From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>,
Christoph Hellwig <hch@lst.de>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 56/85] nvmet: fix a NULL pointer dereference when tracing the flush command
Date: Mon, 9 Nov 2020 13:55:53 +0100 [thread overview]
Message-ID: <20201109125025.260369693@linuxfoundation.org> (raw)
In-Reply-To: <20201109125022.614792961@linuxfoundation.org>
From: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
[ Upstream commit 3c3751f2daf6675f6b5bee83b792354c272f5bd2 ]
When target side trace in turned on and flush command is issued from the
host it results in the following Oops.
[ 856.789724] BUG: kernel NULL pointer dereference, address: 0000000000000068
[ 856.790686] #PF: supervisor read access in kernel mode
[ 856.791262] #PF: error_code(0x0000) - not-present page
[ 856.791863] PGD 6d7110067 P4D 6d7110067 PUD 66f0ad067 PMD 0
[ 856.792527] Oops: 0000 [#1] SMP NOPTI
[ 856.792950] CPU: 15 PID: 7034 Comm: nvme Tainted: G OE 5.9.0nvme-5.9+ #71
[ 856.793790] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e3214
[ 856.794956] RIP: 0010:trace_event_raw_event_nvmet_req_init+0x13e/0x170 [nvmet]
[ 856.795734] Code: 41 5c 41 5d c3 31 d2 31 f6 e8 4e 9b b8 e0 e9 0e ff ff ff 49 8b 55 00 48 8b 38 8b 0
[ 856.797740] RSP: 0018:ffffc90001be3a60 EFLAGS: 00010246
[ 856.798375] RAX: 0000000000000000 RBX: ffff8887e7d2c01c RCX: 0000000000000000
[ 856.799234] RDX: 0000000000000020 RSI: 0000000057e70ea2 RDI: ffff8887e7d2c034
[ 856.800088] RBP: ffff88869f710578 R08: ffff888807500d40 R09: 00000000fffffffe
[ 856.800951] R10: 0000000064c66670 R11: 00000000ef955201 R12: ffff8887e7d2c034
[ 856.801807] R13: ffff88869f7105c8 R14: 0000000000000040 R15: ffff88869f710440
[ 856.802667] FS: 00007f6a22bd8780(0000) GS:ffff888813a00000(0000) knlGS:0000000000000000
[ 856.803635] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 856.804367] CR2: 0000000000000068 CR3: 00000006d73e0000 CR4: 00000000003506e0
[ 856.805283] Call Trace:
[ 856.805613] nvmet_req_init+0x27c/0x480 [nvmet]
[ 856.806200] nvme_loop_queue_rq+0xcb/0x1d0 [nvme_loop]
[ 856.806862] blk_mq_dispatch_rq_list+0x123/0x7b0
[ 856.807459] ? kvm_sched_clock_read+0x14/0x30
[ 856.808025] __blk_mq_sched_dispatch_requests+0xc7/0x170
[ 856.808708] blk_mq_sched_dispatch_requests+0x30/0x60
[ 856.809372] __blk_mq_run_hw_queue+0x70/0x100
[ 856.809935] __blk_mq_delay_run_hw_queue+0x156/0x170
[ 856.810574] blk_mq_run_hw_queue+0x86/0xe0
[ 856.811104] blk_mq_sched_insert_request+0xef/0x160
[ 856.811733] blk_execute_rq+0x69/0xc0
[ 856.812212] ? blk_mq_rq_ctx_init+0xd0/0x230
[ 856.812784] nvme_execute_passthru_rq+0x57/0x130 [nvme_core]
[ 856.813461] nvme_submit_user_cmd+0xeb/0x300 [nvme_core]
[ 856.814099] nvme_user_cmd.isra.82+0x11e/0x1a0 [nvme_core]
[ 856.814752] blkdev_ioctl+0x1dc/0x2c0
[ 856.815197] block_ioctl+0x3f/0x50
[ 856.815606] __x64_sys_ioctl+0x84/0xc0
[ 856.816074] do_syscall_64+0x33/0x40
[ 856.816533] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 856.817168] RIP: 0033:0x7f6a222ed107
[ 856.817617] Code: 44 00 00 48 8b 05 81 cd 2c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 8
[ 856.819901] RSP: 002b:00007ffca848f058 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[ 856.820846] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f6a222ed107
[ 856.821726] RDX: 00007ffca848f060 RSI: 00000000c0484e43 RDI: 0000000000000003
[ 856.822603] RBP: 0000000000000003 R08: 000000000000003f R09: 0000000000000005
[ 856.823478] R10: 00007ffca848ece0 R11: 0000000000000202 R12: 00007ffca84912d3
[ 856.824359] R13: 00007ffca848f4d0 R14: 0000000000000002 R15: 000000000067e900
[ 856.825236] Modules linked in: nvme_loop(OE) nvmet(OE) nvme_fabrics(OE) null_blk nvme(OE) nvme_corel
Move the nvmet_req_init() tracepoint after we parse the command in
nvmet_req_init() so that we can get rid of the duplicate
nvmet_find_namespace() call.
