Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp966384ybt; Fri, 19 Jun 2020 19:54:33 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwFlSB5EPqyOJLnNSRCHUGmhgXQROUY0qpXvP/WHG0X2r2xfg/Q9HGSRrQ4uCp96Z3t7fQ5 X-Received: by 2002:a17:906:4b54:: with SMTP id j20mr1653202ejv.259.1592621672968; Fri, 19 Jun 2020 19:54:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1592621672; cv=none; d=google.com; s=arc-20160816; b=UGlvMf+L2rbeGDZvKpFkI+7GaaBwmx9n7MwyjFSC093kWyTw50SniJqABnUyOVzutw oQ8O39+aLjHaUz/Ipmm2o7q+5IcApvBKWuWkhw4EVdZj47OFASVfyxPCcUGHCbor9OHo fFdY2SosBqiNhJk0HoCxPHm+/ZIAP4vV3OUiNQMtc8CuE9eJ6zIV+qPeXWVTmj2uZOLH vfSDxW1moWDhY/GjbKGhsQO8NLT3RPwGSJfrJB7SRcDfIaQxtCEVJlFMzUS0ZCl9Jad5 u7usyW5Nuhd7WY9KMOEGINhzvSL7mofL1NfnktRFq4UNEhbMFVy4YAEF9m5JW0tORDb9 dpKg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=++rosuZ+w9vPCs3y4eFY8mJKA3A8P1bnb3FfiHMpt7k=; b=gKfhINBl9Z4AlIreA0wLSOkWgwrI6QbQmG5bP8LBxA6dXEr4T0MteL+Syw46ypBDut 9icyWXpWVLXCVZaLsUEljmKGLwY0S+vGdtEfrsUsMiVbfFAlVoozzf5MEXQa/vqGAVmN pU8OrImsQFdOoIMTj4PaFiiZmZUWyqgNghyUfstfwKoQJa5YtebWwtlz6/dXeKVjNvGB zJD3cTQoffPhfvtxUiGcMDAZZFjHr7hLBKPtQPB4Fo4y0X8G2agBjkFj5EsJcBfmsv1R dopgeuX5K2kLtNZdcdHaId2Dq13IGNRE/SfFWECzt6Fj7doRgZmGw0SGnxq7HekL2jO2 8vEw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=TzUASzFm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r11si5144383ejy.328.2020.06.19.19.54.10; Fri, 19 Jun 2020 19:54:32 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=TzUASzFm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2405290AbgFSPrX (ORCPT + 99 others); Fri, 19 Jun 2020 11:47:23 -0400 Received: from mail.kernel.org ([198.145.29.99]:57884 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2404287AbgFSP0I (ORCPT ); Fri, 19 Jun 2020 11:26:08 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 0A0AB20B80; Fri, 19 Jun 2020 15:26:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1592580367; bh=rkbbiQCs8BHaHAQU5zfRpAxLE0KUC9UftSsS8I2Mpe0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=TzUASzFmeJ+KNtRf1uHBWJb3bWOYAj/TeyFdxmiH01pPc0Syuq6DLTQ/g49bAXPVA dQXcTdu+1jms+Qlur0SVEBQFISe6mmXp3x6WOLfsJ7+1dCNU6ZEKJn5aCoSbR6tv24 2NeD+/Weid997/5xaVnu1OocKd5fMqPC2PzwtrJ4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, David Milburn , Sagi Grimberg , Christoph Hellwig , Sasha Levin Subject: [PATCH 5.7 223/376] nvmet: fix memory leak when removing namespaces and controllers concurrently Date: Fri, 19 Jun 2020 16:32:21 +0200 Message-Id: <20200619141720.879639115@linuxfoundation.org> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200619141710.350494719@linuxfoundation.org> References: <20200619141710.350494719@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Sagi Grimberg [ Upstream commit 64f5e9cdd711b030b05062c17b2ecfbce890cf4c ] When removing a namespace, we add an NS_CHANGE async event, however if the controller admin queue