From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Anton Eidelman <anton@lightbitslabs.com>,
Sagi Grimberg <sagi@grimberg.me>, Christoph Hellwig <hch@lst.de>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.7 038/112] nvme-multipath: fix bogus request queue reference put
Date: Tue, 7 Jul 2020 17:16:43 +0200 [thread overview]
Message-ID: <20200707145802.805079891@linuxfoundation.org> (raw)
In-Reply-To: <20200707145800.925304888@linuxfoundation.org>
From: Sagi Grimberg <sagi@grimberg.me>
[ Upstream commit c31244669f57963b6ce133a5555b118fc50aec95 ]
The mpath disk node takes a reference on the request mpath
request queue when adding live path to the mpath gendisk.
However if we connected to an inaccessible path device_add_disk
is not called, so if we disconnect and remove the mpath gendisk
we endup putting an reference on the request queue that was
never taken [1].
Fix that to check if we ever added a live path (using
NVME_NS_HEAD_HAS_DISK flag) and if not, clear the disk->queue
reference.
[1]:
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 1372 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0
CPU: 1 PID: 1372 Comm: nvme Tainted: G O 5.7.0-rc2+ #3
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1 04/01/2014
RIP: 0010:refcount_warn_saturate+0xa6/0xf0
RSP: 0018:ffffb29e8053bdc0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8b7a2f4fc060 RCX: 0000000000000007
RDX: 0000000000000007 RSI: 0000000000000092 RDI: ffff8b7a3ec99980
RBP: ffff8b7a2f4fc000 R08: 00000000000002e1 R09: 0000000000000004
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: fffffffffffffff2 R14: ffffb29e8053bf08 R15: ffff8b7a320e2da0
FS: 00007f135d4ca800(0000) GS:ffff8b7a3ec80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005651178c0c30 CR3: 000000003b650005 CR4: 0000000000360ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
disk_release+0xa2/0xc0
device_release+0x28/0x80
kobject_put+0xa5/0x1b0
nvme_put_ns_head+0x26/0x70 [nvme_core]
nvme_put_ns+0x30/0x60 [nvme_core]
nvme_remove_namespaces+0x9b/0xe0 [nvme_core]
nvme_do_delete_ctrl+0x43/0x5c [nvme_core]
nvme_sysfs_delete.cold+0x8/0xd [nvme_core]
kernfs_fop_write+0xc1/0x1a0
vfs_write+0xb6/0x1a0
ksys_write+0x5f/0xe0
do_syscall_64+0x52/0x1a0
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Reported-by: Anton Eidelman <anton@lightbitslabs.com>
Tested-by: Anton Eidelman <anton@lightbitslabs.com>
Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/multipath.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
index d1cb65698288b..03bc3aba09871 100644
--- a/drivers/nvme/host/multipath.c
+++ b/drivers/nvme/host/multipath.c
@@ -691,6 +691,14 @@ void nvme_mpath_remove_disk(struct nvme_ns_head *head)
kblockd_schedule_work(&head->requeue_work);
flush_work(&head->requeue_work);
blk_cleanup_queue(head->disk->queue);
+ if (!test_bit(NVME_NSHEAD_DISK_LIVE, &head->flags)) {
+ /*
+ * if device_add_disk wasn't called, prevent
+ * disk release to put a bogus reference on the
+ * request queue
+ */
+ head->disk->queue = NULL;
+ }
put_disk(head->disk);
}
--
2.25.1
next prev parent reply other threads:[~2020-07-07 15:23 UTC|newest]
Thread overview: 121+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-07 15:16 [PATCH 5.7 000/112] 5.7.8-rc1 review Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 001/112] exfat: Set the unused characters of FileName field to the value 0000h Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 002/112] exfat: add missing brelse() calls on error paths Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 003/112] exfat: call sync_filesystem for read-only remount Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 004/112] exfat: move setting VOL_DIRTY over exfat_remove_entries() Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 005/112] exfat: flush dirty metadata in fsync Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 006/112] btrfs: block-group: refactor how we delete one block group item Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 007/112] btrfs: fix race between block group removal and block group creation Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 008/112] mm: fix swap cache node allocation mask Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 009/112] drm/amd/display: Fix incorrectly pruned modes with deep color Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 010/112] drm/amd/display: Fix ineffective setting of max bpc property Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 011/112] seg6: fix seg6_validate_srh() to avoid slab-out-of-bounds Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 012/112] tipc: add test for Nagle algorithm effectiveness Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 013/112] tipc: fix kernel WARNING in tipc_msg_append() Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 014/112] usbnet: smsc95xx: Fix use-after-free after removal Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 015/112] tipc: Fix NULL pointer dereference in __tipc_sendstream() Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 016/112] drm/i915/gt: Mark timeline->cacheline as destroyed after rcu grace period Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 017/112] drm/amdgpu: disable ras query and iject during gpu reset Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 018/112] drm/amdgpu: fix non-pointer dereference for non-RAS supported Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 019/112] drm/amdgpu: fix kernel page fault issue by ras recovery on sGPU Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 020/112] sched/debug: Make sd->flags sysctl read-only Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 