Rename __assign_disk_name() -> __assign_req_name(). Now that we call
tracepoint after parsing the command simplify the newly added
__assign_req_name() which fixes this bug.
Signed-off-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/target/core.c | 4 ++--
drivers/nvme/target/trace.h | 21 +++++++--------------
2 files changed, 9 insertions(+), 16 deletions(-)
diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
index 6b2f1e290fa73..cca5a00c098a8 100644
--- a/drivers/nvme/target/core.c
+++ b/drivers/nvme/target/core.c
@@ -878,8 +878,6 @@ bool nvmet_req_init(struct nvmet_req *req, struct nvmet_cq *cq,
req->error_loc = NVMET_NO_ERROR_LOC;
req->error_slba = 0;
- trace_nvmet_req_init(req, req->cmd);
-
/* no support for fused commands yet */
if (unlikely(flags & (NVME_CMD_FUSE_FIRST | NVME_CMD_FUSE_SECOND))) {
req->error_loc = offsetof(struct nvme_common_command, flags);
@@ -913,6 +911,8 @@ bool nvmet_req_init(struct nvmet_req *req, struct nvmet_cq *cq,
if (status)
goto fail;
+ trace_nvmet_req_init(req, req->cmd);
+
if (unlikely(!percpu_ref_tryget_live(&sq->ref))) {
status = NVME_SC_INVALID_FIELD | NVME_SC_DNR;
goto fail;
diff --git a/drivers/nvme/target/trace.h b/drivers/nvme/target/trace.h
index e645caa882dd3..3f61b6657175e 100644
--- a/drivers/nvme/target/trace.h
+++ b/drivers/nvme/target/trace.h
@@ -46,19 +46,12 @@ static inline struct nvmet_ctrl *nvmet_req_to_ctrl(struct nvmet_req *req)
return req->sq->ctrl;
}
-static inline void __assign_disk_name(char *name, struct nvmet_req *req,
- bool init)
+static inline void __assign_req_name(char *name, struct nvmet_req *req)
{
- struct nvmet_ctrl *ctrl = nvmet_req_to_ctrl(req);
- struct nvmet_ns *ns;
-
- if ((init && req->sq->qid) || (!init && req->cq->qid)) {
- ns = nvmet_find_namespace(ctrl, req->cmd->rw.nsid);
- strncpy(name, ns->device_path, DISK_NAME_LEN);
- return;
- }
-
- memset(name, 0, DISK_NAME_LEN);
+ if (req->ns)
+ strncpy(name, req->ns->device_path, DISK_NAME_LEN);
+ else
+ memset(name, 0, DISK_NAME_LEN);
}
#endif
@@ -81,7 +74,7 @@ TRACE_EVENT(nvmet_req_init,
TP_fast_assign(
__entry->cmd = cmd;
__entry->ctrl = nvmet_req_to_ctrl(req);
- __assign_disk_name(__entry->disk, req, true);
+ __assign_req_name(__entry->disk, req);
__entry->qid = req->sq->qid;
__entry->cid = cmd->common.command_id;
__entry->opcode = cmd->common.opcode;
@@ -121,7 +114,7 @@ TRACE_EVENT(nvmet_req_complete,
__entry->cid = req->cqe->command_id;
__entry->result = le64_to_cpu(req->cqe->result.u64);
__entry->status = le16_to_cpu(req->cqe->status) >> 1;
- __assign_disk_name(__entry->disk, req, false);
+ __assign_req_name(__entry->disk, req);
),
TP_printk("nvmet%s: %sqid=%d, cmdid=%u, res=%#llx, status=%#x",
__print_ctrl_name(__entry->ctrl),
--
2.27.0
next prev parent reply other threads:[~2020-11-09 13:14 UTC|newest]
Thread overview: 90+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-09 12:54 [PATCH 5.4 00/85] 5.4.76-rc1 review Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 5.4 01/85] drm/i915: Break up error capture compression loops with cond_resched() Greg Kroah-Hartman
2020-11-09 12:54 ` [PATCH 5.4 02/85] drm/i915/gt: Delay execlist processing for tgl Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 03/85] drm/i915: Drop runtime-pm assert from vgpu io accessors Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 04/85] ASoC: Intel: Skylake: Add alternative topology binary name Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 05/85] linkage: Introduce new macros for assembler symbols Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 06/85] arm64: asm: Add new-style position independent function annotations Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 07/85] arm64: lib: Use modern annotations for assembly functions Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 08/85] arm64: Change .weak to SYM_FUNC_START_WEAK_PI for arch/arm64/lib/mem*.S Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 09/85] tipc: fix use-after-free in tipc_bcast_get_mode Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 10/85] ptrace: fix task_join_group_stop() for the case when current is traced Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 11/85] cadence: force nonlinear buffers to be cloned Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 12/85] chelsio/chtls: fix memory leaks caused