From: "zhang.guanghui@cestc.cn" <zhang.guanghui@cestc.cn>
To: mgurtovoy <mgurtovoy@nvidia.com>,
"Maurizio Lombardi" <mlombard@bsdbackstore.eu>,
sagi <sagi@grimberg.me>, kbusch <kbusch@kernel.org>,
sashal <sashal@kernel.org>,
chunguang.xu <chunguang.xu@shopee.com>
Cc: linux-kernel <linux-kernel@vger.kernel.org>,
linux-nvme <linux-nvme@lists.infradead.org>,
linux-block <linux-block@vger.kernel.org>
Subject: Re: Re: nvme-tcp: fix a possible UAF when failing to send request
Date: Mon, 10 Feb 2025 19:16:33 +0800 [thread overview]
Message-ID: <2025021019163296203221@cestc.cn> (raw)
In-Reply-To: 3f1f7ec3-cb49-4d66-b2b0-57276a6c62f0@nvidia.com
Hi,
Thank you for your reply.
In nvme-rdma we use nvme_host_path_error(rq) , the prerequisites are -EIO, ignore this condition?
in nvme-tcp this judgment condition is different, use the function nvme_host_path_error ,
it should be possible to go to nvme_complete_rq -> nvme_retry_req -- request->mq_hctx have been freed, is NULL.
zhang.guanghui@cestc.cn
From: Max Gurtovoy
Date: 2025-02-10 18:24
To: Maurizio Lombardi; zhang.guanghui@cestc.cn; sagi; kbusch; sashal; chunguang.xu
CC: linux-kernel; linux-nvme; linux-block
Subject: Re: nvme-tcp: fix a possible UAF when failing to send request
On 10/02/2025 12:01, Maurizio Lombardi wrote:
> On Mon Feb 10, 2025 at 8:41 AM CET, zhang.guanghui@cestc.cn wrote:
>> Hello
>>
>>
> I guess you have to fix your mail client.
>
>> When using the nvme-tcp driver in a storage cluster, the driver may trigger a null pointer causing the host to crash several times.
>> By analyzing the vmcore, we know the direct cause is that the request->mq_hctx was used after free.
>>
>>
>> CPU1 CPU2
>>
>> nvme_tcp_poll nvme_tcp_try_send --failed to send reqrest 13
> This simply looks like a race condition between nvme_tcp_poll() and nvme_tcp_try_send()
> Personally, I would try to fix it inside the nvme-tcp driver without
> touching the core functions.
>
> Maybe nvme_tcp_poll should just ensure that io_work completes before
> calling nvme_tcp_try_recv(), the POLLING flag should then prevent io_work
> from getting rescheduled by the nvme_tcp_data_ready() callback.
>
>
> Maurizio
It seems to me that the HOST_PATH_ERROR handling can be improved in
nvme-tcp.
In nvme-rdma we use nvme_host_path_error(rq) and nvme_cleanup_cmd(rq) in
case we fail to submit a command..
can you try to replacing nvme_tcp_end_request(blk_mq_rq_from_pdu(req),
NVME_SC_HOST_PATH_ERROR); call with the similar logic we use in
nvme-rdma for host path error handling ?
next prev parent reply other threads:[~2025-02-10 11:16 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-10 7:41 nvme-tcp: fix a possible UAF when failing to send request zhang.guanghui
2025-02-10 10:01 ` Maurizio Lombardi
2025-02-10 10:24 ` Max Gurtovoy
2025-02-10 11:16 ` zhang.guanghui [this message]
2025-02-10 11:34 ` Max Gurtovoy
2025-02-10 16:40 ` Maurizio Lombardi
[not found] ` <CAAO4dAWdsMjYMp9jdWXd_48aG0mTtVpRONqjJJ1scnc773tHzg@mail.gmail.com>
2025-02-11 8:04 ` zhang.guanghui
2025-02-12 8:11 ` Maurizio Lombardi
2025-02-12 8:23 ` Maurizio Lombardi
2025-02-12 8:52 ` Maurizio Lombardi
2025-02-12 9:47 ` zhang.guanghui
2025-02-12 10:28 ` Maurizio Lombardi
2025-02-12 11:14 ` Maurizio Lombardi
2025-02-12 11:47 ` Maurizio Lombardi
2025-02-12 15:33 ` Maurizio Lombardi
2025-02-12 16:07 ` Maurizio Lombardi
2025-02-13 2:04 ` zhang.guanghui
2025-02-17 7:46 ` Sagi Grimberg
2025-02-20 8:20 ` zhang.guanghui
2025-03-07 10:10 ` Re: nvme-tcp: fix a possible UAF when failing to send request【请注意,邮件由sagigrim@gmail.com代发】 zhang.guanghui
2025-03-11 10:52 ` Maurizio Lombardi
2025-03-13 1:48 ` zhang.guanghui
2025-03-13 7:51 ` Hannes Reinecke
2025-03-13 8:18 ` zhang.guanghui
[not found] ` <2025031316313196627826@cestc.cn>
2025-03-13 9:01 ` Maurizio Lombardi
2025-03-13 8:38 ` zhang.guanghui
2025-03-28 9:24 ` Re: nvme-tcp: fix a possible UAF when failing to send request zhang.guanghui
2025-04-01 12:11 ` Maurizio Lombardi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2025021019163296203221@cestc.cn \
--to=zhang.guanghui@cestc.cn \
--cc=chunguang.xu@shopee.com \
--cc=kbusch@kernel.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=mgurtovoy@nvidia.com \
--cc=mlombard@bsdbackstore.eu \
--cc=sagi@grimberg.me \
--cc=sashal@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.