block: nbd: fix double free

Message ID B95137F4-8B73-47EA-9DB6-BF008F59B2AD@fb.com (mailing list archive)
State New, archived

Commit Message

Josef Bacik April 28, 2017, 1 p.m. UTC
We should have 2 references on the device at this point, did you see a “nbd: possibly leaking a device” message before the kasan stuff?  Thanks,

Josef

On 4/28/17, 12:29 AM, "Ming Lei" <ming.lei@redhat.com> wrote:

Looks like it is a typo, just fix it, otherwise the following
warning can be triggered:

[ming@VM]$sudo rmmod nbd
[sudo] password for ming:
-- 
2.9.3

Comments

Ming Lei April 28, 2017, 3:27 p.m. UTC | #1
On Fri, Apr 28, 2017 at 01:00:30PM +0000, Josef Bacik wrote:
> We should have 2 references on the device at this point, did you see a “nbd: possibly leaking a device” message before the kasan stuff?  Thanks,
> 

There isn't such a message before the kasan warning.

Thanks,
Ming

Josef Bacik April 28, 2017, 3:29 p.m. UTC | #2
Yeah I found and fixed it already, thanks,

Josef

On 4/28/17, 11:27 AM, "Ming Lei" <ming.lei@redhat.com> wrote:

On Fri, Apr 28, 2017 at 01:00:30PM +0000, Josef Bacik wrote:
> We should have 2 references on the device at this point, did you see a “nbd: possibly leaking a device” message before the kasan stuff?  Thanks,
>

There isn't such a message before the kasan warning.

Thanks,
Ming

Patch

==================================================================
BUG: KASAN: use-after-free in nbd_cleanup+0x115/0x18e [nbd] at addr ffff88024ca539b0
Read of size 8 by task rmmod/2079
Object at ffff88024ca53900, in cache kmalloc-256 size: 256
Allocated:
PID = 1414
Freed:
PID = 2079
Memory state around the buggy address:
 ffff88024ca53880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88024ca53900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88024ca53980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff88024ca53a00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff88024ca53a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Fixes: c6a4759ea0c9(nbd: add device refcounting)
Cc: Josef Bacik <jbacik@fb.com>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
---
 drivers/block/nbd.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index 5583dc4ff941..fa44a6fce4cb 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -2110,7 +2110,6 @@  static void __exit nbd_cleanup(void)
 		if (refcount_read(&nbd->refs) != 2)
 			printk(KERN_ERR "nbd: possibly leaking a device\n");
 		nbd_put(nbd);
-		nbd_put(nbd);
 	}
 
 	idr_destroy(&nbd_index_idr);
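
Review bot: the check kept just above the removed line, `if (refcount_read(&nbd->refs) != 2)`, still treats two references as the normal state in nbd_cleanup(), but after this change only one nbd_put() follows it, so on the path where the check passes silently one reference is no longer dropped here. The expected count in the check and the number of puts should be reconciled, and the commit message should state which path already releases the second reference rather than describing the extra put as a typo. The KASAN report shows a read in nbd_cleanup by rmmod on an object freed by the same PID 2079, which confirms the free happens during cleanup but does not identify which of the two puts is the redundant one. A short comment above the remaining nbd_put() naming the reference it drops would make the accounting checkable.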