by a race Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 13/85] chelsio/chtls: fix always leaking ctrl_skb Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 14/85] gianfar: Replace skb_realloc_headroom with skb_cow_head for PTP Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 15/85] gianfar: Account for Tx PTP timestamp in the skb headroom Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 16/85] ionic: check port ptr before use Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 17/85] ip_tunnel: fix over-mtu packet send fail without TUNNEL_DONT_FRAGMENT flags Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 18/85] net: usb: qmi_wwan: add Telit LE910Cx 0x1230 composition Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 19/85] powerpc/vnic: Extend "failover pending" window Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 20/85] sctp: Fix COMM_LOST/CANT_STR_ASSOC err reporting on big-endian platforms Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 21/85] sfp: Fix error handing in sfp_probe() Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 22/85] Fonts: Replace discarded const qualifier Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 23/85] ALSA: hda/realtek - Fixed HP headset Mic cant be detected Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 24/85] ALSA: hda/realtek - Enable headphone for ASUS TM420 Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 25/85] ALSA: usb-audio: Add implicit feedback quirk for Zoom UAC-2 Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 26/85] ALSA: usb-audio: add usb vendor id as DSD-capable for Khadas devices Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 27/85] ALSA: usb-audio: Add implicit feedback quirk for Qu-16 Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 28/85] ALSA: usb-audio: Add implicit feedback quirk for MODX Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 29/85] mm: mempolicy: fix potential pte_unmap_unlock pte error Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 30/85] lib/crc32test: remove extra local_irq_disable/enable Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 31/85] kthread_worker: prevent queuing delayed work from timer_fn when it is being canceled Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 32/85] mm: always have io_remap_pfn_range() set pgprot_decrypted() Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 33/85] gfs2: Wake up when sd_glock_disposal becomes zero Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 34/85] ring-buffer: Fix recursion protection transitions between interrupt context Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 35/85] mtd: spi-nor: Dont copy self-pointing struct around Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 36/85] ftrace: Fix recursion check for NMI test Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 37/85] ftrace: Handle tracing when switching between context Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 38/85] regulator: defer probe when trying to get voltage from unresolved supply Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 39/85] spi: bcm2835: fix gpio cs level inversion Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 40/85] tracing: Fix out of bounds write in get_trace_buf Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 41/85] futex: Handle transient "ownerless" rtmutex state correctly Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 42/85] ARM: dts: sun4i-a10: fix cpu_alert temperature Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 43/85] arm64: dts: meson: add missing g12 rng clock Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 44/85] x86/kexec: Use up-to-dated screen_info copy to fill boot params Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 45/85] of: Fix reserved-memory overlap detection Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 46/85] drm/sun4i: frontend: Rework a bit the phase data Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 47/85] drm/sun4i: frontend: Reuse the ch0 phase for RGB formats Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 48/85] drm/sun4i: frontend: Fix the scaler phase on A33 Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 49/85] blk-cgroup: Fix memleak on error path Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 50/85] blk-cgroup: Pre-allocate tree node on blkg_conf_prep Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 51/85] scsi: core: Dont start concurrent async scan on same host Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 52/85] drm/amdgpu: add DID for navi10 blockchain SKU Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 53/85] scsi: ibmvscsi: Fix potential race after loss of transport Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 54/85] vsock: use ns_capable_noaudit() on socket create Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 55/85] nvme-rdma: handle unexpected nvme completion data length Greg Kroah-Hartman