021/112] soc: ti: omap-prm: use atomic iopoll instead of sleeping one Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 022/112] powerpc/kvm/book3s: Add helper to walk partition scoped linux page table Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 023/112] powerpc/book3s64/kvm: Fix secondary page table walk warning during migration Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 024/112] mm/slub.c: fix corrupted freechain in deactivate_slab() Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 025/112] mm/slub: fix stack overruns with SLUB_STATS Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 026/112] mm, dump_page(): do not crash with invalid mapping pointer Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 027/112] io_uring: fix {SQ,IO}POLL with unsupported opcodes Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 028/112] rxrpc: Fix race between incoming ACK parser and retransmitter Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 029/112] usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 030/112] tools lib traceevent: Add append() function helper for appending strings Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 031/112] tools lib traceevent: Handle __attribute__((user)) in field names Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 032/112] s390/debug: avoid kernel warning on too large number of pages Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 033/112] io_uring: fix io_sq_thread no schedule when busy Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 034/112] nvme-multipath: set bdi capabilities once Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 035/112] nvme: fix possible deadlock when I/O is blocked Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 036/112] nvme-multipath: fix deadlock between ana_work and scan_work Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 037/112] nvme-multipath: fix deadlock due to head->lock Greg Kroah-Hartman
2020-07-07 15:16 ` Greg Kroah-Hartman [this message]
2020-07-07 15:16 ` [PATCH 5.7 039/112] io_uring: fix current->mm NULL dereference on exit Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 040/112] kgdb: Avoid suspicious RCU usage warning Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 041/112] Revert "tpm: selftest: cleanup after unseal with wrong auth/policy test" Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 042/112] selftests: tpm: Use /bin/sh instead of /bin/bash Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 043/112] tpm: Fix TIS locality timeout problems Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 044/112] crypto: af_alg - fix use-after-free in af_alg_accept() due to bh_lock_sock() Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 045/112] task_work: teach task_work_add() to do signal_wake_up() Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 046/112] io_uring: use signal based task_work running Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 047/112] drm/msm/dpu: fix error return code in dpu_encoder_init Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 048/112] btrfs: fix RWF_NOWAIT writes blocking on extent locks and waiting for IO Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 049/112] rxrpc: Fix afs large storage transmission performance drop Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 050/112] mptcp: drop MP_JOIN request sock on syn cookies Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 051/112] net: enetc: add hw tc hw offload features for PSPF capability Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 052/112] enetc: Fix HW_VLAN_CTAG_TX|RX toggling Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 053/112] irqchip/gic-v4.1: Use readx_poll_timeout_atomic() to fix sleep in atomic Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 5.7 054/112] RDMA/counter: Query a counter before release Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 055/112] xfs: fix use-after-free on CIL context on shutdown Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 056/112] hsr: remove hsr interface if all slaves are removed Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 057/112] hsr: avoid to create proc file after unregister Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 058/112] cxgb4: use unaligned conversion for fetching timestamp Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 059/112] cxgb4: parse TC-U32 key values and masks natively Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 060/112] cxgb4: fix endian conversions for L4 ports in filters Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 061/112] cxgb4: use correct type for all-mask IP address comparison Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 062/112] cxgb4: fix SGE queue dump destination buffer context Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 063/112] security: Fix hook iteration and default value for inode_copy_up_xattr Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 064/112] hwmon: (max6697) Make sure the OVERT mask is set correctly Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 065/112] hwmon: (acpi_power_meter) Fix potential memory leak in acpi_power_meter_add() Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 066/112] scsi: qla2xxx: Fix a condition in qla2x00_find_all_fabric_devs() Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 067/112] thermal/drivers/mediatek: Fix bank number settings on mt8183 Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 068/112] thermal/drivers/sprd: Fix return value of sprd_thm_probe() Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 069/112] thermal/drivers/rcar_gen3: Fix undefined temperature if negative Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 070/112] kthread: save thread function Greg Kroah-Hartman