is removed after the event was added but not yet processed, we won't free the aens, resulting in the below memory leak [1]. Fix that by moving nvmet_async_event_free to the final controller release after it is detached from subsys->ctrls ensuring no async events are added, and modify it to simply remove all pending aens. -- $ cat /sys/kernel/debug/kmemleak unreferenced object 0xffff888c1af2c000 (size 32): comm "nvmetcli", pid 5164, jiffies 4295220864 (age 6829.924s) hex dump (first 32 bytes): 28 01 82 3b 8b 88 ff ff 28 01 82 3b 8b 88 ff ff (..;....(..;.... 02 00 04 65 76 65 6e 74 5f 66 69 6c 65 00 00 00 ...event_file... backtrace: [<00000000217ae580>] nvmet_add_async_event+0x57/0x290 [nvmet] [<0000000012aa2ea9>] nvmet_ns_changed+0x206/0x300 [nvmet] [<00000000bb3fd52e>] nvmet_ns_disable+0x367/0x4f0 [nvmet] [<00000000e91ca9ec>] nvmet_ns_free+0x15/0x180 [nvmet] [<00000000a15deb52>] config_item_release+0xf1/0x1c0 [<000000007e148432>] configfs_rmdir+0x555/0x7c0 [<00000000f4506ea6>] vfs_rmdir+0x142/0x3c0 [<0000000000acaaf0>] do_rmdir+0x2b2/0x340 [<0000000034d1aa52>] do_syscall_64+0xa5/0x4d0 [<00000000211f13bc>] entry_SYSCALL_64_after_hwframe+0x6a/0xdf Fixes: a07b4970f464 ("nvmet: add a generic NVMe target") Reported-by: David Milburn Signed-off-by: Sagi Grimberg Tested-by: David Milburn Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin --- drivers/nvme/target/core.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c index b685f99d56a1..aa5ca222c6f5 100644 --- a/drivers/nvme/target/core.c +++ b/drivers/nvme/target/core.c @@ -157,14 +157,12 @@ static void nvmet_async_events_process(struct nvmet_ctrl *ctrl, u16 status) static void nvmet_async_events_free(struct nvmet_ctrl *ctrl) { - struct nvmet_req *req; + struct nvmet_async_event *aen, *tmp; mutex_lock(&ctrl->lock); - while (ctrl->nr_async_event_cmds) { - req = ctrl->async_event_cmds[--ctrl->nr_async_event_cmds]; - mutex_unlock(&ctrl->lock); - nvmet_req_complete(req, NVME_SC_INTERNAL | NVME_SC_DNR); - mutex_lock(&ctrl->lock); + list_for_each_entry_safe(aen, tmp, &ctrl->async_events, entry) { + list_del(&aen->entry); + kfree(aen); } mutex_unlock(&ctrl->lock); } @@ -764,10 +762,8 @@ void nvmet_sq_destroy(struct nvmet_sq *sq) * If this is the admin queue, complete all AERs so that our * queue doesn't have outstanding requests on it. */ - if (ctrl && ctrl->sqs && ctrl->sqs[0] == sq) { + if (ctrl && ctrl->sqs && ctrl->sqs[0] == sq) nvmet_async_events_process(ctrl, status); - nvmet_async_events_free(ctrl); - } percpu_ref_kill_and_confirm(&sq->ref, nvmet_confirm_sq); wait_for_completion(&sq->confirm_done); wait_for_completion(&sq->free_done); @@ -1357,6 +1353,7 @@ static void nvmet_ctrl_free(struct kref *ref) ida_simple_remove(&cntlid_ida, ctrl->cntlid); + nvmet_async_events_free(ctrl); kfree(ctrl->sqs); kfree(ctrl->cqs); kfree(ctrl->changed_ns_list); -- 2.25.1