2020-11-09 12:55 ` Greg Kroah-Hartman [this message]
2020-11-09 12:55 ` [PATCH 5.4 57/85] drm/vc4: drv: Add error handding for bind Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 58/85] ACPI: NFIT: Fix comparison to -ENXIO Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 59/85] usb: cdns3: gadget: suspicious implicit sign extension Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 60/85] drm/nouveau/nouveau: fix the start/end range for migration Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 61/85] drm/nouveau/gem: fix "refcount_t: underflow; use-after-free" Greg Kroah-Hartman
2020-11-09 12:55 ` [PATCH 5.4 62/85] arm64/smp: Move rcu_cpu_starting() earlier Greg Kroah-Hartman
2020-11-09 12:56 ` [PATCH 5.4 63/85] Revert "coresight: Make sysfs functional on topologies with per core sink" Greg Kroah-Hartman
2020-11-09 12:56 ` [PATCH 5.4 64/85] vt: Disable KD_FONT_OP_COPY Greg Kroah-Hartman
2020-11-09 12:56 ` [PATCH 5.4 65/85] fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent Greg Kroah-Hartman
2020-11-09 12:56 ` [PATCH 5.4 66/85] s390/pkey: fix paes selftest failure with paes and pkey static build Greg Kroah-Hartman
2020-11-09 12:56 ` [PATCH 5.4 67/85] serial: 8250_mtk: Fix uart_get_baud_rate warning Greg Kroah-Hartman
2020-11-09 12:56 ` [PATCH 5.4 68/85] serial: txx9: add missing platform_driver_unregister() on error in serial_txx9_init Greg Kroah-Hartman
2020-11-09 12:56 ` [PATCH 5.4 69/85] USB: serial: cyberjack: fix write-URB completion race Greg Kroah-Hartman
2020-11-09 12:56 ` [PATCH 5.4 70/85] USB: serial: option: add Quectel EC200T module support Greg Kroah-Hartman
2020-11-09 12:56 ` [PATCH 5.4 71/85] USB: serial: option: add LE910Cx compositions 0x1203, 0x1230, 0x1231 Greg Kroah-Hartman
2020-11-09 12:56 ` [PATCH 5.4 72/85] USB: serial: option: add Telit FN980 composition 0x1055 Greg Kroah-Hartman
2020-11-09 12:56 ` [PATCH 5.4 73/85] tty: serial: fsl_lpuart: add LS1028A support Greg Kroah-Hartman
2020-11-09 12:56 ` [PATCH 5.4 74/85] tty: serial: fsl_lpuart: LS1021A has a FIFO size of 16 words, like LS1028A Greg Kroah-Hartman
2020-11-09 12:56 ` [PATCH 5.4 75/85] usb: dwc3: ep0: Fix delay status handling Greg Kroah-Hartman
2020-11-09 12:56 ` [PATCH 5.4 76/85] USB: Add NO_LPM quirk for Kingston flash drive Greg Kroah-Hartman
2020-11-09 12:56 ` [PATCH 5.4 77/85] usb: mtu3: fix panic in mtu3_gadget_stop() Greg Kroah-Hartman
2020-11-09 12:56 ` [PATCH 5.4 78/85] drm/panfrost: Fix a deadlock between the shrinker and madvise path Greg Kroah-Hartman
2020-11-09 12:56 ` [PATCH 5.4 79/85] ARC: stack unwinding: avoid indefinite looping Greg Kroah-Hartman
2020-11-09 12:56 ` [PATCH 5.4 80/85] PM: runtime: Drop runtime PM references to supplier on link removal Greg Kroah-Hartman
2020-11-09 12:56 ` [PATCH 5.4 81/85] PM: runtime: Drop pm_runtime_clean_up_links() Greg Kroah-Hartman
2020-11-09 12:56 ` [PATCH 5.4 82/85] PM: runtime: Resume the device earlier in __device_release_driver() Greg Kroah-Hartman
2020-11-09 12:56 ` [PATCH 5.4 83/85] xfs: flush for older, xfs specific ioctls Greg Kroah-Hartman
2020-11-09 12:56 ` [PATCH 5.4 84/85] perf/core: Fix a memory leak in perf_event_parse_addr_filter() Greg Kroah-Hartman
2020-11-09 12:56 ` [PATCH 5.4 85/85] arm64: dts: marvell: espressobin: Add ethernet switch aliases Greg Kroah-Hartman
2020-11-09 15:44 ` [PATCH 5.4 00/85] 5.4.76-rc1 review Jon Hunter
2020-11-09 23:05 ` Guenter Roeck
2020-11-09 23:22 ` Shuah Khan
2020-11-10 4:14 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201109125025.260369693@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=chaitanya.kulkarni@wdc.com \
--cc=hch@lst.de \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.