2020-07-07 15:32 ` J. Bruce Fields
2020-07-07 15:17 ` [PATCH 5.7 071/112] nfsd: clients dont need to break their own delegations Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 072/112] nfsd4: fix nfsdfs reference count loop Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 073/112] nfsd: fix nfsdfs inode reference count leak Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 074/112] drm: sun4i: hdmi: Remove extra HPD polling Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 075/112] virtio-blk: free vblk-vqs in error path of virtblk_probe() Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 076/112] SMB3: Honor posix flag for multiuser mounts Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 077/112] nvme: fix identify error status silent ignore Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 078/112] nvme: fix a crash in nvme_mpath_add_disk Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 079/112] tpm: ibmvtpm: Wait for ready buffer before probing for TPM2 attributes Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 080/112] samples/vfs: avoid warning in statx override Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 081/112] i2c: algo-pca: Add 0x78 as SCL stuck low status for PCA9665 Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 082/112] i2c: designware: platdrv: Set class based on DMI Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 083/112] i2c: mlxcpld: check correct size of maximum RECV_LEN packet Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 084/112] io_uring: fix regression with always ignoring signals in io_cqring_wait() Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 085/112] spi: spi-fsl-dspi: Fix external abort on interrupt in resume or exit paths Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 086/112] nfsd: apply umask on fs without ACL support Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 087/112] Revert "ALSA: usb-audio: Improve frames size computation" Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 088/112] padata: upgrade smp_mb__after_atomic to smp_mb in padata_do_serial Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 089/112] SMB3: Honor seal flag for multiuser mounts Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 090/112] SMB3: Honor persistent/resilient handle flags " Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 091/112] SMB3: Honor lease disabling " Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 092/112] SMB3: Honor handletimeout flag " Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 093/112] cifs: Fix the target file was deleted when rename failed Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 094/112] Drivers: hv: Change flag to write log level in panic msg to false Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 095/112] hwmon: (pmbus) Fix page vs. register when accessing fans Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 096/112] thermal/drivers/cpufreq_cooling: Fix wrong frequency converted from power Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 097/112] ACPI: fan: Fix Tiger Lake ACPI device ID Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 098/112] gfs2: fix trans slab error when withdraw occurs inside log_flush Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 099/112] x86/split_lock: Dont write MSR_TEST_CTRL on CPUs that arent whitelisted Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 100/112] MIPS: lantiq: xway: sysctrl: fix the GPHY clock alias names Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 101/112] MIPS: Add missing EHB in mtc0 -> mfc0 sequence for DSPen Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 102/112] drm/i915: Include asm sources for {ivb, hsw}_clear_kernel.c Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 103/112] drm/amd/powerplay: Fix NULL dereference in lock_bus() on Vega20 w/o RAS Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 104/112] drm/amd/display: Only revalidate bandwidth on medium and fast updates Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 105/112] drm/amdgpu: use %u rather than %d for sclk/mclk Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 106/112] drm/amdgpu/atomfirmware: fix vram_info fetching for renoir Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 107/112] dma-buf: Move dma_buf_release() from fops to dentry_ops Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 108/112] irqchip/gic: Atomically update affinity Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 109/112] mm/hugetlb.c: fix pages per hugetlb calculation Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 110/112] mm/cma.c: use exact_nid true to fix possible per-numa cma leak Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 111/112] dm zoned: assign max_io_len correctly Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 5.7 112/112] efi: Make it possible to disable efivar_ssdt entirely Greg Kroah-Hartman
2020-07-08 5:08 ` [PATCH 5.7 000/112] 5.7.8-rc1 review Naresh Kamboju
2020-07-08 15:16 ` Greg Kroah-Hartman
2020-07-08 13:05 ` Shuah Khan
2020-07-08 15:28 ` Greg Kroah-Hartman
2020-07-08 15:33 ` Puranjay Mohan
2020-07-08 17:53 ` Guenter Roeck
2020-07-09 9:29 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200707145802.805079891@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=anton@lightbitslabs.com \
--cc=hch@lst.de \
--cc=linux-kernel@vger.kernel.org \
--cc=sagi@grimberg.me \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.