    nvme-multipath: fix bogus request queue reference put · c3124466
    Sagi Grimberg authored
    The mpath disk node takes a reference on the request mpath
    request queue when adding live path to the mpath gendisk.
    However if we connected to an inaccessible path device_add_disk
    is not called, so if we disconnect and remove the mpath gendisk
    we end up putting a reference on the request queue that was
    never taken [1].
    
    Fix that to check if we ever added a live path (using
    NVME_NS_HEAD_HAS_DISK flag) and if not, clear the disk->queue
    reference.
    
    [1]:
    ------------[ cut here ]------------
    refcount_t: underflow; use-after-free.
    WARNING: CPU: 1 PID: 1372 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0
    CPU: 1 PID: 1372 Comm: nvme Tainted: G           O      5.7.0-rc2+ #3
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1 04/01/2014
    RIP: 0010:refcount_warn_saturate+0xa6/0xf0
    RSP: 0018:ffffb29e8053bdc0 EFLAGS: 00010282
    RAX: 0000000000000000 RBX: ffff8b7a2f4fc060 RCX: 0000000000000007
    RDX: 0000000000000007 RSI: 0000000000000092 RDI: ffff8b7a3ec99980
    RBP: ffff8b7a2f4fc000 R08: 00000000000002e1 R09: 0000000000000004
    R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
    R13: fffffffffffffff2 R14: ffffb29e8053bf08 R15: ffff8b7a320e2da0
    FS:  00007f135d4ca800(0000) GS:ffff8b7a3ec80000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00005651178c0c30 CR3: 000000003b650005 CR4: 0000000000360ee0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     disk_release+0xa2/0xc0
     device_release+0x28/0x80
     kobject_put+0xa5/0x1b0
     nvme_put_ns_head+0x26/0x70 [nvme_core]
     nvme_put_ns+0x30/0x60 [nvme_core]
     nvme_remove_namespaces+0x9b/0xe0 [nvme_core]
     nvme_do_delete_ctrl+0x43/0x5c [nvme_core]
     nvme_sysfs_delete.cold+0x8/0xd [nvme_core]
     kernfs_fop_write+0xc1/0x1a0
     vfs_write+0xb6/0x1a0
     ksys_write+0x5f/0xe0
     do_syscall_64+0x52/0x1a0
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    Reported-by: Anton Eidelman <anton@lightbitslabs.com>
    Tested-by: Anton Eidelman <anton@lightbitslabs.com>
    Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
    Signed-off-by: Christoph Hellwig <hch@lst.de>
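
The reference imbalance described in the commit message above, as an added userspace C model; it is not code from the commit or the kernel tree. Apart from `NVME_NS_HEAD_HAS_DISK` and `disk->queue`, every name is hypothetical, and the order of the two puts at teardown is a simplifying assumption.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model. Only NVME_NS_HEAD_HAS_DISK and disk->queue are named in the
 * commit message; every struct and function name below is hypothetical. */
#define NVME_NS_HEAD_HAS_DISK 0x1u

struct queue { int refs; bool underflow; };
struct disk  { struct queue *queue; };
struct head  { struct disk disk; unsigned int flags; };

static void queue_put(struct queue *q)
{
    if (q->refs == 0)
        q->underflow = true;   /* the kernel's refcount_t warns here */
    else
        q->refs--;
}

/* Adding the disk node happens only for a live path, and it is the step
 * that takes the disk's reference on the queue. */
static void path_added(struct head *h, bool live)
{
    if (!live || (h->flags & NVME_NS_HEAD_HAS_DISK))
        return;
    h->disk.queue->refs++;
    h->flags |= NVME_NS_HEAD_HAS_DISK;
}

/* Teardown (assumed order): the owner drops its reference, then the disk
 * release drops the disk's reference whenever disk->queue is still set. */
static void head_remove(struct head *h, struct queue *q, bool fixed)
{
    if (fixed && !(h->flags & NVME_NS_HEAD_HAS_DISK))
        h->disk.queue = NULL;  /* never added: nothing for release to put */
    queue_put(q);
    if (h->disk.queue)
        queue_put(h->disk.queue);
}

/* Returns true if teardown put a reference that was never taken. */
bool teardown_underflows(bool live_path, bool fixed)
{
    struct queue q = { .refs = 1, .underflow = false };  /* owner's reference */
    struct head h = { .disk = { .queue = &q }, .flags = 0 };
    path_added(&h, live_path);
    head_remove(&h, &q, fixed);
    return q.underflow;
}
```

Only the inaccessible-path case without the flag check underflows; a head that did add a live path is balanced either way.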
multipath.c 19.1 KB