From: Jens Axboe <axboe@kernel.dk>
To: "Matias Bjørling" <mb@lightnvm.io>
Cc: Rakesh Pandit <rakesh@tuxera.com>, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] ligtnvm: fix double blk_put_queue on same queue
Date: Thu, 20 Apr 2017 08:09:24 -0600 [thread overview]
Message-ID: <20170420140922.GA13019@kernel.dk> (raw)
In-Reply-To: <520b34ab-6fa9-6c85-1f45-28c1b71fef30@lightnvm.io>
On Thu, Apr 20 2017, Matias Bjørling wrote:
> On 04/19/2017 11:47 PM, Rakesh Pandit wrote:
> >On an error path in NVM_DEV_CREATE ioctl blk_put_queue is being called
> >twice: one via blk_cleanup_queue and another via put_disk. Straight fix
> >seems to remove queue pointer so that disk_release never ends up calling
> >blk_put_queue again.
> >
> > [ 391.808827] WARNING: CPU: 1 PID: 1250 at lib/refcount.c:128 refcount_sub_and_test+0x70/0x80
> > [ 391.808830] refcount_t: underflow; use-after-free.
> > [ 391.808832] Modules linked in: nf_conntrack_netbios_ns............
> > [ 391.809052] CPU: 1 PID: 1250 Comm: nvme Not tainted.........
> > [ 391.809057] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> > BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
> > [ 391.809060] Call Trace:
> > [ 391.809079] dump_stack+0x63/0x86
> > [ 391.809094] __warn+0xcb/0xf0
> > [ 391.809103] warn_slowpath_fmt+0x5f/0x80
> > [ 391.809118] refcount_sub_and_test+0x70/0x80
> > [ 391.809125] refcount_dec_and_test+0x11/0x20
> > [ 391.809136] kobject_put+0x1f/0x60
> > [ 391.809149] blk_put_queue+0x15/0x20
> > [ 391.809159] disk_release+0xae/0xf0
> > [ 391.809172] device_release+0x32/0x90
> > [ 391.809184] kobject_release+0x6a/0x170
> > [ 391.809196] kobject_put+0x2f/0x60
> > [ 391.809206] put_disk+0x17/0x20
> > [ 391.809219] nvm_ioctl_dev_create.isra.16+0x897/0xa30
> > [ 391.809236] nvm_ctl_ioctl+0x23c/0x4c0
> > [ 391.809248] do_vfs_ioctl+0xa3/0x5f0
> > [ 391.809258] SyS_ioctl+0x79/0x90
> > [ 391.809271] entry_SYSCALL_64_fastpath+0x1a/0xa9
> > [ 391.809280] RIP: 0033:0x7f5d3ef363c7
> > [ 391.809286] RSP: 002b:00007ffc72ed8d78 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
> > [ 391.809296] RAX: ffffffffffffffda RBX: 00007ffc72edb552 RCX: 00007f5d3ef363c7
> > [ 391.809301] RDX: 00007ffc72ed8d90 RSI: 0000000040804c22 RDI: 0000000000000003
> > [ 391.809306] RBP: 0000000000000001 R08: 0000000000000020 R09: 0000000000000001
> > [ 391.809311] R10: 000000000000053f R11: 0000000000000206 R12: 0000000000000000
> > [ 391.809316] R13: 0000000000000000 R14: 00007ffc72edb58d R15: 00007ffc72edb581
> >
> >Signed-off-by: Rakesh Pandit <rakesh@tuxera.com>
> >---
> > drivers/lightnvm/core.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> >diff --git a/drivers/lightnvm/core.c b/drivers/lightnvm/core.c
> >index 2c26af3..5d7aa45 100644
> >--- a/drivers/lightnvm/core.c
> >+++ b/drivers/lightnvm/core.c
> >@@ -309,6 +309,7 @@ static int nvm_create_tgt(struct nvm_dev *dev, struct nvm_ioctl_create *create)
> > tt->exit(targetdata);
> > err_init:
> > blk_cleanup_queue(tqueue);
> >+ tdisk->queue = NULL;
> > err_disk:
> > put_disk(tdisk);
> > err_dev:
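Review bot: the one-line fix in the err_init path is correct but silent about why it is needed; a short comment above `tdisk->queue = NULL;` (for example `/* disk_release() would blk_put_queue() again */`) would keep a later cleanup from "simplifying" it away, since the only reason the NULL store matters is that `put_disk(tdisk)` on the next label drops the queue reference a second time after `blk_cleanup_queue(tqueue)` already has. The trace in the commit message (`disk_release+0xae` -> `blk_put_queue+0x15` -> `refcount_dec_and_test`, reported as a refcount_t underflow, i.e. a use-after-free condition) is exactly that second drop, so the comment can point at it. Independently of the hunk, the commit message should carry a `Fixes:` tag naming the commit that introduced the double put, as Jens asks below, so stable can pick it up.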
> >
>
> Thanks Rakesh. Jens, is this too late for -rc1? :)
>
> Reviewed-by: Matias Bjørling <matias@cnexlabs.com>
No, there's time. Is this missing a Fixes: line, if it's fixing a commit
that went in for the 4.12 merge window?
--
Jens Axboe
Thread overview:
2017-04-19 21:47 [PATCH] ligtnvm: fix double blk_put_queue on same queue Rakesh Pandit
2017-04-20 13:46 ` Matias Bjørling
2017-04-20 14:09 ` Jens Axboe [this message]
2017-04-20 14:13 ` Matias Bjørling
2017-04-20 14:18 ` Jens Axboe