gqAMU0dxHlkeZF++rpVR3pOOIxhGLjBAeayDw6E4B2h8Y/9oYxO4hNJcd xBUV9eTi4P6h6wbtWDpxyhZFUejYZIYpZcR0TDPiury6+5Dt5I66ujSFIl0YTiP63Gwa tj8BegFp6bEFbS6FJU2Gwce4hx9RNxhdCMFvMv/h3g9VtJdarWeUj/j51iJG8JCOROXJ T9W24V1q43SaEbBZDWj9hQ2cBJjpckOdZVM63g/C0P216PSMidkV4nyWTwaBBmLDxMUc KDUw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=++rosuZ+w9vPCs3y4eFY8mJKA3A8P1bnb3FfiHMpt7k=; b=GQO4DEQisgor2MMeBP6OQuKz/QcxCvK5llle/6GxrWsv9cQIp702PuDeg3UGJFbXvj owOtM69ZYL9aYu7I2gRWDe3WjsqlWM6xU6sGr4E1vCZ6x3weEnbP72vr5ln1mhKwFcSn whZrNA0wTP9nHQ/zPQFvQEIZL/zNksgze5p6XUSMUhAkGoBSFFV/xbizTdEqvgcFWJ/u 0frT99byVyKEqdwD0BPrBsqyx7PizyaGV5mWWsB725oNgzcgbsC6hCMzVrEvSva1je0D WQuGE7SsjEMW6PSuszYoe4VBZPrKV8FlQpK0l0CxHYMvpN5cR/Hqq2U7CKpXO8v38aqM 9EMQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=efOhbxNz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id jp20si10067282ejb.307.2020.06.08.17.49.12; Mon, 08 Jun 2020 17:49:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=efOhbxNz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387491AbgFIArW (ORCPT + 99 others); Mon, 8 Jun 2020 20:47:22 -0400 Received: from mail.kernel.org ([198.145.29.99]:58104 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728041AbgFHXLV (ORCPT ); Mon, 8 Jun 2020 19:11:21 -0400 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id CEAD920890; Mon, 8 Jun 2020 23:11:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591657880; bh=rkbbiQCs8BHaHAQU5zfRpAxLE0KUC9UftSsS8I2Mpe0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=efOhbxNz2KTF7Q2wV3/g9wSdumlDXPJOtY81+KL+jko7+nhjymMvUNzkFKM0tUIFU op1y1bgDJkIwEwZ2331oChz3VhGYSS50IUYVZTkPy1JG04DfPQ1G/lqBQ5b6PTlSob Mv+3CYnKLMWtvSBvigQjwSZOjIUbMibXmx8IBdPE= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Sagi Grimberg , David Milburn , Christoph Hellwig , Sasha Levin , linux-nvme@lists.infradead.org Subject: [PATCH AUTOSEL 5.7 237/274] nvmet: fix memory leak when removing namespaces and controllers concurrently Date: Mon, 8 Jun 2020 19:05:30 -0400 Message-Id: <20200608230607.3361041-237-sashal@kernel.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200608230607.3361041-1-sashal@kernel.org> References: <20200608230607.3361041-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Sagi Grimberg [ Upstream commit 64f5e9cdd711b030b05062c17b2ecfbce890cf4c ] When removing a namespace, we add an NS_CHANGE async event, however if the controller admin queue is removed after the event was added but not yet processed, we won't free the aens, resulting in the below memory leak [1]. Fix that by moving nvmet_async_event_free to the final controller release after it is detached from subsys->ctrls ensuring no async events are added, and modify it to simply remove all pending aens. -- $ cat /sys/kernel/debug/kmemleak unreferenced object 0xffff888c1af2c000 (size 32): comm "nvmetcli", pid 5164, jiffies 4295220864 (age 6829.924s) hex dump (first 32 bytes): 28 01 82 3b 8b 88 ff ff 28 01 82 3b 8b 88 ff ff (..;....(..;.... 02 00 04 65 76 65 6e 74 5f 66 69 6c 65 00 00 00 ...event_file... backtrace: [<00000000217ae580>] nvmet_add_async_event+0x57/0x290 [nvmet] [<0000000012aa2ea9>] nvmet_ns_changed+0x206/0x300 [nvmet] [<00000000bb3fd52e>] nvmet_ns_disable+0x367/0x4f0 [nvmet] [<00000000e91ca9ec>] nvmet_ns_free+0x15/0x180 [nvmet] [<00000000a15deb52>] config_item_release+0xf1/0x1c0 [<000000007e148432>] configfs_rmdir+0x555/0x7c0 [<00000000f4506ea6>] vfs_rmdir+0x142/0x3c0 [<0000000000acaaf0>] do_rmdir+0x2b2/0x340 [<0000000034d1aa52>] do_syscall_64+0xa5/0x4d0 [<00000000211f13bc>] entry_SYSCALL_64_after_hwframe+0x6a/0xdf Fixes: a07b4970f464 ("nvmet: add a generic NVMe target") Reported-by: David Milburn Signed-off-by: Sagi Grimberg Tested-by: David Milburn Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin --- drivers/nvme/target/core.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c index b685f99d56a1..aa5ca222c6f5 100644 --- a/drivers/nvme/target/core.c +++ b/drivers/nvme/target/core.c @@ -157,14 +157,12 @@ static void nvmet_async_events_process(struct nvmet_ctrl *ctrl, u16 status) static void nvmet_async_events_free(struct nvmet_ctrl *ctrl) { - struct nvmet_req *req; + struct nvmet_async_event *aen, *tmp; mutex_lock(&ctrl->lock); - while (ctrl->nr_async_event_cmds) { - req = ctrl->async_event_cmds[--ctrl->nr_async_event_cmds]; - mutex_unlock(&ctrl->lock); - nvmet_req_complete(req, NVME_SC_INTERNAL | NVME_SC_DNR); - mutex_lock(&ctrl->lock); + list_for_each_entry_safe(aen, tmp, &ctrl->async_events, entry) { + list_del(&aen->entry); + kfree(aen); } mutex_unlock(&ctrl->lock); } @@ -764,10 +762,8 @@ void nvmet_sq_destroy(struct nvmet_sq *sq) * If this is the admin queue, complete all AERs so that our * queue doesn't have outstanding requests on it. */ - if (ctrl && ctrl->sqs && ctrl->sqs[0] == sq) { + if (ctrl && ctrl->sqs && ctrl->sqs[0] == sq) nvmet_async_events_process(ctrl, status); - nvmet_async_events_free(ctrl); - } percpu_ref_kill_and_confirm(&sq->ref, nvmet_confirm_sq); wait_for_completion(&sq->confirm_done); wait_for_completion(&sq->free_done); @@ -1357,6 +1353,7 @@ static void nvmet_ctrl_free(struct kref *ref) ida_simple_remove(&cntlid_ida, ctrl->cntlid); + nvmet_async_events_free(ctrl); kfree(ctrl->sqs); kfree(ctrl->cqs); kfree(ctrl->changed_ns_list); -- 2.25.1