From patchwork Wed Mar 29 11:17:54 2017
X-Patchwork-Submitter: Johannes Thumshirn
X-Patchwork-Id: 9651349
Date: Wed, 29 Mar 2017 13:17:54 +0200
From: Johannes Thumshirn
To: Junichi Nomura
Cc: linux-scsi, "dick.kennedy@broadcom.com", "james.smart@broadcom.com", "anton@samba.org", "martin.petersen@oracle.com"
Subject: Re: [REGRESSION] v4.11-rc3: lpfc: panic during module removal / shutdown
Message-ID: <20170329111754.GA9183@linux-x5ow.site>
In-Reply-To: <99ad422f-8233-ddac-2e69-deda4a43b3d7@ce.jp.nec.com>

On Wed, Mar 29, 2017 at 02:29:45AM +0000, Junichi Nomura wrote:
> Since commit 895427bd012c ("scsi: lpfc: NVME Initiator: Base modifications"),
> "rmmod lpfc" starting to cause panic or corruption due to double free.
>
> The double-free occurs as followings:
> - During initialization, lpfc_create_wq_cq() binds cq and wq to
>   the same ring in the way that both cq->pring and wq->pring point
>   to the same object.
> - Upon removal, lpfc_sli4_queue_destroy() ends up calling
>   lpfc_sli4_queue_free() for both wqs and cqs
>   and kfree(queue->pring) is done twice.
>
> The problem became more visible in v4.11-rc3 because commit 85e8a23936ab
> ("scsi: lpfc: Add shutdown method for kexec") made lpfc_pci_remove_one()
> called during driver shutdown.

Well the obvious band-aid would be setting the pointers to NULL after
freeing them. lpfc_sli4_queue_free() checks for queue's presence and
doesn't use queue->pring prior to freeing it, so the following _should_
do the trick:

From befa936d8935a1bed01df65b376f515fa42c99da Mon Sep 17 00:00:00 2001
From: Johannes Thumshirn
Date: Wed, 29 Mar 2017 13:08:55 +0200
Subject: [PATCH] lpfc: prevent double free of lpfc queue ring pointer

Since commit 895427bd012c ("scsi: lpfc: NVME Initiator: Base modifications")
removing the lpfc module causes a double free in lpfc_sli4_queue_free().
This can be prevented by setting the queue->pring and queue pointers to
NULL, so kfree() will simply ignore the pointers on a second call.

Reported-by: Junichi Nomura
Fixes: 895427bd012c ("scsi: lpfc: NVME Initiator: Base modifications")
Signed-off-by: Johannes Thumshirn
---
 drivers/scsi/lpfc/lpfc_sli.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index 1c9fa45..86e1529 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -13759,7 +13759,9 @@ lpfc_sli4_queue_free(struct lpfc_queue *queue)
 		kfree(queue->rqbp);
 	}
 	kfree(queue->pring);
+	queue->pring = NULL;
 	kfree(queue);
+	queue = NULL;
 	return;
 }
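Review bot: The two added assignments do not close the double free described in the report. `queue = NULL;` after `kfree(queue);` only clears the function's local copy of the parameter; the caller's pointer is untouched, so it neither prevents a second kfree(queue) from the caller nor does anything else, and should be dropped. `queue->pring = NULL;` only clears the pring field of the queue object that is being freed on this call, but the report states that cq->pring and wq->pring are two fields in two different queue objects pointing at the same ring: after the wq (or cq) is freed here, the other object's pring still points at the freed ring, and lpfc_sli4_queue_destroy() will call kfree(queue->pring) through it on the next lpfc_sli4_queue_free() call. The commit message's claim that "kfree() will simply ignore the pointers on a second call" therefore only holds for the pointer that was actually set to NULL, not for the shared ring. The fix needs to free the ring through exactly one of the two queues (or stop lpfc_create_wq_cq() from storing the same ring in both) rather than NULL a local. Minor: the trailing `return;` at the end of a void function is redundant, though it predates this patch.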