All of lore.kernel.org
 help / color / mirror / Atom feed
From: "zhang.guanghui@cestc.cn" <zhang.guanghui@cestc.cn>
To: chunguang.xu <chunguang.xu@shopee.com>,
	 "Maurizio Lombardi" <mlombard@bsdbackstore.eu>
Cc: mgurtovoy <mgurtovoy@nvidia.com>,  sagi <sagi@grimberg.me>,
	 kbusch <kbusch@kernel.org>,  sashal <sashal@kernel.org>,
	 linux-kernel <linux-kernel@vger.kernel.org>,
	 linux-nvme <linux-nvme@lists.infradead.org>,
	 linux-block <linux-block@vger.kernel.org>
Subject: Re: Re: nvme-tcp: fix a possible UAF when failing to send request
Date: Tue, 11 Feb 2025 16:04:35 +0800	[thread overview]
Message-ID: <202502111604342976121@cestc.cn> (raw)
In-Reply-To: CAAO4dAWdsMjYMp9jdWXd_48aG0mTtVpRONqjJJ1scnc773tHzg@mail.gmail.com

Hi 



    This is a  race issue,  I can't reproduce it stably yet. I have not tested the latest kernel.  but in fact,  I've synced some nvme-tcp patches from  lastest upstream, 



But in fact, the issue still exists. I review nvme-tcp code and found that this issues may exist in nvme_tcp_poll processing. 







zhang.guanghui@cestc.cn



 



From: Xu Chunguang



Date: 2025-02-11 15:20



To: Maurizio Lombardi



CC: Max Gurtovoy; zhang.guanghui; sagi; kbusch; sashal; linux-kernel; linux-nvme; linux-block



Subject: Re: nvme-tcp: fix a possible UAF when failing to send request







Hi: 







Does  you have tested the latest kernel, can it  reproduce the same issue?







Maurizio Lombardi <mlombard@bsdbackstore.eu> 于 2025年2月11日周二 00:40写道:





On Mon Feb 10, 2025 at 11:24 AM CET, Max Gurtovoy wrote:



>



> It seems to me that the HOST_PATH_ERROR handling can be improved in



> nvme-tcp.



>



> In nvme-rdma we use nvme_host_path_error(rq) and nvme_cleanup_cmd(rq) in



> case we fail to submit a command..



>



> can you try to replacing nvme_tcp_end_request(blk_mq_rq_from_pdu(req),



> NVME_SC_HOST_PATH_ERROR); call with the similar logic we use in



> nvme-rdma for host path error handling ?





Yes, I could try to prepare a patch.





In any case, I think the main issue here is that nvme_tcp_poll()



should be prevented from racing against io_work... and I also think



there is a possible race condition if nvme_tcp_poll() races against



the controller resetting code.





Maurizio



  parent reply	other threads:[~2025-02-11  8:04 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-02-10  7:41 nvme-tcp: fix a possible UAF when failing to send request zhang.guanghui
2025-02-10 10:01 ` Maurizio Lombardi
2025-02-10 10:24   ` Max Gurtovoy
2025-02-10 11:16     ` zhang.guanghui
2025-02-10 11:34       ` Max Gurtovoy
2025-02-10 16:40     ` Maurizio Lombardi
     [not found]       ` <CAAO4dAWdsMjYMp9jdWXd_48aG0mTtVpRONqjJJ1scnc773tHzg@mail.gmail.com>
2025-02-11  8:04         ` zhang.guanghui [this message]
2025-02-12  8:11           ` Maurizio Lombardi
2025-02-12  8:23             ` Maurizio Lombardi
2025-02-12  8:52             ` Maurizio Lombardi
2025-02-12  9:47               ` zhang.guanghui
2025-02-12 10:28                 ` Maurizio Lombardi
2025-02-12 11:14                   ` Maurizio Lombardi
2025-02-12 11:47                     ` Maurizio Lombardi
2025-02-12 15:33 ` Maurizio Lombardi
2025-02-12 16:07   ` Maurizio Lombardi
2025-02-13  2:04     ` zhang.guanghui
2025-02-17  7:46 ` Sagi Grimberg
2025-02-20  8:20   ` zhang.guanghui
2025-03-07 10:10   ` Re: nvme-tcp: fix a possible UAF when failing to send request【请注意,邮件由sagigrim@gmail.com代发】 zhang.guanghui
2025-03-11 10:52     ` Maurizio Lombardi
2025-03-13  1:48       ` zhang.guanghui
2025-03-13  7:51         ` Hannes Reinecke
2025-03-13  8:18           ` zhang.guanghui
     [not found]             ` <2025031316313196627826@cestc.cn>
2025-03-13  9:01               ` Maurizio Lombardi
2025-03-13  8:38           ` zhang.guanghui
2025-03-28  9:24       ` Re: nvme-tcp: fix a possible UAF when failing to send request zhang.guanghui
2025-04-01 12:11         ` Maurizio Lombardi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202502111604342976121@cestc.cn \
    --to=zhang.guanghui@cestc.cn \
    --cc=chunguang.xu@shopee.com \
    --cc=kbusch@kernel.org \
    --cc=linux-block@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-nvme@lists.infradead.org \
    --cc=mgurtovoy@nvidia.com \
    --cc=mlombard@bsdbackstore.eu \
    --cc=sagi@grimberg.me \
    --cc=sashal@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.