slab-use-after-free in __ib_process_cq
Bart Van Assche
bvanassche at acm.org
Thu May 4 08:39:40 PDT 2023
On 5/4/23 01:32, Sagi Grimberg wrote:
>
>> Hi,
>>
>> While testing Jens' for-next branch I encountered a use-after-free
>> issue, triggered by test nvmeof-mp/002. This is not the first time I see
>> this issue - I had already observed this several weeks ago but I had not
>> yet had the time to report this.
>
> That is surprising because this area did not change for quite a while now.
>
> CCing linux-rdma as well, I'm assuming that this is with rxe?
> Does this happen with siw as well?
Hi Sagi,
This happened with the siw driver. I haven't tried the rxe driver for a while.
The crash addresses correspond to the following source file and line:
(gdb) list *(__ib_process_cq+0x11c)
0x7f7c is in __ib_process_cq (drivers/infiniband/core/cq.c:110).
105 budget - completed), wcs)) > 0) {
106 for (i = 0; i < n; i++) {
107 struct ib_wc *wc = &wcs[i];
108
109 if (wc->wr_cqe)
110 wc->wr_cqe->done(cq, wc);
111 else
112 WARN_ON_ONCE(wc->status == IB_WC_SUCCESS);
113 }
114
(gdb) list *(nvme_rdma_create_queue_ib+0x1a7)
0x3d47 is in nvme_rdma_create_queue_ib (drivers/nvme/host/rdma.c:219).
214 {
215 struct nvme_rdma_qe *ring;
216 int i;
217
218 ring = kcalloc(ib_queue_size, sizeof(struct nvme_rdma_qe), GFP_KERNEL);
219 if (!ring)
220 return NULL;
221
222 /*
223 * Bind the CQEs (post recv buffers) DMA mapping to the RDMA queue
(gdb) list *(nvme_rdma_destroy_queue_ib+0x1b8)
0x2388 is in nvme_rdma_destroy_queue_ib (drivers/nvme/host/rdma.c:358).
353 kfree(ndev);
354 }
355
356 static void nvme_rdma_dev_put(struct nvme_rdma_device *dev)
357 {
358 kref_put(&dev->ref, nvme_rdma_free_dev);
359 }
360
361 static int nvme_rdma_dev_get(struct nvme_rdma_device *dev)
362 {
Shouldn't ib_drain_qp() be called before nvme_rdma_destroy_queue_ib() destroys the QP?
Thanks,
Bart.
More information about the Linux-nvme
mailing list